Risk Management in the Enterprise: NIST SP 800-221 & NIST SP 800-221A

Information and Communications Technology (ICT) spans all tools, devices, data, infrastructure, and components, and it is a broad concept that continues to evolve. Enterprise Risk Management (ERM) programs should consider ICT risks alongside those in other risk disciplines, such as financial or legal, which consider the impact on mission and business objectives, strategic planning, and oversight. To aid in this endeavor, NIST is providing guidance, especially for executive decision-makers, risk officers, and those responsible for governance and risk management practices.

Today, NIST is issuing best practices on how to better integrate ICT risk programs into an overarching ERM portfolio, giving special attention to coordination and communication across risk programs. These resources will help ICT risk practitioners at all levels of the enterprise and across private and public sectors to better understand and practice ICT risk management in coordination with ERM.

These publications were developed in close collaboration with private and public sector experts. NIST appreciates and looks forward to further collaboration and feedback from the community. Questions or ideas? Reach out to us via [email protected].

NIST Publishes SP 800-140Br1 on CMVP Security Policy Requirements

The final version of NIST Special Publication (SP) 800-140Br1 (Revision 1), CMVP Security Policy Requirements: CMVP Validation Authority Updates to ISO/IEC 24759 and ISO/IEC 19790 Annex B, is now available.

This document introduces four significant changes to NIST SP 800-140B:

  1. Defines a more detailed structure and organization for the Security Policy
  2. Captures Security Policy requirements that are defined outside of ISO/IEC 19790 and ISO/IEC 24759
  3. Builds the Security Policy document as a combination of the subsection information
  4. Generates the approved algorithm table based on lab/vendor selections from the algorithm tests

This final version addresses the comments made on the initial and second public drafts, including concerns with the structure of the Security Policy and the process for creating it.

The NIST SP 800-140x series supports Federal Information Processing Standards (FIPS) Publication 140-3, Security Requirements for Cryptographic Modules, and its associated validation testing program, the Cryptographic Module Validation Program (CMVP). The series specifies modifications to ISO/IEC 19790 Annexes and ISO/IEC 24759 as permitted by the validation authority.


The NIST Phish Scale User Guide is Now Available!


The National Institute of Standards and Technology Human-Centered Cybersecurity program is pleased to announce the release of the NIST Phish Scale User Guide.  

The Phish Scale is a method designed to rate an email’s human phishing detection difficulty. It has been adopted by organizations globally to provide an additional metric in their phishing awareness training programs. Phishing training implementers, who run these programs, use the Phish Scale to provide context to the click rate and report rate results from their simulated phishing exercises. 

This Phish Scale User Guide is intended for use by practitioners and provides instructional step-by-step guidance on how to apply the Phish Scale in their phishing awareness training programs. It provides background and components of the NIST Phish Scale, detailed cue descriptions, interpretation of phish scale results, and an interactive NIST Phish Scale Worksheet to apply the Phish Scale to phishing emails.  

Email [email protected] with any questions. Learn more about the NIST Phish Scale and the Human-Centered Cybersecurity program’s phishing research.


Minimizing Harms and Maximizing the Potential of Generative AI

When social media platforms were first created, some companies had lofty goals of bringing people together.

To some extent, they succeeded. Social media has allowed people to connect. But it has also led to hate speech, violence, bullying, self-esteem issues in teenagers and other harms.

Decades into the social media era, it’s clear that new technologies come with both upsides and downsides.


NIST’s International Cybersecurity & Privacy Engagement Update

Our Cybersecurity Awareness Month may have come to a close at the end of October, but enhancing cybersecurity and engaging with our international partners to do so is at the forefront of our minds all year long.

Here are some updates on our international work:

  • Conversations have continued with our partners throughout the world on the update to the NIST Cybersecurity Framework (CSF) 2.0, and NIST hosted its final workshop on September 19 and 20 with in-person and hybrid attendance featuring international participation (via both speakers and panelists). While formal comments on the current Draft CSF 2.0 were due on November 6, please continue to provide us your valuable feedback.
  • NIST is also currently working with industry partners to amplify our international outreach — as an example…


Microsoft Security Virtual Training Day: Protect Data and Mitigate Risk

Identify, remediate, and limit data risks at Security Virtual Training Day: Protect Data and Mitigate Risk from Microsoft Learn. At this free event, you’ll learn how to secure data and reduce risks with Microsoft Purview Information Protection and risk management solutions. You’ll also explore how to manage data protection policies across your organization to help protect people and data against cyberthreats. You will have the opportunity to:

  • Manage and monitor data in new, comprehensive ways to help prevent data loss with Microsoft Purview.
  • Identify privacy risks and help protect personal data using Microsoft Priva.
  • Discover sensitive data and respond to inquiries efficiently with Microsoft Purview.

Join us at an upcoming two-part event:
December 04, 2023 | 12:00 PM – 2:45 PM | (GMT-05:00) Eastern Time (US & Canada)
December 05, 2023 | 12:00 PM – 2:30 PM | (GMT-05:00) Eastern Time (US & Canada)

Delivery Language: English
Closed Captioning Language(s): English

Microsoft.Source newsletter

Featured
  • Documentation: Announcing .NET 8. .NET releases are one of the many ways your .NET apps get better over time. .NET 8 is here, and it’s packed with updates that help you customize your development and app experience.

What’s New
  • Documentation: What’s new in .NET 8. Find out what is new for .NET developers across all workloads including cloud, mobile, desktop, web, AI, IoT, and so much more.
  • Video: On.NET weekly show. Join members from the .NET team each week as they host and interview amazing .NET contributors from the .NET team and the community.
  • Blog: Announcing Microsoft Playwright Testing Preview. Microsoft Playwright Testing enables faster test runs and broader scenario coverage, speeding up the delivery of features without sacrificing coverage.

Events
  • See local events.
  • On demand: Microsoft Ignite sessions are now available on demand. Catch up on the latest announcements on AI/Copilot advancements, demos, and insights into the trajectory of tech developments.
  • On demand: .NET Conf 2023 sessions available on demand. Celebrate the release of .NET 8! Watch on-demand sessions to catch up on all the latest features and functions.
  • Virtual: Global AI Conference 23 / Dec. 12, 2023 / Virtual. Jump into the worldwide livestream, check out a local conference in person, or chat and connect with AI experts on the Discord Channel.
  • Virtual: Microsoft for Startups: Discovery Day / Dec. 14 / Virtual. Learn about Microsoft for Startups Founders Hub and how to get started building on Azure and OpenAI for free.
  • Quantum Innovator webinar series / On demand. Get a firsthand account of the Microsoft strategy for scaled quantum computing.

Learning
  • Cloud Skills Challenge: Microsoft Ignite Cloud Skills Challenge. Validate your skills in real time and earn a new Microsoft Applied Skills credential. This special edition tests your skills across new innovations announced at Ignite.
  • Video: Visit the Microsoft Learn Exam Readiness Zone. In this video learning series, Microsoft experts provide tips, tricks, and strategies for preparing for a Microsoft Certification exam.
  • Video: Let’s Learn: .NET beginner video series. This monthly series will walk through the fundamentals of using C# and .NET for everyday living. Leave with something built together, live with experts.

Beware of Card Skimming This Holiday Shopping Season

The number of reported card skimming incidents increased 20 percent during the first half of 2023 compared to the same period in 2022. More specifically, New Jersey is one of several states with the most significant increases in skimming incidents, with at least a 50 percent year-over-year increase in incidents occurring during the first half of 2023. Based on this trend, the upcoming holiday shopping season means increased card skimming opportunities for threat actors to capture and steal customer data and financial information through various digital and physical realms, such as stores, restaurants, gas stations, and ATMs. Threat actors continue to seek out better methods to conceal their attacks and evade various security measures. This stolen data has severe consequences for consumers and businesses, including loss in revenue, legal damages, compliance issues, cross-site contamination, identity theft, fraud, and subsequent malicious activity.
Magecart attacks are a type of web-based data skimming operation used to capture customer payment card data from the checkout pages of online stores. These attacks are accomplished by gaining access to the targeted website (either directly or through a supply chain attack), injecting malicious JavaScript code into the checkout page to skim the desired data, and sending the information back to a threat actor-controlled server. Once payment card data is stolen, threat actors can use it to make fraudulent purchases or sell it on dark web or other marketplaces. These attacks continue to be prevalent, with a new campaign observed abusing 404 error pages and targeting many large organizations in the retail and food industries. Manipulating the website’s default 404 error page to hide malicious code is one of the more advanced obfuscation techniques seen to date and creates challenges for detection and mitigation. Similar to the recent uptick in Magecart attacks, the Kritec campaign is ramping up its activity in time for the holiday shopping season, based on the number of newly registered domain names attributed to the threat actor. In this skimming campaign, threat actors create compelling customized templates in local languages that make detection difficult.
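One defensive check that follows from the attack described above, as an added example that is not part of the newsletter: audit the scripts a checkout page loads against a known-good origin list, flagging inline script blocks, unlisted origins, and cross-origin scripts without Subresource Integrity (SRI). The allowlist and the sample HTML are constructed for illustration; the same audit can be run over the site's 404 page, since the newsletter notes skimmer code hidden there.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: origins this shop legitimately loads scripts from.
ALLOWED_ORIGINS = {"shop.example", "cdn.example"}

class ScriptCollector(HTMLParser):
    """Collects each <script> tag's attributes plus the size of any inline body."""
    def __init__(self):
        super().__init__()
        self.scripts, self._in_script = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))
            self._in_script = True
    def handle_data(self, data):
        if self._in_script and data.strip():  # script bodies may arrive in chunks
            cur = self.scripts[-1]
            cur["_inline_bytes"] = cur.get("_inline_bytes", 0) + len(data)
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

def audit_scripts(html, allowed_origins=ALLOWED_ORIGINS):
    """Return (kind, detail) findings; an empty list means the inventory matches the baseline."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for s in parser.scripts:
        src = s.get("src")
        if src is None:
            if s.get("_inline_bytes"):
                findings.append(("inline-script", f"{s['_inline_bytes']} bytes of inline code"))
        elif (host := urlparse(src).hostname) is None:
            pass  # same-origin relative path: covered by the site's own change control
        elif host not in allowed_origins:
            findings.append(("unexpected-origin", src))
        elif "integrity" not in s:
            findings.append(("missing-sri", src))
    return findings

# Constructed sample page: an SRI-pinned CDN script, a CDN script without SRI,
# a script from an unknown host, and an inline block.
SAMPLE_CHECKOUT_HTML = (
    '<script src="/static/checkout.js"></script>'
    '<script src="https://cdn.example/lib.js" integrity="sha384-PLACEHOLDER"></script>'
    '<script src="https://cdn.example/analytics.js"></script>'
    '<script src="https://static-cdn.invalid/x.js"></script><script>console.log("ok");</script>'
)
```

Run against a production snapshot, a non-empty result is a change to investigate, not proof of compromise; a legitimate deployment that adds a script should also update the allowlist.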
Card skimming is not limited to online transactions. Threat actors can discreetly install small card-reading devices in point-of-sale (POS) terminals to steal card information. These devices can be installed at stores, restaurants, and gas stations. This past year, the retailer Walmart has been a frequent target of card skimming at 16 different US locations. Also, skimming devices were found on two gas pumps at a Delaware BP gas station. Threat actors are also targeting ATMs, and the terminal types and locations of card compromises are shifting: non-bank ATMs at convenience stores and gas stations are becoming more prevalent targets than bank ATMs. In September 2023, skimming devices were discovered at an ATM inside a Wawa convenience store in Cinnaminson, NJ and may have been installed for two months prior to their discovery.

Risk-Based Approach to Vulnerability Prioritization

The Health Information Sharing and Analysis Center (Health-ISAC) has released a white paper on vulnerability management prioritization to provide insight into the different ways security teams can assess their organization’s level of risk against vulnerabilities while facing the challenge of addressing ongoing disclosures.
Network security teams are often encumbered with the ongoing release of vulnerabilities that are either publicly disclosed or identified as zero-days by vendors and security researchers. Each vulnerability’s severity and exploitability are expressed as a Common Vulnerability Scoring System (CVSS) score and, often, tracked under a Common Vulnerabilities and Exposures (CVE) number. This volume of information has proven cumbersome and, at times, can pose a conundrum to organizations concerning their vulnerability management capabilities.
The concept of prioritization in vulnerability management is significant as it helps to support effective mitigation and remediation strategies across different organizational capability levels. Prioritization is closely tied to an organization’s capability level, since it helps security teams communicate effectively with stakeholders, identify asset value, and develop remediation policies conducive to the continuity of business-critical systems. Prioritization is a process that spans all capability levels and allows security teams to properly allocate resources to address vulnerabilities whose severity exceeds the organization’s risk appetite.
The paper takes into consideration different factors that influence decisions in vulnerability management prioritization and provides comprehensive guidance on the application of well-known concepts used to maintain the confidentiality, integrity, and availability of enterprise systems. 
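The prioritization idea described above, reduced to code as an added example (not from the Health-ISAC paper): CVSS severity is weighted by asset criticality and known exploitation, and anything above the organization's risk appetite goes to the remediation queue. The weights, field names, the provisional score for an unscored zero-day, and the sample identifiers are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Finding:
    ident: str               # CVE id or internal tracking id (placeholders in the sample)
    asset: str
    asset_criticality: int   # 1 = low business impact .. 5 = business-critical
    cvss: Optional[float]    # CVSS base score 0.0-10.0; None for an unscored zero-day
    exploited: bool = False  # exploitation reported by a vendor or researchers

# Assumed provisional severity for a zero-day with no published CVSS score yet.
UNSCORED_ZERO_DAY_CVSS = 7.5
EXPLOITED_BUMP = 2.0         # assumed weight for confirmed exploitation

def risk_score(f: Finding) -> float:
    """Severity scaled by asset value (0-10), plus a bump if actively exploited."""
    severity = UNSCORED_ZERO_DAY_CVSS if f.cvss is None else f.cvss
    weighted = severity * (f.asset_criticality / 5)
    if f.exploited:
        weighted = min(10.0, weighted + EXPLOITED_BUMP)
    return round(weighted, 2)

def prioritize(findings, risk_appetite: float):
    """Split findings into (must_fix, accepted) by appetite, highest risk first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    must_fix = [f for f in ranked if risk_score(f) > risk_appetite]
    accepted = [f for f in ranked if risk_score(f) <= risk_appetite]
    return must_fix, accepted

# Constructed backlog; identifiers are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-00001", "payment-gateway", 5, 9.8),
    Finding("CVE-0000-00002", "hr-intranet", 2, 9.8),
    Finding("CVE-0000-00003", "vpn-concentrator", 4, 6.5, exploited=True),
    Finding("ZDAY-0001", "customer-db", 5, None),
    Finding("CVE-0000-00004", "test-lab-host", 1, 5.0),
]

if __name__ == "__main__":
    fix, accept = prioritize(SAMPLE_FINDINGS, risk_appetite=4.0)
    for f in fix:
        print(f"FIX     {f.ident:16} {f.asset:18} risk={risk_score(f)}")
    for f in accept:
        print(f"ACCEPT  {f.ident:16} {f.asset:18} risk={risk_score(f)}")
```

The two findings sharing a 9.8 CVSS score end up in different queues: the one on the payment gateway is fixed first, while the one on the low-value intranet host falls below the appetite threshold, which is the asset-value point the paper makes.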

StopRansomware: Royal Ransomware Update

This updated Joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are re-releasing this Joint Cybersecurity Advisory to add new TTPs, IOCs, and information related to Royal Ransomware activity.
Since September 2022, Royal has targeted over 350 known victims worldwide, and ransomware demands have exceeded 275 million USD. Royal conducts data exfiltration and extortion prior to encryption and then publishes victim data to a leak site if a ransom is not paid. Phishing emails are among the most successful vectors for initial access by Royal threat actors. There are indications that Royal may be preparing for a re-branding effort and/or a spinoff variant. Blacksuit ransomware shares a number of identified coding characteristics with Royal. A previous Joint Cybersecurity Advisory for Royal ransomware was published on March 2, 2023. This joint advisory provides updated IOCs identified through FBI investigations.
FBI and CISA encourage organizations to implement the recommendations in the mitigations section of this Joint Cybersecurity Advisory to reduce the likelihood and impact of ransomware incidents.