{"id":3525,"date":"2024-05-10T13:21:29","date_gmt":"2024-05-10T18:21:29","guid":{"rendered":"https:\/\/www.darkreading.com\/cybersecurity-operations\/rsa-2024-cisa-secure-design-pledge-necessary-toothless"},"modified":"2024-05-10T13:21:29","modified_gmt":"2024-05-10T18:21:29","slug":"is-cisas-secure-by-design-pledge-toothless","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/05\/10\/is-cisas-secure-by-design-pledge-toothless\/","title":{"rendered":"Is CISA’s Secure by Design Pledge Toothless?"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

At 2024’s RSA Conference this week, <\/span>brand names<\/a><\/span> like Microsoft, Amazon Web Service (AWS), International Business Machines (IBM), Fortinet, and more <\/span>agreed to take steps<\/a><\/span> toward meeting a set of seven objectives defined by the US’s premier cyber authority.<\/span><\/p>\n

The agreement<\/a><\/span> is voluntary, not legally binding, anodyne, and can be flexibly applied to all or just one of a company’s products or services. Still, signees say, it may help move the needle to incentivize good security practices and investments across industries.<\/span><\/p>\n

“I think that this represents the zeitgeist,” says Grant Geyer, CPO of Claroty, one of the signatories. “It’s a recognition that as more of us agree that we’re going to operate at a certain standard, that makes it more comfortable and open for others to do the same.”<\/span><\/p>\n

No Teeth, No Problem<\/h2>\n

CISA’s Secure by Design pledge consists of areas of improvement split into seven primary categories: multi-factor authentication (MFA), default passwords, reducing entire classes of vulnerability, security patches, vulnerability disclosure policy, CVEs, and evidence of intrusions.<\/span><\/p>\n

The pledge contains nothing revolutionary and has no teeth whatsoever. But for those involved, that’s all beside the point.<\/span><\/p>\n

“While they may not have direct authority, I think that there is indirect authority by starting to define what the expectation is,” says Chris Henderson, senior director of threat operations at Huntress, another signee.<\/span><\/p>\n

For example, he says, “In the private space there are companies effectively war profiteering off of the security tooling within their products. You see a lot of companies adding security features behind paywalls because it’s viewed as an easy way to increase revenue. In reality, a lot of these features don’t actually cost any extra money to deliver,” Henderson adds.<\/span><\/p>\n

He thinks the pledge could be a new approach toward pushing public-private partnerships without new regulations.<\/span><\/p>\n

“I think the Secure By Design pledge is a really interesting approach through private and government partnership to try to drive not regulation, but change what the expectation is for ‘reasonable.'” Henderson says. “If you’re a product that offers multi-factor authentication (MFA) or single sign-on (SSO), but it’s behind a paywall, and one of your clients gets breached because they weren’t paying for that, well, now are you negligent?”<\/span><\/p>\n

Like Henderson, Jonathan Trull, CISO of Qualys (also a signatory), envisions the pledge’s effects as primarily economic in nature. “In the commercial sector you’ve got two (incentive) mechanisms. You’ve got compliance, where it’s binding and SEC-enforceable for publicly traded companies,” Trull explains. “And then you’ve got the more powerful (one), which is: Where will the dollars flow?”<\/span><\/p>\n

His hope is that these basic security principles start to influence tech buyers, Trull adds.<\/span><\/p>\n

“I’m hoping buyers stop and say: ‘Hey, why didn’t you sign up for this? Even if it’s voluntary,'” he says.<\/span><\/p>\n

Zooming Out Beyond Just Vulnerabilities<\/h2>\n

Regardless of how companies address it, for Claroty’s Geyer, the pledge alone is important in how it reframes the conversation around some fundamental security issues.<\/span><\/p>\n

For example, there’s vulnerability management. Organizations know to <\/span>patch individual bugs when they pop up<\/a><\/span> but, as CISA notes in its report, “The vast majority of exploited vulnerabilities today are due to classes of vulnerabilities that can often be prevented at scale.”<\/span><\/p>\n

In a <\/span>recent analysis<\/a><\/span> of more than 20 million assets, Claroty’s Team82 found that 22% and 23% of all industrial OT and connected medical devices (IoMT), respectively, possessed vulnerabilities with critically-ranked CVSS scores of 9.0 or higher. However, only 1.3% and 1.9% of industrial OT and IoMT devices were found to contain at least one known exploitable vulnerability and communicated directly with the Web instead of through a secure access solution.<\/span><\/p>\n

“So if you take the traditional approach, you have to patch 23% of your assets,” Geyer says. “Not only is that an enormous number, but what we found is that when you broaden out what a risk is \u2014from just a vulnerability to things like default passwords, clear text, communications, the things that are covered in this pledge \u2014 you would only need to focus on 1.3% of your assets.”<\/span><\/p>\n

“If you did take the approach of catching all 23%, it turns out that you would miss 43% of the highest risks, like default credentials,” Geyer adds. “So it’s super important that CISA is taking a more expansive view of risk, rather than only focusing on vulnerabilities. That has been the traditional wisdom, and traditional wisdom is misguided, both in terms of effort and impact.”<\/span><\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

At 2024’s RSA Conference this week, brand names like Microsoft,<\/p>\n","protected":false},"author":12,"featured_media":3526,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-3525","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/is-cisas-secure-by-design-pledge-toothless-scaled.jpg?fit=2560%2C1706&ssl=1",2560,1706,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/is-cisas-secure-by-design-pledge-toothless-scaled.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/is-cisas-secure-by-design-pledge-toothless-scaled.jpg?fit=300%2C200&ssl=1",300,200,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/is-cisas-secure-by-design-pledge-toothless-scaled.jpg?fit=640%2C427&ssl=1",640,427,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/is-cisas-secure-by-design-pledge-toothless-scaled.jpg?fit=640%2C426&ssl=1",640,426,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/is-cisas-secure-by-design-pledge-toothless-scaled.jpg?fit=1536%2C1023&ssl=1",1536,1023,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/is-cisas-secure-by-design-pledge-toothless-scaled.jpg?fit=2048%2C1365&ssl=1",2048,1365,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/is-cisas-secure-by-design-pledge-toothless-scaled.jpg?fit=1024%2C682&ssl=1",1024,682,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/is-cisas-secure-by-design-pledge-toothless-scaled.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/is-cisas-secure-by-design-pledge-toothless-scaled.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/is-cisas-secure-by-design-pledge-toothless-scaled.jpg?fit=2560%2C1706&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3525","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=3525"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3525\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/3526"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=3525"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=3525"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=3525"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}