Open for Public Comment: NCCoE Releases Two Preliminary Drafts for Migration to Post Quantum Cryptography Project

This is an updated notification with the correct date.

The NIST National Cybersecurity Center of Excellence (NCCoE) has released two preliminary draft practice guides for the Migration to Post-Quantum Cryptography project for public comment. The comment period is open now through February 20, 2024.

NIST SP 1800-38B, Quantum Readiness: Cryptographic Discovery, is a preliminary draft offering (1) a functional test plan that exercises the cryptographic discovery tools to determine baseline capabilities; (2) a use case scenario to provide context and scope our demonstration; (3) an examination of the threats addressed in this demonstration; (4) a multifaceted approach to start the discovery process that most organizations can start today; and (5) a high-level architecture based on our use case that integrates contributed discovery tools in our lab.

NIST SP 1800-38C, Quantum Readiness: Testing Draft Standards for Interoperability and Performance, is a preliminary draft offering (1) identification of compatibility issues between quantum-ready algorithms, (2) resolution of compatibility issues in a controlled, non-production environment, and (3) reduction of time spent by individual organizations performing similar interoperability testing for their own PQC migration efforts.

About the Project

NIST’s NCCoE initiated the Migration to Post-Quantum Cryptography (PQC) project to share insights and findings to ease migration from current public-key cryptographic algorithms to soon-to-be standardized PQC algorithms.

Why migrate to PQC? PQC algorithms are being standardized because advances in quantum computing could enable the compromise of many of the cryptographic algorithms currently in wide use to protect digital information. Implementing PQC will protect digital information from attack by a cryptanalytically relevant quantum computer (CRQC) as well as by a cryptanalytically relevant classical computer.

Why did the NCCoE start this project? Previous initiatives to update or replace cryptographic algorithms in hardware, firmware, operating systems, communication protocols, cryptographic libraries, and applications employed in data centers on-premises or in the cloud and distributed compute, storage, and network infrastructures have taken many years. The NCCoE identified the need to bring together a collaborative team with expertise in cryptography to work together in the NCCoE PQC lab to perform cryptographic discovery and share what we have learned together as one means to reduce how long it will take an organization to achieve quantum readiness via PQC adoption.

Why should I read the Cryptographic Discovery publication? The publication assumes you are supporting your organization’s quantum readiness project, and you have a need for information to assess the risk of a CRQC to your organization. The information you need comes from discovery of where and how cryptographic products, algorithms, and protocols are used by your organization to protect the confidentiality and integrity of your organization’s important data and digital systems. This publication shares insights and findings about cryptographic discovery tools that may aid your progress.
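
As an added illustration of the triage step that follows discovery (example code written for this page, not from SP 1800-38B or any NCCoE lab tool): given an inventory of where public-key algorithms are in use, classify each entry as quantum-vulnerable, quantum-resistant, hybrid, or symmetric, and rank the vulnerable ones so the migration team sees confidentiality exposure first. The inventory rows, the classification tables, and the priority rules are assumptions of the example; the draft FIPS 203/204/205 names ML-KEM, ML-DSA, and SLH-DSA are used for the quantum-resistant class.

```python
"""Added example: triage a cryptographic inventory for quantum exposure.

Written for this page; not part of NIST SP 1800-38B or any NCCoE tool.
The inventory format and the tables below are assumptions of the example.
"""
import csv
import io

# Public-key algorithms whose security rests on factoring or discrete logs;
# Shor's algorithm on a CRQC breaks every one of them, at any key size.
SHOR_BROKEN = {"RSA", "DSA", "DH", "DHE", "ECDH", "ECDHE", "ECDSA",
               "EDDSA", "ED25519", "ED448", "X25519", "X448"}
# Draft FIPS 203/204/205 families; prefix match so ML-KEM-768 etc. count.
PQC_PREFIXES = ("ML-KEM", "ML-DSA", "SLH-DSA")
# Symmetric ciphers and hashes: Grover only halves effective key length,
# so these stay usable as long as the key is at least 128 bits.
SYMMETRIC = {"AES", "CHACHA20", "3DES", "SHA256", "SHA384", "SHA3-256", "HMAC"}


def classify(algorithm: str) -> str:
    """Map an algorithm label, including 'A+B' hybrids, to a migration class."""
    parts = [p.strip().upper() for p in algorithm.split("+") if p.strip()]
    if not parts:
        return "unknown"
    pqc = [p for p in parts if p.startswith(PQC_PREFIXES)]
    classical = [p for p in parts if p in SHOR_BROKEN]
    if pqc and classical:
        return "hybrid"          # safe unless both components fall
    if pqc:
        return "quantum-resistant"
    if classical:
        return "quantum-vulnerable"
    if parts[0] in SYMMETRIC:
        return "symmetric"
    return "unknown"             # surface it for a human to look at


def triage(inventory_csv: str) -> list:
    """Return the entries that need migration work, highest priority first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        cls = classify(row["algorithm"])
        bits = int(row["key_bits"] or 0)
        purpose = row["purpose"]
        if cls == "quantum-vulnerable":
            # Ciphertext recorded today can be decrypted once a CRQC exists, so
            # confidentiality uses (key exchange, encryption) outrank signatures,
            # which only matter once the adversary can forge in real time.
            priority = "high" if purpose in ("key-exchange", "encryption") else "medium"
        elif cls == "symmetric" and bits and bits < 128:
            priority = "medium"  # below the Grover floor; found by the same scan
        elif cls == "unknown":
            priority = "review"
        else:
            priority = "none"
        if priority != "none":
            findings.append({"host": row["host"], "protocol": row["protocol"],
                             "purpose": purpose, "algorithm": row["algorithm"],
                             "class": cls, "priority": priority})
    rank = {"high": 0, "medium": 1, "review": 2}
    findings.sort(key=lambda f: (rank[f["priority"]], f["host"]))
    return findings


# Constructed inventory, the kind of output a discovery tool would produce.
INVENTORY = """host,protocol,purpose,algorithm,key_bits
vpn.example.internal,IKEv2,key-exchange,DH,2048
api.example.internal,TLS1.3,key-exchange,X25519,256
api.example.internal,TLS1.3,signature,ECDSA,256
build.example.internal,SSH,signature,ED25519,256
archive.example.internal,at-rest,encryption,AES,128
legacy.example.internal,TLS1.2,encryption,3DES,112
pilot.example.internal,TLS1.3,key-exchange,X25519+ML-KEM-768,
"""

if __name__ == "__main__":
    for f in triage(INVENTORY):
        print(f"{f['priority']:<7} {f['host']:<26} {f['protocol']:<7} "
              f"{f['purpose']:<13} {f['algorithm']} ({f['class']})")
```

Running the block on the constructed inventory lists the two key-exchange entries first, then the signature and 3DES entries, and leaves the AES-128 and hybrid rows out of the work queue. The 3DES finding is not a quantum issue, but a discovery scan that already walks every algorithm in use is the natural place to catch it.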

Why should I read the Interoperability and Performance publication? The publication assumes you are supporting upgrading your use of quantum-vulnerable public-key cryptographic implementations, and you want to build your understanding of aspects of interoperability and performance for the soon-to-be standardized PQC algorithms to determine your approach for making your public-key cryptographic implementations quantum-resistant.

Submit Comments

The public comment period for both Migration to PQC preliminary drafts, 1800-38B and 1800-38C, closes on February 20, 2024.

  1. View the publications.
  2. Submit comments via the webform on the project page.
  3. Email questions to [email protected].

Why should I submit comments? We value and welcome your input on ways we can improve the publication and look forward to your comments.

Join the Community of Interest

If you would like to help shape this project, consider joining the NCCoE Migration to Post-Quantum Cryptography Community of Interest (COI) to receive the latest project news and updates!

Join here.


Microsoft Security Virtual Training Day: Security, Compliance, and Identity Fundamentals

Grow your skills at Security Virtual Training Day: Security, Compliance, and Identity Fundamentals from Microsoft Learn. At this free, introductory event, you’ll gain the security skills and training you need to create impact and take advantage of opportunities to move your career forward. You’ll explore the basics of security, compliance, and identity—including best practices to help protect people and data against cyberthreats for greater peace of mind. You’ll also learn more about identity and access management while exploring compliance management fundamentals. You will have the opportunity to:
  • Learn the fundamentals of security, compliance, and identity.
  • Understand the concepts and capabilities of Microsoft identity and access management solutions, as well as compliance management capabilities.
  • Gain the skills and knowledge to jumpstart your preparation for the certification exam.
Join us at an upcoming two-part event:
January 24, 2024 | 12:00 PM – 3:45 PM | (GMT-05:00) Eastern Time (US & Canada)
January 25, 2024 | 12:00 PM – 2:15 PM | (GMT-05:00) Eastern Time (US & Canada)

Delivery Language: English
Closed Captioning Language(s): English
 
REGISTER TODAY >

Managing Risk from Software Defined Networking Controllers

This National Security Agency (NSA) Cybersecurity Information Sheet is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cyber criminals.
Software Defined Networking (SDN) is a networking paradigm that enables enterprises to employ a centralized network management server to command and control network devices and control access to applications. This server is referred to as an SDN Controller (SDNC). Unlike traditional networks that require administrators to log in to each device, SDN allows administrators to scale device configuration and maintenance by only logging in to the SDNC to make changes to many devices at once. Often with little or no additional human interaction, SDN enables dynamic changes to switching and routing functions based on changing conditions detected in the network environment. Additionally, SDNCs may support integration with other servers and applications in an enterprise environment, typically via application programming interfaces (APIs). This integration can allow the SDNC to be part of an enterprise’s greater automation and orchestration effort.
The SDNC benefits enterprise network management due to its centralized nature, but it also brings risk and could become a high priority target for adversaries. The SDNC’s attack surface includes its management interface, the API it uses to communicate with other devices, the SDNC device itself, and the endpoints and switches that the SDNC manages. Malicious cyber actors could compromise these attack surfaces to perform management functions as if they were legitimate administrators, find sensitive configuration or authentication data, trick network devices into following a rogue SDNC’s commands, or misconfigure the SDNC or SDN environment.
Given the critical nature of the SDNC, it requires additional oversight to prevent both malicious activity as well as unintentional changes to the network. The purpose of this Cybersecurity Information Sheet is to describe mitigations for SDNC risks.

CISA Secure by Design Alert Urges Manufacturers to Eliminate Default Passwords

Today, CISA published guidance on How Manufacturers Can Protect Customers by Eliminating Default Passwords as a part of our new Secure by Design (SbD) Alert series.

This SbD Alert urges technology manufacturers to proactively eliminate the risk of default password exploitation by implementing principles one and three of the joint guidance, Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software:

  • Take ownership of customer security outcomes.
  • Build organizational structure and leadership to achieve these goals. 

By implementing these two principles in their design, development, and delivery processes, software manufacturers will prevent exploitation of static default passwords in their customers’ systems. CISA urges technology manufacturers to read and implement the guidance in this second SbD Alert in our new series that focuses on how vendor decisions can reduce harm at a global scale.
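
What eliminating a static default looks like in a product's own provisioning code, shown here as an added example rather than text from the alert: each unit gets a random password generated at manufacture, the device stores only a salted hash of it, a denylist refuses the well-known factory pairs outright, and the first successful login is forced to set a new password. The record layout, the denylist, and the length rule are this example's assumptions, not a vendor's or CISA's.

```python
"""Added example: per-unit credentials instead of a static factory default.

Illustration written for this page, not code from CISA or any vendor. The
record layout, denylist and password rules are assumptions of the example.
"""
import hashlib
import hmac
import secrets
import string

# Constructed denylist of the kind of static pairs the alert is about.
STATIC_DEFAULTS = {("admin", "admin"), ("admin", "password"),
                   ("root", "root"), ("admin", "1234")}
ALPHABET = string.ascii_letters + string.digits
PASSWORD_LEN = 16
MIN_USER_LEN = 12


def _hash(password: str, salt: bytes) -> bytes:
    # Memory-hard hash: a dumped config record does not yield the password.
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)


def provision(serial: str) -> tuple:
    """Run once per unit on the production line.

    Returns the cleartext password (printed on that unit's label) and the
    record written to the device, which holds only a salted hash plus a flag
    that forces a change on first login.
    """
    password = "".join(secrets.choice(ALPHABET) for _ in range(PASSWORD_LEN))
    salt = secrets.token_bytes(16)
    record = {"serial": serial, "username": "admin", "salt": salt,
              "hash": _hash(password, salt), "must_change": True}
    return password, record


def login(record: dict, username: str, password: str) -> str:
    """Return 'ok', 'change-required' or 'rejected'."""
    if (username, password) in STATIC_DEFAULTS:
        return "rejected"        # never honour a well-known factory pair
    if username != record["username"]:
        return "rejected"
    if not hmac.compare_digest(_hash(password, record["salt"]), record["hash"]):
        return "rejected"
    return "change-required" if record["must_change"] else "ok"


def set_password(record: dict, new_password: str) -> bool:
    """Replace the label password; refuse known defaults and short values."""
    if (record["username"], new_password) in STATIC_DEFAULTS:
        return False
    if len(new_password) < MIN_USER_LEN:
        return False
    record["salt"] = secrets.token_bytes(16)
    record["hash"] = _hash(new_password, record["salt"])
    record["must_change"] = False
    return True


if __name__ == "__main__":
    label_pw, rec = provision("SN-000123")
    print("label:", label_pw)
    print(login(rec, "admin", "admin"))                   # rejected
    print(login(rec, "admin", label_pw))                  # change-required
    print(set_password(rec, "correct-horse-battery"))     # True
    print(login(rec, "admin", "correct-horse-battery"))   # ok
```

The point of the per-unit password is that no single value unlocks a whole product line, and the point of the forced change is that the label value stops working as soon as the customer has taken ownership; the denylist is only a backstop for the case where a customer tries to put a factory default back.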

Key Risk and Vulnerability Findings for Healthcare and Public Health Sector

The Cybersecurity and Infrastructure Security Agency (CISA) has released a Cybersecurity Advisory detailing the agency’s key findings and activities during a Risk and Vulnerability Assessment (RVA) conducted at a healthcare and public health (HPH) organization in early 2023. Even though this advisory is based on HPH findings and activities, it provides mitigation strategies that are applicable to all organizations.
The CISA assessments team identified several findings as potentially exploitable vulnerabilities that could compromise the confidentiality, integrity, and availability of the tested environment. Tailored for HPH organizations of all sizes as well as for all critical infrastructure organizations, the advisory provides several recommended mitigations mapped to 16 specific cybersecurity weaknesses identified during the RVA. Also, the advisory provides three mitigation strategies that all organizations should implement:
  • Asset management and security
  • Identity management and device security
  • Vulnerability, patch, and configuration management
Each strategy has specific focus areas with details and steps on how HPH entities can implement them to strengthen their cybersecurity posture.
This advisory builds on the CISA and Health and Human Services Healthcare and Public Health Cybersecurity Toolkit and CISA’s Mitigation Guide for HPH Sector that were recently released. The recommended mitigations for network defenders are mapped to the Cross-Sector Cybersecurity Performance Goals (CPGs).
All HPH sector and other critical infrastructure organizations deploying on-premises software, as well as software manufacturers, are encouraged to apply the recommended mitigations to harden networks against malicious activity and to reduce the likelihood of domain compromise. 

Mobile Device Risks

According to the Verizon 2023 Mobile Security Index white paper, the number of diverse endpoints is increasing, especially those that are mobile or using mobile connectivity. Mobile devices offer users convenience, connection, control, and content, both personally and professionally. However, they transmit and store data and could be exploited by threat actors to compromise networks, devices, or accounts. Unpatched vulnerabilities in mobile devices increase the risk of compromised devices and cyberattacks. Additionally, mobile devices routinely connected to a home network can have further implications when subsequently connected to corporate networks and may introduce additional vulnerabilities and risks. Therefore, it is vital for users to employ cybersecurity best practices and ensure mobile devices currently in use are properly protected and secured.
The Open Web Application Security Project (OWASP) raises software security awareness and provides quality information regarding risks and vulnerabilities. OWASP posted an initial release of the top 10 mobile risks of 2023, including inadequate supply chain security, insecure authentication/authorization, insecure communication, inadequate privacy controls, and security misconfiguration. These risks are evident in the recent vulnerabilities highlighted below.
Security researchers discovered a credential-stealing vulnerability, dubbed AutoSpill, in the autofill functionality of Android password manager apps. The vulnerability applies when an Android app loads a login page in a WebView and a password manager autofills the credentials into it. Affected password managers include 1Password, LastPass, Enpass, Keeper, and Keepass2Android. Dashlane and Google Smart Lock are also affected if the credentials are shared via a JavaScript injection method. This vulnerability does not require phishing or malicious in-app code.
Additionally, vulnerabilities in Qualcomm and MediaTek 5G modems, collectively dubbed 5Ghoul, impact many 5G Android and Apple smartphone models, routers, and USB modems. Threat actors do not need the target’s SIM card, as the attack can occur before the NAS authentication step. Therefore, they can impersonate a legitimate 5G base station using known Cell Tower connection parameters and cause temporary service disruptions and network downgrades to the 4G domain, potentially introducing more vulnerabilities. These vulnerabilities highlight the implications for mission-critical environments dependent on cellular service.
Furthermore, a Bluetooth authentication bypass vulnerability, CVE-2023-45866, was discovered in the Bluetooth protocol. Threat actors trick Bluetooth devices into pairing with a fake keyboard to connect to Android, Apple, and Linux devices without user confirmation. They can then inject keystrokes to install apps, run malicious code, and more.
Zero-day exploits pose a significant security risk as threat actors take advantage of vulnerabilities in software or apps that may be unknown to the vendor. Threat actors exploit these vulnerabilities before the vendor can release security patches or updates. Zero-day exploits may bypass device security measures, potentially resulting in data theft and exfiltration or the installation of malware.
Threat actors may also employ zero-click attacks, which do not require user interaction such as opening malicious attachments or links. Instead, zero-click attacks rely on unpatched vulnerabilities in messaging, SMS, or email apps. These apps allow threat actors to hide manipulated data in text or images to exploit vulnerabilities and execute malicious code without the user’s knowledge.
A critical concern of unpatched vulnerabilities is data leakage, which refers to the unauthorized transmission of sensitive data from an organization to an external recipient. It is typically due to unencrypted connections, weak mobile security settings, or when apps have excessive permissions that permit access and share user data without consent. Data leakage exposes personal or corporate data, which leads to privacy breaches and regulatory implications.

Microsoft Security Virtual Training Day: Security, Compliance, and Identity Fundamentals

Grow your skills at Security Virtual Training Day: Security, Compliance, and Identity Fundamentals from Microsoft Learn. At this free, introductory event, you’ll gain the security skills and training you need to create impact and take advantage of opportunities to move your career forward. You’ll explore the basics of security, compliance, and identity—including best practices to help protect people and data against cyberthreats for greater peace of mind. You’ll also learn more about identity and access management while exploring compliance management fundamentals. You will have the opportunity to:
  • Learn the fundamentals of security, compliance, and identity.
  • Understand the concepts and capabilities of Microsoft identity and access management solutions, as well as compliance management capabilities.
  • Gain the skills and knowledge to jumpstart your preparation for the certification exam.
Join us at an upcoming two-part event:
January 8, 2024 | 12:00 PM – 3:45 PM | (GMT-05:00) Eastern Time (US & Canada)
January 9, 2024 | 12:00 PM – 2:15 PM | (GMT-05:00) Eastern Time (US & Canada)

Delivery Language: English
Closed Captioning Language(s): English
 
REGISTER TODAY >

Microsoft Security Virtual Training Day: Defend Against Threats and Secure Cloud Environments

Grow your skills at Security Virtual Training Day: Defend Against Threats and Secure Cloud Environments from Microsoft Learn. At this free event, you’ll learn to perform advanced hunting, detections, and investigations, and remediate security alerts with Microsoft Defender and Microsoft Sentinel. Using automated extended detection and response (XDR) in Microsoft Defender and unified cloud-native security information and event management (SIEM) through Microsoft Sentinel, you’ll learn to confidently perform investigations and remediations to help defend against threats. You will have the opportunity to:
  • Learn how to investigate, respond to, and hunt for threats using Microsoft Sentinel, Microsoft Defender for Cloud, and Microsoft 365 Defender.
  • Use Microsoft Defender for Cloud to perform cloud security posture management and to help protect cloud workloads.
  • Understand ways to help protect people and data against cyberthreats with Microsoft technologies.
Join us at an upcoming two-part event:
January 16, 2024 | 12:00 PM – 2:45 PM | (GMT-05:00) Eastern Time (US & Canada)
January 17, 2024 | 12:00 PM – 2:00 PM | (GMT-05:00) Eastern Time (US & Canada)

Delivery Language: English
Closed Captioning Language(s): English
 
REGISTER TODAY >

Critical Updates to NIST’s CUI Publications

Critical Updates to NIST’s CUI Publications: What You Need to Know

On January 10, 2024, from 1 p.m. to 2 p.m. EST, NIST will host a webinar to provide an overview of the significant changes in draft Special Publication (SP) 800-171r3 (Revision 3) and SP 800-171Ar3. This is the first time that NIST has concurrently released both the draft controlled unclassified information (CUI) security requirements and the draft CUI assessment procedures for public comment. 

During this webinar, the authors will:

  • Provide an overview of the significant changes in the final public draft of SP 800-171r3 and the initial public draft of SP 800-171Ar3
  • Describe the design principles and rationale behind the changes
  • Identify areas where NIST seeks additional and specific input
  • Share information about how to engage, provide feedback, and next steps
  • Take live audience Q&A

Capacity is limited so reserve your seat today!

Additionally, NIST is announcing an extension of the public comment period on both publications to January 26, 2024. See the SP 800-171 publication details and SP 800-171A publication details for a copy of each draft, additional resources, and instructions for submitting comments.

Please direct questions and comments to [email protected]

Recording Note: The event will be recorded, and audience Q&A or comments may be captured. The recorded event may be edited and rebroadcast or otherwise made publicly available by NIST. Slides will also be made available following the event.

NIST Cybersecurity and Privacy Program
Questions/Comments about this notice: [email protected]
CSRC Website questions: [email protected]

One Week Left to Submit Comments on Draft Insider Threat Analysis Work Role

NICE has proposed a new Work Role for addition to the NICE Workforce Framework for Cybersecurity (NICE Framework) and the comment deadline is quickly approaching! Please share your thoughts by email to [email protected] by December 22, 2023. Proposed Insider Threat Analysis Work Role:
As insider threats and their tactics have evolved to encompass network and digital assets, analysts with cybersecurity skills are required to examine and respond to those threats as part of an enterprise cybersecurity risk program. Codifying the Insider Threat Analysis Work Role in the NICE Framework supports learning and career pathways that help ensure that organizations are well equipped to address insider threats and manage cybersecurity risks. This proposed role includes a name, description, and Task, Knowledge, and Skill (TKS) statements. It also identifies the Work Role category this role would fall under. Review the proposed Work Role, Insider Threat Analysis (clicking the link downloads an XLSX file).
DON’T FORGET! REFACTORED TASK STATEMENTS ARE ALSO AVAILABLE FOR COMMENT
Proposed updates to the NICE Framework Task statements have also been announced. These updates include improvements that address consistency, clarity, and redundancy in alignment with the Task, Knowledge, Skill (TKS) Statements Authoring Guide for Workforce Frameworks. Comments on the proposed updates to Task statements are due by January 29, 2024. Read the Task Statement Summary of Updates and review the refactored Task statements (clicking the link downloads an XLSX file).
WE WANT TO HEAR FROM YOU!
All comments should be submitted by email to [email protected]. Take Action:
  • Submit comments to [email protected]
  • Join the NICE Framework Users Group to join community discussions
  • Visit the NICE Framework Resource Center for additional information