Friday, May 01, 2020

What I'm Reading (or Watching or Listening to) 5/1/2020 - Dragos / SANS Virtual ICS Conference, Also Apparently CMMC Sucks

Dragos / SANS - Virtual ICS Conference

Registration is still open (5/1/2020 - recorded after)
The content is focused around being widely acceptable for both IT Security and OT/ICS audiences and the theme is focused around education especially during times when many folks are at home and working remotely. Special focuses are being given in the talks to what work and efforts can be accomplished with minimal effort during slow down periods.
Forbes - Cybersecurity Maturity Model Certification: An Idea Whose Time Has Not Come And Never May
Cost and bureaucracy aside, what can go wrong? A great deal actually. There are at least two layers of non-government entities in this scheme that have enormous power. The lawyer in me sees all sorts of possibilities for both mischief and disputes to arise. This is not a trivial matter. When an Assessor effectively tells a business that it is not allowed to bid on a government contract it may have been preparing to bid on for months if not years, people are going to get upset, very upset. The list of possible disputes is long – where and how will they be resolved? Who will absorb the litigation risk for the Authorization Board, the Accredited Organizations, or the licensed Assessors? What legal accountability will anyone in this new structure have for its actions – to either the government or to affected parties? No one knows.
In a world in which the Department is reaching out to commercial firms and technology start-ups to encourage them to do business with the Department of Defense, why would a non-defense firm with a dual use technology subject itself to this independent bureaucracy? How long would it have to wait for an assessment? What risk of failure would there be? How quickly could a shortfall be corrected and reassessed? What would it all cost? The list of goes on and on.
 Related - Fedscoop - How one RFP is prompting backlash against the new cybersecurity board for defense contractors
The Cybersecurity Maturity Model Certification (CMMC) — the new third-party cybersecurity testing program that applies to all Department of Defense contractors — is off to a turbulent start.
...
With the sudden release of the continuous monitoring RFP, some have described the CMMC accreditation board as a private layer of bureaucracy that will only hamper progress on securing sensitive government information entrusted to contractors.
“CMMC is a deeply flawed way to achieve this objective,” Frank Kendall, the former undersecretary of defense for acquisition, technology and logistics, wrote in Forbes late Wednesday. “The Defense Department should at least delay CMMC implementation, and probably cancel it altogether.”
Security Week -  DHS Reiterates Recommendations on Securing Office 365 -
An alert the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) published this week reiterates previously issued recommendations on how organizations should properly secure Microsoft Office 365 deployments.
In May last year, the agency issued an alert to highlight some of the common security oversights by Office 365 customers, and also included a series of recommendations on how organizations could improve their security posture.
 Flashpoint - The Three P’s of Contingency Planning: People, Process, and Products -
Overall, contingency or pandemic planning needs to be holistic, including: people, process and products. People should come first, they are most certainly the key to any organization success and it’s most valuable asset. In terms of process, I’m not sure any of us anticipated the degree of impact COVID-19 would have on our personal and professional lives, but having a baseline understanding of processes which need to continue and ensuring our co-workers, third party partners, and customers understand operations will be critical to continue. And lastly in terms of product, my recommendation is to think of ways to best support your customers for the new ways that pandemic situations impact their organizations. Flashpoint, for example, is hyper-focused on helping it’s clients navigate the cybercrime that comes with uncertain situations like we face today when it comes to fraud, misinformation, disinformation, and other schemes.
Security Week - CISA Reminds Federal Agencies to Use Its DNS Service -
In the United States, DNS resolution services provided by CISA are mandatory in most federal agencies in the executive branch. Otherwise, agencies no longer benefit from the provided cybersecurity protections, while CISA loses insight.
In the recently issued memo, CISA reminds agencies that their local DNS recursive resolvers should use its DNS service (E3A) as their primary (or ultimate) upstream DNS resolver.


No comments: