Open Access Publisher and Free Library
03-crime prevention.jpg

CRIME PREVENTION

CRIME PREVENTION-POLICING-CRIME REDUCTION-POLITICS

CISA Analysis: Fiscal Year 2023 Risk and Vulnerability Assessments

By United States. Cybersecurity & Infrastructure Security Agency

The following passage from the document contains multiple links embedded in the text: "The Cybersecurity and Infrastructure Security Agency (CISA) conducts Risk and Vulnerability Assessments (RVAs) for the federal civilian executive branch (FCEB), high priority private and public sector critical infrastructure (CI) operators, and select state, local, tribal, and territorial (SLTT) stakeholders. Concurrently, the United States Coast Guard (USCG) conducts RVAs on maritime CI operated by SLTT and private-sector organizations. The RVA is intended to assess the entity's network capabilities and network defenses against known threats. In Fiscal Year 2023 (FY23), CISA and the USCG conducted a combined total of '143' RVAs across multiple CI sectors. [...] The goal of the RVA analysis is to develop effective strategies to improve the security posture of FCEB, CI, maritime, and SLTT stakeholders. During each RVA, CISA and the USCG collect data through remote and onsite actions. This data is combined with national threat and vulnerability information to provide organizations with actionable remediation recommendations prioritized by risk of compromise. CISA designed RVAs to identify vulnerabilities threat actors could exploit to compromise network security controls. After completing an RVA, CISA and the USCG provide the assessed entity a final report that includes recommendations, specific findings, potential mitigations, and technical attack path details. The FY23 reports provided these general observations: [1] Assessors completed their most successful attacks via common methods, such as phishing, valid accounts, and default credentials. [2] Assessors used a variety of tools and techniques CISA has captured in previous RVA analyses to successfully conduct common attacks. [3] Many organizations across varying CI sectors exhibited the same vulnerabilities. [4] CISA assessment personnel used common vulnerabilities facilitated by shortcomings in secure by design and default principles and other misconfigurations to compromise systems."

UNITED STATES. Government. Washington DC. SEP, 2024. 24p.