As part of the Enduring Security Framework (ESF), the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) has released Identity and Access Management Recommended Best Practices Guide for Administrators. These recommended best practices provide system administrators with actionable recommendations to better secure their systems from threats to Identity and Access Management (IAM).

IAM—a framework of business processes, policies, and technologies that facilitate the management of digital identities—ensures that users only gain access to data when they have the appropriate credentials. This paper provides recommended best practices and mitigations to counter threats to IAM related to:

• identity governance
• environmental hardening
• identity federation/single sign-on
• multifactor authentication
• IAM auditing and monitoring

This guidance was developed and published by a CISA- and NSA-led working panel with ESF, a public-private cross-sector partnership that aims to address risks that threaten critical infrastructure and national security systems.
 

Content: Today, we published stakeholder-based updates to the Cybersecurity Performance Goals (CPGs). Originally released last October, the CPGs are voluntary practices that businesses and critical infrastructure owners can take to protect themselves against cyber threats. The CPGs have been reorganized, reordered and renumbered to align closely with NIST CSF functions (Identify, Protect, Detect, Respond, and Recover) to help organizations more easily use the CPGs to prioritize investments as part of a broader cybersecurity program built around the CSF. 

CISA urges stakeholders to review and learn more by visiting Cross-Sector Cybersecurity Performance Goals.
 

CISA released eight Industrial Control Systems (ICS) advisories on March 16, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.  
  
CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations:  

• ICSA-23-075-01 Siemens SCALANCE, RUGGEDCOM Third-Party
• ICSA-23-075-02 Siemens RUGGEDCOM CROSSBOW V5.3 
• ICSA-23-075-03 Siemens RUGGEDCOM CROSSBOW V5.2
• ICSA-23-075-04 Siemens SCALANCE W1750D Devices
• ICSA-23-075-05 Siemens Mendix SMAL Module
• ICSA-23-075-06 Honeywell OneWireless Wireless Device Manager
• ICSA-23-075-07 Rockwell Automation Modbus TCP AOI Server
• ICSA-22-342-02 AVEVA InTouch Access Anywhere and Plant SCADA Access Anywhere (Update A)

Please share your thoughts. We recently updated our anonymous Product Feedback Survey and we’d welcome your feedback.

CISA has released a draft Secure Cloud Business Applications (SCuBA) Hybrid Identity Solutions Architecture guidance document for public comment. The request for comment period is open until April 17, 2023. Comments may be submitted to CyberSharedServices@cisa.dhs.gov.

In accordance with Executive Order 14028, CISA’s SCuBA project aims to develop consistent, effective, modern, and manageable security that will help secure agency information assets stored within cloud operations. This guidance will help federal civilian departments and agencies securely and efficiently integrate their traditional on-premises enterprise networks with cloud-based solutions.

CISA encourages federal program and project managers involved in identity management interoperability and vulnerability mitigation to review and provide comment. Visit CISA’s SCuBA project page for more information and to review the guidance document.

In light of recent bank failures, CISA warns consumers to beware of potential scams requesting your money or sensitive personal information. Exercise caution in handling emails with bank-related subject lines, attachments, or links. In addition, be wary of social media pleas, texts, or door-to-door solicitations relating to any failed bank.

The Federal Deposit Insurance Corporation (FDIC), the “Receiver” of failed banks, would never contact you asking for personal details, such as bank account information, credit and debit card numbers, social security numbers, or passwords.

To avoid becoming victims of scams, consumers should review the following resources and take preventative measures:

• CISA: Avoiding Social Engineering and Phishing Attacks
• FDIC Consumer News: Beware, It’s a Scam!
• FDIC Consumer News: Scammers Pretending to be the FDIC
• FDIC: Failed Bank Information for Silicon Valley Bank, Santa Clara, CA
• FDIC: Failed Bank Information for Signature Bank, New York, NY
• CISA: Phishing Infographic 

Consider reporting scams and fraud to the police and file a report with the Federal Trade Commission.

Please share your thoughts. We recently updated our anonymous Product Feedback Survey and we’d welcome your feedback.