Donald Borsay, MSIA, CISA

ICYMI: Office of Inspector General Report in Brief from the Alabama Medicaid Management Information Systems (MMISs) and Eligibility and Enrollment (E&E) systems security audit. The scope of the audit was limited to external facing systems and a phishing exercise (GoPhish). https://lnkd.in/emGaGWQa The OIG audit reports are always good to get a glimpse of the focus of these security audits. The response to recommendations can also be helpful for orgs struggling with some of the same issues (Starting on page 14). Key Takeaways 1) Vulnerability Management: Existing tools were not effective in detecting system flaws. 2) Software Development: Issues were not remediated prior to deploying on production systems. 3) Phishing was not successful (0 opened emails......) #healthcare #hipaa #cybersecurity #hhs #riskmanagement #risktolerance #riskassessment #criticalinfrastructure #hitrust #criticalcontrols #penetrationtesting #vulnerabilityassessment #vulnerabilitymanagement

2

Recent third-party incidents have had a major impact on enterprises of all sizes and from all sectors. This is an important event to attend to learn how to mitigate this risk.

6

K12 SIX Releases Applicant Guidance for FCC K-12 Cybersecurity Pilot Program Investments Given the current cybersecurity posture of the K-12 sector—including the scarcity of K-12 IT staff with cybersecurity experience —such an open-ended pilot program may feel like both a blessing and a curse. Which eligible services would make the most impact? What time and expertise are required from K-12 staff to successfully implement any given solution? What will come of cybersecurity investments after the conclusion of the pilot program? https://lnkd.in/e4ir2QDY K12 SIX

62

4 Comments

🚨 CISA Weekly Vulnerability Summary: SB24-225 The Cybersecurity and Infrastructure Security Agency (CISA) has released its Vulnerability Summary for the week of August 12, 2024. This bulletin, SB24-225, sheds light on the latest vulnerabilities listed by the National Vulnerability Database (NVD). 🔍 Key Highlights: High-Severity Vulnerabilities: Cisco IOS XR: CVE-2024-3422: A flaw that could enable unauthorized access to sensitive system functions. Google Android: CVE-2024-2356: Critical vulnerability allowing remote code execution. VMware vSphere: CVE-2024-1457: Issues that could lead to compromised virtual environments. Notable Affected Products: QNAP NAS Devices: Multiple vulnerabilities impacting data integrity. OpenSSH: CVE-2024-4523: Potential exposure to unauthorized access. Emerging Threats and Advisories: Microsoft Exchange Server: Ongoing threats and advisories emphasizing the need for timely patching. 🌟 Mitigation Strategies: Deploy Patches Immediately: Ensure your systems are up-to-date with the latest patches from vendors to mitigate risks. Strengthen Monitoring: Implement enhanced security monitoring to detect and respond to potential exploitation attempts. 🚀 Engage and Share: How is your organization addressing these vulnerabilities? Share your strategies and insights to foster a secure and informed community. For more details, read https://lnkd.in/dmqCxvAN. 🚀 #CISA #Cybersecurity #InfoSec #VulnerabilityManagement #PatchNow

13

1 Comment

#SEC finalized amendments for S-P, designed to protect PII. RIAs, BDs and more must, (1) have a written incident response plan (IRP) and (2) develop procedures to notify people whose PII was improperly accessed. To quote the SEC, "The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors.”" 18-24 months to implement. #ria #rias #cybersecurity

4

OpenID Connect specifications published as ISO standards I’m thrilled to report that the OpenID Connect specifications have now been published as ISO/IEC standards. I submitted the OpenID Connect specifications for publication by ISO as Publicly Available Specifications (PAS) for the OpenID Foundation in December 2023. Following the ISO approval vote, they are now published. This should foster even broader adoption of OpenID Connect by enabling deployments in jurisdictions around the world that have legal requirements to use specifications from standards bodies recognized by international treaties, of which ISO is one. See https://lnkd.in/g5aZF8CJ for links to the ISO specifications and more details. OpenID Foundation #OpenID #OpenIDConnect #ISO

220

8 Comments

National Institute of Standards and Technology (NIST)  has released the RMF Small Enterprise Quick Start Guide. For organizations of all sizes, managing risk (including information security and privacy risk), is critical for organizational resilience. This guide is designed to help small, under-resourced entities understand the value and core components of the NIST Risk Management Framework (RMF) and provide a starting point for designing and implementing an information security and privacy risk management program. This document is not intended to replace the RMF; it is intended to be an introductory guide to help organizations get started. Link: https://lnkd.in/deZ9csya PDF Source: https://lnkd.in/dJaetyYx #NIST #dataprivacy #RMF #cybsersecurity #risk

1

New proposed amendments to the Defense Acquisition Regulations Supplement (DFARS) are scheduled for publication on August 15, 2024. These changes focus on updating the Cybersecurity Maturity Model Certification (CMMC) requirements for contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The comment period on the proposed DFARS rule will close on Oct. 14. Key Amendments in Policy (DFARS 204.7502) * Contractors must present a current CMMC certificate or CMMC self-assessment results at the required level during contract award. * This requirement applies to all information systems that process, store, or transmit FCI or CUI. Contracting Procedures (DFARS 204.7503) * Contracting officers must verify in the Supplier Performance Risk System (SPRS) that the contractor has posted a current CMMC certificate or self-assessment before awarding contracts, exercising options, or when new DoD UIDs are issued. * The successful offeror must also affirm continuous compliance with the security controls specified in 32 CFR part 170. Definitions Update (DFARS 204.7501) * A new definition for CUI, based on 32 CFR 2002, is included. * Definitions for "current" in relation to CMMC and DoD UID are also added. New DFARS Provision (252.204-7YYY) * A new provision, Notice of Cybersecurity Maturity Model Certification Level Requirements, informs offerors of the required CMMC level and mandates that CMMC certificates or self-assessment results be posted in SPRS. * Level 1 and Level 2 self-assessments must be posted by the offeror, while Level 2 and Level 3 assessments are transmitted to SPRS by third-party assessors and DoD assessors, respectively. * Successful offerors must provide DoD UIDs for contractor systems handling FCI or CUI. Updates to DFARS Clause 252.204-7021 * The clause now includes definitions for CMMC, "current" (as it relates to CMMC), and DoD UID. * Contractors must maintain the required CMMC level throughout the contract duration and submit relevant DoD UIDs to the contracting officer. * Annual affirmations of continuous compliance with security controls must be completed and maintained, along with notifications to contracting officers about changes in contractor systems or lapses in CMMC certification. * Subcontractors must also comply with the appropriate CMMC level before awarding any subcontracts. Contractor Responsibilities and Compliance * Contractors must ensure that data is only transmitted through systems certified at the required CMMC level. * Contractors are required to notify the contracting officer if any changes in certification levels occur that could affect contract performance. * The Department of Defense evaluated different options for CMMC certification timing, ultimately requiring certification at the time of award to balance risks and benefits. #cybersecurity #CMMC #DoD #compliance

8

1 Comment

This is very interesting... seems to be a riff on an analysis technique that we described in an article titled "Beyond Timelines - Anchors in Relative Time" ten years ago in Digital Forensics Magazine. The technique has been applied to extremely high-profile and high-stakes cases since then.

11

2 Comments

Join us on Wednesday, May 29th at 8:30 AM to discover how CERT Ukraine and CISA work together to combat cyber threats! Limited tickets available - act fast! Link in bio for more details and to get tickets. #CERTUkraine #CISA #CyberDefense #Collaboration #CyberSecurity.

12

CISA and FBI release draft guidance on Product Security Bad Practices for software manufacturers The CISA-FBI guidance outlines software manufacturers to avoid these product security bad practices. By following the recommendations in this guidance, manufacturers will signal to customers that they are taking ownership of customer security outcomes, a key Secure by Design principle. https://lnkd.in/gb3DgATY

4

Key quotes from the new 48CFR Rule for #CMMC. This rule is the one that goes into new and renewing contracts and requires having a CMMC certificate or self-assessment upon contract award. They tightened up the language quite a bit. On quick scan, it looks well done. The first 40 pages give a lot of information about the DoD's thought process on CMMC, including some technical clarifications like whether joint ventures need to be individually certified, and whether talking about CUI over the phone is in scope.

31

Why not adopt all of the information security controls from ISO/IEC 27001 Annex A and call it quits? Here's why: https://lnkd.in/gCaE8mu8

17

11 Comments

Help Us Secure Our World this Cybersecurity Awareness Month - Middle Tennessee State University (MTSU) FAST FACTS According to the National Cybersecurity Alliance 2023 Oh Behave! report: 1. 84% of people considered online safety a priority. 2. Only 38% of people use unique passwords for all their accounts. 3. About a third of respondents began using a password manager after receiving cyber training. 4. 79% of respondents were familiar with multifactor authentication. 5. 70% of those who have heard of MFA security measure know how to use it. 6. Only 36% of people always install software updates when they become available. 7. 69% of people express confidence in their ability to identify phishing attempts. 8. 51% of Americans actively report cybercrimes, particularly instances of phishing. October is Cybersecurity Awareness Month, an international initiative that educates everyone about online safety and empowers individuals and businesses to protect their data from cybercrime. Even amidst large-scale data breaches and cyberattacks, Cybersecurity Awareness Month reminds everyone that there are simple, effective ways to keep yourself safe online, protect your personal data, and ultimately help secure our world. Middle Tennessee State University (MTSU) is proud to be a Champion and support this online safety and education initiative this October. The theme of Cybersecurity Awareness Month is Secure Our World! This initiative reminds us that there are simple actions we can take every day to protect ourselves, our families, and businesses from online threats. Cybersecurity Awareness Month focuses on the top four ways to stay safe online: 1. Use strong passwords and a password manager 2. Turn on multifactor authentication 3. Recognize and report phishing 4. Update software Cybersecurity Awareness Month is led by the Cybersecurity and Infrastructure Agency (CISA) and the National Cybersecurity Alliance. For more information about ways to keep you and your family safe online visit https://lnkd.in/gbVrwN7q and https://lnkd.in/guzwsh_8. #MiddleTennesseeStateUniversity #MTSU #ComputerScience #CybersecurityAwarenessMonth #SecureOurWorld

18

CISA (Cybersecurity and Infrastructure Security Agency) has proposed new reporting requirements for significant cyber events across critical infrastructure sectors, including healthcare. These requirements aim to enhance cybersecurity measures but have raised concerns within the medical community. MGMA (Medical Group Management Association) has suggested that instead of adding duplicative reporting requirements, CISA should collaborate closely with HHS (Department of Health and Human Services) to streamline existing regulations under HIPAA. They also expressed concerns about the proposed size-based threshold, which could impose reporting obligations on smaller physician offices with revenues as low as $9 million annually. Do you agree that collaboration between CISA and HHS could streamline regulatory burdens? #HealthcareSecurity #CISA #CybersecurityReporting

5

Vulnerability exploitation involves taking advantage of weaknesses or flaws in software, hardware, or networks to gain unauthorized access, cause damage, or perform malicious activities.  #Vulnerability #exploitation #cybersecurity

2

CMMC Level 2 Assessment Objective: Alternative Work Sites PRACTICE: Organizations must enforce safeguarding measures for containing controlled unclassified information (CUI) at alternative work sites. ASSESSMENT: Alternative work sites may include government facilities or the private residences of employees. Organizations must define and implement safeguards to account for protection of CUI beyond the enterprise perimeter. Safeguards may include physical protections, such as locked file drawers, as well as electronic protections such as encryption, audit logging, and proper access controls. Be prepared! Your assessor could ask to: 🔍 EXAMINE a list of safeguards required for alternative work sites 🗣 INTERVIEW personnel approving use of alternative work sites 📝 TEST organizational processes for security at alternative work sites (CMMC Assessment Guide: Level 2 Version 2.11, page 186) #CMMC #DoD #cybersecurity #NIST #InformationSecurity

47

Fellow #CISSP holders, I need you to weigh in. I was recently having a discussion with a colleague where the conversation led to an important consideration. Having a CISSP comes with a hefty burden of upholding a code of ethics that can, in nearly every case, risk a cert holders livelihood. Given that ISC² has no jurisdiction or ability to offer protections for CISSP holders who uphold these ethical standards, how do you navigate scenarios where you witness unethical, illegal, or risky behaviors that could put an enterprise and the public at risk? There are some serious considerations I think every #CyberSecurity #Practioner needs to consider before they align to ANY certification body. 1. Ethical Dilemma: CISSP's are expected to uphold high ethical standards, including reporting security issues, but may face personal consequences for doing so. 2. Enforcement Limitations: ISC²'s ability to enforce ethics is largely limited to the certification itself, not extending to workplace protections. 3. Credibility Issue: This situation could potentially undermine the integrity of the certification if holders feel they can't act on their ethical obligations without risking their livelihoods. 4. Practical Challenges: Providing actionable protections across various global jurisdictions and employment situations is extremely complex. So, with that being said, how do you navigate the conflicts of interest that exist with these certifications? Let me know in the comments. I want to hear your thoughts! #CleverGirl ♛ Gina King ♛ Derrick Knox, Jr. WellSecured IT The Ovation Point LLC Diverse IT ISC2

21

33 Comments

Putting on the final touches for the ISACA Central Maryland Chapter (CMC) Cybersecurity Framework (#CSF) event next week! Have you signed up? @Kelly Hood and I are presenting an overview of the NIST Cybersecurity Framework v2.0, highlighting the key updates from version 1.1 and guidance for using the CSF v2.0 to mature your cybersecurity capabilities and addressing compliance needs. Not signed up? It's not too late. Use the link below for more information and to register for the event. 👇 https://lnkd.in/erhXdqtu

10