Thursday, November 1, 2018

SFISSA's 2018 Hack the Flag and Chili Cookoff

The South Florida ISSA Chapter is again held our annual Hack the Flag/Chili Cookoff in October of 2018.  For the third year we were hosted at FIU's Graham Center on their main campus.

As always, we had 2 games, a beginner and an advanced.  We had a lockpick village.  We had food and drink.  And we had a keynote speaker!   Oh, and our chili cookoff.

Monday, October 29, 2018

2018 ISSA International Conference

This past week I attended the 2018 ISSA International Conference in Atlanta.  I've attended the last 4 conferences (San Diego, Austin, Chicago, Orlando).  There were good and bad points about this year's conference.  I'm not sure where the 2019 conference will be, but hope I can attend it as well.

The day before the conference, I attended the ISSA Chapter Leader Summit as the president of the South Florida Chapter.  I've attended the prior 4 as well.  I was at the conference with 3 other chapter officers, and I know we had 2 others from our chapter in attendance as well.

Monday, October 1, 2018

Security Maturity Models (Part 1 of 2)

At the 2018 BSides Miami conference I spoke on the topic of "Security Maturity Models".  In part, due to technical problems with the presentation, am presenting a lot of what I spoke on there.  This is a topic I continue to research and gather information on, so I may do an updated presentation at a future conference or possibly write an article for a journal.  Due to the amount of information, I'll be doing this as 2 postings.

What IS "maturity"?  We aren't talking about individuals (tho that's important), but about organizations.  From Wikipedia: "Maturity is a measurement of the ability of an organization for continuous improvement in a particular discipline."  Thus the higher the maturity, the higher will be the chances that incidents or errors will lead to improvements either in the quality or in the use of the resources of the discipline as implemented by the organization.  An 'immature' organization is often times in 'firefighter mode', they are a re-active organization.  Because they don't do things in a consistent manner, there is no "process", they often times cause many of the problems they later have to fix.  For instance, if an IT organization is building systems such that each is unique, this will make it harder for them to maintain those systems vs if they built systems in a consistent manner.

A mature organization would instead follow a process to build systems that enable them to be maintained.  A mature organization would be proactive.

We can see these principles in security when we build a information security management system or program.  Some security organizations are immature, being reactive.  Others are mature, being proactive.  And hopefully organizations are trying to work toward maturity.  If they understand this.

Many have created a variety of maturity models, in security and elsewhere.  Which is part of the problem.  Some models are focused on particular areas, such as security awareness or secure coding or endpoint protection.  Others are fairly high-level, others more detailed.  Many models are based on a widely used model, the Capability Maturity Model, developed by the Software Engineering Institute at Carnegie Mellon.

Let's start with this one from Blue Lava.  A fairly high level level model, ranging from reactive to proactive.  Immature/reactive organization are in the "blocking & tackling" level.  I think many can relate to that.  I did like how they have the next 2 levels.  Too often some will focus on compliance when the right target is to create a risk-based security program.  Compliance is NOT security.  Compliance should instead be seen as a measurement of security, an outcome of being risk-based, not the goal.

Moving on to another one, a little more complex.  Still 3 levels of organizations.  But here we assess orgs against 4 categories.  3 should be familiar: people, process, and technology.  People is who, both leadership and team members.  Process is how, how do we do what we do.  Technology is the means of doing those things.  I find the last (or is it first) category interesting: philosophy.  The why?  

A more complex model, here going with 5 levels of organization, which is something to be familiar with.  It builds off the 5 level Capability Maturity Model I mentioned.  We'll spend more time at the start of part 2 going into it.  But the names are pretty common to the CMM.  This one looks at the 3 categories of People, Process, and Technology.

And now we get an even more complex model, again using the 5-level maturity levels of the CMM.  But a difference here is the security aspect goes from basic to advanced.

Here is a high-level diagram of the CMMI, the Capability Maturity Model Integrated, which replaced the CMM.  It changed some of the level names.  I should point out that the 5th level is OptimizING. To often those who used the CMM as a basis overlook this and call it Optimized.  But that's wrong.  Its optimizing, as process improvement is ongoing, never stopping.

Now, some further overview of the CMM.  There is more to this model, as in levels 2 thru 5, there are various Key Process Areas that need to be met to be considered at that level.  Organizations usually start at level 1, then by completing these KPA they can move up the levels.  Some may never get past 3 or 4.  I was part of an IT organization that was formally access at Level 3.

So hopefully this has peaked some interest.  In the next part, I'll go into more depth on several maturity models in use:  CMM/CMMI, The Cybermaturity Platform, maturity models built into things like the NIST CSF and FFIEC CAT, and others.

Monday, September 24, 2018

Report on BSides Miami 2018

Saturday, September 22, 2018 we had our first Security BSides conference in the South Florida area: BSides Miami.  Hosted at i2 Labs on Biscayne Bay, we had two tracks of speakers, several panels, and about 80+ participants.

I spoke at the conference on the topic of Security Maturity Models.  Interestingly, the presidents of the South Florida ISACA Chapter and HackMiami also spoke at the conference.

For a first time conference, it was overall good.  There were problems, which will happen with a first time event.  I hope they address this for the next time, and I do hope there is a next time.  I was bothered by the emphasis on blockchain.  For my view, BSides should be a conference by and for the whole infosec community.  We should have sessions that appeal to and be of value to a wide range of folks: those getting into the field, mid-level folks, experienced folks, etc.  I do like that seeing other activities at BSides conferences, like job fairs, hack the flag games, lock picking, etc.  A blockchain track is one thing, but it shouldn't overwhelm the overall conference.

Do to the problems with my presentation, I'll be posting a summary here soon.

Friday, June 15, 2018

NIST releases v1.1 of the Cybersecurity Framework

Hopefully by this point most are aware that NIST released after much work the updated version of the Cybersecurity Framework (CSF), now version 1.1.  This had been worked on over the last 2 years, was the topic of 2 workshops at NIST headquarters and produced 2 drafts.

It added one categories and 5-6 subcategories, and updated other items, like the information references.  They have also done a revamp of the website for the CSF, adding more resources there.  I do look forward to more informational references to be added, such as crosswalks to PCI-DSS, Standard of Good Practice, and others.

They have now announced that for 2018, instead of a workshop at NIST HQ, there will be a 3 day conference held in Baltimore in November.  Its now the "NIST Cybersecurity Risk Management Conference" and they have registration open along with a call for presentations.

I hope to attend the event, and based on what they are looking for from speakers, I think this will be a valuable conference.  As NIST is also working this year to update several documents related to FISMA, will be interesting how this affects this.  SP800-37 is scheduled to be released in October, and the final draft of SP800-53R5 is planned for October as well.

Wednesday, June 13, 2018

Report on HackMiamiCon6

HackMiami held its 6th Conference in 2018.  And this year we had another new location, tho it wasn't the organizers fault.  :)  The previous location suffered a fire, so this year they moved to Seacoast Suites.  This limited them a bit, as the rooms were not as spacious as with the Deauville.  And there were few food options within walking distance as with the Deauville. 

That aside, I thought overall they had another great conference.  This year they did an electronic badge, but this was a limited-run add-on, due to cost.

Two days, both kicked off with keynote addresses.  Both were good, and the second day we had Jack Daniel, who is kind of the father of BSides.  There were a good mix of talks and presentations, even a few longer workshops in the evening.  I spoke on the second day on cyber resilience/disaster recovery.  With the recent hit by Irma in Florida (and Maria in PR), I felt this was a good topic. I think it overall went well.

Congrats as always to the HM folks for putting on this conference.  Am surprised that they have already set the date and location for the 2019 conference, and will be back at the Deauville!  Registration is even open on their website!

Monday, June 11, 2018

Report on BSides Orlando 2018

Security BSides Orlando was back in 2018, the 6th year.  There were some issues this year.  They have been tied, scheduling-wise, to SANS in Orlando, but this year they had a weird schedule of April 3-10, which is Tuesday thru Tuesday, rather Sunday-Saturday like schedule.  So they went with April 7, right in the middle.

The other issue was location.  After several years at University of Central Florida, last year they were at Valencia College.  This year they were at Full Sail University's Live Venue location in Winter Park.  And, yes, another one day event.

The Full Sail location was interesting.  They added a lot of other activities to the schedule, which was nice, but I was sadden that this limited the number of actual talks, as this decreased the number of rooms available, so instead of having 4-5 talk tracks, there were only 2.  I had submitted several proposals, and none were picked.  So this was a personal disappointment for myself.

This year they did an electronic badge, which required participants to solder the items on the board.  They had a station setup to solder them, with people helping, which was great.  Probably needed to have a few more soldering irons, but still nice.  The blue badge was for participants, red was staff/volunteers.  Then they added a plastic hanger below to indicate speakers, sponsors, etc.

Here is a shot of the t-shirt and program book.

Overall a great event this year.  I look forward to next year's event.  SANS has set the date for SANS Orlando, so hopefully the BSides Orlando folks can set their date for next year's event.

Tuesday, March 20, 2018

Critical Security Controls v7 RELEASED

I have previously posted on the Critical Security Controls, which many still incorrectly called the "SANS Top 20" and the like, tho SANS hasn't been managing them for some time.  The current org that manages them is the Center for Internet Security, which has overseen them since around 2015.  They previously put out v6 and after about a year working on the have released v7.  You can download them from the CIS website, along with other materials.

I haven't had the chance to full look at v7 and take a look at the differences from v6.  There are still 20 "controls", but they've done some rearrangement and have made tweaks to the "subcontrols" by adding, spitting, merging, moving (from one control to another), rewording, or deleting some.

Monday, March 5, 2018

March Updates on Frameworks & Standards

Last month I posted some information on several information security framework/standards being updated and sense then there have been updated on all of them.  So here we go:
  • NIST CSF v1.1.  The second draft was released at the end of 2017, and we just wrapped up the comment period on this.  I believe the plans are to review and hopefully come out with the final release in a few months.  Not clear when.  They have also set a tentative date for the 2018 workshop as September 11-13 in "the DC area".  Now NIST headquarters is in Baltimore, so does that count as the "DC area"?  I should also point out that NIST has done a great job of revamping their NIST CSF website, with some more info.

  •  NIST SP 800-53 and 800-37.  NIST is also working on updated for a couple of important documents in FISMA/RMF.  SP 800-53 is the controls, and has now been expanded to include privacy controls as well as security. SP 800-37 defines the Risk Management Framework, and should also have info on how the RMF can work with the CSF.  As I had noted, the original plan was to come out with a second draft at the end of last year after they put out the discussion draft, but it slipped.  We were promised they they would re-asses and put out new dates, which they have: 
  • NIST Special Publication 800-37, Revision 2 (Risk Management Framework)
  • Initial Public Draft:  May 2018
  • Final Public Draft: July 2018
  • Final Publication:  October 2018
  • NIST Special Publication 800-53, Revision 5 (Security and Privacy Controls)
  • Final Public Draft:  October 2018
  • Final Publication:  December 2018
  • NIST Special Publication 800-53A, Revision 5 (Assessment Procedures for 800-53)
  • Initial Public Draft:  March 2019
  • Final Public Draft:  June 2019
  • Final Publication:  September 2019
  • FIPS Publication 200, Revision 1 (Minimum Security Requirements)
  • Initial Public Draft:  October 2018
  • Final Public Draft:  April 2019
  • Final Publication:  July 2019
  • FIPS Publication 199, Revision 1 (Security Categorization)
  • Initial Public Draft:  December 2018
  • Final Public Draft:  May 2019
  • Final Publication:  August 2019

  • CIS Critical Security Controls.  Better known as the "SANS Top 20", the Critical Security Controls are now managed by the Center for Internet Security.  The current version is 6.1 and they are working on a v7.  I had seen stuff on their site last year about this, but it disappeared, so I thought the effort was dead.  They put out a draft of v7 out with a short comment period.  And are rolling out v7 on March 19th in DC (or you can attend on-line).  So that is pretty quick
The only thing I am concerned is that both SP800-53 and the CSC are Informational References in the NIST CSF.  If they come out with new versions, will the Information References in the CSF be updated to these new versions?  I hope they will be.  Now NIST has on their new CSF website an on-line version of the Informational References that allows them to expand them.  Tho why they didn't include the HIPAA crosswalk here I don't know. Still awaiting the official PCI-CSF crosswalk to be made available as well.

As I learn more about these new updates, I'll be blogging about them.  I look forward to getting my hands on v7 of the CSC due to what I read in the draft version.

Wednesday, February 28, 2018

Report on BSides Tampa 2018

On Saturday, February 17th, I was in Tampa for the 5th Security BSides Tampa Conference.  This was my third time attending, and my third time speaking.  I spoke on the topic of the new "SOC for Cybersecurity" report.  I'll do a separate posting on this report, giving resources.

This conference had about 700 registered people there, not sure how many where there.  As with the prior couple of conferences, it was again held at the Stetson College of Law center in Tampa.

There were 5 tracks, a capture the flag game, lockpick village, training, and a recruitment track again.  Several great speakers.  Jack Daniel, Ira Winkler, Greg Hanis, and more.  I also had some good conversations with several people.

There were some problems last year, and I think they did a good job of addressing these.  My only personal complaint was it being on President's Day Weekend due to other commitments which I had to miss on.  Hopefully what ever date they pick next year won't conflict for me.

Monday, February 26, 2018

Report: The State of Cybersecurity in Florida

Just recently The Florida Center for Cybersecurity released their 2017 report, The State of Cybersecurity in Florida.

So what IS The Florida Center for Cybersecurity?  It's a statewide agency located at USF in Tampa that works with all State University System of Florida institutions, industry, the military, government, and the community to build Florida's cybersecurity workforce.

The report is the first they've done.  It looks at the cyber threat environment, workforce supply and demand, education and training opportunities, and research initiatives within the State of Florida.

In particular, here are some of its findings (and my comments):

Thursday, February 22, 2018

Report on ISACA South Florida's WOW Event

The South Florida Chapter of ISACA has been holding an annual one-day conference each year in February known as the WOW! Event.  In 2018, they held their 11th conference on Friday, February 16th at FIU's Koven Conference Center at their Biscayne Bay campus.

This year's theme was "The InfoSec of Things: Emerging issues in Privacy and Security".  There were about 250 people in attendance for the day, with several speakers and a panel discussion with several local CISOs.

Speakers included:

Tuesday, February 20, 2018

Report on SecureMiami 2018

On Saturday, February 10, 2018, DigitalEra hosted their second "annual" security event, Secure Miami at FIU, co-located with Brew Miami.  Their first event was in December of 2016.

Attendance was pretty good at this event, with about 350 registered to attend.  This year they moved it to the larger Graham Center in the University Center.  Lunch was provided.

There were several security vendors in attendance.  The South Florida ISSA Chapter assisted, so we were there with a booth. 

Speakers were a good selection of national level folks, along with a panel discussion with various security leaders.  These included:  Malcolm Harkins with Cylance, Hollis Howell from Rapid7, and Kevin Reardon with Symantec.  Panelists were from FIU, Trapezoid, Network Health, and Trend Micro.

Overall, a very nice half-day security event.  I believe DigitalEra is planning on doing this again next year, and I look forward to it.

Tuesday, February 6, 2018

Framework/standard updates coming

Well, it's early 2018 and there are several information security framework/standards being updated:
  • NIST CSF v1.1.  The second draft was released at the end of 2017, and we just wrapped up the comment period on this.  I believe the plans are to review and hopefully come out with the final release in a few months.  Now I think we will also see another workshop held in conjunction with this, we just don't know exactly when.

  •  NIST SP 800-53 and 800-37.  NIST is also working on updated for a couple of important documents in FISMA/RMF.  SP 800-53 is the controls, and has now been expanded to include privacy controls as well as security. SP 800-37 defines the Risk Management Framework, and should also have info on how the RMF can work with the CSF.  Now the plan was to come out with a second draft at the end of last year after they put out the discussion draft, but it looks like the schedule has slipped.  If you read on-line, it looks like they need to re-assess the amount of work needed.  I do expect we will see these done this year, but no idea when at this point.

  • CIS Critical Security Controls.  Better known as the "SANS Top 20", the Critical Security Controls are now managed by the Center for Internet Security.  The current version is 6.1 and they are working on a v7.  I had seen stuff on their site last year about this, but it disappeared, so I thought the effort was dead.  Now they have a draft of v7 out with a short comment period (about to end).  It's not clear when they expect the final version to come out but clearly will be this year
The only thing I am concerned is that both SP800-53 and the CSC are Informational References in the NIST CSF.  If they come out with new versions, will the Information References in the CSF be updated to these new versions?  I hope they will be.  Still awaiting the official PCI-CSF crosswalk to be made available.

As I learn more about these new updates, I'll be blogging about them.

Monday, February 5, 2018

Healthcare Industry Cybersecurity Task Force report- June 2017

Recently a report came out from the "Health Care Industry Cybersecurity Task Force".  This group was formed by Congress as part of the Cybersecurity Act of 2015.  The task force is made up of a diverse group from the healthcare industry, taking a look at the state of cybersecurity and how it can be improved.

You can read the report HERE.

At nearly 100 pages, it's a bit much to slog thru.  At a minimum, read over the executive summary.  As someone who works with healthcare clients, their findings are not a surprise to me.  They have a figure:

which points out some of this issues.  Lack of talent- yes.  Not that there is no talent, but that many orgs don't have enough people on board.  Smaller orgs can't afford to, sometimes outsourcing their IT to vendors who themselves may not have the right skills.  (it's one thing to go with a managed security service provider who hopefully knows healthcare, it's another to go with some local IT guys who has no idea of security or the issues facing healthcare)
Legacy equipment- wow.  yes.  Big problem as the vendors aren't supporting or updating these systems, and the orgs can't.  Most orgs don't understand that there are some solutions (isolated networks and the like) for this.  Over-connectivity ties back to lack of talent.  When you don't have people on board who can properly set things up, problems will arise.  Vulnerabilities impact- this is stuff like ransomware and the like hitting groups, which often was caused by not have the right talent in place to get things in a good shape.

Some of these actually interconnect.  Healthcare IT is behind everyone else.  Too many organizations have, for various reasons, not invested in IT.  This means they have not worked to get enough people on board with the right skills and given them the budget to setup things up well.

They define 6 imperatives:

  1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity.
  2. Increase the security and resilience of medical devices and health IT.
  3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
  4. Increase health care industry readiness through improved cybersecurity awareness and education.
  5. Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.
  6. Improve information sharing of industry threats, weaknesses, and mitigations.
The report spends quite a bit of time on a variety of recommendations and action items off of these imperatives.

Check it out and add your comments.

Friday, February 2, 2018

Upcoming Conferences in early 2018

There are several local security conferences coming up in my general area, some of which I'll be speaking at.

Here are the ones over the next few months:

* SecureMiami 2018, co-located with BrewMiami.  Organized by DigitalEra, this is the second time for this half day event at the main campus of Florida International University.  Held on Saturday, February 10th.  Registration is open NOW and I encourage people to attend.

* ISACA South Florida Chapter's 11th WOW Event is coming up on Friday, February 16th at FIU's Biscayne Bay campus.  The theme: The InfoSec of Things: Emerging issues in Privacy and Security, and have great lineup of speakers.  So register NOW.

* BSides Tampa 2018 is coming up Saturday, February 17th again at Stetson Law in Tampa.  I will be speaking here on the topic of "SOC for Cybersecurity".  I think they are sold out, but check anyway.

* BSides Orlando 2018 is coming up on Saturday, April 7th.  Location this year will be Full Sail Live Venue in Winter Park.  CFP is open, and I've submitted some proposals, and registration is open NOW.

* HackMiamiCon6 is coming up May 18-20.  This year they will be at Sea Coast Suites in Miami Beach.  I will be speaking there on protecting your organization with resilience and disaster recovery.  Registration is open NOW.

So, there are more coming down the road.  Stuff in the summer and stuff coming up in the Fall, especially in October do to Cybersecurity Awareness Month.

Check back for more.  I will be doing postings reporting on these events after they are done.