John Cavanaugh

With an increase in consumer banking done online post-pandemic, and the current geopolitical situation, it’s important for the Public and Private sectors to share threat intelligence to stop bad actors and Secure the Internet.

5

GSA announced last week that, "Starting June 8, 2024, GSA will begin collecting Common [#SSDF Attestation] Forms for new contracts (including micro-purchases) and the exercise of contract options, that include the use of software, regardless of whether or not the software is considered critical." This is a major update because it means all vendors dealing with GSA or a GSA contracts must comply in June and NOT in September, like originally thought. #ZeroTrust, #CyberSecurity, #SoftwareDevelopment, #DepartmentOfDefense, #InfoSec, #NationalSecurity, #DefenseTech, #CyberDefense, #SecureSoftware, #MilitaryTechnology, #DevSecOps, #InformationSecurity, #CyberAwareness, #GovernmentTech, #CyberThreats, #TechInnovation, #DigitalTransformation, #CloudSecurity, #DataProtection, #NetworkSecurity, #SecurityArchitecture, #CyberResilience, #IdentityManagement, #Encryption, #Compliance, #SecureCoding, #CyberRiskManagement, #AIInCybersecurity, #ThreatIntelligence, #CriticalInfrastructure, #CyberLaw, #CyberEthics, #TechnologyLeadership, #PublicSectorInnovation, #TechGovernance, #SecureByDesign, #PrivacyByDesign, #MilitaryInnovation, #DefenseStrategies, #CyberWarfare, #CyberDiplomacy, #GovernmentContracting, #DefenseContractors, #MilitaryTec, #TechPolicy, #SecureInfrastructure, #NationalCybersecurity, #TechForDefense, #SecureDevelopment, #GovernmentIT 

16

2 Comments

This Is a Common Problem That Many Large Organizations Face. 700 Exposed APIs Belonging to Cox 😕 A newly discovered critical vulnerability in Cox Communications' backend infrastructure exposed millions of business customer devices to potential attacks allowing threat actors to take over accounts and access sensitive data. The vulnerability stemmed from 700 exposed APIs belonging to Cox Communications. Many of those APIs included administrative functionalities that could have allowed attackers to steal personally identifiable information, modify millions of modems, and execute commands. The flaw resulted from an apparent error in the Spring framework code, which is commonly used for developing web applications and handling API requests. The coding error led to a series of vulnerabilities that affected proxy API requests sent to Cox Communications' dedicated backend system, while front-end files were served differently. #API Chris Riotta Brent Deterding Chris Roberts Drew Simonis Jimmy S, CISSP, CRISC, CISM

8

2 Comments

For those who missed my presentation at CMMC Day, a summary: There are two CMMC rules on two different rulemaking timelines that will lead to one giant gap between when DoD says you need CMMC and when the market says you need CMMC. The background info: The first rule codifies the CMMC program (the three levels, POAMs, waivers, roles and responsibilities, etc.). - This rule is the "32 CFR CMMC" rule. - Once this rule is final and effective, the CMMC marketplace is live (something I call the "market roll-out"). - That means your customers and your competitors will immediately pressure you to get certified. The second rule revises the DFARS clause 252.204-7021 created by the 2020 CMMC rule to match the details of the program at 32 CFR. - This rule is the "48 CFR CMMC" rule. - Once this rule is final and effective, DoD will begin inserting CMMC level requirements pursuant to the DFARS 7021 clause in contracts in phases. - Hence the name "phased roll-out". The 32 CFR CMMC rule was published just after Christmas 2023. Normally DoD rules take ~280 business days after publication to adjudicate public comments and publish a final rule. This puts the window for a 32 CFR CMMC final rule ~Q1 2025. However, DoD and OMB are highly motivated to wrap up rulemaking before the election adds time to the miscellaneous red tape that occurs when a final rule is published. There are many reasons to believe that DoD will beat the average timeline by a few months and meet their goal (for the sake of space, comment below if you'd like to know what those reasons are). In parallel, the 48 CFR CMMC proposed rule was originally slated for Q1 2024 publication with a Q1 2025 final rule. Unfortunately, the 48 CFR rule is behind schedule and was recently sent back for revisions which could add weeks/months before the proposed rule is published. If the average timeline applies to the 48 CFR rule once published in Q4 2024, then the gap between the two rules could be upwards of a year, possibly longer. As a result, all of the chaos resulting from CMMC will set-in by Q1 2025 but DoD will be able to say "we haven't required CMMC in a single contract yet".

163

19 Comments

New Gate 15 Security Sprint! EP 64. Verizon #DBIR, MDM, Hurricanes, Cyber Resilience!! Dave and I start off with me boasting about my newly acquired Tribal-ISAC merch 😃 and then touch on the new National Security Memorandum on Critical Infrastructure #Security and #Resilience. The we dive into our Main Topics: - Verizon 2024 Data Breach Investigations Report - Info Ops 🇷🇺 🇷🇺 🇷🇺 🇷🇺 - A Proclamation on National #Hurricane #Preparedness Week, 2024 - 🇨🇳 #cyber threats & Resilience! Cybersecurity and Infrastructure Security Agency: ‘Resolve to Be Resilient. Committing to resilience means doing the work up front—whether at a personal or organizational level—to be ready. It also means anticipating, preparing, and putting plans and measures in place to better withstand and recover rapidly when an incident occurs.’ 😍 https://lnkd.in/e-z5U6Tg #china #russia #cybersecurity #terrorism #security #gate15 #podcast

7

2 Comments

Update on the #CMMC timeline!  During the April The Cyber AB Town hall, Matthew Travis pointed out that CFR 48, the procurement side of the rule, was returned to the DoD and not accepted for release for public comment. The rule was originally expected out for public comment in March 2024; however since it was returned to the DoD on Apr 8 the timeline is unclear. Matt speculated that it could be a simple clerical error that could be quickly addressed enabling the rule to be released for public comment in May 2024. Public comments for CFR 32, the CMMC Program rule, are being adjudicated by the DoD. CFR 32 is still expected to be released in fall of 2024. This rule establishes the CMMC Program and authorizes assessments to begin. Therefore, it is likely that assessments can begin prior to being mandated in contracts. This will give the DoD additional fuel for including CMMC in more contracts once CFR 48 is finalized since organization will have plenty of time to get ready. Will your organization be ready for an CMMC assessment in time to beat the rush to ensure you can bid on contracts when CFR 48 is finalized?

31

3 Comments

It was pretty neat to see media coverage of our cybersecurity panel discussion at the North Carolina Technology Association (NC TECH) State of Technology event yesterday. Thank you Shane Snider and InformationWeek!! A few key highlights: 1. Remember the basics - While new threats come out all the time, don't forget the fundamental protective measures to secure your organization 2. Minimize Data - In addition to assessing your third-parties and adding security contract language, minimize data with them to the least amount necessary to complete the task. 3. AI for Good - Yes, criminals can use AI, but the defenders can too! 4. MFA - Please use Multi-factor Authentication (MFA) whenever possible. #cybersecurity #news #securetheplanet

121

7 Comments

No mention of defense contractors or CMMC in this new DoD playbook on cybersecurity reciprocity. This is written for the government's internal use. However, I'm happy to see evidence that DoD CIO is actively thinking about reciprocity. Reciprocity is different from inheritance. Inheritance is evaluated at a granular level - control by control, requirement by requirement. In general, it is much easier to evaluate inheritance than to evaluate reciprocity. Example of cybersecurity inheritance: Assessor: "Are you performing vulnerability scans to protect your CUI?" Defense contractor: I'm not, but my managed service provider is." Assessor: "Do you have proof that they are actually doing it?" Defense contractor: "They got assessed by an independent audit firm that confirmed they perform vulnerability scans of all their customers. Here is the audit report that shows it." Assessor: "I see that a reputable company did the assessment, they verified the same criteria that I want to see for vulnerability scans, the assessment was performed a few months ago, and that the assessment scope included the department that manages your systems. Looks good. You're "MET" for vulnerability scans." In comparison to inheritance, reciprocity is evaluated as a whole. For the CMMC program, the DoD decides which frameworks are "good enough" for reciprocity. An example of reciprocity: Assessor: "Is your cloud performing all the requirements in CMMC Level 2?" Defense contractor: "No, but it was certified against this other standard, which is pretty stringent too." Assessor: "Hey DoD, do you think that standard is good enough?" DoD: "Yup, we feel it meets or exceeds CMMC Level 2." Assessor: "OK, no further questions about your cloud." No mention of SOC-2 or ISO 27001 in this playbook. This confirms to me that it is very unlikely these will count for anything from a DoD reciprocity standpoint. FedRAMP is the only real candidate I see for CMMC Level 2 reciprocity, though even that isn't official at this point. Shameless plug: Want a double-check on your CMMC preps? Contact Kieri Solutions - Authorized C3PAO to get a Gap Analysis by a Lead Assessor with real world CMMC, 800-171, and Joint Surveillance experience. Nice find, ⚡️Jil Wright! #CMMC

51

6 Comments

Exciting to analyze the latest insights from the Boeing Ransomware incident. We're seeing notable trends emerge that underscore the evolving landscape of cybersecurity threats for manufacturers. Firstly, the myth that manufacturers are immune to cyberattacks is crumbling. Many have believed they aren't prime targets due to limited personal data holdings, but recent events prove otherwise. Ransomware isn't solely about PII—it's about halting operations until demands are met, hitting manufacturers hard. Secondly, the ransom amounts demanded are soaring. The ransomware industry has matured, with negotiations becoming more complex and costly. A $200 million demand might seem steep, but for Boeing—a company with a substantial market cap (157 Billion in 2023) —it's a calculated fraction, albeit a painful one. Thirdly, Boeing's resolute stance against paying the ransom is commendable. Companies are increasingly refusing to yield to extortion, despite facing fallout like data leaks and disruptions to relationships with customers and partners. These trends underscore the urgent need for heightened cybersecurity measures and resilience strategies across industries. Let's stay vigilant and adaptive in the face of evolving threats. #Cybersecurity #RansomwareProtection #Boeing #Drip7 #Cybersecuritytraining

12

1 Comment

My biggest concern from healthcare data breaches at the end of 2023 is that attackers are contacting the people whose files they stole directly. According to recent reports, even if a healthcare entity pays a ransom, the attackers are now calling elderly patients and extorting money from them. As healthcare-covered entity business associates, it is our responsibility to ensure that patients' sensitive information is protected and secure. Contact our Seimitsu team to work together to prevent further breaches and protect our clients and patients' privacy. #HealthcareDataBreaches #PatientPrivacy #CyberSecurity

5

DISA Expands Thunderdome Zero Trust Program Deployment; Brian Hermann, Quoted. ExecutiveGov discusses the Defense Information Systems Agency's (DISA) expansion of the Thunderdome zero trust program. In 2023, the program was deployed to 15 sites and plans are underway to extend it to 60 more sites in 2024. The program involves four key components: 🔐 Customer security stacks 🔗 Software-defined wide area networking 📴 Secure access service edge capability, and 💯 Application security stacks. Brian Hermann, DISA's director of the cybersecurity and analytics directorate, emphasized the program's role in advancing zero trust architecture, which is crucial for organizational security. DISA has also finalized the contracting process to support the U.S. Coast Guard’s network security improvement efforts through Thunderdome. Versa Networks is at the forefront of enhancing cybersecurity with their pivotal role in DISA's Thunderdome project. Their cutting-edge solutions are setting new standards in securing our nation's digital infrastructure. For more details, you can read the full article here:-https://lnkd.in/dNvErjXS #DISA #Thunderdome #ZeroTrust #Cybersecurity #versanetworks #channelpartners

2

1 Comment

Nothing to see here folks. Just the promotion of the gentleman who wrote a WaPo op-ed in support of renewing Section 702 of the Foreign Intelligence Surveillance Act (FISA). You know, that thing that BOTH side of the aisle were concerned about, which Sen. Ron Wyden (D-OR) called "one of the most dramatic and terrifying expansions of government surveillance authority in history." Yeah, he's on the Board of OpenAI now. As The Verge notes; "Recent departures tied to safety at OpenAI include co-founder and chief scientist Ilya Sutskever, who played a key role in Sam Altman’s November firing and eventual un-firing, and Jan Leike, who said on X that “safety culture and processes have taken a backseat to shiny products.”" I'm sure glad the NSA (fka OpenAI) will have a direct presence on my iPhone now. OG Article: https://lnkd.in/g8EP8YpR #lol #NSA #openai #ai #llm #security #goverment #policy #ethics #ethicsconflict https://lnkd.in/g8EP8YpR

6

1 Comment

Anyone remember the Metaverse? I'm about to speak at the ISC2 NJ and ISACA NJ SECON Event in New Jersey, and I decided that the topic is going to be an audience choice, where I have 4 topics and let the audience vote on which one they want to hear. I was going through my system and found my presentation on #Metaverse Security, from last year. I was considering throwing that in the mix and I realized that nobody talks about the hottest topic from last year anymore. Keep that in mind in general. #cybersecurity

58

12 Comments

Joseph Goodman, by Steven Palange and Copilot for Microsoft 365, Certainly! Here’s a rewritten “About Me” section and a detailed cybersecurity plan: About Me: With a robust 25-year trajectory in IT, I’ve navigated roles from help desk support to security and compliance leadership at Virginia Tech. My expertise spans across platforms, with a niche in PHP and MySQL for web app development1. Presently, I’m steering IT security and compliance, safeguarding sensitive data across financial, student, and medical domains, and adhering to standards like PCI-DSS and HIPAA2. My tenure in public service as a council member in Pulaski, Virginia, has honed my skills in budgeting, economic development, and fostering collaborative governance. Cybersecurity Plan: Risk Assessment: Conduct a comprehensive risk assessment to identify potential cybersecurity threats. Evaluate the effectiveness of current security measures and identify areas of improvement. Policy Development: Develop clear cybersecurity policies and procedures, including incident response and disaster recovery plans. Ensure policies meet compliance standards like PCI-DSS, FERPA, HIPAA, GDPR, and GLBA2. Employee Training: Implement ongoing cybersecurity awareness training for all employees. Simulate phishing and social engineering attacks to prepare staff for real-world scenarios. Infrastructure Security: Deploy advanced firewalls, intrusion detection systems, and endpoint protection solutions. Regularly update and patch systems to protect against known vulnerabilities. Data Protection: Encrypt sensitive data both in transit and at rest. Establish strict access controls and regularly review permissions. Monitoring and Response: Utilize SIEM tools for real-time monitoring and alerting of potential security incidents. Develop a structured incident response team ready to act on alerts swiftly. Vendor Management: Assess the security posture of all third-party vendors. Ensure vendors adhere to the same ethical and security standards as the company. Continuous Improvement: Regularly review and update the cybersecurity plan to adapt to new threats and technologies. Foster a security culture within the organization, encouraging proactive identification and reporting of security issues. This plan leverages AI capabilities to enhance threat detection, automate security tasks, and provide predictive analytics for proactive defense strategies. It’s designed to be dynamic, adapting to the evolving landscape of cybersecurity threats.

42

AT&T decided to sell off its cybersecurity division as part of its efforts to manage its debts, primarily due to its purchases of DirecTV, TimeWarner, and a failed attempt to buy T-Mobile. Despite these financial challenges, LevelBlue starts with a strong foundation, benefiting from AT&T Cybersecurity's ranking as the fourth-best managed security service provider in 2022. LevelBlue's success hinges on its ability to adjust and innovate in a quickly changing cybersecurity environment. Jonathan Ong from Omdia stresses the importance of customizing services to fit the market needs, especially as more companies and users consolidate their cybersecurity services. #Cybersecurity #LevelBlue #AT&T

17

1 Comment

This is a fantastic correlation of the 2024 #VerizonDBIR report to the #Mitre #Att&ck framework.

1