From: CISA Partnerships <CISA.Partnerships@cisa.dhs.gov>
Sent: Tuesday, May 14, 2024 9:39:53 AM (UTC-05:00) Eastern Time (US & Canada)
Subject: Mitigating Cyber Threats with Limited Resources: Guidance for Civil Society
FOR WIDE DISSEMINATION
Colleagues,
Today, the Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with U.S. and international partners, published a joint guide, “Mitigating Cyber Threats with Limited Resources: Guidance for Civil Society,” for civil society organizations and individuals to mitigate the threat of observed malicious behavior by state-sponsored cyber operations.
Malicious state-sponsored actors are using various tactics to gain initial access to civil society organizations, including online research of organizations and individuals to develop socially engineered “lures” that prompt victims to provide account credentials, download malware, or download apps that contain malicious software. With initial access to victims' devices, state-sponsored actors will often install spyware on the devices to conduct more extensive surveillance, such as location tracking and access to files.
For civic organizations, recommended mitigations include implementing phishing-resistant multifactor authentication (MFA), avoiding user accounts with extensive permissions, using only vendors that align their practices to Secure by Design principles, and implementing basic cybersecurity training. For civic individuals, recommended mitigations include using strong passwords, implementing MFA, using caution when sharing information on social media, staying aware of social engineering tactics, verifying contacts, and selecting apps carefully using trusted app stores.
Software manufacturers are strongly encouraged to publicly commit to and actively implement the Secure by Design pledge, and to act on recommended mitigations to improve the security posture of their customers. Recommendations for software manufacturers highlight actions they should take to improve the security posture of their customers, which include those in civil society.
Civil society organizations include those that support nonprofit, advocacy, cultural, faith-based, academic, think tank, journalist, dissident, and diaspora organizations, communities, and individuals involved in defending human rights and advancing democracy.
All civic organizations, individuals, and software manufacturers are encouraged to review this guide and implement recommended actions and mitigations.
For more information, see CISA’s Cybersecurity Resources for High-Risk Communities webpage.
–Cybersecurity and Infrastructure Security Agency