CISA publishes list of free security tools for business protection

Agency quiet on the selection criteria but at least the price is right

The US Cybersecurity and Infrastructure Agency (CISA) has published a web catalog of free cybersecurity resources in the hope that those overseeing critical infrastructure can use the tools to better secure their systems.

"CISA is super proud to announce the start of a new catalog of free resources available to those critical infrastructure owners and operators who would benefit from tools to help their security and resilience," said CISA director Jen Easterly in a statement.

"Many organizations, both public and private, are target rich and resource poor. The resources on this list will help such organizations improve their security posture, which is particularly critical in the current heightened threat environment."

The "Free Cybersecurity Services and Tools" webpage is intended to be a starting point for improving organizational security. Easterly said the products and services listed will expand over time as additional tools from other partners are added.

The Register asked CISA to clarify the selection criteria for inclusion on the list. A CISA spokesperson responded by pointing to the agency press release. The Register wrote back to say that doesn't address the question. We'll let you know if any clarification is forthcoming.

A certain lack of review

The catalog webpage touches on the issue: "CISA applies neutral principles and criteria to add items and maintains sole and unreviewable discretion over the determination of items included. CISA does not attest to the suitability or effectiveness of these services and tools for any particular use case. CISA does not endorse any commercial product or service."

The fact that CISA is asserting "unreviewable discretion" over its list of tools suggests the agency isn't keen to explain the presence or absence of any particular application or service. At some point, CISA intends to establish a process by which organizations can submit tools for inclusion in the catalog.

CISA says its list is organized to conform with its recent advisory [PDF] on protecting against cyber threats. The cyber defense agency's mitigation playbook focuses on: reducing the chance of incidents by avoiding malicious sites and scanning for weaknesses; detecting and responding to malicious activity quickly; responding effectively to confirmed incidents; and maximizing resilience through backups and threat modeling.

And for each of these goals, there's a section in the CISA tools catalog. Under the "Reducing the Likelihood of a Damaging Cyber Incident" section, for example, you can presently find 72 listings that point to CISA security testing resources, open source tools like PGP, ad blocking software, Google's safe browsing toolset, and the like. And each of the other three sections offers a similar list of resources focused on specific strategic goals.

CISA's protective tool shed has been built atop the Biden administration's efforts to shore up US cybersecurity following serious cyber attacks on SolarWinds, Microsoft Exchange, and Colonial Pipeline, among others, last year. In his executive order to improve national cybersecurity last May, President Biden urged private sector entities to "take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents."

With this catalog of free tools, not much investment is necessary. ®
