Quantcast
Channel: Tenable Blog
Viewing all articles
Browse latest Browse all 1935

Cybersecurity Snapshot: Critical Infrastructure Security in the Spotlight in November

$
0
0

It’s “Critical Infrastructure Security and Resilience Month” – check out new resources from the U.S. government to better protect these essential organizations. Plus, the U.K.’s cyber agency is offering fresh guidance for mitigating the quantum computing threat. In addition, do you need a generative AI policy in your company? An ISACA guide could be helpful. And much more!

Dive into six things that are top of mind for the week ending November 10.

1 - U.S. focuses on critical infrastructure security in November 

If critical infrastructure security is in your wheelhouse, November is a special month for you. Why? Again this year, the White House has declared November to be “Critical Infrastructure Security and Resilience Month.” 

Although critical infrastructure protection encompasses various threats, such as natural disasters, it’s no surprise that a significant portion of the proclamation is devoted to preventing cybersecurity attacks.

“We know that to protect our critical infrastructure we must improve our cybersecurity,” the document reads.

 

November is Critical Infrastructure Security and Resilience Month

 

As part of the effort, the Cybersecurity and Infrastructure Security Agency (CISA) called on all involved with critical infrastructure security to “resolve to be resilient.” 

CISA also published a “Critical Infrastructure Security and Resilience Month Toolkit” that includes recommendations for private sector organizations, risk management agencies, state and local governments, and members of Congress.

The toolkit also contains links to many resources; communication templates for promoting “Critical Infrastructure Security and Resilience Month”; and an FAQ about protecting critical infrastructure.

To get more details, check out:

CISA's Dr. David Mussington kicks off Critical Infrastructure Security Month

2 - “Shields Ready” campaign promotes critical infrastructure security

And as part of “Critical Infrastructure Security and Resilience Month,” CISA, the Department of Homeland Security and the Federal Emergency Management Agency (FEMA) have launched the “Shields Ready” campaign. It urges critical infrastructure organizations to beef up their resilience so they’re better prepared for cyberattacks and other threats.

“Shields Ready” campaign promotes critical infrastructure security

Recommendations for critical infrastructure operators from the “Shields Ready” campaign include:

  • Identify your most critical systems and assets, as well as the systems they depend on
  • Assess the threats that could disrupt your operations and their consequences
  • Draft strategic risk-management plans as well tactical incident response plans
  • Test your incident response and recovery plans

The “Shields Ready” campaign complements other existing critical infrastructure security campaigns from CISA and FEMA.

To get more details about “Shields Ready,” check out:

3 - U.K.’s cyber agency offers guidance about quantum threat

Is the threat from future quantum computers on your radar screen yet? By all accounts, it should be. The latest warning comes from the U.K. National Cyber Security Centre (NCSC).

Although “quantum resistant” algorithms are in the works, cybercriminals are swiping confidential data now to decrypt it later with quantum computers, which are expected to be available by around 2030.

In its new guidance, the NCSC offers best practices for mitigating the risk these powerful computers will pose to data encrypted with today’s public-key cryptographic (PKC) algorithms. The NCSC advice focuses on helping organizations adopt “post-quantum cryptography” or (PQC).

Also known as “quantum resistant” cryptography, these algorithms will be able to protect data from attacks that use quantum computers, but migrating to this new technology won’t be a simple process.

“These algorithms will not necessarily be drop-in replacements for the current PKC algorithms in protocols or systems, so system owners should begin planning for the migration to PQC,” reads the new NCSC white paper titled “Next steps in preparing for post-quantum cryptography.”

In short, while these new algorithms aren’t yet ready for prime time, organizations should start laying the groundwork for their adoption now.

To get all the details of the NCSC’s guidance, check out:

For more information about the quantum threat:

VIDEOS

Post-Quantum Cryptography: the Good, the Bad, and the Powerful (NIST)

What is Quantum Cryptography? An Introduction (TechTarget)

NIST Post Quantum Cryptography Update (Accredited Standards Committee X9)

4 - A temperature check on cloud security 

During our recent webinar “Tenable & Ermetic: What’s Next and Needed for Truly Effective Enterprise Cloud Security,” we polled participants on various cloud security topics. Here’s what they said when we asked them what their biggest cloud security challenges are, who’s in charge of cloud security at their organization and more.

Biggest cloud security challenges(154 respondents polled by Tenable in October 2023)

Are your cloud tools good at correlating risks(162 respondents polled by Tenable in October 2023)
Who is in charge of cloud security at your organization
(170 respondents polled by Tenable in October 2023)

Want to find out what was discussed at the “Tenable & Ermetic: What’s Next and Needed for Truly Effective Enterprise Cloud Security” webinar? Watch it on demand!

5 - ISACA finds most orgs need a GenAI policy, offers guidelines

As a technology that’s seeing rapid evolution and robust adoption, generative AI represents a challenge for those tasked with drafting policies for its use.

If you work in cyber, compliance or risk management, chances are you’re involved in creating guardrails for your organization’s secure, compliant and legal use of generative AI. 

If so, you might find relevant insights and recommendations in the new guide from ISACA titled “Considerations for Implementing a Generative Artificial Intelligence Policy.”

ISACA finds most orgs need a GenAI policy, offers guidelines

Here’s a small sampling of key considerations ISACA recommends should be taken into account:

  • Are your generative AI systems secure and compliant with privacy regulations?
  • Does the policy address ethical issues to ensure, for example, that the generative AI system doesn't create or reinforce biases?
  • What are acceptable terms of use?
  • Are there guidelines in place for proper data handling?
  • How will the policy encourage transparency?

Along with the guide, ISACA conducted a poll that found that most organizations are using generative AI without having drafted an acceptable usage policy.

The study, based on a poll of 2,300 pros who work in audit, risk, security, data privacy and IT governance, found that:

  • Only 28% of polled organizations say they officially allow employees to use generative AI
  • Only 10% have a formal, comprehensive policy for generative AI use
  • More than one in four lack a policy and have no plans to draft one
  • 54% provide no AI training at all to employees
  • Employees are using generative AI systems at 41% of organizations

To get more details, check out:

6 - CIS updates Benchmarks for macOS, Microsoft 365, others

The Center for Internet Security has announced the updates it made to its CIS Benchmarks in October, including new secure configuration recommendations for Microsoft 365 and for several versions of macOS and Windows Server.

CIS updates Benchmarks for macOS, Microsoft 365, others

Here’s the full list of updated CIS Benchmarks for October:

To get more details, read the CIS blog “CIS Benchmarks November 2023 Update.” For more information about the CIS Benchmarks list, check out its home page, as well as:

CIS Benchmarks (CIS)


Viewing all articles
Browse latest Browse all 1935

Trending Articles