Strengthening Cybersecurity: Innovative U.S. Initiatives in Defense Against Cyberattacks

The United States government and the computing industry are stepping up efforts to address what appear to be out-of-control cybersecurity threats, which may fall under the “better late than never” category.

The Cyber Safety Review Board (CSRB) of the Department of Homeland Security (DHS) said on Friday that it will examine cloud security in relation to the malicious targeting of cloud environments.

The program will concentrate on offering suggestions for improving identity management and authentication in the cloud to the public sector, private sector, and cloud service providers (CSPs).

The first step will be to examine the Microsoft cloud compromise from last month, which revealed that Chinese hackers used authentication tokens that had been generated with a stolen Azure Active Directory corporate signing key to access M365 email inboxes. As a result of the attack, emails from approximately 25 organizations.

The board will then broaden its discussion to include challenges with cloud-based identity and authentication infrastructure that affect relevant CSPs and their clients. This section of the examination could be even more crucial in repairing faulty cybersecurity procedures.

Improved Cloud Security Measures by the US

The CSRB is responsible for assessing significant incidents and ecosystem vulnerabilities and for formulating recommendations based on the lessons learned. Government representatives claim that the board combines the best knowledge from business and the government.

Director of the Cybersecurity and Infrastructure Security Agency (CISA), Jen Easterly, stated that the Board’s conclusions and recommendations “will advance cybersecurity practices across cloud environments and ensure that we can collectively maintain trust in these critical systems.”

On August 8, the National Institute of Standards and Technology (NIST) made a related announcement, releasing a draft that expands the cybersecurity framework it first unveiled as version 1.0 in 2014. Called Cybersecurity Framework (CSF) 2.0, it is the first update to the cybersecurity assessment tool since then.

NIST released the updated draft of CSF 2.0 after taking into account more than a year’s worth of community comments, to assist organizations in comprehending, reducing, and communicating cybersecurity risk. The draft reflects developments in the cybersecurity environment and makes it simpler for all organizations to apply the framework.

“With this update, we are trying to reflect current usage of the Cybersecurity Framework and to anticipate future usage as well,” said Cherilyn Pascoe, the lead developer for NIST and the framework.

“The CSF was created for vital sectors of the economy, including the banking and energy sectors, but it has proven valuable for everyone from local and foreign governments to schools and small companies. We want to make sure that it is a tool that all sectors can utilize, not just those that have been given the designation of being critical,” she continued.

Integrating Previous Cyber-Safety Initiatives


The White House released a call for information on open-source software security and memory-safe programming languages on Thursday.

The objective is to increase its investment in the creation of secure software and software development methodologies. The request for public input also advances initiative 4.1.2 of the White House’s National Cybersecurity Strategy Implementation Plan, which aims to secure the Internet’s infrastructure.

The National Cybersecurity Strategy Implementation Plan (“NCSIP”) was released by the White House on July 13. It lists 65 projects run by 18 different departments and agencies and serves as a road map for carrying out the U.S. National Cybersecurity Strategy, which was published in March.

Responses are due by 5:00 p.m. EDT on October 9, 2023. For details on how to submit comments, see the Fact Sheet: “Office of the National Cyber Director Requests Public Comment on Memory Safe Programming Language and Open-Source Software Security.”

Microsoft’s Response Could Become Standard

The above-mentioned Microsoft cloud intrusion, in the opinion of Claude Mandy, chief evangelist for data security at Symmetry Systems, revealed two problems.

First, it demonstrated how Microsoft’s marketing strategies bundle essential security features with other products. According to him, the goal is to prevent buyers from commercially choosing rival products.

This prevents businesses from acquiring necessary security features without spending more money than necessary. According to Mandy, the authentication procedure in this instance utilizes logs.

The second discovery is that Microsoft has not supplied any assurances regarding the manner in which the incident happened or the potential consequences for data security. That took place despite Microsoft’s attention to and investment in cybersecurity as a source of revenue.

“As an industry, we are demanding more transparency,” he said to TechNewsWorld.

“Most interesting in the short term from this review will be how far the precedent that Microsoft has set in committing to provide these logs at zero cost will be adopted or enforced upon other cloud service providers,” he added.

Half of Faults in Cloud Security Ignored


Early this month, the Qualys Threat Research Unit conducted an analysis of cloud security and published its findings.

According to Travis Smith, VP – Threat Research Unit at Qualys, researchers found that misconfigurations in cloud security providers offered plenty of opportunities for threat actors to target organizations, especially when combined with externally facing vulnerabilities that remained exposed and put organizations at risk.

“On average, just around 50% of the configuration options intended to harden cloud architectures and workloads were correctly enabled across the three major cloud security providers. Similar to that, 50.85% of vulnerabilities that are exposed to the outside world are still unpatched,” he informed TechNewsWorld.

Although a review would shed light on the dangers of transferring computing resources to the cloud, Smith admitted that it doesn’t seem as though organizations are taking this advice to heart.

This finding is not encouraging for improved cybersecurity. First, the researchers examined the Log4j security flaws. He said that, according to cyber experts, Log4Shell is still frequently present in cloud environments and that patches are found 30% of the time.

Key-Based Cloud Security Has No Fix


This kind of breach will always be a risk with key-based security. Krishna Vishnubhotla, vice president of product strategy at Zimperium, asserted that there is always a master key, one key that opens all locks. Therefore, selecting secure cryptographic algorithms and schemes alone is insufficient.

“Protection of the keys from theft and abuse is the more important worry. In most businesses, keeping keys secure is not a wise practice,” he told TechNewsWorld.

From computing to authentication, multi-cloud and hybrid cloud are present across the entire organization. The master key therefore grants access to all corporate systems.

“The real question is whether enterprises should take on this responsibility or entrust their master keys to Cloud Providers,” he stated.

The Potential of the New Cybersecurity Framework

Beyond actual cyber professionals, updating security suggestions could be a difficult task. John Bambenek, the main threat hunter at Netenrich, said that one of the persistent issues in cybersecurity is how to statistically discuss security with the board and leadership.

“Opening the door to being able to do so in a consistent manner across the economy opens the door to being able to do so with all organizations and not just critical infrastructure,” he told TechNewsWorld. “Hopefully, this will lead to more buy-in of using security to reduce business risk.”

The addition of a sixth function, “govern,” sends a clear signal to organizations that, in order for them to succeed, the policies and procedures supporting the other functional areas must also be actively controlled, commended Bud Broomhead, CEO of Viakoo.
