Protecting U.S. Critical National Infrastructure: A Guide to Shields Up and Shields Ready

When cyberattacks on US entities began to escalate at an unprecedented rate in 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) took proactive measures to safeguard US information assets. Two highly successful security campaigns, Shields Up and Shields Ready, were consecutively established in the aftermath of the Russian invasion of Ukraine to help U.S. organizations defend against and respond to cyber threats.

The first initiative, Shields Up, remains one of CISA’s most successful defense campaigns, providing free assistance and information on cybersecurity to individuals and organizations to help them enhance their defenses and deal with attacks. The second campaign, Shields Ready, was launched following the success of Shields Up. It has a broader reach and sets out stronger protocols aimed at moving Critical National Infrastructure (CNI) entities towards protecting themselves against cyberattacks. The campaign also aligns with the Federal Emergency Management Agency’s (FEMA) Ready campaign, facilitating collaboration and resource-sharing across emergency management communities.

While each campaign is designed to help US organizations improve their cybersecurity defenses, they cater to different target audiences and offer curated resources, tools, and vetted best practices that vary in scale and focus to assist CNI entities. Concerned organizations in the education, healthcare, finance, energy, public service, and other critical sectors should not remain complacent by ignoring these valuable resources, which are provided by CISA at no cost. Instead, they should promptly make use of them, treating them as checklists to ensure they’ve covered all the required protocols.

What Does Shields Up Bring to the Table?

Shields Up encourages proactive participation to increase organizational vigilance in protecting against cyber threats to critical infrastructure. In this campaign, CISA offers several security resources and tools for free, such as cybersecurity evaluations, technical support after a breach, complimentary training, exercises, and a ransomware checklist. With a focus on encouraging cyber breach reporting, CISA has also extended round-the-clock support for users to reach out in case of suspicious cyber activity.

Some of the best free resources that the Shields Up campaign has made available are:

Note: While these resources are certainly helpful, they should not be mistaken for thorough vulnerability scanning measures. They are meant to provide basic levels of security for organizations that do not already have it. For instance, CISA’s vulnerability scanning tool specifically looks for 10 common causes of breaches in Microsoft Active Directory passwords; however, there are many more vulnerabilities out there.

How Does Shields Ready Help Critical Sector Infrastructure?

Shields Ready was designed to protect all critical sector organizations in the United States. Established in collaboration with the Department of Homeland Security (DHS), CISA, and FEMA, this campaign aims to equip and motivate CNI entities to prepare for potential retaliatory cyberattacks. 

It emphasizes strategic preparedness with a focus on building resilience into the systems, supply chains, facilities, and processes of CNI organizations. 

According to IBM, the five critical infrastructure sectors most affected by cyber attacks in the last two years (based on the overall data breach costs) are: healthcare, finance, pharmaceuticals, energy, and industrial.

Other critical sectors such as Transport, Education, Professional Services, and Communication are not far behind and also fall in the top target range of nation-state actors.

Securin’s recent report analyzed these attacks thoroughly, focusing specifically on ransomware incidents. The findings revealed that ransomware groups target entities with vulnerable defenses, high-value data, and substantial user bases. This often includes sectors like healthcare (with confidential patient records), education (containing sensitive information on minors), and finance (such as bank accounts and social security data). Additionally, there is a high likelihood of organizations in these sectors resorting to payouts to mitigate consequences and preserve reputation, especially if they lack the resources to effectively and promptly remediate the breach.

It is this deficit in protection, stemming from lack of knowledge and skilled resources, that CISA aims to address with Shields Ready. The campaign offers all CNI enterprises access to more than 870 custom sector-specific security guides and best practice instructional manuals that they can use to fortify their defenses. These guides offer easy-to-understand and critical-to-implement measures that will help organizations withstand an array of risks from cyberattacks to national disasters.

For Banks and Financial Organizations

  • The Financial Services Sector-Specific Plan, which advises creating a program for public-private cybersecurity exercises to boost incident response, expanding information sharing through the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the establishment of Treasury’s Financial Sector Cyber Intelligence Group (CIG), setting up joint working groups, and formalizing technical assistance coordination.
  • Stop Phishing at Phase One is a resource that describes phishing attack techniques and tools targeting accounts that lack MFA. It offers guidance for SMBs, software manufacturers, and large organizations on prevention, incident handling, and reporting. It also includes fact sheets on implementing phishing-resistant MFA and recommends free security tools like OpenDNS Home to prevent redirection to malicious websites.
  • CISA’s Mobile Cybersecurity Services Factsheet details the mobile cybersecurity services that can help enhance federal civilian mobile security. These services include a new Mobile Application Vetting (MAV) service to assess app security, Mobile Device Security (T-VIP) to detect device modifications, and Mobile Network Security to deploy protective DNS services.

For Educational Institutions

There are custom guides, including several for the K-12 sector such as:

  • Cyber Threats to K-12 Remote Learning Education discusses how to address cyber threats like doxing, phishing, domain spoofing, and software vulnerabilities. CISA also offers a video conferencing tool for school IT security, along with safety guidelines for application updates, password protection, participant vetting, and screen-sharing control.
  • K-12 School Security Guide (3rd Edition) and School Security Assessment Tool help schools improve safety measures by assessing physical security components. They focus on protection and mitigation strategies, covering equipment, personnel, policies, and training. Users receive tailored recommendations after completing the assessment.
  • Cybersecurity Guidance for K-12 Technology Acquisitions guides K-12 organizations on dealing with third-party vendors, encouraging them to request automatic security updates, robust logging, and multifactor authentication. They must also ensure vendors follow Secure by Design principles, demand pre-deployment vulnerability testing, and establish a vulnerability disclosure program.

In addition to the above, CISA also oversees SchoolSafety.gov, a comprehensive federal website offering a centralized hub for school safety resources, information, and basic tools. 

The education sector has successfully and proactively adopted CISA’s cybersecurity resources in almost all US states. For instance, more than 10 schools in Maine joined together to form the Shields Up Maine cohort, while several other prominent organizations like Miami University, the University of Utah, and El Monte Union High School District have implemented cybersecurity measures recommended by CISA, enhancing their resilience against cyber threats and ensuring the protection of sensitive data.

For Healthcare Providers

In healthcare, renowned organizations like the American Hospital Association and the American Optometric Association have embraced Shields Up. Other healthcare organizations can also benefit from this goldmine of resources, including:

Another good resource is Cyber Storm, a sort of cyberattack drill organized by CISA to enhance policy, coordination, and decision-making in cyber incident response. It helps different groups, including governments and private companies, work together to tackle cyber threats effectively.

Note: This is in no way equivalent to a full-scale penetration test; it is instead an exercise in incident response training and reporting.

These two campaigns, Shields Up and Shields Ready, have made a concerted effort to emphasize the importance of equipping US critical infrastructure entities with the necessary tools and resources to navigate and recover from disruptions effectively. In response, many U.S. organizations have begun to prioritize cybersecurity, adopting basic cybersecurity practices and vulnerability scanning from CISA to improve their attack surface protection.

“If you’re not talking about cybersecurity in the boardroom today, you’ll be doing it during or after an attack.”

– Brandon Wales, CISA’s Executive Director

What Do We Recommend?

Securin encourages users to capitalize on CISA’s sector-specific resources. Shields Up and Shields Ready offer a plethora of options for CNI organizations to bolster security and resilience, especially for those unable to afford managed security services and CTEM solutions amidst rising cyber threats. We also recommend following these best practices to enhance CNI security and resilience:

  • Strengthen security with multi-factor authentication
  • Prioritize software updates for known vulnerabilities
  • Verify data recovery capabilities and secure backups
  • Evaluate manual controls for essential systems
  • Improve network security by deactivating non-essential ports and protocols
  • Utilize CISA’s free cybersecurity services, including vulnerability scanning
  • Establish a crisis-response team with clearly defined roles and responsibilities

Talk with our experts to help fortify your defenses and strengthen your cybersecurity posture.
