Newsletter

open source and cybersecurity news

September 1, 2023

It's 5:05, Friday, September 1, 2023. Here's your daily cybersecurity and open source briefing.

In this Episode:

Marcel Brown: September 1st, 1977. Pioneer 11 becomes the first manmade object to fly by Saturn. After passing Saturn, Pioneer 11 continued on a trajectory towards the center of the Milky Way. The last contact with Pioneer 11 was in November of 1995.

Edwin Kwan: A data breach victim suffered additional emotional toll when she was charged by the courts and fined $1.2 million. The Australian victim had her information compromised in the Medibank data breach. The victim was served electronically with papers with charges for cybersquatting, trademark infringement, and IP infringement.

Katy Craig: The NIST Cybersecurity framework is getting a facelift and Version 2.0 is currently in draft form. So what’s cooking in the NIST kitchen? Let’s find out. First up, scope and intent.

Trac Bannon: The new draft of the NIST Cybersecurity Framework, CSF, is exciting. Why? Because the working group is applying modern software practices and techniques. The software architect in me is overjoyed that the CSF 2.0 includes a few updates that align with modern software practices.

Olimpiu Pop: Organizations using CSF may choose to handle a risk in different ways. You can create current profiles for the status quo of your cybersecurity or a target profile to define the end goal. Community profiles for different industries can be used as inspiration.

 

The Stories Behind the Cybersecurity Headlines

 

Edwin Kwan
Data Breach Victim Gets Fined In Court

Edwin Kwan, Contributing Journalist, It's 5:05 Podcast

A data breach victim suffered additional emotional toll when she was charged by the courts and fined $1.2 million.

This is Edwin Kwan from Sydney, Australia.

The Australian victim from Byron Bay had her information compromised in the Medibank data breach in October 2022. This is the only breach of her information that she is aware of.

Later that year, hackers took control of her PayPal account in a credential stuffing attack. Credential stuffing is where attackers attempt to gain access to accounts using usernames and passwords sourced from data leaks. After her PayPal account was compromised, attackers used the account to make hundreds of fraudulent transactions, trading hundreds of counterfeit goods under her name.

Soon after, the victim was served electronically with papers from the US District Court of Florida with charges filed by Adidas and the National Basketball Association for cybersquatting, trademark infringement, and IP infringement. The court ran the cases ex parte, where there isn’t a requirement for all parties in the case to be present. The courts awarded damages against the victim of $200,000 to the NBA and $1 million to Adidas.

Six months later, the Byron Bay victim is no closer to clearing her name. Even though the US Court judgment would need to be registered with the local Australian courts for it to be enforced, this could affect the victim’s ability to travel to the US. The Office for the Minister for Cybersecurity and Home Affairs is currently assisting the victim and referring the matter to the Australian Federal Police.

Resources
– ABC News, Australia: https://www.abc.net.au/news/2023-07-25/byron-bay-data-breach-victim-adidas-nab-us-court-action-damages/102575726

 

Marcel Brown
This Day, September 1st and 2nd, in Tech History

Marcel Brown, Contributing Journalist, It's 5:05 Podcast

This is Marcel Brown delivering you some technology history for September 1st and September 2nd.

September 1st, 1977. Pioneer 11 becomes the first manmade object to fly by Saturn. After passing Saturn, Pioneer 11 continued on a trajectory towards the center of the Milky Way. The last contact with Pioneer 11 was in November of 1995.

September 1st, 2008. Google accidentally ships a printed comic book introducing to the world their new browser, Chrome, originally intended to launch on September 3rd. Google later posted a blog article on September 1st announcing that Chrome, since the secret had leaked, would now be released on September 2nd.

September 2nd, 1993. The world’s first primitive web search engine is started. Known as W3Catalog, or the CUI WWW Catalog, it was started by Oscar Nierstrasz at the University of Geneva. This search site lasted for about three years before more modernized search engines began appearing.

September 2nd, 2008. One day after accidentally mailing a paper comic book introducing the world to their new web browser, Google officially releases the first beta version of Google Chrome for Microsoft Windows. Google Chrome is now the world’s most popular web browser.

That’s your technology history for today. For more, tune in next week and visit my website thisdayintechhistory.com.

Resources
http://thisdayintechhistory.com/09/01

 

Trac Bannon
CSF: Modernizing the NIST Cybersecurity Framework

Tracy Bannon - Contributing Journalist

The new draft of the NIST Cybersecurity Framework (CSF) is exciting. Why? Because the working group is applying modern software practices and techniques.

Hello, this is Trac Bannon reporting from Camp Hill, Pennsylvania.

The software architect in me is overjoyed that the CSF 2.0 includes a few updates that align with modern software practices. These updates reflect the changing nature of cybersecurity risk and the need for organizations to adopt more agile and user-centric approaches to cybersecurity risk management.

CSF 2.0 now includes the Software Development Lifecycle (SDLC) category in the Protect function. This category includes outcomes related to securing cybersecurity development practices, like threat modeling, code reviews, and testing. Integrating cybersecurity into the SDLC reduces the risk of vulnerabilities. It can improve the overall security of the software products.

More modern software practices show up in CSF 2.0 with the inclusion of the Identity and Access Management (IDAM) category in the Protect function. There are outcomes related to user authentication, authorization, and identity proofing. By focusing on IDAM, organizations can both improve the user experience and reduce the risk of unauthorized access to sensitive data and systems.

CSF 2.0 includes updates that reflect the need for more agile and user-centric approaches to cybersecurity risk management.

A new risk management strategy category in the Identify function has been added. This emphasizes the need for organizations to adopt a risk-based approach to cybersecurity risk management.

Another modern software technique is applying agility through collaboration. The “Supply Chain Risk Management” category in the Identify function reflects the need for organizations to take a more holistic and collaborative approach to managing cybersecurity risks in their supply chains.

There is even a focus on building the digital workforce. Talk about a smart approach. The cybersecurity workforce category in the Identify function describes the need to develop and maintain a skilled cybersecurity workforce with outcomes related to workforce planning, training, and development.

The NIST Cybersecurity Framework 2.0 appears to apply practices and techniques we see in most modern software efforts, and it’s about time. We need to collectively improve cyber posture, reduce the risk of vulnerabilities, and better manage cybersecurity risks.

Head over to 505updates.com for today’s resources. Something to noodle on.

Resources
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.ipd.pdf

 

Katy Craig
CSF: What’s cooking in the NIST kitchen?

Katy Craig, Contributing Journalist, It's 5:05 Podcast

The NIST Cybersecurity Framework is getting a facelift and version 2.0 is currently in draft form. So what’s cooking in the NIST kitchen? Let’s find out.

This is Katy Craig in San Diego, California.

First up, scope and intent. Version 1.1 was like that friend who gently suggests you should probably eat healthier. Version 2.0 is more like a personal trainer yelling in your ear for two more reps. Also, it’s not just about critical infrastructures. Small- and medium-sized businesses are now in the spotlight.

Next, we’ve got maturity models. Version 1.1 was all about guidelines, but 2.0 introduces a cybersecurity maturity model. Think of it as a Fitbit for your cyber health, helping you gauge where you stand and what you need to work on.

Supply chain risk? Oh, it’s getting real. While 1.1 gave it a nod, 2.0 dives deep, like saying, “Hey, you locked the front door, but what about the back door?”

Usability and metrics are also getting a boost. Gone are the days of theoretical mumbo jumbo. Version 2.0 shows you how to actually implement what you’ve learned.

As for integration, Version 1.1 was the lone cowboy of cybersecurity frameworks. Version 2.0? It’s rallying that cowboy to join a posse, pushing for integration with other risk management frameworks.

And last but not least, automation. Version 2.0 wants to turn your cybersecurity practice into a well-oiled machine, emphasizing automated sharing of threat intel and response actions.

Whether you’re a cybersecurity newbie or a seasoned pro, keep an eye out for the finalized NIST Cybersecurity Framework 2.0. It’s shaping up to be the Swiss Army Knife of Cybersecurity Frameworks.

This is Katy Craig. Stay safe out there.

Resources
– NIST: https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-20/ipd

 

Olimpiu Pop
CSF: Defining Profiles and Tiers

Olimpiu Pop, Contributing Journalist, It's 5:05 Podcast

Organizations using CSF may choose to handle a risk in different ways: mitigate, transfer, avoid, or accept, depending on the impact and capabilities.

CSF defines profiles and tiers as means for assessment, prioritization, and communication.

A profile is the alignment of the company’s requirements, risk tolerance, and resources with the functions and categories of the CSF. You can create current profiles for the status quo of your cybersecurity or a target profile to define the end goal. Community profiles for different industries can be used as inspiration.

Comparing current ones to target or community versions can help create actionable items for improvement. Definitions of how to measure the performance of cybersecurity can be found on the dedicated space on NIST’s website.

Tiers can be used to set the overall tone for how cybersecurity risks will be managed within the organization, but also to determine the required effort to reach a selected tier. The defined tiers are:

1) Tier One: Partial. Limited risk awareness; cybersecurity activities are ad hoc.

2) Tier Two: Risk Informed. Organizational risk awareness without a formal policy.

3) Tier Three: Repeatable. Cybersecurity practices are regularly updated based on the changing threat landscape and business mission requirements.

4) Tier Four: Adaptive. There is a strong culture of integrated risk management across the organization.

The benefit of these tools is that they can be used both internally or externally for communication purposes.

I already can see applicability in day-to-day operations. On 505updates.com, you can listen to the full episode containing further perspectives on CSF.

Olimpiu Pop, reported from Transylvania, Romania.

Resources
https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8183r1.pdf
https://www.nist.gov/cyberframework/examples-framework-profiles
https://www.nist.gov/cybersecurity-measurement
