Monday, January 18, 2021

Forward into 2021

Well, here we are in 2021.  A lot has happened to all of us this past year.  I think all the security conferences I usually attend this past year from March on were either cancelled or went virtual.  And it looks like the same will occur through some of this year.

I've also been behind in trying to post regularly on this blog and hope to address this and aim to post at least twice a month.  I am planning on tackling some additional certifications in the cloud and privacy areas, and will be posting on this, as well as on areas I have an interest in.  Further, I plan on presenting at upcoming conferences and events, so I will be posting on that.

Here in Florida, I know that BSides Tampa will be virtual in 2021, and I have proposed a few ideas.  Not sure about BSides Orlando.  South Florida ISSA does plan on doing their Hack the Flag, hopefully live.  Both SFISSA and HackMiami will be having regular meetings on-line, as well as South Florida ISACA.

If anyone has any ideas or suggestions, please post them.


Monday, February 17, 2020

Upcoming Security Events in Florida

There are several upcoming information security events in Florida that some may not be aware of.

First up is the South Florida ISACA Chapter's annual WOW event.  This year is the thirteenth year of the event.  It will be held on Friday February 21st, 2020, again at FIU's Kovens Center at their Biscayne Bay campus.  This is a single-track conference, with various speakers and a panel discussion.  It's usually a good event, and I plan on being there.

Next up is Security BSides Tampa.  The seventh year for this event, it will be held Saturday, February 29th, 2020 at the Embassy Suites on the USF Campus in Tampa.  There will be training sessions on Friday.  This event is a multi-track conference, with tracks including CISO, Cloud, and a job fair.  They also have other activities like a CTF, lockpicking, and more.  This is a pretty good event.  Sadly, I don't plan on attending this year.

Then there is Security BSides Orlando.  This will be Saturday, April 11, 2020 at Full Sail University's Live Venue.  I believe they are planning on doing training sessions on Friday.  The schedule hasn't yet been announced.  They also have other activities like a CTF, lockpicking, and more.  This is also a pretty good event, and it seems BSides Tampa and Orlando are some of the largest BSides outside of Vegas.  I'm not sure at this point if I'll be going.

Finally, there is HackMiamiCon.  This time it will be Saturday, May 30th, 2020 at the Broward Library.  There will be training events on Friday.  This is a change of venue from hotels on Miami Beach, so it remains to be seen how this works out.  They should have other activities like a CTF.  This is also a good event.  Due to a conflict with another event, I may not attend this year.

These are all great events and I encourage folks to check them out and attend.


Wednesday, February 12, 2020

2020 SecureMiami Conference

This past weekend I attended the 2020 SecureMiami Conference.  This was the 4th time this conference was held, again at FIU's Graham Center and co-located with BrewMiami, held later that day at the FIU stadium.  I've been to all of these events, promoting the South Florida ISSA Chapter, and had a good time.

This event was organized by DigitalEra and again had a great number of speakers and panels, and a good set of sponsors and exhibitors.

I enjoyed Jorge Orchilles's talk.  He is a past president of our chapter.  Hacker Hector Monsegur was the final speaker, and I wasn't previously aware of him.  He gave a great talk from the point of view of a former 'black hat' who has become a 'white hat'.

I look forward to next year's event.  This one sold out quickly with a large waiting list.  Will they move to a new location because of this?


Monday, February 10, 2020

2020 Update

Here we are in 2020, and there are many updates to go over.  I plan on further postings on several of these items, and I need to get back into blogging here with more regularity.

Here are some of the new things that are out.

CCPA.  Privacy as an issue just seems to get bigger and bigger.  Even as a security professional I find myself being pulled into it.  I wonder if I need to join IAPP, maybe even study and get one of their certs.  We had the GDPR that came out last year.  I really thought more companies would address it, but I just didn't see that.  Now California has come out with their CCPA law.  CCPA is not quite "California's GDPR".  It's not a broad privacy law, but is aimed at consumer data.  I've seen some companies be concerned about it, but not as many as I thought.  But I am sure I'll be getting more into it.

NIST Privacy Framework- NIST has been working on this for the last year and released v1 recently.  I have a copy and am reading over it.  I plan on giving a talk at an upcoming local meeting, and may do a conference talk about this as well.  I am hoping I'll be able to attend NIST's upcoming cybersecurity conference, as I'm sure it will be a topic of discussion.  We'll have to see how well this works in helping companies prepare for privacy regulations.

FISMA Updates- NIST is still working on the updates for the documents used for FISMA.  The next one they are working on is SP 800-53 Release 5.  We don't have a release date, but I hope it will be soon as they've been working on it for so long.  Once it's out, we should see the other documents that rely on it, such as 53A and 53B, a new version of 800-171, and others.  All we have so far on this is THIS page.

DoD CMMC- The DoD released this month the first version of their Cybersecurity Maturity Model Certification (CMMC).  This is an interesting item: it's a certification for vendors of the DoD.  From a quick read, it combines the CMM/CMMI 5-level maturity model with the categories of NIST SP 800-171, which is about protecting controlled unclassified information (CUI).  SP 800-171 is based on the control set of SP 800-53.  I plan on posting on this and may do a presentation as well.

PCI-DSS v4- yes, there is a new update of PCI-DSS.  I first heard about this a couple of years ago.  This should be a revamp of PCI-DSS.  I just have no idea what it will look like until it's released, which I expect sometime this year.  I don't have an inside track; I just know from reading here and there that it's getting closer to release.  Yes, I hope to post on this as well.

There are several events coming up in my general area and I will be posting on these soon.

Tuesday, April 9, 2019

2019 Security BSides Orlando

Saturday March 30th, the 2019 Security BSides Orlando conference was held.  This is the 6th one, and the largest yet.  I believe they had over 700 in attendance.  As last year, it was held at Full Sail University's Live Venue location.

This year there were 4 tracks of speakers, along with several workshops and a CTF.  Several sponsors were in attendance.  No job track this year.

There was a book signing for the book Tribe of Hackers, as there were 3 hackers from the book in attendance.

And there was an electronic badge again this year, but this time it was a little more complex and programmable.

No idea where next year's event will be, but it will probably be tied to SANS Orlando again.



Thursday, April 4, 2019

SFISSA Security Conference

On March 22, 2019, the South Florida ISSA held their biannual 2019 Security Conference.  This time the theme was "A New Year, a New Era of Cybersecurity".

The conference had 4 tracks of speakers, as well as a 2 hour workshop on your cybersecurity career.  A keynote address was given by Dave Aitel of Cyxtera, and a CISO panel was held with 4 local CISOs from different companies.

An array of sponsors were present as well.  Breakfast and lunch were provided, and everyone had a great time.

The next event of the chapter will be their annual Hack the Flag/Chili Cookoff held September 7th at FIU's Graham Center.



Wednesday, February 20, 2019

2019 Update on frameworks, standards, and regulations for infosec

At the 2019 BSides Tampa Security conference I did a talk on 2019 Updates on frameworks, standards, and regulations for infosec.  Over the last year several new and updated frameworks and regulations have come out, and others are being updated.

Most of the information can be found on the Internet, but if you're not making an effort to stay up to date, you can miss something.  So here I give links to much of the information I gave.

NIST is the National Institute of Standards and Technology, a non-regulatory part of the Department of Commerce.  They are doing a lot of things that impact us in infosec.  Hopefully most are familiar with the Special Publication 800 and 1800 series that are put out on a regular basis.  Several are being developed, updated, and in a few cases retired.  Go HERE to access all of them.

The NIST Cybersecurity Framework (CSF) was updated to version 1.1 last year, and they later had a cyber risk conference in October.  It just had its 5th anniversary, too.  For full info on the CSF, and any updates and the like, go HERE.  One element I am looking forward to is an update to the informative references that will add additional references (such as crosswalks to PCI-DSS, Standards of Good Controls, etc).  Hopefully we'll start seeing these coming out.

NIST Privacy Framework.  NIST has embarked on creating a privacy framework like they've done for cybersecurity.  This work has just begun, and they are working on a preliminary framework which we should see soon.  I would hope there will be further workshops and feedback before the final version is out.  To see where they are, go HERE.

FISMA is the Federal Information Security Management Act.  It basically sets down security standards for federal information systems.  NIST has developed the materials for this: the Risk Management Framework (SP 800-37), the control set (SP 800-53), and other materials.  They are working on updating these, having just come out with the latest version of the RMF.  The control set is next, with others to follow.  Go HERE for their page on this work.  The schedule is HERE.

The Baldrige Cybersecurity Excellence Builder is a combination of NIST's Baldrige Excellence work crossed with their CSF.  It was rolled out in 2017, and should get an update this spring.  You can download it for free HERE, and there is info on how others have used it successfully.

NIST OSCAL is an interesting project that attempts to create a common control assessment language.  This is a project I want to spend more time looking into myself.  More info is on their website HERE.

Hopefully most have heard of the "Critical Controls" or the "Critical Security Controls".  Maybe you've heard it referred to as the "Top 20" or the "SANS 20" or the like.  While it was started by SANS, they no longer manage it.  For the last few years it's been handled by the Center for Internet Security, which rolled out v6 and in early 2018 rolled out v7.  They have reorganized it into 3 groups: Basic, Foundational, and Organizational.  They have been putting out other resources for it, including the CSAT, a self-assessment tool.  They are working on a v7.1 and I expect more resources coming from CIS.  So keep your eye out for them, as they just rolled out a companion guide for cloud (go HERE) and are working on another for IoT.

ISO/IEC 27000 is the international standard set for information security.  This series is made up of about 50-60 documents in various states of work.  Sadly, the documents are not free, and the cost is over $100 for each.  The key documents are usually 27001 and 27002.  27001 sets down the ISMS (Information Security Management System) and 27002 is the control set (compare with SP 800-53).  As several of the documents are being worked on, it's hard to keep up.  ISO/IEC 27005 got updated.  My go-to site to keep up to date on this is iso27002security.com.

Privacy regs (GDPR & California).  Privacy is getting more and more important.  While we work in security, we often get pulled into privacy work as well.  The GDPR (General Data Protection Regulation) of the EU was rolled out last year.  And we've already seen some big companies get in trouble.  While I see a lot of groups pushing GDPR training and the like, as a consultant I'm not seeing a lot of clients asking for help.  Yet.  California is rolling out their regulation, which isn't in effect yet.  We'll see if other states will roll out or update their privacy regulations.

One I left out of my presentation is 23 NYCRR 500, which is the New York Department of Financial Services (NY DFS) regulation on cybersecurity.  Rolled out a couple of years ago, the various elements of the regulation have been slowly phased in, with the last one required this March.  This regulation expects companies to do certain things to protect NPI (non-public information), such as have a security program and policies, do pentesting and vulnerability scanning, have a CISO, do training, have an incident response plan, have a vendor management plan, etc.  This may be a model for other states.  You can read it all HERE.

Now, there are some other items that aren't pure infosec/cybersecurity, but do touch on it, so they should be mentioned.

CMMI- The Capability Maturity Model Integration was originally for assessing the maturity of software development, and was later expanded to other areas.  The models were later merged into the CMMI, with Development, Service, and Acquisition versions.  The Software Engineering Institute at CMU developed it, and it used to be available for free or via books.  But they moved the CMMI to the CMMI Institute, which was recently bought by ISACA.  They've rolled out CMMI v2, but it's available as a SaaS product, and no longer free.  The CMMI Institute has also rolled out a Cybermaturity Platform, again as a SaaS product.  I'd like to learn more about it, but that is hard to do.

COBIT, which is ISACA's framework for governance of enterprise IT, has been updated to COBIT 2019.  They've rolled out the new books, and hopefully other materials will be updated to COBIT 2019.

ITIL is a framework for IT Service Management, which includes infosec.  The current version is ITIL v3 (updated in 2011).  It's being updated to a new version, ITIL 4.  So far only the foundation certification info has been updated.  Hopefully they will update the 5 main books this year.

PCI-DSS is the standard for assessing credit card processing systems.  The current version is 3.2.1, which was updated due to issues with SSL.  Well, the next version, v4, is going to be coming out, but not for another year or so.  It will be a very different version, but info on this is hard to find.  I'm sure as we move further along we'll learn more.

Hopefully this is useful for others.  As I learn of new updates, I'll make further postings.