Juan Perez

Check out the best practices cyber agencies are promoting during Cybersecurity Awareness Month, as a report warns that staffers are feeding confidential info to AI tools. Meanwhile, a study highlights how business decisions can derail OT security. Plus, get the latest on Active Directory security, CISO salary trends and ransomware attacks!

Check out invaluable cloud security insights and recommendations from the “Tenable Cloud Risk Report 2024.” Plus, a PwC study says increased collaboration between CISOs and fellow CxOs boosts cyber resilience. Meanwhile, a report finds the top cyber skills gaps are in cloud security and AI. And get the latest on SBOMs; CIS Benchmarks; and cyber pros' stress triggers.

Looking for help with shadow AI? Want to boost your software updates' safety? New publications offer valuable tips. Plus, learn why GenAI and data security have become top drivers of cyber strategies. And get the latest on the top “no-nos” for software security; the EU's new cyber law; and CISOs' communications with boards.

Should critical infrastructure orgs boost OT/ICS systems' security with zero trust? Absolutely, the CSA says. Meanwhile, the Five Eyes countries offer cyber advice to tech startups.

Evaluating whether non-opiate anesthesia provides a promising option for pain management for patients undergoing temporomandibular joint surgery. Read more

CISA is warning about a spear-phishing campaign that spreads malicious RDP files. Plus, OWASP is offering guidance about deepfakes and AI security. Meanwhile, cybercriminals have amplified their use of malware for fake software-update attacks. And get the latest on CISA's international plan, Interpol's cyber crackdown and ransomware trends.

Check out the CVEs attackers targeted the most last year, along with mitigation tips. Plus, a new guide says AI system audits must go beyond check-box compliance. Meanwhile, a report foresees stronger AI use by defenders and hackers in 2025. And get the latest on cloud security, SMBs' MFA use and the CIS Benchmarks.

Check out the CVEs attackers targeted the most last year, along with mitigation tips. Plus, a new guide says AI system audits must go beyond check-box compliance. Meanwhile, a report foresees stronger AI use by defenders and hackers in 2025. And get the latest on cloud security, SMBs' MFA use and the CIS Benchmarks.Dive into six things that are top of mind for the week ending Nov. 15.1 - Report ranks 2023’s most frequently exploited vulnerabilitiesWondering what were attackers’ preferred vulnerabilities last year? Cyber agencies from the Five Eyes countries have ranked these go-to bugs in a joint advisory titled “2023 Top Routinely Exploited Vulnerabilities.”Published this week, the advisory details the 47 Common Vulnerabilities and Exposures (CVEs) that attackers most often exploited in 2023, along with their associated Common Weakness Enumerations (CWEs).The advisory also offers prevention and mitigation recommendations both to end-user organizations, and to software vendors and developers.A key takeaway: the majority of the CVEs listed were initially exploited as zero-days, unlike in 2022, when fewer than half were. In addition, the report found that attackers typically strike gold with vulnerabilities that are less than two years old.Here are some of the recommendations from the authoring cyber agencies in Australia, Canada, New Zealand, the U.K. and the U.S. for end-user organizations:Update software, including operating systems, applications and firmware, and prioritize patching CVEs included in CISA’s Known Exploited Vulnerabilities (KEV) catalog, especially those listed in the report. Maintain a continuously updated inventory of all your assets – both hardware and software, and on-prem and in the cloud. Deploy an automated, centralized patch-management system and adopt a patch-management process.Document the secure baseline configurations for all IT/OT systems.Require phishing-resistant multi-factor authentication for all users and on all VPN connections.Adopt the principle of least privilege when configuring access control.Secure internet-facing devices.Monitor your attack surface continuously.Contractually require your software vendors to provide you with software bills of materials (SBOMs) for their products, and inquire whether they employ secure-by-design principles.The five CVEs atop the list are:CVE-2023-3519CVE-2023-4966CVE-2023-20198CVE-2023-20273CVE-2023-27997To get all the details, read the full advisory “2023 Top Routinely Exploited Vulnerabilities.”For more information about vulnerability management, check out these Tenable resources:“From Bugs to Breaches: 25 Significant CVEs As MITRE CVE Turns 25” (blog)“Turning Data into Action: Intelligence-Driven Vulnerability Management” (blog)“Context Is King: From Vulnerability Management to Exposure Management” (blog)“Secure Your Sprawling Attack Surface With Risk-based Vulnerability Management” (blog)“Mitigating AI-Related Security Risks: Insights and Strategies with Tenable AI Aware” (on-demand webinar)2 - CSA: AI systems require holistic auditsWhen it comes to auditing artificial intelligence (AI) systems, auditors need to go beyond basic regulatory compliance requirements, and instead aim to assess their trustworthiness in a holistic, comprehensive manner.That’s the main message in the Cloud Security Alliance’s new report “Artificial Intelligence (AI) Risk Management: Thinking Beyond Regulatory Boundaries,” which was published this week and offers a risk-based framework for auditing AI systems throughout their lifecycle.While it’s critical for AI audits to be accurate, “trust in AI can only be achieved through a far-reaching approach to auditing that goes beyond what’s required,” researcher Ryan Gifford, a leader in the CSA’s AI Governance & Compliance Working Group, said in a statement.The paper addresses a wide range of AI audit elements, including AI governance; the role of data and sensors; applicable laws, regulations and standards; data and privacy; algorithms, training methods and models; and security systems – to name just a few.The 101-page document also includes hundreds of suggested questions to include in an AI audit, covering 25 topics. For example, the paper suggests 19 questions to ask about AI security systems, organized into seven sub-categories, including authentication and access control; data sanitization; encryption and key management; and security monitoring.These are just a few of the questions in the AI security systems section:How are security vulnerabilities actively identified and mitigated in software and hardware components? Through regular updates and patching?How is security data from multiple sources integrated and analyzed to provide a centralized platform for threat detection, incident response, and comprehensive security monitoring?How is the legitimacy of people and system accounts requesting access confirmed?Which authentication methods are used to ensure that only authorized entities gain access?For more information about AI system audits:“Auditing AI: The emerging battlefield of transparency and assessment” (Thomson Reuters)“AI transparency: What is it and why do we need it?” (TechTarget)“US agency calls for audits of AI systems to ensure accountability” (Roll Call)“Navigating the AI Audit: A Comprehensive Guide to Best Practices” (Law)“Trust but verify: Digging into audits for AI algorithm bias” (TechTarget)3 - Google: Attackers will deepen AI use in 2025Expect the AI cyberwars to get nastier and more sophisticated next year.In 2025, hackers will double down on their use of AI to boost their cyberattacks, while security teams will further leverage AI security tools to improve their cyberdefenses.That’s one of the main takeaways from Google Cloud’s “Cybersecurity Forecast 2025” report, released this week.“While AI is rapidly bringing new tools for threat detection and response, it also provides malicious actors with powerful capabilities for social engineering, disinformation, and other attacks,” reads the report. Here are some ways in which Google Cloud expects cyberattackers to more aggressively employ generative AI tools, LLMs, deepfakes and other AI technologies in 2025:To further scale and enhance social engineering attacks, including phishing and vishingTo supercharge cybercrime and cyberespionage To research vulnerabilities they can exploitTo streamline and accelerate development of malicious codeTo rapidly create content for disinformation campaigns“As AI capabilities become more widely available throughout 2025, enterprises will increasingly struggle to defend themselves against these more frequent and effective compromises,” the report reads.By the same token, cybersecurity teams will move into what the report calls “a second phase” of AI use. During the first phase, defenders used AI tools for repetitive tasks, such as summarizing reports and querying data sets. In 2025, cybersecurity teams will extend their AI use towards “semi-autonomous” security operations.“This includes being able to parse through alerts - even with false positives - to create a list of the highest priority items, enabling security teams to further triage and remediate the risks that matter most,” the report reads.However, the output of these AI security operations will still need to be verified by a security professional.The report also looks at how trends like geopolitical cyberthreats, ransomware and infostealer malware are likely to develop in 2025.For more information about cloud security trends:“Who’s Afraid of a Toxic Cloud Trilogy?” (Tenable)“Top Ten Cloud Security Mitigation Strategies” (U.S. National Security Agency)“What is cloud security management? A strategic guide” (TechTarget)“How to choose, configure and use cloud services securely” (U.K. National Cyber Security Centre)“How To Protect Your Cloud Environments and Prevent Data Breaches” (Tenable)4 - Tenable poll looks at cloud security practicesDuring our recent webinar “Empower Your 2025 Cloud Security Planning with Tenable's Data Insights,” we informally polled attendees about cloud security issues, such as workloads afflicted by the “toxic trilogy” of cloud risks. Check out the results!(51 webinar attendees polled by Tenable, November 2024)(39 webinar attendees polled by Tenable, November 2024)Check out this on-demand webinar for a discussion of the valuable insights in the new “Tenable Cloud Risk Report 2024,” including concrete recommendations for improving your organization’s cloud security.5 - Report: MFA widely underused, misunderstood by SMBsA majority of small and medium-sized businesses (SMBs) surveyed about multi-factor authentication (MFA) haven’t adopted this identity and access management (IAM) technology and ignore its security benefits.That’s a key finding from a report based on a global survey of almost 2,300 SMBs conducted by the Cyber Readiness Institute (CRI) and published this week.“MFA is no longer a luxury or optional security measure - it is a fundamental necessity in today’s digital landscape. The time for SMBs to act is now,” the report reads.Specifically, 65% of SMBs polled said they haven’t implemented MFA, and most of them (61%) have no plans to adopt MFA in the foreseeable future.Barriers to adoption include: the cost to acquire and deploy MFA toolslack of technical expertise to choose the right productlack of awareness about MFA's benefitsA bright spot for MFA adoption is the U.S., where SMBs buck the global trend, with 89% of respondents saying they’ve adopted the technology, and 55% saying they’re “very aware” of MFA and its benefits.The following best describes the level of awareness you have of MFA and the related security benefits at your companySo what can be done to promote MFA adoption among SMBs? Here are some recommendations from the report:Government agencies, industry groups, non-profit organizations and cybersecurity vendors should collaborate on campaigns to educate SMBs about the benefits of MFA.Software vendors should include MFA capabilities as part of broader software packages at no additional cost. Governments should offer incentives to SMBs, such as tax breaks and subsidies, while larger businesses should reward their SMB partners that adopt MFA.Vendors, government agencies and industry groups should offer SMBs technical assistance after they adopt MFA to ensure their continued success with the technology.To get more details, read: The CRI report “Unlocking MFA Adoption: Why Small and Medium-Sized Businesses Must Act Now to Strengthen Their Cybersecurity”The report’s announcement “New Study Underscores Slow Adoption of Multifactor Authentication By Global SMBs”6 - CIS Benchmarks for Apple, Azure, Oracle get updatedThe Center for Internet Security (CIS) just announced the latest updates to its CIS Benchmarks, including the ones for Azure Kubernetes Service (AKS), Oracle Cloud Infrastructure for Kubernetes (OKE) and several versions of Apple's macOS.Specifically, these CIS Benchmarks were updated in October:CIS Amazon Web Services Foundations Benchmark v4.0.0CIS Apple macOS 13.0 Ventura Benchmark v3.0.0CIS Apple macOS 14.0 Sonoma Benchmark v2.0.0CIS Apple macOS 13.0 Ventura Cloud-tailored Benchmark v1.1.0CIS Azure Kubernetes Service (AKS) Benchmark v1.6.0CIS MongoDB 6 Benchmark v1.2.0CIS MongoDB 7 Benchmark v1.1.0CIS Oracle Cloud Infrastructure for Kubernetes (OKE) Benchmark v1.6.0CIS SUSE Linux Enterprise 12 Benchmark v3.2.0In addition, these three new CIS Benchmarks were released:CIS Apple iOS 18 Benchmark v1.0.0CIS Apple iPadOS 18 Benchmark v1.0.0CIS Apple macOS 15.0 Sequoia Benchmark v1.0.0 The CIS Benchmarks’ secure-configuration guidelines are designed to help security teams harden software against attacks. There are currently more than 100 Benchmarks for 25-plus vendor product families. There are CIS Benchmarks for cloud platforms; databases; desktop and server software; mobile devices; operating systems; and more.To get more details, read the CIS blog “CIS Benchmarks November 2024 Update.” For more information about the CIS Benchmarks list, check out its home page, as well as:“Getting to Know the CIS Benchmarks” (CIS)“Security Via Consensus: Developing the CIS Benchmarks” (Dark Reading)“How to Unlock the Security Benefits of the CIS Benchmarks” (Tenable)“CIS Benchmarks Communities: Where configurations meet consensus” (Help Net Security)“CIS Benchmarks: DevOps Guide to Hardening the Cloud” (DevOps)

Don't miss OWASP's update to its “Top 10 Risks for LLMs” list. Plus, the ranking of the most harmful software weaknesses is out. Meanwhile, critical infrastructure orgs have a new framework for using AI securely. And get the latest on the BianLian ransomware gang and on the cybersecurity of water and transportation systems.

Don’t miss OWASP’s update to its “Top 10 Risks for LLMs” list. Plus, the ranking of the most harmful software weaknesses is out. Meanwhile, critical infrastructure orgs have a new framework for using AI securely. And get the latest on the BianLian ransomware gang and on the challenges of protecting water and transportation systems against cyberattacks..Dive into six things that are top of mind for the week ending Nov. 22.1 - OWASP ranks top security threats impacting GenAI LLM appsAs your organization extends its usage of artificial intelligence (AI) tools, is your security team scrambling to boost its AI security skills to better protect these novel software products?If so, then you might want to check out OWASP’s updated list of the main dangers threatening large language model (LLM) apps, which are popular generative AI apps that produce text, like ChatGPT.OWASP — the Open Worldwide Application Security Project — released its first “Top 10 Risks for LLMs” last year. A significantly revised version of the list came out this week that OWASP says is based on a better understanding of LLM threats and use cases.“The list guides developers, security professionals, and organizations as they prioritize their efforts to identify and mitigate critical generative AI application security risks,” reads an OWASP statement.The new list, put together by the OWASP Top 10 for LLM Applications and Generative AI Project, seeks to help defenders secure generative AI LLM applications throughout their lifecycle, including development, deployment and management.Each entry in the “OWASP Top 10 for LLM Applications 2025” report includes a description of the security risk; its different types; examples of attack scenarios; related frameworks and taxonomies; and more.Here’s the list:Prompt injectionSensitive information disclosureSupply chainData and model poisoningImproper output handlingExcessive agencySystem prompt leakageVector and embedding weaknessesMisinformationUnbounded consumption“As LLMs are embedded more deeply in everything from customer interactions to internal operations, developers and security professionals are discovering new vulnerabilities — and ways to counter them,” reads the 45-page report.For more information about AI security, check out these Tenable resources:“Securing the AI Attack Surface: Separating the Unknown from the Well Understood” (blog)“Know Your Exposure: Is Your Cloud Data Secure in the Age of AI?” (on-demand webinar)“Never Trust User Inputs -- And AI Isn't an Exception: A Security-First Approach” (blog)“Mitigating AI-Related Security Risks” (on-demand webinar)“How AI Can Boost Your Cybersecurity Program” (blog)“6 Best Practices for Implementing AI Securely and Ethically” (blog)2 - 2024’s nastiest software weaknessesCybersecurity teams, take notice: The list of this year’s most critical software weaknesses is out, so that you can factor them into your vulnerability management and application security programs.The “2024 CWE Top 25 Most Dangerous Software Weaknesses” rankings, published this week by the U.S. government, can also help software developers create safer applications. Meanwhile, procurement and risk managers can use the list when evaluating software vendors.“Organizations are strongly encouraged to review this list and use it to inform their software security strategies,” reads a Cybersecurity and Infrastructure Security Agency (CISA) statement. “Prioritizing these weaknesses in development and procurement processes helps prevent vulnerabilities at the core of the software lifecycle,” the statement adds. Here are the top 10 software weaknesses for 2024:Improper neutralization of input during web page generation (“Cross-site scripting”) — CWE-79Out-of-bounds write — CWE-787 Improper neutralization of special elements used in an SQL command (“SQL injection”) — CWE-89Cross-site request forgery (CSRF) — CWE-352Improper limitation of a pathname to a restricted directory (“Path traversal”) — CWE-22Out-of-bounds read — CWE-125Improper neutralization of special elements used in an OS command (“OS command injection”) — CWE-78Use after free — CWE-416Missing authorization — CWE-862Unrestricted upload of file with dangerous type — CWE-434CISA compiled the list in collaboration with MITRE’s Homeland Security Systems Engineering and Development Institute (HSSEDI).MITRE’s Common Weakness Enumeration (CWE) community project maintains a master list of software and hardware weaknesses that is updated three or four times per year. MITRE defines “weakness” as a condition that could contribute to the introduction of vulnerabilities. The annual list of the top 25 software CWEs is a subset of the main list. Check out this page to learn about the methodology used to rank the year’s top 25 CWEs.For more information about software security:“From Bugs to Breaches: 25 Significant CVEs As MITRE CVE Turns 25” (Tenable)“What is software security and why is it important?” (IEEE Computer Society)“Top 10 open source software security risks — and how to mitigate them” (U.K. National Cyber Security Centre)“4 Best Practices for Secure Application Development” (U.S. National Institute of Standards and Technology)“What is application security?” (TechTarget)3 - DHS unveils secure AI framework for critical infrastructureThose involved with artificial intelligence in critical infrastructure organizations have a new framework to help them safely develop and deploy AI.Published by the U.S. Department of Homeland Security (DHS), the “Roles and Responsibilities Framework for Artificial Intelligence in Critical Infrastructure” outlines a set of voluntary tasks for five key types of participants in the adoption of AI in these organizations.Cloud and compute providersAI developersCritical infrastructure owners and operatorsCivil society, including research institutions, academia and professional associationsPublic sectorThe framework aims to help evaluate how these players contribute across five areas of responsibility:Environment securityResponsible design of systems and modelsData governance implementationSafe and secure deploymentPerformance and impact monitoring“This Framework intends to further AI safety and security in critical infrastructure, including the harmonization of safety and security practices, improve the delivery of critical services, enhance trust and transparency among entities, protect civil rights and civil liberties, and advance AI safety and security research,” reads the 35-page document.For example, the table below illustrates how the framework envisions the responsibilities for cloud and compute providers, including reporting and managing vulnerabilities; ensuring data privacy and availability; and instituting best practices for access management.(Source: “Roles and Responsibilities Framework for Artificial Intelligence in Critical Infrastructure,” DHS, November 2024)To get more details, check out:The full “Roles and Responsibilities Framework for Artificial Intelligence in Critical Infrastructure”The framework’s announcement “Groundbreaking Framework for the Safe and Secure Deployment of AI in Critical Infrastructure Unveiled by Department of Homeland Security”4 - Report: Many U.S. water systems at risk from serious vulnerabilitiesVulnerabilities rated “critical” and “high” are present in the IT environments of 97 U.S. drinking water systems that collectively serve almost 27 million people, putting these systems at an elevated risk for cyberattacks.That’s according to a report from the Environmental Protection Agency’s Office of Inspector General (OIG), whose findings are based on a passive assessment of the public-facing networks of about 1,000 drinking water systems.“If malicious actors exploited the cybersecurity vulnerabilities we identified in our passive assessment, they could disrupt service or cause irreparable physical damage to drinking water infrastructure,” the report reads.Another 211 drinking water systems have medium and low-risk vulnerabilities. Those facilities collectively serve almost 83 million people.The vulnerabilities also put the drinking water facilities at risk for data theft, including of customer information and other confidential data. The OIG scanned the facilities’ public-facing networks in October of this year, analyzing about 75,000 IP addresses and almost 14,500 domains.The findings highlight the challenges of securing critical infrastructure organizations’ IT networks against cyberthreats which could disrupt essential services for the general population, and, in this case, even compromise the safety of drinking water.The OIG also found that the EPA lacks its own system that water and wastewater facilities can use to report cybersecurity incidents. It relies on CISA for this reporting capability.For more information about securing operational technology (OT) systems in water plants, check out these Tenable resources:“Keep the Water Flowing for the DoD: Securing Operational Technology from Cyberattacks” (blog)“Tenable OT Exposure: Securing water facilities” (solution overview) “Safeguarding Your Water Utility” (on-demand webinar)“Enhancing Critical Infrastructure Cybersecurity for Water Utilities” (infographic)“The Constant Drip: EPA Water Regulations, Funding Sources, And How Tenable Can Help” (on-demand webinar)5 - TSA proposes cyber requirements for rail, pipeline operatorsNew cybersecurity risk management (CRM) requirements may soon apply to rail and pipeline operators in the U.S.The Transportation Security Agency (TSA) has proposed a set of rules aimed at enhancing the cybersecurity capabilities of freight railroads, passenger railroads, rail transit and pipeline facilities.“The requirements proposed in this rule would strengthen cybersecurity and resiliency for the surface transportation sector by mandating reporting of cybersecurity incidents and development of a robust CRM program,” reads the TSA’s Notice of Proposed Rulemaking published in the Federal Register. Specifically, the owners and operators of these rail and pipeline services would need to adopt a cybersecurity assessment program (CAP) approved by the TSA. The program would need to contain three core elements:An annual, enterprise-wide evaluation that compares the organization’s current cybersecurity capabilities with the target capabilities, which need to include outcomes outlined in the TSA’s proposed rules and in NIST’s Cybersecurity Framework.The development of a Cybersecurity Operational Implementation Plan (COIP) that includes: an identification of critical cybersecurity systemsconcrete measures to monitor and protect these systemsspecific measures to detect, respond to and recover from cyber incidentsA schedule for assessments, an annual report of assessment results, and identification of unaddressed vulnerabilities. The TSA expects that the cybersecurity risk-management requirements will include:Adopting patch management, system segmentation and firewallsHaving backups to restore systems, recover data and continue operationsContinuous network monitoringDrawing up an incident response planThe proposed rules are open for public comment until February 5, 2025.6 - New data released about BianLian ransomware group tacticsA U.S. government advisory about the BianLian ransomware gang has been updated with new information about its tactics, techniques and procedures (TTPs) and indicators of compromise (IoCs).Likely based in Russia, BianLian is a “ransomware developer, deployer and data extortion cybercriminal group” that has attacked critical infrastructure organizations in the U.S. and Australia since mid-2022, according to the advisory. Here’s how the advisory, updated this week and authored by CISA, the FBI and the Australian Cyber Security Centre, describes BianLian’s modus operandi:Access victims’ systems using valid Remote Desktop Protocol (RDP) credentials.Utilize open-source tools and command-line scripting to discover and harvest more credentials.Exfiltrate data via file transfer protocol (FTP) and other methods.Extort money from victims by threatening to release the stolen data.The authoring agencies urge cybersecurity teams to take these actions immediately to protect themselves from BianLian cyberattacks:Strictly limit your use of Microsoft’s RDP and other similar remote desktop services.Disable command-line and scripting activities and permissions.Restrict PowerShell usage and update to the latest version of Windows PowerShell or PowerShell Core.To get all the details about BianLian’s TTPs and IOCs, and about the mitigation recommendations, read: The CISA alert “CISA and Partners Release Update to BianLian Ransomware Cybersecurity Advisory”The full, updated advisory “#StopRansomware: BianLian Ransomware Group”For more information about ransomware:“Ransomware Is ‘More Brutal’ Than Ever in 2024” (Wired)“Ransomware on track for record profits, even as fewer victims pay” (SC Magazine)“How Can I Protect Against Ransomware?” (CISA)“How to prevent ransomware in 6 steps” (TechTarget)“Steps to Help Prevent & Limit the Impact of Ransomware” (Center for Internet Security)