Tenable Blog

Fortinet patched a zero day authentication bypass vulnerability in FortiOS and FortiProxy that has been actively exploited in the wild as a zero-day since November 2024.

On January 14, Fortinet released a security advisory (FG-IR-24-535) addressing a critical severity vulnerability impacting FortiOS and FortiProxy.

CVE-2024-55591 is an authentication bypass vulnerability in FortiOS and FortiProxy. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to a Node.js websocket module. Successful exploitation may grant an attacker super-admin privileges on a vulnerable device. According to the Fortinet advisory, this vulnerability has been exploited in the wild.

Zero Day Campaign May Have Been Active Since November

Researchers at Arctic Wolf published a blog post on January 10 detailing a campaign first observed in mid-November 2024 of suspicious activity related to the exploitation of a zero-day vulnerability, which is presumed to be CVE-2024-55591. Arctic Wolf Labs details four distinct phases of the campaign that were observed against Fortinet FortiGate firewall devices; scanning, reconnaissance, SSL VPN configuration and lateral movement. For more information on the observations of this campaign, we recommend reviewing its blog post.

At the time this blog was published, the Fortinet advisory did not credit Arctic Wolf with the discovery of CVE-2024-55591. However, the indicators of compromise (IoCs) listed in the Fortinet advisory overlap with the report from Arctic Wolf.

Historical exploitation of Fortinet FortiOS and FortiProxy

Fortinet FortiOS and FortiProxy have been targeted by threat actors previously, including targeting by advanced persistent threat (APT) actors. We’ve written about several noteworthy Fortinet flaws since 2019, including flaws impacting SSL VPNs from Fortinet and other vendors:

CVE-2022-42475: Fortinet Patches Zero Day in FortiOS SSL VPNs

AA23-250A: Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475

At the time this blog post was published, there were no public proof-of-concept exploits for CVE-2024-55591.

Fortinet published its security advisory (FG-IR-24-535) on January 14 to address this vulnerability. The advisory also contains IoCs and workaround steps that can be utilized if immediate patching is not feasible. Fortinet has released the following patches for FortiOS and FortiProxy.

Fortinet also released several additional security advisories on January 14 for vulnerabilities affecting FortiOS and FortiProxy:

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2024-55591 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Additionally, customers can utilize Tenable Attack Surface Management to identify public facing Fortinet assets:

• Fortinet FG-IR-24-535 Security Advisory
• Arctic Wolf Blog - Console Chaos: A Campaign Targeting Publicly Exposed Management Interfaces on Fortinet FortiGate Firewalls

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

1. 10Critical
2. 147Important
3. 0Moderate
4. 0Low

Microsoft addresses 157 CVEs in the first Patch Tuesday release of 2025 and the largest Patch Tuesday update ever with three CVEs exploited in the wild, and five CVEs publicly disclosed prior to patches being made available.

Microsoft patched 157 CVEs in its January 2025 Patch Tuesday release, with 10 rated critical and 147 rated as important. Our counts omitted two vulnerabilities, one reported by GitHub and another reported by CERT/CC. To date, the January 2025 Patch Tuesday release is the largest ever from Microsoft.

This month’s update includes patches for:

• .NET
• .NET and Visual Studio
• .NET,.NET Framework, Visual Studio
• Active Directory Domain Services
• Active Directory Federation Services
• Azure Marketplace SaaS Resources
• BranchCache
• IP Helper
• Internet Explorer
• Line Printer Daemon Service (LPD)
• Microsoft AutoUpdate (MAU)
• Microsoft Azure Gateway Manager
• Microsoft Brokering File System
• Microsoft Digest Authentication
• Microsoft Graphics Component
• Microsoft Office
• Microsoft Office Access
• Microsoft Office Excel
• Microsoft Office OneNote
• Microsoft Office Outlook
• Microsoft Office Outlook for Mac
• Microsoft Office SharePoint
• Microsoft Office Visio
• Microsoft Office Word
• Microsoft Purview
• Microsoft Windows Search Component
• Power Automate
• Reliable Multicast Transport Driver (RMCAST)
• Visual Studio
• Windows BitLocker
• Windows Boot Loader
• Windows Boot Manager
• Windows COM
• Windows Client-Side Caching (CSC) Service
• Windows Cloud Files Mini Filter Driver
• Windows Connected Devices Platform Service
• Windows Cryptographic Services
• Windows DWM Core Library
• Windows Digital Media
• Windows Direct Show
• Windows Event Tracing
• Windows Geolocation Service
• Windows Hello
• Windows Hyper-V NT Kernel Integration VSP
• Windows Installer
• Windows Kerberos
• Windows Kernel Memory
• Windows MapUrlToZone
• Windows Mark of the Web (MOTW)
• Windows Message Queuing
• Windows NTLM
• Windows OLE
• Windows PrintWorkflowUserSvc
• Windows Recovery Environment Agent
• Windows Remote Desktop Services
• Windows SPNEGO Extended Negotiation
• Windows Security Account Manager
• Windows Smart Card
• Windows SmartScreen
• Windows Telephony Service
• Windows Themes
• Windows UPnP Device Host
• Windows Virtual Trusted Platform Module
• Windows Virtualization-Based Security (VBS) Enclave
• Windows WLAN Auto Config Service
• Windows Web Threat Defense User Service
• Windows Win32K - GRFX

Remote code execution (RCE) vulnerabilities accounted for 36.9% of the vulnerabilities patched this month, followed by elevation of privilege (EoP) vulnerabilities at 25.5%.

CVE-2025-21333, CVE-2025-21334 and CVE-2025-21335 are EoP vulnerabilities in the Windows Hyper-V NT Kernel Integration Virtualization Service Provider (VSP). All three vulnerabilities were assigned a CVSSv3 score of 7.8 and rated important. An authenticated, local attacker could exploit this vulnerability to elevate privileges to SYSTEM. Two of the three vulnerabilities were unattributed, with CVE-2025-21333 being attributed to an Anonymous researcher.

According to Microsoft all three vulnerabilities were exploited in the wild as zero-days. No specific details about the in-the-wild exploitation were public at the time this blog post was released.

CVE-2025-21186, CVE-2025-21366 and CVE-2025-21395 are RCE vulnerabilities in Microsoft Access, a database management system. All three vulnerabilities were assigned a CVSSv3 score of 7.8 and rated important. A remote, unauthenticated attacker could exploit this vulnerability by convincing a target through social engineering to download and open a malicious file. Successful exploitation would grant an attacker arbitrary code execution privileges on the vulnerable system. This update “blocks potentially malicious extensions from being sent in an email.”

According to Microsoft, these three vulnerabilities were publicly disclosed prior to a patch being available (zero-days). They are attributed to Unpatched.ai, which uses artificial intelligence (AI) to “help find and analyze” vulnerabilities.

CVE-2025-21308 is a spoofing vulnerability affecting Windows Themes. This vulnerability received a CVSSv3 score of 6.5 and was publicly disclosed prior to a patch being made available. According to Microsoft, successful exploitation requires an attacker to convince a user to load a malicious file, then convince the user to “manipulate the specially crafted file.” Microsoft has provided a list of mitigations including disabling New Technology LAN Manager (NTLM) or using group policy to block NTLM hashes. For more information on the mitigation guidance, please refer to the Microsoft advisory.

CVE-2025-21275 is an EoP vulnerability in the Microsoft Windows App Package Installer. It was assigned a CVSSv3 score of 7.8 and is rated important. A local, authenticated attacker could exploit this vulnerability to obtain SYSTEM privileges. These types of flaws are often associated with post-compromise activity, after an attacker has breached a system through other means.

According to Microsoft, this vulnerability was publicly disclosed prior to a patch being available. It is attributed to an Anonymous researcher.

CVE-2025-21297 and CVE-2025-21309 are critical RCE vulnerabilities affecting Windows Remote Desktop Services. Both of these vulnerabilities were assigned CVSSv3 scores of 8.1, however CVE-2025-21309 was assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index, while CVE-2025-21297 was assessed as “Exploitation Less Likely.”

According to Microsoft, successful exploitation of these flaws requires an attacker to connect to a system with the Remote Desktop Gateway role and trigger a race-condition that creates a use-after-free scenario which can be leveraged to execute arbitrary code.

CVE-2025-21298 is a RCE vulnerability in Microsoft Windows Object Linking and Embedding (OLE). It was assigned a CVSSv3 score of 9.8 and is rated critical. It has been assessed as “Exploitation More Likely.” An attacker could exploit this vulnerability by sending a specially crafted email to a target. Successful exploitation would lead to remote code execution on the target system if the target opens this email using a vulnerable version of Microsoft Outlook or if their software is able to preview the email through a preview pane.

Microsoft’s advisory for this vulnerability recommends configuring Microsoft Outlook to read email messages “in plain text format” instead of a rich format that will display other types of content, such as photos, animations or specialized fonts. To configure Outlook in this way, please refer to the following article, Read email messages in plain text.

A list of all the plugins released for Microsoft’s January 2025 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

• Microsoft's January 2025 Security Updates
• Tenable plugins for Microsoft January 2025 Patch Tuesday Security Updates

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Ivanti disclosed two vulnerabilities in its Connect Secure, Policy Secure and Neurons for ZTA gateway devices, including one flaw that was exploited in the wild as a zero-day.

Update January 16: The Proof-of-concept section has been updated to highlight the availability of a public proof-of-concept exploit for CVE-2025-0282.

View Change Log

On January 8, Ivanti published a security advisory for two vulnerabilities affecting multiple products including Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for Zero Trust Access (ZTA) gateways:

CVE-2025-0282 is a stack-based buffer overflow vulnerability in Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA gateways. An unauthenticated, remote attacker that successfully exploits this flaw would obtain remote code execution on a vulnerable device.

CVE-2025-0283 is also a stack-based buffer overflow in Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA gateways. Unlike CVE-2025-0282, a local, authenticated attacker that successfully exploits this flaw would be able to elevate privileges on a vulnerable device.

In-the-wild exploitation observed for CVE-2025-0282

In a blog post, Ivanti confirmed that they have observed in-the-wild exploitation of CVE-2025-0282 in “a limited number of customers” of Ivanti Connect Secure devices. They reiterate that they have not observed exploitation against Ivanti Policy Secure or Neurons for ZTA gateways.

On-going investigation reveals preliminary insight into malicious activity

On January 8, researchers at Google Mandiant published a blog post outlining their preliminary findings related to the in-the-wild exploitation of CVE-2025-0282. While the researchers have yet to link the attacks to any particular advanced persistent threat (APT) group or cluster, they have identified several malware samples on compromised systems, including the SPAWN ecosystem of malware (e.g. SPAWNANT, SPAWNMOLE and PAWNSNAIL) as well as newly discovered malware such as a credential harvesting tool called DRYHOOK and a dropper called PHASEJAM. For more information, please visit the Google Mandiant blog.

Historical exploitation of Ivanti Connect Secure

Ivanti Connect Secure, formerly known as Pulse Connect Secure, has been frequently targeted by attackers of all types, including advanced persistent threat (APT) groups as well as ransomware affiliates and opportunistic cybercriminals.

Because of the historical exploitation of these devices, customers are strongly advised to apply the available patch for these flaws as soon as possible.

On January 16, researchers at watchTowr released a public proof-of-concept (PoC) exploit for CVE-2025-0282 on GitHub. The GitHub repository notes that the PoC is "broken in non-trivial ways" adding that it will "require effort to work." It also points to watchTowr's technical write-up, Exploitation Walkthrough and Techniques - Ivanti Connect Secure RCE (CVE-2025-0282) on its blog.

Ivanti has released the following patches for Connect Secure, Policy Secure and Neurons for ZTA Gateways.

Ivanti customers can utilize its Integrity Checker Tool (ICT) to identify exploitation of CVE-2025-0282.

For Connect Secure customers, Ivanti recommends performing a factory reset of devices prior to upgrading to version 22.7R2.5 “out of an abundance of caution” for those with clean ICT scan results and to “ensure any malware is removed” where ICT results “show signs of compromise.”

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2025-0282 and CVE-2025-0283 as they’re released. These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Tenable Attack Surface Management customers are able to quickly identify these assets by leveraging the built in subscription labeled Ivanti Connect Secure (ICS) - v1.

• Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-0282, CVE-2025-0283)
• Security Update: Ivanti Connect Secure, Policy Secure and Neurons for ZTA Gateways

Update January 16: The Proof-of-concept section has been updated to highlight the availability of a public proof-of-concept exploit for CVE-2025-0282.

Update January 9: The Analysis section has been updated to include preliminary details from Mandiant's on-going investigation into these attacks.

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

It is with profound sadness that we share the news of the passing of our beloved CEO Amit Yoran on January 3. Amit was not only a visionary leader but also a guiding force who profoundly impacted our industry, our company, our culture and our community.

Amit Yoran, chairman and CEO of Tenable, died on January 3

Under Amit's leadership, Tenable achieved significant milestones and he inspired each one of us with his dedication, passion and commitment to make a difference. Amit leaves behind an incredible legacy as a visionary, leader, colleague, mentor, brother, father and friend. He touched the lives of so many within and beyond our company and he will be missed.

As we navigate the days ahead, Mark Thurmond (Tenable COO) and Steve Vintz (Tenable CFO), who took over co-CEO duties on December 5, 2024, will ensure that we communicate any important updates as we drive the business forward just as Amit would have wanted.

As additional details regarding his memorial services are available we will keep you informed. We issued a press release with more details here: https://www.tenable.com/press-releases/tenable-announces-the-passing-of-chairman-and-ceo-amit-yoran

Please join us in remembering and honoring Amit for the indelible mark he left on all of us.

Check out best practices for preventing mobile communications hacking. Plus, how the U.S. government can improve financial firms’ AI use. Meanwhile, the FBI warns about a campaign to hack vulnerable webcams and DVRs. And get the latest on a Chinese APT’s hack of the Treasury Department; the federal government’s AI use cases; and cyber tips for SMBs.

Dive into six things that are top of mind for the week ending Jan. 3.

In light of the hacking of major telecom companies by China-affiliated cyber spies, “highly targeted” people should adopt security best practices to protect their cell phone communications.

So said the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in the new publication “Mobile Communications Best Practice Guidance,” aimed at high-profile individuals such as senior government officials and political party leaders.

The guidance, which applies to anyone interested in securing their mobile communications, is divided into three categories: general recommendations; best practices for iPhone users; and best practices for Android users.

“While no single solution eliminates all risks, implementing these best practices significantly enhances protection of sensitive communications against government-affiliated and other malicious cyber actors,” the guidance reads.

General recommendations include:

• Use messaging applications that offer end-to-end encrypted communications – for text messages, and for voice and video calls – and that are compatible with both iPhone and Android operating systems.
• Don’t use SMS as your second authentication factor because SMS messages aren’t encrypted. Instead, enable Fast Identity Online (FIDO) authentication for multi-factor authentication. Another good MFA option: authenticator codes.
• Regularly update your phone’s operating system and your mobile applications to their latest versions. Get your phone manufacturer’s newest cell phone model to get the latest hardware-dependent security features.

To get all the details, read the full, five-page document “Mobile Communications Best Practice Guidance.”

For more information about how to protect your mobile phone from hackers:

• “Ten Steps to Smartphone Security” (U.S. Federal Communications Commission)
• “Mobile Device Best Practices” (U.S. National Security Agency)
• “8 simple ways to protect your smartphone from hackers” (PC World)
• “Stop hackers cold: Tech tips to secure your phone's data and location” (USA Today)

VIDEO

How to remove a hacker from your phone? (Cybernews)

More precise definitions of AI models and systems. Clarification on AI data privacy standards. Enhanced AI regulatory frameworks. 

Those are just some of the requests that the Treasury Department received after it asked for feedback about artificial intelligence (AI) use in the financial industry.

Financial firms, consumer groups, technology vendors, trade associations and others sent the agency 103 comment letters in response to its “Uses, Opportunities, and Risks of Artificial Intelligence (AI) in the Financial Services Sector” request for information.

“The respondents commented on existing use cases, expansive opportunities, and associated risks, underscoring the potential for AI to broaden opportunities while amplifying certain risks,” reads the report “Artificial Intelligence in Financial Services.”

At a high level, requests from respondents included:

• Align definitions of AI models and systems applicable to the financial services sector to make collaboration and coordination among agencies and stakeholders easier.
• Further clarify standards for data privacy, security, and quality for financial firms developing and deploying AI.
• Expand consumer protections.
• Explain how financial firms can comply with current consumer protection laws that apply to existing and emerging technologies.
• Offer guidance to assist financial firms as they assess AI models and systems for compliance.
• Enhance regulatory frameworks and develop consistent federal-level standards. 
• Facilitate domestic and international collaboration among governments, regulators, and the financial services sector.

For more information about the risks and opportunities of AI in the financial industry:

• “Artificial Intelligence and Machine Learning in Financial Services” (U.S. Congressional Research Service)
• “Artificial Intelligence: Opportunities and Risks for the Financial Sector” (International Banker)
• “The Financial Stability Implications of Artificial Intelligence” (Financial Stability Board)
• “The AI Revolution: Opportunities and Challenges for the Finance Sector” (The Alan Turing Institute)
• “The rise of artificial intelligence: benefits and risks for financial stability” (European Central Bank)

Hackers are unleashing the HiatusRAT malware against web cameras and digital video recorders (DVRs) made by several Chinese vendors whose devices may have unpatched vulnerabilities.

That’s the warning from the FBI, which added that the cybercrooks are looking to exploit weak vendor-supplied password and vulnerabilities including CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044 and CVE-2021-36260.

The hackers have been observed targeting devices from vendors Xiongmai and Hikvision, and using webcam scanning tool Ingram and authentication-cracking tool Medusa.

“The FBI recommends limiting the use of the devices mentioned in this PIN and/or isolating them from the rest of your network,” reads the FBI alert titled “HiatusRAT Actors Targeting Web Cameras and DVRs.”

Other FBI recommendations include:

• Promptly patch and update operating systems, software and firmware.
• Consider removing devices from your network that are no longer supported by their manufacturer.
• Regularly change passwords for network systems and accounts, and don’t use default and weak passwords.
• Require multi-factor authentication.
• Segment your network.
• Back up critical assets and store the backups offline.
• Use monitoring tools that log network traffic and alert you about anomalous network activity.

For more information about securing internet-of-things (IoT) devices, check out these Tenable resources:

• “How to Unlock Advanced IoT Visibility for Cyber-Physical Systems” (blog)
• “Unlock advanced IoT visibility to better secure your OT environment” (on-demand webinar)
• “How To Secure All of Your Assets - IT, OT and IoT - With an Exposure Management Platform” (blog)
• “How to Effectively Communicate OT/IoT Risk Across the Enterprise” (on-demand webinar)
• “Discover, Measure, and Minimize the Risk Posed by Your Interconnected IT/OT/IoT Environments” (on-demand webinar)

Is your business in the midst of figuring out how to leverage AI to improve its operations and services? If so, you might be interested in how Uncle Sam is attempting to do the same.

As of mid-December, U.S. federal government agencies had launched 1,700-plus AI use cases, including for evaluating patent applications; analyzing extreme weather; and determining disability benefits.

Specifically, 37 federal agencies submitted their AI uses as of mid-December 2024 to the Office of Management and Budget (OMB), which tallied 1,757 use cases, including almost 230 that can impact people’s rights and safety.

Most AI use cases fell into these three categories:

• Helping agencies fulfill their missions
• Providing health and medical services
• Delivering government services

The agency with the most AI use cases is the Department of Health and Human Services (271), followed by the Department of Veteran Affairs (229) and the U.S. Agency for International Development (137).

Veteran Affairs is by far the agency with the most safety- and rights-impacting use cases (145). For these use cases, agencies must document how they’re implementing safeguards to mitigate the rights and safety risks.

To get more information about the federal government’s AI use, check out:

• The OMB’s Github page “2024 Federal Agency AI Use Case Inventory”
• CIO.gov’s writeup about the AI use case inventory
• AI.gov’s AI use cases page

For more information about responsible usage and AI security, check out these Tenable blogs:

• “AI Security Roundup: Best Practices, Research and Insights”
• “How to Discover, Analyze and Respond to Threats Faster with Generative AI”
• “Never Trust User Inputs — And AI Isn't an Exception: A Security-First Approach”
• “Securing the AI Attack Surface: Separating the Unknown from the Well Understood”
• “Do You Think You Have No AI Exposures? Think Again”

An advanced persistent threat (APT) hacking group sponsored by the Chinese government breached a Treasury Department system, an incident the agency describes as “major.”

In a letter sent this week to the U.S. Senate, the Treasury Department said the hackers accessed a key used by a third-party vendor to protect a cloud-based service. That breached system is used to provide remote tech support to Treasury Departmental Offices (DO) users.

“With access to the stolen key, the threat actor was able (to) override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users,” the letter reads.

News agency Reuters posted a copy of the letter, which was penned by Aditi Hardikar, Assistant Secretary for Management at the Treasury Department, and sent to Sen. Sherrod Brown, Chairman of the Committee on Banking, Housing and Urban Affairs; and to Sen. Tim Scott, the committee’s Ranking Member.

The compromised service from the third-party vendor was taken offline and the agency has no evidence that the APT hackers have continued accessing Treasury Department data. It will provide more details in a supplemental report, according to the letter.

For more information about how to protect your organization from APT attacks:

• “Advanced Persistent Threat Security: 5 Modern Strategies” (IEEE Computer Society)
• “Understanding Advanced Persistent Threats and How to Stop Them” (Biz Tech Magazine)
• “How To Defend Against APT Attacks: What You Need To Know” (Endpoint Security for Small Business)
• “Nation-State Cyber Actors” (CISA)
• “What is an advanced persistent threat?” (TechTarget)

It’s “resolutions” time again.

Now that the new year has begun, we take stock of what we could be doing better and pledge to modify certain practices and habits.

So how can small-and-medium sized businesses (SMBs) enhance their cybersecurity posture in 2025? Here are five suggested cyber resolutions from the Cyber Readiness Institute, a non-profit organization created to offer free cyber tools and resources for SMBs.

• Use multi-factor authentication to protect online accounts.
• Designate a “cyber leader” who’ll be tasked with monitoring cyberthreats, share best practices and foster cyber awareness.
• Offer cybersecurity awareness training to your staff.
• Draft a business continuity plan outlining how your SMB will maintain operations if it suffers a cyberattack.
• Acquire cyberinsurance.

For more cybersecurity resolutions to act upon in 2025, check out:

• “New Year’s cybersecurity resolutions that every startup should keep” (TechCrunch)
• “Cybersecurity Resolutions: Skill Sets to Prioritize in 2025” (Bank Infosecurity)
• “Cyber Resolutions for 2025: Because Hackers Won't Take a Day Off” (CyberPeace)
• “5 cybersecurity habits to take into 2025” (TechRadar)
• “8 Cybersecurity Trends and Opportunities for 2025” (MSSP Alert)

Mid-sized enterprises increasingly find themselves in need of a CNAPP, as their cloud adoption matures. But how should they go about selecting the right one? What questions should they ask and what criteria should they use? Here we unpack six key considerations that’ll help them evaluate their options and make an informed decision.

As cloud security technologies evolve, mid-sized enterprises face unique challenges when selecting a cloud native application protection platform (CNAPP). With limited resources and a need for robust protection, they must understand the critical capabilities that define the effectiveness and value of a CNAPP. Here are some of the most important considerations for mid-sized organizations.

In today’s increasingly complex cloud environments, CNAPPs must provide seamless integration across their features to avoid operational and risk silos. Platforms that organically develop features deliver a smoother user experience. With integrated data flows, these platforms allow telemetry to be collated effectively. Disparate technologies with poor integration often lead to gaps in security and inefficiencies in workflows, increasing costs and management overhead.

A strong focus on identity and access management is fundamental for securing complex cloud workloads. Cloud infrastructure entitlement management (CIEM) is particularly crucial, as it helps enterprises govern and enforce least-privilege across multi-cloud environments. By addressing identity-related risks, strong CIEM capabilities enable enterprises to prevent lateral movement, privilege escalation and unauthorized access, which continue to be the most significant threats in cloud security along with misconfigurations.

Mid-sized enterprises often operate on tight budgets, making modular pricing an attractive option. A flexible pricing structure allows companies to start small and add capabilities as needed. Choosing a CNAPP that integrates with a broader exposure management platform ensures future-proofing for hybrid, multi-cloud, and even on-premises workloads. This approach not only minimizes initial costs but also provides scalability to meet evolving business and security requirements.

As regulations like the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the EU AI Act introduce increasingly strict penalties for non-compliance, many organizations are reconsidering public cloud deployments in favor of on-premises or hybrid environments. Mid-sized organizations should prioritize CNAPPs that support this shift by offering native integrations with platforms that secure both cloud and on-premises workloads. AI regulations, in particular, may necessitate local data processing, making on-prem integration a critical requirement.

Data security is fundamental to the safety of AI systems. DSPM capabilities in a CNAPP allow enterprises to discover, classify, and label sensitive data, helping ensure compliance with security and privacy regulations. DSPM prevents sensitive information from leaking through AI models or cloud native applications by identifying unauthorized access and data flows. This is particularly important as AI systems increasingly rely on large datasets for training and inference purposes.

For mid-sized enterprises, resource constraints can be significant hurdles to adopting new security technologies. A CNAPP that is quick to deploy and easy to configure is crucial to ensuring a smooth implementation process without overwhelming IT and security teams.

Platforms designed with ease of rollout in mind reduce operational overhead by offering:

• Intuitive user interfaces: Simplified dashboards and workflows that minimize the learning curve for administrators.
• Out-of-the-box integrations: Pre-built connectors for major cloud providers, on-premises security technologies and existing security tools cut down deployment time and customization efforts.
• Automated discovery and configuration: Features such as automated asset discovery, policy enforcement, and the establishment of a baseline configuration model reduce the need for manual setup.
• Minimal downtime: Deployment with minimal disruption to existing workloads and infrastructure ensures business continuity during the rollout.

CNAPPs with these key factors allow mid-sized enterprises to achieve faster time-to-value, enabling security teams to focus on strategic activities rather than troubleshooting implementation issues.

Modern threats require enterprises to adopt a unified approach to managing risks across cloud, on-premises and hybrid environments. CNAPPs should integrate seamlessly into a broader exposure management strategy, enabling centralized visibility and response to vulnerabilities, misconfigurations, and threats.

Tenable Cloud Security and the Tenable One Exposure Management Platform address these challenges head-on by providing:

• Ease of rollout and deployment: A focus on deployment efficiency and ease of use.
• Integrated functionality: Seamless feature development and integration for a streamlined user experience.
• CIEM strength: Robust identity-focused capabilities to minimize access-related risks.
• Flexibility and scalability: Modular pricing that adapts to your business needs and scales with your growth.
• Support for hybrid and on-prem environments: Secure workloads wherever they reside, addressing regulatory and operational needs.
• Comprehensive exposure management: Centralized visibility and management across all environments.
• Advanced DSPM for AI security: Comprehensive data classification and monitoring to protect sensitive information in AI workflows.

Tenable offers a future-ready platform tailored to the needs of mid-sized enterprises, providing the tools and confidence to tackle today’s cloud security challenges regardless of where you are in your cloud security journey. 

Learn more about Tenable Cloud Security and Tenable One.

In December 2023, as cyberattacks surged, the U.S. Securities and Exchange Commission (SEC) began enforcing new cybersecurity disclosure rules. This pushed C-level executives and boards to adopt measures for compliance and transparency. In this post, we look at the enforcement actions the SEC has taken and what public company CISOs should do to stay in compliance.

In recent years, cyberattacks have become more sophisticated, affecting public and private organizations alike. Recognizing the critical need for transparency and robust cybersecurity measures, the U.S. Securities and Exchange Commission adopted new cybersecurity disclosure rules in July 2023, which took effect in September 2023, with compliance required by December 2023.

These rules, which mandate that all public companies disclose material cybersecurity incidents within four business days and detail their risk management strategies, highlight that cybersecurity is a board-level risk management concern.

As part of their fiduciary duties, boards play a key role in the oversight of risks from cybersecurity threats. In partnership with senior executives, they need to pay close attention to the risks their companies face and the strategies those companies put in place to comply.

As the rules were authorized in late 2023, we shared what we see as the implications for infosec leaders. This post explores the impact of these regulations after one year. We also look at recent enforcement actions and measures that companies should consider adopting to promote compliance and bolster their cybersecurity posture.

An important note: In 2025, there will be changes in SEC leadership, which could affect these rules. But they’re just one example of the additional attention governments around the world are giving to cyber risk.

The EU recently issued the network and information systems (NIS)2 Directive, aimed at improving cybersecurity across member states. It requires the reporting of “significant” incidents within 24 hours, a more detailed report within 72 hours and a final report within a month. Other more focused rules, such as the General Data Protection Regulation (GDPR) in Europe, although it doesn’t have incident disclosure provisions, have driven significant change for companies that want to do business in that region.

It comes down to trust. Tenable CEO Amit Yoran had a clear point of view when he wrote about the rules as they took effect.

“The SEC’s rule will force what companies should have been implementing all along; informed cyber risk management practices,” he said. “Requiring companies to provide annual updates of their cybersecurity risk management strategy and governance and report material breaches within four business days will force leadership to pay attention and keep customers and investors better informed as to who they trust with their business.”

With that as a backdrop, CISOs looking to support stakeholders like legal, finance, investor relations and boards in these efforts should understand a few things about the SEC rules.

The SEC requires public companies to disclose material cybersecurity incidents within four business days of determining their materiality using an 8-K form. This requirement aims to give investors timely and relevant information about potential risks that could impact business operations and financial performance.

At a conference held by the American Institute of Certified Public Accountants (AICPA) and the Chartered Institute of Management Accountants (CIMA) in December, Sebastian Gomez Abero, Associate Director of the Division of Corporate Finance (DCF) Disclosure Review Program emphasized that materiality, rather than the discovery of a breach, is the trigger for disclosing a cybersecurity incident. According to an EY summary of his remarks provided by the conference organizations, Gomez Abero also reminded registrants that both quantitative and qualitative factors should be considered in their materiality assessment of a cybersecurity incident.

In addition, companies must include descriptions of their cybersecurity risk management and governance practices annually in their 10-K or 20-F reports. The rules essentially validate cybersecurity as an important component of risk management, within a robust corporate governance program. Recent 10-Ks from a number of companies incorporated these new requirements.

According to the EY conference summary, Gomez Abero reminded registrants to provide sufficient detail in their annual cybersecurity disclosures for a reasonable investor to understand the organization’s processes to assess, identify and manage material risks from cybersecurity threats, rather than just stating that a process exists. In addition, registrants that have a management group to assess material cybersecurity risk need to disclose each member’s individual expertise.

Since the introduction of the cybersecurity rules, the SEC has taken significant enforcement actions to ensure compliance, including issuing fines and negotiating settlements with various companies.

For example, in October 2024, the SEC fined Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd. and Mimecast Limited a combined total of almost $7 million for allegedly misleading disclosures related to their exposure to the SolarWinds cyberattack.

In the same order, the SEC alleged that these firms downplayed their involvement, which led to misleading investors about potential impacts. Each company settled without admitting or denying the allegations.

In another notable enforcement action by the SEC, R.R. Donnelley & Sons Company (RRD) agreed in June 2024 to pay more than $2.1 million for inadequate disclosure and poor management of significant cybersecurity incidents from 2021. The SEC found that RRD’s internal processes failed to properly elevate and disclose these incidents to senior management in a timely manner, underscoring the importance of having robust incident management frameworks in place.

There are three key lessons to keep in mind as you work to help your organization meet the SEC cybersecurity requirements:

1. Be transparent. Your organization’s incident management and disclosure practices are being scrutinized. It’s not just the board and senior executives paying attention — your company’s investors want to understand your organization’s cyber risk. Choose a forthright and straightforward approach to meet the 8-K disclosure requirements, such as establishing a cybersecurity disclosure committee and a materiality framework for regularly assessing cyber incidents. Doing so could help your organization avoid fines.
2. View cyber risk as business risk. Your cybersecurity risk management and governance practices are of strategic importance to your organization. The 10-K and 20-F requirements codify the importance of having a robust strategy for cybersecurity. Rather than seeing it as a compliance chore, consider it an opportunity to educate the board and investors about all the ways your organization is reducing cyber risk.
3. Be proactive. Don’t treat your cybersecurity strategy as merely a once-a-year compliance task. Make sure the cybersecurity systems and processes you have in place provide continuous visibility into the entirety of your attack surface, so that you’re always ready to answer the questions “how secure are we?” and “where are we at risk?”

So what can a CISO do about this? It starts with a comprehensive cybersecurity program, including exposure management, which gives CISOs the information they need to communicate with legal, finance, investor relations, boards and other internal stakeholders about vulnerabilities and cyber incidents so that those can be appropriately captured in the company’s cyber risk management and public reporting.

Exposure management equips an organization with the tools needed to meet the SEC’s cybersecurity disclosure requirements by aligning cybersecurity efforts with business risk management.

Exposure management provides comprehensive visibility into the organization’s attack surface, prioritizes vulnerabilities based on their potential business impact and delivers actionable insights that inform the preparation of risk management filings. Moreover, exposure management is part of a cyber program that can identify cyber risks and incidents that may need to be reported in filings. With easily understood, dynamically updated dashboards that a CISO can use to gain visibility into companywide exposures, exposure management is critical for ensuring compliance and demonstrating a strong security posture.

Plus, an exposure management strategy that integrates asset visibility, risk prioritization and incident response — along with strong partnerships between the CISO, legal, IR and finance — ensures that organizations can accurately report their practices and responses at any point in time because of the continuous monitoring built into exposure management.

By focusing on vulnerabilities that pose the greatest threat to business operations, companies can allocate resources effectively and build a cybersecurity program that supports regulatory compliance.

For CISOs, adopting an exposure management program ensures they can provide legal, finance, investor relations, boards and other executives with clear, actionable insights into the organization’s cybersecurity risks.

Exposure management helps inform decision-making and supports the development of comprehensive risk management frameworks, enabling companies to address threats proactively and build confidence among investors and stakeholders.

The entire C-suite should approach the SEC’s new rules with an eye toward integrated and forward-looking cybersecurity strategies. As part of that effort, it’s crucial to develop and maintain comprehensive incident response plans that can be deployed swiftly to meet the four-day disclosure mandate.

To meet the SEC’s cybersecurity disclosure rules and reduce the risk of breaches that could lead to significant regulatory and financial consequences, organizations must adopt proactive strategies that strengthen their defenses. The following preventative measures outline key steps companies should take to enhance their cybersecurity posture and ensure compliance.

• Vulnerability management: Effective vulnerability management is essential for maintaining a strong cybersecurity posture. Automated vulnerability assessment tools can regularly inspect infrastructure and promptly identify security gaps.
• Zero trust architecture: A zero trust security model operates on the principle that no user or device, whether inside or outside the organization’s network, should be trusted by default. Implementing zero trust means continuously verifying each user and device that attempts to access company resources, ensuring strict authentication, authorization and validation throughout the user session.

The SEC’s cybersecurity disclosure rules underscore the critical importance of transparency and proactive risk management in today’s digital landscape.

Although compliance requires effort and resources, it also presents an opportunity for companies to build trust with investors and stakeholders.

By prioritizing robust cybersecurity practices that focus on prevention, enterprises can better align with regulatory expectations and be prepared for critical reporting requirements. They can close exposures and become resilient, responsible leaders in an increasingly risky world.

• Visit the web page: How to reduce SEC cybersecurity rule compliance challenges
• Read the blog: FAQ: What the new SEC Cybersecurity Rules Mean for Infosec Leaders
• View the on-demand webinar Preparing for the new SEC cybersecurity disclosures
• Download the Gartner report How to Grow Vulnerability Management into Exposure Management

Wondering what cybersecurity trends will have the most impact in 2025? Check out six predictions from Tenable experts about cyber issues that should be on your radar screen in the new year — including AI security, data protection, cloud security … and much more!

Because AI tools rely on vast amounts of data, widespread AI adoption will lead to the exponential growth of data volumes. In addition, this data will be distributed across a complex multi-cloud landscape of locations, accounts and applications. As a result, cybercriminals will have more opportunities to target AI systems to access and exfiltrate their data — especially as hackers themselves leverage powerful AI tools like virtual assistants that can streamline and amplify their attacks.



This convergence of advanced AI attack tools and abundant data will make it increasingly difficult for organizations to stay ahead of evolving cyberthreats. Yet, far from being deterred from using AI, organizations must develop robust strategies for secure and responsible AI adoption, focusing on integrating AI into their systems securely rather than viewing it as a risky proposition. After all, data is the fuel that powers businesses.

For more information about data and AI security posture management (DSPM and AI-SPM), check out these Tenable resources:

• “Data and AI Security Posture Management” (video)
• “Harden Your Cloud Security Posture by Protecting Your Cloud Data and AI Resources” (blog)
• “Know Your Exposure: Is Your Cloud Data Secure in the Age of AI?” (on-demand webinar)
• “The Data-Factor: Why Integrating DSPM Is Key to Your CNAPP Strategy” (blog)
• “When CNAPP Met DSPM” (infographic)

VIDEO

Integrated DSPM features - enable data protection today!

When it comes to the cloud, enterprises are increasingly wary of putting all their eggs in one basket. Relying solely or mostly on a single cloud-services provider is risky and restrictive. Thus, multi-cloud environments will become the norm in 2025, as organizations avoid vendor lock-in and increase their cloud options and flexibility. 

As a result, more and more CISOs next year will embrace security platforms that allow them to protect cloud environments from multiple cloud vendors — enjoying benefits such as centralized, consistent monitoring and management of cloud security and compliance.

Watch Liat Hayun, VP of Product and Research at Tenable Cloud Security, address this topic in this short video:


For more information about multi-cloud security, check out these Tenable resources:

• “Who’s Afraid of a Toxic Cloud Trilogy?” (blog)
• “Holistic Security for AWS, Azure and GCP: Comprehensive Cloud-Native Application Protection for Multi-Cloud Environments” (white paper)
• “Identities: The Connective Tissue for Security in the Cloud” (blog)
• “Cloud Leaders Sound Off on Key Challenges” (blog)
• “Understanding Cloud-Native Application Protection Platforms” (guide)

As breaches become more frequent, post-breach costs will rise, pushing businesses to think critically about what data has been compromised and rethink their recovery strategies. According to IBM, the average cost of a data breach rose 10% to almost $5 million in 2024, but the true damage lies in downtime, reputational damages and regulatory fines, particularly in cloud-heavy industries. 

 
In 2025, businesses will pivot toward more robust post-breach playbooks to minimize fallout, focusing on rapid incident response, data visibility, better containment protocols and enhanced forensic capabilities. This shift signals a broader evolution in cybersecurity, with organizations embracing a more balanced approach that prioritizes both breach prevention and effective recovery.

For more information about cloud data security and cloud data-breach prevention, check out these Tenable resources:

• “Tenable Cloud Risk Report 2024” (report)
• “How To Protect Your Cloud Environments and Prevent Data Breaches” (blog)
• “Know Your Exposure: Is Your Cloud Data Secure in the Age of AI?” (on-demand webinar)
• “CISA and NSA Cloud Security Best Practices: Deep Dive” (blog)
• “Empower Your 2025 Cloud Security Planning with Tenable's Data Insights” (on-demand webinar)

As organizations prioritize efficiency and return on investment, the adoption of technologies like AI and cloud continues to surge. However, this creates a challenge: the knowledge gap. Many users and organizations are struggling to keep pace with the education and training needed to comprehensively understand and protect these technologies.

 
This generates a pressing dilemma: How can we safeguard innovations like AI and cloud when their complexity and growth outstrip our readiness? In 2025, CISOs will be challenged to strike a balance between driving forward technological adoption and ensuring the security and resilience of these tools. Bridging this gap sooner rather than later will be critical for organizations.

For more information about how CISOs should balance cloud adoption with AI security:

• “A CISO game plan for cloud security” (Infoworld)
• “How CISOs can balance the risks and benefits of AI” (CSO)
• “The CISO's Guide to AI: Embracing Innovation While Mitigating Risk” (SANS Institute)
• “How Will AI Change the CISO Role?” (InformationWeek)
• “8 cloud security gotchas most CISOs miss” (CSO)

As the attack surface continues to expand and threat actors grow more sophisticated, cybersecurity teams will face an overwhelming flood of fragmented vulnerability and threat intelligence data. The days of linear attacks are fading, giving rise to multifaceted, rapid incursions that exploit numerous entry points. In this increasingly chaotic landscape, the inability to remediate “everything, everywhere, all at once” will make context king.

 
Organizations that prioritize understanding the greatest risk to their business and the most critical vulnerabilities will win. This contextual approach will redefine vulnerability management, enabling cybersecurity teams to act strategically, swiftly and with greater precision to mitigate threats effectively.

For more information about the importance of risk context for holistic cybersecurity, check out these Tenable resources:

• “Context Is King: From Vulnerability Management to Exposure Management” (blog)
• “Exposure Management: How to Get Ahead of Cyber Risk” (guide)
• “From Frustration to Efficiency: Optimize Your Vuln Management Workflows and Security with Tenable” (on-demand webinar)
• “3 Real-World Challenges Facing Cybersecurity Organizations: How an Exposure Management Platform Can Help” (white paper)
• “Turning Data into Action: Intelligence-Driven Vulnerability Management” (blog)

As 2024 comes to an end, we’re left with the feeling — as in previous years — that too many cyberattacks affected too many people and too many organizations. Anyone whose personal information is now available on the dark web deserves answers and those responsible need to be held accountable. Anyone whose medical records can’t be accessed because systems are down deserves a better service. Anyone whose car has been stolen because criminals were able to hack the keyless tech deserves justice.

 
It’s impossible to achieve perfection – mistakes happen and we’re all human. But how we respond when flaws are found makes all the difference. And that’s on all of us. There has to be accountability at every level. The culture of toxic obfuscation in cybersecurity has to stop. 

Here are some blogs in which Tenable offers transparency about its security practices and shares lessons learned with the cybersecurity community:

• “Tenable Partners with CISA to Enhance Secure By Design Practices”
• “Walking the Walk: How Tenable Embraces Its ‘Secure by Design’ Pledge to CISA”
• “Establishing a Cloud Security Program: Best Practices and Lessons Learned”
• “Making Zero Trust Architecture Achievable”
• “Tenable’s Software Update Process Protects Customers’ Business Continuity with a Safe, Do-No-Harm Design”

Check out the new cloud security requirements for federal agencies. Plus, beware of North Korean government operatives posing as remote IT pros. Also, learn how water plants can protect their HMIs against cyberattacks. And get the latest on the U.S. cyber incident response framework; the CIS Benchmarks; and local and state governments’ cyber challenges.

Dive into six things that are top of mind for the week ending Dec. 20.

To boost its cloud security, the U.S. government this week released a set of cybersecurity actions that federal civilian agencies will be required to take during the first half of 2025 — mostly focused on applying secure configuration baselines to their cloud apps.

The mandate to secure cloud environments comes via the Binding Operational Directive (BOD) 25-01 — titled “Implementing Secure Practices for Cloud Services” — from the Cybersecurity and Infrastructure Security Agency (CISA).

“Malicious threat actors are increasingly targeting cloud environments and evolving their tactics to gain initial cloud access. The actions required by agencies in this Directive are an important step in reducing risk to the federal civilian enterprise,” CISA Director Jen Easterly said in a statement.

The guidance, while applicable only to U.S. federal civilian agencies, can be helpful to all organizations in the public and private sectors, Easterly added. Its foundation is CISA’s Secure Cloud Business Applications (SCuBA) project, which offers recommendations for hardening the configuration of cloud services.

 
These are the directive’s cloud security requirements at a high level:

• Identify all cloud tenants by February 21, 2025, and update this inventory annually.
• Deploy all assessment tools from CISA’s SCuBA project by April 25, 2025, and report assessment results to CISA.
• Implement all mandatory SCuBA policies by June 20, 2025.
• Implement all future updates to mandatory SCuBA policies.
• Implement all mandatory SCuBA secure configuration baselines.

Agencies may deviate from mandatory SCuBA policies if needed, but they’ll have to identify these deviations and explain them to CISA.

To learn more about cloud security, check out these Tenable resources:

• “Establishing a Cloud Security Program: Best Practices and Lessons Learned” (blog)
• “Empower Your Cloud: Mastering CNAPP Security” (white paper)
• “Know Your Exposure: Is Your Cloud Data Secure in the Age of AI?” (on-demand webinar)
• “Harden Your Cloud Security Posture by Protecting Your Cloud Data and AI Resources” (blog)
• “10 Considerations for Securing Stateful Persistent Volumes Attached to Kubernetes Pods and Applications” (white paper)

In a years-long fraud scheme, North Korean IT workers have gotten jobs in the U.S. using fake identities, and then have gone on to steal information, such as proprietary source code, and extort their employers.

That’s according to the U.S. Department of Justice, which recently indicted 14 North Korean nationals, charging them with sanctions violations, wire fraud, money laundering and identity theft.

The suspects worked as remote IT professionals for front companies controlled by the North Korean government. The six-year cyber conspiracy netted North Korea’s government at least $88 million, as it banked the IT workers’ hefty salaries and extortion payments. North Korea reportedly uses the money to fund its weapons-development efforts.

The North Korean IT workers got jobs with U.S. firms using fake identities crafted via the use of phony email addresses, fictitious social media profiles, fraudulent payment platform accounts, bogus job site profiles and sham websites; and by hiding their tracks with proxy computers and virtual private networks.

 
They also duped U.S. residents into unwittingly helping them by recruiting them to receive and set up laptops in their homes, which the fraudsters would then access remotely. That way, victimized employers would think the hired IT workers were based in the U.S.

The indictment “... should serve as a warning to companies around the globe — be on alert for this malicious activity by the DPRK regime,” Deputy Attorney General Lisa Monaco said in a statement.

The DOJ is offering a reward of up to $5 million for more information about this fraud scheme and about those involved with the North Korean front companies Yanbian Silverstar and Volasys Silverstar, based in China and Russia, respectively.

The U.S. government issued its first alert about North Korea’s attempts to plant IT workers in the U.S. in 2022 and updated it in 2023 with more due diligence recommendations for employers to avoid falling for the scam. Employers in other countries have also fallen victim to this North Korean IT worker scam.

For more information:

• “‘How not to hire a North Korean plant posing as a techie’ guide” (The Register)
• “Staying a Step Ahead: Mitigating the DPRK IT Worker Threat” (Google Cloud)
• “Advisory on the Democratic People’s Republic Of Korea IT Workers” (South Korea Ministry of Foreign Affairs)
• “Advisory on North Korean IT Workers” (UK Office of Financial Sanctions)
• “Advisory on Democratic People's Republic of Korea IT workers” (Australia Department of Foreign Affairs and Trade)

VIDEO

North Korean nationals indicted in scheme using IT workers to funnel money for weapons programs (KSKD News)

Identifying human-machine interfaces (HMIs) as a weak cyber link in many water treatment plants, the U.S. government has published recommendations for protecting these operational technology (OT) components.

The fact sheet “Internet-Exposed HMIs Pose Cybersecurity Risks to Water and Wastewater Systems” is aimed at helping water and wastewater systems facilities harden remote access to HMIs.

Using HMIs, OT operators are able to read supervisory control and data acquisition (SCADA) systems connected to programmable logic controllers (PLCs). By tampering with HMIs, hackers could disrupt water and wastewater treatment, endangering people’s health.

 
Here are some of the recommendations in the fact sheet, which was jointly published by CISA and the Environmental Protection Agency:

• Inventory all internet-exposed devices.
• Identify HMIs that don’t need to be accessible from the internet and take them offline.
• Secure with a strong password the HMIs that must be connected to the internet.
• Track remote logins to HMIs, including failed and atypical attempts. 
• Protect with multifactor authentication and a strong password the HMI and OT network.
• Segment your network by adding a DMZ or bastion host at the OT network boundary; and by implementing geo-fencing.

For more information about securing operational technology (OT) systems in water plants, check out these Tenable resources:

• “Protecting Public Water Systems from Cyberattacks” (solution overview)
• “EPA to dial up enforcement of cyber requirements for water systems” (blog) 
• “Safeguarding Your Water Utility” (on-demand webinar)
• “Enhancing Critical Infrastructure Cybersecurity for Water Utilities” (infographic)
• “The Constant Drip: EPA Water Regulations, Funding Sources, And How Tenable Can Help” (on-demand webinar)

Curious about how the U.S. government would respond to a major cybersecurity crisis? Now you can find out — and give your opinion about it.

CISA has just released an update to the U.S. National Cyber Incident Response Plan (NCIRP), whose current version dates back to 2016, and is asking for the public to comment on it. The NCIRP update has been in the works since October 2023.

“CISA is seeking more perspectives to help strengthen the NCIRP and invites stakeholders from across the public and private sectors to share their knowledge and experiences, further informing our findings and contributing to this revision,” CISA said in a statement. 

The NCIRP aims to provide a flexible, agile, coherent and repeatable framework for how the U.S. federal, state and local governments, along with the private sector and international partners, will collaborate to respond to a major cybersecurity incident.

“This draft NCIRP Update leverages the lessons learned over the past several years to achieve a deeper unity of effort between the government and the private sector,” CISA Director Jen Easterly said in a statement.

 
The NCIRP addresses coordination mechanisms, decision points and priority activities; and it focuses on four aspects of the cyber response:

• Asset response to assist affected parties in protecting their assets
• Threat response, which would be led by federal law enforcement agencies like the Department of Justice and the FBI
• Intelligence support, which would be overseen by the Office of the Director of National Intelligence (ODNI)
• Affected entity response, led by the affected federal agencies in coordination with CISA (civilian agencies); the U.S. Cyber Command (Defense Department agencies); or the IC Security Coordination Center (intelligence agencies)

You can provide feedback on the new NCIRP in the Federal Register. The public comment period ends on January 15, 2025.

For more information about cyber incident response planning:

• “13 incident response best practices for your organization” (TechTarget)
• “10 Best Practices for Incident Response Plans” (Daily.dev)
• “How to build an incident response plan, with examples, template” (TechTarget)
• “How to effectively detect, respond to and resolve cyber incidents” (UK National Cyber Security Centre)
• “Best Practices for Cyber Crisis Management” (ENISA)

Cisco IOS XE, Google Kubernetes Engine and Microsoft 365 are among the products whose CIS Benchmarks got updated in November by the Center for Internet Security.

Specifically, these secure-configuration recommendations were updated:

• CIS Cisco IOS XE 17.x Benchmark v2.1.1
• CIS Google Kubernetes Engine (GKE) AutoPilot Benchmark v1.1.0
• CIS Google Kubernetes Engine (GKE) Benchmark v1.7.0
• CIS Microsoft 365 Foundations Benchmark v4.0.0
• CIS Red Hat Enterprise Linux 8 STIG Benchmark v2.0.0
   

In addition, CIS released a brand new Benchmark: CIS Microsoft Azure Storage Services Benchmark v1.0.0. 

The CIS Benchmarks’ secure-configuration guidelines are designed to help organizations harden products against attacks. Currently, CIS offers more than 100 Benchmarks for 25-plus vendor product families in categories including: 

• cloud platforms
• databases
• desktop and server software
• mobile devices
• operating systems

To get more details, read the CIS blog “CIS Benchmarks December 2024 Update.”

For more information about the CIS Benchmarks list, check out its home page, as well as:

• “Getting to Know the CIS Benchmarks” (CIS)
• “Security Via Consensus: Developing the CIS Benchmarks” (Dark Reading)
• “How to Unlock the Security Benefits of the CIS Benchmarks” (Tenable)
• “CIS Benchmarks Communities: Where configurations meet consensus” (Help Net Security)
• “CIS Benchmarks: DevOps Guide to Hardening the Cloud” (DevOps)

Insufficient funding and more sophisticated threats top the list of cybersecurity concerns among U.S. state and local governments.

That’s according to the “2023 Nationwide Cybersecurity Review (NCSR),” a free cybersecurity assessment program from the Center for Internet Security (CIS).

The 4,210 state, local, tribal and territorial government organizations that participated also reported being concerned about: 

• emerging technologies
• lack of cyber incident-documentation processes
• difficulty finding qualified cybersecurity professionals

On the positive side, the number of program participants increased 14%, with K-12 school districts recording their highest participation ever.  

Returning participants saw their cyber maturity level increase by an average of 4%. Those that have participated at least two years scored 23% higher in cyber maturity, while those with nine years in the program scored 41% higher.

Overall, NCSR participants are doing a good job monitoring and protecting their IT environments. They also have incident response plans in place, as well as access-control policies.

Areas for improvement include:

• Risk management
• Disaster recovery plans
• Cyber team understaffing

Git, repositories and pipelines…oh my! We unpack standard practices in the web app development process and provide guidance on how to use Tenable Web Application Scanning to secure your code.

Awesome! This should be easy. All you need to start is … Wait… what's a pipeline?

Well, let's start there. Have you ever used a code repository to track code changes? Every time you make an update to the repository files/code, you have to do what's called a “git commit” and “git push.” Developers use Git as a foundation to run their CI/CD pipelines.

Wait … what's Git, and what does CI/CD mean?

To be clear, continuous integration and continuous deployment (CI/CD) is a methodology — not a tool.

The “D” in CI/CD is often referred to as “delivery” instead of deployment. For the purposes of this blog post, since we are talking about the deployment side of it, I will use that here.

Before we get there, let’s talk about version control. Time to roll back a few years. In 2005, Linus Torvalds, the creator of Linux, built something called “Git,” an open source version control software. Version control allows you to track and control all changes to a codebase.

These codebases, called repositories, are generally used for managing code that is the basis for any software or website that you can think of. Git is the most commonly used version control system while GitHub, now owned by Microsoft, is one of the cloud-based repository hosting platforms utilizing Git.

Developers have been using this great version control tool ever since, but every time they wanted to test their production applications/software, they had to do the following:

1. Log on to a server
2. Pull code from a repository
3. Package code up in a nice zip-type file
4. Send that package to another server that was the staging/testing environment
5. Run the application and confirm it still runs at all
6. Run any tests needed against it, such as allowing other developers to come in and poke at it to find broken parts of the application

The most efficient developers would make scripts to automate some or all of this work, but there was an even better way…

Integration here might not mean what it sounds like. It means that you are building your application and running tests on a schedule or every single time you make a change to your code. Think about how much time this can save. Instead of having to assign tasks out to a team of testers, those tests run every time you change the code. Can you imagine knowing about all of your issues right away?

On top of that, continuous integration automatically builds your application, so you don’t have to package and run it yourself, letting you keep working on building.

For security pros, this is the spot in a pipeline where the dynamic application security testing (DAST) scanner — available in Tenable Web Application Scanning — can help.

At Tenable, we want developers to know about security issues as soon as possible. For reference, this is where software composition analysis (SCA) and static application security testing (SAST) scanning also live. Those tools are used for looking at source code, whereas Tenable Web Application Scanning looks at a built application and scans it with real network requests.

Jenkins is considered the first main and widely adopted CI tool. Jenkins helped teams adopt this methodology. Some teams were already doing this with homegrown solutions. We have documentation on how to deploy the web app scanner in a Jenkins CI/CD pipeline.

Deployment is when you take what you have built and push it out for real use. It’s building an application for production use rather than just for quick testing. Back in the day, developers would log onto their servers and make updates to the applications on the fly. If something broke, well, you’d better remember the changes you made and have fun spinning that back up.

Automated deployment allowed developers to run one script that would spin up an entire environment or application all in one go. Application falls down? No problem! Run the deployment and it can be back up soon.

Continuous deployment allows for changes to be made in the source code and for those to be automatically sent to production. No dev or IT team time is wasted in changing live servers.

PHEW. Ok. A CI/CD pipeline is where you combine version control (Git), continuous integration and continuous deployment. It allows teams to develop applications very quickly and not waste time. The pipeline is the ongoing stream of tests and automated actions that all happens based on code changes.

Over time, tools became better and more appeared, such as Bamboo and CircleCI and some others. GitHub Actions came out in 2015, allowing developers to automate software development workflows from within GitHub.

Tenable Web Application Scanning can scan any pipeline. It offers code examples for testing for various tools, but you can throw a test into any pipeline.

For more documentation on how to implement, see Tenable’s Documentation

Now, back to the original question: So, you want to scan some web apps in the pipeline?

You can walk through the “how to run Web App Scans in your CI/CD pipeline” in this public demo: https://demo.tenable.com/share/lajsp7ujjmzb

• View the on-demand webinar Tenable Web Application Scanning Customer Update, April 2024
• Visit the product page, https://www.tenable.com/products/web-app-scanning
• Download the data sheet, Vulnerability Exposure: A simple, scalable approach to dynamic application security testing

The FCC wants stronger cyber regulations for telecoms after cyber espionage breaches. Meanwhile, find out why cyber pros say work has become more difficult. Plus, check out tips to prevent AI-boosted financial fraud. And get the latest on vulnerability management, EU cyber challenges and CIS predictions for 2025.

Dive into six things that are top of mind for the week ending Dec. 13.

U.S. telecommunications companies may have to comply with tougher cybersecurity regulations after at least eight of them got breached by Salt Typhoon, a cyber espionage group affiliated with the Chinese government.

“The attack underscores the urgent need for robust cybersecurity frameworks to protect against escalating threats targeting the telecommunications sector,” reads a fact sheet published by the U.S. Federal Communications Commission (FCC) this week.

Here are two key ways in which the FCC wants to tighten telecoms’ regulatory screws:

• Have telecoms annually create, update and adopt cybersecurity risk-management plans and certify the plans are compliant with FCC requirements. The FCC is seeking to implement this new cybersecurity compliance framework via a Notice of Proposed Rulemaking.
• Clarify that telecoms are legally bound to secure their networks — not just their equipment — against unlawful access and interception. This would be achieved via a declaratory ruling about Section 105 of the Communications Assistance for Law Enforcement Act (CALEA).
   

If FCC commissioners vote in favor of these two measures, the declaratory ruling would go into effect right away, while the cybersecurity compliance framework would be opened for public comment.

To get more details, read the FCC document, titled “Fact Sheet: Implications of Salt Typhoon Attack and FCC Response.”

For more information about the Salt Typhoon cyber espionage attacks against telecoms:

• “New CISA Hardening Guidance Provides Valuable Insights for Network Security Engineers” (Tenable)
• “China's 'Salt Typhoon' Hackers Breached US Networks Using Existing Flaws” (PCMag)
• “Salt Typhoon's surge extends far beyond US telcos” (The Register)
• “Telcos struggle to boot Chinese hackers from networks” (Axios)
• “How to protect comms infrastructure from China-backed Salt Typhoon hackers” (Tenable)

More cybersecurity complexity and workloads. An increase in cyberthreats. Thornier regulatory compliance. Understaffed cyber teams.

Those are the top factors making work more difficult for cybersecurity professionals, according to a report from Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA).

“The Life and Times of Cybersecurity Professionals,” for which 369 IT and cybersecurity professionals were polled, found that 65% of respondents said cybersecurity work is harder today than it was two years ago.

Factors Making Cybersecurity Work More Difficult Than Two Years Ago

(Source: ““The Life and Times of Cybersecurity Professionals” by ESG and ISSA, December 2024)

Moreover, 57% of respondents said their job is stressful at least half the time, citing as the main reasons an overwhelming workload; disinterested business managers; IT initiatives launched without security oversight; and constant emergencies and disruptions.

So what can help strengthen cybersecurity professionals’ job satisfaction? These are the top five happiness boosters:

• Commitment from the leadership team to a strong cybersecurity posture
• Competitive compensation
• Career-advancement opportunities
• Strong leadership from the CISO and other cyber leaders
• Working with talented cybersecurity peers

“Organizations with a strong cybersecurity culture that empower the CISO and collaborate with and support the cybersecurity staff can not only improve security efficacy and efficiency but also create a harmonious and healthy work environment for cybersecurity teams,” Jon Oltsik, ESG analyst emeritus and report author, said in a statement.

For more information about stress and burnout among cybersecurity pros:

• “Can strategic AI deployment reduce cybersecurity burnout?” (Security Info Watch)
• “Persistent Burnout Is Still a Crisis in Cybersecurity” (Dark Reading)
• “Burnout: A chronic epidemic in the IT industry” (CIO)
• “The Hidden Culture Crisis and Human Burden Undermining Cybersecurity Resilience” (ISACA)
• “The Psychology of Cybersecurity Burnout” (InformationWeek)

The Center for Internet Security (CIS) has published a bunch of 2025 predictions from its cybersecurity experts. Here’s a small sampling.

• Zero trust adoption in the enterprise will gain momentum as cybersecurity teams scramble to secure resources and data from a wider number and variety of devices and locations, driving the need to continuously verify access and authorization.
• The IT/OT convergence will deepen, as more operational technology / industrial control systems (ICS) get connected to IT networks for purposes like remote management. Consequently, organizations will emphasize vulnerability management, threat detection and security frameworks for converged environments.

• Many enterprises have accumulated a glut of cybersecurity products and are struggling to use them effectively. In 2025, many of these organizations will consolidate their tool stack, discarding redundant and unused products, which will lead to a more impactful use of the products that are kept.
• Adoption of multicloud strategies will expand, as enterprises pursue this approach to comply with new data-sovereignty laws that create geographic-location requirements for cloud data storage.
• Regulation of AI systems will increase, and as a result AI compliance frameworks will be introduced, pushing companies to improve AI security in areas such as data privacy; AI model integrity; and use of AI-generated content.
• The concept of security-by-design will be embraced by IT teams, who will accordingly incorporate security, compliance and governance early in the design phase of their IT projects.

For more information about some of these topics, check out these Tenable resources:

• "Making Zero Trust Architecture Achievable" (blog)
• "What is vulnerability management?" (guide)
• "If You Only Have 3 Minutes: Key Elements of Effective Exposure Response" (blog)
• "AI Security Posture Management" (solutions page)
• "Walking the Walk: How Tenable Embraces Its 'Secure by Design' Pledge to CISA" (blog)

During two recent webinars about vulnerability management, we polled attendees about their involvement with patch management and about their plans for automating vulnerability remediation. Check out how they responded.

(232 webinar attendees polled by Tenable, December 2024)

(235 webinar attendees polled by Tenable, December 2024)

Watch the on-demand webinars to learn about the latest in Tenable Vulnerability Management and in Tenable Security Center.

Cybercrooks are leveraging generative AI tools to sharpen financial fraud schemes against individuals and businesses, but there are ways to prevent becoming a victim.

That’s the message from the FBI in its new public service announcement titled “Criminals Use Generative Artificial Intelligence to Facilitate Financial Fraud.”

With generative AI tools, cybercriminals create believable text, images, videos and audio that seem legit, making it hard to detect financial fraud efforts, including romance scams, impersonation schemes and investment rackets.

For example, these tools allow a cybercriminal to clone voices of real people and create fake audio that sounds like them to use in phone calls. Similarly, generative AI lets scammers doctor real videos of, say, a CEO, and turn them into a clip of the CEO instructing an employee into transferring money to a fraudulent account.
 

To protect yourself in your personal life and at work from fraud attempts that use generative AI, FBI tips include:

• Look for subtle imperfections in images and videos.
• Pay attention to the caller’s tone of voice and word choice in phone calls.
• Verify the identity of callers by hanging up and dialing directly the organization they said they’re calling you from, like a bank.
• Don’t share sensitive information with people you’ve only met online or over the phone, nor send them money, gift cards, cryptocurrency or other assets. 

For more information about the confluence of AI and financial cybercrime, including trends and prevention tips:

• “The near-term impact of AI on the cyber threat” (UK National Cyber Security Centre)
• “How a new wave of deepfake-driven cyber crime targets businesses” (Security Intelligence)
• “Managing Artificial Intelligence-Specific Cybersecurity Risks in the Financial Services Sector” (U.S. Treasury Department)
• “Identity theft is being fueled by AI & cyber-attacks” (Reuters)
• “The Dark Alliance: Addressing the Rise of AI Financial Frauds and Cyber Scams” (Michigan Journal of Economics)

Software supply chain security is a key challenge for European Union member nations, requiring concerted risk assessments and the development of common policies.

So said the European Union Agency for Cybersecurity, better known as ENISA, in its “2024 Report on the State of Cybersecurity in the Union,” whose goal is to assess the cyber landscape in the EU and offer policy recommendations to strengthen cybersecurity in all 27 EU countries. Securing the software supply chain is one of the priority areas identified in the report. 

Currently, hackers are continuously trying to insert malware into legitimate software updates that are then distributed to customers via trusted delivery channels. By 2030, attacks against software supply chains are expected to become the top emerging cybersecurity threat.
 

Right now, 74% of EU countries have legislation that defines supply chain security measures, a percentage expected to increase with new EU regulatory requirements. Meanwhile, 77% of digital service providers (DSP) and operators of essential services (OES) have a policy in place to manage third-party risk.

To shore up supply chain security, ENISA proposes “stepping up EU wide coordinated risk assessments and the development of an EU horizontal policy framework,” the report reads.

The report also tackles three other critical challenges: the cybersecurity skills gap; the management of cybersecurity crises; and the need for a coordinated approach to cybersecurity policy adoption.

Recent guidance from CISA and the FBI highlights best practices to monitor and harden network infrastructure. The guidance, published in response to high-profile attacks on telecom infrastructure, is applicable to a wider audience. This blog unpacks important points and explains how Tenable products can help with compliance scans.

In November, the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released a joint statement concerning an investigation into cyberattacks on commercial telecommunications infrastructure. The ongoing investigation centers on threat actors believed to be affiliated with the People’s Republic of China (PRC) government. In response to the cyberattacks, U.S. and international government agencies, including CISA and the FBI, authored joint guidance to help network defenders improve network visibility and security. This guidance highlights the importance of monitoring and alerting, but also provides specific ways to strengthen cybersecurity with increased configuration management and strong identity hygiene. 

The U.S. government has been monitoring PRC-sponsored groups such as Volt Typhoon and Salt Typhoon because it suspects they may be preparing for a large-scale disruption of U.S. critical infrastructure. A press release from mobile telecom provider T-Mobile highlights the activity that it has identified, the controls that it had in place to help prevent a greater threat, as well as how it is collaborating with the authorities’ investigation. According to U.S. government officials, at least eight telecommunications companies have been targeted so far but there may be more. 

The new guidance can help prevent these attacks, whose main goal is to reportedly carry out cyber espionage activities on behalf of the Chinese government by, among other things, stealing customer call-records data. The guidelines pair well with recommendations in Center for Internet Security (CIS) Benchmarks for specific network devices. CIS Benchmarks are written and maintained by industry professionals with the goal of simplifying the implementation of security controls to help mitigate risk. By using CIS Benchmarks, network and security engineers can identify and harden configurations, and establish a more secure posture as suggested by the guidance.

We’ll be taking a closer look at the specific sections in the recent guidance and highlight CIS Benchmark recommendations that align with these objectives.

This section highlights monitoring and alerting best practices. It breaks these guidelines into two sets of tasks: one for network engineers and another one for network defenders. However, the common goal is to help them find and trigger alerts on misconfigurations, changes and user account activity. One key recommendation is to use an independent and centralized log-storage environment, and if possible, a security information and event management (SIEM) solution built specifically to analyze the logs to produce alerts. 

Alerting should be focused on configuration changes; configurations that don’t meet specific criteria; and open ports or enabled services. In addition, devices that accept traffic from outside of the network (external facing) should be reviewed to ensure that only necessary services are accessible to and from the internet.

Examples of centralized logging criteria can be found in CIS Benchmarks for Cisco, Fortinet, Juniper Networks and Palo Alto Networks devices:

• Cisco: “Ensure Syslog Logging is configured”
• Fortigate: “Centralized Logging and Reporting”
• Juniper: “Ensure logging data is monitored”
• Palo Alto: “Syslog logging should be configured”

This section also focuses on monitoring user- and service-account logins to ensure that anomalous login activity is detected and prevented. Unused accounts should be disabled whenever possible. Some examples of this criteria can be found in CIS Benchmarks for Check Point Software and Palo Alto Networks devices:

• Check Point: “Ensure Deny access to unused accounts is selected”
• Palo Alto: “Ensure that the User-ID service account does not have interactive logon rights”

This section aims to help reduce risk by limiting access to the network and network devices; ensuring that communication is encrypted and secure; and providing more direct guidance with regards to Cisco-based devices. This section includes recommendations regarding access control and network segmentation, provides specific protocol guidelines (such as using only SNMPv3 when SNMP is necessary), and details what is considered to be “strong” encryption. 

First, network segmentation helps to limit movement across the network and to make it easier to inspect inbound and outbound traffic. It also helps to maintain a DMZ to contain the services that must face externally (towards the internet) and prevent direct access to backend resources and networks. Segmentation also involves creating and using VLANs, and the recommendation is that these VLANs should be used to group together devices of a similar nature, which is common in most networks. In addition to segmenting the network, the authoring agencies also recommend adopting Transport Layer Security-everywhere using strong algorithms. These guidelines can help keep threat actors out of corporate networks, as well as ensure that these actors are limited in what they can do and/or see if they manage to penetrate the outermost defenses. 

Another component of segmentation is initializing a default-deny access-control list (ACL), which can be done at the firewall level. This is important for all traffic types, but especially so when isolating management traffic for network devices. Most physical network devices, such as routers and switches, have dedicated ports for management traffic that can be attached to a physically segmented network in order to limit administrative access. Further controls on lateral movement are also recommended for the management network, and it is advisable to not manage devices directly from the internet. Some examples of segmentation and ACL firewall configurations can be found in CIS Benchmarks for Cisco, Juniper Networks, and Palo Alto Networks products.

• Cisco: “Restrict Access to VTY Sessions” and “Ensure explicit deny in access lists is configured correctly”
• Juniper: “Ensure firewall filters contain explicit deny and log term”
• Palo Alto: “Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone”

The guidance further identifies numerous insecure protocols and services and notes that they should be disabled. These include FTP, TFTP, SSHv1, HTTP, and SNMP v1/v2. Additionally, any network protocols or services in use should require authentication when available, including routing protocols. Meanwhile, you should use SNMP Version 3 with encryption and authentication. Having centralized authentication, authorization, and accounting (AAA) logging is emphasized here, in addition to prior mentions of syslog configuration. Examples of identifying and disabling protocols can be found in several CIS Benchmarks for Cisco, Fortinet, Juniper Networks, and Palo Alto Networks products:

• Cisco: “Set version 2 for 'ip ssh version'”
• Fortigate: “Disable all management related services on WAN port” and “Ensure only SNMPv3 is enabled”
• Juniper: “Ensure Web-Management is not Set to HTTP”
• Palo Alto: “Ensure HTTP and Telnet options are disabled for the management interface”

This section highlights specific criteria for Cisco devices. Disabling the Smart Install and Guest Shell features is recommended, as is disabling Telnet in favor of SSH. Specific commands are also provided to disable HTTP-only access so that device management is performed over HTTPS instead. If UI access is not necessary, the secure service should also be disabled. The specific password type recommended is type-8 when possible, and type-6 encryption for securing the Terminal Access Controller Access-Control System + (TACACS+) key. The document also links to the hardening guide for Cisco IOS XE and a guide for securing NX-OS devices.

The secure-by-design concept helps introduce the security conversation earlier in the development lifecycle. This approach helps ensure that security considerations are addressed at the beginning of the product lifecycle. Customers should make sure that products they plan to buy adhere to this principle. CISA has more information on its “Secure by Design” site. Tenable has committed to a secure-by-design approach, as can be seen in a recent initiative reported on here and here.

This overview is meant to help give network and security engineers a summary of the best practices, as well as provide insight on how CIS Benchmarks cover many of the guidance’s topics. Still, engineers should read the guidance to ensure they fully understand the material and how it relates to their own networks. It’s equally important to map out the network and understand what devices exist and where they are placed. However, this is only a first step in securing the network.

Tenable has several products, such as Tenable Vulnerability Management, Tenable Security Center, and Nessus that support auditing a wide array of devices and operating systems using CIS Benchmarks. These products could help with maintaining control over risk factors that threat actors often attempt to exploit. Tenable audits are written to test for the criteria of each automated recommendation in CIS Benchmarks. After an evaluation is run against the target, a result is provided as well as remediation text from the CIS Benchmark so that engineers can remediate and harden the device or operating system.

Tenable provides audit files for the following CIS Benchmarks to help organizations assess device configurations:

• CIS Check Point Firewall Benchmark v1.1.0 - Level 1, Level 2 
• CIS Cisco ASA 9.x Firewall Benchmark v1.1.0 - Level 1, Level 2 
• CIS Cisco Firewall v8.x Benchmark v4.2.0 - Level 1 
• CIS Cisco IOS XE 16.x Benchmark v2.1.0 - Level 1, Level 2 
• CIS Cisco IOS XE 17.x Benchmark v2.1.1 - Level 1, Level 2 
• CIS Cisco IOS XR 7.x v1.0.0 - Level 1, Level 2 
• CIS Cisco NX-OS Benchmark v1.1.0 - Level 1, Level 2 
• CIS Fortigate 7.0.x Benchmark v1.3.0 - Level 1, Level 2 
• CIS Juniper OS Benchmark v2.1.0 - Level 1, Level 2 
• CIS Palo Alto Firewall 10 Benchmark v1.2.0 - Level 1, Level 2 
• CIS Palo Alto Firewall 11 Benchmark v1.1.0 - Level 1, Level 2 

These CIS Benchmarks align with the intent of the CISA hardening guidance. The example below highlights the CIS Cisco IOS XE 17.x v2.1.1 CIS Benchmark, and how it relates to the CISA hardening guidance:

Section 1.1 - Authentication, Authorization and Accounting (AAA) configuration

• Strengthening visibility as AAA logging supports user account login monitoring, and tracking changes
• Hardening systems and devices by providing identity management and policy enforcement

Section 1.2 - Access Rules for device administration

• Hardening systems and devices by restricting device management, and ensuring sessions are limited

Section 1.3 - Banner Rules to communicate legal rights to users

• Strengthening visibility by informing users they are subject to monitoring, and the event logs can support prosecution

Section 1.4 - Password Rules to enforce secure credentials and password lifecycle

• Hardening systems and devices by ensuring strong passwords are utilized, and passwords are securely stored

Section 1.5 - SNMP Rules provides guidance for secure configuration parameters

• Hardening systems and devices by ensuring SNMP is disabled, or is configured with secure parameters

Section 2.1 - Global Service Rules to reduce attack surface and disable unnecessary services

• Hardening systems and devices by disabling unnecessary, unused, exploitable, or plaintext services and protocols

Section 2.2 - Logging Rules configures log collection and forwarding

• Strengthening visibility by collecting event logs, and forwarding to a central log collection source
• Hardening systems and devices by forwarding logs to a central log collection source

Section 2.3 - NTP Rules ensures system time is provided by a single, consistent source

• Strengthening visibility by ensuring a consistent time source for event logs
• Hardening systems and devices by requiring that NTP is authenticated

Section 2.4 - Lookback Rules for configuring device initiated connections to supporting services such as AAA, SYSLOG, or NTP

• Hardening systems and devices by ensuring that traffic is initiated from a specific source, which can be used to set ACLs/filtering

Section 3.1 - Routing Rules to disable unneeded services

• Hardening systems and devices by disabling unneeded services such as source routing

Section 3.2 - Border Router Filtering defines filtering between internal and external networks

• Hardening systems and devices by implementing a strategy to control inbound and egress traffic

Section 3.3 - Neighbor Authentication configures routing protocol authentication

• Hardening systems and devices by requiring routing protocols are authenticated

• Tenable Nessus
• Tenable Security Center
• Tenable Vulnerability Management
• Tenable Research audits
• Who is CIS?
• "Enhanced Visibility and Hardening Guidance for Communications Infrastructure" joint publication from various U.S. and international government agencies

Microsoft addressed over 1000 CVEs as part of Patch Tuesday releases in 2024, including 22 zero-day vulnerabilities.

Microsoft’s Patch Tuesday, a monthly release of software patches for Microsoft products, has just celebrated its 21st anniversary. After a wrap-up covering the 20th anniversary in 2023, the Tenable Security Response Team (SRT) chose to keep the tradition and cover trends and significant vulnerabilities from the 2024 Patch Tuesday releases.

In 2024, Microsoft patched 1,009 CVEs throughout the year across a multitude of products. In contrast, 2023 saw 909 CVE’s patched and in 2022, 917 CVE’s were patched. While Microsoft has yet to break its 2020 record with 1,245 CVE’s patched, 2024 was still significant, as it is only the second time since Patch Tuesday’s inception that Microsoft patched over 1,000 CVE’s in a year.

Year over year, we see a steady increase in CVEs patched, with the exception of the outlier in 2020, a peak CVE count we have not yet seen matched.

In 2024, the largest CVE count was observed in April, with Microsoft releasing patches for 147 CVEs. Only three months saw CVE counts over 100, with an average of 84 CVE’s patched per month.

Each month, Microsoft categorizes vulnerabilities into four main severity levels: low, moderate, important and critical.

Just as in 2023, 2024 saw the majority of vulnerabilities rated as important, accounting for 93.6% of all CVEs patched, followed by critical at 5.4%. Moderate accounted for 1.1%, while there were no CVEs rated as low in 2024.

In addition to severity levels, Microsoft also categorizes vulnerabilities by seven impact levels: remote code execution (RCE), elevation of privilege (EoP), denial of service (DoS), information disclosure, spoofing, security feature bypass and tampering.

Once again in 2024, RCE vulnerabilities led the impact category, accounting for 39.7%, while EoP vulnerabilities accounted for 28.8%. DoS vulnerabilities ranked third, accounting for 10%, followed by information disclosure flaws at 8.3% and security feature bypass vulnerabilities at 8.0%. Last year, there were no vulnerabilities categorized as tampering, but this year, there were just four, which accounted for 0.4%.

According to Statista, Microsoft’s Windows operating system (OS) has a 72% market share as of February 2024, making it the most prominent OS. With the largest market share, Microsoft remains a top target for cybercriminals and advanced persistent threat (APT) groups. On occasion, these groups find and exploit vulnerabilities that remain unknown to Microsoft, known as zero-day vulnerabilities. Zero-day vulnerabilities are defined as vulnerabilities in software that have been exploited in the wild and/or have been publicly disclosed prior to patches becoming available. These zero-day vulnerabilities are often leveraged in limited, targeted attacks, however exploitation of these flaws can vary in depth and breadth.

In 2024, Microsoft patched 22 CVEs that were identified as zero-day vulnerabilities. Of the 22 zero-day vulnerabilities patched in 2024, 36.4% were EoP flaws. EoP vulnerabilities are often leveraged by APT actors and by determined cybercriminals seeking to elevate privileges as part of post-compromise activity. Following EoP flaws, security feature bypass vulnerabilities accounted for 27.3% of zero-days in 2024. While RCEs were the most prominent vulnerabilities across Patch Tuesday, they only accounted for 18.2% of zero-day flaws.

While these zero-days made up a small portion of the overall CVE’s addressed by Microsoft in 2024, we analyzed some of the most notable zero-day vulnerabilities of 2024. The table below includes these CVE’s with some details around their exploitation activity.

As we reflect on Patch Tuesday vulnerabilities in 2024, despite the year over year CVE counts being steady, we observed a small increase this year. While there will always be outliers, it is likely that 2025 will continue to follow an upward trend. In June, Microsoft announced that CVE’s would be issued for vulnerabilities in cloud-based products, even when no end user action is required. This could lead to a sharp increase in the number of CVEs assigned next year.

View the video below for a summary of key takeaways:

The SRT will continue to blog about Patch Tuesday each month along with other significant vulnerabilities that represent risk across the threat landscape, ensuring our readers are equipped with the most up to date information about the exposures that require immediate action.

• Tenable Blog: Microsoft Patch Tuesday 2023 Year in Review

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

1. 16Critical
2. 54Important
3. 0Moderate
4. 0Low

Microsoft addresses 70 CVEs with 16 rated critical, including one zero-day that was exploited in the wild.

Microsoft patched 70 CVEs in its December 2024 Patch Tuesday release, with 16 rated critical, and 54 rated as important.

This month’s update includes patches for:

• GitHub
• Microsoft Defender for Endpoint
• Microsoft Office
• Microsoft Office Access
• Microsoft Office Excel
• Microsoft Office Publisher
• Microsoft Office SharePoint
• Microsoft Office Word
• Remote Desktop Client
• Role: DNS Server
• Role: Windows Hyper-V
• System Center Operations Manager
• Windows Cloud Files Mini Filter Driver
• Windows Common Log File System Driver
• Windows File Explorer
• Windows IP Routing Management Snapin
• Windows Kernel
• Windows Kernel-Mode Drivers
• Windows LDAP - Lightweight Directory Access Protocol
• Windows Local Security Authority Subsystem Service (LSASS)
• Windows Message Queuing
• Windows Mobile Broadband
• Windows PrintWorkflowUserSvc
• Windows Remote Desktop
• Windows Remote Desktop Services
• Windows Resilient File System (ReFS)
• Windows Routing and Remote Access Service (RRAS)
• Windows Task Scheduler
• Windows Virtualization-Based Security (VBS) Enclave
• Windows Wireless Wide Area Network Service
• WmsRepair Service

Remote code execution (RCE) vulnerabilities accounted for 42.9% of the vulnerabilities patched this month, followed by elevation of privilege (EoP) vulnerabilities at 38.6%.

CVE-2024-49138 is an EoP vulnerability in the Windows Common Log File System (CLFS) Driver. It was assigned a CVSSv3 score of 7.8 and is rated as important. It was exploited in the wild as a zero-day, though no details about the in-the-wild exploitation were known at the time this blog post was published.

In addition to CVE-2024-49138, Microsoft patched two other CLFS driver EoP vulnerabilities: CVE-2024-49090, CVE-2024-49088, both assigned a CVSSv3 score of 7.8, were rated as important and assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index.

This is the ninth vulnerability in the Windows CLFS driver patched in 2024, and the first that was exploited in the wild as a zero-day this year. In 2023, there were 10 CLFS vulnerabilities patched, including two zero-day vulnerabilities in the CLFS driver that were exploited (CVE-2023-28252, CVE-2023-23376). CLFS driver vulnerabilities have been a popular attack vector and exploited in the wild by ransomware operators in the last few years according to researchers.

CVE-2024-49070 is a RCE vulnerability in Microsoft SharePoint. It was assigned a CVSSv3 score of 7.4 and is rated as important. Microsoft’s advisory notes that complexity is high and successful exploitation requires the attacker to first prepare the target in order to improve reliability of an exploit. While no details have been provided, Microsoft assessed this vulnerability as “Exploitation More Likely.”

In addition to CVE-2024-49070, Microsoft patched two information disclosure vulnerabilities (CVE-2024-49062, CVE-2024-49064) and an EoP vulnerability (CVE-2024-49068) in Microsoft SharePoint.

CVE-2024-49118 and CVE-2024-49122 are RCE vulnerabilities in Microsoft Message Queuing (MSMQ). Both were assigned a CVSSv3 score of 8.1 and are rated as critical. According to both of the Microsoft advisories, successful exploitation requires an attacker winning a race condition. Despite this requirement, Microsoft assessed CVE-2024-49122 as “Exploitation More Likely” while CVE-2024-49118 was assessed as “Exploitation Less Likely” as the winning the race condition must occur “during the execution of a specific operation that recurs in a low frequency on the target system.”

In order for a system to be vulnerable, the MSMQ service must be added and enabled. According to Microsoft, if the service is enabled on a Windows installation, a service named “Message Queueing” will be running on TCP port 1801. Tenable customers can use Plugin ID 174933 to identify systems that have this service running.

CVE-2024-49118 and CVE-2024-49122 brings the total to six RCE’s affecting MSMQ that were patched in 2024. One was addressed in the June Patch Tuesday (CVE-2024-30080) release, two addressed in the April Patch Tuesday (CVE-2024-26232, CVE-2024-26208) release and one in February's Patch Tuesday (CVE-2024-21363) release.

CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128 and CVE-2024-49132 are RCE vulnerabilities affecting Windows Remote Desktop Services. All nine of these vulnerabilities were rated as critical and received CVSSv3 scores of 8.1. Successful exploitation is complex and requires an attacker to trigger a race condition in order to “create a use-after-free scenario” which could lead to arbitrary code execution. With a high complexity for exploitation, Microsoft assessed these vulnerabilities as “Exploitation Less Likely.”

In addition to these nine RCE’s, Microsoft addressed CVE-2024-49075, a DoS vulnerability affecting Remote Desktop Services.

A list of all the plugins released for Microsoft’s December 2024 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

• Microsoft's December 2024 Security Updates
• Tenable plugins for Microsoft December 2024 Patch Tuesday Security Updates

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Healthcare is one of the most highly regulated industry sectors in the world. Adhering to compliance standards while also ensuring optimal patient experiences is a challenge. DSPM capabilities in Tenable Cloud Security can ease the burden on cybersecurity teams.

When it comes to cybersecurity, the healthcare sector can find itself stuck between a rock and a hard place. To improve patient care, organizations in this sector are constantly trying to innovate, adopting new technologies to improve the patient experience.

In parallel, healthcare organizations must also ensure that they have the proper cybersecurity guardrails in place to use and store the influx of new patient data they collect. Such data includes personal health information (PHI), which is subject to strict regulations like the U.S. Health Insurance Portability and Accountability Act (HIPAA) and the EU’s General Data Protection Regulation (GDPR).

Organizations in this sector must be forward-thinking and embrace innovation while maintaining rigorous data security and ensuring compliance with ever-evolving industry regulations.

Tenable Cloud Security’s Data Security Posture Management (DSPM) capabilities empower healthcare organizations to navigate this balancing act and provide their patients with care and services powered by the most cutting-edge technology, while holistically securing their most sensitive data.

Think of your organization's data security posture as its overall health. Just as a healthy individual has strong natural immunity defenses that fight off illnesses, a strong data security posture is one that has proactive measures implemented to prevent data breaches and unauthorized access.

Tenable Cloud Security provides unmatched value to healthcare organizations, helping them build strong security postures in several ways:

• Continuous monitoring: Tenable Cloud Security constantly monitors cloud environments for suspicious activity, unauthorized access attempts and potential vulnerabilities. This allows cybersecurity teams to identify and address threats before they can cause harm.
• Automated threat detection: Tenable Cloud Security utilizes advanced technology to detect sophisticated cyberthreats before data is exfiltrated or compromised. This ensures that organizations do not rely solely on manual detection methods, which can be time-consuming, ineffective and prone to error.
• Compliance management: Healthcare is one of the most highly regulated and stringently controlled sectors in the market. Tenable Cloud Security helps organizations remain continuously compliant with industry standards and government regulations by providing tools and insights to identify and manage sensitive data.

Just as a doctor uses an X-ray to reveal and diagnose hidden health issues, data discovery plays a crucial role in identifying unknown cybersecurity threats. Tenable Cloud Security utilizes advanced data discovery techniques to uncover sensitive data residing across an organization’s cloud environment, even in unexpected locations. This comprehensive understanding of your company’s data landscape allows you to implement appropriate security controls and close any potential security gaps.

Tenable Cloud Security takes data discovery a step further by:

• Automating the process: Tenable Cloud Security automates the discovery of sensitive data, eliminating the need for manual searches and reducing the risk of human error.
• Data classification: Tenable Cloud Security classifies your data based on its sensitivity level, allowing you to prioritize your security efforts and focus on protecting the most critical information.
• Continuous discovery: Tenable Cloud Security continuously monitors your cloud environment for new data and automatically identifies any new sensitive information that is added.

By understanding and classifying your data, Tenable easily implements appropriate security controls such as access restrictions and encryption to ensure its confidentiality and integrity.

Just as regular checkups and proactive healthcare are crucial for maintaining good health, continuously monitoring and addressing underlying security posture issues are essential for securing sensitive data. Ignoring potential cyberthreats, even if they seem minor, can lead to serious consequences down the line, including data exfiltration and malicious activity.

With Tenable Cloud Security, healthcare organizations can achieve the perfect balance of innovation and compliance. This ensures the confidentiality, integrity and availability of sensitive patient data, allowing you to focus on your core mission of providing excellent care and driving advancements in healthcare.

• View the on-demand webinar: Know Your Exposure: Is Your Cloud Data Secure in the Age of AI?
• Download the data sheet: Data Security in a Unified Cloud Security Solution
• View the infographic: When CNAPP met DSPM
• Watch the demo video

Don’t miss the Linux Foundation’s deep dive into open source software security. Plus, cyber agencies warn about China-backed cyber espionage campaign targeting telecom data. Meanwhile, a study shows the weight of security considerations in generative AI projects. And get the latest on ransomware trends, financial cybercrime and critical infrastructure security.

Dive into six things that are top of mind for the week ending Dec. 6.

Improperly secured developer accounts. Lack of a standard naming schema for software components. The persistence of legacy software.

Those three issues put the reliability and security of free and open source software (FOSS) at risk, a new Linux Foundation study has found. 

Published this week, “Census III of Free and Open Source Software — Application Libraries” is based on about 12 million observations of FOSS at 10,000-plus companies. Its aim: to provide a better understanding of FOSS use and security challenges, given FOSS’ widespread adoption globally.

“Our goal is to not only provide an updated list of the most widely used FOSS, but to also provide an example of how the distributed nature of FOSS requires a multi-party effort to fully understand the value and security of the FOSS ecosystem,” the study reads.

Data sharing, coordination and investment are keys to preserving the value of FOSS, which has become critical for the digital economy, the authors wrote.

Here are more details about the three key security issues identified in the study:

• To conduct their FOSS work, developers often use individual accounts, which typically lack the security protections of organizational accounts. Hosting FOSS projects under individual developer accounts creates multiple risks, such as making it easier for hackers to breach individual computing environments and tamper with FOSS code.
• A lot of legacy FOSS software still exists that isn’t being maintained nor updated, which makes the software more vulnerable to attacks.
• The FOSS ecosystem needs a standardized schema for naming software components, a key issue for supply chain security. “Until one is widely used, strategies for software security, transparency and more will have limited effect,” the study reads.

For more information about open source security:

• “Concise Guide for Developing More Secure Software” (Open Source Security Foundation)
• “OWASP Top 10 Risks for Open Source Software” (OWASP)
• “CISA Open Source Software Security Roadmap” (CISA)
• “Seven ways to secure open-source software” (SC World)
• “Is Open Source a Threat to National Security?” (InformationWeek)

Security teams in charge of defending networks and communications infrastructure should take steps to prevent attacks from China-affiliated hackers that have recently compromised the networks of major global telecom providers.

So said cyber agencies from Australia, Canada, New Zealand and the U.S. this week in a joint document that offers network and communications-infrastructure engineers recommendations for strengthening network visibility and hardening systems.

The silver lining: The cyberattackers are exploiting known, existing weaknesses in their victims’ infrastructure. “No novel activity has been observed,” reads the publication, titled “Enhanced Visibility and Hardening Guidance for Communications Infrastructure.”

“Patching vulnerable devices and services, as well as generally securing environments, will reduce opportunities for intrusion and mitigate the actors’ activity,” the document adds.

These are some of the recommendations for defenders of networks and communications systems.

• To enhance visibility
  • Adopt alerting mechanisms to detect unauthorized changes to the network and configuration modifications to network devices.
  • Monitor anomalous logins into user and service accounts, and disable inactive accounts.
  • Implement a centralized logging system that can analyze data from multiple sources.
• To harden systems and devices
  • Implement strong network segmentation.
  • Adopt an access control list (ACL) strategy that denies access to the network by default, and log all denied traffic.
  • Disconnect unneeded internet-facing infrastructure and monitor the infrastructure that does need to be exposed to the internet.

The joint document doesn’t name the hacking group. However, The Wall Street Journal identified it as Salt Typhoon when, citing anonymous sources, it reported in September that the group had breached several U.S. telecoms, including Verizon and AT&T. 

Salt Typhoon’s main goal is reportedly to carry out cyber espionage activities on behalf of the Chinese government. Salt Typhoon’s cyber espionage campaign is “ongoing” and authorities feel there is still much to be discovered about it, a Cybersecurity and Infrastructure Security Agency (CISA) official told reporters this week.

“We cannot say with certainty that the adversary has been evicted,” CISA official Jeff Greene said during a press call, as quoted by Politico. According to NBC News, Greene also recommended that Americans use encrypted messaging apps to protect themselves from Salt Typhoon.

Last month, CISA and the FBI described the Chinese-government backed cyber espionage campaign as “broad and significant,” resulting in the theft of customer call records data; the compromise of private communications of government officials and politicians; and the copying of law enforcement information related to wiretap requests.

For more information about Salt Typhoon and its ongoing cyber espionage campaign:

• “Salt Typhoon's surge extends far beyond US telcos” (The Register)
• “Chinese hackers breached T-Mobile's routers to scope out network” (Bleeping Computer)
• “Telcos struggle to boot Chinese hackers from networks” (Axios)
• “China's 'Salt Typhoon' Hackers Breached US Networks Using Existing Flaws” (PCMag)
• “Salt Typhoon Builds Out Malware Arsenal With GhostSpider” (Dark Reading)

As organizations deepen their generative AI use, security and data protection considerations feature prominently in their plans — including whether to build their own generative AI infrastructure.

That’s according to the Linux Foundation’s “Shaping the Future of Generative AI” report, which polled 316 respondents familiar with their organizations’ generative AI adoption. 

“Security remains a cornerstone of this transformation. As organizations embrace GenAI, safeguarding sensitive data and ensuring compliance with industry standards have become critical imperatives,” reads an Open Source Security Foundation blog about the report.

Among organizations deploying their own generative AI infrastructure, security and data control ranked as the top motivation for doing so. Three other data security priorities — data sovereignty; privacy; and intellectual property protection — ranked third, fifth and eighth, respectively.

(Source: Linux Foundation's "Shaping the Future of Generative AI," November 2024)

Meanwhile, respondents, who were based primarily in the Americas, Europe and Asia-Pacific, ranked security as the second most important criteria when choosing a generative AI model or tool, with privacy and regulatory compliance ranking fourth and fifth, respectively.

(Source: Linux Foundation's "Shaping the Future of Generative AI," November 2024)

Furthermore, respondents, who included executives, developers, consultants, data scientists and operations staffers, also ranked security and data protection risks high when asked about their concerns when adopting generative AI models and tools.

(Source: Linux Foundation's "Shaping the Future of Generative AI," November 2024)

For more information about AI security, check out these Tenable blogs:

• “AI Security Roundup: Best Practices, Research and Insights”
• “How to Discover, Analyze and Respond to Threats Faster with Generative AI”
• “Never Trust User Inputs — And AI Isn't an Exception: A Security-First Approach”
• “Securing the AI Attack Surface: Separating the Unknown from the Well Understood”
• “Do You Think You Have No AI Exposures? Think Again”

Here’s a report that cyber teams at critical infrastructure organizations will likely find useful and informative.

The topic: How CISA’s red team breached a critical infrastructure organization’s IT network and then compromised a domain controller and a human machine interface (HMI), which served as an operational technology (OT) dashboard.

The unnamed organization requested that CISA conduct the red team assessment (RTA), in which CISA acted like a cyberattacker to probe the organization’s cybersecurity detection and response processes and procedures.

In broad strokes, here are some of the ways in which CISA’s red team circumvented the critical infrastructure organization’s cyber defenses:

• After failing to gain initial success via spearphishing, CISA’s red team hit pay dirt when it discovered a web shell left on a Linux web server by mistake.
• Using the web shell, CISA’s red team ran arbitrary commands on the Linux web server and moved laterally into the internal network. 
• Using valid accounts, it compromised the organization’s domain and several sensitive business systems.
• Eventually, CISA’s team compromised a Windows domain controller, which allowed it to move laterally to all Windows hosts. 
• With persistent access to Linux and Windows systems across the organization’s networks, CISA’s red team probed further, accessing, among other assets, the HMI OT dashboard.

Timeline of CISA's red team cyberthreat activity

(Source: CISA’s advisory “Enhancing Cyber Resilience: Insights from CISA Red Team Assessment of a US Critical Infrastructure Sector Organization,” November 2024)

Key findings include:

• The organization didn’t properly block access from the perimeter network to the internal network.
• The organization relied too much on host-based tools, while lacking sufficient network-layer protections.
• Multiple systems were insecurely configured.
• The organization failed to review security alerts that were triggered by the red team’s actions.
• Identity management was poor.
• The organization used software that is known to be insecure and outdated.

Some of CISA’s mitigation recommendations for cybersecurity teams are:

• Adopt the principle of least privilege, segment the perimeter network, and adopt firewalls, access control lists and intrusion prevention systems.
• Tune network appliances to detect anomalous behavior, and limit the use of admin tools.
• Harden system configuration by, for example, removing “unconstrained delegation” functionality from all servers.
• Keep systems and software up to date.
• Adopt a centralized identity and access management system.
• Prohibit the storage of passwords in plaintext.

To get all the details, read CISA’s advisory “Enhancing Cyber Resilience: Insights from CISA Red Team Assessment of a US Critical Infrastructure Sector Organization.”

To learn more about securing OT systems in critical infrastructure environments, check out these Tenable resources:

• “CISA Finding: 90% of Initial Access to Critical Infrastructure Is Gained Via Identity Compromise. What Can You Do About It?” (blog)
• “OT Security Master Class: Understanding the Key Principles, Challenges, and Solutions” (on-demand webinar)
• “Operational Technology (OT) Security: How to Reduce Cyber Risk When IT and OT Converge” (guide)
• “5 Key OT Security Use Cases For The DoD: Safeguarding OT Networks and Cyber-Physical Systems” (white paper)
• “Unlock Advanced IoT Visibility in your OT Environment Security” (on-demand webinar)

Here’s a stat to remind your organization to make sure its virtual private network (VPN) system is configured correctly, has no vulnerabilities and is up to date: Almost 30% of ransomware attacks in the third quarter compromised insecure VPNs to gain initial access, sharply up from about 5% in the second quarter.

That’s according to Corvus Insurance’s “Q3 2024 Cyber Threat Report,” which said many of the ransomware attacks in Q3 leveraged outdated VPN software and poorly protected VPN gateways. 

Specifically, organizations shouldn’t allow the use of common usernames and weak passwords in their VPN user accounts, and should protect them with multi-factor authentication. 

“The persistence of weak credentials and lack of multi-factor authentication on VPN gateways has facilitated these attacks, making secure access controls crucial for mitigating threats,” reads the report.

The Corvus ransomware report also found that five ransomware groups — RansomHub, PLAY, LockBit 3.0, MEOW and Hunters International — accounted for 40% of all attacks. However, the ransomware ecosystem remains diverse, with almost 60 groups active during the third quarter, which makes the threat landscape more complex for cyber teams to manage.

For more information about ransomware prevention:

• “How Can I Protect Against Ransomware?” (CISA)
• “Best practices for protection from ransomware in cloud storage” (TechTarget)
• “Steps to Help Prevent & Limit the Impact of Ransomware (Center for Internet Security)
• “Mitigating malware and ransomware attacks” (UK National Cyber Security Centre)
• “Preventing Ransomware Attacks at Scale” (Harvard Business Review)

VIDEO

Ultimate Guide to Ransomware for Businesses (TechTarget)

A five-month Interpol operation led by South Korea has led to the arrest of 5,500-plus suspected financial cybercriminals and to the seizure of more than $400 million in assets.

With Operation HAECHI, Interpol and law enforcement partners from 40 countries went after cyber crooks involved in a variety of financial scams, including:

• voice phishing
• romance scams
• investment fraud
• e-commerce fraud

International collaboration is key to fighting financial cybercrime, which has devastating effects on its victims, Interpol Secretary General Valdecy Urquiza said in a statement.

“It’s only through united efforts that we can make the real and digital worlds safer,” he said.

How NIST is working with Tenable and other private sector stakeholders to better enable zero trust implementation.

Trust no one. Verify everything. All the time. When it comes to cybersecurity and protecting your expanding attack surface, that’s more than a catchphrase. It’s the way you must approach access to your network, systems and assets. Ultimately, this is an approach the federal government must use, expand upon and intertwine into its cybersecurity standards.

When thinking about zero trust, it’s important to understand this is an evolving practice that goes beyond traditional “trust but verify” approaches to cybersecurity. According to a Tenable blog by John Kindervag, who created the Zero Trust Model of Cybersecurity when he was a principal analyst at Forrester Research, “While the zero trust model represents a significant divergence from the legacy, moat-and-castle approach to network security, it can be implemented by practitioners using commercial off-the-shelf technology. And it's built upon current cyber best practices and sound cyber hygiene, such as vulnerability management, proactive patching and continuous monitoring, already implemented in most organizations today.”

The principles of zero trust require rethinking the trust-but-verify model upon which so much IT infrastructure has been built. It calls for viewing trust as a vulnerability instead and calls for removing the notion of trust from digital systems.

Zero trust is a proactive cybersecurity approach. However, with anything proactive, it’s important to remember there is a constant need for adaptation and new protocols that can withstand the changing threat landscape.

On Dec. 4, NIST released the draft Guidance for Implementing Zero Trust Architecture for public comment. Tenable has been proud to work alongside the NIST National Cybersecurity Center of Excellence (NCCoE) to launch the Zero Trust Architecture Demonstration Project. This collaborative project has brought together multiple industry participants to launch end-to-end zero trust architecture implementations to help industry and government reduce the risk of cyberattacks. As part of this collaborative project, Tenable has participated in a lab demonstration of how to deploy examples of zero trust architecture in hybrid enterprise environments using commercially available technology contributions.

“The [...] demonstration project, 'Implementing a Zero Trust Architecture,' stands as a critical cybersecurity initiative that showcases the resilience of ZTAs across multiple practical implementations.”

—Alper Kerman, Security Engineer and Principal Lead of the NCCoE Zero Trust Project at NIST

“The NCCoE ZTA demonstration project, 'Implementing a Zero Trust Architecture,' stands as a critical cybersecurity initiative that showcases the resilience of ZTAs across multiple practical implementations,” explained Alper Kerman, Security Engineer and Principal Lead of the NCCoE Zero Trust Project at NIST. “Each implementation combines a strategic mix of commercially available products and services, contributed by partner organizations such as Tenable. Their invaluable role in providing enhanced visibility and insights has been essential in strengthening our defenses, ensuring we can safeguard our networks against the ever-evolving landscape of cyberthreats.”

As a main collaborator, Tenable contributed exposure management technology and capabilities for the ZTA Demonstration Protect. As a leader in cybersecurity, Tenable was able to harness its expertise to best use security analytics, building out a program that had orchestration and enforcement capabilities through scanning and assessment, endpoint monitoring, traffic inspection and network discovery.

When implementing a zero trust architecture, it is a foundational imperative for organizations and enterprises to inventory, enumerate and assess every asset on the network. This allows for a better understanding of assets in context and how they are interconnected. Analyzing data from operational technology (OT), internet of things (IoT), IT, cloud and network plays a critical role in helping organizations gain visibility into how assets are interconnected, evaluate exposure based on real-world threats and context, and prioritize remediation and mitigation efforts. Ultimately, it’s important for an organization to completely understand the entire attack surface in order to evaluate which assets are most vulnerable. Zero trust architecture is a way to programmatically collect risk telemetry and make informed decisions that can help reduce exposure. By adopting zero trust architecture approaches, it is possible to make significant progress toward this objective.

At Tenable, we are proud to partner with our government’s leading agencies to develop strategic ways to approach cybersecurity practices. Our technology solutions help the NCCoE develop a use case that exemplifies the ZTA motto — Trust no one. Verify everything. All the time. Organizations, enterprises and federal agencies need a security model that adapts to today’s modern network, embraces remote work and protects users, applications and data wherever they’re located. The NCCoE ZTA practice guide and reference architecture can serve as an outstanding model to help them achieve their cybersecurity objectives.

• View the updated draft Guidance for Implementing a Zero Trust Architecture, released by NIST on Dec. 4
• Find out more about the Zero Trust Architecture demonstration project
• Download the SANS Institute white paper Navigating the Path to a State of Zero Trust in 2024

Comprehensive, action-oriented workflows and key metrics are the cornerstones of a successful exposure response program. Here’s what you need to know.

In today’s fast-paced digital landscape, managing vulnerabilities is essential — but it’s about more than identifying weaknesses. Effective vulnerability management requires prioritizing and addressing risks in ways that drive security improvements and prevent major exposures. 

Exposure response strategies support this goal, delivering workflows that go beyond traditional risk scoring, enabling teams to prioritize vulnerabilities, set goals and track service level agreements (SLAs) by owner — ensuring a true end-to-end remediation process. Tracking progress by SLA compliance rather than by cumulative risk scores or vulnerability counts ensures accountability.

Effective exposure response focuses on three "golden metrics" that every remediation workflow should track for maximum impact:

• Vulnerability age: This is the age of your unresolved vulnerabilities. 
• Mean time to remediate (MTTR): Measures how long your vulnerabilities remain open.
• Percentage of vulnerabilities remediated: Reflects the scope of remediation efforts and the team’s overall effectiveness.

Tracking these indicators is essential for prioritizing and resolving vulnerabilities that matter most.

For a deeper dive, watch the video below, where we break down each metric’s importance in exposure response workflows. 

• Read the blogs: 
• If You Only Have 2 Minutes: Best Practices for Setting Exposure Response SLAs
• If You Only Have 3 Minutes: Key Elements of Effective Exposure Response
• View the data sheet Exposure Response: Identify Exposures and Take Action Fast

Keeping vulnerability management efforts focused on achievable goals is key to avoiding cybersecurity team burnout. Here’s how exposure response workflows and SLAs can help.

As organizations grow in the digital age, vulnerability management has become a vital cybersecurity practice. But managing vulnerabilities effectively means more than just identifying potential issues; it’s about setting priorities that align with your organization’s goals and resources. A robust exposure response program elevates this process by creating comprehensive, actionable workflows that prioritize based on real-world impact rather than just risk scores or vulnerability counts. This approach shifts vulnerability management from a reactive scramble into a proactive, sustainable strategy, driven by clear accountability and performance metrics.

Exposure response workflows help teams prioritize risks based on impact and urgency. But prioritizing isn’t enough on its own — effective exposure response requires a practical approach to execution, which is where service level agreements (SLAs) make the difference.

A crucial part of exposure response is establishing SLAs. Unlike traditional methods that rely on cumulative risk scores or vulnerability counts, SLA-based workflows measure performance by individual campaigns and specific accountability metrics. This approach prevents “learned helplessness,” where constant urgency can overwhelm teams and make the workload feel insurmountable. 

SLAs help teams focus on attainable goals by defining what ‘critical’ or ‘high’ means based on your organization’s risk appetite, using Common Vulnerability Scoring System (CVSS) or Tenable Vulnerability Priority Rating (VPR) score ranges as benchmarks. This approach reduces the count of past-due critical and high vulnerabilities to zero instead of attempting to fix every issue at once — even if not every vulnerability is resolved immediately.

Moreover, SLAs offer flexibility for specific needs. Industry requirements, such as Payment Card Industry Data Security Standard (PCI-DSS) compliance, may necessitate stricter SLAs for certain areas. Exposure Response in Tenable Vulnerability Management allows teams to set customized SLAs in these contexts without disrupting the overall program.

By establishing realistic SLAs, teams can maintain focus and ensure that critical vulnerabilities are addressed promptly, preventing chaos and inefficiency.

For a deeper dive into these concepts, check out the video below.

• Read the blogs:
• If You Only Have 1 Minute: Quick Tips for Effective Exposure Response
• If You Only Have 3 Minutes: Key Elements of Effective Exposure Response
• View the data sheet Exposure Response: Identify Exposures and Take Action Fast

Learned helplessness and lack of prioritization are two vulnerability management pitfalls cybersecurity teams face. Here’s how an exposure response program can help.

In today’s complex cybersecurity landscape, effective vulnerability management is crucial. Organizations are bombarded with a staggering volume of vulnerabilities every month, and traditional methods often fall short. They tend to just identify issues without offering a sustainable way to tackle them.

Enter exposure response. This approach transforms how teams prioritize, remediate and manage vulnerabilities. Instead of overwhelming teams, exposure response workflows empower them to focus on the most critical threats to their cybersecurity posture.

Why should you care? Here are some common pitfalls organizations face:

• Learned helplessness: Teams can become paralyzed by the sheer number of vulnerabilities, leading to inaction.
• Emergency mode: When every vulnerability feels urgent, it becomes impossible to prioritize effectively.

Exposure response workflows address these challenges head-on. By leveraging Service Level Agreements (SLAs), teams can maintain focus and drive measurable progress. This shift enhances security outcomes and fosters a resilient, sustainable cybersecurity strategy that adapts to evolving threats.

Exposure response programs are essential for creating a sustainable cybersecurity strategy. By implementing exposure response workflows, teams can avoid being overwhelmed by vulnerabilities.

Teams can become paralyzed by the sheer number of vulnerabilities, leading to inaction.

Instead of trying to fix every issue, they can work within SLAs to prioritize and tackle what matters most, using tools like the Tenable Vulnerability Priority Rating (VPR) and the Common Vulnerability Scoring System (CVSS). This structured approach mitigates risk and empowers leaders to make data-driven decisions, enhancing their cybersecurity posture.

SLAs are tailored deadlines reflecting organizational priorities. SLA-based workflows outperform traditional methods by enabling measurement at the campaign level, providing clearer accountability. This unique approach allows organizations to compare progress internally and against industry peers, driving continuous improvement.

When every vulnerability feels urgent, it becomes impossible to prioritize effectively.

Setting practical SLAs helps teams focus on achievable goals, such as reducing past-due vulnerabilities rather than addressing everything at once. This targeted approach not only supports compliance but also enhances the team's ability to manage workloads sustainably.

Tracking key metrics provides an accurate assessment of exposure response effectiveness. Three “golden metrics” serve as essential indicators:

• Vulnerability age: This is the age of your unresolved vulnerabilities. Shorter ages indicate rapid identification and resolution.
• Mean time to remediate (MTTR): Measures how long your vulnerabilities remain open.
• Percentage of vulnerabilities remediated: Reflects the scope of remediation efforts and the team’s overall effectiveness.

When all three metrics are favorable, the exposure response program is performing well. Detailed tracking and reporting offer clear accountability and visibility into remediation efforts, reinforcing the importance of consistent progress.

Incorporating exposure response into vulnerability management gives organizations a structured way to handle cybersecurity risks proactively. By focusing on SLAs and tracking critical metrics, organizations can maintain resilience against threats while fostering a sustainable, impactful security posture. For more insights, check out the accompanying video and other posts in this series.

• Read the blogs: 
• If You Only Have 1 Minute: Quick Tips for Effective Exposure Response
• If You Only Have 2 Minutes: Best Practices for Setting Exposure Response SLAs
• View the data sheet Exposure Response: Identify Exposures and Take Action Fast