Quantcast
Channel: Tenable Blog
Viewing all articles
Browse latest Browse all 1935

Cybersecurity Snapshot: U.K. Cyber Agency Urges Software Vendors To Boost Product Security, While U.S. Gov’t Wants Info on Banks’ AI Use

$
0
0

Check out the NCSC’s call for software vendors to make their products more secure. Plus, why the Treasury Department is looking at how financial institutions are using AI. And the latest on the cybersecurity skills gap in the U.S. And much more!

Dive into six things that are top of mind for the week ending June 14.

1 - NCSC issues “code of practice” for software makers

Software vendors improve the security of their products.

That’s the goal of the U.K. National Cyber Security Centre’s new “Code of Practice for Software Vendors.” The document from the U.K.’s cybersecurity agency outlines a minimum baseline of secure development processes for software vendors.

Compliance with the “Code of Practice for Software Vendors” is voluntary for now “but further policy interventions to support its uptake and impact are currently being explored,” reads the NCSC blog “Raising the cyber resilience of software 'at scale.'

 

NCSC issues “code of practice” for software makers

 

The document is structured around four core principles software vendors should follow:

  • Adopt secure design and development by, for example, establishing and following a secure development framework and understanding their software products’ components.
  • Secure build environments to protect the software’s integrity and quality by, for example, preventing unauthorized access to the build environment.
  • Ensure products remains secure after deployment by, for example, adopting a vulnerability disclosure process; detecting and managing vulnerabilities; and releasing timely updates and patches.
  • Provide the necessary information to customers for effective risk and incident management.

The “Code of Practice for Software Vendors” also includes implementation guidance for its best practices and recommendations.

For more information about the security of commercial software products:

2 - How are banks using AI? The U.S. gov’t wants to know

What obstacles to responsible use of artificial intelligence (AI) do financial institutions face? How is AI impacting their operations? And when banks use AI, how does that affect their consumer and corporate customers, as well as their investors and other third parties?

These are some of the questions the U.S. Treasury Department is seeking answers to. To that end, it has issued a formal request for information about how the financial services sector is using AI.

 

How are banks using AI? The U.S. gov’t wants to know

 

If you want to contribute to this fact-finding effort, check out the formal document titled “Request for Information on Uses, Opportunities, and Risks of Artificial Intelligence in the Financial Services Sector” and add your comment on the Regulations.gov website.

“Treasury is seeking a broad range of perspectives on this topic and is particularly interested in understanding how AI innovations can help promote a financial system that delivers inclusive and equitable access to financial services,” reads a Treasury Department statement.

For more information about AI usage trends in the financial services sector:

3 - Insurer: Cyber claims hit all-time high in 2023

Looking for insights about how the cyber insurance market is evolving? Data released by insurance broker Marsh McLennan offers interesting clues about this dynamic market.

For starters, the 1,800-plus claims submitted by its U.S. and Canadian customers in 2023 were a record for Marsh McLennan. Drivers included the growing sophistication of attacks, the exploitation of the MOVEit Transfer vulnerabilities, privacy-related claims and an increase in cyber insurance customers. 

Unsurprisingly, ransomware remains top-of-mind for insurance companies and for their customers, although it accounted for under 20% of total claims. Ransomware concern centers on its potential for significant financial losses, reputation harm, lost sales, litigation costs, regulatory scrutiny and more, according to the insurer.

More interesting data points include:

  • About 1 in 5 Marsh cyber customers filed a claim last year, a rate that’s remained consistent over the past five years.
  • The hardest hit industries in 2023 were healthcare, communications, retail/wholesale, financial services and education.
  • The median cost of breach responses was $160,000 and the average was $1 million

Also of note, the percentage of organizations paying ransoms remains on a downward trend.

Cyber claims hit all-time high in 2023

(Source: Marsh McLennan, June 2024)

Ultimately, it’s key for organizations to continually boost their cybersecurity strategy and controls.

“Organizations’ cyber resilience strategy should incorporate a view of cyber risk across the enterprise, including its potential economic and operational impact and taking account of cybersecurity at vendors and other third parties,” reads a Marsh McLennan statement.

To learn more about cyber insurance, check out these Tenable resources:

4 - Tenable takes pulse on GenAI app usage policies

With generative AI adoption on fire in the enterprise, Tenable took the opportunity to poll attendees at several of our webinars this month about this topic. Specifically, we asked them whether their organizations have crafted usage policies for generative AI applications. Check out the results!

Tenable takes pulse on GenAI app usage policies

(377 webinar attendees polled by Tenable, June 2024)

For more information about this topic:

5 - U.S. can only fill 85% of cyber jobs with current workforce

The U.S. needs more than 220,000 new cybersecurity pros to close its cyber talent gap. Currently, the U.S. has enough cyber workers to fill 85% of cybersecurity jobs.

That’s according to CyberSeek, which provides data about the cybersecurity job market. It’s a joint initiative between the National Institute of Standards and Technology’s NICE program; Lightcast; and CompTIA.

“Although demand for cybersecurity jobs is beginning to normalize to pre-pandemic levels, the longstanding cyber talent gap persists,” Will Markow, vice president of applied research at Lightcast, said in a CompTIA statement about the CyberSeek data.

To address the skills gap, employers should try training less experienced cybersecurity pros to perform advanced jobs, as well as consider candidates who have cybersecurity expertise but who only have a professional certification, according to CompTIA.

Other interesting insights include:

  • Between May 2023 and April 2024, U.S. employers posted almost 470,000 cybersecurity jobs, down 29% from the same period the year prior. By comparison, job postings for all tech positions declined 37%.
  • Currently, 1.2 million people hold cybersecurity jobs in the U.S., a number that’s been growing for years.
  • Cybersecurity skills are evolving quickly as hackers craft new types of attacks.

For more information about the cyber skills shortage in the U.S. and globally:

6 - CIS updates Benchmarks for AWS, Google, Microsoft products

The Center for Internet Security has announced the latest batch of updates for its popular CIS Benchmarks, including new secure-configuration recommendations for Amazon Elastic Kubernetes Service, Google Container-Optimized OS and Microsoft SQL Server.

Specifically, these CIS Benchmarks were updated in May:

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.5.0
  • CIS Google Container-Optimized OS Benchmark v1.2.0
  • CIS Google Workspace Foundations Benchmark v1.2.0
  • CIS Microsoft SQL Server 2019 Benchmark v1.4.0
  • CIS Microsoft Windows 10 EMS Gateway Benchmark v3.0.0
  • CIS Microsoft Windows 11 Stand-alone Benchmark v3.0.0
  • CIS Microsoft Windows Server 2019 Benchmark v3.0.1
  • CIS Oracle Cloud Infrastructure Container Engine for Kubernetes (OKE) Benchmark v1.5.0
  • CIS Palo Alto Firewall 10 Benchmark v1.2.0
  • CIS Palo Alto Firewall 11 Benchmark v1.1.0

 

CIS updates Benchmarks for AWS, Google, Microsoft products


In addition, CIS released brand new Benchmarks for Apple’s macOS 12, macOS 13 and macOS 14 running in a cloud environment.

CIS Benchmarks are secure-configuration guidelines for hardening products against attacks. Currently, CIS offers more than 100 Benchmarks for 25-plus vendor product families. There are Benchmarks for cloud platforms; databases; desktop and server software; mobile devices; operating systems; and more.

To get more details, read the CIS blog “CIS Benchmarks June 2024 Update.” For more information about the CIS Benchmarks list, check out its home page, as well as:


Viewing all articles
Browse latest Browse all 1935

Trending Articles