Articles

NIST releases software, IoT, and consumer cybersecurity labeling guidance

The new guidance aims to tighten security requirements for federally purchased software and give consumers better insight into the security of software and devices they buy.

On February 4, the National Institute of Standards and Technology (NIST) issued several documents and updates that spell out software security guidance and recommended consumer labeling practices for software and IoT devices. NIST also laid out its approach to consumer cybersecurity labeling projects.

These initiatives were mandated under President Biden’s wide-ranging executive order (EO) issued last May. They aim to tighten the federal government’s security requirements for the software products it purchases, hoping that the benefits will also flow to the private sector. The labeling initiatives aim to provide consumers greater insight into the security of the software and devices they purchase and spur greater transparency by consumer software and IoT device makers.

This article appeared in CSO Online. To read the rest of the article please visit here.

4 alternatives to encryption backdoors, but no silver bullet

Alternatives to backdoors in end-to-end encryption exist, but not all address privacy and security concerns, say experts at last week’s Enigma conference.

End-to-end encrypted communication has been a boon to security and privacy over the past 12 years since Apple, Signal, email providers, and other early adopters first started deploying the technology. At the same time, law enforcement authorities around the globe have pushed for technological solutions to pry open the chain of protected end-to-end encrypted content, arguing that the lack of visibility provides a haven for criminals, terrorists and child abusers to hatch their plans with impunity.

In 2016, Apple prevailed in a now-famous legal standoff with FBI Director James Comey to unlock an encrypted phone used by a mass shooter in San Bernardino, California. In 2019, Attorney General William Barr revived the so-called backdoor debate to advocate some means of breaking encryption to thwart those who distribute child sexual abuse material. Last month, the UK government kicked off a PR campaign to lay the groundwork for killing off end-to-end encryption ostensibly to crack down on child sex abusers.

This article appeared in CSO Online. To read the rest of the article please visit here.


DHS creates Cyber Safety Review Board to review significant…

The CSRB will advise the President and Department of Homeland Security director, as well as review major security events starting with the Log4j exploits.

Following President Biden’s cybersecurity executive order issued last May, the Department of Homeland Security (DHS) announced on February 3 the creation of the Cyber Safety Review Board (CSRB). This public-private initiative is charged with reviewing and assessing significant cybersecurity incidents across government and the private sector. “The CSRB will provide a unique forum for collaboration between government and private sector leaders who will deliver strategic recommendations to the President and the Secretary of Homeland Security,” DHS said in its announcement.

The CSRB will start with 15 top cybersecurity leaders from the federal government and the private sector, including Robert Silvers, DHS undersecretary for policy, who will serve as chair, and Heather Adkins, Google’s senior director for security engineering, who will serve as deputy chair. DHS’s Cybersecurity and Infrastructure Security Agency (CISA) will manage, support and fund the board. CISA Director Jen Easterly is responsible for appointing CSRB members, in consultation with Silvers, and convening the board following significant cybersecurity events.

This article appeared in CSO Online. To read the rest of the article please visit here.


Alpha-Omega Project takes a human-centered approach to open-source software…

The Linux Foundation and OpenSSF project, with backing from Microsoft and Google, aims to improve security of 10,000 open-source projects.

The Log4j vulnerability crisis that erupted in late 2021 heightened the security world’s awareness of supply chain risks in free and universally deployed open-source software. Following an intense holiday season push by admins and cybersecurity professionals to track and remediate the Log4j flaw, the White House held a meeting of industry leaders to discuss improving open source software security.

In a sign that the tech sector is stepping up efforts, the Linux Foundation and the Open Source Security Foundation (OpenSSF) have announced the Alpha-Omega Project. Backed by $5 million in initial funding from Microsoft and Google, the project seeks to improve software supply chain security for 10,000 open-source software projects by systematically looking for undiscovered vulnerabilities in open-source code and then working with project maintainers to get them fixed.

This article appeared in CSO Online. To read the rest of the article please visit here.


OMB issues zero-trust strategy for federal agencies

All federal agencies must meet, by 2024, the zero-trust goals set by the U.S. Office of Management and Budget, building on earlier federal cybersecurity initiatives.

Through a memo issued by the Office of Management and Budget (OMB), the Biden administration issued a 30-page strategy to move the U.S. government toward a zero trust approach to cybersecurity. The strategy “represents a key step forward” in delivering on the president’s sweeping May executive order (EO) on cybersecurity, which contains a directive for federal government agencies to develop a plan to advance towards a zero trust architecture.

A hot buzz phrase in the cybersecurity world, zero trust is a model premised on the notion of “never trust, always verify.” The executive order defines zero trust as a security concept that “eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses.” OMB says that a “key tenet of a zero trust architecture is that no network is implicitly considered trusted.”

This article appeared in CSO Online. To read the rest of the article please visit here.

SEC eyes more expansive cybersecurity requirements

New rules for publicly traded companies could add protections for consumer information, strengthen incident reporting, and require assessment of third-party risk.

Gary Gensler, chair of the Securities and Exchange Commission (SEC), has laid out an ambitious cybersecurity plan for his agency that could give it a far more expansive regulatory footprint than it currently has. Speaking to Northwestern Pritzker School of Law’s Annual Securities Regulation Institute, Gensler said that “the financial sector remains a very real target of cyberattacks” and is becoming “increasingly embedded within society’s critical infrastructure.”

Although the SEC participates in several advisory bodies, such as the Financial Stability Oversight Council (FSOC) and the Financial and Banking Information Infrastructure Committee (FBIIC), among others, that deal directly with cybersecurity requirements, the agency has no hard and fast cybersecurity rules or cybersecurity incident reporting requirements for publicly traded companies. It does, however, have data protection and other security requirements for the financial segments it directly regulates, including exchanges, brokers, financial advisers, and others.

This article appeared in CSO Online. To read the rest of the article please visit here.


Biden memo aims to bolster cybersecurity in national security…

A national security memorandum places new cybersecurity requirements for reporting and preventing security incidents involving sensitive national security systems.

United States President Joe Biden issued a 17-page National Security Memorandum (NSM) yesterday containing new cybersecurity requirements for national security systems (NSS). The memo’s purpose is to ensure that these more sensitive systems employ the same or more stringent cybersecurity measures spelled out for federal civilian systems in Biden’s comprehensive cybersecurity executive order issued in May 2021.

National security systems are information systems, including telecommunication systems, that involve intelligence or cryptologic activities related to national security, command and control of military forces, weapons systems, other activity critical to the direct fulfillment of military or intelligence missions, and classified information related to national defense or foreign policy. This latest effort to boost cybersecurity follows the order issued last May and an NSM for critical infrastructure owners, a directive to bolster pipeline cybersecurity, and several other actions by the administration to prioritize cybersecurity following a year of growing threats and attacks.

This article appeared in CSO Online. To read the rest of the article please visit here.

Russia-linked cyberattacks on Ukraine: A timeline

Cyber incidents are playing a central role in the Russia-Ukraine conflict. Here’s how events are unfolding along with unanswered questions.

On Saturday night, January 15, Microsoft shook the cybersecurity world with a report that destructive wiper malware had penetrated dozens of government, non-profit, and IT organizations in Ukraine. This news capped a week of mounting apprehension of cyberattacks in Ukraine that could presage or accompany a real-world Russian military invasion of the country.

Since January 11, several possibly interconnected developments related to Russia’s cybersecurity posture paint a complex and unclear portrait of what’s happening in Ukraine. The following is a timeline of these increasingly high-stakes developments:

January 11: U.S. releases cybersecurity advisory

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) released a joint cybersecurity advisory (CSA) providing an overview of Russian state-sponsored cyber operations. It covered commonly observed tactics, techniques and procedures. The advisory also provided detection actions, incident response guidance, and mitigations.

CISA also recommended that network defenders review CISA’s Russia Cyber Threat Overview and Advisories page for more information on Russian state-sponsored malicious cyber activity. The agencies seemingly released the CSA as part of an occasional series of joint cybersecurity advisories.

This article appeared in CSO Online. To read the rest of the article please visit here.

Tech sector embraces public-private collaboration on open-source software security

Participants in a White House meeting on securing open-source software expressed optimism for working effectively with government to help prevent Log4j-like events.

Hoping to foster improved security of open-source software, the White House hosted a meeting last week with some of the largest public and private users and maintainers of open-source software. Widely used open-source software “brings unique value, and has unique security challenges, because of its breadth of use and the number of volunteers responsible for its ongoing security maintenance,” the White House said.

The meeting was organized in December, shortly after a dangerous vulnerability in the Java-based logging utility Log4j emerged. That easy-to-exploit flaw has the potential to compromise hundreds of millions of machines globally. The FBI, the NSA and the Cybersecurity and Infrastructure Security Agency (CISA) quickly branded it as “a threat to organizations and governments everywhere.” In a letter inviting tech leaders to the meeting, National Security Advisor Jake Sullivan said that “open-source software is a key national security concern.”

The meeting included attendees from a wide range of government departments and agencies, including the Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, National Cyber Director Chris Inglis, and officials from the Office of the National Cyber Director, CISA, and the National Institute of Standards and Technology (NIST). Private sector participants included executives and top-level representatives from Akamai, Amazon, Apache Software Foundation, Apple, Cloudflare, Facebook (Meta), GitHub, Google, IBM, the Linux Foundation, OpenSSF, Microsoft, Oracle and RedHat.

This article appeared in CSO Online. To read the rest of the article please visit here.

CISA sees no significant harm from Log4j flaws but…

The U.S. cybersecurity agency can’t rule out that adversaries are using Log4j to gain persistent access to launch attacks later.

Officials at the U.S. Cybersecurity and Infrastructure Security Agency (CISA) say that despite initial fears of widespread compromise, they have yet to see significant harm stemming from a vulnerability in the Java-based Log4j logging utility that became public in December. They can’t rule out, however, that adversaries have already used the vulnerability to monitor targeted machines silently, biding their time for later attacks.

“We’ve been actively monitoring for threat actors looking to exploit” the vulnerability, and “at this time we have not seen the use in significant intrusions,” Jen Easterly, director of CISA, said at a press briefing. “Adversaries may be utilizing this vulnerability to gain persistent access that they could use in the future, which is why we are so focused on remediating the vulnerability across the country and ensuring that we are detecting any intrusions if and when they arise.”

However, the vulnerability has been exploited by threat actors in minor ways. “We are seeing some prevalence of what we would call low-level activities, such as installation of cryptomining and software installation of malware that could be used historically in botnets,” Eric Goldstein, CISA’s executive assistant director for cybersecurity, said.

This article appeared in CSO Online. To read the rest of the article please visit here.