
Cybersecurity Snapshot: 6 Things That Matter Right Now -- Sept 9

Topics that are top of mind for the week ending Sept. 9 | Software supply chain security in the spotlight. Guidance for evaluating IoT security tools. Increasing diversity in cybersecurity. Another look at the major cloud security threats. And much more!

1. U.S. government stresses software supply chain security

Developers got concrete guidance and specific recommendations for protecting their software supply chains via a 64-page document from the U.S. government. 

This new guide reflects lessons learned from recent major supply chain attacks, like the one against SolarWinds, and from the discovery of the Log4Shell vulnerability.

Attackers are increasingly targeting software development environments, commonly used frameworks and widely adopted libraries in order to compromise components of otherwise legitimate applications that are then distributed through trusted channels to customers.


Published by the Cybersecurity and Infrastructure Security Agency, the National Security Agency and the Office of the Director of National Intelligence, the document groups its recommendations into five main categories:

  • Secure product criteria and management, including:
    • Creating threat models of the products while in development and of their critical components
    • Defining and implementing security test plans
    • Establishing how vulnerabilities in the product will be handled throughout its lifecycle
  • Develop secure code, following principles like:
    • Least privilege
    • Fail-safe defaults
    • Open design
  • Verify third-party components through practices including:
    • Vulnerability analysis
    • Secure composition analysis
    • Source code evaluation
  • Harden the build environment with steps like:
    • Lock down all systems that interact with the development and build processes, and monitor them for data leakage
    • Use version control for pipeline configurations
    • Make sure all systems use multi-factor authentication
  • Deliver code safely through practices like:
    • Scan binaries with software composition analysis tools to ensure the integrity of the final build and create a software bill of materials (SBOM)
    • After receiving the build from the vendor, customers can perform their own scanning to ensure its safety and integrity
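The last two items describe a two-sided check: the vendor records what went into the final build, and the customer independently confirms that what arrived matches. The script below is an added illustration of that exchange, not code from the government guide, from Tenable or from any SBOM tool. It assumes only a minimal subset of the CycloneDX JSON format (the `components`, `hashes` and `properties` fields); the artifact bytes, component names and versions are constructed stand-ins for real binaries.

```python
import hashlib
import json

# Constructed stand-ins for the files a vendor ships; a real delivery would be binaries on disk.
SAMPLE_ARTIFACTS = {
    "app/server.bin": b"\x7fELF constructed server binary v1.4.2",
    "lib/libparser.so": b"\x7fELF constructed parser library v0.9.1",
}

# Constructed component metadata the build pipeline records for each artifact.
SAMPLE_COMPONENTS = [
    {"name": "server", "version": "1.4.2", "path": "app/server.bin"},
    {"name": "libparser", "version": "0.9.1", "path": "lib/libparser.so"},
]


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (the algorithm CycloneDX names 'SHA-256')."""
    return hashlib.sha256(data).hexdigest()


def build_sbom(components, artifacts) -> str:
    """Vendor side: emit a minimal CycloneDX-style SBOM as JSON text, listing each
    component with its version, its path inside the delivery and a SHA-256 hash."""
    bom = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "components": [
            {
                "type": "library",
                "name": c["name"],
                "version": c["version"],
                "properties": [{"name": "path", "value": c["path"]}],
                "hashes": [{"alg": "SHA-256", "content": sha256_hex(artifacts[c["path"]])}],
            }
            for c in components
        ],
    }
    return json.dumps(bom, indent=2)


def verify_build(sbom_json: str, artifacts) -> dict:
    """Customer side: recompute every hash from the delivered files and sort the
    SBOM's components into ok / tampered / missing. Files that were delivered but
    are absent from the SBOM are reported as 'unlisted' so they get reviewed too."""
    bom = json.loads(sbom_json)
    result = {"ok": [], "tampered": [], "missing": [], "unlisted": []}
    listed_paths = set()
    for comp in bom["components"]:
        path = next(p["value"] for p in comp["properties"] if p["name"] == "path")
        listed_paths.add(path)
        expected = next(h["content"] for h in comp["hashes"] if h["alg"] == "SHA-256")
        if path not in artifacts:
            result["missing"].append(comp["name"])
        elif sha256_hex(artifacts[path]) != expected:
            result["tampered"].append(comp["name"])
        else:
            result["ok"].append(comp["name"])
    result["unlisted"] = sorted(set(artifacts) - listed_paths)
    return result


if __name__ == "__main__":
    sbom = build_sbom(SAMPLE_COMPONENTS, SAMPLE_ARTIFACTS)
    print(verify_build(sbom, SAMPLE_ARTIFACTS))  # everything ok
    delivered = dict(SAMPLE_ARTIFACTS)
    delivered["lib/libparser.so"] = b"\x7fELF constructed parser library, altered in transit"
    print(verify_build(sbom, delivered))  # libparser reported as tampered
```

The hash check only has value if the SBOM itself reaches the customer over a channel the attacker cannot rewrite alongside the build (for example signed, or fetched separately from the artifact bundle); otherwise a tampered build would simply ship with a matching tampered SBOM. The `unlisted` bucket is the cheap half of the check that is often skipped: a file that was never in the bill of materials is exactly the kind of addition a compromised build environment would introduce.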

Alongside the guidance from these U.S. agencies, the Open Source Security Foundation released a best practice guide for securing npm, the largest package ecosystem that undergirds countless software projects. 

(Claire Tills, senior research engineer with Tenable's Security Response Team, contributed to this item.)


2. Guidance for testing IoT security products

The Anti-Malware Testing Standards Organization (AMTSO) has released a guide for helping security teams test and benchmark IoT security products, an area the non-profit group says is still in its infancy.

In providing its recommendations after gathering input from testers and vendors, the AMTSO noted that there are particular challenges involved in testing IoT security wares because these products:

  • Protect a wide variety of smart devices both for home and work, which complicates the setup of a test environment
  • Are used in smart devices that overwhelmingly run on Linux, so testers must use specific threat samples for their evaluations

The document focuses on areas including sample selection, determination of detection, test environments, specific security functionality assessment and performance benchmarking.


3. Consumer protection agency to businesses: Failure to protect customer data is illegal

Here’s yet another reminder to businesses that they can get into legal hot water if they don’t properly secure sensitive customer data.

The U.S. Consumer Financial Protection Bureau (CFPB) has issued a formal circular addressing this specific question: 

“Can entities violate the prohibition on unfair acts or practices in the Consumer Financial Protection Act (CFPA) when they have insufficient data protection or information security?”

Answer: Yes.

So what could be considered “insufficient” protection for this data? For example, organizations that lack:

  • Multi-factor authentication to protect access to the accounts of employees and customers
  • Adequate password management policies and practices
  • Timely patching of the software products they use

4. New efforts to increase diversity in cybersecurity

A couple of new initiatives are seeking to increase the number of female and African American cybersecurity professionals.

The National Cybersecurity Alliance (NCA), a non-profit that promotes cybersecurity education and awareness, launched the Historically Black Colleges and Universities Career Program, in partnership with top HBCUs and cybersecurity organizations.

The NCA noted in its announcement that currently only 9% of cybersecurity professionals identify as black, and that there are about 715,000 unfilled cybersecurity roles in the U.S.

Meanwhile, a group of about 90 women working in leadership positions in cybersecurity formed The Forte Group, an advocacy and education non-profit whose mission is supporting current and future female leaders in cybersecurity.


5. Revisiting the CSA’s top cloud security threats

The Cloud Security Alliance published its “Top Threats to Cloud Computing” report earlier this summer, and every month it zooms in on each threat on its blog. So, as we prepare to welcome the fall, we thought it’d be good to refresh our memory and take another look at this list, which the CSA dubbed “the pandemic eleven.”

  1. Insufficient identity, credentials, access and key management
  2. Insecure interfaces and APIs
  3. Misconfiguration and inadequate change control 
  4. Lack of cloud security architecture and strategy 
  5. Insecure software development
  6. Unsecured third-party resources
  7. System vulnerabilities 
  8. Accidental cloud data disclosure
  9. Misconfiguration and exploitation of serverless and container workloads
  10. Organized crime/hackers/APT
  11. Cloud storage data exfiltration


You can check out the blogs about the first three threats here, here and here.


6. Quick takes

Check out this roundup of important vulnerabilities, trends, news and incidents.
