Continuing to clear the news chum, here are a bunch of articles all related to cybersecurity:
- NIST Cybersecurity Framework is Changing. NIST is getting ready to release an update to their Cybersecurity Framework (and other updates are planned: eventually, the IPD of 800-53rev5 will be out for review, and then an update to 800-37). A key change in the new framework is measurement: The first, which should really be the starting point for any comprehensive cyber risk management program, is an entirely new section about measuring the performance and maturity of organizations’ cyber risk programs. It also discusses the need and complexity of correlating those metrics to business objectives and outcomes. That means measuring both how organizations are reducing risk to the business and identifying the benefits to the business resulting from good cybersecurity, such as how many new customers the organization has gained and/or how much more revenue was brought in. Another significant change in the framework is the addition of recommendations surrounding supply-chain risk management. Finally, the access-control category has changed within the framework. It was renamed to identity management and access control. The change adds more focus on making sure identities and credentials are managed from the time they are created to the time they are deactivated.
- Minimal Cybersecurity Requirements. Although some of us have known about this for a while, the world is growing increasingly aware of NIST SP 800-171. The new mandates take effect Dec. 31 this year and apply to contractors for the Department of Defense, National Aeronautics and Space Administration (NASA) and the General Services Administration. While some manufacturers are accustomed to working with federal agencies on classified projects, these regulations are meant to safeguard sensitive information in unclassified material, particularly as the threat of cybersecurity breaches grows. Basically, they apply to any federal contractor that handles what is called Controlled Unclassified Information.
- Encryption and Protection. Protection is good. Just ask porn site Pornhub, home to things like thumbzilla and youporn. They’ve gone to always-on encryption, meaning that although your ISP knows you’re going to Pornhub, they don’t know what you’re looking at. Others are turning to VPNs, and here’s a good summary of how to use one. Lastly, for those worried about your ISP seeing where you go, one thing you should do is not use the ISP’s DNS. I use OpenDNS: 188.8.131.52 and 184.108.40.206.
- Verizon and Spyware. Note that if you use Verizon Wireless, they may be pre-installing spyware on your phone.
- Congrats to North Hollywood High. They won a national cybersecurity competition. Disclosure: My employer helped sponsor the team, although I was not involved.
- Printer Cartridges. Lastly, an interesting court case that could dictate how much you pay for ink. This week, oral arguments were heard in the case of Impression Products, Inc. v. Lexmark International, Inc., and according to the well-regarded SCOTUSblog, it seems that the justices are having a tough time figuring out how to view this difficult legal tangle themselves. At its most basic, the case is a dispute over Lexmark’s patent rights regarding refilling printer cartridges. Impression Products is a small business with about 25 employees. It specializes in buying used printer cartridges and re-manufacturing them. In 2012, Lexmark decided to add Impression to an already existing lawsuit against other re-manufacturers. While the other defendants eventually settled, Impression has stuck it out and the case has made it to the highest court in the land. The question is: Does the manufacturer give up rights to something when you physically purchase it? Can Lexmark dictate what you can do with your printer cartridge? Can HP dictate that you can’t open your computer and modify it? Big key questions.