Identification and Disruption of QakBot Infrastructure

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released this Joint Cybersecurity Advisory to disseminate QakBot infrastructure indicators of compromise (IOCs) identified through FBI investigations as of August 2023. On August 25, 2023, FBI and international partners executed a coordinated operation to disrupt QakBot infrastructure worldwide. Disruption operations targeting QakBot infrastructure resulted in the botnet takeover, which severed the connection between victim computers and QakBot command and control (C2) servers. The FBI is working closely with industry partners to share information about the malware to maximize detection, remediation, and prevention measures for network defenders.
CISA and FBI encourage organizations to implement the recommendations in the mitigations section of the advisory to reduce the likelihood of QakBot-related activity and promote identification of QakBot-facilitated ransomware and malware infections. Note: The disruption of QakBot infrastructure does not mitigate other previously installed malware or ransomware on victim computers. If potential compromise is detected, administrators should apply the incident response recommendations included in this advisory and report key findings to a local FBI Field Office or CISA at cisa.gov/report.
For a downloadable copy of IOCs, see: AA23-242A.stix.xml | AA23-242A.stix.json.
This advisory contains technical details, IOCs, mitigation recommendations, and is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.

Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD Pipelines: NIST SP 800-204D ipd Available for Comment

The initial public draft (ipd) of NIST Special Publication (SP) 800-204D, Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD Pipelines, is now available for public comment.

Cloud-native applications are made up of multiple loosely coupled components called microservices. This class of applications is generally developed through an agile software development life cycle (SDLC) paradigm called DevSecOps, which uses flow processes called continuous integration/continuous delivery (CI/CD) pipelines. Analyses of recent software attacks and vulnerabilities have led both government and private-sector organizations to focus on the activities involved in the entire SDLC. The collection of these activities is called the software supply chain (SSC). The integrity of these individual operations contributes to the overall security of an SSC, and threats can arise from attack vectors unleashed by malicious actors as well as defects introduced when due diligence practices are not followed during the SDLC.

Executive Order (EO) 14028, NIST’s Secure Software Development Framework (SSDF), other government initiatives, and industry forums have addressed security assurance measures for SSCs to enhance the security of all deployed software. This document focuses on actionable measures to integrate the various building blocks of SSC security assurance into CI/CD pipelines to prepare organizations to address SSC security in the development and deployment of their cloud-native applications.

The public comment period is open through October 13, 2023. See the publication details for a copy of the draft and instructions for submitting comments.

NOTE: A call for patent claims is included on page ii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.

Read More

Proposal to Revise SP 800-38D, “Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC”

NIST’s Crypto Publication Review Board announced the review of SP 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC (2007) in August 2021. In response, NIST received public comments.

NIST proposes revising SP 800-38D to address many of the technical and editorial suggestions in the public comments, such as the following:

  • to remove support for authentication tags whose lengths are less than 96 bits,
  • to clarify that the construction of initialization vectors (IVs) for GCM in the Transport Layer Security (TLS) 1.3 protocol is approved,
  • to clarify the guidance in connection with the IV constructions, and
  • to update the references.

Send comments on this decision proposal by October 9, 2023 to [email protected] with “Comments on SP 800-38D decision proposal” in the subject line.

Comments received in response to this request will be posted on the Crypto Publication Review Project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed. See the project site for additional information about the review process.

Rationale

The Galois/Counter Mode specified in SP 800-38D continues to be an important, widely adopted technique for authenticated encryption. Its security depends strongly on IVs never being repeated for distinct messages under the same key, as well as on the length of the authentication tag. The planned changes to the publication will improve the security of GCM and clarify that the construction of IVs for GCM in TLS 1.3 is approved.
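The two properties the rationale names, unique IVs and an adequate tag length, are concrete enough to show in code. The following is an added example written for this digest, not code from NIST or from SP 800-38D: it builds the per-record nonce the way TLS 1.3 does (RFC 8446 section 5.3), implements a deterministic fixed-field-plus-counter IV generator in the spirit of SP 800-38D section 8.2.1, caps random-IV invocations at the 2^32 limit the standard sets, and enforces the proposed 96-bit tag floor. The 4-byte/8-byte split of the 96-bit IV in the deterministic generator and the key-identifier strings are assumptions made for the example.

```python
import secrets

GCM_IV_BYTES = 12                      # 96-bit IV, the length SP 800-38D recommends
TLS13_SEQ_MAX = 2 ** 64                # RFC 8446: 64-bit record sequence number
MAX_RANDOM_IV_INVOCATIONS = 2 ** 32    # SP 800-38D cap per key when IVs come from an RBG
APPROVED_TAG_BITS = {96, 104, 112, 120, 128}   # proposed revision drops 32- and 64-bit tags


def check_tag_length(tag_bits: int) -> bool:
    """True only for tag lengths the revised SP 800-38D would still approve."""
    return tag_bits in APPROVED_TAG_BITS


def tls13_record_nonce(write_iv: bytes, seq_num: int) -> bytes:
    """Per-record GCM nonce as constructed by TLS 1.3 (RFC 8446 section 5.3):
    the 64-bit record sequence number is left-padded with zeros to the IV
    length and XORed with the static write IV derived from the handshake.
    The sequence number never repeats within a key's lifetime, so neither
    does the nonce, which is why this construction is safe for GCM."""
    if len(write_iv) != GCM_IV_BYTES:
        raise ValueError("TLS 1.3 write IV must be 12 bytes")
    if not 0 <= seq_num < TLS13_SEQ_MAX:
        raise ValueError("sequence number exhausted; a key update is required")
    padded = seq_num.to_bytes(GCM_IV_BYTES, "big")
    return bytes(a ^ b for a, b in zip(write_iv, padded))


class DeterministicIVGenerator:
    """Deterministic IV construction in the style of SP 800-38D section 8.2.1:
    a fixed field identifying the encrypting context followed by an
    invocation counter. The counter makes every IV under a key distinct;
    exhausting it must force a key rotation, never a wrap-around.
    The 4-byte fixed field / 8-byte counter split is an assumption for this
    example; the standard leaves the split to the implementer."""

    FIXED_BYTES = 4
    COUNTER_BYTES = GCM_IV_BYTES - FIXED_BYTES

    def __init__(self, fixed_field: bytes):
        if len(fixed_field) != self.FIXED_BYTES:
            raise ValueError("fixed field must be %d bytes" % self.FIXED_BYTES)
        self.fixed_field = fixed_field
        self.counter = 0

    def next_iv(self) -> bytes:
        if self.counter >= 2 ** (8 * self.COUNTER_BYTES):
            raise RuntimeError("invocation counter exhausted; rotate the key")
        iv = self.fixed_field + self.counter.to_bytes(self.COUNTER_BYTES, "big")
        self.counter += 1
        return iv


class RandomIVGenerator:
    """RBG-based IVs (SP 800-38D section 8.2.2). Randomness alone does not
    rule out collisions, so the standard bounds the number of invocations
    per key; this generator refuses to exceed that bound."""

    def __init__(self):
        self.invocations = 0

    def next_iv(self) -> bytes:
        if self.invocations >= MAX_RANDOM_IV_INVOCATIONS:
            raise RuntimeError("2^32 invocations reached; rotate the key")
        self.invocations += 1
        return secrets.token_bytes(GCM_IV_BYTES)


class NonceLedger:
    """Defensive guard for callers that are handed IVs from elsewhere: refuse
    to encrypt twice under the same (key identifier, IV) pair. A repeat is
    exactly the condition that breaks GCM confidentiality and lets an
    attacker recover the authentication subkey."""

    def __init__(self):
        self._seen = set()

    def register(self, key_id: str, iv: bytes) -> None:
        if (key_id, iv) in self._seen:
            raise ValueError("IV reuse detected under key %s" % key_id)
        self._seen.add((key_id, iv))


if __name__ == "__main__":
    write_iv = secrets.token_bytes(GCM_IV_BYTES)   # stands in for the TLS-derived IV
    ledger = NonceLedger()
    for seq in range(3):
        ledger.register("tls-app-key", tls13_record_nonce(write_iv, seq))
    gen = DeterministicIVGenerator(b"\x00\x00\x00\x01")
    for _ in range(3):
        ledger.register("device-key", gen.next_iv())
    print("all nonces distinct; 64-bit tags approved:", check_tag_length(64))
```

The ledger is the practical check for code that does not control IV generation itself: it turns a silent catastrophic failure (nonce reuse) into a loud exception before any ciphertext leaves the process.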

Read More

NIST to Standardize Encryption Algorithms That Can Resist Attack by Quantum Computer

Last year, the National Institute of Standards and Technology (NIST) selected four algorithms designed to withstand attack by quantum computers. Now the agency has begun the process of standardizing these algorithms — the final step before making these mathematical tools available so that organizations around the world can integrate them into their encryption infrastructure.

Today NIST released draft standards for three of the four algorithms it selected in 2022. A draft standard for FALCON, the fourth algorithm, will be released in about a year.

Read More

Access Resources for Cybersecurity Career Week

Cybersecurity Career Week October 16-21, 2023
nist.gov/nice/ccw
Cybersecurity Career Week is a campaign to promote the discovery of cybersecurity careers and share resources that increase understanding of the multiple learning pathways that lead to those careers.
ATTEND THE INFORMATIONAL WEBINAR
There is still time to register! Join us next week Wednesday, September 6, 2023, for an informational webinar and question and answer session about Cybersecurity Career Week. We will share topics, example activities, and advice on what you can do to prepare for and participate in Cybersecurity Career Week 2023. Register to Attend
BROWSE ON-DEMAND MATERIALS
Plentiful resources are available at the click of a button on the Cybersecurity Career Week website. Explore Online Resources
DID YOU KNOW
Did you know that roles in Data Analysis are among the highest in-demand cybersecurity jobs? That’s right! Skills such as generating queries and reports, determining sources and characteristics of data, and even identifying hidden patterns or relationships are commonly used in these roles. Want to learn more? The NICE Framework Data Analyst Work Role has more information about typical tasks someone in this role is responsible for.

Cybersecurity Career Week is coordinated by NICE and supported by a community of government, academic, non-profit, and private industry stakeholders. Commercial entities, materials, and resources provided in support of Cybersecurity Career Week may be included in this email or on the nist.gov/nice/ccw web site or linked web sites. Such identification is not intended to imply recommendation or endorsement by NIST.
INFORMATION AND UPDATES Help make Cybersecurity Career Week a success! Visit our website to see what tools and resources you can use to help promote the week-long effort to your connections. For more information, visit nist.gov/nice/ccw.

NIST Workshop on Multi-party Threshold Schemes (MPTS) 2023, September 26th–28th (Virtual)

MPTS 2023: The NIST workshop on Multi-Party Threshold Schemes 2023 will gather diverse public feedback about the process envisioned in the NIST First Call for Multi-Party Threshold Schemes [NISTIR 8214C ipd (2023)] (the “Threshold Call”). The process includes an exploration of threshold schemes for diverse cryptographic primitives standardized by NIST, and of other primitives (such as those related to FHE, ZKP and ABE) and assumptions not present in current NIST standards. The success of the envisioned process (collecting reference material, performing public analysis, devising recommendations) hinges on active involvement of the international cryptography community. To that effect, expert stakeholders are encouraged to submit abstracts of short talks (5–15 min) to present at MPTS 2023. Attendance is open to the wider community of stakeholders and people interested in the topic. Live attendance is free but requires registration.

Read More

Building a Cybersecurity and Privacy Learning Program: NIST Releases Draft SP 800-50 Rev. 1

Draft NIST Special Publication (SP) 800-50r1 (Revision 1), Building a Cybersecurity and Privacy Learning Program, is now available for public comment. The document was first published in 2003 as Building an Information Technology Security Awareness and Training Program. The public comment period for this draft is open through October 27, 2023.

About NIST SP 800-50r1:

Cybersecurity awareness and training resources, methodologies, and requirements have evolved since NIST SP 800-50 was introduced in 2003. New guidance from the National Defense Authorization Act (NDAA) for FY2021 and the Cybersecurity Enhancement Act of 2014 have informed this revision. In addition, the 2016 update to Office of Management and Budget (OMB) Circular A-130 emphasizes the role of both privacy and security in the federal information life cycle and requires agencies to have both security and privacy awareness and training programs. Additionally, the NICE Workforce Framework for Cybersecurity (NICE Framework), which was published as NIST SP 800-181 in 2017 and revised in 2020, further informed the development of the draft of SP 800-50.

Work on a companion guide — NIST SP 800-16r3, Information Technology Security Training Requirements: A Role- and Performance-Based Model — will cease and the original NIST SP 800-16 (1998) will be withdrawn with the final publication of NIST SP 800-50r1.

Goals of this update:

  • Integrate privacy with cybersecurity in the development of organization-wide learning programs
  • Introduce a life cycle model that allows for ongoing, iterative improvements and changes to accommodate cybersecurity, privacy, and organization-specific events
  • Introduce a learning program concept that incorporates language found in other NIST documents
  • Leverage current NIST guidance and terminology in reference documents, such as the NICE Workforce Framework for Cybersecurity, the NIST Cybersecurity Framework, the NIST Privacy Framework, and the NIST Risk Management Framework
  • Propose an employee-focused cybersecurity and privacy culture for organizations
  • Integrate learning programs with organizational goals to manage cybersecurity and privacy risks
  • Address the challenge of measuring the impacts of cybersecurity and privacy learning programs

Submit comments:

The public comment period is open through October 27, 2023. See the publication details for a copy of the draft and instructions for submitting comments.

Read More

Cyber Risks of Improperly Disposed IT Assets

According to NIST’s IT Asset Management, the typical asset lifecycle goes through the enrollment, operation, and end-of-life phases. IT assets include storage media, whether magnetic, optical, or flash (hard drives, DVDs, USB flash drives, and SD cards), and components found in internet-connected devices. Examples include mobile devices (smartphones, tablets, and PDAs), laptops, desktops, servers, networking devices (routers and switches), scanners, copiers, printers, fax machines, and Internet of Things (IoT) devices (surveillance cameras and smart door locks). As the need to retire and upgrade IT assets increases, organizations and individuals may not know how to properly “dispose” of IT assets and data during the end-of-life phase. Once an IT asset reaches the disposal phase, it is prepared for both data removal and physical removal.
 
Decommissioning is the process of removing or retiring an old or obsolete IT asset from service and sanitizing the data from the media. When decommissioning IT assets, it is critical to properly sanitize, or wipe, all data securely from the media to help protect personally identifiable information (PII), sensitive data, and corporate information from unauthorized access. The sanitization method to be used depends on the type of storage media, the classification and sensitivity of the data which it stores, and the purpose of the media after it is sanitized.
 
The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques—including clearing, purging, cryptographic erase, and physical destruction—prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal (such as recycling, reselling, donating, or discarding in the trash). Common causes of improper disposition include disorganized inventories, the absence of a defined disposal process, and failure to maintain the chain of custody that industry regulations often require. IT asset disposition (ITAD) services or reputable electronic waste (e-waste) vendors are frequently used by organizations and individuals to certify that their data has not been compromised in the disposition of their IT assets.
 
Routers and printers with limited storage can hold sensitive information, such as ownership data, IP topology maps, pointers to external data stores, vendor network connection data, VPN details, trusted credentials, “crackable” or reusable administrator login credentials, cryptographic keys, and application-specific data. For example, the ESET cybersecurity firm discovered discarded Cisco, Fortinet, and Juniper Networks enterprise routers that were not properly sanitized and still contained configuration data. The routers also contained sensitive corporate information, such as IPsec or VPN credentials, hashed root passwords, customer information, data allowing third-party connections to the network, credentials for connecting to other networks, router-to-router authentication keys, and connection details for specific applications. Also, Canon warned users of home, office, and large format inkjet printers that their Wi-Fi connection settings in memory storage were not wiped as expected during the initialization process. Typical settings for these devices include network SSID, password, network type, assigned IP address, MAC address, and network profile. A threat actor could use this information to gain unauthorized access to the network that the printer was connected to, access shared resources, steal data, and perform other cyberattacks.
 
Additionally, Rapid7 security researchers discovered discarded medical infusion pumps sold on secondary markets, such as eBay, that exposed sensitive information, including access credentials and wireless authentication data from their previous owners. The information can then be used to gain internal access to the original owner’s network, exploit other vulnerable devices on the network, distribute malware or ransomware, or access and exfiltrate personal health information (PHI).
 
Failure to sanitize data and properly dispose of IT assets creates security vulnerabilities, privacy and industry regulatory violations, financial impacts, reputational damage, or environmental implications and could undermine cybersecurity controls and efforts in place. Furthermore, mission-critical or regulated data found on improperly disposed IT assets could be used for malicious purposes and have devastating consequences. The exposed information can provide insight into the overall security defenses of the device’s original owner, providing threat actors the means to target specific “crown jewel” assets, impersonate users, infiltrate networks or internal hosts, sell the information on the dark web marketplace, and more.
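The router findings above suggest a simple control that belongs in the decommissioning workflow: before a device is released to an ITAD vendor, export its configuration and scan the export for the classes of residual data described (administrator credentials, VPN pre-shared keys, AAA shared secrets, SNMP communities, and topology or partner-connection details), then block release until the device has been sanitized and the scan comes back clean. The code below is an added example written for this digest, not NIST's or ESET's tooling. The configuration is a constructed Cisco-IOS-style export with placeholder values, and the rule set and category names are assumptions chosen to illustrate the check; a real deployment would extend the rules to each vendor's syntax.

```python
import re

# Constructed sample configuration export. Every value is a placeholder
# (documentation address ranges, made-up hashes), not real data.
SAMPLE_CONFIG = """\
hostname branch-rtr-01
enable secret 5 $1$aBcD$EfGhIjKlMnOpQrStUvWxY.
username netadmin privilege 15 secret 5 $1$zYxW$VuTsRqPoNmLkJiHgFeDcB/
snmp-server community public RO
tacacs-server host 198.51.100.20 key T4cacsSharedKey
crypto isakmp key PreSharedVpnKey address 203.0.113.5
ip route 10.20.0.0 255.255.0.0 10.1.1.1
interface GigabitEthernet0/0
 description Uplink to PARTNER-NET (third-party connection)
 ip address 192.0.2.2 255.255.255.252
!
"""

# Each rule: (category, pattern applied to the start of a line, what an
# attacker gains). Categories in RELEASE_BLOCKERS stop the device leaving.
RULES = [
    ("local credential",
     re.compile(r"(enable|username)\b.*\b(secret|password)\b"),
     "hashed or plaintext administrator logins to crack or reuse"),
    ("vpn preshared key",
     re.compile(r"crypto isakmp key\s+(\S+)\s+address\s+(\S+)"),
     "IPsec/VPN credentials tied to a specific remote peer"),
    ("aaa shared secret",
     re.compile(r"(tacacs|radius)-server host\s+(\S+).*\bkey\s+(\S+)"),
     "shared secret to impersonate the AAA server or its clients"),
    ("snmp community",
     re.compile(r"snmp-server community\s+(\S+)"),
     "read access to device state and network topology"),
    ("topology / third party",
     re.compile(r"\s*(ip route|ip address|description)\b"),
     "internal addressing and partner connections useful for targeting"),
]

RELEASE_BLOCKERS = {"local credential", "vpn preshared key",
                    "aaa shared secret", "snmp community"}


def find_residual_data(config_text: str) -> list:
    """Scan a configuration export line by line and return one finding per
    matching line: line number, category, attacker impact, and the line
    itself (so the finding can be traced in the disposal record)."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        for category, pattern, impact in RULES:
            if pattern.match(line):
                findings.append({"line": lineno, "category": category,
                                 "impact": impact, "text": line.strip()})
                break   # first matching rule classifies the line
    return findings


def release_allowed(findings: list) -> bool:
    """Disposal gate: a device may be handed to the ITAD vendor only when no
    credential-class residue remains. Topology findings are reported but
    do not block release on their own."""
    return not any(f["category"] in RELEASE_BLOCKERS for f in findings)


if __name__ == "__main__":
    results = find_residual_data(SAMPLE_CONFIG)
    for f in results:
        print("line %2d  %-22s %s" % (f["line"], f["category"], f["impact"]))
    print("release allowed:", release_allowed(results))
```

Run against the sample, the scan flags eight lines and blocks release, which is the outcome a device fresh out of service should produce; rerunning the scan on the export taken after a factory reset or cryptographic erase, and recording both results with the chain-of-custody paperwork, is what turns "we wiped it" into evidence.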
 

Draft CSF Profile for EV XFC Infrastructure!

There’s Still Time to Comment on the Draft NIST IR 8473, Cybersecurity Framework Profile for Electric Vehicle Extreme Fast Charging Infrastructure

The National Cybersecurity Center of Excellence (NCCoE) has released for public comment the initial public draft of NIST Internal Report (NIST IR) 8473, Cybersecurity Framework Profile for Electric Vehicle Extreme Fast Charging Infrastructure. The comment period is open through August 28, 2023.

About the Report

This Cybersecurity Framework Profile (Profile) has been developed for the Electric Vehicle Extreme Fast Charging (EV/XFC) ecosystem and the subsidiary functions that support each of the four domains: (i) Electric Vehicles (EV); (ii) Extreme Fast Charging (XFC); (iii) XFC Cloud or Third-Party Operations; and (iv) Utility and Building Networks. The document provides a foundation that relevant parties may use to develop profiles specific to their organization to assess their cybersecurity posture as part of their risk management process. This non-regulatory, voluntary profile is intended to supplement, not replace, an existing risk management program or the cybersecurity standards, regulations, and industry guidelines currently in use by the EV/XFC industry.

Purpose

The EV/XFC Cybersecurity Framework Profile is designed to be part of an enterprise risk management program to aid organizations in managing threats to systems, networks, and assets within the EV/XFC ecosystem. The EV/XFC Cybersecurity Framework Profile is not intended to serve as a solution or compliance checklist. Users of this profile should understand that applying it cannot eliminate the possibility of disruption or guarantee a particular level of assurance.

Use of the Profile will help organizations:

  • Identify key assets and interfaces in each of the ecosystem domains.
  • Address cybersecurity risk in the management and use of EV/XFC services.
  • Identify the threats, vulnerabilities, and associated risks to EV/XFC services, equipment, and data.
  • Apply protection mechanisms to reduce risk to manageable levels.
  • Detect disruptions and manipulation of EV/XFC services.
  • Respond to and recover from EV/XFC service anomalies in a timely, effective, and resilient manner.

Submit Comments

The public comment period closes at 11:59 p.m. EDT on Monday, August 28, 2023. Please email all draft comments to [email protected]. We encourage you to submit all feedback using the comment template found on our project page.

Join the Community of Interest

If you have expertise in EV/XFC and/or cybersecurity, consider joining the Community of Interest (COI) to receive the latest project news and announcements. Email the team at [email protected] declaring your interest or complete the sign-up form on our project page.

Learn More