Do you know what IT devices are in your business or on your network right now? If not, it’s not just cybercriminals that might be knocking on your door very soon, but the White House.
Binding Operational Directive 23-01, or BOD 23-01, is a new directive from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a Binding Operational Directive (BOD) that orders federal agencies in the country to keep track of their IT assets and any vulnerabilities on their networks.
The guidance aims to shake up the way devices are tracked, managed, and protected against unauthorized access and attacks like Ransomware. Because if IT teams and organizations don’t know what devices are under their roof, then what chance do they stand in protecting them?
What is the new directive?
The wide-ranging cybersecurity directive orders all U.S. Federal Civilian Executive Branch (FCEB) agencies to create a complete and accurate inventory of all of their software assets.
The new directive is trying to prevent situations such as the 2020 SolarWinds scandal, where several government agencies and organizations were compromised by malicious code injected into the software system.
But it also wants to put more accountability on federal civilian agencies for their own devices and what resides on their networks, as well as hold more responsibility in the case that a cyber breach or attack takes place.
And although the directive only covers federal civilian agencies in the U.S., the CISA also urged the private sector and state governments to review and implement similar asset and vulnerability practices. It’s hard to think of a reason why it shouldn’t also be rolled out to all businesses, not just those in the U.S.
For several years, the CISA has been working to gain greater visibility into risks facing federal civilian networks. It may now finally have made some progress.
What issues is it trying to address?
Threat actors continue to target critical infrastructure, networks, and devices to exploit weaknesses within unknown, unprotected, or under-protected assets. Previous and even current methods to prevent this from happening have provided varying levels of success, hence the need for another layer of protection.
At a basic level, businesses still aren’t tracking the devices and software underneath their own roof, with around one in three IT teams saying they don’t actively track the software used by employees within the business.
The hope with the new directive is that, at a minimum, agencies and government departments have access to an up-to-date inventory of assets. You can't protect what you can't see, so by providing this visibility, we're already one step ahead of the game.
But that alone won’t solve the issue altogether, as there’s no point seeing what’s under threat if you can’t prevent an attack from happening in the first place or at least stop it from becoming mission-critical.
For example, 93% of companies are vulnerable to external attackers breaching their network perimeters and gaining access to sensitive data. By improving on current IT asset management strategies to be able to identify vulnerabilities, track vulnerability signatures, and share that information with the relevant parties, we can help protect information from getting into the wrong hands.
What does it mean for IT teams?
The attack surface – the points of entry and vulnerabilities that serve as attack vectors – is expanding rapidly. New technologies, recent changes to implement remote and hybrid workplaces, and bring your own device (BYOD) are gaining momentum again is threatening to overpower IT teams.
The attack surface is becoming uncontrollable, which is why new methods of Cyber Asset Attack Surface Management (CAASM) are becoming vital in managing and protecting organizations.
For agencies looking to become compliant with the new directive, creating a software asset inventory will be seen as a significant administrative challenge. We’re talking about having to locate, identify, record, and report on potentially hundreds or thousands of pieces of hardware and software.
Agentless scanning technology should help here. If done manually, creating an up-to-date inventory of all of these assets would take hundreds of hours, cost a significant amount of money, and potentially impact operations with IT resources diverted from other business-critical tasks.
Asset visibility and vulnerability detection 101
There are two key areas IT teams need to focus on - asset inventory and vulnerability scans. Together, these are seen as vital in gaining the visibility needed to protect federal organizations against outside threats.
By April 3, 2023, asset discovery scans will need to be run every seven days, while vulnerability assessments across those assets every 14 days. Agencies will also have to prove that they have the capabilities to run such tests on-demand, with the CISA requesting proof within 72 hours of receiving a written request.
If IT teams don't have one already, they will need to create and maintain an up-to-date inventory of IT assets on their network, as well as identify vulnerabilities and share relevant information with the CISA at regular intervals.
IT teams are already under pressure, and the only realistic and cost-effective way organizations can become compliant is to automate IT inventory. With new devices added on an almost daily basis and current tech needing to be constantly updated, it’s virtually impossible to handle this manually.
Knowing what’s on your network is necessary for any organization to reduce risk. In today’s digital-first world, with more attack surfaces than ever before, taking stock of what you have is the first step in protecting and preventing the worst from taking place.
Roel Decneut is Chief Strategy Officer at Lansweeper.