I was presented with a Lifetime Achievement Award at SECON NJ at Kean University by Ken Fisken, president of the ISC2 New Jersey Chapter. To say I was shocked is an understatement; I am very honored to be the recipient of this honor. As I say, if all of us would give back to the community one hour, think how much better the world would be.
There is an incorrect and widespread assumption that hardware is inherently secure. However, this report documents numerous potential security failures that can occur in hardware. It also demonstrates the diverse ways in which hardware can be vulnerable.
The authors leveraged existing work on hardware weaknesses to provide a catalog of 98 security failure scenarios. Each of these is a succinct statement that describes how hardware can be exploited, where such an exploitation can occur, and what kind of damage is possible. This should raise awareness of the many types of hardware security issues that can occur.
The public comment period for this initial public draft is open through July 31, 2024. See the publication details for a copy of the draft and instructions for submitting comments.
Cloud-native applications, which are generally built on a microservices architecture, involve the governance of thousands of services with as many inter-service calls. In this environment, ensuring data security involves more than simply specifying and granting authorization during service requests. It also requires a comprehensive strategy to categorize and analyze data access and leakage as data travels across various protocols (e.g., gRPC, REST-based), especially within ephemeral and scalable microservices implemented as containers.
Hence, in addition to techniques for protecting data at rest (e.g., regular expressions), it has become essential to develop in-transit data categorization that performs real-time data analysis to actively monitor and secure data as it moves across services and network protocols. This IR outlines a practical framework for effective data protection using the capabilities of WebAssembly (WASM) — a platform-agnostic, in-proxy approach with compute and traffic processing capabilities (in-line, network traffic analysis at layers 4–7) that can be built and deployed to execute at native speed in a sandboxed and fault-tolerant manner.
The public comment period for this initial public draft is open through August 1, 2024. See the publication details for a copy of the draft and instructions for submitting comments.
NIST requests feedback on all aspects of these publications. Additionally, NIST would appreciate feedback on the guidance for CMAC and CCM authentication tag lengths. Currently, both publications recommend a minimum tag length of 64 bits.
Should these publications require that the authentication tags for CMAC and CCM meet a minimum threshold, such as 64 bits or more?
If not, what conditions/requirements on implementations should be specified for the use of shorter authentication tags for CMAC and CCM?
The public comment period is open through September 13, 2024. Comments may address the concerns raised in this announcement or other issues around security, implementation, clarity, risk, or relevance to current applications.
Send comments to [email protected] with “Comments on SP 800-38B” or “Comments on SP 800-38C” in the subject.
Comments received in response to this request will be posted on the Crypto Publication Review Project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed. See the project site for additional information about the review process.
Build the skills you need to create new opportunities and accelerate your understanding of Microsoft Cloud technologies at a free Microsoft 365 Virtual Training Day from Microsoft Learn. Join us at Prepare Your Organization for Microsoft Copilot for Microsoft 365 to learn how to implement AI to help ignite creativity, enhance productivity, and strengthen computing and collaboration skills. You’ll learn about the capabilities of Copilot, including how it works, how to configure it, and how to set it up for more powerful searches. You’ll also explore how Copilot works with Microsoft Graph—and your existing Microsoft 365 apps—to provide intelligent, real-time assistance.
You will have the opportunity to:
– Understand the key components of Copilot for Microsoft 365 and how it works.
– Learn how to extend Copilot with plugins.
– Get guidance on completing the necessary Copilot technical and business requirements to prepare for implementation.
– Learn how to assign Copilot licenses, prepare your organization’s Microsoft 365 data for Copilot searches, and create a Copilot Center of Excellence.
Join us at an upcoming Prepare Your Organization for Microsoft Copilot for Microsoft 365 event:
June 28, 2024 | 12:00 PM – 2:00 PM | (GMT-05:00) Eastern Time (US & Canada)
Delivery Language: English
Closed Captioning Language(s): English
Build the skills you need to create new opportunities and accelerate your understanding of Microsoft Cloud technologies at a free Microsoft 365 Virtual Training Day from Microsoft Learn. Join us at Microsoft 365 Fundamentals to learn how to simplify the adoption of cloud services while supporting strong security, compliance, privacy, and trust. Also, discover how applications such as Microsoft Teams and Microsoft Viva help improve productivity, facilitate collaboration, and optimize communications. After completing this training, you’ll be eligible to take the Microsoft 365 Fundamentals certification exam at 50% off the exam price.
You will have the opportunity to:
– Find out how the productivity, collaboration, and endpoint management capabilities of Microsoft 365 empower people to stay connected and get more done across hybrid environments.
– Discover how Microsoft 365 security, compliance, and identity solutions help secure an entire digital estate, simplify compliance, and reduce risk.
– Explore the pricing models, licensing, and billing options available to meet the needs of your organization.
Join us at an upcoming two-part Microsoft 365 Fundamentals event:
June 20, 2024 | 12:00 PM – 3:30 PM | (GMT-05:00) Eastern Time (US & Canada)
June 21, 2024 | 12:00 PM – 4:00 PM | (GMT-05:00) Eastern Time (US & Canada)
Delivery Language: English
Closed Captioning Language(s): English
Azure Network Security | Azure Firewall Integration in Microsoft Copilot for Security
Wednesday June 12, 2024 | 8:00AM – 9:00AM (PST, Redmond Time)
Description: The Azure Firewall integration in Copilot helps analysts perform detailed investigations of the malicious traffic intercepted by the IDPS feature of their Firewalls across their entire fleet using natural language questions in the Copilot for Security standalone experience. Join this webinar to see a live demo of the feature and learn more about what’s to come in the future!
Presenter(s):
Microsoft Defender for Cloud | Shift Left with Microsoft Defender for Cloud
Thursday June 13, 2024 | 8:00AM – 9:00AM (PST, Redmond Time)
Description: Learn how to shift security left and work with developers to secure cloud native applications with Defender for Cloud.
Presenter(s):
Multiple vulnerabilities have been discovered in PHP, which could allow for remote code execution. PHP is a programming language originally designed for use in web-based applications with HTML content. Successful exploitation could allow for remote code execution in the context of the affected service account. Depending on the privileges associated with the service account, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured with fewer user rights on the system could be less impacted than those that operate with administrative user rights.
Threat Intelligence
Open-source reports have stated that proof-of-concept exploits are available for CVE-2024-4577.
Systems Affected
PHP versions: 5 – 8.3.7
Risk
Government:
– Large and medium government entities: High
– Small government entities: Medium
Businesses:
– Large and medium business entities: High
– Small business entities: Medium
Home Users: Low
Recommendations
– Apply appropriate patches provided by PHP to vulnerable systems immediately after appropriate testing.
– Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc.
– Apply the Principle of Least Privilege to all systems and services.
– Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
– Block execution of code on a system through application control and/or script blocking.
– Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
NIST has released three self-guided online introductory courses on the NIST Special Publication (SP) 800-53 security and privacy control catalog, the SP 800-53A control assessment procedures, and SP 800-53B control baselines. The courses provide a high-level overview of foundational security and privacy risk management concepts based directly on their respective NIST Special Publications.
Assessing Security and Privacy Controls Introductory Course
Based on SP 800-53A, Assessing Security and Privacy Controls in Information Systems and Organizations, the course covers the methodology for assessing the SP 800-53 controls. The material also explains the structure of the assessment procedures and assessment objectives.
Control Baselines Introductory Course
Based on SP 800-53B, Control Baselines for Information Systems and Organizations, the course provides an overview of the security and privacy control baselines and guidance for tailoring security and privacy control baselines.
The U.S. Small Business Administration is celebrating National Small Business Week from April 28 – May 4, 2024. This week recognizes and celebrates the small business community’s significant contributions to the nation. Organizations across the country participate by hosting in-person and virtual events, recognizing small business leaders and change-makers, and highlighting resources that help the small business community more easily and efficiently start and scale their businesses.
To add to the festivities, this NIST Cybersecurity Insights blog showcases the NIST Cybersecurity Framework 2.0 Small Business Quick Start Guide, a new resource designed to help the small and medium-sized business (SMB) community begin to manage and reduce their cybersecurity risks. You’ve worked hard to start and grow your business. Are you taking the steps necessary to protect it? As small businesses have become more reliant upon data and technology to operate and scale a modern business, cybersecurity has become a fundamental risk that must be addressed alongside other business risks. This Guide is designed to help…