Sunday, November 5, 2017

Cyber Resilience- what I've found (Part 1)

A year or so ago I came upon the idea of "cyber resilience", which is a general concept of 'hardening' or toughening, or making more resilient, our IT/cyber systems.  I started seeing the term used a lot, and many of the times I've seen it, it has been in use with ideas that we need to focus MORE on resilience than cybersecurity, or that cyber resilience is the next step beyond cybersecurity.

Here are some of the articles I read:  one, two, three.

I have a lot of problems with this idea.  This led me to do research on the topic, and I developed a presentation which I've given twice, most recently at the 2017 ISSA International Conference.  Below you'll find my research.

Now, this is not to say I'm not in agreement with the idea of cyber resilience.  What I have a problem with is that it's separate from or a next step from cybersecurity.  If people think this, I think they don't understand what cybersecurity SHOULD be.

Sunday, October 15, 2017

2017 ISSA International Conference Report

This past week, ISSA held their 2017 International Conference in San Diego.  I've attended the last 4 conferences (not sure when they started doing them), and this one was pretty good.  Full disclosure: I am a member of the conference steering committee, so had some involvement in the planning of it.

On the 9th was the all day Chapter Leaders Summit, which brings chapter leaders from around the country (and world) to a day of training and sharing of information.  A change this year was that the Summit was live streamed to those who couldn't attend.  I thought this was a good summit, with some good sessions.  I think attendance was pretty decent as well.  My chapter, the South Florida Chapter, had 4 officers in attendance.

Thursday, October 12, 2017

2017 ISSA International Conference

Well, I just returned from the 2017 ISSA International Conference which was held Oct 9-11 in San Diego.  This was the 4th conference I attended.  I have been on the conference steering committee the last couple of times, and this time spoke on cyber resilience.

I'll be posting more on the conference shortly, as well as a posting on my presentation to provide people with the references and resources I used in my presentation.  I hope to get this all up by this weekend.

The 2018 Conference will be in Atlanta, but I'm uncertain about the date.

Tuesday, September 19, 2017

My first SANS/GIAC certification

I have several infosec certifications, but most are from ISC(2) and ISACA.

This past week I learned that I passed the test I took for a new GIAC certification: the GSTRT, which is for GIAC Strategic Planning, Policy, and Leadership.  It's tied to SANS's new MGT514: IT Security Strategic Planning, Policy, and Leadership, which I took last year.  At the time there was no cert, so I got to beta test the new exam.

Not having done any of the GIAC certs, this was a new experience for me.  GIAC allows you to bring your books with you, so I knew it was vital to prep for the cert.  I read and re-read my books and also created my own index of the books.  This was vital because one volume was devoted to leadership concepts, and it had a lot, many I wasn't familiar with when I took the course.  In many cases, they almost introduced a new concept every 2-3 pages!

I don't know my score yet, but am curious to learn how well I did.

Monday, September 18, 2017

"Hacker Summer Camp" 2017

This past July I went out to Las Vegas for the first time to attend some of the events referred to as "hacker summer camp": Black Hat, BSides, and Defcon.

Now, I did not attend Black Hat as the event was pretty expensive.  I did want to drop by the exhibit hall, but couldn't get in.  I did attend the ISSA and ISC(2) receptions tied to the event.  I was a little disappointed that ISACA made a big deal about being at Black Hat but didn't do a reception of some kind.

I mainly came to attend BSides and Defcon and stayed at the Tuscany Suites where BSides was being held, which I recommend.  This guaranteed you a ticket for BSides.  I also got the meal ticket deal (breakfast & lunch) at BSides, which made me a sponsor and got me earlier check-in at the sponsor table.  I also pre-ordered a t-shirt (recommended).

There were a lot of interesting sessions I attended.  I'll need to do another posting on some of the sessions I went thru and give more info on them.

Once BSides was over I attended Defcon.  This event was a bit overwhelming.  There was a big line for the trading post (cash only!), and I mainly wanted to get a t-shirt.  I was a little disappointed that the badge this year was a rubber badge, not an electronic one.  But many others had their own badge and I got a few.

Defcon is almost a collection of conferences.  There are main Defcon sessions, which are in HUGE rooms, four at a time.  Then there are a half dozen or so "villages" which have activities and their own sessions.  Skytalks was a good one, but there are villages for privacy & crypto, car hacking, IoT, and many others.  There was also a vendor area (but not open the first day).  There were many interesting vendors.  One I had met at BSides is HackerBoxes.

As I noted, a lot of groups, including some of the villages, had their own electronic badges.  I really wanted a few, but they were cash only.  I didn't consider that and didn't bring a lot of cash with me.  And using ATMs was expensive.  So next time I will bring a lot more cash.

I did some fun things, like solder a small badge at the Hardware Hacking Village (it wasn't the big electronic badge they had; missed out on that).  Had some interesting conversations with several people.  Met a few interesting people and groups.

Not sure if I'll go back next year or when I'll go back.  I would probably want to submit some talk proposals to BSides (I had thought of doing some this year, but wasn't certain if any I do would get accepted, but after seeing the sessions I should have submitted some).  I would again get a room at the Tuscany and had debated getting one just in case I decided to go.  Just don't know at this point.

I'll post some pics soon.

Wednesday, August 16, 2017

NIST releases DRAFT SP800-53R5

Recently NIST finally released the DRAFT of SP800-53R5.  800-53 is entitled Security and Privacy Controls for Federal Information Systems and Organizations and is the set of controls used in FISMA, the mandated set of infosec controls used in federal systems (tho many others use it as well, often times state and local governments, as well as government contractors).

This has been in the works for awhile now, and many expected this draft to come out several months ago.  The due date for comments is September 17, 2017.  They want to put out the final draft (second draft) in October, with the final version by the end of the year.

They note several changes.  They have incorporated privacy controls into this.  They have separated out the control selection process from the controls.  The Risk Management Framework is that control selection process.  By doing this, it more easily allows others to use the controls as is.  With the NIST CSF referencing the controls in SP800-53, it makes it easier for those using the CSF to use these controls.  It is actually called out that SP800-53 can be used with the RMF, CSF, and Systems Engineering Processes.

One big change was striking out "federal" from the title within the document, again as part of making the controls more accessible to non-federal users.

Wednesday, August 9, 2017

Sad news- Intel drops Edison, Galileo, Joule, Curie

I had previously posted about some of Intel's efforts to get involved in the IoT and Maker communities with their own products such as the Edison, Galileo, Curie and more.

At the recent DefCon conference I was chatting with the guy behind HackerBoxes and was sad to learn that Intel has recently dropped some of their efforts.  I took a look and found info that they are dropping production of the Edison, Galileo, Curie, and Joule products by the end of 2017 or mid 2018.

This is a bit disappointing.  I thought some of these had a lot of potential, and I think that if they haven't been as successful as they could have been that maybe Intel didn't do all they could to make these products successful.  I know Sparkfun had put out several items in support of the Edison.  I had hoped to see more published information on these items and there was a planned work on the Edison and Galileo that never came out.

As far as I can tell they are still supporting the Euclid product, but that's just not the same.

Does this end Intel's foray into this realm?  Hopefully not.

Tuesday, August 8, 2017

News on NIST CSF v1.1

I've previously posted on the NIST Cybersecurity Framework (NIST CSF) and the recent work to update it to v1.1.  I had attended the recent workshop held at NIST headquarters following the release of the Draft v1.1 and comments.  And I've been awaiting their report on the Workshop and a better idea as to what the next steps are.

Well, just before "Hacker Summer Camp" they released their summary and I missed it.  You can read it HERE.

Monday, August 7, 2017

New stuff coming soon

Been awhile since I've posted anything.  I was recently out in Las Vegas for what some call "hacker summer camp": BlackHat, BSides Las Vegas, and DefCon.  I had never been out there and had heard about it from several of my friends and associates who go out there almost annually.  For various reasons I haven't been able to, but made the point to get out there this summer.

I learned some interesting things, saw some interesting presentations.  So over the next week or so will have several postings on these items.

Wednesday, June 28, 2017

Better Business Bureau's work on Cybersecurity (CYBER$3CUR1TY)

While I was at the NIST CSF Workshop, something I learned about is the work being done by the Better Business Bureau on Cybersecurity, especially for small businesses.  This is under the tagline of CYBER$3CUR1TY.

Tho to be accurate, this is coming from the Council of Better Business Bureaus, which is the umbrella organization for BBBs in North America.

All of what they have may be found HERE.

Monday, June 26, 2017

A look at the NYDFS requirements for Cybersecurity

Hopefully most people have heard of the new NY State regulations on cybersecurity, usually referred to as the NYDFS regs, or "23 NYCRR 500" or the like.

These went into effect on March 1, 2017 and you can read the regs HERE.  It's just 15 pages.

Now, there are a lot of articles out there on the regs.  So I'm not so much interested in going over in detail what the regs say, but instead want to comment on what is here.

Monday, June 19, 2017


In June of 2015 the FFIEC (Federal Financial Institutions Examination Council) released the first version of their Cybersecurity Assessment Tool (CAT).  The FFIEC, for those not aware, is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions and is made up of 6 different agencies.

The FFIEC already has a set of works called the IT Examination Handbooks, about a dozen, which help set down standards for IT in several areas.  One of interest would be the Information Security one that was finally updated in 2016.

Thursday, June 15, 2017

NIST Cybersecurity Workshop 2017

In May 2017, NIST hosted another Cybersecurity Workshop.  This 2 day workshop was held as part of their process to update the Cybersecurity Framework.  This process actually started a year ago when NIST had a request for comments on how the framework was used, followed by a workshop to review that input and see if there was a need for an update.

A big question was should the update be incremental (a version 1.1) or major (a version 2.0).  The answer was more for an incremental update.

So this was followed by a draft v1.1 update at the end of 2016, followed by another request for comments on the draft, which led to this workshop to review the results and do further work to get to a finished v1.1.

Wednesday, June 14, 2017

BBC Micro:Bit

A new, interesting board aimed at helping kids get into programming is the BBC micro:bit.

They have setup a Foundation to support this device, and they have a lot of information on their website.

You can purchase them from several sources.  In the US, two sources are Adafruit and Sparkfun.  (See the website for a list of re-sellers worldwide.)  Both sell the board at about $15, tho you can get a "kit" that includes a USB cable and a battery pack for a couple more bucks.  Both sell an edge connector for the cards, but Sparkfun has one that allows for the board to be attached to a breadboard HERE.

Monday, June 12, 2017

HackMiamiCon5 Report

The weekend of May 20-21 2017, HackMiamiCon5 was held in Miami Beach at the Deauville Resort.  I've been to all 5 conferences and have spoken at the last 4.  Yeah, on Sunday I spoke on Cyber Resilience.

Overall, this was a good conference.  Unlike in the past, we actually had 2 tracks both Saturday and Sunday.  In the past, there was only one track on Sunday.

Tuesday, May 23, 2017

New Cybersecurity Executive Order

So by now hopefully most are aware of the recent Executive Order signed by President Trump.  While not numbered, it came out May 11th, which was just before the planned NIST Cybersecurity Framework Workshop.  Full title is "Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure".

So let's take a look at it.

It has 5 sections.  Sections 4 and 5 we can basically overlook.  Sec4 is definitions, while Sec5 is General Provisions.

Monday, May 22, 2017

Recent events

Am a little behind on posting on some very recent events.

Last week I was at the NIST Cybersecurity Workshop.  Lot of interesting things there.  Further, the prior week Trump signed an Executive Order on Cybersecurity that has an impact on things.

This past weekend I was at the HackMiamiCon5, where I also spoke on cyber resilience.  More on that as well.

Hopefully soon I will be speaking at an upcoming HackMiami meeting on various updates (the NIST CSF Workshop, recent EO, and some other regulations that have come out).

Friday, May 12, 2017

News and upcoming events

One of the news items floating around is the recently signed executive order regarding cybersecurity.  I haven't had a chance to really look over it, but hope to soon and will post my thoughts here.

There are a couple of upcoming events I will be at next week.

First off is the NIST Cybersecurity Framework Workshop at NIST HQ.  I look forward to that.  Should be a great opportunity to gather information, give input, and meet others.  I hope that impact of this new EO will also be covered.

Then next weekend is the HackMiamiCon5 in Miami Beach.  I'll be there, and be speaking on the second day on Cyber Resilience.  Look forward to that.

I will be posting on both events here on the blog, so be sure to check back.

Tuesday, April 11, 2017

Resources for presentation on IT Risk

As mentioned previously, I gave a presentation on IT Risk at the 2017 Security BSides Orlando Conference.  The title was "Risk: It's more than just a game from Parker Brothers".  I was trying to be a little cute and have a catchy title.

The talk was about IT Risk, and I was aiming it at infosec professionals.  My idea is that risk is important to understand, as we do security to reduce risk to the organizations we work for.  But I think too many infosec folks just don't have a good understanding of this.

Now, the talk was posted.  Not sure how well it comes out.  I'll update with a link.

But what I wanted to give here was information on the sources and materials I used for the talk.

Monday, April 10, 2017

BSides Orlando 2017 Report

Saturday, April 8, 2017, the 5th Security BSides Orlando conference was held.  This year there were several changes over past ones.

The conference was but one day.  The venue this year was Valencia College rather than University of Central Florida from the last two years.  The new venue led to a few minor changes in scheduling.  As there was really no venue for lunch, pizza and soda were provided for participants.

There were 3 tracks of talks.  A workshop track.  A CTF was held.  For the lockpick village this year, there were two additional challenges.  One was to unlock a room, another a box.  There were several vendors setup.  And the conference wrapped up with a keynote speaker: Tara Wheeler.

Wednesday, April 5, 2017

Upcoming Security Conferences for 2017

There are several conferences in South Florida (and other areas) that I plan to be at in the coming months, and am speaking at or hope to be.

BSides Orlando will be April 8th, but now moved to Valencia College-West Campus.  Also different this year is this will be a one day event, but will again be right before SANS Orlando.  I will be there speaking on the topic of Risk.  This talk is aimed at the entry level security professional to help them gain a better understanding of the importance of IT Risk in what we do in security.

The South Florida ISACA Chapter will be having their 10th WOW event on Friday, April 21st.  This will be an all day event at the FIU Biscayne Campus as usual.  Registration is already open and the focus is on "Emerging Threats in Cybersecurity".  Will be there.  Had hoped to speak, but didn't happen.

HackMiami will be back with their 5th conference on May 19-21, again at the Deauville Beach Resort in Miami Beach.  I will be speaking there on the topic of Cyber Resilience.

Further out, there is of course Black Hat, DefCon, BSides out in Las Vegas from July 22-30th.  I have never been out there, and plan to go out for BSides and DefCon.  Barring any financial issues.  I am also planning to submit for BSides.  Probably submit a few of my talks and see if any get picked.  Not sure if what I speak on would be accepted at DefCon.

Interestingly, ISC(2) has moved their Security Congress event out of being co-located with ASIS's conference.  This one will be September 25-27 in Austin, TX.  To be honest, I have no plans to attend this.  I felt their event was a bit pricey.

Now, ASIS, which is more for security folks who deal with physical security than information security, will have their conference September 25-28 in Dallas, TX.  ISSA is working with them to have infosec speakers at this event.  Kind of filling the void that ISC2 left.  And again, Infragard is co-hosting their annual conference there as well.  Sounds interesting, but again, I probably will not be at this event.  Just can't afford it.

ISSA will be having their 2017 International Conference in San Diego from October 9-11.  I am on the conference committee for this one again, and again submitted some talk proposals.  Unless one of my talks gets picked I'm not certain I'll go this year. [UPDATE: my talk on Cyber Resilience was picked]. I do want to go next year when it'll be in Atlanta.

Now, the only other conference this year I look forward to is a possible Security BSides happening in Southwest Florida, where I am from.  Heard about this at BSides Tampa and the group hopes to have this in Ft Myers.  I hope to hear more about it as I'd love to be involved.  The tentative time they are aiming for is June.

Another one I should mention is BSides Jacksonville.  This is usually held in October.  I've never been to one.

If any will be at the above ones I'll be at, stop by and say hi!

Wednesday, March 15, 2017

2017 SFISSA Security Conference Report

This past Friday, the South Florida ISSA Chapter held its 2017 Security Conference.  The chapter holds these every 2 years, and this year's event was our most successful one to date.

We had 4 tracks of talks, including a track of workshops (twice the length of a regular presentation), a breakfast and lunch keynote, and a CISO Panel of 4 local CISOs.

Wednesday, March 8, 2017

News on NIST's update to Cybersecurity Framework

As I have previously posted, and hopefully most are aware, NIST (National Institute of Standards and Technology) has released a draft for an update of the Cybersecurity Framework (CSF), to be v1.1.

Recently NIST held 2 webinars on the CSF, each an hour long.  One was an overview, and the other on the proposed updates.  The webinars had a limited number that could watch them live, but they have now put up the videos on their website.  Both are good to watch.

Wednesday, February 22, 2017

Memorial Healthcare pays $5.5 million HIPAA settlement

Well, at this point hopefully those in the infosec field, especially in the healthcare arena, are aware of the recent settlement by Memorial Healthcare (Hollywood, Florida) for $5.5 million.  This was for violations of HIPAA that resulted in the protected health information (PHI) of over 100,000 individuals being potentially exposed.  While not the highest penalty, certainly up there.

You can read the whole press release HERE.  As well as the settlement agreement HERE which includes the corrective measures they must take.

For me, this is notable as Memorial Healthcare is one of the local hospital groups in my area.  Now, I have no connection with Memorial, I do NOT have any inside information on them.  All I know is what I have read in the above articles.

Friday, February 17, 2017

BSides Tampa 2017 report

This past weekend, February 11th, I was in Tampa for the 4th BSides Tampa Conference.  This is my second time attending, and second time presenting.

Overall it was a good conference.  There were some differences from last year, most positive.  They clearly need to move to a larger venue.  This year and last were at the Stetson Law Center in Tampa.  This location has a nice facility, but is limited in parking, and there is no place to get lunch.  Last year they brought in KFC for everyone; this year it was food trucks.  But there were only 2 and I didn't have the time to get lunch before I had to do my session.

Thursday, February 16, 2017

ISACA's State of Cyber Security 2017 Report

Recently ISACA released the result of a survey as their State of Cyber Security Report 2017, part 1.  You can download it at their website HERE.

Part 1 focuses on topics like "workforce challenges" and "persistent skills gap".  Like many other groups, ISACA continues to push the narrative of a skills gap, and of course their solution is to train more folks in cybersecurity, ideally with their new set of CSX training and certifications.

Thursday, February 9, 2017

Commentary on Cyber Resilience

At the upcoming HackMiami5 conference I will be speaking on "Cyber Resilience".  I have been looking at this term over the last several months.  As an infosec/cybersecurity professional, I wanted to better understand what this "cyber resilience" is and how it fits in.

Now, at my talk at HM2017 I will be going into several "models" for cyber resilience and other resources, and I will NOT be posting that information here on my blog until sometime later.  So this posting, which may be part of a series, is more my thoughts on what cyber resilience is.

Now, the more or less standard definition I hear for cyber resilience is "the ability to recover from attacks quicker and keep losses to a minimum."

Friday, January 13, 2017

Upcoming Conferences in South Florida 2017

There are several conferences in the South Florida (and general area) that I plan to be at in the coming months, and some I hope to speak at.

The South Florida ISACA Chapter will be having their 10th WOW event on Friday, February 24th. [UPDATE: Friday, April 21st] This will be an all day event at the FIU Biscayne Campus as usual.  Registration is already open and the focus is on "Emerging Threats in Cybersecurity".

The South Florida ISSA Chapter will be having their biannual security conference on Friday, March 10th.  This will be an all day event at the Signature Grand.  Registration is open, sponsors are being lined up and a call for presenters is open.

BSides Orlando will be April 8th, again at University of Central Florida.  Unlike past years, this will be a one day event, but will again be right before SANS Orlando.

HackMiami will be back with their 5th conference on May 19-21, again at the Deauville Beach Resort in Miami Beach.

So some great events and I look forward to them.

NIST Cybersecurity Framework v1.1 is coming!!!

Well, NIST (National Institute of Standards and Technology) has announced an update for the Cybersecurity Framework (CSF).  The new version will be v1.1, an incremental update which was expected.

They have released a draft of this update for comments.

You may read about it HERE.  There is also THIS page that explains the update AND gives info on feedback, which has a deadline of APRIL 10, 2017, and where to send comments.

At that page you can read the draft in a couple of different versions.

What has been added/updated?

They added more stuff regarding supply chain.  They did a few tweaks on the Core.  I had hoped they would have gotten rid of the Implementation Tiers, but instead of dumping it or major work they did some tweaks to it.  And there is a new section on metrics and measurement.

I was disappointed they didn't update the Critical Security Controls references.  They are still listing v5, which is no longer valid, and the group that managed it is no more.  However, they note they are still updating all the Informative References, so hopefully that is just something that is in progress and will appear in the released version.

I had hoped that the HIPAA crosswalk that was done would be incorporated into the document, at least as an appendix.  And I think they should add a PCI DSS crosswalk.  Am told it exists, and think it would be good to include it.  Again, maybe this will be included in the final version.

Am debating if I should put together a talk on this proposed draft for upcoming conferences.

BSides Tampa 2017

I will be speaking at BSides Tampa 2017 this February.

The topic will be on "HIPAA for Security Professionals".  My aim is to introduce to security professionals what HIPAA is and what they need to know about it.  With the increased pressure on healthcare organizations and their third party vendors for information security, this is important.  Especially with HHS doing random audits going forward.

Hope to see many of you there.