Framework/standard updates coming

Well, it's early 2018 and there are several information security frameworks/standards being updated:

NIST CSF v1.1. The second draft was released at the end of 2017, and we just wrapped up the comment period on this. I believe the plans are to review and hopefully come out with the final release in a few months. Now I think we will also see another workshop held in conjunction with this, we just don't know exactly when.

NIST SP 800-53 and 800-37. NIST is also working on updates for a couple of important documents in FISMA/RMF. SP 800-53 is the controls, and has now been expanded to include privacy controls as well as security. SP 800-37 defines the Risk Management Framework, and should also have info on how the RMF can work with the CSF. Now the plan was to come out with a second draft at the end of last year after they put out the discussion draft, but it looks like the schedule has slipped. If you read on-line, it looks like they need to re-assess the amount of work needed. I do expect we will see these done this year, but no idea when at this point.

Healthcare Industry Cybersecurity Task Force report- June 2017

Recently a report came out from the "Health Care Industry Cybersecurity Task Force". This group was formed by Congress as part of the Cybersecurity Act of 2015. The task force is made up of a diverse group from the healthcare industry, taking a look at the state of cybersecurity and how it can be improved.

You can read the report HERE.

At nearly 100 pages, it's a bit much to slog thru. At a minimum, read over the executive summary. As someone who works with healthcare clients, their findings are not a surprise to me. They have a figure which points out some of these issues.

Lack of talent- yes. Not that there is no talent, but that many orgs don't have enough people on board. Smaller orgs can't afford to, sometimes outsourcing their IT to vendors who themselves may not have the right skills. (It's one thing to go with a managed security service provider who hopefully knows healthcare, it's another to go with some local IT guys who have no idea of security or the issues facing healthcare.)

Legacy equipment- wow. Yes. Big problem as the vendors aren't supporting or updating these systems, and the...

Upcoming Conferences in early 2018

There are several local security conferences coming up in my general area, some of which I'll be speaking at. Here are the ones over the next few months:

* SecureMiami 2018, co-located with BrewMiami. Organized by DigitalEra, this is the second time for this half-day event at the main campus of Florida International University. Held on Saturday, February 10th. Registration is open NOW and I encourage people to attend.
* ISACA South Florida Chapter's 11th WOW Event is coming up on Friday, February 16th at FIU's Biscayne Bay campus. The theme: The InfoSec of Things: Emerging issues in Privacy and Security, and it has a great lineup of speakers. So register NOW.
* BSides Tampa 2018 is coming up Saturday, February 17th, again at Stetson Law in Tampa. I will be speaking here on the topic of "SOC for Cybersecurity". I think they are sold out, but check anyway.
* BSides Orlando 2018 is coming up on Saturday, April 7th. Location this year will be Full Sail Live Venue in Winter Park. CFP is open, and I've submitted some proposals, and registration is open NOW.
* HackMiamiCon6 is coming up May 18-20. This year they will be at Sea Coast...

Cyber Resilience- what I’ve found (Part 1)

A year or so ago I came upon the idea of "cyber resilience", which is a general concept of 'hardening' or toughening, or making more resilient, our IT/cyber systems. I started seeing the term used a lot, and many of the times I've seen it, it has been in support of ideas that we need to focus MORE on resilience than cybersecurity, or that cyber resilience is the next step beyond cybersecurity.

Here are some of the articles I read: one, two, three.

I have a lot of problems with this idea. This led me to do research on the topic and I developed a presentation which I've given twice, most recently at the 2017 ISSA International Conference. Below you'll find my research.

Now, this is not to say I'm not in agreement with the idea of cyber resilience. What I have a problem with is that it's separate from or a next step from cybersecurity. If people think this, I think they don't understand what cybersecurity SHOULD be.

I see cybersecurity as a subset of information security, more about systems that are internet-connected. But we should NOT be ignoring all of information security.

So if...

2017 ISSA International Conference Report

This past week, ISSA held their 2017 International Conference in San Diego. I've attended the last 4 conferences (not sure when they started doing them), and this one was pretty good. Full disclosure: I am a member of the conference steering committee, so I had some involvement in the planning of it.

On the 9th was the all-day Chapter Leaders Summit, which brings chapter leaders from around the country (and world) to a day of training and sharing of information. A change this year was that the Summit was live streamed to those who couldn't attend. I thought this was a good summit, with some good sessions. I think attendance was pretty decent as well. My chapter, the South Florida Chapter, had 4 officers in attendance.

The 10th and 11th were the conference itself. And then it was followed by ISSA's CISO Forum.

The conference had several things different this year. For the vendors, they had set up a very large (but very nice) tent to house them in. To make sure people got over there and visited the vendors, they made sure that all the food/coffee breaks were there, as well as having a kick-off reception on the 9th, and one of the...

2017 ISSA International Conference

Well, I just returned from the 2017 ISSA International Conference which was held Oct 9-11 in San Diego. This was the 4th conference I attended. I have been on the conference steering committee the last couple of times, and this time spoke on cyber resilience.

I'll be posting more on the conference shortly, as well as a posting on my presentation to provide people with the references and resources I used in my presentation. I hope to get this all up by this weekend.

The 2018 Conference will be in Atlanta, but uncertain about the date.

My first SANS/GIAC certification

I have several infosec certifications, but most are from ISC(2) and ISACA.

This past week I learned that I passed the test I took for a new GIAC certification: the GSTRT, which is for the GIAC Strategic Planning, Policy, and Leadership. It's tied to SANS's new MGT514: IT Security Strategic Planning, Policy, and Leadership, which I took last year. At the time there was no cert, so I got to beta test the new exam.

Not having done any of the GIAC certs, this was a new experience for me. GIAC allows you to bring your books with you, so I knew it was vital to prep for the cert. I read and re-read my books and also created my own index of the books. This was vital because one volume was devoted to leadership concepts, and it had a lot, many I wasn't familiar with when I took the course. In many cases, they almost introduced a new concept every 2-3 pages!

I don't know my score yet, but am curious to learn how well I did.

"Hacker Summer Camp" 2017

This past July I went out to Las Vegas for the first time to attend some of the events referred to as "hacker summer camp": Black Hat, BSides, and Defcon.

Now, I did not attend Black Hat as the event was pretty expensive. I did want to drop by the exhibit hall, but couldn't get in. I did attend the ISSA and ISC(2) receptions tied to the event. I was a little disappointed that ISACA made a big deal about being at Black Hat but didn't do a reception of some kind.

I mainly came to attend BSides and Defcon and stayed at the Tuscany Suites where BSides was being held, which I recommend. This guaranteed you a ticket for BSides. I also got the meal ticket deal (breakfast & lunch) at BSides, which made me a sponsor and got me earlier check-in at the sponsor table. I also pre-ordered a t-shirt (recommended).

There were a lot of interesting sessions I attended. I'll need to do another posting on some of the sessions I went thru and give more info on them.

Once BSides was over I attended Defcon. This event was a bit overwhelming. There was a big...

NIST releases DRAFT SP800-53R5

Recently NIST finally released the DRAFT of SP800-53R5. 800-53 is entitled Security and Privacy Controls for Federal Information Systems and Organizations and is the set of controls used in FISMA, the mandated set of infosec controls used in federal systems (tho many others use it as well, often times state and local governments, as well as government contractors).

This has been in the works for a while now, and many expected this draft to come out several months ago. The due date for comments is September 17, 2017. They want to put out the final draft (second draft) in October, with the final version by the end of the year.

They note several changes. They have incorporated privacy controls into this. They have separated out the control selection process from the controls. The Risk Management Framework is that control selection process. By doing this, it more easily allows others to use the controls as is. With the NIST CSF referencing the controls in SP800-53, it makes it easier for those using the CSF to use these controls. It is actually called out that SP800-53 can be used with the RMF, CSF, and Systems Engineering Processes.

One big change was the striking...

Sad news- Intel drops Edison, Galileo, Joule, Curie

I had previously posted about some of Intel's efforts to get involved in the IoT and Maker communities with their own products such as the Edison, Galileo, Curie, and more.

At the recent DefCon conference I was chatting with the guy behind HackerBoxes and was sad to learn that Intel has recently dropped some of their efforts. I took a look and found info that they are dropping production of the Edison, Galileo, Curie, and Joule products by the end of 2017 or mid 2018.

This is a bit disappointing. I thought some of these had a lot of potential, and I think that if they haven't been as successful as they could have been that maybe Intel didn't do all they could to make these products successful. I know Sparkfun had put out several items in support of the Edison. I had hoped to see more published information on these items and there was a planned work on the Edison and Galileo that never came out.

As far as I can tell they are still supporting the Euclid product, but that's just not the same.

Does this end Intel's foray into this realm? Hopefully not.