Cybersecurity Snapshot: New Guide Explains How To Assess if Software Is Secure by Design, While NIST Publishes GenAI Risk Framework

Is the software your company wants to buy securely designed? A new guide outlines how you can find out. Meanwhile, a new NIST framework can help you assess your GenAI systems’ risks. Plus, a survey shows a big disconnect between AI usage (high) and AI governance (low). And MITRE’s breach post-mortem brims with insights and actionable tips. And much more!

Dive into six things that are top of mind for the week ending May 10.

1 - How to assess if a tech product is secure by design

Buying a securely designed digital product can lower your risk of breaches, simplify cyber defense efforts and reduce costs. But how can you determine if the manufacturer built the software following secure-by-design principles?

To help organizations make this assessment, cyber agencies from the Five Eyes countries – Australia, Canada, New Zealand, U.S. and U.K. – this week published the guide “Secure-by-Design: Choosing Secure and Verifiable Technologies.”

The 40-page document seeks “to assist procuring organizations to make informed, risk-based decisions” about digital products and services, and is aimed at executives, cybersecurity teams, product developers, risk advisers, procurement specialists and others.

“It is important that customers increasingly demand manufacturers embrace and provide products and services that are secure-by-design and secure-by-default,” reads the guide.

The authoring agencies define the secure-by-design principles that software manufacturers should follow when building digital products and services. Here’s a sampling:

• Adopt a proactive, security-focused approach
• Align cybersecurity goals across all levels of the organization 
• Mitigate threats through software design, development, architecture and security measures
• Design, build and deliver software with fewer vulnerabilities

The guide is divided into two main sections: External procurement considerations, which is by far the longest; and internal procurement considerations. Topics covered include:

• Supply chain risk management
• Open source software usage
• Data sharing
• Development process
• Maintenance and support
• Contracts, licensing and service level agreements

In a related announcement, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week said that 68 major software manufacturers voluntarily committed to design their products with stronger security.

“More secure software is our best hope to protect against the seemingly never-ending scourge of cyberattacks facing our nation,” CISA Director Jen Easterly said in a statement about the secure-by-design pledge.

For more information about the secure-by-design concept:

• CISA’s “Secure by Design” home page
• “What Will It Take to Adopt Secure by Design Principles?” (Information Week)
• “10 security-by-design principles to include in the SDLC” (TechTarget)
• “Secure Product Design Cheat Sheet” (OWASP)
• “Lock Down the Software Supply Chain With 'Secure by Design'” (Dark Reading)
   

VIDEOS

Secure by Design (CISA)

Secure by Design: What does it mean? What does it take? (Center for Cyber Security Research) 

2 - NIST issues GenAI risk framework and secure software-development tips

If your organization uses generative AI but hasn’t yet formally assessed its risks, check out a new publication from the National Institute of Standards and Technology (NIST.)

Titled “Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile, it aims to help organizations “govern, map, measure and manage” risks that are inherent to generative AI or intensified by it. 

“These risks provide a clear lens through which organizations can frame and execute risk management efforts, and will be updated as the GAI landscape evolves,” the document reads.

 Some of the 12 risks discussed include:

• Easier access to information about chemical, biological, radiological, or nuclear weapons
• Production of incorrect information, also known as hallucinations
• Production of content that promotes violence and crime
• Leakage of individuals’ sensitive data
• Streamlined generation of misinformation
• Lowered barriers for carrying out cyberattacks 

NIST also published a guide for the secure development of generative AI, aimed at producers of AI models and AI systems, and at buyers of AI systems.

Titled “Secure Software Development Practices for Generative AI and Dual-Use Foundation Models,” it highlights challenges faced by generative AI developers, such as:

• The use of training data sets from unknown and untrusted sources
• Malicious tampering of model weights and other training parameters
• The inability to properly assess the security of models that are highly complex
• The use of prompts to trigger unauthorized outputs and to trigger injection attacks

“The goal of this document is to identify the practices and tasks needed to address these novel risks,” reads the publication.

For more information about using managing generative AI risks:

• “Managing the risks of generative AI: A playbook for risk executives” (PwC)
• “Proactive risk management in Generative AI” (Deloitte)
• “Implementing generative AI with speed and safety” (McKinsey)
• “Managing the Risks of Generative AI” (Harvard Business Review)

3 - Study: Most orgs adopt AI without usage policies, training

And continuing with the theme of AI governance, here’s more evidence that most organizations are using AI without proper guardrails.

According to an ISACA survey released this week, the majority of organizations have embraced AI while neglecting to implement a usage policy and offer employees training.

The survey of 3,270 “digital trust” professionals, such as those who work in cybersecurity, audit, governance, risk and privacy, found that while 70% of employees use AI, only 15% of organizations have a formal AI usage policy. 

Moreover, 40% of organizations offer no AI training at all, while 32% limit AI training to tech staff.

"AI is moving at a speed we haven’t seen before, with its use in organizations outpacing the policies, training and skills that are absolutely critical for making sure it is used securely,” Shannon Donahue, ISACA Chief Content and Publishing Officer, said in a statement.

Also concerning: just one-fourth of respondents say they’re “extremely” or “very” familiar with AI; 46% describe themselves as “beginners.” Meanwhile, a majority of respondents worry that hackers will exploit generative AI, and that bad actors will leverage AI to spread misinformation. Unfortunately, addressing AI risks is an immediate priority in only 35% of organizations.

To get more details, check out:

• The survey’s announcement: “The AI Reality: New Research from ISACA Identifies Gaps in AI Knowledge Training and Policies”
• The survey infographic: “The AI Reality: IT Pros Weigh in On Knowledge Gaps, Policies, Jobs Outlook and More”

4 - MITRE’s post-mortem on breach offers actionable tips, best practices

MITRE, recently breached by a nation-state attacker, has detailed the attack and its response, and offered recommendations for detection and network hardening.

In the blog “Advanced Cyber Threats Impact Even the Most Prepared,” MITRE said that the attackers targeted its Networked Experimentation, Research, and Virtualization Environment (NERVE) network by:

• Exploiting a VPN via Ivanti Connect Secure zero-day vulnerabilities
• Using session hijacking to sidestep multi-factor authentication
• Moving laterally and diving deep into its VMware infrastructure using a compromised admin account
• Using backdoors and webshells to maintain presence and steal credentials

“MITRE followed best practices, vendor instructions, and the government’s advice to upgrade, replace, and harden our Ivanti system, but we did not detect the lateral movement into our VMware infrastructure,” the blog reads.

These are some of the tactics, techniques and procedures MITRE observed during the breach:

In the blog “Technical Deep Dive: Understanding the Anatomy of a Cyber Intrusion, MITRE added more details, such as:

• The attackers initially accessed NERVE by deploying the ROOTROT webshell on an external-facing Ivanti appliance.
• They exploited Ivanti Connect Secure zero-day vulnerabilities before they were disclosed and patches were available.
• They interacted with VMware’s vCenter from the compromised Ivanti appliance, and established communication with multiple VMware ESXi hosts.
• They logged in to NERVE accounts via remote desktop protocol (RDP).
• By manipulating virtual machines, they took control over the infrastructure and moved laterally, deploying the BRICKSTORM backdoor and the BEEFLUSH webshell.

You can check out this detailed flowchart of how the attack against MITRE unfolded.

MITRE’s incident response efforts included:

• Containment, such as isolating impacted systems and network segments
• Governance and oversight, including the creation of a response committee led by MITRE’s CTO
• Forensic analysis efforts to understand the breach’s scope and techniques employed
• Remediation, including the replacement of the contained, compromised equipment with new compute, storage and networking resources

Among the recommended best practices are:

• Monitor VPN traffic to detect anomalous patterns
• Look for unusual user behavior by analyzing user logs
• Segment networks to limit lateral movement
• Engage the adversary with deception environments and honey tokens to learn more about its tactics
• Add strong network-access controls
• Regularly patch vulnerabilities and update systems
• Adopt least-privilege practices to limit the impact of stolen credentials
• Conduct regular vulnerability assessments

5 - CISA, FBI to software makers: Stamp out traversal vulnerabilities with secure design

And retaking the secure-by-design topic, the U.S. government said it has had it with traversal vulnerabilities, which remain prevalent although software vendors have known how to prevent them for decades.

Traversal vulnerabilities, which allow attackers to manipulate user inputs to access files and directories, could be eradicated if software manufacturers followed simple practices of secure software design.

So said CISA and the FBI said in an alert prompted by the recent exploitation of traversal vulnerabilities in ConnectWise ScreenConnect (CVE-2024-1708) and in Cisco AppDynamics Controller (CVE-2024-20345).

“Approaches to avoid directory traversal vulnerabilities are known, yet threat actors continue to exploit these vulnerabilities which have impacted the operation of critical services, including hospital and school operations,” CISA and the FBI said in a statement.

Recommendations for software manufacturers include:

• Conduct formal testing of all their products to determine if they’re affected by directory traversal vulnerabilities.
• Instead of naming files with user input, generate a random identifier for each file and store associated metadata separately – for example, in a database. 
• Alternatively, limit the character types allowed in file names and verify that uploaded files do not have executable permissions.

Meanwhile, CISA and the FBI also recommend that customers ask software vendors if they have tested their products for directory traversal vulnerabilities.

To get more details, check out:

• The joint statement “CISA and FBI Release Secure by Design Alert to Urge Manufacturers to Eliminate Directory Traversal Vulnerabilities”
• The full alert “Eliminating Directory Traversal Vulnerabilities in Software”
• Tenable’s entries for CVE-2024-1708 and CVE-2024-20345
• OWASP’s “Path Traversal” and “Testing Directory Traversal”
• MITRE’s Common Weakness Enumeration (CWE) 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

6 - A check on public cloud tagging practices

In our recent webinar “Tag, You’re It! Best Practices for Optimizing Your Tagging Strategy and Securing the Cloud’s Most Underrated Attack Vector,” we polled attendees about various cloud security issues. Check out what they said about unidentified cloud resources and about their policies for tagging public-cloud resources.

^{(64 webinar attendees polled by Tenable, April 2024)}

^{(70 webinar attendees polled by Tenable, April 2024)}

^{(62 webinar attendees polled by Tenable, April 2024)}

Want to learn how to improve tagging across hybrid cloud and multi-cloud environments? Watch the on-demand webinar “Tag, You’re It! Best Practices for Optimizing Your Tagging Strategy and Securing the Cloud’s Most Underrated Attack Vector.”

Topics include:

• Lessons learned from breaches caused by poor tagging and cloud-resource hygiene
• Strategic workflows to test automation scripts and exception handling
• How and why to use policy-as-code to enforce proper tagging and policy definition