NEW BLOG | NICE Framework Update Offers Improvements for Cybersecurity Workforce

Managing cybersecurity risks is essential in today’s digital world, and cybersecurity is an increasingly interdisciplinary field that offers high-paying, in-demand work opportunities. The NICE Framework uses clear language to describe cybersecurity work and those who perform it in a standardized way, regardless of where they are positioned in the organizational structure. It is used across the public and private sectors and from large to small organizations for career discovery, education and training, and hiring and workforce planning. The updates to the NICE Framework components help individuals, educators, and employers prepare to meet today’s demands for cybersecurity-related jobs by describing cybersecurity Work Roles and Competency Areas and the tasks, knowledge, and skills needed to support them. 

What we’ve seen as a result is…

Read the Blog

NIST Finalizes Updated Guidelines for Protecting Sensitive Information

Contractors and other organizations that do business with the federal government now have clearer, more straightforward guidance for protecting the sensitive data they handle.

The National Institute of Standards and Technology (NIST) has finalized its updated guidelines for protecting this data, known as controlled unclassified information (CUI), in two publications: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST Special Publication [SP] 800-171, Revision 3), and its companion, Assessing Security Requirements for Controlled Unclassified Information (NIST SP 800-171A, Revision 3).

Read More

NIST’s FY 2023 Cybersecurity & Privacy Annual Report

This week, NIST released Special Publication 800-229, Fiscal Year (FY) 2023 Cybersecurity and Privacy Annual Report. This publication shares key highlights of our major cybersecurity and privacy accomplishments as we wrapped up our celebration of NIST’s 50 years of work in the cybersecurity arena.

In FY 2023, the NIST Information Technology Laboratory’s (ITL) Cybersecurity and Privacy Program successfully responded to numerous challenges and opportunities in the world of cybersecurity and privacy. This Annual Report highlights key research activities for the ITL Cybersecurity and Privacy Program across key priorities such as:

  • Cryptography
  • Education, training, and workforce development
  • Emerging technologies
  • Human-centered cybersecurity
  • Identity and access management
  • Privacy
  • Risk management
  • Trustworthy networks and platforms
  • The NIST National Cybersecurity Center of Excellence

Read the Report

NIST Collaborative Research | Digital Identity in Public Benefits Delivery

Agencies face significant challenges in protecting beneficiary information and ensuring the integrity of their programs. Appropriately balancing access and security—while considering nuanced program circumstances and populations—is vital to meaningfully improving public benefits and delivery. NIST, along with the Digital Benefits Network at the Beeck Center for Social Impact + Innovation at Georgetown University and the Center for Democracy and Technology, is working on this issue with the launch of a two-year-long collaborative research and development project.

This project works to adapt NIST’s Digital Identity Guidelines to better support the implementation of public benefits policy and delivery while balancing security, privacy, equity, and usability. The project will result in a voluntary community profile of NIST’s Digital Identity Guidelines to support and empower practitioners and public sector leaders in evaluating the necessity and degree of authentication (and identity-proofing practices) in benefits delivery. 

Learn More

Multiple Vulnerabilities in Fortinet FortiSIEM Could Allow for Remote Code Execution

Multiple vulnerabilities have been discovered in Fortinet FortiSIEM which could allow for remote code execution. FortiSIEM is a multi-tenant SIEM that offers real-time infrastructure and user awareness for precise threat detection, analysis, and reporting. Successful exploitation could allow for remote code execution in the context of the affected service account. Depending on the privileges associated with the service account, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured to have fewer user rights on the system could be less impacted than those that operate with administrative user rights.

Threat Intelligence

Open-source reports have stated that proof of concept exploits are available for CVE-2024-23108 and CVE-2023-34992.

Systems Affected

Fortinet FortiSIEM versions 7.1.0 – 7.1.1, 7.0.0 – 7.0.2, 6.7.0 – 6.7.8, 6.6.0 – 6.6.3, 6.5.0 – 6.5.2, 6.4.0 – 6.4.2

Risk

Government:
  • Large and medium government entities: High
  • Small government entities: Medium
Businesses:
  • Large and medium business entities: High
  • Small business entities: Medium
Home Users: Low

Recommendations

  • Apply appropriate patches provided by Fortinet to vulnerable systems immediately after appropriate testing.
  • Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Block execution of code on a system through application control and/or script blocking.
  • Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

References
Fortinet:
https://www.fortiguard.com/psirt/FG-IR-23-130
Help Net Security:
https://www.helpnetsecurity.com/2024/05/29/cve-2024-23108-cve-2023-34992-poc/
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34992
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23108
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23109
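The first recommendation above is to patch affected systems, which in practice starts with checking an inventory of FortiSIEM builds against the ranges in "Systems Affected". The following is an added example, not part of the advisory or any Fortinet tooling: it parses the advisory's version ranges exactly as printed, compares versions numerically (so that, for instance, 6.7.10 is correctly treated as newer than 6.7.8 rather than as lexically smaller), and labels each host in a constructed sample inventory. The host names and version strings in the sample inventory are made up for illustration.

```python
"""Triage an inventory of FortiSIEM builds against the advisory's affected ranges.

Added example; not part of the advisory or of any Fortinet tooling. The range
text below is copied from the advisory's "Systems Affected" line; everything
else (host names, sample versions) is constructed for illustration.
"""
import re

# Inclusive version ranges, verbatim from the advisory.
AFFECTED_RANGES_TEXT = (
    "7.1.0 – 7.1.1, 7.0.0 – 7.0.2, 6.7.0 – 6.7.8, "
    "6.6.0 – 6.6.3, 6.5.0 – 6.5.2, 6.4.0 – 6.4.2"
)


def parse_version(s: str) -> tuple:
    """Turn '7.1.1' into (7, 1, 1) so comparisons are numeric per component.

    String comparison would put '6.7.10' before '6.7.8'; tuples do not.
    """
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", s)
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(p) for p in m.groups())


def parse_ranges(text: str) -> list:
    """Parse 'a.b.c – x.y.z, ...' (en dash or hyphen) into (low, high) tuples."""
    ranges = []
    for chunk in text.split(","):
        low, high = re.split(r"\s*[–-]\s*", chunk.strip())
        lo, hi = parse_version(low), parse_version(high)
        if lo > hi:
            raise ValueError(f"range out of order: {chunk.strip()!r}")
        ranges.append((lo, hi))
    return ranges


AFFECTED_RANGES = parse_ranges(AFFECTED_RANGES_TEXT)


def is_affected(version: str, ranges=AFFECTED_RANGES) -> bool:
    """True when the version falls inside any listed range (bounds inclusive)."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in ranges)


def triage(inventory: dict) -> dict:
    """Map host -> version to host -> 'PATCH' or 'not-listed'.

    'not-listed' only means the build is outside the advisory's ranges; confirm
    against the vendor's PSIRT entry before treating a host as fixed.
    """
    return {
        host: ("PATCH" if is_affected(ver) else "not-listed")
        for host, ver in inventory.items()
    }


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and builds).
    sample = {
        "siem-prod-01": "7.1.1",
        "siem-prod-02": "7.1.2",
        "siem-lab-01": "6.7.10",
        "siem-dr-01": "6.5.1",
    }
    for host, status in triage(sample).items():
        print(f"{host:14} {sample[host]:8} {status}")
```

The range parser accepts both the en dash used in the advisory and a plain hyphen, since the same text is often re-typed in tickets; a range whose bounds are reversed is rejected rather than silently matching nothing.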

SECON New Jersey

SECON New Jersey 2024 – Securing the Connected World

SECON New Jersey 2024 is open for registration! With less than two weeks to go, the ISC2 New Jersey Chapter and ISACA New Jersey Chapter will be hosting the 2024 SECON conference, and it’s going to be the best one yet! Check out some of the conference highlights to date:
🔥 Four Keynote speakers: Michael Geraghty, Michael Redmond, Ira Winkler and Dr. Erdal Ozkaya
🔥 +40 speakers (most of them are either NJ ISC2 or ISACA chapter members)
🔥 Several panel discussions
🔥 Our career track will be run by professional career coaches
🔥 SWAG will be awesome, as usual
🔥 Roughly 90% tickets have already been purchased. (Last year, it was sold out!)
🔥 We’ll be offering ISC2 exam scholarships for those that qualify
🔥 Student tickets are only $10
🔥 Our event is hybrid, in case you can’t make it in person
🔥 Earn up to 7 CPEs

Stan Mierzwa, CISSP, CCSK, Assoc. CCISO, ITIL and the Kean Center for Cybersecurity have been fantastic partners over the past several years. Thank you again for letting us host our event at your facility! Get your tickets soon before they sell out!

Event: SECON NJ 2024
Date: Thursday, June 13th, 2024| 9:00 a.m. to 5:00 p.m.
Location: Kean University, 1075 Morris Avenue, NJCSTM/STEM Building, Union, NJ 07083
Virtual Location: gather.town

Register here: njsecon.org

Securing the Digital Frontier: Global Regulatory Readiness

The regulatory environment is more complex than ever—and compliance is only getting more complicated. Address your most pressing regulatory needs confidently by listening to the latest episode of the Uncovering Hidden Risks podcast from Microsoft Security. You’ll hear a lively exploration of how security leaders like you are navigating the rapidly evolving world of cybersecurity, with insights on:

  • Balancing technology solutions with regulatory compliance.
  • The need for strong data management practices.
  • AI’s role in surfacing security issues within organizations.
  • The importance of responsible AI practices rooted in ethical principles.

Listen now
Free Microsoft Training: Last chance to register to see how to boost developer productivity with AI

Registration is about to close for Boost Developer Productivity with AI. Improve workflows and minimize mundane tasks for faster delivery. Join us to learn more about Azure, Visual Studio, and GitHub Copilot, the AI-powered developer platform from Microsoft. Give your developers more freedom to focus on innovation and creativity. Reserve your spot now.

Explore the latest AI advancements in software development. Join us at Microsoft Tech Brief: Boost Developer Productivity with AI, a free event, to discover how to accelerate developer productivity and innovate faster with GitHub, the Microsoft AI-powered development platform. Learn how to build new apps using GitHub Copilot and Visual Studio tools and see how to integrate existing apps with Azure services and data storage capabilities. You’ll preview the latest version of GitHub Copilot Chat along with powerful debugging tools in Visual Studio 2022. Gain insights from Microsoft experts as they create an app from the ground up using GitHub Copilot, Visual Studio, Microsoft Dev Box, and GitHub Enterprise Cloud with GitHub Advanced Security. Discover how to help teams deploy software faster with Azure Deployment Environments and GitHub Actions.

You’ll have the opportunity to:

  • Accelerate coding processes using generative AI workflows that deliver simple code suggestions to complete assembly.
  • Build apps and collaborate seamlessly using self-service tools and flexible solutions, backed by a commitment to open source and DevOps practices.
  • Learn how to write more secure code, respond quickly to vulnerabilities in software supply chains, and adopt best practices to help secure development environments.
  • Embrace a complete development toolkit using ready-to-code, self-service products that easily fit into your tech stacks.

Registration closes soon, and space is limited. Sign up for free today.

Delivery language: English
Closed captioning provided in: English

Microsoft Teams delivers a rich, interactive experience that works best with the Teams app. We recommend downloading the app if you don’t have it, as not all browsers are supported. When you join this event, your name, email, or phone number may be viewable by other session participants in the attendee list. By joining this event, you’re agreeing to this experience.

When: Wednesday, June 19, 2024, 2:00 – 3:30 PM (GMT-04:00)
Where: Online

Microsoft Tech Brief: Boost Developer Productivity with AI

Register now >