Michele Chubirka

I often hear the question "Where/What are our biggest security exposures?" Cyentia Institute recently had the opportunity to explore this question using data from hundreds of thousands of attack path assessments conducted through the XM Cyber Continuous Exposure Management (CEM) platform. The attached figure gives a categorical breakdown of what we observed based on all entities (digital assets), total security exposures, and exposures affecting critical assets. . The left-most chart represents the attack surface based on broad categories of digital entities discovered during attack path assessments. Active Directory constitutes just over half of entities identified across all environments. On-premises IT and network devices account for another 31% of entities and cloud environments house the remaining 17%. Not all entities, however, are exposed via attack paths. If we change the scope of the attack surface to include only vetted exposures (entities susceptible to attack techniques), things look different. The middle chart captures this perspective and Active Directory exposures dominate the attack surface. But not all of those exposures affect critical assets. To be truly effective, Exposure Management must encompass all environments and account for where critical assets are most at risk. If we once again rescope the attack surface to focus on exposures to critical assets, a very different picture emerges, which is captured in the rightmost chart. Cloud environments now encompass over half of all critical asset exposures, followed by AD at 33% and IT/Network devices at 11%. Does this sync with exposures across your attack surface? Which perspective/view/chart is your primary guide for managing exposures? The full report contains tons of additional insights on exposure management. Download here: https://lnkd.in/dPfqXG7y #cybersecurity #exposuremanagement #cyberrisk

48

8 Comments

Thrilled to have the opportunity to analyze #vulnerability remediation timelines again, this time using data from NopSec. The chart below is based on a survival analysis of vulnerabilities across an environment. Essentially - the time it takes to remediate all affected assets after a vuln is discovered. Everytime I see analysis like this, I'm reminded of how different the real world of #vulnerabilitymanagement is from the "just patch it all yesterday" shallow advice that's so often bandied about. If it were that easy, vuln survival curves wouldn't look like this time after time. How does this square with your experience? I'll be discussing this chart and several others in a webinar next week. Register here and bring your questions, comments, and rants! https://lnkd.in/eHWDrEYN

92

26 Comments

ATTENTION: HEALTHCARE BOARD MEMBERS AND C-SUITE EXECUTIVES. ODDS ARE YOUR ORGANIZATION HAS NOT CONDUCTED AN OCR-QUALITY® RISK ANALYSIS! Shocking? NO! Since ... 90% of the organizations subjected to an OCR investigation involving electronic Protected Health Information (ePHI) are found to have failed to conduct the very first requirement (risk analysis implementation specification) in the very first standard (Security Management Process) in the very first area (Administrative Safeguards) of the ol' HIPAA Security Rule. OCR Audits produced equally dismal compliance findings. How can you address your cyber risks if you don't know what they are? EASY FIX! Attend the upcoming COMPLIMENTARY Clearwater OCR-Quality® Risk Analysis Working Lab. #HIPAA #riskanalysis #riskmanagement #cyberriskmanagement #boardcyberoversight #boardofdirectors

2

CMMC Level 2 Assessment Objective: Data in Transit PRACTICE: Organizations must implement cryptographic mechanisms to prevent unauthorized disclosure of controlled unclassified information (CUI) during transmission unless otherwise protected by alternative physical safeguards. ASSESSMENT: The intent of this requirement is to ensure CUI is cryptographically protected during transit, particularly on the internet. The most common way to accomplish this is to establish a transport layer security (TLS) tunnel between the source and destination using the most current version of TLS. Because the use of cryptography in this requirement is to protect the confidentiality of CUI, the cryptography used must meet the criteria specified in requirement SC.L2-3.13.11. Be prepared! Your assessor could ask to 🔍 EXAMINE system and communications protection policy. 🗣 INTERVIEW system or network administrators. 📝 TEST cryptographic mechanisms or mechanisms supporting or implementing transmission confidentiality. (CMMC Assessment Guide: Level 2 Version 2.11, page 222) #CMMC #DoD #cybersecurity #NIST #InformationSecurity https://bit.ly/45HMpUs

41

Heads up on this once in 5 years opportunity to sponsor Cyentia Institute research into the largest #cybersecurity incidents. See the call for sponsors for the 2025 "Xtreme" edition of the Information Risk Insights Study at the link below. #cyberrisk #cyberresilience #cyberattacks https://lnkd.in/etc6FjsY

39

2 Comments

Earlier this year, Cyentia Institute published a meta-study analyzing the top ATT&CK techniques reported across 20+ industry sources. NOT ONE OF THEM reported observing T1195.003 - Compromise Hardware Supply Chain. Hold on - my aid has an urgent message for me...oh my...they what?!...pagers exploding - really?...I see...got it...will do... Sorry for the interruption. As I was saying, T1195.003 was THE MOST REPORTED sub-technique in the entire study! Download it today from the compromised device of your choice: https://lnkd.in/eafNi5u3 #supplychain #cybersecurity #fud

91

6 Comments

🔒Cybersecurity Compliance Made Simple? Not quite. For many navigating NIST SP 800-53, it’s a complex but essential journey. Compliance isn’t just a checkbox—it’s a commitment to security. Let’s explore the top challenges and practical ways to address them. 👇 𝗧𝗼𝗽 𝗖𝘆𝗯𝗲𝗿𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗖𝗼𝗺𝗽𝗹𝗶𝗮𝗻𝗰𝗲 𝗖𝗵𝗮𝗹𝗹𝗲𝗻𝗴𝗲𝘀 Achieving compliance with **NIST SP 800-53** is critical for organizations working with government systems. However, many face hurdles that complicate the process, leading to delays and frustration. Here are the top three challenges—and actionable strategies to overcome them. 𝗖𝗵𝗮𝗹𝗹𝗲𝗻𝗴𝗲 𝟭: 𝗨𝗻𝗱𝗲𝗿𝘀𝘁𝗮𝗻𝗱𝗶𝗻𝗴 𝘁𝗵𝗲 𝗙𝗿𝗮𝗺𝗲𝘄𝗼𝗿𝗸’𝘀 𝗖𝗼𝗺𝗽𝗹𝗲𝘅𝗶𝘁𝘆 NIST SP 800-53 outlines hundreds of controls across categories like Risk Assessment and Access Control. Its technical language can overwhelm teams trying to implement them effectively. 𝗦𝗼𝗹𝘂𝘁𝗶𝗼𝗻𝘀: - Simplify**: Tackle one control family at a time. - Bring in Experts**: Work with consultants experienced in federal compliance. - Use Tools**: Automate mapping controls to existing processes for efficiency. 𝗖𝗵𝗮𝗹𝗹𝗲𝗻𝗴𝗲 𝟮: 𝗜𝗻𝘁𝗲𝗴𝗿𝗮𝘁𝗶𝗻𝗴 𝗖𝗼𝗺𝗽𝗹𝗶𝗮𝗻𝗰𝗲 𝗶𝗻𝘁𝗼 𝗢𝗽𝗲𝗿𝗮𝘁𝗶𝗼𝗻𝘀 Compliance is often treated as a “bolt-on” after development, leading to costly rework and inefficiencies. 𝗦𝗼𝗹𝘂𝘁𝗶𝗼𝗻𝘀: - Start Early**: Embed compliance into the development process. - Collaborate**: Form cross-functional teams with developers, security, and compliance experts. - Adopt DevSecOps**: Integrate compliance into development pipelines for ongoing alignment. 𝗖𝗵𝗮𝗹𝗹𝗲𝗻𝗴𝗲 𝟯: 𝗞𝗲𝗲𝗽𝗶𝗻𝗴 𝗨𝗽 𝘄𝗶𝘁𝗵 𝗖𝗵𝗮𝗻𝗴𝗶𝗻𝗴 𝗦𝘁𝗮𝗻𝗱𝗮𝗿𝗱𝘀 NIST SP 800-53 evolves with emerging threats. Revision 5, for example, emphasizes supply chain risk and privacy controls, challenging organizations to adapt quickly. 𝗦𝗼𝗹𝘂𝘁𝗶𝗼𝗻𝘀: - Stay Updated: Regularly review updates from [NIST.gov](https://www.nist.gov). - Train Continuously: Equip teams to understand revisions and implement changes effectively. - Perform Audits: Regularly assess compliance gaps and address them proactively. 𝗪𝗵𝘆 𝗧𝗵𝗶𝘀 𝗠𝗮𝘁𝘁𝗲𝗿𝘀 Non-compliance isn’t just about penalties—it’s about protecting critical systems and data. Organizations that prioritize compliance also position themselves as trusted partners in the federal space, enhancing security and reliability. 𝗬𝗼𝘂𝗿 𝗡𝗲𝘅𝘁 𝗦𝘁𝗲𝗽𝘀 At Steel Rail Security, we help organizations navigate these challenges with tailored guidance. Whether it’s gap analyses, strategy development, or full compliance support, we’ve got you covered. What’s your biggest challenge with NIST SP 800-53 compliance? 👇Share your thoughts below or reach out to start simplifying your journey to compliance. 🔑 Let’s build a more secure future—together.

1

⚡️Some domains likely used by #transparentTribe #APT36 counciling[.]com nbssedelhi[.]org ashifdigitalseva[.]xyz birthdeath[.]in gov-certificate[.]com viewss[.]click admin-mcas-df[.]ms admin-mcas[.]ms mcas-df[.]ms mcas[.]ms verifycertificate[.]info nimsme[.]org

1

1 Comment

Brilliant article Lee Parrish; thank you! Context is so very important here. While risk management has long been one of the top three oversight areas for directors, it is clear that cyber risk management is unique. Apologies in advance, CISOs, but too many of you and your team members still confuse simple terms like threat, vulnerability, and risk. Don't bother to ask the C-suite or board members. =#enterprisecyberriskmanagement #cyberriskmanagement #cyberriskilliteracy #cyberopportunitymanagement #cybersecurityvalue #boardcyberoversight #boardofdirectors

10

1 Comment

AC-02 is in the top 5 most important controls I'd recommend developing familiarity with 🚨 Let's continue our Neverending Story through NIST 800-53 with: AC-02 Access Control Account Management Simply stated: AC-02 governs: - Accounts and people (users, managers, roles, groups, etc.) - Access authorizations and privileges - Account management processes - Account monitoring and review - Account PII privacy ➡️ There are 12 control elements (A-L) within AC-02 🙂‍↕️ which each need to be fulfilled or inherited for overall AC-02 compliance How to simplify control implementation: - Consider how account management is conducted throughout the enterprise, application team, cloud service provider, data center, etc. - Map to Identity and Access Management tools and services - Leverage inheritance for external team services - Revisit onboarding and off-boarding processes How to automate control implementation & assessment: - Integrate configuration checks for access control mechanisms - Leverage Identity and Access Management capabilities - Configure logging and alerts for audits and monitoring - Automate account review checks ⬇️ Let me know what I missed ⬇️ #GRCEngineering #NIST #NIST80053 #Cybersecurity #ZeroTrust #GRC #AccessControl #PoliciesandProcedures #AI #AccountManagement

19

5 Comments

If you’re at the Zywave Cyber Risk Insights conference today, look for me! I’ll be joining a panel at 1:45 to discuss whether we’ve reached a critical mass yet with data to adequately model and manage #cyberrisk. https://lnkd.in/dK2d3HHe

13

1 Comment

Responsible for managing #operationaltechnology (OT)? In this guide, we explore actionable strategies to fortify your organization’s OT security posture and extend your IT vulnerability management strategy to safeguard OT and IoT. #ot 🔗: http://ow.ly/aNte105NAtF

5

⚠ Areas of Overlap and Gaps between AICPA SOC2 Trust Services Criteria (TSC) and ISO 42001 - PART 2⚠ -Questions for Realistic Controls Cross Mapping- ❓ Scoping 1. What are the specific AI systems and components within the organization’s scope? 2. What are the boundaries and applicability of the AI management system within the organization? 3. What external and internal issues are relevant to the organization's AI systems? ❓TSCs Included in Scope 1. Which TSC criteria are relevant to the AI systems? (Security, Availability, Processing Integrity, Confidentiality, Privacy) 2. How do the TSC criteria map to the specific AI controls and requirements in ISO 42001? ❓Detailed Cross Mapping Questions 1. Governance and Accountability: ◾How does the organization’s governance structure ensure accountability for AI systems (ISO 42001, Clause 5.1 and AICPA TSC, Common Criteria)? ◾What roles and responsibilities are defined for AI systems, and how do they align with TSC criteria? 2. Risk Management: ◾How are AI risks identified, assessed, and mitigated (ISO 42001, Clause 6.1.2, 6.1.3 and AICPA TSC, Risk Assessment and Mitigation)? ◾How are AI impact assessments integrated into the risk management process? 3. Security and Confidentiality: ◾What controls are in place to ensure the security and confidentiality of AI systems (ISO 42001, Annex A controls and AICPA TSC, Security, Confidentiality)? ◾How is the integrity of AI data and systems maintained? 4. Monitoring and Evaluation: ◾What monitoring and evaluation processes are in place for AI systems (ISO 42001, Clause 9.1 and AICPA TSC, Monitoring of Controls)? ◾How are performance and effectiveness of AI systems measured and reported? 5. Ethics and Fairness: ◾What measures are in place to ensure ethical use and fairness of AI systems (ISO 42001, Annex A controls)? ◾How are bias and ethical considerations integrated into AI system development and deployment? 6. Documentation and Communication: ◾What documentation is maintained for AI systems (ISO 42001, Clause 7.5.1 and AICPA TSC, Information and Communication)? ◾How are AI policies, procedures, and impact assessments documented and communicated? For those of you who currently carry SOC2 attestation that are considering pursuing ISO42001 certification, please know that while the frameworks don't necessarily directly align, you will find ways to repurpose existing controls (administrative and technical) if you ask the right questions in context. As always, if you need help getting started, please reach out! A-LIGN #AICPA #SOC2 #ISO42001 #TheBusinessofCompliance #ComplianceAlignedtoYou

14

4 Comments

ICYMI: The inaugural study on EPSS performance and broader vulnerability exploitation trends published this week. If you've ever wanted data-driven answers to questions like these listed in the ToC shown here, download it today (free, no registration req'd): https://lnkd.in/gBbsgwQM #vulnerabilitymanagement #vulnerabilities #infosec

51

8 Comments

Internet-exposed Human Machine Interfaces (HMIs) pose significant risks to the Water and Wastewater Systems (WWS) sector, according to a new fact sheet jointly released by the US Cybersecurity and Infrastructure Security Agency (CISA) and the Environmental Protection Agency (EPA). Titled Internet-Exposed HMIs Pose Cybersecurity Risks to Water and Wastewater Systems and published last week, the document outlines vulnerabilities and provides actionable guidance for operators to protect critical infrastructure. HMIs are essential tools that enable facility operators to manage operational technology (OT) systems, such as supervisory control and data acquisition (SCADA) systems. When these interfaces are exposed online without adequate safeguards, they can become targets for malicious actors. https://lnkd.in/g5spr-q3

11

1 Comment

NIST New Password Guidelines 🚨 NIST (National Institute of Standards and Technology) is taking password composition rules a step further. What was previously "not recommended" (SHOULD NOT) is now moving to "not allowed" (SHALL NOT). This change emphasizes the shift away from complex password requirements that often hinder usability without significantly improving security. Instead, the focus is on longer, more user-friendly passphrases and improved authentication methods. And also a reminder: Passwords are a bad solution, Phishingproof authentication #PKI and #FIDO are better whenever possible.

20

1 Comment

The #FBI and the Cybersecurity and Infrastructure Security Agency (#CISA) have released guidance to help companies reduce the prevalence of cross-site scripting vulnerabilities and to urge software developers to take a “secure by design” approach. Cross-site scripting vulnerabilities arise when manufacturers fail to properly validate, sanitize, or escape inputs. These failures allow threat actors to inject malicious scripts into web applications, exploiting them to manipulate, steal, or misuse data across different contexts. Although some developers employ input sanitization techniques to prevent #XSS vulnerabilities, this approach is not infallible and should be reinforced with additional security measures. The #FBI and #CISA urge #CEOs and other business leaders at technology companies to request their technical leaders to analyze past occurrences of this class of defect and develop a plan to eliminate them in the future:

5

“AI systems give rise to new types of harms that do not require malicious intent. This, in turn, means that the traditional incident-response playbook needs to be updated for AI systems.”

7

2 Comments