Tasked with securing your org’s new AI systems? Check out a new Google paper with tips and best practices. Plus, open source security experts huddled at a conference this week – find out what they talked about. Also, Uncle Sam says it’s time to prep for deepfake attacks. And much more!
Dive into six things that are top of mind for the week ending September 15.
As businesses adopt artificial intelligence (AI) and cybersecurity teams get tasked with protecting these complex new systems, a fundamental question looms: When defending AI systems, what changes and what stays the same?
That’s the topic of the paper “Securing AI: Similar or Different?” published by Google’s Cybersecurity Action Team. It aims to parse out what’s common and what’s unique about AI security in these seven areas:
“By understanding the differences between securing a traditional enterprise software system and an AI system, organizations can develop a more comprehensive security strategy to protect their AI systems from a variety of security threats,” the paper reads.
In a blog about the paper titled “The Prompt: What to think about when you’re thinking about securing AI,” the authors broadly summarize the key differences and similarities in this way:
The paper also includes best-practice recommendations for AI system security, including:
To get more details:
Deepfakes represent such a danger to public- and private-sector organizations alike that they must be ready to identify and respond to these threats. That’s the word from the U.S. government, which this week published an 18-page guide titled “Contextualizing Deepfake Threats to Organizations,” intended to help organizations defend themselves from deepfake attacks.
Deepfakes are highly realistic multimedia created or manipulated using AI with the intention to misinform, trick and confuse people. Attackers use these maliciously crafted videos, photos and audio clips to create societal unrest, carry out fraud and damage the reputations of individuals and brands.
“Organizations can take a variety of steps to identify, defend against, and respond to deepfake threats,” reads the document, published by the National Security Agency (NSA), the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA).
Those steps include:
To get more details, check out the joint announcement from the NSA, FBI and CISA and the full guide “Contextualizing Deepfake Threats to Organizations”.
For more information about deepfake attacks:
VIDEOS
Stop deepfakes - How to counter presentation attacks (ENISA)
How synthetic media, or deepfakes, could soon change our world (60 Minutes)
Develop more education materials for hands-on and in-depth learning about open source software (OSS) security. Create more security guides. Improve OSS supply-chain integrity. Enhance OSS infrastructure and tooling.
Those are some of the initiatives the Linux Foundation’s Open Source Security Foundation (OpenSSF) plans to undertake in the coming year, the group announced at its “Secure Open Source Software Summit 2023” held in Washington, D.C. this week.
The event featured representatives from the U.S. federal government, including CISA, the National Science Foundation and the National Security Council, as well as from the private sector, including Amazon, Apple and Google.
“By bringing together a diverse group of stakeholders, we aim to foster a culture of collaboration and innovation in addressing the most critical security challenges facing open source software for the public good,” OpenSSF General Manager Omkhar Arasaratnam said in a statement.
Topics discussed at the summit included:
To get more details, check out the “Secure Open Source Software Vision Brief” the organization published at the event.
For more information about OSS security:
And continuing with the OpenSSF’s “Secure Open Source Software Summit 2023,” CISA announced its roadmap for OSS security at the event. Saying it’s focused on securing OSS in the U.S. federal government, as well as on helping make the OSS ecosystem safer for everyone, CISA said it expects to attain four key goals between fiscal years 2024 and 2026.
“We envision a world in which every critical OSS project is not only secure but sustainable and resilient, supported by a healthy, diverse, and vibrant community,” reads the eight-page “CISA Open Source Software Security Roadmap.”
Last month, CISA, the White House and other federal agencies issued a formal request for information (RFI) about OSS security, saying that the issue is critical because the use of OSS is widespread globally.
To get more details, check out CISA’s announcement of its OSS security roadmap and read the full roadmap document, as well as a blog about it from the OpenSSF.
During our recent webinar “Maximizing Your Cyber Resilience: Why Now is the Right Time to Transition from Vulnerability to Exposure Management,” we polled attendees about a number of related topics. Check out what they said about the size of their cyber toolset and about their ability to prioritize cyber risk across their attack surface.
(105 respondents polled by Tenable, August 2023)
(111 respondents polled by Tenable, August 2023)
For more insights about exposure management and its benefits, check out these Tenable resources:
Noting that ransomware gangs and their partners continue to adapt, the U.K. National Cyber Security Centre this week published a white paper to update cyber teams on the evolution of the ransomware ecosystem.
Titled “Ransomware, extortion and the cyber crime ecosystem,” the 26-page paper shifts the focus away from granular analysis of individual ransomware strains and attacks and puts it on the broader, interconnected supply chain of services, platforms, distributors and affiliates that all play a part.
Simplified Ransomware Workflow
(Source: “Ransomware, extortion and the cyber crime ecosystem” paper from the U.K. NCSC, September 2023)
The U.K. government’s strategy to disrupt ransomware activities “is based on understanding and undermining the increasingly sophisticated criminal ecosystem behind these threats, especially focusing on common enablers and vulnerabilities,” wrote James Babbage, Director of General Threats at the U.K. National Crime Agency (NCA), which contributed to the paper.
Topics covered include:
“The deployment of ransomware relies on a complex supply chain, so focussing on specific ransomware strains can be confusing at best, and unhelpful at worst. We hope that the publication of this white paper shines a light on the motivations of the threat actors further upstream,” reads the NCSC blog “Ransomware and the cyber crime ecosystem” about the paper.
For more information about ransomware:
VIDEO
Anatomy of a Threat: MOVEit (Tenable)
Juan has been writing about IT since the mid-1990s, first as a reporter and editor, and now as a content marketer. He spent the bulk of his journalism career at International Data Group’s IDG News Service, a tech news wire service where he held various positions over the years, including Senior Editor and News Editor. His content marketing journey began at Qualys, with stops at Moogsoft and JFrog. As a content marketer, he's helped plan, write and edit the whole gamut of content assets, including blog posts, case studies, e-books, product briefs and white papers, while supporting a wide variety of teams, including product marketing, demand generation, corporate communications, and events.