My information Resource (blog.mir.net) – Page 7 – A users view of technology by Jay Ferron

Protecting Your Small Business from Phishing Risks: A NIST Small Business Cybersecurity Webinar

Date: August 14, 2025

Time: 2:00PM – 3:00PM EDT

Location: Virtual

Description:

Phishing is one of the most common types of cyber crime. These scams use convincing emails or other messages, such as text messages or social media messages, to trick users into opening harmful links, downloading malicious software, or submitting sensitive information, such as credentials. These messages are often disguised as coming from a trusted source, such as a bank, credit card company, or even a leader within the business.

Small and medium-sized businesses are not immune to phishing. They are at risk just like their larger counterparts—only smaller organizations typically have fewer resources to prepare for and mitigate phishing risks. However, even with fewer resources, there are still proactive steps organizations of all sizes can take to reduce phishing risks.

During this NIST small business cybersecurity webinar, we will convene a panel to highlight:

An overview of different types of phishing attacks in addition to modern, real-world examples;
Why it’s important to be proactive in protecting your business against phishing;
Tips for how to spot a phishing attempt;
Steps to take if you become the victim of a phishing scam;
Practical steps small businesses can take to reduce your likelihood of falling victim to phishing attempts; and
Free phishing resources available to businesses for staff training.

Speakers:

Shanée Dawkins, Computer Scientist, Visualization and Usability Group, NIST
Lessie Skiba, Deputy Managing Director, Cyber Readiness Institute
Daniel Eliot, Lead for Small Business Engagement, Applied Cybersecurity Division, NIST

Two Weeks Left to Comment on Developing Security, Privacy, and Cybersecurity Supply Chain Risk Management Plans for Systems

There are two weeks left to comment on the Initial Public Draft (IPD) of NIST Special Publication 800-18 Revision 2, Developing Security, Privacy, and Cybersecurity Supply Chain Risk Management Plans for System. The comment period closes at 11:59 p.m. EDT on July 30, 2025.

NIST invites comments on the initial public draft (ipd) of Special Publication (SP) 800-18r2 (Revision 2), Developing Security, Privacy, and Cybersecurity Supply Chain Risk Management Plans for Systems.

The system security plan, privacy plan, and cybersecurity supply chain risk management plan consolidate information about the assets and individuals being protected within an authorization boundary and its interconnected systems. These system plans serve as a centralized point of reference for information about the system and risk management decisions, including data being created, collected, disseminated, used, stored, and disposed of; the individuals responsible for system risk management efforts; details about the internal and external environments of operation, system components, and data flows; and controls that are planned or in place to manage risks.

The major changes for this revision include:

Expanded guidance to address the development of system plans within the context of the NIST Risk Management Framework, the NIST Privacy Framework, and SP 800-161r1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
Insights into the development of a consolidated system plan that encompasses security, privacy, and cybersecurity supply chain risk management plan elements
Updated descriptions of system plan elements
Considerations for automating the development and maintenance of system plans using information management tools, such as governance, risk, and compliance (GRC) applications

Additionally, the following supplemental materials are available:

Security Plan Example Outline
Privacy Plan Example Outline
C-SCRM Plan Example Outline
System Plan Related Roles and Responsibilities

The comment period is open through July 30, 2025. See the publication details for a copy of the draft, supplemental files, and a comment template. Commenters are encouraged to use that template and submit feedback to sec-cert@nist.gov with “SP 800-18r2 ipd comments” in the subject.

Imposters Among Us: Charity Scams After Disasters Strike

In light of several recent natural disasters, the NJCCIC reminds users to exercise caution and conduct due diligence before donating funds. Cybercriminals often exploit the compassion and generosity of the public by conducting fraudulent schemes to steal funds and credentials in the aftermath of tragic events. Individuals seeking to donate to relief efforts are targeted in charity scams initiated by threat actors using social engineering tactics through emails, SMS text messaging, phone calls, and direct messages via social media. They often create a sense of urgency and may impersonate reputable organizations. For example, display name spoofing may be used in phishing emails to appear as though they are sent from a known or trusted charity in an attempt to convince the potential donor to open an attachment or a link that directs them to a spoofed website impersonating the legitimate charity.

Although many legitimate organizations call to solicit donations, potential donors are advised to take the time to research the charity properly, understand who they are and their cause, and where the funds are directed before donating. Also, search the name of the charity to determine if there are any bad reviews, complaints, scams, or fraud associated with the charity. Credit card payments offer more consumer protections and are easier to track than payments of gift cards, wire transfers, cash, or cryptocurrency. Additionally, donations are not recommended through payment apps, such as Venmo, CashApp, or Zelle, as funds through these apps should only be sent to known and familiar individuals, such as family and friends.

Considerations for Achieving Crypto Agility | Second Public Draft Available for Comment

Advances in computing capabilities, cryptographic research, and cryptanalytic techniques necessitate the replacement of cryptographic algorithms that no longer provide adequate security. A typical algorithm transition is costly, takes time, raises interoperability issues, and disrupts operations. Cryptographic (crypto) agility refers to the capabilities needed to replace and adapt cryptographic algorithms in protocols, applications, software, hardware, firmware, and infrastructures while preserving security and ongoing operations.

The initial public draft (ipd) of NIST Cybersecurity White Paper (CSWP) 39, Considerations for Achieving Crypto Agility: Strategies and Practices, was released on March 5, 2025. It offered a common understanding of challenges and identified existing approaches related to crypto agility. The first draft was based on discussions that NIST conducted with various organizations and stakeholders and provided read-ahead material for a virtual Crypto Agility workshop hosted by NIST on April 17-18, 2025.

This second public draft (2pd) reflects the workshop findings and the feedback received during the first draft’s public comment period. It includes sections on crypto agility for security protocols and applications, crypto agility strategic plans, and considerations for future work.

To advance crypto agility, NIST encourages ongoing dialogue among stakeholders to establish strategies, frameworks, requirements, and metrics tailored to specific sectors and environments. This will help inform a maturity model with key performance indicators (KPIs) and facilitate the development of common crypto Application Programming Interfaces (APIs) and tools.

The public comment period for this second draft is open through August 15, 2025. See the publication details for a copy of the draft and instructions for submitting comments.

Microsoft SharePoint Server Spoofing Vulnerability

Microsoft is aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update.

These vulnerabilities apply to on-premises SharePoint Servers only. SharePoint Online in Microsoft 365 is not impacted.

Microsoft has released security updates that fully protect customers using SharePoint Subscription Edition and SharePoint 2019 against the risks posed by CVE-2025-53770, and CVE-2025-53771. Customers should apply these updates immediately to ensure they’re protected.

Go here for full details

Vulnerability in GrafanaCould Allow for Arbitrary Code Execution

A vulnerability exists in Grafana which could result in arbitrary code execution. Grafana is an open-source platform used for visualizing and analyzing time series data. It allows users to connect to various data sources, query and transform data, and create interactive dashboards to monitor and explore metrics, logs, and traces. Successful exploitation could allow threat actors to run malicious plugins and take over user accounts without needing elevated privileges. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Threat Intelligence

The OX.Security research team made use of a working exploit and successfully demonstrated account takeover on local Grafana instances. The results show the vulnerability is not only exploitable but easily weaponized, posing a significant risk to organizations running affected versions.

Systems Affected

Grafana versions prior to 10.4.19

Risk

Government:
– Large and medium government entities: High
– Small government entities: Medium

Businesses:
– Large and medium business entities: High
– Small business entities: Medium

Home Users: Low

Recommendations

Apply appropriate updates provided by Grafana to vulnerable systems immediately after appropriate testing. Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Restrict execution of code to a virtual environment on or in transit to an endpoint system. Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc. Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from untrusted sources. Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.

References

Grafana:
https://grafana.com/blog/2025/05/23/grafana-security-release-medium-and-high-severity-security-fixes-for-cve-2025-4123-and-cve-2025-3580/
OX.Security:
https://www.ox.security/confirmed-critical-the-grafana-ghost-exposes-36-of-public-facing-instances-to-malicious-account-takeover/#poc
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4123

Astaroth’s Hidden LNK

Image Source: Proofpoint

The NJCCIC’s email security solution observed an uptick in campaigns spreading Astaroth malware from TA2725 . Astaroth, first spotted in 2017, is an information-stealing trojan that primarily targets businesses in Brazil, Europe, and other countries throughout Latin America. Recently observed phishing emails from TA275 contain Portuguese lures masquerading as curriculum vitae (CV), invoices, or DocuSign.

Image Source: Proofpoint

In these observed campaigns, a ZIP archive containing an LNK file is downloaded upon clicking the provided URLs. Extracting and running the LNK file ultimately leads to Astaroth’s installation. During installation, Astaroth creates an LNK file in the system’s Startup folder to maintain persistence on the infected system and ensure Astaroth runs upon system startup. While TA2725 has recently been primarily distributing Astaroth, they have also been tracked spreading Mispadu, Grandoreiro, and, most recently, ScreenConnect.

Weaponized SVG Phishing Campaigns

Scalable Vector Graphics (SVG) image files are commonly used for legitimate web graphics and marketing purposes. Unlike JPEG or PNG files, SVG files are written in XML and support JavaScript and HTML code. They can contain scripts, hyperlinks, and interactive elements, which can be exploited by embedding malicious code within harmless SVG files. Although this tactic is not new, SVG files have become a common attack vector for cross-site scripting (XSS), phishing campaigns, and remote code execution (RCE) since the beginning of 2025. Threat actors increasingly leverage these weaponized SVG files to bypass traditional security filters, reach intended targets, and initiate credential harvesting and multi-stage malware infections. In multiple cases, these SVG files are not flagged as malicious in various anti-virus engines and threat intelligence platforms. These campaigns may also use advanced evasion tactics to ensure execution is only in non-sandboxed, real-user environments.

The NJCCIC’s email security solution detected an uptick in multiple phishing campaigns using SVG files. In one campaign, threat actors use lures of salary adjustment notifications via voicemail messages. Typically, human resources (HR) notifications originate internally from within an organization’s domain or network and are not communicated through voicemail messages. The malicious message has an EXTERNAL tag with a top-level domain (TLD) for Germany, and the sender’s display name references “software-team” instead of an internal HR department. The voicemail transcript in the email displays the first part of the message, which is conveniently truncated and vague, to convince users to click on the attached unnamed SVG file to listen to the entire voicemail message. If clicked, a JavaScript file called “download[.]js” downloads and executes, potentially putting sensitive information and devices at risk.

In another HR-themed campaign, threat actors send phishing emails with an EXTERNAL tag with a TLD for the European Union. The emails reference the “Compensation & Benefits Unit” in the sender’s display name, which differs from the “Billing | Finance Team” in the email signature. The subject line indicates an attached PDF file in the message but is disguised as an SVG file. The messages contain a thumbnail lure of the attachment to persuade users to click on the SVG file. If clicked, users are directed to a malicious website with a TLD for Tanzania that could not be displayed in a sandboxed environment.

Additionally, threat actors weaponized SVG files and targeted financial institutions across multiple regions using SWIFT -themed lures. When executed, it drops a ZIP archive containing a JavaScript file to download a Java-based loader. If Java is present, it deploys malware such as Blue Banana RAT, SambaSpy, and SessionBot. The malware abuses legitimate infrastructure, such as Amazon S3 and Telegram, for payloads and Command and Control (C2) communications.

Threat actors also utilized SVG files and targeted users in a credential phishing campaign. If clicked, the SVG file executes JavaScript code that loads a webpage, presents a CAPTCHA window, and directs targets to a fake Microsoft login page prepopulated with their email address. If they enter their password, it will be sent to the threat actors in the background.

NIST Publishes Final Special Publication 1800-35, Implementing a Zero Trust Architecture

The NIST National Cybersecurity Center of Excellence (NCCoE) has released the final practice guide, Implementing a Zero Trust Architecture (NIST SP 1800-35). This publication outlines results and best practices from the NCCoE effort featuring work with 24 vendors to demonstrate end-to-end Zero Trust Architectures.

As an enterprise’s data and resources have become distributed across on-premises and multiple-cloud environments, protecting them has become increasingly challenging. Many users need options to access information across the globe, at all hours, across devices. The NCCoE addressed these unique challenges by collaborating with industry participants to demonstrate 19 sample Zero Trust Architecture implementations.

Detailed technical information for each sample implementation can serve as a valuable resource for technology implementers by providing models they can replicate. The best practices and lessons learned from the implementations and integrations can help organizations save time and resources.

Two resources of NIST SP 1800-35 have been released:

A “High-Level Document in PDF Format” serves as introductory reading with insight into the project effort, including a high-level summary of project goals, reference architecture, various ZTA implementations, and findings.
A “Full Document in Web Format” provides in-depth details about technologies leveraged, their integrations and configurations, and the use cases and scenarios demonstrated. It also contains information on the implemented security capabilities and their mappings to the NIST Cybersecurity Framework (CSF), NIST SP 800-53r5, and NIST critical software security measures.

Learn More

Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution – PATCH: NOW

Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution.

Adobe InCopy is a word processor within Adobe Creative Cloud that allows copywriters and editors to write, edit, and format text in InDesign documents, while designers work on the same file in InDesign simultaneously.
Adobe Experience Manager (AEM) is a comprehensive content management system (CMS) and digital asset management (DAM) platform that helps businesses create, manage, and deliver digital experiences across multiple channels.
Adobe Commerce is a comprehensive, enterprise-grade e-commerce platform, formerly known as Magento Commerce, that allows businesses to build, personalize, and manage online stores.
Adobe InDesign is a professional-grade software used for desktop publishing and page layout design.
Adobe Substance 3D Sampler is a 3D scanning and material creation software that transforms real-life pictures into photorealistic materials, 3D objects, and HDR environments.
Adobe Acrobat Reader is a free software that serves as the industry standard for viewing, printing, and interacting with PDFs.
Adobe Substance 3D Painter is a software application primarily used for texturing 3D models.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

Adobe Substance 3D Painter 11.0.1 and earlier versions
Adobe InCopy 20.2 and earlier versions
Adobe InCopy 19.5.3 and earlier versions
Adobe Experience Manager (AEM)
AEM Cloud Service (CS) 6.5.22 and earlier versions
Adobe Commerce 2.4.8
Adobe Commerce 2.4.7-p5 and earlier versions
Adobe Commerce 2.4.6-p10 and earlier versions
Adobe Commerce 2.4.5-p12 and earlier versions
Adobe Commerce 2.4.4-p13 and earlier versions
Adobe Commerce B2B 1.5.2 and earlier versions
Adobe Commerce B2B 1.5.2 and earlier 1.4.2-p5 and earlier versions
Adobe Commerce B2B 1.5.2 and earlier 1.3.5-p10 and earlier versions
Adobe Commerce B2B 1.5.2 and earlier 1.3.4-p12 and earlier versions
Adobe Commerce B2B 1.5.2 and earlier 1.3.3-p13 and earlier versions
Magento Open Source 2.4.8
Magento Open Source 2.4.7-p5 and earlier versions
Magento Open Source 2.4.6-p10 and earlier versions
Magento Open Source 2.4.5-p12 and earlier versions
Adobe InDesign ID20.2 and earlier versions
Adobe InDesign ID19.5.3 and earlier versions
Adobe Substance 3D Sampler 5.0 and earlier versions
Acrobat DC 25.001.20521 and earlier versions
Acrobat Reader DC 25.001.20521 and earlier versions
Acrobat 2024 24.001.30235 and earlier versions
Acrobat 2020 20.005.30763 and earlier versions
Acrobat Reader 2020 20.005.30763 and earlier versions

RISK:
Government:

Large and medium government entities: High
Small government entities: Medium

Businesses:

Large and medium business entities: High
Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows

Tactic: Execution (TA0002)
Technique: Exploitation for Client Execution (T1203):

Substance 3D Painter:

Out-of-bounds Write (CVE-2025-47108)

Adobe InCopy:

Integer Overflow or Wraparound (CVE-2025-30327)
Heap-based Buffer Overflow (CVE-2025-47107)

Adobe Experience Manager:

Improper Authorization (CVE-2025-46840)
Improper Input Validation (CVE-2025-46837, CVE-2025-47096)
Cross-site Scripting (DOM-based XSS) (CVE-2025-46838, CVE-2025-46848, CVE-2025-46854, CVE-2025-46865, CVE-2025-46866, CVE-2025-46870, CVE-2025-46872, CVE-2025-46877, CVE-2025-46890, CVE-2025-46898, CVE-2025-46954, CVE-2025-46955, CVE-2025-46956, CVE-2025-46959, CVE-2025-46963, CVE-2025-46964, CVE-2025-46966, CVE-2025-46970, CVE-2025-46972, CVE-2025-46973, CVE-2025-46974, CVE-2025-46975, CVE-2025-46976, CVE-2025-46977, CVE-2025-46984, CVE-2025-46988, CVE-2025-46989, CVE-2025-47005, CVE-2025-47022, CVE-2025-47025, CVE-2025-47027, CVE-2025-47032, CVE-2025-47033, CVE-2025-47034, CVE-2025-47035, CVE-2025-47036, CVE-2025-47037, CVE-2025-47038, CVE-2025-47039, CVE-2025-47040, CVE-2025-47041, CVE-2025-47042, CVE-2025-47044, CVE-2025-47045, CVE-2025-47047, CVE-2025-47048, CVE-2025-47049, CVE-2025-47050, CVE-2025-47051, CVE-2025-47052, CVE-2025-47056, CVE-2025-47057, CVE-2025-47063, CVE-2025-47102, CVE-2025-47117)
Cross-site Scripting (Stored XSS) (CVE-2025-46841, CVE-2025-46842, CVE-2025-46843, CVE-2025-46844, CVE-2025-46846, CVE-2025-46845, CVE-2025-46847, CVE-2025-46850, CVE-2025-46851, CVE-2025-46853, CVE-2025-46855, CVE-2025-46858, CVE-2025-46859, CVE-2025-46860, CVE-2025-46861, CVE-2025-46862, CVE-2025-46863, CVE-2025-46864, CVE-2025-46871, CVE-2025-46873, CVE-2025-46876, CVE-2025-46878, CVE-2025-46879, CVE-2025-46880, CVE-2025-46881, CVE-2025-46882, CVE-2025-46883, CVE-2025-46884, CVE-2025-46885, CVE-2025-46886, CVE-2025-46887, CVE-2025-46888, CVE-2025-46891, CVE-2025-46892, CVE-2025-46893, CVE-2025-46894, CVE-2025-46895, CVE-2025-46899, CVE-2025-46900, CVE-2025-46901, CVE-2025-46902, CVE-2025-46903, CVE-2025-46904, CVE-2025-46905, CVE-2025-46906, CVE-2025-46907, CVE-2025-46908, CVE-2025-46909, CVE-2025-46910, CVE-2025-46911, CVE-2025-46912, CVE-2025-46913, CVE-2025-46914, CVE-2025-46915, CVE-2025-46916, CVE-2025-46917, CVE-2025-46918, CVE-2025-46919, CVE-2025-46920, CVE-2025-46922, CVE-2025-46923, CVE-2025-46924, CVE-2025-46926, CVE-2025-46927, CVE-2025-46929, CVE-2025-46930, CVE-2025-46931, CVE-2025-46933, CVE-2025-46934, CVE-2025-46935, CVE-2025-46939, CVE-2025-46940, CVE-2025-46941, CVE-2025-46942, CVE-2025-46943, CVE-2025-46944, CVE-2025-46945, CVE-2025-46946, CVE-2025-46947, CVE-2025-46950, CVE-2025-46953, CVE-2025-46957, CVE-2025-46958, CVE-2025-46960, CVE-2025-46965, CVE-2025-46967, CVE-2025-46968, CVE-2025-46971, CVE-2025-46978, CVE-2025-46979, CVE-2025-46981, CVE-2025-46982, CVE-2025-46983, CVE-2025-46985, CVE-2025-46986, CVE-2025-46987, CVE-2025-46990, CVE-2025-46991, CVE-2025-46992, CVE-2025-46995, CVE-2025-46997, CVE-2025-46999, CVE-2025-47000, CVE-2025-47002, CVE-2025-47003, CVE-2025-47004, CVE-2025-47006, CVE-2025-47007, CVE-2025-47008, CVE-2025-47010, CVE-2025-47011, CVE-2025-47012, CVE-2025-47013, CVE-2025-47014, CVE-2025-47015, CVE-2025-47016, CVE-2025-47017, CVE-2025-47019, CVE-2025-47020, CVE-2025-47021, CVE-2025-47026, CVE-2025-47029, CVE-2025-47030, CVE-2025-47031, CVE-2025-47055, CVE-2025-47060, CVE-2025-47062, CVE-2025-47065, CVE-2025-47066, CVE-2025-47067, CVE-2025-47068, CVE-2025-47069, CVE-2025-47070, CVE-2025-47071, CVE-2025-47072, CVE-2025-47073, CVE-2025-47074, CVE-2025-47075, CVE-2025-47076, CVE-2025-47077, CVE-2025-47078, CVE-2025-47079, CVE-2025-47080, CVE-2025-47081, CVE-2025-47082, CVE-2025-47083, CVE-2025-47084, CVE-2025-47085, CVE-2025-47086, CVE-2025-47087, CVE-2025-47088, CVE-2025-47089, CVE-2025-47090, CVE-2025-47091, CVE-2025-47092, CVE-2025-47093, CVE-2025-47100, CVE-2025-47113, CVE-2025-47114, CVE-2025-47115, CVE-2025-47116)
Cross-site Scripting (Reflected XSS) (CVE-2025-46857, CVE-2025-46874, CVE-2025-46875, CVE-2025-47094)
Improper Access Control (CVE-2025-46889)
URL Redirection to Untrusted Site (‘Open Redirect’) (CVE-2025-47095)

Adobe Commerce:

Cross-site Scripting (Reflected XSS) (CVE-2025-47110)
Improper Authorization (CVE-2025-43585)
Improper Access Control (CVE-2025-27206, CVE-2025-27207, CVE-2025-43586)

Adobe InDesign:

Heap-based Buffer Overflow (CVE-2025-30317)
Out-of-bounds Write (CVE-2025-43558, CVE-2025-43590, CVE-2025-43593)
Use After Free (CVE-2025-43589, CVE-2025-47106)
Out-of-bounds Read (CVE-2025-47104, CVE-2025-47105)
NULL Pointer Dereference (CVE-2025-30321)

Substance 3D Sampler:

Out-of-bounds Write (CVE-2025-43581, CVE-2025-43588)

Adobe Acrobat and Reader:

Use After Free (CVE-2025-43573, CVE-2025-43574, CVE-2025-43576, CVE-2025-43550, CVE-2025-43577)
Out-of-bounds Write (CVE-2025-43575)
Out-of-bounds Read (CVE-2025-43578, CVE-2025-47112)
NULL Pointer Dereference (CVE-2025-47111)
Information Exposure (CVE-2025-43579)

RECOMMENDATIONS:

We recommend the following actions be taken:

Apply the stable channel update provided by Adobe to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
- Safeguard 7.1 : Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.2 : Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
- Safeguard 7.6 : Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
- Safeguard 7.7 : Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
- Safeguard 16.13 Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
- Safeguard 18.1 : Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
- Safeguard 18.2 : Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
- Safeguard 18.3 : Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
- Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
- Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
- Safeguard 2.3: Address Unauthorized Software: Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.
- Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
- Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
- Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
- Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
Block execution of code on a system through application control, and/or script blocking. (M1038:Execution Prevention)
- Safeguard 2.5 : Allowlist Authorized Software: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
- Safeguard 2.6 : Allowlist Authorized Libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
- Safeguard 2.7 : Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040: Behavior Prevention on Endpoint)
- Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
- Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

REFERENCES: