NIST Unveils Newly Named Human-Centered Cybersecurity Program

The Human-Centered Cybersecurity program (formerly Usable Cybersecurity) is part of the Visualization and Usability Group at NIST. It was created in 2008, but we’ve known for quite some time that we needed to rename our program to better represent the broader scope of work we provide for the cybersecurity practitioner and IT professional communities. We made the decision to update the name to Human-Centered Cybersecurity to better reflect our new (but long-time practiced) mission statement, “championing the human in cybersecurity.” With our new name, we hope to highlight that usability still (and always) will be a very important focus for us, but it is just one component within the broader arena of work in which we specialize.  

Our multi-disciplinary team conducts research at the intersection of cybersecurity, human factors, cognitive science, and psychology…

What is the Digital Trust Practice Model? Join us for a webinar on 16 Oct.


Join the FREE Digital Trust virtual event on 16 October

The rapid growth and challenges in the digital ecosystem mean that organizations need to earn the trust of their customers, but how can organizations demonstrate they are doing everything right in a highly connected marketplace?

Join us for the free virtual Digital Trust event which takes place on Zoom on Monday 16 October 2023 from 14:00 BST (09:00 EDT / 15:00 CEST).

Further details and registration for this free event are available through the registration link. The Digital Trust Ecosystem Framework is a set of principles created by ISACA as a global standard to help individuals and organizations strengthen digital trust within their organization. The framework will help organizations focus on their individual goals as they build a structure that supports trust, agility and resilience.

This event is relevant to anyone who has a responsibility to safeguard customer data, such as security, risk, legal, compliance, communications, IT, marketing and operations. You will get the opportunity to gain perspectives from industry professionals and an opportunity to ask our world-leading experts questions.

Join us if you are interested in:
– Understanding the impact of Digital Trust on corporate risk
– Coming away being able to recall and understand the definition of Digital Trust
– Learning the recommended organizational strategies which earn the trust of your customers
– Meeting, networking and collaborating with peers in similar roles and with similar challenges

Registering will ensure you receive links to the event recording.

Vulnerability in Apple Products

A vulnerability has been discovered in Apple products which could allow for privilege escalation. Successful exploitation of this vulnerability could allow for privilege escalation in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Threat Intelligence
Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6.
Systems Affected
Versions of iOS before iOS 16.6
Risk
Government:
– Large and medium government entities: High
– Small government entities: Medium
Businesses:
– Large and medium business entities: High
– Small business entities: Medium
Home Users: Low
Technical Summary
A vulnerability has been discovered in Apple products which could allow for privilege escalation.
Recommendations
– Apply the stable channel update provided by Apple to vulnerable systems immediately after appropriate testing.
– Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
– Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc.
– Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
References
Apple:
https://support.apple.com/en-us/HT213961
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42824

Fact Sheet for Organizations Using Open-Source Software

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), and US Department of the Treasury are releasing this Joint Fact Sheet for senior leadership and operations personnel at operational technology (OT) vendors and critical infrastructure facilities. This fact sheet will assist with better management of risk from open source software (OSS) use in OT products and increase resilience using available resources. While several resources and recommendations within this fact sheet are best suited for execution by the vendor or the critical infrastructure owner, collaboration across parties will result in less friction for operator workflows and promote a safer, more reliable system and provision of National Critical Functions. This fact sheet aims to:
– Promote the understanding of OSS and its implementation in OT and industrial control systems (ICS) environments.
– Highlight best practices and considerations for the secure use of OSS in OT.
Critical infrastructure organizations using OSS in OT and ICS face heightened cybersecurity and safety concerns due to the potential far-reaching impacts of incidents and associated life safety implications. Applying generally applicable cyber hygiene practices, such as routinely updating software, can be challenging for organizations using OSS in OT and ICS applications.
All organizations are encouraged to review the Joint Fact Sheet and visit CISA’s new webpage, Securing Open Source Software in Operational Technology for more information.

Level up security organization-wide with the Be Cybersmart Kit

Build effective security practices at every level of your organization

Cybersecurity Awareness Month is here, and this is the perfect time to update security practices and educate employees about safeguarding your organization’s data and resources. The Be Cybersmart Kit includes a series of easy-to-understand infographics to share with your entire organization. Download the kit to:
– Learn how to defend your organization from common external and internal threats in Aware and Secure: Best practices to safeguard your business.
– Simplify training with a curated set of infographics designed for employees at all levels of your organization.
– Help teams improve their data and device security practices.
– Provide tips for identifying and avoiding tech support scams and phishing.

Microsoft Security Virtual Training Day: Protect Data and Mitigate Risk

Identify, remediate, and limit data risks at Security Virtual Training Day: Protect Data and Mitigate Risk from Microsoft Learn. At this free event, you’ll learn how to secure data and reduce risks with Microsoft Purview Information Protection and risk management solutions. You’ll also explore how to manage data protection policies across your organization to help protect people and data against cyberthreats. You will have the opportunity to:
– Manage and monitor data in new, comprehensive ways to help prevent data loss with Microsoft Purview.
– Identify privacy risks and help protect personal data using Microsoft Priva.
– Discover sensitive data and respond to inquiries efficiently with Microsoft Purview.
Join us at an upcoming two-part event:
November 6, 2023 | 12:00 PM – 2:45 PM | (GMT-05:00) Eastern Time (US & Canada)
November 7, 2023 | 12:00 PM – 2:30 PM | (GMT-05:00) Eastern Time (US & Canada)

Delivery Language: English
Closed Captioning Language(s): English

Microsoft Security Virtual Training Day: Security, Compliance and Identity Fundamentals

Grow your skills at Security Virtual Training Day: Security, Compliance, and Identity Fundamentals from Microsoft Learn. At this free, introductory event, you’ll gain the security skills and training you need to create impact and take advantage of opportunities to move your career forward. You’ll explore the basics of security, compliance, and identity, including best practices to help protect people and data against cyberthreats for greater peace of mind. You’ll also learn more about identity and access management while exploring compliance management fundamentals. You will have the opportunity to:
– Learn the fundamentals of security, compliance, and identity.
– Understand the concepts and capabilities of Microsoft identity and access management solutions, as well as compliance management capabilities.
– Gain the skills and knowledge to jumpstart your preparation for the certification exam.
Join us at an upcoming two-part event:
November 8, 2023 | 12:00 PM – 3:45 PM | (GMT-05:00) Eastern Time (US & Canada)
November 9, 2023 | 12:00 PM – 2:15 PM | (GMT-05:00) Eastern Time (US & Canada)

Delivery Language: English
Closed Captioning Language(s): English

Beware of Scammers Impersonating Charities to Solicit Donations

Cybercriminals often exploit the compassion and generosity of the public by conducting fraudulent schemes in the aftermath of events, such as the recent attacks on Israel that began on October 7. Individuals seeking to donate to relief efforts are targeted in charity scams initiated by threat actors using social engineering tactics through emails, SMS text messaging, phone calls, and direct messages via social media. They often create a sense of urgency and may impersonate reputable organizations. For example, phishing emails may contain display name spoofing to appear as a known or trusted charity and attempt to convince the potential donor to open an attachment or click a link directing them to a cloned or spoofed website impersonating the legitimate charity with the intent to steal sensitive information, user credentials, or relief funds.
Although many legitimate organizations call to solicit donations, potential donors are advised to take the time before donating to research the name of the charity properly, understand who they are and their cause, and where the funds are directed. Also, search the name of the charity to determine if there are any bad reviews, complaints, scams, or fraud associated with the charity. Credit card payments offer more consumer protections and are easier to track than payments of gift cards, wire transfers, cash, or cryptocurrency. Additionally, donations are not recommended through payment apps, such as Venmo, CashApp, or Zelle, as funds through these apps should be sent to known and familiar individuals such as family and friends.
Fraudulent charities or fundraising efforts may also be created to aid terrorist organizations. Traditional fiat currency is typically used for fraudulent fundraising and terrorist financial activity. However, Hamas is one of the first terrorist organizations to use cryptocurrency for fundraising efforts, and authorities recently froze cryptocurrency accounts used by Hamas to elicit donations for their operations.

CISA and NSA Release New Guidance on Identity and Access Management

CISA and the National Security Agency (NSA) published Identity and Access Management: Developer and Vendor Challenges, authored by the Enduring Security Framework (ESF), a CISA- and NSA-led working panel that includes a public-private cross-sector partnership. ESF aims to address risks that threaten critical infrastructure and national security systems.

This publication, which follows ESF’s Identity and Access Management Recommended Best Practices Guide for Administrators, assesses and addresses challenges developers and technology manufacturers face in identity and access management (IAM). The guidance specifically addresses technology gaps that limit the adoption and secure employment of multifactor authentication (MFA) and single sign-on (SSO) technologies within organizations.

Although the publication primarily addresses challenges facing large organizations, it also provides recommendations applicable to smaller organizations. CISA encourages cybersecurity defenders to review this guidance and to speak to their software vendors about implementing its recommendations.

NSA and CISA Release Advisory on Top Ten Cybersecurity Misconfigurations

Today, the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) released a joint cybersecurity advisory (CSA), NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations, which provides the most common cybersecurity misconfigurations in large organizations, and details the tactics, techniques, and procedures (TTPs) actors use to exploit these misconfigurations.

The misconfigurations in the CSA illustrate a trend of systemic weaknesses in many large organizations, including those with mature cyber postures, and highlight the importance of software manufacturers embracing secure-by-design principles to reduce the burden on network defenders. Read the Executive Assistant Director at CISA’s blog post on the “Urgency for Software Manufacturers to Incorporate Secure by Design Principles.”

Additionally, NSA and CISA encourage organizations to review the joint CSA for recommended steps and best practices to reduce the risk of malicious actors exploiting the identified misconfigurations. For more information on secure-by-design principles, visit Secure by Design and Security-by-Design and -Default.