NIST CSF 2.0 has a new format and organization that may make it easier to manage, especially for small and medium-sized organizations. 😮😃 Read this article to get the latest on NIST CSF 2.0, including what's hot and what's not. 🔥❄👇

Find out why the National Institute of Standards and Technology (NIST) updated the #Cybersecurity Framework (CSF), see what's changed + what's stayed the same, and learn about:
🔺 The new Governance Function
🔺 Other new subcategories in CSF 2.0
🔺 How you can achieve your NIST CSF 2.0 objectives
& more...
https://graylog.org/post/nist-csf-v2-whats-hot-and-whats-not/ #SMB #SMBsecurity #nistcsf #nistcybersecurityframework

NIST CSF V2: What's Hot and What's Not!

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0 rewords a lot of previous information, adds a Govern Function, and updates some Categories and Subcategories to meet modern IT environment risks.

Graylog

If you ever want to protect your system in a real way, the guidance in the #nistcybersecurityframework 800-171 is a good start. While this is designed for business, reviewing it and picking the protections that work for you can be very advantageous. #cybersecurity #nist

https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final

NIST Special Publication (SP) 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its essential missions and functions. This publication provides agencies with recommended security requirements for protecting the confidentiality of CUI when the information is resident in nonfederal systems and organizations; when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category listed in the CUI Registry. The requirements apply to all components of nonfederal systems and organizations that process, store, and/or transmit CUI, or that provide...

CSRC | NIST

Paper 2023/331: A Vulnerability in Implementations of SHA-3, SHAKE, EdDSA, and Other NIST-Approved Algorithms

Abstract

This paper describes a vulnerability in several implementations of the Secure Hash Algorithm 3 (SHA-3) that have been released by its designers. The vulnerability has been present since the final-round update of Keccak was submitted to the National Institute of Standards and Technology (NIST) SHA-3 hash function competition in January 2011, and is present in the eXtended Keccak Code Package (XKCP) of the Keccak team. It affects all software projects that have integrated this code, such as the scripting languages Python and PHP Hypertext Preprocessor (PHP). The vulnerability is a buffer overflow that allows attacker-controlled values to be eXclusive-ORed (XORed) into memory (without any restrictions on values to be XORed and even far beyond the location of the original buffer), thereby making many standard protection measures against buffer overflows (e.g., canary values) completely ineffective. First, we provide Python and PHP scripts that cause segmentation faults when vulnerable versions of the interpreters are used. Then, we show how this vulnerability can be used to construct second preimages and preimages for the implementation, and we provide a specially constructed file that, when hashed, allows the attacker to execute arbitrary code on the victim's device. The vulnerability applies to all hash value sizes, and all 64-bit Windows, Linux, and macOS operating systems, and may also impact cryptographic algorithms that require SHA-3 or its variants, such as the Edwards-curve Digital Signature Algorithm (EdDSA) when the Edwards448 curve is used. We introduce the Init-Update-Final Test (IUFT) to detect this vulnerability in implementations. #cryptography #encryption #sha #sha3 #cybersecurity #hash #hashing #algorithm #algorithms #nist #nistcybersecurityframework

https://eprint.iacr.org/2023/331

A Vulnerability in Implementations of SHA-3, SHAKE, EdDSA, and Other NIST-Approved Algorithms

IACR Cryptology ePrint Archive
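Added example, not code from the paper, from XKCP, or from the Python or PHP projects: an Init-Update-Final consistency harness in the spirit of the IUFT the abstract names. The abstract does not spell the test out, so the interpretation is mine: a correct streaming hash must return one digest for a message no matter how the caller chunks it across update() calls, including zero-length updates and splits at the sponge rate boundaries. The sample input is constructed, and the faulty wrapper at the end is a constructed stand-in that exists only to show the harness reporting a failure; it is not the XKCP defect. Inputs this small will not reproduce the issue the paper describes, so in practice the same harness has to be driven at realistic, including very large, input sizes against the implementation under review.

```python
"""Init-Update-Final consistency check for streaming hash APIs.

Illustrative harness (not the paper's or XKCP's code). A correct implementation
returns the same digest whether a message is absorbed in one update() call or
in many, so divergence between the two is evidence of a state-handling defect.
"""
import hashlib

# Constructed sample input; not a test vector from the paper.
SAMPLE_MESSAGE = bytes((i * 7) % 256 for i in range(300))

# Keccak sponge rates in bytes: SHA3-512, SHA3-384, SHA3-256/SHAKE256,
# SHA3-224, SHAKE128. Splitting exactly here exercises block-boundary logic.
SHA3_RATES = (72, 104, 136, 144, 168)


def _finish(h, digest_len):
    # XOFs such as SHAKE take the output length in digest(); fixed hashes do not.
    return h.digest(digest_len) if digest_len is not None else h.digest()


def iuft(factory, message, split_points, digest_len=None):
    """Return True when chunked absorption matches single-shot absorption.

    factory      -- zero-argument callable returning a hashlib-style object
                    exposing update() and digest()
    split_points -- offsets at which the update() calls are cut; repeated or
                    zero offsets deliberately produce zero-length updates
    digest_len   -- output length for XOFs (SHAKE), None for fixed-size hashes
    """
    reference = factory()
    reference.update(message)
    expected = _finish(reference, digest_len)

    chunked = factory()
    start = 0
    for end in sorted(split_points) + [len(message)]:
        chunked.update(message[start:end])
        start = end
    return _finish(chunked, digest_len) == expected


def run_iuft_suite(factory, message, digest_len=None):
    """Run several chunking schedules; return {schedule_name: passed}."""
    n = len(message)
    schedules = {
        "byte-at-a-time": list(range(1, n)),
        "rate-boundaries": [r for r in SHA3_RATES if r < n],
        "one-byte-then-rest": [1],
        "halves": [n // 2],
        "zero-length-updates": [0, n // 3, n // 3, n],
    }
    return {name: iuft(factory, message, pts, digest_len)
            for name, pts in schedules.items()}


def check_hashlib_sha3(message=SAMPLE_MESSAGE):
    """Run the suite over the standard library's SHA-3 family; {name: all passed}."""
    targets = {
        "sha3_256": (hashlib.sha3_256, None),
        "sha3_512": (hashlib.sha3_512, None),
        "shake_128": (hashlib.shake_128, 32),
    }
    return {name: all(run_iuft_suite(f, message, d).values())
            for name, (f, d) in targets.items()}


class ConstructedBuggyHasher:
    """Constructed stand-in for a broken streaming implementation.

    This is NOT the XKCP defect from the paper. It drops update() calls shorter
    than 8 bytes, so its digest depends on how the caller chunks the input; it
    exists only to show what a failing IUFT run looks like.
    """

    def __init__(self):
        self._inner = hashlib.sha3_256()

    def update(self, data):
        if len(data) >= 8:
            self._inner.update(data)

    def digest(self):
        return self._inner.digest()


if __name__ == "__main__":
    for name, ok in check_hashlib_sha3().items():
        print(f"{'OK  ' if ok else 'FAIL'} hashlib.{name}")
    buggy = run_iuft_suite(ConstructedBuggyHasher, SAMPLE_MESSAGE)
    failed = [k for k, v in buggy.items() if not v]
    print(f"FAIL constructed-buggy: schedules that diverge: {failed}")
```

The schedules are the point of the harness: the byte-at-a-time and one-byte-then-rest runs surface bugs in partial-block buffering, the rate-boundary run hits the exact offsets where a sponge implementation switches from buffering to permuting, and the zero-length run catches code that mishandles an empty update. A green run on small inputs only says the chunking logic is self-consistent at those sizes; the defect the abstract describes needs the test repeated at the input sizes where the implementation's length arithmetic is actually stressed.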

FYI - Starting in January, I will be teaching a live online training course on Cybersecurity Risk Management Using the NIST Framework for O'Reilly.

One thing I plan to do is cite real-world examples of cybersecurity incidents that can be traced back to obvious shortfalls in risk management practices. I've got my own ideas but if any of the infosec peeps who follow me here want to offer up their suggestions where bad risk management led to hacks, breaches, data leaks, or other unfortunate outcomes, I'm all ears.

Happy to give a big hat tip to you if I use your examples. Let me know and thanks!

#NIST #nistcybersecurityframework #riskmanagement

https://learning.oreilly.com/live-events/cybersecurity-risk-management-with-the-nist-framework/0636920081497/0636920081496/

Cybersecurity Risk Management with the NIST Framework

In this course you’ll learn:
* How to better manage cybersecurity risks to your organization’s systems, assets, data, and capabilities
* Approaches for monitoring systems to detect incidents
* How to better respond to and recover from a cybe...

I'm trying to gauge how many from the Engineering disciplines have taken Systems Engineering (ISO 15288) training. I'd appreciate your support by sharing this. #engineering #engineer #systemsengineering #systemsthinking #cybersecurity #nistcybersecurityframework
Yes; in Uni: 25%
Yes, on my own: 0%
No: 75%