cisagov/cyhy-system

Update Ad-Hoc Alerts for BOD 23-02

Closed this issue · 7 comments

💡 Summary

Please update the language, table, and csv for ad-hoc alerts in support of BOD 23-02.

Motivation and context

Internal and external stakeholders need to be notified within 24 hours of the initial detection of potentially risky services that potentially fall within BOD 23-02. Currently we have a table that covers potentially risky services; however, nothing specifies that this is covered under the new BOD.

Implementation notes

Language for Ad-hoc alert

Change from

These services warrant your attention. All services are potentially at risk of attack, but some can be more risky when open to the public (e.g. RDP, Telnet, etc.) CISA recommends validating that each service below is intended to be available to the public and, where applicable, the service is up-to-date on the latest version, correctly configured, and uses strong authentication.

Change to

These services warrant your attention. All services are potentially at risk of attack, but some can be more risky when open to the public (e.g. RDP, Telnet, etc.), especially if they are open as Networked Management Interfaces. CISA recommends validating that each service below is intended to be available to the public and, where applicable, the service is up-to-date on the latest version, correctly configured, and uses strong authentication.

As part of BOD 23-02 <--- Should be hyperlinked to https://www.cisa.gov/news-events/directives/binding-operational-directive-23-02, within 14 days of notification, Networked Management Interfaces exposed to the public internet must either be removed from the public internet or protected by capabilities that enforce access control to the interface through a policy enforcement point separate from the interface itself as part of a Zero Trust Architecture.

Table Updates

Update the table in the body of the PDF to highlight red and asterisk the five services/categories (See Image Below):

  • File Transfer Protocol (FTP)
  • Teletype Network (Telnet)
  • Trivial File Transfer Protocol (TFTP)
  • Remote Desktop Protocol (RDP)
  • Server Message Block (SMB)

Attachment Update
Add a new column denoting "possible_nmi" to the potentially-risky-services.csv embedded attachment.

Acceptance criteria

The Ad-hoc alerts will have the following:

Language updates made here: cisagov/cyhy-reports#84

dav3r commented

@KeithBonesJr, @climber-girl Please confirm that this is the subset of services that you would like to highlight in red and add an asterisk to:

    # Service names to highlight in red and mark with an asterisk for BOD 23-02
    BOD_23_02_SERVICES = [
        "bftp",           # FTP
        "ftp",            # FTP
        "microsoft-ds",   # SMB
        "ms-wbt-server",  # RDP
        "ni-ftp",         # FTP
        "rsftp",          # FTP
        "rtelnet",        # Telnet
        "smbdirect",      # SMB
        "telnet",         # Telnet
        "tftp",           # TFTP
    ]
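As an added example (not code from cyhy-reports or this thread), the following shows how the "possible_nmi" column requested in the Attachment Update could be derived from the service subset listed above; the CSV column names (ip, port, service) and the sample rows are constructed assumptions, not the real potentially-risky-services.csv schema.

```python
import csv
import io

# Service names flagged in the thread as possible Networked Management
# Interfaces under BOD 23-02 (FTP, Telnet, TFTP, RDP, SMB).
POSSIBLE_NMI_SERVICES = frozenset({
    "bftp", "ftp", "ni-ftp", "rsftp",   # FTP
    "rtelnet", "telnet",                # Telnet
    "tftp",                             # TFTP
    "ms-wbt-server",                    # RDP
    "microsoft-ds", "smbdirect",        # SMB
})


def is_possible_nmi(service_name: str) -> bool:
    """True if the nmap service name is in the BOD 23-02 subset (case-insensitive)."""
    return service_name.strip().lower() in POSSIBLE_NMI_SERVICES


def add_possible_nmi_column(csv_text: str) -> str:
    """Return the CSV text with a trailing 'possible_nmi' column (True/False).

    Assumes a header row containing a 'service' column; all other columns
    pass through unchanged. If the column already exists it is overwritten
    rather than duplicated.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    fieldnames = list(reader.fieldnames or [])
    if "possible_nmi" not in fieldnames:
        fieldnames.append("possible_nmi")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        row["possible_nmi"] = str(is_possible_nmi(row.get("service", "")))
        writer.writerow(row)
    return out.getvalue()


# Constructed sample input (documentation addresses); not real CyHy data.
SAMPLE_CSV = """ip,port,service
203.0.113.10,21,ftp
203.0.113.10,443,https
203.0.113.11,3389,ms-wbt-server
203.0.113.12,22,ssh
"""

if __name__ == "__main__":
    print(add_possible_nmi_column(SAMPLE_CSV))
```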

@dav3r just checked my notes from @climber-girl. Yes, this is correct! Thank you!

dav3r commented

See below for screenshots of anonymized output with the requested code changes - please let me know ASAP if you'd like anything changed:

[Two screenshots attached, taken 2023-07-18 at 1:15 PM and 1:16 PM]

I will be creating a pull request soon for code review.

@dav3r this looks great and is exactly what we wanted for this. About to create an issue for the main report changes as well here shortly.

dav3r commented

@KeithBonesJr and @climber-girl, these code changes are being reviewed in cisagov/cyhy-reports#87.

dav3r commented

This issue should now be resolved via:

Reminder that these changes will not go into Production until the next CyHy reporter AMI is built and deployed.