Register Now for the NCCoE Manufacturing Community of Interest (COI) Update

Throughout the past six months, the NCCoE Manufacturing team has published the NIST Final Project Description: Responding to and Recovering from a Cyber Attack as well as the NIST Cybersecurity White Paper: Security Segmentation in a Small Manufacturing Environment. Join us for an update to discuss these two publications in detail.

During this one hour webinar, the team will give an overview of their newest Cybersecurity White Paper, which outlines a six-step approach that manufacturers can follow to implement security segmentation and mitigate cyber vulnerabilities in their manufacturing environments.

In addition, the team will discuss the progress on the Respond and Recover project, including a discussion of the planned scenarios. We look forward to feedback from the COI to make sure the needs of manufacturers are covered in these projects.

Event Agenda:

  • Discussion: Security Segmentation in a Small Manufacturing Environment
  • Discussion: Responding to and Recovering from a Cyber Attack
  • Audience Q&A / Closing

If you have any questions, please reach out to the NCCoE Manufacturing team at manufacturing_nccoe@nist.gov.

Event Page

NIST: Available for Comment: Draft NIST SP 1800-36, Trusted IoT Device Network-Layer Onboarding and Lifecycle Management (Vols. B–E)

The National Cybersecurity Center of Excellence (NCCoE) has published Draft NIST SP 1800-36, Vols. B–E, Trusted Internet of Things (IoT) Device Network-Layer Onboarding and Lifecycle Management. The public comment period is open now through June 20, 2023. 

About the Project

Provisioning network credentials to IoT devices in an untrusted manner leaves networks vulnerable to having unauthorized IoT devices connect to them. It also leaves IoT devices vulnerable to being taken over by unauthorized networks. Instead, trusted, scalable, and automatic mechanisms are needed to safely manage IoT devices throughout their lifecycles, beginning with secure ways to provision devices with their network credentials—a process known as trusted network-layer onboarding. Trusted network-layer onboarding, in combination with additional device security capabilities such as device attestation, application-layer onboarding, secure lifecycle management, and device intent enforcement could improve the security of networks and IoT devices.

This practice guide aims to demonstrate how organizations can protect both their IoT devices and their networks. To achieve this, the NCCoE is collaborating with product and service providers to produce example implementations of trusted network-layer onboarding and of capabilities that improve device and network security throughout the IoT-device lifecycle.

Submit Your Comments

The public comment period is open now through June 20, 2023. View the project page for draft copies and instructions for submitting comments.

Contribute

If you have expertise in IoT and/or network security and would like to help shape this project, consider joining the IoT Onboarding Community of Interest. Contact the project team at iot-onboarding@nist.gov declaring your interest.

Comment Now!

How Microsoft can help you go passwordless this World Password Day

Microsoft Blog Post

It’s that time of year again. World Password Day is May 4, 2023.[1] There’s a reason it’s still going strong 10 years after being created by cybersecurity professionals. A recent study that analyzed more than 15 billion passwords found that the top 10 most popular passwords still include easy-to-crack combinations like “123456” and “qwerty.”[2] With that level of security, many organizations are essentially leaving the front door open. Sharing your password for a streaming service may seem harmless (their accountants might disagree), but this behavior sometimes bleeds into the workplace, where weak or shared employee passwords often become one of the largest security threat vectors that companies face.

In 2022, Microsoft tracked 1,287 password attacks every second (more than 111 million per day).[3] Phishing is an increasingly favored attack method, up 61 percent from 2021 to 2022.[4] And our data for 2023 shows that this trend is continuing. Passwords should play no part in a future-looking credential strategy. That’s why you don’t need a password for Microsoft Accounts—hundreds of thousands of people have deleted their passwords completely.[5]

For stronger, streamlined security, Microsoft passwordless authentication can help your organization eliminate password vulnerabilities while providing simplified access across your entire enterprise. In honor of World Password Day, this blog will help you make the case to your organization that when it’s time to “verify explicitly” as part of a Zero Trust strategy, modern strong authentication using phishing-resistant passwordless credentials provide the best security and an excellent return on investment (ROI).

Go passwordless for simplicity, security, and savings

If you’ve read my blog on why no passwords are good passwords, you know my feelings on this subject. To quote myself: “Your password isn’t terrible. It’s definitely terrible, given the likelihood that it gets guessed, intercepted, phished, or reused.” As Microsoft Chief Information Security Officer Bret Arsenault likes to say, “Hackers don’t break in—they log in.”

Passwords alone are simply not sufficient protection. Old-fashioned multifactor authentication bolts a second factor onto a password to add a layer of protection, but the most popular of these—telephony—is also the most problematic (see my blog about hanging up on phone transports to understand why telephony is a poor option for multifactor authentication). Even with strong methods, like using Microsoft Authenticator to augment a password, you still have the vulnerability of the password itself. The best password is no password—and you can get there today with Windows Hello, security keys, or, my favorite, Microsoft Authenticator.

[Figure 1 graphic: a range of identity protection methods shown as four columns, from bad (left) to best (right).]

Figure 1. Identity protection methods are not made equal; certain protections are far more secure than others.

In 2022, Microsoft committed to the next step of making passwords a thing of the past by joining with the FIDO Alliance and other major platforms in supporting passkeys as a common passwordless sign-in method. Passkeys aim to replace passwords with something that is not only more cryptographically sound but also as easy and intuitive to use as a password. Passwordless technology such as Windows Hello, which is based on the Fast Identity Online (FIDO) standards, strengthens security by doing the verification on the device rather than passing user credentials over an (often vulnerable) online connection. It also provides a simplified user experience, which can help boost productivity as well.

That was the goal when longtime Microsoft collaborator Accenture decided to simplify their user experience by removing the requirement for password authentication. With 738,000 employees spread across 49 countries, the company decided it was in its best interest to make their identity and access management (IAM) automated and easy. Accenture chose the Microsoft Authenticator app, Windows Hello for Business, and FIDO2 security keys as its passwordless authentication solutions. As described in their case study, the results are already being felt: “The adoption of passwordless has led to faster login times, more reliable experience, fewer failed authentications, and improved overall security posture.”[6]

Whether you’re part of a global organization like Accenture or a small startup, the authentication methods policy in Microsoft Azure Active Directory (Azure AD)—now part of Microsoft Entra—allows your IAM team to easily manage passwordless authentication for all users from a single pane of glass. Even better, a recent Forrester Consulting study found that a composite organization based on interviewed customers securing its business apps with Azure AD benefited from a three-year 240 percent ROI (a net present value of USD8.5 million over three years) while reducing the number of password reset requests to its help desk by a significant 75 percent annually.[7]

Multifactor authentication can’t do it all

A 2021 report by the Ponemon Institute found that phishing attacks were costing large United States-based companies an average of USD14.8 million annually.[8] That’s way up from 2015’s figure of USD3.8 million. Microsoft alone blocked 70 billion email and identity attacks in 2022. But on the positive side, multifactor authentication has been shown to reduce the risk of compromise by 99.9 percent for identity attacks.[9] That’s a pretty stellar statistic, but it’s not bulletproof; especially when considering that SMS is 40 percent less effective than stronger authentication methods.[10] Attackers are always learning and improvising, as shown in the rise of multifactor authentication fatigue attacks. In this type of cyberattack:

  1. The threat actor uses compromised credentials (often obtained through a phishing attack) to initiate an access attempt to a user’s account.
  2. The attempt triggers a multifactor authentication push notification to the user’s device, such as “Did you just try to sign in? Yes or no.”
  3. If the targeted person doesn’t accept, the attacker keeps at it—flooding the target with repeated prompts.
  4. The victim becomes so overwhelmed or distracted, they finally click “yes.” Sometimes the attacker will also use social engineering, contacting the target through email, messaging, or phone pretending to be a member of the IT team.

One widely publicized multifactor authentication fatigue attack happened in September 2022, when an 18-year-old hacker used the compromised credentials of a contractor to gain access to a major rideshare company’s internal networks. Once inside, he was able to access tokens for the company’s cloud infrastructure and critical IAM service. Our research was ahead of this type of attack back in 2021 when we built multifactor authentication defenses into the Authenticator app, including number matching and additional context. To learn more, be sure to read my blog post: Defend your users from multifactor authentication fatigue attacks.
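The four-step pattern above has a recognisable shape in sign-in telemetry: a burst of denied or unanswered push prompts for one account, sometimes ending in an approval. The script below is an added example (not Microsoft's code, and not tied to any particular product's log schema) that runs a sliding-window check over constructed sign-in events and raises one alert when a burst crosses a threshold and a second, higher-severity alert if that burst ends with an approval. The event tuples, the 10-minute window and the threshold of three are all assumptions chosen for illustration.

```python
"""Flag MFA push-fatigue patterns in sign-in events (added example, constructed data)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, NamedTuple, Tuple

# Constructed sample events: (UTC timestamp, user, MFA push result). Not real telemetry.
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("2023-05-04T08:00:05Z", "alice", "denied"),
    ("2023-05-04T08:00:40Z", "alice", "denied"),
    ("2023-05-04T08:01:10Z", "alice", "timeout"),
    ("2023-05-04T08:01:55Z", "alice", "denied"),
    ("2023-05-04T08:02:30Z", "alice", "approved"),   # victim finally taps "yes"
    ("2023-05-04T09:15:00Z", "bob", "approved"),     # normal sign-in
    ("2023-05-04T09:40:00Z", "bob", "denied"),       # one stray denial, not a burst
    ("2023-05-04T13:00:00Z", "bob", "approved"),
]

WINDOW = timedelta(minutes=10)   # assumed: how long a burst of prompts is tracked
THRESHOLD = 3                    # assumed: rejected prompts in WINDOW before alerting
REJECTED = {"denied", "timeout"}  # prompts the user did not approve


class Alert(NamedTuple):
    user: str
    burst_start: datetime
    rejected_prompts: int
    approved_after: bool   # True = the burst ended with an approval (highest priority)


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_push_fatigue(events, window=WINDOW, threshold=THRESHOLD) -> List[Alert]:
    """Return alerts for users who received >= threshold rejected pushes inside window."""
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((parse_ts(ts), result))

    alerts: List[Alert] = []
    for user, evs in by_user.items():
        evs.sort()                       # process each user's events in time order
        recent = deque()                 # rejected prompt times still inside the window
        burst_open = False               # whether the current burst was already reported
        for t, result in evs:
            while recent and recent[0] < t - window:
                recent.popleft()         # expire prompts that fell out of the window
            if result in REJECTED:
                recent.append(t)
            if len(recent) < threshold:
                burst_open = False
                continue
            if result == "approved":
                # An approval right after a flood of rejections is the fatigue signature.
                alerts.append(Alert(user, recent[0], len(recent), True))
                recent.clear()
                burst_open = False
            elif not burst_open:
                # Burst in progress: report once, then stay quiet until it ends.
                alerts.append(Alert(user, recent[0], len(recent), False))
                burst_open = True
    return alerts


if __name__ == "__main__":
    for a in find_push_fatigue(SAMPLE_EVENTS):
        severity = "HIGH" if a.approved_after else "MEDIUM"
        print(f"[{severity}] {a.user}: {a.rejected_prompts} rejected pushes since "
              f"{a.burst_start:%H:%M:%S}" + (" then APPROVED" if a.approved_after else ""))
```

On the constructed data this yields a medium alert for alice when the third rejected prompt lands and a high alert when she approves after the fourth; bob's single denial never reaches the threshold. A response playbook would treat the high alert as a likely compromised password (step 1 of the attack) and revoke sessions and reset the credential, which is why pairing detection with number matching in the authenticator app, as the post recommends, removes the blind "yes" the attack depends on.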

All identity protection rests on Zero Trust

Zero Trust is just another way of describing proactive security: the measures you should take before bad things happen, based on one simple principle, “Never trust; always verify.” In today’s decentralized, bring-your-own-device (BYOD), hybrid and remote workplace, Zero Trust provides a strong foundation for security based on three pillars:

  • Verify explicitly: Authenticate every user based on all available data points—identity, location, device health, service or workload, data classification, and anomalies.
  • Use least-privilege access: This means limiting access according to the user’s specific role and task. You should also apply risk-based policies and adaptive protection to help secure your data without hindering productivity.
  • Assume breach: This allows your security team to minimize the blast radius and prevent lateral movement if a breach occurs. Maintaining end-to-end encryption and using analytics will also strengthen threat detection and improve your defenses.

And when it comes to “verify explicitly” as part of Zero Trust, no investment in the field of credentials is better than a passwordless journey; it literally moves the goalposts on the attackers.

May the Fourth be with you all!

Security year round

At Microsoft Security, we believe security is about people. Empowering users with strong, streamlined access from anywhere, anytime, on any device is part of that mission. Learn more about Microsoft passwordless authentication and how it can help your organization eliminate vulnerabilities while providing fast, safe access across your entire enterprise.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


[1] World Password Day, National Day Calendar.

[2] Most common passwords: latest 2023 statistics, Paulius Masiliauskas. April 20, 2023.

[3] Microsoft Entra: 5 identity priorities for 2023, Joy Chik. January 9, 2023.

[4] Over 255m phishing attacks in 2022 so far, Security Magazine. October 26, 2022.

[5] The passwordless future is here for your Microsoft account, Vasu Jakkal. September 15, 2021.

[6] A passwordless enterprise journey, Accenture.

[7] The Total Economic Impact™ of Microsoft Entra, a commissioned study conducted by Forrester Consulting. March 2023.

[8] New Ponemon Institute Study Reveals Average Phishing Costs Soar to $14.8M Annually, Nearly Quadrupling Since 2015, GlobeNewswire. August 17, 2021.

[9] 17 Essential multi-factor authentication (mfa) statistics [2023], Jack Flynn. February 6, 2023.

[10] How effective is multifactor authentication at deterring cyberattacks? Lucas Meyer, et al. May 1, 2023.

Microsoft Security Virtual Training Day: Defend Against Threats and Secure Cloud Environments

Grow your skills at Security Virtual Training Day: Defend Against Threats and Secure Cloud Environments from Microsoft Learn. At this free event, you’ll learn to perform advanced hunting, detections, and investigations, and remediate security alerts with Microsoft Defender and Microsoft Sentinel. Using automated extended detection and response (XDR) in Microsoft Defender and unified cloud-native security information and event management (SIEM) through Microsoft Sentinel, you’ll learn to confidently perform investigations and remediations to help defend against threats. You will have the opportunity to:

  • Learn how to investigate, respond to, and hunt for threats using Microsoft Sentinel, Microsoft Defender for Cloud, and Microsoft 365 Defender.
  • Use Microsoft Defender for Cloud to perform cloud security posture management and to help protect cloud workloads.
  • Understand ways to help protect people and data against cyberthreats with Microsoft technologies.

Join us at an upcoming two-part event:
Thursday, May 25 2023 | 11:00 AM – 1:45 PM | (GMT-05:00) Eastern Time (US & Canada)
Friday, May 26 2023 | 11:00 AM – 1:45 PM | (GMT-05:00) Eastern Time (US & Canada)

Delivery Language: English
Closed Captioning Language(s): English
 
REGISTER TODAY >

NIST: Explore Data Deidentification With Us!

We invite you to come explore deidentification technologies with us by participating in the Collaborative Research Cycle. This technology challenge seeks to advance our understanding of synthetic data generation and other de-identification technologies. We present the NIST Diverse Community Excerpts, rich demographic data from the American Community Survey, as benchmark data.  We invite you to submit deidentified instances of these data using any technique. In return, you will receive detailed utility and privacy reports. 

Beginning May 15, we plan to make periodic releases of all of the submitted data alongside detailed method descriptions and evaluation results in a machine-readable ‘research acceleration bundle,’ which we anticipate will become an invaluable resource for comparing and exploring deidentification techniques.

Please visit the project’s website to see the data, the metrology package we have to analyze the de-identified data, and learn more about the program. 

Any and all techniques are welcome (even poor performing ones!). We already have a library of techniques, with some open source tools, that you’re welcome to try out.

Submit data by May 9, 2023 to have your data included in the first release of our acceleration bundle. We plan to drop additional releases during the summer. Send a blank email to CRC+subscribe@list.NIST.gov to join our listserv for updates and invitations to our biweekly office hour and seminars.

Microsoft Event: Ask the Experts: Migrate to IaaS or PaaS? Modernize your mission-critical apps on the cloud

Webinar date:
Tuesday, May 9, 2023
9:00 AM Pacific Time / 12:00 PM Eastern Time

Choosing the best cloud migration approach is essential to effectively migrating mission-critical apps and data. Infrastructure as a service (IaaS) and platform as a service (PaaS) are both great options, but which one is right for your organization? Get your questions answered by our team of SQL experts. Register now to join the conversation during this live digital event, which will cover:

  • Solution assessments
  • SQL IaaS versus SQL PaaS solutions
  • Data and application migration
  • Planning and migration
Register Now >

Get step-by-step guidance for enabling key features in Microsoft Defender

Blog post from Microsoft.

To get the most value from your Security solutions, you need to understand the business value of the different features they include to decide if, when, and how to go about turning them on. And when you’re ready to enable new features, you need clear guidance to make it happen.  
 
This is why we recently published new Microsoft Security solution feature guides on Microsoft Defender for Office 365 and Defender for Endpoint. Each guide briefly highlights five key product features and the value they provide, then points directly to step-by-step enablement instructions.  

Microsoft Security solution feature guide: Microsoft Defender for Office 365  
Defender for Office 365 provides integrated threat protection for your email and collaboration tools. With this guide, you can learn about and enable: 

  1. Incident and alert management 
  2. Attack simulations and training campaigns 
  3. Automated investigation and response triggers 
  4. Scanning with Safe Links 
  5. Attachment checks with Safe Attachments 

Microsoft Security solution feature guide: Microsoft Defender for Endpoint 
Defender for Endpoint helps you rapidly stop attacks, scale security resources, and evolve defenses across your operating systems and network devices. The guide covers the following features and links to instructions so you can:  

  1. Define manual response actions 
  2. Explore automated investigations 
  3. Enable endpoint reporting and policy settings 
  4. Engage in advanced threat hunting 
  5. Choose either active or passive mode for antivirus 

Check out the Microsoft Defender for Office 365 and Defender for Endpoint solution feature guides to learn how you can get more value from Microsoft Security and take your first steps toward enabling more features today.  

CISA Urges Organizations to Incorporate the FCC Covered List Into Risk Management Plans

The Federal Communications Commission (FCC) maintains a Covered List of communications equipment and services that have been determined by the U.S. government to pose an unacceptable risk to the national security of the United States or to the security and safety of United States persons, pursuant to the Secure and Trusted Communications Networks Act of 2019.

As the 6th annual National Supply Chain Integrity Month concludes, CISA reminds all critical infrastructure owners and operators to take the necessary steps to secure the nation’s most critical supply chains. CISA urges organizations to incorporate the Covered List into their supply chain risk management efforts, in addition to adopting the recommendations listed in Defending Against Software Supply Chain Attacks—a joint CISA and NIST resource that provides guidance on using NIST’s Cyber Supply Chain Risk Management (C-SCRM) framework to identify, assess, and mitigate risks. All critical infrastructure organizations are also urged to enroll in CISA’s free Vulnerability Scanning service for assistance in identifying vulnerable or otherwise high-risk devices, such as those on FCC’s Covered List. To learn more about CISA’s supply chain efforts and to view resources, visit CISA.gov/supply-chain-integrity-month.

Decision to Revise NIST SP 800-38A

NIST to Revise SP 800-38A, Recommendation for Block Cipher Modes of Operation: Methods and Techniques

In May 2021, NIST’s Crypto Publication Review Board initiated a review process for the following two publications, and received public comments:

  • NIST Special Publication (SP) 800-38A, Recommendation for Block Cipher Modes of Operation: Methods and Techniques (December 2001)
  • NIST SP 800-38A Addendum, Three Variants of Ciphertext Stealing for CBC Mode (October 2010)

In March 2022, the board proposed revising SP 800-38A and converting the SP 800-38A Addendum by merging it into the revised SP 800-38A, and received additional comments on that proposed decision.

NIST has decided to revise SP 800-38A and to convert the SP 800-38A Addendum. See the full announcement for more details, links to comments received, and ways to monitor future developments such as the Third NIST Workshop on Block Cipher Modes of Operation 2023, scheduled for October 3-4, 2023.

Read More

Register Now for the NCCoE Supply Chain Assurance Community

One Week Left to Register for the NCCoE Supply Chain Assurance Community of Interest Update

Date/Time: Wednesday, May 3, 2023 | 2:00-3:00 PM ET

Next week, the National Cybersecurity Center of Excellence (NCCoE) Supply Chain Assurance team will host a webinar update to discuss the finalized NIST Special Publication 1800-34, Validating the Integrity of Computing Devices.

Organizations are increasingly at risk of cyber supply chain compromise, whether intentional or unintentional. Managing these risks requires ensuring the integrity of the cyber supply chain and its products and services. This practice guide demonstrates how organizations can verify that the internal components of the computing devices they acquire are genuine and have not been unexpectedly altered or tampered with.

Join the NCCoE Supply Chain Assurance team to discuss the following topics:

  • Project Overview
  • Lessons Learned/Takeaways
  • NCCoE DevSecOps Presentation
  • Next Steps/Q&A

If you have any questions that you would like to submit in advance for the Q&A session, please send them via email to our team at supplychain-nccoe@nist.gov.

Event Page