NIST Official: Revised Cybersecurity Supply-Chain Guidance Imminent
Source: Nextgov
Published: April 27, 2022
The National Institute of Standards and Technology is about to publish guidance for securing enterprises against supply chain hacks following the SolarWinds event and other major third-party attacks targeting critical infrastructure. “The flagship cybersecurity supply chain risk management guidance is [Special Publication 800-161],” NIST’s Angela Smith said. “We’re going to actually be releasing the first major revision—revision one—by the end of next week, so everybody should be on the lookout for that if you’ve not already had a chance to review some of the public drafts that have come out.”
Cybersecurity Threats in The Cloud Software Supply Chain
January 20, 2022 — Cybersecurity Threats in the Cloud Software Supply Chain
Register now for ATARC’s Cybersecurity Threats in the Cloud Software Supply Chain event on January 20, 2022, from 1:30 PM – 2:30 PM ET. High-profile software supply chain attacks, such as SolarWinds and Kaseya VSA, have shed a glaring light on the disparity between agencies’ perceptions of security within their cloud infrastructure and the reality of supply chain threats that can impact business catastrophically. Tune in to this panel to hear what topic experts have to say on threat assessment within the cloud, and how the Executive Order impacted agencies’ cloud security practices. Register here.
SolarWinds Public Sector Cybersecurity Survey Report 2021
SolarWinds released the findings of its seventh Public Sector Cybersecurity Survey Report. The Public Sector Cybersecurity Survey Report includes responses from 400 IT operations and security decision makers, including 200 federal, 100 state and local, and 100 education respondents.
“These results demonstrate that while IT security threats have increased—primarily from the general hacking community and foreign governments—the ability to detect and remediate such threats has not increased at the same rate, leaving public sector organizations vulnerable,” said Brandon Shopp, Group Vice President, Product Strategy, SolarWinds. “But the data also shows an increased awareness and adoption of zero trust, as well as a commitment to invest in IT solutions and adopt cybersecurity best practices outlined in the Administration’s Cybersecurity Executive Order. It’s through these steps that public sector organizations can enhance their cybersecurity posture and fight the rising tide of external threats.”
On the Feasibility of Detecting Software Supply Chain Attacks
Published in: MILCOM 2021 – 2021 IEEE Military Communications Conference (MILCOM)
Date of Conference: 29 Nov.-2 Dec. 2021
The Supply chain attack is the stealthy and sophisticated cyberattack that aims to compromise a target by exploiting weaknesses and vulnerabilities in its supply chain. Recent supply chain attacks (e.g., SolarWinds attack) have compromised some of the most secured IT infrastructures of government agencies and enterprises. The European Union Agency for Cybersecurity, ENISA, has predicted that there will be 3 times more supply chain attacks in 2021 than in 2020. In this paper, we look into the problem of supply chain attacks, the challenges of defending software supply chain attacks. We analyze what it takes to effectively prevent software supply chain attacks, and show that it is indeed feasible and practical for the customers to detect certain software supply chain attacks. We propose an information flow based detection approach that enables end users to detect many software supply chain attacks without dealing with any of the underlying software suppliers.
Log4j Highlights Need for Better Handle on Software Dependencies
Dark Reading
January 3, 2022
Log4j Highlights Need for Better Handle on Software Dependencies
It’s a new year and the cybersecurity community now faces the long-term consequences of yet another software supply chain security nightmare. After a year full of application security zero-day fallout, the Log4j vulnerability debacle (also referred to as Log4Shell) was like a thematic bookend for 2021 that closed out the year much in the way SolarWinds started it. The real-world consequences of these incidents schooled enterprise IT teams in too many ways to count. But perhaps the most important lesson to bubble up is how much work many organizations need to do to truly understand and manage what code is running under the hood across their software portfolios. Like the SolarWinds incident before it, the Log4j fiasco highlighted how many hidden software dependencies exist in enterprise software — and how hard it is to stamp out critical underlying flaws when these dependencies aren’t sufficiently understood.
Rocky Mountain Cyberspace Symposium 2022
Rocky Mountain Cyberspace Symposium 2022 (eventsquid.com)
Rocky Mountain Cyberspace Symposium 2022 AFCEA Rocky Mountain Chapter
Mon, February 21, 2022 — Thu, February 24, 2022
The Rocky Mountain Cyberspace Symposium’s theme this year is: “Securing Partnerships and Technologies.” Modern organizations, whether Federal or Commercial, are increasingly interdependent on each other for mission critical pieces of their operations. Events in late 2020 and early 2021 highlighted some of the risks and vulnerabilities that can come with this dependence. Whether it is supply chain risk as demonstrated by the SolarWinds hack, or more traditional exploitations like those seen against Microsoft Exchange; as we all increasingly rely on trusted partners for our success, a critical look at existing and new strategies for securing our shared requirements becomes necessary.
Register at the link above by February 24, 2022 @ 12:00 pm