Author: blogmirnet

New Privacy-Preserving Federated Learning Blog Post!

Dear Colleagues,   

ln our last Privacy-Preserving Federated Learning (PPFL) post, we explored the problem of providing input privacy in PPFL systems for the horizontally-partitioned setting. In this new post, Protecting Model Updates in Privacy-Preserving Federated Learning: Part Two, we focus on techniques for providing input privacy when data is vertically partitioned. This is particularly challenging, and organizations will need to grapple with trade-offs between data leakage and performance costs. Learn more in the fifth post of our series.   

Protecting Model Updates in Privacy-Preserving Federated Learning: Part Two by David Darais, Joseph Near, Mark Durkee, and Dave Buckley

Read blogs #1 – #5 on our PPFL Blog Series page. We encourage readers to ask questions by contacting us at privacyeng@nist.gov.

Meanwhile—stay tuned for the next PPFL blog post!  

All the best, 
NIST Privacy Engineering Program

Read the Post

The National Cybersecurity Center of Excellence (NCCoE) has released for public comment the initial public draft of NIST CSWP 32 ipd, NIST Cybersecurity Framework 2.0: A Guide to Creating Community Profiles. The comment period is open through May 3, 2024.

About the Guide

The NIST Cybersecurity Framework (CSF) 2.0 introduced the term “Community Profiles” to reflect the use of the CSF for developing use case-specific cybersecurity risk management guidance for multiple organizations. This guide provides considerations for creating and using Community Profiles to help implement the Framework. The guide describes Community Profiles, provides guidance for the content that may be conveyed through a Community Profile, and offers a Community Profile Lifecycle (Plan, Develop, Use, Maintain).

Read more about this guide, including the benefits of using Community Profiles. 

Submit Comments

The public comment period closes at 11:59 p.m. EDT on Friday, May 3, 2024. Please email all draft comments to framework-profiles@nist.gov. We encourage you to submit all feedback using the comment template found on our project page.

Join the Community of Interest

Consider joining the Community of Interest (COI) to receive the latest project news and announcements. Email the team declaring your interest or complete the sign-up form on our project page.

Learn More

Create apps customized to your organization’s needs. Join us at Microsoft Tech Brief: Build Your Own Copilot with Azure, a free event, and learn how to use organizational data to help you build copilots and AI-powered intelligent applications to empower employees and transform customer engagement. You’ll learn the requirements and recommended architectures to build copilot applications and the elements that make up a copilot stack. You’ll also participate in a live demo to see how to build a customized, scalable, high-performing, and flexible copilot application based on Azure Kubernetes Service (AKS), Azure Cosmos DB, and Azure OpenAI Service. You’ll have the opportunity to: Discover how to build intelligent apps using Azure. Explore Azure AI services to support building your own copilot. Get experience with Azure Kubernetes Service (AKS), Azure Cosmos DB, and Azure OpenAI Service. Space is limited. Register for free today. Delivery language(s): English Closed captioning language(s): English Microsoft Teams delivers a rich, interactive experience that works best with the Teams app. We recommend downloading the app if you don’t have it, as not all browsers are supported. When you join this event, your name, email, or phone number may be viewable by other session participants in the attendee list. By joining this event, you’re agreeing to this experience. When: Thursday, May 02, 2024, 2:00 – 3:30 PM (GMT-04:00)

Microsoft Tech Brief: Build Your Own Copilot with Azure

Register now >

Build the skills you need to create new opportunities and accelerate your understanding of Microsoft Cloud technologies at a free Microsoft 365 Virtual Training Day from Microsoft Learn. Join us at Prepare Your Organization for Microsoft Copilot for Microsoft 365 to learn how to implement AI to help ignite creativity, enhance productivity, and strengthen computing and collaboration skills. You’ll learn about the capabilities of Copilot, including how it works, how to configure it, and how to set it up for more powerful searches. You’ll also explore how Copilot works with Microsoft Graph—and your existing Microsoft 365 apps—to provide intelligent, real-time assistance. You will have the opportunity to: Understand the key components of Copilot for Microsoft 365 and how it works. Learn how to extend Copilot with plugins. Get guidance on completing the necessary Copilot technical and business requirements to prepare for implementation. Learn how to assign Copilot licenses, prepare your organization’s Microsoft 365 data for Copilot searches, and create a Copilot Center of Excellence. Join us at an upcoming Prepare Your Organization for Microsoft Copilot for Microsoft 365 event: May 29, 2024 | 12:00 PM – 2:00 PM | (GMT-05:00) Eastern Time (US & Canada) Delivery Language: English Closed Captioning Language(s): English

REGISTER TODAY >

Uptick in BEC Scams

According to the FBI IC3 Internet Crime Report 2023, business email compromise (BEC) scams are the second most expensive type of cybercrime. Over the past three years, the number of US victims increased from 19,954 (2021) to 21,832 (2022) but decreased slightly to 21,489 (2023). However, the reported losses from BEC scams showed an upward trend of $2.3 billion (2021) to $2.7 billion (2022) to $2.9 million (2023). Additionally, New Jersey claimed 628 victims in BEC scams in 2023 and ranked second in the nation with an average loss per victim of $223,041.73. There was a significant increase in the total reported losses from 2022 (almost $63 million) to 2023 (over $140 million), and the trend is likely to increase.

Unlike generic phishing scams, BEC scams are a highly targeted form of social engineering, often incorporating preliminary reconnaissance on potential victims and using various impersonation techniques, including email spoofing and look-alike domains. To convey a sense of legitimacy, threat actors commonly spoof a familiar contact’s source name or email address, use domain names that mimic a trusted source, or compromise a legitimate account. The messages typically instruct the target to transfer funds or other sensitive information to the threat actors posing as trusted individuals. Common types of BEC attacks include wire transfer scams, direct deposit scams, real estate wire transfer scams, W-2 scams, and invoice scams. BEC scams can result in system compromises, data breaches, financial losses, and reputational damages.

The NJCCIC observed an uptick in various BEC scams, especially invoice, direct deposit, and real estate wire transfer scams. In invoice scams, threat actors impersonate trusted vendors with whom the target organization does business. They send emails to redirect outstanding and future invoices for products or services to a new bank account. Threat actors may attach legitimate or fraudulent invoices with inflated amounts and provide new payment policies with payment instructions and updated bank account details to steal funds from the vendor’s customers.

In direct deposit or payroll diversion scams, threat actors impersonate an employee, typically by registering a free email address using the employee’s name and utilizing display name spoofing in the messages. They usually send fraudulent emails to payroll or human resources departments, and direct deposit change forms are requested. Sometimes, the threat actors locate an organization’s direct deposit change form online and include a filled-out form in the email. They intend to divert an employee’s direct deposit account information to an account under the threat actor’s control. These emails may have noticeable red flags; however, they may be well-crafted and more challenging to identify as suspicious.

In real estate wire transfer scams, threat actors impersonate and target real estate attorneys or title agents to defraud homebuyers. These requests typically instruct the buyer to perform a wire transfer and transfer the closing costs to an account controlled by the threat actors. The attorney’s signature in the spoofed email may contain information obtained from the law firm’s website or social media platform. The subject and body of these emails often portray a sense of urgency to entice targets to provide sensitive information or immediately wire money before they can thoroughly review the email’s content and question its legitimacy. If successful, funds are transferred to the threat actors before the fraud scheme is detected.

Cyberthreats are more sophisticated and frequent than ever, and the devastating impact of a breach is a reality that every organization must face. Join us at Microsoft Discovery Day: Building Cyberthreat Resilience to learn how Microsoft empowers security operations teams to protect, detect, and respond against these cyberthreats. During this free event, you’ll discover how to expedite your response by pairing extended detection and response (XDR) with security information and event management (SIEM). Gain a deeper perspective on the current state of cybersecurity and global threat intelligence and explore a roadmap for machine learning and AI at Microsoft. You’ll have the opportunity to: Uncover the latest challenges and trends facing the cybersecurity world and what it means for your organization. Discover how to protect, detect, and respond to cyberthreats effectively by using XDR and SIEM together. Improve your security posture by learning how other business leaders have implemented comprehensive cyberthreat protection in their security strategies. Space is limited. Register for free today. Microsoft Teams delivers a rich, interactive experience that works best with the Teams app. We recommend downloading the app if you don’t have it, as not all browsers are supported. When you join this event, your name, email, or phone number may be viewable by other session participants in the attendee list. By joining this event, you’re agreeing to this experience. Thursday, May 02, 2024 | 2:00 PM – 3:00 PM | (GMT-05:00) Eastern Time (US & Canada)

Microsoft Discovery Hour: Building Cyberthreat Resilience

Register now >

A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.

Palo Alto Networks has released workaround guidance for CVE-2024-3400 affecting PAN-OS versions 10.2, 11.0, and 11.1. Palo Alto Networks has reported active exploitation of this vulnerability in the wild.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Palo Alto Networks Security Advisory, apply the current mitigations, and update the affected software when Palo Alto Networks makes the fixes available. Additionally, CISA has also added this vulnerability to its  Known Exploited Vulnerabilities Catalog.

Featured Get Started with Evaluating Answers in a Chat App >After creating a chat application, developers should ensure it’s delivering high-quality answers to customers.This article demonstrates how to evaluate a chat app’s answers against a set of correct or ideal answers.

What’s New Real-time Translation Using the azure_ai Extension >Learn how to use the new text translation capabilities of the azure_ai extension on Azure Database for PostgreSQL. (in English) Dev Proxy v0.15, Now Available >Review the new features of Dev Proxy v0.15 that allow you to spend more time building your application. (in English) AI in action: 5 Popular AI Apps You Can Build on Azure >Build your own copilot. Process transactions at scale. Detect Fraud. Create a recommendations engine Learn how to build all these AI-powered apps.

Events Microsoft Build / May 21 – 23 / Seattle >Learn from experts, get hands-on with AI, and make connections with peers, Microsoft engineers, and industry leaders. POSETTE: An Event for Postgres 2024 / June 11-13 >Join us for 4 unique livestreams to hear from open source users, Azure database customers, and experts in PostgreSQL and Citus. Azure Cosmos DB Conf / On Demand >Catch up on all the streamed sessions and exclusive bonus content. PyCon US May 17-19 / Pittsburgh and Online >Register for three days’ worth of the Python community’s best talks, amazing keynote speakers, and our famed lightning talks to close out each day. Microsoft AI Tour / Multiple Cities >Learn what developers need to know about AI today and explore new paths forward in your organization and career.

Learning Learn Cloud-Native Development >Create independently deployable, highly scalable, and resilient services using .NET. Create Reusable Customizations in Microsoft Dev Box > Use Copilot to Write .NET MAUI Apps >Discover how Copilot can help you build an app and learn how it works within the context of your code.

The deadline is approaching to submit proposals in response to NIST’s Notice of Funding Opportunity (NOFO) to support Regional Alliances and Multistakeholder Partnerships to Stimulate (RAMPS) cybersecurity education and workforce development. The funding expands the existing RAMPS program* and anticipates awarding an additional fifteen awards of up to $200,000 through cooperative agreements.

As part of the Department of Commerce’s Principles for Highly Effective Workforce Investments and Good Jobs Principles, RAMPS will support the NIST-led NICE program. Effective partnerships will focus on bringing together employers and educators to focus on developing the skilled and diverse workforce to meet industry needs within a local or regional economy. 

Applicants must demonstrate through letters of commitment that, in addition to the applicant, at least one of each of the following types of organizations is committed to being part of the proposed regional alliance:

• at least one institution of higher education or nonprofit training organization, and
• at least one local employer or owner or operator of critical infrastructure.

Deadline to apply: May 24, 2024

More information about the RAMPS NOFO may be found in the recording of the webinar for interested applicants and an FAQ. 

View this Funding Opportunity on Grants.gov

The National Institute of Standards and Technology (NIST) has released four draft publications intended to help improve the safety, security and trustworthiness of artificial intelligence (AI) systems. All are part of the agency’s response to Executive Order 14110 on the Safe, Secure and Trustworthy Development of AI. Comments on each draft are requested by June 2, 2024. NIST has also launched a challenge series that will support development of methods to distinguish between content produced by humans and content produced by AI.

The publications cover varied aspects of AI technology: The first two are guidance documents designed to help manage the risks of generative AI — the technology that enables chatbots and text-based image and video creation tools — and serve as companion resources to NIST’s AI Risk Management Framework (AI RMF) and Secure Software Development Framework (SSDF), respectively. A third offers approaches for promoting transparency in digital content, which AI can generate or alter; the fourth proposes a plan for global engagement for development of AI standards.

• NIST AI 600-1, Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile
• NIST SP 800-218A, Secure Software Development Practices for Generative AI and Dual-Use Foundation Models
• NIST AI 100-4, Reducing Risks Posed by Synthetic Content: An Overview of Technical Approaches to Digital Content Transparency
• NIST AI 100-5, A Plan for Global Engagement on AI Standards

Drafts of NIST AI 600-1, NIST AI 100-5 and NIST AI 100-4 are available for review and comment on the NIST Artificial Intelligence Resource Center website; and the draft of NIST SP 800-218A is available for review and comment on the NIST Computer Security Resource Center website.

NIST GenAI Challenge

In addition to the four documents, NIST is also announcing NIST GenAI Challenge, a new program to evaluate and measure generative AI technologies. The program is part of NIST’s response to the Executive Order, and its efforts will help inform the work of the U.S. AI Safety Institute at NIST.

The NIST GenAI program will issue a series of challenge problems designed to evaluate and measure the capabilities and limitations of generative AI technologies. These evaluations will be used to identify strategies to promote information integrity and guide the safe and responsible use of digital content. One of the program’s goals is to help people determine whether a human or an AI produced a given text, image, video or audio recording. Registration opens in May for participation in the pilot evaluation, which will seek to understand how human-produced content differs from synthetic content. More information about the challenge and how to register can be found on the NIST GenAI website.

Read News Release