Starts: Sat, 16 Nov 2024 17:30:00 -0500
11/16/2024 05:30:00PM
Location: North Point, Hong Kong (china)

Starts: Tue, 19 Nov 2024 20:30:00 -0500
11/19/2024 05:30:00PM
Location: Ottawa, Canada

Starts: Wed, 20 Nov 2024 19:30:00 -0500
11/20/2024 06:00:00PM
Location: Toronto, Canada

Starts: Wed, 20 Nov 2024 19:00:00 -0500
11/20/2024 07:00:00PM
Location: Amsterdam, Netherlands

Starts: Fri, 22 Nov 2024 19:00:00 -0500
11/22/2024 05:00:00PM
Location: Montreal, Canada

Starts: Sat, 23 Nov 2024 18:30:00 -0500
11/23/2024 06:30:00PM
Location: Seoul, Korea (south)

Starts: Mon, 25 Nov 2024 20:00:00 -0500
11/25/2024 05:30:00PM
Location: Montreal, Canada

Starts: Sat, 07 Dec 2024 16:30:00 -0500
12/07/2024 01:30:00PM
Location: Ottawa, Canada

Starts: Tue, 10 Dec 2024 19:00:00 -0500
12/10/2024 05:00:00PM
Location: Vancouver, Canada

Starts: Tue, 10 Dec 2024 19:00:00 -0500
12/10/2024 05:30:00PM
Location: Montreal, Canada

Starts: Wed, 11 Dec 2024 19:00:00 -0500
12/11/2024 05:00:00PM
Location: Vancouver, Canada

Starts: Thu, 12 Dec 2024 09:30:00 -0500
12/12/2024 08:00:00AM
Location: Vancouver, Canada

Starts: Thu, 12 Dec 2024 21:00:00 -0500
12/12/2024 07:00:00PM
Location: New York, U. S. A.

Starts: Sat, 30 Nov 2024 19:00:00 -0500
<div>Join us for a magical evening of holiday cheer at the <b>McGill Alumni Association of Calgary</b>'s <b>Holiday Soirée</b>!</div><div><br /></div><div>Immerse yourself in the historic ambiance of Lougheed House as we celebrate the season with festive decorations, delightful canapés, and a cash bar.&nbsp;</div><div><br /></div><div>This is your chance to dress up, socialize, make new friends, and reconnect with old ones-all while enjoying a fun evening with our community. <br /><br /></div><div><i>Get ready to be enchanted by the spirit of the holidays! <br /></i></div>
Location: Calgary, Canada

New essay by Kevin K. Gaines, "Racial Uplift Ideology in the Era of the Negro Problem," added to Freedom's Story: Teaching African American Literature and History, TeacherServe from the National Humanities Center.

New essay, "The New Negro and the Black Image: From Booker T. Washington to Alain Locke," by Henry Louis Gates, Jr., the Alphonse Fletcher University Professor and the Director of the W. E. B. Du Bois Institute for African and African American Research at Harvard University, added to Freedom's Story: Teaching African American Literature and History, TeacherServe from the National Humanities Center.

This document is only available in PDF format.

National Instrument 93-101 Derivatives: Business Conduct (the Rule) will come into force on September 28, 2024 (the Effective Date), pursuant to section 143.4 of the Securities Act (Ontario).

This document is only available as a PDF.

The Minister of Finance has approved amendments to Ontario Securities Commission (OSC) Rule 91-507 Trade Repositories and Derivatives Data Reporting and consequential amendments to OSC Rule 13-502 Fees (collectively, the Amendments) pursuant to

This document is only available in PDF format.

This document is only available in PDF format.

Job Summary The International Food Policy Research Institute (IFPRI) seeks a qualified candidate to serve as a Research Analyst I/II in its Development Strategies and Governance Unit. This position is a one-year, renewable appointment, based at IFPRI’s office in New Delhi, India. The Successful candidate will have experience in using mixed methods for research and excellent writing skills. Interested applicants must have work authorization to work in India. The final grade level will be determined by level of education and years of relevant work experience. Essential Duties:  Specific duties and responsibilities include but are not limited to: Assist with the analysis of climate-smart agricultural (CSA) technologies and interventions and their increasing significance as part of agricultural adaptation in the wake of climate change, particularly in the developing countries. Assist in conducting cost-benefit analysis, constraint analysis, and policy analysis to estimate the extent to of CSA adoption in the South Asia region.  Conduct data analysis (using primary and secondary), statistical and econometric analysis. Familiarity with trade-related data and data sources to assist with the analysis of trade barriers (tariff and non-tariff) associated with various CSA technologies. Preparation of analytical reports and peer-reviewed publishable papers using information from primary surveys and secondary data. Assist in the preparation of project reports, policy briefs and journal articles. Conduct literature reviews & synthesis. Verify or triangulate key data to ensure the robustness and relevance of it in developing indices. Regular travel and meetings with various stakeholders including government officials, extension agents, local service providers, and farmers to gather inputs for drafting reports. Assist in organizing high level policy forum, workshops and seminars. Required Qualifications:  At the Research Analyst I level, Bachelors’ degree plus two years of relevant experience, or Master’s degree in Economics, Rural Development, Public Policy, or a closely related field. At the Research Analyst II level, Master's degree in the above-mentioned fields plus three years of relevant post Master’s work experience. Demonstrated experience working with large quantitative data sets (data cleaning, management, analysis, etc.) Knowledge of standard econometric tools Excellent Stata, data visualization (Tableau/Power BI), MS Excel and ArcGIS skills (knowledge of ArcGIS and Tableau/Power BI is not compulsory)  Demonstrated strong writing skills. Fluency in written and spoken English and Hindi Ability to work independently, with initiative and minimal supervision. Preferred Qualifications:  Experience in fieldwork, using mixed methods for research. Experience in designing and conducting focused group discussions, semi-structured interviews, and analysis of policy documents.   Experience working in rural South Asia Experience in liaison and coordination with ministries and departments.  Physical Demands and Work Environment Employee will sit in an upright position for a long period of time. Employee will lift between 0-10 pounds. Employee is required to have close visual acuity to perform activities such as: preparing and analyzing data and figures; transcribing; viewing computer terminal; extensive reading.  

Job Summary   The International Food Policy Research Institute (IFPRI) seeks a qualified candidate to serve as a Research Analyst I/II in its Development Strategies and Governance Unit. This position is a one-year, renewable appointment, based at IFPRI’s office in New Delhi, India. Successful candidate will engage in quantitative research to generate empirical evidence on efficiency in agricultural research & development, impact of agricultural technologies, farm credits & insurance, innovations in input delivery systems, linkages between agriculture and nutrition etc. Job duties will include support to quantitative data analysis, literature reviews including policy and program reviews and assistance in the preparation of reports and journal manuscripts. The RA is expected to support policy and stakeholder communications activities also. Interested applicants must have work authorization to work in India. The final grade level will be determined by level of education and years of relevant work experience. Essential Duties:  Specific duties and responsibilities include but are not limited to: Assist in various tasks involving Data collection, compilation, cleaning, and analysis of primary and secondary data from various sources.          Coordinate and manage large field surveys. C onduct literature reviews and synthesize findings. Perform economic modeling and statistical analysis. Facilitate coordination between collaborators and stakeholders.                                             Assist in the drafting and editing of research papers, blogs, policy briefs, technical guidance, presentations, etc. Perform other duties as assigned. Required Qualifications:  Research Analyst I: Bachelor’s degree in Economics, Agricultural Economics, Statistics, Agricultural Statistics plus two years of professional experience or Master’s degree in closely related field. Research Analyst II: Master’s degree in one of the above fields plus minimum three years of post-master’s relevant experience. Skills in quantitative research methods and data analysis. Experience of using Stata software for data analysis. Fluency in written and spoken English. Excellent interpersonal skills along with the ability to work independently and with colleagues from diverse cultures. Ability to manage multiple tasks and produce completed products in time. Ability to work independently, with initiative and minimal supervision. Preferred Qualifications:  Experience in handling large agricultural and household survey data from developing countries. Demonstrated strong writing skills. Physical Demand & Work environment: Employee will sit in an upright position for a long period of time.  Employee will lift between 0-10 pounds.    Employee is required to have close visual acuity to perform activities such as: data preparation, web-scraping, preparing, and analyzing data and figures; dashboard; viewing computer terminal; extensive coding.  

Job Summary: The International Food Policy Research Institute (IFPRI) seeks a qualified candidate to serve as a Research Assistants/ Research Analyst I in its Development Strategies and Governance Unit for the Sudan Strategy Support Program. This is a one-year, renewable appointment. The successful candidates will work with senior research staff in the analysis of agriculture, rural development, food and nutrition security and related policies and other research activities including research work related to the ensuing conflict in Sudan. The incumbent will work under the overall guidance of the IFPRI Sudan Program Leader but will be employed directly by IFPRl's organizational host, the Arab Organization for Agricultural Development (AOAD) - employment policies, compensation, and benefits of AOAD will apply to this position. Interested applicants must have authorization to work in Sudan. The final grade level will be determined by level of education and years of relevant work experience. Essential Duties: Specific Duties include but are not limited to: Assist the collection of primary and secondary data, Asist build large dataset from multiple sources, Assist to analyze data using advance analytical methods, Assist in conducting literature reviews and synthesis, Assist in drafting and translating reports, research papers, and blog posts between English and Arabic languages, Assist in capacity building and support outreach activities, Assist to coordinate projects and conduct other duties as assigned. Required Qualifications:  Research Assistant: Bachelor's or its equivalent in Economics, Agricultural Economics, Statistics, or closely related fields, Research Analyst: Bachelor’s degree plus two years of relevant professional experience or Master’s degree in a relevant discipline, Excellent knowledge of macroeconomic and/or microeconomic theory, Excellent knowledge of and quantitative econometric methods and/or economic modeling, Excellent knowledge of Stata and/or GAMS, Excellent analytical mind and drafting skills, Demonstrated fluency in written and spoken English and Arabic , Excellent interpersonal skills and to work in a team-oriented multi-cultural environment, Demonstrated ability to multi-task, meet deadlines, and manage time, Demonstrated professional level of attention to detail and accuracy of work, Ability to work independently and take initiative, Willingness to travel. Preferred Qualifications: Previous experience conducting research on and collecting data in Sudan. Familiarity with the literature on economic and agriculture development, food security, poverty reduction and related fields. Previous experience related to policy analysis and impact evaluation. Experience with spatial analysis and ARC-GIS. Experience with policy communication activities and events organization. Experience with managing websites and updating their contents. Experience in academia, the private sector, a development-oriented organization, or comparable institution,   Physical Demand & Work environment Employee will sit in an upright position for a long period of time. Employee will lift between 0-10 pounds. Employee is required to have close visual acuity to perform activities such as: preparing and analyzing data and figures; transcribing; viewing computer terminal; extensive reading.  

Job Summary: The Director General’s Office (DGO) of the International Food Policy Research Institute (IFPRI) seeks a highly motivated Proposal Coordinator   to join its team. The ideal candidate will be innovative, self-motivated and goal-oriented, with experience creating and executing fundraising strategies and developing successful proposals to secure restricted and unrestricted funding from foundations and government and multilateral agencies.  The incumbent will be responsible for supporting senior staff and research leads with strategic resource mobilization, proposal development, and coordination efforts across the institute. This locally recruited position is a one year, renewable appointment and is located at IFPRI’s headquarters in Washington, DC.    Essential Duties: Specific duties include but are not limited to: Fundraising Assist in advising staff on the development and implementation of fundraising strategies Perform competitive intelligence gathering through research and analytics to identify new donors and funding prospects, including private industry, foundations, high-net worth individuals, multilateral agencies, and government Advise staff on strategies for approaching donor prospects and draft outreach & communication materials Manage cultivation and stewardship for select foundations and individual donors   Proposal Development & Coordination Proactively liaise with research units and corporate services to facilitate proposal development efforts, streamline the process, strengthen the output, and track progress and staff input throughout the proposal process Work closely with and support research units from project concept to full proposal development, incorporating input from multi-disciplinary staff Provide high quality review for key proposals to ensure output complies with proposal requirements, and facilitate professional service support (grant writer, editor, etc.), in collaboration with research units and finance Continually assess and propose improvements for practices/procedures/systems involving IFPRI’s proposal pipeline and funder/funding intelligence Other duties: Assist with partnership-related activities and event coordination as needed.     Required Qualifications: Bachelor’s degree plus 10 years of relevant work experience or master’s degree or equivalent certification plus 8 years of experience, preferably 4 years of experience in a business development team supporting international development clients, including USAID and US government contracting. At least 2 years of management experience. Experience developing and/or implementing fundraising strategies for nonprofit organizations, including prospect research; outreach to funding sources; and donor cultivation and stewardship Experience developing successful proposals/grants targeting various funding sources (government, private industry, foundation and individuals), preferably in agriculture, nutrition and/or relevant fields Highly effective and versatile communication skills—both written and oral. Ability to effectively synthesize scientific/programmatic content for multiple audiences High level of professionalism, including the ability to diplomatically coordinate individuals with various disciplines to accomplish common objections Self-motivated, with proven ability to work independently and multi-task to accomplish key goals and complete projects Strong analytical skills Comfortable in a global team, including working well with team members and collaborators located in multiple time zones and countries Willingness and ability to travel as needed   Preferred Qualifications: Master’s degree Proficiency in a second language of the U.N. system International experience, especially in Africa, Asia and Latin America Working knowledge of Microsoft Office and donor databases Background, or interest in, international development   Physical Demand & Work environment: Employee will sit in an upright position for a long period of time Employee will lift between 0-10 pounds. Employee is required to have close visual acuity to perform activities such as: preparing and analyzing data and figures; transcribing; viewing computer terminal; extensive reading   Salary Range: The expected salary range for this job requisition is between $85,600- $104,900. In determining your salary, we will consider your experience and other job-related factors. Benefits: IFPRI is committed to providing our staff members with valuable and competitive benefits, as it is a core part of providing a strong overall employee experience. This position is eligible for health insurance coverage and a summary of our benefits can be found on our website. Please note that the listed benefits are generally available to active, non-temporary, full-time and part-time US-based employees who work at least 25 hours per week. The International Food Policy Research Institute (IFPRI) is an equal employment opportunity employer - F/M/Disability/Vet/Sexual Orientation/Gender Identity.

Job Summary The International Food Policy Research Institute (IFPRI) seeks a qualified candidate to serve as a Research Analyst in its Development Strategies and Governance Unit (DSG). This is one-year, non-renewable appointment based in Yangon, Myanmar, and may include travel and extended stays in different parts of rural Myanmar. The successful candidate will work on several research projects, involving household survey data collection and analysis. Interested applicants must be authorized to work in Myanmar. Essential Duties: Specific Duties include but are not limited to: Collection, cleaning, and analysis of primary and secondary data Assist in handling household survey data (including survey design, sampling & questionnaire) Assist with development of research instruments and analytical tools Conduct data analysis, statistical analysis, econometric analysis Conduct literature reviews & synthesis Contribute to the writing of discussion papers, donor reports, and other scholarly publications. Coordinate field implementation of survey activities (scoping, pretesting, training survey enumerators, etc.) Prepare large datasets for public access Develop data documentation manuals or other learning materials, as needed Help develop & coordinate technical workshops Interact with collaborators and project partners. Other duties as assigned Required Qualifications: Bachelors degree in Economics, Agricultural Economics, International Development or related field plus two years of professional experience or a Master’s degree in a relevant discipline. Experienced in conducting literature reviews of academic publications, research reports, etc. Demonstrated experience in coordinating activities in the field. Demonstrated experience in effective interaction and coordination with collaborators and project partners. Demonstrated experience working with large quantitative data sets (data cleaning, management, analysis, etc.) Demonstrated ability to perform in-depth statistical analysis and report the results. Demonstrated fluency in written and spoken English and Myanmar language. Proficiency with Microsoft Office (Word, Excel, PowerPoint, Outlook) Excellent interpersonal skills and to work in a team-oriented multi-cultural environment. Demonstrated ability to multi-task as needed, consistently meet deadlines and manage time well Demonstrated professional level of attention to detail and accuracy of work. Ability to work independently, with initiative and minimal supervision. Ability to travel. Preferred Qualifications: Skilled in programming in Stata and in managing household databases. Excellent econometric skills on cross-section and panel data analysis. Experience with data entry and CAPI software packages. Proficiency in Shan, Karen, Kachin, Chin, and/or Mon language. Physical Demand & Work environment: Employee will seat in an upright position for a long period of time. Employee will lift between 0-10 pounds. Employee is required to have close visual acuity to perform activity such as: preparing and analyzing data and figures; transcribing; viewing computer terminal; extensive reading.

Here is a Storify summary of the SpotOn London session: BrainSpace, a global interest graph for

Assessing social media impact was one of the workshop sessions at November’s SpotOn London conference,

It ain’t a party if you can’t join us Towards the end of April, SpotOn

Julia Schölermann is the organiser for this year’s SpotOn London session on, What should the scientific

The CISA Known Exploited Vulnerabilities (KEV) catalog and enhanced logging guidelines are among the new measurement tools added for the 2024 State and Local Cybersecurity Grant Program.

Last month, the Department of Homeland Security announced the availability of $279.9 million in grant funding for the Fiscal Year (FY) 2024 State and Local Cybersecurity Grant Program (SLCGP). Now in its third year, the four-year, $1 billion program provides funding for State, Local and Territorial (SLT) governments to implement cybersecurity solutions that address the growing threats and risks to their information systems. Applications must be submitted by December 3, 2024.

While there are no significant modifications to the program for FY 2024, the Federal Emergency Management Agency (FEMA), which administers SLCGP in coordination with the Cybersecurity and Infrastructure Security Agency (CISA), identified key changes, some of which we highlight below:

The FY 2024 NOFO adds CISA’s KEV catalog as a new performance measure and recommended resource

The FY 2024 notice of funding opportunity (NOFO) adds the CISA Known Exploited Vulnerabilities (KEV) catalog as a recommended resource to encourage governments to regularly view information related to cybersecurity vulnerabilities confirmed by CISA, prioritizing those exploited in the wild. In addition, CISA has added “Addressing CISA-identified cybersecurity vulnerabilities” to the list of performance measures it will collect through the duration of the program.

Tenable offers fastest, broadest coverage of CISA’s KEV catalog

At Tenable, our goal is to help organizations identify their cyber exposure gaps as accurately and quickly as possible. To achieve this goal, we have research teams around the globe working to provide precise and prompt coverage for new threats as they are discovered. Tenable monitors and tracks additions to the CISA KEV catalog on a daily basis and prioritizes developing new detections where they do not already exist.

Tenable updates the KEV coverage of its vulnerability management products — Tenable Nessus, Tenable Security Center and Tenable Vulnerability Management — allowing organizations to use KEV catalog data as an additional prioritization metric when figuring out what to fix first. The ready availability of this data in Tenable products can help agencies meet the SLCGP performance measures. This blog offers additional information on Tenable’s coverage of CISA’s KEV catalog.

FY 2024 NOFO adds “Adopting Enhanced Logging” as a new performance measure

The FY 2024 NOFO also adds “Adopting Enhanced Logging” to the list of performance measures CISA will collect throughout the program duration.

How Tenable’s library of compliance audits can help with Enhanced Logging

Tenable's library of Compliance Audits, including Center for Internet Security (CIS) and Defense Information Systems Agency (DISA), allows organizations to assess systems for compliance, including ensuring Enhanced Logging is enabled. Tenable's vulnerability management tools enable customers to easily schedule compliance scans. Users can choose from a continuously updated library of built-in audits or upload custom audits. By conducting these scans regularly, organizations can ensure their systems are secure and maintain compliance with required frameworks.

FY 2024 NOFO continues to require applicants to address program objectives in their applications

As with previous years, the FY 2024 NOFO sets four program objectives. Applicants must address at least one of the following in their applications:

• Objective 1: Develop and establish appropriate governance structures, including by developing, implementing, or revising Cybersecurity Plans, to improve capabilities to respond to cybersecurity incidents, and ensure operations.
• Objective 2: Understand their current cybersecurity posture and areas for improvement based on continuous testing, evaluation, and structured assessments.
• Objective 3: Implement security protections commensurate with risk.
• Objective 4: Ensure organization personnel are appropriately trained in cybersecurity, commensurate with responsibility.

How Tenable can help agencies meet Objective 2 of the program

Tenable is uniquely positioned to help SLTs meet Objective 2 through the Tenable One Exposure Management Platform. In addition to analyzing traditional IT environments, Tenable One analyzes cloud instances, web applications, critical infrastructure environments, identity access and privilege solutions such as Active Directory and more — including highly dynamic assets like mobile devices, virtual machines and containers. Once the complete attack surface is understood, the Tenable One platform applies a proactive risk-based approach to managing exposure, allowing SLT agencies to successfully meet each of the sub-objectives outlined in Objective 2 (see table below).

Source: Tenable, October 2024

Tenable One deployment options offer flexibility for SLT agencies

Tenable offers SLT agencies flexibility in their implementation models to help them best meet the requirements and objectives outlined as part of the SLCGP. Deployment models include:

• Centralized risk-based vulnerability program managed by a state Department of Information Technology (DoIT)
• Multi-entity projects
• Decentralized deployments of Tenable One managed by individual municipalities,
• Managed Security Service Provider (MSSP) models that allow agencies to rapidly adopt solutions by utilizing Tenable’s Technology Partner network.

Whole-of-state approach enables state-wide collaboration and cooperation

A “whole-of-state” approach — which enables state-wide collaboration to improve the cybersecurity posture of all stakeholders — allows state governments to share resources to support cybersecurity programs for local government entities, educational institutions and other organizations. Shared resources increase the level of defense for SLTs both individually and as a community and reduce duplication of work and effort. States get real-time visibility into all threats and deploy a standard strategy and toolset to improve cyber hygiene, accelerate incident response and reduce statewide risk. For more information, read Protecting Local Government Agencies with a Whole-of-State Cybersecurity Approach.

FY 2024 NOFO advises SLT agencies to adopt key cybersecurity best practices

As in previous years, the FY 2024 NOFO again recommends SLT agencies adopt key cybersecurity best practices. To do this, they are required to consult the CISA Cross-Sector Cybersecurity Performance Goals (CPGs) throughout their development of plans and projects within the program. This is also a statutory requirement for receiving grant funding.

How Tenable One can help agencies meet the CISA CPGs

The CISA CPGs are a prioritized subset of cybersecurity practices aimed at meaningfully reducing risk to critical infrastructure operations and the American people. They provide a common set of IT and operational technology (OT) fundamental cybersecurity best practices to help SLT agencies address some of the most common and impactful cyber risks. Learn more about how Tenable One can help agencies meet the CISA CPGs here.

Learn more

• $1 Billion State and Local Cybersecurity Grant Program Now Open for Applicants
• Protecting Local Government Agencies with a Whole-of-State Cybersecurity Approach
• How to Meet FY 2023 U.S. State and Local Cybersecurity Grant Program Objectives
• New U.S. SLCGP Cybersecurity Plan Requirement: Adopt Cybersecurity Best Practices Using CISA's CPGs
• Study: Tenable Offers Fastest, Broadest Coverage of CISA's KEV Catalog

Should critical infrastructure orgs boost OT/ICS systems’ security with zero trust? Absolutely, the CSA says. Meanwhile, the Five Eyes countries offer cyber advice to tech startups. Plus, a survey finds “shadow AI” weakening data governance. And get the latest on MFA methods, CISO trends and Uncle Sam’s AI strategy.

Dive into six things that are top of mind for the week ending Nov. 1.

1 - Securing OT/ICS in critical infrastructure with zero trust

As their operational technology (OT) computing environments become more digitized, converged with IT systems and cloud-based, critical infrastructure organizations should beef up their cybersecurity by adopting zero trust principles.

That’s the key message of the Cloud Security Alliance’s “Zero Trust Guidance for Critical Infrastructure,” which focuses on applying zero trust methods to OT and industrial control system (ICS) systems.

While OT/ICS environments were historically air gapped, that’s rarely the case anymore. “Modern systems are often interconnected via embedded wireless access, cloud and other internet-connected services, and software-as-a-service (SaaS) applications,” reads the 64-page white paper, which was published this week.

The CSA hopes the document will help cybersecurity teams and OT/ICS operators enhance the way they communicate and collaborate.

Among the topics covered are:

• Critical infrastructure’s unique threat vectors
• The convergence of IT/OT with digital transformation
• Architecture and technology differences between OT and IT

The guide also outlines this five-step process for implementing zero trust in OT/ICS environments:

• Define the surface to be protected
• Map operational flows
• Build a zero trust architecture
• Draft a zero trust policy
• Monitor and maintain the environment

A zero trust strategy boosts the security of critical OT/ICS systems by helping teams “keep pace with rapid technological advancements and the evolving threat landscape,” Jennifer Minella, the paper’s lead author, said in a statement.

To get more details, read:

• The report’s announcement “New Paper from Cloud Security Alliance Examines Considerations and Application of Zero Trust Principles for Critical Infrastructure”
• The full report “Zero Trust Guidance for Critical Infrastructure”
• A complementary slide presentation

For more information about OT systems cybersecurity, check out these Tenable resources: 

• “What is operational technology (OT)?” (guide)
• “Discover, Measure, and Minimize the Risk Posed by Your Interconnected IT/OT/IoT Environments” (on-demand webinar)
• “How To Secure All of Your Assets - IT, OT and IoT - With an Exposure Management Platform” (blog)
• “Blackbox to blueprint: The security leader’s guidebook to managing OT and IT risk” (white paper)
• “Tenable Cloud Risk Report 2024” (white paper)

2 - Five Eyes publish cyber guidance for tech startups

Startup tech companies can be attractive targets for hackers, especially if they have weak cybersecurity and valuable intellectual property (IP).

To help startups prevent cyberattacks, the Five Eyes countries this week published cybersecurity guides tailored for these companies and their investors.

“This guidance is designed to help tech startups protect their innovation, reputation, and growth, while also helping tech investors fortify their portfolio companies against security risks," Mike Casey, U.S. National Counterintelligence and Security Center Director, said in a statement.

These are the top five cybersecurity recommendations from Australia, Canada, New Zealand, the U.S. and the U.K. for tech startups:

• Be aware of threat vectors, including malicious insiders, insecure IT and supply chain risk.
• Identify your most critical assets and conduct a risk assessment to pinpoint vulnerabilities.
• Build security into your products by managing intellectual assets and IP; monitoring who has access to sensitive information; and ensuring this information’s protection.
• Conduct due diligence when choosing partners and make sure they’re equipped to protect the data you share with them.
• Before you expand abroad, prepare and become informed about these new markets by, for example, understanding local laws in areas such as IP protection and data protection.

“Sophisticated nation-state adversaries, like China, are working hard to steal the intellectual property held by some of our countries’ most innovative and exciting startups,” Ken McCallum, Director General of the U.K.’s MI5, said in a statement.

To get more details, check out these Five Eyes’ cybersecurity resources for tech startups:

• The announcement “Five Eyes Launch Shared Security Advice Campaign for Tech Startups”
• The main guides: 
  • “Secure Innovation: Security Advice for Emerging Technology Companies”
  • “Secure Innovation: Security Advice for Emerging Technology Investors”
• These complementary documents:
  • “Secure Innovation: Scenarios and Mitigations”
  • “Secure Innovation: Travel Security Guidance”
  • “Secure Innovation: Due Diligence Guidance”
  • “Secure Innovation: Companies Summary”

3 - Survey: Unapproved AI use impacting data governance

Employees’ use of unauthorized AI tools is creating compliance issues in a majority of organizations. Specifically, it makes it harder to control data governance and compliance, according to almost 60% of organizations surveyed by market researcher Vanson Bourne.

“Amid all the investment and adoption enthusiasm, many organisations are struggling for control and visibility over its use,” reads the firm’s “AI Barometer: October 2024” publication. Vanson Bourne polls 100 IT and business executives each month about their AI investment plans.

To what extent do you think the unsanctioned use of AI tools is impacting your organisation's ability to maintain control over data governance and compliance?

^{(Source: Vanson Bourne’s “AI Barometer: October 2024”)}

Close to half of organizations surveyed (44%) believe that at least 10% of their employees are using unapproved AI tools.

On a related front, organizations are also grappling with the issue of software vendors that unilaterally and silently add AI features to their products, especially to their SaaS applications.

While surveyed organizations say they’re reaping advantages from their AI usage, “such benefits are dependent on IT teams having the tools to address the control and visibility challenges they face,” the publication reads.

For more information about the use of unapproved AI tools, an issue also known as “shadow AI,” check out:

• “Do You Think You Have No AI Exposures? Think Again” (Tenable)
• “Shadow AI poses new generation of threats to enterprise IT” (TechTarget)
• “10 ways to prevent shadow AI disaster” (CIO)
• “Never Trust User Inputs -- And AI Isn't an Exception: A Security-First Approach” (Tenable)
• “Shadow AI in the ‘dark corners’ of work is becoming a big problem for companies” (CNBC)

VIDEO

Shadow AI Risks in Your Company

4 - NCSC explains nuances of multi-factor authentication

Multi-factor authentication (MFA) comes in a variety of flavors, and understanding the differences is critical for choosing the right option for each use case in your organization.

To help cybersecurity teams better understand the different MFA types and their pluses and minuses, the U.K. National Cyber Security Centre (NCSC) has updated its MFA guidance.

“The new guidance explains the benefits that come with strong authentication, while also minimising the friction that some users associate with MFA,” reads an NCSC blog.

In other words, what type of MFA method to use depends on people’s roles, how they work, the devices they use, the applications or services they’re accessing and so on.

Topics covered include:

• Recommended types of MFA, such as FIDO2 credentials, app-based and hardware-based code generators and message-based methods
• The importance of using strong MFA to secure users’ access to sensitive data
• The role of trusted devices in boosting and simplifying MFA
• Bad practices that weaken MFA’s effectiveness, such as:
  • Retaining weaker, password-only authentication protocols for legacy services
  • Excluding certain accounts from MFA requirements because their users, usually high-ranking officials, find MFA inconvenient

To get more details, read:

• The NCSC blog “Not all types of MFA are created equal”
• The NCSC guide “Multi-factor authentication for your corporate online services”

For more information about MFA:

• “Multifactor Authentication Cheat Sheet” (OWASP)
• “Deploying Multi Factor Authentication – The What, How, and Why” (SANS Institute)
• “How MFA gets hacked — and strategies to prevent it” (CSO)
• “How Multifactor Authentication Supports Growth for Businesses Focused on Zero Trust” (BizTech)
• “What is multi-factor authentication?” (TechTarget)

5 - U.S. gov’t outlines AI strategy, ties it to national security 

The White House has laid out its expectations for how the federal government ought to promote the development of AI in order to safeguard U.S. national security.

In the country’s first-ever National Security Memorandum (NSM) on AI, the Biden administration said the federal government must accomplish the following:

• Ensure the U.S. is the leader in the development of safe, secure and trustworthy AI
• Leverage advanced AI technologies to boost national security
• Advance global AI consensus and governance

“The NSM’s fundamental premise is that advances at the frontier of AI will have significant implications for national security and foreign policy in the near future,” reads a White House statement.

The NSM’s directives to federal agencies include:

• Help improve the security of chips and support the development of powerful supercomputers to be used by AI systems.
• Help AI developers protect their work against foreign spies by providing them with cybersecurity and counterintelligence information.
• Collaborate with international partners to create a governance framework for using AI in a way that is ethical, responsible and respects human rights. 

The White House also published a complementary document titled “Framework To Advance AI Governance and Risk Management in National Security,” which adds implementation details and guidance for the NSM.

6 - State CISOs on the frontlines of AI security

As the cybersecurity risks and benefits of AI multiply, most U.S. state CISOs find themselves at the center of their governments' efforts to craft AI security strategies and policies.

That’s according to the “2024 Deloitte-NASCIO Cybersecurity Study,” which surveyed CISOs from all 50 states and the District of Columbia.

Specifically, 88% of state CISOs reported being involved in the development of a generative AI strategy, while 96% are involved with creating a generative AI security policy.

However, their involvement in AI cybersecurity matters isn’t necessarily making them optimistic about their states’ ability to fend off AI-boosted attacks.

None said they feel “extremely confident” that their state can prevent AI-boosted attacks, while only 10% reported feeling “very confident.” The majority (43%) said they feel “somewhat confident” while the rest said they are either “not very confident” or “not confident at all.”

Naturally, most state CISOs see AI-enabled cyberthreats as significant, with 71% categorizing them as either “very high threat” (18%) or “somewhat high threat” (53%).

At the same time, state CISOs see the potential for AI to help their cybersecurity efforts, as 41% are already using generative AI for cybersecurity, and another 43% have plans to do so by mid-2025.

Other findings from the "2024 Deloitte-NASCIO Cybersecurity Study" include:

• 4 in 10 state CISOs feel their budget is insufficient.
• Almost half of respondents rank cybersecurity staffing as one of the top challenges.
• In the past two years, 23 states have hired new CISOs, as the median tenure of a state CISO has dropped to 23 months, down from 30 months in 2022.
• More state CISOs are taking on privacy protection duties — 86% are responsible for privacy protection, up from 60% two years ago.

For more information about CISO trends:

• “What’s important to CISOs in 2024” (PwC)
• “The CISO’s Tightrope: Balancing Security, Business, and Legal Risks in 2024” (The National CIO Review)
• “State of CISO Leadership: 2024” (SC World)
• “4 Trends That Will Define the CISO's Role in 2024” (SANS Institute)

Preventing data loss, complying with regulations, automating workflows and managing access are four key challenges facing financial institutions. Learn how Tenable can help.

Imagine a bustling bank, made not of bricks and mortar, but of a swirling mass of data in the cloud. Account numbers, transaction histories and personally identifiable information (PII) zip across servers, powering the financial world. Holding all this sensitive data requires tremendous care. Therefore, securing this sensitive information is paramount.

This is where Tenable Cloud Security steps in, offering a data security shield specifically designed for the unique needs of financial institutions.

The challenge: A data deluge demands vigilance

Financial institutions generate massive volumes of data daily. While the public cloud offers unparalleled capacity to store such data, along with agility and scalability, the cloud also expands the attack surface. Legacy cybersecurity solutions are often unable to manage — let alone secure — the sheer volume of data and the variety of ways it is accessed, leaving organizations exposed to malicious actors. At the same time, financial institutions must keep up with new and evolving compliance standards and regulations set forth by governing bodies. Financial institutions need a security platform that helps them protect their data and maintain compliance.

Tenable Cloud Security’s advantage: Seeing beyond the walls

Tenable Cloud Security actively scrutinizes every corner of the cloud data vault, continuously and automatically.

"Without [Tenable Cloud Security], we would've been virtually blind to risks and threats impacting our sensitive data. [Tenable Cloud Security] allows us to preempt any issues and meet the requirements we're receiving from our business partners, with minimal effort.

— VP Security at a leading Fintech platform

Here's how Tenable empowers financial institutions:

• Protecting sensitive data: Tenable doesn't just guard the door; it knows what's inside and how to best protect it. It identifies and labels all data, like financial records and social security numbers, understanding its sensitivity and prioritizing its protection.
• Continuous monitoring: Imagine guards constantly scanning every inch of the vault. Tenable does the same digitally, using advanced technology to constantly search for suspicious activity and potential breaches. Any unusual movement of the data, either exfiltration or copying to a different and inaccessible location, triggers an alarm, allowing for immediate intervention.
• Policy enforcement: Just like a vault needs clear access protocols, so does your data. Tenable automates setting and enforcing cybersecurity policies across the entire cloud, ensuring everyone plays by the book and no unauthorized hands touch the valuables.
• Following mandated regulations: Financial institutions juggle a complex set of regulations and industry standards like the Payment Card Industry Data Security Standard (PCI-DSS). Tenable simplifies compliance with a host of international regulations by providing timely reports and audit trails.

Beyond traditional security: More than just a lock

Modern technology stacks for data storage require a modern cybersecurity stack. Traditional security solutions are unable to address the unique risks associated with storing data in cloud technologies. Financial organizations that leverage Tenable’s data security platform are able to meet existing and future challenges, including:

• Preventing data loss: Early detection and prevention of unauthorized data access can help organizations minimize financial losses and reputational damage, keeping valuable assets safe from even the most cunning thieves.
• Complying with regulations: Automated reports and adherence to the most stringent regulations and industry standards ensure compliance, saving time and resources.
• Automating workflows: Tenable automates tasks and provides deeper insights into how data behaves, enabling organizations to free up their valuable resources for other endeavors and make their security teams more efficient.
• Managing access: Just like knowing who has access to the vault is crucial. Tenable tracks who and what has access to data, ensuring only authorized parties can handle the data.

The future of financial security is data-centric

Tenable Cloud Security's data-centric approach positions it as a valuable partner, not just for guarding the perimeter but for understanding the inner workings of the vault and the most sensitive data within it. By leveraging Tenable’s capabilities, financial institutions can confidently embrace the cloud while ensuring the highest level of security for their most valuable assets — their data.

To learn more about how you can secure your data

• Webinar: Know Your Exposure: Is Your Cloud Data Secure in the Age of AI?
• Data Sheet: Data Security in a Unified Cloud Security Solution
• Infographic: When CNAPP met DSPM
• Demo Video

CISA is warning about a spear-phishing campaign that spreads malicious RDP files. Plus, OWASP is offering guidance about deepfakes and AI security. Meanwhile, cybercriminals have amplified their use of malware for fake software-update attacks. And get the latest on CISA’s international plan, Interpol’s cyber crackdown and ransomware trends.

Dive into six things that are top of mind for the week ending Nov. 8.

1 - CISA: Beware of nasty spear-phishing campaign

Proactively restrict outbound remote-desktop protocol (RDP) connections. Block transmission of RDP files via email. Prevent RDP file execution.

Those are three security measures cyber teams should proactively take in response to an ongoing and “large scale” email spear-phishing campaign targeting victims with malicious RDP files, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

A foreign threat actor is carrying out the campaign. Several vertical sectors, including government and IT, are being targeted.

“Once access has been gained, the threat actor may pursue additional activity, such as deploying malicious code to achieve persistent access to the target’s network,” CISA’s alert reads.
 

Other CISA recommendations include:

• Adopt phishing-resistant multi-factor authentication (MFA), such as FIDO tokens, and try to avoid SMS-based MFA
• Educate users on how to spot suspicious emails
• Hunt for malicious activity in your network looking for indicators of compromise (IoCs) and tactics, techniques and procedures

Although CISA didn’t name the hacker group responsible for this campaign, its alert includes links to related articles from Microsoft and AWS that identify it as Midnight Blizzard. Also known as APT29, this group is affiliated with Russia’s government.

To get more details, check out the CISA alert “Foreign Threat Actor Conducting Large-Scale Spear-Phishing Campaign with RDP Attachments.”

For more information about securing RDP tools:

• “Commonly Exploited Protocols: Remote Desktop Protocol (RDP)” (Center for Internet Security)
• “What is remote desktop protocol (RDP)?” (TechTarget)
• “Wondering Whether RDP IS Secure? Here's a Guide to Remote Desktop Protocol” (AllBusiness)
• “Why remote desktop tools are facing an onslaught of cyber threats” (ITPro)
• “'Midnight Blizzard' Targets Networks With Signed RDP Files” (Dark Reading)

2 - OWASP issues AI security resources

How should your organization respond to deepfakes? What’s the right way of establishing a center of excellence for AI security in your organization? Where can you find a comprehensive guide of tools to secure generative AI applications?

These questions are addressed in a new set of resources for AI security from the Open Worldwide Application Security Project’s OWASP Top 10 for LLM Application Security Project. 

The new resources are meant to help organizations securely adopt, develop and deploy LLM and generative AI systems and applications “with a comprehensive strategy encompassing governance, collaboration and practical tools,” OWASP said in a statement.

These are the new resources:

• “The Guide for Preparing and Responding to Deepfake Events,” which unpacks four types of deepfake schemes – financial fraud, job interview fraud, social engineering and misinformation – and offers guidance about each one in these areas:
  • preparation
  • detection and analysis
  • containment eradication and recovery
  • post-incident activity
• “The LLM and GenAI Center of Excellence Guide,” which aims to help CISOs and fellow organization leaders create a center of excellence for generative AI security that facilitates collaboration among various teams, including security, legal, data science and operations, so they can develop:
  • Generative AI security policies
  • Risk assessment and management processes
  • Training and awareness
  • Research and development
• “The AI Security Solution Landscape Guide,” which offers security teams a comprehensive catalog of open source and commercial tools for securing LLMs and generative AI applications.

To get more details, read OWASP’s announcement “OWASP Dramatically Expands GenAI Security Guidance.”

For more information about protecting your organization against deepfakes:

• “How to prevent deepfakes in the era of generative AI” (TechTarget)
• “Deepfake scams escalate, hitting more than half of businesses” (Cybersecurity Dive)
• “The AI Threat: Deepfake or Deep Fake? Unraveling the True Security Risks” (SecurityWeek)
• “How deepfakes threaten biometric security controls” (TechTarget)
• “Deepfakes break through as business threat” (CSO)

3 - Fake update variants dominate list of top malware in Q3

Hackers are doubling down on fake software-update attacks.

That’s the main takeaway from the Center for Internet Security’s list of the 10 most prevalent malware used during the third quarter.

Malware variants used to carry out fake browser-update attacks took the top four spots on the list: SocGholish, LandUpdate808, ClearFake and ZPHP. Collectively, they accounted for 77% of the quarter’s malware infections. It's the first time LandUpdate808 and ClearFake appear on this quarterly list.

^{(Source: “Top 10 Malware Q3 2024”, Center for Internet Security, October 2024)}

In a fake software-update attack, a victim gets duped into installing a legitimate-looking update for, say, their preferred browser, that instead infects their computers with malware.

Here’s the full list, in descending order:

• SocGholish, a downloader distributed through malicious websites that tricks users into downloading it by offering fake software updates 
• LandUpdate808, a JavaScript downloader distributed through malicious websites via fake browser updates
• ClearFake, another JavaScript downloader used for fake browser-update attacks
• ZPHP, another JavaScript downloader used for fake software-update attacks
• Agent Tesla, a remote access trojan (RAT) that captures credentials, keystrokes and screenshots
• CoinMiner, a cryptocurrency miner that spreads using Windows Management Instrumentation (WMI)
• Arechclient2, also known as SectopRAT, is a .NET RAT whose capabilities include multiple stealth functions
• Mirai, a malware botnet that compromises IoT devices to launch DDoS attacks
• NanoCore, a RAT that spreads via malspam as a malicious Excel spreadsheet
• Lumma Stealer, an infostealer used to swipe personally identifiable information (PII), credentials, cookies and banking information

To get more information, the CIS blog “Top 10 Malware Q3 2024” offers details, context and indicators of compromise for each malware strain.

For details on fake update attacks:

• “Fake browser updates spread updated WarmCookie malware” (BleepingComputer)
• “Beware: Fake Browser Updates Deliver BitRAT and Lumma Stealer Malware” (The Hacker News)
• “Hackers Use Fake Browser Updates for AMOS Malware Attacks Targeting Mac Users” (MSSP Alert)
• “Malware crooks find an in with fake browser updates, in case real ones weren't bad enough” (The Register)
• “Fake Google Chrome errors trick you into running malicious PowerShell scripts” (BleepingComputer)

VIDEO

Fake Chrome Update Malware (The PC Security Channel)

4 - CISA’s first international plan unveiled

CISA has released its first-ever international plan, which outlines a strategy for boosting the agency’s collaboration with cybersecurity agencies from other countries.

Aligning cybersecurity efforts and goals with international partners is critical for tackling cyberthreats in the U.S. and abroad, according to the agency.

The three core pillars of CISA’s “2025 - 2026 International Strategic Plan” are:

• Help make more resilient other countries’ assets, systems and networks that impact U.S. critical infrastructure
• Boost the integrated cyber defenses of the U.S. and its international partners against their shared global cyberthreats
• Unify the coordination of international activities to strengthen cyberdefenses collectively

The plan will allow CISA to “reduce risk to the globally interconnected and interdependent cyber and physical infrastructure that Americans rely on every day,” CISA Director Jen Easterly said in a statement.

5 - Interpol hits phishers, ransomware gangs, info stealers

Interpol and its partners took down 22,000 malicious IP addresses and seized thousands of servers, laptops, and mobile phones used by cybercriminals to conduct phishing scams, deploy ransomware and steal information.

The four-month global operation, titled Synergia II and announced this week, involved law enforcement agencies and private-sector partners from 95 countries and netted 41 arrests.

“Together, we’ve not only dismantled malicious infrastructure but also prevented hundreds of thousands of potential victims from falling prey to cybercrime,” Neal Jetton, Director of Interpol’s Cybercrime Directorate, said in a statement.

In Hong Kong, more than 1,000 servers were taken offline, while authorities in Macau, China took another 291 servers offline. Meanwhile, in Estonia, authorities seized 80GB of server data, which is now being analyzed for links to phishing and banking malware.

For more information about global cybercrime trends:

• “AI-Powered Cybercrime Cartels on the Rise in Asia” (Dark Reading)
• “AI Now a Staple in Phishing Kits Sold to Hackers” (MSSP Alert)
• “The Business of Cybercrime Explodes” (BankDirector)
• “Nation state actors increasingly hide behind cybercriminal tactics and malware” (CSO)

6 - IST: Ransomware attacks surged in 2023

Ransomware gangs went into hyperdrive last year, increasing their attacks by 73% compared with 2022, according to the non-profit think tank Institute for Security and Technology (IST).

The IST attributes the sharp increase in attacks to a shift by ransomware groups to “big game hunting” – going after prominent, large organizations with deep pockets. 

“Available evidence suggests that government and industry actions taken in 2023 were not enough to significantly reduce the profitability of the ransomware model,” reads an IST blog.

Global Ransomware Incidents in 2023

Another takeaway: The ransomware-as-a-service (RaaS) model continued to prove extremely profitable in 2023, and it injected dynamism into the ransomware ecosystem. 

The RaaS model prompted ransomware groups “to shift allegiances, form new groups, or iterate existing variants,” the IST blog reads.

The industry sector that ransomware groups hit the hardest was construction, followed by hospitals and healthcare, and by IT services and consulting. Financial services and law offices rounded out the top five.

To learn more about ransomware trends:

• “Ransomware Is ‘More Brutal’ Than Ever in 2024” (Wired)
• “Ransomware on track for record profits, even as fewer victims pay” (SC Magazine)
• “How Can I Protect Against Ransomware?” (CISA)
• “How to prevent ransomware in 6 steps” (TechTarget)
• “Steps to Help Prevent & Limit the Impact of Ransomware” (Center for Internet Security)

To tie in with this month’s SoNYC birthday celebrations, we are hosting a collection of case

A twitter TeachIn about marine protected areas, hosted by @RJ_Dunlap on 4/8/2013

Selected responses categorized into 'helped', 'helped and harmed' and 'harmed'.

To tie in with this month’s SoNYC birthday celebrations, we are hosting a collection of case