Randall Munroe’s XKCD ‘Temperature Scales’
via the comic humor & dry wit of Randall Munroe, creator of XKCD
The post Randall Munroe’s XKCD ‘Temperature Scales’ appeared first on Security Boulevard.
Cary, NC, 22nd October 2024, CyberNewsWire
The post INE Security Launches New Training Solutions to Enhance Cyber Hygiene for SMBs appeared first on Security Boulevard.
Authors/Presenters:Elad Pticha, Oreen Livni
Our sincere appreciation to DEF CON, and the Presenters/Authors, for publishing their timely DEF CON 32 erudite content. Originating from the conference’s events located at the Las Vegas Convention Center, and via the organization’s YouTube channel.
The post DEF CON 32 – AppSec Village – Your CI CD Pipeline Is Vulnerable, But It’s Not Your Fault appeared first on Security Boulevard.
Authors/Presenters:Shubham Agarwal, Subrata Mitra, Sarthak Chakraborty, Srikrishna Karanam, Koyel Mukherjee, Shiv Kumar Saini
Our sincere thanks to USENIX, and the Presenters & Authors, for publishing their superb 21st USENIX Symposium on Networked Systems Design and Implementation (NSDI '24) content, placing the organization’s enduring commitment to Open Access front and center. Originating from the conference’s events situated at the Hyatt Regency Santa Clara, and via the organization’s YouTube channel.
The post USENIX NSDI ’24 – Approximate Caching for Efficiently Serving Text-to-Image Diffusion Models appeared first on Security Boulevard.
Articles related to cyber risk quantification, cyber risk management, and cyber resilience.
The post Best Cybersecurity Metrics to Use in the Boardroom | Kovrr appeared first on Security Boulevard.
MixMode has been recognized by USA Today as one of the Top 10 AI Companies to Watch in 2024. This prestigious acknowledgment highlights MixMode’s vital contributions to cybersecurity and ability to shape the industry's future through advanced AI.
The post MixMode Recognized By USA Today As One Of The Top 10 AI Companies To Watch in 2024 appeared first on Security Boulevard.
Meeting SOC 2 standards demonstrates your commitment to security and boosts trust—especially when you have a report to prove it. The American Institute of Certified Public Accountants (AICPA) created these standards and the corresponding reports, known as SOC 1, SOC 2, and SOC 3. While they aren’t legally required, they’re a great way to highlight your security protocols.
The post SOC 2 Compliance Requirements and Criteria appeared first on Security Boulevard.
The first step to improving your security posture is knowing where you stand. That’s what a security assessment report (SAR) tells you.
The post Security Assessment Reports: A Complete Overview appeared first on Security Boulevard.
The Russian disinformation group Storm-1516 reportedly was behind a deepfake video that claimed to show a former student accusing vice presidential candidate Tim Walz of abusing him, the latest incident in a U.S. election season targeted for disruption by Russia, Iran, and China.
The post Russian Disinformation Group Behind Bogus Walz Conspiracy: Report appeared first on Security Boulevard.
Introduction A while ago, we discovered an interesting vulnerability in Apple’s M-series chips that allowed us to freeze and crash Apple devices by exploiting a flaw in the GPU’s driver. This vulnerability, which we’ve dubbed ShadyShader, leverages a shader program that overloads Apple’s GPU, triggering temporary freezes that add up to a crash. Apple issued […]
The post ShadyShader: Crashing Apple M-Series Devices with a Single Click appeared first on Security Boulevard.
SailPoint Technologies today added a bevy of capabilities that makes it possible for organizations to manage identities on a more granular level. Announced at the SailPoint Navigate 2024 conference, the company is also previewing a set of artificial intelligence (AI) agents, available in beta, to simplify the management of identities that it plans to make..
The post SailPoint Adds Raft of Capabilities to Better Manage Privileges appeared first on Security Boulevard.
Cyber GRC (Governance, Risk, and Compliance) tools are software solutions that help organizations manage and streamline their cybersecurity, risk management, and compliance processes. These tools integrate the three core components—governance, risk, and compliance—into a unified platform, providing a centralized and efficient way to monitor, assess, and respond to cyber threats while ensuring regulatory compliance.
The post Putting the “R” back in GRC – Insights from Gartner on Emerging Cyber GRC Technologies appeared first on Security Boulevard.
Reading Time: 6 min Discover the best Proofpoint alternatives for email protection. Compare leading competitors to find the right solution for your business's cybersecurity needs.
The post Proofpoint Alternatives and Competitors: Find the Best appeared first on Security Boulevard.
75% of Mobile Apps Fail Basic Security Tests. Hackers are increasingly focusing on the mobile channel, making mobile apps a prime target for fraud and security breaches. With this growing threat, it’s essential for organizations and app developers to adopt a proactive approach to mobile application security. The OWASP Top 10 Mobile Risks outlines the […]
The post OWASP Mobile Top 10 2024: Update Overview appeared first on Kratikal Blogs.
The post OWASP Mobile Top 10 2024: Update Overview appeared first on Security Boulevard.
Identity Revolution: Welcome to the Dynamic World of IAM 360
Posted by madhav, Tue, 10/22/2024 - 05:02
It’s been quite the journey, but here it is—the first issue of IAM 360!
For too long, Identity and Access Management (IAM) has played a background role—a fundamental but ‘invisible’ part of digital transformation. That’s why I’m so excited to present IAM 360—the magazine where IAM shifts from a behind-the-scenes function into a dynamic, forward-thinking conversation.
Thales’ new publication could potentially redefine how we think and talk about IAM. Gone are the days when IAM was seen as a ‘dry’ technical detail—a footnote in IT infrastructure. It’s time to view identity and access management in a whole new light! And that’s exactly what this magazine is here to do.
We’re about to hit publish — and as the editor — I’m holding my breath, just a little. A tremendous amount of thought, expertise, and passion has gone into making this debut happen. Before you grab your copy, I want to share the inspiration behind IAM 360 and give you a sneak peek of what’s inside.
Why IAM 360?
“Identity is as diverse as the technology involved and the people who shape it,” writes Danny de Vreeze, Thales VP of IAM, in his Word of Welcome. His powerful statement emphasizes that identity is far too complex to be understood from a single perspective. Much like a 360-degree view, we must examine identity from every angle – and that’s what we’ll do.
Identity is at the center of everything. It follows us from birth, weaving through every milestone and daily activity—from earning a degree and joining the workforce to booking travel or filing an insurance claim. It’s an orbit that constantly circles around us – connected to everything.
We’ll explore how to manage and protect digital identities in today’s world—whether for employees, partners, or customers. But that’s just the beginning. We’ll also dive into unconventional topics, emerging trends, and technologies that are transforming IAM into a dynamic field, filled with challenges and opportunities.
Diverse industry voices, expert insights, best practices, and fresh thinking
In this issue, you’ll find expert articles that challenge the status quo and ignite fresh perspectives around IAM and the concept of digital transformation. Here’s a glimpse of what’s inside:
AI’s role in IAM is one of the hottest topics in cybersecurity today, and we’re not shying away from the tough questions. We’ll examine whether AI is a tool that will help or harm us. One article provocatively states: “Within cybersecurity, AI is rewriting the rules as we know them, presenting significant challenges and immense opportunities.”
For those who are excited yet cautious about AI, I echo your sentiments, as many of us do. We share this mix of enthusiasm and concern about its implications. IAM 360 dives into these critical conversations, examining the rapid evolution of AI and its impact on IAM – and society.
A ‘wallflower’ perhaps, but IAM was always significant
Before joining this industry, I didn’t think much about identity management; I just assumed it was there somehow. Sure, I’d be the first to flee a website with a poor onboarding experience, never to return, but I never considered the orchestration behind it.
I now understand that IAM is a make-or-break element in determining whether a customer actually stays or leaves. IAM was never just about the mechanics of access control; it’s about the future of digital interactions in an increasingly interconnected world – a subject well worthy of its own industry publication.
IAM 360 aims to shed light on a field that impacts everything from user experience to cybersecurity, and in doing so, it seeks to bring IAM from its shadows into the spotlight of innovation and relevance. So, while some (much like I did) still consider IAM as a ‘wallflower’ of digital transformation, prepare to see it in full color.
Everything begins with identity, and the IAM conversation continues here
So, whether you’re here for the insights, the debates, or simply to stay a step ahead, we hope IAM 360 can become your go-to resource for all things identity. On that note, I'd love to hear from you. What topics, people, or tech features would you like to see in the issues to come?
Read the full first edition of IAM 360 Magazine, available now!
Identity & Access Management | Cloud Computing
Sara Sokorelis | Product Marketing Manager, Thales
The post Identity Revolution: Welcome to the Dynamic World of IAM 360 appeared first on Security Boulevard.
In recent weeks, underground forums on the dark web have continued to flourish as bustling marketplaces where cybercriminals sell unauthorized access to corporate networks. From VPN credentials to Remote Desktop Protocol (RDP) access, threat actors take advantage of compromised corporate environments, often leveraging data from recent breaches or stolen via infostealers. This analysis highlights the …
The post Inside the Dark Web: How Threat Actors Are Selling Access to Corporate Networks appeared first on Security Boulevard.
It is good to see US government leaders realize that ransomware is a growing existential threat to our country, at the hands of our adversaries.

A top US national cybersecurity advisor stated in a recent op-ed, “This is a troubling practice that must end.” The government is looking at ways to disrupt ransomware attacks. One tactic is to get cyber insurance companies to stop reimbursements for ransoms.

Undermining ransomware is possible, but the only path is to outlaw digital extortion payments. This targets the root of the problem by undermining the motivation of the attacker.

For decades, cybersecurity and insurance companies have taken advantage of growing attacks and fears to sell their products, which have not provided a meaningful solution to stop the widespread surge of ransomware. It has become a self-serving profit center to motivate customers to purchase more tools and policies for a problem they are not solving.

Security controls are a costly tactic where the attacker maintains a significant overall advantage because they can quickly adapt, thereby requiring more tools to be purchased by the potential victims, who are caught in an endless spending cycle. Insurance does nothing to reduce attacks, as it is a mechanism to transfer risk. In fact, paying the attacker simply motivates them more, thereby precipitating even more attacks!

There are feasible and practical plans that would work. However, security and insurance companies are the first to cast doubt on any plans that may disrupt their revenue streams. Their narratives are foreboding, but when closely examined, the fears of outlawing payments are largely unfounded.

As a nation, we are beginning to see how digital extortion is effectively being used by international adversaries and cybercriminals. The trend will continue, rapidly causing more extensive harm. Traditional measures, like continually adding more security tools, continue to fail in fundamental ways, and we must take a different approach.

It is time for the US government to take a serious step forward to undermine ransomware, without creating an unnecessary financial burden on the potential victims, by outlawing digital extortion payments.
The post Are Leaders Ready to Break the Ransomware Cycle appeared first on Security Boulevard.
Authors/Presenters:Jun Huang, Zhen Zhang, Shuai Zheng, Feng Qin, Yida Wang
Our sincere thanks to USENIX, and the Presenters & Authors, for publishing their superb 21st USENIX Symposium on Networked Systems Design and Implementation (NSDI '24) content, placing the organization’s enduring commitment to Open Access front and center. Originating from the conference’s events situated at the Hyatt Regency Santa Clara, and via the organization’s YouTube channel.
The post USENIX NSDI ’24 – DISTMM: Accelerating Distributed Multimodal Model Training appeared first on Security Boulevard.
Cybersecurity audits are key to maintaining compliance with regulations and upholding a strong security posture. They evaluate your organization’s systems, identify vulnerabilities, and offer the insights you need to optimize security. But there are many different kinds to choose from, depending on your needs.
The post Types of Security Audits: Overview and Best Practices appeared first on Security Boulevard.
Cloud technologies increase access to information, streamline communication between government agencies and citizens, and accelerate information sharing. And that’s why the U.S. government has become a champion of cloud computing.
But each perk comes with a risk, and in response, the Office of Management and Budget (OMB) created the Federal Risk and Authorization Management Program (FedRAMP). If you’re a cloud service provider (CSP), software-as-a-service (SaaS) company, or other vendor interested in working with federal government agencies, FedRAMP certification proves that your organization meets the security standards required to successfully safeguard information.
Here’s how to get FedRAMP certification.
What Is FedRAMP?
FedRAMP is the government-wide program that standardizes how cloud services used by federal agencies are assessed, authorized, and continuously monitored, so that CSPs and agencies share one way of managing the risk of putting federal data in the cloud. Federal data is sensitive, and for cloud software to be eligible for government use, it needs to be FedRAMP authorized. This means the service has to undergo a standardized security assessment, an authorization decision, and ongoing continuous monitoring to demonstrate its trustworthiness.
OMB established FedRAMP in 2011, and several other entities operate the program, including the General Services Administration (GSA), which runs the program office, the Department of Homeland Security (DHS), and the National Institute of Standards and Technology (NIST), whose SP 800-53 controls form the FedRAMP baselines.
Think of the Department of the Treasury. This agency uses cloud services to manage highly sensitive financial information across the country. By working with a FedRAMP-compliant CSP, the agency knows that data is as safe as possible.
FedRAMP Compliance Requirements: How to Earn a FedRAMP Cloud Certification
Here’s a quick guide to the FedRAMP certification process:
1. Gather FedRAMP Documents
As a CSP or other vendor, you have to start by gathering documentation. Visit the FedRAMP website to filter through the templates and documents and find the ones that apply to you. These resources equip you with the documentation necessary to prepare, authorize, and monitor your cloud security.
2. Complete the FIPS 199 Assessment
The Federal Information Processing Standard (FIPS) 199 assessment categorizes the information your system stores, processes, and transmits by the impact that a loss of its confidentiality, integrity, or availability would have: low, moderate, or high. The higher the impact level, the larger the control baseline you must meet. Most cloud offerings are categorized as moderate.
Here’s a more detailed look at the FIPS 199 Assessment categories:
Low Impact
If your organization only stores login details as personally identifiable information (PII), you fall into the low-impact category. This is because a data breach wouldn’t significantly impact the agency’s operations or meaningfully tarnish its trustworthiness.
Moderate Impact
About 80% of the CSPs applying to become FedRAMP certified are moderate-impact. If information is lost at this level, it would substantially impact the agency’s team, operations, or assets.
High Impact
High-impact CSPs have the strictest guidelines because if data is stolen, unavailable, or has integrity issues, the consequences would be catastrophic and far-reaching. Financial services and healthcare organizations often fall into this category because they deal with sensitive data.
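Worked example, added here and not part of the original article or Legit Security's own tooling: the FIPS 199 categorization described above is not a single rating. Each information type the system handles gets a rating (low, moderate, or high) for each of the three security objectives (confidentiality, integrity, availability), the system's rating per objective is the highest rating of any information type, and the overall level that picks the FedRAMP baseline is the high-water mark across the three objectives, as FIPS 200 requires. The script below implements that rule in Python. The information types and their ratings are constructed for a hypothetical SaaS offering; the N/A handling follows FIPS 199, which permits "not applicable" only for the confidentiality of information meant for public release.

```python
"""FIPS 199 security categorization with the FIPS 200 high-water mark.

Added example for this page; not FedRAMP's or Legit Security's code.
Each information type is rated LOW, MODERATE or HIGH for confidentiality,
integrity and availability; the system's rating per objective is the
highest rating of any information type it handles, and the overall
level (which selects the FedRAMP baseline) is the highest of the three.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

LEVELS = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    name: str
    # None means "not applicable", which FIPS 199 allows only for the
    # confidentiality of information intended for public release.
    confidentiality: Optional[str]
    integrity: Optional[str]
    availability: Optional[str]


def _validate(level: Optional[str], objective: str, name: str) -> Optional[str]:
    """Reject ratings FIPS 199 does not permit."""
    if level is None:
        if objective != "confidentiality":
            raise ValueError(f"{name}: N/A is only permitted for confidentiality")
        return None
    if level not in LEVELS:
        raise ValueError(f"{name}: unknown impact level {level!r}")
    return level


def categorize(info_types: Iterable[InfoType]) -> dict:
    """Return the high-water mark per objective and the overall system level."""
    per_objective: Dict[str, Optional[str]] = {obj: None for obj in OBJECTIVES}
    seen = False
    for it in info_types:
        seen = True
        for obj in OBJECTIVES:
            level = _validate(getattr(it, obj), obj, it.name)
            if level is None:
                continue
            current = per_objective[obj]
            if current is None or LEVELS[level] > LEVELS[current]:
                per_objective[obj] = level
    if not seen:
        raise ValueError("at least one information type is required")
    # Integrity and availability are never N/A, so at least two ratings exist.
    rated = [lvl for lvl in per_objective.values() if lvl is not None]
    overall = max(rated, key=LEVELS.__getitem__)
    return {"objectives": per_objective, "overall": overall}


def format_sc(result: dict) -> str:
    """Render the result in FIPS 199 notation, e.g. SC = {(confidentiality, LOW), ...}."""
    parts = ", ".join(
        f"({obj}, {lvl or 'N/A'})" for obj, lvl in result["objectives"].items()
    )
    return f"SC = {{{parts}}}"


# Constructed information types for a hypothetical SaaS offering.
SAMPLE_SYSTEM = [
    InfoType("public documentation", None, "LOW", "LOW"),
    InfoType("user credentials", "MODERATE", "MODERATE", "LOW"),
    InfoType("benefit payment records", "MODERATE", "HIGH", "MODERATE"),
]

if __name__ == "__main__":
    result = categorize(SAMPLE_SYSTEM)
    print(format_sc(result), "-> overall", result["overall"])
```

The constructed system lands at high even though no single objective of its credential store goes above moderate: one information type with high integrity is enough to pull the whole system, and therefore the baseline you must meet, up to high. That is the practical reason to inventory information types before scoping a FedRAMP effort rather than assuming "moderate" from the PII you hold.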
3. Complete the 3PAO Readiness Assessment
A FedRAMP-accredited third-party assessment organization (3PAO) evaluates whether your offering is ready for a full assessment and produces a Readiness Assessment Report (RAR). Choose an accredited 3PAO from the FedRAMP Marketplace to perform the assessment.
This step isn’t mandatory on every authorization path (covered below), but it’s recommended regardless. The assessment helps you identify potential improvements and offers insight into your risk posture, which is invaluable.
4. Develop a POA&M and Implement It
Develop a plan of action and milestones (POA&M), the document that tracks every known weakness in your security controls, the remediation planned for each, who owns it, and the milestone dates. This helps you analyze, spot, and close any security gaps before FedRAMP certification. Include a structured timeline and clearly detail the actions you’ll take to address each gap.
The key to this step is clear documentation. When you can’t fix gaps immediately, you need a concrete plan that both you and any third-party organizations can refer to as a source of truth.
5. Decide on the Authorization Route
Determine which of the two authorization routes you want to follow: Agency or Joint Authorization Board (JAB). The steps toward certification differ slightly between the two routes, but they’re largely similar. With JAB, the board must select your offering; with the agency route, you find a federal agency sponsor yourself. A 3PAO performs the assessment on both routes. We’ll discuss each option in depth below.
6. Ensure Continuous Monitoring
Authorization is not the end of the work. To keep FedRAMP compliance, your organization must maintain continuous monitoring, both internally and externally: you deliver monthly vulnerability scan results and POA&M updates to the authorizing agency, and a 3PAO performs an annual assessment that includes penetration testing, so security efforts don’t stop at FedRAMP.
Types of FedRAMP Certifications
As of August 2024, there is a single designation: FedRAMP Authorized. The former tiers of authorization and the different “paths” to certification have been removed.
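Worked example, added here and not taken from the article or from FedRAMP's or Legit Security's tooling: a POA&M only serves as a source of truth (step 4) and feeds a credible monthly report (step 6) if someone checks it against the remediation windows the authorizing agency expects. The Python below parses a constructed POA&M extract, lists the open findings whose window has lapsed, and tallies open and overdue counts per severity. The windows (High 30, Moderate 90, Low 180 days from detection) are what FedRAMP's continuous monitoring guidance gives for vulnerability findings; treat them as an assumption to confirm against the current guidance. The rows, the column layout, and the report date of 22 October 2024 are constructed for the example.

```python
"""POA&M remediation-window check for FedRAMP continuous monitoring.

Added example for this page; not FedRAMP's or Legit Security's code.
The remediation windows below (days from detection) are assumed from
FedRAMP continuous monitoring guidance for vulnerability findings
(High 30, Moderate 90, Low 180); confirm them against current guidance
before relying on this in an actual ConMon report.
"""
import csv
import io
from datetime import date, timedelta
from typing import Dict, List

REMEDIATION_WINDOW_DAYS = {"High": 30, "Moderate": 90, "Low": 180}

# Constructed POA&M extract with only the columns deadline tracking needs.
POAM_CSV = """id,weakness,severity,detected,status
V-001,Outdated OpenSSL on bastion host,High,2024-08-20,Open
V-002,Missing MFA on admin console,High,2024-09-25,Closed
V-003,Weak TLS cipher suites on API gateway,Moderate,2024-06-30,Open
V-004,Verbose server banner on web tier,Low,2024-03-01,Open
V-005,Stale IAM role without an owner,Moderate,2024-09-10,Open
"""

AS_OF = date(2024, 10, 22)  # constructed report date


def load_poam(text: str) -> List[dict]:
    """Parse a POA&M CSV extract, converting dates and validating severities."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["severity"] not in REMEDIATION_WINDOW_DAYS:
            raise ValueError(f"{row['id']}: unknown severity {row['severity']!r}")
        row["detected"] = date.fromisoformat(row["detected"])
        rows.append(row)
    return rows


def due_date(severity: str, detected: date) -> date:
    """Last day on which the finding can be closed without being overdue."""
    return detected + timedelta(days=REMEDIATION_WINDOW_DAYS[severity])


def overdue_items(poam: List[dict], as_of: date) -> List[dict]:
    """Open findings past their window, most overdue first."""
    late = []
    for row in poam:
        if row["status"] == "Closed":
            continue
        due = due_date(row["severity"], row["detected"])
        if as_of > due:
            late.append({
                "id": row["id"],
                "severity": row["severity"],
                "due": due,
                "days_late": (as_of - due).days,
            })
    return sorted(late, key=lambda r: r["days_late"], reverse=True)


def summarize(poam: List[dict], as_of: date) -> Dict[str, Dict[str, int]]:
    """Per-severity open and overdue counts, the figures a monthly ConMon report carries."""
    summary = {sev: {"open": 0, "overdue": 0} for sev in REMEDIATION_WINDOW_DAYS}
    overdue_ids = {r["id"] for r in overdue_items(poam, as_of)}
    for row in poam:
        if row["status"] == "Closed":
            continue
        summary[row["severity"]]["open"] += 1
        if row["id"] in overdue_ids:
            summary[row["severity"]]["overdue"] += 1
    return summary


if __name__ == "__main__":
    poam = load_poam(POAM_CSV)
    for item in overdue_items(poam, AS_OF):
        print(f"{item['id']} {item['severity']:<8} due {item['due']} ({item['days_late']} days late)")
    print(summarize(poam, AS_OF))
```

Run as-is, the script flags V-004, V-001, and V-003 as overdue (55, 33, and 24 days late respectively) and leaves V-005 alone, since its 90-day window runs to 9 December 2024. Plugging a real POA&M export into this kind of check before each monthly submission is how you avoid discovering the lapse from the agency's side.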
Previously, there were two FedRAMP authorization processes you could choose.
Agency Authorization
For the Agency Authorization route, you have to find a federal agency sponsor to guide the certification; the FedRAMP Marketplace lists agencies that have sponsored authorizations. You partner with this agency throughout the authorization process. The agency process is the standard path moving forward.
This starts with pre-authorization, where you meet with the agency, formalize the partnership, and address any required changes and compliance details. Then the 3PAO conducts the security assessment and delivers a Security Assessment Report (SAR), and you prepare the POA&M for any findings. If the agency accepts the package, it issues an Authorization to Operate (ATO).
This route offers flexibility and speed, but it requires developing a close relationship with the agency sponsor. If the sponsor withdraws, you have to find another and start again, which can be a huge roadblock.
JAB Authorization
The JAB was FedRAMP’s highest governing body, which included officials from the Department of Defense, the General Services Administration (which manages the FedRAMP program), and the Department of Homeland Security. It has been replaced by the FedRAMP Board, which now oversees certification.
This path is defunct now that all authorizations carry the single FedRAMP Authorized designation and the JAB has been replaced. Previously, if the JAB selected your organization, you worked with a 3PAO to compile an RAR, a Security Assessment Plan (SAP), and a POA&M, and on success you received a Provisional Authorization to Operate (P-ATO), indicating that you were approved for federal use. No new P-ATOs are issued; there is only FedRAMP Authorized.
Navigate Security Reporting With Legit Security
If you want to work with federal agencies, FedRAMP certification is a must.
Need help getting started? Try Legit Security. We offer tools that automate reports for FedRAMP compliance so you can leave the heavy lifting to us. Request a demo today and see how Legit Security can improve your security practices and keep all information safe—governmental or otherwise.
The post FedRAMP Certification and Compliance: What It Is and Why It Matters appeared first on Security Boulevard.