NIST requests comments on Draft Special Publication (SP) 800-219, Automated Secure
Configuration Guidance from the macOS Security Compliance Project (mSCP).It
provides resources that system administrators, security professionals, security
policy authors, information security officers, and auditors can leverage to
secure and assess macOS desktop and laptop system security in an automated way.
This publication introduces the mSCP, describes use cases for leveraging the
mSCP content, and gives an overview of the resources available on the project’s
GitHub site. The GitHub site provides practical, actionable recommendations in
the form of secure baselines and associated rules, and it is continuously
curated and updated to support each new release of macOS.
The public comment period is open
through March 23, 2022. See the publication
details for a copy of the draft and instructions for submitting
comments.
To help protect the United States from increasingly sophisticated cyber threats, the White House issued Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity, which requires US Federal Government organizations to take action to strengthen national cybersecurity.1Section 3 of EO 14028 specifically calls for federal agencies and their suppliers “to modernize [their] approach to cybersecurity” by accelerating the move to secure cloud services and implementing aZero Trustarchitecture.
As a company that has embraced Zero Trust ourselves and supports thousands of organizations around the globe on their Zero Trust journey, Microsoft fully supports the shift to Zero Trust architectures that the Cybersecurity EO urgently calls for. We continue to partner closely with the National Institute of Standards and Technology (NIST) to develop implementation guidance by submitting position papers and contributing to communities of interest under the umbrella of the National Cybersecurity Center of Excellence (NCCoE).
Microsoft helps implement Executive Order 14028
The memo clearly describes the government’s strategic goals for Zero Trust security. It advises agencies to prioritize their highest value starting point based on the Zero Trust maturity model developed by the national Cybersecurity & Infrastructure Security Agency (CISA).
Microsoft’s position aligns with government guidelines. Our maturity model for Zero Trust emphasizes the architecture pillars of identities, endpoints, devices, networks, data, apps, and infrastructure, strengthened by end-to-end governance, visibility, analytics, and automation and orchestration.
To help organizations implement the strategies, tactics, and solutions required for a robust Zero Trust architecture, we have developed the following series of cybersecurity assets:
Cloud Adoption Framework: A rich repository of documentation, implementation guidance, and best practices to help accelerate cloud adoption.
Interactive guide on the Cybersecurity EO: Clear, concise guidance to help organizations better understand near- and long-term milestones, build a strategic response aligned to security modernization priorities and Executive Order requirements, and determine how technology partners can help accelerate the journey.
New capabilities in Azure AD to help meet requirements
A blog by my colleague Sue Bohn, Guidance on using Azure AD to meet Zero Trust Architecture and MFA requirements, provides a great summary of how Azure AD can help organizations meet the requirements outlined in EO 14028. We recently announced two additional capabilities developed in response to customer feedback: cloud-native certificate-based authentication (CBA) and cross-tenant access settings for external collaboration.
Certificate-based authentication
Phishing remains one of the most common threats to organizations. It’s also one of the most critical to defend against. According to our own research, credential phishing was a key tactic used in many of the most damaging attacks in 2021. To help our customers adhere to NIST requirements and effectively counter phishing attacks, we announced the preview of Azure AD cloud-native CBA across our commercial and US Government clouds.
CBA enables customers to use X.509 certificates on their PCs or smart cards to authenticate applications using Azure AD natively. This eliminates the need for additional infrastructure such as Active Directory Federation Services (ADFS) and reduces the risk inherent in using on-premises identity platforms.
Cloud-native CBA demonstrates Microsoft’s commitment to the federal Zero Trust strategy. It helps our government customers implement the most prominent phishing-resistant MFA, certificate-based authentication, in the cloud so they can meet NIST requirements. Read the documentation on Azure AD certificate-based authentication to get started.
Cross-tenant access settings for external collaboration
This new capability enables organizations to control how internal users collaborate with external organizations that also use Azure AD. It provides granular inbound and outbound access control settings based on organization, user, group, or application. These settings also make it possible to trust security claims from external Azure AD organizations, including MFA and device claims (compliant claims and hybrid Azure AD joined claims). Consult the documentation on cross-tenant access with Azure AD External Identities to learn more.
More capabilities coming soon
We’re continuing to work on new capabilities to help government organizations meet Zero Trust security requirements:
The ability to enforce phishing-resistant authentication for employees, business partners, and vendors for hybrid and multi-cloud environments.
Comprehensive phishing-resistant MFA support, including remote desktop protocol (RDP) scenarios.
Resources for your Zero Trust journey
Microsoft is committed to helping the public and private sectors with a comprehensive approach to security that’s end-to-end, best-in-breed, and AI-driven.
To advance your Zero Trust implementation, we offer the following:
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
CISA has compiled and published a list of free
cybersecurity services and tools to help organizations reduce
cybersecurity risk and strengthen resiliency. This non-exhaustive living
repository includes services provided by CISA, widely used open source tools,
and free tools and services offered by private and public sector organizations
across the cybersecurity community. Before turning to the free offerings, CISA
strongly recommends organizations take certain foundational measures to
implement a strong cybersecurity program:
CISA encourages network defenders to take the measures above and consult the list of
free cybersecurity services and tools to reduce the likelihood of a
damaging cyber incident, detect malicious activity, respond to confirmed
incidents, and strengthen resilience.
CISA has released CISA
Insights: Preparing for and Mitigating Foreign Influence Operations Targeting
Critical Infrastructure, which provides proactive steps organizations can
take to assess and mitigate risks from information manipulation. Malicious
actors may use tactics—such as misinformation, disinformation, and
malinformation—to shape public opinion, undermine trust, and amplify division,
which can lead to impacts to critical functions and services across multiple
sectors.
Current social factors—including heightened polarization and the ongoing global
pandemic—increase the risk and potency of influence operations to U.S. critical
infrastructure. CISA encourages leaders at all organizations to review the CISA
Insights and follow the guidance to assess risk and increase
resilience.
LockBit is the latest ransomware gang whose Linux encryptor has been
discovered to be focusing on the encryption of VMware ESXi virtual
machines.
The enterprise is increasingly moving to virtual machines to save
computer resources, consolidate servers, and for easier backups.
Due to this, ransomware gangs have evolved their tactics to create
Linux encryptors that specifically target the popular VMware vSphere and
ESXi virtualization platforms over the past year.
While ESXi is not strictly Linux, it does share many of its
characteristics, including the ability to run ELF64 Linux executables.
The Greater Hartford Chapter of ISACA is pleased to
present a “Wireless Risk Analysis and Security” webinar on
Wednesday, February 9, 2022
Wireless Risk Analysis and Security is a single-day course that provides a comprehensive view into the methods and mindset used by hackers to compromise wireless networks. Wireless can be complex and effective learning requires mastery of a new set of acronyms and how these technologies fit into the big picture.
The Security professional will learn the skills and knowledge required to understand how wireless networks operate. This course provides the basis for performing wireless reconnaissance and exploitation using tools found in both Kali Linux and Windows.
A real-world demo will demonstrate how security weaknesses are identified, compromised, and exploited to extract data in today’s wireless networks. Wireless Analysis & Exploitation (WAX) imparts these skills to the Security professional: – A review of networking fundamentals – A review of important Linux and Windows commands – Instruction on 802.11 Wi-Fi technologies including standards, Wi-Fi- operation, devices, terminology, acronyms, antennas, radio frequency fundamentals, standard Wi-Fi security methods, and troubleshooting. – Execution of reconnaissance activities – Execution of analysis activities – Approaches to “what happens next” once the Security professional has keys to the 802.11 network – A discussion of non-802.11 wireless technologies such as Bluetooth and Mobile Voice and Data Communications (FMC) – How to secure a wireless network .
In response to recent malicious cyber incidents in Ukraine—including the
defacement of government websites and the presence of potentially destructive
malware on Ukrainian systems—CISA has published CISA
Insights: Implement Cybersecurity Measures Now to Protect Against Potential
Critical Threats. The CISA Insights strongly urges leaders and network
defenders to be on alert for malicious cyber activity and provides a checklist
of concrete actions that every organization—regardless of sector or size—can
take immediately to:
Reduce the likelihood of a damaging cyber
intrusion,
Detect a potential intrusion,
Ensure the organization is prepared to respond if an
intrusion occurs, and
Maximize the organization’s resilience to a destructive
cyber incident.
CISA urges senior leaders and network defenders to review the CISA
Insights and implement the cybersecurity measures on the checklist.
Zoho has released a security advisory to address an authentication bypass
vulnerability (CVE-2021-44757) in ManageEngine Desktop Central and Desktop
Central MSP. An attacker could exploit this vulnerability to take control of an
affected system.
NCCoE Releases Draft
Project Description for IPv6 Transition
The National Cybersecurity Center of Excellence (NCCoE) has
released a new draft project description, Secure IPv6-Only Implementation in the Enterprise.
Publication of this project description begins a process to further identify
project requirements, scope, and hardware and software components for use in a
laboratory demonstration environment.
We want your feedback on this draft to help refine the project.
The comment period is now open and will close on January 27, 2022.
The project will address operational, security, and privacy issues
associated with the evolution to IPv6-only network infrastructures. It will
demonstrate tools and methods for securely implementing IPv6, whether as a
“greenfield” implementation or as a transition from an IPv4 infrastructure to
an IPv6-only network. This project will result in practice guides to encourage
the secure transition to IPv6-only enterprise IT environments.
We Want to Hear from You!
Review the project description and submit comments online on or before January 27, 2022. You
can also help shape and contribute to this project by joining the NCCoE’s IPv6
Transition Community of Interest. Send an email to [email protected] detailing your
interest.
We value and welcome your input and look forward to your comments.
