Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label NIST. Show all posts
Password Privacy
Cyberattacks Cybersecurity CyberThreat NIST online threats Password Privacy

Rethinking Password Security: Why Length Matters More Than Complexity

 



The growing number of online accounts has made managing passwords increasingly difficult. With users juggling dozens of accounts, creating secure yet memorable passwords has become a major challenge.

Traditional password guidelines emphasize complexity, requiring combinations of uppercase and lowercase letters, numbers, and special characters. While intended to enhance security, these rules often lead to predictable, unsafe practices:

  • Reusing passwords across multiple platforms.
  • Writing down passwords in insecure locations.
  • Choosing overly simple yet easy-to-guess passwords.

Recent research indicates that the emphasis on complexity may be counterproductive. The US National Institute of Standards and Technology (NIST) has revised its password management guidelines, prioritizing password length over complexity. Key changes include:

  • Eliminating the need for frequent password changes.
  • Removing restrictions on special characters.
  • Discouraging security questions for account recovery.

Longer passwords, even without special characters, are significantly harder to crack and easier to remember. This shift marks a departure from the belief that complexity alone ensures safety.

The Risks of Complexity

Overly complex passwords often lead users to adopt risky behaviours, such as:

  • Writing passwords on paper or digital notes.
  • Using the same password for multiple accounts.
  • Neglecting password updates due to frustration.

These habits compromise security, leaving accounts vulnerable to brute-force attacks or credential theft. Reports such as the 2021 Verizon Breach Investigations indicate that 80% of hacking-related breaches stem from stolen or brute-forced credentials.

Managing an average of 85 passwords presents a significant burden for individuals and organizations. Enterprises, for instance, spend substantial resources—around $495,000 annually for every 1,000 employees—resolving access-related issues. Despite the availability of password managers, gaps in security remain.

The Rise of Passwordless Authentication

As "security fatigue" grows, passwordless authentication methods are gaining traction. Technologies such as biometrics and adaptive single sign-on (SSO) offer enhanced security and convenience. By leveraging machine learning, these solutions adjust access controls dynamically, reducing login friction and improving the user experience.

Length plays a decisive role in password security. Advanced computing power has diminished the effectiveness of short, complex passwords, while longer ones remain resilient against brute-force attacks. For example, Eric Adams, Mayor of New York City, increased his smartphone passcode from four to six digits, dramatically raising the number of possible combinations.

NIST now recommends passwords up to 64 characters in length. Even a password composed solely of lowercase letters becomes exponentially harder to crack when its length increases. Adding uppercase letters and symbols makes it virtually impenetrable.

Practical Solutions for Stronger Security

In today’s cybersecurity landscape, balancing usability and security is essential. Experts recommend:

  • Creating long, memorable passwords instead of complex ones.
  • Avoiding password reuse across platforms.
  • Utilizing tools such as password managers and two-factor authentication.

By adopting practical measures, users can minimize risky behaviours and enhance digital security. As cyber threats evolve, prioritizing password length and implementing user-friendly solutions are key to safeguarding online accounts.

Read more »
USA
Advanced Technology AI Risks AI Safety AI Systems AI technology Innovation NIST Technology USA

NIST Introduces ARIA Program to Enhance AI Safety and Reliability

 

The National Institute of Standards and Technology (NIST) has announced a new program called Assessing Risks and Impacts of AI (ARIA), aimed at better understanding the capabilities and impacts of artificial intelligence. ARIA is designed to help organizations and individuals assess whether AI technologies are valid, reliable, safe, secure, private, and fair in real-world applications. 

This initiative follows several recent announcements from NIST, including developments related to the Executive Order on trustworthy AI and the U.S. AI Safety Institute's strategic vision and international safety network. The ARIA program, along with other efforts supporting Commerce’s responsibilities under President Biden’s Executive Order on AI, demonstrates NIST and the U.S. AI Safety Institute’s commitment to minimizing AI risks while maximizing its benefits. 

The ARIA program addresses real-world needs as the use of AI technology grows. This initiative will support the U.S. AI Safety Institute, expand NIST’s collaboration with the research community, and establish reliable methods for testing and evaluating AI in practical settings. The program will consider AI systems beyond theoretical models, assessing their functionality in realistic scenarios where people interact with the technology under regular use conditions. This approach provides a broader, more comprehensive view of the effects of these technologies. The program helps operationalize the framework's recommendations to use both quantitative and qualitative techniques for analyzing and monitoring AI risks and impacts. 

ARIA will further develop methodologies and metrics to measure how well AI systems function safely within societal contexts. By focusing on real-world applications, ARIA aims to ensure that AI technologies can be trusted to perform reliably and ethically outside of controlled environments. The findings from the ARIA program will support and inform NIST’s collective efforts, including those through the U.S. AI Safety Institute, to establish a foundation for safe, secure, and trustworthy AI systems. This initiative is expected to play a crucial role in ensuring AI technologies are thoroughly evaluated, considering not only their technical performance but also their broader societal impacts. 

The ARIA program represents a significant step forward in AI oversight, reflecting a proactive approach to addressing the challenges and opportunities presented by advanced AI systems. As AI continues to integrate into various aspects of daily life, the insights gained from ARIA will be instrumental in shaping policies and practices that safeguard public interests while promoting innovation.
Read more »
NVD
CVE CVE vulnerability Cyber Security data security data vulnerability database NIST NVD

NIST to establish consortium that can collaborate on research to improve the NVD

 

The US National Institute of Standards and Technology (NIST) is to establish  a consortium to partner with NIST in responding to challenges presented by the current and expected growth in CVEs, such as through development of a way to automate some analysis activities.

The official announcement came during VulnCon, a cybersecurity conference hosted by the Forum of Incident Response and Security Teams (FIRST), held from March 25 to 27, 2024. Tanya Brewer, the NVD program manager, disclosed the news, addressing the longstanding speculation surrounding the fate of the NVD. 

In February 2024, NIST halted the enrichment of Common Vulnerabilities and Exposures (CVEs) data on the NVD website, leading to a backlog of unanalyzed vulnerabilities. This development raised alarms among security researchers and industry professionals, as the NVD plays a critical role in identifying and addressing software vulnerabilities. 

The implications of the NVD backlog are profound, potentially impacting the security posture of organisations worldwide. Without timely analysis and remediation of vulnerabilities, companies face increased risks of cyberattacks and data breaches. The situation prompted some security companies to explore alternative solutions to supplement the NVD's functions temporarily. Amidst the challenges, speculation swirled regarding the underlying causes of the NVD's issues. 

Budget constraints, contractual changes, and discussions around updating vulnerability standards were among the factors cited. The uncertainty underscored the need for transparency and clarity from NIST regarding the future of the NVD. In response to the concerns, Brewer acknowledged the challenges faced by the NVD program, attributing them to a "perfect storm" of circumstances. Despite the setbacks, NIST remains committed to addressing the issues and revitalizing the NVD. 

Plans for the establishment of an NVD Consortium, aimed at fostering collaboration and innovation, signal a proactive approach to future management. Looking ahead, NIST aims to enhance the NVD's capabilities and processes within the next one to five years. Proposed initiatives include expanding partnerships, improving software identification methods, and leveraging automation to streamline CVE analysis. 

These efforts reflect a concerted push to modernize the NVD and ensure its relevance in an ever-evolving cybersecurity landscape. The announcement at VulnCon provided much-needed clarity and reassurance to the cybersecurity community. While challenges persist, the collaborative efforts of industry stakeholders and government agencies offer hope for a resilient and robust NVD ecosystem.
Read more »
U.S. Patent and Trademark Office
Cyber Security Cyber Trust Mark FCC Federal Communications Commission Home Security Joe Biden NIST U.S. government U.S. Patent and Trademark Office

Cyber Trust Mark: U.S. Administration Introduces Program to Boost Home Security


This Tuesday, Joe Biden’s government announced a ‘U.S. Cyber Trust Mark’ program that will focus on cybersecurity certification and product labels of smart home tech, as a step to help consumers choose products that provide better protection against cyber activities.

The new program was proposed by the Federal Communications Commission Chairwoman Chairperson Jessica Rosenworcel. The program apparently aims at helping consumers make well-informed decisions over purchasing products, like identifying the marketplace with advance cybersecurity standards.

"The goal of the program is to provide tools for consumers to make informed decisions about the relative security of products they choose to bring into their homes," the administration said.

U.S. Cyber Trust Mark

Under the proposed programs, consumers are likely to see a newly formed “U.S. Cyber Trust Mark” label, that will serve as a shield logo, distinguishing the products that satisfies the established cybersecurity criteria. Apparently, these criteria will be decided by the National Institute of Standards and Technology (NIST), which will include criteria like unique and strong default passwords, data protection, software updates and incident detection capabilities.

According to the administration, a number of significant retailers, trade groups, and manufacturers of consumer goods such electronics, appliances, and consumer goods have made voluntarily commitments to improve cybersecurity for the products they sell. Amazon, Best Buy, Google, LG Electronics USA, Logitech, and Samsung Electronics are among the participants.

Plans for the program was prior discussed by the Biden administration in late 2022 to establish a voluntary initiative with internet of things makers to help ensure products meet minimum security standards.

Reportedly, the FCC, which is responsible for regulating wireless communication devices is set to seek public comment regarding the labeling program by 2024.

According to the administration, the FCC is applying for registration to the U.S. Patent and Trademark Office to register a national trademark that would be used on products that satisfy the predetermined standards. 

"The proposal seeks input on issues including the scope of devices for sale in the U.S. that should be eligible for inclusion in the labeling program, who should oversee and manage the program, how to develop the security standards that could apply to different types of devices, how to demonstrate compliance with those security standards, how to safeguard the cybersecurity label against unauthorized use, and how to educate consumers about the program," the FCC notice says.

The proposal highlights inclusion of a QR code to products that will provide consumers with information, pending a certification mark approval by the U.S. Patent and Trademark Office.

Read more »
Supply Chain Attack
Cyber Security NIST Private Sectors Risk Management Supply Chain Attack

NIST Seeking Feedback for a New Cybersecurity Framework and Supply Chain Guidance

 

Addressing the SolarWinds disaster and other major third-party assaults targeting vital infrastructure, the National Institute of Standards and Technology is due to publish advice for securing organizations against supply chain breaches. [Special Publication 800-161] is the most important cybersecurity supply chain risk management guidance.' Angela Smith of the National Institute of Standards and Technology (NIST) stated. 

Angela Smith of the NIST talked at an Atlantic Council session on Tuesday about initiatives to protect information and communications technology supply chains. The first big revised version will be released by the end of next week, so stay tuned if you haven't already reviewed some of the public drafts. 

The NIST upgrade comes as the Biden administration tries to use the government's procurement power to prod contractors such as IT management firm SolarWinds and other software vendors to improve the security of their environments. 

Vendors of the underlying information and communications technology are pitching in and the Cybersecurity and Infrastructure Security Agency consider expanding private-sector partnerships and taking a more comprehensive approach to tackling dangers to critical infrastructure. 

Future guidelines on trying to manage cybersecurity risks that emerge through the supply chain, according to Smith, would focus more on actions for providers along the chain to address, in addition to the upcoming change. The current literature on the subject has been centered on the organizations' responsibilities for integrating supply-chain aspects into existing surroundings. 

The previous draft version, R2, which was released in October 2021, had a new appendix, Appendix F, which gave implementation assistance for Executive Order 14028 to government agencies. Following NIST's February 4, 2022, Secure Software Development Framework (SSDF) Recommendations, the SP 800-161 release scheduled for next week is likely to deliver more EO 14028 guidance.

The CSF was last updated by NIST in 2018. "There is no single reason causing this transition, This is a scheduled upgrade to keep the CSF current and consistent with other regularly used tools," said Kevin Stine, Chief Cybersecurity Advisor at the NIST. NIST is seeking public input on three primary topics to help guide the revision: revisions to the CSF itself, relationships and alignment between the CSF and other resources, and approaches to improve supply chain cybersecurity. President Barack Obama directed NIST to develop the CSF and directed federal agencies to use it, as well as advising the private sector to do so.

NIST should give a definition for an agency to "use" the framework, and agencies should furnish NIST with cybersecurity risk documents developed and used to comply with this requirement. For enterprises that are utilizing or considering adopting the NIST Cybersecurity Framework, seeing how it is used by US government entities would be extremely beneficial.
Read more »
Vulnerabilities and Exploits
CVE NIST NVD Redscan Vulnerabilities and Exploits

NIST NVD Report Shows Increase in Low-Complexity CVEs

 

Common vulnerabilities and exposures, or CVEs, are seemingly increasing at a faster rate as a proportion of the overall number of bugs reported, which, according to a survey, have increasingly risen as per the cybersecurity teams. These are very easy to exploit. 

Recently, Redscan, a managed detection, response, and pen-testing professional, evaluated more than 18,000 CVEs filed in the National Vulnerability Database (NVD) of the U.S. National Institute of Standards and Technology (NIST) in 2020 and published a report, NIST Security Vulnerability Trends in 2020: An Analysis.

It shows that just over half (57%) is graded as "high" and "critical" - the most significant figure reported in any year till date. The report often discusses the increase in low difficulty vulnerabilities and the rise of those vulnerabilities that do not involve user interaction. That means that an attacker can take advantage of the user with limited technical skills as well. According to the research, this number has hiked since 2017, after declining dramatically between 2001 and 2014. These developments demonstrate the need for companies to enhance the awareness of wild vulnerabilities and to follow a multi-layered approach for the management of vulnerabilities. In 2020, almost 4000 vulnerabilities can be defined as the “worst of worst” – meeting the worst criteria for all types of NVD filters. 

The research report says, “The prevalence of low complexity vulnerabilities in recent years means that sophisticated adversaries do not need to ‘burn’ their high complexity zero-days on their targets and have the luxury of saving them for future attacks instead.” 

“Low complexity vulnerabilities lend themselves to mass exploitation as the attacker does not need to consider any extenuating factors or issues with an attack path. This situation is worsened once exploit code reaches the public and lower-skilled attackers can simply run scripts to compromise devices.” 

Another vulnerability trend is to be tackled: low-complex CVEs, 63 percent of vulnerabilities found in 2020, are increasing. A rising challenge for safety teams has been a large number of vulnerabilities with low complexity. Complexity is one of the most critical things to consider while evaluating vulnerability risks and in-wild exploitation the timeframes. The low-complex CVEs are loaned to rapid mass manipulation because attackers do not have to consider extenuating circumstances or route problems. 

Alongside, companies also need to improve oversight of tech vendors' activities. They must determine how their manufacturers test their custom code and the use of their goods of non-member libraries. 

“Vulnerabilities which require no interaction to exploit present a complex challenge for security teams, underscoring the need for defense-in-depth. This includes enhancing the visibility of attack behaviors once a compromise has occurred,” added George Glass, Head of Threat Intelligence at Redscan
Read more »
Subscribe to: Posts (Atom)