Tuesday, March 20, 2018

Critical Security Controls v7 RELEASED

I have previously posted on the Critical Security Controls, which many still incorrectly call the "SANS Top 20" and the like, though SANS hasn't been managing them for some time.  The current org that manages them is the Center for Internet Security, which has overseen them since around 2015.  They previously put out v6 and, after about a year working on them, have released v7.  You can download them from the CIS website, along with other materials.

I haven't had the chance to fully look at v7 and take a look at the differences from v6.  There are still 20 "controls", but they've done some rearrangement and have made tweaks to the "subcontrols" by adding, splitting, merging, moving (from one control to another), rewording, or deleting some.

Monday, March 5, 2018

March Updates on Frameworks & Standards

Last month I posted some information on several information security frameworks/standards being updated, and since then there have been updates on all of them.  So here we go:
  • NIST CSF v1.1.  The second draft was released at the end of 2017, and we just wrapped up the comment period on this.  I believe the plans are to review and hopefully come out with the final release in a few months.  Not clear when.  They have also set a tentative date for the 2018 workshop as September 11-13 in "the DC area".  Now NIST headquarters is in Baltimore, so does that count as the "DC area"?  I should also point out that NIST has done a great job of revamping their NIST CSF website, with some more info.

  • NIST SP 800-53 and 800-37.  NIST is also working on updates for a couple of important documents in FISMA/RMF.  SP 800-53 is the controls, and has now been expanded to include privacy controls as well as security.  SP 800-37 defines the Risk Management Framework, and should also have info on how the RMF can work with the CSF.  As I had noted, the original plan was to come out with a second draft at the end of last year after they put out the discussion draft, but it slipped.  We were promised that they would re-assess and put out new dates, which they have:
      • NIST Special Publication 800-37, Revision 2 (Risk Management Framework)
          • Initial Public Draft: May 2018
          • Final Public Draft: July 2018
          • Final Publication: October 2018
      • NIST Special Publication 800-53, Revision 5 (Security and Privacy Controls)
          • Final Public Draft: October 2018
          • Final Publication: December 2018
      • NIST Special Publication 800-53A, Revision 5 (Assessment Procedures for 800-53)
          • Initial Public Draft: March 2019
          • Final Public Draft: June 2019
          • Final Publication: September 2019
      • FIPS Publication 200, Revision 1 (Minimum Security Requirements)
          • Initial Public Draft: October 2018
          • Final Public Draft: April 2019
          • Final Publication: July 2019
      • FIPS Publication 199, Revision 1 (Security Categorization)
          • Initial Public Draft: December 2018
          • Final Public Draft: May 2019
          • Final Publication: August 2019

  • CIS Critical Security Controls.  Better known as the "SANS Top 20", the Critical Security Controls are now managed by the Center for Internet Security.  The current version is 6.1 and they are working on a v7.  I had seen stuff on their site last year about this, but it disappeared, so I thought the effort was dead.  They put out a draft of v7 with a short comment period, and are rolling out v7 on March 19th in DC (or you can attend on-line).  So that is pretty quick.

The only thing I am concerned about is that both SP 800-53 and the CSC are Informational References in the NIST CSF.  If they come out with new versions, will the Informational References in the CSF be updated to these new versions?  I hope they will be.  Now NIST has on their new CSF website an on-line version of the Informational References that allows them to expand them.  Though why they didn't include the HIPAA crosswalk here I don't know.  Still awaiting the official PCI-CSF crosswalk to be made available as well.

As I learn more about these new updates, I'll be blogging about them.  I look forward to getting my hands on v7 of the CSC due to what I read in the draft version.

Wednesday, February 28, 2018

Report on BSides Tampa 2018

On Saturday, February 17th, I was in Tampa for the 5th Security BSides Tampa Conference.  This was my third time attending, and my third time speaking.  I spoke on the topic of the new "SOC for Cybersecurity" report.  I'll do a separate posting on this report, giving resources.

This conference had about 700 people registered; I'm not sure how many were actually there.  As with the prior couple of conferences, it was again held at the Stetson College of Law center in Tampa.

There were 5 tracks, a capture the flag game, lockpick village, training, and a recruitment track again.  Several great speakers.  Jack Daniel, Ira Winkler, Greg Hanis, and more.  I also had some good conversations with several people.

There were some problems last year, and I think they did a good job of addressing these.  My only personal complaint was it being on President's Day Weekend, due to other commitments which I had to miss.  Hopefully whatever date they pick next year won't conflict for me.


Monday, February 26, 2018

Report: The State of Cybersecurity in Florida

Just recently The Florida Center for Cybersecurity released their 2017 report, The State of Cybersecurity in Florida.

So what IS The Florida Center for Cybersecurity?  It's a statewide agency located at USF in Tampa that works with all State University System of Florida institutions, industry, the military, government, and the community to build Florida's cybersecurity workforce.

The report is the first they've done.  It looks at the cyber threat environment, workforce supply and demand, education and training opportunities, and research initiatives within the State of Florida.

In particular, here are some of its findings (and my comments):

Thursday, February 22, 2018

Report on ISACA South Florida's WOW Event

The South Florida Chapter of ISACA has been holding an annual one-day conference each year in February known as the WOW! Event.  In 2018, they held their 11th conference on Friday, February 16th at FIU's Koven Conference Center at their Biscayne Bay campus.

This year's theme was "The InfoSec of Things: Emerging issues in Privacy and Security".  There were about 250 people in attendance for the day, with several speakers and a panel discussion with several local CISOs.

Speakers included:

Tuesday, February 20, 2018

Report on SecureMiami 2018

On Saturday, February 10, 2018, DigitalEra hosted their second "annual" security event, Secure Miami at FIU, co-located with Brew Miami.  Their first event was in December of 2016.

Attendance was pretty good at this event, with about 350 registered to attend.  This year they moved it to the larger Graham Center in the University Center.  Lunch was provided.

There were several security vendors in attendance.  The South Florida ISSA Chapter assisted, so we were there with a booth. 

Speakers were a good selection of national level folks, along with a panel discussion with various security leaders.  These included:  Malcolm Harkins with Cylance, Hollis Howell from Rapid7, and Kevin Reardon with Symantec.  Panelists were from FIU, Trapezoid, Network Health, and Trend Micro.

Overall, a very nice half-day security event.  I believe DigitalEra is planning on doing this again next year, and I look forward to it.

Tuesday, February 6, 2018

Framework/standard updates coming

Well, it's early 2018 and there are several information security framework/standards being updated:
  • NIST CSF v1.1.  The second draft was released at the end of 2017, and we just wrapped up the comment period on this.  I believe the plans are to review and hopefully come out with the final release in a few months.  Now I think we will also see another workshop held in conjunction with this, we just don't know exactly when.

  • NIST SP 800-53 and 800-37.  NIST is also working on updates for a couple of important documents in FISMA/RMF.  SP 800-53 is the controls, and has now been expanded to include privacy controls as well as security.  SP 800-37 defines the Risk Management Framework, and should also have info on how the RMF can work with the CSF.  Now the plan was to come out with a second draft at the end of last year after they put out the discussion draft, but it looks like the schedule has slipped.  If you read on-line, it looks like they need to re-assess the amount of work needed.  I do expect we will see these done this year, but no idea when at this point.

  • CIS Critical Security Controls.  Better known as the "SANS Top 20", the Critical Security Controls are now managed by the Center for Internet Security.  The current version is 6.1 and they are working on a v7.  I had seen stuff on their site last year about this, but it disappeared, so I thought the effort was dead.  Now they have a draft of v7 out with a short comment period (about to end).  It's not clear when they expect the final version to come out, but clearly it will be this year.

The only thing I am concerned about is that both SP 800-53 and the CSC are Informational References in the NIST CSF.  If they come out with new versions, will the Informational References in the CSF be updated to these new versions?  I hope they will be.  Still awaiting the official PCI-CSF crosswalk to be made available.

As I learn more about these new updates, I'll be blogging about them.