While I was at the NIST CSF Workshop, something I learned about is the work being done by the Better Business Bureau on cybersecurity, especially for small businesses. This is under the tagline CYBER$3CUR1TY.
In June of 2015 the FFIEC (Federal Financial Institutions Examination Council) released the first version of their Cybersecurity Assessment Tool (CAT). The FFIEC, for those not aware, is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions and is made up of 6 different agencies.
The FFIEC already has a set of works called the IT Examination Handbooks, about a dozen of them, which help set down standards for IT in several areas. One of interest would be the Information Security booklet, which was finally updated in 2016.
In May 2017, NIST hosted another Cybersecurity Workshop. This two-day workshop was held as part of their process to update the Cybersecurity Framework. This process actually started a year ago when NIST put out a request for comments on how the framework was being used, followed by a workshop to review that input and see if there was a need for an update.
A big question was whether the update should be incremental (a version 1.1) or major (a version 2.0). The answer was more in favor of an incremental update.
So this was followed by a draft v1.1 update at the end of 2016, followed by another request for comments on the draft, which led to this workshop to review the results and do further work to get to a finished v1.1.
A new, interesting board aimed at helping kids get into programming is the BBC micro:bit.
They have set up a Foundation to support this device, and they have a lot of information on their website.
You can purchase them from several sources. In the US, two sources are Adafruit and Sparkfun (see the website for a list of resellers worldwide). Both sell the board at about $15, though you can get a "kit" that includes a USB cable and a battery pack for a couple more bucks. Both sell an edge connector for the board, but Sparkfun has one that allows the board to be attached to a breadboard HERE.
So by now hopefully most are aware of the recent Executive Order signed by President Trump. While not numbered, it came out May 11th, which was just before the planned NIST Cybersecurity Framework Workshop. Full title is "Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure".
So let's take a look at it.
It has five sections. Sections 4 and 5 we can basically overlook: Section 4 is definitions, while Section 5 is General Provisions.
One of the news items floating around is the recently signed executive order regarding cybersecurity. I haven't had a chance to really look over it, but hope to soon and will post my thoughts here.
There are a couple of upcoming events I will be at next week.
First off is the NIST Cybersecurity Framework Workshop at NIST HQ. I look forward to that. It should be a great opportunity to gather information, give input, and meet others. I hope that the impact of this new EO will also be covered.
Then next weekend is HackMiamiCon5 in Miami Beach. I'll be there, and will be speaking on the second day on Cyber Resilience. I look forward to that.
I will be posting on both events here on the blog, so be sure to check back.
As mentioned previously, I gave a presentation on IT Risk at the 2017 Security BSides Orlando Conference. The title was "Risk: It's more than just a game from Parker Brothers". I was trying to be a little cute and have a catchy title.
The talk was about IT Risk, and I was aiming it at infosec professionals. My idea is that risk is important to understand, as we do security to reduce risk to the organizations we work for. But I think too many infosec folks just don't have a good understanding of this.
Now, the talk video has been posted. I'm not sure how well it came out. I'll update this with a link.
But what I wanted to give here was information on the sources and materials I used for the talk.
Saturday, April 8, 2017, the 5th Security BSides Orlando conference was held. This year there were several changes over past ones.
The conference was only one day. The venue this year was Valencia College rather than the University of Central Florida of the last two years. The new venue led to a few minor changes in scheduling. As there was really no venue for lunch, pizza and soda were provided for participants.
There were three tracks of talks, a workshop track, and a CTF. For the lockpick village this year, there were two additional challenges: one was to unlock a room, another a box. There were several vendors set up. And the conference wrapped up with a keynote speaker: Tara Wheeler.
There are several conferences in the South Florida (and other areas) that I plan to be at in the coming months, and am speaking or hope to be.
BSides Orlando will be April 8th, but has now moved to Valencia College West Campus. Also different this year is that it will be a one-day event, but it will again be right before SANS Orlando. I will be there speaking on the topic of Risk. This talk is aimed at the entry-level security professional to help them gain a better understanding of the importance of IT Risk in what we do in security.
The South Florida ISACA Chapter will be having their 10th WOW event on Friday, April 21st. This will be an all-day event at the FIU Biscayne Campus as usual. Registration is already open and the focus is on "Emerging Threats in Cybersecurity". I will be there. I had hoped to speak, but that didn't happen.
HackMiami will be back with their 5th conference on May 19-21, again at the Deauville Beach Resort in Miami Beach. I will be speaking there on the topic of Cyber Resilience.
Further out, there are of course Black Hat, DefCon, and BSides out in Las Vegas from July 22-30th. I have never been out there, and plan to go out for BSides and DefCon, barring any financial issues. I am also planning to submit for BSides. I'll probably submit a few of my talks and see if any get picked. I'm not sure if what I speak on would be accepted at DefCon.
Interestingly, ISC(2) has moved their Security Congress event out of being co-located with ASIS's conference. This one will be September 25-27 in Austin, TX. To be honest, I have no plans to attend this. I felt their event was a bit pricey.
Now, ASIS, which is more for security folks who deal with physical security than information security, will have their conference September 25-28 in Dallas, TX. ISSA is working with them to have infosec speakers at this event, kind of filling the void that ISC2 left. And again, Infragard is co-hosting their annual conference there as well. Sounds interesting, but again, I probably will not be at this event. I just can't afford it.
ISSA will be having their 2017 International Conference in San Diego from October 9-11. I am on the conference committee for this one again, and again submitted some talk proposals. Unless one of my talks gets picked I'm not certain I'll go this year. [UPDATE: my talk on Cyber Resilience was picked]. I do want to go next year when it'll be in Atlanta.
Now, the only other conference this year I look forward to is a possible Security BSides happening in Southwest Florida, where I am from. I heard about this at BSides Tampa, and the group hopes to have it in Ft Myers. I hope to hear more about it as I'd love to be involved. The tentative time they are aiming for is June.
Another one I should mention is BSides Jacksonville. This is usually held in October. I've never been to one.
If any will be at the above ones I'll be at, stop by and say hi!
As I have previously posted, and hopefully most are aware, NIST (National Institute of Standards and Technology) has released a draft for an update of the Cybersecurity Framework (CSF), to be v1.1.
Recently NIST held two webinars on the CSF, each an hour long. One was an overview, and the other was on the proposed updates. The webinars had a limited number of seats for watching live, but NIST has now put the videos up on their website. Both are good to watch.
Well, at this point hopefully those in the infosec field, especially in the healthcare arena, are aware of the recent $5.5 million settlement by Memorial Healthcare (Hollywood, Florida). This was for violations of HIPAA that resulted in the protected health information (PHI) of over 100,000 individuals being potentially exposed. While not the highest penalty to date, it is certainly up there.
You can read the whole press release HERE, as well as the settlement agreement HERE, which includes the corrective measures they must take.
For me, this is notable as Memorial Healthcare is one of the local hospital groups in my area. Now, I have no connection with Memorial, and I do NOT have any inside information on them. All I know is what I have read in the above articles.
This past weekend, February 11th, I was in Tampa for the 4th BSides Tampa Conference. This is my second time attending, and second time presenting.
Overall it was a good conference. There were some differences from last year, most of them positive. They clearly need to move to a larger venue. This year and last it was at the Stetson Law Center in Tampa. This location has a nice facility, but is limited in parking, and there is no place to get lunch. Last year they brought in KFC for everyone; this year it was food trucks. But there were only two, and I didn't have the time to get lunch before I had to do my session.
Recently ISACA released the result of a survey as their State of Cyber Security Report 2017, part 1. You can download it at their website HERE.
Part 1 focuses on topics like "workforce challenges" and "persistent skills gap". Like many other groups, ISACA continues to push the narrative of a skills gap, and of course their solution is to train more folks in cybersecurity, ideally with their new set of CSX training and certifications.
At the upcoming HackMiami5 conference I will be speaking on "Cyber Resilience". I have been looking at this term over the last several months. As an infosec/cybersecurity professional, I wanted to better understand what this "cyber resilience" is and how it fits in.
Now, in my talk at HM2017 I will be going into several "models" for cyber resilience and other resources, and I will NOT be posting that information here on my blog until sometime later. So this post, which may be part of a series, is more my thoughts on what cyber resilience is.
Now, the more or less standard definition I hear for cyber resilience is "the ability to recover from attacks quicker and keep losses to a minimum."
There are several conferences in the South Florida (and general area) that I plan to be at in the coming months, and some I hope to speak at.
The South Florida ISACA Chapter will be having their 10th WOW event on Friday, February 24th. [UPDATE: Friday, April 21st] This will be an all-day event at the FIU Biscayne Campus as usual. Registration is already open and the focus is on "Emerging Threats in Cybersecurity".
Well, NIST (National Institute of Standards and Technology) has announced an update for the Cybersecurity Framework (CSF). The new version will be v1.1, an incremental update which was expected.
They have released a draft of this update for comments.
You may read about it HERE. There is also THIS page that explains the update AND gives info on feedback, which has a deadline of APRIL 10, 2017, and where to send comments.
On that page you can read the draft in a couple of different versions.
What has been added/updated?
They added more material regarding supply chain. They did a few tweaks to the Core. I had hoped they would have gotten rid of the Implementation Tiers, but instead of dumping them or doing major work they did some tweaks. And there is a new section on metrics and measurement.
I was disappointed they didn't update the Critical Security Controls references. They are still listing v5, which is no longer valid, and the group that managed it is no more. However, they note they are still updating all the Informative References, so hopefully that is just something in progress and will appear in the released version.
I had hoped that the HIPAA crosswalk that was done would be incorporated into the document, at least as an appendix. And I think they should add a PCI DSS crosswalk. I am told it exists, and think it would be good to include it. Again, maybe this will be included in the final version.
Am debating if I should put together a talk on this proposed draft for upcoming conferences.
The topic will be "HIPAA for Security Professionals". My aim is to introduce security professionals to what HIPAA is and what they need to know about it. With the increased pressure on healthcare organizations and their third-party vendors for information security, this is important, especially with HHS doing random audits going forward.