CISA Publishes List of Useful and Free Security Tools, and Info for Small Critical Infrastructure Providers to Convince Management of the Misinformation Risk; Yet Another House Committee Hearing on Data Privacy Does Not Mean Legislation is Near

Sadly, some organizations, in particular in the government, have a hard time using free/open-source tools for political reasons, not due to the quality of the tool. I hope that CISA's list will put a spotlight on some of these tools and make it easier to overcome "Layer 8" issues in implementing them. Currently, the list is a bit dominated by a few vendors and I hope over time more tools will be added. Great start and high-quality resources.

Johannes Ullrich

This is an amazing list of tools but remember you need people and processes to take advantage of them in the most efficient way possible.

Jorge Orchilles

This is a great resource for businesses, particularly small businesses, to refer to when looking for tools. However, while this helps deal with the challenge of the technology part of cybersecurity, I do hope there will be additional resources made available around the other areas such as processes and people.

Brian Honan

The site includes foundational security measures you should be incorporating, links to tools you can deploy locally, as well as information on free services CISA can provide to help your cyber hygiene. Leverage these services and tools to both augment current capabilities and verify your assessed posture, possibly discovering issues previously overlooked.

Lee Neely

In light of recent Russian activity, security professionals and leaders are asking, “What should I be doing?” In most cases, nothing different than what you are already doing now from a security perspective. This CISA publication and release of tools emphasizes the same key lessons: focus on the fundamentals. Neither the attack methods nor the defense methods have changed; it is the sense of urgency that has changed.

Lance Spitzner

This short three pager doesn’t contain any news for large critical infrastructure providers. However, it may be useful for state/local players across water and power and smaller private firms in manufacturing, transportation, etc. to get across to management the need to monitor and minimize the risk of misinformation campaigns across social media.

John Pescatore

This is an easy read, and lists both company and employee actions needed to shore up your defenses for misinformation, disinformation and malinformation (MDM) campaigns. Note the different definition of MDM here.

Lee Neely

For companies that need to deal with multiple state privacy laws and regulations, plan on continuing to do so for the foreseeable future. I think we just passed the 20th anniversary of the first draft US national privacy legislation – while we may see some limited controls on what are now being called social media “platforms,” the obstacles to any meaningful US national privacy legislation have not changed.

John Pescatore

While there is increasing consensus that a national privacy law is needed, there is still disagreement on where enforcement should lie, which federal agency should oversee the law, what the privacy standards should be, and whether this is a framework to support state laws or intended to replace them. While this is still movement in the right direction, the federal efforts may be overtaken by states unwilling to wait enacting their own legislation, which may make it very interesting for service providers to meet a complex landscape of requirements.

Lee Neely

With all the activity over the last two years, particularly with ransomware and supply-chain issues, it’s a good time to incorporate that experience to the NIST CSF. Don’t wait to submit comments; you only have until April 25th. Comments need to be submitted to the Federal e-Rulemaking portal (www.regulations.gov) or via email to the NIST RFI (CSF-SCRM-RFI@nist.gov) with attachments in text, RTF, Word, PDF, HTML format.

Lee Neely

Having had electronic and paper health records lost during a natural disaster, I am missing any mention of backups in the document. The presentation appears a bit disconnected and repeats common knowledge without deriving a lot of new insight from it. I do not believe that this presentation will convince any healthcare leaders to do anything that they are not already doing.

Johannes Ullrich

If you have an EHR system, make sure you understand what data is included, where the system is, and how it is protected. This primer is intended to organize and simplify protection strategies from VPN and encryption in transit to email security. Use the recommendations to reduce your risks and drive the conversation with the EHR system provider, whether internal or externally hosted to make sure your data is protected and all parties are prepared in the event of an incident.

Lee Neely

The biggest takeaway is that everyone should shift their focus from prevention to detection. As we say in SEC504, prevention is a goal, detection is a requirement.

Jorge Orchilles

Not to sound like a broken record: WordPress is THE largest threat to the Internet's stability and national security. If there ever should be a mass power outage due to compromised industrial PLCs, I am pretty sure the root cause will be a spear phishing site hosted on a compromised WordPress site. A mass DNS outage or BGP melt down? The cause was likely malware downloaded from a compromised WordPress site.

Johannes Ullrich

It is rare for WordPress to force a plugin update (regardless of the plugin's auto-update setting). This decision relates to the ease of exploit for this flaw by any authenticated user. Even so, make sure your copy is updated to at least 1.22.3 (free version) or 2.22.3 (paid version).

Lee Neely

Keep an eye on Expeditors’ Downtime Notification site for status updates (link below) as they are updating it daily. They are currently planning to restore systems from backups, which can be a time intensive activity. No announcements have yet been made regarding manual or other alternate processes. Consider this incident, recovery plan, communication to date, comparing with your DR/COOP plans, then look at it from your customers' perspective to verify your assumptions and expectations.

Lee Neely

Another NewsBites and another ransomware attack. The numbers are not going down and we must continue to collaborate to detect and respond to these threats before boom (boom being exfiltration and/or encryption).

Jorge Orchilles

If you wish to use the ID.me process, the PII provided for identity verification will now be deleted as part of that process. If you had previously used this process, the biometric data will be deleted over the next few weeks. The challenge the IRS and GSA are trying to solve is to implement strong identity verification at scale. The virtual interview option is intended for this tax year only, with an improved options beyond 2022.

Lee Neely