Check out the new cloud security requirements for federal agencies. Plus, beware of North Korean government operatives posing as remote IT pros. Also, learn how water plants can protect their HMIs against cyberattacks. And get the latest on the U.S. cyber incident response framework; the CIS Benchmarks; and local and state governments’ cyber challenges. Dive into six things that are top of mind for the week ending Dec. 20.
1 – CISA issues cloud security mandate for federal agencies
To boost its cloud security, the U.S. government this week released a set of cybersecurity actions that federal civilian agencies will be required to take during the first half of 2025, mostly focused on applying secure configuration baselines to their cloud apps. The mandate to secure cloud environments comes via the Binding Operational Directive (BOD) 25-01, titled “Implementing Secure Practices for Cloud Services”, from the Cybersecurity and Infrastructure Security Agency (CISA). “Malicious threat actors are increasingly targeting cloud environments and evolving their tactics to gain initial cloud access. The actions required by agencies in this Directive are an important step in reducing risk to the federal civilian enterprise,” CISA Director Jen Easterly said in a statement. The guidance, while applicable only to U.S. federal civilian agencies, can be helpful to all organizations in the public and private sectors, Easterly added. Its foundation is CISA’s Secure Cloud Business Applications (SCuBA) project, which offers recommendations for hardening the configuration of cloud services. 
These are the directive’s cloud security requirements at a high level: Identify all cloud tenants by February 21, 2025, and update this inventory annually. Deploy all assessment tools from CISA’s SCuBA project by April 25, 2025, and report assessment results to CISA. Implement all mandatory SCuBA policies by June 20, 2025. Implement all future updates to mandatory SCuBA policies. Implement all mandatory SCuBA secure configuration baselines. Agencies may deviate from mandatory SCuBA policies if needed, but they’ll have to identify these deviations and explain them to CISA. To learn more about cloud security, check out these Tenable resources: “Establishing a Cloud Security Program: Best Practices and Lessons Learned” (blog) “Empower Your Cloud: Mastering CNAPP Security” (white paper) “Know Your Exposure: Is Your Cloud Data Secure in the Age of AI?” (on-demand webinar) “Harden Your Cloud Security Posture by Protecting Your Cloud Data and AI Resources” (blog) “10 Considerations for Securing Stateful Persistent Volumes Attached to Kubernetes Pods and Applications” (white paper)
2 – Feds: North Korea plants IT workers to commit fraud in the U.S.
In a years-long fraud scheme, North Korean IT workers have gotten jobs in the U.S. using fake identities, and then have gone on to steal information, such as proprietary source code, and extort their employers. That’s according to the U.S. Department of Justice, which recently indicted 14 North Korean nationals, charging them with sanctions violations, wire fraud, money laundering and identity theft. The suspects worked as remote IT professionals for front companies controlled by the North Korean government. The six-year cyber conspiracy netted North Korea’s government at least $88 million, as it banked the IT workers’ hefty salaries and extortion payments. North Korea reportedly uses the money to fund its weapons-development efforts. The North Korean IT workers got jobs with U.S. firms using fake identities crafted via the use of phony email addresses, fictitious social media profiles, fraudulent payment platform accounts, bogus job site profiles and sham websites; and by hiding their tracks with proxy computers and virtual private networks. 
They also duped U.S. residents into unwittingly helping them by recruiting them to receive and set up laptops in their homes, which the fraudsters would then access remotely. That way, victimized employers would think the hired IT workers were based in the U.S. The indictment “… should serve as a warning to companies around the globe, be on alert for this malicious activity by the DPRK regime,” Deputy Attorney General Lisa Monaco said in a statement. The DOJ is offering a reward of up to $5 million for more information about this fraud scheme and about those involved with the North Korean front companies Yanbian Silverstar and Volasys Silverstar, based in China and Russia, respectively. The U.S. government issued its first alert about North Korea’s attempts to plant IT workers in the U.S. in 2022 and updated it in 2023 with more due diligence recommendations for employers to avoid falling for the scam. Employers in other countries have also fallen victim to this North Korean IT worker scam. For more information: “‘How not to hire a North Korean plant posing as a techie’ guide” (The Register) “Staying a Step Ahead: Mitigating the DPRK IT Worker Threat” (Google Cloud) “Advisory on the Democratic People’s Republic Of Korea IT Workers” (South Korea Ministry of Foreign Affairs) “Advisory on North Korean IT Workers” (UK Office of Financial Sanctions) “Advisory on Democratic People’s Republic of Korea IT workers” (Australia Department of Foreign Affairs and Trade) VIDEO North Korean nationals indicted in scheme using IT workers to funnel money for weapons programs (KSKD News)
3 – Water treatment plants get tips for securing HMIs
Identifying human-machine interfaces (HMIs) as a weak cyber link in many water treatment plants, the U.S. government has published recommendations for protecting these operational technology (OT) components. The fact sheet “Internet-Exposed HMIs Pose Cybersecurity Risks to Water and Wastewater Systems” is aimed at helping water and wastewater systems facilities harden remote access to HMIs. Using HMIs, OT operators are able to read supervisory control and data acquisition (SCADA) systems connected to programmable logic controllers (PLCs). By tampering with HMIs, hackers could disrupt water and wastewater treatment, endangering people’s health. 
Here are some of the recommendations in the fact sheet, which was jointly published by CISA and the Environmental Protection Agency: Inventory all internet-exposed devices. Identify HMIs that don’t need to be accessible from the internet and take them offline. Secure with a strong password the HMIs that must be connected to the internet. Track remote logins to HMIs, including failed and atypical attempts. Protect with multifactor authentication and a strong password the HMI and OT network. Segment your network by adding a DMZ or bastion host at the OT network boundary; and by implementing geo-fencing. For more information about securing operational technology (OT) systems in water plants, check out these Tenable resources: “Protecting Public Water Systems from Cyberattacks” (solution overview) “EPA to dial up enforcement of cyber requirements for water systems” (blog) “Safeguarding Your Water Utility” (on-demand webinar) “Enhancing Critical Infrastructure Cybersecurity for Water Utilities” (infographic) “The Constant Drip: EPA Water Regulations, Funding Sources, And How Tenable Can Help” (on-demand webinar)
4 – U.S. publishes national cyber incident response plan update
Curious about how the U.S. government would respond to a major cybersecurity crisis? Now you can find out, and give your opinion about it. CISA has just released an update to the U.S. National Cyber Incident Response Plan (NCIRP), whose current version dates back to 2016, and is asking for the public to comment on it. The NCIRP update has been in the works since October 2023. “CISA is seeking more perspectives to help strengthen the NCIRP and invites stakeholders from across the public and private sectors to share their knowledge and experiences, further informing our findings and contributing to this revision,” CISA said in a statement. The NCIRP aims to provide a flexible, agile, coherent and repeatable framework for how the U.S. federal, state and local governments, along with the private sector and international partners, will collaborate to respond to a major cybersecurity incident. “This draft NCIRP Update leverages the lessons learned over the past several years to achieve a deeper unity of effort between the government and the private sector,” CISA Director Jen Easterly said in a statement. 
The NCIRP addresses coordination mechanisms, decision points and priority activities; and it focuses on four aspects of the cyber response: Asset response to assist affected parties in protecting their assets Threat response, which would be led by federal law enforcement agencies like the Department of Justice and the FBI Intelligence support, which would be overseen by the Office of the Director of National Intelligence (ODNI) Affected entity response, led by the affected federal agencies in coordination with CISA (civilian agencies); the U.S. Cyber Command (Defense Department agencies); or the IC Security Coordination Center (intelligence agencies) You can provide feedback on the new NCIRP in the Federal Register. The public comment period ends on January 15, 2025. For more information about cyber incident response planning: “13 incident response best practices for your organization” (TechTarget) “10 Best Practices for Incident Response Plans” (Daily.dev) “How to build an incident response plan, with examples, template” (TechTarget) “How to effectively detect, respond to and resolve cyber incidents” (UK National Cyber Security Centre) “Best Practices for Cyber Crisis Management” (ENISA)
5 – CIS updates Benchmarks for Cisco, Google, Microsoft products
Cisco IOS XE, Google Kubernetes Engine and Microsoft 365 are among the products whose CIS Benchmarks got updated in November by the Center for Internet Security. Specifically, these secure-configuration recommendations were updated: CIS Cisco IOS XE 17.x Benchmark v2.1.1 CIS Google Kubernetes Engine (GKE) AutoPilot Benchmark v1.1.0 CIS Google Kubernetes Engine (GKE) Benchmark v1.7.0 CIS Microsoft 365 Foundations Benchmark v4.0.0 CIS Red Hat Enterprise Linux 8 STIG Benchmark v2.0.0
In addition, CIS released a brand new Benchmark: CIS Microsoft Azure Storage Services Benchmark v1.0.0. The CIS Benchmarks’ secure-configuration guidelines are designed to help organizations harden products against attacks. Currently, CIS offers more than 100 Benchmarks for 25-plus vendor product families in categories including: cloud platforms databases desktop and server software mobile devices operating systems To get more details, read the CIS blog “CIS Benchmarks December 2024 Update.” For more information about the CIS Benchmarks list, check out its home page, as well as: “Getting to Know the CIS Benchmarks” (CIS) “Security Via Consensus: Developing the CIS Benchmarks” (Dark Reading) “How to Unlock the Security Benefits of the CIS Benchmarks” (Tenable) “CIS Benchmarks Communities: Where configurations meet consensus” (Help Net Security) “CIS Benchmarks: DevOps Guide to Hardening the Cloud” (DevOps)
6 – Local gov’t cybersecurity hurt by lack of funds, complex threats
Insufficient funding and more sophisticated threats top the list of cybersecurity concerns among U.S. state and local governments. That’s according to the “2023 Nationwide Cybersecurity Review (NCSR),” a free cybersecurity assessment program from the Center for Internet Security (CIS). The 4,210 state, local, tribal and territorial government organizations that participated also reported being concerned about: emerging technologies lack of cyber incident-documentation processes difficulty finding qualified cybersecurity professionals 
On the positive side, the number of program participants increased 14%, with K-12 school districts recording their highest participation ever. Returning participants saw their cyber maturity level increase by an average of 4%. Those that have participated at least two years scored 23% higher in cyber maturity, while those with nine years in the program scored 41% higher. Overall, NCSR participants are doing a good job monitoring and protecting their IT environments. They also have incident response plans in place, as well as access-control policies. Areas for improvement include: Risk management Disaster recovery plans Cyber team understaffing 
First seen on securityboulevard.com
