Topics that are top of mind for the week ending Sept. 9 | Software supply chain security in the spotlight. Guidance for evaluating IoT security tools. Increasing diversity in cybersecurity. Another look at the major cloud security threats. And much more!
U.S. government stresses software supply chain security
Developers got concrete guidance and specific recommendations for protecting their software supply chains via a 64-page document from the U.S. government.
This new guide reflects lessons learned from recent major supply chain attacks, like the one against SolarWinds, and from the discovery of the Log4Shell vulnerability.
Attackers are increasingly targeting software development environments, commonly used frameworks and widely adopted libraries in order to compromise components of otherwise legitimate applications that are then distributed through trusted channels to customers.
Published by the Cybersecurity and Infrastructure Security Agency, the National Security Agency and the Office of the Director of National Intelligence, the document groups its recommendations into five main categories:
- Secure product criteria and management, including:
  - Creating threat models of the products while in development and of their critical components
  - Defining and implementing security test plans
  - Establishing how vulnerabilities in the product will be handled throughout its lifecycle
- Develop secure code, following principles like:
  - Least privilege
  - Fail-safe defaults
  - Open design
- Verify third-party components through practices including:
  - Vulnerability analysis
  - Secure composition analysis
  - Source code evaluation
- Harden the build environment with steps like:
  - Lock down all systems that interact with the development and build processes, and monitor them for data leakage
  - Use version control for pipeline configurations
  - Make sure all systems use multi-factor authentication
- Deliver code safely through practices like:
  - Scan binaries with software composition analysis tools to ensure the integrity of the final build, and create a software bill of materials (SBOM)
  - After receiving the build from the vendor, customers can perform their own scanning to verify its safety and integrity
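The last two bullets describe what a customer can do with a delivered build: confirm the artifact is the one the vendor published and check its SBOM against known-affected component versions. The script below is an added example written for this newsletter item, not code from the guidance document or from any of the agencies; the artifact bytes, the "published" digest, the CycloneDX-style SBOM and the advisory list are all constructed inline so it runs offline, and the advisory id and component names are placeholders.

```python
"""Customer-side check on a received build (added example).

Two checks the delivery guidance calls for:
  1. The artifact's SHA-256 matches the digest the vendor published out of band.
  2. No component in the SBOM falls inside an affected version range from an
     internal advisory list (the shape of a software composition analysis hit).
"""
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# --- Constructed sample inputs -------------------------------------------------
# Stand-in for the downloaded build file.
ARTIFACT = b"example build contents v1.2.3\n"
# Stand-in for the digest the vendor publishes separately (release page, signed
# manifest). Computed here only so the example is self-contained.
VENDOR_PUBLISHED_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()

# Minimal CycloneDX-shaped SBOM; component names and versions are constructed.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-logging-lib", "version": "2.14.1",
         "purl": "pkg:maven/org.example/example-logging-lib@2.14.1"},
        {"type": "library", "name": "example-json-parser", "version": "3.2.0",
         "purl": "pkg:maven/org.example/example-json-parser@3.2.0"},
    ],
})

# Constructed advisory list: component plus [min_inclusive, max_exclusive) range.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "example-logging-lib",
     "min_inclusive": "2.0.0", "max_exclusive": "2.15.0"},
]


# --- Integrity check -----------------------------------------------------------
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(data: bytes, published_digest: str) -> bool:
    """Compare the computed digest with the published one in constant time."""
    return hmac.compare_digest(sha256_hex(data), published_digest.strip().lower())


# --- SBOM component check ------------------------------------------------------
def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '2.14.1' into (2, 14, 1); non-numeric suffixes are ignored, missing parts are 0."""
    parts = []
    for piece in v.split(".")[:3]:
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def version_in_range(v: str, lo: Optional[str], hi: Optional[str]) -> bool:
    """True when lo <= v < hi (either bound may be None for 'unbounded')."""
    pv = parse_version(v)
    if lo is not None and pv < parse_version(lo):
        return False
    if hi is not None and pv >= parse_version(hi):
        return False
    return True


def load_sbom(text: str) -> dict:
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    return sbom


def find_affected_components(sbom: dict, advisories: list) -> List[Tuple[str, str, str]]:
    """Return (name, version, advisory id) for every component inside an affected range."""
    hits = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if comp.get("name") == adv["component"] and version_in_range(
                    comp.get("version", ""), adv["min_inclusive"], adv["max_exclusive"]):
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits


def check_received_build(data: bytes, published_digest: str, sbom_text: str, advisories: list) -> dict:
    """Combine both checks into one report a customer can act on before deploying."""
    return {
        "integrity_ok": verify_artifact(data, published_digest),
        "affected": find_affected_components(load_sbom(sbom_text), advisories),
    }


if __name__ == "__main__":
    print(check_received_build(ARTIFACT, VENDOR_PUBLISHED_SHA256, SAMPLE_SBOM_JSON, ADVISORIES))
    # A build that was altered after the digest was published fails the first check.
    print(check_received_build(ARTIFACT + b"\x00", VENDOR_PUBLISHED_SHA256, SAMPLE_SBOM_JSON, ADVISORIES))
```

A real deployment would take the digest from a signed release manifest rather than computing it locally, and would feed the SBOM to a vulnerability database instead of a hand-written range list; the structure of the check stays the same.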
Alongside the guidance from these U.S. agencies, the Open Source Security Foundation released a best practice guide for securing npm, the largest package ecosystem that undergirds countless software projects.
(Claire Tills, senior research engineer with Tenable's Security Response Team, contributed to this item.)
For more information:
- Video: “Using CNCF Best Practices for Software Supply Chain” (Cloud Native Computing Foundation – CNCF)
- “Software Supply Chain Best Practices” (CNCF)
- “Software Supply Chain Security Guidance” (National Institute of Standards and Technology)
- “The Open Source Software Security Mobilization Plan” (The Linux Foundation and The Open Source Security Foundation)
Guidance for testing IoT security products
The Anti-Malware Testing Standards Organization (AMTSO) has released a guide for helping security teams test and benchmark IoT security products, an area the non-profit group says is still in its infancy.
In providing its recommendations after gathering input from testers and vendors, the AMTSO noted that there are particular challenges involved in testing IoT security wares because these products:
- Protect a wide variety of smart devices both for home and work, which complicates the setup of a test environment
- Are used in smart devices that overwhelmingly run on Linux, so testers must use specific threat samples for their evaluations
The document focuses on areas including sample selection, determination of detection, test environments, specific security functionality assessment and performance benchmarking.
For more information:
- “IoT Security Acquisition Guidance” (CISA)
- “Ten best practices for securing IoT in your organization” (ZDNet)
- “4 advanced IoT security best practices to boost your defense” (TechTarget)
- “Secure IoT best practice guidelines” (IoT Security Foundation)
- “NIST cybersecurity for IoT program” (NIST)
Consumer protection agency to businesses: Failure to protect customer data is illegal
Here’s yet another reminder to businesses that they can get into legal hot water if they don’t properly secure sensitive customer data.
The U.S. Consumer Financial Protection Bureau (CFPB) has issued a formal circular addressing this specific question:
“Can entities violate the prohibition on unfair acts or practices in the Consumer Financial Protection Act (CFPA) when they have insufficient data protection or information security?”
Answer: Yes.
So what could be considered “insufficient” protection for this data? For example, organizations that lack:
- Multi-factor authentication to protect access to the accounts of employees and customers
- Adequate password management policies and practices
- Timely patching of the software products they use
New efforts to increase diversity in cybersecurity
A couple of new initiatives are seeking to increase the number of women and of African Americans working as cybersecurity professionals.
The National Cybersecurity Alliance (NCA), a non-profit that promotes cybersecurity education and awareness, launched the Historically Black Colleges and Universities Career Program, in partnership with top HBCUs and cybersecurity organizations.
The NCA noted in its announcement that currently only 9% of cybersecurity professionals identify as black, and that there are about 715,000 unfilled cybersecurity roles in the U.S.
Meanwhile, a group of about 90 women working in leadership positions in cybersecurity formed The Forte Group, an advocacy and education non-profit whose mission is supporting current and future female leaders in cybersecurity.
For more information:
- “4 Barriers to Diversity in Cybersecurity and How to Address Them” (Society of Women Engineers)
- “The defensive power of diversity in cybersecurity” (TechCrunch)
- “Making Space for Diversity in Cybersecurity” (Ms. Magazine)
- “Diversity, Equity, and Inclusion in Cybersecurity” (Aspen Institute)
Revisiting the CSA’s top cloud security threats
The Cloud Security Alliance published its “Top Threats to Cloud Computing” report earlier this summer, and every month it zooms in on each threat on its blog. So, as we prepare to welcome the fall, we thought it’d be good to refresh our memory and take another look at this list, which the CSA dubbed “the pandemic eleven.”
- Insufficient identity, credentials, access and key management
- Insecure interfaces and APIs
- Misconfiguration and inadequate change control
- Lack of cloud security architecture and strategy
- Insecure software development
- Unsecured third-party resources
- System vulnerabilities
- Accidental cloud data disclosure
- Misconfiguration and exploitation of serverless and container workloads
- Organized crime/hackers/APT
- Cloud storage data exfiltration
You can check out the blogs about the first three threats here, here and here.
For more information:
- Video: “Cloud Security for Dummies” (SANS Institute)
- “Cloud security in 2022: A business guide to essential tools and best practices” (ZDNet)
- Video: “Cloud Security for Beginners: Part 1 and Part 2” (SANS Institute)
- “The cloud security principles” (U.K. National Cyber Security Centre)
Quick takes
Check out this roundup of important vulnerabilities, trends, news and incidents.
- The Los Angeles Unified School District, the second-largest school district in the U.S., was hit by a ransomware attack that gained national attention. On the same day, the U.S. government issued an advisory about the targeting of educational institutions by the Vice Society ransomware group. It’s not yet known which attacker hit the Los Angeles school district.
- QNAP patched a zero-day vulnerability in some of its network attached storage (NAS) devices that had been exploited by the DeadBolt ransomware group, which has targeted QNAP several times this year.
- The hacking group AgainstTheWest claimed it stole 2 billion records with data on TikTok and WeChat users from an Alibaba database, but TikTok countered that the data sampled is publicly available and that its systems weren’t breached. In related news, Microsoft said it discovered a now-fixed vulnerability in the TikTok Android app that could lead to account hijacking.
- Google rushed out an emergency patch for the sixth zero-day vulnerability in Chrome so far this year. Users are advised to install the update immediately.
- Montenegro was hit by a large-scale ransomware attack that prompted the U.S. embassy in the Balkan country to warn American citizens living there about disruptions to critical services, as a team from the U.S. Federal Bureau of Investigation flew in to help with the investigation.