Critical Vulnerability in Nginx UI Web Server Allows Attackers to Take Over
A vulnerability was discovered in March in Nginx UI, a web-based management interface for the Nginx web server.
The National Institute of Standards and Technology (NIST) has finalized four lightweight cryptographic algorithms designed to safeguard data generated and transmitted by the Internet of Things (IoT) and other small-scale technologies.
NIST finalized the standard after a multiyear public review process followed by extensive interaction with the design community.
As IoT and embedded devices are increasingly targeted by cybercriminals, the lightweight cryptography standard provides strong security without overburdening limited hardware, paving the way for safer adoption in critical sectors such as healthcare, transportation, and smart infrastructure.
Many connected devices, such as smart home systems, fitness trackers, and other IoT applications, lack the processing power and memory to run conventional encryption methods.
NIST’s new lightweight cryptography standard addresses this challenge by offering algorithms that require significantly less computing power and time, while still providing strong protection against cyberattacks.
The new framework, Ascon-Based Lightweight Cryptography Standards for Constrained Devices (NIST SP 800-232), provides tools for authenticated encryption and hashing while minimizing energy, time, and memory usage.
Selected in 2023 after a global review, the Ascon algorithm family forms the core of the standard. Originally developed in 2014 by researchers at Graz University of Technology, Infineon Technologies, and Radboud University, Ascon has already proven its resilience through the CAESAR competition, where it was recognized as a leading lightweight encryption solution.
Key Features of the Standard
The standard is the result of a multiyear public review and extensive collaboration with the cryptographic design community. Its adoption will help ensure that even resource-constrained devices can securely protect sensitive information.
As NIST emphasizes, “it’s the little things that matter most.” With this new standard in place, even the smallest of networked electronics now have robust defenses against cyber threats.
Four related algorithms are now ready for use to protect data created and transmitted by the Internet of Things and other electronics.
Many networked devices do not possess the electronic resources that larger computers do, but they still need protection from cyberattacks. NIST’s lightweight cryptography standard will help.
The four algorithms in the standard require less computing power and time than more conventional cryptographic methods do, making them useful for securing data from resource-constrained devices such as those making up the Internet of Things.
In the standard are four variants from the Ascon family that give designers different options for different use cases. The variants focus on two of the main tasks of lightweight cryptography: authenticated encryption with associated data (AEAD) and hashing.
Ascon-AEAD128 – Authenticated encryption with associated data: encrypts data and verifies its integrity, with a design intended to resist side-channel attacks.
Ascon-Hash256 – A lightweight hash function for integrity verification of firmware updates, passwords, and digital signatures.
Ascon-XOF128 / Ascon-CXOF128 – Extendable-output hash functions whose output length is chosen by the caller, balancing efficiency and collision resistance.
The CXOF variant also adds the ability to attach a customized “label” a few characters long to the hash. If many small devices perform the same encryption operation, there is a small but significant chance that two of them could output the same hash, which would offer attackers a clue about how to defeat the encryption. Adding customized labels would allow users to sidestep this potential problem.
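To make the CXOF label concrete, here is an added example in Python (not NIST's code or text): a compact Ascon permutation and a CXOF sponge that absorbs a customization string before the message, so two devices hashing the same firmware image under different labels get unrelated digests. The IV constant, the little-endian block loading and the 0x01 padding byte follow SP 800-232 as the author of this example reads it; treat them as assumptions and compare the output against NIST's published test vectors before relying on interoperability.

```python
MASK = (1 << 64) - 1
ROUND_CONSTANTS = [0xF0, 0xE1, 0xD2, 0xC3, 0xB4, 0xA5, 0x96, 0x87, 0x78, 0x69, 0x5A, 0x4B]
CXOF128_IV = 0x0000080000CC0004  # assumed Ascon-CXOF128 IV; verify against SP 800-232

def _rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK

def ascon_p(s, rounds=12):
    """Ascon permutation on five 64-bit words: round constant, bitsliced S-box, diffusion."""
    x0, x1, x2, x3, x4 = s
    for c in ROUND_CONSTANTS[12 - rounds:]:
        x2 ^= c
        x0 ^= x4; x4 ^= x3; x2 ^= x1
        t0, t1, t2, t3, t4 = ~x0 & x1, ~x1 & x2, ~x2 & x3, ~x3 & x4, ~x4 & x0
        x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0
        x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 = ~x2 & MASK
        x0 ^= _rotr(x0, 19) ^ _rotr(x0, 28)
        x1 ^= _rotr(x1, 61) ^ _rotr(x1, 39)
        x2 ^= _rotr(x2, 1) ^ _rotr(x2, 6)
        x3 ^= _rotr(x3, 10) ^ _rotr(x3, 17)
        x4 ^= _rotr(x4, 7) ^ _rotr(x4, 41)
    return [x0, x1, x2, x3, x4]

def _absorb(s, data):
    """Pad with 0x01 then zeros to a multiple of 8 bytes (always at least one byte), absorb 64-bit LE blocks."""
    padded = data + b"\x01" + b"\x00" * (7 - len(data) % 8)
    for i in range(0, len(padded), 8):
        s[0] ^= int.from_bytes(padded[i:i + 8], "little")
        s = ascon_p(s)
    return s

def ascon_cxof128(msg, out_len, label=b""):
    """Customized XOF: the label's bit length, then the label, are absorbed before the
    message, so the same message under different labels yields unrelated outputs."""
    assert len(label) <= 256, "customization string is limited to 2048 bits"
    s = ascon_p([CXOF128_IV, 0, 0, 0, 0])
    s[0] ^= 8 * len(label)               # Z0 block: bit length of the label
    s = _absorb(ascon_p(s), label)
    s = _absorb(s, msg)
    out = b""
    while len(out) < out_len:            # squeeze 8 bytes per permutation call
        out += s[0].to_bytes(8, "little")
        s = ascon_p(s)
    return out[:out_len]

def device_digests(data, device_ids):
    """Same input hashed under per-device labels: digests no longer coincide across devices."""
    return {d: ascon_cxof128(data, 32, d.encode()) for d in device_ids}
```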
McKay said the NIST team intends the standard not only to be of immediate use, but also to be expandable to meet future needs.
NIST researchers emphasize the standard’s immediate applicability across industries, from smart appliances to healthcare. Future updates may expand functionalities, including a dedicated message authentication code.
In India, regulatory bodies have issued frameworks such as TEC’s Code of Practice for Securing Consumer IoT Devices and the IoT System Certification Scheme to enforce baseline security.
These measures focus on secure boot, encrypted communications, and safe software updates for connected devices.
Sources: ‘Lightweight cryptography’ standard to protect small devices finalized
The National Institute of Standards and Technology (NIST) is proposing a new metric to determine the likelihood of any software or hardware vulnerability being exploited.
The new metric, “Likely Exploited Vulnerabilities” (LEV), aims to close a key gap in vulnerability management.
This new data point can help SecOps teams build an effective patch management strategy and address development flaws.
NIST is now asking the cybersecurity community to come forward and validate the method, because predicting which vulnerabilities will be exploited is important for the efficiency and cost-effectiveness of enterprise vulnerability remediation efforts.
Currently, such remediation efforts rely on the Exploit Prediction Scoring System (EPSS), which has known inaccurate values, and Known Exploited Vulnerability (KEV) lists, which may not be comprehensive.
The proposed likelihood metric may augment EPSS remediation (correcting some inaccuracies) and KEV lists (enabling measurements of comprehensiveness). However, collaboration with industry is necessary to obtain the required performance measurements.
Importance of Metric for Vulnerability Exploitation Probability
Remediating vulnerabilities is time-consuming and costly. According to the paper, most companies only manage to patch about 16% of the vulnerabilities affecting their systems each month.
Meanwhile, research shows that only about 5% of vulnerabilities are exploited in the wild.
Ideally, organizations would spend their limited resources patching that small but dangerous subset, but identifying it has proven difficult.
That’s where LEV comes in: by helping organizations prioritize vulnerabilities that are likely to have already been used in attacks, the metric could make patching efforts more targeted and effective.
In a recently published paper, Peter Mell (formerly of NIST) and Jonathan Spring of CISA presented a vulnerability exploitation metric that builds upon the existing Exploit Prediction Scoring System (EPSS) and CISA’s Known Exploited Vulnerabilities (KEV) catalog.
The researchers noted that studies show only about 5% of known vulnerabilities are exploited in the wild, while organizations typically remediate only 16% of vulnerabilities each month.
The researchers outline four key ways LEV could be used:
1. Estimate how many vulnerabilities have been exploited.
2. Check how complete KEV lists are.
3. Identify high-risk vulnerabilities missing from those lists.
4. Fix blind spots in EPSS, which sometimes underestimates risk for already-exploited bugs.
Mell and Spring’s new metric—called Likely Exploited Vulnerabilities (LEV) probabilities—aims to address the limitations of both EPSS and the KEV catalog. While EPSS provides 30-day exploitation probabilities, it has known inaccuracies, particularly underestimating risk for already-exploited vulnerabilities. KEV, on the other hand, is limited by its reliance on known exploit data and may not be comprehensive.
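An added illustration in Python (not from the paper or this article) of how a historical series of EPSS scores composes into an LEV probability, and how the four uses listed above follow from it: expected exploited count, KEV completeness ratio, high-LEV gaps in KEV, and a composite that keeps EPSS from underrating an already-exploited bug. The 30-day sampling, the partial-window weighting and the max-based composite are this author's reading of the Mell and Spring paper and should be treated as assumptions; the CVE ids and scores are constructed.

```python
from datetime import date, timedelta

WINDOW = 30  # an EPSS score is the probability of exploitation within the next 30 days

def lev(epss_by_date, d0, dn, window=WINDOW):
    """LEV probability for one CVE over [d0, dn]. epss_by_date maps publication
    dates to EPSS scores. Scores are sampled every `window` days from d0; a
    window running past dn counts only the fraction of its days before dn.
    Windows are treated as independent, so P(never exploited) is a product."""
    not_exploited, d = 1.0, d0
    while d <= dn:
        weight = min((dn - d).days, window) / window
        not_exploited *= 1.0 - epss_by_date.get(d, 0.0) * weight
        d += timedelta(days=window)
    return 1.0 - not_exploited

def composite(current_epss, lev_p, in_kev):
    """A KEV-listed CVE is known exploited; otherwise take the larger of
    today's EPSS score and the historical LEV estimate."""
    return 1.0 if in_kev else max(current_epss, lev_p)

def kev_coverage(lev_scores, kev, threshold=0.5):
    """Sum of LEV probabilities = expected number of exploited CVEs; the KEV
    count over that sum bounds KEV completeness. Also list CVEs at or above
    `threshold` that KEV does not carry (candidates for the catalog)."""
    expected = sum(lev_scores.values())
    listed = sum(1 for cve in lev_scores if cve in kev)
    gaps = sorted(c for c, p in lev_scores.items() if p >= threshold and c not in kev)
    return expected, (listed / expected if expected else 0.0), gaps

# Constructed sample (placeholder ids, not real CVEs): 30-day EPSS snapshots from
# 2024-01-01 to 2024-06-29. The first CVE spiked in spring and its EPSS score has
# since fallen back; the second stayed low throughout.
D0, DN = date(2024, 1, 1), date(2024, 7, 1)
SNAPSHOTS = [D0 + timedelta(days=WINDOW * i) for i in range(7)]
SAMPLE_EPSS = {
    "CVE-0000-0001": dict(zip(SNAPSHOTS, [0.05, 0.60, 0.70, 0.30, 0.10, 0.05, 0.02])),
    "CVE-0000-0002": dict(zip(SNAPSHOTS, [0.01] * 7)),
}
SAMPLE_KEV = set()  # constructed: neither CVE is listed

def lev_scores(sample=SAMPLE_EPSS, d0=D0, dn=DN):
    return {cve: lev(series, d0, dn) for cve, series in sample.items()}

if __name__ == "__main__":
    scores = lev_scores()
    for cve, p in scores.items():
        now = SAMPLE_EPSS[cve][SNAPSHOTS[-1]]   # latest snapshot stands in for today's EPSS
        print(f"{cve}: EPSS now {now:.2f}  LEV {p:.3f}  composite {composite(now, p, cve in SAMPLE_KEV):.3f}")
    print("expected exploited, KEV ratio, gaps:", kev_coverage(scores, SAMPLE_KEV))
```

For the spiking CVE the latest EPSS score is 0.02 while its LEV is about 0.93, which is the blind spot the fourth use above describes.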
LEV probabilities are designed to:
The researchers compared LEV and EPSS scores for specific vulnerabilities, showing significant differences.
For example:
The LEV analysis identified hundreds of vulnerabilities with probabilities near 1.0, yet many of these are not listed in current KEV catalogs. NIST is actively seeking collaboration with partners, since real-world validation is a must if LEV is to become a trusted tool rather than just a promising idea.
NIST is currently seeking industry partners with relevant datasets to empirically evaluate the effectiveness of LEV probabilities through real-world performance measurements.
Sources: https://www.helpnetsecurity.com/2025/05/26/nist-likely-exploited-vulnerabilities/#:~:text=LEV%20aims%20to%20bridge%20that,%2C%20not%20replace%2C%20existing%20methods.