#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

NIST | Breaking Cybersecurity News | The Hacker News

SaaS Compliance through the NIST Cybersecurity Framework

SaaS Compliance through the NIST Cybersecurity Framework
Feb 20, 2024 Cybersecurity Framework / SaaS Security
The US National Institute of Standards and Technology (NIST) cybersecurity framework is one of the world's most important guidelines for securing networks. It can be applied to any number of applications, including SaaS.  One of the challenges facing those tasked with securing SaaS applications is the different settings found in each application. It makes it difficult to develop a configuration policy that will apply to an HR app that manages employees, a marketing app that manages content, and an R&D app that manages software versions, all while aligning with NIST compliance standards.  However, there are several settings that can be applied to nearly every app in the SaaS stack. In this article, we'll explore some universal configurations, explain why they are important, and guide you in setting them in a way that improves your SaaS apps' security posture.  Start with Admins Role-based access control (RBAC) is a key to NIST adherence and should be applied to every SaaS a

Alert: CISA Warns of Active 'Roundcube' Email Attacks - Patch Now

Alert: CISA Warns of Active 'Roundcube' Email Attacks - Patch Now
Feb 13, 2024 Vulnerability / Email Security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday  added  a medium-severity security flaw impacting Roundcube email software to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation. The issue, tracked as  CVE-2023-43770  (CVSS score: 6.1), relates to a cross-site scripting (XSS) flaw that stems from the handling of linkrefs in plain text messages. "Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that can lead to information disclosure via malicious link references in plain/text messages," CISA said. According to a description of the bug on NIST's National Vulnerability Database (NVD), the vulnerability impacts Roundcube versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3. The flaw was  addressed  by Roundcube maintainers with  version 1.6.3 , which was released on September 15, 2023. Zscaler security researcher Niraj Shivtarkar has been credited with dis

How Nation-State Actors Target Your Business: New Research Exposes Major SaaS Vulnerabilities

How Nation-State Actors Target Your Business: New Research Exposes Major SaaS Vulnerabilities
Feb 15, 2024SaaS Security / Risk Management
With many of the highly publicized 2023 cyber attacks revolving around one or more SaaS applications, SaaS has become a cause for genuine concern in many boardroom discussions. More so than ever, considering that GenAI applications are, in fact, SaaS applications. Wing Security (Wing), a SaaS security company, conducted an analysis of 493 SaaS-using companies in Q4 of 2023.  Their study reveals  how companies use SaaS today, and the wide variety of threats that result from that usage. This unique analysis provides rare and important insights into the breadth and depth of SaaS-related risks, but also provides practical tips to mitigate them and ensure SaaS can be widely used without compromising security posture.  The TL;DR Version Of SaaS Security 2023 brought some now infamous examples of malicious players leveraging or directly targeting SaaS, including the North Korean group UNC4899, 0ktapus ransomware group, and Russian Midnight Blizzard APT, which targeted well-known organizat

Combined Security Practices Changing the Game for Risk Management

Combined Security Practices Changing the Game for Risk Management
Feb 05, 2024 Data Protection / Threat Intelligence
A significant challenge within cyber security at present is that there are a lot of risk management platforms available in the market, but only some deal with cyber risks in a very good way. The majority will shout alerts at the customer as and when they become apparent and cause great stress in the process. The issue being that by using a reactive, rather than proactive approach, many risks just sit there, dormant, until an emergency happens.  'Dealing with SOC Operations for more than a decade, I have seen nearly 60 percent of SOC Incidents are repeat findings that keep re-surfacing due to underlying unmitigated Risks. Here the actors may be different, however the risk is mostly the same. This is causing significant alert fatigue.' – Deodatta Wandhekar, Head of Global SOC, SecurityHQ. Combining Frameworks and Best Practices These risks can be prevented. A platform that combines the best practices of multiple frameworks is the solution to tackle this issue.  What is NIST?

Are You Vulnerable to Third-Party Breaches Through Interconnected SaaS Apps?

cyber security
websiteWing SecuritySaaS Security / Risk Management
Protect against cascading risks by identifying and mitigating app2app and third-party SaaS vulnerabilities.

NIST Warns of Security and Privacy Risks from Rapid AI System Deployment

NIST Warns of Security and Privacy Risks from Rapid AI System Deployment
Jan 08, 2024 Artificial Intelligence / Cyber Security
The U.S. National Institute of Standards and Technology (NIST) is calling attention to the  privacy and security challenges  that arise as a result of increased deployment of artificial intelligence (AI) systems in recent years. "These security and privacy challenges include the potential for adversarial manipulation of training data, adversarial exploitation of model vulnerabilities to adversely affect the performance of the AI system, and even malicious manipulations, modifications or mere interaction with models to exfiltrate sensitive information about people represented in the data, about the model itself, or proprietary enterprise data," NIST  said . As AI systems become integrated into online services at a rapid pace, in part driven by the emergence of generative AI systems like OpenAI ChatGPT and Google Bard, models powering these technologies face a number of threats at various stages of the machine learning operations. These include corrupted training data, security flaw

Everything You Wanted to Know About AI Security but Were Afraid to Ask

Everything You Wanted to Know About AI Security but Were Afraid to Ask
Sep 04, 2023 Artificial Intelligence / Cyber Security
There's been a great deal of AI hype recently, but that doesn't mean the robots are here to replace us. This article sets the record straight and explains how businesses should approach AI. From musing about self-driving cars to fearing AI bots that could destroy the world, there has been a great deal of AI hype in the past few years. AI has captured our imaginations, dreams, and occasionally, our nightmares. However, the reality is that AI is currently much less advanced than we anticipated it would be by now. Autonomous cars, for example, often considered the poster child of AI's limitless future, represent a narrow use case and are not yet a common application across all transportation sectors. In this article, we de-hype AI, provide tools for businesses approaching AI and share information to help stakeholders educate themselves.  AI Terminology De-Hyped AI vs. ML AI (Artificial Intelligence) and ML (Machine Learning) are terms that are often used interchangeably, but the

Enhancing TLS Security: Google Adds Quantum-Resistant Encryption in Chrome 116

Enhancing TLS Security: Google Adds Quantum-Resistant Encryption in Chrome 116
Aug 11, 2023 Encryption / Browser Security
Google has announced plans to add support for quantum-resistant encryption algorithms in its Chrome browser, starting with version 116. "Chrome will begin supporting  X25519Kyber768  for establishing symmetric secrets in  TLS , starting in Chrome 116, and available behind a flag in Chrome 115," Devon O'Brien  said  in a post published Thursday. Kyber was  chosen  by the U.S. Department of Commerce's National Institute of Standards and Technology (NIST) as the candidate for general encryption in a bid to tackle future cyber attacks posed by the advent of quantum computing.  Kyber-768  is roughly the security equivalent of  AES-192 . The encryption algorithm has already been adopted by  Cloudflare ,  Amazon Web Services , and IBM. X25519Kyber768 is a hybrid algorithm that combines the output of  X25519 , an elliptic curve algorithm widely used for key agreement in TLS, and Kyber-768 to create a strong session key to encrypt TLS connections. "Hybrid mechanism

Experts Discover Flaw in U.S. Govt's Chosen Quantum-Resistant Encryption Algorithm

Experts Discover Flaw in U.S. Govt's Chosen Quantum-Resistant Encryption Algorithm
Mar 06, 2023 Encryption / Cybersecurity
A group of researchers has revealed what it says is a vulnerability in a specific implementation of  CRYSTALS-Kyber , one of the encryption algorithms chosen by the U.S. government as quantum-resistant last year. The exploit relates to "side-channel attacks on up to the fifth-order masked implementations of CRYSTALS-Kyber in ARM Cortex-M4 CPU," Elena Dubrova, Kalle Ngo, and Joel Gärtner of KTH Royal Institute of Technology  said  in a paper. CRYSTALS-Kyber is one of four post-quantum algorithms  selected  by the U.S. National Institute of Standards and Technology (NIST) after a rigorous multi-year effort to identify a set of next-generation encryption standards that can withstand huge leaps in computing power. A side-channel attack, as the name implies, involves extracting secrets from a cryptosystem through measurement and analysis of physical parameters. Some examples of such parameters include supply current, execution time, and electromagnetic emission. The underlyi

NIST Standardizes Ascon Cryptographic Algorithm for IoT and Other Lightweight Devices

NIST Standardizes Ascon Cryptographic Algorithm for IoT and Other Lightweight Devices
Feb 08, 2023 Encryption / IoT Security
The U.S. National Institute of Standards and Technology (NIST) has announced that a family of authenticated encryption and hashing algorithms known as Ascon will be standardized for  lightweight cryptography  applications. "The chosen algorithms are designed to protect information created and transmitted by the Internet of Things (IoT), including its myriad tiny sensors and actuators," NIST  said . "They are also designed for other miniature technologies such as implanted medical devices, stress detectors inside roads and bridges, and keyless entry fobs for vehicles." Put differently, the idea is to adopt security protections via lightweight cryptography in devices that have a "limited amount of electronic resources." That said, NIST still recommends the Advanced Encryption Standard ( AES ) and SHA-256 for general use. Ascon is  credited  to a team of cryptographers from the Graz University of Technology, Infineon Technologies, Lamarr Security Researc

Goodbye SHA-1: NIST Retires 27-Year-Old Widely Used Cryptographic Algorithm

Goodbye SHA-1: NIST Retires 27-Year-Old Widely Used Cryptographic Algorithm
Dec 16, 2022 Encryption / Data Security
The U.S. National Institute of Standards and Technology (NIST), an agency within the Department of Commerce,  announced  Thursday that it's formally retiring the SHA-1 cryptographic algorithm. SHA-1 , short for Secure Hash Algorithm 1, is a 27-year-old  hash function  used in cryptography and has since been  deemed   broken  owing to the risk of  collision attacks . While hashes are designed to be irreversible – meaning it should be impossible to reconstruct the original message from the fixed-length enciphered text – the lack of collision resistance in SHA-1 made it possible to generate the same hash value for two different inputs. In February 2017, a group of researchers from CWI Amsterdam and Google  disclosed  the first practical technique for producing collisions on SHA-1, effectively undermining the security of the algorithm. "For example, by crafting the two colliding PDF files as two rental agreements with different rent, it is possible to trick someone to create

NIST Announces First Four Quantum-Resistant Cryptographic Algorithms

NIST Announces First Four Quantum-Resistant Cryptographic Algorithms
Jul 06, 2022
The U.S. Department of Commerce's National Institute of Standards and Technology (NIST) has  chosen  the first set of quantum-resistant encryption algorithms that are designed to "withstand the assault of a future quantum computer." The post-quantum cryptography ( PQC ) technologies include the  CRYSTALS-Kyber  algorithm for general encryption, and  CRYSTALS-Dilithium ,  FALCON , and  SPHINCS+  for digital signatures. "Three of the selected algorithms are based on a family of math problems called structured lattices, while SPHINCS+ uses hash functions," NIST, which kicked off the standardization process in January 2017,  said  in a statement. Cryptography, which underpins the security of information in modern computer networks, derives its strength from the difficulty of solving mathematical problems — e.g., factoring large composite integers — using traditional computers. Quantum computers, should they mature enough, pose a  huge impact  on the current pu

Learn NIST Inside Out With 21 Hours of Training @ 86% OFF

Learn NIST Inside Out With 21 Hours of Training @ 86% OFF
Jun 25, 2022
In cybersecurity, many of the best jobs involve working on government projects. To get a security clearance, you need to prove that you meet  NIST standards . Cybersecurity firms are particularly interested in people who understand the RMF, or Risk Management Framework — a U.S. government guideline for taking care of data. The NIST Cybersecurity & Risk Management Frameworks Course  helps you understand this topic, with over 21 hours of video instruction. The training is worth a total of $295, but readers of The Hacker News can  get the course today for only $39 . Special Offer  — Normally priced at $295, this Risk Management Framework course is  now only $39 for a limited time , with lifetime access included. That's a massive 86% discount! Designed by the United States Government, the Risk Management Framework provides a complete guide to securing sensitive data. It also ensures that cybersecurity professionals comply with the various laws, directives, executive orders, and re

Government Agencies Warn of Increase in Cyberattacks Targeting MSPs

Government Agencies Warn of Increase in Cyberattacks Targeting MSPs
May 12, 2022
Multiple cybersecurity authorities from Australia, Canada, New Zealand, the U.K., and the U.S. on Wednesday released a  joint advisory  warning of threats targeting managed service providers (MSPs) and their customers. Key among the recommendations include identifying and disabling accounts that are no longer in use, enforcing multi-factor authentication (MFA) on MSP accounts that access customer environments, and ensuring transparency in ownership of security roles and responsibilities. MSPs have emerged as an attractive attack route for cybercriminals to scale their attacks, as a vulnerable provider can be weaponized as an initial access vector to breach several downstream customers at once. The spillover effects of such intrusions, as witnessed in the wake of high-profile breaches aimed at  SolarWinds  and  Kaseya  in recent years, have once again underlined the need to secure the software supply chain. The targeting of MSPs by malicious cyber actors in an effort to "expl

NIST Releases Updated Cybersecurity Guidance for Managing Supply Chain Risks

NIST Releases Updated Cybersecurity Guidance for Managing Supply Chain Risks
May 05, 2022
The National Institute of Standards and Technology (NIST) on Thursday released an updated cybersecurity guidance for managing risks in the supply chain, as it increasingly emerges as a lucrative attack vector. "It encourages organizations to consider the vulnerabilities not only of a finished product they are considering using, but also of its components — which may have been developed elsewhere — and the journey those components took to reach their destination," NIST said in a statement. The new  directive  outlines  major security controls and practices  that entities should adopt to identify, assess, and respond to risks at different stages of the supply chain, including the possibility of malicious functionality, flaws in third-party software, insertion of counterfeit hardware, and poor manufacturing and development practices. The development follows an Executive Order issued by the U.S. President on " Improving the Nation's Cybersecurity (14028) " las

NIST Cybersecurity Framework: A Quick Guide for SaaS Security Compliance

NIST Cybersecurity Framework: A Quick Guide for SaaS Security Compliance
Jan 06, 2022
When I want to know the most recently published best practices in cyber security, I visit The National Institute of Standards and Technology (NIST). From the latest password requirements (NIST 800-63) to IoT security for manufacturers (NISTIR 8259), NIST is always the starting point. NIST plays a key role as a US standard-setter, due to the organization's professionalism and the external experts who help to create NIST documents. The NIST Cybersecurity Framework (CSF) was initially released in 2014 and last updated in 2018. The framework enables organizations to improve the security and resilience of critical infrastructure with a well-planned and easy-to-use framework. The continuing growth in SaaS, and the major changes to the work environment due to COVID-19 bring new security challenges. Although the CSF was written and updated while SaaS was on the rise, it is still geared towards the classic legacy critical infrastructure security challenges. However, organizations can bet

NIST and HIPAA: Is There a Password Connection?

NIST and HIPAA: Is There a Password Connection?
Apr 08, 2021
When dealing with user data, it's essential that we design our password policies around compliance. These policies are defined both internally and externally. While companies uphold their own password standards, outside forces like HIPAA and NIST have a heavy influence. Impacts are defined by industry and one's unique infrastructure. How do IT departments maintain compliance with NIST and HIPAA? We'll discuss each compliance measure and its importance in this article. What is NIST compliance? Defined by the National Institute of Standards and Technology, NIST compliance aims to harden federal systems against cyber-attacks. While the agency is non-regulatory, it  is  part of the U.S. Department of Commerce, which has plenty of influence over government agencies and their contractors. For example, NIST guidelines help agencies  satisfy the requirements of the Federal Information Security Management Act  (FISMA). NIST is instrumental in creating Federal Information Proce
Cybersecurity Resources