Information Security News | Cyber Security | Hacking Tutorial
https://www.securitynewspaper.com/
Information Security Newspaper | Infosec Articles | Hacking News (feed last updated Wed, 11 May 2022 20:49:49 +0000)

NIST updates the Cybersecurity Supply Chain Risk Management Guidance (C-SCRM) in Response to Executive Order Signed by President Biden
https://www.securitynewspaper.com/2022/05/11/nist-updates-the-cybersecurity-supply-chain-risk-management-guidance-c-scrm-in-response-to-executive-order-signed-by-president-biden/
Wed, 11 May 2022 20:49:46 +0000
The U.S. National Institute of Standards and Technology (NIST) has revised its Cybersecurity Supply Chain Risk Management (C-SCRM) guidance in response to an executive order from President Joe Biden. The guidance covers the identification, assessment and mitigation of cybersecurity risks throughout the supply chain.

The document, NIST Special Publication 800-161 Revision 1, titled “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations”, asks buyers and end users of digital hardware, software and services to perform due diligence on the origin and security of the components that make up a technology product.

Supply chain attacks have become one of the most damaging classes of attack: by compromising a single widely used component or vendor, a threat actor reaches every downstream organization at once. The SolarWinds attack, which affected thousands of organizations worldwide, is the obvious reminder.

For Ilkka Turunen, software supply chain security specialist at Sonatype, these measures are important to substantially improve the security of organizations: “This document outlines fundamental best practices, such as generating software bills of materials (SBOM), as well as describing the maintenance activities necessary to maintain effective security practices in the supply chain.”

The researcher adds that software risk mitigation begins with an accurate picture of which managed and unmanaged software an organization actually uses, followed by progressive mitigation of those risks at the vendor level with the continuous involvement of customers.

Separately, Cequence Security researchers recently warned that attacks exploiting flaws such as Log4Shell (CVE-2021-44228) are still ongoing. Disclosed in December 2021, Log4Shell affects the Apache Log4j logging library, which is embedded in a very large share of Java software and is therefore often described as ubiquitous.

The new wave of attacks, which Cequence calls LoNg4j, shows how tightly modern enterprise IT is coupled to its digital supply chain: one vulnerable library is spread across all kinds of applications, so whenever it is exploitable it becomes a critical attack vector for every one of them.
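The best practice Turunen mentions, generating an SBOM, only pays off if something consumes it, and the Log4Shell persistence described above is exactly the case where that matters. As an added example (not part of the original article, and not Sonatype's or Cequence's code), the Python below reads a constructed CycloneDX SBOM, checks each component against an advisory table, and walks the dependency graph to show which top-level component pulled the vulnerable library in. The SBOM content, the `com.example` package names and the reduced advisory table are assumptions made for the example; its single entry for CVE-2021-44228 records the affected range from 2.0-beta9 up to, but not including, 2.15.0. A real audit would take ranges from a vulnerability feed (NVD, OSV, vendor advisories) rather than a hand-written list.

```python
import json
import re
from collections import defaultdict

# Constructed CycloneDX 1.4 SBOM for the example; the com.example names are made up.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "application", "name": "app", "version": "1.0",
     "purl": "pkg:maven/com.example/app@1.0"},
    {"type": "library", "name": "shared-lib", "version": "3.2",
     "purl": "pkg:maven/com.example/shared-lib@3.2"},
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "log4j-api", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"type": "library", "name": "jackson-databind", "version": "2.13.2",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2"}
  ],
  "dependencies": [
    {"ref": "pkg:maven/com.example/app@1.0",
     "dependsOn": ["pkg:maven/com.example/shared-lib@3.2",
                   "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2"]},
    {"ref": "pkg:maven/com.example/shared-lib@3.2",
     "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
                   "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"]}
  ]
}"""

# Advisory table: (package purl without version, first affected, first fixed, id).
# Reduced to the single entry the example needs; a real audit would consume a
# vulnerability feed (NVD, OSV, vendor advisories) instead of a hand-written list.
ADVISORIES = [
    ("pkg:maven/org.apache.logging.log4j/log4j-core", "2.0-beta9", "2.15.0", "CVE-2021-44228"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(.+))?$")


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a sortable tuple.

    A pre-release sorts below the final release with the same number,
    so 2.0-beta9 < 2.0 < 2.0.1.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError("unsupported version string: %r" % text)
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1, pre or "")


def split_purl(purl):
    """Split 'pkg:type/namespace/name@version' into (package, version)."""
    package, _, version = purl.rpartition("@")
    return package, version


def dependency_path(sbom, purl):
    """Walk the dependency graph upward to show how purl was pulled in."""
    parents = defaultdict(list)
    for entry in sbom.get("dependencies", []):
        for child in entry.get("dependsOn", []):
            parents[child].append(entry["ref"])
    path, seen = [purl], {purl}
    while parents.get(path[0]):
        parent = parents[path[0]][0]  # one parent chain is enough for a report
        if parent in seen:
            break  # cycle in the graph; stop instead of looping forever
        seen.add(parent)
        path.insert(0, parent)
    return path


def audit_sbom(sbom_json, advisories):
    """Return one finding per component whose version lies inside an advisory range."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # components without a purl cannot be matched reliably
        package, version = split_purl(purl)
        for adv_package, introduced, fixed, adv_id in advisories:
            if package != adv_package:
                continue
            if parse_version(introduced) <= parse_version(version) < parse_version(fixed):
                findings.append({"id": adv_id, "purl": purl, "fixed_in": fixed,
                                 "path": dependency_path(sbom, purl)})
    return findings


if __name__ == "__main__":
    for f in audit_sbom(SBOM_JSON, ADVISORIES):
        print("%s: %s (upgrade to %s)" % (f["id"], f["purl"], f["fixed_in"]))
        print("  reached via: " + " -> ".join(f["path"]))
```

The dependency path is the part a plain version grep misses: the vulnerable log4j-core is not a direct dependency of the application here but arrives through `shared-lib`, which is the component whose owner has to ship the fix.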

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

The post NIST updates the Cybersecurity Supply Chain Risk Management Guidance (C-SCRM) in Response to Executive Order Signed by President Biden appeared first on Information Security Newspaper | Hacking News.

In 2021 maximum security vulnerabilities were reported as compared to past according to NIST
https://www.securitynewspaper.com/2021/12/09/in-2021-maximum-security-vulnerabilities-were-reported-as-compared-to-past-according-to-nist/
Thu, 09 Dec 2021 18:27:12 +0000
Figures from the National Institute of Standards and Technology (NIST) National Vulnerability Database put the number of vulnerabilities recorded in 2021 at 18,378, beating the previous year's total for the fifth year in a row.

Notably, the number of critical-severity flaws fell, from 4,381 in 2020 to 3,646 in 2021.

Opinions on the figures differ: some researchers question how the critical vulnerabilities were counted, while others consider the NIST numbers an accurate picture of how vulnerabilities behaved during 2021.

Cybersecurity specialist Casey Ellis takes the view that finding vulnerabilities is inherent to software development, so it is normal for more flaws to be found every year: “The more software is created, the more critical vulnerabilities will exist,” adds Ellis.

Ellis also notes that lower-impact issues are relatively easy to find, so they are reported in large numbers. Finding a severe flaw is harder, but it is usually fixed faster because of the risk its exploitation poses: “They are often given priority for root cause analysis and pattern evasion in the future, and therefore can often be smaller in number,” adds the expert.

Pravin Madhani, CEO of K2 Cyber Security, attributes the drop in critical findings to improved coding practices, with developers paying increasing attention to the integrity of their systems.

Experts also point out that the shift to remote work during the COVID-19 pandemic contributed to the rise in reported vulnerabilities, as most public and private organizations rolled out remote-access tools and other software to let employees work from home, putting far more of that software under scrutiny.

NIST's position is that security bugs are a normal by-product of technological development, so developers and researchers must keep working to prevent the exploitation of the most dangerous flaws, which will inevitably continue to appear.


The post In 2021 maximum security vulnerabilities were reported as compared to past according to NIST appeared first on Information Security Newspaper | Hacking News.

OWTF penetration testing framework combines OWASP Top 10, PTES and NIST
https://www.securitynewspaper.com/2021/11/03/owtf-penetration-testing-framework-combines-owasp-top-10-ptes-and-nist/
Wed, 03 Nov 2021 22:17:18 +0000
The Offensive Web Testing Framework (OWTF) is an Open Web Application Security Project (OWASP) project focused on making penetration testing more efficient and aligning security testing with established standards such as the OWASP Testing Guide (v3 and v4), the OWASP Top 10, the National Institute of Standards and Technology (NIST) and the Penetration Testing Execution Standard (PTES), so that pentesters have more time to:

  • Find, verify and combine vulnerabilities efficiently
  • Investigate complex vulnerabilities such as business logic flaws, architectural flaws or virtual hosting sessions
  • Demonstrate real impact despite the short time windows normally given for testing

The tool is highly customizable: anyone can create simple plugins or add new tests in the configuration files without development experience. Nonetheless, it is not a complete security solution and will only be as good as the pentester using it, who needs the understanding and experience to interpret its results and decide what to investigate further to demonstrate impact.

According to pentesting specialists, OWTF's main features include:

  • Resilience: if a tool fails, OWTF moves on to the next tool or test, saving whatever partial output the tool produced before it crashed
  • Test separation: OWTF separates plugins into three types according to the traffic they send to the target
    • Passive: no traffic to the target
    • Semi-passive: normal traffic to the target
    • Active: direct vulnerability probing
  • Web interface: easily manage large penetration testing engagements
  • Interactive reports
  • Automated plugin rankings from the tool output, fully configurable by the user
  • Configurable risk rankings

The tool is available as open source through the official OWASP channels.
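To make the plugin model concrete, here is an added illustration, written for this page rather than taken from OWTF's code base, of three of the behaviours listed above: plugins tagged by the traffic they send to the target, a runner that skips anything above the permitted traffic level, keeps whatever output a plugin produced before it crashed and moves on, and a configurable ranking that turns raw tool output into a priority. The plugins, the banners they return and the ranking rules are hypothetical and the data is constructed; a real plugin would wrap an external tool.

```python
import re
from enum import Enum


class Traffic(Enum):
    """How much a plugin touches the target: the passive/semi-passive/active split."""
    PASSIVE = 0        # no traffic to the target (search engines, archives, CT logs)
    SEMI_PASSIVE = 1   # ordinary requests any visitor would also send
    ACTIVE = 2         # direct vulnerability probing


# Hypothetical plugins. Each is a generator yielding output lines one at a time,
# so the runner keeps whatever was produced before a crash. Real plugins would
# wrap external tools; these return constructed data.
def plugin_dns_history(target):
    yield "passive-dns: %s -> 203.0.113.10 (constructed record)" % target
    yield "passive-dns: %s -> 203.0.113.11 (constructed record)" % target


def plugin_server_banner(target):
    yield "GET / HTTP/1.1 -> 200 OK"
    yield "Server: Apache/2.2.15 (constructed banner)"
    yield "X-Powered-By: PHP/5.3.3 (constructed banner)"


def plugin_dir_bruteforce(target):
    yield "/admin/ -> 403"
    raise RuntimeError("wordlist file missing")  # simulated crash after partial output


PLUGINS = [
    ("dns_history", Traffic.PASSIVE, plugin_dns_history),
    ("server_banner", Traffic.SEMI_PASSIVE, plugin_server_banner),
    ("dir_bruteforce", Traffic.ACTIVE, plugin_dir_bruteforce),
]

# User-configurable ranking rules: the highest rank matched by any output line wins.
RANK_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3}
RANK_RULES = [
    (re.compile(r"Server: Apache/2\.2\."), "high"),    # end-of-life branch: worth chasing
    (re.compile(r"X-Powered-By: PHP/5\."), "high"),
    (re.compile(r"-> 200"), "medium"),
    (re.compile(r"-> 403"), "low"),
]


def rank_output(lines, rules=RANK_RULES):
    """Map raw tool output to a priority using the configurable rule table."""
    best = "info"
    for line in lines:
        for pattern, rank in rules:
            if pattern.search(line) and RANK_ORDER[rank] > RANK_ORDER[best]:
                best = rank
    return best


def run_plugins(target, max_traffic, plugins=PLUGINS):
    """Run plugins at or below the allowed traffic level; isolate failures."""
    results = []
    # Passive first, then semi-passive, then active: the quietest tests run
    # first, and a later crash cannot cost earlier output.
    for name, traffic, func in sorted(plugins, key=lambda p: p[1].value):
        if traffic.value > max_traffic.value:
            results.append({"plugin": name, "status": "skipped",
                            "output": [], "rank": "info"})
            continue
        output = []
        try:
            for line in func(target):
                output.append(line)
            status = "ok"
        except Exception as exc:  # one tool failing must not abort the whole run
            status = "failed: %s" % exc
        results.append({"plugin": name, "status": status,
                        "output": output, "rank": rank_output(output)})
    return results


if __name__ == "__main__":
    for r in run_plugins("target.example", Traffic.ACTIVE):
        print("%-14s %-8s %s" % (r["plugin"], r["rank"], r["status"]))
        for line in r["output"]:
            print("    " + line)
```

Run with `Traffic.SEMI_PASSIVE` while the engagement has not yet authorized active probing: the active plugin is recorded as skipped rather than silently dropped, so the report shows what was not tested as well as what was.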


The post OWTF penetration testing framework combines OWASP Top 10, PTES and NIST appeared first on Information Security Newspaper | Hacking News.

Government passes IoT Cybersecurity Act to protect Internet of Things devices
https://www.securitynewspaper.com/2020/11/25/government-passes-iot-cybersecurity-act-to-protect-internet-of-things-devices/
Wed, 25 Nov 2020 18:04:40 +0000
The U.S. Congress has passed a cybersecurity bill intended to push the industry at large to improve the security built into Internet of Things (IoT) devices.

The IoT Cybersecurity Improvement Act directs the National Institute of Standards and Technology (NIST) to establish the security requirements that every IoT manufacturer seeking to sell to the federal government must meet, mainly in areas such as vulnerability remediation and user identity verification.

The central aim is to give federal agencies suitable cybersecurity mechanisms and to encourage manufacturers to adopt the highest standards whether or not they work with the U.S. government: “We hope to make a significant impact on the overall market, benefiting businesses and consumers,” says Senator Mark Warner, one of the bill's main sponsors.

Image: Sen. Mark Warner

Efforts to improve IoT security did not begin in Congress. Years earlier, researchers and consumer advocacy organizations had pointed out the need to secure these devices, and the U.S. government itself is investing more and more in the technology, which makes strengthening its security a necessity.

The sponsors went through a long process before the bill was approved, and it was modified several times along the way. The first version, for example, set out in great detail the exemptions under which contractors could avoid the standards, and that version never reached the Senate.

Changes in the industry also shaped the final version: “In the nearly four years since this bill was introduced, we have seen considerable advances by the industry in areas such as recognition of IoT security risks, either as part of huge DoS attacks such as those related to the Mirai botnet, or in the efforts of threat actors to compromise this infrastructure,” says Senator Warner.

Suzanne Spaulding, director of the Defending Democratic Institutions project at the Center for Strategic and International Studies, believes this is a big step forward in terms of cybersecurity: “The final version may be improved, but it’s a great starting point for important achievements,” she concludes.

The post Government passes IoT Cybersecurity Act to protect Internet of Things devices appeared first on Information Security Newspaper | Hacking News.

US President signs Small Business Cyber Security Act
https://www.securitynewspaper.com/2018/08/18/us-president-signs-small-business-cyber-security-act/
Sat, 18 Aug 2018 03:04:00 +0000

Small businesses will get help implementing cybersecurity measures

Almost a year and a half after the measure was introduced, the NIST Small Business Cybersecurity Act is officially in force after President Donald Trump signed it into law.

Originally proposed in April 2017, the law requires the director of NIST, within one year of its enactment, to issue guidance and a set of resources to help small and medium-sized enterprises identify, assess and reduce their cybersecurity risks. The law also calls on NIST, a division of the Department of Commerce, to consider the needs of small businesses when developing these recommendations, which must be widely applicable and technology-neutral and include elements that promote simple, basic controls, a workplace culture of cybersecurity, and relationships with third-party stakeholders.

In a press release, Senator Brian Schatz said that “as companies are increasingly reliant on the Internet to operate efficiently and reach more customers, they will continue to be vulnerable to cyber attacks. While big companies have the resources to protect themselves, small businesses don’t, and that’s exactly what makes them an easy target for hackers; this new law will grant small businesses the tools to reinforce their cyber security infrastructure and fight against hackers”, the senator said.

“Small businesses are not immune to threats and are often not equipped with resources or IT staff to protect their networks”, a cybersecurity expert said. “NIST’s Small Business Cyber Security Act will provide small and medium-sized entrepreneurs with the minimum resources and a simplified cyber security framework so they can effectively protect their companies from threats”.

Experts from the International Institute of Cyber Security consider the Small Business Cybersecurity Act a major victory for the security industry and for businesses struggling to operate in line with NIST standards.

The post US President signs Small Business Cyber Security Act appeared first on Information Security Newspaper | Hacking News.

Cybersecurity Framework or ISO 27001
https://www.securitynewspaper.com/2018/02/24/cybersecurity-framework-iso-27001/
Sat, 24 Feb 2018 02:05:14 +0000
A few months ago, the National Institute of Standards and Technology (NIST) published the Framework for Improving Critical Infrastructure Cybersecurity, commonly known as the Cybersecurity Framework. If you are already familiar with ISO 27001, the framework raises an obvious question: how do the two relate?

The Cybersecurity Framework was initially intended for U.S. companies considered part of critical infrastructure. Nevertheless, it is suitable for any organization that faces cybersecurity risks.

ISO/IEC 27001 is an information security standard published in 2005 and revised in 2013. Although it is not mandatory, it is accepted in most countries as the main framework for implementing information security. It describes the information security management system (ISMS) and places it in the context of the company's overall management and processes.

Both the Cybersecurity Framework and ISO 27001 give you a methodology for implementing cybersecurity in an organization, and you could implement either. Possibly the biggest similarity is that both are risk-based: safeguards are required only where a risk assessment shows they are needed.

Cybersecurity Framework

The Cybersecurity Framework is clearly better structured when it comes to planning and implementation.

The Framework Core is divided into five Functions (Identify, Protect, Detect, Respond and Recover), then into 22 Categories such as Asset Management and Risk Management Strategy, which resemble the sections of ISO 27001, and finally into 98 Subcategories. Each Subcategory carries informative references to other frameworks (ISO 27001, COBIT, NIST SP 800-53, ISA 62443 and CCS CSC), so it is easy to see what each requirement is and where to find guidance on implementing it.


The Framework Implementation Tiers are Partial, Risk Informed, Repeatable and Adaptive. They let a company decide how far it wants to go with its implementation, taking its own requirements into account.

Then come the Framework Profiles. The Current Profile and Target Profile picture where the organization stands right now against the Categories and Subcategories of the Framework Core, and where it wants to be. Profiles can also be used to set minimum requirements for other organizations such as suppliers or partners. ISO 27001 has no equivalent.

Overall, the Cybersecurity Framework lets top management as well as engineers and other IT staff understand easily what is to be implemented and where the gaps are.

ISO 27001

One of the greatest advantages of ISO 27001 is that companies can become certified against it, which means a company can prove to its clients, partners, shareholders, government agencies and others that it can indeed keep their information safe.

Further, ISO 27001 is an internationally recognized and accepted standard, so if a company wants to prove its ability to clients, partners and governments outside its own country, ISO 27001 will be much better.


ISO 27001 covers all types of information, not just information processed in IT systems. Paper-based information matters less and less, but for some companies it may still pose significant risks. ISO 27001 also defines which documents and records are needed and the minimum that must be implemented.

Finally, whereas the Framework focuses on how to plan and implement security, ISO 27001 takes a much wider approach: its methodology follows the Plan-Do-Check-Act (PDCA) cycle, so it builds a management system that maintains and improves the whole program. Without constant measurement, review, audit, corrective action and improvement, such a system gradually deteriorates and ultimately loses its purpose.

Which one is better

It does not have to be a question of one or the other; it seems to me that the best approach is to combine the two. The Cybersecurity Framework itself says it can complement an existing program or system, and ISO 27001 has proved to be a very good umbrella for different information security methodologies.

So I think the best results come from designing the overall information security management system according to ISO 27001 and using the Cybersecurity Framework for risk management and for implementing the particular cybersecurity areas and safeguards.

The post Cybersecurity Framework or ISO 27001 appeared first on Information Security Newspaper | Hacking News.
