Nextgov: CISA Official Calls for Update of Identity Management Guidance in Wake of SolarWinds Compromise

“The way the adversary behind the SolarWinds hack used legitimate credentials to execute a widespread compromise of public and private-sector entities should spur the creation of new guidance on protecting identities, especially as organizations move to the cloud, a Cybersecurity and Infrastructure Security Agency official said.

‘With regards to identity, I think that the guidance should be updated to go with the cloud,’ CISA Technical Strategist Jay Gazlay told the National Institute of Standards and Technology’s Information Security and Privacy Advisory Board Wednesday.

Gazlay provided a forensic brief of the hacking campaign, which leveraged a trojanized update from network management company SolarWinds and techniques like password spraying to gain unauthorized access to at least nine federal agencies and more than 100 private companies. He described actions NIST and the broader government should take in the wake of the breaches, focusing on protection and detection.

‘Our takeaway from this at CISA’s space is that identity is everything now,’ he said, noting that the level of success the adversary achieved with tactics like password spraying was not normal. ‘We can talk about our network defenses, we can talk about the importance of firewalls and network segmentation, but really identity has become the boundary, and we need to start readdressing our infrastructures in that manner’…” Read the full article here.

Source: CISA Official Calls for Update of Identity Management Guidance in Wake of SolarWinds Compromise – By Mariam Baksh, March 3, 2021. Nextgov.

0
Tags:

This topic contains 0 replies, has 1 voice, and was last updated by  Jackie Gilbert 1 month, 1 week ago.

  • Author
    Posts
  • #121034

    Replies viewable by members only

    0

You must be logged in to reply to this topic.

CONTACT US

Questions?. Send us an email and we'll get back to you, asap.

Sending

©2021 MileMarker10, LLC all rights reserved | Community and Member Guidelines | Privacy Policy | About G2Xchange FedCiv

Opportunities. Starting Points.

About our Data

The Vault is a listing of expiring contracts, task orders, etc. within a certain set of parameters, to include:

  • Have an initial total estimated contract value of $10 million or above
  • Federal Civilian Only – DHS, Transportation, Justice, Labor, Interior, Commerce, Energy, State, and Treasury Actions
  • NAICS codes include: 511210, 518210, 519130, 519190, 541511,
    541512, 
    541513, 541519, 541611, 541618,
    541690, 541720, 541990
  • Were modified within the last 12 calendar months
  • The data represented is based on information provided by the government

Who has access? Please note that ALL G2Xchange FedCiv Members will receive access to all basic and much of the advanced data. G2Xchange FedCiv Corporate Members will receive access to ALL Vault content (basic and advanced).

Feedback/Suggestions? Contact us at Vault@G2Xchange.com and let us know what you think. 

G2Xchange FedCiv

Log in with your credentials for G2Xchange FedCiv

Forgot your details?