Cybersecurity threats are a daily concern for organizations across the country, impacting the delivery of essential services. Recognizing the need for protection, the question arises: where to start? While there is no shortage of guidance, best practices, and standards, many organizations struggle with prioritization. To address this, President Biden’s National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems mandated the Cybersecurity and Infrastructure Security Agency (CISA) to develop voluntary Cross-Sector Cybersecurity Performance Goals (CPGs). Introduced in December 2022 and updated in March, the CPGs are designed for entities of all sizes and sectors, enabling rigorous prioritization without breaking the budget. They also help organizations evaluate their current cyber posture and guide them towards a strong cybersecurity foundation.
The first goal, changing default passwords, is a straightforward but essential practice. Creating and enforcing an organization-wide policy that requires changing manufacturer default passwords before any hardware, software, or firmware is put on the network can help organizations both prevent initial access by threat actors and hinder lateral movement in the event of a compromise.
The second goal is implementing phishing-resistant multifactor authentication (MFA). Adding this critical, additional layer of security to protect your organization’s accounts can deny threat actors the initial foothold they use to wreak havoc. CISA recommends hardware-based tokens, such as FIDO or Public Key Infrastructure (PKI) based authenticators, for the greatest resistance to exploitation.
The third goal is separating user and privileged accounts. Ensuring that no everyday user account carries administrator-level privileges makes it harder for threat actors to gain access or escalate privileges, even if a user account is compromised. Regular re-evaluation of privileges is also recommended to validate that each permission is still needed.
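One way to turn this goal into a repeatable check, as an added example that is not part of the CISA article: the script below audits a constructed account inventory (the account names, group memberships and review dates are invented, and the set of privileged group names and the 90-day review cadence are assumptions) and reports any everyday user account that holds privileged group membership, plus any privileged membership that has not been re-evaluated within the assumed interval.

```python
from datetime import date, timedelta

# Constructed inventory of accounts. Names, groups and dates are invented for
# this example and do not come from any real directory.
ACCOUNTS = [
    {"name": "jsmith",     "kind": "user",    "groups": ["staff"],                   "last_review": "2024-05-01"},
    {"name": "jsmith-adm", "kind": "admin",   "groups": ["Domain Admins"],           "last_review": "2024-05-01"},
    {"name": "rlee",       "kind": "user",    "groups": ["staff", "Domain Admins"],  "last_review": "2023-01-15"},
    {"name": "backup-svc", "kind": "service", "groups": ["Backup Operators"],        "last_review": "2023-11-20"},
    {"name": "tchen-adm",  "kind": "admin",   "groups": ["Administrators"],          "last_review": "2023-06-30"},
]

# Assumed set of groups that confer administrator-level rights in this environment.
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Backup Operators"}

# Assumed re-evaluation cadence; CISA recommends regular review but this figure is ours.
REVIEW_INTERVAL = timedelta(days=90)


def audit_privilege_separation(accounts, today=None,
                               privileged_groups=PRIVILEGED_GROUPS,
                               review_interval=REVIEW_INTERVAL):
    """Return a list of (account_name, issue) findings.

    Two conditions are flagged:
      1. an account of kind "user" that is a member of any privileged group
         (violates the user/privileged separation goal);
      2. any privileged membership whose last review is older than
         review_interval (violates the regular re-evaluation recommendation).
    """
    today = today or date.today()
    findings = []
    for acct in accounts:
        held = set(acct["groups"]) & privileged_groups
        if not held:
            continue  # unprivileged account: nothing to check here
        if acct["kind"] == "user":
            findings.append((acct["name"],
                             "user account holds privileged membership: "
                             + ", ".join(sorted(held))))
        age = today - date.fromisoformat(acct["last_review"])
        if age > review_interval:
            findings.append((acct["name"],
                             f"privileged membership not re-evaluated in {age.days} days"))
    return findings


def privileged_account_names(findings):
    """Distinct account names that appear in the findings, for quick triage."""
    return sorted({name for name, _ in findings})


if __name__ == "__main__":
    # Fixed "today" so the sample run is reproducible.
    for name, issue in audit_privilege_separation(ACCOUNTS, today=date(2024, 6, 1)):
        print(f"{name}: {issue}")
```

Run against a real directory export, the same two checks give a concrete starting point for the re-evaluation CISA recommends: every line of output is either an account that should lose its privileged membership or one whose privileges need a documented review.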
The fourth goal is creating incident response plans. Maintaining and exercising cybersecurity response plans helps an organization know what needs to be done to address common threat scenarios and recover quickly. CISA recommends that organizations exercise the plan by drilling realistic scenarios at least annually.
CISA believes that if every organization incorporates these fundamental cybersecurity practices, it can significantly reduce the risk of intrusions, regardless of sector or size. As the nation’s Cyber Defense Agency, CISA’s goal is to make it easier for every organization to prioritize the most important cybersecurity practices. The full list of goals may seem long, especially for small organizations, but they are quite achievable and can help prevent cyberattacks and mitigate their damage.
Source: CISA
To mitigate potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net, or you can try it yourself using check.website.