WPEC 2024: NIST Workshop on Privacy-Enhancing Cryptography 2024

  • Date & time: September 24th–26th (2024), 9:20 a.m. – 3:40 p.m. (EDT)
  • Featured topics: Private-Set Intersection (PSI); Fully-Homomorphic Encryption (FHE); Secure Multiparty Computation (MPC); Zero-Knowledge Proofs (ZKP)
  • Six sessions across three days:
    • 1st day (Tue, Sep 24th): PSI (morning [1a]) and More PSI (afternoon [1b])
    • 2nd day (Wed, Sep 25th): PEC in Gov (morning [2a]) and FHE (afternoon [2b])
    • 3rd day (Thu, Sep 26th): MPC (morning [3a]) and ZKP (afternoon [3b])
  • Free registration (virtual event): ZoomGov Event
  • Details and updates: WPEC 2024 webpage
  • Tweet: https://twitter.com/NISTcyber/status/1802806825747882138
  • Host team: NIST Privacy-Enhancing Cryptography (PEC)
  • PEC-Forum: For future related announcements, join the “PEC-forum” mailing list

WPEC 2024, the NIST Workshop on Privacy-Enhancing Cryptography 2024, will bring together multiple perspectives of PEC stakeholders. The three-day virtual workshop is organized for sharing insights about PEC capabilities, use cases, real-world deployment, initiatives, challenges and opportunities, and the related context of privacy and auditability. The program will cover:

  • Private Set Intersection (PSI): for a deep dive into this technique, exploring its technicalities, readiness, feasibility, applicability, variants, and broader context.
  • Other PEC techniques: for a broader perspective of PEC, including FHE, MPC, and ZKP.

ISC2 Announces 2024 Global Achievement Awards Recipients

Annual program celebrates honorees’ achievements and their outstanding contributions to the cybersecurity field

Alexandria, Va., September 17, 2024 – ISC2 – the world’s leading nonprofit member organization for cybersecurity professionals – today announced recipients of its 2024 ISC2 Global Achievement Awards, honoring individuals who have made significant contributions to the cybersecurity field, furthering ISC2’s vision of a safe and secure cyber world.

“These cybersecurity professionals are at the forefront of mitigating threats and protecting critical information systems to keep our societies safe and secure around the world,” said ISC2 EVP, Advocacy, Global Markets and Member Engagement, Tara Wisniewski. “The ISC2 Global Achievement Awards provide an opportunity to celebrate and recognize the remarkable contributions of both individuals and ISC2 Chapters as they shape the future of the cybersecurity profession.”

The awards fall into several categories: Special Recognition, Professional, Chapter, and the Center for Cyber Safety and Education.

SPECIAL RECOGNITION AWARDS
The Special Recognition Awards recognize outstanding contributions and achievements in cybersecurity throughout a career.

The ISC2 CEO Award recognizes individuals who have made a significant impact on the cybersecurity community through their dedicated and exceptional efforts. They are the trailblazers and true change-makers whose intentions and actions have shaped enduring effects within the industry, leaving a legacy that extends for years to come.

  • Dr. Bushra AlBlooshi, Director of Governance and Risk Management, Dubai Electronic Security Center
  • David Koh, Chief Executive, Cyber Security Agency of Singapore

The ISC2 Lifetime Achievement Award is the highest tribute in cybersecurity. In memory of Harold F. Tipton, CISSP, the award recognizes members for their lifelong contributions to the advancement of information security and the profession by serving, over the long term, with sustained excellence and distinction throughout their entire cybersecurity career.

  • Americas: Teresa Fryer, CISSP, HCISSP, Chief, Security and Data Integration Staff, Administrative Office of U.S. Courts
  • Asia-Pacific: Leonard Ong, CISSP, CCSP, CSSLP, ISSAP, ISSMP, Director, Cyber Defence Group, Synapxe
  • Europe, Middle East and Africa: H.E. Dr. Mohamed Al Kuwaiti, The Head of UAE Cybersecurity Council, The UAE Cybersecurity Council

The ISC2 Volunteer Service Award recognizes volunteers who have provided sustained and valuable service to ISC2. Named in memory of James R. Wade, an esteemed, long-time contributor to ISC2, this award is ISC2’s privilege to honor his legacy.

  • Jay Ferron, CISSP, Principal at Interactive Security Training

PROFESSIONAL AWARDS
The Professional Awards recognize the achievements and contributions of cybersecurity professionals during different stages of their careers.

The ISC2 Senior Professional Award recognizes an individual regionally who has significantly contributed to the enhancement of the cybersecurity workforce by demonstrating a leadership role in their profession.

  • Americas: Sametria McKinney, CISSP, Director, National Computer Incident Response Team
  • Asia-Pacific: Ameen Sharif, CISSP, CEO, ITnIS Consulting
  • Europe, Middle East and Africa: Niel Harper, CISSP, Chief Information Security Officer & Data Protection Officer, Doodle

The ISC2 Mid-Career Award recognizes an individual regionally who is at the mid-career stage and has demonstrated commitment and achievement in their profession.

  • Americas: Aaron Bond, CISSP, CCSP, Cybersecurity Senior Manager, Defensive Security, The Home Depot
  • Asia-Pacific: Jadet Khuhakongkit, CISSP, CC, Assistant Secretary General, National Cyber Security Agency of Thailand
  • Europe, Middle East and Africa: Maxwell Ash, CISSP, Cyber Security Consultant, Inceptiv Ltd

The ISC2 Rising Star Professional Award recognizes the accomplishments and contributions of an up-and-coming professional regionally who has made a significant impact in the cybersecurity industry early in their career.

  • Americas: Daniel Baloch, CC, Associate of ISC2, Threat Analyst, New York City Office of Technology & Innovation
  • Asia-Pacific: Tien-Hao Chan, CISSP, CC, Principal Security Engineer, XREX
  • Europe, Middle East and Africa: Nadine Hickey, SSCP, Senior Cyber Engagement Technical Analyst, Bank of Ireland

ISC2 PROGRAM AWARDS
The ISC2 Program Awards recognize individuals and organizations for their outstanding contributions and community impact within the cybersecurity community.

The Center for Cyber Safety and Education, the charitable arm of ISC2, is committed to making the cyber world a safe place for everyone. The Center’s mission is to grow the cybersecurity profession and its positive impact on the world by raising awareness, building a diverse pipeline of cybersecurity professionals and activating a more secure digital world.

The Outstanding Volunteer Award recognizes an individual who has significantly contributed to the betterment of society and the cybersecurity community through the support of the Center. With a passion for the cybersecurity community and a desire to give back, this recipient is considered a go-to volunteer helping to make society safer while supporting various initiatives within the Center.

  • Ameen Sharif, CISSP, CEO, ITnIS Consulting

The Outstanding Partner Award recognizes a company or organization for their support of the Center and its mission to grow the cybersecurity profession and its positive impact on the world by raising awareness, building a diverse pipeline of cybersecurity professionals, and activating a more secure digital world. This must be a group or company effort of support – not that of a lone employee or member.

  • ISC2 New Jersey Chapter

ISC2 Chapter Recognition Awards are presented to official chapters of ISC2 within a specific region that best promotes the vision of ISC2 by inspiring a safe and secure cyber world. The chapter must demonstrate a well-rounded offering of activities and services designed to benefit its members and affiliates while significantly contributing to the profession and local community through the ISC2 Chapter Program of Connect, Educate, Inspire and Secure.

This year’s regional chapter award recipients are:

  • Asia-Pacific: Colombo, Sri Lanka Chapter
  • Europe, Middle East and Africa: Hellenic Chapter
  • Latin America: Guatemala Chapter
  • North America: New Jersey Chapter

The ISC2 Inclusion Impact Award (formerly Diversity Award) recognizes individuals who have made significant contributions to driving a more diverse workforce in the global cybersecurity community by initiating and leading actions to remove barriers and positively impact the cyber profession’s diversity, equity and inclusion. ISC2 recognizes three regional and one global award recipient demonstrating a significant commitment and passion for increasing diversity, equity and inclusion across the global cybersecurity ecosystem.

  • Americas: Francisca Boateng, Candidate of ISC2, Director of Operations, Slamm Technologies
  • Asia-Pacific: Ricson Singson Que, CC, CEO, SQrity Consulting
  • Europe, Middle East and Africa: Zoé Cuisin, Head of Cybersecurity Governance, Risk & Compliance, Bouygues Construction

For more information on the Global Achievement Awards program, including descriptions of each award category and eligibility details, please visit: https://www.isc2.org/About/Award-Programs.

About ISC2
ISC2 is the world’s leading member organization for cybersecurity professionals, driven by our vision of a safe and secure cyber world. Our nearly 675,000 members, candidates and associates around the globe are a force for good, safeguarding the way we live. Our award-winning certifications – including cybersecurity’s premier certification, the CISSP® – enable professionals to demonstrate their knowledge, skills and abilities at every stage of their careers. ISC2 strengthens the influence, diversity and vitality of the cybersecurity profession through advocacy, expertise and workforce empowerment that accelerates cyber safety and security in an interconnected world. Our charitable foundation, The Center for Cyber Safety and Education, helps create more access to cyber careers and educate those most vulnerable. Learn more and get involved at ISC2.org. Connect with us on X, Facebook and LinkedIn.

NYMJCSC – 2024 NY Metro Joint Cyber Security Conference


The 2024 NY Metro Joint Cyber Security Conference will be held on September 26th, celebrating our 11th year featuring keynotes, panels and sessions aimed at educating everyone on the various aspects of information security and technology. Workshops featuring in-depth extended classroom-style educational courses to expand your knowledge and foster security discussions will take place virtually post-conference.

Sponsors (https://www.linkedin.com/posts/xn--fci_infosecuritynyc-would-like-to-thank-our-activity-7239804096076034051-SDqE)

Keynote (https://www.linkedin.com/posts/xn--fci_infosecuritynyc-is-honored-to-haveus-activity-7239803143788646400-eGXW)

Panel (https://www.linkedin.com/posts/xn--fci_ai-cybersecurity-activity-7239802204197392384-YcVe)

Workshop: ISC2 Boot Camp (https://www.linkedin.com/posts/xn--fci_isc2-activity-7239801504491085824-tRlt)

Workshop: AI-Driven Security (https://www.linkedin.com/posts/xn--fci_ai-activity-7239801174726516736-2_2)

Workshop: CMMCSafe (https://www.linkedin.com/posts/xn--fci_cmmc-activity-7239800904374263810-FKxi)

Building a Cybersecurity and Privacy Learning Program: NIST Publishes SP 800-50r1

NIST Special Publication (SP) 800-50r1 (Revision 1), Building a Cybersecurity and Privacy Learning Program, provides updated guidance for developing and managing a robust cybersecurity and privacy learning program in the Federal Government. This revision was informed by the National Defense Authorization Act (NDAA) for FY2021, the Cybersecurity Enhancement Act of 2014, and the NICE Workforce Framework for Cybersecurity (NICE Framework). In addition, the 2016 update to Office of Management and Budget (OMB) Circular A-130 emphasizes the role of both privacy and security in the federal information life cycle and requires agencies to have both security and privacy awareness and training programs.

This revision to SP 800-50:

  • Integrates privacy with cybersecurity in the development of organization-wide learning programs
  • Introduces a life cycle model that allows for ongoing, iterative improvements and changes to accommodate cybersecurity, privacy, and organization-specific events
  • Introduces a learning program concept that incorporates language found in other NIST documents
  • Leverages current NIST guidance and terminology in reference documents, such as the NICE Workforce Framework for Cybersecurity, the NIST Cybersecurity Framework, the NIST Privacy Framework, and the NIST Risk Management Framework
  • Proposes an employee-focused cybersecurity and privacy culture for organizations
  • Integrates learning programs with organizational goals to manage cybersecurity and privacy risks
  • Addresses the challenge of measuring the impacts of cybersecurity and privacy learning programs
  • Incorporates guidance for using standard instructional design elements, maturity models, and assessment approaches

With the publication of SP 800-50r1, NIST has ceased developing a companion guide—SP 800-16r1 third public draft, A Role-Based Model for Federal Information Technology/Cybersecurity Training—and has withdrawn SP 800-16, Information Technology Security Training Requirements: a Role- and Performance-Based Model (1998).


NIST Publishes IR 8459, Report on the Block Cipher Modes of Operation in the SP 800-38 Series

NIST is pleased to announce the release of Internal Report (IR) 8459, Report on the Block Cipher Modes of Operation in the NIST SP 800-38 Series.

Under the auspices of NIST’s Cryptographic Publication Review Board, IR 8459 supports the ongoing review of the Special Publication (SP) 800-38 series, which approves a variety of block cipher modes of operation for encryption and authentication. In particular, IR 8459 surveys relevant research results about the modes and their implementations, and it provides a set of recommendations to improve the corresponding standards.

See additional information about NIST’s cipher modes project.


Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure

Summary
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) assess that cyber actors affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155) are responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020. GRU Unit 29155 cyber actors began deploying the destructive WhisperGate malware against multiple Ukrainian victim organizations as early as January 13, 2022. These cyber actors are separate from other known and more established GRU-affiliated cyber groups, such as Unit 26165 and Unit 74455.

To mitigate this malicious cyber activity, organizations should take the following actions today:

  • Prioritize routine system updates and remediate known exploited vulnerabilities.
  • Segment networks to prevent the spread of malicious activity.
  • Enable phishing-resistant multifactor authentication (MFA) for all externally facing account services, especially for webmail, virtual private networks (VPNs), and accounts that access critical systems.

This Cybersecurity Advisory provides tactics, techniques, and procedures (TTPs) associated with Unit 29155 cyber actors—both during and succeeding their deployment of WhisperGate against Ukraine—as well as further analysis (see Appendix A) of the WhisperGate malware initially published in the joint advisory, Destructive Malware Targeting Organizations in Ukraine, published February 26, 2022.


NIST small business cybersecurity webinar

Event Date: October 23, 2024

Event Time: 2:00PM – 3:00PM EDT

Event Location: Virtual

Description:

Identity and Access Management is a fundamental and critical cybersecurity capability for businesses of all sizes. To protect your business from fraud and unauthorized system and data access, you want to take steps to ensure that only the right people and technologies have the right level of access to the right resources at the right time.

For many busy small business owners, the use of passwords has been the primary method for locking down access to sensitive systems and data. However, passwords alone are not effective for protecting your data from most attackers. They have become too easy for threat actors to exploit at scale and with limited effort. So that leaves us with the question: what can a small business owner with limited resources do to protect their systems and information from unauthorized access?

During this webinar, we’ll take it back to the fundamentals to discuss practical steps small businesses can take to enhance their identity and access management, resulting in a stronger, more resilient business in the face of increasing cybersecurity risks. We will cover:

  • Current guidance and leading-practices for multi-factor authentication (MFA), including phishing-resistant MFA.
  • Identity and Access Management approaches to consider as your business grows.
  • How identity and access management is covered in the NIST Cybersecurity Framework 2.0.

Speakers:

  • Ryan Galluzzo, Digital Identity Program Lead, Applied Cybersecurity Division, NIST
  • Robert Thelen, CEO and Co-Founder, Rownd 

Sextortion Scams Are Back

Image Source: KrebsOnSecurity
The NJCCIC received incident reports indicating that a new version of the well-known sextortion email scam is currently circulating. This version now includes a photo of the recipient’s home, likely found via online mapping applications. The targeted individual’s home address could have been easily obtained in public data records or through compromised personal information resulting from data breaches. This fraudulent scheme claims that the Pegasus spyware was installed on the target’s device and secretly recorded webcam footage of recipients engaging in intimate activities. The targeted individual is then threatened with the release of compromising or sexually explicit photos or videos to contacts and their social media platforms if a Bitcoin payment ranging from $500 to $2,500 is not made. The email states that the targeted individual has 24 hours to pay by scanning the included QR code. The cybercriminal also claims to have embedded a specific pixel to identify when the email was read, starting the 24-hour countdown.
Recommendations
The NJCCIC recommends users educate themselves and others on this and similar scams to prevent future victimization. There is no indication that these threats are credible; therefore, users are advised to refrain from sending funds and disregard these emails. Avoid clicking links, responding to, or otherwise acting on unsolicited text messages or emails. Users can search for and report the bitcoin addresses included in the scam email to the Bitcoin Abuse Database. This scam can be reported to the Federal Trade Commission (FTC), the FBI’s IC3 and the NJCCIC.

Multiple Vulnerabilities in Veeam Products Could Allow for Remote Code Execution – PATCH: NOW

OVERVIEW:
Multiple vulnerabilities have been discovered in Veeam Products, the most severe of which could allow for remote code execution.

  • Veeam Backup & Replication is a proprietary backup app.
  • Veeam ONE is a solution for managing virtual and data protection environments.
  • Veeam Service Provider Console provides centralized monitoring and management capabilities for Veeam protected virtual, Microsoft 365, and public cloud workloads.
  • Veeam Agent for Linux is a backup agent designed for Linux instances.
  • Veeam Backup for Nutanix.
  • Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization.

Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the system. Depending on the privileges associated with the system, an attacker could then install programs; view, change, or delete data.

THREAT INTELLIGENCE:
There are no reports that these vulnerabilities are being exploited in the wild.

SYSTEMS AFFECTED:

  • Veeam Backup & Replication 12.1.2.172 and all earlier version 12 builds.
  • Veeam Agent for Linux 6.1.2.1781 and all earlier version 6 builds.
  • Veeam ONE 12.1.0.3208 and all earlier version 12 builds.
  • Veeam Service Provider Console 8.0.0.19552 and all earlier version 8 builds.
  • Veeam Backup for Nutanix AHV Plug-In 12.5.1.8 and all earlier version 12 builds.
  • Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In 12.4.1.45 and all earlier version 12 builds.
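Each affected range above has the form "build X and all earlier version N builds". As an added example (written for this digest, not Veeam's or the advisory's own tooling), the following Python encodes those ranges exactly as stated and checks a constructed inventory against them. Note the caveat built into `is_affected`: a build from an older major version (say, an 11.x Backup & Replication) returns `False` only because the advisory's statement does not cover it, not because it is known to be safe; product names and the sample inventory rows are this example's own.

```python
"""Triage an inventory against the affected version ranges stated in the advisory.

Added example, not Veeam's or MS-ISAC's code. Each range on the page reads
"<build> and all earlier version <major> builds", encoded here as (major, ceiling).
"""

# (major version scoped by the advisory, highest affected build), as stated on the page
AFFECTED = {
    "Veeam Backup & Replication": (12, "12.1.2.172"),
    "Veeam Agent for Linux": (6, "6.1.2.1781"),
    "Veeam ONE": (12, "12.1.0.3208"),
    "Veeam Service Provider Console": (8, "8.0.0.19552"),
    "Veeam Backup for Nutanix AHV Plug-In": (12, "12.5.1.8"),
    "Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In":
        (12, "12.4.1.45"),
}

# Constructed sample inventory rows: (host, product, installed version). Not real hosts.
SAMPLE_INVENTORY = [
    ("bkp-01", "Veeam Backup & Replication", "12.1.2.172"),   # equal to the ceiling
    ("bkp-02", "Veeam Backup & Replication", "12.2.0.1"),     # later build (constructed)
    ("lnx-07", "Veeam Agent for Linux", "6.0.2.1059"),        # earlier 6.x build (constructed)
    ("one-01", "Veeam ONE", "12.1.0.3208"),
    ("vspc-1", "Veeam Service Provider Console", "8.1.0.1"),  # later build (constructed)
]


def parse_version(text):
    """'12.1.2.172' -> (12, 1, 2, 172); missing trailing components count as 0.

    Tuples compare component-wise as integers, so '12.1.2.9' < '12.1.2.172'
    (a plain string comparison would get that wrong).
    """
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(product, version):
    """True if `version` is a build of the scoped major and <= the stated ceiling.

    Returns None when the advisory does not mention the product at all, so the
    caller can tell "not covered" apart from "covered and not affected".
    """
    entry = AFFECTED.get(product)
    if entry is None:
        return None
    major, ceiling = entry
    v = parse_version(version)
    # Only builds of the named major version fall inside the stated range.
    return v[0] == major and v <= parse_version(ceiling)


def triage(inventory):
    """Return the (host, product, version) rows that need the vendor update applied."""
    return [(host, prod, ver) for host, prod, ver in inventory if is_affected(prod, ver)]


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print("UPDATE NEEDED:", *row)
```

Running the script lists bkp-01, lnx-07 and one-01; the two later builds are outside the stated ranges. Feed it your real inventory export and treat a `None` result as a prompt to check the vendor KB directly.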

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium 

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium 

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Veeam Products, the most severe of which could allow for remote code execution. Details of these vulnerabilities are as follows:

Tactic: Initial Access (TA0001):

Technique: Exploit Public-Facing Application (T1190):

  • A vulnerability allowing unauthenticated remote code execution (RCE). (CVE-2024-40711)
  • A series of related high-severity vulnerabilities, the most notable enabling remote code execution (RCE) as the service account and extraction of sensitive information (saved credentials and passwords). Exploiting these vulnerabilities requires a user who has been assigned a low-privileged role within Veeam Backup & Replication. (CVE-2024-40710)
  • A vulnerability that allows an attacker in possession of the Veeam ONE Agent service account credentials to perform remote code execution on the machine where the Veeam ONE Agent is installed. (CVE-2024-42024)
  • A vulnerability that allows low-privileged users to execute code with Administrator privileges remotely. (CVE-2024-42023)
  • A vulnerability that permits a low-privileged user to upload arbitrary files to the server, leading to remote code execution on VSPC server. (CVE-2024-39714)
  • A vulnerability that allows a low-privileged user with REST API access granted to remotely upload arbitrary files to the VSPC server using REST API, leading to remote code execution on VSPC server. (CVE-2024-39715)
  • A vulnerability that permits a low-privileged user to overwrite files on that VSPC server, which can lead to remote code execution on VSPC server. (CVE-2024-38651)

Additional lower severity vulnerabilities include:

  • A vulnerability that allows a user who has been assigned a low-privileged role within Veeam Backup & Replication to alter Multi-Factor Authentication (MFA) settings and bypass MFA. (CVE-2024-40713)
  • A vulnerability that allows a low-privileged user to remotely remove files on the system with permissions equivalent to those of the service account. (CVE-2024-39718)
  • A vulnerability in TLS certificate validation allows an attacker on the same network to intercept sensitive credentials during restore operations. (CVE-2024-40714)
  • A path traversal vulnerability allows an attacker with a low-privileged account and local access to the system to perform local privilege escalation (LPE). (CVE-2024-40712)
  • A vulnerability that allows a local low-privileged user on the machine to escalate their privileges to root level. (CVE-2024-40709)
  • A vulnerability that allows an attacker to access the NTLM hash of the Veeam Reporter Service service account. This attack requires user interaction and data collected from Veeam Backup & Replication. (CVE-2024-42019)
  • A vulnerability that allows an attacker with valid access tokens to access saved credentials. (CVE-2024-42021)
  • A vulnerability that allows an attacker to modify product configuration files. (CVE-2024-42022)
  • A vulnerability in Reporter Widgets that allows HTML injection. (CVE-2024-42020)
  • A vulnerability that allows a low privileged attacker to access the NTLM hash of service account on the VSPC server. (CVE-2024-38650)
  • A vulnerability that allows a low-privileged user to perform local privilege escalation through exploiting an SSRF vulnerability. (CVE-2024-40718)

Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the system. Depending on the privileges associated with the system, an attacker could then install programs; view, change, or delete data.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate updates provided by Veeam to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
    • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
    • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
    • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
  • Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
    • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
    • Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

REFERENCES:

Veeam: 
https://www.veeam.com/kb4649

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38650
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38651
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39714
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39715
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39718
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40709
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40710
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40711
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40712
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40713
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40714
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40718
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42019
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42020
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42021
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42022
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42023
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42024

Proposal to Update FIPS 202, “SHA-3 Standard” and Revise SP 800-185, “SHA-3 Derived Functions”

In July 2023, NIST’s Crypto Publication Review Board initiated a review of the following publications:

  • FIPS 202, SHA-3 Standard
  • SP 800-185, SHA-3 Derived Functions

In response, NIST received public comments on FIPS 202 and SP 800-185.

NIST proposes to update FIPS 202 to improve its editorial quality. For example, text about SHA-1 and Triple DES will be edited to reflect the withdrawal of those techniques, as suggested in the public comments.

NIST proposes to revise SP 800-185 to provide “streaming” specifications of the two extendable output functions (XOFs) SHAKE128 and SHAKE256, to support implementations in which the length of the data output and the complete data input are not necessarily available before the XOF is called.
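The motivation for a "streaming" specification is that a sponge-based XOF naturally supports two things the one-shot interface hides: the message can be absorbed a piece at a time without knowing its total length, and output can be squeezed block by block for as long as the consumer keeps asking. The Python below is an added illustration written for this digest; it is not NIST's code and not the text of the proposed SP 800-185 revision. The Keccak-f[1600] permutation follows the structure of the Keccak team's published compact Python reference, while the `ShakeStream` class with its `absorb()` and `squeeze()` methods is an assumed interface of this example's own. Python's `hashlib` exposes only a one-shot `digest(n)`, so the cross-check function uses it as a reference oracle.

```python
"""Streaming SHAKE128/SHAKE256: absorb input in pieces, squeeze output on demand.

Added example, not NIST's code. Keccak-f[1600] follows the structure of the
Keccak team's compact reference; ShakeStream is this example's own interface.
Pure Python, for illustration only (far too slow for production use).
"""
import hashlib

_MASK64 = (1 << 64) - 1


def _rol64(a, n):
    """Rotate a 64-bit lane left by n bits."""
    n %= 64
    return ((a << n) | (a >> (64 - n))) & _MASK64


def _keccak_f1600(lanes):
    """24-round Keccak-f[1600] on a 5x5 matrix of 64-bit lanes (FIPS 202, Section 3)."""
    rc = 1  # LFSR that generates the round constants for iota
    for _ in range(24):
        # theta: XOR each lane with the parities of two neighbouring columns
        c = [lanes[x][0] ^ lanes[x][1] ^ lanes[x][2] ^ lanes[x][3] ^ lanes[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol64(c[(x + 1) % 5], 1) for x in range(5)]
        lanes = [[lanes[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        # rho and pi: rotate lanes and move them along the (x, y) -> (y, 2x + 3y) path
        x, y = 1, 0
        cur = lanes[x][y]
        for t in range(24):
            x, y = y, (2 * x + 3 * y) % 5
            cur, lanes[x][y] = lanes[x][y], _rol64(cur, (t + 1) * (t + 2) // 2)
        # chi: non-linear mixing within each row
        for y in range(5):
            row = [lanes[x][y] for x in range(5)]
            for x in range(5):
                lanes[x][y] = row[x] ^ (~row[(x + 1) % 5] & row[(x + 2) % 5])
        # iota: XOR the round constant into lane (0, 0)
        for j in range(7):
            rc = ((rc << 1) ^ ((rc >> 7) * 0x71)) & 0xFF
            if rc & 2:
                lanes[0][0] ^= 1 << ((1 << j) - 1)
    return lanes


def _permute(state):
    """Apply Keccak-f[1600] to the 200-byte state; lane (x, y) lives at byte 8*(x + 5y), little-endian."""
    lanes = [[int.from_bytes(state[8 * (x + 5 * y):8 * (x + 5 * y) + 8], "little")
              for y in range(5)] for x in range(5)]
    lanes = _keccak_f1600(lanes)
    out = bytearray(200)
    for x in range(5):
        for y in range(5):
            out[8 * (x + 5 * y):8 * (x + 5 * y) + 8] = lanes[x][y].to_bytes(8, "little")
    return out


class ShakeStream:
    """SHAKE as a streaming sponge: absorb() input in pieces, squeeze() output on demand."""
    SUFFIX = 0x1F  # SHAKE domain bits 1111 followed by the first bit of pad10*1 (FIPS 202)

    def __init__(self, security_bits=256):
        if security_bits not in (128, 256):
            raise ValueError("SHAKE128 or SHAKE256 only")
        self.rate = 200 - 2 * (security_bits // 8)  # 168 bytes for SHAKE128, 136 for SHAKE256
        self.state = bytearray(200)
        self.pos = 0            # byte offset inside the current rate-sized block
        self.squeezing = False  # False while absorbing, True once output has begun

    def absorb(self, data):
        """Feed the next piece of the message; the total length need not be known up front."""
        if self.squeezing:
            raise RuntimeError("cannot absorb after squeezing has started")
        for b in data:
            self.state[self.pos] ^= b
            self.pos += 1
            if self.pos == self.rate:  # a full block has been XORed in: permute
                self.state = _permute(self.state)
                self.pos = 0

    def squeeze(self, n):
        """Return the next n output bytes; repeated calls continue the same output stream."""
        if not self.squeezing:
            self.state[self.pos] ^= self.SUFFIX  # suffix plus first pad bit
            self.state[self.rate - 1] ^= 0x80    # final pad bit (may land in the same byte)
            self.state = _permute(self.state)
            self.pos = 0
            self.squeezing = True
        out = bytearray()
        while n > 0:
            if self.pos == self.rate:  # current block fully emitted: permute for more
                self.state = _permute(self.state)
                self.pos = 0
            take = min(n, self.rate - self.pos)
            out += self.state[self.pos:self.pos + take]
            self.pos += take
            n -= take
        return bytes(out)


def streaming_matches_hashlib(security_bits, chunks, out_lens):
    """Absorb `chunks` one by one, squeeze `out_lens` pieces, and compare the joined
    output with hashlib's one-shot SHAKE of the joined input (the reference oracle)."""
    s = ShakeStream(security_bits)
    for chunk in chunks:
        s.absorb(chunk)
    ours = b"".join(s.squeeze(n) for n in out_lens)
    ref = hashlib.shake_128 if security_bits == 128 else hashlib.shake_256
    return ours == ref(b"".join(chunks)).digest(len(ours))
```

The interesting cases to exercise are the ones a streaming specification has to pin down: input pieces that straddle the rate boundary, a message that is exactly one block long, a message one byte short of a block (so the suffix and the final pad bit share a byte), and output requests that cross from one squeezed block into the next. In all of them the concatenated output must equal the corresponding prefix of the one-shot result, which is what makes an XOF's output prefix-consistent.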

The public comments included suggestions that NIST specify and approve several other SHA-3 derived functions. NIST is considering whether to specify and approve one or more SHA-3 derived functions for authenticated encryption with associated data in a new, separate Special Publication.

Submit your comments on this decision proposal by October 7, 2024, to cryptopubreviewboard@nist.gov with “Comments on FIPS 202 Decision Proposal” or “Comments on SP 800-185 Decision Proposal” in the subject line. Comments received in response to this request will be posted on the Crypto Publication Review Project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed. See the project site for additional information about the review process.
