At a glance.
- EU to open Silicon Valley office to monitor big tech.
- US Army working on Risk Management Framework 2.0.
- NIST requests comments on new 5G network publication.
- Joint advisory on 2021’s most exploited vulnerabilities.
EU to open Silicon Valley office to monitor big tech.
The EU has plans to set up shop in Silicon Valley in order to keep closer tabs on the tech giants like Apple, Google, and Meta that operate there and make sure they are adhering to European data regulations like the Digital Markets Act and the Digital Services Act. An EU official told Politico, “The EU plans to open an office in San Francisco, oriented towards the U.S. West Coast, including Silicon Valley, with a focus on digital policies and technology.” The new office will be run under the guidance of the EU’s existing Washington, DC office, which is overseen by the European External Action Service.
US Army working on Risk Management Framework 2.0.
Breaking Defense reports that the US Army is updating its cyber security risk management framework in an effort to minimize the governmental quicksand of bureaucracy. Speaking at the AFCEA TechNet Cyber 2022 conference this week, Army deputy chief of staff Lt. Gen. John Morrison said the Risk Management Framework 2.0 will help the Army to implement “continuous monitoring much faster so we spend a vast majority of our time actually focusing on the security of applications, systems and networks that are in operation and not spending, where we traditionally were, about 80% of our time just getting the paperwork ready so we could get an approval to operate.” The service will also establish an Army Risk Management Council, chaired by the Army’s G-3 and chief information officer, to determine what risk levels are acceptable and allocate resources to minimize risk where necessary. “We now have a mechanism to adjudicate that risk at the Army level that will help us move forward much more rapidly than we have in the past,” Morrison explained.
NIST requests comments on new 5G network publication.
The US National Institute of Standards and Technology (NIST) has released a preliminary draft publication aimed at detailing the cybersecurity capabilities of 5G technology and providing guidance to the network operators who will need to navigate the new demands and risk factors presented by 5G networks. “5G Cybersecurity Volume B: Approach, Architecture and Security Characteristics” uses NIST’s standalone 5G network, currently being constructed by the National Cybersecurity Center of Excellence (NCCoE), to demonstrate the possible usage scenarios 5G tech could present. NIST information technology specialist Jeff Cichonski, one of the publication’s authors, states, “Understanding what’s available can be critical to help operators and users of 5G understand and manage their cybersecurity risk when it comes to 5G.” NIST is requesting comments on the draft be submitted by June 27, 2022.
Joint advisory on 2021’s most exploited vulnerabilities.
The US Cybersecurity and Infrastructure Security Agency (CISA) announced the release of “2021 Top Routinely Exploited Vulnerabilities,” a joint cybersecurity advisory from CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre, the Canadian Centre for Cyber Security, the New Zealand National Cyber Security Centre, and the United Kingdom’s National Cyber Security Centre. Detailing the fifteen most common vulnerabilities exploited in 2021, the advisory is aimed at helping organizations understand the most prevalent vulnerabilities of the 20,000 disclosed last year and prioritize their mitigation efforts accordingly. CISA Director Jen Easterly explains, “We know that malicious cyber actors go back to what works, which means they target these same critical software vulnerabilities and will continue to do so until companies and organizations address them…We urge all organizations to assess their vulnerability management practices and take action to mitigate risk to the known exploited vulnerabilities.” NSA explains that recommended mitigation strategies include vulnerability and configuration management, identity and access management, and positive controls and architecture. Sami Khoury, Head of the Canadian Centre for Cyber Security, stated, “We encourage all organizations to take action and follow the appropriate mitigations in this report against known and routinely exploited vulnerabilities, and make themselves more secure.”
Andreas Berger, lead product engineer, application security at Dynatrace wrote to point out that the list is important to businesses, but that it's unlikely to surprise security teams:
“These findings should be of significant concern to business leaders, but ultimately won’t come as a surprise to their security teams. The simple truth is today’s applications contain countless known vulnerabilities because it’s become so much harder to weed them out. This is because organizations increasingly build applications on cloud-native architectures and with open-source code. While this accelerates innovation, it also creates complexity.
“Even with a robust layered approach to cybersecurity, many organizations still lack solutions that can see inside containerized applications, or understand the context needed to distinguish potential vulnerability from critical exposure. As a result, it’s very difficult for security teams to prioritize their workload effectively, so even the most well-documented vulnerabilities, like the Log4j library flaw, can go unchecked for months, or even years. It’s especially pertinent to see Log4Shell at the top of the list of the most routinely exploited vulnerabilities in 2021, as it was only discovered in the final month of the year – underscoring just how bad it was.
“To reduce their exposure risk to Log4Shell and many other critical vulnerabilities in their applications, organizations need the ability to see which code libraries are running in production in real time, and identify flaws that could affect the security of their data and customers. This can be achieved only by converging observability with security, so teams can identify exposures as they emerge in as near to real time as possible, and have the context needed to prioritize them based on business risk and impact. That’s only possible by combining full-stack observability, to eliminate blind spots, with AI and automation capabilities that can reveal the precise cause, nature, and severity of vulnerabilities as they arise.”