<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:"Segoe UI";
        panose-1:2 11 5 2 4 2 4 2 2 3;}
@font-face
        {font-family:"Franklin Gothic Book";
        panose-1:2 11 5 3 2 1 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
p.xxxmsonormal, li.xxxmsonormal, div.xxxmsonormal
        {mso-style-name:x_x_x_msonormal;
        margin:0in;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
p.xmsonormal, li.xmsonormal, div.xmsonormal
        {mso-style-name:x_msonormal;
        margin:0in;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
p.xxxmsolistparagraph, li.xxxmsolistparagraph, div.xxxmsolistparagraph
        {mso-style-name:x_x_x_msolistparagraph;
        margin:0in;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
span.xcontentpasted0
        {mso-style-name:x_contentpasted0;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:908468484;
        mso-list-template-ids:-1495090366;}
@list l0:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
@list l0:level2
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:1.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:"Courier New";
        mso-bidi-font-family:"Times New Roman";}
@list l0:level3
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:1.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level4
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:2.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level5
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:2.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level6
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:3.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level7
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:3.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level8
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:4.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l0:level9
        {mso-level-number-format:bullet;
        mso-level-text:\F0A7;
        mso-level-tab-stop:4.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Wingdings;}
@list l1
        {mso-list-id:1010445393;
        mso-list-template-ids:-1282239056;}
@list l1:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
@list l1:level2
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:1.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
@list l1:level3
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:1.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
@list l1:level4
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:2.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
@list l1:level5
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:2.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
@list l1:level6
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:3.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
@list l1:level7
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:3.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
@list l1:level8
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:4.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
@list l1:level9
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:4.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<div>
<div>
<div>
<div>
<div>
<p class="xmsonormal" style="background:white"><span style="color:black">FYSA</span><o:p></o:p></p>
<p class="xmsonormal" style="background:white"><o:p> </o:p></p>
<p class="xmsonormal" style="background:white"><span class="xcontentpasted0"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black;background:white">Today, the Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency
 (NSA) issued a joint </span></span><span class="xcontentpasted0"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black;background:yellow"><a href="https://www.cisa.gov/news-events/alerts/2023/06/14/cisa-and-nsa-release-joint-guidance-hardening-baseboard-management-controllers-bmcs"><span style="background:white">Cybersecurity
 Information Sheet</span></a></span></span><span class="xcontentpasted0"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black;background:white"> recommending organizations pay attention to the security of their Baseboard Management Controllers
 (BMCs). Titled “Hardening BMCs,” the joint CSI encourages all organizations to apply the recommended actions to properly secure and maintain BMCs.</span></span><span class="xcontentpasted0"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black">
  </span></span><span style="font-size:12.0pt;color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:9.0pt;font-family:"Segoe UI",sans-serif;color:black"> </span><span style="font-family:"Franklin Gothic Book",sans-serif;color:black"> </span><span style="font-size:9.0pt;font-family:"Segoe UI",sans-serif;color:black">
<o:p></o:p></span></p>
<p class="xxxmsonormal" style="background:white"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black">Hardened credentials, firmware updates, and network segmentation options are frequently overlooked, leading to a vulnerable BMC. A vulnerable
 BMC broadens the attack vector by providing malicious actors the opportunity to employ tactics such as establishing a beachhead with pre-boot execution potential.  </span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p class="xxxmsolistparagraph" style="margin-left:.25in;background:white"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black"> </span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p class="xxxmsonormal" style="background:white"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black">The recommended actions align with the cross-sector
<a href="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals" title="https://www.cisa.gov/cross-sector-cybersecurity-performance-goals">
Cybersecurity Performance Goals</a> (CPGs). Some of the actions include:  </span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo3;background:white">
<span style="font-family:"Franklin Gothic Book",sans-serif">Change the default BMC credentials as soon as possible.  </span><span style="font-size:9.0pt;font-family:"Segoe UI",sans-serif"><o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo3;background:white">
<span style="font-family:"Franklin Gothic Book",sans-serif">Limit the endpoints that may communicate with BMCs in the enterprise infrastructure, for example by isolating BMC interfaces on a dedicated administrative virtual local area network (VLAN).  </span><span style="font-size:9.0pt;font-family:"Segoe UI",sans-serif"><o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo3;background:white">
<span style="font-family:"Franklin Gothic Book",sans-serif">Consult vendor guides and recommendations for hardening BMCs against unauthorized access and persistent threats.  </span><span style="font-size:9.0pt;font-family:"Segoe UI",sans-serif"><o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo3;background:white">
<span style="font-family:"Franklin Gothic Book",sans-serif">Perform routine BMC update checks; BMC updates are delivered separately from most other software and firmware updates. </span><span style="font-size:9.0pt;font-family:"Segoe UI",sans-serif"><o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo3;background:white">
<span style="font-family:"Franklin Gothic Book",sans-serif">Monitor BMC integrity, including any built-in integrity features, for unexpected changes or platform alerts.  </span><span style="font-size:9.0pt;font-family:"Segoe UI",sans-serif"><o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo3;background:white">
<span style="font-family:"Franklin Gothic Book",sans-serif">Move sensitive workloads to hardened devices, such as hardware designed to audit both the BMC firmware and the platform firmware.  </span><span style="font-size:9.0pt;font-family:"Segoe UI",sans-serif"><o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo3;background:white">
<span style="font-family:"Franklin Gothic Book",sans-serif">Periodically use firmware scanning tools to inspect for integrity and unexpected changes.  </span><span style="font-size:9.0pt;font-family:"Segoe UI",sans-serif"><o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo3;background:white">
<span style="font-family:"Franklin Gothic Book",sans-serif">Treat an unused BMC as if it may one day be activated: apply patches, harden credentials, and restrict network access.  </span><span style="font-size:9.0pt;font-family:"Segoe UI",sans-serif"><o:p></o:p></span></li></ul>
<p class="xxxmsonormal" style="background:white"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black"> </span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p class="xxxmsonormal" style="background:white"><span style="font-family:"Franklin Gothic Book",sans-serif;color:black">Read the joint
<a href="https://www.cisa.gov/news-events/alerts/2023/06/14/cisa-and-nsa-release-joint-guidance-hardening-baseboard-management-controllers-bmcs" title="https://www.cisa.gov/news-events/alerts/2023/06/14/cisa-and-nsa-release-joint-guidance-hardening-baseboard-management-controllers-bmcs">
CSI</a> for a complete overview of the threat to BMCs and recommended actions to protect against this threat.  <o:p></o:p></span></p>
<p class="xxxmsonormal" style="background:white"><o:p> </o:p></p>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><span style="color:#1F497D">Theresa A. Masse<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Cybersecurity State Coordinator/Advisor, Region 10 (Oregon)
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Cybersecurity and Infrastructure Security Agency<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Department of Homeland Security<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Phone: (503) 930-5671
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Email:</span><span style="font-size:10.0pt;color:#777777">
</span><a href="mailto:theresa.masse@cisa.dhs.gov"><span style="font-size:10.0pt;color:#0563C1">theresa.masse@cisa.dhs.gov</span></a><u><span style="font-size:10.0pt;color:#0760C1"><o:p></o:p></span></u></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><img border="0" width="97" height="97" style="width:1.0138in;height:1.0138in" id="Picture_x0020_2" src="cid:image001.png@01D99EAD.955A8A90"><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="xxxmsonormal" style="background:white"><o:p> </o:p></p>
<p class="MsoNormal" style="background:white"><span style="font-size:9.0pt;font-family:"Segoe UI",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
</body>
</html>