We all know CISA as the governing agency for federal cybersecurity and the national operating hub for critical infrastructure security. But what are the free critical cyber hygiene services provided by the Cybersecurity and Infrastructure Security Agency (CISA), and how can you take advantage of them in your organization?
What is CISA?
CISA defines itself as “the Nation’s risk advisor” and explains how it is integral to mobilizing a collective defense to best manage risk to critical infrastructure. Despite being a federal agency, they work with both the public and private sectors, leveraging resources wherever they can find them: the Federal Government, commercial vendors, or their own means.
Why Does CISA Offer Free Cyber Hygiene Services?
U.S. critical infrastructure is often under attack, yet many critical infrastructure organizations lack the resources to defend against today’s level of cybercrime. When those sectors are compromised, the consequences can jeopardize national security, such as power outages, healthcare IoT device takeovers, or a poisoned water supply.
The Cybersecurity and Infrastructure Security Agency provides free cyber hygiene services to help U.S.-based governments (federal, state, local, tribal and territorial) and critical infrastructure organizations (both public and private) reduce their exposure to today’s threat landscape; nation state actors, advanced malware, social engineering, AI-driven risks, polymorphic malware, web-based threats, and more.
Elements that are increasingly exposed – and which represent a risk to “public safety, human life, and national security” include:
- Industrial Internet of Things (IIoT)
- Supervisory Control and Data Acquisition (SCADA) Systems
- Industrial Control Systems (ICS)
- Remote Access Technologies
And other critical assets.
What Are CISA’s Free Cyber Hygiene Services?
The free cyber hygiene services which CISA provides are:
- Vulnerability Scanning
- Web Application Scanning
Vulnerability Scanning
Vulnerability scanning is a preventative measure that automatically scans systems and identifies and reports potential network weaknesses before an attacker finds them first. Good vulnerability management will prioritize those weaknesses, alerting you of which presents the greatest threat and where you should channel resources. Continuous vulnerability management automatically scales as you grow, giving you continuous coverage into the vulnerabilities in your organization as new devices, systems, and applications get integrated in over time – occurrences that could introduce new levels of risk.
CISA’s vulnerability scanning services “continuously [monitor] and [assess] internet-accessible network assets (public, static IPv4 addresses) to evaluate their host and vulnerability status.” Within this service, you’ll receive:
- Weekly reports of all findings
- Ad-hoc alerts notifying you of any findings classified as urgent. These include known exploited vulnerabilities and potentially risky services.
Web Application Scanning
Basic web application attacks are the source of a vast number of preventable errors. It’s not always the latest ransomware strain or an advanced persistent threat (APT) that manages to wind its way into a system, but it’s often something as elementary as a cross-site scripting attack or injection error. The Verizon 2023 DBIR illustrates how many of these attacks are successful; out of 1,404 breach attempts, 1,315 had confirmed data exposure (94%).
Web application scanning, therefore, plays a vital role in batting down a lot of the low-hanging fruit attackers use to wind their way into critical infrastructure. CISA’s web application scanning services “deep-dives into publicly accessible web applications to uncover vulnerabilities and misconfigurations that attackers could exploit.” The comprehensive evaluation includes OWASP Top Ten vulnerabilities or the most critical web vulnerabilities at any one time. It also includes:
- Detailed monthly reports
- On-demand reports to keep you current on the security status of your web applications.
The Benefits of CISA’s Free Cyber Hygiene Services
The services are performed by the Cybersecurity and Infrastructure Security Agency’s highly trained information security experts, who are “equipped with top-of-the-line tools.”
For many under-resourced critical infrastructure organizations, these resources will represent their only affordable access to state-of-the-art cybersecurity or government-level security services. In addition to the invaluable value of expertise and enterprise-grade solutions, CISA’s free services empower organizations to:
- Reduce risk, with most organizations seeing their risk exposure lower by 40% in the first year and most noticing a difference within the first three months.
- Improve response by generating fewer false positives thanks to the integration of vulnerability management with existing threat detection and risk management efforts. This match-up helps security teams know which threats to focus on, and so address alerts with greater effectiveness and accuracy.
- Know your network better than attackers. You can either find your vulnerabilities first, or attackers can find them for you. A solid vulnerability management strategy helps prevent the latter.
And most importantly, make risk-informed decisions. You can’t shoot very well in the dark. CISA’s free cyber hygiene services help you identify and inventory your assets and give you daily alerts on threats to your environment. When critical infrastructure organizations know the scope of their security horizons and when a threat crosses the threshold, they are in the best position to make a choice that can outsmart attackers.
An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation, and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire, and many other sites.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.