CISA publishes list of free security tools for business protection
Agency quiet on the selection criteria but at least the price is right
The US Cybersecurity and Infrastructure Agency (CISA) has published a web catalog of free cybersecurity resources in the hope that those overseeing critical infrastructure can use the tools to better secure their systems.
"CISA is super proud to announce the start of a new catalog of free resources available to those critical infrastructure owners and operators who would benefit from tools to help their security and resilience," said CISA director Jen Easterly in a statement.
"Many organizations, both public and private, are target rich and resource poor. The resources on this list will help such organizations improve their security posture, which is particularly critical in the current heightened threat environment."
The "Free Cybersecurity Services and Tools" webpage is intended to be a starting point for improving organizational security. Easterly said the products and services listed will expand over time as additional tools from other partners are added.
The Register asked CISA to clarify the selection criteria for inclusion on the list. A CISA spokesperson responded by pointing to the agency press release. The Register wrote back to say that doesn't address the question. We'll let you know if any clarification is forthcoming.
A certain lack of review
The catalog webpage touches on the issue: "CISA applies neutral principles and criteria to add items and maintains sole and unreviewable discretion over the determination of items included. CISA does not attest to the suitability or effectiveness of these services and tools for any particular use case. CISA does not endorse any commercial product or service."
The fact that CISA is asserting "unreviewable discretion" over its list of tools suggests the agency isn't keen to explain the presence or absence of any particular application or service. At some point, CISA intends to establish a process by which organizations can submit tools for inclusion in the catalog.
CISA says its list is organized to conform with its recent advisory [PDF] on protecting against cyber threats. The cyber defense agency's mitigation playbook focuses on: reducing the chance of incidents by avoiding malicious sites and scanning for weaknesses; detecting and responding to malicious activity quickly; responding effectively to confirmed incidents; and maximizing resilience through backups and threat modeling.
And for each of these goals, there's a section in the CISA tools catalog. Under the "Reducing the Likelihood of a Damaging Cyber Incident" section, for example, you can presently find 72 listings that point to CISA security testing resources, open source tools like PGP, ad blocking software, Google's safe browsing toolset, and the like. And each of the other three sections offers a similar list of resources focused on specific strategic goals.
CISA's protective tool shed has been built atop the Biden administration's efforts to shore up US cybersecurity following serious cyber attacks on SolarWinds, Microsoft Exchange, and Colonial Pipeline, among others, last year. In his executive order to improve national cybersecurity last May, President Biden urged private sector entities to "take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents."
With this catalog of free tools, not much investment is necessary. ®