There are so many tools being released these days, and for the most part they aren’t cheap. The good news is that the Cybersecurity & Infrastructure Security Agency (CISA) has assembled a group of free cybersecurity services and tools that most businesses can access, and no, you don’t have to be military-affiliated. The goal is to give the private and public sectors options to lower the risk of serious exposure of critical infrastructure and data. In this post, we discuss CISA’s free cybersecurity services and tools and other CISA resources.
Is CISA Good for Cybersecurity?
As mentioned in the introduction, CISA’s main goal is to provide not only knowledge of possible threat vectors against infrastructure and data but also free tools and resources for business owners who have no budget or a limited one, or who are simply unsure where to start in creating a secure environment for client information. To get started, users should visit the Free Cybersecurity Services and Tools page on CISA’s website.
CISA suggests that new users start using their services by taking the following three steps.
1. Reach out to your local regional cybersecurity advisor (RCA). The United States is divided into ten regions, and the website directs users to the correct region based on their state. Each RCA provides guidance to do the following:
- Aid in planning, response, and recovery for vulnerabilities that could potentially impact the region’s critical infrastructure.
- Perform or assist with the examination and review of dependencies and effects on an organization’s critical infrastructure while responding to an emergency or reviewing the actions taken during one.
- Assist in information sharing and coordination between the public and private sectors.
- Inform organizations in the region about current or emerging cybersecurity risks and incidents that have taken place.
Each region has personnel to support these objectives. These advisors include Protective Security Advisors (PSAs), Cyber Security Advisors (CSAs), Emergency Communications Coordinators (ECCs), Election Security Advisors (ESAs), and Chemical Security Inspectors (CSIs).
2. Sign up for CISA’s cyber hygiene services by submitting your contact information. These services help members understand and secure internet-facing services against weak configurations and publicly known vulnerabilities. Signing up is also the first step toward the vulnerability scanning and web application scanning provided by CISA, which we review in more depth in the next section.
3. The final step is to determine your organization’s Cybersecurity Performance Goals (CPG). While it is listed last, it is really more like the first step in establishing cybersecurity goals and practices within your organization, so you can prioritize a budget and lean on the free CISA services based on risk. Geared toward small and medium-sized businesses, the CPG checklist lists key cybersecurity topics along with recommended actions, a breakdown of cost, impact, and complexity, and the free CISA tool that applies to each.
Is CISA Vulnerability Scanning Free?
The question “Is CISA vulnerability scanning free?” is one of the most common. Luckily, the service is available at no cost to the consumer. Per CISA, these services are available to “Federal, state, local, tribal and territorial governments, as well as public and private sector critical infrastructure organizations.” Your next question may be, “But does my organization fall into that category?” Most likely, yes. Per CISA, the critical infrastructure sectors are the following:
- Chemical Sector
- Commercial Facilities Sector
- Communications Sector
- Critical Manufacturing Sector
- Dams Sector
- Defense Industrial Base Sector
- Emergency Services Sector
- Energy Sector
- Financial Services Sector
- Food and Agricultural Sector
- Government Facilities Sector
- Healthcare and Public Health Sector
- Information Technology Sector
- Nuclear Reactors, Materials, and Waste Sector
- Transportation Systems Sector
- Water and Wastewater Systems
To get started, send an email to vu***********@ci**.gov with the subject line “Requesting Cyber Hygiene Services”. Once the email has been submitted, an advisor should reach out with the appropriate forms. From there, the site says that services should start about 3 days after all forms have been submitted, and reports should arrive about two weeks after scanning has begun. There are two types of scanning available, vulnerability scanning and web application scanning. Users can expect the reports to come from re*****@ci**.gov and vu***********@ci**.gov respectively.
As previously mentioned, two types of scans are available: vulnerability scanning and web application scanning. Vulnerability scanning continuously tests the external network, i.e. publicly reachable services, for accessible services and any vulnerabilities they expose. Reports are generated weekly, or as needed when a critical vulnerability is detected. Web application scanning covers publicly available web applications and looks for vulnerabilities or weak configurations that could be exploited by bad actors. It checks not only the vulnerability classes in the OWASP Top 10 but also other web application risks considered critical. This report is sent monthly or on demand as requested.
To aid in the remediation of these vulnerabilities, CISA has a national vulnerability database where a vulnerability can be reviewed for references to advisories, solutions, and tools. You can also learn more from our blog on how vulnerability assessments differ from penetration testing.
Other CISA-Supported & Non-Supported Tools
While the main tools provided by CISA are explained above, CISA also offers organizations a long list of other tools. These include tabletop exercise packages (such as for a BCP or a DRP), cyber incident response information (for management), Cyber Storm exercises, which simulate an actual cyber-attack, logging tools, malware analysis, and more. Details of these tools, as well as where and how they can be implemented in an environment, can be reviewed on CISA’s website.
CISA also gives other organizations the opportunity to list their free tools and services on its website. While still free, these are not monitored by CISA, but they can be reviewed for public use. Each tool is labeled advanced, intermediate, or foundational so the user knows the complexity and skill required to run and use it.
Free Cloud-Supported Tools
Finally, CISA has created a fact sheet to help businesses set up cloud environments in a way that protects their assets, including infrastructure and data. Tools mentioned in the fact sheet include:
- The Cybersecurity Evaluation Tool (CSET)
- SCuBAGear
- The Untitled Goose Tool
- Decider
- Memory Forensic on Cloud
The fact sheet provides details of these tools, how they can be used to identify strengths and weaknesses, and how they guide the configuration of a hardened environment. It also explains how to get started with each tool.
Summing up CISA’s Free Cybersecurity Services & Tools
Cybersecurity consists of many things: tools, monitoring, scanning, and more. Success is neither easy nor cheap. While the cost of a healthy environment will never be $0, CISA’s goal is to help small to medium-sized companies understand where to prioritize their budget so it is applied to high-risk areas. Hopefully, these tools can help your organization too!
And finally, don’t hesitate to reach out to Linford & Company if your quest for cybersecurity results in an audit. We will be here to help!
Jaclyn Finney started her career as an auditor in 2009. She joined Linford & Co., LLP in 2016 and is a partner with the firm. She is a CISA with a special focus on SOC, HITRUST, FedRAMP, and royalty examinations. Jaclyn works with her clients to provide a process that meets the needs of each customer and generates a tailored report that is useful to the client and the users of the report.