NCCoE Releases Draft Project Description for DevSecOps

The National Cybersecurity Center of Excellence (NCCoE) has released a new draft project description, Software Supply Chain and DevOps Security Practices: Implementing a Risk-Based Approach to DevSecOps. Publication of this project description begins a process to solicit public comments for the project requirements, scope, and hardware and software components for use in a laboratory environment.

WEBINAR – CISO Handbook: Managing Supply Chain Risk at Scale

Learn how agencies are managing supply chain obstacles in this webinar on Thursday, July 14, 2022 at 2 p.m. ET.

During this exclusive CISO Handbook webinar, moderator Justin Doubleday will explore some of the challenges and best practices associated with supply chain security with Gerald Caron, the chief information officer at the Department of Homeland Security’s Office of the Inspector General. Additionally, Kelly White, the co-founder and president of RiskRecon, a Mastercard Company will provide an industry perspective.

Learning objectives:
• Supply Chain Security Best Practices
• The Zero Trust Approach

84% of Firms Suffered Identity-Related Breaches in Last 12 Months

Rapidly growing employee identities, third-party partners, and machine nodes have companies scrambling to secure credential information, software secrets, and cloud identities, according to researchers.

In a survey of IT and identity professionals released Wednesday by Dimensional Research, almost every organization (98%) reported rapid growth in the number of identities it has to manage, driven by expanding cloud usage, more third-party partners, and machine identities. Businesses are also seeing more breaches as a result: 84% of firms suffered an identity-related breach in the past 12 months, compared with 79% in a previous study that covered a two-year period.

Source: https://www.darkreading.com/operations/identity-related-breaches-last-12-months

Europol Busts Phishing Gang Responsible for Millions in Losses

Europol on Tuesday announced the dismantling of an organized crime group that dabbled in phishing, fraud, scams, and money laundering activities.

The cross-border operation, which involved law enforcement authorities from Belgium and the Netherlands, led to the arrest of nine individuals in the Netherlands.

The suspects are men between the ages of 25 and 36 from Amsterdam, Almere, Rotterdam, and Spijkenisse and a 25-year-old woman from Deventer, according to a statement from the National Police Force.

Source: https://thehackernews.com/2022/06/europol-busts-phishing-gang-responsible.html

CISA is Developing Guidelines For Managing Cyber Supply Chain Risks

The Cybersecurity and Infrastructure Security Agency is developing a guide to help agencies overcome the challenges of managing cyber supply chain risks.

According to Brian Paap, Cyber Engineering Consultant at CISA, the agency has spent the past two years working out how to approach Cyber Supply Chain Risk Management (C-SCRM).

CISA recently ran a pilot designed to identify all of the measures required to stand up and sustain a C-SCRM program within federal departments and agencies.

Paap noted that CISA has recently developed an Overview and Guidelines document, which combines lessons from NIST SP 800-161 with elements of NIST SP 800-53 Rev. 5 and several other resources.

Source: https://governmentciomedia.com/cisa-developing-guidelines-managing-cyber-supply-chain-risks

Registration Open and Request for Information: ANSI July 27–29 Workshop on Global Supply Chain Security for Microelectronics Standardization

New York, June 22, 2022: The American National Standards Institute (ANSI) opened registration today for its workshop on global supply chain security for microelectronics standardization, being held on behalf of the U.S. Department of Defense (DoD). The workshop will take place on July 27–29 at the headquarters of Booz Allen Hamilton, 8283 Greensboro Dr., McLean, VA. While in-person participation is strongly encouraged, remote participation is available. Advance registration is requested by July 20. Note: you must be either a U.S. citizen or a U.S. lawful permanent resident to participate in the workshop. In-person attendees must be fully vaccinated or provide proof of a negative COVID-19 test taken within 5 days prior to the workshop.

Registration and the draft agenda are available on the ANSI website. Speakers should contact ANSI staff for a promo code.

Russian govt hackers hit Ukraine with Cobalt Strike, CredoMap malware

The Ukrainian Computer Emergency Response Team (CERT-UA) is warning that Russian hacking groups are exploiting the Follina code execution vulnerability in new phishing campaigns to install the CredoMap malware and Cobalt Strike beacons.

The APT28 hacking group is believed to be sending emails containing a malicious document named “Nuclear Terrorism A Very Real Threat.rtf”. The threat actors chose this subject to entice recipients to open the attachment, exploiting the fear among Ukrainians of a potential nuclear attack.

Threat actors also used a similar tactic in May 2022, when CERT-UA identified the dissemination of malicious documents warning about a chemical attack.

Source: https://www.bleepingcomputer.com/news/security/russian-govt-hackers-hit-ukraine-with-cobalt-strike-credomap-malware/

Cyber Insurance: Action Needed to Assess Potential Federal Response to Catastrophic Attacks

Cyber insurance can help offset costs of some common cyber risks, like data breaches or ransomware. But cyber risks are growing, and cyberattacks targeting critical infrastructure—like utilities or financial services—could affect entire systems and result in catastrophic financial loss.

Insurers and the government’s terrorism risk insurance may not be able to cover such losses. For example, the government’s insurance may only cover cyberattacks if they can be considered “terrorism” under its defined criteria.

Source: https://www.gao.gov/products/gao-22-104256

Software Supply Chain Risk Assessment (C-SCRM) Patent Issued to Reliable Energy Analytics (REA™)

REA is pleased to announce that it has been assigned U.S. patent number 11,374,961, with an effective issuance date of June 28, 2022, for its Software Assurance Guardian (SAG™) technology, “Methods for Verification of Software Object Authenticity and Integrity,” covering software products and the software supply chain (C-SCRM). REA began developing this patented technology to assess risk and trust in a software supply chain in November 2018, after the Federal Energy Regulatory Commission (FERC) issued Order 850, “Supply Chain Risk Management Reliability Standards” [18CFR40], to protect the bulk electric grid from software supply chain risks.

NASA Experts: ‘No Risk’ is No-Go in Cyber Risk Management

While many cybersecurity officials strive to achieve “no risk” when it comes to cyber risk management, officials from NASA this week explained that’s just not possible and suggested that agencies instead focus on managing risks that are important to the mission.

At the NASA SEWP (Solutions for Enterprise-Wide Procurement) SCRM Hybrid Forum 2022 on May 24, Joanne Woytek, program manager for the NASA SEWP program, explained how cyber risk management does not mean achieving zero risk.