Security Boulevard

via the inimitable Daniel Stori at Turnoff.US!

Permalink

The post Daniel Stori’s Turnoff.US: ‘bash-gptl’ appeared first on Security Boulevard.

Authors/Presenters:Rob Sherwood, Jinghao Shi, Ying Zhang, Neil Spring, Srikanth Sundaresan, Jasmeet Bagga, Prathyusha Peddi, Vineela Kukkadapu, Rashmi Shrivastava, Manikantan KR, Pavan Patil, Srikrishna Gopu, Varun Varadan, Ethan Shi, Hany Morsy, Yuting Bu, Renjie Yang, Rasmus Jönsson, Wei Zhang, Jesus Jussepen Arredondo, Diana Saha, Sean Choi

Our sincere thanks to USENIX, and the Presenters & Authors for publishing their superb 21st USENIX Symposium on Networked Systems Design and Implementation (NSDI '24) content, placing the organizations enduring commitment to Open Access front and center. Originating from the conference’s events situated at the Hyatt Regency Santa Clara; and via the organizations YouTube channel.

Permalink

The post USENIX NSDI ’24 – Netcastle: Network Infrastructure Testing At Scale appeared first on Security Boulevard.

Over the past decade, the world of open source software has undergone a seismic transformation, both in terms of its scale and challenges.

The post The transformation of open source: Lessons from the past decade appeared first on Security Boulevard.

Like most businesses, banks are facing a highly competitive future built on digital services. To succeed, they must modernize their IT infrastructure to deliver the experiences that customers now demand, without incurring the wrath of regulators. Yet the wealth of sensitive information managed by financial services firms ensures the sector remains a popular target for state-backed and criminally motivated threat actors.

The post Celebrating Excellence in Financial Services appeared first on Security Boulevard.

The U.S. Army is developing a cloud environment called N-CODE that will give smaller businesses access to the security technologies they need to meet stringent DoD cybersecurity requirements and compete for defense contracts.

The post Army Cloud Program to Help SMBs Meet DoD Cyber Requirements appeared first on Security Boulevard.

Check out invaluable cloud security insights and recommendations from the “Tenable Cloud Risk Report 2024.” Plus, a PwC study says increased collaboration between CISOs and fellow CxOs boosts cyber resilience. Meanwhile, a report finds the top cyber skills gaps are in cloud security and AI. And get the latest on SBOMs; CIS Benchmarks; and cyber pros’ stress triggers.

Dive into six things that are top of mind for the week ending Oct. 18.

1 - Tenable: Riskiest cloud workloads present in 38% of orgs

Almost 40% of global organizations have cloud workloads that put them at the highest risk of attack — an alarmingly high percentage. That’s according to the new “Tenable Cloud Risk Report 2024,” which is based on an analysis of billions of cloud resources scanned through the Tenable Cloud Security platform. 

Specifically, 38% of organizations have at least one cloud workload that suffers from the “toxic triad” of cloud risks: publicly exposed; critically vulnerable; and highly privileged. Those are the three major vectors that organizations must take into account in order to properly assess a cloud workload’s risk level and potential vulnerability impact.

“Securing cloud workloads is about much more than scanning for vulnerabilities,” reads the report, whose telemetry data was collected during the first six months of 2024.

(Source: “Tenable Cloud Risk Report 2024,” October 2024)

Cloud workloads with the “toxic triad” represent “a perfect storm of exposure for cyberattackers to target,” according to a Tenable statement.

“When bad actors exploit these exposures, incidents commonly include application disruptions, full system takeovers, and DDoS attacks that are often associated with ransomware,” the statement reads.

Other key findings include:

• 84% of organizations have risky access keys
• 23% of cloud identities have critical or high severity excessive permissions
• 80% of cloud workloads have an unremediated critical CVE
• 74% of organizations have publicly exposed cloud storage

The 28-page report also offers mitigation guidance aimed at helping organizations limit their cloud exposures.

To get more details, check out:

• The Tenable Cloud Risk Report 2024
• The report’s announcement “Tenable Cloud Risk Report Sounds the Alarm on Toxic Cloud Exposures Threatening Global Organizations”
• The blog "Cloud Workload Protection: The Key to Decreasing Cloud Security Risks"
• The video “Tenable Cloud Risk Report 2024: Toxic cloud triad”

2 - PwC: C-suite disconnect hurting cyber resilience

For global enterprises to boost their cyber resilience, CISOs and their C-suite peers need to collaborate more closely, and CISOs should be more looped into their organizations’ business strategy, according to PwC’s “2025 Global Digital Trust Insights” global survey, which polled about 4,000 business and tech executives.

“To safeguard their organisations, executives should treat cybersecurity as a standing item on the business agenda, embedding it into every strategic decision and demanding C-suite collaboration,” reads a report summary.

Among the barriers to cyber resilience identified in the report are:

• Only 2% of respondents said their organization has adopted cyber resilience measures across all areas included in the survey.
• Organizations feel most vulnerable to the threats that worry them the most, including cloud risks, hack-and-leak attacks and third-party breaches.
• Less than 50% of respondents say their organizations’ CISOs are involved “to a large extent” with strategic planning, reporting to the board and overseeing tech deployments.
• Only 15% of surveyed organizations are able to comprehensively measure the financial impact of cyber risks.

“All of this points to the need for better C-suite collaboration and strategic investment to strengthen cyber resilience,” reads the report summary.

For their part, CISOs can contribute by providing “tech-enabled insights” and by explaining cybersecurity priorities using business metrics, such as costs, opportunities and risk.

For more information about CISO trends:

• “6 ways the CISO role is evolving today” (CSO)
• “Why the CISO role is so demanding – and how leaders can help” (IT Pro)
• “How to land a corporate board seat as a CISO” (TechTarget)
• “How to ensure cybersecurity strategies align with the company’s risk tolerance” (CSO)
• “CISOs Struggle for C-Suite Status Even as Expectations Skyrocket” (Dark Reading)

3 - Report: Biggest cyber skills gaps are in cloud sec, AI threats

When it comes to hiring cybersecurity professionals, it’s particularly difficult to find qualified candidates skilled in securing cloud environments and in mitigating risks introduced by AI usage.

That’s one major finding in O’Reilly’s “2024 State of Security Survey,” which polled about 1,300 tech professionals, including 419 members of security teams, in August of this year.

As companies ramped up their cloud adoption, many downplayed the need to beef up their cloud security expertise. “That’s finally changed, and as a result, we’re seeing a serious shortage of experts in cloud security,” the report reads.

A similar thing has happened with AI, except more abruptly, after the release of OpenAI’s ChatGPT in late 2022. “Everyone, including the security community, was blindsided — both by the possibilities and by the risks,” the report reads.

“Our global survey underscores a security landscape in flux, with critical skills gaps emerging in AI and cloud security,” said Laura Baldwin, president of O’Reilly, in a statement. 

Given this reality, organizations must amp up “continuous, high-quality training,” seeing it as essential, not optional. “Organizations must prioritize ongoing upskilling to stay ahead of evolving risks and build robust defenses,” Baldwin said.

Top security skills shortages (as cited by percentage of security team members)

(Source: O’Reilly’s “2024 State of Security Survey,” October 2024)

Other findings from the 36-page report include:

• The top cybersecurity projects for the next year are the adoption of AI-enabled security tools, cited by 34%; and of security automation wares (28.8%).
• Phishing is respondents’ top security concern, cited by 55%, followed by network intrusion and ransomware.
• About 41% of security team members lack security certifications, although they are an employment requirement in more than half of organizations surveyed.
• Security awareness training ranked as the most important factor for improving the security posture of an organization, topping increased staffing and better security tools.

To get more details, read:

• The full “2024 State of Security Survey” report from O’Reilly
• The report’s announcement “O’Reilly 2024 State of Security Survey Reveals Critical AI Skills Gap as Organizations Grapple with Evolving Cyber Threats”

For more information about recruiting cybersecurity professionals:

• “Cybersecurity skills gap: Why it exists and how to address it” (TechTarget)
• “Cybersecurity Hiring: How to Overcome Talent Shortages and Skills Gaps” (Tech Republic)
• “Navigating the Cybersecurity Skills Gap” (Robert Half)
• “To fill cybersecurity skills gaps, experts look to novel measures” (Cybersecurity Dive)
• “IT Security Hiring Must Adapt to Skills Shortages” (InformationWeek)

4 - ISACA: Cyber pros getting older, more stressed out

Cybersecurity professionals are collectively getting older and feeling heightened pressure at work, as they grapple with an increase in the number and sophistication of cyberattacks, according to ISACA’s “State of Cybersecurity 2024” report, based on a survey of about 1,800 cybersecurity professionals.

Specifically, this is the first time in the report’s 10-year history that the majority of respondents (34%) are between the ages of 45 and 54. The percentage of respondents under the age of 34 stayed the same as last year.

“The current cybersecurity practitioners are aging, and the efforts to increase staffing with younger professionals are making little progress. Left unchecked, this situation will create business continuity issues in the future,” the report reads.

Meanwhile, 66% of respondents said they’re more stressed out at work today than they were five years ago. They attributed the growing work aggravation to various factors, including:

• A more complex threat landscape, cited by 81%
• Insufficient budget (45%) and trained staff (45%)
• Increased difficulty hiring and retaining (45%)
• Improper prioritization of cyber risks (34%)

Regarding attack frequency, 55% of surveyed organizations reported suffering more attacks than a year prior, a jump of 7 percentage points over last year’s report. The most common types of attacks were social engineering; malware; denial of service; and compromise of unpatched systems.

Year-over-Year Comparison of Cybersecurity Attack Reporting

(Source: ISACA’s “State of Cybersecurity 2024” report, October 2024)

When asked to list the security skills their organizations need the most, these ranked as the top five:

• Data protection (46%)
• Identity and access management (45%)
• Incident response (44%)
• Cloud computing (43%)
• Threat detection (31%)

To get more details, check out:

• The full “State of Cybersecurity 2024” report
• The report’s announcement “Nearly Two-thirds of Cybersecurity Pros Say Job Stress Is Growing, According to New ISACA Research”
• The ISACA article “Stress Levels on the Rise for Cybersecurity Professionals”

For more information about helping cybersecurity pros manage work-related stress:

• “How training and recognition can reduce cybersecurity stress and burnout” (CSO)
• “The Psychology of Cybersecurity Burnout” (Information Week)
• “Battling Burnout: A Growing Concern for CISOs and Security Professionals” (Secureworld)
• “How to strengthen cybersecurity teams in a high-stress era” (Security Magazine)
• “Are cybersecurity professionals OK?” (Cybersecurity Dive)

5 - CISA updates SBOM guidance, clarifies SBOM attributes

If you’re looking to learn more about software bills of materials (SBOMs), CISA has just updated a document that offers foundational guidance about these software inventories, such as what they are and how to implement them.

The document, titled “Framing Software Component Transparency,” was last updated in 2021. This new version revises and expands the topic of SBOM attributes, which are used to identify SBOM components.

In theory, SBOMs help boost your software supply chain security by listing all ingredients in a software product, such as an application. Their purpose is to provide granular visibility into all software components in your environment. Thus, an SBOM should help you locate all instances of a component with a newly disclosed flaw, such as a critical vulnerability — as happened with the Log4j utility in late 2021.

However, the software industry is still working through complex SBOM-related challenges in areas including standards, data comprehensiveness, and interoperability.

The new edition of “Framing Software Component Transparency” zeroes in on the challenge of “universally identifying and defining certain aspects of software components.”

Specifically, the CISA guidance states the need to:

• Establish a minimum set of baseline attributes for identifying components “with sufficient relative uniqueness.”
• Identify optional attributes beyond the baseline ones.
• Correlate SBOMs with third-party sources for analysis purposes.

“This document establishes a minimum expectation for creating a baseline SBOM that outlines the minimum amount of information required to support basic and essential features,” the guidance reads.

For more information about SBOMs:

• “How Our Business Complies with SBOM Recommendations” (DevProJournal)
• “US Government and OpenSSF Partner on New SBOM Management Tool” (Infosecurity Magazine)
• “How to create an SBOM, with example and template” (TechTarget)
• “SBOMs – Software Supply Chain Security’s Future or Fantasy?” (SecurityWeek)
• “SBOMs and security: What IT and DevOps need to know” (TechTarget)

VIDEOS

Building and Scaling SBOM Programs: Navigating the Challenges for Effective Risk Management (SANS)

An SBOM Primer (The Linux Foundation)

6 - CIS updates Benchmarks for AWS, Google and Microsoft products

AWS Foundations. Google Kubernetes Engine. Microsoft Azure Foundations. Those are some of the CIS Benchmarks updated in September by the Center for Internet Security.

Specifically, these CIS Benchmarks were updated:

• CIS Amazon Web Services Foundations Benchmark v4.0.0
• CIS Debian Linux 12 Benchmark v1.1.0
• CIS Google Kubernetes Engine (GKE) Benchmark v1.6.1
• CIS Kubernetes Benchmark v1.10.0
• CIS Microsoft Azure Foundations Benchmark v3.0.0

In addition, CIS added a new Benchmark for IBM AIX 7.

 

 

The CIS Benchmarks’ secure-configuration guidelines are intended to help you harden products against attacks. Currently, CIS offers more than 100 Benchmarks for 25-plus vendor product families. There are CIS Benchmarks for cloud platforms; databases; desktop and server software; mobile devices; operating systems; and more.

To get more details, read the CIS blog “CIS Benchmarks October 2024 Update.” For more information about the CIS Benchmarks list, check out its home page, as well as:

• “Getting to Know the CIS Benchmarks” (CIS)
• “Security Via Consensus: Developing the CIS Benchmarks” (Dark Reading)
• “How to Unlock the Security Benefits of the CIS Benchmarks” (Tenable)
• “CIS Benchmarks Communities: Where configurations meet consensus” (Help Net Security)
• “CIS Benchmarks: DevOps Guide to Hardening the Cloud” (DevOps)

The post Cybersecurity Snapshot: Tenable Report Warns About Toxic Cloud Exposures, as PwC Study Urges C-Suite Collaboration for Stronger Cyber Resilience appeared first on Security Boulevard.

Insight #1: Data breach costs are climbing

According to IBM’s latest Cost of a Data Breach report, data breach costs have risen 39.4% over the past decade and are now at almost $5 million per breach. We should make sure our cybersecurity insurance falls in line with these numbers.

 

Insight #2: Ditto for open-source nasties in repos

According to a new report, the number of malicious packages uploaded to open-source repositories has increased 150% in the last year. Security of the supply chain is still a major problem, and the malicious actors are now trying to take advantage of this even more. What are you doing to secure your supply chain?

  Insight #3: Stressed-out security leaders are turning to drugs & booze

The pressures of the modern workplace are driving an alarming number of security leaders to turn to substance abuse as a coping mechanism. Long hours, constant demands and the struggle to maintain work-life bala+nce are taking a significant toll. Prioritizing well-being is crucial. Incorporate stress-reducing activities into your day, such as exercise or mindfulness practices, and ensure you take adequate time off to prevent burnout.

The post Cybersecurity Insights with Contrast CISO David Lindner | 10/18/24 appeared first on Security Boulevard.

There are growing concerns among chief information security officers (CISOs) about the evolving demands of their role, with 84% advocating for a split into separate technical and business-focused positions. The Trellix and Vanson Bourne survey of 5,000 CISOs and IT security leaders found that as cybersecurity threats grow more complex and regulatory frameworks expand, there..

The post CISOs Concerned Over Growing Demands of Role appeared first on Security Boulevard.

Passwordless authentication for end users is taking the world by storm, offering organizations and individuals alike unprecedented security, user experience, and efficiency benefits. By all indications, the next generation of authentication for end users has finally arrived, sending the password the way of the dodo.  Although they don’t get anywhere near the same hype, advanced [...]

The post Beyond Passwords: Advanced API Authentication Strategies for Enhanced Security appeared first on Wallarm.

The post Beyond Passwords: Advanced API Authentication Strategies for Enhanced Security appeared first on Security Boulevard.

Protecting digital identities is essential for individuals and organizations in a world where cyberattacks are becoming more sophisticated and frequent. If anything has proven to boost security massively, it has to be the proper utilization of Multi-Factor Authentication (MFA). While traditional password protection can easily be attacked through phishing, credential stuffing, and brute force, MFA […]

The post Understanding the Importance of MFA: A Comprehensive Guide first appeared on StrongBox IT.

The post Understanding the Importance of MFA: A Comprehensive Guide appeared first on Security Boulevard.

Mastering CentOS commands can help you effectively manage CentOS systems, perform common tasks, and troubleshoot issues. Process management is streamlined using commands like ps and top, which help monitor and troubleshoot system performance in real time. Each command is described with clear explanations, making it easy to understand their purpose and usage. CentOS, a popular […]

The post How to Master CentOS Commands: The Ultimate Cheat Sheet appeared first on TuxCare.

The post How to Master CentOS Commands: The Ultimate Cheat Sheet appeared first on Security Boulevard.

In the most recent US crackdown with Microsoft a total of 107 Russian domains have been seized. Reports claim that these domains were mainly used by state sponsored threat actors for malicious purposes. In this article, we’ll dive into the details of the US crackdown, the threat actor behind the malicious initiatives, and more. Let’s […]

The post US Crackdown With Microsoft: Over 100 Russian Domains Seized appeared first on TuxCare.

The post US Crackdown With Microsoft: Over 100 Russian Domains Seized appeared first on Security Boulevard.

Automated browser detection has changed dramatically throughout the years as bot developers seek easier ways to bypass detection, and bot protection vendors find new ways to identify and stop bots.

The post The Evolution of Automated Browser Detection: A Cat & Mouse Game appeared first on Security Boulevard.

A critical vulnerability (CVE-2024-9381) in Ivanti’s Cloud Services Appliance allows attackers to bypass security measures and execute arbitrary code.  Affected Platform  CVE-2024-9381 impacts Ivanti’s Cloud Services Appliance (CSA), a critical component used in secure remote access for enterprise environments, affecting CSA versions prior to the latest patch. Ivanti CSA provides a secure bridge for cloud...

The post CVE-2024-9381 – Ivanti CSA Security Vulnerability – October 2024 appeared first on TrueFort.

The post CVE-2024-9381 – Ivanti CSA Security Vulnerability – October 2024 appeared first on Security Boulevard.

The post Life in the Swimlane with Abby Shapiro, Customer Success Manager   appeared first on AI-enhanced Security Automation.

The post Life in the Swimlane with Abby Shapiro, Customer Success Manager   appeared first on Security Boulevard.

Remember when we were bracing ourselves for 90-day certificates?  That shift felt like a game-changer, yet here we are, with a new curveball: 45-day certificates are making their way into the mix. It wasn’t too long ago that speculation around Apple’s influence hinted at the possibility of even shorter cert lifespans. Fast forward, and the […]

The post 45-Day Certs? You’ve Got No Time to Lose! first appeared on Accutive Security.

The post 45-Day Certs? You’ve Got No Time to Lose! appeared first on Security Boulevard.

Dive into the world of product-led onboarding for B2B SaaS. This guide explores key strategies and best practices to create an engaging and effective onboarding experience that turns new users into power users. Learn how to optimize user journeys, reduce churn, and drive product adoption.

The post Mastering Product-led Onboarding in B2B SaaS: A Comprehensive Guide appeared first on Security Boulevard.

Good cyber defense involves more than blocking and tackling. Without visibility into what’s happening, where and by whom, enterprises are hard-pressed to maintain solid protection of systems, networks and data. One area where visibility falls short of what you need is the application layer. This obscurity has given rise to a groundbreaking new breed of must-have detection and response solutions: Application Detection and Response (ADR). 

The post ADR Provides Application Visibility for CISOs | Closing Application Layer Gap | Contrast Security appeared first on Security Boulevard.

The World Economic Forum is advocating a shift in security thinking from secure by design to resilience by design in the face of the rapid development and expanding connectivity of emerging technologies like AI, quantum computing, and the Internet of Things.

The post World Economic Forum: AI, Quantum Require ‘Paradigm Shift’ in Security appeared first on Security Boulevard.

Authors/Presenters:Chenyang Zhao, Yuebin Guo, Jingyu Wang, Qi Qi, Zirui Zhuang, Haifeng Sun, Lingqi Guo, Yuming Xie, Jianxin Liao

Our sincere thanks to USENIX, and the Presenters & Authors for publishing their superb 21st USENIX Symposium on Networked Systems Design and Implementation (NSDI '24) content, placing the organizations enduring commitment to Open Access front and center. Originating from the conference’s events situated at the Hyatt Regency Santa Clara; and via the organizations YouTube channel.

The post USENIX NSDI ’24 – EPVerifier: Accelerating Update Storms Verification with Edge-Predicate appeared first on Security Boulevard.