資訊：CISA與合作伙伴發(fā)布應(yīng)對(duì)網(wǎng)絡(luò)威脅的指南

CISA and partners release guide for civil society organisations to address cyber threats
CISA 與合作伙伴為民間社會(huì)組織發(fā)布應(yīng)對(duì)網(wǎng)絡(luò)威脅的指南

The US Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI) and several international partners from the UK, Estonia, Canada, Japan, and Finland, released a guide on Mitigating Cyber Threats with Limited Resources: Guidance for Civil Society.
美國(guó)網(wǎng)絡(luò)安全和基礎(chǔ)設(shè)施安全局 (CISA) 與國(guó)土安全部 (DHS)、聯(lián)邦調(diào)查局 (FBI) 以及來(lái)自英國(guó)、愛(ài)沙尼亞、加拿大、日本和芬蘭的幾個(gè)國(guó)際合作伙伴合作，發(fā)布了一份 《利用有限資源緩解網(wǎng)絡(luò)威脅：民間社會(huì)指南》。

This publication provides civil society organizations (CSOs) and individuals with recommended actions and mitigations to reduce the risk of cyber intrusions. Additionally, the guide encourages software manufacturers to implement security-by-design practices that are necessary to help protect vulnerable and high-risk communities.
本出版物為民間社會(huì)組織 (CSO) 和個(gè)人提供建議的行動(dòng)和緩解措施，以降低網(wǎng)絡(luò)入侵的風(fēng)險(xiǎn)。此外，該指南鼓勵(lì)軟件制造商實(shí)施必要的設(shè)計(jì)安全實(shí)踐，以幫助保護(hù)脆弱和高風(fēng)險(xiǎn)社區(qū)。

‘These high-risk community organizations often lack cyber threat information and security resources. With our federal and international partners, we are providing this resource to help these organizations better understand the cyber threats they face and help them improve their cyber safety’, added Jen Easterly, Director of CISA.
“這些高風(fēng)險(xiǎn)社區(qū)組織往往缺乏網(wǎng)絡(luò)威脅信息和安全資源。我們與我們的聯(lián)邦和國(guó)際合作伙伴一起提供這一資源，以幫助這些組織更好地了解他們面臨的網(wǎng)絡(luò)威脅，并幫助他們提高網(wǎng)絡(luò)安全”，CISA 總監(jiān) Jen Easterly 補(bǔ)充道。

According to the guide, civil society, comprised of organizations and individuals—such as nonprofit, advocacy, cultural, faith-based, academic, think tanks, journalists, dissidents, and diaspora organizations, communities involved in defending human rights and advancing democracy—are considered high-risk communities. Authors note that often, these organizations and their employees are targeted by state-sponsored threat actors who seek to undermine democratic values and interests. Recommendations include regular software updates, adopting multi-factor authentication (MFA), and implementing the principle of least privilege to reduce vulnerabilities and others.
根據(jù)該指南，公民社會(huì)由組織和個(gè)人組成，例如非營(yíng)利組織、倡導(dǎo)組織、文化組織、信仰組織、學(xué)術(shù)組織、智囊團(tuán)、記者、持不同政見(jiàn)者和僑民組織、參與捍衛(wèi)人權(quán)和推進(jìn)民主的社區(qū)，被視為高風(fēng)險(xiǎn)社區(qū)。作者指出，這些組織及其員工常常成為國(guó)家支持的威脅行為者的目標(biāo)，這些威脅行為者試圖破壞民主價(jià)值觀和利益。建議包括定期軟件更新、采用多重身份驗(yàn)證 (MFA) 以及實(shí)施最小權(quán)限原則以減少漏洞等。

CISA and partners also encourage software manufacturers to review and implement mitigations and practices to protect CSOs. In particular, the guide says software manufacturers should implement vulnerability management to eliminate entire classes of vulnerability in their products, enable MFA by default in all products, provide logging at no additional charge to the customer, and alert customers of suspicious behaviour on their networks; and include details of a secure by design concept in corporate financial reports.
CISA 和合作伙伴還鼓勵(lì)軟件制造商審查并實(shí)施緩解措施和實(shí)踐，以保護(hù) CSO。該指南特別指出，軟件制造商應(yīng)實(shí)施漏洞管理，以消除其產(chǎn)品中的所有類別的漏洞，在所有產(chǎn)品中默認(rèn)啟用 MFA，向客戶免費(fèi)提供日志記錄，并提醒客戶網(wǎng)絡(luò)上的可疑行為；并在公司財(cái)務(wù)報(bào)告中包含安全設(shè)計(jì)概念的詳細(xì)信息。