Report: The State of Cybersecurity in Florida

Just recently The Florida Center for Cybersecurity released their 2017 report, The State of Cybersecurity in Florida.
So what IS The Florida Center for Cybersecurity?  It’s a statewide agency located at USF in Tampa that works with all State Unive…

Report on ISACA South Florida’s WOW Event

The South Florida Chapter of ISACA has been holding an annual one-day conference each year in February known as the WOW! Event.  In 2018, they held their 11th conference on Friday, February 16th at FIU’s Koven Conference Center at their Biscayne B…

Framework/standard updates coming

Well, it’s early 2018 and there are several information security framework/standards being updated:

NIST CSF v1.1.  The second draft was released at the end of 2017, and we just wrapped up the comment period on this.  I believe the plans ar…

Healthcare Industry Cybersecurity Task Force report- June 2017

Recently a report came out from the “Health Care Industry Cybersecurity Task Force”.  This group was formed by Congress as part of the Cybersecurity Act of 2015.  The task force is made up of a diverse group from the healthcare industry, taki…

Upcoming Conferences in early 2018

There are several local security conferences coming up in my general area, some of which I’ll be speaking at.
Here are the ones over the next few months:
* SecureMiami 2018, co-located with BrewMiami.  Organized by DigitalEra, this is the second t…

Cyber Resilience- what I’ve found (Part 1)

A year or so ago I came upon the idea of “cyber resilience”, which is a general concept of ‘hardening’ or toughening, or making more resilient, our IT/cyber systems.  I started seeing the term used a lot, and many of the times I’ve seen it, it has been in support of the idea that we need to focus MORE on resilience than on cybersecurity, or that cyber resilience is the next step beyond cybersecurity.

Here are some of the articles I read:  one, two, three.

I have a lot of problems with this idea.  This led me to do research on the topic, and I developed a presentation which I’ve given twice, most recently at the 2017 ISSA International Conference.  Below you’ll find my research.
Now, this is not to say I’m not in agreement with the idea of cyber resilience.  What I have a problem with is the claim that it’s separate from, or a next step beyond, cybersecurity.  If people think this, I think they don’t understand what cybersecurity SHOULD be.
I see cybersecurity as a subset of information security, more about systems that are internet-connected.  But we should NOT be ignoring all of information security.
So if we look at the 5 core elements of information security (taking a cue from the NIST CSF), we need ALL of these.  I think too often cybersecurity is focused ONLY on protect, detect, and a little on respond.  That doesn’t work.  Resilience is included (IMO) in the rest of this (identify, respond and recover).
OR, if we look at the CIA triad: Confidentiality, Integrity, and Availability, resilience IS availability.  Heck, that’s what I knew it as years ago when I was working as a sysadmin for a large global company.  We were working to make our systems more available.  You know, 5 Nines and all that?  (99.999% uptime etc.)  That’s now called resilience.
Or to put it another way, which I used in my recent presentation, take a look at how power companies prepare for upcoming hurricanes, something I see living in Florida.  Just before the hurricane hits, they have teams ready to go in to restore power, which are deployed after things are clear.  These teams, depending on the area, can be working for weeks to restore power: replacing or fixing cables, poles, transformers, etc.

But another thing they do is prepare before a hurricane hits to minimize the impact, to lessen the chance of losing power.  In my area, they have been doing this by replacing old wooden poles with new, stronger concrete poles, burying power lines from the poles to the houses, trimming trees, etc.

So the teams prepared to go into action after the hurricane are equivalent to your traditional disaster recovery plan.  But all the work to strengthen the power grid beforehand is what makes it resilient.  It’s an investment that often has to be sold to management.
Ok.  So here are the frameworks, models, organizations and resources I found in my research:

CERT RMM

The Software Engineering Institute at Carnegie-Mellon University is probably best known for creating the Capability Maturity Model (CMM), and also the CERT Division.  Within the CERT Division is the Cyber Risk and Resilience Management work area.

A big part of their work is the CERT Resilience Management Model, which is a maturity model for “Operational Resilience”, similar to the way the original CMM is a maturity model for software and system management.

V1.1 of the CERT-RMM was published as a book from Addison-Wesley, but v1.2 is available as a free download from the site.

They have other materials for cybersecurity you should check out.

Cyber Resilience Review (CRR)

Provided by the DHS’s US-CERT, the CRR was actually created by SEI’s CERT Division and is based on their CERT RMM.  The review can be done either as a self-assessment or as an on-site assessment facilitated by DHS personnel.

Full info on the CRR is found HERE.  You can find info on the CRR and download all materials.

The CRR is built around 10 domains:

  1. Asset Management
  2. Controls Management
  3. Configuration and Change Management
  4. Vulnerability Management
  5. Incident Management
  6. Service Continuity Management
  7. Risk Management
  8. External Dependency Management
  9. Training and Awareness
  10. Situational Awareness

There are other resources for the CRR, such as crosswalks to the NIST Cybersecurity Framework, FFIEC CAT, etc.

I recommend that you check out the US-CERT site, as they have a lot of other cybersecurity resources.

World Economic Forum

The World Economic Forum, established in 1971, is a global organization that uses public-private partnership to help improve the world.  They have several initiatives, and under their Digital Economy initiative they have had a project focused on cyber resilience for several years.

They have a variety of reports and materials, all available for download:

As part of their work, they worked with xxx, whose people put out a book: Beyond Cybersecurity.

Their most recent work in this area is a blog posting: Why being a responsible leader means being cyber-resilient.

MITRE

MITRE is a not-for-profit organization that operates research and development centers sponsored by the federal government: FFRDCs (federally funded research and development centers).  One is focused on cybersecurity.

They have produced quite a bit of material on cyber resilience.  They’ve held seven annual Secure and Resilient Cyber Architectures Invitational & Training Events, the most recent in May of 2017.

They’ve created a Cyber Resilience Engineering Framework (CREF).  They have Cyber Resilience Metrics.  Even a good FAQ.

National Forum for Public Private Collaboration

First established as the Global Forum for Advanced Cyber Resilience; it was meeting the CEO of this group that spurred me on to do this research.

They have worked up a common lexicon, and their current projects appear to be developing business use cases for cyber resilience for several sectors.  They also held a collaboration event in September of 2017.

It will be interesting to see where this group goes with what it’s doing.

Resilia

Resilia is a best practice program from Axelos, which manages the ITIL certification program.  It includes a couple of certifications, Foundation and Practitioner.  I’m not sure of the value of this program, as I don’t see much mention of it in the marketplace.

But do check it out.

The post Cyber Resilience- what I’ve found (Part 1) appeared first on Security Boulevard.

2017 ISSA International Conference Report

This past week, ISSA held their 2017 International Conference in San Diego.  I’ve attended the last 4 conferences (not sure when they started doing them), and this was a pretty good one.  Full disclosure: I am a member of the conference steering committee, so I had some involvement in the planning of it.

On the 9th was the all-day Chapter Leaders Summit, which brings chapter leaders from around the country (and world) together for a day of training and sharing of information.  A change this year was that the Summit was live streamed to those who couldn’t attend.  I thought this was a good summit, with some good sessions.  I think attendance was pretty decent as well.  My chapter, the South Florida Chapter, had 4 officers in attendance.


The 10th and 11th were the conference itself.  And then it was followed by ISSA’s CISO Forum.

The conference had several things different this year.  For the vendors, they had set up a very large (but very nice) tent to house them in.  To make sure people got over there and visited the vendors, they made sure that all the food/coffee breaks were there, as well as holding a kick-off reception on the 9th, and one of the lunches.  I think it worked well.  In addition, this time the Capture the Flag game was run on the 9th, rather than being part of the party event on the 10th.  Better idea.  Something new was a first-timer event.  I’ll have to see how that went.

As noted, the main conference was the 10th & 11th.  We had breakfast keynote kickoffs each day, with Tarah Wheeler (whom I first saw at the 2017 BSides Orlando conference) doing the keynote on Wednesday.  For the last couple of conferences, we had a “party in the sky” on the evening of the first day.  This time, we had a “party on the flight deck” at the USS Midway, which was pretty cool.  I do wish we had been able to tour through the ship, but we had access to all the planes up on the flight deck, and they had some of the veterans who act as docents on hand.  And below deck were flight simulators.  I also wish the gift shop had been open.

There were a lot of talks over the two days.  I think we had a good set, though there are always the one or two that aren’t that good.  I think we need to work on getting more technical talks.  As noted, I spoke on cyber resilience, and will have a separate posting on that soon.

New this year was that we had a conference company do the check-in.  A bit more automated, with print-on-demand name badges.  I had first seen this kind of thing at an ISACA Conference, and this went just as smoothly.  Hopefully the cost was worth it.  We also had a conference t-shirt for the first time.

I noted good and bad things about this year’s conference that I will be bringing up with the steering committee so we can improve for next year’s conference.  At this point I know it will be in Atlanta, but I am uncertain of the date.

#ISSACONF

The post 2017 ISSA International Conference Report appeared first on Security Boulevard.