Cybersecurity Framework | Breaking Cybersecurity News | The Hacker News

In the modern enterprise, data security is often discussed using a complex lexicon of acronyms—DLP, DDR, DSPM, and many others. While these acronyms represent critical frameworks, architectures, and tools for protecting sensitive information, they can also overwhelm those trying to piece together an effective security strategy. This article aims to demystify some of the most important acronyms in data security today and offer practical guidance to help businesses navigate the data security landscape and protect their most valuable assets with confidence. What's driving data security? In today's ever-evolving digital landscape, data security has become a top priority for businesses of all sizes. As data continues to be the most valuable asset for organizations, the need to protect it from breaches, unauthorized access, and other security threats grows. But what exactly is driving businesses to prioritize data security? From compliance with regulations to safeguarding intellectual pr...

It's been a decade since the National Institute of Standards and Technology (NIST) introduced its Cybersecurity Framework (CSF) 1.0. Created following a 2013 Executive Order, NIST was tasked with designing a voluntary cybersecurity framework that would help organizations manage cyber risk, providing guidance based on established standards and best practices. While this version was originally tailored for Critical infrastructure, 2018's version 1.1 was designed for any organization looking to address cybersecurity risk management.  CSF is a valuable tool for organizations looking to evaluate and enhance their security posture. The framework helps security stakeholders understand and assess their current security measures, organize and prioritize actions to manage risks, and improve communication within and outside organizations using a common language. It's a comprehensive collection of guidelines, best practices, and recommendations, divided into five core functions: Identify, Pr...

Everybody knows browser extensions are embedded into nearly every user's daily workflow, from spell checkers to GenAI tools. What most IT and security people don't know is that browser extensions' excessive permissions are a growing risk to organizations. LayerX today announced the release of the Enterprise Browser Extension Security Report 2025 , This report is the first and only report to merge public extension marketplace statistics with real-world enterprise usage telemetry. By doing so, it sheds light on one of the most underestimated threat surfaces in modern cybersecurity: browser extensions. The report reveals several findings that IT and security leaders will find interesting, as they build their plans for H2 2025. This includes information and analysis on how many extensions have risky permissions, which kinds of permissions are given, if extension developers are to be trusted, and more. Below, we bring key statistics from the report. Highlights from the Enterprise Browse...

The US National Institute of Standards and Technology (NIST) cybersecurity framework is one of the world's most important guidelines for securing networks. It can be applied to any number of applications, including SaaS.  One of the challenges facing those tasked with securing SaaS applications is the different settings found in each application. It makes it difficult to develop a configuration policy that will apply to an HR app that manages employees, a marketing app that manages content, and an R&D app that manages software versions, all while aligning with NIST compliance standards.  However, there are several settings that can be applied to nearly every app in the SaaS stack. In this article, we'll explore some universal configurations, explain why they are important, and guide you in setting them in a way that improves your SaaS apps' security posture.  Start with Admins Role-based access control (RBAC) is a key to NIST adherence and should be applied to ev...

Discover all the ways MITRE ATT&CK can help you defend your organization. Build your security strategy and policies by making the most of this important framework. What is the MITRE ATT&CK Framework? MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a widely adopted framework and knowledge base that outlines and categorizes the  tactics, techniques, and procedures (TTPs) used in cyberattacks . Created by the nonprofit organization MITRE, this framework provides security professionals with insights and context that can help them comprehend, identify, and mitigate cyber threats effectively. The techniques and tactics in the framework are organized in a dynamic matrix. This makes navigation easy and also provides a holistic view of the entire spectrum of adversary behaviors. As a result, the framework is more actionable and usable than if it were a static list. The MITRE ATT&CK Framework can be found here:  https://attack.mitre.org/ Loo...

If you're a cybersecurity professional, you're likely familiar with the sea of acronyms our industry is obsessed with. From CNAPP, to CWPP, to CIEM and all of the myriad others, there seems to be a new initialism born each day. In this article, we'll look at another trending acronym – CTEM, which stands for Continuous Threat Exposure Management – and the often-surprising challenges that come along with seeing a CTEM program through to maturity. While the concept of CTEM isn't brand spanking new, having made its in-print debut in July of 2022, we are now at the point where many organizations are starting to try to operationalize the programs that they've been setting into motion over the last few months. And as organizations start to execute their carefully designed plans, they may find themselves bumping up against some unexpected challenges which can lead to setbacks.  What is Continuous Threat Exposure Management (CTEM)? But first, to backtrack, let's just...

Cobalt, Lazarus, MageCart, Evil, Revil — cybercrime syndicates spring up so fast it's hard to keep track. Until…they infiltrate  your  system. But you know what's even more overwhelming than rampant cybercrime? Building your organization's security framework.  CIS, NIST, PCI DSS, HIPAA, HITrust, and the list goes on. Even if you had the resources to implement every relevant industry standard and control to a tee, you still couldn't keep your company from getting caught up in the next SolarWinds. Because textbook security and check-the-box compliance won't cut it. You've got to be strategic ( especially when manpower is limited! ). And lean. Learn the ropes now.  3 Pro Tips for Building Your Lean Security Framework Without a framework in place, you're either navigating the cyber-risk universe with blinders on — or buried so deep in false positives you couldn't spot a complex attack until it's already laterally advancing. But why build your secu...

When I want to know the most recently published best practices in cyber security, I visit The National Institute of Standards and Technology (NIST). From the latest password requirements (NIST 800-63) to IoT security for manufacturers (NISTIR 8259), NIST is always the starting point. NIST plays a key role as a US standard-setter, due to the organization's professionalism and the external experts who help to create NIST documents. The NIST Cybersecurity Framework (CSF) was initially released in 2014 and last updated in 2018. The framework enables organizations to improve the security and resilience of critical infrastructure with a well-planned and easy-to-use framework. The continuing growth in SaaS, and the major changes to the work environment due to COVID-19 bring new security challenges. Although the CSF was written and updated while SaaS was on the rise, it is still geared towards the classic legacy critical infrastructure security challenges. However, organizations can bet...

End-user passwords are one of the weakest components of your overall security protocols. Most users tend to reuse passwords across work and personal accounts. They may also choose relatively weak passwords that satisfy company password policies but can be easily guessed or brute-forced. Your users may also inadvertently use  breached passwords  for their corporate account password. The  National Institute of Standards and Technology (NIST)  has a cybersecurity framework that helps organizations address common cybersecurity pitfalls in their environment, including weak, reused, and breached passwords. This post will take a closer look at the NIST password guidelines and see how you can effectively audit your password policies to ensure these meet the standards recommended by NIST. NIST Password Guidelines and Best Practices Specific guidance around passwords is addressed within the chapter titled  Memorized Secret Verifiers . NIST has several recommendations...

Microsoft, in collaboration with MITRE, IBM, NVIDIA, and Bosch, has released a  new open framework  that aims to help security analysts detect, respond to, and remediate adversarial attacks against machine learning (ML) systems. Called the  Adversarial ML Threat Matrix , the initiative is an attempt to organize the different techniques employed by malicious adversaries in subverting ML systems. Just as artificial intelligence (AI) and ML are being deployed in a wide variety of novel applications, threat actors can not only  abuse the technology  to power their malware but can also leverage it to  fool machine learning models  with poisoned datasets, thereby causing beneficial systems to make incorrect decisions, and pose a threat to stability and safety of AI applications. Indeed, ESET researchers last year found  Emotet  — a notorious  email-based malware  behind several botnet-driven spam campaigns and ransomware attacks — to...