Microsoft Event: Ask the Experts: Migrate to IaaS or PaaS? Modernize your mission-critical apps on the cloud

Webinar date:
Tuesday, May 9, 2023
9:00 AM Pacific Time / 12:00 PM Eastern Time

Choosing the best cloud migration approach is essential to effectively migrating mission-critical apps and data. Infrastructure as a service (IaaS) and platform as a service (PaaS) are both great options, but which one is right for your organization? Get your questions answered by our team of SQL experts. Register now to join the conversation during this live digital event, which will cover:

  • Solution assessments
  • SQL IaaS versus SQL PaaS solutions
  • Data and application migration
  • Planning and migration

Get step-by-step guidance for enabling key features in Microsoft Defender

Blog post from Microsoft.

To get the most value from your Security solutions, you need to understand the business value of the different features they include to decide if, when, and how to go about turning them on. And when you’re ready to enable new features, you need clear guidance to make it happen.  
 
This is why we recently published new Microsoft Security solution feature guides on Microsoft Defender for Office 365 and Defender for Endpoint. Each guide briefly highlights five key product features and the value they provide, then points directly to step-by-step enablement instructions.  

Microsoft Security solution feature guide: Microsoft Defender for Office 365  
Defender for Office 365 provides integrated threat protection for your email and collaboration tools. With this guide, you can learn about and enable: 

  1. Incident and alert management 
  2. Attack simulations and training campaigns 
  3. Automated investigation and response triggers 
  4. Scanning with Safe Links 
  5. Attachment checks with Safe Attachments 

Microsoft Security solution feature guide: Microsoft Defender for Endpoint 
Defender for Endpoint helps you rapidly stop attacks, scale security resources, and evolve defenses across your operating systems and network devices. The guide covers the following features and links to instructions so you can:  

  1. Define manual response actions 
  2. Explore automated investigations 
  3. Enable endpoint reporting and policy settings 
  4. Engage in advanced threat hunting 
  5. Choose either active or passive mode for antivirus 

Check out the Microsoft Defender for Office 365 and Defender for Endpoint solution feature guides to learn how you can get more value from Microsoft Security and take your first steps toward enabling more features today.  

CISA Urges Organizations to Incorporate the FCC Covered List Into Risk Management Plans

The Federal Communications Commission (FCC) maintains a Covered List of communications equipment and services that the U.S. government has determined to pose an unacceptable risk to the national security of the United States or to the security and safety of United States persons, pursuant to the Secure and Trusted Communications Networks Act of 2019.

As the 6th annual National Supply Chain Integrity Month concludes, CISA reminds all critical infrastructure owners and operators to take the necessary steps to secure the nation’s most critical supply chains. CISA urges organizations to incorporate the Covered List into their supply chain risk management efforts, in addition to adopting the recommendations in Defending Against Software Supply Chain Attacks—a joint CISA and NIST resource that provides guidance on using NIST’s Cyber Supply Chain Risk Management (C-SCRM) framework to identify, assess, and mitigate risks. All critical infrastructure organizations are also urged to enroll in CISA’s free Vulnerability Scanning service for assistance in identifying vulnerable or otherwise high-risk devices, such as those on the FCC’s Covered List. To learn more about CISA’s supply chain efforts and to view resources, visit CISA.gov/supply-chain-integrity-month.

Decision to Revise NIST SP 800-38A

NIST to Revise SP 800-38A, Recommendation for Block Cipher Modes of Operation: Methods and Techniques

In May 2021, NIST’s Crypto Publication Review Board initiated a review process for the following two publications, and received public comments:

  • NIST Special Publication (SP) 800-38A, Recommendation for Block Cipher Modes of Operation: Methods and Techniques (December 2001)
  • NIST SP 800-38A Addendum, Three Variants of Ciphertext Stealing for CBC Mode (October 2010)

In March 2022, the board proposed revising SP 800-38A and converting the SP 800-38A Addendum by merging it into the revised SP 800-38A, and received additional comments on that proposed decision.

NIST has decided to revise SP 800-38A and to convert the SP 800-38A Addendum. See the full announcement for more details, links to comments received, and ways to monitor future developments such as the Third NIST Workshop on Block Cipher Modes of Operation 2023, scheduled for October 3-4, 2023.

Read More

Register Now for the NCCoE Supply Chain Assurance Community

One Week Left to Register for the NCCoE Supply Chain Assurance Community of Interest Update

Date/Time: Wednesday, May 3, 2023 | 2:00-3:00 PM ET

Next week, the National Cybersecurity Center of Excellence (NCCoE) Supply Chain Assurance team will host a webinar update to discuss the finalized NIST Special Publication 1800-34, Validating the Integrity of Computing Devices.

Organizations are increasingly at risk of cyber supply chain compromise, whether intentional or unintentional. Managing these risks requires ensuring the integrity of the cyber supply chain and its products and services. This practice guide demonstrates how organizations can verify that the internal components of the computing devices they acquire are genuine and have not been unexpectedly altered or tampered with.

Join the NCCoE Supply Chain Assurance team to discuss the following topics:

  • Project Overview
  • Lessons Learned/Takeaways
  • NCCoE DevSecOps Presentation
  • Next Steps/Q&A

If you have any questions that you would like to submit in advance for the Q&A session, please send them via email to our team at supplychain-nccoe@nist.gov.

Event Page

Healthy security habits to fight credential breaches: Cyberattack Series

Here is a post from Microsoft

Fifty percent of Microsoft cybersecurity recovery engagements relate to ransomware,[1] and 61 percent of all breaches involve credentials.[2] In this second report in our ongoing Cyberattack Series, we look at the steps taken to discover, understand, and respond to a push-bombing request that targeted a legitimate user, allowing an attacker to authenticate and register their own mobile device.

Credential-based attacks begin with stealing or otherwise illegitimately obtaining credentials. Attackers often target individuals who they believe hold the credentials they need, then conduct social media and dark web research on them. Phishing emails and websites aimed at corporate targets only need to succeed once to yield credentials that can be sold to and shared with other bad actors.

Push-bombing is when an attacker uses a bot or script to trigger multiple access attempts with stolen or leaked credentials. The attempts trigger a rush of push notifications to the target user’s device, which should be denied. But multiple attempts can confuse a target and cause them to mistakenly allow authentication. Other times, multifactor authentication fatigue can weigh on the target, causing them to believe the access attempts are legitimate. Just one mistaken “allow” is all it takes for an attacker to gain access to an organization’s applications, networks, or files.

On average, people receive between 60 and 80 push notifications each day, with some of us viewing more than 200.[3] The time it takes to swipe, tap, flag, click, save, and close every ding, buzz, pop-up, text, and tab takes a toll. Researchers believe the onslaught of notifications is causing us to get tired faster and lose focus, leaving us especially prone to distraction as the day wears on.[4] This is what attackers count on. If an attacker gains the credentials to operate like a registered, legitimate user, identifying the intrusion and tracing their possible paths of destruction becomes paramount.

Late last year, a large enterprise customer asked Microsoft Incident Response to investigate an incursion into their on-premises Active Directory environment. Due to the risk of ongoing threats and the need for continued vigilance, the organization and attacker will be kept anonymous for this incident, and we will refer to it as “the inCREDible attack.” This credential-based incident highlights the critical need for establishing healthy habits in our security maintenance processes to combat the regular, repeated, and overwhelming credential attacks faced by today’s organizations.

In this report, we examine the factors contributing to the threat actor’s initial incursion and explore what could have happened without prompt, tactical mitigation efforts. Then we detail the required work streams, recommended timing, and activities involved with regaining control and establishing a plan going forward. We’ll also explore four core steps customers can take to “eat their vegetables” and establish healthy habits that help minimize the risk of attack. And then we share five elements of a defense-in-depth approach that can help businesses maintain a robust defense against ransomware attacks.

Many attacks can be prevented—or at least made more difficult—through the implementation and maintenance of basic security controls. Organizations that “eat their vegetables” can strengthen their cybersecurity defenses and better protect against attacks. That means establishing a solid inventory of all technology assets, continually patching operating systems and software, and implementing comprehensive centralized log collection—all while following a well-defined retention policy. Read the report to go deeper into the details of the push-bombing attack, including the response activity, and lessons that other organizations can learn from this inCREDible case.
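The push-bombing pattern described above (a burst of MFA prompts, mostly denied, followed by a single approval and a new device registration) is easy to miss on a dashboard but straightforward to spot in centralized sign-in logs. The following detector is an added example, not code from Microsoft or from the report; the log format is a constructed, simplified CSV, and the window, threshold and follow-up values are assumptions to tune for your environment.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sign-in log (not real telemetry). Columns are an assumed
# simplification of an identity provider's sign-in/audit export.
SAMPLE_LOG = """\
timestamp,user,event,result,device
2023-04-12T08:01:10Z,alice,mfa_push,denied,phone-1
2023-04-12T08:01:40Z,alice,mfa_push,denied,phone-1
2023-04-12T08:02:15Z,alice,mfa_push,denied,phone-1
2023-04-12T08:02:50Z,alice,mfa_push,denied,phone-1
2023-04-12T08:03:30Z,alice,mfa_push,denied,phone-1
2023-04-12T08:04:05Z,alice,mfa_push,approved,phone-1
2023-04-12T08:05:00Z,alice,device_registered,success,phone-2
2023-04-12T09:00:00Z,bob,mfa_push,approved,phone-3
2023-04-12T10:00:00Z,carol,mfa_push,denied,phone-4
2023-04-12T10:20:00Z,carol,mfa_push,denied,phone-4
2023-04-12T10:40:00Z,carol,mfa_push,approved,phone-4
"""


def parse_log(text):
    """Parse the CSV into dicts with a timezone-aware 'ts' field, sorted by time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        rows.append(row)
    rows.sort(key=lambda r: r["ts"])
    return rows


def find_push_bombing(events, window=timedelta(minutes=10), threshold=5,
                      follow_up=timedelta(hours=1)):
    """Flag users who received a cluster of >= threshold MFA pushes, where each
    push follows the previous one within `window`. Severity rises if the burst
    ends in an approval, and again if a device is registered shortly after."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        prompts = [e for e in evs if e["event"] == "mfa_push"]
        registrations = [e["ts"] for e in evs if e["event"] == "device_registered"]

        # Group prompts into clusters: a new cluster starts when the gap to the
        # previous prompt exceeds the window.
        clusters = []
        for p in prompts:
            if clusters and p["ts"] - clusters[-1][-1]["ts"] <= window:
                clusters[-1].append(p)
            else:
                clusters.append([p])

        for c in clusters:
            if len(c) < threshold:
                continue
            approvals = [p for p in c if p["result"] == "approved"]
            denied = sum(1 for p in c if p["result"] == "denied")
            approved_at = approvals[-1]["ts"] if approvals else None
            new_device = approved_at is not None and any(
                approved_at <= r <= approved_at + follow_up for r in registrations
            )
            if new_device:
                severity = "critical"   # attacker likely enrolled their own authenticator
            elif approvals:
                severity = "high"       # the user eventually tapped "allow"
            else:
                severity = "medium"     # bombing attempted, not yet successful
            alerts.append({
                "user": user,
                "first_seen": c[0]["ts"].isoformat(),
                "last_seen": c[-1]["ts"].isoformat(),
                "prompts": len(c),
                "denied": denied,
                "approved": bool(approvals),
                "new_device_registered": new_device,
                "severity": severity,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_push_bombing(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run as-is, the script raises one critical alert for the constructed user alice (six prompts in under three minutes, five denied, one approved, and a new device two minutes later) and nothing for bob or carol, whose prompts are isolated. A medium alert on its own is the moment to revoke sessions and contact the user; a critical one is the moment to treat the newly registered device as attacker-controlled and remove it.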

What is the Cyberattack Series?

With this Cyberattack Series, customers will discover how Microsoft incident responders investigate unique and notable exploits. For each attack story, we will share:

  • How the attack happened
  • How the breach was discovered
  • Microsoft’s investigation and eviction of the threat actor
  • Strategies to avoid similar attacks

Read the first blog in the Cyberattack Series, Solving one of NOBELIUM’s most novel attacks.

[1] Microsoft Digital Defense Report 2022, Microsoft, 2022.

[2] 2022 Data Breach Investigations Report, Verizon, 2022.

[3] Batching smartphone notifications can improve well-being, Nicholas Fitz et al., December 2019.

[4] Phone Notifications are Messing with your Brain, Molly Glick, April 29, 2022.

WWT 2022

WWT isn’t a physical telescope — it’s a suite of free and open source software and data sets that combine to create stunning scientific visualizations and stories. While WWT started out as a standalone Windows application, it’s evolved into a powerful astronomy visualization toolkit that you can use on the desktop, in the browser, and from Python. To learn more, visit the WWT homepage.

An “edition” is a coordinated release of the many software and data components that comprise the WWT ecosystem. This edition homepage covers:

NIST Releases Draft NIST IR 8460

NIST Releases Draft NIST IR 8460: State Machine Replication and Consensus with Byzantine Adversaries

Most applications on the internet are run by centralized service providers that are a single point of failure: if the provider crashes or is malicious, users may lose access to the application, or it may return erroneous or inconsistent results. Consensus algorithms and state machine replication enable a set of mutually distrusting parties to emulate a centralized service in a fault-tolerant and distributed manner. Although the study of these algorithms began in the 1980s, research has accelerated dramatically since the advent of Bitcoin in 2008.

NIST announces the release of draft NIST IR 8460, State Machine Replication and Consensus with Byzantine Adversaries, which is now available for public comment. This document provides a survey on consensus algorithms, state machine replication, and distributed ledger technology for readers who already possess a high-level understanding of distributed ledgers, such as that provided by NIST IR 8202, Blockchain Technology Overview. After introducing the properties of these systems, the models they operate in, and the subprotocols used to implement them, this document provides a detailed look at many of the most prominent permissioned and permissionless algorithms in the literature with a focus on performance and security considerations. Finally, a variety of related topics are discussed, including state machine design, interoperability, scalability mechanisms such as sharding and “layer 2” technologies, and how incentives can impact system security.
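The fault-tolerance property that the draft surveys (honest replicas that apply the same ordered log stay identical, and a client that waits for f+1 matching replies out of n = 3f+1 replicas cannot be fooled by up to f Byzantine ones) can be exercised in a few dozen lines. The toy below is an added example and not code from NIST IR 8460; it assumes that operation ordering has already been agreed by a consensus subprotocol (the `seq` numbers are handed in), and the "Byzantine" behaviour it models is a replica that executes correctly but lies in its reply, with all faulty replicas colluding on the same lie.

```python
from collections import Counter


class Replica:
    """One state-machine replica: applies an ordered log of operations to a
    key-value store. A Byzantine replica executes but lies in its reply."""

    def __init__(self, rid, byzantine=False):
        self.rid = rid
        self.byzantine = byzantine
        self.state = {}
        self.log = []

    def execute(self, seq, op):
        # Ordering is assumed to come from consensus; reject gaps to keep the
        # log a prefix-consistent sequence.
        if self.log and seq != self.log[-1][0] + 1:
            raise ValueError(f"replica {self.rid}: out-of-order op {seq}")
        self.log.append((seq, op))
        kind, key, *args = op
        if kind == "set":
            self.state[key] = args[0]
            result = "ok"
        elif kind == "get":
            result = self.state.get(key)
        else:
            raise ValueError(f"unknown op {kind}")
        # Colluding faulty replicas all return the same bogus reply.
        return "bogus" if self.byzantine else result


def max_faulty(n):
    """Largest f such that n >= 3f + 1 (the classic Byzantine bound)."""
    return (n - 1) // 3


class Client:
    """Sends each operation to every replica and accepts the first reply value
    that reaches f+1 matching copies: with at most f faulty replicas, at least
    one of those copies came from an honest replica."""

    def __init__(self, replicas, f):
        self.replicas = replicas
        self.f = f
        self.seq = 0

    def request(self, op):
        self.seq += 1
        # Every replica executes (so honest state stays in sync); the client
        # merely stops tallying once f+1 replies agree.
        replies = [r.execute(self.seq, op) for r in self.replicas]
        tally = Counter()
        for reply in replies:
            tally[reply] += 1
            if tally[reply] >= self.f + 1:
                return reply
        raise RuntimeError("no f+1 matching replies")


def run_demo(n_byzantine, n=4):
    """Constructed scenario: n replicas, the first n_byzantine are faulty.
    Returns (value the client accepted for the final read,
             whether all honest replicas hold identical state)."""
    replicas = [Replica(i, byzantine=(i < n_byzantine)) for i in range(n)]
    client = Client(replicas, f=max_faulty(n))
    client.request(("set", "balance", 100))
    client.request(("set", "balance", 75))
    result = client.request(("get", "balance"))
    honest = [r.state for r in replicas if not r.byzantine]
    return result, all(s == honest[0] for s in honest)


if __name__ == "__main__":
    print("n=4, 1 faulty :", run_demo(1))   # within the bound: correct read
    print("n=4, 2 faulty :", run_demo(2))   # beyond the bound: client is fooled
```

With four replicas the bound allows one faulty replica, and the client reads the correct balance; with two colluding faulty replicas the bogus reply also reaches f+1 = 2 matches, and whichever value the client tallies first wins, which is exactly why the n >= 3f+1 assumption matters for the security analyses the draft discusses.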

The public comment period is open through September 1, 2023. See the publication details for a copy of the draft and instructions for submitting comments.

Read more here

NIST small business webinars

Celebrate National Small Business Week with the NCCoE! 

NIST’s National Cybersecurity Center of Excellence (NCCoE) will be hosting two virtual events during National Small Business Week (April 30–May 6, 2023) as part of its NCCoE Learning Series. The webinars will feature new and existing NIST small business resources and will give attendees the opportunity to share ideas, ask questions, and engage with NIST subject matter experts. View and register below:


Overview of the NIST Small Business Cybersecurity Corner

Date: Tuesday, May 2, 2023

Time: 2:00–2:45 PM (ET)

Event Description:

Join us on May 2, 2023 for a 30-minute overview of the NIST Small Business Cybersecurity Corner. We’ll not only provide an overview of the resources currently available on the site, but will also give attendees an opportunity to say what resources they want to see there. Additionally, attendees will be introduced to the new NIST Small Business Community of Interest, which will convene companies, trade associations, and others who can share business insights, expertise, challenges, and perspectives to guide our work and help NIST better meet the cybersecurity needs of the small business community.

Register Here

Data Analytics for Small Businesses: How to Manage Privacy Risks

Date: Thursday, May 4, 2023

Time: 3:00–3:45 PM (ET)

Event Description:

Data analytics are being promoted as a method to help small businesses increase innovation, enhance customer experience, save money, and improve their brand. If your small business is using data analytics—whether in-house or relying on a service provider to do it for you—it is important to be aware of the privacy implications of these activities.

Join us for an interactive discussion about how to manage privacy risks associated with data analytics.

During the webinar we will cover:

  • A brief introduction to data analytics
  • Common privacy risks that arise from data analytics practices
  • Tips to help you meet your privacy objectives
  • Resources for enhancing privacy risk management within your small business

Register Here

Abuse of the Service Location Protocol May Lead to DoS Attacks

The Service Location Protocol (SLP, RFC 2608) allows an unauthenticated remote attacker to register arbitrary services. This could allow an attacker to use spoofed UDP traffic to conduct a denial-of-service (DoS) attack with a significant amplification factor.

Researchers from Bitsight and Curesec have discovered a way to abuse SLP—identified as CVE-2023-29552—to conduct high amplification factor DoS attacks using spoofed source addresses.

As noted by Bitsight, many SLP services visible on the internet appear to be older and likely abandoned systems. Administrators should consider disabling SLP or restricting network access to SLP servers. Some organizations, such as VMware, have evaluated CVE-2023-29552 and published a response; see VMware Response to CVE-2023-29552 – reflective Denial-of-Service (DoS) amplification vulnerability in SLP for more information. CISA urges organizations to review Bitsight’s blog post for more details and to see CISA’s article on Understanding and Responding to Distributed Denial-of-Service Attacks for guidance on reducing the likelihood and impact of DoS attacks.
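Two questions a defender wants answered from the advisory above are "which of my hosts accept UDP/427 from the internet?" and "are any of them already being used as reflectors?". The script below answers both from flow records; it is an added example, not code from CISA, Bitsight or Curesec. The flow format is a constructed CSV (a simplification of NetFlow-style export), the internal network, ratio and request thresholds are assumptions, and the addresses are RFC 5737 documentation ranges.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

SLP_PORT = 427  # SLP service port (RFC 2608)

# Constructed flow records, not real telemetry. 192.0.2.0/24 plays the role of
# the internal network; the other addresses are external peers. Under
# reflection the external "peer" is the spoofed victim, not the attacker.
SAMPLE_FLOWS = """\
src_ip,src_port,dst_ip,dst_port,proto,bytes
203.0.113.7,40000,192.0.2.10,427,udp,29
192.0.2.10,427,203.0.113.7,40000,udp,1500
203.0.113.7,40000,192.0.2.10,427,udp,29
192.0.2.10,427,203.0.113.7,40000,udp,1500
203.0.113.7,40000,192.0.2.10,427,udp,29
192.0.2.10,427,203.0.113.7,40000,udp,1500
198.51.100.22,41000,192.0.2.10,427,udp,60
192.0.2.10,427,198.51.100.22,41000,udp,120
192.0.2.5,52000,192.0.2.10,427,udp,40
192.0.2.10,427,192.0.2.5,52000,udp,300
"""


def parse_flows(text):
    """Parse the CSV export into dicts with integer ports and byte counts."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["src_port"] = int(row["src_port"])
        row["dst_port"] = int(row["dst_port"])
        row["bytes"] = int(row["bytes"])
        flows.append(row)
    return flows


def analyze(flows, internal_net="192.0.2.0/24", min_ratio=10.0, min_requests=2):
    """Return internal hosts that answer UDP/427 to external sources, and external
    peers whose SLP traffic shows an amplified bytes-out/bytes-in ratio."""
    net = ip_network(internal_net)
    exposed = set()
    per_peer = defaultdict(lambda: {"requests": 0, "bytes_in": 0, "bytes_out": 0})

    for f in flows:
        if f["proto"] != "udp":
            continue
        src_internal = ip_address(f["src_ip"]) in net
        dst_internal = ip_address(f["dst_ip"]) in net
        if f["dst_port"] == SLP_PORT and dst_internal and not src_internal:
            # Inbound request from outside: the host is reachable on SLP.
            exposed.add(f["dst_ip"])
            stats = per_peer[f["src_ip"]]
            stats["requests"] += 1
            stats["bytes_in"] += f["bytes"]
        elif f["src_port"] == SLP_PORT and src_internal and not dst_internal:
            # Outbound SLP reply to an external address.
            per_peer[f["dst_ip"]]["bytes_out"] += f["bytes"]

    suspects = []
    for peer, stats in per_peer.items():
        if stats["requests"] < min_requests or stats["bytes_in"] == 0:
            continue
        ratio = stats["bytes_out"] / stats["bytes_in"]
        if ratio >= min_ratio:
            suspects.append({"peer": peer, "ratio": round(ratio, 1), **stats})
    suspects.sort(key=lambda s: s["ratio"], reverse=True)
    return {"exposed_hosts": sorted(exposed), "suspects": suspects}


if __name__ == "__main__":
    report = analyze(parse_flows(SAMPLE_FLOWS))
    print("hosts answering SLP from the internet:", report["exposed_hosts"])
    for s in report["suspects"]:
        print(f"peer {s['peer']}: {s['requests']} requests, "
              f"{s['bytes_in']} B in / {s['bytes_out']} B out, x{s['ratio']}")
```

On the sample data the report names 192.0.2.10 as internet-reachable on SLP and flags 203.0.113.7 with a roughly 52x byte ratio, while the single small exchange with 198.51.100.22 and the internal client are ignored. Because the flagged peer is most likely the victim of spoofing, blocking it achieves nothing; the fix the advisory gives is to disable SLP on the exposed host or filter UDP/427 at the network edge, after which the "exposed_hosts" list should come back empty.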