Tuesday, May 23, 2017

New Cybersecurity Executive Order

So by now hopefully most are aware of the recent Executive Order signed by President Trump.  While not numbered, it came out May 11th, which was just before the planned NIST Cybersecurity Framework Workshop.  The full title is "Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure".

So let's take a look at it.

It has 5 sections.  Sections 4 and 5 we can basically overlook.  Section 4 is definitions, while Section 5 is General Provisions.

Monday, May 22, 2017

Recent events

Am a little behind on posting on some very recent events.

Last week I was at the NIST Cybersecurity Workshop.  Lot of interesting things there.  Further, the prior week Trump signed an Executive Order on Cybersecurity that has an impact on things.

This past weekend I was at the HackMiamiCon5, where I also spoke on cyber resilience.  More on that as well.

Hopefully soon I will be speaking at an upcoming HackMiami meeting on various updates (the NIST CSF Workshop, recent EO, and some other regulations that have come out).


Friday, May 12, 2017

News and upcoming events

One of the news items floating around is the recently signed executive order regarding cybersecurity.  I haven't had a chance to really look over it, but hope to soon and will post my thoughts here.

There are a couple of upcoming events I will be at next week.

First off is the NIST Cybersecurity Framework Workshop at NIST HQ.  I look forward to that.  Should be a great opportunity to gather information, give input, and meet others.  I hope that impact of this new EO will also be covered.

Then next weekend is the HackMiamiCon5 in Miami Beach.  I'll be there, and be speaking on the second day on Cyber Resilience.  Look forward to that.

I will be posting on both events here on the blog, so be sure to check back.

Tuesday, April 11, 2017

Resources for presentation on IT Risk

As mentioned previously, I gave a presentation on IT Risk at the 2017 Security BSides Orlando Conference.  The title was "Risk: It's more than just a game from Parker Brothers".  Was trying to be a little cute and have a catchy title.

The talk was about IT Risk, and I was aiming it at infosec professionals.  My idea is that risk is important to understand, as we do security to reduce risk to the organizations we work for.  But I think too many infosec folks just don't have a good understanding of this.

Now, the talk was posted.  Not sure how well it comes out.  I'll update with a link.

But what I wanted to give here was information on the sources and materials I used for the talk.

Monday, April 10, 2017

BSides Orlando 2017 Report

Saturday, April 8, 2017, the 5th Security BSides Orlando conference was held.  This year there were several changes over past ones.

The conference was but one day.  The venue this year was Valencia College rather than University of Central Florida from the last two years.  The new venue led to a few minor changes in scheduling.  As there was really no venue for lunch, pizza and soda were provided for participants.



There were 3 tracks of talks, a workshop track, and a CTF.  For the lockpick village this year, there were two additional challenges: one was to unlock a room, another a box.  There were several vendors set up.  And the conference wrapped up with a keynote speaker: Tara Wheeler.

Wednesday, April 5, 2017

Upcoming Security Conferences for 2017

There are several conferences in South Florida (and other areas) that I plan to be at in the coming months, and am speaking at or hope to be.

BSides Orlando will be April 8th, but now moved to Valencia College-West Campus.  Also different this year is this will be a one day event, but will again be right before SANS Orlando.  I will be there speaking on the topic of Risk.  This talk is aimed at the entry level security professional to help them gain a better understanding of the importance of IT Risk in what we do in security.


The South Florida ISACA Chapter will be having their 10th WOW event on Friday, April 21st.  This will be an all day event at the FIU Biscayne Campus as usual.  Registration is already open and the focus is on "Emerging Threats in Cybersecurity".  Will be there.  Had hoped to speak, but didn't happen.

HackMiami will be back with their 5th conference on May 19-21, again at the Deauville Beach Resort in Miami Beach.  I will be speaking there on the topic of Cyber Resilience.


Further out, there is of course Black Hat, DefCon, BSides out in Las Vegas from July 22-30th.  I have never been out there, and plan to go out for BSides and DefCon.  Barring any financial issues.  I am also planning to submit for BSides.  Probably submit a few of my talks and see if any get picked.  Not sure if what I speak on would be accepted at DefCon.

Interestingly, ISC(2) has moved their Security Congress event out of being co-located with ASIS's conference.  This one will be September 25-27 in Austin, TX.  To be honest, I have no plans to attend this.  I felt their event was a bit pricey.

Now, ASIS, which is more for security folks who deal with physical security than information security, will have their conference September 25-28 in Dallas, TX.  ISSA is working with them to have infosec speakers at this event.  Kind of filling the void that ISC2 left.  And again, Infragard is co-hosting their annual conference there as well.  Sounds interesting, but again, probably will not be at this event.  Just can't afford it.

ISSA will be having their 2017 International Conference in San Diego from October 9-11.  I am on the conference committee for this one again, and again submitted some talk proposals.  Unless one of my talks gets picked I'm not certain I'll go this year. [UPDATE: my talk on Cyber Resilience was picked]. I do want to go next year when it'll be in Atlanta.

Now, the only other conference this year I look forward to is a possible Security BSides happening in Southwest Florida, where I am from.  Heard about this at BSides Tampa and the group hopes to have this in Ft Myers.  I hope to hear more about it as I'd love to be involved.  Tentative time they are aiming for is June.

Another one I should mention is BSides Jacksonville.  This is usually held in October.  I've never been to one.

If any will be at the above ones I'll be at, stop by and say hi!

Wednesday, March 15, 2017

2017 SFISSA Security Conference Report

This past Friday, the South Florida ISSA Chapter held its 2017 Security Conference.  The chapter holds these every 2 years, and this year's event was our most successful one to date.

We had 4 tracks of talks, including a track of workshops (twice the length of a regular presentation), a breakfast and lunch keynote, and a CISO Panel of 4 local CISOs.



Wednesday, March 8, 2017

News on NIST's update to Cybersecurity Framework

As I have previously posted, and hopefully most are aware, NIST (National Institute of Standards and Technology) has released a draft for an update of the Cybersecurity Framework (CSF), to be v1.1.

Recently NIST held 2 webinars on the CSF, each an hour long.  One was an overview, and the other on the proposed updates.  Only a limited number of people could watch the webinars live, but NIST has now put the videos up on their website.  Both are good to watch.

Wednesday, February 22, 2017

Memorial Healthcare pays $5.5 million HIPAA settlement

Well, at this point hopefully those in the infosec field, especially in the healthcare arena, are aware of the recent settlement by Memorial Healthcare (Hollywood, Florida) for $5.5 million.  This was for violations of HIPAA that resulted in the protected health information (PHI) of over 100,000 individuals being potentially exposed.  While not the highest penalty, certainly up there.

You can read the whole press release HERE.  As well as the settlement agreement HERE which includes the corrective measures they must take.

For me, this is notable as Memorial Healthcare is one of the local hospital groups in my area.  Now, I have no connection with Memorial, and I do NOT have any inside information on them.  All I know is what I have read in the above articles.

Friday, February 17, 2017

BSides Tampa 2017 report

This past weekend, February 11th, I was in Tampa for the 4th BSides Tampa Conference.  This is my second time attending, and second time presenting.



Overall it was a good conference.  There were some differences from last year, most positive.  They clearly need to move to a larger venue.  This year and last it was at the Stetson Law Center in Tampa.  This location has a nice facility, but is limited in parking, and there is no place to get lunch.  Last year they brought in KFC for everyone, this year it was food trucks.  But there were only 2 and I didn't have the time to get lunch before I had to do my session.

Thursday, February 16, 2017

ISACA's State of Cyber Security 2017 Report

Recently ISACA released the result of a survey as their State of Cyber Security Report 2017, part 1.  You can download it at their website HERE.

Part 1 focuses on topics like "workforce challenges" and "persistent skills gap".  Like many other groups, ISACA continues to push the narrative of a skills gap, and of course their solution is to train more folks in cybersecurity, ideally with their new set of CSX training and certifications.

Thursday, February 9, 2017

Commentary on Cyber Resilience

At the upcoming HackMiami5 conference I will be speaking on "Cyber Resilience".  I have been looking at this term over the last several months.  As an infosec/cybersecurity professional, I wanted to better understand what this "cyber resilience" is and how it fits in.

Now, at my talk at HM2017 I will be going into several "models" for cyber resilience and other resources, and I will NOT be posting that information here on my blog until sometime later.  So this posting, which may be part of a series, is more my thoughts on what cyber resilience is.

Now, the more or less standard definition I hear for cyber resilience is "the ability to recover from attacks quicker and keep losses to a minimum."

Friday, January 13, 2017

Upcoming Conferences in South Florida 2017

There are several conferences in South Florida (and the general area) that I plan to be at in the coming months, and some I hope to speak at.

The South Florida ISACA Chapter will be having their 10th WOW event on Friday, February 24th. [UPDATE: Friday, April 21st] This will be an all day event at the FIU Biscayne Campus as usual.  Registration is already open and the focus is on "Emerging Threats in Cybersecurity".



The South Florida ISSA Chapter will be having their biannual security conference on Friday, March 10th.  This will be an all day event at the Signature Grand.  Registration is open, sponsors are being lined up and a call for presenters is open.



BSides Orlando will be April 8th, again at University of Central Florida.  Unlike past years, this will be a one day event, but will again be right before SANS Orlando.



HackMiami will be back with their 5th conference on May 19-21, again at the Deauville Beach Resort in Miami Beach.



So some great events and I look forward to them.


NIST Cybersecurity Framework v1.1 is coming!!!

Well, NIST (National Institute of Standards and Technology) has announced an update for the Cybersecurity Framework (CSF).  The new version will be v1.1, an incremental update which was expected.

They have released a draft of this update for comments.

You may read about it HERE.   There is also THIS page that explains the update AND gives info on feedback, which has a deadline of APRIL 10, 2017, and where to send comments.

At that page you can read the draft in a couple of different versions.

What has been added/updated?

They added more material regarding supply chain.  They did a few tweaks on the Core.  I had hoped they would have gotten rid of the Implementation Tiers, but instead of dumping it or doing major work they made some tweaks to it.  And there is a new section on metrics and measurement.

I was disappointed they didn't update the Critical Security Controls references.  They are still listing v5, which is no longer valid, and the group that managed it is no more.  However, they note they are still updating all the Informative References, so hopefully that is just something that is in progress and will appear in the released version.

I had hoped that the HIPAA crosswalk that was done would be incorporated into the document, at least as an appendix.  And I think they should add a PCI DSS crosswalk.  Am told it exists, and think it would be good to include it.  Again, maybe this will be included in the final version.

Am debating if I should put together a talk on this proposed draft for upcoming conferences.


BSides Tampa 2017

I will be speaking at BSides Tampa 2017 this February.

The topic will be on "HIPAA for Security Professionals".  My aim is to introduce to security professionals what HIPAA is and what they need to know about it.  With the increased pressure on healthcare organizations and their third party vendors for information security, this is important.  Especially with HHS doing random audits going forward.

Hope to see many of you there.