Cisco Talos Blog: What NIST’s latest password standards mean, and why the old ones weren’t working

Source URL: https://blog.talosintelligence.com/threat-source-newsletter-oct-10-2024/
Source: Cisco Talos Blog
Title: What NIST’s latest password standards mean, and why the old ones weren’t working

Feedly Summary: Rather than setting a regular cadence for changing passwords, users only need to change their passwords if there is evidence of a breach. 

AI Summary and Description: Yes

**Summary:** The text discusses recent NIST guidelines on password creation and management, highlighting a shift from traditional password complexity requirements towards longer passwords and user-centric practices. It also addresses significant vulnerabilities identified in Microsoft products, implications of breaches by state-sponsored actors, and privacy concerns regarding genetic testing companies.

**Detailed Description:**

The text covers several important security and compliance topics, particularly focusing on password management guidelines proposed by the U.S. National Institute of Standards and Technology (NIST) and vulnerabilities in Microsoft software. Here’s a detailed breakdown of the content:

– **NIST Guidelines on Password Management:**
  – NIST proposes that passwords be a minimum of eight characters, with a recommendation for 15 characters or longer.
  – Credential Service Providers (CSPs) should allow passwords up to 64 characters and accept both ASCII and Unicode characters.
  – Users should only change their passwords if there is evidence of a breach, moving away from enforced periodic changes.
  – There should be no minimum requirements for numbers or special characters.
  – Knowledge-based authentication (security questions) should be eliminated.
  – These guidelines aim to simplify password management for users while improving security: length, not mandatory symbols, is what makes a password harder to guess. This is a meaningful shift for organizations that want to improve their security posture without over-complicating the user experience.
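A verifier-side acceptance check that encodes the NIST points above (length as the main control, no composition rules, Unicode counted in characters rather than bytes, rotation only on breach evidence). This is an added example, not Talos or NIST code; the breached-password set is constructed, and a real deployment would consult a breach corpus instead.

```python
"""Password acceptance check in the spirit of the NIST guidance summarised above.
Added example: not Talos or NIST code. Constants follow the figures in the text."""
import unicodedata

MIN_LEN = 8           # NIST minimum
RECOMMENDED_LEN = 15  # NIST recommendation
MAX_LEN = 64          # verifiers must accept at least this many characters

# Constructed stand-in for a breach corpus. A real verifier would query a
# compromised-credential service, never ship a hardcoded list.
BREACHED = {"password123", "qwertyuiop", "letmein!!"}


def normalize(pw: str) -> str:
    """NFKC-normalise before comparing or hashing (SP 800-63B recommends NFKC or
    NFKD) so the same Unicode passphrase compares equal across input methods."""
    return unicodedata.normalize("NFKC", pw)


def evaluate(pw: str) -> dict:
    """Return {'accepted': bool, 'reasons': [...], 'advice': [...]}.
    Length is counted in Unicode code points, not UTF-8 bytes, so a Cyrillic
    passphrase is not rejected just because it encodes to more than 64 bytes.
    There is deliberately no digit or special-character requirement."""
    pw = normalize(pw)
    n = len(pw)
    result = {"accepted": True, "reasons": [], "advice": []}
    if n < MIN_LEN:
        result["accepted"] = False
        result["reasons"].append(f"shorter than {MIN_LEN} characters")
    if n > MAX_LEN:
        result["accepted"] = False
        result["reasons"].append(f"longer than {MAX_LEN} characters")
    if pw in BREACHED:
        result["accepted"] = False
        result["reasons"].append("appears in breached-password list")
    if result["accepted"] and n < RECOMMENDED_LEN:
        result["advice"].append(f"consider {RECOMMENDED_LEN}+ characters")
    return result


def must_rotate(days_since_change: int, breach_evidence: bool) -> bool:
    """Rotation is event-driven: only breach evidence forces a change, never age."""
    return breach_evidence


if __name__ == "__main__":
    for candidate in ["short", "Tr0ub4d&", "password123", "correct horse battery"]:
        print(repr(candidate), evaluate(candidate))
    print("rotate after 400 days, no breach:", must_rotate(400, False))
```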

– **Microsoft Security Updates:**
  – Microsoft’s latest monthly security patch includes fixes for 117 Common Vulnerabilities and Exposures (CVEs), specifically noting two actively exploited vulnerabilities.
  – CVE-2024-43572 allows for remote code execution in the Microsoft Management Console.
  – CVE-2024-43573 is a platform spoofing vulnerability, posing risks of unauthorized access.
  – Organizations need to ensure they implement the latest patch to mitigate these vulnerabilities and protect against potential exploitation.

– **State-Sponsored Breaches:**
  – There is a growing concern about breaches by state-sponsored actors, specifically a group dubbed APT Salt Typhoon, suspected of targeting U.S. telecommunications for espionage.
  – This breach underscores the importance of robust cybersecurity measures and vigilance against possible exploits in critical infrastructure.

– **Privacy Concerns with Genetic Testing Companies:**
  – The financial struggles of 23andMe raise questions about the protection of personal genetic data, particularly regarding privacy and data-sharing agreements.
  – Because of its operational model, 23andMe is not covered by HIPAA regulations, creating additional concerns about customer data security should the company close its operations.
  – This situation highlights the need for consumers to be aware of data privacy practices and to take proactive steps in managing their personal information.

In summary, these insights from NIST and the vulnerabilities highlighted with Microsoft have significant implications for organizations’ security strategies, especially regarding password management and responses to ongoing state-sponsored threats. Compliance professionals should take these recommendations seriously to bolster both operational security and user confidence in their systems.