CISA: On Cyber Risks, Mitigation & Best Practices

In April, CISA, aka the Cybersecurity and Infrastructure Security Agency, published a handy summary of trends pulled from its assessments of 192 Healthcare and Public Health (HPH) sector entities. Across fiscal years 2019 and 2020, the agency found that HPH's four most common cyber risks were:

  • Phishing
  • Out-of-date patches
  • Unsupported software and operating systems
  • Poorly configured internet-accessible ports on systems and devices

For each of those top four, CISA spelled out its observations, mitigation measures, and recommended best practices. We've summarized them here.

CISA Findings & Recommendations

Improve phishing defenses: Well, that's a "duh." But what did CISA find? Its vulnerability assessment and pen-testing teams got spear-phishing emails past filtering 96% of the time. The ratio of users who clicked to users who reported the phish wasn't encouraging either. What you really need to know is how to mitigate.

It comes back to "it's the people." The number one mitigation recommendation is more (and better) user awareness training, and phishing simulations are essential to getting the message through. Also, check regularly that your spam filtering is up to date and actually capable of blocking the attachments and links used to deliver malware, rather than assuming it is.

Patch vulnerabilities – regularly: Even after all the global incidents of the last few years traced back to patching failures, CISA found that entities still don't manage patching effectively. The volume of active vulnerabilities across entities has increased significantly, which means the chances of one being exploited are much higher than in the past.

To combat the threat, CISA recommends reducing the vulnerability backlog. Start with the vulnerabilities that have known exploits and that put your internet-facing perimeter at risk. Prioritize patching on the systems with the biggest impact on business operations first, then work your way outward from there. The other mitigation recommendation is to "reduce the time to remediate vulnerabilities," aka don't delay once a patch is available.

Update your software and operating systems: What versions are you running? Are they still supported by the vendor? If not, and an internet-accessible host is involved, you're a prime target for threat actors: no more patches are coming for whatever gets found.

Go ahead and plan upgrades for your legacy systems. Are software or components at end of support, or getting there? Replace them or upgrade to secure, supported versions. Where affordability or other constraints mean a legacy system has to stay, CISA recommends network segmentation so you can isolate the exceptions from everything else.

Configure – securely – systems' and devices' internet-accessible ports: Internet-exposed services considered risky, such as remote procedure call (RPC), remote desktop protocol (RDP), and file transfer protocol (FTP), need to be securely configured. Otherwise, those points of entry are too tempting as initial-access and escalation points for cyberattacks.

If you can't securely configure these services, then limit internet exposure to only those you absolutely need to operate. Again, network segmentation, i.e., asset isolation, may be your best option for protecting critical systems behind multiple layers of defense.
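The patching and exposed-ports recommendations above are easier to act on once they are written down as a triage rule. The script below is an added example, not code from CISA or from the report: it ranks a constructed vulnerability backlog the way the summary suggests (known exploits first, then internet-facing and unsupported hosts, then business impact, then age) and lists the hardening follow-ups for risky exposed services. The asset names, vulnerability IDs and port list are constructed for illustration, not real CISA data or real CVEs.

```python
"""Added example: triage a vulnerability backlog and flag risky internet-exposed
services, following the order of priorities in the CISA HPH summary.
All sample data below is constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass, field

# Services the summary calls out as risky when reachable from the internet.
# Port numbers are the conventional defaults, used here as an assumption.
RISKY_SERVICES = {135: "rpc", 3389: "rdp", 21: "ftp"}


@dataclass
class Vuln:
    vuln_id: str          # constructed placeholder IDs, not real CVEs
    known_exploit: bool   # public exploit exists (e.g. on a known-exploited list)
    days_open: int        # how long the finding has sat unremediated


@dataclass
class Asset:
    name: str
    business_tier: int               # 1 = most critical to operations
    internet_exposed_ports: set[int] # ports reachable from the internet
    supported: bool                  # vendor still ships patches
    vulns: list[Vuln] = field(default_factory=list)


def risky_exposures(asset: Asset) -> list[int]:
    """Internet-exposed ports on this asset that carry a risky service."""
    return sorted(p for p in asset.internet_exposed_ports if p in RISKY_SERVICES)


def priority_key(asset: Asset, vuln: Vuln) -> tuple:
    """Sort key: lower sorts first. Booleans are arranged so that the
    riskier condition (known exploit, internet-facing, unsupported) is False
    and therefore comes before True; then business tier, then oldest first."""
    internet_facing = bool(asset.internet_exposed_ports)
    return (
        not vuln.known_exploit,
        not internet_facing,
        asset.supported,
        asset.business_tier,
        -vuln.days_open,
    )


def triage(assets: list[Asset]) -> list[tuple[str, str]]:
    """Return (asset, vuln_id) pairs in the order they should be remediated."""
    backlog = [(a, v) for a in assets for v in a.vulns]
    backlog.sort(key=lambda av: priority_key(*av))
    return [(a.name, v.vuln_id) for a, v in backlog]


def hardening_actions(asset: Asset) -> list[str]:
    """Follow-ups from the exposed-ports and unsupported-software findings."""
    actions = []
    for port in risky_exposures(asset):
        svc = RISKY_SERVICES[port]
        actions.append(f"{svc}/{port}: restrict to the management network or VPN, or disable")
    if not asset.supported:
        actions.append("unsupported platform: segment from the rest of the network until upgraded")
    return actions


# Constructed inventory: three hosts with a handful of findings each.
SAMPLE_ASSETS = [
    Asset("ehr-app-01", 1, {443}, True,
          [Vuln("VULN-A", True, 40), Vuln("VULN-B", False, 200)]),
    Asset("legacy-imaging", 2, {3389, 21}, False,
          [Vuln("VULN-C", False, 400)]),
    Asset("kiosk-07", 3, set(), True,
          [Vuln("VULN-D", True, 5)]),
]

if __name__ == "__main__":
    for name, vid in triage(SAMPLE_ASSETS):
        print(f"patch {vid} on {name}")
    for asset in SAMPLE_ASSETS:
        for action in hardening_actions(asset):
            print(f"{asset.name}: {action}")
```

Note what the ordering does with the constructed data: the known-exploit finding on the internet-facing, tier-1 host goes first, the known-exploit finding on the internal kiosk still beats everything without an exploit, and the unsupported, RDP- and FTP-exposed imaging box outranks the older but unexploited finding on the tier-1 host. Swap the key fields if your organization weighs business tier above exposure; the point is that the rule is explicit and repeatable.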

You don't need to be an HPH entity to take advantage of the CISA resources that help improve your organization's cybersecurity. You can even sign up for a free vulnerability scan of your internet-facing systems. If you're not sure which steps to take first, contact us about putting together a plan.