For example, governance should ensure that all systems are visible and operational and that enterprise-level security processes and policies are in place.
The addition of a sixth function, “govern,” is a clear message to organizations that to be successful, there also must be actively managed policies and processes underpinning the other functional areas, praised Viakoo CEO Bud Broomhead.
“This is already the case with cyber insurance, and NIST’s recent update will help organizations not just reduce their threat landscape but also be better positioned for compliance, audit, and insurance requirements on cybersecurity,” he told TechNewsWorld.
Step in the Right Direction
“With this update, we are trying to reflect current usage of the Cybersecurity Framework and to anticipate future usage as well,” said NIST’s Cherilyn Pascoe, the framework’s lead developer.
“This includes the new govern pillar acknowledging the changes in the way organizations now respond to threats to support their overall cybersecurity strategy.”
The second revelation is that details on how the breach occurred and what potential impact and data could be impacted are still vague, with no certainty provided by Microsoft, Mandy proffered. That happened despite the focus and investment from Microsoft on cybersecurity as a revenue stream.
After considering more than a year’s worth of community feedback, NIST released the new draft version of the Cybersecurity Framework (CSF) 2.0 to help organizations understand, reduce, and communicate about cybersecurity risk. It reflects changes in the cybersecurity landscape and makes it easier to implement the cybersecurity framework for all organizations.
The most significant lesson from this breach for organizations, he noted, is that logging and monitoring of data events — or data detection and response — is the biggest lever that one has in the cloud to detect, investigate, and respond to security incidents, particularly those involving third parties.
Given that NIST expands its scope to include smaller organizations, many will find that a managed service provider is the best way to make their organization compliant with the NIST Cybersecurity Framework v2.0.
Multicloud and hybrid cloud are pervasive throughout the enterprise, from computing to authentication. Therefore, the master key represents access to all enterprise systems.
First, it revealed how Microsoft’s commercial constructs bundle needed security features with other products. The intent is to restrict customers from selecting competitive products on a commercial basis, he said.
“The Board’s findings and recommendations from this assessment will advance cybersecurity practices across cloud environments and ensure that we can collectively maintain trust in these critical systems,” offered Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly.
While a review will provide visibility into the risks of moving computing resources to the cloud, it does not appear that organizations are heeding that warning, Smith confided.
The goal is to build on its commitment to invest in developing secure software and software development techniques. The request for public comment also seeks to advance initiative 4.1.2 of the National Cybersecurity Strategy Implementation Plan the White House released to secure the foundation of the internet.
“The more significant concern is protecting the keys from being exfiltrated and abused. Keeping keys secure is not a sound practice in most enterprises,” he told TechNewsWorld.
That restricts companies from having essential security features without paying for more than what is needed. In this case, it involves logs in the authentication process, according to Mandy.
That finding does not bode well for better cybersecurity. The researchers’ first review focused on vulnerabilities in Log4J. Cyber experts are seeing that Log4Shell is still widely prevalent in cloud environments, with patches found 30% of the time, he offered.
No Solution for Key-Based Cloud Security
“It’s great to see the framework moving on from simply a focus of critical infrastructure organizations and adapting to cybersecurity threats by providing guidance to all sectors,” he told TechNewsWorld.
On Friday, the Department of Homeland Security announced that its Cyber Safety Review Board (CSRB) will conduct a review on cloud security involving the malicious targeting of cloud environments.
The initiative will focus on providing recommendations for government, industry, and cloud services providers (CSPs) to improve identity management and authentication in the cloud.
“Most interesting in the short term from this review will be how far the precedent that Microsoft has set in committing to provide these logs at zero cost will be adopted or enforced upon other cloud service providers,” he said.
Half of Cloud Security Faults Ignored
Responses are due by 5:00 p.m. EDT on October 9, 2023. For information on submitting comments, see the Fact Sheet: Office of the National Cyber Director Requests Public Comment on Open-Source Software Security and Memory Safe Programming Language.
Microsoft Response May Set Precedent
“Expanding these frameworks to all organizations and not just critical infrastructure opens the door to being able to do so in a consistent way across the economy and hopefully will lead to more buy-in of using security to reduce business risk,” he told TechNewsWorld.
Initial efforts will review last month’s Microsoft cloud hack in which researchers found that Chinese hackers forged authentication tokens using a stolen Azure Active Directory enterprise signing key to break into M365 email inboxes. The hack led to the theft of emails from approximately 25 organizations.
“Across the three major cloud security providers, configuration settings designed to harden cloud architectures and workloads were only enabled correctly roughly 50% of the time. On a similar note, 50.85% of externally facing vulnerabilities remain unpatched,” he told TechNewsWorld.
To the five main pillars of a successful cybersecurity program, NIST has added a sixth, the “govern” function, which emphasizes that cybersecurity is a major source of enterprise risk and a consideration for senior leadership. (Credit: N. Hanacek/NIST)
In what might belong in the “better late than never” category, the U.S. government and the computing industry are ramping up efforts to deal with seemingly runaway cybersecurity issues.