Thursday, February 22, 2018

Report on ISACA South Florida's WOW Event

The South Florida Chapter of ISACA has been holding an annual one-day conference each year in February known as the WOW! Event.  In 2018, they held their 11th conference on Friday, February 16th at FIU's Koven Conference Center at their Biscayne Bay campus.

This year's theme was "The InfoSec of Things: Emerging issues in Privacy and Security".  There were about 250 people in attendance for the day, with several speakers and a panel discussion with several local CISOs.

Speakers included:

Tuesday, February 20, 2018

Report on SecureMiami 2018

On Saturday, February 10, 2018, DigitalEra hosted their second "annual" security event, Secure Miami at FIU, co-located with Brew Miami.  Their first event was in December of 2016.

Attendance was pretty good at this event, with about 350 registered to attend.  This year they moved it to the larger Graham Center in the University Center.  Lunch was provided.

There were several security vendors in attendance.  The South Florida ISSA Chapter assisted, so we were there with a booth. 

Speakers were a good selection of national level folks, along with a panel discussion with various security leaders.  These included:  Malcolm Harkins with Cylance, Hollis Howell from Rapid7, and Kevin Reardon with Symantec.  Panelists were from FIU, Trapezoid, Network Health, and Trend Micro.

Overall, a very nice half-day security event.  I believe DigitalEra is planning on doing this again next year, and I look forward to it.

Tuesday, February 6, 2018

Framework/standard updates coming

Well, it's early 2018 and several information security frameworks/standards are being updated:
  • NIST CSF v1.1.  The second draft was released at the end of 2017, and we just wrapped up the comment period on this.  I believe the plans are to review and hopefully come out with the final release in a few months.  Now I think we will also see another workshop held in conjunction with this; we just don't know exactly when.

  • NIST SP 800-53 and 800-37.  NIST is also working on updates for a couple of important documents in FISMA/RMF.  SP 800-53 is the controls catalog, and has now been expanded to include privacy controls as well as security controls.  SP 800-37 defines the Risk Management Framework, and should also have info on how the RMF can work with the CSF.  Now the plan was to come out with a second draft at the end of last year after they put out the discussion draft, but it looks like the schedule has slipped.  If you read on-line, it looks like they need to re-assess the amount of work needed.  I do expect we will see these done this year, but no idea when at this point.

  • CIS Critical Security Controls.  Better known as the "SANS Top 20", the Critical Security Controls are now managed by the Center for Internet Security.  The current version is 6.1 and they are working on a v7.  I had seen stuff on their site last year about this, but it disappeared, so I thought the effort was dead.  Now they have a draft of v7 out with a short comment period (about to end).  It's not clear when they expect the final version to come out, but it clearly will be this year.

The only thing I am concerned about is that both SP 800-53 and the CSC are Informational References in the NIST CSF.  If they come out with new versions, will the Informational References in the CSF be updated to these new versions?  I hope they will be.  Still awaiting the official PCI-CSF crosswalk to be made available.

As I learn more about these new updates, I'll be blogging about them.

Monday, February 5, 2018

Healthcare Industry Cybersecurity Task Force report- June 2017

Recently a report came out from the "Health Care Industry Cybersecurity Task Force".  This group was formed by Congress as part of the Cybersecurity Act of 2015.  The task force is made up of a diverse group from the healthcare industry, taking a look at the state of cybersecurity and how it can be improved.

You can read the report HERE.

At nearly 100 pages, it's a bit much to slog thru.  At a minimum, read over the executive summary.  As someone who works with healthcare clients, their findings are not a surprise to me.  They have a figure:


which points out some of these issues.  Lack of talent- yes.  Not that there is no talent, but that many orgs don't have enough people on board.  Smaller orgs can't afford to, sometimes outsourcing their IT to vendors who themselves may not have the right skills.  (It's one thing to go with a managed security service provider who hopefully knows healthcare; it's another to go with some local IT guys who have no idea of security or the issues facing healthcare.)
Legacy equipment- wow, yes.  Big problem, as the vendors aren't supporting or updating these systems, and the orgs can't.  Most orgs don't understand that there are some solutions (isolated networks and the like) for this.  Over-connectivity ties back to lack of talent.  When you don't have people on board who can properly set things up, problems will arise.  Vulnerabilities impact- this is stuff like ransomware and the like hitting groups, which often was caused by not having the right talent in place to get things in good shape.

Some of these actually interconnect.  Healthcare IT is behind everyone else.  Too many organizations have, for various reasons, not invested in IT.  This means they have not worked to get enough people on board with the right skills and given them the budget to set things up well.

They define 6 imperatives:

  1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity.
  2. Increase the security and resilience of medical devices and health IT.
  3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
  4. Increase health care industry readiness through improved cybersecurity awareness and education.
  5. Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.
  6. Improve information sharing of industry threats, weaknesses, and mitigations.
The report spends quite a bit of time on a variety of recommendations and action items off of these imperatives.

Check it out and add your comments.

Friday, February 2, 2018

Upcoming Conferences in early 2018

There are several local security conferences coming up in my general area, some of which I'll be speaking at.

Here are the ones over the next few months:

* SecureMiami 2018, co-located with BrewMiami.  Organized by DigitalEra, this is the second time for this half day event at the main campus of Florida International University.  Held on Saturday, February 10th.  Registration is open NOW and I encourage people to attend.

* ISACA South Florida Chapter's 11th WOW Event is coming up on Friday, February 16th at FIU's Biscayne Bay campus.  The theme is "The InfoSec of Things: Emerging issues in Privacy and Security", and they have a great lineup of speakers.  So register NOW.

* BSides Tampa 2018 is coming up Saturday, February 17th again at Stetson Law in Tampa.  I will be speaking here on the topic of "SOC for Cybersecurity".  I think they are sold out, but check anyway.

* BSides Orlando 2018 is coming up on Saturday, April 7th.  Location this year will be Full Sail Live Venue in Winter Park.  CFP is open, and I've submitted some proposals, and registration is open NOW.

* HackMiamiCon6 is coming up May 18-20.  This year they will be at Sea Coast Suites in Miami Beach.  I will be speaking there on protecting your organization with resilience and disaster recovery.  Registration is open NOW.

So, there are more coming down the road.  Stuff in the summer and stuff coming up in the Fall, especially in October due to Cybersecurity Awareness Month.

Check back for more.  I will be doing postings reporting on these events after they are done.

Sunday, November 5, 2017

Cyber Resilience- what I've found (Part 1)

A year or so ago I came upon the idea of "cyber resilience", which is a general concept of 'hardening' or toughening, or making more resilient, our IT/cyber systems.  I started seeing the term used a lot, and many of the times I've seen it, it has been used to argue that we need to focus MORE on resilience than cybersecurity, or that cyber resilience is the next step beyond cybersecurity.

Here are some of the articles I read:  one, two, three.

I have a lot of problems with this idea.  This led me to do research on the topic, and I developed a presentation which I've given twice, most recently at the 2017 ISSA International Conference.  Below you'll find my research.

Now, this is not to say I'm not in agreement with the idea of cyber resilience.  What I have a problem with is the idea that it's separate from, or a next step from, cybersecurity.  If people think this, I think they don't understand what cybersecurity SHOULD be.

Sunday, October 15, 2017

2017 ISSA International Conference Report

This past week, ISSA held their 2017 International Conference in San Diego.  I've attended the last 4 conferences (not sure when they started doing them), and this one was pretty good.  Full disclosure: I am a member of the conference steering committee, so I had some involvement in the planning of it.

On the 9th was the all-day Chapter Leaders Summit, which brings chapter leaders from around the country (and world) to a day of training and sharing of information.  A change this year was that the Summit was live streamed to those who couldn't attend.  I thought this was a good summit, with some good sessions.  I think attendance was pretty decent as well.  My chapter, the South Florida Chapter, had 4 officers in attendance.