Security Boulevard

As software applications are built and developed over the years, engineering teams continuously shift perspective on what features to prioritize or de-prioritize. A feature developed five years ago may have no significance today. However, features deemed low priority may still be kept operational for legacy, compatibility, or business requirement reasons. Praetorian discovered such a legacy […]

The post Tarbomb Denial of Service via Path Traversal appeared first on Praetorian.

The post Tarbomb Denial of Service via Path Traversal appeared first on Security Boulevard.

As Southern California continues to battle devastating wildfires, cybercriminals have seized the opportunity to exploit the chaos, targeting vulnerable individuals and organizations.

The post California Wildfires Spark Phishing Scams Exploiting Chaos appeared first on Security Boulevard.

Shopping for OT systems? A new CISA guide outlines OT cyber features to look for. Meanwhile, the U.S. government publishes a playbook for collecting AI vulnerability data. Plus, a White House EO highlights AI security goals. And get the latest on IoT security; secure app dev; and tougher HIPAA cyber rules.

Dive into six things that are top of mind for the week ending Jan. 17.

1 - How to choose cybersecure OT products

Is your organization evaluating operational technology (OT) products for purchase? If so, a new guide from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) aims to help OT operators choose OT products designed with strong cybersecurity features.

The publication, titled “Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products,” highlights 12 cybersecurity elements that OT products should have, including:

• Support for controlling and tracking modifications to configuration settings
• Logging of all actions using open-standard logging formats
• Rigorous testing for vulnerabilities and timely provision of free and easy-to-install patches and updates
• Strong authentication methods such as role-based access control and phishing-resistant multi-factor authentication to prevent unauthorized access
• Protection of the integrity and confidentiality of data at rest and in transit

According to CISA, many OT products aren’t designed and developed securely, so they ship with security issues such as weak authentication, known vulnerabilities and insecure default settings. 

In fact, the agency says it’s common for hackers to target handpicked OT products instead of going after specific organizations. Thus, it’s critical for organizations, especially those in critical infrastructure sectors, to pick OT products built securely by using CISA’s “Secure by Design” principles.

“When security is not prioritized nor incorporated directly into OT products, it is difficult and costly for owners and operators to defend their OT assets against compromise,” reads the guide, published in collaboration with other U.S. and international agencies.

For more information about OT systems cybersecurity, check out these Tenable resources: 

• “What is operational technology (OT)?” (guide)
• “Discover, Measure, and Minimize the Risk Posed by Your Interconnected IT/OT/IoT Environments” (on-demand webinar)
• “How To Secure All of Your Assets - IT, OT and IoT - With an Exposure Management Platform” (blog)
• “Blackbox to blueprint: The security leader’s guidebook to managing OT and IT risk” (white paper)
• “OT Security Master Class: Understanding the Key Principles, Challenges, and Solutions” (on-demand webinar)

2 - JCDC publishes playbook to collect AI security info 

A new playbook published by the U.S. government aims to facilitate the collective, voluntary sharing of information among AI providers, developers and users about AI vulnerabilities and cyber incidents.

The “AI Cybersecurity Collaboration Playbook” from CISA’s Joint Cyber Defense Collaborative (JCDC) details ways in which AI community members in government and in the private sector – both in the U.S. and abroad – can collaborate to help boost AI security for everybody.

“The development of this playbook is a major milestone in our efforts to secure AI systems through active collaboration,” CISA Director Jen Easterly said in a statement.

AI systems introduce unique cybersecurity challenges which make them vulnerable to attacks including model poisoning, data manipulation and malicious inputs. “These vulnerabilities, coupled with the rapid adoption of AI systems, demand comprehensive strategies and public-private partnership to address evolving risks,” the 33-page playbook reads.

By collecting, analyzing and enriching information on AI vulnerabilities and cyber incidents, CISA would be able to help the AI community in a variety of ways, including by:

• Sharing information to improve detection and prevention of AI threats
• Exposing attackers’ tactics and infrastructure
• Identifying and notifying victims
• Generating threat advisories and intelligence reports
• Offering tailored recommendations, vulnerability management strategies and cyber defense best practices

The playbook’s target audience is operational cybersecurity professionals, including incident responders and security analysts, and its goal is to help them collaborate and share information with CISA and JCDC about AI security.

In addition, CISA also envisions organizations adopting the document’s guidance internally “to enhance their own information-sharing practices, contributing to a unified approach to AI-related threats across critical infrastructure.”

For more information about industry efforts for collaborating on AI security:

• Cloud Security Alliance’s “AI Safety Initiative”
• MITRE’s “AI Incident Sharing initiative”
• Open Worldwide Application Security Project’s “AI Exchange”
• U.S. government’s “Testing Risks of AI for National Security (TRAINS) Taskforce”

3 - New White House cybersecurity EO includes AI requirements

The Biden Administration issued a sweeping cybersecurity executive order (EO) this week aimed at boosting U.S. cyberdefenses, and AI security is one area that it says must be strengthened.

The “Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity” calls for promoting security “with and in” AI, saying it can speed up the identification of new vulnerabilities, scale up threat detection and automate cyberdefenses.

“The Federal Government must accelerate the development and deployment of AI, explore ways to improve the cybersecurity of critical infrastructure using AI, and accelerate research at the intersection of AI and cybersecurity,” the executive order reads.

Among the executive order’s requirements for AI are:

• Launching a pilot program on using AI to improve cyberdefense of critical infrastructure in the energy sector. The Secretaries of Energy, Defense and Homeland Security would be in charge of the program, in collaboration with private-sector critical infrastructure organizations. The program may include:
  • vulnerability detection
  • automatic patch management
  • identification and categorization of anomalous and malicious activity across IT or OT systems
• The Secretary of Defense must establish a program to use advanced AI models for cyberdefense.
• The Secretaries of Commerce, Energy and Homeland Security, and the National Science Foundation Director, must prioritize funding for their respective programs that encourage the development of “large-scale, labeled datasets needed to make progress on cyber defense research.”
• The Secretaries of Defense and Homeland Security, and the Director of National Intelligence must incorporate management of AI software vulnerabilities and compromises into their agencies’ process and “and interagency coordination mechanisms for vulnerability management.” These efforts should include incident tracking, response, reporting and sharing AI systems’ indicators of compromise.

These AI-related actions all must be completed at various dates during 2025.

The executive order covers multiple other areas. To get all the details and expert analysis, read our blog “New Cybersecurity Executive Order: What It Means for Federal Agencies” from Robert Huber, Tenable’s Chief Security Officer, Head of Research and President of Tenable Public Sector.

4 - CISA publishes secure software development best practices

Software makers interested in improving the security of their development process and of their products have fresh guidance to peruse.

As part of its “Secure by Design” program, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published cybersecurity recommendations for protecting organizations’ software development lifecycle.

The best practices are organized into two categories — Software development process goals; and Product design goals — and include:

• Software development process goals:
  • Address vulnerabilities before releasing the software product, and publish a vulnerability disclosure policy.
  • Separate all software development environments, including development, build and test, to reduce the lateral movement risk.
  • Enforce multi-factor authentication across all software development environments.
  • Securely store and transmit credentials.
• Product design goals
  • Reduce entire classes of preventable vulnerabilities, such as SQL injection vulnerabilities, memory safety vulnerabilities and cross-site scripting vulnerabilities.
  • Provide timely security patches to customers.
  • Don’t use default password in your products.
  • Let users know when your products are nearing end-of-life status and you will no longer provide security patches for them.

The recommendations “will help to protect the sector from cyber incidents, identify and address vulnerabilities prior to product release, improve incident response, and significantly improve software security,” reads a CISA statement.

To get more details, read the full “Information Technology (IT) Sector-Specific Goals (SSGs)” fact sheet.

For more information about secure software development:

• “CISA Tells Tech Vendors To Squash Command Injection Bugs, as OpenSSF Calls on Developers To Boost Security Skills” (Tenable)
• “Secure Development” (Software Engineering Institute, Carnegie Mellon Univ.)
• “Secure Software Development Framework” (NIST)
• “Secure development and deployment guidance” (UK NCSC)
• “OWASP Developer Guide” (Open Worldwide Application Security Project )

5 - U.S. gov’t launches security label for IoT products

To encourage the development of safer internet of things (IoT) devices for consumers, the U.S. government has introduced a new label for IoT products that meet National Institute of Standards and Technology (NIST) cybersecurity standards.

Called the U.S. Cyber Trust Mark, the label will also help U.S. consumers know which IoT products are more secure, as they shop for internet-connected ware, such as baby monitors, security cameras, refrigerators, garage door openers and thermostats.

“These devices are part of Americans’ daily lives. But Americans are worried about the rise of criminals remotely hacking into home security systems to unlock doors, or malicious attackers tapping into insecure home cameras to illicitly record conversations,” reads a White House statement.

IoT manufacturers will soon be able to seek the U.S. Cyber Trust Mark label by submitting their IoT products to accredited labs for testing. Tests will cover areas including password authentication, data protection, software updates and incident detection. 

IoT products that earn the label will also have a QR code that’ll link consumers to information such as:

• How to change default passwords
• How to configure the device securely
• How to access software updates and patches if they’re not delivered automatically
• The end date of the product’s support period

Participation in the U.S. Cyber Trust Mark program is voluntary for IoT manufacturers. IoT devices excluded from the program include motor vehicles, medical devices, and products used for manufacturing, industrial control and enterprise applications.

To get more details, visit the U.S. Cyber Trust Mark home page.

For more information about securing consumer IoT devices, check out resources from the IoT Security Foundation; the European Telecommunications Standards Institute; TechAccord; Internet Society; the U.K. National Cyber Security Centre; and the International Organization for Standardization (ISO). 

6 - U.S. gov’t seeks tougher cybersecurity rules for health providers

Doctors, hospitals, health insurers and other healthcare organizations may face stricter cybersecurity regulations in the U.S.

That’s because the U.S. government is seeking to tighten the cybersecurity requirements in the Health Insurance Portability and Accountability Act (HIPAA).

The new cybersecurity rules proposed by the Department of Health and Human Services (HHS) include:

• Develop and revise on an ongoing basis a technology asset inventory and a network map that illustrates the movement of electronic protected health information (ePHI) throughout the organization’s electronic information systems.
• Make risk analysis more specific by submitting written assessments that include:
  • A review of the technology asset inventory and network map
  • Reasonably anticipated threats to ePHI’s confidentiality, availability and integrity
  • Potential vulnerabilities to the organization’s electronic information systems
  • A risk-level assessment of identified threats and vulnerabilities
• Strengthen contingency planning and security incident response with steps including:
  • Draft written plans to restore certain electronic information systems and data within 72 hours.
  • Prioritize restoration by analyzing criticality of systems and tech assets.
  • Outline in writing how employees and the organization will respond to known or suspected security incidents.
• Conduct an audit at least once per year to ensure the organization’s compliance with HIPAA’s cybersecurity rules.
• With limited exceptions, encrypt ePHI at rest and in transit and require the use of multi-factor authentication.
• Conduct vulnerability scanning at least every six months, and penetration testing at least once a year.

For more details about HHS’ new proposed HIPAA cybersecurity rules and to submit public comments about them, go to the Federal Register’s “HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information” page. The comment period ends on March 7, 2025.

The post Cybersecurity Snapshot: CISA Lists Security Features OT Products Should Have and Publishes AI Collaboration Playbook appeared first on Security Boulevard.

The dark web is a thriving underground market where stolen data and corporate vulnerabilities are openly traded. This hidden economy poses a direct and growing threat to businesses worldwide. Recent breaches highlight the danger.  

The post How Much of Your Business is Exposed on the Dark Web?  appeared first on Security Boulevard.

While cloud adoption continues to drive digital transformation, the shift to the cloud introduces critical security challenges that organizations must address.

The post Security Concerns Complicate Multi-Cloud Adoption Strategies appeared first on Security Boulevard.

Most consumers are still unaware of their own role in cybersecurity incidents and continue to place primary blame on external bad actors.

The post Cybersecurity Breaches Degrade Consumer Trust, but Apathy Rises appeared first on Security Boulevard.

Dear blog readers,

In this post I'll provide some actionable
intelligence on the current state of active BitCoin Exchanges landscape
with the idea to assist everyone on their way to properly attribute a
fraudulent or malicious transaction or to dig a little bit deeper inside
the infrastructure and financial infrastructure behind these BitCoin Exchanges.

Sample BitCoin Exchanges URLs:

hxxp://bisq.network
hxxp://blockdx.net
hxxp://boltz.exchange
hxxp://changenow.io
hxxp://coinswap.click
hxxp://crp.is
hxxp://exch.cx
hxxp://exchanger.infinity.taxi
hxxp://exolix.com
hxxp://fixedfloat.com
hxxp://godex.io
hxxp://hodlhodl.com
hxxp://letsexchange.io
hxxp://localmonero.co
hxxp://majesticbank.at
hxxp://mandala.exchange
hxxp://peachbitcoin.com
hxxp://sideshift.ai
hxxp://stealthex.io
hxxp://tradeogre.com
hxxp://unstoppableswap.net
hxxp://vexl.it
hxxp://bitswitch.io
hxxp://wizardswap.io
hxxp://xchange.me

Sample known responding IPs:

172.67.172.108
91.195.240.19
51.68.37.66
188.165.1.80
104.21.80.1
104.21.64.1
36.86.63.182
172.67.69.184
188.114.99.236
188.114.96.18
185.178.208.163
3.24.66.78
188.114.98.229
104.26.7.14
188.114.99.229
103.154.123.132
172.67.68.152
188.114.98.224
182.23.79.195
203.119.13.75
203.119.13.76
186.2.163.71
91.215.41.54
176.9.158.211
188.114.98.128
146.112.61.107
188.114.99.192
162.241.216.218
128.242.250.148
208.101.21.43
202.160.130.52
202.160.128.210
146.112.61.106
89.41.182.24
89.41.182.99
193.168.141.179
193.168.141.55
72.52.178.23
13.248.148.254
104.21.58.171
206.189.58.26
167.99.246.105
54.66.176.79
157.245.84.7
188.114.97.4
188.114.96.4
188.114.97.12
95.214.53.250
159.89.122.145
104.21.60.147
172.67.197.200
172.64.86.149
15.235.75.245
104.18.45.100
188.114.97.1
104.31.82.18
192.29.39.98
107.154.236.60
107.154.141.60
172.67.70.100
192.29.39.48
65.8.227.25
13.225.229.65
18.160.144.91
13.35.245.111
13.249.64.117
172.217.12.179
172.217.16.179
198.18.1.141
34.196.254.27
92.242.140.6
185.66.143.187
188.114.96.6
188.114.97.10
188.114.96.14
104.31.83.21
104.21.34.110
188.114.97.14
192.186.250.199
188.114.97.11
18.102.16.191
13.50.141.112
176.9.29.194
104.26.1.187
34.234.52.18
65.0.79.182
173.236.182.137
104.244.46.93
198.18.1.164
108.160.165.211
52.25.92.0
86.35.3.193
50.63.202.31
104.21.112.1
184.168.221.26
50.63.202.19
172.67.134.215
255.255.255.255
23.217.138.108
149.202.88.23
184.168.221.42
45.60.153.115
15.165.119.196
188.114.96.0
15.164.135.176
18.173.233.64
104.26.13.101
188.114.97.20
108.160.170.41
104.21.81.250
188.114.97.6
188.114.97.3
104.21.32.1
172.67.128.64
104.26.7.183
184.168.221.44
172.64.80.1
23.202.231.167

The post A Peek Inside the Current State of BitCoin Exchanges appeared first on Security Boulevard.

Dear blog readers,

In this post I'll provide some actionable intelligence on the current state of active BitCoin Mixers landscape with the idea to assist everyone on their way to properly attribute a fraudulent or malicious transaction or to dig a little bit deeper inside the infrastructure and financial infrastructure behind these BitCoin Mixers.

Sample known BitCoin Mixer URLs:

hxxp://anonymixer.com
hxxp://bitmixer.online
hxxp://chipmixer.com
hxxp://coinomize.biz
hxxp://coinomize.co
hxxp://coinomize.is
hxxp://cryptomixer.io
hxxp://gingerwallet.io
hxxp://jambler.io
hxxp://jokermix.to
hxxp://medusamixer.io
hxxp://blindmixer.com
hxxp://mixer.money
hxxp://mixerdream.com
hxxp://mixero.io
hxxp://mixtum.io
hxxp://mixtura.money
hxxp://mixy.money
hxxp://puremixer.io
hxxp://sparrowwallet.com
hxxp://swamplizard.io
hxxp://tengricrypto.com
hxxp://thormixer.io
hxxp://unijoin.io
hxxp://webmixer.io
hxxp://whir.to

Sample known responding IPs:
104.21.14.15
172.67.133.191
136.228.192.103
172.64.101.28
172.64.98.33
104.21.36.129
172.67.158.129
188.114.97.3
188.114.97.1
172.67.142.24
185.205.69.10
135.181.110.78
93.95.231.89
34.102.136.180
172.67.188.123
104.26.3.240
198.177.120.27
104.21.58.174
188.114.99.229
188.114.98.224
104.21.79.112
34.102.155.139
216.246.46.117
172.67.170.136
172.67.172.23
108.167.189.28
162.241.61.115
108.167.189.61
192.185.4.130
188.114.97.0
172.67.180.202
188.114.96.4
104.21.34.115
172.67.160.123
46.101.27.21
108.160.143.236
188.114.96.3
172.67.170.175
104.21.63.126
65.109.166.143
103.224.212.100
93.95.231.80
199.59.243.226
37.120.206.181
172.64.174.24
152.89.162.34
188.114.96.0
46.17.96.4
103.224.212.210
186.2.163.238
101.99.91.215
172.67.154.113
104.21.69.169
185.178.208.78
172.67.210.143
 

188.114.98.229
188.114.97.4
188.114.96.14
172.67.158.73
188.114.97.2
172.67.70.29
188.114.97.14
104.26.5.134
186.2.163.228
23.202.231.167
104.21.96.1
198.54.117.210
188.114.97.22
198.54.117.200
188.114.97.7
149.28.138.23
45.180.20.12
185.86.149.239
218.93.250.18
185.178.208.139
172.67.191.198
188.114.99.224
104.21.43.207
46.28.207.19
104.26.3.196
13.248.151.237
104.21.36.95
172.64.80.1
36.86.63.182
172.64.165.7
23.217.138.112
 

185.178.208.159
172.67.206.39
104.21.16.160
172.67.154.213
104.21.6.88
5.61.48.183
172.67.154.211
104.239.213.7
45.76.91.219
46.101.124.25
23.195.69.112
104.21.6.90
164.92.229.238

Stay tuned.

The post A Peek Inside the Current State of BitCoin Mixers appeared first on Security Boulevard.

We are excited to announce a significant Salt Security API Protection Platform upgrade. We have recently introduced a new detection feature targeting a prevalent yet often neglected vulnerability: open redirect attacks. This issue is so severe that it is highlighted in the OWASP Top 10 API Security Risks!

What Makes Open Redirects So Dangerous?

Consider this: you receive a link in an email that appears to be from your bank. Instead of reaching your account page, you are led to a convincing fraudulent site designed to steal your login information. This is the deceptive nature of an open redirect attack.

Such attacks occur when an application uncritically accepts user-provided URLs and redirects users based on this unreliable input. Attackers take advantage of this by inserting harmful URLs, which can result in:

• Phishing attacks: Users are diverted to fake websites that resemble legitimate ones, tricking them into revealing sensitive information.
• Malware distribution: Users are sent to sites that host malware, endangering their devices and potentially the entire network.
• Data theft: Attackers can create URLs that extract sensitive information from the application during the redirect process.

Open redirects often serve as an initial step in a more extensive attack sequence. Think of the redirect as a way for attackers to gain initial access, leading to more harmful activities.

Why Are They So Common?

Although it seems straightforward to avoid, open redirects are alarmingly widespread. Developers frequently find it challenging to validate every URL that comes from user input. This task is tedious; updating validation as the application changes can be a significant burden.

This vulnerability is so common that it features in the OWASP API Top 10 2023 under API10:2023 Unsafe Consumption of APIs, underscoring its importance in the realm of API security. The category spotlights the risks associated with integrating with external APIs that may have poor security, potentially exposing your application by association. Open redirects directly fall into this category, as they exploit trust relationships between applications.

Salt Security Shuts Down the Threat

With our upcoming detection capability, Salt Security is elevating standards for API protection. Our platform employs advanced AI and machine learning to examine URL patterns and detect suspicious redirection attempts. This allows us to:

• Identify open redirect attacks in real-time: Stopping malicious redirects before they can affect your users or business.
• Provide comprehensive insights into attack attempts: Equipping your security team with essential information to understand the attack and respond appropriately.
• Mitigate your overall risk: We help you secure your APIs and protect sensitive data by neutralizing this frequent attack vector.

A Competitive Edge in API Security

We are confident that this new detection feature distinguishes us in the market. Many security solutions fail to address open redirects with the same level of precision and sophistication. By directly confronting this often-ignored vulnerability, Salt Security delivers a truly holistic API security solution.

You can use this new detection and all our other detection capabilities that make our intent engine industry-leading. This is just one more instance of how Salt Security continually innovates to remain ahead of the curve and ensure that our customers receive the best API protection possible.

If you want to learn more about Salt and how we can help you on your API Security journey through discovery, posture governance, and run-time threat protection, please contact us, schedule a demo, or check out our website.

The post Open Redirect? Game Over! Salt Security Neutralizes a Sneaky API Attack Vector appeared first on Security Boulevard.

3 min readWhen a single API key compromise spiraled into a broader attack, it exposed how overlooked non-human identities can become gateways for escalating threats.

The post BeyondTrust Breach Exposes API Key Abuse Risks appeared first on Aembit.

The post BeyondTrust Breach Exposes API Key Abuse Risks appeared first on Security Boulevard.

Textual's Pipeline workflow preps your data for AI, Structural's sensitivity scan is now customizable, and Ephemeral can be deployed on Azure or Google Cloud!

The post Tonic.ai product updates: July 2024 appeared first on Security Boulevard.

SQL Server support on Tonic Ephemeral, Db2 LUW on Tonic Structural, LLM synthesis in Tonic Textual, and expanded LLM access in Tonic Validate! Learn more about all the latest releases from Tonic.ai.

The post Tonic.ai product updates: April 2024 appeared first on Security Boulevard.

Tonic is now Tonic Structural and can output directly to Tonic Ephemeral, subsetting arrives for Snowflake, + Tonic Cloud is HIPAA certified!

The post Tonic.ai product updates: March 2024 appeared first on Security Boulevard.

Author/Presenter: Josh Pyorre

Our sincere appreciation to DEF CON, and the Authors/Presenters for publishing their erudite DEF CON 32 content. Originating from the conference’s events located at the Las Vegas Convention Center; and via the organizations YouTube channel.

Permalink

The post DEF CON 32 – Signature-Based Detection Using Network Timing appeared first on Security Boulevard.

via the comic humor & dry wit of Randall Munroe, creator of XKCD

Permalink

The post Randall Munroe’s XKCD ‘Radon’ appeared first on Security Boulevard.

Get details on this new cybersecurity Executive Order and its implications. 

The post White House Executive Order: Strengthening and Promoting Innovation in the Nation’s Cybersecurity appeared first on Security Boulevard.

Discover why relying on on premise software hinders innovation and explore how shifting employee behavior is driving modern SaaS adoption and usage trends.

The post Debunking the “On Premise Software” Myth | Grip Security appeared first on Security Boulevard.

We are thrilled to announce that Veriti has been mentioned in the 2025 Gartner Emerging Tech: Tech Innovators in Preemptive Cybersecurity as a Tech Innovator in the Preemptive Cybersecurity category. We hold the view that this mention underscores our role as a leader in enabling organizations to proactively address security exposures and reduce risk in […]

The post Veriti mentioned as a Tech Innovator in the 2025 Gartner® Emerging Tech: Tech Innovators in Preemptive Cybersecurity Report in the Preemptive Cybersecuirty Category.  appeared first on VERITI.

The post Veriti mentioned as a Tech Innovator in the 2025 Gartner® Emerging Tech: Tech Innovators in Preemptive Cybersecurity Report in the Preemptive Cybersecuirty Category.  appeared first on Security Boulevard.

Simplifying Compliance in the Complex U.S. FinServ Regulatory Landscape
andrew.gertz@t…
Thu, 01/16/2025 - 16:30

Compliance

Thales | Cloud Protection & Licensing Solutions
More About This Author >

If you work in compliance for a financial services organization, chances are you have been focused on the March 31st deadline for the implementation of the Payment Card Industry Data Security Standard version (PCI DSS 4.0). However, as important as PCI may be, United States financial services organizations operate in one of the world’s most stringent and complex compliance landscapes. Financial institutions must navigate a maze of requirements on the road to compliance and it is important to understand how to simplify and streamline compliance efforts across multiple regulations to achieve a faster time to compliance.

Understanding the US FinServ Compliance Landscape

The US financial services industry is subject to a vast number of laws and regulations. Some of the most important are Gramm-Leach-Bliley Act (GLBA), the National Association of Insurance Commissioners (NAIC) Data Security Model Law, the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, and the National Credit Union Administration (NCUA) cybersecurity guidance. Here is a quick summary of the most relevant regulations:

Gramm-Leach-Bliley Act (GLBA)

The GLBA mandates that a broad range of financial institutions based or operating in the United States, from banks and brokerage firms to payday and tax preparers, protect consumers’ personal financial information. It emphasizes the need for encryption, data governance, and secure information-sharing practices to prevent and mitigate cyber threats.

The most important components of the GBLA include the Federal Trade Commission (FTC) Safeguards Rule, which requires the development of a written information security plan, and the Financial Privacy Rule, which governs how financial data is collected and shared.

Compliance with the GBLA requires prioritizing data encryption and robust access controls to protect sensitive consumer information throughout its lifecycle.

NAIC Data Security Model Law

Designed to secure non-public information (NPI) within the insurance industry, the NAIC Data Security Model Law’s requirements closely resemble the GLBA requirements. It includes expectations for implementing comprehensive security programs, including risk assessments, incident response plans, periodic reporting, and controls like governance frameworks and application security protocols.

The NAIC, which applies to all insurance providers in the United States, is a perfect example of the value a unified approach to compliance can provide because its requirements overlap significantly with broader, well-established cybersecurity best practices, such as those found in the NIST Cybersecurity Framework.

NYDFS Cybersecurity Regulation

The NYDFS Cybersecurity Regulation (23 NYCRR 500) is arduous. While it is a state regulation, because it applies to any financial organization that operates in the state of New York, it ends up applying to most organizations in the United States. The regulation is incredibly stringent and sets an unusually—albeit necessarily—high bar for cybersecurity practices. More than any other FinServ regulation, it includes unique components, such as the requirement for a Chief Information Security Officer (CISO) and an annual compliance certification.

That said, many of the requirements – establishing a risk-based cybersecurity program, maintaining secure access controls, and conducting regular penetration testing, for example – are either strongly recommended or mandated by the other regulations. Moreover, other compliance requirements included in the NYFDS, such as encryption, cloud security, and governance, are ubiquitous across US FinServ frameworks.

National Credit Union Administration (NCUA) Guidance

The NCUA guidance applies to credit unions and focuses heavily on data protection, vendor risk management, and incident response planning. Like other regulations, the NCUA calls for encryption to safeguard member data, governance policies to ensure accountability, and application security measures to protect against cyber threats. Access to resources can be a genuine concern for credit unions. As such, implementing a simplified, consolidated compliance strategy that addresses multiple frameworks at once is especially important.

Bringing it All Together

Now that you have a broad understanding of the US financial services regulatory landscape, you might notice that many of these regulations have significant overlaps. Every single one of the US financial services regulations mandates that organizations implement:

• Risk Assessment: Identifying data and systems at risk.
• Encryption: Protecting data at rest and in transit.
• Governance: Establishing accountability and enforcing policies.
• Cloud Security: Securing cloud environments against vulnerabilities.
• Access Control: Limiting access based on roles and responsibilities.
• Multi-Factor Authentication: Asserting the identity of people or systems.
• Application Security: Ensuring software is resilient to cyber threats.

Therefore, most requirements can be addressed with the same core technologies, without the need to duplicate efforts and dramatically reducing the time, effort, and resources necessary to achieve compliance. Differences between regulations can be addressed on a case-by-case basis.

Thales: Forging a Simplified Path to Compliance

As a leader in data security and cloud protection, Thales offers a comprehensive suite of solutions tailored to address financial institutions’ unique challenges. Partnering with Thales will help address the vast majority of requirements included in PCI DSS 4.0, GLBA, NAIC, NYDFS, and NCUA regulations – including risk assessment, encryption, governance, cloud security, access controls, and application security – and simplify the path to compliance so you can focus on the essentials: innovation, growth, and offering the best possible service to your customers.

I hope you will take the opportunity to review our new eBook to learn more about how Thales helps Financial Institutions operating in the United States to meet compliance requirements. It contains a detailed mapping of our cyber security capabilities to specific regulation requirements in the United States.

Schema {
"@context": "https://schema.org",
"@type": "BlogPosting",
"headline": "Simplifying Compliance in the Complex U.S. FinServ Regulatory Landscape",
"description": "Explore how financial institutions can navigate stringent U.S. FinServ regulations with simplified compliance strategies. Learn how Thales supports compliance with PCI DSS 4.0, GLBA, NAIC, NYDFS, and NCUA.",
"url": "https://cpl.thalesgroup.com/blog/data-security/simplifying-compliance-us-finserv-regulations",
"datePublished": "2025-01-16",
"author": {
"@type": "Person",
"name": "Tom Fusco",
"url": "https://www.linkedin.com/in/thomas-j-fusco-jr-68192b1/"
},
"publisher": {
"@type": "Organization",
"name": "Thales Group",
"description": "The world relies on Thales to protect and secure access to your most sensitive data and software wherever it is created, shared, or stored. Whether building an encryption strategy, licensing software, providing trusted access to the cloud, or meeting compliance mandates, you can rely on Thales to secure your digital transformation.",
"url": "https://cpl.thalesgroup.com",
"logo": "https://cpl.thalesgroup.com/sites/default/files/content/footer/thaleslogo-white.png",
"sameAs": [
"https://www.facebook.com/ThalesCloudSec",
"https://www.twitter.com/ThalesCloudSec",
"https://www.linkedin.com/company/thalescloudsec",
"https://www.youtube.com/ThalesCloudSec"
]
}
} studio THALES BLOG Simplifying Compliance in the Complex U.S. FinServ Regulatory Landscape

January 16, 2025

The post Simplifying Compliance in the Complex U.S. FinServ Regulatory Landscape appeared first on Security Boulevard.

Learn how one of Europe's largest healthcare tech leaders transformed their Secrets Security with GitGuardian, cutting incidents by half without compromising developer productivity.

The post How a Large Healthcare Company Slashed Their Secrets Incidents by Half appeared first on Security Boulevard.