Tenable Blog

Oracle addresses 186 CVEs in its first quarterly update of 2025 with 318 patches, including 30 critical updates.

On January 21, Oracle released its Critical Patch Update (CPU) for January 2025, the first quarterly update of the year. This CPU contains fixes for 186 CVEs in 318 security updates across 27 Oracle product families. Out of the 318 security updates published this quarter, 9.4% of patches were assigned a critical severity. Medium severity patches accounted for the bulk of security patches at 56.6%, followed by high severity patches at 32.4%.

This quarter’s update includes 30 critical patches across 18 CVEs.

This quarter, the Oracle REST Data Services product family contained the highest number of patches at 85, accounting for 26.7% of the total patches, followed by Oracle Health Sciences Applications at 39 patches, which accounted for 12.3% of the total patches.

A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.

Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the January 2025 advisory for full details.

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.

• Oracle Critical Patch Update Advisory - January 2025
• Oracle January 2025 Critical Patch Update Risk Matrices
• Oracle Advisory to CVE Map

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Shopping for OT systems? A new CISA guide outlines OT cyber features to look for. Meanwhile, the U.S. government publishes a playbook for collecting AI vulnerability data. Plus, a White House EO highlights AI security goals. And get the latest on IoT security; secure app dev; and tougher HIPAA cyber rules.

Dive into six things that are top of mind for the week ending Jan. 17.

Is your organization evaluating operational technology (OT) products for purchase? If so, a new guide from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) aims to help OT operators choose OT products designed with strong cybersecurity features.

The publication, titled “Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products,” highlights 12 cybersecurity elements that OT products should have, including:

• Support for controlling and tracking modifications to configuration settings
• Logging of all actions using open-standard logging formats
• Rigorous testing for vulnerabilities and timely provision of free and easy-to-install patches and updates
• Strong authentication methods such as role-based access control and phishing-resistant multi-factor authentication to prevent unauthorized access
• Protection of the integrity and confidentiality of data at rest and in transit

According to CISA, many OT products aren’t designed and developed securely, so they ship with security issues such as weak authentication, known vulnerabilities and insecure default settings. 

In fact, the agency says it’s common for hackers to target handpicked OT products instead of going after specific organizations. Thus, it’s critical for organizations, especially those in critical infrastructure sectors, to pick OT products built securely by using CISA’s “Secure by Design” principles.

“When security is not prioritized nor incorporated directly into OT products, it is difficult and costly for owners and operators to defend their OT assets against compromise,” reads the guide, published in collaboration with other U.S. and international agencies.

For more information about OT systems cybersecurity, check out these Tenable resources: 

• “What is operational technology (OT)?” (guide)
• “Discover, Measure, and Minimize the Risk Posed by Your Interconnected IT/OT/IoT Environments” (on-demand webinar)
• “How To Secure All of Your Assets - IT, OT and IoT - With an Exposure Management Platform” (blog)
• “Blackbox to blueprint: The security leader’s guidebook to managing OT and IT risk” (white paper)
• “OT Security Master Class: Understanding the Key Principles, Challenges, and Solutions” (on-demand webinar)

A new playbook published by the U.S. government aims to facilitate the collective, voluntary sharing of information among AI providers, developers and users about AI vulnerabilities and cyber incidents.

The “AI Cybersecurity Collaboration Playbook” from CISA’s Joint Cyber Defense Collaborative (JCDC) details ways in which AI community members in government and in the private sector – both in the U.S. and abroad – can collaborate to help boost AI security for everybody.

“The development of this playbook is a major milestone in our efforts to secure AI systems through active collaboration,” CISA Director Jen Easterly said in a statement.

AI systems introduce unique cybersecurity challenges which make them vulnerable to attacks including model poisoning, data manipulation and malicious inputs. “These vulnerabilities, coupled with the rapid adoption of AI systems, demand comprehensive strategies and public-private partnership to address evolving risks,” the 33-page playbook reads.

By collecting, analyzing and enriching information on AI vulnerabilities and cyber incidents, CISA would be able to help the AI community in a variety of ways, including by:

• Sharing information to improve detection and prevention of AI threats
• Exposing attackers’ tactics and infrastructure
• Identifying and notifying victims
• Generating threat advisories and intelligence reports
• Offering tailored recommendations, vulnerability management strategies and cyber defense best practices

The playbook’s target audience is operational cybersecurity professionals, including incident responders and security analysts, and its goal is to help them collaborate and share information with CISA and JCDC about AI security.

In addition, CISA also envisions organizations adopting the document’s guidance internally “to enhance their own information-sharing practices, contributing to a unified approach to AI-related threats across critical infrastructure.”

For more information about industry efforts for collaborating on AI security:

• Cloud Security Alliance’s “AI Safety Initiative”
• MITRE’s “AI Incident Sharing initiative”
• Open Worldwide Application Security Project’s “AI Exchange”
• U.S. government’s “Testing Risks of AI for National Security (TRAINS) Taskforce”

The Biden Administration issued a sweeping cybersecurity executive order (EO) this week aimed at boosting U.S. cyberdefenses, and AI security is one area that it says must be strengthened.

The “Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity” calls for promoting security “with and in” AI, saying it can speed up the identification of new vulnerabilities, scale up threat detection and automate cyberdefenses.

“The Federal Government must accelerate the development and deployment of AI, explore ways to improve the cybersecurity of critical infrastructure using AI, and accelerate research at the intersection of AI and cybersecurity,” the executive order reads.

Among the executive order’s requirements for AI are:

• Launching a pilot program on using AI to improve cyberdefense of critical infrastructure in the energy sector. The Secretaries of Energy, Defense and Homeland Security would be in charge of the program, in collaboration with private-sector critical infrastructure organizations. The program may include:
  • vulnerability detection
  • automatic patch management
  • identification and categorization of anomalous and malicious activity across IT or OT systems
• The Secretary of Defense must establish a program to use advanced AI models for cyberdefense.
• The Secretaries of Commerce, Energy and Homeland Security, and the National Science Foundation Director, must prioritize funding for their respective programs that encourage the development of “large-scale, labeled datasets needed to make progress on cyber defense research.”
• The Secretaries of Defense and Homeland Security, and the Director of National Intelligence must incorporate management of AI software vulnerabilities and compromises into their agencies’ process and “and interagency coordination mechanisms for vulnerability management.” These efforts should include incident tracking, response, reporting and sharing AI systems’ indicators of compromise.

These AI-related actions all must be completed at various dates during 2025.

The executive order covers multiple other areas. To get all the details and expert analysis, read our blog “New Cybersecurity Executive Order: What It Means for Federal Agencies” from Robert Huber, Tenable’s Chief Security Officer, Head of Research and President of Tenable Public Sector.

Software makers interested in improving the security of their development process and of their products have fresh guidance to peruse.

As part of its “Secure by Design” program, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published cybersecurity recommendations for protecting organizations’ software development lifecycle.

The best practices are organized into two categories — Software development process goals; and Product design goals — and include:

• Software development process goals:
  • Address vulnerabilities before releasing the software product, and publish a vulnerability disclosure policy.
  • Separate all software development environments, including development, build and test, to reduce the lateral movement risk.
  • Enforce multi-factor authentication across all software development environments.
  • Securely store and transmit credentials.
• Product design goals
  • Reduce entire classes of preventable vulnerabilities, such as SQL injection vulnerabilities, memory safety vulnerabilities and cross-site scripting vulnerabilities.
  • Provide timely security patches to customers.
  • Don’t use default password in your products.
  • Let users know when your products are nearing end-of-life status and you will no longer provide security patches for them.

The recommendations “will help to protect the sector from cyber incidents, identify and address vulnerabilities prior to product release, improve incident response, and significantly improve software security,” reads a CISA statement.

To get more details, read the full “Information Technology (IT) Sector-Specific Goals (SSGs)” fact sheet.

For more information about secure software development:

• “CISA Tells Tech Vendors To Squash Command Injection Bugs, as OpenSSF Calls on Developers To Boost Security Skills” (Tenable)
• “Secure Development” (Software Engineering Institute, Carnegie Mellon Univ.)
• “Secure Software Development Framework” (NIST)
• “Secure development and deployment guidance” (UK NCSC)
• “OWASP Developer Guide” (Open Worldwide Application Security Project )

To encourage the development of safer internet of things (IoT) devices for consumers, the U.S. government has introduced a new label for IoT products that meet National Institute of Standards and Technology (NIST) cybersecurity standards.

Called the U.S. Cyber Trust Mark, the label will also help U.S. consumers know which IoT products are more secure, as they shop for internet-connected ware, such as baby monitors, security cameras, refrigerators, garage door openers and thermostats.

“These devices are part of Americans’ daily lives. But Americans are worried about the rise of criminals remotely hacking into home security systems to unlock doors, or malicious attackers tapping into insecure home cameras to illicitly record conversations,” reads a White House statement.

IoT manufacturers will soon be able to seek the U.S. Cyber Trust Mark label by submitting their IoT products to accredited labs for testing. Tests will cover areas including password authentication, data protection, software updates and incident detection. 

IoT products that earn the label will also have a QR code that’ll link consumers to information such as:

• How to change default passwords
• How to configure the device securely
• How to access software updates and patches if they’re not delivered automatically
• The end date of the product’s support period

Participation in the U.S. Cyber Trust Mark program is voluntary for IoT manufacturers. IoT devices excluded from the program include motor vehicles, medical devices, and products used for manufacturing, industrial control and enterprise applications.

To get more details, visit the U.S. Cyber Trust Mark home page.

For more information about securing consumer IoT devices, check out resources from the IoT Security Foundation; the European Telecommunications Standards Institute; TechAccord; Internet Society; the U.K. National Cyber Security Centre; and the International Organization for Standardization (ISO). 

Doctors, hospitals, health insurers and other healthcare organizations may face stricter cybersecurity regulations in the U.S.

That’s because the U.S. government is seeking to tighten the cybersecurity requirements in the Health Insurance Portability and Accountability Act (HIPAA).

The new cybersecurity rules proposed by the Department of Health and Human Services (HHS) include:

• Develop and revise on an ongoing basis a technology asset inventory and a network map that illustrates the movement of electronic protected health information (ePHI) throughout the organization’s electronic information systems.
• Make risk analysis more specific by submitting written assessments that include:
  • A review of the technology asset inventory and network map
  • Reasonably anticipated threats to ePHI’s confidentiality, availability and integrity
  • Potential vulnerabilities to the organization’s electronic information systems
  • A risk-level assessment of identified threats and vulnerabilities
• Strengthen contingency planning and security incident response with steps including:
  • Draft written plans to restore certain electronic information systems and data within 72 hours.
  • Prioritize restoration by analyzing criticality of systems and tech assets.
  • Outline in writing how employees and the organization will respond to known or suspected security incidents.
• Conduct an audit at least once per year to ensure the organization’s compliance with HIPAA’s cybersecurity rules.
• With limited exceptions, encrypt ePHI at rest and in transit and require the use of multi-factor authentication.
• Conduct vulnerability scanning at least every six months, and penetration testing at least once a year.

For more details about HHS’ new proposed HIPAA cybersecurity rules and to submit public comments about them, go to the Federal Register’s “HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information” page. The comment period ends on March 7, 2025.

The Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity includes guidance on third-party risk management and the need to adopt proven security practices to gain visibility of security threats across network and cloud infrastructure. Here we highlight six key provisions and offer guidance on how federal agencies can prepare.

On Jan. 16, the Biden Administration released the Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity. In an era of escalating threats, it is important for the U.S. government to take steps toward a more secure digital infrastructure. The EO is being released in the wake of cyberattacks, such as Salt Typhoon, from China-based threat groups supported by the People’s Republic of China, which, as recently as last week, breached the U.S. Department of the Treasury.

The EO is intended to build off President Joseph R. Biden’s previous EO 14028 and focuses on the nation’s ability to address key threats and defend against continued cyber campaigns targeting the United States and Americans, as well as ensuring the security of the services and capabilities most vital to the digital domain.

As the Biden Administration comes to a close and President Donald J. Trump is sworn in on Jan. 20, it’s important to remember that cybersecurity is not a partisan issue, but a national security concern. Similar to our collaboration during the first Trump Administration, Tenable stands ready to engage with the incoming team to assess and defend critical networks in government and throughout enterprise to protect Americans and ensure the resilience of our critical infrastructure.

While the EO is aimed at government agencies, many of the principles behind it are equally relevant to private sector organizations looking to improve their security posture. It includes guidance on third-party management practices, adopting proven security practices to gain visibility of security threats across networks and cloud infrastructure, and securing communications networks. It also provides recommendations on combating cybercrime and fraud, promoting security with artificial intelligence (AI) and aligning policy to practice.

Below we highlight six key provisions of the EO and offer recommendations on how to prepare to meet the requirements.

The EO mandates federal agencies adopt more rigorous third-party risk management practices to ensure the safety and security of the software providers operating within the federal government. It calls for:

• Software providers to submit secure software development attestations and high-level artifacts to validate the attestations to the Cybersecurity and Infrastructure Security Agency (CISA).
• The establishment of National Institute of Standards and Technology (NIST) guidelines and security practices for safe and secure software procurement, which will be incorporated into the Secure Software Development Framework (SSDF) and ultimately the White House Office of Management and Budget Memorandum M-22-18. It will include practices, procedures, controls and implementation examples.
• Federal agencies to comply with the guidance in NIST Special Publication 800-161 Revision 1 to integrate cybersecurity supply chain risk management programs into broader risk management activities.
• CISA and the General Services Administration to issue recommendations to agencies on the management of open source software.

How to prepare: Start with an inventory of all third-party providers working with your agency. How much visibility do you have into the level of risk these providers present? Is their software integral to your agency’s ability to function? Can it access sensitive data, such as personally identifiable information (PII)? Does it offer an opportunity for an attacker to gain entry or move laterally within your infrastructure?

This section of the EO focuses on adopting proven security practices in order to gain visibility of security threats across networks and strengthen cloud security. Key call-outs in this section include:

• Identity and access management (IAM): Identity and access management practices are critical and should be implemented into an agency's broader security strategy.
• Cloud security: In order to secure federal data in the cloud, The EO requires cloud services providers in the FedRAMP marketplace to produce baselines with specifications and recommendations for agency configurations of cloud-based systems.
• Space security: The security of space systems must be enhanced to adapt to evolving threats. The EO mandates that agencies take steps to continually verify that federal space systems have the requisite cybersecurity capabilities through actions like continuous assessments, testing, exercise and modeling and simulation.

How to prepare: Audit your identity and access management systems. Are you considering user privileges in your overall risk profile? Consider how much access and visibility your security team has into your cloud infrastructure. Does your agency have continuous processes to manage identity and privileges across cloud environments? At what stage is security brought into your cloud deployments? It should be incorporated into the entire process, from ideation to system development and deployment. Are you performing continuous monitoring of IAM, cloud and space systems (if applicable)? Many third-party contracts pre-date supply chain risk-management reviews. Do your contracts account for security requirements and support?

The EO emphasizes the importance of securing our communication networks from cyberattacks and sets forth guidelines and procedures to ensure the security of federal communications. Key points include:

• Strong identity authentication and encryption must be implemented.
• Encrypting DNS traffic is critical.
• Email messages, as well as modern communications such as voice and video conferencing and instant messaging, must be encrypted in transport and where practical use end-to-end encryption.
• Quantum computers pose significant risk to national security. Agencies should require post-quantum cryptography in applicable product categories as defined by CISA.
• The federal government should protect and audit access to cryptographic keys with extended lifecycles. Guidelines will be developed by NIST and FedRAMP requirements will be updated to incorporate those guidelines.

How to prepare: Evaluate your identity authentication and encryption capabilities for all forms of communication, from DNS to email systems. Are you following NIST SP 800-63 Digital Identity Guidelines? Are there gaps in your systems that need to be addressed? Are there product categories within your systems that would require post-quantum cryptography? Non-quantum compliant cyphers will increasingly pose risk as quantum technologies radically redefine encryption.

With the growing demand for digital services, it is essential for agencies to adopt digital identity verification solutions that ensure secure access, enhance accessibility and prevent fraud. This section of the EO encourages the safe and secure use of digital identity documents to access public benefits programs that require identity verification. It states that NIST will issue implementation guidance and the Treasury will develop a pilot program to notify individuals when their identity information is used to request a payment from a public benefits program.

How to prepare: Evaluate your digital identity verification strategy. How are you preventing digital identity fraud? What key performance indicators (KPIs) do you use to track the effectiveness of your program? Have you considered a more rigorous verification strategy that verifies identities at the front end? Are you using a holistic identity verification approach that validates multiple aspects of someone’s identity?

AI is emerging as a game changer in the ongoing battle for federal cybersecurity. As such, the EO calls on the federal government to accelerate the development and deployment of AI, specifically as it relates to improving the cybersecurity of critical infrastructure. The EO further establishes a pilot program on the use of AI to enhance cyber defenses of critical infrastructure and accelerates research at the intersection of AI and cybersecurity.

How to prepare: Evaluate how AI can be implemented in your security strategy in order to reduce risk. Do you have guidelines for using AI in your agency? Have you experimented with AI security tools? Are there ways you can leverage AI to reduce the pressure on your security teams?

This section of the EO focuses on modernizing federal IT infrastructure and networks to better defend against cyberattacks and reduce cyber risk. It focuses on developing guidance to help agencies share and exchange cybersecurity information, obtain enterprise-wide visibility, and prepare to be held accountable for enterprise-wide cybersecurity programs. It further focuses on promoting the adoption of evolving cybersecurity practices, such as the migration to zero trust and ensuring agencies can identify, assess and respond to risk presented by IT vendor concentration.

How to prepare: Assess how much visibility you currently have into your IT infrastructure. Are you able to continuously assess vulnerabilities and misconfigurations in your on-premises and cloud environments with the added context of identity and access privileges so you always have an up-to-date view of your risk? Do you have a way to quickly generate reports that you can share with other agencies?

The Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity addresses some of the most pressing concerns in cybersecurity, including the safety of the software supply chain, the need for improved visibility across systems such as identity and access management and cloud infrastructure, the need to protect communications with end-to-end encryption, and the promise of AI to aid in cybersecurity efforts. The provisions it provides offer a blueprint for improving cybersecurity for government agencies while providing sound guidance for private-sector organizations to consider in their efforts to reduce cyber risk.

Zero trust as a concept is simple to grasp. Implementing a zero trust architecture, on the other hand, is complex because it involves addressing a unique mix of process, procedure, technology and user education. Here are some considerations to keep in mind as you begin your journey.

Draft guidance on implementing a zero trust architecture, released by the National Institute of Standards and Technology (NIST) on Dec. 4, 2024, gives government agencies and private sector organizations a solid blueprint to follow. There are a number of additional considerations to keep in mind as you begin your journey.

First and foremost, zero trust is an alternative way of thinking about information security that treats trust as a vulnerability. It removes trust entirely from digital systems and is built upon the idea that security must become ubiquitous throughout the infrastructure. The concepts of zero trust are simple:

• All resources are accessed in a secure manner, regardless of location.
• Access control is on a "need-to-know" basis and is strictly enforced.
• All traffic is inspected and logged.
• The network is designed from the inside out.
• The network is designed to verify everything and trust nothing.

A zero trust architecture can be implemented using commercial off-the-shelf technology. It's built upon current cybersecurity best practices and dovetails with a robust exposure management program. In fact, exposure management and zero trust go hand-in-hand.

Here are five considerations as you begin your zero trust journey:

1. Zero trust is a strategy, not a SKU. In most organizations, it can be implemented using existing off-the-shelf cybersecurity products. There is no single zero trust product your organization can purchase and plug in to transform your risk posture overnight.
2. Zero trust requires a foundation of strong exposure management. As the National Institute of Standards and Technology (NIST) guidelines make clear, you can't build a zero trust strategy without first having accurate visibility into all of the organization's assets — including IT, cloud, operational technology (OT) and internet of things (IoT). An exposure management program can provide you with that level of visibility as well as the ability to act on findings in real time.
3. User profiles matter more than ever. A zero trust strategy requires you to continuously monitor all users all the time. Identity and access management capabilities such as Entra ID and Active Directory, which are used to manage user profiles and privileges, must be continuously monitored and kept up to date.
4. No one is trusted — no exceptions. This may not please senior leaders, who can sometimes behave as if the rules don't apply to them. Brushing up on your diplomatic skills is advised. Ultimately, though, a zero trust architecture can be implemented without creating significant friction for end users.
5. Zero trust requires thoughtful communication. There are people throughout the organization who have built their careers on the legacy cybersecurity principles of moat-and-castle and trust-but-verify. They may be threatened or feel that their jobs are in jeopardy if they aren't engaged in the zero trust buildout from day one.

Zero trust as a concept is simple to grasp. What makes zero trust complex to implement are the same factors that make any cybersecurity strategy complex: the unique mix of processes, procedures and technology found in your IT infrastructure, as well as the need for significant user education. It's best to start small and roll out from there, rather than trying to boil the ocean.

For cybersecurity leaders in government agencies, preparing for a zero trust architecture is less an exercise in evaluating technologies and more an exercise in strategic thinking, requiring you to answer fundamental questions such as:

• What is your agency’s core mission or value proposition?
• What are the workflows required to fulfill that mission?
• Who owns those workflows?
• How does data flow in the organization?
• Which are your high-value assets, the so-called "keys to the kingdom"?
• How does the organization determine who is granted access to these high-value assets?
• How often does the organization audit user permissions once they are set?
• What building blocks do you already have in place to support a zero trust strategy?

Answering these questions requires full visibility and continuous monitoring of your entire attack surface, including IT, internet of things (IoT) and operational technology (OT) assets, and the ability to assess the criticality of each asset to deliver on your organization's core mission. No zero trust journey can begin without first addressing these fundamentals of exposure management.

Exposure management transcends the limitations of siloed security programs. Built on the foundations of risk-based vulnerability management, exposure management takes a broader view across your modern attack surface, applying both technical and business context to more precisely identify and more accurately communicate cyber risk, enabling better business outcomes.

An exposure management program combines technologies such as vulnerability management, web application security, cloud security, identity security, attack path analysis and patch management to help an organization understand the full breadth and depth of its exposures and take the actions needed to reduce them through remediation and incident response workflows. Exposure management gives security teams a full, dynamic and accurate picture of the attack surface at any point in time, aiding in the implementation of zero trust policies and architecture.

• Download the Gartner report How to Grow Vulnerability Management into Exposure Management
• Read the blogs Tenable and the Path to Zero Trust and Making Zero Trust Architecture Achievable
• View the updated draft Guidance for Implementing a Zero Trust Architecture, released by NIST on Dec. 4, 2024

Fortinet patched a zero day authentication bypass vulnerability in FortiOS and FortiProxy that has been actively exploited in the wild as a zero-day since November 2024.

On January 14, Fortinet released a security advisory (FG-IR-24-535) addressing a critical severity vulnerability impacting FortiOS and FortiProxy.

CVE-2024-55591 is an authentication bypass vulnerability in FortiOS and FortiProxy. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to a Node.js websocket module. Successful exploitation may grant an attacker super-admin privileges on a vulnerable device. According to the Fortinet advisory, this vulnerability has been exploited in the wild.

Zero Day Campaign May Have Been Active Since November

Researchers at Arctic Wolf published a blog post on January 10 detailing a campaign first observed in mid-November 2024 of suspicious activity related to the exploitation of a zero-day vulnerability, which is presumed to be CVE-2024-55591. Arctic Wolf Labs details four distinct phases of the campaign that were observed against Fortinet FortiGate firewall devices; scanning, reconnaissance, SSL VPN configuration and lateral movement. For more information on the observations of this campaign, we recommend reviewing its blog post.

At the time this blog was published, the Fortinet advisory did not credit Arctic Wolf with the discovery of CVE-2024-55591. However, the indicators of compromise (IoCs) listed in the Fortinet advisory overlap with the report from Arctic Wolf.

Historical exploitation of Fortinet FortiOS and FortiProxy

Fortinet FortiOS and FortiProxy have been targeted by threat actors previously, including targeting by advanced persistent threat (APT) actors. We’ve written about several noteworthy Fortinet flaws since 2019, including flaws impacting SSL VPNs from Fortinet and other vendors:

CVE-2022-42475: Fortinet Patches Zero Day in FortiOS SSL VPNs

AA23-250A: Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475

At the time this blog post was published, there were no public proof-of-concept exploits for CVE-2024-55591.

Fortinet published its security advisory (FG-IR-24-535) on January 14 to address this vulnerability. The advisory also contains IoCs and workaround steps that can be utilized if immediate patching is not feasible. Fortinet has released the following patches for FortiOS and FortiProxy.

Fortinet also released several additional security advisories on January 14 for vulnerabilities affecting FortiOS and FortiProxy:

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2024-55591 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Additionally, customers can utilize Tenable Attack Surface Management to identify public facing Fortinet assets:

• Fortinet FG-IR-24-535 Security Advisory
• Arctic Wolf Blog - Console Chaos: A Campaign Targeting Publicly Exposed Management Interfaces on Fortinet FortiGate Firewalls

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

1. 10Critical
2. 147Important
3. 0Moderate
4. 0Low

Microsoft addresses 157 CVEs in the first Patch Tuesday release of 2025 and the largest Patch Tuesday update ever with three CVEs exploited in the wild, and five CVEs publicly disclosed prior to patches being made available.

Microsoft patched 157 CVEs in its January 2025 Patch Tuesday release, with 10 rated critical and 147 rated as important. Our counts omitted two vulnerabilities, one reported by GitHub and another reported by CERT/CC. To date, the January 2025 Patch Tuesday release is the largest ever from Microsoft.

This month’s update includes patches for:

• .NET
• .NET and Visual Studio
• .NET,.NET Framework, Visual Studio
• Active Directory Domain Services
• Active Directory Federation Services
• Azure Marketplace SaaS Resources
• BranchCache
• IP Helper
• Internet Explorer
• Line Printer Daemon Service (LPD)
• Microsoft AutoUpdate (MAU)
• Microsoft Azure Gateway Manager
• Microsoft Brokering File System
• Microsoft Digest Authentication
• Microsoft Graphics Component
• Microsoft Office
• Microsoft Office Access
• Microsoft Office Excel
• Microsoft Office OneNote
• Microsoft Office Outlook
• Microsoft Office Outlook for Mac
• Microsoft Office SharePoint
• Microsoft Office Visio
• Microsoft Office Word
• Microsoft Purview
• Microsoft Windows Search Component
• Power Automate
• Reliable Multicast Transport Driver (RMCAST)
• Visual Studio
• Windows BitLocker
• Windows Boot Loader
• Windows Boot Manager
• Windows COM
• Windows Client-Side Caching (CSC) Service
• Windows Cloud Files Mini Filter Driver
• Windows Connected Devices Platform Service
• Windows Cryptographic Services
• Windows DWM Core Library
• Windows Digital Media
• Windows Direct Show
• Windows Event Tracing
• Windows Geolocation Service
• Windows Hello
• Windows Hyper-V NT Kernel Integration VSP
• Windows Installer
• Windows Kerberos
• Windows Kernel Memory
• Windows MapUrlToZone
• Windows Mark of the Web (MOTW)
• Windows Message Queuing
• Windows NTLM
• Windows OLE
• Windows PrintWorkflowUserSvc
• Windows Recovery Environment Agent
• Windows Remote Desktop Services
• Windows SPNEGO Extended Negotiation
• Windows Security Account Manager
• Windows Smart Card
• Windows SmartScreen
• Windows Telephony Service
• Windows Themes
• Windows UPnP Device Host
• Windows Virtual Trusted Platform Module
• Windows Virtualization-Based Security (VBS) Enclave
• Windows WLAN Auto Config Service
• Windows Web Threat Defense User Service
• Windows Win32K - GRFX

Remote code execution (RCE) vulnerabilities accounted for 36.9% of the vulnerabilities patched this month, followed by elevation of privilege (EoP) vulnerabilities at 25.5%.

CVE-2025-21333, CVE-2025-21334 and CVE-2025-21335 are EoP vulnerabilities in the Windows Hyper-V NT Kernel Integration Virtualization Service Provider (VSP). All three vulnerabilities were assigned a CVSSv3 score of 7.8 and rated important. An authenticated, local attacker could exploit this vulnerability to elevate privileges to SYSTEM. Two of the three vulnerabilities were unattributed, with CVE-2025-21333 being attributed to an Anonymous researcher.

According to Microsoft all three vulnerabilities were exploited in the wild as zero-days. No specific details about the in-the-wild exploitation were public at the time this blog post was released.

CVE-2025-21186, CVE-2025-21366 and CVE-2025-21395 are RCE vulnerabilities in Microsoft Access, a database management system. All three vulnerabilities were assigned a CVSSv3 score of 7.8 and rated important. A remote, unauthenticated attacker could exploit this vulnerability by convincing a target through social engineering to download and open a malicious file. Successful exploitation would grant an attacker arbitrary code execution privileges on the vulnerable system. This update “blocks potentially malicious extensions from being sent in an email.”

According to Microsoft, these three vulnerabilities were publicly disclosed prior to a patch being available (zero-days). They are attributed to Unpatched.ai, which uses artificial intelligence (AI) to “help find and analyze” vulnerabilities.

CVE-2025-21308 is a spoofing vulnerability affecting Windows Themes. This vulnerability received a CVSSv3 score of 6.5 and was publicly disclosed prior to a patch being made available. According to Microsoft, successful exploitation requires an attacker to convince a user to load a malicious file, then convince the user to “manipulate the specially crafted file.” Microsoft has provided a list of mitigations including disabling New Technology LAN Manager (NTLM) or using group policy to block NTLM hashes. For more information on the mitigation guidance, please refer to the Microsoft advisory.

CVE-2025-21275 is an EoP vulnerability in the Microsoft Windows App Package Installer. It was assigned a CVSSv3 score of 7.8 and is rated important. A local, authenticated attacker could exploit this vulnerability to obtain SYSTEM privileges. These types of flaws are often associated with post-compromise activity, after an attacker has breached a system through other means.

According to Microsoft, this vulnerability was publicly disclosed prior to a patch being available. It is attributed to an Anonymous researcher.

CVE-2025-21297 and CVE-2025-21309 are critical RCE vulnerabilities affecting Windows Remote Desktop Services. Both of these vulnerabilities were assigned CVSSv3 scores of 8.1, however CVE-2025-21309 was assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index, while CVE-2025-21297 was assessed as “Exploitation Less Likely.”

According to Microsoft, successful exploitation of these flaws requires an attacker to connect to a system with the Remote Desktop Gateway role and trigger a race-condition that creates a use-after-free scenario which can be leveraged to execute arbitrary code.

CVE-2025-21298 is a RCE vulnerability in Microsoft Windows Object Linking and Embedding (OLE). It was assigned a CVSSv3 score of 9.8 and is rated critical. It has been assessed as “Exploitation More Likely.” An attacker could exploit this vulnerability by sending a specially crafted email to a target. Successful exploitation would lead to remote code execution on the target system if the target opens this email using a vulnerable version of Microsoft Outlook or if their software is able to preview the email through a preview pane.

Microsoft’s advisory for this vulnerability recommends configuring Microsoft Outlook to read email messages “in plain text format” instead of a rich format that will display other types of content, such as photos, animations or specialized fonts. To configure Outlook in this way, please refer to the following article, Read email messages in plain text.

A list of all the plugins released for Microsoft’s January 2025 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

• Microsoft's January 2025 Security Updates
• Tenable plugins for Microsoft January 2025 Patch Tuesday Security Updates

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Ivanti disclosed two vulnerabilities in its Connect Secure, Policy Secure and Neurons for ZTA gateway devices, including one flaw that was exploited in the wild as a zero-day.

Update January 16: The Proof-of-concept section has been updated to highlight the availability of a public proof-of-concept exploit for CVE-2025-0282.

View Change Log

On January 8, Ivanti published a security advisory for two vulnerabilities affecting multiple products including Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for Zero Trust Access (ZTA) gateways:

CVE-2025-0282 is a stack-based buffer overflow vulnerability in Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA gateways. An unauthenticated, remote attacker that successfully exploits this flaw would obtain remote code execution on a vulnerable device.

CVE-2025-0283 is also a stack-based buffer overflow in Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA gateways. Unlike CVE-2025-0282, a local, authenticated attacker that successfully exploits this flaw would be able to elevate privileges on a vulnerable device.

In-the-wild exploitation observed for CVE-2025-0282

In a blog post, Ivanti confirmed that they have observed in-the-wild exploitation of CVE-2025-0282 in “a limited number of customers” of Ivanti Connect Secure devices. They reiterate that they have not observed exploitation against Ivanti Policy Secure or Neurons for ZTA gateways.

On-going investigation reveals preliminary insight into malicious activity

On January 8, researchers at Google Mandiant published a blog post outlining their preliminary findings related to the in-the-wild exploitation of CVE-2025-0282. While the researchers have yet to link the attacks to any particular advanced persistent threat (APT) group or cluster, they have identified several malware samples on compromised systems, including the SPAWN ecosystem of malware (e.g. SPAWNANT, SPAWNMOLE and PAWNSNAIL) as well as newly discovered malware such as a credential harvesting tool called DRYHOOK and a dropper called PHASEJAM. For more information, please visit the Google Mandiant blog.

Historical exploitation of Ivanti Connect Secure

Ivanti Connect Secure, formerly known as Pulse Connect Secure, has been frequently targeted by attackers of all types, including advanced persistent threat (APT) groups as well as ransomware affiliates and opportunistic cybercriminals.

Because of the historical exploitation of these devices, customers are strongly advised to apply the available patch for these flaws as soon as possible.

On January 16, researchers at watchTowr released a public proof-of-concept (PoC) exploit for CVE-2025-0282 on GitHub. The GitHub repository notes that the PoC is "broken in non-trivial ways" adding that it will "require effort to work." It also points to watchTowr's technical write-up, Exploitation Walkthrough and Techniques - Ivanti Connect Secure RCE (CVE-2025-0282) on its blog.

Ivanti has released the following patches for Connect Secure, Policy Secure and Neurons for ZTA Gateways.

Ivanti customers can utilize its Integrity Checker Tool (ICT) to identify exploitation of CVE-2025-0282.

For Connect Secure customers, Ivanti recommends performing a factory reset of devices prior to upgrading to version 22.7R2.5 “out of an abundance of caution” for those with clean ICT scan results and to “ensure any malware is removed” where ICT results “show signs of compromise.”

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2025-0282 and CVE-2025-0283 as they’re released. These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Tenable Attack Surface Management customers are able to quickly identify these assets by leveraging the built in subscription labeled Ivanti Connect Secure (ICS) - v1.

• Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-0282, CVE-2025-0283)
• Security Update: Ivanti Connect Secure, Policy Secure and Neurons for ZTA Gateways

Update January 16: The Proof-of-concept section has been updated to highlight the availability of a public proof-of-concept exploit for CVE-2025-0282.

Update January 9: The Analysis section has been updated to include preliminary details from Mandiant's on-going investigation into these attacks.

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

It is with profound sadness that we share the news of the passing of our beloved CEO Amit Yoran on January 3. Amit was not only a visionary leader but also a guiding force who profoundly impacted our industry, our company, our culture and our community.

Amit Yoran, chairman and CEO of Tenable, died on January 3

Under Amit's leadership, Tenable achieved significant milestones and he inspired each one of us with his dedication, passion and commitment to make a difference. Amit leaves behind an incredible legacy as a visionary, leader, colleague, mentor, brother, father and friend. He touched the lives of so many within and beyond our company and he will be missed.

As we navigate the days ahead, Mark Thurmond (Tenable COO) and Steve Vintz (Tenable CFO), who took over co-CEO duties on December 5, 2024, will ensure that we communicate any important updates as we drive the business forward just as Amit would have wanted.

As additional details regarding his memorial services are available we will keep you informed. We issued a press release with more details here: https://www.tenable.com/press-releases/tenable-announces-the-passing-of-chairman-and-ceo-amit-yoran

Please join us in remembering and honoring Amit for the indelible mark he left on all of us.

Check out best practices for preventing mobile communications hacking. Plus, how the U.S. government can improve financial firms’ AI use. Meanwhile, the FBI warns about a campaign to hack vulnerable webcams and DVRs. And get the latest on a Chinese APT’s hack of the Treasury Department; the federal government’s AI use cases; and cyber tips for SMBs.

Dive into six things that are top of mind for the week ending Jan. 3.

In light of the hacking of major telecom companies by China-affiliated cyber spies, “highly targeted” people should adopt security best practices to protect their cell phone communications.

So said the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in the new publication “Mobile Communications Best Practice Guidance,” aimed at high-profile individuals such as senior government officials and political party leaders.

The guidance, which applies to anyone interested in securing their mobile communications, is divided into three categories: general recommendations; best practices for iPhone users; and best practices for Android users.

“While no single solution eliminates all risks, implementing these best practices significantly enhances protection of sensitive communications against government-affiliated and other malicious cyber actors,” the guidance reads.

General recommendations include:

• Use messaging applications that offer end-to-end encrypted communications – for text messages, and for voice and video calls – and that are compatible with both iPhone and Android operating systems.
• Don’t use SMS as your second authentication factor because SMS messages aren’t encrypted. Instead, enable Fast Identity Online (FIDO) authentication for multi-factor authentication. Another good MFA option: authenticator codes.
• Regularly update your phone’s operating system and your mobile applications to their latest versions. Get your phone manufacturer’s newest cell phone model to get the latest hardware-dependent security features.

To get all the details, read the full, five-page document “Mobile Communications Best Practice Guidance.”

For more information about how to protect your mobile phone from hackers:

• “Ten Steps to Smartphone Security” (U.S. Federal Communications Commission)
• “Mobile Device Best Practices” (U.S. National Security Agency)
• “8 simple ways to protect your smartphone from hackers” (PC World)
• “Stop hackers cold: Tech tips to secure your phone's data and location” (USA Today)

VIDEO

How to remove a hacker from your phone? (Cybernews)

More precise definitions of AI models and systems. Clarification on AI data privacy standards. Enhanced AI regulatory frameworks. 

Those are just some of the requests that the Treasury Department received after it asked for feedback about artificial intelligence (AI) use in the financial industry.

Financial firms, consumer groups, technology vendors, trade associations and others sent the agency 103 comment letters in response to its “Uses, Opportunities, and Risks of Artificial Intelligence (AI) in the Financial Services Sector” request for information.

“The respondents commented on existing use cases, expansive opportunities, and associated risks, underscoring the potential for AI to broaden opportunities while amplifying certain risks,” reads the report “Artificial Intelligence in Financial Services.”

At a high level, requests from respondents included:

• Align definitions of AI models and systems applicable to the financial services sector to make collaboration and coordination among agencies and stakeholders easier.
• Further clarify standards for data privacy, security, and quality for financial firms developing and deploying AI.
• Expand consumer protections.
• Explain how financial firms can comply with current consumer protection laws that apply to existing and emerging technologies.
• Offer guidance to assist financial firms as they assess AI models and systems for compliance.
• Enhance regulatory frameworks and develop consistent federal-level standards. 
• Facilitate domestic and international collaboration among governments, regulators, and the financial services sector.

For more information about the risks and opportunities of AI in the financial industry:

• “Artificial Intelligence and Machine Learning in Financial Services” (U.S. Congressional Research Service)
• “Artificial Intelligence: Opportunities and Risks for the Financial Sector” (International Banker)
• “The Financial Stability Implications of Artificial Intelligence” (Financial Stability Board)
• “The AI Revolution: Opportunities and Challenges for the Finance Sector” (The Alan Turing Institute)
• “The rise of artificial intelligence: benefits and risks for financial stability” (European Central Bank)

Hackers are unleashing the HiatusRAT malware against web cameras and digital video recorders (DVRs) made by several Chinese vendors whose devices may have unpatched vulnerabilities.

That’s the warning from the FBI, which added that the cybercrooks are looking to exploit weak vendor-supplied password and vulnerabilities including CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044 and CVE-2021-36260.

The hackers have been observed targeting devices from vendors Xiongmai and Hikvision, and using webcam scanning tool Ingram and authentication-cracking tool Medusa.

“The FBI recommends limiting the use of the devices mentioned in this PIN and/or isolating them from the rest of your network,” reads the FBI alert titled “HiatusRAT Actors Targeting Web Cameras and DVRs.”

Other FBI recommendations include:

• Promptly patch and update operating systems, software and firmware.
• Consider removing devices from your network that are no longer supported by their manufacturer.
• Regularly change passwords for network systems and accounts, and don’t use default and weak passwords.
• Require multi-factor authentication.
• Segment your network.
• Back up critical assets and store the backups offline.
• Use monitoring tools that log network traffic and alert you about anomalous network activity.

For more information about securing internet-of-things (IoT) devices, check out these Tenable resources:

• “How to Unlock Advanced IoT Visibility for Cyber-Physical Systems” (blog)
• “Unlock advanced IoT visibility to better secure your OT environment” (on-demand webinar)
• “How To Secure All of Your Assets - IT, OT and IoT - With an Exposure Management Platform” (blog)
• “How to Effectively Communicate OT/IoT Risk Across the Enterprise” (on-demand webinar)
• “Discover, Measure, and Minimize the Risk Posed by Your Interconnected IT/OT/IoT Environments” (on-demand webinar)

Is your business in the midst of figuring out how to leverage AI to improve its operations and services? If so, you might be interested in how Uncle Sam is attempting to do the same.

As of mid-December, U.S. federal government agencies had launched 1,700-plus AI use cases, including for evaluating patent applications; analyzing extreme weather; and determining disability benefits.

Specifically, 37 federal agencies submitted their AI uses as of mid-December 2024 to the Office of Management and Budget (OMB), which tallied 1,757 use cases, including almost 230 that can impact people’s rights and safety.

Most AI use cases fell into these three categories:

• Helping agencies fulfill their missions
• Providing health and medical services
• Delivering government services

The agency with the most AI use cases is the Department of Health and Human Services (271), followed by the Department of Veteran Affairs (229) and the U.S. Agency for International Development (137).

Veteran Affairs is by far the agency with the most safety- and rights-impacting use cases (145). For these use cases, agencies must document how they’re implementing safeguards to mitigate the rights and safety risks.

To get more information about the federal government’s AI use, check out:

• The OMB’s Github page “2024 Federal Agency AI Use Case Inventory”
• CIO.gov’s writeup about the AI use case inventory
• AI.gov’s AI use cases page

For more information about responsible usage and AI security, check out these Tenable blogs:

• “AI Security Roundup: Best Practices, Research and Insights”
• “How to Discover, Analyze and Respond to Threats Faster with Generative AI”
• “Never Trust User Inputs — And AI Isn't an Exception: A Security-First Approach”
• “Securing the AI Attack Surface: Separating the Unknown from the Well Understood”
• “Do You Think You Have No AI Exposures? Think Again”

An advanced persistent threat (APT) hacking group sponsored by the Chinese government breached a Treasury Department system, an incident the agency describes as “major.”

In a letter sent this week to the U.S. Senate, the Treasury Department said the hackers accessed a key used by a third-party vendor to protect a cloud-based service. That breached system is used to provide remote tech support to Treasury Departmental Offices (DO) users.

“With access to the stolen key, the threat actor was able (to) override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users,” the letter reads.

News agency Reuters posted a copy of the letter, which was penned by Aditi Hardikar, Assistant Secretary for Management at the Treasury Department, and sent to Sen. Sherrod Brown, Chairman of the Committee on Banking, Housing and Urban Affairs; and to Sen. Tim Scott, the committee’s Ranking Member.

The compromised service from the third-party vendor was taken offline and the agency has no evidence that the APT hackers have continued accessing Treasury Department data. It will provide more details in a supplemental report, according to the letter.

For more information about how to protect your organization from APT attacks:

• “Advanced Persistent Threat Security: 5 Modern Strategies” (IEEE Computer Society)
• “Understanding Advanced Persistent Threats and How to Stop Them” (Biz Tech Magazine)
• “How To Defend Against APT Attacks: What You Need To Know” (Endpoint Security for Small Business)
• “Nation-State Cyber Actors” (CISA)
• “What is an advanced persistent threat?” (TechTarget)

It’s “resolutions” time again.

Now that the new year has begun, we take stock of what we could be doing better and pledge to modify certain practices and habits.

So how can small-and-medium sized businesses (SMBs) enhance their cybersecurity posture in 2025? Here are five suggested cyber resolutions from the Cyber Readiness Institute, a non-profit organization created to offer free cyber tools and resources for SMBs.

• Use multi-factor authentication to protect online accounts.
• Designate a “cyber leader” who’ll be tasked with monitoring cyberthreats, share best practices and foster cyber awareness.
• Offer cybersecurity awareness training to your staff.
• Draft a business continuity plan outlining how your SMB will maintain operations if it suffers a cyberattack.
• Acquire cyberinsurance.

For more cybersecurity resolutions to act upon in 2025, check out:

• “New Year’s cybersecurity resolutions that every startup should keep” (TechCrunch)
• “Cybersecurity Resolutions: Skill Sets to Prioritize in 2025” (Bank Infosecurity)
• “Cyber Resolutions for 2025: Because Hackers Won't Take a Day Off” (CyberPeace)
• “5 cybersecurity habits to take into 2025” (TechRadar)
• “8 Cybersecurity Trends and Opportunities for 2025” (MSSP Alert)

Mid-sized enterprises increasingly find themselves in need of a CNAPP, as their cloud adoption matures. But how should they go about selecting the right one? What questions should they ask and what criteria should they use? Here we unpack six key considerations that’ll help them evaluate their options and make an informed decision.

As cloud security technologies evolve, mid-sized enterprises face unique challenges when selecting a cloud native application protection platform (CNAPP). With limited resources and a need for robust protection, they must understand the critical capabilities that define the effectiveness and value of a CNAPP. Here are some of the most important considerations for mid-sized organizations.

In today’s increasingly complex cloud environments, CNAPPs must provide seamless integration across their features to avoid operational and risk silos. Platforms that organically develop features deliver a smoother user experience. With integrated data flows, these platforms allow telemetry to be collated effectively. Disparate technologies with poor integration often lead to gaps in security and inefficiencies in workflows, increasing costs and management overhead.

A strong focus on identity and access management is fundamental for securing complex cloud workloads. Cloud infrastructure entitlement management (CIEM) is particularly crucial, as it helps enterprises govern and enforce least-privilege across multi-cloud environments. By addressing identity-related risks, strong CIEM capabilities enable enterprises to prevent lateral movement, privilege escalation and unauthorized access, which continue to be the most significant threats in cloud security along with misconfigurations.

Mid-sized enterprises often operate on tight budgets, making modular pricing an attractive option. A flexible pricing structure allows companies to start small and add capabilities as needed. Choosing a CNAPP that integrates with a broader exposure management platform ensures future-proofing for hybrid, multi-cloud, and even on-premises workloads. This approach not only minimizes initial costs but also provides scalability to meet evolving business and security requirements.

As regulations like the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the EU AI Act introduce increasingly strict penalties for non-compliance, many organizations are reconsidering public cloud deployments in favor of on-premises or hybrid environments. Mid-sized organizations should prioritize CNAPPs that support this shift by offering native integrations with platforms that secure both cloud and on-premises workloads. AI regulations, in particular, may necessitate local data processing, making on-prem integration a critical requirement.

Data security is fundamental to the safety of AI systems. DSPM capabilities in a CNAPP allow enterprises to discover, classify, and label sensitive data, helping ensure compliance with security and privacy regulations. DSPM prevents sensitive information from leaking through AI models or cloud native applications by identifying unauthorized access and data flows. This is particularly important as AI systems increasingly rely on large datasets for training and inference purposes.

For mid-sized enterprises, resource constraints can be significant hurdles to adopting new security technologies. A CNAPP that is quick to deploy and easy to configure is crucial to ensuring a smooth implementation process without overwhelming IT and security teams.

Platforms designed with ease of rollout in mind reduce operational overhead by offering:

• Intuitive user interfaces: Simplified dashboards and workflows that minimize the learning curve for administrators.
• Out-of-the-box integrations: Pre-built connectors for major cloud providers, on-premises security technologies and existing security tools cut down deployment time and customization efforts.
• Automated discovery and configuration: Features such as automated asset discovery, policy enforcement, and the establishment of a baseline configuration model reduce the need for manual setup.
• Minimal downtime: Deployment with minimal disruption to existing workloads and infrastructure ensures business continuity during the rollout.

CNAPPs with these key factors allow mid-sized enterprises to achieve faster time-to-value, enabling security teams to focus on strategic activities rather than troubleshooting implementation issues.

Modern threats require enterprises to adopt a unified approach to managing risks across cloud, on-premises and hybrid environments. CNAPPs should integrate seamlessly into a broader exposure management strategy, enabling centralized visibility and response to vulnerabilities, misconfigurations, and threats.

Tenable Cloud Security and the Tenable One Exposure Management Platform address these challenges head-on by providing:

• Ease of rollout and deployment: A focus on deployment efficiency and ease of use.
• Integrated functionality: Seamless feature development and integration for a streamlined user experience.
• CIEM strength: Robust identity-focused capabilities to minimize access-related risks.
• Flexibility and scalability: Modular pricing that adapts to your business needs and scales with your growth.
• Support for hybrid and on-prem environments: Secure workloads wherever they reside, addressing regulatory and operational needs.
• Comprehensive exposure management: Centralized visibility and management across all environments.
• Advanced DSPM for AI security: Comprehensive data classification and monitoring to protect sensitive information in AI workflows.

Tenable offers a future-ready platform tailored to the needs of mid-sized enterprises, providing the tools and confidence to tackle today’s cloud security challenges regardless of where you are in your cloud security journey. 

Learn more about Tenable Cloud Security and Tenable One.

In December 2023, as cyberattacks surged, the U.S. Securities and Exchange Commission (SEC) began enforcing new cybersecurity disclosure rules. This pushed C-level executives and boards to adopt measures for compliance and transparency. In this post, we look at the enforcement actions the SEC has taken and what public company CISOs should do to stay in compliance.

In recent years, cyberattacks have become more sophisticated, affecting public and private organizations alike. Recognizing the critical need for transparency and robust cybersecurity measures, the U.S. Securities and Exchange Commission adopted new cybersecurity disclosure rules in July 2023, which took effect in September 2023, with compliance required by December 2023.

These rules, which mandate that all public companies disclose material cybersecurity incidents within four business days and detail their risk management strategies, highlight that cybersecurity is a board-level risk management concern.

As part of their fiduciary duties, boards play a key role in the oversight of risks from cybersecurity threats. In partnership with senior executives, they need to pay close attention to the risks their companies face and the strategies those companies put in place to comply.

As the rules were authorized in late 2023, we shared what we see as the implications for infosec leaders. This post explores the impact of these regulations after one year. We also look at recent enforcement actions and measures that companies should consider adopting to promote compliance and bolster their cybersecurity posture.

An important note: In 2025, there will be changes in SEC leadership, which could affect these rules. But they’re just one example of the additional attention governments around the world are giving to cyber risk.

The EU recently issued the network and information systems (NIS)2 Directive, aimed at improving cybersecurity across member states. It requires the reporting of “significant” incidents within 24 hours, a more detailed report within 72 hours and a final report within a month. Other more focused rules, such as the General Data Protection Regulation (GDPR) in Europe, although it doesn’t have incident disclosure provisions, have driven significant change for companies that want to do business in that region.

It comes down to trust. Tenable CEO Amit Yoran had a clear point of view when he wrote about the rules as they took effect.

“The SEC’s rule will force what companies should have been implementing all along; informed cyber risk management practices,” he said. “Requiring companies to provide annual updates of their cybersecurity risk management strategy and governance and report material breaches within four business days will force leadership to pay attention and keep customers and investors better informed as to who they trust with their business.”

With that as a backdrop, CISOs looking to support stakeholders like legal, finance, investor relations and boards in these efforts should understand a few things about the SEC rules.

The SEC requires public companies to disclose material cybersecurity incidents within four business days of determining their materiality using an 8-K form. This requirement aims to give investors timely and relevant information about potential risks that could impact business operations and financial performance.

At a conference held by the American Institute of Certified Public Accountants (AICPA) and the Chartered Institute of Management Accountants (CIMA) in December, Sebastian Gomez Abero, Associate Director of the Division of Corporate Finance (DCF) Disclosure Review Program emphasized that materiality, rather than the discovery of a breach, is the trigger for disclosing a cybersecurity incident. According to an EY summary of his remarks provided by the conference organizations, Gomez Abero also reminded registrants that both quantitative and qualitative factors should be considered in their materiality assessment of a cybersecurity incident.

In addition, companies must include descriptions of their cybersecurity risk management and governance practices annually in their 10-K or 20-F reports. The rules essentially validate cybersecurity as an important component of risk management, within a robust corporate governance program. Recent 10-Ks from a number of companies incorporated these new requirements.

According to the EY conference summary, Gomez Abero reminded registrants to provide sufficient detail in their annual cybersecurity disclosures for a reasonable investor to understand the organization’s processes to assess, identify and manage material risks from cybersecurity threats, rather than just stating that a process exists. In addition, registrants that have a management group to assess material cybersecurity risk need to disclose each member’s individual expertise.

Since the introduction of the cybersecurity rules, the SEC has taken significant enforcement actions to ensure compliance, including issuing fines and negotiating settlements with various companies.

For example, in October 2024, the SEC fined Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd. and Mimecast Limited a combined total of almost $7 million for allegedly misleading disclosures related to their exposure to the SolarWinds cyberattack.

In the same order, the SEC alleged that these firms downplayed their involvement, which led to misleading investors about potential impacts. Each company settled without admitting or denying the allegations.

In another notable enforcement action by the SEC, R.R. Donnelley & Sons Company (RRD) agreed in June 2024 to pay more than $2.1 million for inadequate disclosure and poor management of significant cybersecurity incidents from 2021. The SEC found that RRD’s internal processes failed to properly elevate and disclose these incidents to senior management in a timely manner, underscoring the importance of having robust incident management frameworks in place.

There are three key lessons to keep in mind as you work to help your organization meet the SEC cybersecurity requirements:

1. Be transparent. Your organization’s incident management and disclosure practices are being scrutinized. It’s not just the board and senior executives paying attention — your company’s investors want to understand your organization’s cyber risk. Choose a forthright and straightforward approach to meet the 8-K disclosure requirements, such as establishing a cybersecurity disclosure committee and a materiality framework for regularly assessing cyber incidents. Doing so could help your organization avoid fines.
2. View cyber risk as business risk. Your cybersecurity risk management and governance practices are of strategic importance to your organization. The 10-K and 20-F requirements codify the importance of having a robust strategy for cybersecurity. Rather than seeing it as a compliance chore, consider it an opportunity to educate the board and investors about all the ways your organization is reducing cyber risk.
3. Be proactive. Don’t treat your cybersecurity strategy as merely a once-a-year compliance task. Make sure the cybersecurity systems and processes you have in place provide continuous visibility into the entirety of your attack surface, so that you’re always ready to answer the questions “how secure are we?” and “where are we at risk?”

So what can a CISO do about this? It starts with a comprehensive cybersecurity program, including exposure management, which gives CISOs the information they need to communicate with legal, finance, investor relations, boards and other internal stakeholders about vulnerabilities and cyber incidents so that those can be appropriately captured in the company’s cyber risk management and public reporting.

Exposure management equips an organization with the tools needed to meet the SEC’s cybersecurity disclosure requirements by aligning cybersecurity efforts with business risk management.

Exposure management provides comprehensive visibility into the organization’s attack surface, prioritizes vulnerabilities based on their potential business impact and delivers actionable insights that inform the preparation of risk management filings. Moreover, exposure management is part of a cyber program that can identify cyber risks and incidents that may need to be reported in filings. With easily understood, dynamically updated dashboards that a CISO can use to gain visibility into companywide exposures, exposure management is critical for ensuring compliance and demonstrating a strong security posture.

Plus, an exposure management strategy that integrates asset visibility, risk prioritization and incident response — along with strong partnerships between the CISO, legal, IR and finance — ensures that organizations can accurately report their practices and responses at any point in time because of the continuous monitoring built into exposure management.

By focusing on vulnerabilities that pose the greatest threat to business operations, companies can allocate resources effectively and build a cybersecurity program that supports regulatory compliance.

For CISOs, adopting an exposure management program ensures they can provide legal, finance, investor relations, boards and other executives with clear, actionable insights into the organization’s cybersecurity risks.

Exposure management helps inform decision-making and supports the development of comprehensive risk management frameworks, enabling companies to address threats proactively and build confidence among investors and stakeholders.

The entire C-suite should approach the SEC’s new rules with an eye toward integrated and forward-looking cybersecurity strategies. As part of that effort, it’s crucial to develop and maintain comprehensive incident response plans that can be deployed swiftly to meet the four-day disclosure mandate.

To meet the SEC’s cybersecurity disclosure rules and reduce the risk of breaches that could lead to significant regulatory and financial consequences, organizations must adopt proactive strategies that strengthen their defenses. The following preventative measures outline key steps companies should take to enhance their cybersecurity posture and ensure compliance.

• Vulnerability management: Effective vulnerability management is essential for maintaining a strong cybersecurity posture. Automated vulnerability assessment tools can regularly inspect infrastructure and promptly identify security gaps.
• Zero trust architecture: A zero trust security model operates on the principle that no user or device, whether inside or outside the organization’s network, should be trusted by default. Implementing zero trust means continuously verifying each user and device that attempts to access company resources, ensuring strict authentication, authorization and validation throughout the user session.

The SEC’s cybersecurity disclosure rules underscore the critical importance of transparency and proactive risk management in today’s digital landscape.

Although compliance requires effort and resources, it also presents an opportunity for companies to build trust with investors and stakeholders.

By prioritizing robust cybersecurity practices that focus on prevention, enterprises can better align with regulatory expectations and be prepared for critical reporting requirements. They can close exposures and become resilient, responsible leaders in an increasingly risky world.

• Visit the web page: How to reduce SEC cybersecurity rule compliance challenges
• Read the blog: FAQ: What the new SEC Cybersecurity Rules Mean for Infosec Leaders
• View the on-demand webinar Preparing for the new SEC cybersecurity disclosures
• Download the Gartner report How to Grow Vulnerability Management into Exposure Management

Wondering what cybersecurity trends will have the most impact in 2025? Check out six predictions from Tenable experts about cyber issues that should be on your radar screen in the new year — including AI security, data protection, cloud security … and much more!

Because AI tools rely on vast amounts of data, widespread AI adoption will lead to the exponential growth of data volumes. In addition, this data will be distributed across a complex multi-cloud landscape of locations, accounts and applications. As a result, cybercriminals will have more opportunities to target AI systems to access and exfiltrate their data — especially as hackers themselves leverage powerful AI tools like virtual assistants that can streamline and amplify their attacks.



This convergence of advanced AI attack tools and abundant data will make it increasingly difficult for organizations to stay ahead of evolving cyberthreats. Yet, far from being deterred from using AI, organizations must develop robust strategies for secure and responsible AI adoption, focusing on integrating AI into their systems securely rather than viewing it as a risky proposition. After all, data is the fuel that powers businesses.

For more information about data and AI security posture management (DSPM and AI-SPM), check out these Tenable resources:

• “Data and AI Security Posture Management” (video)
• “Harden Your Cloud Security Posture by Protecting Your Cloud Data and AI Resources” (blog)
• “Know Your Exposure: Is Your Cloud Data Secure in the Age of AI?” (on-demand webinar)
• “The Data-Factor: Why Integrating DSPM Is Key to Your CNAPP Strategy” (blog)
• “When CNAPP Met DSPM” (infographic)

VIDEO

Integrated DSPM features - enable data protection today!

When it comes to the cloud, enterprises are increasingly wary of putting all their eggs in one basket. Relying solely or mostly on a single cloud-services provider is risky and restrictive. Thus, multi-cloud environments will become the norm in 2025, as organizations avoid vendor lock-in and increase their cloud options and flexibility. 

As a result, more and more CISOs next year will embrace security platforms that allow them to protect cloud environments from multiple cloud vendors — enjoying benefits such as centralized, consistent monitoring and management of cloud security and compliance.

Watch Liat Hayun, VP of Product and Research at Tenable Cloud Security, address this topic in this short video:


For more information about multi-cloud security, check out these Tenable resources:

• “Who’s Afraid of a Toxic Cloud Trilogy?” (blog)
• “Holistic Security for AWS, Azure and GCP: Comprehensive Cloud-Native Application Protection for Multi-Cloud Environments” (white paper)
• “Identities: The Connective Tissue for Security in the Cloud” (blog)
• “Cloud Leaders Sound Off on Key Challenges” (blog)
• “Understanding Cloud-Native Application Protection Platforms” (guide)

As breaches become more frequent, post-breach costs will rise, pushing businesses to think critically about what data has been compromised and rethink their recovery strategies. According to IBM, the average cost of a data breach rose 10% to almost $5 million in 2024, but the true damage lies in downtime, reputational damages and regulatory fines, particularly in cloud-heavy industries. 

 
In 2025, businesses will pivot toward more robust post-breach playbooks to minimize fallout, focusing on rapid incident response, data visibility, better containment protocols and enhanced forensic capabilities. This shift signals a broader evolution in cybersecurity, with organizations embracing a more balanced approach that prioritizes both breach prevention and effective recovery.

For more information about cloud data security and cloud data-breach prevention, check out these Tenable resources:

• “Tenable Cloud Risk Report 2024” (report)
• “How To Protect Your Cloud Environments and Prevent Data Breaches” (blog)
• “Know Your Exposure: Is Your Cloud Data Secure in the Age of AI?” (on-demand webinar)
• “CISA and NSA Cloud Security Best Practices: Deep Dive” (blog)
• “Empower Your 2025 Cloud Security Planning with Tenable's Data Insights” (on-demand webinar)

As organizations prioritize efficiency and return on investment, the adoption of technologies like AI and cloud continues to surge. However, this creates a challenge: the knowledge gap. Many users and organizations are struggling to keep pace with the education and training needed to comprehensively understand and protect these technologies.

 
This generates a pressing dilemma: How can we safeguard innovations like AI and cloud when their complexity and growth outstrip our readiness? In 2025, CISOs will be challenged to strike a balance between driving forward technological adoption and ensuring the security and resilience of these tools. Bridging this gap sooner rather than later will be critical for organizations.

For more information about how CISOs should balance cloud adoption with AI security:

• “A CISO game plan for cloud security” (Infoworld)
• “How CISOs can balance the risks and benefits of AI” (CSO)
• “The CISO's Guide to AI: Embracing Innovation While Mitigating Risk” (SANS Institute)
• “How Will AI Change the CISO Role?” (InformationWeek)
• “8 cloud security gotchas most CISOs miss” (CSO)

As the attack surface continues to expand and threat actors grow more sophisticated, cybersecurity teams will face an overwhelming flood of fragmented vulnerability and threat intelligence data. The days of linear attacks are fading, giving rise to multifaceted, rapid incursions that exploit numerous entry points. In this increasingly chaotic landscape, the inability to remediate “everything, everywhere, all at once” will make context king.

 
Organizations that prioritize understanding the greatest risk to their business and the most critical vulnerabilities will win. This contextual approach will redefine vulnerability management, enabling cybersecurity teams to act strategically, swiftly and with greater precision to mitigate threats effectively.

For more information about the importance of risk context for holistic cybersecurity, check out these Tenable resources:

• “Context Is King: From Vulnerability Management to Exposure Management” (blog)
• “Exposure Management: How to Get Ahead of Cyber Risk” (guide)
• “From Frustration to Efficiency: Optimize Your Vuln Management Workflows and Security with Tenable” (on-demand webinar)
• “3 Real-World Challenges Facing Cybersecurity Organizations: How an Exposure Management Platform Can Help” (white paper)
• “Turning Data into Action: Intelligence-Driven Vulnerability Management” (blog)

As 2024 comes to an end, we’re left with the feeling — as in previous years — that too many cyberattacks affected too many people and too many organizations. Anyone whose personal information is now available on the dark web deserves answers and those responsible need to be held accountable. Anyone whose medical records can’t be accessed because systems are down deserves a better service. Anyone whose car has been stolen because criminals were able to hack the keyless tech deserves justice.

 
It’s impossible to achieve perfection – mistakes happen and we’re all human. But how we respond when flaws are found makes all the difference. And that’s on all of us. There has to be accountability at every level. The culture of toxic obfuscation in cybersecurity has to stop. 

Here are some blogs in which Tenable offers transparency about its security practices and shares lessons learned with the cybersecurity community:

• “Tenable Partners with CISA to Enhance Secure By Design Practices”
• “Walking the Walk: How Tenable Embraces Its ‘Secure by Design’ Pledge to CISA”
• “Establishing a Cloud Security Program: Best Practices and Lessons Learned”
• “Making Zero Trust Architecture Achievable”
• “Tenable’s Software Update Process Protects Customers’ Business Continuity with a Safe, Do-No-Harm Design”

Check out the new cloud security requirements for federal agencies. Plus, beware of North Korean government operatives posing as remote IT pros. Also, learn how water plants can protect their HMIs against cyberattacks. And get the latest on the U.S. cyber incident response framework; the CIS Benchmarks; and local and state governments’ cyber challenges.

Dive into six things that are top of mind for the week ending Dec. 20.

To boost its cloud security, the U.S. government this week released a set of cybersecurity actions that federal civilian agencies will be required to take during the first half of 2025 — mostly focused on applying secure configuration baselines to their cloud apps.

The mandate to secure cloud environments comes via the Binding Operational Directive (BOD) 25-01 — titled “Implementing Secure Practices for Cloud Services” — from the Cybersecurity and Infrastructure Security Agency (CISA).

“Malicious threat actors are increasingly targeting cloud environments and evolving their tactics to gain initial cloud access. The actions required by agencies in this Directive are an important step in reducing risk to the federal civilian enterprise,” CISA Director Jen Easterly said in a statement.

The guidance, while applicable only to U.S. federal civilian agencies, can be helpful to all organizations in the public and private sectors, Easterly added. Its foundation is CISA’s Secure Cloud Business Applications (SCuBA) project, which offers recommendations for hardening the configuration of cloud services.

 
These are the directive’s cloud security requirements at a high level:

• Identify all cloud tenants by February 21, 2025, and update this inventory annually.
• Deploy all assessment tools from CISA’s SCuBA project by April 25, 2025, and report assessment results to CISA.
• Implement all mandatory SCuBA policies by June 20, 2025.
• Implement all future updates to mandatory SCuBA policies.
• Implement all mandatory SCuBA secure configuration baselines.

Agencies may deviate from mandatory SCuBA policies if needed, but they’ll have to identify these deviations and explain them to CISA.

To learn more about cloud security, check out these Tenable resources:

• “Establishing a Cloud Security Program: Best Practices and Lessons Learned” (blog)
• “Empower Your Cloud: Mastering CNAPP Security” (white paper)
• “Know Your Exposure: Is Your Cloud Data Secure in the Age of AI?” (on-demand webinar)
• “Harden Your Cloud Security Posture by Protecting Your Cloud Data and AI Resources” (blog)
• “10 Considerations for Securing Stateful Persistent Volumes Attached to Kubernetes Pods and Applications” (white paper)

In a years-long fraud scheme, North Korean IT workers have gotten jobs in the U.S. using fake identities, and then have gone on to steal information, such as proprietary source code, and extort their employers.

That’s according to the U.S. Department of Justice, which recently indicted 14 North Korean nationals, charging them with sanctions violations, wire fraud, money laundering and identity theft.

The suspects worked as remote IT professionals for front companies controlled by the North Korean government. The six-year cyber conspiracy netted North Korea’s government at least $88 million, as it banked the IT workers’ hefty salaries and extortion payments. North Korea reportedly uses the money to fund its weapons-development efforts.

The North Korean IT workers got jobs with U.S. firms using fake identities crafted via the use of phony email addresses, fictitious social media profiles, fraudulent payment platform accounts, bogus job site profiles and sham websites; and by hiding their tracks with proxy computers and virtual private networks.

 
They also duped U.S. residents into unwittingly helping them by recruiting them to receive and set up laptops in their homes, which the fraudsters would then access remotely. That way, victimized employers would think the hired IT workers were based in the U.S.

The indictment “... should serve as a warning to companies around the globe — be on alert for this malicious activity by the DPRK regime,” Deputy Attorney General Lisa Monaco said in a statement.

The DOJ is offering a reward of up to $5 million for more information about this fraud scheme and about those involved with the North Korean front companies Yanbian Silverstar and Volasys Silverstar, based in China and Russia, respectively.

The U.S. government issued its first alert about North Korea’s attempts to plant IT workers in the U.S. in 2022 and updated it in 2023 with more due diligence recommendations for employers to avoid falling for the scam. Employers in other countries have also fallen victim to this North Korean IT worker scam.

For more information:

• “‘How not to hire a North Korean plant posing as a techie’ guide” (The Register)
• “Staying a Step Ahead: Mitigating the DPRK IT Worker Threat” (Google Cloud)
• “Advisory on the Democratic People’s Republic Of Korea IT Workers” (South Korea Ministry of Foreign Affairs)
• “Advisory on North Korean IT Workers” (UK Office of Financial Sanctions)
• “Advisory on Democratic People's Republic of Korea IT workers” (Australia Department of Foreign Affairs and Trade)

VIDEO

North Korean nationals indicted in scheme using IT workers to funnel money for weapons programs (KSKD News)

Identifying human-machine interfaces (HMIs) as a weak cyber link in many water treatment plants, the U.S. government has published recommendations for protecting these operational technology (OT) components.

The fact sheet “Internet-Exposed HMIs Pose Cybersecurity Risks to Water and Wastewater Systems” is aimed at helping water and wastewater systems facilities harden remote access to HMIs.

Using HMIs, OT operators are able to read supervisory control and data acquisition (SCADA) systems connected to programmable logic controllers (PLCs). By tampering with HMIs, hackers could disrupt water and wastewater treatment, endangering people’s health.

 
Here are some of the recommendations in the fact sheet, which was jointly published by CISA and the Environmental Protection Agency:

• Inventory all internet-exposed devices.
• Identify HMIs that don’t need to be accessible from the internet and take them offline.
• Secure with a strong password the HMIs that must be connected to the internet.
• Track remote logins to HMIs, including failed and atypical attempts. 
• Protect with multifactor authentication and a strong password the HMI and OT network.
• Segment your network by adding a DMZ or bastion host at the OT network boundary; and by implementing geo-fencing.

For more information about securing operational technology (OT) systems in water plants, check out these Tenable resources:

• “Protecting Public Water Systems from Cyberattacks” (solution overview)
• “EPA to dial up enforcement of cyber requirements for water systems” (blog) 
• “Safeguarding Your Water Utility” (on-demand webinar)
• “Enhancing Critical Infrastructure Cybersecurity for Water Utilities” (infographic)
• “The Constant Drip: EPA Water Regulations, Funding Sources, And How Tenable Can Help” (on-demand webinar)

Curious about how the U.S. government would respond to a major cybersecurity crisis? Now you can find out — and give your opinion about it.

CISA has just released an update to the U.S. National Cyber Incident Response Plan (NCIRP), whose current version dates back to 2016, and is asking for the public to comment on it. The NCIRP update has been in the works since October 2023.

“CISA is seeking more perspectives to help strengthen the NCIRP and invites stakeholders from across the public and private sectors to share their knowledge and experiences, further informing our findings and contributing to this revision,” CISA said in a statement. 

The NCIRP aims to provide a flexible, agile, coherent and repeatable framework for how the U.S. federal, state and local governments, along with the private sector and international partners, will collaborate to respond to a major cybersecurity incident.

“This draft NCIRP Update leverages the lessons learned over the past several years to achieve a deeper unity of effort between the government and the private sector,” CISA Director Jen Easterly said in a statement.

 
The NCIRP addresses coordination mechanisms, decision points and priority activities; and it focuses on four aspects of the cyber response:

• Asset response to assist affected parties in protecting their assets
• Threat response, which would be led by federal law enforcement agencies like the Department of Justice and the FBI
• Intelligence support, which would be overseen by the Office of the Director of National Intelligence (ODNI)
• Affected entity response, led by the affected federal agencies in coordination with CISA (civilian agencies); the U.S. Cyber Command (Defense Department agencies); or the IC Security Coordination Center (intelligence agencies)

You can provide feedback on the new NCIRP in the Federal Register. The public comment period ends on January 15, 2025.

For more information about cyber incident response planning:

• “13 incident response best practices for your organization” (TechTarget)
• “10 Best Practices for Incident Response Plans” (Daily.dev)
• “How to build an incident response plan, with examples, template” (TechTarget)
• “How to effectively detect, respond to and resolve cyber incidents” (UK National Cyber Security Centre)
• “Best Practices for Cyber Crisis Management” (ENISA)

Cisco IOS XE, Google Kubernetes Engine and Microsoft 365 are among the products whose CIS Benchmarks got updated in November by the Center for Internet Security.

Specifically, these secure-configuration recommendations were updated:

• CIS Cisco IOS XE 17.x Benchmark v2.1.1
• CIS Google Kubernetes Engine (GKE) AutoPilot Benchmark v1.1.0
• CIS Google Kubernetes Engine (GKE) Benchmark v1.7.0
• CIS Microsoft 365 Foundations Benchmark v4.0.0
• CIS Red Hat Enterprise Linux 8 STIG Benchmark v2.0.0
   

In addition, CIS released a brand new Benchmark: CIS Microsoft Azure Storage Services Benchmark v1.0.0. 

The CIS Benchmarks’ secure-configuration guidelines are designed to help organizations harden products against attacks. Currently, CIS offers more than 100 Benchmarks for 25-plus vendor product families in categories including: 

• cloud platforms
• databases
• desktop and server software
• mobile devices
• operating systems

To get more details, read the CIS blog “CIS Benchmarks December 2024 Update.”

For more information about the CIS Benchmarks list, check out its home page, as well as:

• “Getting to Know the CIS Benchmarks” (CIS)
• “Security Via Consensus: Developing the CIS Benchmarks” (Dark Reading)
• “How to Unlock the Security Benefits of the CIS Benchmarks” (Tenable)
• “CIS Benchmarks Communities: Where configurations meet consensus” (Help Net Security)
• “CIS Benchmarks: DevOps Guide to Hardening the Cloud” (DevOps)

Insufficient funding and more sophisticated threats top the list of cybersecurity concerns among U.S. state and local governments.

That’s according to the “2023 Nationwide Cybersecurity Review (NCSR),” a free cybersecurity assessment program from the Center for Internet Security (CIS).

The 4,210 state, local, tribal and territorial government organizations that participated also reported being concerned about: 

• emerging technologies
• lack of cyber incident-documentation processes
• difficulty finding qualified cybersecurity professionals

On the positive side, the number of program participants increased 14%, with K-12 school districts recording their highest participation ever.  

Returning participants saw their cyber maturity level increase by an average of 4%. Those that have participated at least two years scored 23% higher in cyber maturity, while those with nine years in the program scored 41% higher.

Overall, NCSR participants are doing a good job monitoring and protecting their IT environments. They also have incident response plans in place, as well as access-control policies.

Areas for improvement include:

• Risk management
• Disaster recovery plans
• Cyber team understaffing

Git, repositories and pipelines…oh my! We unpack standard practices in the web app development process and provide guidance on how to use Tenable Web Application Scanning to secure your code.

Awesome! This should be easy. All you need to start is … Wait… what's a pipeline?

Well, let's start there. Have you ever used a code repository to track code changes? Every time you make an update to the repository files/code, you have to do what's called a “git commit” and “git push.” Developers use Git as a foundation to run their CI/CD pipelines.

Wait … what's Git, and what does CI/CD mean?

To be clear, continuous integration and continuous deployment (CI/CD) is a methodology — not a tool.

The “D” in CI/CD is often referred to as “delivery” instead of deployment. For the purposes of this blog post, since we are talking about the deployment side of it, I will use that here.

Before we get there, let’s talk about version control. Time to roll back a few years. In 2005, Linus Torvalds, the creator of Linux, built something called “Git,” an open source version control software. Version control allows you to track and control all changes to a codebase.

These codebases, called repositories, are generally used for managing code that is the basis for any software or website that you can think of. Git is the most commonly used version control system while GitHub, now owned by Microsoft, is one of the cloud-based repository hosting platforms utilizing Git.

Developers have been using this great version control tool ever since, but every time they wanted to test their production applications/software, they had to do the following:

1. Log on to a server
2. Pull code from a repository
3. Package code up in a nice zip-type file
4. Send that package to another server that was the staging/testing environment
5. Run the application and confirm it still runs at all
6. Run any tests needed against it, such as allowing other developers to come in and poke at it to find broken parts of the application

The most efficient developers would make scripts to automate some or all of this work, but there was an even better way…

Integration here might not mean what it sounds like. It means that you are building your application and running tests on a schedule or every single time you make a change to your code. Think about how much time this can save. Instead of having to assign tasks out to a team of testers, those tests run every time you change the code. Can you imagine knowing about all of your issues right away?

On top of that, continuous integration automatically builds your application, so you don’t have to package and run it yourself, letting you keep working on building.

For security pros, this is the spot in a pipeline where the dynamic application security testing (DAST) scanner — available in Tenable Web Application Scanning — can help.

At Tenable, we want developers to know about security issues as soon as possible. For reference, this is where software composition analysis (SCA) and static application security testing (SAST) scanning also live. Those tools are used for looking at source code, whereas Tenable Web Application Scanning looks at a built application and scans it with real network requests.

Jenkins is considered the first main and widely adopted CI tool. Jenkins helped teams adopt this methodology. Some teams were already doing this with homegrown solutions. We have documentation on how to deploy the web app scanner in a Jenkins CI/CD pipeline.

Deployment is when you take what you have built and push it out for real use. It’s building an application for production use rather than just for quick testing. Back in the day, developers would log onto their servers and make updates to the applications on the fly. If something broke, well, you’d better remember the changes you made and have fun spinning that back up.

Automated deployment allowed developers to run one script that would spin up an entire environment or application all in one go. Application falls down? No problem! Run the deployment and it can be back up soon.

Continuous deployment allows for changes to be made in the source code and for those to be automatically sent to production. No dev or IT team time is wasted in changing live servers.

PHEW. Ok. A CI/CD pipeline is where you combine version control (Git), continuous integration and continuous deployment. It allows teams to develop applications very quickly and not waste time. The pipeline is the ongoing stream of tests and automated actions that all happens based on code changes.

Over time, tools became better and more appeared, such as Bamboo and CircleCI and some others. GitHub Actions came out in 2015, allowing developers to automate software development workflows from within GitHub.

Tenable Web Application Scanning can scan any pipeline. It offers code examples for testing for various tools, but you can throw a test into any pipeline.

For more documentation on how to implement, see Tenable’s Documentation

Now, back to the original question: So, you want to scan some web apps in the pipeline?

You can walk through the “how to run Web App Scans in your CI/CD pipeline” in this public demo: https://demo.tenable.com/share/lajsp7ujjmzb

• View the on-demand webinar Tenable Web Application Scanning Customer Update, April 2024
• Visit the product page, https://www.tenable.com/products/web-app-scanning
• Download the data sheet, Vulnerability Exposure: A simple, scalable approach to dynamic application security testing

The FCC wants stronger cyber regulations for telecoms after cyber espionage breaches. Meanwhile, find out why cyber pros say work has become more difficult. Plus, check out tips to prevent AI-boosted financial fraud. And get the latest on vulnerability management, EU cyber challenges and CIS predictions for 2025.

Dive into six things that are top of mind for the week ending Dec. 13.

U.S. telecommunications companies may have to comply with tougher cybersecurity regulations after at least eight of them got breached by Salt Typhoon, a cyber espionage group affiliated with the Chinese government.

“The attack underscores the urgent need for robust cybersecurity frameworks to protect against escalating threats targeting the telecommunications sector,” reads a fact sheet published by the U.S. Federal Communications Commission (FCC) this week.

Here are two key ways in which the FCC wants to tighten telecoms’ regulatory screws:

• Have telecoms annually create, update and adopt cybersecurity risk-management plans and certify the plans are compliant with FCC requirements. The FCC is seeking to implement this new cybersecurity compliance framework via a Notice of Proposed Rulemaking.
• Clarify that telecoms are legally bound to secure their networks — not just their equipment — against unlawful access and interception. This would be achieved via a declaratory ruling about Section 105 of the Communications Assistance for Law Enforcement Act (CALEA).
   

If FCC commissioners vote in favor of these two measures, the declaratory ruling would go into effect right away, while the cybersecurity compliance framework would be opened for public comment.

To get more details, read the FCC document, titled “Fact Sheet: Implications of Salt Typhoon Attack and FCC Response.”

For more information about the Salt Typhoon cyber espionage attacks against telecoms:

• “New CISA Hardening Guidance Provides Valuable Insights for Network Security Engineers” (Tenable)
• “China's 'Salt Typhoon' Hackers Breached US Networks Using Existing Flaws” (PCMag)
• “Salt Typhoon's surge extends far beyond US telcos” (The Register)
• “Telcos struggle to boot Chinese hackers from networks” (Axios)
• “How to protect comms infrastructure from China-backed Salt Typhoon hackers” (Tenable)

More cybersecurity complexity and workloads. An increase in cyberthreats. Thornier regulatory compliance. Understaffed cyber teams.

Those are the top factors making work more difficult for cybersecurity professionals, according to a report from Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA).

“The Life and Times of Cybersecurity Professionals,” for which 369 IT and cybersecurity professionals were polled, found that 65% of respondents said cybersecurity work is harder today than it was two years ago.

Factors Making Cybersecurity Work More Difficult Than Two Years Ago

(Source: ““The Life and Times of Cybersecurity Professionals” by ESG and ISSA, December 2024)

Moreover, 57% of respondents said their job is stressful at least half the time, citing as the main reasons an overwhelming workload; disinterested business managers; IT initiatives launched without security oversight; and constant emergencies and disruptions.

So what can help strengthen cybersecurity professionals’ job satisfaction? These are the top five happiness boosters:

• Commitment from the leadership team to a strong cybersecurity posture
• Competitive compensation
• Career-advancement opportunities
• Strong leadership from the CISO and other cyber leaders
• Working with talented cybersecurity peers

“Organizations with a strong cybersecurity culture that empower the CISO and collaborate with and support the cybersecurity staff can not only improve security efficacy and efficiency but also create a harmonious and healthy work environment for cybersecurity teams,” Jon Oltsik, ESG analyst emeritus and report author, said in a statement.

For more information about stress and burnout among cybersecurity pros:

• “Can strategic AI deployment reduce cybersecurity burnout?” (Security Info Watch)
• “Persistent Burnout Is Still a Crisis in Cybersecurity” (Dark Reading)
• “Burnout: A chronic epidemic in the IT industry” (CIO)
• “The Hidden Culture Crisis and Human Burden Undermining Cybersecurity Resilience” (ISACA)
• “The Psychology of Cybersecurity Burnout” (InformationWeek)

The Center for Internet Security (CIS) has published a bunch of 2025 predictions from its cybersecurity experts. Here’s a small sampling.

• Zero trust adoption in the enterprise will gain momentum as cybersecurity teams scramble to secure resources and data from a wider number and variety of devices and locations, driving the need to continuously verify access and authorization.
• The IT/OT convergence will deepen, as more operational technology / industrial control systems (ICS) get connected to IT networks for purposes like remote management. Consequently, organizations will emphasize vulnerability management, threat detection and security frameworks for converged environments.

• Many enterprises have accumulated a glut of cybersecurity products and are struggling to use them effectively. In 2025, many of these organizations will consolidate their tool stack, discarding redundant and unused products, which will lead to a more impactful use of the products that are kept.
• Adoption of multicloud strategies will expand, as enterprises pursue this approach to comply with new data-sovereignty laws that create geographic-location requirements for cloud data storage.
• Regulation of AI systems will increase, and as a result AI compliance frameworks will be introduced, pushing companies to improve AI security in areas such as data privacy; AI model integrity; and use of AI-generated content.
• The concept of security-by-design will be embraced by IT teams, who will accordingly incorporate security, compliance and governance early in the design phase of their IT projects.

For more information about some of these topics, check out these Tenable resources:

• "Making Zero Trust Architecture Achievable" (blog)
• "What is vulnerability management?" (guide)
• "If You Only Have 3 Minutes: Key Elements of Effective Exposure Response" (blog)
• "AI Security Posture Management" (solutions page)
• "Walking the Walk: How Tenable Embraces Its 'Secure by Design' Pledge to CISA" (blog)

During two recent webinars about vulnerability management, we polled attendees about their involvement with patch management and about their plans for automating vulnerability remediation. Check out how they responded.

(232 webinar attendees polled by Tenable, December 2024)

(235 webinar attendees polled by Tenable, December 2024)

Watch the on-demand webinars to learn about the latest in Tenable Vulnerability Management and in Tenable Security Center.

Cybercrooks are leveraging generative AI tools to sharpen financial fraud schemes against individuals and businesses, but there are ways to prevent becoming a victim.

That’s the message from the FBI in its new public service announcement titled “Criminals Use Generative Artificial Intelligence to Facilitate Financial Fraud.”

With generative AI tools, cybercriminals create believable text, images, videos and audio that seem legit, making it hard to detect financial fraud efforts, including romance scams, impersonation schemes and investment rackets.

For example, these tools allow a cybercriminal to clone voices of real people and create fake audio that sounds like them to use in phone calls. Similarly, generative AI lets scammers doctor real videos of, say, a CEO, and turn them into a clip of the CEO instructing an employee into transferring money to a fraudulent account.
 

To protect yourself in your personal life and at work from fraud attempts that use generative AI, FBI tips include:

• Look for subtle imperfections in images and videos.
• Pay attention to the caller’s tone of voice and word choice in phone calls.
• Verify the identity of callers by hanging up and dialing directly the organization they said they’re calling you from, like a bank.
• Don’t share sensitive information with people you’ve only met online or over the phone, nor send them money, gift cards, cryptocurrency or other assets. 

For more information about the confluence of AI and financial cybercrime, including trends and prevention tips:

• “The near-term impact of AI on the cyber threat” (UK National Cyber Security Centre)
• “How a new wave of deepfake-driven cyber crime targets businesses” (Security Intelligence)
• “Managing Artificial Intelligence-Specific Cybersecurity Risks in the Financial Services Sector” (U.S. Treasury Department)
• “Identity theft is being fueled by AI & cyber-attacks” (Reuters)
• “The Dark Alliance: Addressing the Rise of AI Financial Frauds and Cyber Scams” (Michigan Journal of Economics)

Software supply chain security is a key challenge for European Union member nations, requiring concerted risk assessments and the development of common policies.

So said the European Union Agency for Cybersecurity, better known as ENISA, in its “2024 Report on the State of Cybersecurity in the Union,” whose goal is to assess the cyber landscape in the EU and offer policy recommendations to strengthen cybersecurity in all 27 EU countries. Securing the software supply chain is one of the priority areas identified in the report. 

Currently, hackers are continuously trying to insert malware into legitimate software updates that are then distributed to customers via trusted delivery channels. By 2030, attacks against software supply chains are expected to become the top emerging cybersecurity threat.
 

Right now, 74% of EU countries have legislation that defines supply chain security measures, a percentage expected to increase with new EU regulatory requirements. Meanwhile, 77% of digital service providers (DSP) and operators of essential services (OES) have a policy in place to manage third-party risk.

To shore up supply chain security, ENISA proposes “stepping up EU wide coordinated risk assessments and the development of an EU horizontal policy framework,” the report reads.

The report also tackles three other critical challenges: the cybersecurity skills gap; the management of cybersecurity crises; and the need for a coordinated approach to cybersecurity policy adoption.

Recent guidance from CISA and the FBI highlights best practices to monitor and harden network infrastructure. The guidance, published in response to high-profile attacks on telecom infrastructure, is applicable to a wider audience. This blog unpacks important points and explains how Tenable products can help with compliance scans.

In November, the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released a joint statement concerning an investigation into cyberattacks on commercial telecommunications infrastructure. The ongoing investigation centers on threat actors believed to be affiliated with the People’s Republic of China (PRC) government. In response to the cyberattacks, U.S. and international government agencies, including CISA and the FBI, authored joint guidance to help network defenders improve network visibility and security. This guidance highlights the importance of monitoring and alerting, but also provides specific ways to strengthen cybersecurity with increased configuration management and strong identity hygiene. 

The U.S. government has been monitoring PRC-sponsored groups such as Volt Typhoon and Salt Typhoon because it suspects they may be preparing for a large-scale disruption of U.S. critical infrastructure. A press release from mobile telecom provider T-Mobile highlights the activity that it has identified, the controls that it had in place to help prevent a greater threat, as well as how it is collaborating with the authorities’ investigation. According to U.S. government officials, at least eight telecommunications companies have been targeted so far but there may be more. 

The new guidance can help prevent these attacks, whose main goal is to reportedly carry out cyber espionage activities on behalf of the Chinese government by, among other things, stealing customer call-records data. The guidelines pair well with recommendations in Center for Internet Security (CIS) Benchmarks for specific network devices. CIS Benchmarks are written and maintained by industry professionals with the goal of simplifying the implementation of security controls to help mitigate risk. By using CIS Benchmarks, network and security engineers can identify and harden configurations, and establish a more secure posture as suggested by the guidance.

We’ll be taking a closer look at the specific sections in the recent guidance and highlight CIS Benchmark recommendations that align with these objectives.

This section highlights monitoring and alerting best practices. It breaks these guidelines into two sets of tasks: one for network engineers and another one for network defenders. However, the common goal is to help them find and trigger alerts on misconfigurations, changes and user account activity. One key recommendation is to use an independent and centralized log-storage environment, and if possible, a security information and event management (SIEM) solution built specifically to analyze the logs to produce alerts. 

Alerting should be focused on configuration changes; configurations that don’t meet specific criteria; and open ports or enabled services. In addition, devices that accept traffic from outside of the network (external facing) should be reviewed to ensure that only necessary services are accessible to and from the internet.

Examples of centralized logging criteria can be found in CIS Benchmarks for Cisco, Fortinet, Juniper Networks and Palo Alto Networks devices:

• Cisco: “Ensure Syslog Logging is configured”
• Fortigate: “Centralized Logging and Reporting”
• Juniper: “Ensure logging data is monitored”
• Palo Alto: “Syslog logging should be configured”

This section also focuses on monitoring user- and service-account logins to ensure that anomalous login activity is detected and prevented. Unused accounts should be disabled whenever possible. Some examples of this criteria can be found in CIS Benchmarks for Check Point Software and Palo Alto Networks devices:

• Check Point: “Ensure Deny access to unused accounts is selected”
• Palo Alto: “Ensure that the User-ID service account does not have interactive logon rights”

This section aims to help reduce risk by limiting access to the network and network devices; ensuring that communication is encrypted and secure; and providing more direct guidance with regards to Cisco-based devices. This section includes recommendations regarding access control and network segmentation, provides specific protocol guidelines (such as using only SNMPv3 when SNMP is necessary), and details what is considered to be “strong” encryption. 

First, network segmentation helps to limit movement across the network and to make it easier to inspect inbound and outbound traffic. It also helps to maintain a DMZ to contain the services that must face externally (towards the internet) and prevent direct access to backend resources and networks. Segmentation also involves creating and using VLANs, and the recommendation is that these VLANs should be used to group together devices of a similar nature, which is common in most networks. In addition to segmenting the network, the authoring agencies also recommend adopting Transport Layer Security-everywhere using strong algorithms. These guidelines can help keep threat actors out of corporate networks, as well as ensure that these actors are limited in what they can do and/or see if they manage to penetrate the outermost defenses. 

Another component of segmentation is initializing a default-deny access-control list (ACL), which can be done at the firewall level. This is important for all traffic types, but especially so when isolating management traffic for network devices. Most physical network devices, such as routers and switches, have dedicated ports for management traffic that can be attached to a physically segmented network in order to limit administrative access. Further controls on lateral movement are also recommended for the management network, and it is advisable to not manage devices directly from the internet. Some examples of segmentation and ACL firewall configurations can be found in CIS Benchmarks for Cisco, Juniper Networks, and Palo Alto Networks products.

• Cisco: “Restrict Access to VTY Sessions” and “Ensure explicit deny in access lists is configured correctly”
• Juniper: “Ensure firewall filters contain explicit deny and log term”
• Palo Alto: “Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone”

The guidance further identifies numerous insecure protocols and services and notes that they should be disabled. These include FTP, TFTP, SSHv1, HTTP, and SNMP v1/v2. Additionally, any network protocols or services in use should require authentication when available, including routing protocols. Meanwhile, you should use SNMP Version 3 with encryption and authentication. Having centralized authentication, authorization, and accounting (AAA) logging is emphasized here, in addition to prior mentions of syslog configuration. Examples of identifying and disabling protocols can be found in several CIS Benchmarks for Cisco, Fortinet, Juniper Networks, and Palo Alto Networks products:

• Cisco: “Set version 2 for 'ip ssh version'”
• Fortigate: “Disable all management related services on WAN port” and “Ensure only SNMPv3 is enabled”
• Juniper: “Ensure Web-Management is not Set to HTTP”
• Palo Alto: “Ensure HTTP and Telnet options are disabled for the management interface”

This section highlights specific criteria for Cisco devices. Disabling the Smart Install and Guest Shell features is recommended, as is disabling Telnet in favor of SSH. Specific commands are also provided to disable HTTP-only access so that device management is performed over HTTPS instead. If UI access is not necessary, the secure service should also be disabled. The specific password type recommended is type-8 when possible, and type-6 encryption for securing the Terminal Access Controller Access-Control System + (TACACS+) key. The document also links to the hardening guide for Cisco IOS XE and a guide for securing NX-OS devices.

The secure-by-design concept helps introduce the security conversation earlier in the development lifecycle. This approach helps ensure that security considerations are addressed at the beginning of the product lifecycle. Customers should make sure that products they plan to buy adhere to this principle. CISA has more information on its “Secure by Design” site. Tenable has committed to a secure-by-design approach, as can be seen in a recent initiative reported on here and here.

This overview is meant to help give network and security engineers a summary of the best practices, as well as provide insight on how CIS Benchmarks cover many of the guidance’s topics. Still, engineers should read the guidance to ensure they fully understand the material and how it relates to their own networks. It’s equally important to map out the network and understand what devices exist and where they are placed. However, this is only a first step in securing the network.

Tenable has several products, such as Tenable Vulnerability Management, Tenable Security Center, and Nessus that support auditing a wide array of devices and operating systems using CIS Benchmarks. These products could help with maintaining control over risk factors that threat actors often attempt to exploit. Tenable audits are written to test for the criteria of each automated recommendation in CIS Benchmarks. After an evaluation is run against the target, a result is provided as well as remediation text from the CIS Benchmark so that engineers can remediate and harden the device or operating system.

Tenable provides audit files for the following CIS Benchmarks to help organizations assess device configurations:

• CIS Check Point Firewall Benchmark v1.1.0 - Level 1, Level 2 
• CIS Cisco ASA 9.x Firewall Benchmark v1.1.0 - Level 1, Level 2 
• CIS Cisco Firewall v8.x Benchmark v4.2.0 - Level 1 
• CIS Cisco IOS XE 16.x Benchmark v2.1.0 - Level 1, Level 2 
• CIS Cisco IOS XE 17.x Benchmark v2.1.1 - Level 1, Level 2 
• CIS Cisco IOS XR 7.x v1.0.0 - Level 1, Level 2 
• CIS Cisco NX-OS Benchmark v1.1.0 - Level 1, Level 2 
• CIS Fortigate 7.0.x Benchmark v1.3.0 - Level 1, Level 2 
• CIS Juniper OS Benchmark v2.1.0 - Level 1, Level 2 
• CIS Palo Alto Firewall 10 Benchmark v1.2.0 - Level 1, Level 2 
• CIS Palo Alto Firewall 11 Benchmark v1.1.0 - Level 1, Level 2 

These CIS Benchmarks align with the intent of the CISA hardening guidance. The example below highlights the CIS Cisco IOS XE 17.x v2.1.1 CIS Benchmark, and how it relates to the CISA hardening guidance:

Section 1.1 - Authentication, Authorization and Accounting (AAA) configuration

• Strengthening visibility as AAA logging supports user account login monitoring, and tracking changes
• Hardening systems and devices by providing identity management and policy enforcement

Section 1.2 - Access Rules for device administration

• Hardening systems and devices by restricting device management, and ensuring sessions are limited

Section 1.3 - Banner Rules to communicate legal rights to users

• Strengthening visibility by informing users they are subject to monitoring, and the event logs can support prosecution

Section 1.4 - Password Rules to enforce secure credentials and password lifecycle

• Hardening systems and devices by ensuring strong passwords are utilized, and passwords are securely stored

Section 1.5 - SNMP Rules provides guidance for secure configuration parameters

• Hardening systems and devices by ensuring SNMP is disabled, or is configured with secure parameters

Section 2.1 - Global Service Rules to reduce attack surface and disable unnecessary services

• Hardening systems and devices by disabling unnecessary, unused, exploitable, or plaintext services and protocols

Section 2.2 - Logging Rules configures log collection and forwarding

• Strengthening visibility by collecting event logs, and forwarding to a central log collection source
• Hardening systems and devices by forwarding logs to a central log collection source

Section 2.3 - NTP Rules ensures system time is provided by a single, consistent source

• Strengthening visibility by ensuring a consistent time source for event logs
• Hardening systems and devices by requiring that NTP is authenticated

Section 2.4 - Lookback Rules for configuring device initiated connections to supporting services such as AAA, SYSLOG, or NTP

• Hardening systems and devices by ensuring that traffic is initiated from a specific source, which can be used to set ACLs/filtering

Section 3.1 - Routing Rules to disable unneeded services

• Hardening systems and devices by disabling unneeded services such as source routing

Section 3.2 - Border Router Filtering defines filtering between internal and external networks

• Hardening systems and devices by implementing a strategy to control inbound and egress traffic

Section 3.3 - Neighbor Authentication configures routing protocol authentication

• Hardening systems and devices by requiring routing protocols are authenticated

• Tenable Nessus
• Tenable Security Center
• Tenable Vulnerability Management
• Tenable Research audits
• Who is CIS?
• "Enhanced Visibility and Hardening Guidance for Communications Infrastructure" joint publication from various U.S. and international government agencies

Microsoft addressed over 1000 CVEs as part of Patch Tuesday releases in 2024, including 22 zero-day vulnerabilities.

Microsoft’s Patch Tuesday, a monthly release of software patches for Microsoft products, has just celebrated its 21st anniversary. After a wrap-up covering the 20th anniversary in 2023, the Tenable Security Response Team (SRT) chose to keep the tradition and cover trends and significant vulnerabilities from the 2024 Patch Tuesday releases.

In 2024, Microsoft patched 1,009 CVEs throughout the year across a multitude of products. In contrast, 2023 saw 909 CVE’s patched and in 2022, 917 CVE’s were patched. While Microsoft has yet to break its 2020 record with 1,245 CVE’s patched, 2024 was still significant, as it is only the second time since Patch Tuesday’s inception that Microsoft patched over 1,000 CVE’s in a year.

Year over year, we see a steady increase in CVEs patched, with the exception of the outlier in 2020, a peak CVE count we have not yet seen matched.

In 2024, the largest CVE count was observed in April, with Microsoft releasing patches for 147 CVEs. Only three months saw CVE counts over 100, with an average of 84 CVE’s patched per month.

Each month, Microsoft categorizes vulnerabilities into four main severity levels: low, moderate, important and critical.

Just as in 2023, 2024 saw the majority of vulnerabilities rated as important, accounting for 93.6% of all CVEs patched, followed by critical at 5.4%. Moderate accounted for 1.1%, while there were no CVEs rated as low in 2024.

In addition to severity levels, Microsoft also categorizes vulnerabilities by seven impact levels: remote code execution (RCE), elevation of privilege (EoP), denial of service (DoS), information disclosure, spoofing, security feature bypass and tampering.

Once again in 2024, RCE vulnerabilities led the impact category, accounting for 39.7%, while EoP vulnerabilities accounted for 28.8%. DoS vulnerabilities ranked third, accounting for 10%, followed by information disclosure flaws at 8.3% and security feature bypass vulnerabilities at 8.0%. Last year, there were no vulnerabilities categorized as tampering, but this year, there were just four, which accounted for 0.4%.

According to Statista, Microsoft’s Windows operating system (OS) has a 72% market share as of February 2024, making it the most prominent OS. With the largest market share, Microsoft remains a top target for cybercriminals and advanced persistent threat (APT) groups. On occasion, these groups find and exploit vulnerabilities that remain unknown to Microsoft, known as zero-day vulnerabilities. Zero-day vulnerabilities are defined as vulnerabilities in software that have been exploited in the wild and/or have been publicly disclosed prior to patches becoming available. These zero-day vulnerabilities are often leveraged in limited, targeted attacks, however exploitation of these flaws can vary in depth and breadth.

In 2024, Microsoft patched 22 CVEs that were identified as zero-day vulnerabilities. Of the 22 zero-day vulnerabilities patched in 2024, 36.4% were EoP flaws. EoP vulnerabilities are often leveraged by APT actors and by determined cybercriminals seeking to elevate privileges as part of post-compromise activity. Following EoP flaws, security feature bypass vulnerabilities accounted for 27.3% of zero-days in 2024. While RCEs were the most prominent vulnerabilities across Patch Tuesday, they only accounted for 18.2% of zero-day flaws.

While these zero-days made up a small portion of the overall CVE’s addressed by Microsoft in 2024, we analyzed some of the most notable zero-day vulnerabilities of 2024. The table below includes these CVE’s with some details around their exploitation activity.

As we reflect on Patch Tuesday vulnerabilities in 2024, despite the year over year CVE counts being steady, we observed a small increase this year. While there will always be outliers, it is likely that 2025 will continue to follow an upward trend. In June, Microsoft announced that CVE’s would be issued for vulnerabilities in cloud-based products, even when no end user action is required. This could lead to a sharp increase in the number of CVEs assigned next year.

View the video below for a summary of key takeaways:

The SRT will continue to blog about Patch Tuesday each month along with other significant vulnerabilities that represent risk across the threat landscape, ensuring our readers are equipped with the most up to date information about the exposures that require immediate action.

• Tenable Blog: Microsoft Patch Tuesday 2023 Year in Review

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

1. 16Critical
2. 54Important
3. 0Moderate
4. 0Low

Microsoft addresses 70 CVEs with 16 rated critical, including one zero-day that was exploited in the wild.

Microsoft patched 70 CVEs in its December 2024 Patch Tuesday release, with 16 rated critical, and 54 rated as important.

This month’s update includes patches for:

• GitHub
• Microsoft Defender for Endpoint
• Microsoft Office
• Microsoft Office Access
• Microsoft Office Excel
• Microsoft Office Publisher
• Microsoft Office SharePoint
• Microsoft Office Word
• Remote Desktop Client
• Role: DNS Server
• Role: Windows Hyper-V
• System Center Operations Manager
• Windows Cloud Files Mini Filter Driver
• Windows Common Log File System Driver
• Windows File Explorer
• Windows IP Routing Management Snapin
• Windows Kernel
• Windows Kernel-Mode Drivers
• Windows LDAP - Lightweight Directory Access Protocol
• Windows Local Security Authority Subsystem Service (LSASS)
• Windows Message Queuing
• Windows Mobile Broadband
• Windows PrintWorkflowUserSvc
• Windows Remote Desktop
• Windows Remote Desktop Services
• Windows Resilient File System (ReFS)
• Windows Routing and Remote Access Service (RRAS)
• Windows Task Scheduler
• Windows Virtualization-Based Security (VBS) Enclave
• Windows Wireless Wide Area Network Service
• WmsRepair Service

Remote code execution (RCE) vulnerabilities accounted for 42.9% of the vulnerabilities patched this month, followed by elevation of privilege (EoP) vulnerabilities at 38.6%.

CVE-2024-49138 is an EoP vulnerability in the Windows Common Log File System (CLFS) Driver. It was assigned a CVSSv3 score of 7.8 and is rated as important. It was exploited in the wild as a zero-day, though no details about the in-the-wild exploitation were known at the time this blog post was published.

In addition to CVE-2024-49138, Microsoft patched two other CLFS driver EoP vulnerabilities: CVE-2024-49090, CVE-2024-49088, both assigned a CVSSv3 score of 7.8, were rated as important and assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index.

This is the ninth vulnerability in the Windows CLFS driver patched in 2024, and the first that was exploited in the wild as a zero-day this year. In 2023, there were 10 CLFS vulnerabilities patched, including two zero-day vulnerabilities in the CLFS driver that were exploited (CVE-2023-28252, CVE-2023-23376). CLFS driver vulnerabilities have been a popular attack vector and exploited in the wild by ransomware operators in the last few years according to researchers.

CVE-2024-49070 is a RCE vulnerability in Microsoft SharePoint. It was assigned a CVSSv3 score of 7.4 and is rated as important. Microsoft’s advisory notes that complexity is high and successful exploitation requires the attacker to first prepare the target in order to improve reliability of an exploit. While no details have been provided, Microsoft assessed this vulnerability as “Exploitation More Likely.”

In addition to CVE-2024-49070, Microsoft patched two information disclosure vulnerabilities (CVE-2024-49062, CVE-2024-49064) and an EoP vulnerability (CVE-2024-49068) in Microsoft SharePoint.

CVE-2024-49118 and CVE-2024-49122 are RCE vulnerabilities in Microsoft Message Queuing (MSMQ). Both were assigned a CVSSv3 score of 8.1 and are rated as critical. According to both of the Microsoft advisories, successful exploitation requires an attacker winning a race condition. Despite this requirement, Microsoft assessed CVE-2024-49122 as “Exploitation More Likely” while CVE-2024-49118 was assessed as “Exploitation Less Likely” as the winning the race condition must occur “during the execution of a specific operation that recurs in a low frequency on the target system.”

In order for a system to be vulnerable, the MSMQ service must be added and enabled. According to Microsoft, if the service is enabled on a Windows installation, a service named “Message Queueing” will be running on TCP port 1801. Tenable customers can use Plugin ID 174933 to identify systems that have this service running.

CVE-2024-49118 and CVE-2024-49122 brings the total to six RCE’s affecting MSMQ that were patched in 2024. One was addressed in the June Patch Tuesday (CVE-2024-30080) release, two addressed in the April Patch Tuesday (CVE-2024-26232, CVE-2024-26208) release and one in February's Patch Tuesday (CVE-2024-21363) release.

CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128 and CVE-2024-49132 are RCE vulnerabilities affecting Windows Remote Desktop Services. All nine of these vulnerabilities were rated as critical and received CVSSv3 scores of 8.1. Successful exploitation is complex and requires an attacker to trigger a race condition in order to “create a use-after-free scenario” which could lead to arbitrary code execution. With a high complexity for exploitation, Microsoft assessed these vulnerabilities as “Exploitation Less Likely.”

In addition to these nine RCE’s, Microsoft addressed CVE-2024-49075, a DoS vulnerability affecting Remote Desktop Services.

A list of all the plugins released for Microsoft’s December 2024 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

• Microsoft's December 2024 Security Updates
• Tenable plugins for Microsoft December 2024 Patch Tuesday Security Updates

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Healthcare is one of the most highly regulated industry sectors in the world. Adhering to compliance standards while also ensuring optimal patient experiences is a challenge. DSPM capabilities in Tenable Cloud Security can ease the burden on cybersecurity teams.

When it comes to cybersecurity, the healthcare sector can find itself stuck between a rock and a hard place. To improve patient care, organizations in this sector are constantly trying to innovate, adopting new technologies to improve the patient experience.

In parallel, healthcare organizations must also ensure that they have the proper cybersecurity guardrails in place to use and store the influx of new patient data they collect. Such data includes personal health information (PHI), which is subject to strict regulations like the U.S. Health Insurance Portability and Accountability Act (HIPAA) and the EU’s General Data Protection Regulation (GDPR).

Organizations in this sector must be forward-thinking and embrace innovation while maintaining rigorous data security and ensuring compliance with ever-evolving industry regulations.

Tenable Cloud Security’s Data Security Posture Management (DSPM) capabilities empower healthcare organizations to navigate this balancing act and provide their patients with care and services powered by the most cutting-edge technology, while holistically securing their most sensitive data.

Think of your organization's data security posture as its overall health. Just as a healthy individual has strong natural immunity defenses that fight off illnesses, a strong data security posture is one that has proactive measures implemented to prevent data breaches and unauthorized access.

Tenable Cloud Security provides unmatched value to healthcare organizations, helping them build strong security postures in several ways:

• Continuous monitoring: Tenable Cloud Security constantly monitors cloud environments for suspicious activity, unauthorized access attempts and potential vulnerabilities. This allows cybersecurity teams to identify and address threats before they can cause harm.
• Automated threat detection: Tenable Cloud Security utilizes advanced technology to detect sophisticated cyberthreats before data is exfiltrated or compromised. This ensures that organizations do not rely solely on manual detection methods, which can be time-consuming, ineffective and prone to error.
• Compliance management: Healthcare is one of the most highly regulated and stringently controlled sectors in the market. Tenable Cloud Security helps organizations remain continuously compliant with industry standards and government regulations by providing tools and insights to identify and manage sensitive data.

Just as a doctor uses an X-ray to reveal and diagnose hidden health issues, data discovery plays a crucial role in identifying unknown cybersecurity threats. Tenable Cloud Security utilizes advanced data discovery techniques to uncover sensitive data residing across an organization’s cloud environment, even in unexpected locations. This comprehensive understanding of your company’s data landscape allows you to implement appropriate security controls and close any potential security gaps.

Tenable Cloud Security takes data discovery a step further by:

• Automating the process: Tenable Cloud Security automates the discovery of sensitive data, eliminating the need for manual searches and reducing the risk of human error.
• Data classification: Tenable Cloud Security classifies your data based on its sensitivity level, allowing you to prioritize your security efforts and focus on protecting the most critical information.
• Continuous discovery: Tenable Cloud Security continuously monitors your cloud environment for new data and automatically identifies any new sensitive information that is added.

By understanding and classifying your data, Tenable easily implements appropriate security controls such as access restrictions and encryption to ensure its confidentiality and integrity.

Just as regular checkups and proactive healthcare are crucial for maintaining good health, continuously monitoring and addressing underlying security posture issues are essential for securing sensitive data. Ignoring potential cyberthreats, even if they seem minor, can lead to serious consequences down the line, including data exfiltration and malicious activity.

With Tenable Cloud Security, healthcare organizations can achieve the perfect balance of innovation and compliance. This ensures the confidentiality, integrity and availability of sensitive patient data, allowing you to focus on your core mission of providing excellent care and driving advancements in healthcare.

• View the on-demand webinar: Know Your Exposure: Is Your Cloud Data Secure in the Age of AI?
• Download the data sheet: Data Security in a Unified Cloud Security Solution
• View the infographic: When CNAPP met DSPM
• Watch the demo video

Don’t miss the Linux Foundation’s deep dive into open source software security. Plus, cyber agencies warn about China-backed cyber espionage campaign targeting telecom data. Meanwhile, a study shows the weight of security considerations in generative AI projects. And get the latest on ransomware trends, financial cybercrime and critical infrastructure security.

Dive into six things that are top of mind for the week ending Dec. 6.

Improperly secured developer accounts. Lack of a standard naming schema for software components. The persistence of legacy software.

Those three issues put the reliability and security of free and open source software (FOSS) at risk, a new Linux Foundation study has found. 

Published this week, “Census III of Free and Open Source Software — Application Libraries” is based on about 12 million observations of FOSS at 10,000-plus companies. Its aim: to provide a better understanding of FOSS use and security challenges, given FOSS’ widespread adoption globally.

“Our goal is to not only provide an updated list of the most widely used FOSS, but to also provide an example of how the distributed nature of FOSS requires a multi-party effort to fully understand the value and security of the FOSS ecosystem,” the study reads.

Data sharing, coordination and investment are keys to preserving the value of FOSS, which has become critical for the digital economy, the authors wrote.

Here are more details about the three key security issues identified in the study:

• To conduct their FOSS work, developers often use individual accounts, which typically lack the security protections of organizational accounts. Hosting FOSS projects under individual developer accounts creates multiple risks, such as making it easier for hackers to breach individual computing environments and tamper with FOSS code.
• A lot of legacy FOSS software still exists that isn’t being maintained nor updated, which makes the software more vulnerable to attacks.
• The FOSS ecosystem needs a standardized schema for naming software components, a key issue for supply chain security. “Until one is widely used, strategies for software security, transparency and more will have limited effect,” the study reads.

For more information about open source security:

• “Concise Guide for Developing More Secure Software” (Open Source Security Foundation)
• “OWASP Top 10 Risks for Open Source Software” (OWASP)
• “CISA Open Source Software Security Roadmap” (CISA)
• “Seven ways to secure open-source software” (SC World)
• “Is Open Source a Threat to National Security?” (InformationWeek)

Security teams in charge of defending networks and communications infrastructure should take steps to prevent attacks from China-affiliated hackers that have recently compromised the networks of major global telecom providers.

So said cyber agencies from Australia, Canada, New Zealand and the U.S. this week in a joint document that offers network and communications-infrastructure engineers recommendations for strengthening network visibility and hardening systems.

The silver lining: The cyberattackers are exploiting known, existing weaknesses in their victims’ infrastructure. “No novel activity has been observed,” reads the publication, titled “Enhanced Visibility and Hardening Guidance for Communications Infrastructure.”

“Patching vulnerable devices and services, as well as generally securing environments, will reduce opportunities for intrusion and mitigate the actors’ activity,” the document adds.

These are some of the recommendations for defenders of networks and communications systems.

• To enhance visibility
  • Adopt alerting mechanisms to detect unauthorized changes to the network and configuration modifications to network devices.
  • Monitor anomalous logins into user and service accounts, and disable inactive accounts.
  • Implement a centralized logging system that can analyze data from multiple sources.
• To harden systems and devices
  • Implement strong network segmentation.
  • Adopt an access control list (ACL) strategy that denies access to the network by default, and log all denied traffic.
  • Disconnect unneeded internet-facing infrastructure and monitor the infrastructure that does need to be exposed to the internet.

The joint document doesn’t name the hacking group. However, The Wall Street Journal identified it as Salt Typhoon when, citing anonymous sources, it reported in September that the group had breached several U.S. telecoms, including Verizon and AT&T. 

Salt Typhoon’s main goal is reportedly to carry out cyber espionage activities on behalf of the Chinese government. Salt Typhoon’s cyber espionage campaign is “ongoing” and authorities feel there is still much to be discovered about it, a Cybersecurity and Infrastructure Security Agency (CISA) official told reporters this week.

“We cannot say with certainty that the adversary has been evicted,” CISA official Jeff Greene said during a press call, as quoted by Politico. According to NBC News, Greene also recommended that Americans use encrypted messaging apps to protect themselves from Salt Typhoon.

Last month, CISA and the FBI described the Chinese-government backed cyber espionage campaign as “broad and significant,” resulting in the theft of customer call records data; the compromise of private communications of government officials and politicians; and the copying of law enforcement information related to wiretap requests.

For more information about Salt Typhoon and its ongoing cyber espionage campaign:

• “Salt Typhoon's surge extends far beyond US telcos” (The Register)
• “Chinese hackers breached T-Mobile's routers to scope out network” (Bleeping Computer)
• “Telcos struggle to boot Chinese hackers from networks” (Axios)
• “China's 'Salt Typhoon' Hackers Breached US Networks Using Existing Flaws” (PCMag)
• “Salt Typhoon Builds Out Malware Arsenal With GhostSpider” (Dark Reading)

As organizations deepen their generative AI use, security and data protection considerations feature prominently in their plans — including whether to build their own generative AI infrastructure.

That’s according to the Linux Foundation’s “Shaping the Future of Generative AI” report, which polled 316 respondents familiar with their organizations’ generative AI adoption. 

“Security remains a cornerstone of this transformation. As organizations embrace GenAI, safeguarding sensitive data and ensuring compliance with industry standards have become critical imperatives,” reads an Open Source Security Foundation blog about the report.

Among organizations deploying their own generative AI infrastructure, security and data control ranked as the top motivation for doing so. Three other data security priorities — data sovereignty; privacy; and intellectual property protection — ranked third, fifth and eighth, respectively.

(Source: Linux Foundation's "Shaping the Future of Generative AI," November 2024)

Meanwhile, respondents, who were based primarily in the Americas, Europe and Asia-Pacific, ranked security as the second most important criteria when choosing a generative AI model or tool, with privacy and regulatory compliance ranking fourth and fifth, respectively.

(Source: Linux Foundation's "Shaping the Future of Generative AI," November 2024)

Furthermore, respondents, who included executives, developers, consultants, data scientists and operations staffers, also ranked security and data protection risks high when asked about their concerns when adopting generative AI models and tools.

(Source: Linux Foundation's "Shaping the Future of Generative AI," November 2024)

For more information about AI security, check out these Tenable blogs:

• “AI Security Roundup: Best Practices, Research and Insights”
• “How to Discover, Analyze and Respond to Threats Faster with Generative AI”
• “Never Trust User Inputs — And AI Isn't an Exception: A Security-First Approach”
• “Securing the AI Attack Surface: Separating the Unknown from the Well Understood”
• “Do You Think You Have No AI Exposures? Think Again”

Here’s a report that cyber teams at critical infrastructure organizations will likely find useful and informative.

The topic: How CISA’s red team breached a critical infrastructure organization’s IT network and then compromised a domain controller and a human machine interface (HMI), which served as an operational technology (OT) dashboard.

The unnamed organization requested that CISA conduct the red team assessment (RTA), in which CISA acted like a cyberattacker to probe the organization’s cybersecurity detection and response processes and procedures.

In broad strokes, here are some of the ways in which CISA’s red team circumvented the critical infrastructure organization’s cyber defenses:

• After failing to gain initial success via spearphishing, CISA’s red team hit pay dirt when it discovered a web shell left on a Linux web server by mistake.
• Using the web shell, CISA’s red team ran arbitrary commands on the Linux web server and moved laterally into the internal network. 
• Using valid accounts, it compromised the organization’s domain and several sensitive business systems.
• Eventually, CISA’s team compromised a Windows domain controller, which allowed it to move laterally to all Windows hosts. 
• With persistent access to Linux and Windows systems across the organization’s networks, CISA’s red team probed further, accessing, among other assets, the HMI OT dashboard.

Timeline of CISA's red team cyberthreat activity

(Source: CISA’s advisory “Enhancing Cyber Resilience: Insights from CISA Red Team Assessment of a US Critical Infrastructure Sector Organization,” November 2024)

Key findings include:

• The organization didn’t properly block access from the perimeter network to the internal network.
• The organization relied too much on host-based tools, while lacking sufficient network-layer protections.
• Multiple systems were insecurely configured.
• The organization failed to review security alerts that were triggered by the red team’s actions.
• Identity management was poor.
• The organization used software that is known to be insecure and outdated.

Some of CISA’s mitigation recommendations for cybersecurity teams are:

• Adopt the principle of least privilege, segment the perimeter network, and adopt firewalls, access control lists and intrusion prevention systems.
• Tune network appliances to detect anomalous behavior, and limit the use of admin tools.
• Harden system configuration by, for example, removing “unconstrained delegation” functionality from all servers.
• Keep systems and software up to date.
• Adopt a centralized identity and access management system.
• Prohibit the storage of passwords in plaintext.

To get all the details, read CISA’s advisory “Enhancing Cyber Resilience: Insights from CISA Red Team Assessment of a US Critical Infrastructure Sector Organization.”

To learn more about securing OT systems in critical infrastructure environments, check out these Tenable resources:

• “CISA Finding: 90% of Initial Access to Critical Infrastructure Is Gained Via Identity Compromise. What Can You Do About It?” (blog)
• “OT Security Master Class: Understanding the Key Principles, Challenges, and Solutions” (on-demand webinar)
• “Operational Technology (OT) Security: How to Reduce Cyber Risk When IT and OT Converge” (guide)
• “5 Key OT Security Use Cases For The DoD: Safeguarding OT Networks and Cyber-Physical Systems” (white paper)
• “Unlock Advanced IoT Visibility in your OT Environment Security” (on-demand webinar)

Here’s a stat to remind your organization to make sure its virtual private network (VPN) system is configured correctly, has no vulnerabilities and is up to date: Almost 30% of ransomware attacks in the third quarter compromised insecure VPNs to gain initial access, sharply up from about 5% in the second quarter.

That’s according to Corvus Insurance’s “Q3 2024 Cyber Threat Report,” which said many of the ransomware attacks in Q3 leveraged outdated VPN software and poorly protected VPN gateways. 

Specifically, organizations shouldn’t allow the use of common usernames and weak passwords in their VPN user accounts, and should protect them with multi-factor authentication. 

“The persistence of weak credentials and lack of multi-factor authentication on VPN gateways has facilitated these attacks, making secure access controls crucial for mitigating threats,” reads the report.

The Corvus ransomware report also found that five ransomware groups — RansomHub, PLAY, LockBit 3.0, MEOW and Hunters International — accounted for 40% of all attacks. However, the ransomware ecosystem remains diverse, with almost 60 groups active during the third quarter, which makes the threat landscape more complex for cyber teams to manage.

For more information about ransomware prevention:

• “How Can I Protect Against Ransomware?” (CISA)
• “Best practices for protection from ransomware in cloud storage” (TechTarget)
• “Steps to Help Prevent & Limit the Impact of Ransomware (Center for Internet Security)
• “Mitigating malware and ransomware attacks” (UK National Cyber Security Centre)
• “Preventing Ransomware Attacks at Scale” (Harvard Business Review)

VIDEO

Ultimate Guide to Ransomware for Businesses (TechTarget)

A five-month Interpol operation led by South Korea has led to the arrest of 5,500-plus suspected financial cybercriminals and to the seizure of more than $400 million in assets.

With Operation HAECHI, Interpol and law enforcement partners from 40 countries went after cyber crooks involved in a variety of financial scams, including:

• voice phishing
• romance scams
• investment fraud
• e-commerce fraud

International collaboration is key to fighting financial cybercrime, which has devastating effects on its victims, Interpol Secretary General Valdecy Urquiza said in a statement.

“It’s only through united efforts that we can make the real and digital worlds safer,” he said.