
Tenable Blog



Cybersecurity Snapshot: 6 Things That Matter Right Now -- Sept 9

Topics that are top of mind for the week ending Sept. 9 | Software supply chain security in the spotlight. Guidance for evaluating IoT security tools. Increasing diversity in cybersecurity. Another look at the major cloud security threats. And much more!

1. U.S. government stresses software supply chain security

Developers got concrete guidance and specific recommendations for protecting their software supply chains via a 64-page document from the U.S. government. 

This new guide reflects lessons learned from recent major supply chain attacks, like the one against SolarWinds, and from the discovery of the Log4Shell vulnerability.

Attackers are increasingly targeting software development environments, commonly used frameworks and widely adopted libraries in order to compromise components of otherwise legitimate applications that are then distributed through trusted channels to customers.


Published by the Cybersecurity and Infrastructure Security Agency, the National Security Agency and the Office of the Director of National Intelligence, the document groups its recommendations into five main categories:

  • Secure product criteria and management, including:
    • Creating threat models of the products while in development and of their critical components
    • Defining and implementing security test plans
    • Establishing how vulnerabilities in the product will be handled throughout its lifecycle
  • Develop secure code, following principles like:
    • Least privilege
    • Fail-safe defaults
    • Open design
  • Verify third-party components through practices including:
    • Vulnerability analysis
    • Secure composition analysis
    • Source code evaluation
  • Harden the build environment with steps like:
    • Lock down all systems that interact with the development and build processes, and monitor them for data leakage
    • Use version control for pipeline configurations
    • Make sure all systems use multi-factor authentication
  • Deliver code safely through practices like:
    • Scan binaries with software composition analysis tools to ensure the integrity of the final build and create a software bill of materials (SBOM)
    • After receiving the build from the vendor, customers can perform their own scanning to ensure its safety and integrity

Alongside the guidance from these U.S. agencies, the Open Source Security Foundation released a best practice guide for securing npm, the largest package ecosystem that undergirds countless software projects. 

(Claire Tills, senior research engineer with Tenable's Security Response Team, contributed to this item.)


2. Guidance for testing IoT security products

The Anti-Malware Testing Standards Organization (AMTSO) has released a guide for helping security teams test and benchmark IoT security products, an area the non-profit group says is still in its infancy.

In providing its recommendations after gathering input from testers and vendors, the AMTSO noted that there are particular challenges involved in testing IoT security wares because these products:

  • Protect a wide variety of smart devices both for home and work, which complicates the setup of a test environment
  • Are used in smart devices that overwhelmingly run on Linux, so testers must use specific threat samples for their evaluations

The document focuses on areas including sample selection, determination of detection, test environments, specific security functionality assessment and performance benchmarking.


3. Consumer protection agency to businesses: Failure to protect customer data is illegal

Here’s yet another reminder to businesses that they can get into legal hot water if they don’t properly secure sensitive customer data.

The U.S. Consumer Financial Protection Bureau (CFPB) has issued a formal circular addressing this specific question: 

“Can entities violate the prohibition on unfair acts or practices in the Consumer Financial Protection Act (CFPA) when they have insufficient data protection or information security?”

Answer: Yes.

So what could be considered “insufficient” protection for this data? For example, organizations that lack:

  • Multi-factor authentication to protect access to the accounts of employees and customers
  • Adequate password management policies and practices
  • Timely patching of the software products they use

4. New efforts to increase diversity in cybersecurity

A couple of new initiatives are seeking to increase the number of women and of African Americans working as cybersecurity professionals.

The National Cybersecurity Alliance (NCA), a non-profit that promotes cybersecurity education and awareness, launched the Historically Black Colleges and Universities Career Program, in partnership with top HBCUs and cybersecurity organizations.

The NCA noted in its announcement that currently only 9% of cybersecurity professionals identify as black, and that there are about 715,000 unfilled cybersecurity roles in the U.S.

Meanwhile, a group of about 90 women working in leadership positions in cybersecurity formed The Forte Group, an advocacy and education non-profit whose mission is supporting current and future female leaders in cybersecurity.


5. Revisiting the CSA’s top cloud security threats

The Cloud Security Alliance published its “Top Threats to Cloud Computing” report earlier this summer, and every month it zooms in on each threat on its blog. So, as we prepare to welcome the fall, we thought it’d be good to refresh our memory and take another look at this list, which the CSA dubbed “the pandemic eleven.”

  1. Insufficient identity, credentials, access and key management
  2. Insecure interfaces and APIs
  3. Misconfiguration and inadequate change control
  4. Lack of cloud security architecture and strategy
  5. Insecure software development
  6. Unsecured third-party resources
  7. System vulnerabilities
  8. Accidental cloud data disclosure
  9. Misconfiguration and exploitation of serverless and container workloads
  10. Organized crime/hackers/APT
  11. Cloud storage data exfiltration


The CSA has so far published blog posts covering the first three threats on this list.


6. Quick takes

Check out this roundup of important vulnerabilities, trends, news and incidents.
