Aggregator
Cybersecurity Insights with Contrast CISO David Lindner | 12/13/24
It's time to integrate the crucial data — Common Vulnerability Scoring System (CVSS) scores and other crucial information — from CISA's Vulnrichment program directly into the NVD. Centralize, streamline, and then focus on what really matters: runtime analysis of your applications.
Assume there’s been a breach, ditch the outdated tools, and get proactive with deep visibility and context-aware detection. Detect and block attacks before they even know what hit them.
Insight No. 3: Volunteers are noble, but they won't save us from the cyber apocalypse
Cybersecurity needs serious investment, not just spare time and good intentions. Time to step up with government funding, private sector muscle and global collaboration.
The post Cybersecurity Insights with Contrast CISO David Lindner | 12/13/24 appeared first on Security Boulevard.
Cybersecurity Snapshot: Telecoms May Face Tougher Regulations After Salt Typhoon Hacks, as Study Finds Cyber Pros More Stressed at Work
The FCC wants stronger cyber regulations for telecoms after cyber espionage breaches. Meanwhile, find out why cyber pros say work has become more difficult. Plus, check out tips to prevent AI-boosted financial fraud. And get the latest on vulnerability management, EU cyber challenges and CIS predictions for 2025.
Dive into six things that are top of mind for the week ending Dec. 13.
1 - FCC seeks tighter cyber regulations for telecoms
U.S. telecommunications companies may have to comply with tougher cybersecurity regulations after at least eight of them got breached by Salt Typhoon, a cyber espionage group affiliated with the Chinese government.
“The attack underscores the urgent need for robust cybersecurity frameworks to protect against escalating threats targeting the telecommunications sector,” reads a fact sheet published by the U.S. Federal Communications Commission (FCC) this week.
Here are two key ways in which the FCC wants to tighten telecoms’ regulatory screws:
- Have telecoms annually create, update and adopt cybersecurity risk-management plans and certify the plans are compliant with FCC requirements. The FCC is seeking to implement this new cybersecurity compliance framework via a Notice of Proposed Rulemaking.
- Clarify that telecoms are legally bound to secure their networks — not just their equipment — against unlawful access and interception. This would be achieved via a declaratory ruling about Section 105 of the Communications Assistance for Law Enforcement Act (CALEA).
If FCC commissioners vote in favor of these two measures, the declaratory ruling would go into effect right away, while the cybersecurity compliance framework would be opened for public comment.
To get more details, read the FCC document, titled “Fact Sheet: Implications of Salt Typhoon Attack and FCC Response.”
For more information about the Salt Typhoon cyber espionage attacks against telecoms:
- “New CISA Hardening Guidance Provides Valuable Insights for Network Security Engineers” (Tenable)
- “China's 'Salt Typhoon' Hackers Breached US Networks Using Existing Flaws” (PCMag)
- “Salt Typhoon's surge extends far beyond US telcos” (The Register)
- “Telcos struggle to boot Chinese hackers from networks” (Axios)
- “How to protect comms infrastructure from China-backed Salt Typhoon hackers” (Tenable)
More cybersecurity complexity and workloads. An increase in cyberthreats. Thornier regulatory compliance. Understaffed cyber teams.
Those are the top factors making work more difficult for cybersecurity professionals, according to a report from Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA).
“The Life and Times of Cybersecurity Professionals,” for which 369 IT and cybersecurity professionals were polled, found that 65% of respondents said cybersecurity work is harder today than it was two years ago.
Factors Making Cybersecurity Work More Difficult Than Two Years Ago
(Source: “The Life and Times of Cybersecurity Professionals” by ESG and ISSA, December 2024)
Moreover, 57% of respondents said their job is stressful at least half the time, citing as the main reasons an overwhelming workload; disinterested business managers; IT initiatives launched without security oversight; and constant emergencies and disruptions.
So what can help strengthen cybersecurity professionals’ job satisfaction? These are the top five happiness boosters:
- Commitment from the leadership team to a strong cybersecurity posture
- Competitive compensation
- Career-advancement opportunities
- Strong leadership from the CISO and other cyber leaders
- Working with talented cybersecurity peers
“Organizations with a strong cybersecurity culture that empower the CISO and collaborate with and support the cybersecurity staff can not only improve security efficacy and efficiency but also create a harmonious and healthy work environment for cybersecurity teams,” Jon Oltsik, ESG analyst emeritus and report author, said in a statement.
For more information about stress and burnout among cybersecurity pros:
- “Can strategic AI deployment reduce cybersecurity burnout?” (Security Info Watch)
- “Persistent Burnout Is Still a Crisis in Cybersecurity” (Dark Reading)
- “Burnout: A chronic epidemic in the IT industry” (CIO)
- “The Hidden Culture Crisis and Human Burden Undermining Cybersecurity Resilience” (ISACA)
- “The Psychology of Cybersecurity Burnout” (InformationWeek)
The Center for Internet Security (CIS) has published a bunch of 2025 predictions from its cybersecurity experts. Here’s a small sampling.
- Zero trust adoption in the enterprise will gain momentum as cybersecurity teams scramble to secure resources and data from a wider number and variety of devices and locations, driving the need to continuously verify access and authorization.
- The IT/OT convergence will deepen, as more operational technology / industrial control systems (ICS) get connected to IT networks for purposes like remote management. Consequently, organizations will emphasize vulnerability management, threat detection and security frameworks for converged environments.
- Many enterprises have accumulated a glut of cybersecurity products and are struggling to use them effectively. In 2025, many of these organizations will consolidate their tool stack, discarding redundant and unused products, which will lead to a more impactful use of the products that are kept.
- Adoption of multicloud strategies will expand, as enterprises pursue this approach to comply with new data-sovereignty laws that create geographic-location requirements for cloud data storage.
- Regulation of AI systems will increase, and as a result AI compliance frameworks will be introduced, pushing companies to improve AI security in areas such as data privacy; AI model integrity; and use of AI-generated content.
- The concept of security-by-design will be embraced by IT teams, who will accordingly incorporate security, compliance and governance early in the design phase of their IT projects.
For more information about some of these topics, check out these Tenable resources:
- "Making Zero Trust Architecture Achievable" (blog)
- "What is vulnerability management?" (guide)
- "If You Only Have 3 Minutes: Key Elements of Effective Exposure Response" (blog)
- "AI Security Posture Management" (solutions page)
- "Walking the Walk: How Tenable Embraces Its 'Secure by Design' Pledge to CISA" (blog)
During two recent webinars about vulnerability management, we polled attendees about their involvement with patch management and about their plans for automating vulnerability remediation. Check out how they responded.
(232 webinar attendees polled by Tenable, December 2024)
(235 webinar attendees polled by Tenable, December 2024)
Watch the on-demand webinars to learn about the latest in Tenable Vulnerability Management and in Tenable Security Center.
5 - FBI spotlights financial fraudsters’ use of GenAI
Cybercrooks are leveraging generative AI tools to sharpen financial fraud schemes against individuals and businesses, but there are ways to prevent becoming a victim.
That’s the message from the FBI in its new public service announcement titled “Criminals Use Generative Artificial Intelligence to Facilitate Financial Fraud.”
With generative AI tools, cybercriminals create believable text, images, videos and audio that seem legit, making it hard to detect financial fraud efforts, including romance scams, impersonation schemes and investment rackets.
For example, these tools allow a cybercriminal to clone voices of real people and create fake audio that sounds like them to use in phone calls. Similarly, generative AI lets scammers doctor real videos of, say, a CEO, and turn them into a clip of the CEO instructing an employee to transfer money to a fraudulent account.
To protect yourself in your personal life and at work from fraud attempts that use generative AI, FBI tips include:
- Look for subtle imperfections in images and videos.
- Pay attention to the caller’s tone of voice and word choice in phone calls.
- Verify the identity of callers by hanging up and dialing directly the organization they said they’re calling you from, like a bank.
- Don’t share sensitive information with people you’ve only met online or over the phone, nor send them money, gift cards, cryptocurrency or other assets.
For more information about the confluence of AI and financial cybercrime, including trends and prevention tips:
- “The near-term impact of AI on the cyber threat” (UK National Cyber Security Centre)
- “How a new wave of deepfake-driven cyber crime targets businesses” (Security Intelligence)
- “Managing Artificial Intelligence-Specific Cybersecurity Risks in the Financial Services Sector” (U.S. Treasury Department)
- “Identity theft is being fueled by AI & cyber-attacks” (Reuters)
- “The Dark Alliance: Addressing the Rise of AI Financial Frauds and Cyber Scams” (Michigan Journal of Economics)
Software supply chain security is a key challenge for European Union member nations, requiring concerted risk assessments and the development of common policies.
So said the European Union Agency for Cybersecurity, better known as ENISA, in its “2024 Report on the State of Cybersecurity in the Union,” whose goal is to assess the cyber landscape in the EU and offer policy recommendations to strengthen cybersecurity in all 27 EU countries. Securing the software supply chain is one of the priority areas identified in the report.
Currently, hackers are continuously trying to insert malware into legitimate software updates that are then distributed to customers via trusted delivery channels. By 2030, attacks against software supply chains are expected to become the top emerging cybersecurity threat.
Right now, 74% of EU countries have legislation that defines supply chain security measures, a percentage expected to increase with new EU regulatory requirements. Meanwhile, 77% of digital service providers (DSP) and operators of essential services (OES) have a policy in place to manage third-party risk.
To shore up supply chain security, ENISA proposes “stepping up EU wide coordinated risk assessments and the development of an EU horizontal policy framework,” the report reads.
The report also tackles three other critical challenges: the cybersecurity skills gap; the management of cybersecurity crises; and the need for a coordinated approach to cybersecurity policy adoption.
国投智能 2024 Annual Brand Survey Opens: Limited-Edition Case-Handling Handbooks and Custom Gifts Given Away Free
Trustwave’s 2025 Cybersecurity Predictions: Digital Fatigue and Deepfakes
Latest Phishing Campaign Uses Corrupted Word Documents to Evade Detection
2024 Sees Sharp Increase in Microsoft Tool Exploits
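Python Standard Library: zipapp Explained, with a Usage Tutorial on Creating and Managing Executable Python Applications
Volkswagen and Skoda Found to Have 12 Combined Vulnerabilities; Attackers Can Intrude Without Contact Within 10 Meters
PUMAKIT: A New Linux Security Killer That Is Almost Impossible to Detect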
Python Virtual Environment Tool virtualenv: Detailed Explanation and Usage Tutorial
Photobucket: Billions of Personal Photos Fall into the Hands of AI
5 Critical Questions to Ask When Evaluating MDR Solutions
AWS re:Invent 2024 Highlights | Empowering Customers Through Innovations & Security in Cloud
Minimum Threats, Maximum Protection: Let’s Encrypt Announces 6-Day Certificates
API Security is Not a Problem You Can Solve at the Edge
In today’s interconnected digital ecosystems, traditional security mechanisms like Web Application Firewalls (WAFs), API gateways, and Content Delivery Networks (CDNs) act as enforcement points. Think of them as bouncers at the entrance of a high-profile nightclub—they decide who gets in and who doesn’t. However, relying solely on these edge solutions to secure APIs is like assuming a bouncer can stop someone sneaking in through a side door or an open window.
Here are three real-world reasons why API security cannot be fully addressed at the edge:
1. API Discovery is Limited at the Edge
Edge solutions, like API gateways, can uncover some APIs, but their discovery capabilities are inherently limited. The real challenge lies in identifying rogue APIs—those shadow endpoints that developers deploy directly into production, bypassing gateways, CDNs, and WAFs.
Example: Imagine a company launches a mobile app in a rush to meet a product deadline. A developer quickly creates a new API for a feature and deploys it without following standard procedures. This API doesn’t pass through the gateway, making it invisible to edge tools. It’s like leaving a side window open in your house and assuming burglars won’t notice.
Edge solutions only see traffic passing through them. They miss APIs that are hidden, misconfigured, or directly exposed, creating blind spots. Without a solution that digs deeper, like a neighborhood watch keeping an eye on every entry point, organizations remain vulnerable to unmonitored risks.
2. Third-Party API Consumption Happens Beyond the Edge
Modern applications increasingly rely on third-party APIs, from payment processors like Stripe to AI-powered tools like ChatGPT. These APIs often operate outside the reach of edge solutions, as communication between internal workloads and third-party services bypasses the edge entirely.
Example: A logistics app might use a third-party API to calculate shipping rates. If this API mishandles sensitive data—like accidentally logging user payment information—the company might never know because the data flow happens directly between internal servers and the external API, avoiding the edge entirely.
Without visibility inside your infrastructure, these interactions are like sending sensitive documents by courier and assuming the delivery process is secure, despite having no insight into who might intercept it. Protecting against third-party API risks requires monitoring within your application environment, not just at the perimeter.
3. Edge Solutions Lack the "Brain" for Sophisticated Detection
Edge tools prioritize speed. Positioned in critical paths, every millisecond counts, so they excel at quick rule-based detections but lack the depth for context-aware analysis. This is like asking a tollbooth operator to spot counterfeit money—they’re focused on speed, not forensic examination.
Example: One of the most common API vulnerabilities, Broken Object Level Authorization (BOLA), requires analyzing user activity over hours or even days. Imagine a hacker incrementally cycling through user IDs to access unauthorized accounts—like testing door keys until one works. Catching this attack requires long-term session tracking and advanced pattern analysis, which edge solutions can’t handle due to their limited computational scope.
Instead, edge tools are like speed cameras—they catch obvious violations but miss nuanced behavior that unfolds over time, such as someone gradually casing a neighborhood before committing a burglary.
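The following is an added example, not code from the original post or from any vendor product: a minimal long-window detector showing why the slow ID enumeration described above is invisible to a per-minute rate rule yet stands out once per-principal history is kept. The route `/api/accounts/<id>`, the principal names, the 48-hour window and the threshold are all assumptions, and the log events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumed route shape for object access; adjust to the API under review.
OBJECT_ROUTE = re.compile(r"^/api/accounts/(\d+)$")

def detect_enumeration(events, window=timedelta(hours=48), max_distinct=5):
    """Return {principal: sorted object IDs} for principals that touched more
    than `max_distinct` different objects inside any sliding `window`."""
    recent = defaultdict(deque)          # principal -> deque[(timestamp, object_id)]
    flagged = {}
    for ts, principal, path in sorted(events):
        match = OBJECT_ROUTE.match(path)
        if not match:
            continue                     # not an object-level request
        q = recent[principal]
        q.append((ts, int(match.group(1))))
        while ts - q[0][0] > window:     # expire history older than the window
            q.popleft()
        distinct = {oid for _, oid in q}
        if len(distinct) > max_distinct:
            flagged[principal] = sorted(distinct | set(flagged.get(principal, [])))
    return flagged

def peak_per_minute(events, principal):
    """Highest request count in any single minute: what a rate rule would see."""
    counts = defaultdict(int)
    for ts, who, _ in events:
        if who == principal:
            counts[ts.replace(second=0, microsecond=0)] += 1
    return max(counts.values(), default=0)

def build_sample_events():
    """Constructed traffic: alice re-reads her own account every 6 hours;
    mallory requests a different account ID every 3 hours."""
    start = datetime(2024, 12, 1, 8, 0)
    events = [(start + timedelta(hours=6 * i), "alice", "/api/accounts/42")
              for i in range(8)]
    events += [(start + timedelta(hours=3 * i), "mallory", f"/api/accounts/{1000 + i}")
               for i in range(12)]
    events.append((start, "alice", "/api/health"))
    return events

if __name__ == "__main__":
    sample = build_sample_events()
    print("peak requests/minute for mallory:", peak_per_minute(sample, "mallory"))
    print("flagged over 48h:", detect_enumeration(sample))
    print("flagged over 6h:", detect_enumeration(sample, window=timedelta(hours=6)))
```

A production detector would also compare each requested object against the caller's ownership or entitlement data, which this sketch does not model.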
The Need for a Comprehensive Approach
To effectively secure APIs, organizations must adopt a holistic strategy that extends beyond traditional edge solutions. Salt Security offers a comprehensive approach encompassing API discovery, posture governance, and threat protection:
1. Comprehensive API Discovery
Salt Security provides automated, continuous visibility into all APIs, including those that are undocumented or hidden. This ensures that organizations can identify and manage every API in their environment, eliminating blind spots.
Example: A financial institution discovers several shadow APIs that were deployed without proper oversight, allowing them to secure these endpoints before any potential exploitation.
2. Posture Governance
Beyond discovery, Salt Security's platform includes an API posture governance engine that enables organizations to create and enforce custom corporate standards. This ensures compliance throughout the API lifecycle and aligns all stakeholders.
Example: A healthcare provider uses Salt's posture governance to ensure all APIs handling patient data comply with HIPAA regulations, thereby safeguarding sensitive information.
3. Threat Protection
Salt Security employs AI and machine learning to analyze and correlate activity across millions of APIs and users over time. This approach enables the detection and prevention of sophisticated API attacks, such as those involving credential stuffing or BOLA (Broken Object Level Authorization).
Example: An e-commerce platform detects and blocks an attacker attempting to enumerate user IDs to access unauthorized accounts, preventing a potential data breach.
By integrating these capabilities, Salt Security ensures organizations have the visibility, control, and intelligence needed to protect APIs comprehensively—not just at the edge but throughout their entire lifecycle.
Looking Beyond the Front Door
Edge security is a crucial component of an organization’s defense, but it’s just one piece of the puzzle. API security requires a broader view—ensuring that every potential entry point, whether it’s a front door, a side window, or a basement hatch, is accounted for and protected. Only then can organizations truly secure their digital ecosystems.
For more information, you can schedule a free demo and also download the whitepaper that goes into more detail. Register for our December 19th Webinar: Beyond the Perimeter: Achieving Comprehensive API Security.
The post API Security is Not a Problem You Can Solve at the Edge appeared first on Security Boulevard.