NIST Cybersecurity Framework Version 1.1 Released for Public Comments
According to a press release, “NIST published the second draft of the proposed update to the Framework for Improving Critical Infrastructure Cybersecurity. This second draft update aims to clarify, refine, and enhance the Cybersecurity Framework, amplifying its value and making it easier to use. This latest draft reflects comments received to date, including those from a public review process launched in January 2017 and a workshop in May 2017. Public comments for the latest draft of Cybersecurity Framework version 1.1 and the draft Roadmap are due to NIST by […] January 19, 2018.” Quoted in SC Media, Larry Clinton, president and CEO of the Internet Security Alliance (ISA), said, “…the new draft makes it clear that our goal is not some undefined metric for use of the Framework, but for effective use of the Framework. Moreover, this use-metric needs to be tied not to some generic standard, but to be calibrated to the unique threat picture, risk appetite and business objective of a particular organization.”
EU Wants Privacy Shield Pact Concerns Addressed by End of 2018
Although the European Union and the United States agreed to the Privacy Shield pact, which is intended to ensure that US data handling complies with EU law, EU regulators (specifically the Article 29 Working Party) want certain concerns about US law addressed, and they have said they will take those concerns to court if the issues are not resolved. According to Reuters, “The Privacy Shield framework - which is used by over 2,400 companies including Google, Facebook, and Microsoft - has already been challenged in the courts by privacy activists who say it does not go far enough to protect Europeans’ data. The data protection authorities asked for ‘further evidence or legally binding commitments’ to back up U.S. assertions that its data collection under Section 702 is not indiscriminate and that access to the data is not conducted on a generalized basis.” Section 702, which will expire December 31, also continues to concern companies, privacy advocates, and citizens in the United States, as ZDNet recently reported that “The US government does not need the approval of its secret surveillance court to ask a tech company to build an encryption backdoor.”
Two Research Reports Discuss Incident Response and Industrial Information Security Trends
CrowdStrike released its annual Cyber Intrusion Services Casebook which provides insights into attack tactics, techniques and procedures (TTPs), and the state of breach readiness across industries. The findings include:
Also, Honeywell recently released a report titled “Putting Industrial Cyber Security at the Top of the CEO Agenda.” In a summary by ZDNet, the “in-depth poll of 130 industrial companies revealed that almost two-thirds of those surveyed -- a total of 63 percent -- admitted they do not monitor for suspicious behavior, and 45 percent do not even have a cybersecurity expert or manager in place. Despite over half of these companies, 53 percent in total, reporting that they have already been the victim of at least one cybersecurity breach, 20 percent still do not conduct regular risk assessments.”
2018 Cybersecurity Trends Roundup
We continue to round up various 2018 cybersecurity trends articles that cover topics important to CISOs and the security community.
Banks Participate in Sheltered Harbor Project to Prepare for Worst-Case Cyberattack Scenario
What if ATMs stop working? What if a cyberattacker destroys or locks financial data at a major bank? Some cybersecurity experts in the financial sector fear that a major cyberattack could cause a run not only on the bank affected but also on other banks. To head off this worst-case scenario, banks and credit unions have created the Sheltered Harbor project, the Wall Street Journal recently reported. According to the Wall Street Journal, “Its 34-member board is composed of representatives of individual big banks, groups of smaller firms, trade associations, clearinghouses and broker-dealers. […] The idea is to ensure that every U.S. bank has the kind of backups that some of the biggest banks have been using since the 1990s: protected in vaults, whether digital or physical, and unalterable once recorded.”