Sophia Antipolis, 4 September 2024

The ETSI Open Source MANO community is proud to announce OSM Release SIXTEEN, a Long-Term-Support (LTS) release of ETSI OSM, which becomes the most innovative and feature-packed release shipped by OSM to date.

This release brings a revolution in OSM’s functionality, positioning OSM as a generalized cloud-native orchestrator for infrastructure, platforms and services, which extends significantly its former scope. Full cloud-native management of Kubernetes clusters in public clouds, together with the applications or software units running on them, is now possible with Release SIXTEEN. Every operation related to the cluster management (creation, upgrading, scaling, deletion) or the applications running on them is reflected in Git repositories, following the GitOps model. This has been possible thanks to a major change in the internal architecture of OSM.

Read More...

Sophia Antipolis, 30 September 2024

Direct communications between vehicles, pedestrians and infrastructure based on 3GPP and ETSI TC ITS standards have been tested during the 4th C-V2X Plugtests™ interoperability event in Malaga, Spain, hosted by DEKRA (September 10- 13, 2024).

In partnership with 5GAA, this Cellular Vehicle-to-Everything (C-V2X) and ITS technologies event attracted the participation of 24 companies and 82 experts – both onsite and via remote connections – with 94% of the planned tests, based on over 60 test scenarios, successfully completed.

Read More...

The Puritans were a varied group of religious reformers who emerged within the Church of England during the middle of the sixteenth century.

New essay by Trudier Harris, "African American Protest Poetry," added to Freedom's Story: Teaching African American Literature and History, TeacherServe from the National Humanities Center.

This document is only available in PDF format.

This document is only available in PDF format.

Here is a Storify summary of the SpotOn London session: BrainSpace, a global interest graph for

Frequently asked questions about a zero-day vulnerability in Fortinet’s FortiManager that has reportedly been exploited in the wild.

Background

The Tenable Security Response Team (SRT) has compiled this blog to answer Frequently Asked Questions (FAQ) regarding a zero-day vulnerability in Fortinet’s FortiManager.

FAQ

What is FortiJump?

FortiJump is a name given to a zero-day vulnerability in the FortiGate-FortiManager (FGFM) protocol in Fortinet’s FortiManager and FortiManager Cloud. It was named by security researcher Kevin Beaumont in a blog post on October 22. Beaumont also created a logo for FortiJump.

What are the vulnerabilities associated with FortiJump?

On October 23, Fortinet published an advisory (FG-IR-24-423) for FortiJump, assigning a CVE identifier for the flaw.

What is CVE-2024-47575?

CVE-2024-47575 is a missing authentication vulnerability in the FortiGate to FortiManager (FGFM) daemon (fgfmsd) in FortiManager and FortiManager Cloud.

How severe is CVE-2024-47575?

Exploitation of FortiJump could allow an unauthenticated, remote attacker using a valid FortiGate certificate to register unauthorized devices in FortiManager. Successful exploitation would grant the attacker the ability to view and modify files, such as configuration files, to obtain sensitive information, as well as the ability to manage other devices.

Obtaining a certificate from a FortiGate device is relatively easy:

Comment
by from discussion
infortinet

According to results from Shodan, there are nearly 60,000 FortiManager devices that are internet-facing, including over 13,000 in the United States, over 5,800 in China, nearly 3,000 in Brazil and 2,300 in India:

When was FortiJump first disclosed?

There were reports on Reddit that Fortinet proactively notified customers using FortiManager about the flaw ahead of the release of patches, though some customers say they never received any notifications. Beaumont posted a warning to Mastodon on October 13:

Post by @GossiTheDog@cyberplace.social

View on Mastodon

Was this exploited as a zero-day?

Yes, according to both Beaumont and Fortinet, FortiJump has been exploited in the wild as a zero-day. Additionally, Google Mandiant published a blog post on October 23 highlighting its collaborative investigation with Fortinet into the “mass exploitation” of this zero-day vulnerability. According to Google Mandiant, they’ve discovered over 50 plus “potentially compromised FortiManager devices in various industries.”

Which threat actors are exploiting FortiJump?

Google Mandiant attributed exploitation activity to a new threat cluster called UNC5820, adding that the cluster has been observed exploiting the flaw since “as early as June 27, 2024.”

Is there a proof-of-concept (PoC) available for this vulnerability/these vulnerabilities?

As of October 23, there are no public proof-of-concept exploits available for FortiJump.

Are patches or mitigations available for FortiJump?

The following table contains a list of affected products, versions and fixed versions.

Fortinet’s advisory provides workarounds for specific impacted versions if patching is not feasible. These include blocking unknown devices from attempting to register to FortiManager, creating IP allow lists of approved FortiGate devices that can connect to FortiManager and the creation of custom certificates. Generally speaking, it is advised to ensure FGFM is not internet-facing.

Has Tenable released any product coverage for these vulnerabilities?

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2024-47575 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Get more information

• Burning Zero Days: FortiJump FortiManager vulnerability used by nation state in espionage via MSPs
• FortiGuard Labs PSIRT FG-IR-24-423 Advisory

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Looking for help with shadow AI? Want to boost your software updates’ safety? New publications offer valuable tips. Plus, learn why GenAI and data security have become top drivers of cyber strategies. And get the latest on the top “no-nos” for software security; the EU’s new cyber law; and CISOs’ communications with boards.

Dive into six things that are top of mind for the week ending Oct. 25.

1 - CSA: How to prevent “shadow AI” 

As organizations scale up their AI adoption, they must closely track their AI assets to secure them and mitigate their cyber risk. This includes monitoring the usage of unapproved AI tools by employees — an issue known as “shadow AI.”

So how do you identify, manage and prevent shadow AI? You may find useful ideas in the Cloud Security Alliance’s new “AI Organizational Responsibilities: Governance, Risk Management, Compliance and Cultural Aspects” white paper.

The white paper covers shadow AI topics including:

• Creating a comprehensive inventory of AI systems
• Conducting gap analyses to spot discrepancies between approved and actual AI usage
• Implementing ways to detect unauthorized AI wares
• Establishing effective access controls
• Deploying monitoring techniques

“By focusing on these key areas, organizations can significantly reduce the risks associated with shadow AI, ensuring that all AI systems align with organizational policies, security standards, and regulatory requirements,” the white paper reads.

For example, to create an inventory that offers the required visibility into AI assets, the document explains different elements each record should have, such as:

• The asset’s description
• Information about its AI models
• Information about its data sets and data sources
• Information about the tools used for its development and deployment
• Detailed documentation about its lifecycle, regulatory compliance, ethical considerations and adherence to industry standards
• Records of its access control mechanisms

Shadow AI is one of four topics covered in the publication, which also unpacks risk management; governance and compliance; and safety culture and training.

To get more details, read:

• The full “AI Organizational Responsibilities: Governance, Risk Management, Compliance and Cultural Aspects” white paper
• A complementary slide presentation
• The CSA blog “Shadow AI Prevention: Safeguarding Your Organization’s AI Landscape”

For more information about AI security issues, including shadow AI, check out these Tenable blogs:

• “Do You Think You Have No AI Exposures? Think Again”
• “Securing the AI Attack Surface: Separating the Unknown from the Well Understood”
• “Never Trust User Inputs -- And AI Isn't an Exception: A Security-First Approach”
• “6 Best Practices for Implementing AI Securely and Ethically”
• “Compromising Microsoft's AI Healthcare Chatbot Service”

2 - Best practices for secure software updates

The security and reliability of software updates took center stage in July when an errant update caused massive and unprecedented tech outages globally.

To help prevent such episodes, U.S. and Australian cyber agencies have published “Safe Software Deployment: How Software Manufacturers Can Ensure Reliability for Customers.”

“It is critical for all software manufacturers to implement a safe software deployment program supported by verified processes, including robust testing and measurements,” reads the 12-page document.

Although the guide is aimed primarily at commercial software vendors, its recommendations can be useful for any organization with software development teams that deploy updates internally.

The guide outlines key steps for a secure software development process, including planning; development and testing; internal rollout; and controlled rollout. It also addresses errors and emergency protocols.

“A safe software deployment process should be integrated with the organization’s SDLC, quality program, risk tolerance, and understanding of the customer’s environment and operations,” reads the guide, authored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the Australian Cyber Security Centre.

To get more details, read:

• The “Safe Software Deployment: How Software Manufacturers Can Ensure Reliability for Customers” guide
• The CISA alert “CISA, US, and International Partners Release Joint Guidance to Assist Software Manufacturers with Safe Software Deployment Processes”

For more information about secure software updates:

• “Tenable’s Software Update Process Protects Customers’ Business Continuity with a Safe, Do-No-Harm Design” (Tenable)
• “The critical importance of robust release processes” (Cloud Native Computing Foundation)
• “Software Deployment Security: Risks and Best Practices” (DevOps.com)
• “Software Updates, A Double-Edged Sword for Cybersecurity Professionals” (Infosecurity)
• “DevOps Best Practices for Faster and More Reliable Software Delivery” (DevOps.com)

3 - Report: GenAI, attack variety, data security drive cyber strategies

What issues act as catalysts for organizations’ cybersecurity actions today? Hint: They’re fairly recent concerns. The promise and peril of generative AI ranks first. It’s closely followed by the ever growing variety of cyberattacks; and by the intensifying urgency to protect data.

That’s according to CompTIA’s “State of Cybersecurity 2025” report, based on a survey of almost 1,200 business and IT pros in North America and in parts of Europe and Asia. 

These three key factors, along with others like the scale of attacks, play a critical role in how organizations currently outline their cybersecurity game plans.

“Understanding these drivers is essential for organizations to develop proactive and adaptive cybersecurity strategies that address the evolving threat landscape and safeguard their digital assets,” reads a CompTIA blog about the report.

Organizations are eagerly trying to understand both how generative AI can help their cybersecurity programs and how this technology is being used by malicious actors to make cyberattacks harder to detect and prevent.

Meanwhile, concern about data protection has ballooned in the past couple of years. “As organizations become more data-driven, the need to protect sensitive information has never been more crucial,” reads the blog.

Not only are organizations focused on securing data at rest, in transit and in use, but they’re also creating foundational data-management practices, according to the report.

“The rise of AI has accelerated the need for robust data practices in order to properly train AI algorithms, and the demand for data science continues to be strong as businesses seek competitive differentiation,” the report reads.

To get more details, read:

• The report’s announcement “Cybersecurity success hinges on full organizational support, new CompTIA report asserts”
• CompTIA’s blogs “Today’s top drivers for cybersecurity strategy” and “Cybersecurity’s maturity: CompTIA’s State of Cybersecurity 2025 report”
• The full “State of Cybersecurity 2025” report

For more information about data security posture management (DSPM) and preventing AI-powered attacks, check out these Tenable resources:

• “Harden Your Cloud Security Posture by Protecting Your Cloud Data and AI Resources” (blog)
• “Know Your Exposure: Is Your Cloud Data Secure in the Age of AI?” (on-demand webinar)
• “The Data-Factor: Why Integrating DSPM Is Key to Your CNAPP Strategy” (blog)
• “Mitigating AI-Related Security Risks” (on-demand webinar)
• “Securing the AI Attack Surface: Separating the Unknown from the Well Understood” (blog)

4 - CISA lists software dev practices most harmful for security

Recommended best practices abound in the cybersecurity world. However, CISA and the FBI are taking the opposite tack in their quest to improve the security of software products: They just released a list of the worst security practices that software manufacturers ought to avoid.

Titled “Product Security Bad Practices,” the document groups the “no-nos” into three main categories: product properties; security features; and organizational processes and policies.

“It’s 2024, and basic, preventable software defects continue to enable crippling attacks against hospitals, schools, and other critical infrastructure. This has to stop,” CISA Director Jen Easterly said in a statement.

“These product security bad practices pose unacceptable risks in this day and age, and yet are all too common,” she added.

Here are some of the worst practices detailed in the document, which is part of CISA’s “Secure by Design” effort:

• Using programming languages considered “memory unsafe”
• Including user-provided input in SQL query strings
• Releasing a product with default passwords
• Releasing a product with known and exploited vulnerabilities
• Not using multi-factor authentication
• Failing to disclose vulnerabilities in a timely manner

Although the guidance is aimed primarily at software makers whose products are used by critical infrastructure organizations, the recommendations apply to all software manufacturers.

If you’re interested in sharing your feedback with CISA and the FBI, you can submit comments about the document until December 16, 2024 on the Federal Register.

To get more details, check out:

• CISA’s announcement “CISA and FBI Release Product Security Bad Practices for Public Comment”
• The full document “Product Security Bad Practices”

For more information about how to develop secure software:

• “Tenable Partners with CISA to Enhance Secure By Design Practices” (Tenable)
• “Ensuring Application Security from Design to Operation with DevSecOps” (DevOps.com)
• “What is application security?” (TechTarget)
• “Guidelines for Software Development (Australian Cyber Security Centre)

5 - New EU law focuses on cybersecurity of connected digital products

Makers of digital products — both software and hardware — that directly or indirectly connect to networks and to other devices will have to comply with specific cybersecurity safeguards in the European Union.

A newly adopted law known as the “Cyber Resilience Act” outlines cybersecurity requirements for the design, development, production and lifecycle maintenance of these types of products, including IoT wares such as connected cars.

For example, it specifies a number of “essential cybersecurity requirements” for these products, including that they:

• Aren’t shipped with known exploitable vulnerabilities
• Feature a “secure by default” configuration
• Can fix their vulnerabilities via automatic software updates
• Offer access protection via control mechanisms, such as authentication and identity management
• Protect the data they store, transmit and process using, for example, at-rest and in-transit encryption

“The new regulation aims to fill the gaps, clarify the links, and make the existing cybersecurity legislative framework more coherent, ensuring that products with digital components (...) are made secure throughout the supply chain and throughout their lifecycle,” reads a statement from the EU’s European Council.

The law will “enter into force” after its publication in the EU’s official journal and will apply and be enforceable 36 months later, so most likely in October 2027 or November 2027. However, some of its provisions will be enforceable a year prior.

For more information and analysis about the EU’s Cyber Resilience Act:

• “Cyber Resilience Act Requirements Standards Mapping” (ENISA)
• “The Cyber Resilience Act, an Accidental European Alien Torts Statute?” (Lawfare)
• “EU Cybersecurity Regulation Adopted, Impacts Connected Products” (National Law Review)
• “Open source foundations unite on common standards for EU’s Cyber Resilience Act” (TechCrunch)
• “The Cyber Resilience Act: A New Era for Mobile App Developers” (DevOps.com)

VIDEO

The EU Cyber Resilience Act: A New Era for Business Engagement in Open Source Software (Linux Foundation) 

6 - UK cyber agency: CISOs must communicate better with boards

CISOs and boards of directors are struggling to understand each other, and this is increasing their organizations’ cyber risk, new research from the U.K.’s cyber agency has found.

For example, in one alarming finding, 80% of respondents, which included board members, CISOs and other cyber leaders in medium and large enterprises, confessed to being unsure of who is ultimately accountable for cybersecurity in their organizations.

“We found that in many organisations, the CISO (or equivalent role) thought that the Board was accountable, whilst the Board thought it was the CISO,” reads a blog about the research titled “How to talk to board members about cyber.”

As a result, the U.K. National Cyber Security Centre (NCSC) has released new guidance aimed at helping CISOs better communicate with their organizations’ boards titled “Engaging with Boards to improve the management of cyber security risk.”

“Cyber security is a strategic issue, which means you must engage with Boards on their terms and in their language to ensure the cyber risk is understood, managed and mitigated,” the document reads.

Here’s a small sampling of the advice:

• Understand your audience, including who are the board’s members and their areas of expertise; and how the board works, such as its meeting formats and its committees.
• Talk about cybersecurity in terms of risks, and outline these risks concretely and precisely, presenting them in a matter-of-fact way.
• Don’t limit your communication with board members to formal board meetings. Look for opportunities to talk to them individually or in small groups outside of these board meetings.
• Elevate the discussions so that you link cybersecurity with your organization’s business challenges, goals and context.
• Aim to provide a holistic view, and avoid using technical jargon.
• Aim to advise instead of to educate.

TORONTO – The Ontario Securities Commission (OSC) today released a new report that studied the impact of gamification on investors.

TORONTO – The Ontario Securities Commission (OSC) today

TORONTO - The Ontario Securities Commission (OSC) is pleased to announce the release of the 2024 Investment Fund Survey (IFS) data dashboard.

TORONTO – The Ontario Securities Commission (OSC) today released the results of a study examining the influence of environmental, social and governance (ESG) factors on retail investor decision making.

TORONTO – The Ontario Securities Commission has today published its

The annual conference, SpotOn London, will be taking place at the Wellcome Trust on Friday,

In true adherence to the age old phrase 'let them eat cake' and its traditional application to the under-funded and under-fed masses, for SpotOn London cakes were duly provided much to the enjoyment of the delegates. Since this act generated its own hashtag, it also deserves a Story...

قدمة تستعرض هذه المذكرة المشهد السياسي المعاصر في السودان،وكيفية تأثيرهعلى جدوى الاستثماراتفي القطاع الزراعيالتي تشتد الحاجة إليها لتحقيق التحول الزراعي في البلاد. ت ركزالمذكرة بشكل خاص على سلاسل القيمة في قطاعي الثروة الحيوانية والبستنة فيولاية الخرطوم،وإدارة الموارد الطبيعية في ولايتي النيل الأزرق وجنوب كردفان. أهملت الحكومات المتعاقبة إلى حد كبير قطاع الزراعة على الرغم من أنه أكبر قطاع توظيف في السودان ويساهم بنحو 56في المئة من إجمالي الصادرات (بنك السودان المركزي، 2020).

The singular journey of Odd Thomas is approaching its unforgettable conclusion in Saint Odd. But before Odd's destiny is revealed, this exclusive eBook short story looks back-way back-to where it all began for Odd Thomas and Stormy Llewellyn, two souls who are destined to be together forever. Amid the dizzying rides, tantalizing games of chance, and fanciful attractions of a state fair, two teenage sweethearts on the cusp of life and love's pleasures find their way to a shadowy carnival tent brimming with curiosities. There, from the bizarre and enthralling Gypsy Mummy, a mechanized merchant of dreams and prognosticator of tomorrows, the young couple learns what fate promises for them. But fate, for Odd Thomas and Stormy Llewellyn, is something altogether different: full of dark corners, sharp edges, and things no seer or soothsayer could ever anticipate. And for Odd Thomas, a gallant fry cook from a sleepy California desert town, the future beckons-to listen to unquiet spirits, pursue unsettling mysteries, and learn shocking truths ...for a purpose far greater than himself.

TORONTO – The Ontario Securities Commission (OSC), in partnership with the Royal Canadian Mounted Police (RCMP) – Integrated Market Enforcement Team (IMET), is warning the public about fraudulent investment opportunities related to the coronavirus (COVID-19).

TORONTO – The Ontario Securities Commission (OSC) is warning Ontario investors regarding the conduct of Sunil Tulsiani, who is permanently banned from trading securities in Ontario, and pleaded guilty to Securities Act offences in 2017.

TORONTO – The Ontario Securities Commission (OSC) is warning Ontario investors that FX Bit Pro and BitFxProSignals are not registered to deal or advise in securities in Ontario.

Toronto – The Canadian Securities Administrators (CSA) is warning the public about scammers claiming to represent large, well-known financial companies.  Recently, the CSA has noted an increase in the number of scams involving the use of professional looking electronic broch

Montréal –The Canadian Securities Administrators (CSA) warns the public about investment schemes involving fraudulent websites that solicit investments in foreign exchange (often referred to as “forex”), binary options and/or crypto assets.

TORONTO - The Ontario Securities Commission (OSC) is warning Ontario investors not to invest with Ernest Anderson (aka Edward Banayoti aka Edward Banayoti Sawiris), or any companies associated with him. Ernest Anderson is permanently banned from trading securities in Ontario.

Montreal - The Canadian Securities Administrators (CSA) is warning the public to be vigilant for unsolicited communications that come from scammers posing as CSA staff or staff of CSA members.

TORONTO – The Ontario Securities Commission (OSC) is warning investors that Nova Tech Ltd (NovaTech), which operates the website www.novatechfx.com, is not registered with the OSC in any capacity.

TORONTO – The Ontario Securities Commission (OSC) is warning the public about GoldberryCo, which is operating through the websites goldberryco.com, Goldbrco.com, GoldberryCo and is not registered to sell investments in Canada.

TORONTO – New Self-Regulatory Organization of Canada (New SRO) and the Canadian Securities Administrators (CSA) are warning Canadian investors not to be fooled by fraudsters impersonating real investment advisors.

TORONTO – The Canadian Securities Administrators (CSA), the Canadian Investment Regulatory Organization (CIRO), and the Ombudsman for Banking Services and Investments (OBSI) remind investors that they all offer investors services related to claims or complaints free of charge.

TORONTO – The Canadian Securities Administrators (CSA) warns Canadians about fraudulent “investment groups” promoted on social media like Facebook and Instagram. These groups could be running a scam called a “pump and dump.”How the scam works:

TORONTO – The Ontario Securities Commission (OSC) is warning Ontario investors that the following companies are not registered to deal or advise in securities in Ontario:

The CGIAR Initiative on National Policies and Strategies (NPS) presents: 'Livestock, Gender, and Agency Amid Conflict in Ethiopia' 📅 Dec 11, 2024, ILRI Info Center, Addis Ababa. Join us as we discuss CGIAR NPS’s latest findings to guide policies that strengthen Ethiopia’s livestock sector. CGIAR International Food Policy Research Institute (IFPRI) International Livestock Research Institute (ILRI) Policy Studies Institute […] Source: IFPRI Ethiopia: Ethiopia Strategy Support Program

Desde el inicio de la pandemia del COVID-19, los productores agrícolas de Guatemala han afrontado múltiples restricciones de movimiento tanto locales como nacionales, así como también disrupciones en las cadenas de valor agrícolas. Asimismo, los productores han estado expuestos a varios choques externos como las tormentas tropicales de ETA e IOTA hacia finales de 2020 y el reciente conflicto bélico en Europa del Este y crisis de precios.

En 2022, el mundo se enfrentó a múltiples crisis. Continuaron las perturbaciones de los sistemas alimentarios debidas a la prolongada pandemia de COVID-19, las grandes catástrofes naturales, los disturbios civiles y la inestabilidad política, así como los crecientes efectos del cambio climático, mientras la guerra entre Rusia y Ucrania y la inflación agravaban una crisis mundial de alimentos y fertilizantes.

La igualdad de género y el empoderamiento de las mujeres y niñas se ve reflejado en distintas prioridades de políticas a nivel global y local. El Objetivo de Desarrollo Sostenible 5 busca lograr la igualdad de género y empoderar a todas las mujeres y niñas.

En el Perú, se estima que hay aproximadamente 6 millones de personas que migraron internamente en algún momento de su vida. Esto equivale al 20.3% de la población, siendo su mayoría originaria de la serranía peruana. Aunque Lima es el principal polo de atracción, en los últimos años, se ha observado un aumento en la migración hacia las regiones de Madre de Dios, Tacna, Arequipa y Moquegua (INEI, 2022). Entre el 2002 y 2007, Madre de Dios fue el departamento que tuvo la mayor cantidad de migrantes con un saldo migratorio neto de 14,8% (Yamada, 2012).

This document is only available in PDF format.

This document is available as PDF only. The following links go to sections in the PDF. 

This document is only available in PDF format.

Numerous studies indicate that agricultural production is sensitive to climate variability, and lack of infrastructure in developing countries increases vulnerability to extreme climate events. In Ethiopia, the historical climate record indicates frequent droughts and floods, which can devastate agricultural production and existing infrastructure. Too much precipitation can flood crops, rot or suffocate roots, and wash out roads, creating similar economic conditions to those resulting from drought.

In this episode of the IoT Insider podcast, Bernard Montel provides a brief history of the evolution of the Cloud and the challenges of securing it.

Named one of Granta's Best Young British Novelists, Esther Freud made her debut with the much-buzzed-about Hideous Kinky and has since delivered one brilliant novel after the next. Set in 1914 along the Suffolk coast, Mr. Mac and Me is the story of Thomas Maggs, whose quiet life is shaken first by the appearance of the decidedly curious Mr. Mac and then by the ravages of World War I.

In the event of a security breach, a software inventory is essential to determine what was breached, and who needs to be notified.  First responders require a software inventory to perform forensic analysis and determine breach notification requirements for vendors, business partners, and regulatory bodies. Organizations that have a clear understanding of software in their environment can quickly assess a breach impact and identify affected areas. If legal proceedings are involved, an organized software inventory greatly assists in limiting data handed over to Law Enforcement and assists technical staff in depositions or testimony. 

Business Continuity and Disaster Recovery plans specify requirements for restoration of critical assets and services, but these need to be identified to establish a Recovery Time Objective (the amount of time to recover a service to an acceptable level of operation) and Recovery Point Objective (the last point of known good data.)  Developing and maintaining a software inventory is a critical first step in implementing an effective cyber security program.

A software inventory helps demonstrate compliance with regulatory controls and Service Level Agreements (SLA) for software used in the environment. From the perspective of “less is more,” a software inventory also identifies unnecessary software running in the environment, which increases the attack surface without providing a business advantage.

Security operations perform scans to identify operating system and application versions, including unsupported software and unpatched systems. This information is used to establish a secure baseline and measure drift from that baseline. A software inventory is necessary to determine if the software is authorized, appropriately licensed, supported, and has the most recent security fixes applied.
Identifying the authorized software assets is an important step to ensure critical assets are protected. The larger the organization, the more difficult the inventory process becomes. Tenable.io and Tenable.sc help organizations build a software inventory. There are several software discovery plugins that run by default in the following scan templates:

• Basic and Advanced Agent Scans
• Advanced (Network) Scan
• Basic (Network) Scan
• Credentialed Patch Audit
• Internal PCI Network Scan

Maintaining a software inventory aids in cyber hygiene and minimizes unauthorized software installation. Many organizations perform an annual audit by an external third party, where they are required to enumerate authorized software that is running in the environment. Organizations that maintain a current software inventory throughout the year can produce information required by auditors and vendors with minimal effort. 

The report and its chapters are available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The report can be easily located in the Tenable.sc Feed under the category Discovery and Detection.

The report requirements are: 

• Tenable.sc 5.19.1
• Nessus 10.0.1

Security leaders need to SEE everything, PREDICT what matters most and ACT to address cyber risk and effectively align cybersecurity initiatives with business objectives. Tenable.io discovers and analyzes assets continuously to provide an accurate and unified view of an organization’s security posture.

Chapters

Executive Summary This chapter presents data for detected operating systems, browsers, unsupported software, and other software installations on systems within a network.

Installed Software Iteration This chapter displays software detected across the organizations systems. Software enumeration is utilized to detect Installed software.

Issues Gating Remediation This chapter displays known/identified roadblocks to completing remediation efforts.

Every year, over 10,000 letters addressed to Juliet Capulet arrive in Verona, Italy, the famous hometown of Shakespeare's Romeo & Juliet. These handwritten letters come from people all over the world, seeking guidance and support from Juliet herself. Capturing the pain, joy, humor, and confusion of love, the 60 letters in this book offers encouragement, comfort, hope-and a nod to the human condition. Including responses from Juliet herself, this romantic and relatable, and perfect as a Valentine's Day gift, Dear Juliet proves that love is the universal language.

How do we find lasting, trusting, and fulfilling friendships? Is it by being popular? Dazzling others with your genius? Looking for that ultimate BFF? Hiding all your imperfections and trying hard to fit in? Deep and enduring friendships are essential to our psychological and physical well-being. Unfortunately, between bullying, social anxiety, peer pressure, and other issues, many teens feel isolated. In Dear Libby, trusted columnist Libby Kiszner offers a breakthrough approach to friendship and connection. You can create friendships from the inside out-rather than from the outside in. You can experience friendships with vibrant self-expression in every stage of life, making Dear Libby a book that can be read and reread at any age. Containing seven core principles, this life-changing resource not only explains the dynamics of connections and friendships but also gives practical tools to develop them. Integrating contemporary issues, timeless insight, real-life skills, and unique perspectives, Dear Libby provides a hands-on guide for dealing with everyday friendship struggles faced by teens today. Teens and readers of all ages will gain insight and understanding on how to make profound, joyful relationships possible. Find answers to real questions like: What should I do when people who are supposed to be my friends call me names or embarrass me? What should I do I do if I'm being ignored at school? What is the best way to handle loneliness? Someone just stole my friend. What can I do? What can I do when my friends get together and "forget" to invite me?

L’investissement dans les agriculteurs, c’est-à-dire le capital humain de l’agriculture, est crucial pour relever les défis que posent nos systèmes agroalimentaires.

Cette note propose un résumé des politiques, stratégies et plans d’action ayant trait à la nutrition (désignés ici sous le terme de « politiques ») en Afrique de l’Ouest.

Créée notamment pour promouvoir le commerce intra-régional de biens dans la région, la Communauté économique des États d'Afrique de l'Ouest devait aussi permettre d'y réduire l'insécurité alimentaire. Mais les « points de sécurité », dressés le long des corridors de commerce par les autorités administratives qui prélèvent des pots-de-vin, sont venus limiter cette ambition. S’élevant jusqu’à 576 dollars aux 100 kms au Togo en 2017, cette corruption se mesure aussi en temps perdu, avec plus de trois heures aux 100 kms.

Limiting deforestation involves complex tradeoffs: Results from a global land-use model

Many dimensions of combating climate change.

The post Limiting deforestation involves complex tradeoffs: Results from a global land-use model appeared first on IFPRI.

India lifts export restrictions on rice

Assessing impacts on global markets and African consumers.

The post India lifts export restrictions on rice appeared first on IFPRI.