Friday Five: New Government Guidance, a Crackdown on Vulnerability Management, & Public Charging Station Malware
CISA has released new guidance for Zero Trust Security and secure-by-design principles for software manufacturers, Russian hackers were linked to attacks against NATO and the EU, and more. Catch up on all the latest stories in this week's Friday Five!
CISA RELEASES UPDATED GUIDANCE FOR ZERO TRUST SECURITY ARCHITECTURES BY CHRIS RIOTTA
The Cybersecurity and Infrastructure Security Agency published updated guidance for its Zero Trust Maturity Model this past Tuesday, which features recommendations CISA received during a public comment period, and incorporates elements of the Office of Management and Budget memo about implementing zero trust security principles from January 2022. According to the latest model, "an optimal zero trust architecture features continuous validation and risk analysis in addition to enterprise-wide identity integration and tailored, as-needed automated access to specific systems and applications." Per CISA, roughly 60% of the 378 public comments they received were accepted for inclusion with the new guidance.
GOOGLE LAUNCHES NEW CYBERSECURITY INITIATIVES TO STRENGTHEN VULNERABILITY MANAGEMENT BY RAVIE LAKSHMANAN
In a recent announcement made this past Thursday, Google outlined a set of initiatives aimed at improving the vulnerability management ecosystem and establishing greater transparency measures around exploitation. Google is reportedly forming a Hacking Policy Council along with Bugcrowd, HackerOne, Intel, Intigriti, and Luta Security to "ensure new policies and regulations support best practices for vulnerability management and disclosure." Learn more about Google's reasoning behind its latest security push, what it indicates, and more in the full story from The Hacker News.
CISA AND PARTNERS ISSUE SECURE-BY-DESIGN PRINCIPLES FOR SOFTWARE MANUFACTURERS BY NIHAL KRISHAN
For the first time, the Cybersecurity and Infrastructure Security Agency, FBI, National Security Agency, and cybersecurity authorities of other international allies published joint guidance urging software manufacturers to bake secure-by-design and secure-by-default principles into their products. Key principles of the new guidance include: taking ownership of the security outcomes of products, embracing “radical transparency,” and ensuring that companies have C-suite support to prioritize product security. More specifically, the new guidance states that a secure configuration should be “the default baseline, in which products automatically enable the most important security controls needed to protect enterprises from malicious cyber actors.”
RUSSIAN HACKERS LINKED TO WIDESPREAD ATTACKS TARGETING NATO AND EU BY SERGIU GATLAN
Poland's Military Counterintelligence Service and its Computer Emergency Response Team have linked APT29 state-sponsored hackers, part of the Russian government's Foreign Intelligence Service (SVR), to widespread attacks targeting NATO and European Union countries, warning that the campaign is still ongoing and in development. The attackers have reportedly targeted diplomatic personnel using spear-phishing emails impersonating European countries' embassies, with links to malicious websites or attachments designed to deploy malware via ISO, IMG, and ZIP files.
FBI & FCC WARN ON 'JUICE JACKING' AT PUBLIC CHARGERS, BUT WHAT'S THE RISK? BY NATE NELSON
US government agencies are advising the public to avoid public charging stations for phones and other electronics, warning that they may be planted with malware that can infect electronic devices. "Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead," said an announcement from Denver's FBI office. Malware installed through a compromised USB port can reportedly lock a device or export personal data and passwords directly to the perpetrator.