NIST Publishes Recommendations for Federal Vulnerability Disclosure Guidelines: NIST SP 800-216 Now Available

Internal and external reporting of security vulnerabilities in software and information systems owned or utilized by the Federal Government is critical to mitigating risk, establishing a robust security posture, and maintaining transparency and trust with the public. Formalizing actions to accept, assess, and manage vulnerability disclosure reports can help reduce known security vulnerabilities and exposures.

NIST Special Publication (SP) 800-216, Recommendations for Federal Vulnerability Disclosure Guidelines, describes a flexible, unified framework for establishing policies and implementing procedures for reporting, assessing, and managing vulnerability disclosures for systems within the Federal Government. Per the Internet of Things Cybersecurity Improvement Act of 2020 (Public Law 116-207) and in alignment with ISO/IEC 29147 and ISO/IEC 30111, these guidelines address:

  • The establishment of a federal vulnerability disclosure framework, including the Federal Coordination Body (FCB) and Vulnerability Disclosure Program Offices (VDPOs)
  • The receipt of information about potential security vulnerabilities in information systems owned or controlled by a government agency
  • The dissemination of information about security vulnerability resolutions to government agencies and the public

NIST led this government-wide effort in coordination with other agencies, including the Office of Management and Budget (OMB), the Department of Defense (DoD), and the Department of Homeland Security (DHS). Please contact sp800-216-comments@nist.gov with any questions.

Read More

The NCCoE Buzz: The Benefits of Mobile Device Management

The NCCoE Buzz: Mobile Security Edition is a recurring email on timely topics in mobile device cybersecurity and privacy from the National Cybersecurity Center of Excellence’s (NCCoE’s) Mobile Device Security project team.

What is it?

Mobile devices allow employees to conveniently do their work from home, at the office, or on the go. While this provides flexibility and convenience, it could expose an organization to potential threats. Managing mobile devices’ security and device health is vital to minimizing an organization’s risk posture. Mobile device management (MDM), sometimes included within a unified endpoint management (UEM) solution, is an enterprise tool that allows organizations to secure mobile devices that are used to access organizational resources. An employee’s personal or corporate-owned device can be enrolled into an MDM solution to apply enterprise configurations, manage enterprise applications, and enforce compliance with enterprise policies.

How does it work?

Mobile devices connect to the MDM solution via an application running on the device. Enterprise administrators use the MDM product to manage and enforce policies on connected devices. If a device is found out of compliance with a policy, an organization can enforce a compliance action. Another common use for an MDM solution is installing and managing applications on the device that will be used for work. For example, the MDM can install an email application that is pre-configured with the user’s work login.

How does it address security and privacy concerns?

The main goal behind using an MDM solution is to ensure that devices are in a more secure state before allowing access to corporate resources. These policies can specify certain privacy- and security-enhancing configurations, such as requiring a passcode to unlock the device or preventing data loss by restricting copy/paste/screenshot capabilities.

In addition, privacy-preserving mechanisms are built into both the MDM and the devices themselves to limit unnecessary exposure of employees’ personal information. For example, when personal devices are used for work (i.e., bring your own device, or “BYOD”), the device has built-in mechanisms to ensure that personal and work data are completely separate, and that work applications cannot access any personal information on the device, such as pictures or SMS messages.

What can you do?

Download our SP 1800-21 and 1800-22 guides to learn more about mobile device management and other mobile device security and privacy capabilities, including how these solutions can strengthen the security and privacy of your enterprise environment.

The NCCoE Mobile Device Security Team
NIST Cybersecurity and Privacy Program
Questions/Comments about this notice: mobile-nccoe@nist.gov
NCCoE Website questions: nccoe@nist.gov

#StopRansomware Guide

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) published an updated version of the #StopRansomware Guide, as ransomware actors have accelerated their tactics and techniques since its initial release in 2020. The update incorporates lessons learned from the past two years and includes additional recommended actions, resources, and tools to maximize its relevancy and effectiveness and to further help reduce the prevalence and impacts of ransomware.

The #StopRansomware Guide serves as a one-stop resource to help organizations reduce the risk of ransomware incidents through best practices to detect, prevent, respond, and recover, including step-by-step approaches to address potential attacks. The authoring organizations recommend that entities review this joint guide to prepare and protect their facilities, personnel, and customers from the impacts of ransomware and data exfiltration. For more information and to access the latest resources about how to stop ransomware, please visit stopransomware.gov.
This joint guide was developed through the Joint Ransomware Task Force (JRTF), an interagency collaborative effort to reduce the prevalence and impact of ransomware attacks. JRTF was established by Congress in 2022 and is co-chaired by CISA and FBI. For additional information about the JRTF, please visit CISA’s newly launched Joint Ransomware Task Force webpage.

NICE Webinar: Community-Based Partnerships for Cybersecurity

Synopsis

The Department of Commerce’s workforce development agenda is guided by a set of best practices and principles that values workforce investments. These workforce investments are employer-led to connect skilled workers to quality job opportunities, guided by multiple community partners such as educational institutions and economic development organizations, and lead to stackable, industry-recognized credentials. Cybersecurity workforce needs exist in every sector of the economy; therefore, cross-sector and community-supported partnerships must align with the skill needs of industries in the regional or local economy. This webinar will explore the foundations for creating multistakeholder, community-based partnerships that can lead to good jobs in cybersecurity.

Register here

Microsoft Azure Virtual Training Day: Fundamentals

Build skills that help you create new technology possibilities and explore foundational cloud concepts at Azure Virtual Training Day: Fundamentals from Microsoft Learn. Join us for this free training event to expand your knowledge of cloud models and cloud service types. You’ll also review Azure services focused on computing, networking, and storage. You will have the opportunity to:

  • Understand the value of the shared responsibility model between consumers and cloud providers.
  • Identify the tools and services that can help you manage, secure, and stay compliant across your Azure cloud ecosystem and in on-premises, hybrid, and multicloud environments.
  • See how to use Azure services to rapidly expand your cloud footprint while maintaining data security and privacy.

Join us at an upcoming two-part event:
Delivery Language: English
Closed Captioning Language(s): English

14th and 15th June
11:00 AM – 1:45 PM
11:00 AM – 2:00 PM
(GMT-08:00) Pacific Time (US & Canada)

26th and 27th June
10:00 AM – 12:45 PM
10:00 AM – 1:00 PM
(GMT-05:00) Eastern Time (US & Canada)

Visit the Microsoft Virtual Training Days website to learn more about other event opportunities.

Cloud Native Infrastructure with Microsoft Azure

Take full advantage of the flexibility and scalability of the cloud with a modern cloud-native infrastructure. Read the O’Reilly e-book, Cloud Native Infrastructure with Azure, to learn how to adapt your applications early in the design phase to get the most out of the cloud. Plus, get best practices for how to use, deploy, and maintain cloud-native technology components effectively with Azure.

Read the e-book to learn how to:

  • Build and manage cloud-native applications.
  • Determine the right technology for different infrastructure design stages.
  • Anticipate challenges you may face while managing and operating cloud-native infrastructure and learn about technologies that can help you overcome them.

Go here to register to get the free book.

Invitation to the Azure Cosmos DB Roadshow Series: Empower Your Skills in the AI Era

Join other Software Architects and Technical Decision Makers, Microsoft technical experts, and partners to discuss and learn how to reimagine data strategies for cloud-native, intelligent apps. This two-day event will offer technical insights, share real-world success stories, and dive into the technical underpinnings of robust data strategies for modern applications built in the cloud.

Our Azure Cosmos DB team will be visiting the following cities:

Your options over the two days include:

  • Leading in the age of Intelligent Apps Strategy Workshop: Get an update from data experts from Microsoft. Use this as an opportunity to ask questions and explore strategies for powering modern apps with scalable and high-performance cloud data using Azure Cosmos DB.
  • Azure Cosmos DB for NoSQL technical workshop (2-day workshop): Join technical experts who will work with you to dive deep into the how of building modern apps with cloud-scale data using Azure Cosmos DB. This is a combination of instruction and hands-on labs.
  • Azure Cosmos DB for PostgreSQL technical workshop: Join technical experts who will work with you to dive deep into the how of building modern apps with cloud-scale data using Azure Cosmos DB. This is a combination of instruction and hands-on labs.
  • Whiteboarding 1:1 session

Critical Privilege Escalation in Essential Addons for Elementor Plugin Affecting 1+ Million Sites

This blog post is about the Essential Addons for Elementor plugin vulnerability. If you’re an Essential Addons for Elementor user, please update the plugin to at least version 5.7.2.

The security vulnerability in Essential Addons for Elementor

This plugin suffers from an unauthenticated privilege escalation vulnerability that allows any unauthenticated user to escalate their privilege to that of any user on the WordPress site.

It is possible to reset the password of any user as long as the attacker knows their username, which makes it possible to reset the administrator’s password and log in to that account. The vulnerability exists because the plugin’s password reset function does not validate a password reset key and instead directly changes the password of the given user. The described vulnerability was fixed in version 5.7.2 and assigned CVE-2023-32243.
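To make the defect class concrete, here is an added example (not the plugin’s code and not taken from the linked post) of a hypothetical WordPress AJAX reset handler in its weak form beside its hardened form: the weak one changes the password of whichever username the caller names, while the hardened one only resets after `check_password_reset_key()` confirms the key WordPress issued for that login. Handler and action names are illustrative.

```php
<?php
// Hypothetical WordPress password-reset handlers (added example, not the
// plugin's code). Function names, action names and POST field names are made up.

// WEAK: trusts the caller's claim about who they are. Anyone who knows a
// username can set that account's password, which is the bug pattern above.
function example_weak_reset_handler() {
    $login    = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) );
    $new_pass = (string) wp_unslash( $_POST['new_password'] ?? '' );
    $user     = get_user_by( 'login', $login );
    if ( ! $user ) {
        wp_send_json_error( 'unknown user' );
    }
    reset_password( $user, $new_pass ); // no reset key, no nonce, no ownership proof
    wp_send_json_success();
}

// HARDENED: the password changes only if the request carries the reset key
// that WordPress generated and emailed for this login, plus a valid nonce.
function example_hardened_reset_handler() {
    check_ajax_referer( 'example_reset_nonce', 'nonce' ); // rejects forged requests
    $login    = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) );
    $key      = sanitize_text_field( wp_unslash( $_POST['reset_key'] ?? '' ) );
    $new_pass = (string) wp_unslash( $_POST['new_password'] ?? '' );

    // check_password_reset_key() returns a WP_User only when the key matches the
    // stored hash for that login and has not expired; otherwise it returns WP_Error.
    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        // Same generic message for unknown user, wrong key and expired key,
        // so the endpoint does not confirm which usernames exist.
        wp_send_json_error( 'invalid or expired reset key' );
    }
    if ( strlen( $new_pass ) < 12 ) {
        wp_send_json_error( 'password too short' );
    }
    reset_password( $user, $new_pass ); // also invalidates the used reset key
    wp_send_json_success();
}

// Only the hardened handler is wired up; the weak one exists for comparison.
add_action( 'wp_ajax_nopriv_example_reset', 'example_hardened_reset_handler' );
add_action( 'wp_ajax_example_reset', 'example_hardened_reset_handler' );
```

When reviewing a plugin’s reset flow, the question to ask is whether a branch exists in which reset_password() is reached without a successful check_password_reset_key() (or equivalent proof of ownership) on the same login.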

To read the full story go here

NCCoE Seeks Collaborators for New DevSecOps Project

Become a Collaborator on the NCCoE Software Supply Chain and DevOps Security Practices Project

The National Cybersecurity Center of Excellence (NCCoE) has issued a Federal Register Notice (FRN) inviting industry participants and other interested collaborators to participate in the Software Supply Chain and DevOps Security Practices project. This NCCoE DevSecOps project will focus on developing and documenting an applied risk-based approach and recommendations for DevSecOps practices.

There are two ways to join the NCCoE for this project:

  • Become an NCCoE Collaborator – Collaborators are members of the project team that work alongside the NCCoE staff to build the demonstration by contributing products, services, and technical expertise.
  • Get Started Today – If you are interested in becoming an NCCoE collaborator for the Software Supply Chain and DevOps Security Practices project, first review the requirements identified in the Federal Register Notice. To become a collaborator, visit the project page to see the final project description and request a Letter of Interest (LOI) template; you will then receive a link to download the LOI template. Complete the LOI template and send it to the NCCoE DevSecOps team at devsecops-nist@nist.gov.
  • Join our Community of Interest – By joining the NCCoE DevSecOps Community of Interest (COI), you will receive project updates and the opportunity to share your expertise to help guide this project. Request to join our DevSecOps COI by visiting our project page.

If you have any questions, please contact our project team at devsecops-nist@nist.gov.

Project Page 

Multiple Vulnerabilities in Apple Products

Multiple vulnerabilities have been discovered in Apple Products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Threat Intelligence

Apple is aware of a report that CVE-2023-32367 may have been actively exploited.

Systems Affected

  • Safari prior to 16.5
  • iOS prior to 16.5
  • iPadOS prior to 16.5
  • watchOS prior to 9.5
  • tvOS prior to 16.5
  • macOS Big Sur prior to 11.7.7
  • macOS Monterey prior to 12.6.6
  • macOS Ventura prior to 13.4

Risk

Government:
  • Large and medium government entities: High
  • Small government entities: High
Businesses:
  • Large and medium business entities: High
  • Small business entities: High
Home Users: Low

Technical Summary

Multiple vulnerabilities have been discovered in Apple Products, the most severe of which could allow for arbitrary code execution.

Recommendations

  • Apply the stable channel update provided by Apple to vulnerable systems immediately after appropriate testing.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
  • Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.
References

Apple:
https://support.apple.com/en-us/HT213757
https://support.apple.com/en-us/HT213758

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23542 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27931 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27940 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27945 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28191 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28204 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32352 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32354 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32355 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32357 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32360 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32369 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32372 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32376 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32384 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32386 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32388 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32389 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32390 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32391 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32392 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32395 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32397 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32399 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32400 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32402 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32403 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32404 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32407 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32408 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32409 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32410 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32411 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32414  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32415 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32423