
Greg Witte


Posts posted by Greg Witte

  1. Good afternoon!


    I think there's a lot of merit in your suggestion. The adversaries have certainly figured out how to leverage multiple endpoints working as a large infrastructure. What might be the next steps to identify specific outcomes that would lead to your solution?


    BTW - I don't think there's a particular forum for this. Many of the others deal with specific elements of the Cybersecurity Framework, and I agree with you that this is a topic of general interest.


    Have a great day!



  2. That's cool insight, Phil. It's great to be able to understand the derived requirements that result from a relatively simple outcome like "Data-at-rest is protected".


    One point to consider that came up in this week's NIST workshop - some orgs have misinterpreted the Informative Reference column as required controls. Those are simply examples for inspiration, and one could find replacement or supplemental inspiration through GRCsphere and CCH. I don't know how that might impact the resulting derived controls, but I hope an organization wouldn't try to do ISA and ISO and COBIT 5 and RMF and CCS. That would be hard!


    Thanks for bringing the question to CForum. After a great week at NIST with hundreds of friends and peers, I'd love to have conversations like this every day!



    G2, Inc

  3. Hi, Frank!


    I'm more of a process/policy person, so I don't know a lot about eCommerce platforms and went searching to learn more. I came across many sites, most of them ads for their particular platform, but I learned a lot from http://www.toptenreviews.com/business/internet/best-content-management-system-software/.


    I wasn't so much interested in their particular reviews, but I wanted to see what they used to measure "Security" aspects of a CMS.  In your searching, some of those aspects might be useful in finding the right fit:

    • Can you manage privileges in a granular way so that, if something goes wrong, the bad guy doesn't get all the keys to the kingdom?
    • Does the CMS support well-established certificates and encryption models?
    • Does it provide ways to confirm that there's a real human on the other end, without being too intrusive?
    • Are there good logging & auditing methods to help you detect bad behavior, or at least understand what went wrong after an attack?

    Hopefully others can chime in with more specific suggestions, but I think one of my next steps would be to find specific security requirements that could be included in the search.


    Happy hunting!


  4. Hi, Randy! Thanks for joining us!


    The company I'm part of (G2) is a small business here in the states, and I know that none of us has money to just give away to the bad guys. I'm sorry to hear your org fell prey to rotten criminals.


    Your note mentioned that you're looking at security tools and trying to replace security "top to bottom". Tools are important, and you might need a complete rebuild, but I would encourage you to take a look at the Cybersecurity Framework (or CSF) that CForum is organized around.


    The CSF was built by thousands of security teammates around the world, looking to find ways to deal with attacks like the ones you mentioned. We found that none of us have resources to just randomly throw at the problem, so we have to prioritize understanding of what needs to be done to protect what's really important to each company, then select the right tools to accomplish those priority outcomes.


    If you'd like to learn more about CSF, it's available here, and there's a supporting site at http://www.nist.gov/cyberframework. The industry resources page there has dozens of links to examples of how other organizations are already using it. Meanwhile, we have some free templates that might help get you started - please feel free to PM me via the CForum or drop me a note at greg.witte <at> g2-inc.com.


    Best wishes,

    Greg Witte

  5. With the passage of recent legislation (e.g., the CISA provisions), it seems like organizations have more opportunities to share "best practices" directly with the government, who can then share relevant practices with sector participants. Based on the limited amount of sharing that has been going on over the last two years, perhaps such a USG-based solution would work best.


    Are there steps the US could take to increase that?



  6. Good morning, team!


    No responses to my earlier question, so I guess everyone is still thinking about the risk question.


    Here's the next in the series - I promise, we won't go through all 25 of the RFI questions, but I think this one is pretty key: What could we recommend to NIST that you would add to, remove from, or change about the current CSF model?


    I'll start us out with a couple that I would bring now that I've used it several times:


    1. I still like the notion of how I read the Tiers' role - the idea of intentionally and specifically determining the org's risk management strategy, integration and collaboration, then using that to help frame the outcomes that go in the Profiles. That said, they've clearly been confusing and I would re-engineer the way that occurs.


    2. Meanwhile, where I see Tiers being used 90% of the time is where I would make a CSF addition: include a process capability determination in the Current State and Target State profiles. Many of my CSF clients have determined that it is helpful to add a rating scale to the category/subcategory outcomes, and that such a scale helps in setting the target. We use such a scale in COBIT 5 and our team added it to the ISACA CSF Profile.


    So, having poked the Tiers bear, standing by for brilliant thoughts. Have a great day!! Greg


  7. Good evening!


    I'd like to start collecting some information to provide a CForum response to NIST's RFI. This forum includes hundreds of those who attended the workshop, so I think we can speak with credibility and understanding.  Certainly not going to try to cover all 25 questions, but I'd like to get some insight and I'll be sure to post the draft response here for consideration and feedback.


    Given that here's the first round:

    To what extent do you believe the Framework has helped reduce your cybersecurity risk?

    Please cite the metrics you use to track such reductions, if any.


    Thanks! Greg


  8. Coming off the excitement of this week's ISACA CSX conference, I wanted to share a heated debate that we had there that is rivaled only by the infamous bathroom tissue OVER vs UNDER debate. (Not that there is a debate - I've been known to enter friends' houses and quietly CORRECT their rolls to the OVER position.)


    My personal default is to identify priorities, risk architecture, critical supporting assets, and then start with a Target Profile that defines what must be done to protect those resources. Upon completing an impartial list of where do I want to be, I can then record my Current State and review gaps.


    Many of my colleagues and customers, and indeed COBIT 5 itself, start with where we are and then decide where we want to be.


    From my perspective, in determining where I need to go, my current position has little value. If I need to get to Cleveland for a meeting, then I need to get there regardless of where I'm starting from. Once I've decided that, though, I can determine that I'm in Baltimore and I can calculate routes to get there.


    The counter-argument, though, is that in a real world, I should consider reasonable steps from my current position, not hypothetical targets that may or may not be reachable from here.


    What do you think - which comes first?




  9. I was pretty bummed yesterday hearing the long line of people bashing Federal Government email and admitting that they use personal email for official business.


    This note has nothing to do with the politics of it, but what good does it do us to spend tens of billions of dollars a year on safeguards and filters just to have a user - any user - circumvent those controls?


    It's a good reminder of the need for continued good training, awareness and communication about why these safety measures are important. That won't fix it all ... I imagine few understand risk better than General Powell, and yet it seems he broke the rules. But maybe some will get it.


    At least we security people can count on job security!

  10. Yesterday, I watched with interest as several senators asked about the success criteria for the Framework.  Some were a little more snarky than others, but it's a valid question. U.S. academic, industrial, and governmental orgs have invested millions of dollars - how do we calculate the return on that investment?


    It seems like it needs to go beyond the talking phase - one could simply declare that they've selected a Tier to shoot for and say they're using the Framework. 


    To run through the full cycle, while it could be done in days, is more likely to take several years.  Certainly we wouldn't measure only those who have completed all the steps in a comprehensive way.


    So, how will we know if/when the Framework has achieved its goals?




  11. I think the framework helps in building or improving such an architecture, especially while the legacy-to-digital transition is happening. While such a transition is being planned and implemented, I'm sure the organization must be considering security needs as part of the modeling. Within that process, the Core functions seem like they would fit - (1) identifying how best to protect against at least the known threats, (2) how to defend and respond when those risks become real, and (3) achieving recovery objectives when things go bad.


    In the case you described, the action plan would draw upon the sector-specific requirements. I'd be surprised if there are high-level needs that wouldn't fit into one of the categories.



  12. Hey, everyone!

    NIST has posted a preview copy of their upcoming RFI of the Cybersecurity Framework. It will be formally provided in the Federal Register soon, likely next week (and will begin a 45-day comment period). It is available from http://www.nist.gov/cyberframework/upload/preview_RFI-CyberFramework-081414.pdf


    The RFI is designed to help gather information about awareness of and initial experiences with the Framework, including for those already using it within their organizations and those that are developing supporting guidance, tools, and resources. NIST is hoping to get a broad range of responses - including those who strongly advocate other directions. This input will inform NIST’s future planning, and help maintain the Framework as a living document. It’ll also be key to help us develop the agenda for our next workshop at the end of October in Tampa.

  13. We received the following question during the webinar yesterday - Do you have any thoughts around how culture within organizations affect not only CSF but information security overall? 

    I personally think culture has a significant impact.  During the workshops, we used the example of how a culture of safety affects that area of influence.  If managers are lax about safety, people can get hurt badly and overall quality of company efforts will suffer.  If, on the other hand, safety becomes institutionalized, it can become an enabler that brings the team together and creates an advantage.
    When a culture of common sense risk management becomes institutionalized, I think that security improves throughout. Social engineering attempts work fewer times, phishing emails work less frequently, and the ISSO is called in at the design phase rather than a week before a project goes live.
    Lastly, some of the information security awareness activities can be a lot of fun. That in itself can benefit the organization.
    Other thoughts? (Note: We have about a dozen questions that I'll post here for discussion.)

  14. I had a great time today introducing the CSF and ISACA in ISACA's Cybersecurity Exchange Webinar.


    The recording is available at: http://www.isaca.org/Education/Online-Learning/Pages/Webinar-How-to-Implement-the-US-Cybersecurity-Framework-using-COBIT-5.aspx


    Meanwhile, I took note of some of the questions, and I'll start some discussion topics on those fronts.


    Thanks to everyone that took time out of their day to join us!!







  15. These are some good points, Tom.  It seems like two ways to help achieve the "fit for purpose" you describe would be to either use a security enhanced operating platform (e.g. an OS with fewer capabilities compiled in) or better ways to configure COTS platforms (e.g. a Windows server with many services disabled.)


    In either case, information could be shared among providers to better achieve this specialized security / limited functionality purpose. The platform vendors could help us understand how best to turn features on and off.


    I think you're right that this model would go a long way toward safer systems in a connected world!


    Greg Witte

    Sr. Security Engineer

    G2 Inc.

  16. Missing the sold-out FIRST conference in Boston, but looks like a great presentation today by Denise Anderson of the FS-ISAC. The work they've led in secure repositories for and exchange models of incident & threat info is already helping other ISACs make progress as well!