Decision to Revise NIST SP 800-38A

NIST to Revise SP 800-38A, Recommendation for Block Cipher Modes of Operation: Methods and Techniques

In May 2021, NIST’s Crypto Publication Review Board initiated a review process for the following two publications, and received public comments:

  • NIST Special Publication (SP) 800-38A, Recommendation for Block Cipher Modes of Operation: Methods and Techniques (December 2001)
  • NIST SP 800-38A Addendum, Three Variants of Ciphertext Stealing for CBC Mode (October 2010)

In March 2022, the board proposed revising SP 800-38A and converting the SP 800-38A Addendum by merging it into the revised SP 800-38A, and received additional comments on that proposed decision.

NIST has decided to revise SP 800-38A and to convert the SP 800-38A Addendum. See the full announcement for more details, links to comments received, and ways to monitor future developments such as the Third NIST Workshop on Block Cipher Modes of Operation 2023, scheduled for October 3-4, 2023.

Read More

Register Now for the NCCoE Supply Chain Assurance Community

One Week Left to Register for the NCCoE Supply Chain Assurance Community of Interest Update

Date/Time: Wednesday, May 3, 2023 | 2:00-3:00 PM ET

Next week, the National Cybersecurity Center of Excellence (NCCoE) Supply Chain Assurance team will host a webinar update to discuss the finalized NIST Special Publication 1800-34, Validating the Integrity of Computing Devices.

Organizations are increasingly at risk of cyber supply chain compromise, whether intentional or unintentional. Managing these risks requires ensuring the integrity of the cyber supply chain and its products and services. This practice guide demonstrates how organizations can verify that the internal components of the computing devices they acquire are genuine and have not been unexpectedly altered or tampered with.

Join the NCCoE Supply Chain Assurance team to discuss the following topics:

  • Project Overview
  • Lessons Learned/Takeaways
  • NCCoE DevSecOps Presentation
  • Next Steps/Q&A

If you have any questions that you would like to submit in advance for the Q&A session, please send them via email to our team at supplychain-nccoe@nist.gov.

Event Page

Healthy security habits to fight credential breaches: Cyberattack Series

Here is a post from Microsoft

Fifty percent of Microsoft cybersecurity recovery engagements relate to ransomware,[1] and 61 percent of all breaches involve credentials.[2] In this second report in our ongoing Cyberattack Series, we look at the steps taken to discover, understand, and respond to a push-bombing request that targeted a legitimate user, allowing an attacker to authenticate and register their own mobile device.

Credential-based attacks begin with the process of stealing or obtaining credentials illegitimately. Often attackers target individuals who they believe have the credentials they need, then conduct social and dark web research on them. Phishing emails and websites created to target corporate targets only need to succeed once to gain credentials that can be sold to and shared with other bad actors.

Push-bombing is when an attacker uses a bot or script to trigger multiple access attempts with stolen or leaked credentials. The attempts trigger a rush of push notifications to the target user’s device, which should be denied. But multiple attempts can confuse a target and cause them to mistakenly allow authentication. Other times, multifactor authentication fatigue can weigh on the target, causing them to believe the access attempts are legitimate. Just one mistaken “allow” is all it takes for an attacker to gain access to an organization’s applications, networks, or files.

On average, people receive between 60 and 80 push notifications each day, with some of us viewing more than 200.[3] The time it takes to swipe, tap, flag, click, save, and close every ding, buzz, pop-up, text, and tab takes a toll. Researchers believe the onslaught of notifications is causing us to get tired faster and lose focus, leaving us especially prone to distraction as the day wears on.[4] This is what attackers count on. If an attacker gains the credentials to operate like a registered, legitimate user, identifying the intrusion and tracing their possible paths of destruction becomes paramount.
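The pattern the report describes, a burst of rejected or unanswered MFA prompts followed by a single approval, is something a defender can look for directly in sign-in telemetry. The following is an added example and not code from the Microsoft report; the log line format, the field names (mfa=, src=), the ten-minute window and the threshold of three unapproved prompts are constructed assumptions, and the sample events are invented.

```python
"""Flag MFA push-bombing patterns in sign-in logs.

Added example, not from the Microsoft report. The line format, field names
and thresholds are assumptions chosen for illustration, not a vendor schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: timestamp, user, MFA outcome, source address.
# "denied" = user rejected the push, "timeout" = no response, "approved" = allowed.
# Lines are deliberately not in time order; the detector sorts them.
SAMPLE_LOG = """\
2023-04-25T08:01:02Z alice@example.com mfa=approved src=203.0.113.10
2023-04-25T23:14:05Z bob@example.com mfa=denied src=198.51.100.7
2023-04-25T23:14:31Z bob@example.com mfa=denied src=198.51.100.7
2023-04-25T23:15:02Z bob@example.com mfa=timeout src=198.51.100.7
2023-04-25T23:15:40Z bob@example.com mfa=denied src=198.51.100.7
2023-04-25T23:16:12Z bob@example.com mfa=approved src=198.51.100.7
2023-04-25T09:30:00Z carol@example.com mfa=denied src=192.0.2.44
2023-04-25T17:45:00Z carol@example.com mfa=approved src=192.0.2.44
"""

UNAPPROVED = {"denied", "timeout"}


def parse_event(line):
    """Parse one constructed log line into a dict with a datetime timestamp."""
    ts, user, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "mfa": fields["mfa"],
        "src": fields.get("src", ""),
    }


def detect_push_bombing(log_text, window=timedelta(minutes=10), threshold=3):
    """Return findings for users who receive `threshold` or more unapproved
    pushes inside `window`, and separately for an approval that follows such
    a burst (the single mistaken "allow" the report warns about)."""
    events = sorted(
        (parse_event(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    recent = defaultdict(deque)  # user -> timestamps of unapproved pushes in window
    alerted = set()              # users already reported for the current burst
    findings = []
    for ev in events:
        user, q = ev["user"], recent[ev["user"]]
        # Drop prompts that fell out of the sliding window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["mfa"] in UNAPPROVED:
            q.append(ev["ts"])
            if len(q) >= threshold and user not in alerted:
                alerted.add(user)
                findings.append({"kind": "burst", "user": user,
                                 "count": len(q), "ts": ev["ts"].isoformat()})
        elif ev["mfa"] == "approved":
            if len(q) >= threshold:
                # Highest severity: the user approved after a flood of prompts.
                findings.append({"kind": "approved_after_burst", "user": user,
                                 "count": len(q), "ts": ev["ts"].isoformat()})
            q.clear()
            alerted.discard(user)
    return findings


if __name__ == "__main__":
    for f in detect_push_bombing(SAMPLE_LOG):
        print(f"{f['ts']} {f['kind']:<22} {f['user']} unapproved_pushes={f['count']}")
```

In a real deployment the "approved_after_burst" finding is the one to page on, since it marks the moment an attacker may have registered a device; the "burst" finding alone is a good trigger for a soft response such as a temporary sign-in block or number-matching enforcement for that account. Carol's lone denial hours before her approval falls outside the window and is correctly ignored.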

Late last year, a large enterprise customer asked Microsoft Incident Response to investigate an incursion into their on-premises Active Directory environment. Due to the risk of ongoing threats and the need for continued vigilance, the organization and attacker will be kept anonymous for this incident, and we will refer to it as “the inCREDible attack.” This credential-based incident highlights the critical need for establishing healthy habits in our security maintenance processes to combat the regular, repeated, and overwhelming credential attacks faced by today’s organizations.

In this report, we examine the factors contributing to the threat actor’s initial incursion and explore what could have happened without prompt, tactical mitigation efforts. Then we detail the required work streams, recommended timing, and activities involved with regaining control and establishing a plan going forward. We’ll also explore four core steps customers can take to “eat their vegetables” and establish healthy habits that help minimize the risk of attack. And then we share five elements of a defense-in-depth approach that can help businesses maintain a robust defense against ransomware attacks.

Many attacks can be prevented—or at least made more difficult—through the implementation and maintenance of basic security controls. Organizations that “eat their vegetables” can strengthen their cybersecurity defenses and better protect against attacks. That means establishing a solid inventory of all technology assets, continually patching operating systems and software, and implementing comprehensive centralized log collection—all while following a well-defined retention policy. Read the report to go deeper into the details of the push-bombing attack, including the response activity, and lessons that other organizations can learn from this inCREDible case.

What is the Cyberattack Series?

With this Cyberattack Series, customers will discover how Microsoft incident responders investigate unique and notable exploits. For each attack story, we will share:

  • How the attack happened
  • How the breach was discovered
  • Microsoft’s investigation and eviction of the threat actor
  • Strategies to avoid similar attacks

Read the first blog in the Cyberattack Series, Solving one of NOBELIUM’s most novel attacks.

[1] Microsoft Digital Defense Report 2022, Microsoft, 2022.

[2] 2022 Data Breach Investigation Report, Verizon, 2022.

[3] Batching smartphone notifications can improve well-being, Nicholas Fitz et al., December 2019.

[4] Phone Notifications are Messing with your Brain, Molly Glick, April 29, 2022.

WWT 2022

WWT isn’t a physical telescope — it’s a suite of free and open source software and data sets that combine to create stunning scientific visualizations and stories. While WWT started out as a standalone Windows application, it’s evolved into a powerful astronomy visualization toolkit that you can use on the desktop, in the browser, and from Python. To learn more, visit the WWT homepage.

An “edition” is a coordinated release of the many software and data components that comprise the WWT ecosystem. This edition homepage covers:

NIST Releases Draft NIST IR 8460

NIST Releases Draft NIST IR 8460: State Machine Replication and Consensus with Byzantine Adversaries

Most applications on the internet are run by centralized service providers that are a single point of failure: if the provider crashes or is malicious, users may lose access to the application, or it may return erroneous or inconsistent results. Consensus algorithms and state machine replication enable a set of mutually distrusting parties to emulate a centralized service in a fault-tolerant and distributed manner. Although the study of these algorithms began in the 1980s, research has accelerated dramatically since the advent of Bitcoin in 2008.

NIST announces the release of draft NIST IR 8460, State Machine Replication and Consensus with Byzantine Adversaries, which is now available for public comment. This document provides a survey on consensus algorithms, state machine replication, and distributed ledger technology for readers who already possess a high-level understanding of distributed ledgers, such as that provided by NIST IR 8202, Blockchain Technology Overview. After introducing the properties of these systems, the models they operate in, and the subprotocols used to implement them, this document provides a detailed look at many of the most prominent permissioned and permissionless algorithms in the literature with a focus on performance and security considerations. Finally, a variety of related topics are discussed, including state machine design, interoperability, scalability mechanisms such as sharding and “layer 2” technologies, and how incentives can impact system security.

The public comment period is open through September 1, 2023. See the publication details for a copy of the draft and instructions for submitting comments.

Read more here

NIST small business webinars

Celebrate National Small Business Week with the NCCoE! 

NIST’s National Cybersecurity Center of Excellence (NCCoE) will be hosting two virtual events during National Small Business Week (April 30–May 6, 2023) as part of its NCCoE Learning Series. The webinars will feature new and existing NIST small business resources and will give attendees the opportunity to share ideas, ask questions, and engage with NIST subject matter experts. View and register below:


Overview of the NIST Small Business Cybersecurity Corner

Date: Tuesday, May 2, 2023

Time: 2:00–2:45 PM (ET)

Event Description:

Join us on May 2, 2023 for a 30-minute overview of the NIST Small Business Cybersecurity Corner. We’ll not only provide an overview of the resources currently available on the site, but also give attendees an opportunity to say what resources they want to see there. Additionally, attendees will be introduced to the new NIST Small Business Community of Interest, which will convene companies, trade associations, and others who can share business insights, expertise, challenges, and perspectives to guide our work and help NIST better meet the cybersecurity needs of the small business community.

Register Here

Data Analytics for Small Businesses: How to Manage Privacy Risks

Date: Thursday, May 4, 2023

Time: 3:00–3:45 PM (ET)

Event Description:

Data analytics are being promoted as a method to help small businesses increase innovation, enhance customer experience, save money, and improve their brand. If your small business is using data analytics—whether in-house or relying on a service provider to do it for you—it is important to be aware of the privacy implications of these activities.

Join us for an interactive discussion about how to manage privacy risks associated with data analytics.

During the webinar we will cover:

  • A brief introduction to data analytics
  • Common privacy risks that arise from data analytics practices
  • Tips to help you meet your privacy objectives
  • Resources for enhancing privacy risk management within your small business

Register Here

Abuse of the Service Location Protocol May Lead to DoS Attacks

The Service Location Protocol (SLP, RFC 2608) allows an unauthenticated remote attacker to register arbitrary services. This could allow an attacker to use spoofed UDP traffic to conduct a denial-of-service (DoS) attack with a significant amplification factor.

Researchers from Bitsight and Curesec have discovered a way to abuse SLP—identified as CVE-2023-29552—to conduct high amplification factor DoS attacks using spoofed source addresses.

As noted by Bitsight, many SLP services visible on the internet appear to be older and likely abandoned systems. Administrators should consider disabling SLP or restricting network access to SLP servers. Some organizations, such as VMware, have evaluated CVE-2023-29552 and provided a response; see VMware Response to CVE-2023-29552 – reflective Denial-of-Service (DoS) amplification vulnerability in SLP for more information. CISA urges organizations to review Bitsight’s blog post for more details and to see CISA’s article Understanding and Responding to Distributed Denial-of-Service Attacks for guidance on reducing the likelihood and impact of DoS attacks.

Update on the Revision of NIST SP 800-66, Implementing the HIPAA Security Rule

NIST to Finalize Special Publication (SP) 800-66 Revision 2 and Collaborate on Resources for Small, Regulated Entities 

For the past 18+ months NIST, in collaboration with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), has been working to update NIST Special Publication (SP) 800-66, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide, from Revision 1 to Revision 2.

Thank you to all who provided feedback during the open comment period; in total, over 250 unique comments were received from dozens of individuals and organizations. Many commenters suggested that more resources be developed for small, regulated entities. We agree and anticipate follow-on work in this area—but we can’t do it alone and plan to work collaboratively with other agencies, entities, and colleagues to produce useful resources (stay tuned for more information about this in the coming months).

NIST and OCR are still in the process of carefully adjudicating the comments received. Once all comments are adjudicated, NIST plans to publish a blog or whitepaper detailing the proposed changes to SP 800-66 Rev. 2 (with the goal being to publish a final version of SP 800-66 Rev. 2 later this year).

Thank you for the opportunity to share this update. Reach out with any questions or comments via sp800-66-comments@nist.gov (and follow us on Twitter via @NISTcyber and subscribe to our Cybersecurity Insights blog to stay updated in the future).

To read more go here

NIST Cybersecurity Framework 2.0 Core DRAFT

Feedback Appreciated | NIST CSF 2.0 Core – Discussion Draft

NIST is updating the Cybersecurity Framework (CSF) which is widely used to help organizations better understand, manage, reduce, and communicate cybersecurity risks. This recently released CSF 2.0 Core discussion draft identifies the potential Functions, Categories, and Subcategories (also called cybersecurity outcomes) of the NIST CSF 2.0 Core.

This draft Core is preliminary and is intended to increase the overall transparency of the CSF update process, while also provoking discussion about improvements to potential changes to the CSF. Progress updates about NIST’s CSF 2.0 effort, as well as ways to engage, FAQs, and resources can be found on the NIST CSF 2.0 webpage.

Feedback on this Core discussion draft can be submitted via cyberframework@nist.gov at any time and will inform the NIST CSF 2.0 Draft, which is anticipated this summer.

Read the draft Here


Getting started with the CDMC framework – Microsoft’s guide to cloud data management

It provides a checklist for regulators and auditors

Organizations need confidence that their sensitive data is properly protected, no matter where it resides. However, too many businesses have to contend with the lack of a common language for discussing requirements for cloud data management—the CDMC framework provides this. Certification allows organizations to balance data sovereignty controls with generating business value from their data, wherever it resides. Most importantly, certification assures regulators that privacy laws are being followed for data such as:

  • Personally Identifiable Information.
  • Personal Health Information.
  • Company- or client-identifiable information.
  • Material Non-public Information.
  • Information with sensitivity classifications, such as “Highly Restricted” or “Confidential.”
  • Critical data elements used for business processes.
  • Licensed data.

To read the Full Article go Here