Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Rechercher Ressource - BlogRessource - WebinaireRessource - RapportRessource - Événementicons_066 icons_067icons_068icons_069icons_070

Blog Tenable

S'abonner

Cybersecurity Snapshot: NSA Picks Top Cloud Security Practices, while CNCF Looks at How Cloud Native Can Facilitate AI Adoption

NSA Picks Top Cloud Security Practices

Check out the NSA’s 10 key best practices for securing cloud environments. Plus, learn how cloud native computing could help streamline your AI deployments. Meanwhile, don’t miss the latest about cyberthreats against water treatment plants and critical infrastructure in general. Et bien plus encore !

Dive into six things that are top of mind for the week ending March 22.

1 - Ten best practices for beefing up cloud security

Looking for advice on boosting the security of your cloud environment? Check out the U.S. National Security Agency’s new “Top Ten Cloud Security Mitigation Strategies” for improving an organization’s cloud security posture.

“As organizations shift their data to the cloud for ease of processing, storing, and sharing, they must take precautions to maintain parity with on-premises security and mitigate additional cloud-specific threats,” reads the NSA document.

 

Ten best practices for beefing up cloud security

 

Here are the 10 best practices:

  • Understand your cloud service providers’ shared responsibility model, so that you know which security tasks fall on your shoulders and which ones are handled by your CSPs.
  • Adopt secure practices for identity and access management (IAM), such as using multi-factor authentication and properly managing temporary credentials.
  • Employ secure cloud key-management practices.
  • Implement network micro-segmentation and end-to-end encryption.
  • Protect cloud data via, for example, enforcing least privilege; creating immutable backups; and using object versioning.
  • Secure continuous integration and continuous delivery (CI/CD) pipelines with, for example, strong IAM, log audits and secrets management.
  • Use infrastructure-as-code to automate deployment of cloud resources.
  • Prevent security gaps in hybrid and multi-cloud environments by, for example, using vendor-agnostic tools to manage and monitor multiple environments from a single location.
  • Ensure that your managed service providers (MSPs) employ strong security standards and practices.
  • Monitor and analyze cloud logs to detect anomalous events and potential compromises.

2 – CNCF: How cloud native can support AI deployments

While organizations have gone ga-ga over artificial intelligence’s potential to revolutionize their operations, it’s no secret that AI systems need lots of computing power to work their magic. This can be a roadblock for organizations otherwise eager to deploy AI and machine learning tools.

If your business is grappling with this issue, you might want to check out a new white paper published this week by the Cloud Native Computing Foundation which looks at how cloud native (CN) computing could help facilitate the adoption of AI and ML systems.

“While CN technologies readily support certain aspects of AI/ML workloads, challenges and gaps remain, presenting opportunities to innovate and better accommodate,” reads the document titled “Cloud Native Artificial Intelligence.”

 

CNCF: How cloud native can support AI deployments

 

The paper provides an overview of AI and ML techniques; explains what CN technologies offer; discusses existing technical challenges in areas such as data preparation, model training and user experience; and looks at ways to overcome these gaps. 

“The paper will equip engineers and business personnel with the knowledge to understand the changing Cloud Native Artificial Intelligence (CNAI) ecosystem and its opportunities,” the document reads.

For more information about AI’s computing power needs:

3 – Biden administration sounds alarm on water plant cyberattacks

Highlighting the U.S. government’s concern with the cybersecurity of water and wastewater treatment plants, the White House invited representatives from all 50 states to discuss the issue. 

The virtual meeting, held this week, focused on outlining gaps in cyber defenses; fostering collaboration between federal, state and water-plant leaders; and triggering immediate action.

“Disabling cyberattacks are striking water and wastewater systems throughout the United States,” reads the meeting-invitation letter sent to all 50 governors by the White House.

 

Biden administration sounds alarm on water plant cyberattacks

 

Although water treatment plants offer a critical service, they tend to have weak cybersecurity, due to lack of resources and technical knowhow, according to the letter, penned by Environmental Protection Agency Administrator Michael Regan and by Jake Sullivan, Assistant to the President for National Security Affairs.

“In many cases, even basic cybersecurity precautions – such as resetting default passwords or updating software to address known vulnerabilities – are not in place,” Regan and Sullivan wrote.

For more information about protecting water and wastewater systems from cyberattacks, check out these Tenable resources:

VIDEO

Marty Edwards, Tenable Deputy CTO for OT and IoT, testifies during congressional hearing “Securing Operational Technology: A Deep Dive into the Water Sector”

4 - Critical infrastructure leaders warned about Volt Typhoon

Cybersecurity agencies from the U.S. and other countries want critical infrastructure leaders to take concrete steps to protect their organizations from Volt Typhoon, a hacking group backed by the Chinese government.

In the joint fact sheet “PRC State-Sponsored Cyber Activity: Actions for Critical Infrastructure Leaders,” published this week, the agencies urge leaders of critical infrastructure organizations to take specific steps immediately, including:

  • Apply detection and hardening best practices
  • Involve representatives from across the business, including executive leaders, in developing comprehensive cybersecurity plans
  • Conduct regular tabletop exercises
  • Implement stringent vendor-risk management processes to reduce third-party risk
  • Align cybersecurity measures among IT, OT, cloud, supply chain and business teams

“The authoring agencies urge leaders to recognize cyber risk as a core business risk. This recognition is both necessary for good governance and fundamental to national security,” the fact sheet reads.

 

Critical infrastructure leaders warned about Volt Typhoon

 

The guidance, jointly issued by cyber agencies from the U.S., Australia, Canada, the U.K. and New Zealand, comes about a month after these same agencies published a joint advisory about Volt Typhoon aimed at IT and OT security teams.

That joint advisory, titled “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure,” warned that Volt Typhoon has quietly infiltrated the IT and OT environments of multiple critical infrastructure organizations, and could strike at a moment’s notice.

5 - CSA unpacks, contrasts and compares AI safety and AI security

If you’re involved with ensuring your organization uses AI both securely and responsibly, you might find interesting a new blog published this week by the Cloud Security Alliance that delves into how AI security and AI safety intersect and diverge.

AI security refers to the protection of AI systems from cyberattacks, while AI safety encompasses issues like ethics and fairness.

CSA unpacks, contrasts and compares AI safety and AI security


"While AI safety and AI security have distinct priorities and areas of focus, they are inextricably linked and must be addressed in tandem to create responsible, trustworthy and secure AI systems,” reads the article, titled “AI Safety vs. AI Security: Navigating the Commonality and Differences." 

AI security topics addressed include:

  • data privacy, availability and integrity
  • model security and integrity
  • system availability

Among the AI safety issues addressed are:

  • Lack of transparency
  • System bias
  • Facial recognition misidentification

“Effective AI governance and risk management strategies should encompass both domains throughout the entire AI lifecycle, from design and development to deployment and monitoring,” reads the article.

For more information about AI security and AI safety:

VIDEO

Building Safe and Reliable Autonomous Systems (Stanford University)

6 - McKinsey: Four steps to manage GenAI risks

As the generative AI train keeps gathering speed and enterprises everywhere rush to adopt this technology, it’s imperative to properly manage its risks.

If your organization is looking for guidance, check out the most recent advice dispensed by McKinsey in its article “Implementing generative AI with speed and safety.

Specifically, the management consulting firm recommends that enterprises take these four steps:

  • Grasp and respond to inbound risks such as security threats; third-party risk; malicious use; and intellectual property infringement.
  • List the cases for using generative AI and identify potential risks, such as bias in a customer-service chatbot, and outline mitigation and governance strategies.
  • Adapt and expand existing governance by creating a cross-functional generative AI steering group; crafting responsible AI guidelines and policies; and cultivating staff AI skills.
  • Develop an operating model for how four critical roles will interact throughout the generative AI lifecycle: designers, engineers, governors and end users.

For more information about managing generative AI risks:

Articles connexes

Des actualités décisives sur la cyber-sécurité

Saisissez votre adresse e-mail et ne manquez plus aucune alerte ni aucun conseil en matière de sécurité de la part de nos experts Tenable.

Tenable Vulnerability Management

Bénéficiez d'un accès complet à une plateforme cloud moderne de gestion des vulnérabilités qui vous permet de visualiser l'ensemble de vos assets et d'en assurer le suivi avec une précision inégalée.

Votre essai de Tenable Vulnerability Management inclut également Tenable Lumin et Tenable Web App Scanning.

Tenable Vulnerability Management

Bénéficiez d'un accès complet à une plateforme de gestion des vulnérabilités moderne hébergée dans le cloud qui vous permet de consulter l'ensemble de vos assets et d'en assurer le suivi, tout en bénéficiant d'une précision inégalée. Souscrivez votre abonnement annuel dès aujourd'hui.

100 assets

Sélectionnez votre option d'abonnement :

Acheter maintenant

Tenable Vulnerability Management

Bénéficiez d'un accès complet à une plateforme cloud moderne de gestion des vulnérabilités qui vous permet de visualiser l'ensemble de vos assets et d'en assurer le suivi avec une précision inégalée.

Votre essai de Tenable Vulnerability Management inclut également Tenable Lumin et Tenable Web App Scanning.

Tenable Vulnerability Management

Bénéficiez d'un accès complet à une plateforme de gestion des vulnérabilités moderne hébergée dans le cloud qui vous permet de consulter l'ensemble de vos assets et d'en assurer le suivi, tout en bénéficiant d'une précision inégalée. Souscrivez votre abonnement annuel dès aujourd'hui.

100 assets

Sélectionnez votre option d'abonnement :

Acheter maintenant

Tenable Vulnerability Management

Bénéficiez d'un accès complet à une plateforme cloud moderne de gestion des vulnérabilités qui vous permet de visualiser l'ensemble de vos assets et d'en assurer le suivi avec une précision inégalée.

Votre essai de Tenable Vulnerability Management inclut également Tenable Lumin et Tenable Web App Scanning.

Tenable Vulnerability Management

Bénéficiez d'un accès complet à une plateforme de gestion des vulnérabilités moderne hébergée dans le cloud qui vous permet de consulter l'ensemble de vos assets et d'en assurer le suivi, tout en bénéficiant d'une précision inégalée. Souscrivez votre abonnement annuel dès aujourd'hui.

100 assets

Sélectionnez votre option d'abonnement :

Acheter maintenant

Essayer Tenable Web App Scanning

Profitez d'un accès complet à notre dernière offre de scan des applications web conçue pour les applications modernes dans la plateforme de gestion des expositionsTenable One. Scannez l'ensemble de votre portefeuille en toute sécurité et avec une grande précision, sans effort manuel important ni interruption des applications web stratégiques. Abonnez-vous dès maintenant.

Votre essai de Tenable Web App Scanning inclut également Tenable Vulnerability Management et Tenable Lumin.

Acheter Tenable Web App Scanning

Bénéficiez d'un accès complet à une plateforme de gestion des vulnérabilités moderne hébergée dans le cloud qui vous permet de consulter l'ensemble de vos assets et d'en assurer le suivi, tout en bénéficiant d'une précision inégalée. Souscrivez votre abonnement annuel dès aujourd'hui.

5 FQDN

3 578,00 $

Acheter maintenant

Essayer Tenable Lumin

Visualisez et explorez votre gestion de l'exposition, suivez la réduction des risques au fil du temps et comparez-la à celle des autres entreprises avec Tenable Lumin.

Votre essai de Tenable Lumin inclut également Tenable Vulnerability Management et Tenable Web App Scanning.

Acheter Tenable Lumin

Contactez un commercial pour découvrir comment Lumin peut vous permettre d'obtenir des informations exploitables sur l'ensemble de votre entreprise et de gérer votre cyber-risque.

Essayer gratuitement Tenable Nessus Professional

GRATUIT PENDANT 7 JOURS

Tenable Nessus est aujourd'hui le scanner de vulnérabilités le plus complet du marché.

NOUVEAU - Tenable Nessus Expert
Maintenant disponible

Nessus Expert offre encore plus fonctionnalités, comme les scans de surface d'attaque externe, et la possibilité d'ajouter des domaines et de scanner l'infrastructure cloud. Cliquez ici pour essayer Nessus Expert.

Remplissez le formulaire ci-dessous pour profiter d'un essai de Nessus Pro.

Acheter Tenable Nessus Professional

Tenable Nessus est aujourd'hui le scanner le plus complet du marché. Tenable Nessus Professional vous permet d'automatiser le processus de scan des vulnérabilités, d'écourter les cycles de mise en conformité et de mieux tirer parti de votre équipe informatique.

Achetez une licence pluriannuelle et faites des économies. Ajoutez l'assistance avancée pour bénéficier de l'accès 24 h/24 et 7 j/7 à une assistance par téléphone, via la communauté et via le chat.

Sélectionnez votre licence

Achetez une licence pluriannuelle et faites des économies.

Ajoutez une assistance et une formation

Essayer gratuitement Tenable Nessus Expert

GRATUIT PENDANT 7 JOURS

Conçu pour la surface d'attaque moderne, Nessus Expert vous permet de bénéficier d'une meilleure visibilité et de protéger votre entreprise des vulnérabilités issues de l'IT, comme du cloud.

Vous avez déjà Nessus Professional de Tenable ?
Passez à Nessus Expert gratuitement pendant 7 jours.

Acheter Tenable Nessus Expert

Conçu pour la surface d'attaque moderne, Nessus Expert vous permet de bénéficier d'une meilleure visibilité et de protéger votre entreprise des vulnérabilités issues de l'IT, comme du cloud.

Sélectionnez votre licence

Achetez une licence pluriannuelle pour économiser davantage.

Ajoutez une assistance et une formation