Privacy Daily is a service of Warren Communications News.

CISA Outlines Voluntary Protections Against Software Hacks

The information technology and product design sector should implement voluntary standards to strengthen software security, the Cybersecurity and Infrastructure Security Agency said Tuesday.

CISA is working with the Treasury Department to mitigate a recent Chinese-linked cyberattack against the agency. Hackers gained access to a stolen key used by BeyondTrust, one of Treasury’s cloud service vendors, according to the agency (see 2501060039).

CISA on Tuesday released a series of recommendations for the private sector after consulting with the IT Sector Coordinating Council, which includes experts and associations. The agency urged companies to “separate all software development environments from each other.” Companies were directed to regularly log and monitor “trust relationships used for authorization.”

CISA recommended use of phishing-resistant multifactor authentication and implementation of software supply chain risk management programs. Companies should encrypt sensitive data or credentials, instead of storing them in source code, said CISA.