dav3r
commented
1 year ago Update Cyber Exposure Scorecard to include asterisks for services flagged as the following
Add the following below the scorecard:
Image of Updated Scorecard
[ ] Scorecard will be updated to have asterisks for potential NMIs [ ] Scorecard will have an annotation for * potentially risky services under BOD 23-02
@KeithBonesJr Please update the details of this issue to reflect an important wording change (unless I am mistaken). In several places, you refer to the "Cyber Exposure Scorecard" or the "Scorecard", however I think you mean to refer to the "Report Card" section within the customer CyHy (VS) report.
The Cyber Exposure Scorecard is a completely separate document from the customer CyHy (VS) report, so it's important that we are very clear with our wording here.
Please let me know if you have any questions about this.
KeithBonesJr
climber-girl
💡 Summary
Please update the language, table, and csv for the main VS report in support of BOD 23-02.
Motivation and context
Internal and external stakeholders need to have potentially risky services covered by the BOD identified explicitly in the report. Currently we have a table that covers potentially risky service, however nothing specifies that this is covered under the new BOD.
Implementation notes
Update Cyber Hygiene Report Card to include asterisks for services flagged as the following:
Add the following below the potentially risky services image on the Cyber Hygiene Report Card page:
Image of Updated Potentially Risky Services Image
Language Update
Add Following to New Section, New Page Right after BOD 22-01
For the Fed reports, reword the body as the following
Threat actors often use certain classes of network devices to gain unrestricted access to organizational networks leading to full scale compromises. Inadequate security, misconfigurations, and out of date software make these devices more vulnerable to exploitation. The risk is further compounded if device management interfaces are connected directly to, and accessible from, the public-facing internet. Most device management interfaces are designed to be accessed from dedicated physical interfaces and/or management networks and are not meant to be accessible directly from the public internet.
CISA issued Binding Operational Directive (BOD) 23-02 to push the federal government to take steps toward reducing the attack surface created by insecure or misconfigured management interfaces across certain classes of devices. The BOD requires networked management interface(s) (NMIs) using certain protocols over the internet to be removed from the public internet or to be protected by capabilities that enforce access control to the interface through a policy enforcement point separate from the interface itself as part of a Zero Trust Architecture (ZTA) within 14 days of discovery.
We also recommend reviewing all hosts with potentially risky open services, especially if they are functioning as networked management interfaces, to ensure that each service is intended to be available to the public and, where applicable, the service is up-to-date on the latest version, correctly configured, and uses strong authentication.
You can find a list of potentially risky services detected as available on your external network within this report's potentially-risky-services.csv attachment. In it, there is a column which denotes those that may be associated with NMIs to help with prioritization.
For the Non Fed reports, reword the body as the following
Threat actors often use certain classes of network devices to gain unrestricted access to organizational networks leading to full scale compromises. Inadequate security, misconfigurations, and out of date software make these devices more vulnerable to exploitation. The risk is further compounded if device management interfaces are connected directly to, and accessible from, the public-facing internet. Most device management interfaces are designed to be accessed from dedicated physical interfaces and/or management networks and are not meant to be accessible directly from the public internet.
CISA recommends that networked management interface(s) (NMIs) using certain protocols over the internet be removed from the public internet or be protected by capabilities that enforce access control to the interface through a policy enforcement point separate from the interface itself as part of a Zero Trust Architecture (ZTA).
We also recommend reviewing all hosts with potentially risky open services, especially if they are functioning as networked management interfaces, to ensure that each service is intended to be available to the public and, where applicable, the service is up-to-date on the latest version, correctly configured, and uses strong authentication.
You can find a list of potentially risky services detected as available on your external network within this report's potentially-risky-services.csv attachment. In it, there is a column which denotes those that may be associated with NMIs to help with prioritization.
Note: This will be section 3 (numbers below will shift and table of contents will be changed). There probably won't be anything else that will fit on the page with this. See image below:
Add Table Below
Does a count for detected potentially risky services that falls under the BOD.
Add language below table
The details for these findings can be found within the “potentially-risky-services.csv” file located under "Appendix G: Attachments". You will need to ensure you open the report with a dedicated PDF reader (such as Adobe Acrobat), and click on the paper clip icon to the left of the CSV file in order to open it.
Full Image Below for Federal reports
Attachment Update Add a new column denoting "possible_nmi" to the potentially-risky-services.csv embedded attachment. This may already be captured in https://github.com/cisagov/cyhy-system/issues/88
Acceptance criteria
The VS report will have the following: