Archive for CISA

CISA/FBI Warn of Ghost Ransomware Attacks in Over 70 Countries

Posted in Commentary with tags on February 20, 2025 by itnerd

The CISA, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint cybersecurity advisory warning of widespread Ghost ransomware attacks that have compromised organizations in more than 70 countries by exploiting outdated software and firmware on their internet-facing services:

Beginning early 2021, Ghost actors began attacking victims whose internet facing services ran outdated versions of software and firmware. This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China. Ghost actors, located in China, conduct these widespread attacks for financial gain. Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses.

Ghost actors rotate their ransomware executable payloads, switch file extensions for encrypted files, modify ransom note text, and use numerous ransom email addresses, which has led to variable attribution of this group over time. Names associated with this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Samples of ransomware files Ghost used during attacks are: Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.

Ghost actors use publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) and gain access to internet facing servers. Ghost actors exploit well known vulnerabilities and target networks where available patches have not been applied.

The FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Ghost ransomware incidents.

Roger Grimes, data-driven defense evangelist at KnowBe4, commented:

“The joint release has a few new surprises. One is that the ransomware groups move from initial compromise to deployment of ransomware very quickly, often on the same day. This is quite different from traditional ransomware groups that may have days, weeks, or even months from the initial access gained to the deployment of the ransomware. Second, the frequent use of Cobalt Strike. I see the use of Cobalt Strike by ransomware groups fairly common. If you’re not looking for and detecting Cobalt Strike instances, you’re just asking for trouble. Last, unpatched software and firmware (and zero-days) are involved in at least a third of successful compromises. Every organization has a patching process, but most don’t get it perfect and if one-third of all successful compromises involved finding and exploiting vulnerable software and firmware, it really should be a primary focus for all organizations. You can’t just make it one of the many things you do out of hundreds of things you do. It has to be something you focus on and dedicate significant resources to (as you also need to do to mitigate social engineering). Because if you don’t, you’ll miss something and become the next ransomware victim.”

I would recommend that anyone who is responsible for securing their organization from cyberattacks take a look at the Mitigations section of this advisory, as this is pretty serious.

CISA issues Medical Advisory on Qardio Heart Health app

Posted in Commentary with tags on February 14, 2025 by itnerd

The CISA has just issued an ICS Medical Advisory for the Qardio Heart Health app covering vulnerabilities that may expose private personal information to an attacker. Successful exploitation could allow an attacker to obtain sensitive information, cause a denial-of-service condition, or have other impacts. All of which are bad.

George McGregor, VP, Approov had this to say:

   “This recent vulnerability shows once more that mobile apps are the weakest link in the healthcare ecosystem and that it’s not just consumer access to PHI that is the issue.

   “Medical practitioner apps are increasingly used from personal devices, outside the security provided by campus networks. In addition, mobile apps have become a key means of access and control for every new medical device.

   “This is why the upcoming HIPAA Security Rule (https://www.regulations.gov/document/HHS-OCR-2024-0020-0001) must be updated to explicitly target known mobile app attack surfaces and eliminate the risks to US Healthcare posed by the proliferation of Healthcare apps.”

Given how much we all have become reliant on apps to manage our health in some way, this is not good news. But at least there is some good news coming in the form of the HIPAA rule that is inbound. Hopefully that will make something like this an edge case.

Trump Destroys America’s Cybersecurity Agenda

Posted in Commentary with tags on January 28, 2025 by itnerd

Over the past week, President Donald Trump repealed former President Joe Biden’s AI-focused executive order, issued in October 2023. The order had mandated that developers of advanced AI submit safety reports to the federal government. It also outlined plans for setting standards, revising procurement processes, and establishing the U.S. AI Safety Institute.

The new Trump administration also terminated all existing members of advisory committees that report to the Department of Homeland Security, which includes members of CISA’s Cyber Safety Review Board (CSRB), in alignment with DHS’s “commitment to eliminating the misuse of resources and ensuring that DHS activities prioritize our national security.”

The CSRB’s purpose has been to examine and assess cyber incidents and construct recommendations for improved security within the private and public sectors, providing advice to the Secretary of Homeland Security and the President. At the time of the dismissals, the board was reportedly deep in its investigation of Salt Typhoon, the Chinese hacking campaign that penetrated telecommunications companies and spied on the calls and messages of US citizens.

Other advisory boards that have been dismantled include the Artificial Intelligence Safety and Security Board, Critical Infrastructure Partnership Advisory Council, National Security Telecommunications Advisory Committee, National Infrastructure Advisory Council, and the USSS Cyber Investigations Advisory Board.

Dismissed members are welcome to submit reapplications for their posts.

Willy Leichter, CMO, AppSOC, commented:

  “As the Trump administration continues to throw wrenches into anything the Biden administration championed, there will inevitably be negative repercussions. This will delay or eliminate any proactive role for the US government in guiding AI technology. While you can argue that the private sector should drive this, the government has a legitimate role in issues around privacy and security. Gutting expertise and funding from federal agencies will inevitably put critical infrastructure, cyber security, and individual privacy at risk.”

Trump is putting the nation at risk. And this will come back to haunt the US sooner rather than later. There’s simply no other way to say it. You might want to remember that in four years time.

CISA shares guidance for Microsoft expanded logging capabilities

Posted in Commentary with tags on January 17, 2025 by itnerd

This week, CISA shared guidance for government agencies and enterprises on using expanded cloud logs in their Microsoft 365 tenants as part of their forensic and compliance investigations:

This playbook provides an overview of the newly introduced logs in Microsoft Purview Audit (Standard), which enable organizations to conduct forensic and compliance investigations by accessing critical events, such as mail items accessed, mail items sent, and user searches in SharePoint Online and Exchange Online. In addition, the playbook also discusses significant events in other M365 services such as Teams. Lastly, administration/enabling actions and ingestion of these logs to Microsoft Sentinel and Splunk Security Information and Event Management (SIEM) systems are covered in detail.

The desired outcome of this playbook is to empower enterprises seeking to operationalize these expanded cloud logs in their M365 tenant. It provides guidance on how to navigate to the logs within M365 and how to perform administration actions to enable the logs. A key outcome from the playbook is making the newly available logs an actionable part of enterprise cybersecurity operations. The analytical methodologies tied to using these logs to detect advanced threat actor behavior are covered in detail.
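As an added illustration (not part of the CISA playbook and not code from the original post), here is a small Python triage script run over constructed Purview Audit (Standard)-style records. It flags the cases the playbook calls out: mailbox reads by someone other than the owner, Sync-type access (whole-folder download), mail accessed or sent from an address outside a corporate egress allowlist, and user searches for sensitive terms. The record field names (`Operation`, `LogonType`, `OperationProperties` with `MailAccessType`, `QueryText`) follow the Office 365 Management Activity API schema as I understand it; verify them against your own tenant export. The allowlist, the sensitive-term list and the sample records themselves are assumptions to replace with your own.

```python
"""Triage Microsoft 365 Purview Audit (Standard) records for the mailbox-access,
send and search events the CISA playbook highlights. Added example, not CISA code."""
import json
from collections import Counter

# Constructed sample records (not from any real tenant). Field names follow the
# Office 365 Management Activity API / Exchange mailbox audit schema as I
# understand it; check them against your own Search-UnifiedAuditLog export.
SAMPLE_RECORDS_JSON = """
[
 {"CreationTime":"2025-01-15T09:02:11","Operation":"MailItemsAccessed","UserId":"alice@example.com",
  "LogonType":0,"ClientIPAddress":"203.0.113.10","ClientInfoString":"Client=OWA;Action=ViaProxy",
  "OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"False"}]},
 {"CreationTime":"2025-01-15T09:03:40","Operation":"MailItemsAccessed","UserId":"alice@example.com",
  "LogonType":0,"ClientIPAddress":"198.51.100.7","ClientInfoString":"Client=REST;Client=RESTSystem;;",
  "OperationProperties":[{"Name":"MailAccessType","Value":"Sync"},{"Name":"IsThrottled","Value":"False"}]},
 {"CreationTime":"2025-01-15T09:04:02","Operation":"MailItemsAccessed","UserId":"helpdesk@example.com",
  "MailboxOwnerUPN":"bob@example.com","LogonType":1,"ClientIPAddress":"203.0.113.10",
  "ClientInfoString":"Client=OWA;Action=ViaProxy",
  "OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"False"}]},
 {"CreationTime":"2025-01-15T09:10:55","Operation":"Send","UserId":"alice@example.com",
  "LogonType":0,"ClientIPAddress":"198.51.100.7","Item":{"Subject":"FW: Q4 customer list"}},
 {"CreationTime":"2025-01-15T09:12:30","Operation":"SearchQueryInitiatedExchange",
  "UserId":"alice@example.com","QueryText":"password"},
 {"CreationTime":"2025-01-15T09:15:00","Operation":"SearchQueryInitiatedSharePoint",
  "UserId":"carol@example.com","QueryText":"Q3 roadmap"}
]
"""

KNOWN_EGRESS_IPS = {"203.0.113.10"}                              # assumption: your corporate egress
SENSITIVE_TERMS = ("password", "ssn", "payroll", "credential")   # assumption: tune to your data


def load_sample():
    """Parse the constructed records above into a list of dicts."""
    return json.loads(SAMPLE_RECORDS_JSON)


def op_property(record, name):
    """Return the value of a named entry in OperationProperties, or None."""
    for prop in record.get("OperationProperties", []):
        if prop.get("Name") == name:
            return prop.get("Value")
    return None


def triage(records, known_ips=KNOWN_EGRESS_IPS, sensitive_terms=SENSITIVE_TERMS):
    """Return (user, operation, reason) tuples worth an analyst's attention."""
    findings = []
    for r in records:
        op, user, ip = r.get("Operation"), r.get("UserId"), r.get("ClientIPAddress")
        if op == "MailItemsAccessed":
            # LogonType 0 = owner, 1 = admin, 2 = delegate: anything but owner is notable
            if r.get("LogonType", 0) != 0:
                findings.append((user, op, f"non-owner access to {r.get('MailboxOwnerUPN')}"))
            # Sync access pulls whole folders: the classic post-compromise mailbox download
            if op_property(r, "MailAccessType") == "Sync":
                findings.append((user, op, "Sync (bulk) mailbox access"))
            if ip and ip not in known_ips:
                findings.append((user, op, f"mailbox access from unrecognised IP {ip}"))
        elif op == "Send":
            if ip and ip not in known_ips:
                findings.append((user, op, f"mail sent from unrecognised IP {ip}"))
        elif op in ("SearchQueryInitiatedExchange", "SearchQueryInitiatedSharePoint"):
            query = (r.get("QueryText") or "").lower()
            hits = [t for t in sensitive_terms if t in query]
            if hits:
                findings.append((user, op, f"search for sensitive term(s) {hits}"))
    return findings


def findings_per_user(findings):
    """Count findings per account so the noisiest identity rises to the top."""
    return Counter(user for user, _, _ in findings)


def main():
    findings = triage(load_sample())
    for user, op, reason in findings:
        print(f"{user:22} {op:32} {reason}")
    print(findings_per_user(findings))


if __name__ == "__main__":
    main()
```

In production the records would come from the Search-UnifiedAuditLog export or the Sentinel/Splunk ingest the playbook describes. The Sync check is the one worth keeping even if you drop the rest: an intruder holding a stolen token tends to pull whole folders rather than open messages one at a time, and that shows up as MailAccessType=Sync from a client string the mailbox owner has never used.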

Botond Botyánszki, founder and CTO at NXLog, commented:

“Compromised business email accounts remain the most common type of security breaches, underscoring the need for accurate and timely log collection and processing. Audit logs of relevant events — such as email activity, mailbox access, and user searches in Exchange Online and SharePoint Online — are vital for investigating potential intrusions and continuous monitoring can help detect and prevent breaches before it’s too late.”

“The release of the “Microsoft Expanded Cloud Logs Implementation Playbook” is a significant step forward in enhancing organizational security posture. The playbook empowers organizations to detect and respond to potential intruders targeting M365 more effectively, aligning with modern cybersecurity needs.”

“The newly added logs available with Microsoft Purview Audit (Standard) include events such as email items accessed, email items sent, user searches in SharePoint and OneDrive, and Exchange Online activities. These audit logs provide critical visibility into key actions, such as monitoring email access for unauthorized data access, tracking outbound email activity to detect possible exfiltration, and identifying unusual searches for sensitive files. The guidance on integrating these logs with SIEM solutions like Microsoft Sentinel and Splunk ensures that security teams can seamlessly leverage their existing tools for proactive threat hunting and incident response. This initiative underscores the importance of robust log management practices in a cloud-first world, empowering organizations to defend against advanced intrusion tactics effectively.”

Every organization should read this playbook from the CISA as it offers excellent guidance which will help them to better defend against cyberthreats which are always evolving.

CISA sees a 201% increase in enrolment for its Cyber Hygiene (CyHy) service

Posted in Commentary with tags on January 13, 2025 by itnerd

In a report released Friday, CISA said it saw a 201% increase in Cyber Hygiene (CyHy) service enrollment from critical infrastructure organizations from Aug. 1, 2022, through Aug. 31, 2024.

Some 7,791 critical infrastructure organizations enrolled in the agency’s vulnerability scanning service during that period. The following sectors led the surge:

  • Communications – 300% 
  • Emergency services – 268%
  • Critical manufacturing – 243%
  • Water and wastewater systems – 242%

CISA cited a steady decrease in the number of monitored exploitable services, from 12 services per CyHy enrollee in August 2022 to roughly 8 apiece. The number of Known Exploited Vulnerabilities (KEV) tickets also declined, with critical-severity KEVs falling 50% and high-severity KEVs dropping by 25%.

Remediation times for SSL vulnerabilities fell as well, with tickets resolved in less than 50 days, down from about 200 days as of August 2022.

CISA’s report also highlighted the high exposure rate of operational technology protocols to the public internet: 

  • 63% – Government services and facilities
  • 10% – IT
  • 10% – Energy
  • 5% – Healthcare

Lawrence Pingree, VP, Dispersive.io had this to say:

  “I think it’s admirable that CISA offers a free scanning service. It’s no surprise that enterprises leverage the free service to check for vulnerabilities, given you get a report regularly from the government for free (no cost). Seeking to find any vulnerabilities in your external attack surface is certainly one of the first priorities that enterprises should have. Keep in mind, it doesn’t necessarily represent the only way that attackers can breach an environment, and there’s no guarantee that a zero day isn’t used instead. Attackers just rotate to whatever they need to in order to accomplish their goals. So, if the external surface is too much of a challenge, they rotate to third parties, or malware+phishing, or even social engineering. The importance of my past research work in preemptive cyber defense (PCD) and automated moving target defense (AMTD) at Gartner was to point to the need to move to preemptive models instead of the whack-a-mole we play with vulnerabilities and patching.”

I am pretty impressed by this as it shows that organizations may actually be taking cybersecurity seriously. That is a good thing as we’ve seen what happens when cyber criminals are allowed to run wild.

Emily Phelps, Director, Cyware, follows with this:

  “CISA’s Cyber Hygiene service growth reflects the critical sectors’ increasing focus on cybersecurity, but the report also highlights persisting risks, like high exposure of operational technology protocols. Improved remediation times are encouraging, but organizations must go beyond addressing vulnerabilities to build resilience against evolving threats. Protecting critical infrastructure demands real-time threat detection, intel and defensive strategy sharing, coordinated responses, and robust strategies to secure essential services.”

CISA Issues Binding Operational Directive To Increase The Security Of Cloud Services

Posted in Commentary with tags on December 18, 2024 by itnerd

The CISA has recently put out a Binding Operational Directive on Implementing Secure Practices for Cloud Services:

Malicious threat actors have increasingly targeted cloud environments and evolved tactics to gain initial cloud access. In recent cybersecurity incidents, the improper configuration of security controls in cloud environments introduced substantial risk and resulted in actual compromises. To combat these threats, the Cybersecurity and Infrastructure Security Agency (CISA) initiated the Secure Cloud Business Applications (SCuBA) project. Through the SCuBA project, CISA developed Secure Configuration Baselines, providing consistent and manageable cloud security configurations and assessment tools, allowing agencies and CISA to improve security for Federal Civilian Executive Branch (FCEB) assets hosted in cloud environments. This Directive requires agencies to implement a set of SCuBA Secure Configuration Baselines for certain Software as a Service (SaaS) products widely used in the FCEB, deploy CISA developed automated configuration assessment tools to measure against the required baselines, integrate with CISA’s continuous monitoring infrastructure, and remediate deviations from the secure configuration baselines. These steps reduce risks highlighted by recent adversary activity and increase resiliency for FCEB agencies against cyber threats. 

Jim Routh, Chief Trust Officer, Saviynt had this comment:

“IT Hygiene is a way of describing an enterprise’s capabilities to identify IT assets, manage the configuration of those assets, apply vulnerability management to those assets and to update those assets when necessary. The new Directive from CISA is requiring federal agencies to improve their IT Hygiene for cloud hosted services supporting their needs. The configuration management requirements in cloud computing are different from IT assets hosted in proprietary data centers. Federal agencies with legacy infrastructure (non-cloud) must apply a different way to manage the configuration of cloud hosted IT assets that includes discovery, asset inventory management, configuration management and vulnerability management.”

Paul Zolfaghari, President, Saviynt, follows up with this:

“As we navigate an increasingly complex cyber landscape, the issuance of Binding Operational Directive 25-01 by the Cybersecurity and Infrastructure Security Agency (CISA) represents a pivotal advance in cloud security. This directive underscores our collective commitment to not only securing our nation’s digital infrastructure but also setting a benchmark for future cloud security measures. By mandating secure configuration baselines and integrating continuous monitoring, CISA is leading the charge in fortifying our federal networks against sophisticated cyber threats. This proactive approach is essential in ensuring the resilience and security of our cloud environments, and we are proud to support these vital initiatives.”

The CISA really has a great grasp as to what it needs to do to ensure that government does not become a target for threat actors. Private industry needs to copy what they are doing as they are really on the ball.

UPDATE: Chris Botelho, Sr. Solutions Engineer, LimaCharlie, adds this:

“The directive forces these agencies to modernize their security controls in order to better protect against malicious actors and software. Given the increase in activity of both nation-state actors and ransomware groups targeting third-parties that contract with the federal government rather than the federal government itself, it has become even more important to not only ensure federal systems are protected, but also the organizations that the federal government contracts with in order to protect data and prevent large-scale incidents. Malicious actors will always go for the weakest link in the chain, which currently are the SMBs that frequently don’t have the knowledge, time, expertise, or budget for implementing recommended security controls.

“Most of the controls being required by the directive are part of Microsoft’s own best practices and should already be in place. The controls and scanner are provided for free from CISA, so they can be implemented without any licensing costs. If an organization is using an enterprise M365 license, then they will likely have all the required controls available to them. However, organizations using F3 licenses or purchasing their M365 subscriptions through a third-party provider will likely need to upgrade their licenses or purchase additional licenses to gain access to the security controls required by the directive, such as Microsoft Purview. There will also be a time cost to implement the controls and update internal policies such as password management policies to reflect the new control requirements.

“Controls required by federal agencies frequently influence the controls implemented by private businesses both directly, through direct implementation of the controls based on the agency’s requirements, but also indirectly through regulatory bodies such as HITRUST and PCI-DSS that adopt the federal agency’s requirements as part of their own requirements. Additionally, by adopting federal controls, the effort required by leadership to create their own security controls is reduced while providing a tested and vetted method for ensuring the controls are implemented and can be easily tested through readily-available tools such as CISA’s SCuBA, without additional cost.

“The biggest challenge will be changing the user and management mindset for many of the historical security controls that no longer apply or work in today’s computing environments as well as the cost that would be involved if a business’s current license(s) don’t include the controls prescribed by the mandate. This could be something such as MFA, which may not be included in a business’s current service license and historically is seen by many as an unnecessary extra step, but significantly increases the authentication security of a business. Additionally, there may be regulations in place that a business has to follow that are in conflict with the CISA directive. For example, the new controls require that passwords are set to never expire. Historically, the industry standard was to change passwords every 60-90 days. However, research has shown that this actually decreases password security, but many organizations still do this because it has been the practice for decades and regulations such as PCI-DSS still require it.”

CISA releases International Plan to strengthen global collaboration on cyber threats related to critical infrastructure

Posted in Commentary with tags on October 31, 2024 by itnerd

Earlier this week, CISA released its 2025-2026 International Strategic Plan, aimed at enhancing global collaboration to address cyber threats to critical infrastructure.

The plan recognizes the intricate and geographically dispersed nature of cyber risks, emphasizing the importance of quickly sharing threat information and risk reduction guidance with international partners.

The plan sets out three goals for CISA to achieve over the 2025-2026 period:

  1. Bolster the Resilience of Foreign Infrastructure on which the US Depends – CISA will work with interagency and international partners to identify and understand which international systems and assets are critical and assess how they are vulnerable to create strategies to manage shared risks.
  2. Strengthen Integrated Cyber Defense – CISA plans to collaborate with partners, international organizations, and NGOs to shape global cybersecurity practices and standards, promoting widespread cyber safety and security.
  3. Unify Agency Coordination of International Activities – The CISA Stakeholder Engagement Division will create a governance structure to advise on international issues and clearly outline the agency’s international priorities. This will involve enhancing systematic information sharing across CISA to ensure situational awareness of ongoing and future international activities.

CISA will also focus on enhancing the skills of its workforce to better influence the international landscape including developing training programs for employees overseas and providing guidance on international affairs for all traveling staff.

“In following this plan, CISA will improve coordination with our partners and strengthen international relationships to reduce risk to the globally interconnected and interdependent cyber and physical infrastructure that Americans rely on every day,” CISA Director Jen Easterly commented.

Emily Phelps, Director, Cyware, commented:

“CISA’s 2025-2026 International Strategic Plan underscores the urgency of an interconnected approach to securing critical infrastructure across borders. As cyber threats grow increasingly complex and far-reaching, swift, collaborative information-sharing becomes essential to mitigate risks that could impact not just a single nation but the global landscape. CISA’s commitment to bolstering the resilience of international assets and systems vital to U.S. security reflects a forward-thinking acknowledgement of interdependencies in today’s cyber ecosystem. The focus on strengthening integrated cyber defenses and establishing clearer governance structures is a strategic leap towards a unified, cohesive response to these shared threats. This approach—fostering resilience, enhancing standards, and emphasizing interagency coordination—can set a precedent for global cybersecurity initiatives, reinforcing that collective defense is the linchpin in navigating future cyber challenges.”

A collective approach to defending critical infrastructure is the way to go. And once again I applaud the CISA in terms of leading the way. Hopefully other countries take this just as seriously as the CISA does.

CISA warns of Iranian initial access brokers targeting critical infrastructure 

Posted in Commentary with tags on October 17, 2024 by itnerd

Yesterday, CISA published a joint advisory stating that Iranian hackers are acting as initial access brokers: they break into critical infrastructure organizations to collect credentials and network data, which they then sell on cybercriminal forums to enable attacks by other threat actors.

The agencies warn that since October 2023, Iranian actors have used brute-force techniques such as password spraying, along with MFA ‘push bombing’ (also called MFA fatigue), to compromise user accounts and gain access to organizations.

Once threat actors obtain persistent access, they typically register their own devices with the organization’s MFA system, collect more credentials, escalate privileges, and learn about the breached systems and the network, allowing them to move laterally and identify other points of access and exploitation.

The agencies made numerous recommendations including but not limited to:

  • Reviewing authentication logs for failed logins
  • Looking for MFA registrations from unexpected locales or devices
  • Checking for suspicious privileged account use after resetting passwords 
  • Applying user account mitigations after password resets
  • Investigating unusual activity in typically dormant accounts
  • Scanning for unusual user agent strings

The alert is co-authored by the FBI, NSA, the Communications Security Establishment Canada, the Australian Federal Police, and the Australian Signals Directorate’s Australian Cyber Security Centre.
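To make the recommendations above concrete, here is an added Python example (mine, not code from the advisory or from any of the agencies) that runs three of the checks over constructed authentication log lines: a password-spray detector (one source, many distinct users failing in a short window), an MFA push-bombing detector (several prompts to one account ending in an approval), and a correlation step that flags successful logins and new MFA device registrations coming from a source already identified as spraying. The key=value log layout, the thresholds and the sample lines are assumptions; adapt the regex to whatever your identity provider exports.

```python
"""Detect password spraying, MFA push bombing and follow-on MFA registration
from authentication logs. Added example, not code from the CISA advisory."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). The key=value layout is an
# assumption; real sources (Entra ID sign-in logs, Okta, ADFS) need their own parser.
SAMPLE_LOG = """\
2024-10-10T02:00:01Z src=198.51.100.5 user=alice event=login_failed
2024-10-10T02:00:03Z src=198.51.100.5 user=bob event=login_failed
2024-10-10T02:00:05Z src=198.51.100.5 user=carol event=login_failed
2024-10-10T02:00:07Z src=198.51.100.5 user=dave event=login_failed
2024-10-10T02:00:09Z src=198.51.100.5 user=erin event=login_failed
2024-10-10T02:00:11Z src=198.51.100.5 user=frank event=login_failed
2024-10-10T02:00:13Z src=198.51.100.5 user=judy event=login_success
2024-10-10T02:01:00Z src=198.51.100.5 user=judy event=mfa_push_sent
2024-10-10T02:01:30Z src=198.51.100.5 user=judy event=mfa_push_denied
2024-10-10T02:02:00Z src=198.51.100.5 user=judy event=mfa_push_sent
2024-10-10T02:02:30Z src=198.51.100.5 user=judy event=mfa_push_denied
2024-10-10T02:03:00Z src=198.51.100.5 user=judy event=mfa_push_sent
2024-10-10T02:03:40Z src=198.51.100.5 user=judy event=mfa_push_sent
2024-10-10T02:03:55Z src=198.51.100.5 user=judy event=mfa_push_approved
2024-10-10T02:06:00Z src=198.51.100.5 user=judy event=mfa_device_registered
2024-10-10T03:00:00Z src=203.0.113.20 user=alice event=login_failed
2024-10-10T03:00:30Z src=203.0.113.20 user=alice event=login_success
2024-10-10T03:00:40Z src=203.0.113.20 user=alice event=mfa_push_sent
2024-10-10T03:00:50Z src=203.0.113.20 user=alice event=mfa_push_approved
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$")


def parse(log_text):
    """Turn log lines into dicts with a datetime 'ts'; lines that do not fit are skipped."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, min_users=5, window=timedelta(minutes=10)):
    """One source, many distinct users, few attempts each: the spray signature.
    Returns {src: set_of_users} for each source that crosses the threshold."""
    failures = defaultdict(list)                     # src -> [(ts, user), ...] in time order
    for e in events:
        if e["event"] == "login_failed":
            failures[e["src"]].append((e["ts"], e["user"]))
    hits = {}
    for src, attempts in failures.items():
        for i, (start, _) in enumerate(attempts):   # slide the window over each start point
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[src] = users
                break
    return hits


def detect_mfa_fatigue(events, min_pushes=3, window=timedelta(minutes=10)):
    """Several push prompts to one user inside the window, ending in an approval.
    Returns {user: number_of_pushes_before_the_approval}."""
    pushes, approvals = defaultdict(list), defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push_sent":
            pushes[e["user"]].append(e["ts"])
        elif e["event"] == "mfa_push_approved":
            approvals[e["user"]].append(e["ts"])
    hits = {}
    for user, sent in pushes.items():
        for ok in approvals.get(user, []):
            recent = [t for t in sent if ok - window <= t <= ok]
            if len(recent) >= min_pushes:
                hits[user] = len(recent)
                break
    return hits


def accounts_hit_from_spray_sources(events, spray_hits):
    """Accounts that logged in successfully from a source flagged for spraying:
    these are the credentials the spray actually found."""
    return {e["user"] for e in events if e["event"] == "login_success" and e["src"] in spray_hits}


def registrations_from_spray_sources(events, spray_hits):
    """New MFA devices enrolled from a spraying source: the persistence step the advisory describes."""
    return [(e["user"], e["src"], e["ts"]) for e in events
            if e["event"] == "mfa_device_registered" and e["src"] in spray_hits]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    spray = detect_password_spray(evs)
    print("spray sources:", {s: sorted(u) for s, u in spray.items()})
    print("MFA fatigue:", detect_mfa_fatigue(evs))
    print("accounts compromised by spray:", accounts_hit_from_spray_sources(evs, spray))
    print("MFA registrations from spray sources:", registrations_from_spray_sources(evs, spray))
```

The thresholds are deliberately low so the sample trips them; in a real tenant you would tune `min_users` and `window` against your normal failed-login background, and the registration check is the one to page on, since an attacker who has enrolled their own authenticator survives a password reset.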

Evan Dornbush, former NSA cybersecurity expert, has some perspective on this:

   “Google released a report noting 70% of exploited flaws disclosed in 2023 were zero-days. Mandiant released a report noting attackers have incredibly decreased the time it takes to convert a disclosed flaw into an easily-available exploit product. Microsoft released a report noting that 78% of nation state activity is against the private sector, often in the form of for-profit actions. And CISA in collaboration with the UK and Australia are noting that criminals and governments are working together, sharing tools and access.

“The essential insight here is the necessity to evolve from purely reactive posturing, and shift to take proactive measures as part of one’s applied cybersecurity strategy. The amount of money criminals can earn is getting too little attention. It is too costly to defend, and too cheap to attack, and until we can affect a paradigm shift, things will continue to escalate.”

This is another one of those documents that’s required reading if your job is to keep your organization from getting pwned. Something that is getting harder to do these days.

UPDATE: I have two more comments on this. Starting with Avishai Avivi, CISO, SafeBreach:

“The CISA alert of Iranian cyber actors’ brute force and credential access activity is a good reminder – especially during cybersecurity awareness month – that these malicious actors are working to abuse ‘Multifactor Authentication (MFA) Exhaustion.’ If, as a good cyber-aware person, you’ve enabled MFA on your social networking, WhatsApp or other messaging apps, and bank accounts, you may have grown used to getting and approving MFA requests. The malicious actors hope you won’t pay attention and approve any MFA push notification you may receive. So, as a reminder, when you are prompted to authorize a session, please take a quick second to verify that you are the one who made that request. Malicious actors are constantly testing credentials they’ve obtained through breaches. They hope that the combination of these credentials and MFA exhaustion will let them take over your account. While the CISA alert specifically mentions critical infrastructure as the target of these malicious actors, this diligence is important to prevent access to your work and personal accounts.”

Followed by James Winebrenner, Chief Executive Officer, Elisity:

“On October 16, 2024, FBI, CISA, NSA, and other global government agencies published an advisory about how Iranian cyber actors recently compromised critical infrastructure organizations using brute force attacks and MFA bombing, then performed network discovery and lateral movement. This is just one more example of a nation-state cyber attack that used lateral movement. Also in 2024, China’s Volt Typhoon group compromised IT networks of multiple critical infrastructure organizations in the U.S., using lateral movement to access operational technology assets for potential disruptive attacks. North Korean hackers targeted aerospace and defense organizations with a new ransomware variant called FakePenny, using lateral movement for intelligence gathering. A modern identity-based microsegmentation platform would detect and prevent such unauthorized lateral movement attempts, preventing attackers from accessing sensitive systems even if initial credentials are compromised. CISOs and security architects want to look for a platform that provides comprehensive asset discovery and visibility and enables identity-based policies that enforce least-privilege access across users, devices, and applications, significantly reducing the attack surface and stopping threat actors from moving laterally within the network.”

Finally, Ryan Patrick, VP of Adoption, HITRUST:

“In response to the recent joint advisory issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and their international counterparts, HITRUST acknowledges the escalating threat posed by Iranian cyber actors who are actively targeting critical infrastructure sectors, including healthcare and public health (HPH).

We recognize the critical importance of safeguarding sensitive data and systems in these highly targeted industries. The advisory highlights the need for organizations across healthcare, government, energy, and information technology to reinforce their defenses against advanced tactics, including brute force credential attacks. Cybercriminals are increasingly sophisticated in their efforts to exploit vulnerabilities and sell access to compromised networks, putting critical infrastructure at risk. A key aspect of preventing these attacks lies in integrating threat intelligence into cybersecurity strategies. HITRUST emphasizes that assessments and controls informed by up-to-date threat intelligence are crucial in identifying and mitigating emerging risks. By embedding intelligence-driven controls into their operational security, organizations can proactively defend against evolving tactics used by cybercriminals, including brute force attacks. This continuous monitoring and refinement process allows for stronger protection of sensitive data and critical infrastructure.

We encourage all organizations, especially those in the healthcare and public health sectors, to review the joint cybersecurity advisory and ensure that appropriate safeguards are in place, including the use of strong authentication methods, continuous monitoring, and proactive threat intelligence. HITRUST will continue to support these efforts by delivering the tools and resources necessary to meet the highest standards of information protection and compliance.”

CISA Warns Of “Unsophisticated” Attacks Targeting Industrial Systems

Posted in Commentary with tags on September 28, 2024 by itnerd

The CISA put out an alert that caught my eye yesterday:

CISA continues to respond to active exploitation of internet-accessible operational technology (OT) and industrial control systems (ICS) devices, including those in the Water and Wastewater Systems (WWS) Sector. Exposed and vulnerable OT/ICS systems may allow cyber threat actors to use default credentials, conduct brute force attacks, or use other unsophisticated methods to access these devices and cause harm.   

CISA urges OT/ICS operators in critical infrastructure sectors to apply the recommendations listed in Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity to defend against this activity. To learn more about secure by design principles and practices, visit CISA’s Secure by Design webpage. For more information and guidance on protection against the most common and impactful threats, tactics, techniques, and procedures, visit CISA’s Cross-Sector Cybersecurity Performance Goals.

The word “Unsophisticated” is what caught my eye. That’s because this warning comes after the Arkansas City water treatment facility cyberattack:

The City of Arkansas City revealed that its water treatment facility had been breached on September 22. The city notified relevant authorities and moved the water plant to manual control to ensure safe operations.

Evan Dornbush, former NSA cybersecurity expert, had this comment:

  “CISA’s guidance of recommended practices may be ideal for defenders who are well staffed or are perhaps building out new networks.

  “In terms of overall practicality, changing default passwords and patching and moving HMI devices behind firewalls or hardened VNC can be laborious.

  “Keeping with defense in depth philosophy, it may be more efficient for established OT/ICS operators to add a network detection capability to their existing infrastructure. Using modern advancements in computation, the market is full of quality options for those looking to glean intelligence from their network data.

  “Subscribing to a cyber threat intelligence platform is another low-friction avenue. Those purport to increase awareness of known exploited vulnerabilities (KEV) which can help steer defenders towards highest priority infrastructure.”

I truly hope that organizations take these warnings seriously. There’s enough evidence out there that should suggest that not doing so will end badly for all concerned.

CISA Releases Election Security Checklist Ahead of November Elections In The US

Posted in Commentary with tags on September 19, 2024 by itnerd

As the 2024 election nears, election officials are finalizing preparations to protect against the most common threats seen targeting voters and campaigns. CISA recently released an Election Infrastructure Cybersecurity Readiness and Resilience Checklist, providing guidance on potential security incidents that may impact election infrastructure.

Tom Marsland, VP of Technology for Cloud Range who has personally led live-fire simulation attacks on election infrastructure, including forensic analysis of voting machines and misinformation campaigns, has shared his thoughts on CISA’s checklist:

This checklist by CISA is a great reminder to election officials and participants about the basics – however, with less than two months until the election, many of these will be hard to implement if not at least begun already. That said, it provides a clean slate for officials to take a step back and give their practices of cyber hygiene a holistic overview, and an honest look as they enter the final stages of preparation. I’ll repeat the findings from CISA that our elections are as secure as they’ve ever been. We really have to stay on top of misinformation campaigns and social engineering in that realm, but this is a great product for CISA, and I hope we see it used.

A great way for election officials to test their readiness against the checklist provided by CISA is by conducting hands-on, tabletop exercises that test the organization’s policies and playbooks against the very items called out in the checklist. Lessons learned from tabletop exercises should be incorporated into the organization’s continuous improvement, made actionable, and tracked to completion.

The CISA has put out a number of these sorts of checklists. But checklists aren’t good if they’re not followed. So here’s hoping that this one is followed as this November’s elections are going to be extremely important to the future of the US.