NIST Offers Draft Guidance on Evaluating a Privacy Protection Technique for the AI Era

Here’s a tricky situation: A business that sells fitness trackers to consumers has amassed a large database of health data about its customers. Researchers would like access to this information to improve medical diagnostics. While the business is concerned about sharing such sensitive, private information, it also would like to support this important research. So how do the researchers obtain useful and accurate information that could benefit society while also keeping individual privacy intact?

Helping data-centric organizations to strike this balance between privacy and accuracy is the goal of a new publication from the National Institute of Standards and Technology (NIST) that offers guidance on using a type of mathematical algorithm called differential privacy. Applying differential privacy allows the data to be publicly released without revealing the individuals within the dataset.

Read More

December 11, 2023   NJCCIC Public/Private Sector IT-Security Professional Members,      The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Office of the Director of National Intelligence (ODNI), and industry partners have released a guide developed by the Enduring Security Framework entitled, Securing the Software Supply Chain: Recommended Practices for Managing Open-Source Software and Software Bill of Materials (SBOMs).   This report provides guidance in line with industry best practices and principles, including managing open source SBOM to maintain and provide awareness about the security of software. Specifically, the report provides more details on Open Source Software (OSS) adoption and the areas to consider when evaluating and deploying an open source component into an existing product development environment including: its composition; process and procedures used when adopting OSS; and management, tracking and distribution of approved software components using an SBOM.    OSS is an essential and valuable component in many commercial and public-sector products and services, and collaboration on OSS often enables great cost-savings for participants. However, organizations that do not follow a consistent and secure by design management practice for the OSS they utilize are more likely to become vulnerable to known exploits in open source packages and encounter more difficulty when reacting to an incident.    The Enduring Security Framework is a cross-sector working group that operates under the auspices of Critical Infrastructure Partnership Advisory Council (CIPAC) to address threats and risks to the security and stability of US national security systems. It is comprised of experts from the US government as well as industry representatives from information technology, communications, and the Defense Industrial Base.    For more information on CISA’s work in these areas, visit Open Source Software Security and Software Bill of Materials.

A Note on Progress…NIST’s Digital Identity Guidelines.

In August 2023 the Digital Identity Guidelines team hosted a two-day workshop to provide a public update on the status of revision 4. As part of that session, we committed to providing further information on the status of each volume going forward. In fulfillment of this commitment, we wanted to offer a quick update on where we stand.

Our goal remains to have the next version of each volume out by the Spring of 2024. With our gratitude for the robust and substantive engagement we received during the comment period, at this time we would like to announce that all four volumes of Special Publication 800-63-4 will have a second public comment period, which will last at least 45 days.

• NIST SP 800-63 Base Volume. We are making substantive changes to the volume including updating the digital identity model to account for “Issuer, Holder, Verifier” frameworks of digital identity, new content…

Read More

Multiple vulnerabilities have been discovered in Apple products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Threat Intelligence Apple is aware of a report that CVE-2023-42916 and CVE-2023-42917 may have been actively exploited against versions of iOS released before iOS 16.7.1.

Systems Affected

Versions prior to macOS Ventura 13.6.3 Versions prior to macOS Sonoma 14.2 Versions prior to macOS Monterey 12.7.2 Versions prior to iOS 16.7.3 and iPadOS 16.7.3 Versions prior to iOS 17.2 and iPadOS 17.2 Versions prior tvOS 17.2 Versions prior watchOS 10.2 Versions prior Safari 17.2

Risk Government: – Large and medium government entities: High – Small government entities: Medium

Businesses: – Large and medium business entities: High – Small business entities: Medium

Home Users: Low

Technical Summary Multiple vulnerabilities have been discovered in Apple products, the most severe of which could allow for arbitrary code execution.

Recommendations

Apply the stable channel update provided by Apple to vulnerable systems immediately after appropriate testing. Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. Block execution of code on a system through application control, and/or script blocking. Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.

References Apple: https://support.apple.com/kb/HT214039 https://support.apple.com/kb/HT214035 https://support.apple.com/kb/HT214034 https://support.apple.com/kb/HT214036 https://support.apple.com/kb/HT214038 https://support.apple.com/kb/HT214037 https://support.apple.com/kb/HT214040 https://support.apple.com/kb/HT214041

A vulnerability has been discovered in the Backup Migration Plugin for WordPress, which could allow for remote code execution. The Backup Migration Plugin helps admins automate site backups to local storage or a Google Drive account. Successful exploitation could allow for remote code execution in the context of the Server. Depending on the privileges associated with the logged on user, an attacker could then install programs; view, change, or delete data. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Threat Intelligence Wordfence reports CVE-2023-6553 has been exploited in the Wild. Bleeping Computer reports WordPress administrators are also being targeted by a phishing campaign attempting to trick them into installing malicious plugins using fake WordPress security advisories for a fictitious vulnerability tracked as CVE-2023-45124 as bait.

Systems Affected

Backup Migration versions prior to 1.3.7

Risk Government: – Large and medium government entities: High – Small government entities: Medium

Businesses: – Large and medium business entities: High – Small business entities: Medium

Home Users: Low

Technical Summary A vulnerability has been discovered in the Backup Migration Plugin for WordPress, which could allow for remote code execution.

Recommendations

Apply appropriate updates provided by WordPress to vulnerable systems immediately after appropriate testing. Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.

In January 2022, NIST revised Federal Information Processing Standard (FIPS) 201, which establishes standards for the issuance and use of Personal Identity Verification (PIV) Credentials, including the credentials on PIV Cards and the derived PIV credentials on alternate form factors. NIST Special Publication (SP) 800-79 has subsequently been revised to align with FIPS 201 and is now available for public comment.

The initial public draft (ipd) of SP 800-79r3 (Revision 3), Guidelines for the Authorization of PIV Card and Derived PIV Credential Issuers, provides appropriate and useful guidelines for assessing the reliability of PIV Card and derived PIV credential issuers. The major changes for this revision encompass:

• Updates to issuer controls based on Revision 3 of FIPS 201, specifically to:
  • Add controls for supervised remote identity proofing
  • Account for the inclusion of PIV identity accounts
• Updates to issuer controls for derived PIV credentials based on SP 800-157r1, Guidelines for Derived PIV Credentials, specifically to add controls for non-PKI-based credentials issued at authentication assurance level (AAL) 2 or 3
• Updates to issuer controls based on the adjudicative guidelines update for PIV credential eligibility issued by the Office of Personnel Management (OPM)

The comment period for SP 800-79r3 ipd is open through January 29, 2024. See the publication details for a copy of the draft. We encourage you to use the comment template provided there and submit comments and inquiries to piv_comments@nist.gov.

NOTE: A call for patent claims is included on page iii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.

Read More

The Cybersecurity and Infrastructure Security Agency (CISA)—in coordination with the United Kingdom’s National Cyber Security Centre (UK-NCSC), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NCSC-NZ), and the US National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Cyber Command Cyber National Mission Force (CNMF)—released a Joint Cybersecurity Advisory to raise awareness of the specific tactics, techniques, and delivery methods used by this Russia-based threat actor group to target individuals and organizations. Known Star Blizzard techniques include:

Impersonating known contacts’ email accounts, Creating fake social media profiles, Using webmail addresses from providers such as Outlook, Gmail, and others, and Creating malicious domains that resemble legitimate organizations.

CISA encourages network defenders and critical infrastructure organizations to review the advisory to improve their cybersecurity posture and protect against similar exploitation based on threat actor activity. CISA also urges software manufacturers to incorporate secure-by-design and security-by-default principles into their software development practices, limiting the impact of threat actor activity.

For more guidance to protect against the most common and impactful threats, visit CISA’s Cross-Sector Cybersecurity Performance Goals. For more information on secure by design, see CISA’s Secure by Design webpage.

It is commonplace for consumers to purchase gift cards as a present, especially for special occasions or the holidays. Threat actors seek to exploit this common task in gift card scams. For example, threat actors initiate fraudulent requests by spoofing a known or trusted person—such as a person in leadership or a position of authority within an organization, a friend, or a loved one—to make the request appear more legitimate. They also create a sense of urgency with a fake story or emergency to convince the recipient to act quickly without verifying. These fraudulent requests may be sent through email, SMS text messages, and social media platforms.

Automation Support for Control Assessments: Project Update and Vision

NIST has released Cybersecurity White Paper (CSWP) 30, Automation Support for Control Assessments – Project Update and Vision, which describes planned updates to the NIST Interagency Report (IR) 8011 series. These updates to IR 8011’s methodology, language, and guidance will align with revisions to SP 800-53, SP 800-53A, and SP 800-53B and will be applied to existing (IR 8011 Volumes 1–4) and upcoming volumes. CSWP 30 also shares the vision for the IR 8011 project, as well as a development and maintenance roadmap.

Existing IR 8011 volumes can be downloaded at the NIST Risk Management Framework (RMF) project site (select the project’s Publications page link). Individuals and organizations who may be interested in participating in a planned IR 8011 Community of Interest — especially those who are involved with the development of Governance, Risk, and Compliance (GRC) solutions — are welcome to inform the IR 8011 team at 8011comments@list.nist.gov. Questions about IR 8011 can be sent to the same address.

Read More

Today, as part of the Secure by Design campaign, CISA published The Case for Memory Safe Roadmaps: Why Both C-Suite Executives and Technical Experts Need to Take Memory Safe Coding Seriously in collaboration with the following partners:

• United States National Security Agency
• United States Federal Bureau of Investigation
• Australian Signals Directorate’s Australian Cyber Security Centre
• Canadian Centre for Cyber Security
• United Kingdom National Cyber Security Centre
• New Zealand National Cyber Security Centre
• Computer Emergency Response Team New Zealand

Malicious cyber actors routinely exploit memory safety vulnerabilities, which are common coding errors and the most prevalent type of disclosed software vulnerability. Preventing and responding to these vulnerabilities cost both software manufacturers and their customer organizations significant time and resources.

The Case for Memory Safe Roadmaps details how software manufacturers can transition to memory safe programming languages (MSLs) to eliminate memory safety vulnerabilities. The guidance provides manufacturers steps for creating and publishing memory safe roadmaps that will show their customers how they are owning security outcomes, embracing radical transparency, and taking a top-down approach to developing secure products—key Secure by Design tenets.

CISA and our partners urge C-suite and technical experts at software manufacturers to read this guidance and implement memory safe roadmaps to eliminate memory safety vulnerabilities from their product.

For more information and resources, visit CISA.gov/SecureByDesign.