The White House has told government agencies to sign up to zero-trust security practices in a bid to boost their online protection.
A memo from the Office of Management and Budget (OMB), the White House’s budget management arm, advises all the heads of executive departments and agencies to move towards zero-trust, a cybersecurity model in which devices, apps, and individuals are “never trusted, and always verified”, and access to different resources is only given for the task at hand, with everything authenticated on a case-by-case basis.
Moving towards zero-trust, the memorandum further explains, will mean compiling a complete inventory of devices, implementing stronger identity and access controls, and making wider use of multi-factor authentication. The devices would need to be monitored as per the specifications set by the Cybersecurity and Infrastructure Security Agency (CISA). Simply running antivirus and a firewall won’t suffice, it seems.
Motivated by log4j
“In the face of increasingly sophisticated cyber threats, the Administration is taking decisive action to bolster the Federal Government’s cyber defenses,” said acting OMB director Shalanda Young.
“This zero-trust strategy is about ensuring the Federal Government leads by example, and it marks another key milestone in our efforts to repel attacks from those who would do the United States harm.”
One of the reasons that prompted the White House to publish this memo seems to be the recently discovered log4j flaw. The zero-day, which was first discovered late last year, affected countless online services, and was described as one of the most dangerous flaws ever discovered, due to its destructive potential, and the ease with which it can be exploited.
Apache has since issued multiple patches in an attempt to plug the hole.
“As our adversaries continue to pursue innovative ways to breach our infrastructure, we must continue to fundamentally transform our approach to federal cybersecurity,” added CISA director Jen Easterly.
“Zero trust is a key element of this effort to modernize and strengthen our defenses. CISA will continue to provide technical support and operational expertise to agencies as we strive to achieve a shared baseline of maturity.”
Via: The Verge