
CISA needs to rally citizen cybersecurity army
The Cybersecurity and Infrastructure Security Agency (CISA) is advising organizations to implement a series of steps to thwart social engineering and phishing attacks. The steps span everything from making sure Domain-based Message Authentication, Reporting, and Conformance (DMARC) for received emails is turned on to defining denylists at the email gateway and enabling firewall rules to prevent malware infestations.
Recognizing that most cyberattacks can be traced back to stolen credentials, CISA is also encouraging organizations to regularly train end users to both identify suspicious emails and links and document and report them as part of an incident response plan.
In effect, CISA is attempting to mobilize an army of IT administrators to better secure messaging systems that, while critical to the global economy, have been weaponized by cybercriminals.
At the core of that effort is DMARC, which, along with the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), verifies the server that sent an email against a set of published rules. If an email fails the check, it is deemed a spoofed email address, and the mail system will quarantine and report it as malicious. Just as importantly, DMARC reports provide a mechanism for notifying the owner of a spoofed domain that they need to alert the Internet Corporation for Assigned Names and Numbers (ICANN) and registrars to take down that site.
CISA is also encouraging organizations to implement multifactor authentication (MFA) to make themselves more resistant to phishing attacks. It also recommends these best practices:
- Monitor messaging systems
- Restrict administrative rights on endpoints and maintain the least privilege approach to end-user accounts
- Create application whitelists and block macros by default
- Implement remote browser isolation and free tools that detect malware in the browser
- Adopt free tools, such as OpenDNS Home, to prevent traffic from being redirected to malicious websites
Additionally, when resources allow, CISA is encouraging organizations to adopt identity and access management (IAM) and single sign-on (SSO) capabilities.
Most cybersecurity professionals are generally familiar with most of these tools, but there are millions of organizations where one, maybe two, IT administrators provide a very thin line of defense. In addition to being responsible for cybersecurity, these same individuals are responsible for everything from managing networks to configuring printers. In many cases, they are office managers who have assumed responsibility for IT alongside a host of other tasks that include everything from basic accounting to ordering lunch.
The odds these individuals found the time to discover a CISA advisory are remote. Many of them don’t even know CISA exists. If governments want to recruit these people to help defend the integrity of IT environments from attacks by well-organized cybercriminals, there needs to be a lot more outreach. It may not be possible to personally visit everyone, but if the Federal government is serious about cybersecurity education, it needs to find ways to reach the people who manage IT environments where they live and work. Events and seminars at the local library are, for example, going to ultimately have a bigger impact than any public service announcement (PSA). Government agencies would be better off investing in training instructors to teach and, just as critically, motivate the folks who are on the frontline of a global war for cybersecurity.
Otherwise, the citizen army needed to win that war will continue to remain largely oblivious to just how much of a difference they might actually make.
