Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Cybersecurity Snapshot: Strengthen Identity and Access Management Security with New CISA/NSA Best Practices

Cybersecurity Snapshot: Strengthen Identity and Access Management Security with New CISA/NSA Best Practices

Learn about a new guide packed with best practices recommendations to improve IAM systems security. Plus, cybersecurity ranks as top criteria for software buyers. Also, guess who’s also worried about ChatGPT? Oh, and do you know what a BISO is? And much more! 

Dive into six things that are top of mind for the week ending March 24.

1 - Best practices to boost IAM security from CISA and NSA

Feel like your organization could boost the security of its identity and access management (IAM) systems? You might want to check out a guide published this week by the U.S. government titled “Identity and Access Management Recommended Best Practices Guide for Administrators.

Created by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA), the document seeks to help organizations better prevent, detect and respond to IAM attacks.

Specifically, CISA and the NSA offer IAM security best practices focused on five areas:

  • Proper, centralized, policy-based IAM governance that strengthens enterprise IT security and regulatory compliance
  • Techniques and methods to harden the IT environment and make it harder for threat actors to launch successful IAM attacks 
  • Implementation of identity federation and single sign-on, both of which beef up IAM security
  • Adoption of multi-factor authentication, which reduces the chances that bad actors will compromise user accounts
  • Establishment of effective IAM monitoring and auditing processes to make it easier to detect suspicious activity

Best practices to boost IAM security

For more information about IAM security, check out these Tenable resources:

2 - Study: Security is top of mind for software buyers 

Security is the main factor that U.S. businesses take into consideration when buying software It also plays a large part in their decision to stop using a software product. 

That’s according to the “Security Features Survey” released this week by Capterra, an online marketplace for software and tech services. The report is based on a survey of 289 respondents involved in their companies’ software purchasing process.

The report features interesting findings about how and why organizations assess the security features of cloud and on-prem software they’re considering for purchase, including:

  • Half of respondents rank security as the most important criteria when choosing a software product
  • 45% of surveyed organizations have stopped using a software product as a result of security concerns
  • The top “must have” security features are data backup capabilities, vendor security notifications, and in-transit and at-rest encryption

Security is top of mind for software buyers
The report also found that the use of two-factor authentication jumped from 64% in 2021 to 92% last year, and that software buyers are not only interested in traditional password-based authentication but also in emerging methods, including software tokens (52%), hardware tokens (40%) and biometric authentication (39%).

Moreover, many respondents said they place importance on product security certifications and security attestations from technology industry organizations like the Cloud Security Alliance and the Payment Card Industry, and from government agencies like the U.S. National Institute of Standards and Technology.

For more information about the importance of prioritizing strong security features in software-purchasing decisions:

3 - SEC wants securities market players to boost cybersecurity

The U.S. Securities and Exchange Commission has proposed new requirements for stronger cybersecurity measures and controls from participants in U.S. securities markets, including broker-dealers, clearing agencies and national securities exchanges.

SEC wants securities market players to boost cybersecurity

The SEC’s proposed new requirements for these organizations include:

  • Immediately inform the SEC via “written electronic notice” of any “significant” cybersecurity incident they suffer
  • Have and enforce written policies and procedures that address their cybersecurity risks
  • Review and assess the effectiveness of these policies and procedures at least annually

For more information, you can read the SEC’s announcement, fact sheet and the full proposed rule, as well as coverage and commentary from The Record, Security Magazine, Davis Polk, Retail Banker International and The Wall Street Journal.

4 - Ransomware threat against EU transport skyrockets in 2022

Transportation providers in the European Union experienced an upswing in ransomware, denial of service and supply chain attacks in 2022.

That’s according to the European Union Agency for Cybersecurity’s “ENISA Threat Landscape: Transport Sector” report, which was released this week.

The report analyzed cyber incidents targeting EU providers of aviation, maritime, railway and road transport between January 2021 and October 2022.

Main Threats to EU Transport Sector

Ransomware threat against EU transport skyrockets in 2022

(Source: “ENISA Threat Landscape: Transport Sector”, March 2023)

Overall for the 22 month-period, ransomware emerged as the main cyberthreat impacting transportation providers, accounting for 38% of incidents, followed by data-related attacks (30%).

Most cyberattacks against the transport sector were carried out by cybercriminals (55%) motivated by financial gain, followed by hacktivists (23%) seeking to effect political or social change.

Types of Cyberthreat Actors Targeting EU Transportation Organizations

Ransomware threat against EU transport balloons in 2022

(Source: “ENISA Threat Landscape: Transport Sector”, March 2023)

In terms of the highest impact of the cyberattacks, services ranked as the most affected (28%), followed by data (26%) and IT systems (18%). On a positive note, ENISA states that for the period covered, it didn’t receive any reliable report of a cyberattack compromising the safety of transport. 

ENISA also found that the majority of cyberattacks against transportation providers were aimed at their IT systems, while operational technology (OT) systems were “rarely targeted,” although the agency expects ransomware groups to “target and disrupt” OT operations “in the foreseeable future.”

For more information, you can read the full report and the report announcement, as well as coverage from The Record, Infosecurity Magazine, SecurityWeek and International Railway Journal

5 - OpenAI CEO worries about the potential to abuse ChatGPT

Add OpenAI’s chief executive to the ranks of people who feel uneasy about malicious uses of ChatGPT, his company’s ultra-famous generative AI chatbot, and of similar AI technologies.

In an interview last week with ABC News, Sam Altman expressed extreme optimism about artificial intelligence’s potential to benefit society, saying it can be “the greatest technology humanity has yet developed."

However, he conceded that he also worries about potential abuse. "I'm particularly worried that these models could be used for large-scale disinformation," Altman said. "Now that they're getting better at writing computer code, [they] could be used for offensive cyberattacks."

While Altman said OpenAI will continue to develop ChatGPT to prevent malicious uses of it, the generative AI chatbot has already reportedly been used to create malware, write phishing emails and spread falsehoods. And this week it was reported that a ChatGPT bug exposed the titles of some users' conversations with the chatbot.

For more information about cybersecurity concerns regarding ChatGPT and other generative AI tools like it, check out these Tenable blogs:

VIDEO

Anatomy of a Threat: GPT-4 and ChatGPT Used as Lure in Phishing Scams Promoting Fake OpenAI Tokens

6 - What’s a BISO? Do you need one?

In recent years, a new security executive role has emerged in enterprises and steadily gained traction: the BISO, or business information security officer. As the role continues to be discussed, more organizations may wonder if they’d benefit from hiring a BISO. Here are some resources to help you figure this out.

You can start with a well-researched feature story SecurityWeek published just last week titled “The Rise of the BISO in Contemporary Cybersecurity,” which examines how the role has evolved and includes interviews with various security leaders and with multiple BISOs themselves.

Next, you might want to check out a blog IANS Research posted also last week titled “Guidelines for the BISO Role,” which offers its explanation of what a BISO does – “connects the dots between the central security agenda and the various divisional CIOs” – and then dives deeper into the role’s responsibilities and desired skills, before providing a full-blown BISO job description.

Meanwhile, Cybersecurity Guide this week updated its “Business information security officer: A complete career guide” article, which, while aimed at folks interested in becoming BISOs, offers great insight into the potential value of the role for some organizations. Another good deep dive into the BISO role is CSO Online’s feature “The BISO: bringing security to business and business to security,” which ran earlier this year. 

To get a sense about the compensation BISOs command, you can check out this Glassdoor page about BISO salaries.

While it’s not exclusively about BISOs, a blog Tenable Chief Security Officer Robert Huber published in 2020 about the importance of aligning cybersecurity and business mentions the role, noting that “the vast majority of business-aligned organizations (80%) have a BISO or similar title.” 

You may also find these videos useful:

Business Information Security Officer: A Cybersecurity Secret Weapon (RSA Conference)

The Rise of the BISO Role (RSA Conference)

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training