Wednesday, August 16, 2017

NIST releases DRAFT SP800-53R5

Recently NIST finally released the DRAFT of SP800-53R5.  800-53 is entitled Security and Privacy Controls for Federal Information Systems and Organizations and is the set of controls used in FISMA, the mandated set of infosec controls used in federal systems (though many others use it as well, often state and local governments, as well as government contractors).

This has been in the works for a while now, and many expected this draft to come out several months ago.  The due date for comments is September 17, 2017.  They want to put out the final draft (second draft) in October, with the final version by the end of the year.

They note several changes.  They have incorporated privacy controls into this.  They have separated the control selection process from the controls themselves; the Risk Management Framework is that control selection process.  Doing this more easily allows others to use the controls as is.  With the NIST CSF referencing the controls in SP800-53, it makes it easier for those using the CSF to use these controls.  The document explicitly calls out that SP800-53 can be used with the RMF, the CSF, and systems engineering processes.

One big change was striking "federal" from the title within the document, again as part of making the controls more accessible to non-federal users.

Wednesday, August 9, 2017

Sad news- Intel drops Edison, Galileo, Joule, Curie

I had previously posted about some of Intel's efforts to get involved in the IoT and Maker communities with their own products such as the Edison, Galileo, Curie and more.

At the recent DefCon conference I was chatting with the guy behind HackerBoxes and was sad to learn that Intel has recently dropped some of their efforts.  I took a look and found information that they are ending production of the Edison, Galileo, Curie, and Joule products by the end of 2017 or mid-2018.

This is a bit disappointing.  I thought some of these had a lot of potential, and I think that if they haven't been as successful as they could have been, maybe Intel didn't do all they could to make these products successful.  I know Sparkfun had put out several items in support of the Edison.  I had hoped to see more published information on these items, and there was a planned work on the Edison and Galileo that never came out.

As far as I can tell they are still supporting the Euclid product, but that's just not the same.

Does this end Intel's foray into this realm?  Hopefully not.

Tuesday, August 8, 2017

News on NIST CSF v1.1

I've previously posted on the NIST Cybersecurity Framework (NIST CSF) and the recent work to update it to v1.1.  I had attended the recent workshop held at NIST headquarters following the release of the Draft v1.1 and comments.  And I've been awaiting their report on the Workshop and a better idea as to what the next steps are.

Well, just before "Hacker Summer Camp" they released their summary and I missed it.  You can read it HERE.

Monday, August 7, 2017

New stuff coming soon

It's been a while since I've posted anything.  I was recently out in Las Vegas for what some call "hacker summer camp": BlackHat, BSides Las Vegas, and DefCon.  I had never been out there and had heard about it from several of my friends and associates who go out there almost annually.  For various reasons I haven't been able to, but I made the point to get out there this summer.

I learned some interesting things and saw some interesting presentations.  So over the next week or so I will have several postings on these items.

Wednesday, June 28, 2017

Better Business Bureau's work on Cybersecurity (CYBER$3CUR1TY)

While I was at the NIST CSF Workshop, something I learned about is the work being done by the Better Business Bureau on Cybersecurity, especially for small businesses.  This is under the tagline of CYBER$3CUR1TY.

Though to be accurate, this is coming from the Council of Better Business Bureaus, which is the umbrella organization for BBBs in North America.

All of what they have may be found HERE.

Monday, June 26, 2017

A look at the NYDFS requirements for Cybersecurity

Hopefully most people have heard of the new NY State regulations on cybersecurity, usually referred to as the NYDFS regs, or "23 NYCRR 500" or the like.

These went into effect on March 1, 2017 and you can read the regs HERE.  It's just 15 pages.

Now, there are a lot of articles out there on the regs.  So I'm not so much interested in going over in detail what the regs say, but instead want to comment on what is here.

Monday, June 19, 2017


In June of 2015 the FFIEC (Federal Financial Institutions Examination Council) released the first version of their Cybersecurity Assessment Tool (CAT).  The FFIEC, for those not aware, is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions, and is made up of 6 different agencies.

The FFIEC already has a set of works called the IT Examination Handbooks, about a dozen of them, which help set down standards for IT in several areas.  One of interest would be the Information Security handbook, which was finally updated in 2016.