Michael on Security: Thoughts and ideas (and news) on information and IT Security (feed last updated 2024-03-16)
Michael Brown, 2021-01-18: Forward into 2021<p>Well, here we are in 2021. A lot has happened to all of us this past year. I think all the security conferences I usually attend were, from March on, either cancelled or went virtual, and it looks like the same will occur through some of this year.</p><p>I've also been behind in trying to post regularly on this blog. I hope to address this and aim to post at least twice a month. I am planning on tackling some additional certifications in the cloud and privacy areas and will be posting on this, as well as on areas I have an interest in. Further, I plan on presenting at upcoming conferences and events, so will be posting on that.</p><p>Here in Florida, I know that BSides Tampa will be virtual in 2021, and I have proposed a few ideas. Not sure about BSides Orlando. South Florida ISSA does plan on doing their Hack the Flag, hopefully live. Both SFISSA and HackMiami will be having regular meetings on-line, as will South Florida ISACA.</p><p>If anyone has any ideas or suggestions, please post them.</p><p><br /></p>Michael Brown, 2020-02-17: Upcoming Security Events in Florida<br />There are several upcoming information security events in Florida that some may not be aware of.<br />
<br />
First up is the <b><a href="https://engage.isaca.org/southfloridachapter/home">South Florida ISACA Chapter</a></b>'s annual <b>WOW event</b>. This is the thirteenth year of the event. It will be held on Friday, February 21st, 2020, again at FIU's Kovens Conference Center at their Biscayne Bay campus. This is a single-track conference, with various speakers and a panel discussion. It's usually a good event, and I plan on being there.<br />
<br />
Next up is <b><a href="https://bsidestampa.net/">Security BSides Tampa</a></b>. Now in its seventh year, it will be held Saturday, February 29th, 2020 at the Embassy Suites on the USF campus in Tampa, with training sessions on Friday. This is a multi-track conference, with tracks including CISO, Cloud, and a job fair. They also have other activities like a CTF, lockpicking, and more. This is a pretty good event. Sadly, I don't plan on attending this year.<br />
<br />
Then there is <b><a href="https://bsidesorlando.org/2020/">Security BSides Orlando</a></b>. This will be Saturday, April 11, 2020 at Full Sail University's Live Venue. I believe they are planning on doing training sessions on Friday. The schedule hasn't yet been announced. They also have other activities like a CTF, lockpicking, and more. This is also a pretty good event, and it seems BSides Tampa and Orlando are some of the largest BSides events outside of Vegas. I'm not sure at this point if I'll be going.<br />
<br />
Finally, there is <b><a href="https://hackmiami.com/">HackMiamiCon</a></b>. This time it will be Saturday, May 30th, 2020 at the Broward Library, with training events on Friday. This is a change of venue from hotels on Miami Beach, so it remains to be seen how this works out. They should have other activities like a CTF. This is also a good event. Due to a conflict with another event, I may not attend this year.<br />
<br />
These are all great events and I encourage folks to check them out and attend.<br />
<br />
<br />Michael Brown, 2020-02-12: 2020 SecureMiami Conference<br />This past weekend I attended the <b>2020 SecureMiami Conference</b>. This was the fourth time this conference has been held, again at FIU's Graham Center and co-located with BrewMiami, held later that day at the FIU stadium. I've been to all of these events, promoting the <b><a href="https://www.sfissa.org/">South Florida ISSA Chapter</a></b>, and had a good time.<br />
<br />
This event was organized by <b>DigitalEra</b> and again had a great number of speakers and panels, and a good set of sponsors and exhibitors. <br />
<br />
I enjoyed <b>Jorge Orchilles</b>' talk. He is a past president of our chapter. Hacker <b>Hector Monsegur</b> was the final speaker; I wasn't previously aware of him. He gave a great talk from the point of view of a former 'black hat' who has become a 'white hat'.<br />
<br />
I look forward to next year's event. This one sold out quickly, with a large waiting list. Will they move to a new location because of this?<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhe1f3kxT7voeI1qwD79dNqijpeSbKsiq6yswu9c14R9gavzR9X25-ce276x3pDgvrH72gZPGbxaLkYXgNSf0iGYVavz-2OlN0DN9frgyBU_8L4-NRylfbsiMezWd6H57FyL9U2HbSRfuFK/s1600/2020-02-08+19.57.52-b.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1200" data-original-width="1600" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhe1f3kxT7voeI1qwD79dNqijpeSbKsiq6yswu9c14R9gavzR9X25-ce276x3pDgvrH72gZPGbxaLkYXgNSf0iGYVavz-2OlN0DN9frgyBU_8L4-NRylfbsiMezWd6H57FyL9U2HbSRfuFK/s400/2020-02-08+19.57.52-b.jpg" width="400" /></a></div>
<br />Michael Brown, 2020-02-10: 2020 Update<br />Here we are in 2020, and there are many updates to go over. I plan on further postings on several of these items, and need to get back into blogging here with more regularity.<br />
<br />
Here are some of the new things that are out.<br />
<br />
<b><a href="https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act">CCPA</a></b>. Privacy as an issue just seems to get bigger and bigger. Even as a security professional I find myself being pulled into it. I wonder if I need to join <b><a href="https://iapp.org/">IAPP</a></b>, maybe even study and get one of their certs. We had the <b><a href="https://en.wikipedia.org/wiki/General_Data_Protection_Regulation">GDPR</a></b> that took effect in 2018. I really thought more companies would address it, but just didn't see that. Now California has come out with their CCPA law. CCPA is not quite "California's GDPR": it's not a broad privacy law, but one aimed at consumer data. I've seen some companies be concerned about it, but not as many as I thought. But I am sure I'll be getting more into it.<br />
<br />
<b>NIST Privacy Framework</b>- NIST has been working on this for the last year and released <a href="https://www.nist.gov/privacy-framework/privacy-framework"><b>v1.0</b></a> recently. I have a copy and am reading over it. I plan on giving a talk at an upcoming local meeting, and may do a conference talk about this as well. I am hoping I'll be able to attend NIST's upcoming cybersecurity conference, as I'm sure it will be a topic of discussion. We'll have to see how well this works in helping companies prepare for privacy regulations.<br />
<br />
<b>FISMA Updates</b>- NIST is still working on the updates for the documents used for FISMA. The next one they are working on is SP 800-53 Revision 5. We don't have a release date, but I hope it will be soon, as they've been working on it for so long. Once it's out, we should see other documents that rely on it, such as SP 800-53A and 800-53B, a new version of SP 800-171, and others. All we have so far on this is <a href="https://csrc.nist.gov/projects/risk-management/schedule">THIS</a> page.<br />
<br />
<b>DoD CMMC</b>- At the end of January the DoD released the first version of their <a href="https://www.acq.osd.mil/cmmc/index.html">Cybersecurity Maturity Model Certification (CMMC)</a>. This is an interesting item: it's a certification for vendors to the DoD. From a quick read, it combines the <b>CMM/CMMI</b> 5-level maturity model with the categories of <b><a href="https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final">NIST SP 800-171</a></b>, which is about protecting controlled unclassified information (CUI). SP 800-171 is in turn based on the control set of SP 800-53. I plan on posting on this and may do a presentation as well.<br />
<br />
<b>PCI-DSS v4</b>- yes, there is a new update of PCI-DSS coming. I first heard about this a couple of years ago. This should be a revamp of PCI-DSS. I just have no idea what it will look like until it's released, which I expect sometime this year. I don't have an inside track; I just know from reading here and there that it's getting closer to release. Yes, I hope to be posting on this as well.<br />
<br />
There are several events coming up in my general area, and I will be posting on these soon.<br />
<br />Michael Brown, 2019-04-09: 2019 Security BSides Orlando<br />On Saturday, March 30th, the <b>2019 Security BSides Orlando</b> conference was held. This was the sixth one, and the largest yet; I believe they had over 700 in attendance. As last year, it was held at <b>Full Sail University</b>'s Live venue. <br />
<br />
This year there were four tracks of speakers, along with several workshops and a CTF. Several sponsors were in attendance. No job track this year.<br />
<br />
There was a book signing for the book <i>Tribe of Hackers</i>, as three of the hackers featured in the book were in attendance.<br />
<br />
And there was an electronic badge again this year, but this time it was a little more complex and programmable. <br />
<br />
No idea where next year's event will be, but it will probably be tied to SANS Orlando again.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0s_idSuMeCkCrO7UFHIZLQeU-BuceHKlEqiCLGXucNTYeAhARrkTrbF3dq45bYyuHtYmIi6DYVpjyD0u1JbzwtXEvBcu-6uwpE23PbuPxxX87XHuCIV6-XA4WE5xrO2S2RNtJHHuQ9U8r/s1600/2019-03-31+14.21.28.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1200" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0s_idSuMeCkCrO7UFHIZLQeU-BuceHKlEqiCLGXucNTYeAhARrkTrbF3dq45bYyuHtYmIi6DYVpjyD0u1JbzwtXEvBcu-6uwpE23PbuPxxX87XHuCIV6-XA4WE5xrO2S2RNtJHHuQ9U8r/s320/2019-03-31+14.21.28.jpg" width="240" /></a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5gap-cuXBMDmKrESqCa8gxD3SeJHI_x2cprZvTCkoXhOio1zwU4WDXFexEEwZm0VKfYaECo7JT1wGjW-ojRF8bOzJuYNzcs1Bf0jmC7zNLi_Z1EvdCwBgPIhnlNrtKlXyhyEXN26QqlNO/s1600/2019-03-31+14.21.39.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="1600" data-original-width="1200" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5gap-cuXBMDmKrESqCa8gxD3SeJHI_x2cprZvTCkoXhOio1zwU4WDXFexEEwZm0VKfYaECo7JT1wGjW-ojRF8bOzJuYNzcs1Bf0jmC7zNLi_Z1EvdCwBgPIhnlNrtKlXyhyEXN26QqlNO/s320/2019-03-31+14.21.39.jpg" width="240" /></a></div>
Michael Brown, 2019-04-04: SFISSA Security Conference<br />On March 22, 2019, the <b><a href="http://www.sfissa.org/">South Florida ISSA</a></b> held their biannual <b><a href="http://www.sfissa.org/sfissaconference">2019 Security Conference</a></b>. This time the theme was "A New Year, a New Era of Cybersecurity".<br />
<br />
The conference had four tracks of speakers, as well as a two-hour workshop on your cybersecurity career. A keynote address was given by <b>Dave Aitel</b> of Cyxtera, and a CISO panel was held with four local CISOs from different companies.<br />
<br />
An array of sponsors were present as well. Breakfast and lunch were provided, and everyone had a great time.<br />
<br />
The next event of the chapter will be their annual <b>Hack the Flag/Chili Cookoff</b> held September 7th at FIU's Graham Center.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfnOv-T0ToSAEJBauu1mLkx8U63Efte7LvH_bv1buQekFjHCHsetOJJMaXQFrPD9mhD55gGVp4uwoqE4NNZh0yvww7b0AwiEoR3JnSEVmMYR6X_cotN7CZUDxgsNApdl47_Cxyh5dm-w50/s1600/2019-03-22+14.38.30.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1200" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfnOv-T0ToSAEJBauu1mLkx8U63Efte7LvH_bv1buQekFjHCHsetOJJMaXQFrPD9mhD55gGVp4uwoqE4NNZh0yvww7b0AwiEoR3JnSEVmMYR6X_cotN7CZUDxgsNApdl47_Cxyh5dm-w50/s400/2019-03-22+14.38.30.jpg" width="300" /></a></div>
<br />Michael Brown, 2019-02-20: 2019 Update on frameworks, standards, and regulations for infosec<br />At the <b>2019 BSides Tampa</b> security conference I did a talk on <b>2019 Updates on frameworks, standards, and regulations for infosec</b>. Over the last year several new and updated frameworks and regulations have come out, and others are being updated.<br />
<br />
Most of the information can be found on the Internet, but if you're not making an effort to stay up to date, you can miss something. So here I give links to much of the information I gave.<br />
<br />
<b>NIST</b> is the <b>National Institute of Standards and Technology</b>, a non-regulatory part of the Department of Commerce. They are doing a lot of things that impact us in infosec. Most are hopefully familiar with the <b>Special Publication 800</b> and 1800 series that are put out on a regular basis. Several are being developed, updated, and in a few cases retired. Go <b><a href="https://csrc.nist.gov/publications/sp">HERE</a></b> to access all of them.<br />
<br />
The <b>NIST Cybersecurity Framework (CSF) </b>was updated to version 1.1 last year, and they later had a cyber risk conference in October. It just had its 5th anniversary, too. For full info on the CSF, and any updates and the like, go <b><a href="https://www.nist.gov/cyberframework">HERE</a></b>. One element I am looking forward to is an update to informative references that will add additional references (such as crosswalks to PCI-DSS, Standards of Good Controls, etc). Hopefully we'll start seeing these coming out.<br />
<br />
<b>NIST Privacy Framework</b>. NIST has embarked on creating a privacy framework like they've done for cybersecurity. This work has just begun, and they are working on a preliminary framework which we should see soon. I would hope there will be further workshops and feedback before the final version is out. To see where they are, go <b><a href="https://www.nist.gov/privacy-framework">HERE</a></b>.<br />
<br />
<b>FISMA</b> is the Federal Information Security Management Act. It basically sets down security standards for federal information systems. NIST has developed the materials for this: the Risk Management Framework (SP 800-37), the control set (SP 800-53), and other materials. They are working on updating these, having just come out with the latest version of the RMF. The control set is next, with others to follow. Go <b><a href="https://csrc.nist.gov/projects/risk-management">HERE</a></b> for their page on this work. The schedule is <b><a href="https://csrc.nist.gov/Projects/Risk-Management/Schedule">HERE</a></b>.<br />
<br />
<b>Baldrige Cybersecurity Excellence Builder</b> is a combination of NIST's Baldrige Excellence work crossed with their CSF. It was rolled out in 2017, and should get an update this spring. You can download it for free <b><a href="https://www.nist.gov/baldrige/products-services/baldrige-cybersecurity-initiative">HERE</a></b>, and there is info on how others have used it successfully.<br />
<br />
<b>NIST OSCAL</b> (Open Security Controls Assessment Language) is an interesting project that attempts to create a common, machine-readable language for security controls and their assessment. This is a project I want to spend more time looking into myself. More info on their website <b><a href="https://pages.nist.gov/OSCAL/">HERE</a></b>.<br />
<br />
Hopefully most have heard of the "Critical Controls" or the <b><a href="https://www.cisecurity.org/controls/">"Critical Security Controls"</a></b>. Maybe you've heard them referred to as the "Top 20" or the "SANS 20" or the like. While they were started by SANS, SANS no longer manages them. For the last few years they have been handled by the <b><a href="https://www.cisecurity.org/">Center for Internet Security</a></b>, which rolled out v6 and, in early 2018, v7. They have reorganized the controls into three groups: Basic, Foundational, and Organizational. They have been putting out other resources for the controls, including <b><a href="https://www.cisecurity.org/blog/cis-csat-free-tool-assessing-implementation-of-cis-controls/">CSAT</a>,</b> a self-assessment tool. They are working on a v7.1, and I expect more resources coming from CIS. So keep your eye out for them, as they just rolled out a companion guide for cloud (go <b><a href="https://www.cisecurity.org/white-papers/cis-controls-cloud-companion-guide/">HERE</a></b>) and are working on another for IoT.<br />
<br />
<b>ISO/IEC 27000</b> is the international standard series for information security. This series is made up of about 50-60 documents in various states of work. Sadly, the documents are not free, and the cost is over $100 for each. The key documents are usually 27001 and 27002: 27001 sets down the ISMS (Information Security Management System) requirements and 27002 is the control set (compare with SP 800-53). As several of the documents are being worked on, it's hard to keep up. <b>ISO/IEC 27005</b> got updated. My go-to site to keep up to date on this is <b><a href="http://iso27002security.com/">iso27002security.com</a></b>.<br />
<br />
Privacy regs (GDPR & California). Privacy is getting more and more important. While we work in security, we often get pulled into privacy work as well. <b>GDPR (General Data Protection Regulation)</b> of the EU was rolled out last year. And we've already seen some big companies get in trouble. While I see a lot of groups pushing GDPR training and the like, as a consultant I'm not seeing a lot of clients asking for help. Yet. California is rolling out their regulation, which isn't in effect yet. We'll see if other states will roll out or update their privacy regulations.<br />
<br />
One I left out of my presentation is <b>23 NYCRR 500</b>, the <b>New York Department of Financial Services (NY DFS)</b> regulation on cybersecurity. Rolled out a couple of years ago, the various elements of the regulation have been phased in slowly, with the last one required this March. This regulation expects covered companies to do certain things to protect NPI (non-public information), such as have a security program and policies, do pentesting and vulnerability scanning, have a CISO, do training, have an incident response plan, have a vendor management plan, etc. This may be a model for other states. You can read it all <b><a href="https://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf">HERE</a></b>.<br />
<br />
Now, there are some other items that aren't pure infosec/cybersecurity, but do touch on it, so should be mentioned.<br />
<br />
<b>CMMI, the Capability Maturity Model Integration</b>. The original CMM was for assessing the maturity of software development; it was later expanded to other areas and merged into the CMMI, with Development, Services, and Acquisition versions. The <b>Software Engineering Institute</b> at CMU developed it, and it used to be available for free or via books. But they moved the CMMI to the <b><a href="https://cmmiinstitute.com/">CMMI Institute</a></b>, which was recently bought by <b>ISACA</b>. They've rolled out CMMI v2.0, but it's available as a SaaS product, and no longer free. The CMMI Institute has also rolled out a <b>Cybermaturity Platform</b>, again as a SaaS product. I'd like to learn more about it, but that is hard to do.<br />
<br />
<b>COBIT</b>, which is ISACA's framework for governance of enterprise IT, has been updated to <b><a href="http://www.isaca.org/COBIT/Pages/default.aspx">COBIT 2019</a></b>. They've rolled out the new books, and hopefully other materials will be updated to COBIT 2019.<br />
<br />
<b>ITIL</b> is a framework for IT service management, which includes infosec. The current version is ITIL v3 (updated in 2011). It's being updated to a new version, <b><a href="https://www.axelos.com/itil-update">ITIL 4</a></b>. So far only the foundation certification material has been updated. Hopefully they will update the five main books this year.<br />
<br />
<b>PCI-DSS</b> is the standard for assessing credit card processing systems. The current version is 3.2.1, a minor update tied to the SSL/early TLS migration deadline. Well, the next version, v4, is going to be coming out, but not for another year or so. It will be a very different version, but info on this is hard to find. I am sure as we move further along we'll learn more.<br />
<br />
Hopefully this is useful for others. As I learn of new updates, I'll make further postings.<br />
<br />
<br />Michael Brown, 2019-02-13: 2019 Secure Miami<br />This past weekend I attended the <b><a href="https://securemiami.com/">2019 Secure Miami</a> conference,</b> the third edition of this local cybersecurity conference. Organized by <b><a href="https://www.digitaleragroup.com/">DigitalEra</a></b> and held at <b>FIU</b>, it was also tied to <b>BrewMiami</b>, held later that day at FIU.<br />
<br />
This was a full-day event held in FIU's Graham Center with keynote speakers and panel discussions. As I've been to the prior events, I felt this one was as good as or better than the last one.<br />
<br />
On the panel discussions, topics covered included the "cybersecurity skills gap", "managing visibility and compliance" and "smart cities". The skills gap discussion was interesting, as I know several people who struggle to find work, and our hiring process in IT/infosec is broken. I had a good chat with one of the people on the panel about the <b><a href="https://www.nist.gov/itl/applied-cybersecurity/nice/events/nice-conference-expo">NICE conference</a></b> that we had at FIU and learned the next one will be in Phoenix. The smart cities one got into the matter of IoT security and the like. We'll see where that goes.<br />
<br />
On the keynotes, they had an interesting one given by a former FBI agent about his experiences, and another about artificial intelligence. AI was a topic I had a keen interest in during college but drifted away from; it seems to have become more of a topic in infosec. I need to get back on top of that.<br />
<br />
Afterwards many of us headed over to the BrewMiami event and chatted and had fun. Another great event. I look forward to next year's event, as well as other upcoming events in the area: <b><a href="https://engage.isaca.org/southfloridachapter/home">ISACA South Florida's WOW event</a>, <a href="https://www.infragardsofl.org/">Infragard South Florida's next meeting</a>, <a href="https://www.sfissaconference.com/SFISSAConference">South Florida ISSA's Conference</a></b> and <b><a href="https://www.hackmiami.com/">HackMiamiCon</a></b>.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQYXac8jEKotcq8jXvBQMbDgwDPT6sokSrTQCCAlMxfJqq4JmsqT4lDkJwBiKTOwRHHHhl5PQka11SVKaosjH9-V9kwOy7P_lFV4Y37UHglgLs4QlHLlG7JuBS0dKrg-l8RyUVdUXmjFxl/s1600/2019-02-10+11.14.59.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1521" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQYXac8jEKotcq8jXvBQMbDgwDPT6sokSrTQCCAlMxfJqq4JmsqT4lDkJwBiKTOwRHHHhl5PQka11SVKaosjH9-V9kwOy7P_lFV4Y37UHglgLs4QlHLlG7JuBS0dKrg-l8RyUVdUXmjFxl/s320/2019-02-10+11.14.59.jpg" width="304" /></a></div>
<br />
<br />
<br />Michael Brown, 2019-02-04: BSides Tampa 2019<br />This past Saturday (Feb 2nd), the <b><a href="https://bsidestampa2019.dryfta.com/en/">2019 BSides Tampa Conference</a></b> was held.<br />
<br />
In a change from past years, they've moved to a new venue, the Embassy Suites on the USF Campus. The 2020 Conference will also be held there, apparently on February 29th.<br />
<br />
This year there were about eight tracks of talks, including one for job seekers. There were many vendors in attendance as well as several infosec groups. The Tampa Bay chapters of <b>ISSA, (ISC)²</b>, and <b>IAPP</b> were in attendance, along with a couple of universities with infosec programs.<br />
<br />
I spoke again on the topic of updated and upcoming frameworks, standards, and regulations for infosec people. I'll be posting separately on that talk with links to the information I spoke of.<br />
<br />
Overall, I thought the event went great. Sadly, due to other issues, this year I flew in that morning and left that evening, so missed out on the dinner the night before for speakers and couldn't hang around for the afterparty. Maybe next year.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmZJ8wm6nkVQMGS76jx9cFHnCbHlqYjY_6FdH43C6xGjnzk460vniK_-n8yyPB6BhupwtSor96oNvnld9liXHqyekCjNQ4nf1n_9qYdloM5ziwikZCoptp4f7gxsVF25ZJBXPF1DhRPWzl/s1600/2019-02-03+10.01.02.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1200" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmZJ8wm6nkVQMGS76jx9cFHnCbHlqYjY_6FdH43C6xGjnzk460vniK_-n8yyPB6BhupwtSor96oNvnld9liXHqyekCjNQ4nf1n_9qYdloM5ziwikZCoptp4f7gxsVF25ZJBXPF1DhRPWzl/s640/2019-02-03+10.01.02.jpg" width="480" /></a></div>
<br />Michael Brown, 2019-02-03: 2018 NIST Cybersecurity Risk Management Conference<br />Back in October I was in Baltimore for <b><a href="http://www.nist.gov/">NIST</a></b>'s <b>2018 Cybersecurity Risk Management Conference</b>. For those not aware, let me break this down. NIST is the National Institute of Standards and Technology, a non-regulatory research arm of the Department of Commerce. For those of us in the IT and infosec world, we know NIST for their SP 800 and SP 1800 series of documents on various IT and infosec topics, for creating the Risk Management Framework (sometimes called FISMA), and for the Cybersecurity Framework (CSF).<br />
<br />
For the last two years they held annual workshops for the CSF (these were actually the 7th and 8th), which I was able to attend and previously reported on. The main purpose of these workshops was to bring people together to look at the future of the CSF and develop the next version, which was v1.1, released in April 2018.<br />
<br />
This year we instead got a three-day conference held at a hotel in Baltimore. It was a mix of plenary sessions, work sessions, panel discussions, and presentations. There were also working lunches for those who paid extra for 'catering'.<br />
<br />
The number of sessions was almost overwhelming, as there were about 8-9 sessions going on at once during certain periods. Some of the slide decks from these presentations have been made available, which helps, as there was almost too much information.<br />
<br />
Among the items I learned were details on the updating going on with various documents related to FISMA. I knew this was going on, but got more details. I also learned more about the plans for <b>PCI-DSS</b> v4, which is planned for development over the coming year. And I learned more about the <b>Baldrige Cybersecurity Excellence Builder</b> (which will have an update early next year).<br />
<br />
There were some problems, I think due to the change in venue and expansion from the workshops. I hope these will be addressed for the next one. At this point, we don't know when or even where the next one will be. So we'll have to see. I hope I can attend the next one as well.<br />
<br />Michael Brown, 2018-11-01: SFISSA's 2018 Hack the Flag and Chili Cookoff<br />The <b><a href="http://www.sfissa.org/">South Florida ISSA Chapter</a></b> again held our annual <b>Hack the Flag/Chili Cookoff</b> in October 2018. For the third year we were hosted at <b>FIU</b>'s Graham Center on their main campus.<br />
<br />
As always, we had two games, a beginner and an advanced. We had a lockpick village. We had food and drink. And we had a keynote speaker! Oh, and our chili cookoff.<br />
<b>Rod Soto</b> of <a href="http://www.noqrtrctf.com/"><b>NO QRTR CTF</b></a> did the advanced capture the flag game as usual.<br />
<br />
We (actually <b>Dan Polimeni </b>and <b>Drew Indelicato</b>) created the beginner game.<br />
<br />
We had a lockpick village, run by our own <b>Mike Anderson</b>.<br />
<br />
We had cool t-shirts.<br />
<br />
And our Keynote Speaker was <b>Gal Shpantzer</b>.<br />
<br />
As always, thanks to our many sponsors for their support, including Fortinet who also provided networking equipment, including wifi!<br />
<br />
If we had any problem, it was that many who registered DID NOT COME. Sadly, these people took tickets that could have gone to people who wanted to come but couldn't get tickets. PLEASE, don't sign up unless you are going to come. We plan this event based on ticket "sales", and while we know some won't come, too many no-shows throws things off.<br />
<br />
We are looking at plans for our future events, both next year's HTF and our 2019 Conference, so look for news soon!<br />Michael Brown, 2018-10-29: 2018 ISSA International Conference<br />This past week I attended the <b><a href="https://www.issa.org/mpage/2018IntlConference">2018 ISSA International Conference</a></b> in Atlanta. I've attended the last four conferences (San Diego, Austin, Chicago, Orlando). There were good and bad points about this year's conference. I'm not sure where the 2019 conference will be, but hope I can attend it as well.<br />
<br />
The day before the conference, I attended the <b>ISSA Chapter Leader Summit</b> as the president of the <b><a href="http://www.sfissa.org/">South Florida Chapter</a></b>. I've attended the prior 4 as well. I was at the conference with 3 other chapter officers, and I know we had 2 others from our chapter in attendance as well.<br />
<br />
The conference hotel was the Westin Peachtree, and we had the Summit there as well as the opening reception and Awards Dinner the night before the conference. The conference itself was held at the nearby Georgia World Congress Center, co-hosted with <a href="https://www.cybersecurity-atlanta.com/"><b>Cyber Security //Atlanta</b></a>. We had access to all the presentations of both events, and all the sponsor booths were available to all. This was a different type of conference, as the "rooms" were just curtained off from the exhibit floor, rather than being conference rooms in a hotel. Not sure if I like this sort of setup.<br />
<br />
There were several good presentations. I looked forward to the presentation from NIST on their OSCAL project. And one of the keynotes was from <b><a href="https://www.thesecurityawarenesscompany.com/who-are-we/founder-winn-schwartau/">Winn Schwartau</a></b>, who came out with an interesting new book, <i><a href="https://www.amazon.com/Analog-Network-Security-Engineering-Thinking/dp/B07C39RDBW/ref=sr_1_1?ie=UTF8&qid=1532033616&sr=8-1&keywords=analogue+network+security">Analogue Network Security</a></i>, which I want to get.<br />
<br />
There was a Capture the Flag event, but they didn't do a good job promoting it, so there wasn't a lot of participation.<br />
<br />
For the big "party", it was held at the World of Coca-Cola. I had been to the original location, so this was my first time to the new location near the Georgia Aquarium. We had access to most of the place, except the "tasting room". Oh well. It was fun.<br />
<br />
There were some problems with the planning of the event, in part due to issues ISSA had with changing their professional management. For some reason, they didn't reform a conference committee to help plan the event. I had submitted several talk proposals, but never learned if any were accepted. Those will be offered to other conferences.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSdVAho8fg93WvAKCbhYqmqQ6LgVpEP8yX7lRCZvxhpKJpb0CO-n5eDlxT5C8OtT2OnRXFoTymcBgHd0Jd7QU9UQIrFcmxeefunpFiHcVp13rdzTl2e0lfU6Gn54s_Vw0A5QaijkC27CQN/s1600/2018-10-17+10.09.51.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="1200" data-original-width="1600" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSdVAho8fg93WvAKCbhYqmqQ6LgVpEP8yX7lRCZvxhpKJpb0CO-n5eDlxT5C8OtT2OnRXFoTymcBgHd0Jd7QU9UQIrFcmxeefunpFiHcVp13rdzTl2e0lfU6Gn54s_Vw0A5QaijkC27CQN/s200/2018-10-17+10.09.51.jpg" width="200" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7b4HWcOZmRC3MwipOROJtCbvROuUMTY6C08Yvn6DHaR1wGa5RE0VOPz4ZMSNze4e7Bt8wOC5112in72DIEgwyUZ1YU03fpDBFwToHrogDE6UAySiUWeTsrC3xF-9kzwJLEj63xK58y_5f/s1600/2018-10-17+10.45.53.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="1600" data-original-width="1200" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7b4HWcOZmRC3MwipOROJtCbvROuUMTY6C08Yvn6DHaR1wGa5RE0VOPz4ZMSNze4e7Bt8wOC5112in72DIEgwyUZ1YU03fpDBFwToHrogDE6UAySiUWeTsrC3xF-9kzwJLEj63xK58y_5f/s320/2018-10-17+10.45.53.jpg" width="240" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi02ukRqtoNDFa0s8rR5XBoPCRxKBmyztaEr2ocoPvswxwG8wq7O84ewnqE2qD2X8i-Scag0z3NQnL1VgQ_QWBXJsEfkdrZSLo6wWx2quG-lvzggWNmaScDVJbSNJzZfAiEazoC5_6gk_gL/s1600/2018-10-17+13.21.48.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1200" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi02ukRqtoNDFa0s8rR5XBoPCRxKBmyztaEr2ocoPvswxwG8wq7O84ewnqE2qD2X8i-Scag0z3NQnL1VgQ_QWBXJsEfkdrZSLo6wWx2quG-lvzggWNmaScDVJbSNJzZfAiEazoC5_6gk_gL/s320/2018-10-17+13.21.48.jpg" width="240" /></a></div>
<br />
<br />
<b>Security Maturity Models (Part 1 of 2)</b> (2018-10-01)<br />
<br />
At the <b><a href="http://www.bsidesmiami.com/">2018 BSides Miami</a></b> conference I spoke on the topic of "Security Maturity Models". In part because of technical problems with the presentation, I am presenting here a lot of what I spoke on there. This is a topic I continue to research and gather information on, so I may do an updated presentation at a future conference or possibly write an article for a journal. Due to the amount of information, I'll be doing this as 2 postings.<br />
<br />
What IS "maturity"? We aren't talking about individuals (tho that's important), but about organizations. From Wikipedia: "Maturity is a measurement of the ability of an organization for continuous improvement in a particular discipline." Thus the higher the maturity, the higher the chances that incidents or errors will lead to improvements, either in the quality or in the use of the resources of the discipline as implemented by the organization. An 'immature' organization is often in 'firefighter mode'; it is a reactive organization. Because it doesn't do things in a consistent manner, there is no "process", and it often causes many of the problems it later has to fix. For instance, if an IT organization builds systems such that each is unique, this will make it harder to maintain those systems than if it built systems in a consistent manner.<br />
<br />
A mature organization would instead follow a process to build systems that enable them to be maintained. A mature organization would be proactive.<br />
<br />
We can see these principles in security when we build an information security management system or program. Some security organizations are immature, being reactive. Others are mature, being proactive. And hopefully organizations are trying to work toward maturity, if they understand this.<br />
<br />
Many maturity models have been created, in security and elsewhere, which is part of the problem. Some models are focused on particular areas, such as security awareness, secure coding, or endpoint protection. Others are fairly high-level, others more detailed. Many models are based on a widely used model, the <b>Capability Maturity Model</b>, developed by the <b>Software Engineering Institute at Carnegie Mellon</b>.<br />
<br />
Let's start with this one from Blue Lava. A fairly high-level model, ranging from reactive to proactive. Immature/reactive organizations are in the "blocking & tackling" level. I think many can relate to that. I did like how they have the next 2 levels. Too often some will focus on compliance when the right target is to create a risk-based security program. Compliance is NOT security. Compliance should instead be seen as a measurement of security, an outcome of being risk-based, not the goal.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvMzugZD1An5HMfPjMiA0MCkPWv3qPepHiccL1LT9YlMAaV3RDlMHbgwOGdS4eebUsq-tJKiYqOM4Mu6Q0RjHDN5O3u7UxbS0JHOVgZRBFYSR7rPDYb7tbCj4UwDDTR5-0izX9YhIIa-5C/s1600/SecurityMaturity-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><br /><img border="0" data-original-height="384" data-original-width="580" height="422" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvMzugZD1An5HMfPjMiA0MCkPWv3qPepHiccL1LT9YlMAaV3RDlMHbgwOGdS4eebUsq-tJKiYqOM4Mu6Q0RjHDN5O3u7UxbS0JHOVgZRBFYSR7rPDYb7tbCj4UwDDTR5-0izX9YhIIa-5C/s640/SecurityMaturity-2.png" width="640" /></a></div>
<br />
<div>
Moving on to another one, a little more complex. Still 3 levels of organizations. But here we assess orgs against 4 categories. 3 should be familiar: people, process, and technology. People is the who, both leadership and team members. Process is the how: how we do what we do. Technology is the means of doing those things. I find the last (or is it first) category interesting: philosophy. The why? </div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjY79JYyHbNj7oaA_pEa_WWQdWj6QdYmrY872_pmehZcpSs4JYZCSmRhP-XIlBRWWJ9X6wtgQIE8rgg5EiGWQEYIROUGKyqIYZPTgCigacR4_sHLbvmoFZtAKdQKCEU9sJKSOBM1MkL1z2b/s1600/SecurityMaturity-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="416" data-original-width="600" height="442" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjY79JYyHbNj7oaA_pEa_WWQdWj6QdYmrY872_pmehZcpSs4JYZCSmRhP-XIlBRWWJ9X6wtgQIE8rgg5EiGWQEYIROUGKyqIYZPTgCigacR4_sHLbvmoFZtAKdQKCEU9sJKSOBM1MkL1z2b/s640/SecurityMaturity-1.png" width="640" /></a></div>
<div>
<br /></div>
A more complex model, here going with 5 levels of organization, which is something to be familiar with. It builds off the 5 level Capability Maturity Model I mentioned. We'll spend more time at the start of part 2 going into it. But the names are pretty common to the CMM. This one looks at the 3 categories of People, Process, and Technology.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0cbZ75fK_cqk4VHA8Kxnp38-TFxtiTE1Krw32ugTWm0L90UbD5zsCz-p_KV5OdsEiAWmxdOHmNEEGR1TGh8sHdGAMQVe7U2EKjXHZJXJscMg8-5jutJnGUkn70xOUTTKakMSpsWOOvHqe/s1600/security-maturity1-1024x549.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="549" data-original-width="1024" height="342" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0cbZ75fK_cqk4VHA8Kxnp38-TFxtiTE1Krw32ugTWm0L90UbD5zsCz-p_KV5OdsEiAWmxdOHmNEEGR1TGh8sHdGAMQVe7U2EKjXHZJXJscMg8-5jutJnGUkn70xOUTTKakMSpsWOOvHqe/s640/security-maturity1-1024x549.png" width="640" /></a></div>
And now we get an even more complex model, again using the 5-level maturity levels of the CMM. But a difference here is the security aspect goes from basic to advanced.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJqjz58-if_xnpRKDalS5ttFww-axRE6y9JQoxygrKsgrQRZ-s_GWVqEMRQiYZ2BY8KJtU3mjxh3VIoqeU18qPBKLvEaGmYviYrh1tkgvrKfKAfE3p1mHSiHBpvL0hCM08AiL5-TAGMr5d/s1600/SecurityMaturityModel.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="640" data-original-width="800" height="512" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJqjz58-if_xnpRKDalS5ttFww-axRE6y9JQoxygrKsgrQRZ-s_GWVqEMRQiYZ2BY8KJtU3mjxh3VIoqeU18qPBKLvEaGmYviYrh1tkgvrKfKAfE3p1mHSiHBpvL0hCM08AiL5-TAGMr5d/s640/SecurityMaturityModel.jpeg" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Here is a high-level diagram of the CMMI, the <b>Capability Maturity Model Integrated</b>, which replaced the CMM. It changed some of the level names. I should point out that the 5th level is OptimizING. Too often those who use the CMM as a basis overlook this and call it Optimized. But that's wrong. It's Optimizing, as process improvement is ongoing, never stopping.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4JFGf5NadjTSuYIgEJGl2XYV0-sFT94dSrcRdTSH9vtO34mGDbUf6jk6PTz80r219pFJJi27gjKum9uvVQ75D9O_P4nofg6qjZVjjSzJrL3vPvOZjUTJz3O_ifv_7KUcCb3MUEV60QgFc/s1600/MaturityModel.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="600" data-original-width="800" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4JFGf5NadjTSuYIgEJGl2XYV0-sFT94dSrcRdTSH9vtO34mGDbUf6jk6PTz80r219pFJJi27gjKum9uvVQ75D9O_P4nofg6qjZVjjSzJrL3vPvOZjUTJz3O_ifv_7KUcCb3MUEV60QgFc/s640/MaturityModel.png" width="640" /></a></div>
<br />
Now, some further overview of the CMM. There is more to this model: in levels 2 thru 5, there are various Key Process Areas (KPAs) that need to be met to be considered at that level. Organizations usually start at level 1, then by completing these KPAs they can move up the levels. Some may never get past 3 or 4. I was part of an IT organization that was formally assessed at Level 3.<br />
<br />
So hopefully this has piqued some interest. In the next part, I'll go into more depth on several maturity models in use: CMM/CMMI, the Cybermaturity Platform, maturity models built into things like the NIST CSF and FFIEC CAT, and others.<br />
<br />
<b>Report on BSides Miami 2018</b> (2018-09-24)<br />
<br />
On Saturday, September 22, 2018 we had our first <b><a href="http://www.securitybsides.com/w/page/12194156/FrontPage">Security BSides</a></b> conference in the South Florida area: <b><a href="http://www.bsidesmiami.com/">BSides Miami</a></b>. Hosted at <b><a href="https://i2labs.co/">i2 Labs</a></b> on Biscayne Bay, we had two tracks of speakers, several panels, and about 80+ participants.<br />
<br />
I spoke at the conference on the topic of <b>Security Maturity Models</b>. Interestingly, the presidents of the <b><a href="http://isacasfl.org/">South Florida ISACA Chapter</a></b> and <b><a href="http://www.hackmiami.org/">HackMiami </a></b>also spoke at the conference.<br />
<br />
For a first time conference, it was overall good. There were problems, which will happen with a first time event. I hope they address this for the next time, and I do hope there is a next time. I was bothered by the emphasis on blockchain. In my view, BSides should be a conference by and for the whole infosec community. We should have sessions that appeal to and are of value to a wide range of folks: those getting into the field, mid-level folks, experienced folks, etc. I do like seeing other activities at BSides conferences, like job fairs, hack the flag games, lock picking, etc. A blockchain track is one thing, but it shouldn't overwhelm the overall conference.<br />
<br />
Due to the problems with my presentation, I'll be posting a summary here soon.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcmUU0DjxI8-6Q1gCpXXbwKEL6R2B9SB7wbMeGAIwYh4Oi1rk886VP2PXTqF5oNN74TOaVjO9utO1DfPqwAYP6O_tR5k5x8oPguBKHKnvwJaa2G6cFwdBBwABE-YZM_OUupFQchk4bqKyz/s1600/BSidesMiami2018.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="500" data-original-width="1000" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcmUU0DjxI8-6Q1gCpXXbwKEL6R2B9SB7wbMeGAIwYh4Oi1rk886VP2PXTqF5oNN74TOaVjO9utO1DfPqwAYP6O_tR5k5x8oPguBKHKnvwJaa2G6cFwdBBwABE-YZM_OUupFQchk4bqKyz/s400/BSidesMiami2018.jpg" width="400" /></a></div>
<br />
<br />
<br />
<b>NIST releases v1.1 of the Cybersecurity Framework</b> (2018-06-15)<br />
<br />
Hopefully by this point most are aware that <b><a href="http://www.nist.gov/">NIST</a></b> has released, after much work, the updated version of the <b><a href="https://www.nist.gov/cyberframework">Cybersecurity Framework (CSF)</a></b>, now version 1.1. This had been worked on over the last 2 years, was the topic of 2 workshops at NIST headquarters, and produced 2 drafts.<br />
<br />
It added one category and 5-6 subcategories, and updated other items, like the information references. They have also done a revamp of the website for the CSF, adding more resources there. I do look forward to more informational references being added, such as crosswalks to <b>PCI-DSS</b>, <b>Standard of Good Practice</b>, and others.<br />
<br />
They have now announced that for 2018, instead of a workshop at NIST HQ, there will be a 3 day conference held in Baltimore in November. It's now the "<b>NIST Cybersecurity Risk Management Conference</b>" and they have registration open along with a call for presentations.<br />
<br />
I hope to attend the event, and based on what they are looking for from speakers, I think this will be a valuable conference. As NIST is also working this year to update several documents related to FISMA, it will be interesting to see how this affects the conference. SP800-37 is scheduled to be released in October, and the final draft of SP800-53R5 is planned for October as well.<br />
<br />
<br />
<b>Report on HackMiamiCon6</b> (2018-06-13)<br />
<br />
HackMiami held its 6th Conference in 2018. And this year we had another new location, tho it wasn't the organizers' fault. :) The previous location suffered a fire, so this year they moved to Seacoast Suites. This limited them a bit, as the rooms were not as spacious as at the Deauville. And there were fewer food options within walking distance than at the Deauville.<br />
<br />
That aside, I thought overall they had another great conference. This year they did an electronic badge, but this was a limited-run add-on, due to cost.<br />
<br />
Two days, both kicked off with keynote addresses. Both were good, and on the second day we had Jack Daniel, who is kind of the father of BSides. There was a good mix of talks and presentations, even a few longer workshops in the evening. I spoke on the second day on cyber resilience/disaster recovery. With the recent hit by Irma in Florida (and Maria in PR), I felt this was a good topic. I think it overall went well.<br />
<br />
Congrats as always to the HM folks for putting on this conference. I am surprised that they have already set the date and location for the 2019 conference, and will be back at the Deauville! Registration is even open on their website!<br />
<br />
<br />
<br />
<b>Report on BSides Orlando 2018</b> (2018-06-11)<br />
<br />
<b>Security BSides Orlando</b> was back in 2018, its 6th year. There were some issues this year. They have been tied, scheduling-wise, to <b>SANS</b> in Orlando, but this year SANS had a weird schedule of April 3-10, which is Tuesday thru Tuesday, rather than a Sunday-Saturday schedule. So they went with April 7, right in the middle.<br />
<br />
The other issue was location. After several years at <b>University of Central Florida</b>, last year they were at Valencia College. This year they were at Full Sail University's Live Venue location in Winter Park. And, yes, another one day event.<br />
<br />
The Full Sail location was interesting. They added a lot of other activities to the schedule, which was nice, but I was saddened that this limited the number of actual talks, as it decreased the number of rooms available, so instead of having 4-5 talk tracks there were only 2. I had submitted several proposals, and none were picked. So this was a personal disappointment for me.<br />
<br />
This year they did an electronic badge, which required participants to solder the items on the board. They had a station setup to solder them, with people helping, which was great. Probably needed to have a few more soldering irons, but still nice. The blue badge was for participants, red was staff/volunteers. Then they added a plastic hanger below to indicate speakers, sponsors, etc.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5W1w_xXE6QtwQyCfuRjpYlmRA95WnaMeNUJWysGLQkJUX5z4BKKNoHmjsVhkleJ8lJzJUAqZQmYVQlQnh27ZCtiFgu4_0ZHsMyhas4_3L_Hw2dxV6p8BGad5VuFtvbSZI7HMhfu0VrTfH/s1600/2018-04-07+13.03.21.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1200" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5W1w_xXE6QtwQyCfuRjpYlmRA95WnaMeNUJWysGLQkJUX5z4BKKNoHmjsVhkleJ8lJzJUAqZQmYVQlQnh27ZCtiFgu4_0ZHsMyhas4_3L_Hw2dxV6p8BGad5VuFtvbSZI7HMhfu0VrTfH/s320/2018-04-07+13.03.21.jpg" width="240" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmhVfpXghB0YzNIXzPeMi5CTYI1TA-nVp3qAc64QLhlWwN0GoTuTLbk56IRgeRnj0KXK3lGsj1_kkEOLz6FW4uGMzti4O6IK84mmatZ8miU9B6k7ONopiuxHwEFfCNv246ZoXhm8Lf8bul/s1600/2018-04-07+10.51.00.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="1200" data-original-width="1600" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmhVfpXghB0YzNIXzPeMi5CTYI1TA-nVp3qAc64QLhlWwN0GoTuTLbk56IRgeRnj0KXK3lGsj1_kkEOLz6FW4uGMzti4O6IK84mmatZ8miU9B6k7ONopiuxHwEFfCNv246ZoXhm8Lf8bul/s320/2018-04-07+10.51.00.jpg" width="320" /></a></div>
<br />
Here is a shot of the t-shirt and program book.<br />
<br />
Overall a great event this year. I look forward to next year's event. SANS has set the date for SANS Orlando, so hopefully the BSides Orlando folks can set their date for next year's event.<br />
<br />
<b>Critical Security Controls v7 RELEASED</b> (2018-03-20)<br />
<br />
I have previously posted on the <b>Critical Security Controls</b>, which many still incorrectly call the "SANS Top 20" and the like, tho <b><a href="http://www.sans.org/">SANS</a></b> hasn't been managing them for some time. The current org that manages them is the <b><a href="http://www.cisecurity.org/">Center for Internet Security</a></b>, which has overseen them since around 2015. They previously put out v6 and, after about a year working on them, have released v7. You can download them from the CIS website, along with other materials.<br />
<br />
I haven't had the chance to fully look at v7 and examine the differences from v6. There are still 20 "controls", but they've done some rearrangement and have made tweaks to the "subcontrols" by adding, splitting, merging, moving (from one control to another), rewording, or deleting some.<br />
<br />
Biggest re-arrangement is how they have organized the 20 controls. In v6, the first 5 controls were "foundational", basic controls that all orgs should implement immediately. The remaining 15 were advanced controls.<br />
<br />
In v7, the first *6* are basic controls that everyone should implement immediately. Controls 7-16 are now called "foundational", and are the next set of controls that should be tackled after taking care of 1-6. The rest of the controls (17-20) are being called "organizational" and are a little different, as in addition to including technical matters, also include people and process items.<br />
<br />
Some controls were rearranged. #3 (Secure Configuration) is now #5, Controls #4 & 5 are moved up to #3 & 4. Otherwise, the controls remain the same.<br />
<br />
The subcontrols have been changed, as I noted. (you can download a change file with detailed info on what has been changed) Now we have:<br />
<ul>
<li>Control #1 has gone from 6 to 8, with deletions, additions, and rewording</li>
<li>Control #2 has gone from 4 to 10, with additions and rewording</li>
<li>Control #3 (the former #4) has gone from 8 to 7, with deletions and rewording</li>
<li>Control #4 (the former #5) is still 9, but has some replaced and others reworded</li>
<li>Control #5 (the former #3) has gone from 7 to 5, but has some moved, deleted, and reworded</li>
<li>Control #6 has gone from 6 to 8, with mergers and rewording</li>
<li>Control #7 has gone from 8 to 10, with deletions, additions, and rewording</li>
<li>Control #8 has gone from 6 to 8, with additions and rewording</li>
<li>Control #9 has gone from 6 to 5, with deletions, moving, and additions.</li>
<li>Control #10 has gone from 4 to 5 with splitting and rewording.</li>
<li>Control #11 is still at 7, but there is rewording</li>
<li>Control #12 has gone from 10 to 12 with deletions, additions, and rewording</li>
<li>Control #13 is still at 9, but has deletions, additions, moving, splitting, and rewording</li>
<li>Control #14 has gone from 7 to 9 with additions, moving, splitting and rewording</li>
<li>Control #15 has gone from 9 to 10 with additions and rewording</li>
<li>Control #16 has gone from 14 to 13 with deletions, additions, and rewording</li>
<li>Control #17 has gone from 5 to 9 with deletions, additions, splitting, and rewording</li>
<li>Control #18 has gone from 9 to 11 with deletions and additions.</li>
<li>Control #19 has gone from 7 to 8 with one addition (probably the least changed of all)</li>
<li>Control #20 is still at 8 with minor work.</li>
</ul>
<div>
Version 6 has 139 subcontrols. Version 7 has 171. But the overall document went from 96 pages to 73. Also, in v6, subcontrols were noted as being foundational or advanced. This has been dropped, but subcontrols are now marked by a "security function" that matches the 5 core areas of the NIST CSF.</div>
<div>
<br /></div>
<div>
They have already put out some supporting materials, like a measurement & metrics document, with more promised (SME document, etc).</div>
<div>
<br /></div>
<div>
Hope to dig into this further and encourage others to check it out.</div>
<div>
<br /></div>
<div>
<br /></div>
<br />
<b>March Updates on Frameworks & Standards</b> (2018-03-05)<br />
<br />
Last month I posted some information on several information security frameworks and standards being updated, and since then there have been updates on all of them. So here we go:<br />
<ul>
<li><b><a href="https://www.nist.gov/cyberframework">NIST CSF v1.1</a></b>. The second draft was released at the end of 2017, and we just wrapped up the comment period on this. I believe the plans are to review and hopefully come out with the final release in a few months. Not clear when. They have also set a tentative date for the 2018 workshop as September 11-13 in "the DC area". Now NIST headquarters is in Baltimore, so does that count as the "DC area"? I should also point out that NIST has done a great job of revamping their NIST CSF website, with some more info.</li>
<li><br /></li>
<li><b><a href="https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draft">NIST SP 800-53</a></b> and <b><a href="https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/draft">800-37</a></b>. NIST is also working on updates for a couple of important documents in FISMA/RMF. SP 800-53 is the controls, and has now been expanded to include privacy controls as well as security. SP 800-37 defines the <b>Risk Management Framework</b>, and should also have info on how the RMF can work with the CSF. As I had noted, the original plan was to come out with a second draft at the end of last year after they put out the discussion draft, but it slipped. We were promised that they would re-assess and put out new dates, which they have: </li>
<li></li>
<li><b>NIST Special Publication 800-37, Revision 2</b> (Risk Management Framework)</li>
<li>Initial Public Draft: May 2018</li>
<li>Final Public Draft: July 2018</li>
<li>Final Publication: October 2018</li>
<li> </li>
<li><b>NIST Special Publication 800-53, Revision 5</b> (Security and Privacy Controls)</li>
<li>Final Public Draft: October 2018</li>
<li>Final Publication: December 2018</li>
<li> </li>
<li><b>NIST Special Publication 800-53A, Revision 5 </b>(Assessment Procedures for 800-53)</li>
<li>Initial Public Draft: March 2019</li>
<li>Final Public Draft: June 2019</li>
<li>Final Publication: September 2019</li>
<li> </li>
<li><b>FIPS Publication 200, Revision 1 </b>(Minimum Security Requirements)</li>
<li>Initial Public Draft: October 2018</li>
<li>Final Public Draft: April 2019</li>
<li>Final Publication: July 2019</li>
<li> </li>
<li><b>FIPS Publication 199, Revision 1</b> (Security Categorization)</li>
<li>Initial Public Draft: December 2018</li>
<li>Final Public Draft: May 2019</li>
<li>Final Publication: August 2019</li>
<li><br /></li>
<li><b><a href="https://www.cisecurity.org/controls/">CIS Critical Security Controls</a></b>. Better known as the "SANS Top 20", the Critical Security Controls are now managed by the Center for Internet Security. The current version is 6.1 and they are working on a v7. I had seen stuff on their site last year about this, but it disappeared, so I thought the effort was dead. They put out a draft of v7 with a short comment period. And are rolling out v7 on March 19th in DC (or you can attend on-line). So that is pretty quick.</li>
</ul>
The only thing I am concerned about is that both SP800-53 and the CSC are Informational References in the NIST CSF. If they come out with new versions, will the Informational References in the CSF be updated to these new versions? I hope they will be. Now NIST has on their new CSF website an on-line version of the Informational References that allows them to expand them. Tho why they didn't include the HIPAA crosswalk here I don't know. Still awaiting the official PCI-CSF crosswalk to be made available as well.<br />
<br />
As I learn more about these new updates, I'll be blogging about them. I look forward to getting my hands on v7 of the CSC due to what I read in the draft version.<br />
<br />
<b>Report on BSides Tampa 2018</b> (2018-02-28)<br />
<br />
On Saturday, February 17th, I was in Tampa for the 5th <b><a href="http://www.bsidestampa.net/">Security BSides Tampa Conference</a></b>. This was my third time attending, and my third time speaking. I spoke on the topic of the new "SOC for Cybersecurity" report. I'll do a separate posting on this report, giving resources.<br />
<br />
This conference had about 700 registered people, not sure how many were there. As with the prior couple of conferences, it was again held at the Stetson College of Law center in Tampa.<br />
<br />
There were 5 tracks, a capture the flag game, lockpick village, training, and a recruitment track again. Several great speakers. <b>Jack Daniel, Ira Winkler, Greg Hanis</b>, and more. I also had some good conversations with several people.<br />
<br />
There were some problems last year, and I think they did a good job of addressing these. My only personal complaint was it being on President's Day Weekend, due to other commitments which I had to miss. Hopefully whatever date they pick next year won't conflict for me.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHl3MvzVk80_V6d8BijQk2q3qg5wmw7MQ20wq65A0C8D3NffmUQlrpzlISkOkYEo-P4IGwstRVjemSsCwAMooVVVsxNfxOtplmqwu-ZUL5dvngX6cHKUIzhvTh_xa6aBiB7EjMA1AkSCHA/s1600/2018-02-17+17.38.32.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1200" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHl3MvzVk80_V6d8BijQk2q3qg5wmw7MQ20wq65A0C8D3NffmUQlrpzlISkOkYEo-P4IGwstRVjemSsCwAMooVVVsxNfxOtplmqwu-ZUL5dvngX6cHKUIzhvTh_xa6aBiB7EjMA1AkSCHA/s320/2018-02-17+17.38.32.jpg" width="240" /></a></div>
<br />Michael Brown, 2018-02-26: <b>Report: The State of Cybersecurity in Florida</b><br />
Just recently <b><a href="http://thefc2.org/">The Florida Center for Cybersecurity</a></b> released their 2017 report, <a href="http://thefc2.org/documents/state-of-cybersecurity-report.pdf"><b>The State of Cybersecurity in Florida</b>.</a><br />
<br />
So what IS The Florida Center for Cybersecurity? It's a statewide agency located at USF in Tampa that works with all State University System of Florida institutions, industry, the military, government, and the community to build Florida's cybersecurity workforce.<br />
<br />
The report is the first they've done. It looks at the cyber threat environment, workforce supply and demand, education and training opportunities, and research initiatives within the State of Florida.<br />
<br />
In particular, here are some of its findings (and my comments):<br />
In regard to the talent shortage:<br />
<ul>
<li>68% of organizations surveyed report cyber staffing challenges.</li>
<li>Compensation for mid- and junior-level positions in Florida is $5,000 to $10,000 per position higher than the national average.</li>
</ul>
<div>
Ok. But *why* are orgs having a problem finding talent? Don't just assume it's due to lack of talent. It could be that companies' job postings are bad, what they look for is unrealistic, or the orgs have a bad rep. And I have a problem with the claim that compensation is *higher* than average. I'm seeing postings where companies are offering below average compensation. Again, MAYBE in some areas (like maybe Tampa) this is true, but not in other areas.<br />
<br />
Even reading further in the report, it's not clear the authors know what the average is that people should be paid.</div>
<div>
<br /></div>
Next, there is an overview of the threats facing Florida businesses:<br />
<ul>
<li>Reports of corporate data breaches in Florida rose 17.8% between 2015 and 2016</li>
<li>41% of organizations surveyed report having suffered a breach</li>
<li>Only 32% of organizations surveyed are confident they are prepared for a cyberattack</li>
</ul>
A look at the steps organizations are taking to mitigate these threats:<br />
<ul>
<li>80% of organizations surveyed require all personnel to complete security training</li>
<li>87% of organizations surveyed technologically enforce strong passwords</li>
<li>More than 85% of organizations surveyed have disaster recovery and business continuity plans (though only 32% regularly test those plans)</li>
</ul>
<br />
Sadly, this doesn't surprise me. Employee security training is just security awareness training. But how good or effective is it? Again, how good are those BC/DR plans? Since only a third test them, who knows? Scary when you consider we have to worry about hurricanes, and we had Irma last year go through the whole state.<br />
<br />
I hope this will be an annual report. I would like to see a larger group providing information, though it seems this one was pretty diverse in terms of location and industry.<br />
<br />
Check it out yourself.<br />
<br />
<br />Michael Brown, 2018-02-22: <b>Report on ISACA South Florida's WOW Event</b><br />
The <b><a href="http://isacasfl.org/">South Florida Chapter of ISACA</a></b> has been holding a one-day conference each February known as the <b>WOW! Event</b>. In 2018, they held their 11th conference on Friday, February 16th at FIU's Koven Conference Center at their Biscayne Bay campus.<br />
<br />
This year's theme was "The InfoSec of Things: Emerging issues in Privacy and Security". There were about 250 people in attendance for the day, with several speakers and a panel discussion with several local CISOs.<br />
<br />
Speakers included:<br />
Author <b>Christopher Hadnagy</b> (<i>Social Engineering, Unmasking the Social Engineer, Phishing Dark Waters</i>) spoke on phishing, vishing and related topics. The chapter had copies of his books available, and I was able to get a couple and have them signed.<br />
<br />
<b>Rich Heimann</b>, Chief Scientist at Cybraics; <b>Theo Peterson</b>, Chief Security Architect at Bulletproof; and <b>Samson Williams</b>.<br />
<br />
There was a panel of CxOs, including <b>Mauricio Angee</b> (CISO, Mt Sinai), <b>Ana Roldan</b> (CISO, Miami Dade College), and <b>Sanjay Deo</b>, CEO of 24by7Security.<br />
<br />
For a keynote speaker, there was <b>Tom Brennan</b>, who is also a board member of OWASP.<br />
<br />
And everyone was given a copy of <i><b>Future Crimes</b></i>.<br />
<br />
Overall, a good conference.<br />
<br />
I expect we'll see another one next year. The chapter is working on a joint GRC conference with a local IIA chapter, and a women in tech conference in October.<br />
<br />
<br />Michael Brown, 2018-02-20: <b>Report on SecureMiami 2018</b><br />
On Saturday, February 10, 2018, <b><a href="https://www.digitaleragroup.com/">DigitalEra</a></b> hosted their second "annual" security event, <b>Secure Miami</b> at <b><a href="http://www.fiu.edu/">FIU</a></b>, co-located with <b>Brew Miami</b>. Their first event was in December of 2016.<br />
<br />
Attendance was pretty good at this event, with about 350 registered to attend. This year they moved it to the larger Graham Center in the University Center. Lunch was provided.<br />
<br />
There were several security vendors in attendance. The <b><a href="http://www.sfissa.org/">South Florida ISSA Chapter</a></b> assisted, so we were there with a booth. <br />
<br />
Speakers were a good selection of national level folks, along with a panel discussion with various security leaders. These included: Malcolm Harkins with Cylance, Hollis Howell from Rapid7, and Kevin Reardon with Symantec. Panelists were from FIU, Trapezoid, Network Health, and Trend Micro.<br />
<br />
Overall, a very nice half-day security event. I believe DigitalEra is planning on doing this again next year, and I look forward to it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXz8pCeRt1RwvKTNnNTP-t7OLcn-Mxt3oGX2atK5fiCnKFfUlCwH2u015x6TC_Xdeq5SND7r0wWqv2lLsxiiVqF8qi8t133hvGbbxc0S82qjALsWf0zwbmqm2LC9YS0Nccx38VNwhJ5xt6/s1600/SecureMiamilogo.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="343" data-original-width="687" height="316" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXz8pCeRt1RwvKTNnNTP-t7OLcn-Mxt3oGX2atK5fiCnKFfUlCwH2u015x6TC_Xdeq5SND7r0wWqv2lLsxiiVqF8qi8t133hvGbbxc0S82qjALsWf0zwbmqm2LC9YS0Nccx38VNwhJ5xt6/s640/SecureMiamilogo.jpg" width="640" /></a></div>
<br />Michael Brown, 2018-02-06: <b>Framework/standard updates coming</b><br />
Well, it's early 2018 and there are several information security framework/standards being updated:<br />
<ul>
<li><b><a href="https://www.nist.gov/cyberframework">NIST CSF v1.1</a></b>. The second draft was released at the end of 2017, and we just wrapped up the comment period on this. I believe the plans are to review the comments and hopefully come out with the final release in a few months. I think we will also see another workshop held in conjunction with this; we just don't know exactly when.</li>
<li><b><a href="https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draft">NIST SP 800-53</a></b> and <b><a href="https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/draft">800-37</a></b>. NIST is also working on updates to a couple of important documents in FISMA/RMF. SP 800-53 is the controls catalog, and has now been expanded to include privacy controls as well as security controls. SP 800-37 defines the <b>Risk Management Framework</b>, and should also have info on how the RMF can work with the CSF. The plan was to come out with a second draft at the end of last year after they put out the discussion draft, but it looks like the schedule has slipped. If you read on-line, it looks like they need to re-assess the amount of work needed. I do expect we will see these done this year, but no idea when at this point.</li>
<li><b><a href="https://www.cisecurity.org/controls/">CIS Critical Security Controls</a></b>. Better known as the "SANS Top 20", the Critical Security Controls are now managed by the Center for Internet Security. The current version is 6.1 and they are working on a v7. I had seen stuff on their site last year about this, but it disappeared, so I thought the effort was dead. Now they have a draft of v7 out with a short comment period (about to end). It's not clear when they expect the final version to come out, but it clearly will be this year.</li>
</ul>
The only thing I am concerned about is that both SP 800-53 and the CSC are Informative References in the NIST CSF. If they come out with new versions, will the Informative References in the CSF be updated to these new versions? I hope they will be. I'm still awaiting the official PCI-CSF crosswalk to be made available.<br />
<br />
As I learn more about these new updates, I'll be blogging about them.<br />
<br />Michael Brown, 2018-02-05: <b>Healthcare Industry Cybersecurity Task Force report, June 2017</b><br />
Recently a report came out from the "<b>Health Care Industry Cybersecurity Task Force</b>". This group was formed by Congress as part of the <b><i>Cybersecurity Act of 2015</i></b>. The task force is made up of a diverse group from the healthcare industry, taking a look at the state of cybersecurity and how it can be improved.<br />
<br />
You can read the report <a href="https://www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf">HERE</a>.<br />
At nearly 100 pages, it's a bit much to slog through. At a minimum, read over the executive summary. As someone who works with healthcare clients, their findings are not a surprise to me. They have a figure:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://media.licdn.com/mpr/mpr/AAEAAQAAAAAAAA3hAAAAJGJhNjQ0ZGE3LTVhYTQtNDAwMy04OGEzLTdiNjBjYjYzM2Y4Nw.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="750" data-original-width="750" height="320" src="https://media.licdn.com/mpr/mpr/AAEAAQAAAAAAAA3hAAAAJGJhNjQ0ZGE3LTVhYTQtNDAwMy04OGEzLTdiNjBjYjYzM2Y4Nw.jpg" width="320" /></a></div>
<br />
which points out some of these issues.<br />
<br />
Lack of talent: yes. Not that there is no talent, but that many orgs don't have enough people on board. Smaller orgs can't afford to, sometimes outsourcing their IT to vendors who themselves may not have the right skills. (It's one thing to go with a managed security service provider who hopefully knows healthcare; it's another to go with some local IT guys who have no idea of security or the issues facing healthcare.)<br />
<br />
Legacy equipment: wow, yes. Big problem, as the vendors aren't supporting or updating these systems, and the orgs can't. Most orgs don't understand that there are some solutions (isolated networks and the like) for this.<br />
<br />
Over-connectivity ties back to lack of talent. When you don't have people on board who can properly set things up, problems will arise.<br />
<br />
Vulnerabilities impact: this is stuff like ransomware and the like hitting groups, which often was caused by not having the right talent in place to get things in good shape.<br />
<br />
Some of these actually interconnect. Healthcare IT is behind everyone else. Too many organizations have, for various reasons, not invested in IT. This means they have not worked to get enough people on board with the right skills and given them the budget to set things up well.<br />
<br />
They define 6 imperatives:<br />
<br />
<ol>
<li>Define and streamline leadership, governance, and expectations for health care industry cybersecurity.</li>
<li>Increase the security and resilience of medical devices and health IT.</li>
<li>Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.</li>
<li>Increase health care industry readiness through improved cybersecurity awareness and education.</li>
<li>Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.</li>
<li>Improve information sharing of industry threats, weaknesses, and mitigations.</li>
</ol>
<div>
The report spends quite a bit of time on a variety of recommendations and action items derived from these imperatives.<br />
<br />
Check it out and add your comments.</div>