Tenable Blog

Navigating the SEC’s Cybersecurity Disclosure Rules: One Year On(link is external)

Tenable Blog
3 months ago

In December 2023, as cyberattacks surged, the U.S. Securities and Exchange Commission (SEC) began enforcing new cybersecurity disclosure rules. This pushed C-level executives and boards to adopt measures for compliance and transparency. In this post, we look at the enforcement actions the SEC has taken and what public company CISOs should do to stay in compliance.

Cyberattacks surge, the SEC takes action and boards pay attention

In recent years, cyberattacks have become more sophisticated, affecting public and private organizations alike. Recognizing the critical need for transparency and robust cybersecurity measures, the U.S. Securities and Exchange Commission adopted new cybersecurity disclosure rules in July 2023, which took effect in September 2023, with compliance required by December 2023.

These rules, which mandate that all public companies disclose material cybersecurity incidents within four business days and detail their risk management strategies, highlight that cybersecurity is a board-level risk management concern.

As part of their fiduciary duties, boards play a key role in the oversight of risks from cybersecurity threats. In partnership with senior executives, they need to pay close attention to the risks their companies face and the strategies those companies put in place to comply.

As the rules were authorized in late 2023, we shared what we see as the implications for infosec leaders. This post explores the impact of these regulations after one year. We also look at recent enforcement actions and measures that companies should consider adopting to promote compliance and bolster their cybersecurity posture.

An important note: In 2025, there will be changes in SEC leadership, which could affect these rules. But they’re just one example of the additional attention governments around the world are giving to cyber risk.

The EU recently issued the network and information systems (NIS)2 Directive, aimed at improving cybersecurity across member states. It requires the reporting of “significant” incidents within 24 hours, a more detailed report within 72 hours and a final report within a month. Other more focused rules, such as the General Data Protection Regulation (GDPR) in Europe, although it doesn’t have incident disclosure provisions, have driven significant change for companies that want to do business in that region.

It comes down to trust. Tenable CEO Amit Yoran had a clear point of view when he wrote about the rules as they took effect.

“The SEC’s rule will force what companies should have been implementing all along; informed cyber risk management practices,” he said. “Requiring companies to provide annual updates of their cybersecurity risk management strategy and governance and report material breaches within four business days will force leadership to pay attention and keep customers and investors better informed as to who they trust with their business.”

Key requirements of the SEC’s cybersecurity disclosure rules

With that as a backdrop, CISOs looking to support stakeholders like legal, finance, investor relations and boards in these efforts should understand a few things about the SEC rules.

The SEC requires public companies to disclose material cybersecurity incidents within four business days of determining their materiality using an 8-K form. This requirement aims to give investors timely and relevant information about potential risks that could impact business operations and financial performance.

At a conference held by the American Institute of Certified Public Accountants (AICPA) and the Chartered Institute of Management Accountants (CIMA) in December, Sebastian Gomez Abero, Associate Director of the Division of Corporate Finance (DCF) Disclosure Review Program emphasized that materiality, rather than the discovery of a breach, is the trigger for disclosing a cybersecurity incident. According to an EY summary of his remarks provided by the conference organizations, Gomez Abero also reminded registrants that both quantitative and qualitative factors should be considered in their materiality assessment of a cybersecurity incident.

In addition, companies must include descriptions of their cybersecurity risk management and governance practices annually in their 10-K or 20-F reports. The rules essentially validate cybersecurity as an important component of risk management, within a robust corporate governance program. Recent 10-Ks from a number of companies incorporated these new requirements.

According to the EY conference summary, Gomez Abero reminded registrants to provide sufficient detail in their annual cybersecurity disclosures for a reasonable investor to understand the organization’s processes to assess, identify and manage material risks from cybersecurity threats, rather than just stating that a process exists. In addition, registrants that have a management group to assess material cybersecurity risk need to disclose each member’s individual expertise.

Big fines and penalties from enforcement actions

Since the introduction of the cybersecurity rules, the SEC has taken significant enforcement actions to ensure compliance, including issuing fines and negotiating settlements with various companies.

For example, in October 2024, the SEC fined Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd. and Mimecast Limited a combined total of almost $7 million for allegedly misleading disclosures related to their exposure to the SolarWinds cyberattack.

In the same order, the SEC alleged that these firms downplayed their involvement, which led to misleading investors about potential impacts. Each company settled without admitting or denying the allegations.

In another notable enforcement action by the SEC, R.R. Donnelley & Sons Company (RRD) agreed in June 2024 to pay more than $2.1 million for inadequate disclosure and poor management of significant cybersecurity incidents from 2021. The SEC found that RRD’s internal processes failed to properly elevate and disclose these incidents to senior management in a timely manner, underscoring the importance of having robust incident management frameworks in place.

Lessons learned

There are three key lessons to keep in mind as you work to help your organization meet the SEC cybersecurity requirements:

  1. Be transparent. Your organization’s incident management and disclosure practices are being scrutinized. It’s not just the board and senior executives paying attention — your company’s investors want to understand your organization’s cyber risk. Choose a forthright and straightforward approach to meet the 8-K disclosure requirements, such as establishing a cybersecurity disclosure committee and a materiality framework for regularly assessing cyber incidents. Doing so could help your organization avoid fines.
  2. View cyber risk as business risk. Your cybersecurity risk management and governance practices are of strategic importance to your organization. The 10-K and 20-F requirements codify the importance of having a robust strategy for cybersecurity. Rather than seeing it as a compliance chore, consider it an opportunity to educate the board and investors about all the ways your organization is reducing cyber risk.
  3. Be proactive. Don’t treat your cybersecurity strategy as merely a once-a-year compliance task. Make sure the cybersecurity systems and processes you have in place provide continuous visibility into the entirety of your attack surface, so that you’re always ready to answer the questions “how secure are we?” and “where are we at risk?”
Exposure management can help meet the SEC requirements

So what can a CISO do about this? It starts with a comprehensive cybersecurity program, including exposure management, which gives CISOs the information they need to communicate with legal, finance, investor relations, boards and other internal stakeholders about vulnerabilities and cyber incidents so that those can be appropriately captured in the company’s cyber risk management and public reporting.

Exposure management equips an organization with the tools needed to meet the SEC’s cybersecurity disclosure requirements by aligning cybersecurity efforts with business risk management.

Exposure management provides comprehensive visibility into the organization’s attack surface, prioritizes vulnerabilities based on their potential business impact and delivers actionable insights that inform the preparation of risk management filings. Moreover, exposure management is part of a cyber program that can identify cyber risks and incidents that may need to be reported in filings. With easily understood, dynamically updated dashboards that a CISO can use to gain visibility into companywide exposures, exposure management is critical for ensuring compliance and demonstrating a strong security posture.

Plus, an exposure management strategy that integrates asset visibility, risk prioritization and incident response — along with strong partnerships between the CISO, legal, IR and finance — ensures that organizations can accurately report their practices and responses at any point in time because of the continuous monitoring built into exposure management.

By focusing on vulnerabilities that pose the greatest threat to business operations, companies can allocate resources effectively and build a cybersecurity program that supports regulatory compliance.

What the C-suite should consider

For CISOs, adopting an exposure management program ensures they can provide legal, finance, investor relations, boards and other executives with clear, actionable insights into the organization’s cybersecurity risks.

Exposure management helps inform decision-making and supports the development of comprehensive risk management frameworks, enabling companies to address threats proactively and build confidence among investors and stakeholders.

The entire C-suite should approach the SEC’s new rules with an eye toward integrated and forward-looking cybersecurity strategies. As part of that effort, it’s crucial to develop and maintain comprehensive incident response plans that can be deployed swiftly to meet the four-day disclosure mandate.

Preventative measures for compliance

To meet the SEC’s cybersecurity disclosure rules and reduce the risk of breaches that could lead to significant regulatory and financial consequences, organizations must adopt proactive strategies that strengthen their defenses. The following preventative measures outline key steps companies should take to enhance their cybersecurity posture and ensure compliance.

  • Vulnerability management: Effective vulnerability management is essential for maintaining a strong cybersecurity posture. Automated vulnerability assessment tools can regularly inspect infrastructure and promptly identify security gaps.
  • Zero trust architecture: A zero trust security model operates on the principle that no user or device, whether inside or outside the organization’s network, should be trusted by default. Implementing zero trust means continuously verifying each user and device that attempts to access company resources, ensuring strict authentication, authorization and validation throughout the user session.
Takeaways

The SEC’s cybersecurity disclosure rules underscore the critical importance of transparency and proactive risk management in today’s digital landscape.

Although compliance requires effort and resources, it also presents an opportunity for companies to build trust with investors and stakeholders.

By prioritizing robust cybersecurity practices that focus on prevention, enterprises can better align with regulatory expectations and be prepared for critical reporting requirements. They can close exposures and become resilient, responsible leaders in an increasingly risky world.

Learn more
Steve Vintz

Cybersecurity Snapshot: What Looms on Cyberland’s Horizon? Here’s What Tenable Experts Predict for 2025(link is external)

Tenable Blog
3 months ago

Wondering what cybersecurity trends will have the most impact in 2025? Check out six predictions from Tenable experts about cyber issues that should be on your radar screen in the new year — including AI security, data protection, cloud security … and much more!

1 - Data protection will become even more critical as AI usage surges

Because AI tools rely on vast amounts of data, widespread AI adoption will lead to the exponential growth of data volumes. In addition, this data will be distributed across a complex multi-cloud landscape of locations, accounts and applications. As a result, cybercriminals will have more opportunities to target AI systems to access and exfiltrate their data — especially as hackers themselves leverage powerful AI tools like virtual assistants that can streamline and amplify their attacks.



This convergence of advanced AI attack tools and abundant data will make it increasingly difficult for organizations to stay ahead of evolving cyberthreats. Yet, far from being deterred from using AI, organizations must develop robust strategies for secure and responsible AI adoption, focusing on integrating AI into their systems securely rather than viewing it as a risky proposition. After all, data is the fuel that powers businesses.

For more information about data and AI security posture management (DSPM and AI-SPM), check out these Tenable resources:

VIDEO

Integrated DSPM features - enable data protection today!

2 - CISOs will turn to multi-cloud security platforms

When it comes to the cloud, enterprises are increasingly wary of putting all their eggs in one basket. Relying solely or mostly on a single cloud-services provider is risky and restrictive. Thus, multi-cloud environments will become the norm in 2025, as organizations avoid vendor lock-in and increase their cloud options and flexibility. 

As a result, more and more CISOs next year will embrace security platforms that allow them to protect cloud environments from multiple cloud vendors — enjoying benefits such as centralized, consistent monitoring and management of cloud security and compliance.

Watch Liat Hayun, VP of Product and Research at Tenable Cloud Security, address this topic in this short video:


For more information about multi-cloud security, check out these Tenable resources:

3 - Post-breach costs will spike, forcing a focus on recovery tools

As breaches become more frequent, post-breach costs will rise, pushing businesses to think critically about what data has been compromised and rethink their recovery strategies. According to IBM, the average cost of a data breach rose 10% to almost $5 million in 2024, but the true damage lies in downtime, reputational damages and regulatory fines, particularly in cloud-heavy industries. 

 
In 2025, businesses will pivot toward more robust post-breach playbooks to minimize fallout, focusing on rapid incident response, data visibility, better containment protocols and enhanced forensic capabilities. This shift signals a broader evolution in cybersecurity, with organizations embracing a more balanced approach that prioritizes both breach prevention and effective recovery.

For more information about cloud data security and cloud data-breach prevention, check out these Tenable resources:

4 - CISOs will be pressed to balance AI and cloud adoption with security

As organizations prioritize efficiency and return on investment, the adoption of technologies like AI and cloud continues to surge. However, this creates a challenge: the knowledge gap. Many users and organizations are struggling to keep pace with the education and training needed to comprehensively understand and protect these technologies.

 
This generates a pressing dilemma: How can we safeguard innovations like AI and cloud when their complexity and growth outstrip our readiness? In 2025, CISOs will be challenged to strike a balance between driving forward technological adoption and ensuring the security and resilience of these tools. Bridging this gap sooner rather than later will be critical for organizations.

For more information about how CISOs should balance cloud adoption with AI security:

5 - Orgs with a holistic approach to cybersecurity will win 

As the attack surface continues to expand and threat actors grow more sophisticated, cybersecurity teams will face an overwhelming flood of fragmented vulnerability and threat intelligence data. The days of linear attacks are fading, giving rise to multifaceted, rapid incursions that exploit numerous entry points. In this increasingly chaotic landscape, the inability to remediate “everything, everywhere, all at once” will make context king.

 
Organizations that prioritize understanding the greatest risk to their business and the most critical vulnerabilities will win. This contextual approach will redefine vulnerability management, enabling cybersecurity teams to act strategically, swiftly and with greater precision to mitigate threats effectively.

For more information about the importance of risk context for holistic cybersecurity, check out these Tenable resources:

6 - Make 2025 the year of transparency and accountability in cybersecurity 

As 2024 comes to an end, we’re left with the feeling — as in previous years — that too many cyberattacks affected too many people and too many organizations. Anyone whose personal information is now available on the dark web deserves answers and those responsible need to be held accountable. Anyone whose medical records can’t be accessed because systems are down deserves a better service. Anyone whose car has been stolen because criminals were able to hack the keyless tech deserves justice.

 
It’s impossible to achieve perfection – mistakes happen and we’re all human. But how we respond when flaws are found makes all the difference. And that’s on all of us. There has to be accountability at every level. The culture of toxic obfuscation in cybersecurity has to stop. 

Here are some blogs in which Tenable offers transparency about its security practices and shares lessons learned with the cybersecurity community:

Juan Perez

Cybersecurity Snapshot: CISA Hands Down Cloud Security Directive, While Threat from North Korean IT Workers Gets the Spotlight(link is external)

Tenable Blog
3 months 1 week ago

Check out the new cloud security requirements for federal agencies. Plus, beware of North Korean government operatives posing as remote IT pros. Also, learn how water plants can protect their HMIs against cyberattacks. And get the latest on the U.S. cyber incident response framework; the CIS Benchmarks; and local and state governments’ cyber challenges.

Dive into six things that are top of mind for the week ending Dec. 20.

1 - CISA issues cloud security mandate for federal agencies

To boost its cloud security, the U.S. government this week released a set of cybersecurity actions that federal civilian agencies will be required to take during the first half of 2025 — mostly focused on applying secure configuration baselines to their cloud apps.

The mandate to secure cloud environments comes via the Binding Operational Directive (BOD) 25-01 — titled “Implementing Secure Practices for Cloud Services” — from the Cybersecurity and Infrastructure Security Agency (CISA).

“Malicious threat actors are increasingly targeting cloud environments and evolving their tactics to gain initial cloud access. The actions required by agencies in this Directive are an important step in reducing risk to the federal civilian enterprise,” CISA Director Jen Easterly said in a statement.

The guidance, while applicable only to U.S. federal civilian agencies, can be helpful to all organizations in the public and private sectors, Easterly added. Its foundation is CISA’s Secure Cloud Business Applications (SCuBA) project, which offers recommendations for hardening the configuration of cloud services.

 
These are the directive’s cloud security requirements at a high level:

  • Identify all cloud tenants by February 21, 2025, and update this inventory annually.
  • Deploy all assessment tools from CISA’s SCuBA project by April 25, 2025, and report assessment results to CISA.
  • Implement all mandatory SCuBA policies by June 20, 2025.
  • Implement all future updates to mandatory SCuBA policies.
  • Implement all mandatory SCuBA secure configuration baselines.

Agencies may deviate from mandatory SCuBA policies if needed, but they’ll have to identify these deviations and explain them to CISA.

To learn more about cloud security, check out these Tenable resources:

2 - Feds: North Korea plants IT workers to commit fraud in the U.S.

In a years-long fraud scheme, North Korean IT workers have gotten jobs in the U.S. using fake identities, and then have gone on to steal information, such as proprietary source code, and extort their employers.

That’s according to the U.S. Department of Justice, which recently indicted 14 North Korean nationals, charging them with sanctions violations, wire fraud, money laundering and identity theft.

The suspects worked as remote IT professionals for front companies controlled by the North Korean government. The six-year cyber conspiracy netted North Korea’s government at least $88 million, as it banked the IT workers’ hefty salaries and extortion payments. North Korea reportedly uses the money to fund its weapons-development efforts.

The North Korean IT workers got jobs with U.S. firms using fake identities crafted via the use of phony email addresses, fictitious social media profiles, fraudulent payment platform accounts, bogus job site profiles and sham websites; and by hiding their tracks with proxy computers and virtual private networks.

 
They also duped U.S. residents into unwittingly helping them by recruiting them to receive and set up laptops in their homes, which the fraudsters would then access remotely. That way, victimized employers would think the hired IT workers were based in the U.S.

The indictment “... should serve as a warning to companies around the globe — be on alert for this malicious activity by the DPRK regime,” Deputy Attorney General Lisa Monaco said in a statement.

The DOJ is offering a reward of up to $5 million for more information about this fraud scheme and about those involved with the North Korean front companies Yanbian Silverstar and Volasys Silverstar, based in China and Russia, respectively.

The U.S. government issued its first alert about North Korea’s attempts to plant IT workers in the U.S. in 2022 and updated it in 2023 with more due diligence recommendations for employers to avoid falling for the scam. Employers in other countries have also fallen victim to this North Korean IT worker scam.

For more information:

VIDEO

North Korean nationals indicted in scheme using IT workers to funnel money for weapons programs (KSKD News)

3 - Water treatment plants get tips for securing HMIs

Identifying human-machine interfaces (HMIs) as a weak cyber link in many water treatment plants, the U.S. government has published recommendations for protecting these operational technology (OT) components.

The fact sheet “Internet-Exposed HMIs Pose Cybersecurity Risks to Water and Wastewater Systems” is aimed at helping water and wastewater systems facilities harden remote access to HMIs.

Using HMIs, OT operators are able to read supervisory control and data acquisition (SCADA) systems connected to programmable logic controllers (PLCs). By tampering with HMIs, hackers could disrupt water and wastewater treatment, endangering people’s health.

 
Here are some of the recommendations in the fact sheet, which was jointly published by CISA and the Environmental Protection Agency:

  • Inventory all internet-exposed devices.
  • Identify HMIs that don’t need to be accessible from the internet and take them offline.
  • Secure with a strong password the HMIs that must be connected to the internet.
  • Track remote logins to HMIs, including failed and atypical attempts. 
  • Protect with multifactor authentication and a strong password the HMI and OT network.
  • Segment your network by adding a DMZ or bastion host at the OT network boundary; and by implementing geo-fencing.

For more information about securing operational technology (OT) systems in water plants, check out these Tenable resources:

4 - U.S. publishes national cyber incident response plan update

Curious about how the U.S. government would respond to a major cybersecurity crisis? Now you can find out — and give your opinion about it.

CISA has just released an update to the U.S. National Cyber Incident Response Plan (NCIRP), whose current version dates back to 2016, and is asking for the public to comment on it. The NCIRP update has been in the works since October 2023.

“CISA is seeking more perspectives to help strengthen the NCIRP and invites stakeholders from across the public and private sectors to share their knowledge and experiences, further informing our findings and contributing to this revision,” CISA said in a statement. 

The NCIRP aims to provide a flexible, agile, coherent and repeatable framework for how the U.S. federal, state and local governments, along with the private sector and international partners, will collaborate to respond to a major cybersecurity incident.

“This draft NCIRP Update leverages the lessons learned over the past several years to achieve a deeper unity of effort between the government and the private sector,” CISA Director Jen Easterly said in a statement.

 
The NCIRP addresses coordination mechanisms, decision points and priority activities; and it focuses on four aspects of the cyber response:

  • Asset response to assist affected parties in protecting their assets
  • Threat response, which would be led by federal law enforcement agencies like the Department of Justice and the FBI
  • Intelligence support, which would be overseen by the Office of the Director of National Intelligence (ODNI)
  • Affected entity response, led by the affected federal agencies in coordination with CISA (civilian agencies); the U.S. Cyber Command (Defense Department agencies); or the IC Security Coordination Center (intelligence agencies)

You can provide feedback on the new NCIRP in the Federal Register. The public comment period ends on January 15, 2025.

For more information about cyber incident response planning:

5 - CIS updates Benchmarks for Cisco, Google, Microsoft products

Cisco IOS XE, Google Kubernetes Engine and Microsoft 365 are among the products whose CIS Benchmarks got updated in November by the Center for Internet Security.

Specifically, these secure-configuration recommendations were updated:


In addition, CIS released a brand new Benchmark: CIS Microsoft Azure Storage Services Benchmark v1.0.0

The CIS Benchmarks’ secure-configuration guidelines are designed to help organizations harden products against attacks. Currently, CIS offers more than 100 Benchmarks for 25-plus vendor product families in categories including: 

  • cloud platforms
  • databases
  • desktop and server software
  • mobile devices
  • operating systems

To get more details, read the CIS blog “CIS Benchmarks December 2024 Update.”

For more information about the CIS Benchmarks list, check out its home page, as well as:

6 - Local gov’t cybersecurity hurt by lack of funds, complex threats

Insufficient funding and more sophisticated threats top the list of cybersecurity concerns among U.S. state and local governments.

That’s according to the “2023 Nationwide Cybersecurity Review (NCSR),” a free cybersecurity assessment program from the Center for Internet Security (CIS).

The 4,210 state, local, tribal and territorial government organizations that participated also reported being concerned about: 

  • emerging technologies
  • lack of cyber incident-documentation processes
  • difficulty finding qualified cybersecurity professionals



On the positive side, the number of program participants increased 14%, with K-12 school districts recording their highest participation ever.  

Returning participants saw their cyber maturity level increase by an average of 4%. Those that have participated at least two years scored 23% higher in cyber maturity, while those with nine years in the program scored 41% higher.

Overall, NCSR participants are doing a good job monitoring and protecting their IT environments. They also have incident response plans in place, as well as access-control policies.

Areas for improvement include:

  • Risk management
  • Disaster recovery plans
  • Cyber team understaffing
Juan Perez

Web App Scanning 101: What Security Pros Need to Know About CI/CD Pipelines(link is external)

Tenable Blog
3 months 1 week ago

Git, repositories and pipelines…oh my! We unpack standard practices in the web app development process and provide guidance on how to use Tenable Web Application Scanning to secure your code.

Awesome! This should be easy. All you need to start is … Wait… what's a pipeline?

Well, let's start there. Have you ever used a code repository to track code changes? Every time you make an update to the repository files/code, you have to do what's called a “git commit” and “git push.” Developers use Git as a foundation to run their CI/CD pipelines.

Wait … what's Git, and what does CI/CD mean?

To be clear, continuous integration and continuous deployment (CI/CD) is a methodology — not a tool.

The “D” in CI/CD is often referred to as “delivery” instead of deployment. For the purposes of this blog post, since we are talking about the deployment side of it, I will use that here.

Before we get there, let’s talk about version control. Time to roll back a few years. In 2005, Linus Torvalds, the creator of Linux, built something called “Git,” an open source version control software. Version control allows you to track and control all changes to a codebase.

These codebases, called repositories, are generally used for managing code that is the basis for any software or website that you can think of. Git is the most commonly used version control system while GitHub, now owned by Microsoft, is one of the cloud-based repository hosting platforms utilizing Git.

Developers have been using this great version control tool ever since, but every time they wanted to test their production applications/software, they had to do the following:

  1. Log on to a server
  2. Pull code from a repository
  3. Package code up in a nice zip-type file
  4. Send that package to another server that was the staging/testing environment
  5. Run the application and confirm it still runs at all
  6. Run any tests needed against it, such as allowing other developers to come in and poke at it to find broken parts of the application

The most efficient developers would make scripts to automate some or all of this work, but there was an even better way…

Source: Tenable, December 2024 What is continuous integration?

Integration here might not mean what it sounds like. It means that you are building your application and running tests on a schedule or every single time you make a change to your code. Think about how much time this can save. Instead of having to assign tasks out to a team of testers, those tests run every time you change the code. Can you imagine knowing about all of your issues right away?

On top of that, continuous integration automatically builds your application, so you don’t have to package and run it yourself, letting you keep working on building.

For security pros, this is the spot in a pipeline where the dynamic application security testing (DAST) scanner — available in Tenable Web Application Scanning — can help.

At Tenable, we want developers to know about security issues as soon as possible. For reference, this is where software composition analysis (SCA) and static application security testing (SAST) scanning also live. Those tools are used for looking at source code, whereas Tenable Web Application Scanning looks at a built application and scans it with real network requests.

Jenkins is considered the first main and widely adopted CI tool. Jenkins helped teams adopt this methodology. Some teams were already doing this with homegrown solutions. We have documentation on how to deploy the web app scanner in a Jenkins CI/CD pipeline.

What is continuous deployment?

Deployment is when you take what you have built and push it out for real use. It’s building an application for production use rather than just for quick testing. Back in the day, developers would log onto their servers and make updates to the applications on the fly. If something broke, well, you’d better remember the changes you made and have fun spinning that back up.

Automated deployment allowed developers to run one script that would spin up an entire environment or application all in one go. Application falls down? No problem! Run the deployment and it can be back up soon.

Continuous deployment allows for changes to be made in the source code and for those to be automatically sent to production. No dev or IT team time is wasted in changing live servers.

Wrapping it all up

PHEW. Ok. A CI/CD pipeline is where you combine version control (Git), continuous integration and continuous deployment. It allows teams to develop applications very quickly and not waste time. The pipeline is the ongoing stream of tests and automated actions that all happens based on code changes.

Over time, tools became better and more appeared, such as Bamboo and CircleCI and some others. GitHub Actions came out in 2015, allowing developers to automate software development workflows from within GitHub.

Tenable Web Application Scanning can scan any pipeline. It offers code examples for testing for various tools, but you can throw a test into any pipeline.

For more documentation on how to implement, see Tenable’s Documentation

Now, back to the original question: So, you want to scan some web apps in the pipeline?

You can walk through the “how to run Web App Scans in your CI/CD pipeline” in this public demo: https://demo.tenable.com/share/lajsp7ujjmzb

Learn more


 
Evan Grace

Cybersecurity Snapshot: Telecoms May Face Tougher Regulations After Salt Typhoon Hacks, as Study Finds Cyber Pros More Stressed at Work(link is external)

Tenable Blog
3 months 2 weeks ago

The FCC wants stronger cyber regulations for telecoms after cyber espionage breaches. Meanwhile, find out why cyber pros say work has become more difficult. Plus, check out tips to prevent AI-boosted financial fraud. And get the latest on vulnerability management, EU cyber challenges and CIS predictions for 2025.

Dive into six things that are top of mind for the week ending Dec. 13.

1 - FCC seeks tighter cyber regulations for telecoms

U.S. telecommunications companies may have to comply with tougher cybersecurity regulations after at least eight of them got breached by Salt Typhoon, a cyber espionage group affiliated with the Chinese government.

“The attack underscores the urgent need for robust cybersecurity frameworks to protect against escalating threats targeting the telecommunications sector,” reads a fact sheet published by the U.S. Federal Communications Commission (FCC) this week.

Here are two key ways in which the FCC wants to tighten telecoms’ regulatory screws:

  • Have telecoms annually create, update and adopt cybersecurity risk-management plans and certify the plans are compliant with FCC requirements. The FCC is seeking to implement this new cybersecurity compliance framework via a Notice of Proposed Rulemaking.
  • Clarify that telecoms are legally bound to secure their networks — not just their equipment — against unlawful access and interception. This would be achieved via a declaratory ruling about Section 105 of the Communications Assistance for Law Enforcement Act (CALEA).
     


If FCC commissioners vote in favor of these two measures, the declaratory ruling would go into effect right away, while the cybersecurity compliance framework would be opened for public comment.

To get more details, read the FCC document, titled “Fact Sheet: Implications of Salt Typhoon Attack and FCC Response.”

For more information about the Salt Typhoon cyber espionage attacks against telecoms:

2 - Life is tough for cybersecurity pros

More cybersecurity complexity and workloads. An increase in cyberthreats. Thornier regulatory compliance. Understaffed cyber teams.

Those are the top factors making work more difficult for cybersecurity professionals, according to a report from Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA).

The Life and Times of Cybersecurity Professionals,” for which 369 IT and cybersecurity professionals were polled, found that 65% of respondents said cybersecurity work is harder today than it was two years ago.

Factors Making Cybersecurity Work More Difficult Than Two Years Ago

(Source: ““The Life and Times of Cybersecurity Professionals” by ESG and ISSA, December 2024)

Moreover, 57% of respondents said their job is stressful at least half the time, citing as the main reasons an overwhelming workload; disinterested business managers; IT initiatives launched without security oversight; and constant emergencies and disruptions.

So what can help strengthen cybersecurity professionals’ job satisfaction? These are the top five happiness boosters:

  • Commitment from the leadership team to a strong cybersecurity posture
  • Competitive compensation
  • Career-advancement opportunities
  • Strong leadership from the CISO and other cyber leaders
  • Working with talented cybersecurity peers

“Organizations with a strong cybersecurity culture that empower the CISO and collaborate with and support the cybersecurity staff can not only improve security efficacy and efficiency but also create a harmonious and healthy work environment for cybersecurity teams,” Jon Oltsik, ESG analyst emeritus and report author, said in a statement.

For more information about stress and burnout among cybersecurity pros:

3 - CIS experts forecast 2025 cyber trends

The Center for Internet Security (CIS) has published a bunch of 2025 predictions from its cybersecurity experts. Here’s a small sampling.

  • Zero trust adoption in the enterprise will gain momentum as cybersecurity teams scramble to secure resources and data from a wider number and variety of devices and locations, driving the need to continuously verify access and authorization.
  • The IT/OT convergence will deepen, as more operational technology / industrial control systems (ICS) get connected to IT networks for purposes like remote management. Consequently, organizations will emphasize vulnerability management, threat detection and security frameworks for converged environments.
  • Many enterprises have accumulated a glut of cybersecurity products and are struggling to use them effectively. In 2025, many of these organizations will consolidate their tool stack, discarding redundant and unused products, which will lead to a more impactful use of the products that are kept.
  • Adoption of multicloud strategies will expand, as enterprises pursue this approach to comply with new data-sovereignty laws that create geographic-location requirements for cloud data storage.
  • Regulation of AI systems will increase, and as a result AI compliance frameworks will be introduced, pushing companies to improve AI security in areas such as data privacy; AI model integrity; and use of AI-generated content.
  • The concept of security-by-design will be embraced by IT teams, who will accordingly incorporate security, compliance and governance early in the design phase of their IT projects.

For more information about some of these topics, check out these Tenable resources:

4 - Tenable poll looks at patch management, vulnerability fixes

During two recent webinars about vulnerability management, we polled attendees about their involvement with patch management and about their plans for automating vulnerability remediation. Check out how they responded.

(232 webinar attendees polled by Tenable, December 2024)

(235 webinar attendees polled by Tenable, December 2024)

Watch the on-demand webinars to learn about the latest in Tenable Vulnerability Management and in Tenable Security Center.

5 - FBI spotlights financial fraudsters’ use of GenAI

Cybercrooks are leveraging generative AI tools to sharpen financial fraud schemes against individuals and businesses, but there are ways to prevent becoming a victim.

That’s the message from the FBI in its new public service announcement titled “Criminals Use Generative Artificial Intelligence to Facilitate Financial Fraud.

With generative AI tools, cybercriminals create believable text, images, videos and audio that seem legit, making it hard to detect financial fraud efforts, including romance scams, impersonation schemes and investment rackets.

For example, these tools allow a cybercriminal to clone voices of real people and create fake audio that sounds like them to use in phone calls. Similarly, generative AI lets scammers doctor real videos of, say, a CEO, and turn them into a clip of the CEO instructing an employee into transferring money to a fraudulent account.
 


To protect yourself in your personal life and at work from fraud attempts that use generative AI, FBI tips include:

  • Look for subtle imperfections in images and videos.
  • Pay attention to the caller’s tone of voice and word choice in phone calls.
  • Verify the identity of callers by hanging up and dialing directly the organization they said they’re calling you from, like a bank.
  • Don’t share sensitive information with people you’ve only met online or over the phone, nor send them money, gift cards, cryptocurrency or other assets. 

For more information about the confluence of AI and financial cybercrime, including trends and prevention tips:

6 - EU cyber agency calls for stronger supply chain security

Software supply chain security is a key challenge for European Union member nations, requiring concerted risk assessments and the development of common policies.

So said the European Union Agency for Cybersecurity, better known as ENISA, in its “2024 Report on the State of Cybersecurity in the Union,” whose goal is to assess the cyber landscape in the EU and offer policy recommendations to strengthen cybersecurity in all 27 EU countries. Securing the software supply chain is one of the priority areas identified in the report. 

Currently, hackers are continuously trying to insert malware into legitimate software updates that are then distributed to customers via trusted delivery channels. By 2030, attacks against software supply chains are expected to become the top emerging cybersecurity threat.
 


Right now, 74% of EU countries have legislation that defines supply chain security measures, a percentage expected to increase with new EU regulatory requirements. Meanwhile, 77% of digital service providers (DSP) and operators of essential services (OES) have a policy in place to manage third-party risk.

To shore up supply chain security, ENISA proposes “stepping up EU wide coordinated risk assessments and the development of an EU horizontal policy framework,” the report reads.

The report also tackles three other critical challenges: the cybersecurity skills gap; the management of cybersecurity crises; and the need for a coordinated approach to cybersecurity policy adoption.

Juan Perez

New CISA Hardening Guidance Provides Valuable Insights for Network Security Engineers(link is external)

Tenable Blog
3 months 2 weeks ago

Recent guidance from CISA and the FBI highlights best practices to monitor and harden network infrastructure. The guidance, published in response to high-profile attacks on telecom infrastructure, is applicable to a wider audience. This blog unpacks important points and explains how Tenable products can help with compliance scans.

In November, the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released a joint statement concerning an investigation into cyberattacks on commercial telecommunications infrastructure. The ongoing investigation centers on threat actors believed to be affiliated with the People’s Republic of China (PRC) government. In response to the cyberattacks, U.S. and international government agencies, including CISA and the FBI, authored joint guidance to help network defenders improve network visibility and security. This guidance highlights the importance of monitoring and alerting, but also provides specific ways to strengthen cybersecurity with increased configuration management and strong identity hygiene. 

What’s this all about?

The U.S. government has been monitoring PRC-sponsored groups such as Volt Typhoon and Salt Typhoon because it suspects they may be preparing for a large-scale disruption of U.S. critical infrastructure. A press release from mobile telecom provider T-Mobile highlights the activity that it has identified, the controls that it had in place to help prevent a greater threat, as well as how it is collaborating with the authorities’ investigation. According to U.S. government officials, at least eight telecommunications companies have been targeted so far but there may be more. 

The new guidance can help prevent these attacks, whose main goal is to reportedly carry out cyber espionage activities on behalf of the Chinese government by, among other things, stealing customer call-records data. The guidelines pair well with recommendations in Center for Internet Security (CIS) Benchmarks for specific network devices. CIS Benchmarks are written and maintained by industry professionals with the goal of simplifying the implementation of security controls to help mitigate risk. By using CIS Benchmarks, network and security engineers can identify and harden configurations, and establish a more secure posture as suggested by the guidance.

We’ll be taking a closer look at the specific sections in the recent guidance and highlight CIS Benchmark recommendations that align with these objectives.

Strengthening visibility

This section highlights monitoring and alerting best practices. It breaks these guidelines into two sets of tasks: one for network engineers and another one for network defenders. However, the common goal is to help them find and trigger alerts on misconfigurations, changes and user account activity. One key recommendation is to use an independent and centralized log-storage environment, and if possible, a security information and event management (SIEM) solution built specifically to analyze the logs to produce alerts. 

Alerting should be focused on configuration changes; configurations that don’t meet specific criteria; and open ports or enabled services. In addition, devices that accept traffic from outside of the network (external facing) should be reviewed to ensure that only necessary services are accessible to and from the internet.

Examples of centralized logging criteria can be found in CIS Benchmarks for Cisco, Fortinet, Juniper Networks and Palo Alto Networks devices:

This section also focuses on monitoring user- and service-account logins to ensure that anomalous login activity is detected and prevented. Unused accounts should be disabled whenever possible. Some examples of this criteria can be found in CIS Benchmarks for Check Point Software and Palo Alto Networks devices:

Hardening systems and devices

This section aims to help reduce risk by limiting access to the network and network devices; ensuring that communication is encrypted and secure; and providing more direct guidance with regards to Cisco-based devices. This section includes recommendations regarding access control and network segmentation, provides specific protocol guidelines (such as using only SNMPv3 when SNMP is necessary), and details what is considered to be “strong” encryption. 

First, network segmentation helps to limit movement across the network and to make it easier to inspect inbound and outbound traffic. It also helps to maintain a DMZ to contain the services that must face externally (towards the internet) and prevent direct access to backend resources and networks. Segmentation also involves creating and using VLANs, and the recommendation is that these VLANs should be used to group together devices of a similar nature, which is common in most networks. In addition to segmenting the network, the authoring agencies also recommend adopting Transport Layer Security-everywhere using strong algorithms. These guidelines can help keep threat actors out of corporate networks, as well as ensure that these actors are limited in what they can do and/or see if they manage to penetrate the outermost defenses. 

Another component of segmentation is initializing a default-deny access-control list (ACL), which can be done at the firewall level. This is important for all traffic types, but especially so when isolating management traffic for network devices. Most physical network devices, such as routers and switches, have dedicated ports for management traffic that can be attached to a physically segmented network in order to limit administrative access. Further controls on lateral movement are also recommended for the management network, and it is advisable to not manage devices directly from the internet. Some examples of segmentation and ACL firewall configurations can be found in CIS Benchmarks for Cisco, Juniper Networks, and Palo Alto Networks products.

The guidance further identifies numerous insecure protocols and services and notes that they should be disabled. These include FTP, TFTP, SSHv1, HTTP, and SNMP v1/v2. Additionally, any network protocols or services in use should require authentication when available, including routing protocols. Meanwhile, you should use SNMP Version 3 with encryption and authentication. Having centralized authentication, authorization, and accounting (AAA) logging is emphasized here, in addition to prior mentions of syslog configuration. Examples of identifying and disabling protocols can be found in several CIS Benchmarks for Cisco, Fortinet, Juniper Networks, and Palo Alto Networks products:

This section highlights specific criteria for Cisco devices. Disabling the Smart Install and Guest Shell features is recommended, as is disabling Telnet in favor of SSH. Specific commands are also provided to disable HTTP-only access so that device management is performed over HTTPS instead. If UI access is not necessary, the secure service should also be disabled. The specific password type recommended is type-8 when possible, and type-6 encryption for securing the Terminal Access Controller Access-Control System + (TACACS+) key. The document also links to the hardening guide for Cisco IOS XE and a guide for securing NX-OS devices.

Secure by design

The secure-by-design concept helps introduce the security conversation earlier in the development lifecycle. This approach helps ensure that security considerations are addressed at the beginning of the product lifecycle. Customers should make sure that products they plan to buy adhere to this principle. CISA has more information on its “Secure by Design” site. Tenable has committed to a secure-by-design approach, as can be seen in a recent initiative reported on here and here.

How Tenable can help

This overview is meant to help give network and security engineers a summary of the best practices, as well as provide insight on how CIS Benchmarks cover many of the guidance’s topics. Still, engineers should read the guidance to ensure they fully understand the material and how it relates to their own networks. It’s equally important to map out the network and understand what devices exist and where they are placed. However, this is only a first step in securing the network.

Tenable has several products, such as Tenable Vulnerability Management, Tenable Security Center, and Nessus that support auditing a wide array of devices and operating systems using CIS Benchmarks. These products could help with maintaining control over risk factors that threat actors often attempt to exploit. Tenable audits are written to test for the criteria of each automated recommendation in CIS Benchmarks. After an evaluation is run against the target, a result is provided as well as remediation text from the CIS Benchmark so that engineers can remediate and harden the device or operating system.

Tenable provides audit files for the following CIS Benchmarks to help organizations assess device configurations:

These CIS Benchmarks align with the intent of the CISA hardening guidance. The example below highlights the CIS Cisco IOS XE 17.x v2.1.1 CIS Benchmark, and how it relates to the CISA hardening guidance:

Section 1.1 - Authentication, Authorization and Accounting (AAA) configuration

  • Strengthening visibility as AAA logging supports user account login monitoring, and tracking changes
  • Hardening systems and devices by providing identity management and policy enforcement

Section 1.2 - Access Rules for device administration

  • Hardening systems and devices by restricting device management, and ensuring sessions are limited

Section 1.3 - Banner Rules to communicate legal rights to users

  • Strengthening visibility by informing users they are subject to monitoring, and the event logs can support prosecution

Section 1.4 - Password Rules to enforce secure credentials and password lifecycle

  • Hardening systems and devices by ensuring strong passwords are utilized, and passwords are securely stored

Section 1.5 - SNMP Rules provides guidance for secure configuration parameters

  • Hardening systems and devices by ensuring SNMP is disabled, or is configured with secure parameters

Section 2.1 - Global Service Rules to reduce attack surface and disable unnecessary services

  • Hardening systems and devices by disabling unnecessary, unused, exploitable, or plaintext services and protocols

Section 2.2 - Logging Rules configures log collection and forwarding

  • Strengthening visibility by collecting event logs, and forwarding to a central log collection source
  • Hardening systems and devices by forwarding logs to a central log collection source

Section 2.3 - NTP Rules ensures system time is provided by a single, consistent source

  • Strengthening visibility by ensuring a consistent time source for event logs
  • Hardening systems and devices by requiring that NTP is authenticated

Section 2.4 - Lookback Rules for configuring device initiated connections to supporting services such as AAA, SYSLOG, or NTP

  • Hardening systems and devices by ensuring that traffic is initiated from a specific source, which can be used to set ACLs/filtering

Section 3.1 - Routing Rules to disable unneeded services

  • Hardening systems and devices by disabling unneeded services such as source routing

Section 3.2 - Border Router Filtering defines filtering between internal and external networks

  • Hardening systems and devices by implementing a strategy to control inbound and egress traffic

Section 3.3 - Neighbor Authentication configures routing protocol authentication

  • Hardening systems and devices by requiring routing protocols are authenticated
Learn more
Tenable Research

Microsoft Patch Tuesday 2024 Year in Review(link is external)

Tenable Blog
3 months 2 weeks ago

Microsoft addressed over 1000 CVEs as part of Patch Tuesday releases in 2024, including 22 zero-day vulnerabilities.

Background

Microsoft’s Patch Tuesday, a monthly release of software patches for Microsoft products, has just celebrated its 21st anniversary. After a wrap-up covering the 20th anniversary in 2023, the Tenable Security Response Team (SRT) chose to keep the tradition and cover trends and significant vulnerabilities from the 2024 Patch Tuesday releases.

Analysis

In 2024, Microsoft patched 1,009 CVEs throughout the year across a multitude of products. In contrast, 2023 saw 909 CVE’s patched and in 2022, 917 CVE’s were patched. While Microsoft has yet to break its 2020 record with 1,245 CVE’s patched, 2024 was still significant, as it is only the second time since Patch Tuesday’s inception that Microsoft patched over 1,000 CVE’s in a year.

Year over year, we see a steady increase in CVEs patched, with the exception of the outlier in 2020, a peak CVE count we have not yet seen matched.

In 2024, the largest CVE count was observed in April, with Microsoft releasing patches for 147 CVEs. Only three months saw CVE counts over 100, with an average of 84 CVE’s patched per month.

Patch Tuesday 2024 by severity

Each month, Microsoft categorizes vulnerabilities into four main severity levels: low, moderate, important and critical.

Just as in 2023, 2024 saw the majority of vulnerabilities rated as important, accounting for 93.6% of all CVEs patched, followed by critical at 5.4%. Moderate accounted for 1.1%, while there were no CVEs rated as low in 2024.

Patch Tuesday 2024 by impact

In addition to severity levels, Microsoft also categorizes vulnerabilities by seven impact levels: remote code execution (RCE), elevation of privilege (EoP), denial of service (DoS), information disclosure, spoofing, security feature bypass and tampering.

Once again in 2024, RCE vulnerabilities led the impact category, accounting for 39.7%, while EoP vulnerabilities accounted for 28.8%. DoS vulnerabilities ranked third, accounting for 10%, followed by information disclosure flaws at 8.3% and security feature bypass vulnerabilities at 8.0%. Last year, there were no vulnerabilities categorized as tampering, but this year, there were just four, which accounted for 0.4%.

Patch Tuesday 2024 zero-day vulnerabilities

According to Statista, Microsoft’s Windows operating system (OS) has a 72% market share as of February 2024, making it the most prominent OS. With the largest market share, Microsoft remains a top target for cybercriminals and advanced persistent threat (APT) groups. On occasion, these groups find and exploit vulnerabilities that remain unknown to Microsoft, known as zero-day vulnerabilities. Zero-day vulnerabilities are defined as vulnerabilities in software that have been exploited in the wild and/or have been publicly disclosed prior to patches becoming available. These zero-day vulnerabilities are often leveraged in limited, targeted attacks, however exploitation of these flaws can vary in depth and breadth.

In 2024, Microsoft patched 22 CVEs that were identified as zero-day vulnerabilities. Of the 22 zero-day vulnerabilities patched in 2024, 36.4% were EoP flaws. EoP vulnerabilities are often leveraged by APT actors and by determined cybercriminals seeking to elevate privileges as part of post-compromise activity. Following EoP flaws, security feature bypass vulnerabilities accounted for 27.3% of zero-days in 2024. While RCEs were the most prominent vulnerabilities across Patch Tuesday, they only accounted for 18.2% of zero-day flaws.

While these zero-days made up a small portion of the overall CVE’s addressed by Microsoft in 2024, we analyzed some of the most notable zero-day vulnerabilities of 2024. The table below includes these CVE’s with some details around their exploitation activity.

CVEDescriptionExploitation ActivityCVE-2024-21338Windows Kernel Elevation of Privilege VulnerabilityExploited by the Lazarus APT Group to deploy the FudModule rootkitCVE-2024-21412Internet Shortcut Files Security Feature Bypass VulnerabilityWater Hydra (aka DarkCasino) exploited this in a campaign named DarkGate. This APT has also exploited this CVE to deploy the DarkMe remote access trojan (RAT)CVE-2024-30051Windows DWM Core Library Elevation of Privilege VulnerabilityUsed to deploy QakBot malwareCVE-2024-30088Windows Kernel Elevation of Privilege VulnerabilityExploited by APT34 (aka OilRig)CVE-2024-38112Windows MSHTML Platform Spoofing VulnerabilityExploited by APT group Void Banshee to deploy the malware known as Atlantida stealer.CVE-2024-38178Scripting Engine Memory Corruption VulnerabilityExploited by APT37 (aka RedEyes, Reaper, ScarCruft, Group123 and TA-RedAnt)CVE-2024-38193Windows Ancillary Function Driver for WinSock Elevation of Privilege VulnerabilityExploited by the Lazarus APT Group (aka Diamond Sleet) to deploy the FudModule rootkitCVE-2024-38213Windows Mark of the Web Security Feature Bypass VulnerabilityWater Hydra (aka DarkCasino) exploited this in a campaign named DarkGate. Vulnerability was named “Copy2Pwn” by Trend Micro’s Zero Day Initiative (ZDI)CVE-2024-43451NTLM Hash Disclosure Spoofing VulnerabilityExploited by APT known as UAC-0194 to deploy Spark RAT malware.CVE-2024-43461Windows MSHTML Platform Spoofing VulnerabilityExploited by APT group Void Banshee in an attack chain with CVE-2024-38112CVE-2024-49039Windows Task Scheduler Elevation of Privilege VulnerabilityExploited by the threat actor tracked as RomCom to deploy the RomCom RAT malware.Conclusion

As we reflect on Patch Tuesday vulnerabilities in 2024, despite the year over year CVE counts being steady, we observed a small increase this year. While there will always be outliers, it is likely that 2025 will continue to follow an upward trend. In June, Microsoft announced that CVE’s would be issued for vulnerabilities in cloud-based products, even when no end user action is required. This could lead to a sharp increase in the number of CVEs assigned next year.

View the video below for a summary of key takeaways:

The SRT will continue to blog about Patch Tuesday each month along with other significant vulnerabilities that represent risk across the threat landscape, ensuring our readers are equipped with the most up to date information about the exposures that require immediate action.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Scott Caveza, Satnam Narang

Microsoft’s December 2024 Patch Tuesday Addresses 70 CVEs (CVE-2024-49138)(link is external)

Tenable Blog
3 months 2 weeks ago
  1. 16Critical
  2. 54Important
  3. 0Moderate
  4. 0Low

Microsoft addresses 70 CVEs with 16 rated critical, including one zero-day that was exploited in the wild.

Microsoft patched 70 CVEs in its December 2024 Patch Tuesday release, with 16 rated critical, and 54 rated as important.

This month’s update includes patches for:

  • GitHub
  • Microsoft Defender for Endpoint
  • Microsoft Office
  • Microsoft Office Access
  • Microsoft Office Excel
  • Microsoft Office Publisher
  • Microsoft Office SharePoint
  • Microsoft Office Word
  • Remote Desktop Client
  • Role: DNS Server
  • Role: Windows Hyper-V
  • System Center Operations Manager
  • Windows Cloud Files Mini Filter Driver
  • Windows Common Log File System Driver
  • Windows File Explorer
  • Windows IP Routing Management Snapin
  • Windows Kernel
  • Windows Kernel-Mode Drivers
  • Windows LDAP - Lightweight Directory Access Protocol
  • Windows Local Security Authority Subsystem Service (LSASS)
  • Windows Message Queuing
  • Windows Mobile Broadband
  • Windows PrintWorkflowUserSvc
  • Windows Remote Desktop
  • Windows Remote Desktop Services
  • Windows Resilient File System (ReFS)
  • Windows Routing and Remote Access Service (RRAS)
  • Windows Task Scheduler
  • Windows Virtualization-Based Security (VBS) Enclave
  • Windows Wireless Wide Area Network Service
  • WmsRepair Service

Remote code execution (RCE) vulnerabilities accounted for 42.9% of the vulnerabilities patched this month, followed by elevation of privilege (EoP) vulnerabilities at 38.6%.

ImportantCVE-2024-49138 | Windows Common Log File System Driver Elevation of Privilege Vulnerability

CVE-2024-49138 is an EoP vulnerability in the Windows Common Log File System (CLFS) Driver. It was assigned a CVSSv3 score of 7.8 and is rated as important. It was exploited in the wild as a zero-day, though no details about the in-the-wild exploitation were known at the time this blog post was published.

In addition to CVE-2024-49138, Microsoft patched two other CLFS driver EoP vulnerabilities: CVE-2024-49090, CVE-2024-49088, both assigned a CVSSv3 score of 7.8, were rated as important and assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index.

This is the ninth vulnerability in the Windows CLFS driver patched in 2024, and the first that was exploited in the wild as a zero-day this year. In 2023, there were 10 CLFS vulnerabilities patched, including two zero-day vulnerabilities in the CLFS driver that were exploited (CVE-2023-28252, CVE-2023-23376). CLFS driver vulnerabilities have been a popular attack vector and exploited in the wild by ransomware operators in the last few years according to researchers.

ImportantCVE-2024-49070 | Microsoft SharePoint Remote Code Execution Vulnerability

CVE-2024-49070 is a RCE vulnerability in Microsoft SharePoint. It was assigned a CVSSv3 score of 7.4 and is rated as important. Microsoft’s advisory notes that complexity is high and successful exploitation requires the attacker to first prepare the target in order to improve reliability of an exploit. While no details have been provided, Microsoft assessed this vulnerability as “Exploitation More Likely.”

In addition to CVE-2024-49070, Microsoft patched two information disclosure vulnerabilities (CVE-2024-49062, CVE-2024-49064) and an EoP vulnerability (CVE-2024-49068) in Microsoft SharePoint.

CriticalCVE-2024-49118, CVE-2024-49122 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability

CVE-2024-49118 and CVE-2024-49122 are RCE vulnerabilities in Microsoft Message Queuing (MSMQ). Both were assigned a CVSSv3 score of 8.1 and are rated as critical. According to both of the Microsoft advisories, successful exploitation requires an attacker winning a race condition. Despite this requirement, Microsoft assessed CVE-2024-49122 as “Exploitation More Likely” while CVE-2024-49118 was assessed as “Exploitation Less Likely” as the winning the race condition must occur “during the execution of a specific operation that recurs in a low frequency on the target system.”

In order for a system to be vulnerable, the MSMQ service must be added and enabled. According to Microsoft, if the service is enabled on a Windows installation, a service named “Message Queueing” will be running on TCP port 1801. Tenable customers can use Plugin ID 174933 to identify systems that have this service running.

CVE-2024-49118 and CVE-2024-49122 brings the total to six RCE’s affecting MSMQ that were patched in 2024. One was addressed in the June Patch Tuesday (CVE-2024-30080) release, two addressed in the April Patch Tuesday (CVE-2024-26232, CVE-2024-26208) release and one in February's Patch Tuesday (CVE-2024-21363) release.

CriticalCVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128 and CVE-2024-49132 | Windows Remote Desktop Services Remote Code Execution Vulnerability

CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128 and CVE-2024-49132 are RCE vulnerabilities affecting Windows Remote Desktop Services. All nine of these vulnerabilities were rated as critical and received CVSSv3 scores of 8.1. Successful exploitation is complex and requires an attacker to trigger a race condition in order to “create a use-after-free scenario” which could lead to arbitrary code execution. With a high complexity for exploitation, Microsoft assessed these vulnerabilities as “Exploitation Less Likely.”

In addition to these nine RCE’s, Microsoft addressed CVE-2024-49075, a DoS vulnerability affecting Remote Desktop Services.

Tenable Solutions

A list of all the plugins released for Microsoft’s December 2024 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

Get more information

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Tenable Security Response Team

Data Security in Healthcare: How Tenable Cloud Security Can Help(link is external)

Tenable Blog
3 months 3 weeks ago

Healthcare is one of the most highly regulated industry sectors in the world. Adhering to compliance standards while also ensuring optimal patient experiences is a challenge. DSPM capabilities in Tenable Cloud Security can ease the burden on cybersecurity teams.

When it comes to cybersecurity, the healthcare sector can find itself stuck between a rock and a hard place. To improve patient care, organizations in this sector are constantly trying to innovate, adopting new technologies to improve the patient experience.

In parallel, healthcare organizations must also ensure that they have the proper cybersecurity guardrails in place to use and store the influx of new patient data they collect. Such data includes personal health information (PHI), which is subject to strict regulations like the U.S. Health Insurance Portability and Accountability Act (HIPAA) and the EU’s General Data Protection Regulation (GDPR).

Organizations in this sector must be forward-thinking and embrace innovation while maintaining rigorous data security and ensuring compliance with ever-evolving industry regulations.

Tenable Cloud Security’s Data Security Posture Management (DSPM) capabilities empower healthcare organizations to navigate this balancing act and provide their patients with care and services powered by the most cutting-edge technology, while holistically securing their most sensitive data.

Data security posture and overall health

Think of your organization's data security posture as its overall health. Just as a healthy individual has strong natural immunity defenses that fight off illnesses, a strong data security posture is one that has proactive measures implemented to prevent data breaches and unauthorized access.

Tenable Cloud Security provides unmatched value to healthcare organizations, helping them build strong security postures in several ways:

  • Continuous monitoring: Tenable Cloud Security constantly monitors cloud environments for suspicious activity, unauthorized access attempts and potential vulnerabilities. This allows cybersecurity teams to identify and address threats before they can cause harm.
  • Automated threat detection: Tenable Cloud Security utilizes advanced technology to detect sophisticated cyberthreats before data is exfiltrated or compromised. This ensures that organizations do not rely solely on manual detection methods, which can be time-consuming, ineffective and prone to error.
  • Compliance management: Healthcare is one of the most highly regulated and stringently controlled sectors in the market. Tenable Cloud Security helps organizations remain continuously compliant with industry standards and government regulations by providing tools and insights to identify and manage sensitive data.
Data discovery: X-raying the unknown

Just as a doctor uses an X-ray to reveal and diagnose hidden health issues, data discovery plays a crucial role in identifying unknown cybersecurity threats. Tenable Cloud Security utilizes advanced data discovery techniques to uncover sensitive data residing across an organization’s cloud environment, even in unexpected locations. This comprehensive understanding of your company’s data landscape allows you to implement appropriate security controls and close any potential security gaps.

Tenable Cloud Security takes data discovery a step further by:

  • Automating the process: Tenable Cloud Security automates the discovery of sensitive data, eliminating the need for manual searches and reducing the risk of human error.
  • Data classification: Tenable Cloud Security classifies your data based on its sensitivity level, allowing you to prioritize your security efforts and focus on protecting the most critical information.
  • Continuous discovery: Tenable Cloud Security continuously monitors your cloud environment for new data and automatically identifies any new sensitive information that is added.

By understanding and classifying your data, Tenable easily implements appropriate security controls such as access restrictions and encryption to ensure its confidentiality and integrity.

Taking a proactive approach to data security: Addressing underlying issues

Just as regular checkups and proactive healthcare are crucial for maintaining good health, continuously monitoring and addressing underlying security posture issues are essential for securing sensitive data. Ignoring potential cyberthreats, even if they seem minor, can lead to serious consequences down the line, including data exfiltration and malicious activity.

With Tenable Cloud Security, healthcare organizations can achieve the perfect balance of innovation and compliance. This ensures the confidentiality, integrity and availability of sensitive patient data, allowing you to focus on your core mission of providing excellent care and driving advancements in healthcare.

Learn more
Liat Hayun

Cybersecurity Snapshot: Study Raises Open Source Security Red Flags, as Cyber Agencies Offer Prevention Tips Against Telecom Spying Attacks(link is external)

Tenable Blog
3 months 3 weeks ago

Don’t miss the Linux Foundation’s deep dive into open source software security. Plus, cyber agencies warn about China-backed cyber espionage campaign targeting telecom data. Meanwhile, a study shows the weight of security considerations in generative AI projects. And get the latest on ransomware trends, financial cybercrime and critical infrastructure security.

Dive into six things that are top of mind for the week ending Dec. 6.

1 - Study: Security of open source software projects must improve

Improperly secured developer accounts. Lack of a standard naming schema for software components. The persistence of legacy software.

Those three issues put the reliability and security of free and open source software (FOSS) at risk, a new Linux Foundation study has found. 

Published this week, “Census III of Free and Open Source Software — Application Libraries” is based on about 12 million observations of FOSS at 10,000-plus companies. Its aim: to provide a better understanding of FOSS use and security challenges, given FOSS’ widespread adoption globally.

“Our goal is to not only provide an updated list of the most widely used FOSS, but to also provide an example of how the distributed nature of FOSS requires a multi-party effort to fully understand the value and security of the FOSS ecosystem,” the study reads.

Data sharing, coordination and investment are keys to preserving the value of FOSS, which has become critical for the digital economy, the authors wrote.


Here are more details about the three key security issues identified in the study:

  • To conduct their FOSS work, developers often use individual accounts, which typically lack the security protections of organizational accounts. Hosting FOSS projects under individual developer accounts creates multiple risks, such as making it easier for hackers to breach individual computing environments and tamper with FOSS code.
  • A lot of legacy FOSS software still exists that isn’t being maintained nor updated, which makes the software more vulnerable to attacks.
  • The FOSS ecosystem needs a standardized schema for naming software components, a key issue for supply chain security. “Until one is widely used, strategies for software security, transparency and more will have limited effect,” the study reads.

For more information about open source security:

2 - How to protect comms infrastructure from China-backed Salt Typhoon hackers

Security teams in charge of defending networks and communications infrastructure should take steps to prevent attacks from China-affiliated hackers that have recently compromised the networks of major global telecom providers.

So said cyber agencies from Australia, Canada, New Zealand and the U.S. this week in a joint document that offers network and communications-infrastructure engineers recommendations for strengthening network visibility and hardening systems.

The silver lining: The cyberattackers are exploiting known, existing weaknesses in their victims’ infrastructure. “No novel activity has been observed,” reads the publication, titled “Enhanced Visibility and Hardening Guidance for Communications Infrastructure.


“Patching vulnerable devices and services, as well as generally securing environments, will reduce opportunities for intrusion and mitigate the actors’ activity,” the document adds.

These are some of the recommendations for defenders of networks and communications systems.

  • To enhance visibility
    • Adopt alerting mechanisms to detect unauthorized changes to the network and configuration modifications to network devices.
    • Monitor anomalous logins into user and service accounts, and disable inactive accounts.
    • Implement a centralized logging system that can analyze data from multiple sources.
  • To harden systems and devices
    • Implement strong network segmentation.
    • Adopt an access control list (ACL) strategy that denies access to the network by default, and log all denied traffic.
    • Disconnect unneeded internet-facing infrastructure and monitor the infrastructure that does need to be exposed to the internet.

The joint document doesn’t name the hacking group. However, The Wall Street Journal identified it as Salt Typhoon when, citing anonymous sources, it reported in September that the group had breached several U.S. telecoms, including Verizon and AT&T. 

Salt Typhoon’s main goal is reportedly to carry out cyber espionage activities on behalf of the Chinese government. Salt Typhoon’s cyber espionage campaign is “ongoing” and authorities feel there is still much to be discovered about it, a Cybersecurity and Infrastructure Security Agency (CISA) official told reporters this week.

“We cannot say with certainty that the adversary has been evicted,” CISA official Jeff Greene said during a press call, as quoted by Politico. According to NBC News, Greene also recommended that Americans use encrypted messaging apps to protect themselves from Salt Typhoon.

Last month, CISA and the FBI described the Chinese-government backed cyber espionage campaign as “broad and significant,” resulting in the theft of customer call records data; the compromise of private communications of government officials and politicians; and the copying of law enforcement information related to wiretap requests.

For more information about Salt Typhoon and its ongoing cyber espionage campaign:

3 - Survey: Security a key element in GenAI projects

As organizations deepen their generative AI use, security and data protection considerations feature prominently in their plans — including whether to build their own generative AI infrastructure.

That’s according to the Linux Foundation’s “Shaping the Future of Generative AI” report, which polled 316 respondents familiar with their organizations’ generative AI adoption. 

“Security remains a cornerstone of this transformation. As organizations embrace GenAI, safeguarding sensitive data and ensuring compliance with industry standards have become critical imperatives,” reads an Open Source Security Foundation blog about the report.

Among organizations deploying their own generative AI infrastructure, security and data control ranked as the top motivation for doing so. Three other data security priorities — data sovereignty; privacy; and intellectual property protection — ranked third, fifth and eighth, respectively.

(Source: Linux Foundation's "Shaping the Future of Generative AI," November 2024)

Meanwhile, respondents, who were based primarily in the Americas, Europe and Asia-Pacific, ranked security as the second most important criteria when choosing a generative AI model or tool, with privacy and regulatory compliance ranking fourth and fifth, respectively.

(Source: Linux Foundation's "Shaping the Future of Generative AI," November 2024)

Furthermore, respondents, who included executives, developers, consultants, data scientists and operations staffers, also ranked security and data protection risks high when asked about their concerns when adopting generative AI models and tools.

(Source: Linux Foundation's "Shaping the Future of Generative AI," November 2024)

For more information about AI security, check out these Tenable blogs:

4 - CISA finds gaps in critical infrastructure org’s network, shares lessons learned

Here’s a report that cyber teams at critical infrastructure organizations will likely find useful and informative.

The topic: How CISA’s red team breached a critical infrastructure organization’s IT network and then compromised a domain controller and a human machine interface (HMI), which served as an operational technology (OT) dashboard.

The unnamed organization requested that CISA conduct the red team assessment (RTA), in which CISA acted like a cyberattacker to probe the organization’s cybersecurity detection and response processes and procedures.

In broad strokes, here are some of the ways in which CISA’s red team circumvented the critical infrastructure organization’s cyber defenses:

  • After failing to gain initial success via spearphishing, CISA’s red team hit pay dirt when it discovered a web shell left on a Linux web server by mistake.
  • Using the web shell, CISA’s red team ran arbitrary commands on the Linux web server and moved laterally into the internal network. 
  • Using valid accounts, it compromised the organization’s domain and several sensitive business systems.
  • Eventually, CISA’s team compromised a Windows domain controller, which allowed it to move laterally to all Windows hosts. 
  • With persistent access to Linux and Windows systems across the organization’s networks, CISA’s red team probed further, accessing, among other assets, the HMI OT dashboard.

Timeline of CISA's red team cyberthreat activity

(Source: CISA’s advisory “Enhancing Cyber Resilience: Insights from CISA Red Team Assessment of a US Critical Infrastructure Sector Organization,” November 2024)

Key findings include:

  • The organization didn’t properly block access from the perimeter network to the internal network.
  • The organization relied too much on host-based tools, while lacking sufficient network-layer protections.
  • Multiple systems were insecurely configured.
  • The organization failed to review security alerts that were triggered by the red team’s actions.
  • Identity management was poor.
  • The organization used software that is known to be insecure and outdated.

Some of CISA’s mitigation recommendations for cybersecurity teams are:

  • Adopt the principle of least privilege, segment the perimeter network, and adopt firewalls, access control lists and intrusion prevention systems.
  • Tune network appliances to detect anomalous behavior, and limit the use of admin tools.
  • Harden system configuration by, for example, removing “unconstrained delegation” functionality from all servers.
  • Keep systems and software up to date.
  • Adopt a centralized identity and access management system.
  • Prohibit the storage of passwords in plaintext.

To get all the details, read CISA’s advisory “Enhancing Cyber Resilience: Insights from CISA Red Team Assessment of a US Critical Infrastructure Sector Organization.

To learn more about securing OT systems in critical infrastructure environments, check out these Tenable resources:

5 - Report: VPNs were weakest link in Q3 ransomware attacks

Here’s a stat to remind your organization to make sure its virtual private network (VPN) system is configured correctly, has no vulnerabilities and is up to date: Almost 30% of ransomware attacks in the third quarter compromised insecure VPNs to gain initial access, sharply up from about 5% in the second quarter.

That’s according to Corvus Insurance’s “Q3 2024 Cyber Threat Report,” which said many of the ransomware attacks in Q3 leveraged outdated VPN software and poorly protected VPN gateways. 

Specifically, organizations shouldn’t allow the use of common usernames and weak passwords in their VPN user accounts, and should protect them with multi-factor authentication. 

“The persistence of weak credentials and lack of multi-factor authentication on VPN gateways has facilitated these attacks, making secure access controls crucial for mitigating threats,” reads the report.


The Corvus ransomware report also found that five ransomware groups — RansomHub, PLAY, LockBit 3.0, MEOW and Hunters International — accounted for 40% of all attacks. However, the ransomware ecosystem remains diverse, with almost 60 groups active during the third quarter, which makes the threat landscape more complex for cyber teams to manage.

For more information about ransomware prevention:

VIDEO

Ultimate Guide to Ransomware for Businesses (TechTarget)

6 - Interpol tackles financial cybercrime with thousands of arrests

A five-month Interpol operation led by South Korea has led to the arrest of 5,500-plus suspected financial cybercriminals and to the seizure of more than $400 million in assets.

With Operation HAECHI, Interpol and law enforcement partners from 40 countries went after cyber crooks involved in a variety of financial scams, including:

  • voice phishing
  • romance scams
  • investment fraud
  • e-commerce fraud

International collaboration is key to fighting financial cybercrime, which has devastating effects on its victims, Interpol Secretary General Valdecy Urquiza said in a statement.

“It’s only through united efforts that we can make the real and digital worlds safer,” he said.

Juan Perez

Making Zero Trust Architecture Achievable(link is external)

Tenable Blog
3 months 3 weeks ago

How NIST is working with Tenable and other private sector stakeholders to better enable zero trust implementation.

Trust no one. Verify everything. All the time. When it comes to cybersecurity and protecting your expanding attack surface, that’s more than a catchphrase. It’s the way you must approach access to your network, systems and assets. Ultimately, this is an approach the federal government must use, expand upon and intertwine into its cybersecurity standards.

When thinking about zero trust, it’s important to understand this is an evolving practice that goes beyond traditional “trust but verify” approaches to cybersecurity. According to a Tenable blog by John Kindervag, who created the Zero Trust Model of Cybersecurity when he was a principal analyst at Forrester Research, “While the zero trust model represents a significant divergence from the legacy, moat-and-castle approach to network security, it can be implemented by practitioners using commercial off-the-shelf technology. And it's built upon current cyber best practices and sound cyber hygiene, such as vulnerability management, proactive patching and continuous monitoring, already implemented in most organizations today.”

It’s time to rethink the trust-but-verify model of cybersecurity

The principles of zero trust require rethinking the trust-but-verify model upon which so much IT infrastructure has been built. It calls for viewing trust as a vulnerability instead and calls for removing the notion of trust from digital systems.

Zero trust is a proactive cybersecurity approach. However, with anything proactive, it’s important to remember there is a constant need for adaptation and new protocols that can withstand the changing threat landscape.

On Dec. 4, NIST released the draft Guidance for Implementing Zero Trust Architecture for public comment. Tenable has been proud to work alongside the NIST National Cybersecurity Center of Excellence (NCCoE) to launch the Zero Trust Architecture Demonstration Project. This collaborative project has brought together multiple industry participants to launch end-to-end zero trust architecture implementations to help industry and government reduce the risk of cyberattacks. As part of this collaborative project, Tenable has participated in a lab demonstration of how to deploy examples of zero trust architecture in hybrid enterprise environments using commercially available technology contributions.

“The [...] demonstration project, 'Implementing a Zero Trust Architecture,' stands as a critical cybersecurity initiative that showcases the resilience of ZTAs across multiple practical implementations.”

—Alper Kerman, Security Engineer and Principal Lead of the NCCoE Zero Trust Project at NIST

“The NCCoE ZTA demonstration project, 'Implementing a Zero Trust Architecture,' stands as a critical cybersecurity initiative that showcases the resilience of ZTAs across multiple practical implementations,” explained Alper Kerman, Security Engineer and Principal Lead of the NCCoE Zero Trust Project at NIST. “Each implementation combines a strategic mix of commercially available products and services, contributed by partner organizations such as Tenable. Their invaluable role in providing enhanced visibility and insights has been essential in strengthening our defenses, ensuring we can safeguard our networks against the ever-evolving landscape of cyberthreats.”

As a main collaborator, Tenable contributed exposure management technology and capabilities for the ZTA Demonstration Protect. As a leader in cybersecurity, Tenable was able to harness its expertise to best use security analytics, building out a program that had orchestration and enforcement capabilities through scanning and assessment, endpoint monitoring, traffic inspection and network discovery.

When implementing a zero trust architecture, it is a foundational imperative for organizations and enterprises to inventory, enumerate and assess every asset on the network. This allows for a better understanding of assets in context and how they are interconnected. Analyzing data from operational technology (OT), internet of things (IoT), IT, cloud and network plays a critical role in helping organizations gain visibility into how assets are interconnected, evaluate exposure based on real-world threats and context, and prioritize remediation and mitigation efforts. Ultimately, it’s important for an organization to completely understand the entire attack surface in order to evaluate which assets are most vulnerable. Zero trust architecture is a way to programmatically collect risk telemetry and make informed decisions that can help reduce exposure. By adopting zero trust architecture approaches, it is possible to make significant progress toward this objective.

At Tenable, we are proud to partner with our government’s leading agencies to develop strategic ways to approach cybersecurity practices. Our technology solutions help the NCCoE develop a use case that exemplifies the ZTA motto — Trust no one. Verify everything. All the time. Organizations, enterprises and federal agencies need a security model that adapts to today’s modern network, embraces remote work and protects users, applications and data wherever they’re located. The NCCoE ZTA practice guide and reference architecture can serve as an outstanding model to help them achieve their cybersecurity objectives.

Learn more
Robert Huber

If You Only Have 1 Minute: Quick Tips for Effective Exposure Response(link is external)

Tenable Blog
3 months 4 weeks ago

Comprehensive, action-oriented workflows and key metrics are the cornerstones of a successful exposure response program. Here’s what you need to know.

In today’s fast-paced digital landscape, managing vulnerabilities is essential — but it’s about more than identifying weaknesses. Effective vulnerability management requires prioritizing and addressing risks in ways that drive security improvements and prevent major exposures. 

Exposure response strategies support this goal, delivering workflows that go beyond traditional risk scoring, enabling teams to prioritize vulnerabilities, set goals and track service level agreements (SLAs) by owner — ensuring a true end-to-end remediation process. Tracking progress by SLA compliance rather than by cumulative risk scores or vulnerability counts ensures accountability.

The golden metrics for exposure response workflows

Effective exposure response focuses on three "golden metrics" that every remediation workflow should track for maximum impact:

  • Vulnerability age: This is the age of your unresolved vulnerabilities. 
  • Mean time to remediate (MTTR): Measures how long your vulnerabilities remain open.
  • Percentage of vulnerabilities remediated: Reflects the scope of remediation efforts and the team’s overall effectiveness.

Tracking these indicators is essential for prioritizing and resolving vulnerabilities that matter most.

For a deeper dive, watch the video below, where we break down each metric’s importance in exposure response workflows. 

Learn more
Dave Farquhar

If You Only Have 2 Minutes: Best Practices for Setting Exposure Response SLAs(link is external)

Tenable Blog
3 months 4 weeks ago

Keeping vulnerability management efforts focused on achievable goals is key to avoiding cybersecurity team burnout. Here’s how exposure response workflows and SLAs can help.

As organizations grow in the digital age, vulnerability management has become a vital cybersecurity practice. But managing vulnerabilities effectively means more than just identifying potential issues; it’s about setting priorities that align with your organization’s goals and resources. A robust exposure response program elevates this process by creating comprehensive, actionable workflows that prioritize based on real-world impact rather than just risk scores or vulnerability counts. This approach shifts vulnerability management from a reactive scramble into a proactive, sustainable strategy, driven by clear accountability and performance metrics.

Exposure response workflows help teams prioritize risks based on impact and urgency. But prioritizing isn’t enough on its own — effective exposure response requires a practical approach to execution, which is where service level agreements (SLAs) make the difference.

Setting the pace: How SLAs guide effective exposure response

A crucial part of exposure response is establishing SLAs. Unlike traditional methods that rely on cumulative risk scores or vulnerability counts, SLA-based workflows measure performance by individual campaigns and specific accountability metrics. This approach prevents “learned helplessness,” where constant urgency can overwhelm teams and make the workload feel insurmountable. 

Managing SLAs for achievable goals

SLAs help teams focus on attainable goals by defining what ‘critical’ or ‘high’ means based on your organization’s risk appetite, using Common Vulnerability Scoring System (CVSS) or Tenable Vulnerability Priority Rating (VPR) score ranges as benchmarks. This approach reduces the count of past-due critical and high vulnerabilities to zero instead of attempting to fix every issue at once — even if not every vulnerability is resolved immediately.

Moreover, SLAs offer flexibility for specific needs. Industry requirements, such as Payment Card Industry Data Security Standard (PCI-DSS) compliance, may necessitate stricter SLAs for certain areas. Exposure Response in Tenable Vulnerability Management allows teams to set customized SLAs in these contexts without disrupting the overall program.

Moving forward with exposure response

By establishing realistic SLAs, teams can maintain focus and ensure that critical vulnerabilities are addressed promptly, preventing chaos and inefficiency.

For a deeper dive into these concepts, check out the video below.

Learn more
Dave Farquhar

If You Only Have 3 Minutes: Key Elements of Effective Exposure Response(link is external)

Tenable Blog
3 months 4 weeks ago

Learned helplessness and lack of prioritization are two vulnerability management pitfalls cybersecurity teams face. Here’s how an exposure response program can help.

In today’s complex cybersecurity landscape, effective vulnerability management is crucial. Organizations are bombarded with a staggering volume of vulnerabilities every month, and traditional methods often fall short. They tend to just identify issues without offering a sustainable way to tackle them.

Enter exposure response. This approach transforms how teams prioritize, remediate and manage vulnerabilities. Instead of overwhelming teams, exposure response workflows empower them to focus on the most critical threats to their cybersecurity posture.

Why should you care? Here are some common pitfalls organizations face:

  • Learned helplessness: Teams can become paralyzed by the sheer number of vulnerabilities, leading to inaction.
  • Emergency mode: When every vulnerability feels urgent, it becomes impossible to prioritize effectively.

Exposure response workflows address these challenges head-on. By leveraging Service Level Agreements (SLAs), teams can maintain focus and drive measurable progress. This shift enhances security outcomes and fosters a resilient, sustainable cybersecurity strategy that adapts to evolving threats.

Why exposure response matters

Exposure response programs are essential for creating a sustainable cybersecurity strategy. By implementing exposure response workflows, teams can avoid being overwhelmed by vulnerabilities.

Teams can become paralyzed by the sheer number of vulnerabilities, leading to inaction.

Instead of trying to fix every issue, they can work within SLAs to prioritize and tackle what matters most, using tools like the Tenable Vulnerability Priority Rating (VPR) and the Common Vulnerability Scoring System (CVSS). This structured approach mitigates risk and empowers leaders to make data-driven decisions, enhancing their cybersecurity posture.

SLAs: The foundation of effective exposure response

SLAs are tailored deadlines reflecting organizational priorities. SLA-based workflows outperform traditional methods by enabling measurement at the campaign level, providing clearer accountability. This unique approach allows organizations to compare progress internally and against industry peers, driving continuous improvement.

When every vulnerability feels urgent, it becomes impossible to prioritize effectively.

Setting practical SLAs helps teams focus on achievable goals, such as reducing past-due vulnerabilities rather than addressing everything at once. This targeted approach not only supports compliance but also enhances the team's ability to manage workloads sustainably.

The golden metrics: Keys to a well-functioning exposure response program

Tracking key metrics provides an accurate assessment of exposure response effectiveness. Three “golden metrics” serve as essential indicators:

  • Vulnerability age: This is the age of your unresolved vulnerabilities. Shorter ages indicate rapid identification and resolution.
  • Mean time to remediate (MTTR): Measures how long your vulnerabilities remain open.
  • Percentage of vulnerabilities remediated: Reflects the scope of remediation efforts and the team’s overall effectiveness.

When all three metrics are favorable, the exposure response program is performing well. Detailed tracking and reporting offer clear accountability and visibility into remediation efforts, reinforcing the importance of consistent progress.

Moving forward

Incorporating exposure response into vulnerability management gives organizations a structured way to handle cybersecurity risks proactively. By focusing on SLAs and tracking critical metrics, organizations can maintain resilience against threats while fostering a sustainable, impactful security posture. For more insights, check out the accompanying video and other posts in this series.

Learn more
Dave Farquhar

Cybersecurity Snapshot: AI Security Roundup: Best Practices, Research and Insights(link is external)

Tenable Blog
4 months ago

In this special edition, we’ve selected the most-read Cybersecurity Snapshot items about AI security this year. ICYMI the first time around, check out this roundup of data points, tips and trends about secure AI deployment; shadow AI; AI threat detection; AI risks; AI governance; AI cybersecurity uses — and more.

ICYMI, here are six things that’ll help you better understand AI security.

1 - Best practices for secure AI system deployment

Looking for tips on how to roll out AI systems securely and responsibly? The guide “Deploying AI Systems Securely” has concrete recommendations for organizations setting up and operating AI systems on-premises or in private cloud environments. 

“Deploying AI systems securely requires careful setup and configuration that depends on the complexity of the AI system, the resources required (e.g., funding, technical expertise), and the infrastructure used (i.e., on premises, cloud, or hybrid),” reads the 11-page document, jointly published by cybersecurity agencies from the Five Eyes Alliance countries: Australia, Canada, New Zealand, the U.K. and the U.S.

The agencies recommend that organizations developing and deploying AI systems incorporate the following: 

  • Ensure a secure deployment environment: Confirm that the organization’s IT infrastructure is robust, with good governance, a solid architecture and secure configurations in place. 
  • Require a threat model: Have the primary developer of the AI system — whether it’s a vendor or an in-house team — provide a threat model that can guide the deployment team in implementing security best practices, assessing threats and planning mitigations.
  • Promote a collaborative culture: Encourage communication and collaboration among the organization’s data science, IT infrastructure and cybersecurity teams to address any risks or concerns effectively.
  • Design a robust architecture: Implement security protections at the boundaries between the IT environment and the AI system; address identified blind spots; protect proprietary data sources; and apply secure design principles, including zero trust frameworks.
  • Harden configurations: Follow best practices for the deployment environment, such as using hardened containers for running ML models; applying allowlists on firewalls; encrypting sensitive AI data; and employing strong authentication.

For more information about deploying AI systems securely:

2 - Dealing with the “shadow AI” problem 

As organizations scale up their AI adoption, they must closely monitor the usage of unapproved AI tools by employees — an issue known as “shadow AI.”

So how do you identify, manage and prevent shadow AI? The Cloud Security Alliance’s “AI Organizational Responsibilities: Governance, Risk Management, Compliance and Cultural Aspects” white paper offers recommendations to tackle shadow AI, including:

  • Creating a comprehensive inventory of AI systems
  • Conducting gap analyses to spot discrepancies between approved and actual AI usage
  • Implementing ways to detect unauthorized AI wares
  • Establishing effective access controls
  • Deploying monitoring techniques

 

“By focusing on these key areas, organizations can significantly reduce the risks associated with shadow AI, ensuring that all AI systems align with organizational policies, security standards, and regulatory requirements,” the white paper reads.

For example, to create an inventory that offers the required visibility into AI assets, the document explains different elements each record should have, such as:

  • The asset’s description
  • Information about its AI models
  • Information about its data sets and data sources
  • Information about the tools used for its development and deployment
  • Detailed documentation about its lifecycle, regulatory compliance, ethical considerations and adherence to industry standards
  • Records of its access control mechanisms

Meanwhile, the report “Oh, Behave! The Annual Cybersecurity Attitudes and Behaviors Report 2024-2025” from the National Cybersecurity Alliance (NCA) adds insights to the issue of employee use AI, with its finding that almost 40% of employees have fed sensitive work information to AI tools without their employers’ knowledge

These findings, according to the NCA, highlight why organizations must urgently adopt AI usage policies and offer AI security training so employees understand the risks of using this technology.

Have you ever shared sensitive work information without your employer’s knowledge?

(Source: “Oh, Behave! The Annual Cybersecurity Attitudes and Behaviors Report 2024-2025” study by the National Cybersecurity Alliance, September 2024)

For more information about AI risks to cybersecurity, check out these Tenable blogs:

3 - How AI boosts real-time threat detection

AI has greatly impacted real-time threat detection by analyzing large datasets at unmatched speeds and identifying subtle, often-overlooked, changes in network traffic or user behavior. For example, AI can detect when a system atypically accesses sensitive data. Traditional tools may miss these nuanced anomalies, but AI systems are adept at spotting them.

For security, GenAI can revolutionize the field if applied correctly, especially when it comes to threat detection and response. It enhances efficiency and productivity by swiftly processing and delivering critical information when it matters most,” Nicholas Weeks, a Tenable senior product marketing manager, wrote in a blog post.

One of AI's significant advantages in threat detection is its ability to be proactive. AI-powered systems continuously refine their algorithms as new malware strains and attack techniques emerge, learning from each event and integrating new insights into their threat detection mechanisms. This allows them to respond to both known and unknown threats more effectively than traditional, static, signature-based tools.

 

 

"There has been automation in threat detection for a number of years, but we're also seeing more AI in general. We're seeing the large models and machine learning being applied at scale," Josh Schmidt, partner in charge of the cybersecurity assessment services team at BPM, a professional services firm, told TechTarget.

In addition to monitoring internal network behavior, AI systems can more comprehensively analyze external sources of intelligence like RSS feeds, cybersecurity forums and global threat data. This wide-reaching capability helps AI gather actionable insights and recommend defense strategies that are tailored to current attack trends. For example, AI can flag a spike in phishing attacks targeting specific industries and suggest measures to counter these emerging threats. 

Additionally, as AI-generated phishing lures become nearly impossible for humans to detect, researchers and operators are turning to AI-based systems to assess if an email was AI-generated by looking for subtle telltales or differences when compared to a legitimate human-sourced email. 

For more information about ways in which AI can help boost cybersecurity programs:

4 - New database aims to round up all AI risks

Finding it hard to track all the cyber risks impacting AI systems? Check out the Massachusetts Institute of Technology’s AI Risk Repository, which aims to consolidate in a single place all risks associated with the use of artificial intelligence.

To compile the database’s initial set of 700-plus risks, MIT analyzed 43 existing AI risk frameworks, and found that even the most comprehensive framework overlooked about 30% of all risks currently listed in the database.

“Since the AI risk literature is scattered across peer-reviewed journals, preprints, and industry reports, and quite varied, I worry that decision-makers may unwittingly consult incomplete overviews, miss important concerns, and develop collective blind spots,” project leader and MIT postdoctoral researcher Peter Slattery said in a statement.

The AI Risk Repository’s risk domains include:

  • AI system safety, failures, and limitations
  • Socioeconomic and environmental harms
  • Discrimination and toxicity
  • Privacy and security
  • Malicious actors and misuse

The risk domains are further subdivided into 23 subdomains. The AI Risk Repository is a “living database” that’ll be expanded and updated, according to MIT.

Meanwhile, the January publication from the U.S. National Institute of Standards and Technology (NIST) “Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations (NIST.AI.100-2)” aims to help AI developers and users understand the types of attacks their AI systems can be vulnerable to, as well as ways to mitigate these threats.

Specifically, the publication zeroes in on four attack types:

  • Evasion attacks, which focus on altering an input to trick the AI system into responding erratically to it, such as tampering with a road stop sign to confuse an autonomous vehicle
  • Poisoning attacks, in which corrupted data is fed to an AI system during its training phase, so that its output is erratic, inaccurate and inappropriate
  • Privacy attacks, which are launched during an AI system’s deployment and attempt to uncover confidential training data to then misuse the information
  • Abuse attacks, in which incorrect information is loaded into a legitimate but compromised source of data used by the AI system

Taxonomy of attacks on generative AI systems

(Source: NIST’s “Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations (NIST.AI.100-2)” document, January 2024) 

For more information about protecting AI systems from cyberattacks:

5 - Why cybersecurity pros are warming up to AI’s potential

A majority of cybersecurity professionals feel cautiously hopeful about artificial intelligence’s potential for strengthening their organizations’ cyber defenses, while also recognizing AI’s risks and adoption obstacles.

That’s according to a global survey of almost 2,500 IT and security professionals conducted by the Cloud Security Alliance (CSA).

“While there’s optimism about AI’s role in enhancing security, there’s also a clear recognition of its potential misuse and the challenges it brings,” reads the “State of AI and Security Survey Report,” which was commissioned by Google.

Specifically, 63% of respondents said AI can potentially boost their organizations’ cybersecurity processes. Only 12% felt the opposite way. The rest had no opinion.

Already, 22% of polled organizations use generative AI for security. More than half (55%) plan to use it within the next year, with the top use cases being rule creation, attack simulation and compliance monitoring. C-level and board support is driving generative AI adoption.

Furthermore, 67% have tested AI for security purposes, and 48% feel either “very” or “reasonably” confident in their organizations’ ability to use AI for security successfully.

What are your desired outcomes when it comes to implementing AI in your security team?

(Source: Cloud Security Alliance’s “State of AI and Security Survey Report,” April 2024)

Meanwhile, in a commissioned study conducted by Forrester Consulting on behalf of Tenable in October 2023, 44% of IT and security leaders polled said they were either “extremely confident” or “very confident” about their ability to use generative AI to enhance their organization’s cybersecurity strategy.

 

In addition, 68% of respondents showed some level of interest in using GenAI to align IT/security goals with business goals; and a similar number — 67% — showed interest in using it to increase or improve the way their organization practices preventive cybersecurity.

 

To get more details, check out the CSA report’s announcement “More Than Half of Organizations Plan to Adopt Artificial Intelligence (AI) Solutions in Coming Year” and the full 33-page report “State of AI and Security Survey Report.

For more information about how AI can help cybersecurity teams:

6 - A new GenAI governance guide for your org’s leaders

Here’s a guide that might interest business and tech chiefs eager to ensure their organizations develop and deploy generative AI securely and responsibly.

The Open Worldwide Application Security Project (OWASP) guide “LLM AI Cybersecurity & Governance Checklist” is aimed at business, privacy, compliance, legal and cybersecurity leaders, among others, tasked with setting guardrails for their organization’s generative AI use.

 

 

The goal: Help them stay abreast of AI developments so that their organizations will reap business success from their generative AI use while avoiding legal, security and regulatory pitfalls.

“These leaders and teams must create tactics to grab opportunities, combat challenges, and mitigate risks,” reads the document, which was created by the same OWASP team in charge of the group’s “OWASP Top 10 for LLM Applications” list.

Areas covered by the checklist include:

  • Adversarial risk
  • Threat modeling
  • Asset inventorying
  • Security and privacy training
  • Legal and regulatory considerations

For more information about using generative AI responsibly and securely:

Juan Perez

Walking the Walk: How Tenable Embraces Its "Secure by Design" Pledge to CISA(link is external)

Tenable Blog
4 months ago

As a cybersecurity leader, Tenable was proud to be one of the original signatories of CISA’s “Secure by Design" pledge earlier this year. Our embrace of this pledge underscores our commitment to security-first principles and reaffirms our dedication to shipping robust, secure products that our users can trust. Read on to learn how we’re standing behind our pledge. 

In May, Tenable was part of the first wave of supporters of the “Secure by Design” pledge from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), joining 67 other leading software makers. We decided to sign this pledge enthusiastically and with a deep sense of commitment, as we believe this CISA initiative will help strengthen the global digital ecosystem against cyberthreats. In this blog post, we delve deeper into how we’re embracing secure-by-design practices in our products.

Multi-factor authentication (MFA)

MFA is the first principle on CISA’s pledge. Specifically, signatories commit to “measurably increase” their use of MFA across their products within one year of signing the pledge. Here’s where Tenable stands with regards to MFA.

MFA is not only a good-to-have security measure, but it’s also a critical component of a modern security strategy, enhancing identity protection and making it significantly more difficult for attackers to succeed. 

Research has consistently shown that any form of MFA provides substantial protection against identity compromise. However, adopting more secure forms of MFA, such as phishing-resistant MFA, further enhances protections. These methods, including hardware tokens and biometric verification, offer superior protection against sophisticated targeted attacks. 

Organizations should prioritize increasing MFA enrollment among their users. Special attention should be given to administrators and high-privilege users, ensuring they utilize the most secure MFA methods available. This approach helps mitigate risks associated with critical access points and protects sensitive information. 

The Tenable One Exposure Management Platform supports SMS for MFA and also allows customers to bring their own authenticator app. Additionally, customers can enforce MFA through their identity provider, which streamlines user management, reduces authentication friction, and supports scalability as organizations grow. By empowering customers with control over their MFA settings, Tenable builds trust and provides a more secure, efficient, and user-friendly platform.

Pledge:

Tenable is committed to enhancing the security of our platform. Recognizing that MFA is the greatest defense against password-based attacks such as credential stuffing and password theft, we pledge to phase out SMS-based MFA, which, while useful, does not offer the highest level of protection.

We will require MFA by default for all our customers, emphasizing the adoption of more secure, phishing-resistant MFA methods. By increasing MFA enrollment across the board, we aim to provide an even more secure environment for our users. Our commitment is to ensure that our platform remains robust against evolving threats and provides the best possible security for our customers.

Tenable CSO Bob Huber signs CISA's Secure by Design pledge Default passwords

The CISA pledge addresses default passwords next, calling on backers to reduce their use of default passwords across their products within one year of signing the pledge.

We’re happy to say that our Tenable One Exposure Management Platform does not provide default passwords for users. Default passwords, as defined by CISA, are shared passwords preset across various products. These passwords are a significant security risk, as they can be easily exploited in attacks, especially on internet-facing assets. Reducing the number of default passwords in use is crucial to minimizing these vulnerabilities.

To mitigate the risk posed by default passwords, they should be replaced with more secure authentication mechanisms. Examples include unique, strong passwords for each user or non-human identity. Ideally, these should be complemented by MFA, which provides an additional layer of security as discussed above. 

Additionally, we have strong password requirements for our SaaS platform. Specifically, passwords must be at least 12 characters long and contain the following:

  • An uppercase letter
  • A lowercase letter
  • A number
  • A special character
Pledge:

We are dedicated to advancing the security of our platform by addressing the vulnerabilities associated with passwords, as highlighted by CISA. We will introduce password expiry policies to ensure that passwords are regularly updated, reducing the window of opportunity for potential attackers. This practice will ensure that stale credentials are routinely refreshed, enhancing overall security.

In addition, we are committed to implementing passkeys by the end of 2025. Passkeys offer a robust and phishing-resistant form of authentication, utilizing cryptographic methods to ensure that only authorized users can access their accounts. This shift represents a significant enhancement of our password security practices, ensuring that our platform remains resilient against evolving cyber threats.

Reducing entire classes of vulnerability

The CISA pledge continues by addressing the topic of vulnerability classes, and the importance for software makers to proactively reduce the prevalence of one or more vulnerability classes from their products within a year of signing the pledge.

The vast majority of exploited vulnerabilities today stem from preventable issues, such as SQL injection, cross-site scripting (XSS), and memory safety flaws. Addressing these vulnerabilities at scale is crucial for enhancing the security of software products.

Tenable is committed to mitigating these risks by leveraging secure-by-design principles throughout the Tenable One platform. 

None of the services in the Tenable One platform are developed using memory unsafe languages. Our platform’s backend is built in Kotlin, and the frontend is implemented in TypeScript – both modern, memory-safe languages. This inherently helps avoid many memory safety vulnerabilities, like buffer overflows and memory leaks, thus contributing to a more secure foundation for our platform. 

Pledge:

By continuing to develop our platform with a focus on memory-safe languages and secure coding practices, we pledge to reduce the prevalence of exploitable vulnerabilities, enhancing the security and trustworthiness of our products.

Security patches

Next, the CISA pledge calls on signatories to “measurably increase” the installation of security patches by customers.

It is essential for software manufacturers to take full responsibility for their customers’ security outcomes, even after the products are shipped. This means that our obligation to ensure security doesn’t end at deployment. Instead, we continue to safeguard our users’ environments throughout the lifecycle of the platform. 

Customers automatically receive security updates for all Tenable SaaS products without any action needed by the customer. We have application security tools to detect supply chain vulnerabilities and leaked secrets. These tools are run as gates in CI/CD pipelines.

Tenable also leverages golden image templates for our server infrastructure. These templates are generated weekly and are applied to all newly created servers until the next template is available. Each template is configured to run daily security updates to minimize vulnerabilities. Additionally, each server has a 7-day time-to-live (TTL) to prevent the accumulation of kernel-level vulnerabilities. 

As a cybersecurity leader, we go beyond securing the infrastructure. We secure the entire supply chain by running security tools as a blocking gate in CI/CD pipelines. Each build is required to meet our security threshold in the following tools:

  • Static analysis: We scan the entire codebase for security weaknesses. 
  • Secret scanning: We scan every pull request to mitigate any potential secret leak. 
  • Software composition analysis: We scan open-source dependencies to ensure we are keeping software up-to-date while managing risk.
  • Container scanning: We scan each container image for vulnerabilities. We also go further by signing images we build before pushing them to our artifact registry, and we verify the image before pulling it into the runtime environment. 
  • Dynamic application security testing (DAST): The Tenable One platform regularly undergoes web application scanning to detect any potential weaknesses. 
Pledge:

We recognize the critical importance of timely security patches. We will continue to provide timely security patches to better support the platform. By prioritizing the prompt release of security patches, we aim to make security a seamless experience for our customers, enhancing protection and confidence in our platform. Our dedication to security does not end at deployment; it is an ongoing commitment to our users’ safety and peace of mind. 

Tenable CSO Bob Huber with CISA Director Jen Easterly during the Secure by Design pledge signing event at RSA Conference 2024 Vulnerability disclosure policy

The “Secure by Design Pledge” calls on software manufacturers to publish a vulnerability disclosure policy (VDP) that provides a way for the public to disclose vulnerabilities. 

Since our very beginning, Tenable has always maintained a vulnerability disclosure policy. We also leverage a public HackerOne VDP to continuously hunt for defects in our products. We reaffirm our commitment to not pursue legal action against individuals who follow our VDP in good faith. Our VDP will continue to provide clear channels for reporting vulnerabilities, ensuring prompt and effective responses. 

Additionally, we have an available security.txt on our website and Tenable Trust to be as transparent as we can about vulnerability management and software security within our products. 

Pledge:

Tenable will continue its vulnerability disclosure program to ensure customers have a way to disclose any vulnerabilities discovered in the Tenable One platform.

CVEs

Tenable is committed to demonstrating transparency in our vulnerability reporting practices. Tenable has historically provided security advisories for any defects found in our products. We are transparent about timelines and about giving credit for responsible disclosure. 

Incorporating accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) details enhances the clarity and usefulness of our vulnerability reports. CWEs help categorize the type of vulnerabilities, while CPEs provide specifics about the affected software or hardware. We are committed to issuing CVEs promptly whether they are discovered by us or by third parties. This is crucial for enabling our customers to take immediate action to protect their environment. 

By adhering to these practices, we reinforce our commitment to security and transparency, helping our customers stay informed against evolving threats.

Pledge:

Tenable will continue to demonstrate transparency while working with all parties in reporting vulnerabilities in our products.

We pledge to publish accurate CWE and CPE fields in every CVE record for our products.

We also plan to implement CVSS v4.0 scoring for our security advisories where available, with a fallback to v. 3.1. This enrichment of our CVE records will provide our customers with a comprehensive understanding of the severity and potential impact of vulnerabilities. 

Evidence of intrusions

Lastly, the CISA pledge calls on signatories to show a “measurable increase” in their customers’ ability to gather evidence of cybersecurity intrusions in their products.

Ensuring that organizations can detect and understand cybersecurity incidents is crucial for maintaining a robust security program. This capability enables timely responses to intrusions, minimizing potential damage and facilitating effective remediation. 

Software manufacturers can empower their customers by providing tools and artifacts, such as audit logs that allow them to gather evidence of intrusions. Audit logs are essential for tracking activities and identifying unusual behaviors that may indicate a security breach. 

Tenable provides activity logs inside of the Tenable One platform since its launch. Unlike some SaaS companies, these activity logs are available to customers at no extra charge. These logs include Actor, Action, Target, Description, and Date/Time. These logs can be exported to a CSV or JSON file and are available in the UI and via the API.

Providing these tools aligns with the Secure by Design principle, which emphasizes taking ownership of customers’ security outcomes. This proactive approach ensures that security is integrated into the core of the product. It reflects Tenable’s commitment to helping customers achieve and maintain high security standards. 

Additionally the Tenable Trust page provides status on platform availability, major announcements, and information on security assurances in our platform.

Pledge:

Tenable is committed to enhancing the security and transparency of our platform. In October, Tenable released an updated add-on for Splunk to empower our customers in detecting and understanding cybersecurity incidents. Through continuous customer feedback, we pledge to expand our Security Information and Event Management (SIEM) integration capabilities. This enables customers to monitor audit logs using their in-house SIEM solutions, providing them with comprehensive visibility and timely insights into potential solutions. 

In closing, we want to express our appreciation to CISA Director Jen Easterly and CISA Senior Technical Advisors Bob Lord and Jack Cable for their leadership in the creation of the "Secure by Design" pledge program.

Learn more
Blake Kizer

Cybersecurity Snapshot: Prompt Injection and Data Disclosure Top OWASP’s List of Cyber Risks for GenAI LLM Apps (link is external)

Tenable Blog
4 months 1 week ago

Don’t miss OWASP’s update to its “Top 10 Risks for LLMs” list. Plus, the ranking of the most harmful software weaknesses is out. Meanwhile, critical infrastructure orgs have a new framework for using AI securely. And get the latest on the BianLian ransomware gang and on the challenges of protecting water and transportation systems against cyberattacks..

Dive into six things that are top of mind for the week ending Nov. 22.

1 - OWASP ranks top security threats impacting GenAI LLM apps

As your organization extends its usage of artificial intelligence (AI) tools, is your security team scrambling to boost its AI security skills to better protect these novel software products?

If so, then you might want to check out OWASP’s updated list of the main dangers threatening large language model (LLM) apps, which are popular generative AI apps that produce text, like ChatGPT.

OWASP — the Open Worldwide Application Security Project — released its first “Top 10 Risks for LLMs” last year. A significantly revised version of the list came out this week that OWASP says is based on a better understanding of LLM threats and use cases.

“The list guides developers, security professionals, and organizations as they prioritize their efforts to identify and mitigate critical generative AI application security risks,” reads an OWASP statement.

The new list, put together by the OWASP Top 10 for LLM Applications and Generative AI Project, seeks to help defenders secure generative AI LLM applications throughout their lifecycle, including development, deployment and management.

Each entry in the “OWASP Top 10 for LLM Applications 2025” report includes a description of the security risk; its different types; examples of attack scenarios; related frameworks and taxonomies; and more.

Here’s the list:

  1. Prompt injection
  2. Sensitive information disclosure
  3. Supply chain
  4. Data and model poisoning
  5. Improper output handling
  6. Excessive agency
  7. System prompt leakage
  8. Vector and embedding weaknesses
  9. Misinformation
  10. Unbounded consumption

“As LLMs are embedded more deeply in everything from customer interactions to internal operations, developers and security professionals are discovering new vulnerabilities — and ways to counter them,” reads the 45-page report.

For more information about AI security, check out these Tenable resources:

2 - 2024’s nastiest software weaknesses

Cybersecurity teams, take notice: The list of this year’s most critical software weaknesses is out, so that you can factor them into your vulnerability management and application security programs.

The “2024 CWE Top 25 Most Dangerous Software Weaknesses” rankings, published this week by the U.S. government, can also help software developers create safer applications. Meanwhile, procurement and risk managers can use the list when evaluating software vendors.

“Organizations are strongly encouraged to review this list and use it to inform their software security strategies,” reads a Cybersecurity and Infrastructure Security Agency (CISA) statement. 

“Prioritizing these weaknesses in development and procurement processes helps prevent vulnerabilities at the core of the software lifecycle,” the statement adds.

 

Here are the top 10 software weaknesses for 2024:

  1. Improper neutralization of input during web page generation (“Cross-site scripting”) — CWE-79
  2. Out-of-bounds write — CWE-787 
  3. Improper neutralization of special elements used in an SQL command (“SQL injection”) — CWE-89
  4. Cross-site request forgery (CSRF) — CWE-352
  5. Improper limitation of a pathname to a restricted directory (“Path traversal”) — CWE-22
  6. Out-of-bounds read — CWE-125
  7. Improper neutralization of special elements used in an OS command (“OS command injection”) — CWE-78
  8. Use after free — CWE-416
  9. Missing authorization — CWE-862
  10. Unrestricted upload of file with dangerous type — CWE-434

CISA compiled the list in collaboration with MITRE’s Homeland Security Systems Engineering and Development Institute (HSSEDI).

MITRE’s Common Weakness Enumeration (CWE) community project maintains a master list of software and hardware weaknesses that is updated three or four times per year. MITRE defines “weakness” as a condition that could contribute to the introduction of vulnerabilities. 

The annual list of the top 25 software CWEs is a subset of the main list. Check out this page to learn about the methodology used to rank the year’s top 25 CWEs.

For more information about software security:

3 - DHS unveils secure AI framework for critical infrastructure

Those involved with artificial intelligence in critical infrastructure organizations have a new framework to help them safely develop and deploy AI.

Published by the U.S. Department of Homeland Security (DHS), the “Roles and Responsibilities Framework for Artificial Intelligence in Critical Infrastructure” outlines a set of voluntary tasks for five key types of participants in the adoption of AI in these organizations.

  • Cloud and compute providers
  • AI developers
  • Critical infrastructure owners and operators
  • Civil society, including research institutions, academia and professional associations
  • Public sector

The framework aims to help evaluate how these players contribute across five areas of responsibility:

  • Environment security
  • Responsible design of systems and models
  • Data governance implementation
  • Safe and secure deployment
  • Performance and impact monitoring

“This Framework intends to further AI safety and security in critical infrastructure, including the harmonization of safety and security practices, improve the delivery of critical services, enhance trust and transparency among entities, protect civil rights and civil liberties, and advance AI safety and security research,” reads the 35-page document.

For example, the table below illustrates how the framework envisions the responsibilities for cloud and compute providers, including reporting and managing vulnerabilities; ensuring data privacy and availability; and instituting best practices for access management.

(Source: “Roles and Responsibilities Framework for Artificial Intelligence in Critical Infrastructure,” DHS, November 2024)

To get more details, check out:

4 - Report: Many U.S. water systems at risk from serious vulnerabilities

Vulnerabilities rated “critical” and “high” are present in the IT environments of 97 U.S. drinking water systems that collectively serve almost 27 million people, putting these systems at an elevated risk for cyberattacks.

That’s according to a report from the Environmental Protection Agency’s Office of Inspector General (OIG), whose findings are based on a passive assessment of the public-facing networks of about 1,000 drinking water systems.

“If malicious actors exploited the cybersecurity vulnerabilities we identified in our passive assessment, they could disrupt service or cause irreparable physical damage to drinking water infrastructure,” the report reads.


Another 211 drinking water systems have medium and low-risk vulnerabilities. Those facilities collectively serve almost 83 million people.

The vulnerabilities also put the drinking water facilities at risk for data theft, including of customer information and other confidential data. The OIG scanned the facilities’ public-facing networks in October of this year, analyzing about 75,000 IP addresses and almost 14,500 domains.

The findings highlight the challenges of securing critical infrastructure organizations’ IT networks against cyberthreats which could disrupt essential services for the general population, and, in this case, even compromise the safety of drinking water.

The OIG also found that the EPA lacks its own system that water and wastewater facilities can use to report cybersecurity incidents. It relies on CISA for this reporting capability.

For more information about securing operational technology (OT) systems in water plants, check out these Tenable resources:

5 - TSA proposes cyber requirements for rail, pipeline operators

New cybersecurity risk management (CRM) requirements may soon apply to rail and pipeline operators in the U.S.

The Transportation Security Agency (TSA) has proposed a set of rules aimed at enhancing the cybersecurity capabilities of freight railroads, passenger railroads, rail transit and pipeline facilities.

“The requirements proposed in this rule would strengthen cybersecurity and resiliency for the surface transportation sector by mandating reporting of cybersecurity incidents and development of a robust CRM program,” reads the TSA’s Notice of Proposed Rulemaking published in the Federal Register.

 

Specifically, the owners and operators of these rail and pipeline services would need to adopt a cybersecurity assessment program (CAP) approved by the TSA. The program would need to contain three core elements:

  • An annual, enterprise-wide evaluation that compares the organization’s current cybersecurity capabilities with the target capabilities, which need to include outcomes outlined in the TSA’s proposed rules and in NIST’s Cybersecurity Framework.
  • The development of a Cybersecurity Operational Implementation Plan (COIP) that includes: 
    • an identification of critical cybersecurity systems
    • concrete measures to monitor and protect these systems
    • specific measures to detect, respond to and recover from cyber incidents
  • A schedule for assessments, an annual report of assessment results, and identification of unaddressed vulnerabilities. 

The TSA expects that the cybersecurity risk-management requirements will include:

  • Adopting patch management, system segmentation and firewalls
  • Having backups to restore systems, recover data and continue operations
  • Continuous network monitoring
  • Drawing up an incident response plan

The proposed rules are open for public comment until February 5, 2025.

6 - New data released about BianLian ransomware group tactics

A U.S. government advisory about the BianLian ransomware gang has been updated with new information about its tactics, techniques and procedures (TTPs) and indicators of compromise (IoCs).

Likely based in Russia, BianLian is a “ransomware developer, deployer and data extortion cybercriminal group” that has attacked critical infrastructure organizations in the U.S. and Australia since mid-2022, according to the advisory.

 

Here’s how the advisory, updated this week and authored by CISA, the FBI and the Australian Cyber Security Centre, describes BianLian’s modus operandi:

  • Access victims’ systems using valid Remote Desktop Protocol (RDP) credentials.
  • Utilize open-source tools and command-line scripting to discover and harvest more credentials.
  • Exfiltrate data via file transfer protocol (FTP) and other methods.
  • Extort money from victims by threatening to release the stolen data.

The authoring agencies urge cybersecurity teams to take these actions immediately to protect themselves from BianLian cyberattacks:

  • Strictly limit your use of Microsoft’s RDP and other similar remote desktop services.
  • Disable command-line and scripting activities and permissions.
  • Restrict PowerShell usage and update to the latest version of Windows PowerShell or PowerShell Core.

To get all the details about BianLian’s TTPs and IOCs, and about the mitigation recommendations, read: 

For more information about ransomware:

Juan Perez

Active Directory Under Attack: Five Eyes Guidance Targets Crucial Security Gaps(link is external)

Tenable Blog
4 months 1 week ago

A landmark global report from cybersecurity agencies emphasizes 17 attack techniques against Microsoft Active Directory and cautions organizations to step up protections. In the first of our two-part series, we offer five steps you can take today to shore up your AD defenses.

Microsoft’s Active Directory (AD) is at the heart of identity and access management (IAM) for organizations worldwide, making it an attractive target for cyberattackers. Concerns over the risks of AD compromise prompted cybersecurity agencies from Australia, Canada, New Zealand, U.K. and U.S. to issue a landmark report, Detecting and Mitigating Active Directory Compromises. The report, released in September, details 17 attack techniques, from Kerberoasting to Golden Ticket attacks, which, left unchecked, can enable attackers to take total control over systems.

In the first of our two-part series, we look beyond the report’s guidance for detecting and mitigating AD compromises to explore how organizations can institute a dynamic, proactive AD cybersecurity strategy. We discuss how continuous monitoring, adaptive defenses and risk-based prioritization can help security leaders protect their AD infrastructure. We provide five action items you can use to operationalize your identity security strategy.

In part two, we go beyond the basics to provide insight and guidance about additional areas of AD exposure worth addressing.

Attackers see AD as a gateway

As the backbone of authentication and authorization in most organizations, AD controls access to sensitive data and critical systems. Identity has become the modern control plane for enterprises, and attackers know that compromising AD can be their gateway to a treasure trove of information and control. High-profile attacks, such as those by Storm-0501 and Conti ransomware, demonstrate the devastating financial and operational impact that can result when AD security is breached.

It’s important to note that the report issued by the cyberagencies — known collectively as the Five Eyes Alliance — is much more than a compliance checklist. Too often, we see organizations approach such cybersecurity guidance by taking a series of one-off actions, assuming that ticking a few boxes ensures lasting security.

In reality, attackers exploit vulnerabilities as soon as they arise. Point-in-time compliance efforts can't keep up with the adaptive nature of today's cyberthreats. To stay ahead, organizations must go beyond compliance, adopting a continuous, adaptive approach that anticipates and mitigates risks in real-time, ensuring that AD remains secure against evolving threats.

From insight to action: Operationalizing the report's recommendations

The guidance from the cybersecurity agencies makes it clear: Active Directory isn't a "set-it-and-forget-it" system.

As AD environments continuously evolve — whether through new users, permission updates or expanded cloud integrations — cybersecurity strategies must evolve in tandem. Misconfigurations and identity-based vulnerabilities open new doorways to risk because they don't stay put. This is precisely why organizations must adopt a structured, real-time approach to managing AD, including continuous monitoring, risk-based prioritization and adaptive security practices responsive to the shifting threat landscape.

Operationalizing the report’s guidance requires more than static point-in-time tech fixes. It calls for a series of game-changing steps to keep your AD secure.

Below, we break down five key areas to focus on as you turn the report's guidance into actionable steps.

1. Continuously monitor with real-time visibility

Organizations often behave as though AD is a static system, a thing to be configured once and then assumed to be secure. However, as the Five Eyes report illustrates, AD is in constant flux, with each change potentially opening new vulnerabilities. From new hires and permission updates to expanding cloud connections, any shift in AD can create an unseen entry point for attackers. Real-time visibility and continuous monitoring are behavioral steps to stay ahead of evolving risks.

Why it matters

Attackers thrive on hidden weaknesses, like subtle misconfigurations and creeping permission drift, exploiting tactics like DCSync and Kerberoasting to infiltrate your systems silently. Without real-time oversight, these tactics can remain undetected. That's why it’s essential to identify and prioritize identity weaknesses as soon as they surface — catching risks early stops attackers in their tracks.

What to do
  • Automate monitoring: Implement tools that trigger real-time alerts on AD changes — flagging unexpected privilege escalations, risky permission shifts and service account modifications that could indicate an active breach attempt.
  • Detect toxic combinations: Continuous monitoring allows security teams to spot dangerous combinations of permissions and misconfigurations — such as high privileges combined with weak passwords or accounts with overlapping permissions — before they're exploited.
  • Implement immediate remediation: Establish processes for immediate response when high-risk changes are detected. The ability to revoke excessive permissions or adjust configurations in real-time significantly limits opportunities for attackers to escalate their actions.
2. Automate risk-based prioritization

Not every weakness in Active Directory carries the same level of risk Treating each issue with equal priority can drain resources while leaving critical exposures unattended. A risk-based model automatically prioritizes AD weaknesses and allows security teams to focus on the exposures that matter most, rather than getting bogged down in low-risk issues.

Why it matters

Among the 17 attack tactics highlighted in the Five Eyes report, some — like DCSync — might be more critical in traditional infrastructures, while others, such as password spraying, may pose a higher risk in cloud-heavy environments. Automated risk scoring tailors prioritization to your organization's unique setup, ensuring that high-impact threats are addressed promptly.

What to do
  • Focus on dynamic risk scoring: Leverage tools that continuously evaluate and rank vulnerabilities, prioritizing them by exposure level, privilege escalation risks and known attack vectors. Start pinpointing the most exploitable risks so teams can zero in, ensuring critical exposures don't go unnoticed.
  • Map potential attack paths: Visualizing attack paths to critical assets helps pinpoint which weaknesses are likely to be targeted and enables teams to allocate resources effectively.
  • Prioritize for your environment: Tailor prioritization to fit your specific infrastructure — whether it's primarily on-premises, cloud-based or hybrid — so that the highest-risk exposures in your unique environment are addressed first.
3. Build operational resilience through least-privilege access

A resilient Active Directory environment relies on enforcing least-privilege access, granting users only the permissions they need to perform their roles. However, over time, privileges can expand unintentionally — through changes in group memberships, role adjustments or emergency access that is not promptly revoked. This "privilege creep" broadens the attack surface attackers can exploit, as excessive permissions make lateral movement and privilege escalation easier.

Why it matters

Excessive permissions in Active Directory enable various attack techniques, including Silver Ticket compromises where adversaries forge Kerberos tickets for unauthorized access. Without least-privilege enforcement, attackers can exploit over-permissioned accounts to move laterally and access sensitive resources undetected. Proper privilege management is essential to prevent these and other AD-based cyberattacks.

What to do
  • Implement automated monthly scans: These can identify accounts with excessive privileges or permissions, flagging them for immediate review.
  • Use role-based permission templates: These can standardize access across accounts, ensuring only the necessary privileges are granted.
  • Enforce a 24-hour revoke policy: This limits temporary or emergency access, quickly closing off potential attack paths.
  • Regularly audit service accounts: Giving service providers a regular "check-up" ensures their privileges align with their job description and that they aren't offering attackers any uninvited perks.
4. Set the stage for success with a preventive mindset

Your security mindset sets the stage for securing AD. We all know that responding to incidents after they occur is painful, especially when there is a chance to preemptively identify and address potential threats. The nature of the Five Eyes guidance is proactive. Understanding Indicators of Exposure (IoE) and looking for those early warning signs can help teams address vulnerabilities before they become an attacker's foothold in the network.

Why it matters

A reactive approach leaves security teams in constant catch-up mode, dealing with incidents as they happen instead of eliminating root causes. Focusing on IoE systematically closes off pathways that adversaries exploit to infiltrate environments. It also allows security teams to expand their protective reach without adding to their alert fatigue. This equates to a broader security strategy prioritizing long-term resilience over short-term fixes.

What to do
  • Adopt an "assume breach" mindset: Treat every vulnerability as a potential entry point and monitor for exposure gaps around critical assets.
  • Focus on IoE: Identify and track early signs of risk, such as misconfigurations or unusual permission changes. It is better to prevent breaches than to detect them after they happen.
  • Battle-test defenses: Red team like you mean it. Don't just defend — pressure test. The best defenders aren't the ones who've never been hit — they're the ones who've learned from every attempted breach, actual or simulated.
  • Continuously tune detection and response processes: Ensure your detection and response strategies are agile and adapt to the evolving threat landscape.
5. Ensure scalable, unified security operations across the enterprise

Enterprise expansion pits cybersecurity teams against a sprawling landscape of domains, assets and identities — each adding layers of complexity. When security forms a phalanx, with a unified approach of shared insights and tools, efficiency emerges and gaps close. Scaling security demands a cohesive strategy that seamlessly integrates identity management, asset visibility and threat detection into a single, unified framework, ensuring consistent security practices.

Why it matters

Lack of unification is a recipe for disaster. Without a platform that normalizes data and promotes shared understanding, teams work in silos, widening gaps in coverage and leaving critical assets vulnerable. In complex, multi-domain environments, it’s essential to take a unified approach — fostered by integrated, scalable platforms — for fast, coordinated responses to cyberthreats. By closing these gaps, organizations can maintain comprehensive oversight, enabling teams to keep pace with growth while ensuring consistent security across the enterprise.

What to do
  • Integrate AD monitoring with broader IT operations: Align AD security monitoring with other IT functions through a unified platform. This will ensure all domains, whether cloud-based or on-premises, are monitored under a single pane of glass.
  • Streamline IAM: Implement centralized IAM solutions to consistently manage identities across all environments, reducing the risk of orphaned accounts or inconsistent permissions.
  • Automate policy enforcement: Use automation to enforce security policies across all domains, ensuring real-time adjustments and adherence to best practices as infrastructure changes.
  • Enable cross-functional collaboration: Break down silos by fostering collaboration between IT, security and operations teams, enabling quicker response times and better information sharing.
What’s next: Additional considerations for comprehensive AD security

The above five steps offer a solid foundation for operationalizing the Five Eyes guidance. But stopping there misses important considerations for enhancing and adapting security strategies. In part two of this series, we go beyond the basics, offering guidance on achieving full coverage, addressing modern attack techniques and securing Active Directory and Entra ID as part of a holistic identity security approach.

Learn more
Brinton Taylor

Five Cyber Agencies Sound Alarm About Active Directory Attacks: Beyond the Basics(link is external)

Tenable Blog
4 months 1 week ago

A landmark global report emphasizes 17 attack techniques against Microsoft Active Directory and cautions organizations to step up protections. In the second of our two-part series, we take you beyond the basics to highlight three key areas to focus on.

The landmark report Detecting and Mitigating Active Directory Compromises — released in September by cybersecurity agencies in Australia, Canada, New Zealand, U.K. and U.S. — shines a bright light on the risks organizations face if their identity and access management (IAM) system is targeted by cyberattackers.

In the first of our two-part series, we discussed five steps organizations can take to operationalize the report findings and develop a cybersecurity strategy for protecting their Microsoft Active Directory (AD) infrastructure. While these steps are important, stopping there misses crucial considerations that can further enhance security strategies.

Here, in part two, we look beyond the basics to provide three key areas cybersecurity leaders can consider in order to achieve full coverage, address modern attack techniques and secure Active Directory and its cloud-based counterpart Entra ID (formerly Azure AD) as part of a holistic identity security approach.

1. Implement full coverage for Active Directory in hybrid environments

While basic AD assessment tools provide valuable insights, they fall short in today's hybrid environments, where on-premises AD and cloud identities intersect. Point-in-time scans risk missing active threats like Kerberoasting, DCSync and password spraying — techniques that cyberattackers can execute repeatedly to evade periodic checks.

Why full coverage matters
  • Classic AD threats persist: Traditional attacks targeting AD authentication and replication remain powerful weapons for attackers, requiring constant vigilance.
  • Unified identity monitoring: Modern environments sync on-premises AD with cloud services. Changes in either domain can create vulnerabilities in the other, demanding unified visibility.
  • Cross-environment risks: Attackers combine classic AD exploitation with cloud service attacks. Monitoring must track permissions and configurations across this expanded attack surface.
  • Real-time response: Effective security requires immediate visibility into hybrid threats — from password spraying against synced accounts to privileged credential theft.
What to do
  • Enable unified monitoring: Use tools that offer continuous visibility across both AD and Entra ID to catch threats wherever they arise, maintaining seamless oversight.
  • Set up key threat alerts: Configure automated alerts for threats like Kerberoasting and DCSync, particularly for synced accounts, to react immediately to suspicious activity.
  • Map and review permissions: Regularly audit permissions across AD and Entra ID to spot gaps or misconfigurations that attackers might exploit.
  • Enforce multi-factor authentication (MFA) and conditional access: Strengthen high-privilege accounts with MFA and adaptive policies, aligning access controls to risk signals across both environments.
2. Address modern attack techniques

While the report from the five cybersecurity agencies — known collectively as the Five Eyes Alliance — highlights 17 AD compromise methods, these cover only the most common tactics. If attackers were only so simple! Their approaches are also exploiting AD's connections with Entra ID, software as a service (SaaS) applications and hybrid clouds. To stay secure, organizations must look beyond static techniques and adapt to today's dynamic threat landscape.

Why modernizing matters

Focusing only on known techniques can leave a lot on the table for today’s attackers, who leverage AD's complex integrations, developing methods that fall outside standard tactics yet pose serious risks. A comprehensive, adaptive security approach prepares teams to counter both established and evolving threats.

What to do
  • Update your threat model: Adapt threat assessments to include new, advanced techniques relevant to your network.
  • Foster a proactive culture: Encourage education on evolving threats and a flexible response approach.
  • Use real-time threat intelligence: Integrate real-time insights to detect and respond to emerging techniques.
3. Don't Overlook Entra ID

While the Five Eyes report highlights compromises in on-premises Active Directory, protecting cloud-based directory services, like Entra ID, is equally important as organizations expand into the cloud. Attackers are increasingly pivoting between on-premises AD and cloud-based directories to maximize impact, as demonstrated by recent breaches. In hybrid environments, attackers exploit the gaps between AD and Entra ID, often bypassing defenses that cover only one system. Think of your directory infrastructure as a house with two front doors: securing only one leaves the other exposed. For modern enterprises, unified security monitoring across AD and Entra ID is essential to prevent attackers from exploiting inconsistencies between on-premises and cloud defenses. Your identity security strategy is only as strong as its most vulnerable directory.

Why securing both AD and Entra ID matters
  • Consistent coverage across environments: As organizations adopt hybrid environments, the separation between on-premises and cloud-based IAM systems creates potential gaps. Unified security across both prevents attackers from finding weak points in transitioning from on-premises to cloud.
  • Strengthening your identity security strategy: Attackers target identity as a primary entry point. Treating AD and Entra ID as interdependent systems ensures that your entire identity framework is resilient, regardless of where the threat originates.
What to do
  • Set adaptive access controls: Use conditional access policies to assess user risk in real time, blocking high-risk login attempts automatically.
  • Monitor third-party access: Regularly review and control permissions granted to third-party apps, catching unsanctioned apps and shadow IT early.
  • Enforce least-privilege and OAuth limits: Restrict OAuth permissions to essentials, and identify over-permissioned accounts to maintain least-privilege across cloud and AD environments.
  • Enable real-time identity threat detection: Set identity protection policies to respond instantly to risky logins, such as by triggering MFA or blocking access on suspicious activity.
  • Continuously audit and adjust policies: Regularly assess conditional access and third-party permissions to keep your identity security strategy aligned with evolving threats.
Conclusion: Embrace continuous, identity-first security

Active Directory compromises remain a focal point for attackers. The Five Eyes report underscores its continued relevance and clarifies why identity is the modern control plane in exposure management. As you review the guidance, refrain from letting this become another checklist. Rethink how your organization is approaching its AD security. Do you have continuous monitoring, risk-based prioritization, least-privilege access and unified operations? Are you employing an identity-first security approach that naturally achieves compliance? Are you unifying protection across on-premises AD and Entra ID to close gaps attackers exploit?

Learn more
Brinton Taylor

Volt Typhoon: What State and Local Government Officials Need to Know(link is external)

Tenable Blog
4 months 1 week ago

Increased activity from the state-sponsored threat group Volt Typhoon raises concerns about the cybersecurity of U.S. critical infrastructure. Here’s how you can identify potential exposures and attack paths.

Recent activity from the state-sponsored group Volt Typhoon, from the People’s Republic of China (PRC), has prompted federal agencies — including the Cybersecurity and Infrastructure Security Agency (CISA) and international partners — to issue urgent warnings and advisories. This increase in activity from advanced persistent threat (APT) actors targeting U.S. critical infrastructure highlights the need for increased vigilance from state and local governments. Since U.S. critical infrastructure is owned and operated by both public sector and private sector organizations, the threat is a concern for government agencies as well as corporate enterprises.

Volt Typhoon is a sophisticated threat group, typically gaining initial access to targets by exploiting unpatched vulnerabilities, including zero-day flaws, as well as through phishing techniques. Once initial access is gained, Volt Typhoon stays persistent for as long as possible, blending in with normal traffic and operating systems. This is achieved through “living off the land” (LOTL) techniques, leveraging native operating system tools to evade detection and favoring manual operations over automated manual scripts, further enhancing their adaptability within the environment.

State and local governments (SLG) have real options though, thanks to the Tenable Security Response Team’s examination of Volt Typhoon’s tactics, techniques and procedures (TTP). Additionally, with the Fiscal Year 2024 State and Local Cybersecurity Grant Program (SLCGP) Notice of Funding Opportunity (NOFO) open for eligible applicants through December 3, SLG officials can apply for funding to strengthen the security of critical infrastructure against malicious threats and to bolster the resilience of the services that state and local governments provide to their communities.

Based on the Tenable Security Response Team’s findings, Tenable recommends state and local government officials consider the following measures to address, patch and mitigate the identified Volt Typhoon vulnerabilities. In addition to these recommendations, implementing cyber hygiene best practices is essential for effective defense.

Patching known vulnerabilities and identifying affected systems

State and local government agencies have the tools and capabilities to protect themselves against the vast majority of attacks, including those from APT actors. Too many entities, however, are failing to take even the minimum steps to protect themselves and their communities.

Let’s start with the basics: it’s critical to have holistic exposure management capabilities that concentrate on discovering and remediating publicly disclosed CVEs. Exposure management combines the people, processes and technologies needed to effectively reduce cyber risk. Technologies such as vulnerability management, web application security, cloud security, identity security, attack path analysis and attack surface management are used to help organizations understand the full breadth and depth of their exposures and take the actions needed to reduce them through remediation and incident response workflows. This proactive approach gives organizations the power to identify and patch known vulnerabilities before they can be exploited.

By implementing proactive exposure management measures, state and local officials can significantly strengthen their resilience against cyberattacks and better protect their communities.

Given the heightened activity by Volt Typhoon, advisories have been released by the respective vendors for specific patching and mitigation tactics for the CVEs commonly exploited; learn more here.

If you are unsure whether your systems have been affected by Volt Typhoon or another APT, Tenable offers several solutions to help identify potential exposures and attack paths, as well as identify systems vulnerable to the CVEs noted in the research linked above.

Implementing cyber hygiene best practices

Basic cyber hygiene practices, including asset management, vulnerability management and identity and access management are crucial in today's digital landscape. State and local governments need to ensure they have visibility across their entire attack surface, including their IT, internet of things (IoT) and operational technology (OT) assets to know where they are exposed. This is critical when a vulnerability is discovered, especially as state-sponsored groups like Volt Typhoon are continuing to target U.S. critical infrastructure.

Understanding Volt Typhoon's TTPs equips state and local governments with valuable insights to enhance their cybersecurity posture. By implementing proactive exposure management measures, state and local officials can significantly strengthen their resilience against cyberattacks and better protect their communities.

If you want to learn more about Volt Typhoon and the Tenable Security Response Team’s research, review the findings here.

Learn more
Mark Weatherford
Checked
1 hour 42 minutes ago
URL
https://www.tenable.com/(link is external)
Tenable Blog feed

Managed ad