What are the Cross-Sector Cybersecurity Performance Goals (CPGs): Part 1

The Biden-Harris Administration in conjunction with the DHS recently released a report for all business and critical infrastructure owners. The Cross-Sector Cybersecurity Performance Goals (CPGs) is a brand-new report offered by the DHS and one of their sub-agencies, The Cybersecurity and Infrastructure Security Agency (CISA) for techies of the American public. This is just my opinion, but the government needs to get better at their naming conventions because this thirty-page report sounds BORING, but I assure you it is not. I understand most people do not have the time to comb through a thirty-page document, so I took the liberty to summarize it for you. We think all the tips are crucial which is why we are breaking the 8 sections of the report into 3 separate blogs:

1. Part 1: Account and Device Security (You’re already here, enjoy!)
2. Part 2: Data Security, Organizational Cybersecurity Leadership, and Mitigating Known Vulnerabilities
3. Part 3: Vendor/Supplier Cybersecurity Requirements, and other honorable mentions

If you have any questions on the CPGs below or need assistance implementing them, use our contact information at the bottom of this blog and contact us today.

Understanding the Fundamentals

With the conclusion of Cybersecurity Awareness Month in October, I hope you are here to put what you learned last month into action in November. This year, CISA has been working with public and private sector partners to identify the key challenges leaving our nation at unacceptable risk. These tips apply to organizations of all sizes, but especially to small and medium-sized businesses because from our experience we know that SMBs often have competing resources and on many occasions, their cyber hygiene scores suffer. Let’s discuss two of these challenges, Account Security and Device Security, which are 2 of the 8 CPGs that will directly reduce the risk or impact of security threats for your organization:

1. Account Security

1.1. Protect organizations from automated, credential-based attacks with the detection of unsuccessful login attempts. Your IT or security team should set up your logging system to send an alert to relevant personnel after a defined number of failed logins. For example, Windows 11 can automatically lock out accounts for 10 minutes after 5 incorrect logins over 10 minutes.

1.2. Change default passwords on all systems, hardware, and firmware to prevent adversaries from using them against your organization to achieve access and move within your network.

1.3. Add a second layer of authentication with Multi-Factor Authentication (MFA).

1.4. Establish a complex password policy! Too often we see great IT teams not enforce that the employees in the company use longer passwords. By nature, longer passwords are harder to guess. You should also disable a set of commonly used passwords like “p@$$word”.

1.5. No user accounts should have administrative-level access. You should separate user and privileged accounts to make it harder for hackers to access admin accounts, even if a user account is compromised.

1.6. This one goes in tandem with tip 1.4 from above: Users should not be able to reuse passwords for accounts, applications, services, etc…

1.7. The risk of an insider threat is still prevalent even after they have left your company. All departing employees should have their access revoked within at most two business days after their termination date. It is possible for hackers to take over accounts of let-go employees, so be sure to make this a priority as well.

2. Device Security

2.1. Create a defined hardware and software approval process to reduce the risk of a user installing unapproved systems or applications.

2.2. Ok, this one may be a little nitty-gritty, but it can be very sneaky: Disable Microsoft Office macros to prevent hidden executable code.

2.3. Keep an asset inventory! It is best to identify all known, unknown (Shadow), and unmanaged assets to rapidly detect and respond when emergencies arise. If a user’s computer is hacked and you do not have an inventory list, it will take much longer to stymy the threat. In cyber, time is of the essence as every second lost is data and money lost.

2.4. Prohibit the connection of unauthorized devices. Your organization should maintain policies and procedures around unauthorized media, or hardware is handled like USB devices and other removable media.

2.5. As you may have noticed many of these tips are not preventative, but preparation. In Cyber it is often a matter of if, not when so planning is crucial. Therefore, you should maintain a baseline of all configurations of your critical IT assets to streamline your recovery in the event of a compromise.

This 3-part blog will be a valuable resource for technical IT experts. Let’s proceed to Part 2 of our CPG coverage.

For more information speak with a QoS consultant today, sales@qosconsultingsolutions.com, or reach out through our contact form on our website, https://qosconsultingsolutions.com/.

Michael Joe

​Michael Joe is a Security Consultant and blog writer at QoS Consulting Solutions, author of several captivating works on our website.  Michael graduated from the College of Charleston in South Carolina with a Bachelor of Arts degree in Communication and with Latin Honors: Cum Laude. Michael’s passion for spreading awareness and knowledge of information technologies and cybersecurity is evident in his unique voice and writing style. As you noticed in his work, Michael’s storytelling and humor have a way of grasping the reader in a way few technology-focused blogs have done. Michael’s aim is to educate and entertain to change the way people perceive IT literature: Moving it away from a hyper-focus on so called “geeks”, towards the greater public. Cybersecurity is for EVERYONE, not just the techies in the trenches! Michael was expertly trained in the art of cybersecurity consulting.

See author's posts