Looking for help with shadow AI? Want to boost your software updates’ safety? New publications offer valuable tips. Plus, learn why GenAI and data security have become top drivers of cyber strategies. And get the latest on the top “no-nos” for software security; the EU’s new cyber law; and CISOs’ communications with boards.

Dive into six things that are top of mind for the week ending Oct. 25.

1 - CSA: How to prevent “shadow AI” 

As organizations scale up their AI adoption, they must closely track their AI assets to secure them and mitigate their cyber risk. This includes monitoring the usage of unapproved AI tools by employees — an issue known as “shadow AI.”

So how do you identify, manage and prevent shadow AI? You may find useful ideas in the Cloud Security Alliance’s new “AI Organizational Responsibilities: Governance, Risk Management, Compliance and Cultural Aspects” white paper.

The white paper covers shadow AI topics including:

• Creating a comprehensive inventory of AI systems
• Conducting gap analyses to spot discrepancies between approved and actual AI usage
• Implementing ways to detect unauthorized AI wares
• Establishing effective access controls
• Deploying monitoring techniques

“By focusing on these key areas, organizations can significantly reduce the risks associated with shadow AI, ensuring that all AI systems align with organizational policies, security standards, and regulatory requirements,” the white paper reads.

For example, to create an inventory that offers the required visibility into AI assets, the document explains different elements each record should have, such as:

• The asset’s description
• Information about its AI models
• Information about its data sets and data sources
• Information about the tools used for its development and deployment
• Detailed documentation about its lifecycle, regulatory compliance, ethical considerations and adherence to industry standards
• Records of its access control mechanisms

Shadow AI is one of four topics covered in the publication, which also unpacks risk management; governance and compliance; and safety culture and training.

To get more details, read:

• The full “AI Organizational Responsibilities: Governance, Risk Management, Compliance and Cultural Aspects” white paper
• A complementary slide presentation
• The CSA blog “Shadow AI Prevention: Safeguarding Your Organization’s AI Landscape”

For more information about AI security issues, including shadow AI, check out these Tenable blogs:

• “Do You Think You Have No AI Exposures? Think Again”
• “Securing the AI Attack Surface: Separating the Unknown from the Well Understood”
• “Never Trust User Inputs -- And AI Isn't an Exception: A Security-First Approach”
• “6 Best Practices for Implementing AI Securely and Ethically”
• “Compromising Microsoft's AI Healthcare Chatbot Service”

2 - Best practices for secure software updates

The security and reliability of software updates took center stage in July when an errant update caused massive and unprecedented tech outages globally.

To help prevent such episodes, U.S. and Australian cyber agencies have published “Safe Software Deployment: How Software Manufacturers Can Ensure Reliability for Customers.”

“It is critical for all software manufacturers to implement a safe software deployment program supported by verified processes, including robust testing and measurements,” reads the 12-page document.

Although the guide is aimed primarily at commercial software vendors, its recommendations can be useful for any organization with software development teams that deploy updates internally.

The guide outlines key steps for a secure software development process, including planning; development and testing; internal rollout; and controlled rollout. It also addresses errors and emergency protocols.

“A safe software deployment process should be integrated with the organization’s SDLC, quality program, risk tolerance, and understanding of the customer’s environment and operations,” reads the guide, authored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the Australian Cyber Security Centre.

To get more details, read:

• The “Safe Software Deployment: How Software Manufacturers Can Ensure Reliability for Customers” guide
• The CISA alert “CISA, US, and International Partners Release Joint Guidance to Assist Software Manufacturers with Safe Software Deployment Processes”

For more information about secure software updates:

• “Tenable’s Software Update Process Protects Customers’ Business Continuity with a Safe, Do-No-Harm Design” (Tenable)
• “The critical importance of robust release processes” (Cloud Native Computing Foundation)
• “Software Deployment Security: Risks and Best Practices” (DevOps.com)
• “Software Updates, A Double-Edged Sword for Cybersecurity Professionals” (Infosecurity)
• “DevOps Best Practices for Faster and More Reliable Software Delivery” (DevOps.com)

3 - Report: GenAI, attack variety, data security drive cyber strategies

What issues act as catalysts for organizations’ cybersecurity actions today? Hint: They’re fairly recent concerns. The promise and peril of generative AI ranks first. It’s closely followed by the ever growing variety of cyberattacks; and by the intensifying urgency to protect data.

That’s according to CompTIA’s “State of Cybersecurity 2025” report, based on a survey of almost 1,200 business and IT pros in North America and in parts of Europe and Asia. 

These three key factors, along with others like the scale of attacks, play a critical role in how organizations currently outline their cybersecurity game plans.

“Understanding these drivers is essential for organizations to develop proactive and adaptive cybersecurity strategies that address the evolving threat landscape and safeguard their digital assets,” reads a CompTIA blog about the report.

Organizations are eagerly trying to understand both how generative AI can help their cybersecurity programs and how this technology is being used by malicious actors to make cyberattacks harder to detect and prevent.

Meanwhile, concern about data protection has ballooned in the past couple of years. “As organizations become more data-driven, the need to protect sensitive information has never been more crucial,” reads the blog.

Not only are organizations focused on securing data at rest, in transit and in use, but they’re also creating foundational data-management practices, according to the report.

“The rise of AI has accelerated the need for robust data practices in order to properly train AI algorithms, and the demand for data science continues to be strong as businesses seek competitive differentiation,” the report reads.

To get more details, read:

• The report’s announcement “Cybersecurity success hinges on full organizational support, new CompTIA report asserts”
• CompTIA’s blogs “Today’s top drivers for cybersecurity strategy” and “Cybersecurity’s maturity: CompTIA’s State of Cybersecurity 2025 report”
• The full “State of Cybersecurity 2025” report

For more information about data security posture management (DSPM) and preventing AI-powered attacks, check out these Tenable resources:

• “Harden Your Cloud Security Posture by Protecting Your Cloud Data and AI Resources” (blog)
• “Know Your Exposure: Is Your Cloud Data Secure in the Age of AI?” (on-demand webinar)
• “The Data-Factor: Why Integrating DSPM Is Key to Your CNAPP Strategy” (blog)
• “Mitigating AI-Related Security Risks” (on-demand webinar)
• “Securing the AI Attack Surface: Separating the Unknown from the Well Understood” (blog)

4 - CISA lists software dev practices most harmful for security

Recommended best practices abound in the cybersecurity world. However, CISA and the FBI are taking the opposite tack in their quest to improve the security of software products: They just released a list of the worst security practices that software manufacturers ought to avoid.

Titled “Product Security Bad Practices,” the document groups the “no-nos” into three main categories: product properties; security features; and organizational processes and policies.

“It’s 2024, and basic, preventable software defects continue to enable crippling attacks against hospitals, schools, and other critical infrastructure. This has to stop,” CISA Director Jen Easterly said in a statement.

“These product security bad practices pose unacceptable risks in this day and age, and yet are all too common,” she added.

Here are some of the worst practices detailed in the document, which is part of CISA’s “Secure by Design” effort:

• Using programming languages considered “memory unsafe”
• Including user-provided input in SQL query strings
• Releasing a product with default passwords
• Releasing a product with known and exploited vulnerabilities
• Not using multi-factor authentication
• Failing to disclose vulnerabilities in a timely manner

Although the guidance is aimed primarily at software makers whose products are used by critical infrastructure organizations, the recommendations apply to all software manufacturers.

If you’re interested in sharing your feedback with CISA and the FBI, you can submit comments about the document until December 16, 2024 on the Federal Register.

To get more details, check out:

• CISA’s announcement “CISA and FBI Release Product Security Bad Practices for Public Comment”
• The full document “Product Security Bad Practices”

For more information about how to develop secure software:

• “Tenable Partners with CISA to Enhance Secure By Design Practices” (Tenable)
• “Ensuring Application Security from Design to Operation with DevSecOps” (DevOps.com)
• “What is application security?” (TechTarget)
• “Guidelines for Software Development (Australian Cyber Security Centre)

5 - New EU law focuses on cybersecurity of connected digital products

Makers of digital products — both software and hardware — that directly or indirectly connect to networks and to other devices will have to comply with specific cybersecurity safeguards in the European Union.

A newly adopted law known as the “Cyber Resilience Act” outlines cybersecurity requirements for the design, development, production and lifecycle maintenance of these types of products, including IoT wares such as connected cars.

For example, it specifies a number of “essential cybersecurity requirements” for these products, including that they:

• Aren’t shipped with known exploitable vulnerabilities
• Feature a “secure by default” configuration
• Can fix their vulnerabilities via automatic software updates
• Offer access protection via control mechanisms, such as authentication and identity management
• Protect the data they store, transmit and process using, for example, at-rest and in-transit encryption

“The new regulation aims to fill the gaps, clarify the links, and make the existing cybersecurity legislative framework more coherent, ensuring that products with digital components (...) are made secure throughout the supply chain and throughout their lifecycle,” reads a statement from the EU’s European Council.

The law will “enter into force” after its publication in the EU’s official journal and will apply and be enforceable 36 months later, so most likely in October 2027 or November 2027. However, some of its provisions will be enforceable a year prior.

For more information and analysis about the EU’s Cyber Resilience Act:

• “Cyber Resilience Act Requirements Standards Mapping” (ENISA)
• “The Cyber Resilience Act, an Accidental European Alien Torts Statute?” (Lawfare)
• “EU Cybersecurity Regulation Adopted, Impacts Connected Products” (National Law Review)
• “Open source foundations unite on common standards for EU’s Cyber Resilience Act” (TechCrunch)
• “The Cyber Resilience Act: A New Era for Mobile App Developers” (DevOps.com)

VIDEO

The EU Cyber Resilience Act: A New Era for Business Engagement in Open Source Software (Linux Foundation) 

6 - UK cyber agency: CISOs must communicate better with boards

CISOs and boards of directors are struggling to understand each other, and this is increasing their organizations’ cyber risk, new research from the U.K.’s cyber agency has found.

For example, in one alarming finding, 80% of respondents, which included board members, CISOs and other cyber leaders in medium and large enterprises, confessed to being unsure of who is ultimately accountable for cybersecurity in their organizations.

“We found that in many organisations, the CISO (or equivalent role) thought that the Board was accountable, whilst the Board thought it was the CISO,” reads a blog about the research titled “How to talk to board members about cyber.”

As a result, the U.K. National Cyber Security Centre (NCSC) has released new guidance aimed at helping CISOs better communicate with their organizations’ boards titled “Engaging with Boards to improve the management of cyber security risk.”

“Cyber security is a strategic issue, which means you must engage with Boards on their terms and in their language to ensure the cyber risk is understood, managed and mitigated,” the document reads.

Here’s a small sampling of the advice:

• Understand your audience, including who are the board’s members and their areas of expertise; and how the board works, such as its meeting formats and its committees.
• Talk about cybersecurity in terms of risks, and outline these risks concretely and precisely, presenting them in a matter-of-fact way.
• Don’t limit your communication with board members to formal board meetings. Look for opportunities to talk to them individually or in small groups outside of these board meetings.
• Elevate the discussions so that you link cybersecurity with your organization’s business challenges, goals and context.
• Aim to provide a holistic view, and avoid using technical jargon.
• Aim to advise instead of to educate.

The CISA Known Exploited Vulnerabilities (KEV) catalog and enhanced logging guidelines are among the new measurement tools added for the 2024 State and Local Cybersecurity Grant Program.

Last month, the Department of Homeland Security announced the availability of $279.9 million in grant funding for the Fiscal Year (FY) 2024 State and Local Cybersecurity Grant Program (SLCGP). Now in its third year, the four-year, $1 billion program provides funding for State, Local and Territorial (SLT) governments to implement cybersecurity solutions that address the growing threats and risks to their information systems. Applications must be submitted by December 3, 2024.

While there are no significant modifications to the program for FY 2024, the Federal Emergency Management Agency (FEMA), which administers SLCGP in coordination with the Cybersecurity and Infrastructure Security Agency (CISA), identified key changes, some of which we highlight below:

The FY 2024 NOFO adds CISA’s KEV catalog as a new performance measure and recommended resource

The FY 2024 notice of funding opportunity (NOFO) adds the CISA Known Exploited Vulnerabilities (KEV) catalog as a recommended resource to encourage governments to regularly view information related to cybersecurity vulnerabilities confirmed by CISA, prioritizing those exploited in the wild. In addition, CISA has added “Addressing CISA-identified cybersecurity vulnerabilities” to the list of performance measures it will collect through the duration of the program.

Tenable offers fastest, broadest coverage of CISA’s KEV catalog

At Tenable, our goal is to help organizations identify their cyber exposure gaps as accurately and quickly as possible. To achieve this goal, we have research teams around the globe working to provide precise and prompt coverage for new threats as they are discovered. Tenable monitors and tracks additions to the CISA KEV catalog on a daily basis and prioritizes developing new detections where they do not already exist.

Tenable updates the KEV coverage of its vulnerability management products — Tenable Nessus, Tenable Security Center and Tenable Vulnerability Management — allowing organizations to use KEV catalog data as an additional prioritization metric when figuring out what to fix first. The ready availability of this data in Tenable products can help agencies meet the SLCGP performance measures. This blog offers additional information on Tenable’s coverage of CISA’s KEV catalog.

FY 2024 NOFO adds “Adopting Enhanced Logging” as a new performance measure

The FY 2024 NOFO also adds “Adopting Enhanced Logging” to the list of performance measures CISA will collect throughout the program duration.

How Tenable’s library of compliance audits can help with Enhanced Logging

Tenable's library of Compliance Audits, including Center for Internet Security (CIS) and Defense Information Systems Agency (DISA), allows organizations to assess systems for compliance, including ensuring Enhanced Logging is enabled. Tenable's vulnerability management tools enable customers to easily schedule compliance scans. Users can choose from a continuously updated library of built-in audits or upload custom audits. By conducting these scans regularly, organizations can ensure their systems are secure and maintain compliance with required frameworks.

FY 2024 NOFO continues to require applicants to address program objectives in their applications

As with previous years, the FY 2024 NOFO sets four program objectives. Applicants must address at least one of the following in their applications:

• Objective 1: Develop and establish appropriate governance structures, including by developing, implementing, or revising Cybersecurity Plans, to improve capabilities to respond to cybersecurity incidents, and ensure operations.
• Objective 2: Understand their current cybersecurity posture and areas for improvement based on continuous testing, evaluation, and structured assessments.
• Objective 3: Implement security protections commensurate with risk.
• Objective 4: Ensure organization personnel are appropriately trained in cybersecurity, commensurate with responsibility.

How Tenable can help agencies meet Objective 2 of the program

Tenable is uniquely positioned to help SLTs meet Objective 2 through the Tenable One Exposure Management Platform. In addition to analyzing traditional IT environments, Tenable One analyzes cloud instances, web applications, critical infrastructure environments, identity access and privilege solutions such as Active Directory and more — including highly dynamic assets like mobile devices, virtual machines and containers. Once the complete attack surface is understood, the Tenable One platform applies a proactive risk-based approach to managing exposure, allowing SLT agencies to successfully meet each of the sub-objectives outlined in Objective 2 (see table below).

Source: Tenable, October 2024

Tenable One deployment options offer flexibility for SLT agencies

Tenable offers SLT agencies flexibility in their implementation models to help them best meet the requirements and objectives outlined as part of the SLCGP. Deployment models include:

• Centralized risk-based vulnerability program managed by a state Department of Information Technology (DoIT)
• Multi-entity projects
• Decentralized deployments of Tenable One managed by individual municipalities,
• Managed Security Service Provider (MSSP) models that allow agencies to rapidly adopt solutions by utilizing Tenable’s Technology Partner network.

Whole-of-state approach enables state-wide collaboration and cooperation

A “whole-of-state” approach — which enables state-wide collaboration to improve the cybersecurity posture of all stakeholders — allows state governments to share resources to support cybersecurity programs for local government entities, educational institutions and other organizations. Shared resources increase the level of defense for SLTs both individually and as a community and reduce duplication of work and effort. States get real-time visibility into all threats and deploy a standard strategy and toolset to improve cyber hygiene, accelerate incident response and reduce statewide risk. For more information, read Protecting Local Government Agencies with a Whole-of-State Cybersecurity Approach.

FY 2024 NOFO advises SLT agencies to adopt key cybersecurity best practices

As in previous years, the FY 2024 NOFO again recommends SLT agencies adopt key cybersecurity best practices. To do this, they are required to consult the CISA Cross-Sector Cybersecurity Performance Goals (CPGs) throughout their development of plans and projects within the program. This is also a statutory requirement for receiving grant funding.

How Tenable One can help agencies meet the CISA CPGs

The CISA CPGs are a prioritized subset of cybersecurity practices aimed at meaningfully reducing risk to critical infrastructure operations and the American people. They provide a common set of IT and operational technology (OT) fundamental cybersecurity best practices to help SLT agencies address some of the most common and impactful cyber risks. Learn more about how Tenable One can help agencies meet the CISA CPGs here.

Learn more

• $1 Billion State and Local Cybersecurity Grant Program Now Open for Applicants
• Protecting Local Government Agencies with a Whole-of-State Cybersecurity Approach
• How to Meet FY 2023 U.S. State and Local Cybersecurity Grant Program Objectives
• New U.S. SLCGP Cybersecurity Plan Requirement: Adopt Cybersecurity Best Practices Using CISA's CPGs
• Study: Tenable Offers Fastest, Broadest Coverage of CISA's KEV Catalog

Should critical infrastructure orgs boost OT/ICS systems’ security with zero trust? Absolutely, the CSA says. Meanwhile, the Five Eyes countries offer cyber advice to tech startups. Plus, a survey finds “shadow AI” weakening data governance. And get the latest on MFA methods, CISO trends and Uncle Sam’s AI strategy.

Dive into six things that are top of mind for the week ending Nov. 1.

1 - Securing OT/ICS in critical infrastructure with zero trust

As their operational technology (OT) computing environments become more digitized, converged with IT systems and cloud-based, critical infrastructure organizations should beef up their cybersecurity by adopting zero trust principles.

That’s the key message of the Cloud Security Alliance’s “Zero Trust Guidance for Critical Infrastructure,” which focuses on applying zero trust methods to OT and industrial control system (ICS) systems.

While OT/ICS environments were historically air gapped, that’s rarely the case anymore. “Modern systems are often interconnected via embedded wireless access, cloud and other internet-connected services, and software-as-a-service (SaaS) applications,” reads the 64-page white paper, which was published this week.

The CSA hopes the document will help cybersecurity teams and OT/ICS operators enhance the way they communicate and collaborate.

Among the topics covered are:

• Critical infrastructure’s unique threat vectors
• The convergence of IT/OT with digital transformation
• Architecture and technology differences between OT and IT

The guide also outlines this five-step process for implementing zero trust in OT/ICS environments:

• Define the surface to be protected
• Map operational flows
• Build a zero trust architecture
• Draft a zero trust policy
• Monitor and maintain the environment

A zero trust strategy boosts the security of critical OT/ICS systems by helping teams “keep pace with rapid technological advancements and the evolving threat landscape,” Jennifer Minella, the paper’s lead author, said in a statement.

To get more details, read:

• The report’s announcement “New Paper from Cloud Security Alliance Examines Considerations and Application of Zero Trust Principles for Critical Infrastructure”
• The full report “Zero Trust Guidance for Critical Infrastructure”
• A complementary slide presentation

For more information about OT systems cybersecurity, check out these Tenable resources: 

• “What is operational technology (OT)?” (guide)
• “Discover, Measure, and Minimize the Risk Posed by Your Interconnected IT/OT/IoT Environments” (on-demand webinar)
• “How To Secure All of Your Assets - IT, OT and IoT - With an Exposure Management Platform” (blog)
• “Blackbox to blueprint: The security leader’s guidebook to managing OT and IT risk” (white paper)
• “Tenable Cloud Risk Report 2024” (white paper)

2 - Five Eyes publish cyber guidance for tech startups

Startup tech companies can be attractive targets for hackers, especially if they have weak cybersecurity and valuable intellectual property (IP).

To help startups prevent cyberattacks, the Five Eyes countries this week published cybersecurity guides tailored for these companies and their investors.

“This guidance is designed to help tech startups protect their innovation, reputation, and growth, while also helping tech investors fortify their portfolio companies against security risks," Mike Casey, U.S. National Counterintelligence and Security Center Director, said in a statement.

These are the top five cybersecurity recommendations from Australia, Canada, New Zealand, the U.S. and the U.K. for tech startups:

• Be aware of threat vectors, including malicious insiders, insecure IT and supply chain risk.
• Identify your most critical assets and conduct a risk assessment to pinpoint vulnerabilities.
• Build security into your products by managing intellectual assets and IP; monitoring who has access to sensitive information; and ensuring this information’s protection.
• Conduct due diligence when choosing partners and make sure they’re equipped to protect the data you share with them.
• Before you expand abroad, prepare and become informed about these new markets by, for example, understanding local laws in areas such as IP protection and data protection.

“Sophisticated nation-state adversaries, like China, are working hard to steal the intellectual property held by some of our countries’ most innovative and exciting startups,” Ken McCallum, Director General of the U.K.’s MI5, said in a statement.

To get more details, check out these Five Eyes’ cybersecurity resources for tech startups:

• The announcement “Five Eyes Launch Shared Security Advice Campaign for Tech Startups”
• The main guides: 
  • “Secure Innovation: Security Advice for Emerging Technology Companies”
  • “Secure Innovation: Security Advice for Emerging Technology Investors”
• These complementary documents:
  • “Secure Innovation: Scenarios and Mitigations”
  • “Secure Innovation: Travel Security Guidance”
  • “Secure Innovation: Due Diligence Guidance”
  • “Secure Innovation: Companies Summary”

3 - Survey: Unapproved AI use impacting data governance

Employees’ use of unauthorized AI tools is creating compliance issues in a majority of organizations. Specifically, it makes it harder to control data governance and compliance, according to almost 60% of organizations surveyed by market researcher Vanson Bourne.

“Amid all the investment and adoption enthusiasm, many organisations are struggling for control and visibility over its use,” reads the firm’s “AI Barometer: October 2024” publication. Vanson Bourne polls 100 IT and business executives each month about their AI investment plans.

To what extent do you think the unsanctioned use of AI tools is impacting your organisation's ability to maintain control over data governance and compliance?

^{(Source: Vanson Bourne’s “AI Barometer: October 2024”)}

Close to half of organizations surveyed (44%) believe that at least 10% of their employees are using unapproved AI tools.

On a related front, organizations are also grappling with the issue of software vendors that unilaterally and silently add AI features to their products, especially to their SaaS applications.

While surveyed organizations say they’re reaping advantages from their AI usage, “such benefits are dependent on IT teams having the tools to address the control and visibility challenges they face,” the publication reads.

For more information about the use of unapproved AI tools, an issue also known as “shadow AI,” check out:

• “Do You Think You Have No AI Exposures? Think Again” (Tenable)
• “Shadow AI poses new generation of threats to enterprise IT” (TechTarget)
• “10 ways to prevent shadow AI disaster” (CIO)
• “Never Trust User Inputs -- And AI Isn't an Exception: A Security-First Approach” (Tenable)
• “Shadow AI in the ‘dark corners’ of work is becoming a big problem for companies” (CNBC)

VIDEO

Shadow AI Risks in Your Company

4 - NCSC explains nuances of multi-factor authentication

Multi-factor authentication (MFA) comes in a variety of flavors, and understanding the differences is critical for choosing the right option for each use case in your organization.

To help cybersecurity teams better understand the different MFA types and their pluses and minuses, the U.K. National Cyber Security Centre (NCSC) has updated its MFA guidance.

“The new guidance explains the benefits that come with strong authentication, while also minimising the friction that some users associate with MFA,” reads an NCSC blog.

In other words, what type of MFA method to use depends on people’s roles, how they work, the devices they use, the applications or services they’re accessing and so on.

Topics covered include:

• Recommended types of MFA, such as FIDO2 credentials, app-based and hardware-based code generators and message-based methods
• The importance of using strong MFA to secure users’ access to sensitive data
• The role of trusted devices in boosting and simplifying MFA
• Bad practices that weaken MFA’s effectiveness, such as:
  • Retaining weaker, password-only authentication protocols for legacy services
  • Excluding certain accounts from MFA requirements because their users, usually high-ranking officials, find MFA inconvenient

To get more details, read:

• The NCSC blog “Not all types of MFA are created equal”
• The NCSC guide “Multi-factor authentication for your corporate online services”

For more information about MFA:

• “Multifactor Authentication Cheat Sheet” (OWASP)
• “Deploying Multi Factor Authentication – The What, How, and Why” (SANS Institute)
• “How MFA gets hacked — and strategies to prevent it” (CSO)
• “How Multifactor Authentication Supports Growth for Businesses Focused on Zero Trust” (BizTech)
• “What is multi-factor authentication?” (TechTarget)

5 - U.S. gov’t outlines AI strategy, ties it to national security 

The White House has laid out its expectations for how the federal government ought to promote the development of AI in order to safeguard U.S. national security.

In the country’s first-ever National Security Memorandum (NSM) on AI, the Biden administration said the federal government must accomplish the following:

• Ensure the U.S. is the leader in the development of safe, secure and trustworthy AI
• Leverage advanced AI technologies to boost national security
• Advance global AI consensus and governance

“The NSM’s fundamental premise is that advances at the frontier of AI will have significant implications for national security and foreign policy in the near future,” reads a White House statement.

The NSM’s directives to federal agencies include:

• Help improve the security of chips and support the development of powerful supercomputers to be used by AI systems.
• Help AI developers protect their work against foreign spies by providing them with cybersecurity and counterintelligence information.
• Collaborate with international partners to create a governance framework for using AI in a way that is ethical, responsible and respects human rights. 

The White House also published a complementary document titled “Framework To Advance AI Governance and Risk Management in National Security,” which adds implementation details and guidance for the NSM.

6 - State CISOs on the frontlines of AI security

As the cybersecurity risks and benefits of AI multiply, most U.S. state CISOs find themselves at the center of their governments' efforts to craft AI security strategies and policies.

That’s according to the “2024 Deloitte-NASCIO Cybersecurity Study,” which surveyed CISOs from all 50 states and the District of Columbia.

Specifically, 88% of state CISOs reported being involved in the development of a generative AI strategy, while 96% are involved with creating a generative AI security policy.

However, their involvement in AI cybersecurity matters isn’t necessarily making them optimistic about their states’ ability to fend off AI-boosted attacks.

None said they feel “extremely confident” that their state can prevent AI-boosted attacks, while only 10% reported feeling “very confident.” The majority (43%) said they feel “somewhat confident” while the rest said they are either “not very confident” or “not confident at all.”

Naturally, most state CISOs see AI-enabled cyberthreats as significant, with 71% categorizing them as either “very high threat” (18%) or “somewhat high threat” (53%).

At the same time, state CISOs see the potential for AI to help their cybersecurity efforts, as 41% are already using generative AI for cybersecurity, and another 43% have plans to do so by mid-2025.

Other findings from the "2024 Deloitte-NASCIO Cybersecurity Study" include:

• 4 in 10 state CISOs feel their budget is insufficient.
• Almost half of respondents rank cybersecurity staffing as one of the top challenges.
• In the past two years, 23 states have hired new CISOs, as the median tenure of a state CISO has dropped to 23 months, down from 30 months in 2022.
• More state CISOs are taking on privacy protection duties — 86% are responsible for privacy protection, up from 60% two years ago.

For more information about CISO trends:

• “What’s important to CISOs in 2024” (PwC)
• “The CISO’s Tightrope: Balancing Security, Business, and Legal Risks in 2024” (The National CIO Review)
• “State of CISO Leadership: 2024” (SC World)
• “4 Trends That Will Define the CISO's Role in 2024” (SANS Institute)

Preventing data loss, complying with regulations, automating workflows and managing access are four key challenges facing financial institutions. Learn how Tenable can help.

Imagine a bustling bank, made not of bricks and mortar, but of a swirling mass of data in the cloud. Account numbers, transaction histories and personally identifiable information (PII) zip across servers, powering the financial world. Holding all this sensitive data requires tremendous care. Therefore, securing this sensitive information is paramount.

This is where Tenable Cloud Security steps in, offering a data security shield specifically designed for the unique needs of financial institutions.

The challenge: A data deluge demands vigilance

Financial institutions generate massive volumes of data daily. While the public cloud offers unparalleled capacity to store such data, along with agility and scalability, the cloud also expands the attack surface. Legacy cybersecurity solutions are often unable to manage — let alone secure — the sheer volume of data and the variety of ways it is accessed, leaving organizations exposed to malicious actors. At the same time, financial institutions must keep up with new and evolving compliance standards and regulations set forth by governing bodies. Financial institutions need a security platform that helps them protect their data and maintain compliance.

Tenable Cloud Security’s advantage: Seeing beyond the walls

Tenable Cloud Security actively scrutinizes every corner of the cloud data vault, continuously and automatically.

"Without [Tenable Cloud Security], we would've been virtually blind to risks and threats impacting our sensitive data. [Tenable Cloud Security] allows us to preempt any issues and meet the requirements we're receiving from our business partners, with minimal effort.

— VP Security at a leading Fintech platform

Here's how Tenable empowers financial institutions:

• Protecting sensitive data: Tenable doesn't just guard the door; it knows what's inside and how to best protect it. It identifies and labels all data, like financial records and social security numbers, understanding its sensitivity and prioritizing its protection.
• Continuous monitoring: Imagine guards constantly scanning every inch of the vault. Tenable does the same digitally, using advanced technology to constantly search for suspicious activity and potential breaches. Any unusual movement of the data, either exfiltration or copying to a different and inaccessible location, triggers an alarm, allowing for immediate intervention.
• Policy enforcement: Just like a vault needs clear access protocols, so does your data. Tenable automates setting and enforcing cybersecurity policies across the entire cloud, ensuring everyone plays by the book and no unauthorized hands touch the valuables.
• Following mandated regulations: Financial institutions juggle a complex set of regulations and industry standards like the Payment Card Industry Data Security Standard (PCI-DSS). Tenable simplifies compliance with a host of international regulations by providing timely reports and audit trails.

Beyond traditional security: More than just a lock

Modern technology stacks for data storage require a modern cybersecurity stack. Traditional security solutions are unable to address the unique risks associated with storing data in cloud technologies. Financial organizations that leverage Tenable’s data security platform are able to meet existing and future challenges, including:

• Preventing data loss: Early detection and prevention of unauthorized data access can help organizations minimize financial losses and reputational damage, keeping valuable assets safe from even the most cunning thieves.
• Complying with regulations: Automated reports and adherence to the most stringent regulations and industry standards ensure compliance, saving time and resources.
• Automating workflows: Tenable automates tasks and provides deeper insights into how data behaves, enabling organizations to free up their valuable resources for other endeavors and make their security teams more efficient.
• Managing access: Just like knowing who has access to the vault is crucial. Tenable tracks who and what has access to data, ensuring only authorized parties can handle the data.

The future of financial security is data-centric

Tenable Cloud Security's data-centric approach positions it as a valuable partner, not just for guarding the perimeter but for understanding the inner workings of the vault and the most sensitive data within it. By leveraging Tenable’s capabilities, financial institutions can confidently embrace the cloud while ensuring the highest level of security for their most valuable assets — their data.

To learn more about how you can secure your data

• Webinar: Know Your Exposure: Is Your Cloud Data Secure in the Age of AI?
• Data Sheet: Data Security in a Unified Cloud Security Solution
• Infographic: When CNAPP met DSPM
• Demo Video

CISA is warning about a spear-phishing campaign that spreads malicious RDP files. Plus, OWASP is offering guidance about deepfakes and AI security. Meanwhile, cybercriminals have amplified their use of malware for fake software-update attacks. And get the latest on CISA’s international plan, Interpol’s cyber crackdown and ransomware trends.

Dive into six things that are top of mind for the week ending Nov. 8.

1 - CISA: Beware of nasty spear-phishing campaign

Proactively restrict outbound remote-desktop protocol (RDP) connections. Block transmission of RDP files via email. Prevent RDP file execution.

Those are three security measures cyber teams should proactively take in response to an ongoing and “large scale” email spear-phishing campaign targeting victims with malicious RDP files, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

A foreign threat actor is carrying out the campaign. Several vertical sectors, including government and IT, are being targeted.

“Once access has been gained, the threat actor may pursue additional activity, such as deploying malicious code to achieve persistent access to the target’s network,” CISA’s alert reads.
 

Other CISA recommendations include:

• Adopt phishing-resistant multi-factor authentication (MFA), such as FIDO tokens, and try to avoid SMS-based MFA
• Educate users on how to spot suspicious emails
• Hunt for malicious activity in your network looking for indicators of compromise (IoCs) and tactics, techniques and procedures

Although CISA didn’t name the hacker group responsible for this campaign, its alert includes links to related articles from Microsoft and AWS that identify it as Midnight Blizzard. Also known as APT29, this group is affiliated with Russia’s government.

To get more details, check out the CISA alert “Foreign Threat Actor Conducting Large-Scale Spear-Phishing Campaign with RDP Attachments.”

For more information about securing RDP tools:

• “Commonly Exploited Protocols: Remote Desktop Protocol (RDP)” (Center for Internet Security)
• “What is remote desktop protocol (RDP)?” (TechTarget)
• “Wondering Whether RDP IS Secure? Here's a Guide to Remote Desktop Protocol” (AllBusiness)
• “Why remote desktop tools are facing an onslaught of cyber threats” (ITPro)
• “'Midnight Blizzard' Targets Networks With Signed RDP Files” (Dark Reading)

2 - OWASP issues AI security resources

How should your organization respond to deepfakes? What’s the right way of establishing a center of excellence for AI security in your organization? Where can you find a comprehensive guide of tools to secure generative AI applications?

These questions are addressed in a new set of resources for AI security from the Open Worldwide Application Security Project’s OWASP Top 10 for LLM Application Security Project. 

The new resources are meant to help organizations securely adopt, develop and deploy LLM and generative AI systems and applications “with a comprehensive strategy encompassing governance, collaboration and practical tools,” OWASP said in a statement.

These are the new resources:

• “The Guide for Preparing and Responding to Deepfake Events,” which unpacks four types of deepfake schemes – financial fraud, job interview fraud, social engineering and misinformation – and offers guidance about each one in these areas:
  • preparation
  • detection and analysis
  • containment eradication and recovery
  • post-incident activity
• “The LLM and GenAI Center of Excellence Guide,” which aims to help CISOs and fellow organization leaders create a center of excellence for generative AI security that facilitates collaboration among various teams, including security, legal, data science and operations, so they can develop:
  • Generative AI security policies
  • Risk assessment and management processes
  • Training and awareness
  • Research and development
• “The AI Security Solution Landscape Guide,” which offers security teams a comprehensive catalog of open source and commercial tools for securing LLMs and generative AI applications.

To get more details, read OWASP’s announcement “OWASP Dramatically Expands GenAI Security Guidance.”

For more information about protecting your organization against deepfakes:

• “How to prevent deepfakes in the era of generative AI” (TechTarget)
• “Deepfake scams escalate, hitting more than half of businesses” (Cybersecurity Dive)
• “The AI Threat: Deepfake or Deep Fake? Unraveling the True Security Risks” (SecurityWeek)
• “How deepfakes threaten biometric security controls” (TechTarget)
• “Deepfakes break through as business threat” (CSO)

3 - Fake update variants dominate list of top malware in Q3

Hackers are doubling down on fake software-update attacks.

That’s the main takeaway from the Center for Internet Security’s list of the 10 most prevalent malware used during the third quarter.

Malware variants used to carry out fake browser-update attacks took the top four spots on the list: SocGholish, LandUpdate808, ClearFake and ZPHP. Collectively, they accounted for 77% of the quarter’s malware infections. It's the first time LandUpdate808 and ClearFake appear on this quarterly list.

^{(Source: “Top 10 Malware Q3 2024”, Center for Internet Security, October 2024)}

In a fake software-update attack, a victim gets duped into installing a legitimate-looking update for, say, their preferred browser, that instead infects their computers with malware.

Here’s the full list, in descending order:

• SocGholish, a downloader distributed through malicious websites that tricks users into downloading it by offering fake software updates 
• LandUpdate808, a JavaScript downloader distributed through malicious websites via fake browser updates
• ClearFake, another JavaScript downloader used for fake browser-update attacks
• ZPHP, another JavaScript downloader used for fake software-update attacks
• Agent Tesla, a remote access trojan (RAT) that captures credentials, keystrokes and screenshots
• CoinMiner, a cryptocurrency miner that spreads using Windows Management Instrumentation (WMI)
• Arechclient2, also known as SectopRAT, is a .NET RAT whose capabilities include multiple stealth functions
• Mirai, a malware botnet that compromises IoT devices to launch DDoS attacks
• NanoCore, a RAT that spreads via malspam as a malicious Excel spreadsheet
• Lumma Stealer, an infostealer used to swipe personally identifiable information (PII), credentials, cookies and banking information

To get more information, the CIS blog “Top 10 Malware Q3 2024” offers details, context and indicators of compromise for each malware strain.

For details on fake update attacks:

• “Fake browser updates spread updated WarmCookie malware” (BleepingComputer)
• “Beware: Fake Browser Updates Deliver BitRAT and Lumma Stealer Malware” (The Hacker News)
• “Hackers Use Fake Browser Updates for AMOS Malware Attacks Targeting Mac Users” (MSSP Alert)
• “Malware crooks find an in with fake browser updates, in case real ones weren't bad enough” (The Register)
• “Fake Google Chrome errors trick you into running malicious PowerShell scripts” (BleepingComputer)

VIDEO

Fake Chrome Update Malware (The PC Security Channel)

4 - CISA’s first international plan unveiled

CISA has released its first-ever international plan, which outlines a strategy for boosting the agency’s collaboration with cybersecurity agencies from other countries.

Aligning cybersecurity efforts and goals with international partners is critical for tackling cyberthreats in the U.S. and abroad, according to the agency.

The three core pillars of CISA’s “2025 - 2026 International Strategic Plan” are:

• Help make more resilient other countries’ assets, systems and networks that impact U.S. critical infrastructure
• Boost the integrated cyber defenses of the U.S. and its international partners against their shared global cyberthreats
• Unify the coordination of international activities to strengthen cyberdefenses collectively

The plan will allow CISA to “reduce risk to the globally interconnected and interdependent cyber and physical infrastructure that Americans rely on every day,” CISA Director Jen Easterly said in a statement.

5 - Interpol hits phishers, ransomware gangs, info stealers

Interpol and its partners took down 22,000 malicious IP addresses and seized thousands of servers, laptops, and mobile phones used by cybercriminals to conduct phishing scams, deploy ransomware and steal information.

The four-month global operation, titled Synergia II and announced this week, involved law enforcement agencies and private-sector partners from 95 countries and netted 41 arrests.

“Together, we’ve not only dismantled malicious infrastructure but also prevented hundreds of thousands of potential victims from falling prey to cybercrime,” Neal Jetton, Director of Interpol’s Cybercrime Directorate, said in a statement.

In Hong Kong, more than 1,000 servers were taken offline, while authorities in Macau, China took another 291 servers offline. Meanwhile, in Estonia, authorities seized 80GB of server data, which is now being analyzed for links to phishing and banking malware.

For more information about global cybercrime trends:

• “AI-Powered Cybercrime Cartels on the Rise in Asia” (Dark Reading)
• “AI Now a Staple in Phishing Kits Sold to Hackers” (MSSP Alert)
• “The Business of Cybercrime Explodes” (BankDirector)
• “Nation state actors increasingly hide behind cybercriminal tactics and malware” (CSO)

6 - IST: Ransomware attacks surged in 2023

Ransomware gangs went into hyperdrive last year, increasing their attacks by 73% compared with 2022, according to the non-profit think tank Institute for Security and Technology (IST).

The IST attributes the sharp increase in attacks to a shift by ransomware groups to “big game hunting” – going after prominent, large organizations with deep pockets. 

“Available evidence suggests that government and industry actions taken in 2023 were not enough to significantly reduce the profitability of the ransomware model,” reads an IST blog.

Global Ransomware Incidents in 2023

Another takeaway: The ransomware-as-a-service (RaaS) model continued to prove extremely profitable in 2023, and it injected dynamism into the ransomware ecosystem. 

The RaaS model prompted ransomware groups “to shift allegiances, form new groups, or iterate existing variants,” the IST blog reads.

The industry sector that ransomware groups hit the hardest was construction, followed by hospitals and healthcare, and by IT services and consulting. Financial services and law offices rounded out the top five.

To learn more about ransomware trends:

• “Ransomware Is ‘More Brutal’ Than Ever in 2024” (Wired)
• “Ransomware on track for record profits, even as fewer victims pay” (SC Magazine)
• “How Can I Protect Against Ransomware?” (CISA)
• “How to prevent ransomware in 6 steps” (TechTarget)
• “Steps to Help Prevent & Limit the Impact of Ransomware” (Center for Internet Security)

TORONTO – The Capital Markets Tribunal is seeking applications for membership to the Securities Proceedings Advisory Committee (SPAC).

TORONTO – Participating Canadian securities regulators today published the results of their 10th consecutive annual review of disclosures relating to women on boards and in executive officer positions, as well as the underlying data that was used to prepare the report.

TORONTO – The Canadian Securities Administrators (CSA) today published

TORONTO - The Canadian Securities Administrators (CSA) today published its biennial

Article PDF (download)

موجز:

وجز :

Montréal –The Canadian Securities Administrators (CSA) warns the public about investment schemes involving fraudulent websites that solicit investments in foreign exchange (often referred to as “forex”), binary options and/or crypto assets.

Montreal - The Canadian Securities Administrators (CSA) is warning the public to be vigilant for unsolicited communications that come from scammers posing as CSA staff or staff of CSA members.

Toronto – The Canadian Securities Administrators (CSA) is warning the public that Nova Tech Ltd (NovaTech), which operates the website www.novatechfx.com, is not registered with a securities regulator in any province or territory in Canada.

https://www.youtube.com/watch?v=UHhFYrwJjow

https://www.youtube.com/watch?v=Ata12_CZy4A

The objective of this analysis is to gain more insight into the coping behavior of households in Mali when facing covariate shocks and stressors of different kinds Source: IFPRI Africa Regional Office (AFR)

The objective of this analysis is to gain more insight into the coping behavior of households in Mali when facing covariate shocks and stressors of different kinds Source: IFPRI Africa Regional Office (AFR)

Desde el inicio de la pandemia del COVID-19, los productores agrícolas de Guatemala han afrontado múltiples restricciones de movimiento tanto locales como nacionales, así como también disrupciones en las cadenas de valor agrícolas. Asimismo, los productores han estado expuestos a varios choques externos como las tormentas tropicales de ETA e IOTA hacia finales de 2020 y el reciente conflicto bélico en Europa del Este y crisis de precios.

La desnutrición y la deficiencia de micronutrientes es un problema grave en Guatemala. Los resultados de la IV Encuesta Nacional de Salud Materno-Infantil 2014-15 (MSPAS, INE, ICF, 2017) indican que el 46.5% de los niños menores de cinco años padecen de desnutrición crónica. Según el portal de datos del Banco Mundial, Guatemala es el país con mayor prevalencia de desnutrición crónica de América Latina y el Caribe y sexto en el mundo.

América Latina y el Caribe es un importante protagonista en la producción y el comercio de productos agroalimentarios, ya que es el principal exportador neto de estos productos. La región cuenta con los recursos naturales (tierra, agua y energía renovable) y la capacidad necesaria para producir alimentos de manera sostenible y para satisfacer sus necesidades y abastecer al mundo. Sin embargo, durante 2021, la inseguridad alimentaria moderada o grave afectó al 40,6% de la población en la región (267,7 millones de personas), cifra considerablemente superior al promedio mundial (29,3%).

When the Fire Nation begins to believe that the country will perish if Zuko stays in power, Avatar Aang and his friends must protect the ruler.

"Children are disappearing in the Fire Nation capitol! Avatar Aang and his friends are doing everything in their power to save them--but will it be enough?! What's worse, when Azula--the mad sister of Fire Lord Zuko--appears on the scene, Zuko locks down the capitol to catch her, igniting fear and riots in the streets! Will Zuko follow in his evil father's footsteps in order to save those he holds dear?!"--Amazon.com.

"It's been a year since the horrific events at Freddy Fazbear's Pizza, and Charlie is just trying to move on. Even with the excitement of a new school and a fresh start, she's still haunted by nightmares of a masked murderer and four gruesome animatronic puppets. Charlie thinks her ordeal is over, but when a series of bodies are discovered near her school bearing wounds that are disturbingly familiar she finds herself drawn back into the world of her father's frightening creations. Something twisted is hunting Charlie, and this time if it finds her, it's not letting her go." -- Publisher's description.

This document is only available in PDF format.

Ethiopia’s agricultural sector, which is dominated by smallscale, mixed crop, and livestock farming, is the mainstay of the country’s economy. It constitutes more than half the nation’s gross domestic product (GDP), generates more than 85 percent of the foreign exchange earnings, and employs about 80 percent of the population. Ethiopia’s dependence on agriculture makes the country particularly vulnerable to the adverse impacts of climate change on crop and livestock production.

In this episode of the IoT Insider podcast, Bernard Montel provides a brief history of the evolution of the Cloud and the challenges of securing it.

Tenable®, the exposure management company, announced today that Shelly Raban, senior cloud security researcher for Tenable, will give a presentation at fwd:cloudsec Europe 2024, taking place on 17 September, 2024 in Brussels, Belgium.

During the session titled, “Who Watches the Watchmen? Stealing Credentials from Policy-as-Code Engines (and Beyond),” Raban will explore techniques adversaries use to exploit modern policy-as-code and Infrastructure-as-code (IaC) domain-specific languages (DSLs), compromise cloud identities and exfiltrate sensitive data. Raban will conclude her presentation by sharing various detection strategies that cyber defenders can implement to detect malicious activity. 

The session will be hosted in the Main Room from 2:50 - 3:10 pm CEST. 

More information on the event is available on the fwd:cloudsec Europe website. 

More information about Tenable Cloud Security is available at: https://www.tenable.com/products/tenable-cloud-security 

About Tenable

Tenable® is the exposure management company, exposing and closing the cybersecurity gaps that erode business value, reputation and trust. The company’s AI-powered exposure management platform radically unifies security visibility, insight and action across the attack surface, equipping modern organizations to protect against attacks from IT infrastructure to cloud environments to critical infrastructure and everywhere in between. By protecting enterprises from security exposure, Tenable reduces business risk for more than 44,000 customers around the globe. Learn more at tenable.com. 

###

Media Contact:

Tenable

tenablepr@tenable.com

Tenable®, the exposure management company, today announced the release of AI Aware, advanced detection capabilities designed to rapidly surface artificial intelligence solutions, vulnerabilities and weaknesses available in Tenable Vulnerability Management, the world’s #1 vulnerability management solution. Tenable AI Aware provides exposure insight into AI applications, libraries and plugins so organizations can confidently expose and close AI risk, without inhibiting business operations.

The rapid development and adoption of AI technologies in the past two years has introduced major cybersecurity and compliance risks that organizations must proactively address without established best practices. As a result, cybersecurity teams face significant AI-related challenges, such as vulnerability detection and remediation, containing data leakage and reining in unauthorized AI use. 

According to recent Tenable Research, more than one-third of security teams are finding usage of AI applications in their environment that might not have been provisioned via formal processes. In fact, during a 75-day period between late June and early September, Tenable found over 9 million instances of AI applications on more than 1 million hosts. The cybersecurity risk of unfettered AI usage is compounded by the increasing volume of AI vulnerabilities. Tenable Research has found and disclosed several vulnerabilities in AI solutions, including in Microsoft Copilot, Flowise, Langflow, among others.

With AI Aware, Tenable transforms proactive security for AI solutions. Tenable AI Aware uniquely leverages agents, passive network monitoring, dynamic application security testing and distributed scan engines to detect approved and unapproved AI software, libraries and browser plugins, along with associated vulnerabilities, thereby mitigating risks of exploitation, data leakage and unauthorized resource consumption. The combined depth of these multiple assessment methods delivers the most complete detection of AI in the modern ecosystem. 

[Watch the Tenable AI Aware product demo video here.]

“In an effort to keep pace with the sea change introduced by AI, organizations around the world ran full speed ahead, potentially bypassing countless cybersecurity, privacy and compliance red flags,” said Shai Morag, chief product officer, Tenable. “Perhaps more so than with any other new technology we’ve seen, there are many risk factors to consider, especially with rushed development and deployment. Tenable AI Aware empowers organizations to deploy AI confidently, ensuring their security measures keep pace with the rapid evolution of AI technologies.”

In addition to AI software and vulnerability detection, key AI Aware features available in Tenable Vulnerability Management, Tenable Security Center and Tenable One include:

• Dashboard Views provide a snapshot of the most common AI software discovered in the ecosystem, top assets with vulnerabilities related to AI and the most common communication ports leveraged by AI technologies. 
• Shadow Software Development Detection illuminates the unexpected existence of the building blocks of AI development in the environment, enabling businesses to align initiatives with organizational best practices.
• Filter Findings for AI Detections enable teams to focus on AI-related findings when reviewing vulnerability assessment results. Combined with the power of Tenable Vulnerability Prioritization Rating (VPR), teams can effectively assess and prioritize vulnerabilities introduced by AI packages and libraries. 
• Asset-Centric AI-Inventory provides a complete inventory of AI-related packages, libraries and browser plugins while reviewing the detailed profile of an asset. 

Join the upcoming Tenable webinar titled, "Mitigating AI-Related Security Risks: Insights and Strategies with Tenable AI Aware" on October 9, 2024 at 11:00 am ET, by registering here.

More information on Tenable AI Aware is available at: https://www.tenable.com/products/vulnerability-management/ai-aware 

About Tenable

Tenable® is the exposure management company, exposing and closing the cybersecurity gaps that erode business value, reputation and trust. The company’s AI-powered exposure management platform radically unifies security visibility, insight and action across the attack surface, equipping modern organizations to protect against attacks from IT infrastructure to cloud environments to critical infrastructure and everywhere in between. By protecting enterprises from security exposure, Tenable reduces business risk for more than 44,000 customers around the globe. Learn more at tenable.com. 

###

Media Contact:

Tenable

tenablepr@tenable.com

Tenable®, the exposure management company, today announced the availability of Tenable Enclave Security, a solution that supports the needs of customers operating in highly secure environments, such as those that are classified or otherwise air-gapped. Backed by Tenable Security Center, Tenable Enclave Security protects IT assets and modern workloads with risk assessment and contextual insight so organizations can identify exposures before they cause damage.

Federal agencies face unique security and compliance regulations when deploying cloud solutions, and Tenable Enclave Security is key to supporting public sector customers, as well as commercial organizations with strict data residency, security or privacy requirements. 

Built to support the strictest security requirements, including FedRAMP High and Impact Level 5, Tenable Enclave Security empowers agencies to know, expose and close IT and container exposures from a single, highly secure platform. This consolidated approach also eliminates tool sprawl, reduces costs and boosts efficiency for public sector organizations.

“As a leader in vulnerability management and cloud security and a longtime partner of governments all around the world, we’re perfectly positioned to tap into our expertise and deliver mission critical capabilities to assist government agencies as they transform their IT strategy and safely embrace modern workloads to speed innovation,” said Robert Huber, chief security officer and president, Tenable Public Sector, Tenable. “With Tenable Enclave Security, agencies are now able to gain a fuller understanding of their exposure and risk with the ability to continuously discover, assess and prioritize vulnerabilities across IT assets and container images, all from a single, highly secure framework.”

Tenable Enclave Security will immediately enable organizations to: 

• Meet cloud security and data residency restrictions: Tenable Enclave Security enables customers to meet stringent cloud security and data residency requirements, such as FedRAMP High or Impact Level 5. It can meet customers’ needs wherever they reside, with the ability to be deployed on-prem, in a virtual private cloud or commercial cloud.
• Secure containers before they hit production: As agencies modernize their infrastructure, containers create a more efficient manner to create applications and modernize existing ones. Tenable Enclave Security empowers organizations to quickly assess the risk in their container images, expose their vulnerabilities and understand the breadth of impact.
• Centralize security tools: Unlike siloed solutions with fragmented visibility, Tenable Enclave Security provides protection for IT assets and modern workloads from a single deployment architecture. 

For more information on Tenable Enclave Security, please visit: https://www.tenable.com/products/enclave-security 

About Tenable

Tenable® is the exposure management company, exposing and closing the cybersecurity gaps that erode business value, reputation and trust. The company’s AI-powered exposure management platform radically unifies security visibility, insight and action across the attack surface, equipping modern organizations to protect against attacks from IT infrastructure to cloud environments to critical infrastructure and everywhere in between. By protecting enterprises from security exposure, Tenable reduces business risk for more than 44,000 customers around the globe. Learn more at tenable.com. 

###

Media Contact:

Tenable

tenablepr@tenable.com

Tenable®, the exposure management company, today announced new data security posture management (DSPM) and artificial intelligence security posture management (AI-SPM) capabilities for Tenable Cloud Security, the actionable cloud security solution. By extending exposure management capabilities to cloud data and AI resources, Tenable Cloud Security reduces risk to two of the biggest emerging threats.

Today’s cloud environments are more complex than ever. The challenge of managing this complexity has led to preventable security gaps caused by misconfigurations, risky entitlements and vulnerabilities, leaving sensitive data and AI resources vulnerable. In fact, Tenable Research found that 38% of organizations are battling a toxic cloud trilogy – cloud workloads that are publicly exposed, critically vulnerable and highly privileged. 

Tenable Cloud Security exposes risk from across hybrid and multi-cloud environments, including vulnerabilities, misconfigurations and excess privilege, that affects data and AI resources. Integrating DSPM and AI-SPM into Tenable Cloud Security enables users to automatically discover, classify and analyze sensitive data risk with flexible, agentless scanning. With Tenable Cloud Security’s intuitive user interface, security leaders can easily answer tough questions – such as “What type of data do I have in the cloud and where is it located?,” “What AI resources are vulnerable and how do I remediate the issue?” and “Who has access to my sensitive cloud and AI data?”

“Data is constantly on the move and new uses for data in today’s AI-driven world have created new risks,” said Liat Hayun, vice president of product management for Tenable Cloud Security. “DSPM and AI-SPM capabilities from Tenable Cloud Security bring context into complex risk relationships, so teams can prioritize threats based on the data involved. This gives customers the confidence to unlock the full potential of their data without compromising security.”

“The importance of cloud data has made communicating data exposure risk one of the biggest security challenges for CISOs,” said Philip Bues, senior research manager, Cloud Security at IDC. “Tenable is at the forefront of this emerging DSPM-CNAPP conversation, enabling customers to contextualize and prioritize data risk and communicate it, which is pertinent to almost every domain in CNAPP.”

AI-SPM features enable customers to confidently forge ahead with AI adoption by enforcing AI and machine learning configuration best practices and securing training data. With the combined power of AI-SPM and Tenable Cloud Security’s market-leading cloud infrastructure entitlement management (CIEM) and Cloud Workload Protection (CWP) capabilities, customers can manage AI entitlements, reduce exposure risk of AI resources, and safeguard critical AI and machine learning training data to ensure data integrity. 

Available to all Tenable Cloud Security and Tenable One customers, these new features enable customers to:

• Gain complete visibility and understanding of cloud and AI data - Tenable Cloud Security continuously monitors multi-cloud environments to discover and classify data types, assign sensitivity levels and prioritize data risk findings in the context of the entire cloud attack surface. 
• Effectively prioritize and remediate cloud risk - Backed by vulnerability intelligence from Tenable Research, context-driven analytics provides security teams with prioritized and actionable remediation guidance to remediate the most threatening cloud exposures.
• Proactively identify cloud and AI data exposure - Unique identity and access insights enable security teams to reduce data exposure in multi-cloud environments and AI resources by monitoring how data is being accessed and used and detect anomalous activity. 

Join the upcoming Tenable webinar, “Know Your Exposure: Is Your Cloud Data Secure in the Age of AI?” on October 22, 2024 at 10 am BST and 11 am ET, by registering here. 

Read today’s blog post, “Harden your cloud security posture by protecting your cloud data and AI resources” here. 

With a Net Promoter Score of 73, Tenable Cloud Security helps customers around the world expose and close priority threats. More information about DSPM and AI-SPM capabilities available in Tenable Cloud Security is available at: https://www.tenable.com/announcements/dspm-ai-spm

About Tenable

Tenable® is the exposure management company, exposing and closing the cybersecurity gaps that erode business value, reputation and trust. The company’s AI-powered exposure management platform radically unifies security visibility, insight and action across the attack surface, equipping modern organizations to protect against attacks from IT infrastructure to cloud environments to critical infrastructure and everywhere in between. By protecting enterprises from security exposure, Tenable reduces business risk for approximately 44,000 customers around the globe. Learn more at tenable.com. 

###

Media Contact:

Tenable

tenablepr@tenable.com

Créée notamment pour promouvoir le commerce intra-régional de biens dans la région, la Communauté économique des États d'Afrique de l'Ouest devait aussi permettre d'y réduire l'insécurité alimentaire. Mais les « points de sécurité », dressés le long des corridors de commerce par les autorités administratives qui prélèvent des pots-de-vin, sont venus limiter cette ambition. S’élevant jusqu’à 576 dollars aux 100 kms au Togo en 2017, cette corruption se mesure aussi en temps perdu, avec plus de trois heures aux 100 kms.

Survey: Rural Papua New Guinea faces an array of food security challenges

Starch-heavy diets, the reach of extension instruction, and other issues.

The post Survey: Rural Papua New Guinea faces an array of food security challenges appeared first on IFPRI.

"An extraordinary, path-breaking, and penetrating book on the life and work and creative inspirations of the great children's book genius Maurice Sendak, who since his death in 2012 has only grown in his stature and recognition as a major American artist, period. Polymath and master interviewer Jonathan Cott first interviewed Maurice Sendak in 1976 for Rolling Stone, just at the time when Outside Over There, the concluding and by far the strangest volume of a trilogy that began with Where The Wild Things Areand In the Night Kitchen, was gestating. Over the course of their wide-ranging and revelatory conversation about his life, work, and the fantasies and obsessions that drove his creative process, they focused on many of the themes and images that would appear in the new book five years later. Drawing on that interview, There's a Mystery There is a profound examination of the inner workings of a complicated genius's torments and inspirations that ranges over the entirety of his work and his formative life experiences, and uses Outside Over There, brilliantly and originally, as the key to understanding just what made this extravagantly talented man tick. To gain multiple perspectives on that intricate and multifaceted book, Cott also turns to four "companion guides": a Freudian analyst, a Jungian analyst, an art historian, and Sendak's great friend and admirer, the playwright Tony Kushner. The book is richly illustrated with examples from Sendak's work and other related images." -- Provided by publisher.

Event Begins: Wednesday, November 13, 2024 4:00pm
Location: Palmer Commons
Organized By: DCMB Seminar Series

Abstract: The initial Human Genome Project was a landmark achievement, serving as an essential resource for basic and clinical science, as well as for understanding human history, for over two decades. However, it needs an upgrade due to missing data, inaccurately assembled regions, and its inability to fully represent and identify sequence variants equitably. A single reference map, regardless of its completeness, cannot encapsulate the variation across the human population, leading to biases and ultimately inequity in genomic studies. Recognizing this limitation, the new initiative known as the Human Pangenome Project aims to deliver hundreds of highly accurate and complete genomes. This effort intends to define all bases of each chromosome from telomere to telomere (T2T), ensuring a broader representation of common variants across the human species. Achieving these goals will require the rise of new tools and technology standards for complete genome assemblies and pangenomics, which will have broad and lasting impact on genomic research.

Short bio: Throughout her career, she has developed innovative computational and experimental approaches to advance understanding of centromeric and pericentromeric DNAs. She works at the forefront of genome technologies as part of the T2T and Pangenome initiative to construct genetic and epigenetic maps to expand our understanding of their structure and function. As a group leader, she prioritizes fostering a creative and scientifically rigorous environment that supports inclusivity and diversity within our scientific team. She also prioritizes training that operates at the intersection of science, justice, and equity.

Event Begins: Wednesday, November 13, 2024 12:00pm
Location: Tribute Room, 1322
Organized By: Sessions @ Michigan

Join us for an engaging "Lunch and Learn" event hosted by the Eileen Lappin Weiser Center for the Learning Sciences. As part of our inaugural series celebrating the theme of curiosity, we invite you to a thought-provoking conversation featuring Kishonna L. Gray, Professor of Information and Matthew Solomon, Professor of Film, Television, and Media, facilitated by Professors Natalie Davis and Jon Wargo.

In this session, each of our panelists will delve into how curiosity intersects with learning in their fields, from curiosity-driven research to innovative teaching practices. Panelists will briefly share multimedia examples to complement the storytelling and discussion.
Then we’ll open up the conversation, asking how fostering curiosity can lead to deeper knowledge and broader perspectives? How can these insights be applied to create more equitable and dynamic learning environments?

Bring your lunch, your questions, and your curiosity! Please register due to limited space.

Presentations:

Kishonna L. Gray - “We got next!” Getting Curious with Others in Gaming

This interactive experience centers on what we’ve learned from youth cultures in gaming. Youth are full of curiosity and imagination and engage gaming in truly innovative ways. So by exploring how they play, make, and create, we can develop better tools for gaming.


Matthew Solomon - Getting Curious and Collaborative with the Canon: From Archival Research to New Media

Sometimes, there can be a sense that there’s “nothing more to be said or done” with certain works that have prominent places in the canon of the arts and humanities. The film Citizen Kane (Orson Welles, 1941) is one such canonical work, but my feeling has been that there is always more work to be done, although inevitably new approaches are needed. In my presentation, I will discuss the collaborative and pedagogical work I’ve done since 2017 at the University of Michigan examining Citizen Kane through the Welles papers in the Mavericks & Makers collections in the UM Special Collections Research Center; co-creating the “VR Citizen Kane” teaching and learning tool with Dr. Vincent Longo (Western Michigan University) in collaboration with the Emerging Technologies Group at the UM Duderstadt Center with generous grant support from LSA Technology Services; and teaching a course exclusively devoted to Citizen Kane, FTVM 307 (Film Analysis for Filmmakers), in which students have examined archival sources while rethinking the film from the inside out through virtual reality, virtual production, and reenactment.

Learning Support for a Multi-Country Climate Resilience Programme for Food Security

The Learning Support for a Sub-Saharan Africa Multi-Country Climate Resilience Program for Food Security, launched in 2023, aims to enhance food security and climate resilience across 14 African countries. This collaboration among CGIAR, the World Food Programme, and the Norwegian Agency for Development Cooperation (Norad) has three pillars: scaling disaster risk financing, transforming food systems […]

The post Learning Support for a Multi-Country Climate Resilience Programme for Food Security appeared first on IFPRI.

Advancing Sustainable Agri-food Systems for Climate Resilience, Food Security, and Global Collaboration

The livestream will be available on Tuesday November 12, 2024 at 5:00 – 6:30 pm (America/Sao_Paulo) / 3:00 – 4:30 pm (US/Eastern). Join us for an in-depth discussion on Avanzar2030, an evidence-based initiative that identifies promising innovations in agri-food systems and estimates the costs of implementing them. Launched in response to the 2021 UN Food […]

The post Advancing Sustainable Agri-food Systems for Climate Resilience, Food Security, and Global Collaboration appeared first on IFPRI.

Virtual Event: June 18, 2024 at 9:30am-11:00am EDT. This event will discuss key results from the report and hear from policymakers, practitioners, and partners on how they are working to generate relevant evidence and make a difference on the ground.   

Washington DC, June 14, 2024: A study by authors from the International Food Policy Research Institute (IFPRI), published today in Nature Sustainability, reaffirms the world’s growing dependence on depleting groundwater systems. Although efforts to slow down groundwater depletion need to be urgently accelerated, this study indicates that such efforts – in the absence of other accompanying measures – would likely lead to significant food security impacts.

Re-imagining Africa’s food security within the context of climate change and ecological sustainability

This press-release was initially published by WWF on December 12, 2023.  WWF, the Alliance of Bioversity International and CIAT, IFPRI, CGIAR, and AfDB have released a new report to help African countries to achieve food security and implement climate and nature commitments. The report is based on a joint study, executed with the technical support […]

The post Re-imagining Africa’s food security within the context of climate change and ecological sustainability appeared first on IFPRI.

New study emphasizes tradeoffs between arresting groundwater depletion and food security

A new study published today in Nature Sustainability, reaffirms the world’s growing dependence on depleting groundwater systems.

The post New study emphasizes tradeoffs between arresting groundwater depletion and food security appeared first on IFPRI.

Global crisis: 1.7 billion people in urban and peri-urban areas face food insecurity

New UN report highlights urgent need to strengthen urban and peri-urban food systems for global food security and nutrition.

The post Global crisis: 1.7 billion people in urban and peri-urban areas face food insecurity appeared first on IFPRI.

Sudan is now confronting its most severe food security crisis on record (The Conversation Africa)

An op-ed by IFPRI’s Khalid Siddig and Rob Vos analyses Sudan’s ongoing severe food crisis: “After 14 months of escalating internal conflict, Sudan is now confronting its most severe food security crisis on record. The latest situation report, released on 27 June, reveals a grim picture: more than half the population of 47.2 million is […]

The post Sudan is now confronting its most severe food security crisis on record (The Conversation Africa) appeared first on IFPRI.

Proteomics of mouse brain endothelium uncovers dysregulation of vesicular transport pathways during aging  Nature.com

As part of its continued efforts to enhance the security of riders and our employees, the Chicago Transit Authority (CTA) today announced the pilot implementation of a proactive Artificial Intelligence (AI)-based technology that leverages existing security cameras to specifically monitor for and alert security officials to only brandished firearms.

The Australian musician talks about the motivation and meaning behind Wild God, a new album with his band The Bad Seeds.

Learn more about sponsor message choices: podcastchoices.com/adchoices

NPR Privacy Policy