Closed KeithBonesJr closed 1 year ago
Update Cyber Exposure Scorecard to include asterisks for services flagged as the following
Add the following below the scorecard:
Image of Updated Scorecard
- [ ] Scorecard will be updated to have asterisks for potential NMIs
- [ ] Scorecard will have an annotation for * potentially risky services under BOD 23-02
@KeithBonesJr Please update the details of this issue to reflect an important wording change (unless I am mistaken). In several places, you refer to the "Cyber Exposure Scorecard" or the "Scorecard", however I think you mean to refer to the "Report Card" section within the customer CyHy (VS) report.
The Cyber Exposure Scorecard is a completely separate document from the customer CyHy (VS) report, so it's important that we are very clear with our wording here.
Please let me know if you have any questions about this.
Yes agreed @dav3r. I've updated all instances of scorecard.
Also @KeithBonesJr, you should remove TFTP from the list of services (in this issue description) that should have an asterisk in the "Potentially Risky Open Services" table in the Report Card because TFTP services are included under the FTP category in that table.
It's been updated @dav3r. Thanks! Let me know if there are any other changes you'd like for me to make.
@KeithBonesJr For the current BOD 22-01 section, we handle Federal Executive orgs slightly differently than non-Federal Executive orgs.
For Federal Executive orgs, that section is called "Binding Operational Directive 22-01 --- Reducing the Significant Risk of Known Exploited Vulnerabilities". For non-Federal Executive orgs, that section is called "Reducing the Significant Risk of Known Exploited Vulnerabilities".
If you look here, you can see the differences in language for the section header as well as some other content on that page. Content within `<<#owner_is_federal_executive>>` blocks is displayed for FedExec orgs, while content within `<<^owner_is_federal_executive>>` blocks is displayed for non-FedExec orgs.
Do you want to do something similar for the new BOD 23-02 section?
@dav3r I agree with that change. The BOD related stuff should be removed for non-fedExec orgs.
Great, can you please document in this issue what that section's header and content should be for FedExec and non-FedExec orgs?
Yes @dav3r, working on getting the new language/layout approved. Have my sync with @climber-girl tomorrow morning and will get some quick eyes over this.
@KeithBonesJr Since it isn't explicitly stated, for the "Potentially Risky Services Count" chart that you are asking for in the new BOD 23-02 section, do you want that chart to only show the 4 categories of potential NMI services (FTP, RDP, SMB, Telnet)? As opposed to all of the potentially risky services, which are already displayed in the Report Card section.
Yeah, I'd leave just those 4 categories for now, and then rename the chart "Potential NMI Service Counts" or something like that
@KeithBonesJr @climber-girl Here's how it will look for Federal Executive orgs (you can ignore the "DRAFT" watermark in the background):
Note: The bar colors will be the same for each NMI category; this makes the code simpler and also more robust if the number of NMI categories ever changes. I chose yellow as the color for the bars, but if you prefer something different, it can be switched to either blue, orange, or red (those are our existing low/med/high/critical severity colors in the report).
Let me know when you have figured out the text for non-FedExec orgs.
@climber-girl @AbeB999 please review when you have a chance.
~As part of BOD 23-02 <--- Should be hyperlinked to https://www.cisa.gov/news-events/directives/binding-operational-directive-23-02, n~ Network management interface(s) (NMIs) using certain network protocols over the internet ~must~ should be removed from the network or have Zero Trust Architecture (ZTA) protection implemented. NMIs exposed to the public internet ~must~ should either be removed from the public internet or protected by capabilities that enforce access control to the interface through a policy enforcement point separate from the interface itself as part of a Zero Trust Architecture.
CISA ~is supporting the directive by providing~ provided a list of the potentially risky services within the potentially-risky-services.csv attachment within the agency’s weekly Cyber Hygiene report. We also recommend reviewing hosts with potentially risky open services (e.g. RDP, Telnet, etc.), especially if they are functioning as networked management interfaces, to ensure that each service is intended to be available to the public and, where applicable, the service is up-to-date on the latest version, correctly configured, and uses strong authentication.
How about the following for the body of the Non-Fed reports?
> Threat actors often use certain classes of network devices to gain unrestricted access to organizational networks leading to full scale compromises. Inadequate security, misconfigurations, and out of date software make these devices more vulnerable to exploitation. The risk is further compounded if device management interfaces are connected directly to, and accessible from, the public-facing internet. Most device management interfaces are designed to be accessed from dedicated physical interfaces and/or management networks and are not meant to be accessible directly from the public internet.
>
> CISA recommends that networked management interface(s) (NMIs) using certain protocols over the internet be removed from the public internet or be protected by capabilities that enforce access control to the interface through a policy enforcement point separate from the interface itself as part of a Zero Trust Architecture (ZTA).
>
> We also recommend reviewing all hosts with potentially risky open services, especially if they are functioning as networked management interfaces, to ensure that each service is intended to be available to the public and, where applicable, the service is up-to-date on the latest version, correctly configured, and uses strong authentication.
>
> You can find a list of potentially risky services detected as available on your external network within this report's potentially-risky-services.csv attachment. In it, there is a column which denotes those that may be associated with NMIs to help with prioritization.
For the Fed reports, can we reword the body as the following?
> Threat actors often use certain classes of network devices to gain unrestricted access to organizational networks leading to full scale compromises. Inadequate security, misconfigurations, and out of date software make these devices more vulnerable to exploitation. The risk is further compounded if device management interfaces are connected directly to, and accessible from, the public-facing internet. Most device management interfaces are designed to be accessed from dedicated physical interfaces and/or management networks and are not meant to be accessible directly from the public internet.
>
> CISA issued Binding Operational Directive (BOD) 23-02 to push the federal government to take steps toward reducing the attack surface created by insecure or misconfigured management interfaces across certain classes of devices. The BOD requires networked management interface(s) (NMIs) using certain protocols over the internet to be removed from the public internet or to be protected by capabilities that enforce access control to the interface through a policy enforcement point separate from the interface itself as part of a Zero Trust Architecture (ZTA) within 14 days of discovery.
>
> We also recommend reviewing all hosts with potentially risky open services, especially if they are functioning as networked management interfaces, to ensure that each service is intended to be available to the public and, where applicable, the service is up-to-date on the latest version, correctly configured, and uses strong authentication.
>
> You can find a list of potentially risky services detected as available on your external network within this report's potentially-risky-services.csv attachment. In it, there is a column which denotes those that may be associated with NMIs to help with prioritization.
@KeithBonesJr @climber-girl If the language above is finalized, can you please let me know and also update the info in this issue description above to reflect the finalized language?
It's good to go @dav3r! I added in the language approved by @climber-girl as well as updated the requirements sections for non-federal and federal. Let me know if you have any additional questions.
Resolved via https://github.com/cisagov/cyhy-reports/pull/89.
💡 Summary
Please update the language, table, and csv for the main VS report in support of BOD 23-02.
Motivation and context
Internal and external stakeholders need to have potentially risky services covered by the BOD identified explicitly in the report. Currently we have a table that covers potentially risky services; however, nothing specifies that this is covered under the new BOD.
Implementation notes
Update Cyber Hygiene Report Card to include asterisks for services flagged as the following:
Add the following below the potentially risky services image on the Cyber Hygiene Report Card page:
Image of Updated Potentially Risky Services Image
Language Update
Add the following to a new section (on a new page) right after BOD 22-01.
For the Fed reports, reword the body as the following:
Threat actors often use certain classes of network devices to gain unrestricted access to organizational networks leading to full scale compromises. Inadequate security, misconfigurations, and out of date software make these devices more vulnerable to exploitation. The risk is further compounded if device management interfaces are connected directly to, and accessible from, the public-facing internet. Most device management interfaces are designed to be accessed from dedicated physical interfaces and/or management networks and are not meant to be accessible directly from the public internet.
CISA issued Binding Operational Directive (BOD) 23-02 to push the federal government to take steps toward reducing the attack surface created by insecure or misconfigured management interfaces across certain classes of devices. The BOD requires networked management interface(s) (NMIs) using certain protocols over the internet to be removed from the public internet or to be protected by capabilities that enforce access control to the interface through a policy enforcement point separate from the interface itself as part of a Zero Trust Architecture (ZTA) within 14 days of discovery.
We also recommend reviewing all hosts with potentially risky open services, especially if they are functioning as networked management interfaces, to ensure that each service is intended to be available to the public and, where applicable, the service is up-to-date on the latest version, correctly configured, and uses strong authentication.
You can find a list of potentially risky services detected as available on your external network within this report's potentially-risky-services.csv attachment. In it, there is a column which denotes those that may be associated with NMIs to help with prioritization.
For the Non-Fed reports, reword the body as the following:
Threat actors often use certain classes of network devices to gain unrestricted access to organizational networks leading to full scale compromises. Inadequate security, misconfigurations, and out of date software make these devices more vulnerable to exploitation. The risk is further compounded if device management interfaces are connected directly to, and accessible from, the public-facing internet. Most device management interfaces are designed to be accessed from dedicated physical interfaces and/or management networks and are not meant to be accessible directly from the public internet.
CISA recommends that networked management interface(s) (NMIs) using certain protocols over the internet be removed from the public internet or be protected by capabilities that enforce access control to the interface through a policy enforcement point separate from the interface itself as part of a Zero Trust Architecture (ZTA).
We also recommend reviewing all hosts with potentially risky open services, especially if they are functioning as networked management interfaces, to ensure that each service is intended to be available to the public and, where applicable, the service is up-to-date on the latest version, correctly configured, and uses strong authentication.
You can find a list of potentially risky services detected as available on your external network within this report's potentially-risky-services.csv attachment. In it, there is a column which denotes those that may be associated with NMIs to help with prioritization.
Note: This will be section 3 (numbers below will shift and table of contents will be changed). There probably won't be anything else that will fit on the page with this. See image below:
Add Table Below
Shows a count of detected potentially risky services that fall under the BOD.
Add language below table
The details for these findings can be found within the “potentially-risky-services.csv” file located under "Appendix G: Attachments". You will need to ensure you open the report with a dedicated PDF reader (such as Adobe Acrobat), and click on the paper clip icon to the left of the CSV file in order to open it.
Full Image Below for Federal reports
Attachment Update
Add a new column denoting "possible_nmi" to the potentially-risky-services.csv embedded attachment. This may already be captured in https://github.com/cisagov/cyhy-system/issues/88
Acceptance criteria
The VS report will have the following:
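The flagging, counting and CSV-column logic discussed in this thread (the four potential NMI categories FTP, RDP, SMB and Telnet, with TFTP folded under FTP as noted above, the "Potential NMI Service Counts" chart data, the Report Card asterisk, and the `possible_nmi` column), written out as an added example; this is not cyhy-reports code, and the service-name-to-category mapping and the sample rows are constructed assumptions for illustration.

```python
"""Added example (not cyhy-reports code): flag potentially risky services that
may be network management interfaces (NMIs), count them per category for the
"Potential NMI Service Counts" chart, and emit the possible_nmi CSV column."""
import csv
import io
from collections import Counter

# The four potential NMI categories named in the issue. TFTP is folded under
# FTP, as the Report Card table does. Service-name keys are an assumption.
NMI_CATEGORIES = {
    "ftp": "FTP", "tftp": "FTP",
    "ms-wbt-server": "RDP", "rdp": "RDP",
    "microsoft-ds": "SMB", "netbios-ssn": "SMB", "smb": "SMB",
    "telnet": "Telnet",
}
CHART_ORDER = ("FTP", "RDP", "SMB", "Telnet")

def nmi_category(service_name):
    """Return the potential NMI category for a service name, or None."""
    return NMI_CATEGORIES.get(service_name.lower())

def flag_possible_nmi(rows):
    """Return copies of the risky-service rows with possible_nmi added."""
    flagged = []
    for row in rows:
        cat = nmi_category(row["service"])
        flagged.append(dict(row, possible_nmi=cat is not None, nmi_category=cat or ""))
    return flagged

def nmi_counts(flagged_rows):
    """Per-category counts for the chart; all four categories are zero-filled
    so the chart shape is stable even when a category has no findings."""
    found = Counter(r["nmi_category"] for r in flagged_rows if r["possible_nmi"])
    return {cat: found.get(cat, 0) for cat in CHART_ORDER}

def report_card_label(category):
    """Report Card row label: asterisk marks categories covered by BOD 23-02."""
    return category + ("*" if category in CHART_ORDER else "")

def to_csv(flagged_rows):
    """Render potentially-risky-services.csv with the new possible_nmi column."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["ip", "port", "service", "possible_nmi"],
                            extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    writer.writerows(flagged_rows)
    return buf.getvalue()

SAMPLE_ROWS = [  # constructed sample data (TEST-NET addresses), not scan output
    {"ip": "192.0.2.10", "port": 21, "service": "ftp"},
    {"ip": "192.0.2.10", "port": 69, "service": "tftp"},
    {"ip": "192.0.2.11", "port": 3389, "service": "ms-wbt-server"},
    {"ip": "192.0.2.12", "port": 23, "service": "telnet"},
    {"ip": "192.0.2.13", "port": 1433, "service": "ms-sql-s"},  # risky, not an NMI category
]
```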