Check out expert recommendations for protecting your AI system data. Plus, boost your IT department’s cybersecurity skills with a new interactive framework. In addition, learn about a malware campaign targeting critical infrastructure orgs. And get the latest on Russian cyber espionage and on a NIST effort to enhance vulnerability prioritization.

Dive into five things that are top of mind for the week ending May 23.

1 - Cyber agencies offer AI data security best practices

With organizations gleefully deploying artificial intelligence (AI) tools to enhance their operations, cybersecurity teams face the critical task of securing AI data.

If your organization is looking for guidance on how to protect the data used in AI systems, check out new best practices released this week by cyber agencies from Australia, New Zealand, the U.K. and the U.S.

“This guidance is intended primarily for organizations using AI systems in their operations, with a focus on protecting sensitive, proprietary or mission-critical data,” reads the document titled “AI Data Security: Best Practices for Securing Data Used to Train & Operate AI Systems.”

“The principles outlined in this information sheet provide a robust foundation for securing AI data and ensuring the reliability and accuracy of AI-driven outcomes,” it adds.
 

By drafting this guidance, the authoring agencies seek to accomplish three goals:

• Create awareness about data security risks involved in developing, testing and deploying AI systems.
• Offer best practices for securing data throughout the AI lifecycle.
• Promote the adoption of strong data-security techniques and of risk-mitigation strategies.

Here’s a small sampling of recommended best practices in the 22-page document:

• Use trusted, reliable data source for training your AI models and adopt provenance-tracking to trace the training-data origins.
• Employ checksums and cryptographic hashes to maintain the AI data’s integrity during storage and transmission.
• Adopt digital signatures to prevent unauthorized third-parties from tampering with the AI data.

For more information about AI data security, check out these Tenable resources:

• “Harden Your Cloud Security Posture by Protecting Your Cloud Data and AI Resources” (blog)
• “Tenable Cloud AI Risk Report 2025” (report)
• “Who's Afraid of AI Risk in Cloud Environments?” (blog)
• “Tenable Cloud AI Risk Report 2025: Helping You Build More Secure AI Models in the Cloud” (on-demand webinar)
• “Securing the AI Attack Surface: Separating the Unknown from the Well Understood” (blog)

2 - Framework maps cyber skills across 14 IT roles

Security skills must extend beyond an organization’s cyber team and across your IT department – but how?

It’s a question that the Linux Foundation and the Open Source Security Foundation have tried to answer with a new reference framework that maps required cyber skills across 14 IT department roles.

The new “Cybersecurity Skills Framework,” available via an interactive web interface, is meant to be a “starting point” for organizations to then adjust the framework’s guidance based on their specific needs and requirements.

“The framework provides leaders with an easy way to understand the cybersecurity skills needed, quickly identify knowledge gaps, and incorporate critical skills into all of their IT roles,” the Linux Foundation and OpenSSF said in a statement.
 

“By establishing a shared language for cybersecurity readiness, the framework prepares everyone who touches a system to take responsibility for security, not just the cybersecurity specialists,” the organizations added.

The required cyber skills are organized into three categories for each IT role: basic, intermediate and advanced. For example, for a web developer the framework lists nine basic cybersecurity skills, seven intermediate ones and five advanced ones. 

Cybersecurity skills for a web developer include:

• Basic: Adopt input validation and injection prevention techniques to prevent vulnerabilities like cross-site scripting and SQL injection.
• Intermediate: Implementing scanning and testing throughout the development lifecycle.
• Advanced: Deepen advanced cryptographic techniques such as digital signatures and hashing algorithms.

For more information about cybersecurity skills enterprises need today:

• “5 Essential Cybersecurity Skills Every IT Professional Should Master” (Ascend Education)
• “5 Cybersecurity Skills Every IT Professional Should Master” (WebAsha Technologies)
• “The Most In-Demand Cybersecurity Skills” (Dice)
• “10 must-have cybersecurity skills for career success in 2025” (TechTarget)
• “Why Cybersecurity Skills Are Essential for Entry-Level Tech Roles in 2025” (EC-Council)

3 - Alert: LummaC2 malware used against critical infrastructure

Cyber attackers are deploying the LummaC2 malware in an attempt to breach the networks of U.S. critical infrastructure organizations and steal sensitive data.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued the warning this week in a joint advisory that outlines attackers’ TTPs and indicators of compromise, along with recommended mitigations.

“LummaC2 malware is able to infiltrate victim computer networks and exfiltrate sensitive information, threatening vulnerable individuals’ and organizations’ computer networks across multiple U.S. critical infrastructure sectors,” the advisory reads.
 

Cyber attackers use spearphishing methods to trick victims into downloading legit-looking apps that contain the LummaC2 malware, which has been available in cybercriminal forums since 2022. The malware’s obfuscation methods allow it to bypass standard cyber controls.

“Once a victim’s computer system is infected, the malware can exfiltrate sensitive user information, including personally identifiable information, financial credentials, cryptocurrency wallets, browser extensions, and multifactor authentication (MFA) details without immediate detection,” the advisory reads.

Mitigation recommendations include:

• Monitor and detect anomalous behavior, such as API calls that try to retrieve system information.
• Implement application controls, such as allowlisting remote access programs.
• Adopt phishing-resistant multi-factor authentication.
• Collect logs to regularly review registry changes and access logs that may signal a LummaC2 malware infection.
• Regularly update and patch software to remediate critical vulnerabilities.

For more information about OT systems cybersecurity, check out these Tenable resources: 

• “What is operational technology (OT)?” (guide)
• “Discover, Measure, and Minimize the Risk Posed by Your Interconnected IT/OT/IoT Environments” (on-demand webinar)
• “How To Secure All of Your Assets - IT, OT and IoT - With an Exposure Management Platform” (blog)
• “Blackbox to blueprint: The security leader’s guidebook to managing OT and IT risk” (white paper)
• “OT Security Master Class: Understanding the Key Principles, Challenges, and Solutions” (on-demand webinar)

4 - Logistics and tech vendors warned about Russian cyber spies

Cyber attackers backed by Russia’s GRU military intelligence unit have unleashed an aggressive cyber espionage campaign targeting U.S. and European technology companies and logistics providers involved in delivering aid to Ukraine.

That’s according to the joint advisory “Russian GRU Targeting Western Logistics Entities and Technology Companies” published this week by cybersecurity and law enforcement agencies from 11 countries, including Australia, Canada, France, Germany, the U.K. and the U.S.

“This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors’ wide-scale targeting of IP cameras in Ukraine and bordering NATO nations,” the 33-page document reads.
 

The group carrying out the cyber espionage campaign, known by various names, including APT28 and Fancy Bear, uses multiple tactics, techniques and procedures (TTPs) to gain initial access to victims’ networks, including: 

• brute-force password attacks
• credential spearphishing
• malware delivery
• vulnerability exploitation
• attacks against VPNs

The advisory’s mitigation recommendations include:

• Segment networks, restrict network access and adopt a zero-trust architecture
• Automatically log network access and audit the logs to identify suspicious access requests
• Implement allowlisting for applications and scripts
• Adopt tools that check the safety of links in emails
• Use multi-factor authentication with passkeys or PKI smartcards
• Limit the number of administrative accounts 
• Change all default credentials

For more information about APT28 / Fancy Bear:

• “APT28” (MITRE ATT&CK)
• “Fancy Bear 'Nearest Neighbor' Attack Uses Nearby Wi-Fi Network” (Dark Reading)
• "Fancy Bear (APT28)" (Bugcrowd)
• "Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks" (Publishers Weekly)
• "APT28" (Malpedia)

5 - NIST develops metric to predict likelihood of a vulnerability’s exploitation

Knowing which vulnerabilities have been exploited in the wild is priceless information for a security team as it prioritizes which ones to patch first.

Now, the U.S. National Institute of Standards and Technology has come up with a set of calculations designed to determine a vulnerability’s exploitation chances.

“Only a small fraction of the tens of thousands of software and hardware vulnerabilities that are published every year will be exploited. Predicting which ones is important for the efficiency and cost effectiveness of enterprise vulnerability remediation efforts,” reads NIST’s white paper “Likely Exploited Vulnerabilities: A Proposed Metric for Vulnerability Exploitation Probability,” published this week.
 

NIST calls the metric LEV, which stands for “likely exploited vulnerabilities.” LEV, NIST says, may help augment both the Known Exploited Vulnerabilities Catalog (KEV) database and the 

Exploit Prediction Scoring System (EPSS) by adding entries to the former and enhancing the latter’s accuracy.

The LEV equation, which has been implemented using Python and uses data from the National Vulnerability Database (NVD), KEV and EPSS, is “mathematically sound” but its error margin is unknown, so it needs to be rigorously tested, according to NIST.

For more information about NIST’s LEV:

• “NIST's 'LEV' Equation to Determine Likelihood a Bug Was Exploited” (Dark Reading)
• “NIST Proposes Security Metric to Determine Likely Exploited Vulnerabilities” (Cybersecurity News)
• “Vulnerability Exploitation Probability Metric Proposed by NIST, CISA Researchers” (SecurityWeek)