Finding Vulnerabilities in Open Source Projects

The Open Source Security Foundation announced $10 million in funding from a pool of tech and financial companies, including $5 million from Microsoft and Google, to find vulnerabilities in open source projects:

The “Alpha” side will emphasize vulnerability testing by hand in the most popular open-source projects, developing close working relationships with a handful of the top 200 projects for testing each year. “Omega” will look more at the broader landscape of open source, running automated testing on the top 10,000.

This is an excellent idea. This code ends up in all sorts of critical applications.

Log4j would be a prototypical vulnerability that the Alpha team might look for – an unknown problem in a high-impact project that automated tools would not be able to pick up before a human discovered it. The goal is not to use the personnel engaged with Alpha to replicate dependency analysis, for example.

Tenable Launches Suite of New Product Features to Deliver Full Lifecycle Cloud-Native Security

Our newest Tenable.cs product features are designed to enable organizations to stay agile while reducing risk.

A suite of upgrades to Tenable.cs, our cloud-native application protection platform, is designed to enable organizations to secure cloud resources, container images and cloud assets, providing end-to-end security from code to cloud to workload.

Even as organizations are adopting the cloud at exponential rates, they continue to face the challenges of protecting and securing resources and workloads in the public cloud. And, as the responsibilities of modern security teams continue to evolve and increase in complexity, the pressure to meet workload demands while minimizing security risks continues to mount. Implementing a new framework, one that allows organizations to remain agile while strengthening security is key. Enter Tenable.cs.

Tenable.cs delivers full lifecycle cloud-native security to address cyber risks from build to runtime. It enables organizations to programmatically detect and fix cloud infrastructure misconfigurations in the design, build and runtime phases of the Software Development Lifecycle (SDLC) to prevent unresolved insecure configuration or exploitable vulnerabilities from reaching production.

Tenable.cs secures infrastructure as code (IaC) before deployment, maintains a secure posture in runtime and controls drift by synchronizing configuration between runtime and IaC. It enables IaC to remain the single source of truth, eliminating the need for complex and manual processes.

Newest capabilities in Tenable.cs

Tenable.cs offers continuous visibility to assess cloud hosts and container images for vulnerabilities without the need to manage scan schedules, credentials, or agents. It provides Frictionless Assessment and Nessus Vulnerability Assessment for cloud workloads as well as Tenable.io container Security.

With Tenable.cs, all cloud assets — including ephemeral assets — are continuously reassessed as new vulnerability detections are added and as new assets are deployed. This always-on approach allows organizations to spend more time focusing on the highest priority vulnerabilities and less time on managing scans and software.

Tenable.cs now also supports Tenable.ep

Tenable.cs further expands the scope of Tenable’s comprehensive cyber exposure management platform. Now, with the addition of Tenable.cs to Tenable.ep, organizations can determine the cyber risks of their cloud resources alongside other assets, such as IT assets, web apps, containers and operational technology (OT) devices.

With Tenable.cs, Tenable now delivers an integrated, end-to-end cloud security solution and a complete picture of cyber risks across the modern attack surface with unified visibility into code, configurations, assets and workloads.

Accessing the new features

Tenable.cs gives DevSecOps teams pragmatic, cloud native security solutions to continue the mission of helping organizations innovate in the cloud with confidence.

It is available as both a standalone solution and as a part of Tenable.ep. Additionally, Tenable has further expanded Tenable.ep, adding Tenable.ad for Active Directory environments to its platform’s single and flexible asset-based license for simple procurement and deployment. Tenable.ad will also continue to be sold as a separate solution and will be available Feb. 2.

Schedule your free consultation and demo

If you’re not already a Tenable customer, please schedule a free consultation and demo to discuss how we can help you improve your security program and results.

For more information about Tenable.cs, visit tenable.com/products/tenable-cs or join us on March 2nd at 2:00 p.m. EST for a webinar on Introducing Tenable.cs: Cloud-Native Security From Code to Cloud.

#Enigma2022: Pandemic Misinformation Reveals Challenges for Online Health Information

The fact that misinformation is rampant online is not a new phenomenon. Perhaps less understood is the intersection between how often an individual sees a piece of misinformation and how likely they are to believe it.

In a session at the Enigma 2022 conference on February 1, Patrick Gage Kelley, trust and safety researcher at Google, outlined the results of a two-year study conducted by Google about online misinformation. The study was conducted throughout 2020 and 2021 and involved a series of regular surveys that included feedback from over 50,000 people from 16 countries worldwide.

Kelley explained that the researchers had two basic lines of questioning. The first focused on exposure. The researchers asked about a certain statement of information and whether the survey participant heard the information once, many times or not at all. The second line of questioning focused on beliefs. Respondents could tell the researchers if they strongly believe a specific statement, if they kind of believe it or if they strongly don’t believe it.

Pandemic Conspiracy Misinformation and Beliefs

The Google-led research asked about a series of pandemic-specific conspiracies and found a shocking level of awareness and belief in them.

“We asked people if Bill Gates, George Soros or some other powerful person is behind COVID-19, and 16% globally had that belief,” Kelley said. “We asked people if injecting cleaning products or UV light into people is an effective treatment for COVID-19 – that had an 11% belief.”

Kelley noted that the research wasn’t conducted as just a single point-in-time study but conducted with researchers doing the survey and asking similar questions every few months.

“One of the effects that we find over and over again is that although the narratives move quickly, once these fringe beliefs take hold, they’re difficult to change,” he said.

The researchers also tested views about multiple conspiracies related to the COVID-19 vaccinations, including the falsehood that the COVID-19 vaccine has microchips and is used to track those who get vaccinated secretly. In 2020, 11% of global respondents believed that falsehood to be true, dropping to 10% in 2021.

Reasons for Optimism

While there is much to worry about in terms of online misinformation, there is also some cause for optimism, according to Kelley.

Kelley said that overall, there was a higher level of belief in several positive public health statements that the researchers tested than in the more clear-cut misinformation statements tested.

One such statement was that wearing a face-covering in public is an effective way for slowing the spread of COVID-19. 73% of people globally believed that statement in 2020. Another tested statement was that social distancing, by staying at least six feet from people not in your household, effectively slows the spread of COVID-19, which was believed by 70% of respondents globally. In 2021 however, the results dropped by 5% for face masks and 7% for social distancing.

“While this keeps both above the 60% belief range, it shows how much effort is required to maintain these extremely high levels of belief,” Kelley said. “We take this to show how important continued unified proactive health messaging is.”

Kelley concluded his presentation by noting that Google overall continues to see substantial populations in every country believing in various misinformation and low-quality information statements after widespread exposure to that information.

“People are going to believe a wide range of things and what we need to make sure is that we continue to get access to good information,” Kelley said. “There’s going to be misinformation, and one of the things we can do is measure and understand that so that we can best respond.”

Third of Employees Admit to Exfiltrating Data When Leaving Their Job

Nearly one-third (29%) of employees admitted taking data with them when they leave their job, according to new research from Tessian.

The findings follow the ‘great resignation’ of 2021, when workers quit their jobs in huge waves following the COVID-19 pandemic. Unsurprisingly, close to three-quarters (71%) of IT leaders believe this trend has increased security risks in their organizations.

In addition, nearly half (45%) of IT leaders said they had seen incidents of data exfiltration increase in the past year due to staff taking data with them when they left.

The survey of 2000 UK workers also looked at employees’ motives for taking such information. The most common reason was that the data would help them in their new job (58%). This was followed by the belief that the information belonged to them because they worked on the document (53%) and to share it with their new employer (44%).

The employees most likely to take data with them when leaving their job worked in marketing (63%), HR (37%) and IT (37%).

The research also found that 55% of workers are considering leaving their jobs in 2022, while two in five (39%) are currently working their notice or actively looking for a new job in the next six months, meaning organizations remain at high risk of data exfiltration.

Josh Yavor, chief information security officer at Tessian, commented: “It’s a rather common occurrence for employees in certain roles and teams to take data when they quit their job. While some people do take documents with malicious intent, many don’t even realize that what they are doing is wrong. Organizations have a duty to clearly communicate expectations regarding data ownership, and we need to recognize where there might be a breakdown in communication which has led to a cultural acceptance of employees taking documents when they leave.

“The great resignation, and the sharp increase in employee turnover, has exposed an opportunity for security and business leaders to consider a more effective way of addressing insider risk. It comes down to building better security cultures, gaining greater visibility into data loss threats and defining and communicating expectations around data sharing to employees – both company-wide and at departmental level. Being proactive in setting the right policies and expectations is a key step before investing in preventative controls.”

A study last year found that over three-quarters (78%) of insider data breaches involved unintentional data exposure or loss rather than any malice.

The ultimate guide to Cyber risk management

This blog was written by an independent guest blogger.

Ambitious information security experts serve as a critical part of cyber risk management.

The corporation is responsible for structuring IT and information security activities to protect its data resources, such as hardware, software, and procedures.

To stay competitive, enterprises must design and establish secure environments that retain confidentiality and privacy while also ensuring the integrity of corporate information. This can be achieved through the use of cyber risk management approaches.

This article explores the need for security and provides an overview of cyber risk assessment. We’ll discuss control categorization and approaches with an example.

Need for security

Organizations have long encountered various types of risk. Still, cyber risk has emerged as a critical component – evaluating risks to corporations, their information, and their financial results is a priority.

Malicious hackers are taking advantage of technological advancements and developments to hack and exploit the resources of businesses.

Cyber risk is the third critical corporate risk in 2021, as per the latest Allianz Risk Barometer.
Cybercrime costs approximately $600 billion per year, accounting for over 1% of global GDP, as per The Center for Strategic and International Studies (CSIS), and 300,562,519 people were affected by publicly disclosed security breaches the previous year, as per the Identity Theft Resource Center.

The following table shows some classifications that reflect realistic and prominent threats to a company’s personnel, data, and technology.

Each organization must prioritize the risks it confronts depending on the security scenario in which it works, its organizational risk approach, and the vulnerability levels at which its resources execute.

Cyber risk management

Risk management is the method of identifying vulnerabilities to a company’s data resources and architecture and implementing strategies to reduce that risk to tolerable levels.

The three primary steps of cyber risk management are:

Risk identification
Risk assessment
Risk control

Cyber risk assessment example

Let’s understand the stages of risk assessment with the help of an example.

For instance, your department head assigns you to perform risk management and shares the network architecture, employee lists, software list, etc., with you.

Risk identification

The first step is to identify the assets, then categorize and prioritize them and record them in an inventory.

It is easy to spot many assets by glancing at the network architecture, but keeping track of all of them is difficult, so categorize the assets using the components of information security management.

| Traditional Components | SecSDLC Components | Examples |
|---|---|---|
| People | Employees | Support Staff, Developers, Application Admin |
| People | Non-Employees | Stakeholders, Vendors, Operational users |
| Software, Hardware, Network | System Devices/Networking Components | Server, Firewall, IP, Utilities, Application Layer, Database, Routers |
| Procedure | Procedure | Network elements, Policies and Procedures, SLA, NDA, Reports |
| Data | Information | Data Owner, Size of Data, Backups, Who will manage the data?, Transmission, Processing |

After identifying and categorizing assets, we need to create an inventory of all assets.

We must not prejudge the worth of every asset when compiling an inventory of data assets.
Whether automated or manual, the inventory approach needs significant planning.
It must also include the sensitivity and security level of each item in the inventory.

After inventory, we perform relative assessments to guarantee that we assign the most significant assets top priority. You can also ask several questions to allocate weight to assets for risk assessment, such as:

What resource is associated with the highest revenue margin?
Which of the assets is the costliest to replace or to safeguard?
Which asset’s removal or corruption might be the most distressing or expose you to the greatest risk?

After performing initial identification, we start an assessment of the risks affecting the company.

If you presume that every risk will indeed target every asset, the project scope suddenly grows so vast that planning becomes impossible.

We should assess each threat for its ability to put the company in jeopardy. This is threat assessment. Answering a few simple questions can help you start a threat assessment:

What threats pose the greatest hazard to a company’s assets?
How much will the attack cost if data recovery is required?
Which threats pose high risks to the data owned by a company?

Risk assessment

You may assess the comparative risk for each vulnerability now that you’ve identified the organization’s assets and threats. We refer to this as risk assessment. Now, identify the vulnerability associated with assets and threats.

| Assets | Threats | Vulnerability |
|---|---|---|
| Server | Exploitation, System failure, Overheating in Room, Out of Electricity | Backdoors, Unauthorized Access, Open Ports, Old Cooling Devices (AC) |
| Websites | Malicious Payloads, DDoS, XSS | Policies & Procedures, Firewall, IDPS |
| Rogue Devices | Spoofing, MITM, Sniffing | Misconfiguration, Not updating devices |

Each asset is given a risk level or grade during risk assessment. While this number has no exact value, it helps determine the relative risk associated with every sensitive asset.

There is also a basic formula we use to assess the risk.

Risk = (likelihood of occurrence of the vulnerability × value of the information asset) – percentage of risk mitigated by current controls + uncertainty of current knowledge of the vulnerability.

Let’s utilize this formula with an example.

We have an “asset A” with a value of 40 and one vulnerability with a probability of 1.0 with no security controls. Your facts are 80% credible*.

(If the reliability is 95%, the uncertainty is 5%.)

(40 × 1.0) – 0% + 5% = 45

So, the vulnerability of asset A ranks as 45.

You’ll most likely have listings of assets with information by the end of the risk assessment. The aim was to discover assets’ information with security flaws and create a compilation of them, graded from most vulnerable to least vulnerable.

While compiling this list you gathered and stored a great deal of information about the assets, the risks they face and the risks they expose.
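As an added worked example (not from the original article), the following Python applies the formula above to a small risk register built from the asset/threat/vulnerability table and grades it from most to least vulnerable, as the assessment step asks for. It treats the mitigation and uncertainty percentages as fractions of the base score (likelihood × value), which is an assumption about how the formula is meant to be read; the register's values, likelihoods and control percentages are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class RegisterEntry:
    """One asset/threat/vulnerability row of the risk register."""
    asset: str
    threat: str
    vulnerability: str
    asset_value: float   # relative worth assigned when weighting the inventory
    likelihood: float    # probability (0.0 to 1.0) that the vulnerability is exploited
    mitigated: float     # fraction of the risk already removed by current controls
    uncertainty: float   # 1 - credibility of the data behind this row


def risk_score(asset_value: float, likelihood: float,
               mitigated: float = 0.0, uncertainty: float = 0.0) -> float:
    """Risk = (likelihood x value) - mitigated% + uncertainty%.

    Assumption: both percentage terms are taken as fractions of the base
    score (likelihood x value), so 20% uncertainty adds 20% of the base.
    """
    for name, frac in (("likelihood", likelihood), ("mitigated", mitigated),
                       ("uncertainty", uncertainty)):
        if not 0.0 <= frac <= 1.0:
            raise ValueError(f"{name} must be between 0.0 and 1.0, got {frac}")
    if asset_value < 0:
        raise ValueError("asset_value must not be negative")
    base = likelihood * asset_value
    return base - base * mitigated + base * uncertainty


def rank_register(entries: List[RegisterEntry]) -> List[Tuple[str, str, str, float]]:
    """Score every row and return (asset, threat, vulnerability, risk),
    ordered from most to least vulnerable."""
    scored = [
        (e.asset, e.threat, e.vulnerability,
         round(risk_score(e.asset_value, e.likelihood, e.mitigated, e.uncertainty), 2))
        for e in entries
    ]
    return sorted(scored, key=lambda row: row[3], reverse=True)


def format_report(entries: List[RegisterEntry]) -> str:
    """Plain-text ranking suitable for the risk reporting step."""
    lines = [f"{'#':>2}  {'risk':>6}  asset / threat / vulnerability"]
    for pos, (asset, threat, vuln, risk) in enumerate(rank_register(entries), start=1):
        lines.append(f"{pos:>2}  {risk:>6.2f}  {asset} / {threat} / {vuln}")
    return "\n".join(lines)


# Constructed register: labels follow the assets/threats/vulnerabilities table
# above; the numbers are illustrative assumptions. The first row mirrors the
# article's "asset A" (value 40, likelihood 1.0, no controls, data 80%
# credible, i.e. 20% uncertainty).
SAMPLE_REGISTER = [
    RegisterEntry("Server", "Exploitation", "Open Ports", 40, 1.0, 0.0, 0.20),
    RegisterEntry("Server", "Overheating in Room", "Old Cooling Devices (AC)", 40, 0.3, 0.5, 0.10),
    RegisterEntry("Websites", "DDoS", "Firewall", 25, 0.6, 0.4, 0.10),
    RegisterEntry("Rogue Devices", "MITM", "Misconfiguration", 20, 0.5, 0.2, 0.20),
]

if __name__ == "__main__":
    print(format_report(SAMPLE_REGISTER))
```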

Risk control

After completing the risk identification and risk assessment steps, we end the risk management process with risk control.

Risk control gives us five strategies to deal with the risks, and they are:

Defend
Transfer
Mitigate
Accept
Terminate

The table below describes each control strategy in more depth.

| Risk Control Strategy | Definition | Examples |
|---|---|---|
| Defend | The defend strategy tries to prevent the vulnerability from being exploited. | A cryptographic verification technique such as RADIUS |
| Transfer | Using the transfer control technique, we shift the risk to other resources, activities or companies. | Rethinking how services work and are offered; revising deployment models; rechecking outsourced services |
| Mitigate | With planning and response, the mitigation control technique seeks to lessen the effect of a vulnerability being exploited. | Incident Response Plan (IR); Disaster Recovery Plan (DRP); Business Continuity Plan (BCP) |
| Accept | The accept control strategy does little to prevent a vulnerability from being exploited and accepts the result of such an attack. | Risk acceptance depends on the risk level and the threat value of the risk: is the risk small enough to accept it and do nothing for a while? |
| Terminate | The terminate control strategy encourages the company to eliminate commercial operations that pose unmanageable risks. | Instead of applying risk controls, the organization terminates the activity or product that brings the risk. |

Risk reporting

The very last step we have is risk reporting. It’s a crucial part of risk assessment. After performing the entire risk management process, you have to document it. Risk reports are a technique of informing those that need to know about the project and company’s risks.

Conclusion

In a nutshell, as you progress along the risk management process, you’ll have a greater understanding of your corporation’s architecture, your most important data, and how you can improve your management and security.

CVSS 9.9-Rated Samba Bug Requires Immediate Patching

A critical vulnerability in a popular open-source networking protocol could allow attackers to execute code with root privileges unless patched, experts have warned.

Samba is a popular free implementation of the SMB protocol, allowing Linux, Windows and Mac users to share files across a network.

However, a newly discovered critical vulnerability (CVE-2021-44142) in the software has been given a CVSS score of 9.9, making it one of the most dangerous bugs discovered in recent years. Log4Shell was given only a slightly higher score of 10.0.

“All versions of Samba prior to 4.13.17 are vulnerable to an out-of-bounds heap read-write vulnerability that allows remote attackers to execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit,” Samba explained.

“The specific flaw exists within the parsing of EA metadata when opening files in smbd. Access as a user that has write access to a file’s extended attributes is required to exploit this vulnerability. Note that this could be a guest or unauthenticated user if such users are allowed write access to file extended attributes.”

Patches have been released, and Samba updates 4.13.17, 4.14.12 and 4.15.5 have been issued to fix the problem, with administrators being urged to upgrade to these releases or apply the patch as soon as possible. The vulnerability has not yet been exploited in the wild at the time of writing, but this is likely to change.

An additional workaround is possible if sysadmins remove the “fruit” VFS module from the list of configured VFS objects in any “vfs objects” line in the Samba configuration smb.conf.
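As an added example, not from the article or from the Samba project: the Python below checks a reported Samba version against the fixed releases named above and reads an smb.conf to list the shares whose effective "vfs objects" list still loads fruit, including shares that inherit the setting from [global], which a search for the literal line can miss. The sample configuration is constructed, and the branch handling (versions before 4.13 treated as vulnerable, branches after 4.15 as released with the fix) is an assumption drawn from the advisory wording.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the advisory, keyed by minor branch.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (4, 13): (4, 13, 17),
    (4, 14): (4, 14, 12),
    (4, 15): (4, 15, 5),
}


def parse_version(text: str) -> Version:
    """Pull x.y.z out of strings such as 'Version 4.13.17-Ubuntu' (smbd -V output)."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def version_is_vulnerable(version: Version) -> bool:
    """True when the version predates the fix for its branch.
    Assumption: branches older than 4.13 are vulnerable (the advisory says
    all prior versions are), branches newer than 4.15 shipped with the fix."""
    branch = version[:2]
    if branch in FIXED_VERSIONS:
        return version < FIXED_VERSIONS[branch]
    return branch < (4, 13)


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: [section] headers and 'key = value' lines.
    Section and parameter names are case-insensitive in Samba, so both are
    lowercased; comment lines (# or ;) and blank lines are skipped."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def shares_loading_fruit(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Shares whose effective 'vfs objects' list includes fruit.
    'vfs objects' is a per-share parameter; a value set in [global] is the
    default for every share that does not set its own."""
    default = sections.get("global", {}).get("vfs objects", "")
    affected = []
    for name, params in sections.items():
        if name == "global":
            continue
        if "fruit" in params.get("vfs objects", default).split():
            affected.append(name)
    return affected


def strip_fruit(vfs_objects: str) -> str:
    """The advisory's workaround: drop fruit from a 'vfs objects' value.
    This also removes the macOS interoperability features the module provides."""
    return " ".join(module for module in vfs_objects.split() if module != "fruit")


def assess(version_text: str, smb_conf: str) -> Dict[str, object]:
    """Combine both checks into one verdict for an inventory or ticket."""
    version = parse_version(version_text)
    shares = shares_loading_fruit(parse_smb_conf(smb_conf))
    return {
        "version": ".".join(map(str, version)),
        "version_vulnerable": version_is_vulnerable(version),
        "shares_loading_fruit": shares,
        "exposed": version_is_vulnerable(version) and bool(shares),
    }


# Constructed sample: fruit is set in [global], so [timemachine] inherits it,
# while [public] overrides the list and does not load the module.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   vfs objects = fruit streams_xattr

[timemachine]
   path = /srv/timemachine
   fruit:time machine = yes

[public]
   path = /srv/public
   vfs objects = recycle
   guest ok = yes
"""

if __name__ == "__main__":
    print(assess("Version 4.13.16-Ubuntu", SAMPLE_SMB_CONF))
```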

The new vulnerability comes at a busy time for administrators, many of whom spent time over the holidays hunting for instances of vulnerable Log4j hidden in Java dependencies across their organization.

Last year was another record-setter in terms of the number of CVEs published to the National Vulnerability Database (NVD), the fifth year in a row this has happened.

Managing security in hybrid Windows 11 and Windows 10 environments

You’ve been given the task for 2022 to start a pilot project for deploying and managing Windows 11. Any platform is only as secure as how well you can manage it. Microsoft has stated that managing Windows 11 will be just like managing Windows 10. However, some distinct nuances in management may make you reconsider the security management tools that you’ll use for Windows 11 and possibly even Windows 10.

Many firms use a traditional Active Directory infrastructure to manage a mixture of Windows machines – for example, Group Policy to manage security settings as well as to set security settings for Windows Software Update Services or Windows Update for Business. As a recent Microsoft blog noted, you may need to determine which ADMX templates you need to deploy in your Group Policy central store. If your firm will be staying on Windows 10 for the near future, it’s recommended that you stay with Windows 10 ADMX templates rather than installing and using the Windows 11 templates. If you will be primarily using Windows 11, even if you still have some machines on Windows 10, you’ll want to roll out the Windows 11 ADMX templates.

5 steps to run a successful cybersecurity champions program

Cybersecurity champions programs nurture and encourage cybersecurity awareness within a business, combining education with peer-to-peer collaboration to embed a culture of security understanding, support, and positive behavior among a workforce. A typical program consists of individuals from different departments who act as security advocates for their function and help to shape an organization’s cybersecurity approach internally.

Growing in popularity across a wide range of industries, cybersecurity champions programs have proven so beneficial that they have become integral components of some organizations’ cybersecurity awareness strategies.

An effective and productive cybersecurity champions program requires several key elements to achieve its goals and avoid being a wasted investment. Here are the advantages of running a cybersecurity champions program for CISOs with five steps to doing so, including advice from security leaders and experts who have first-hand experience in this area.

Ninety Percent of Security Leaders Warn of Skills Shortage

Most IT security decision-makers are struggling to recruit workers to address a shortage of skilled professionals, despite business backing to do so, according to new research.

Global cybersecurity recruitment firm Stott and May teamed up with venture investor Forgepoint Capital to compile the Cyber Security in Focus study. It features responses from cybersecurity directors, security operations directors and VPs of product security in EMEA and North America.

Some 87% of respondents admitted they are suffering skills shortages, with over a third (35%) claiming positions were left unfilled after a 12-week period.

As a result, in-house skills (43%) were cited as the most significant barrier to strategy execution, above budget (35%), technology (13%) and board-level buy-in (9%).

The challenges around hiring have also led to a surge in salaries: 54% of hiring managers believe that these have increased more than 11% year on year in the sector.

The study also highlighted something of a contradiction. Security is gaining board-level buy-in. Some 80% of security leaders said their business perceives the function as a “strategic priority,” up from 54% last year. In addition, 100% agree that the business feels the function plays a role in improving the overall value proposition to customers.

However, over half (51%) of respondents argued that cybersecurity investment is still not keeping pace with digital transformation.

As investments in digital increase, sourcing the right engineering-centric CISOs will be the key to success, according to Forgepoint Capital managing director William Lin.

“A lot of digital transformation is inherently going to be driven by engineering, and finding a CISO that can empower developers with knowledge, tooling and experience will enable outcomes to be achieved faster and more securely,” he argued.

Heather Paunet, SVP at Untangle, argued that closing the cyber skills gap will require the industry to promote itself to would-be recruits better.

“There also needs to be organizational change that recognizes the severity and devastation cyber-attacks can cause and makes cybersecurity a priority. Companies need to ensure this investment isn’t just in technology, but also in their current workforce with continual training, advancement opportunities and recognition,” she added.

“In addition, IT education programs need to do the profession justice and emphasize the different roles and careers available in cybersecurity.”

According to the latest ISC2 survey, global skills shortages fell for the second consecutive year in 2021 to 2.7 million, including a shortfall of 377,000 in the US and 33,000 in the UK.

Scottish Agency Still Recovering from 2020 Ransomware Attack

A ransomware attack on a Scottish regulator in 2020 continues to significantly impact operations, with the true cost of the incident still unknown, an audit has found.

The double extortion attack hit the Scottish Environment Protection Agency (SEPA) on Christmas Eve 2020, forcing IT services offline.

According to a new report from Audit Scotland, the initial attack vector appears to have been a phishing email, although it’s still not 100% clear.

Despite following best practice backup guidelines, with one copy stored offline, the “sophisticated nature of the attack” meant online copies were quickly targeted, and there was no way of accessing historical records quickly, the spending watchdog claimed.

As a result, the “majority” of SEPA’s data was encrypted, stolen or lost.

Despite claiming the agency had a “high” level of cyber-maturity, independent reviews since the attack have also made 44 recommendations for enhancing the agency’s cyber-readiness and resilience.

According to Audit Scotland, it will be particularly alarming to Scottish taxpayers that more than a year on from the attack, the agency is still reinstating some of its systems.

The auditor took the rare step of issuing a “disclaimer of opinion” on SEPA’s annual accounts for 2020/21, claiming it couldn’t access enough evidence to substantiate £42m of income from contracts.

The agency still doesn’t know the total financial impact of the cyber-attack, although it has already been forced to write off over £2m in bad debts because of records lost to the incident.

“Based on management forecasts during the year, the Scottish Government gave SEPA authority to overspend by £2.5m to cover the impact of Covid19 and the cyber-attack if required,” the report claimed.

“SEPA recognizes that the cyber-attack has increased the medium to longer-term financial pressures on the organization. Its financial strategy 2020-24 had already identified potential variability in future income and expenditure streams of up to £17.9m as a worst-case scenario.”
