Difference between revisions of "Cybersecurity"

From MgmtWiki
Jump to: navigation, search
(Solutions)
(Problems)
 
(12 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
==Full Title or Meme==
 
==Full Title or Meme==
The increase in cyber attacks and ransom-ware payments is increasing the demand for "experts" beyond the supply.
+
The increase in cyber-attacks and ransom-ware payments is increasing the demand for "experts" beyond the supply.
  
 
==Context==
 
==Context==
 
* It seems that a snake-oil industry is in development to provider service for high costs beyond the capacity of the talent to respond.
 
* It seems that a snake-oil industry is in development to provider service for high costs beyond the capacity of the talent to respond.
* [[Cybernetics]] was described by Norbert Weiner before computers were anything more than a curiosity. It was not the source may any terms in English before very suspect activities like [[Bitcoin]].
+
* [[Cybernetics]] was described by Norbert Weiner before computers were anything more than a curiosity. It was not the source many terms in English before very suspect activities like [[Bitcoin]].
  
 
==Problems==
 
==Problems==
* New companies like [https://www.sentinelone.com/partners/partner-overview/ Sentinel One] start advertising on national television with no known track record.  (2021-10-13 on NBC)
+
* New companies like [https://www.sentinelone.com/partners/partner-overview/ Sentinel One] start advertising on national television with no known track record and therefore no reason the [[Trust]] what they say.  (2021-10-13 on NBC)
 
* Finding and fixing [[Cybersecurity]] breaches seems like an endless game of "Whack-a-Mole" where the more you whack them down, the faster that keep popping up.
 
* Finding and fixing [[Cybersecurity]] breaches seems like an endless game of "Whack-a-Mole" where the more you whack them down, the faster that keep popping up.
* Caveat Emptor
+
* In most countries, like UK and EU, [[Cybersecurity]] is not required by law.
==Solutions==
+
* The wiki page [[Cybersecurity Must Be Free]] explains why that is not the case today. Governments want to hold all the information even when it is damaging to the economy for them to do so.
"The past 10 years have seen a move from R&D in purely defensive enterprise protection concepts to increasingly smart, autonomous, and reactive [[Cybersecurity]] research. This movement away from boundary protection and after-attack analysis, to proactive automonic systems has opened the door to new investigations and opportunities that are vital to future R&D.<ref>Terry Benzel, ''Cybersecurity Research of the Future''  '''CACM 64''' no. 1 (2021-01)</ref>
+
 
 +
===DoD===
 +
* December 2017 DFARS 48 CFR § 252.204 - 7012 (Safeguarding covered defense information and cyber incident reporting) has been a requirement of DoD. Requiring defense contractors and subcontractors through flow - down to implement 110 NIST (SP) 800 – 171 cybersecurity practices.
 +
* November 2020, the DoD introduced DFARS 48 CFR § 252.204 – 7019, 7020 and 7021.
 +
** DFARS clause 252.204 – 7019 (Notice of NIST SP 800-171 DoD Assessment Requirements) -
 +
** Contractors and subcontractors must submit a basic NIST SP 800 - 171 compliance score to the DoD
 +
** Supplier Performance Risk System (SPRS) to be considered for contract award.
 +
** DFARS clause 252.204 – 7020 (NIST SP 800-171 DoD Assessment Requirements) Contractor shall provide access to its facilities, systems, and personnel necessary for the Government to conduct a Medium or High NIST SP 800-171 DoD Assessment.
 +
** Contractors shall not award contracts to subcontractors unless a NIST SP 800-171 score is held in SPRS.
 +
* November 4, 2021 DFARS clause 252.204 – 7021 (CMMC 2.0).
 +
** 3 levels
 +
** Based on FAR & NIST 800-171
 +
** Self-attestation/3rd Party Audit
 +
* None of that seems to apply to COTS (commercial off-the-shelf) software.
 +
*Legal precedence across the DoJ, DoT and SEC for prosecutions for failing to meet cybersecurity standards is documented.
 +
===[[Executive Order 14028]]===
 +
* Definitions of Critical Software
 +
* [https://www.nist.gov/news-events/events/2021/11/executive-order-14028-guidelines-%03enhancing-software-supply-chain NIST presentation on enhancing the software supply chain.] (2021-22-19)
 +
* Guidelines for Enhancing Software Supply Chain Security (Section 4)
  
 
==Solutions==
 
==Solutions==
 +
"The past 10 years have seen a move from R&D in purely defensive enterprise protection concepts to increasingly smart, autonomous, and reactive [[Cybersecurity]] research. This movement away from boundary protection and after-attack analysis, to proactive automonic systems has opened the door to new investigations and opportunities that are vital to future R&D."<ref>Terry Benzel, ''Cybersecurity Research of the Future''  '''CACM 64''' no. 1 (2021-01)</ref>
  
 
==References==
 
==References==
 +
<references />
 +
===Other Material===
 +
* [https://www.nist.gov/cybersecurity NIST web site on Cyber security.]
  
 
[[Category: Security]]
 
[[Category: Security]]

Latest revision as of 10:14, 23 July 2022

Full Title or Meme

The increase in cyber-attacks and ransom-ware payments is increasing the demand for "experts" beyond the supply.

Context

  • It seems that a snake-oil industry is in development to provider service for high costs beyond the capacity of the talent to respond.
  • Cybernetics was described by Norbert Weiner before computers were anything more than a curiosity. It was not the source many terms in English before very suspect activities like Bitcoin.

Problems

  • New companies like Sentinel One start advertising on national television with no known track record and therefore no reason the Trust what they say. (2021-10-13 on NBC)
  • Finding and fixing Cybersecurity breaches seems like an endless game of "Whack-a-Mole" where the more you whack them down, the faster that keep popping up.
  • In most countries, like UK and EU, Cybersecurity is not required by law.
  • The wiki page Cybersecurity Must Be Free explains why that is not the case today. Governments want to hold all the information even when it is damaging to the economy for them to do so.

DoD

  • December 2017 DFARS 48 CFR § 252.204 - 7012 (Safeguarding covered defense information and cyber incident reporting) has been a requirement of DoD. Requiring defense contractors and subcontractors through flow - down to implement 110 NIST (SP) 800 – 171 cybersecurity practices.
  • November 2020, the DoD introduced DFARS 48 CFR § 252.204 – 7019, 7020 and 7021.
    • DFARS clause 252.204 – 7019 (Notice of NIST SP 800-171 DoD Assessment Requirements) -
    • Contractors and subcontractors must submit a basic NIST SP 800 - 171 compliance score to the DoD
    • Supplier Performance Risk System (SPRS) to be considered for contract award.
    • DFARS clause 252.204 – 7020 (NIST SP 800-171 DoD Assessment Requirements) Contractor shall provide access to its facilities, systems, and personnel necessary for the Government to conduct a Medium or High NIST SP 800-171 DoD Assessment.
    • Contractors shall not award contracts to subcontractors unless a NIST SP 800-171 score is held in SPRS.
  • November 4, 2021 DFARS clause 252.204 – 7021 (CMMC 2.0).
    • 3 levels
    • Based on FAR & NIST 800-171
    • Self-attestation/3rd Party Audit
  • None of that seems to apply to COTS (commercial off-the-shelf) software.
  • Legal precedence across the DoJ, DoT and SEC for prosecutions for failing to meet cybersecurity standards is documented.

Executive Order 14028

Solutions

"The past 10 years have seen a move from R&D in purely defensive enterprise protection concepts to increasingly smart, autonomous, and reactive Cybersecurity research. This movement away from boundary protection and after-attack analysis, to proactive automonic systems has opened the door to new investigations and opportunities that are vital to future R&D."[1]

References

  1. Terry Benzel, Cybersecurity Research of the Future CACM 64 no. 1 (2021-01)

Other Material