Taking Measure Blog

What’s in a Name? The Tesla Do you enjoy flipping on the light switch or plugging in that favorite electrical device? Well, you can thank Nikola Tesla — born 167 years ago today — for that amazing invention.  You may think of Thomas Edison as the main pioneer in electricity. But Nikola Tesla brought us alternating current (AC) electricity, which is the type of electricity that is widely used in our homes and buildings today. As the name implies, alternating current reverses direction at regular intervals, and it turns out that it’s much better for moving electric power over long distances.  Read More

Submit your comments by July 14, 2023, for draft Special Publication (SP) 800-171 Rev. 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

Reviewers are encouraged to comment on all or parts of draft NIST SP 800-171, Rev. 3. See the publication details for a copy of the draft and instructions for submitting comments. 

Significant changes to draft NIST SP 800-171, Rev. 3 include:

1. Updated security requirements and families to reflect updates in NIST SP 800-53, Rev. 5 and the NIST SP 800-53B moderate control baseline
2. Updated tailoring criteria
3. Increased specificity for security requirements to remove ambiguity, improve the effectiveness of implementation, and clarify the scope of assessments
4. Introduction of organization-defined parameters (ODP) in selected security requirements to increase flexibility and help organizations better manage risk
5. A prototype CUI overlay

Comments received in response to this request will be posted on the Protecting CUI project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed.

Please direct questions and comments to 800-171comments@list.nist.gov.

Read More

Hello Jay,

We’re pleased to present you with the Microsoft Most Valuable Professional (MVP) award in recognition of your exceptional leadership. We’re recognizing your outstanding contributions to the technical community in:

• Security

Explore core AI concepts at Azure Virtual Training Day: AI Fundamentals from Microsoft Learn. Join us for this free training event to learn how organizations use AI technology to solve real-world challenges and see how to build intelligent applications using Azure AI services. This training is suitable for anyone interested in AI solutions—including those in technical or business roles. You will have the opportunity to: Understand foundational AI concepts and real-world use cases. Get started using AI services on Azure and machine learning in Azure Machine Learning Studio. Identify common AI workloads and ways to use AI responsibly. Join us at an upcoming event: Wednesday, July 26, 2023 | 2:00 PM – 5:30 PM | (GMT-05:00) Eastern Time (US & Canada) Delivery Language: English Closed Captioning Language(s): English

REGISTER TODAY >

A vulnerability has been discovered VMware Aria Operations for Networks which could allow for remote code execution. VMware Aria Operations for Networks is a network monitoring tool that collects and analyzes metrics, APIs, configurations, metadata, integrations, telemetry netflow, sFlow, and IPFIX flow traffic, which traverses the infrastructure. Successful exploitation of this vulnerability could allow for remote code execution in the context of the administrator account. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.   Threat Intelligence Greynoise reports that proof-of-concept exploit code is publicly available for CVE-2023-20887 and that they have observed widespread exploitation of the vulnerability in the wild.   Systems Affected   VMware Aria Operations for Networks Versions 6.2 VMware Aria Operations for Networks Versions 6.3 VMware Aria Operations for Networks Versions 6.4 VMware Aria Operations for Networks Versions 6.5.1 VMware Aria Operations for Networks Versions 6.6 VMware Aria Operations for Networks Versions 6.7 VMware Aria Operations for Networks Versions 6.8 VMware Aria Operations for Networks Versions 6.9 VMware Aria Operations for Networks Versions 6.10   Risk Government: – Large and medium government entities: High – Small government entities: Medium   Businesses: – Large and medium business entities: High Small business entities: Medium   Home Users: Low   Technical Summary A vulnerability has been discovered VMware Aria Operations for Networks which could allow for remote code execution.   Recommendations   Apply appropriate updates provided by VMware to vulnerable systems immediately after appropriate testing. Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator. Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc. Use intrusion detection signatures to block traffic at network boundaries. Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.   References VMware: https://www.vmware.com/security/advisories/VMSA-2023-0012.html https://kb.vmware.com/s/article/92684   Greynoise: ​​​​​​https://www.greynoise.io/blog/observed-in-the-wild-new-tag-for-cve-2023-20887-vmware-aria-operations-for-networks   CVE: ​​​​https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20887

Create more business impact using proactive and predictive analytics at Azure Virtual Training Day: Digitally Transform with Modern Analytics from Microsoft Learn. Join us for this free training event to learn how to build an analytics solution using Azure Synapse Analytics. Maximize your organization’s intelligent decision-making capabilities and learn to build an end-to-end solution by preparing data for storage, processing, and analysis. You will have the opportunity to: Create a data warehouse in the cloud. Accelerate your big data engineering with Spark in Azure Synapse Analytics. Build automated data integration with Azure Synapse Pipelines. Learn to perform operation analytics with Azure Synapse Link. Join us at an upcoming two-part event: Monday, July 24, 2023 | 9:00 AM – 12:15 PM | (GMT-08:00) Pacific Time (US & Canada) Tuesday, July 25, 2023 | 9:00 AM – 10:45 AM | (GMT-08:00) Pacific Time (US & Canada) Delivery Language: English Closed Captioning Language(s): English

REGISTER TODAY >

Build skills that help you create new technology possibilities and explore foundational cloud concepts at Azure Virtual Training Day: Fundamentals from Microsoft Learn. Join us for this free training event to expand your knowledge of cloud models and cloud service types. You’ll also review Azure services focused on computing, networking, and storage. You will have the opportunity to: Understand the value of the shared responsibility model between consumers and cloud providers. Identify the tools and services that can help you manage, secure, and stay compliant across your Azure cloud ecosystem and in on-premises, hybrid, and multicloud environments. See how to use Azure services to rapidly expand your cloud footprint while maintaining data security and privacy. Join us at an upcoming two-part event: Wednesday, July 12, 2023 | 2:00 PM – 4:45 PM | (GMT-05:00) Eastern Time (US & Canada) Thursday, July 13, 2023 | 2:00 PM – 5:00 PM | (GMT-05:00) Eastern Time (US & Canada) Delivery Language: English Closed Captioning Language(s): English

REGISTER TODAY >

Featured Microsoft Build Book of News, 2023 > The Book of News is your guide to key news and announcements at the conference. Use the interactive Table of Contents to browse the topics. Click the Translate button below the Table of Contents to enable translations.

What’s New Next generation AI for developers with the Microsoft Cloud > Scott Guthrie and Tomas Domke discuss the GitHub Copilot and Visual Studio (including Visual Studio Code) developer experience.   Developer career tools: Saying NO to improve mental health, Q&A > Debbie O’Brien, Scott Hanselman and Justin Yoo talk about finding the right life-work balance, challenging yourself and finding motivation as a developer.   Techniques to get the most out of GitHub Copilot > A look at how Copilot works, some best practices and what AI can realistically do for developers in the real world.

Events See local events > Key moments from Microsoft Build 2023 > Check out sessions you may have missed. Now available on demand.   Get started: Generative AI with Azure OpenAI Service > Watch practical code demos and preview plugins for Microsoft Azure services.   Microsoft Build 2023 Community-led Parties > Join an After Party hosted by your local Community, covering your favorite topics in your time zone and language today through July 7.   Data + AI Summit 2023 by Databricks / June 26-29 > Join this event in person or online for technical deep dives, hands-on training, lightning talks and more.   Microsoft Ignite / November 15-16 > Attend Microsoft Ignite to catch up on the latest industry innovations. Sign up to be one of the first to know when registration launches.

Learning Cloud Skills Challenge: Azure AI Fundamentals > Get a solid foundation in machine learning and AI concepts including computer vision, natural language processing, and conversational AI.   Microsoft Learning Room Directory > Join Learning Rooms, a space designed for in-depth conversations with experts and peers, for skilling and training hosted on Microsoft Teams.   Build and scale cloud-native, intelligent apps on Azure > Learn how to run cloud-native serverless and container applications in Azure using Azure Kubernetes Service and Azure Container Apps.

This month’s episode of Uncovering Hidden Risks discusses strategies and best practices to mitigate security and compliance risks by using in-place eDiscovery to support investigations and litigation.  As data volumes continue to balloon, it’s becoming clear that the quickest path to victory does not involve the fewest steps. Let’s explore ways to defensibly move data minimization decisions upstream, to collaboratively expedite the eDiscovery process and reduce risk within the safety of your own tenant.

Joining our host Erica Toelle is our guest, EJ Bastien. EJ is Microsoft’s Director of Discovery Programs, leading the eDiscovery and Litigation Support function for its Litigation Department where he manages a multidisciplinary team of Program Managers, Engineers, Paralegals, and Records Managers.  During his 18-year tenure, he has been an integral part of the small team responsible for re-envisioning Microsoft’s internal approach to eDiscovery from the ground up, architecting the processes for the identification, preservation, and collection of ESI (Electronically Stored Information), and shepherding it through the stages of processing, analytics, and review. 

Caitlin Fitzgerald joins us as our guest host. Caitlin is a Sr. Product Marketing Manager focused on eDiscovery and Audit solutions for Microsoft Purview. She’s been at Microsoft for 10 years. She enjoys helping every organization, small or large, regulated, or unregulated encounter scenarios in which they need to find that needle in the haystack, or evidence to determine what happened in a security breach, or support an internal investigation, including what steps they need to take to reduce that risk in the future.

Together, we’ll explore how eDiscovery can help you reduce data and risks.

In this episode, we’ll cover the following:   

• What trends are affecting the eDiscovery space? 
• What advice would we give to other organizations that are looking to get a handle on the growing amount of data?
• How is Microsoft approaching some of the new technology innovations? 
• How can you implement an effective eDiscovery strategy?
• What benefits has Microsoft seen by using Purview eDiscovery Premium internally?
• What is exciting about the future of eDiscovery?   

Listen to this episode on your favorite podcast platform: 

• Main show page 
• Apple Podcasts 
• Spotify 
• Google Podcasts 
• Amazon 
• RSS Feed 

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. 

NIST’s IoT cybersecurity guidance has long recognized the importance of secure software development (SSDF) practices, highlighted by the NIST IR 8259 series—such as the recommendation for documentation in Action 3.d of NIST IR 8259B, that manufacturers have considered and documented their “secure software development and supply chain practices used.” The NIST SSDF (NIST SP 800-218) describes software development practices that can aid manufacturers in developing IoT products by providing guidance for the secure development of software and firmware. These development practices can also provide assurance to customers regarding how those products were developed and how the manufacturer will support them. When used together, NIST’s SSDF and IoT cybersecurity guidance help manufacturers design and deliver more secure IoT products to customers.Read the Blog