CISA Launches New Cybersecurity Awareness Program “Secure Our World”

The Cybersecurity and Infrastructure Security Agency (CISA) announced the launch of “Secure Our World ,” a nationwide cybersecurity public awareness campaign to educate all Americans on how to stay safe online. The campaign includes a public service announcement (PSA) that will air on stations around the country, as well as digital content, a toolkit, and other resources. Recognizing that technology is an integral part of our modern lives, Congress tasked CISA with creating this program to provide small businesses, communities, and individuals with the guidance and tools they need to protect themselves online. 
By equipping individuals, families and businesses with the knowledge and resources needed to protect ourselves and our digital assets, the Secure Our World program promotes safe online practices as an everyday activity we should all adopt, especially when connected, and helps empower all of us to make informed decisions about our cyber habits. The Secure Our World program is focused on four simple steps everyone can take to stay safe online:
Strong passwords: Use passwords that are long, random, and unique to each account, and use a password manager to generate them and to save them. Multi-factor authentication (MFA): Use MFA for all accounts that offer it. We need more than a password to protect our most important data, including email, financial accounts, and social media.  Recognize and report phishing: Think before you click! Be cautious of unsolicited emails, texts, or calls asking you for personal information. Resist the urge to click on these links and do not click on links or open attachments from unknown sources. Update software: Enable automatic updates on software so the latest security patches keep our devices continuously protected.
The Secure Our World program is a year-round, enduring effort to educate individuals and small to medium-sized businesses about how to stay secure online, and it provides resources to improve cybersecurity habits to increase resilience against cyber threats.
For individuals and families, the Secure Our World program emphasizes the importance of securing personal accounts, offering guidance on personal device safety, safe internet browsing practices, social media usage, and protecting personal information online.  Small and medium-sized businesses (SMBs) face unique challenges, so we are working to help them Secure Our World by offering tools and resources that can help boost SMB’s cybersecurity defenses and minimizes the risk of data breaches or cyberattacks, making not only our businesses, but our communities safer. Tech manufacturers can Secure Our World by implementing security features built-in by design. Default settings should have the highest security measures implemented, and individuals can manually bypass security features if they do not want them. Users should not have to opt-in to necessary security measures.
The Secure Our World program leverages partnerships and collaborations with government, tribes, industry partners, and cybersecurity experts to ensure access to up-to-date resources such as guidance on personal device safety, safe internet browsing practices, social media usage, and protecting personal information online.  We encourage everyone to explore resources to keep you and your family safe by visiting Secure Our World | CISA, following us on X (formerly Twitter), LinkedIn, Facebook and YouTube, and using the hashtag #SecureOurWorld.

Microsoft Azure Virtual Training Day: AI Fundamentals

Explore core AI concepts at Azure Virtual Training Day: AI Fundamentals from Microsoft Learn. Join us for this free training event to learn how organizations use AI technology to solve real-world challenges and see how to build intelligent applications using Azure AI services. This training is suitable for anyone interested in AI solutions—including those in technical or business roles. You will have the opportunity to: Understand foundational AI concepts and real-world use cases. Get started using AI services on Azure and machine learning in Azure Machine Learning Studio. Identify common AI workloads and ways to use AI responsibly. Join us at an upcoming event:
October 6, 2023 | 12:00 PM – 3:30 PM | (GMT-05:00) Eastern Time (US & Canada)


Delivery Language: English
Closed Captioning Language(s): English
 
REGISTER TODAY >

NIST NCCoE Publishes Cybersecurity Framework Profile for Hybrid Satellite Networks

The NIST National Cybersecurity Center of Excellence (NCCoE) has published Final NIST IR 8441, Cybersecurity Framework Profile for Hybrid Satellite Networks (HSN)

The HSN Cybersecurity Framework (CSF) Profile provides a practical tool for organizations engaged in the design, acquisition, and operation of satellite buses or payloads involving HSN. Its primary intent is to help those organizations better understand the attack surface, incorporate security, and achieve greater resilience for space systems that may be leveraged by critical infrastructure owners and operators, the Department of Defense, or other government missions, in a manner that is consistent with the organization’s risk tolerance.

The HSN Profile will help organizations:

  • Identify systems, assets, data, and risks from the CSF that pertain to HSN.
  • Protect HSN services by utilizing cybersecurity principles and self-assessment.
  • Detect cybersecurity-related disturbances or corruption of HSN services and data.
  • Respond to HSN service or data anomalies in a timely, effective, and resilient manner.
  • Recover the HSN to proper working order at the conclusion of a cybersecurity incident.

As the space sector is transitioning away from traditional, vertically-integrated entities and towards an aggregation of independently-owned and operated segments, it is becoming more critical for all stakeholders to share a common understanding of the risks and how they can be mitigated.

To learn more about the project and to join our Community of Interest, visit the project page

View the Publication

3rd High-Performance Computing Security Workshop Report: NIST IR 8476

NIST has published Interagency Report (IR) 8476, 3rd High-Performance Computing Security Workshop: Joint NIST-NSF Workshop Report, which offers summaries and key insights from collaborative workshop hosted by NIST and the National Science Foundation (NSF).  

High-performance computing (HPC) is a vital computational infrastructure for processing vast data volumes, conducting intricate simulations, and facilitating advanced machine learning model training. As such, HPC plays a pivotal role in scientific discovery, innovation, and economic competitiveness. Cybersecurity in HPC is crucial for safeguarding against potential attacks and misuses while ensuring the integrity of data and research. Nonetheless, HPC systems often possess unique hardware, software, and user environments that present distinct cybersecurity challenges.

This collaborative workshop successfully brought together stakeholders from government, academia, and industry to engage in discussions pertaining to community needs, ongoing initiatives, and prospective pathways in HPC security. This publicly available workshop report offers comprehensive summaries of technical sessions, key insights from breakout sessions, and a summary of the keynote presentations.

Read More

Microsoft Article: Help prevent 98% of cyberattacks with 5 tips.

  Explore cybersecurity hygiene standards that help prevent 98% of attacks   Routine security practices are still some of the most effective ways to strengthen your defenses and reduce the risk of an attack. In this article, Basic cyber hygiene prevents 98% of attacks, you’ll learn: Which security standards are the most likely to prevent attacks.How security principles like multifactor authentication and Zero Trust work.Effective strategies for implementing these standards across your organization.  
  Read the article   

Microsoft Security Virtual Training Day: Security, Compliance and Identity Fundamentals

Grow your skills at Security Virtual Training Day: Security, Compliance, and Identity Fundamentals from Microsoft Learn. At this free, introductory event, you’ll gain the security skills and training you need to create impact and take advantage of opportunities to move your career forward. You’ll explore the basics of security, compliance, and identity—including best practices to help protect people and data against cyberthreats for greater peace of mind. You’ll also learn more about identity and access management while exploring compliance management fundamentals. You will have the opportunity to: Learn the fundamentals of security, compliance, and identity. Understand the concepts and capabilities of Microsoft identity and access management solutions, as well as compliance management capabilities. Gain the skills and knowledge to jumpstart your preparation for the certification exam. Join us at an upcoming two-part event:
October 23, 2023 | 12:00 PM – 3:45 PM | (GMT-05:00) Eastern Time (US & Canada)
October 24, 2023 | 12:00 PM – 2:15 PM | (GMT-05:00) Eastern Time (US & Canada)

Delivery Language: English
Closed Captioning Language(s): English
 
REGISTER TODAY >

Vulnerabilities in Apple Products iOS 17

iOS 17.0.1 and iPadOS 17.0.1

Released September 21, 2023

Kernel

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, iPad mini 5th generation and later

Impact: A local attacker may be able to elevate their privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.

Description: The issue was addressed with improved checks.

CVE-2023-41992: Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group

Security

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, iPad mini 5th generation and later

Impact: A malicious app may be able to bypass signature validation. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.

Description: A certificate validation issue was addressed.

CVE-2023-41991: Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group

WebKit

Available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, iPad mini 5th generation and later

Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 261544
CVE-2023-41993: Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: September 21, 2023

Multiple Vulnerabilities in Apple Products

Multiple vulnerabilities have been discovered in Apple Products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Threat Intelligence Apple is aware of a report that CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993 may have been exploited in the wild against versions of iOS before iOS 16.7.
Systems Affected
iOS prior to 16.7 iPadOS prior to 16.7 watchOS prior to 9.6.3 macOS Ventura prior to 13.6 macOS Monterey prior to 12.7 Safari prior to 16.6.1
Risk
Government:
– Large and medium government entities: High – Small government entities: Medium
Businesses: – Large and medium business entities: High
– Small business entities: Medium
Home Users: Low
Technical Summary Multiple vulnerabilities have been discovered in Apple Products, the most severe of which could allow for arbitrary code execution.
Recommendations
Apply the stable channel update provided by Apple to vulnerable systems immediately after appropriate testing. Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spear phishing, social engineering, and other techniques that involve user interaction.
References
Apple: 
https://support.apple.com/en-us/HT213926
https://support.apple.com/en-us/HT213927
https://support.apple.com/en-us/HT213928
https://support.apple.com/en-us/HT213929
https://support.apple.com/en-us/HT213930
https://support.apple.com/en-us/HT213931
https://support.apple.com/en-us/HT213932
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41991
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41992
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41993

Microsoft.Source newsletter

Featured
Blog New resource for role-based Microsoft Certification exams > Access to Microsoft Learn is now available as you complete your exam. During the exam, select the Microsoft Learn button on the exam question screen. This is available in all languages. (Blog post in English)  
What’s New
Tutorial Tutorial: Train a classification model > Learn how to train a classification model with no-code AutoML using Azure Machine Learning automated ML in the Azure Machine Learning studio.  
GitHub Copilot for Visual Studio video series > Learn how GitHub Copilot can make you more productive when developing apps with Visual Studio.  
Code Sample Azure Machine Learning examples repository > Explore community-driven Azure Machine Learning examples, tested with GitHub Actions.  
Events See local events >
In person or virtual Microsoft Ignite / November 14-17 / In person or online. > Register for Microsoft Ignite. Experience the latest AI innovations, learn from experts, advance your skills, and connect with your community.  
In person and online > GitHub Universe / November 8-9 / In person and online > Register for the GitHub global developer conference. Stay in the flow, optimize collaboration, and prevent vulnerabilities with AI-powered security.  
Virtual Deconstructing the Contoso Real Estate App / Weekly / Online > Build a composable enterprise-grade app with JavaScript on Azure. This 4-part weekly series runs through October 5 and will also be available on demand.  
Virtual .NET Conf 2023 / November 14-16 / Online > Attend a wide selection of live sessions that feature speakers from the community and .NET team members. This year .NET 8.0 will launch at .NET Conf!  
On demand Microsoft Exam Readiness Zone / On demand > Get help preparing for a Microsoft Certification exam with tips, tricks, and strategies from experts.  
Learning
Learning path collection: Azure OpenAI Service > Get to know the connection between AI, responsible AI, and text, code, and image generation. Learn how to use GPT-4, ChatGPT, and Dall-E.  
Tutorials GitHub skills collection > Learn how to use GitHub with interactive courses designed for beginners and experts. (English only)  
Leaning path Learning path collection: Machine Learning > Discover tools for building and running your own models from your own data, while developing your machine learning skills.  

What’s Wrong With This Picture? NIST Face Analysis Program Helps to Find Answers

Types of presentation attacks: a person in heavy makeup, a person holding up a printed photo, and a hand holding up a phone image.

Face recognition software is commonly used as a gatekeeper for accessing secure websites and electronic devices, but what if someone can defeat it by simply wearing a mask resembling another person’s face? Newly published research from the National Institute of Standards and Technology (NIST) reveals the current state of the art for software designed to detect this sort of spoof attack.

The new study appears together with another that evaluates software’s ability to call out potential problems with a photograph or digital face image, such as one captured for use in a passport. Together, the two NIST publications provide insight into how effectively modern image-processing software performs an increasingly significant task: face analysis.

Read More