The Cyber Defense eMagazine February Edition for 2024

More documents

Recommendations

Info

disclose material cybersecurity incidents within four days of determining materiality. Additionally, the Department of Justice’s (DOJ) Civil Cyber-Fraud Initiative will allow cases of fraud related to organizational misrepresentation of cybersecurity capabilities to be pursued. The DOJ has already taken action against a number of organizations, such as a recent settlement with Verizon that resulted in a $4 million fine. So, how does a CISO ensure that the organization is continually meeting compliance obligations and using due care with respect to cybersecurity strategy, controls, and outcomes? A key capability to consider is the implementation of a system of record. A system of record establishes an authoritative source of truth about the organization’s cybersecurity program that helps leadership understand the cybersecurity posture of the organization, align cybersecurity investments with strategic objectives, and meet regulatory obligations. A system of record may include the results of security and risk assessments, metrics related to security controls, status of planned and in-progress improvement activities, and an understanding of the potential impact of threats. CMMC requires defense contractors to provide an annual affirmation that the organization is maintaining compliance with the security requirements. A system of record will provide a CISO and other senior officials with the necessary support and justification to affirm compliance in good faith. Additionally, a system of record can help the organization justify that cybersecurity decisions were made based on sound rationale and best available information. This can be particularly useful post-breach if the organization needs to answer to regulators, the government, customers, and other stakeholders. Access to advanced attack techniques, even by less sophisticated threat actors, is driving increased scrutiny of cybersecurity measures. It is paramount that organizations carefully review their cybersecurity capabilities—regardless of maturity level—and evaluate if they will be durable when tested. Beyond adopting new security requirements, organizations should place the development of a performance management program high on their list of program improvements. Establishing and monitoring metrics is critical to ensure security controls are performing adequately, to protect the organization, and to validate compliance with regulations, like CMMC. Coupled with a system of record, organizations can more effectively prove that they have not only achieved and maintained compliance, but have done so with appropriate due care. Compliance without cybersecurity performance monitoring and improvement is a poor organizational investment. About the Authors Richard Caralli is a senior cybersecurity advisor at Axio with significant executive-level experience in developing and leading cybersecurity and information technology organizations in academia, government, and industry. Caralli has 17 years of leadership experience in internal audit, cybersecurity, and IT in the natural gas industry, retiring in 2020 as the Senior Director – Cybersecurity at EQT/Equitrans. Previously, Caralli was the Technical Director of the Risk and Resilience program at Carnegie Mellon's Software Engineering Institute CERT Program, where he was the lead researcher and author of the CERT Resilience Management Model (CERT-RMM), providing a foundation Cyber Defense eMagazine – February 2024 Edition 34 Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.
for the Department of Energy’s Cybersecurity Capability Maturity Model (C2M2) and the emerging Cybersecurity Maturity Model Certification (CMMC). During his 15-year tenure at Carnegie Mellon, Caralli was also involved in creating educational and internship programs for Master's degree and continuing education students at the Heinz College. Richard can be reached online on LinkedIn at www.linkedin.com/in/richard-caralli-b6863aa/ and at Axio’s website, www.axio.com. Brian Benestelli is a Director within Axio’s cyber risk engineering practice. Brian has 10 years of experience leading and supporting projects to improve the operational resilience of critical infrastructure operators. He has experience with the development of maturity models and assessment methodologies, performing cybersecurity assessments, and developing and piloting training courses. Brian was involved in the development of recent versions of the Department of Energy’s Cybersecurity Capability Maturity Model (C2M2) and provided support to activities related to the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC). Brian can be reached online on LinkedIn at www.linkedin.com/in/brian-benestelli and at Axio’s website, www.axio.com. Cyber Defense eMagazine – February 2024 Edition 35 Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.
Page 1 and 2: How One Industry Exemplifies the Im
Page 3 and 4: Data Breach Search Engines --------
Page 5 and 6: @MILIEFSKY From the Publisher… De
Page 7 and 8: Welcome to CDM’s February 2024 Is
Page 9 and 10: Cyber Defense eMagazine - February
Page 15 and 16: 2001 2024 Cyber Defense eMagazine -
Page 19 and 20: How One Industry Exemplifies the Im
Page 21 and 22: That is where things stand in my in
Page 23 and 24: current on the mission and values o
Page 25 and 26: So, monitoring and managing vendor
Page 27 and 28: About the Author Caroline McCaffery
Page 29 and 30: How so? Businesses can make things
Page 31 and 32: Using Cmmc 2.0 To Transform Your Cy
Page 33: equire the implementation of additi
Page 37 and 38: • IT no longer controls where and
Page 39 and 40: For example, the Cloudbrink service
Page 41 and 42: 5 Cybersecurity Resolutions for The
Page 43 and 44: The Importance of Cyber Hygiene for
Page 45 and 46: The key steps to improve your cyber
Page 47 and 48: Connecting Tech to Black America By
Page 49 and 50: Establish partnerships with HBCUs E
Page 51 and 52: Perhaps the most obvious example of
Page 53 and 54: Crafting AI’s Future: Decoding th
Page 55 and 56: The implementation of regulations c
Page 57 and 58: AI Is Revolutionizing Phishing for
Page 59 and 60: That’s why security awareness tra
Page 61 and 62: culmination of this race will revea
Page 63 and 64: Traditionally, DBSEs would only inf
Page 65 and 66: Enhancing Cybersecurity Defenses: T
Page 67 and 68: Social engineering testing In the e
Page 69 and 70: GitGuardian Researchers Find Thousa
Page 71 and 72: *Emergent trends While everything f
Page 73 and 74: There are multiple tools that will
Page 75 and 76: Good Security Is About Iteration, N
Page 77 and 78: to incorporate architectural and de
Page 79 and 80: Hacking and Cybersecurity Trends to
Page 81 and 82: detect attacks as they are occurrin
Page 83 and 84: Legacy solutions hinder an organiza
Page 85 and 86:
About the Author Thomas Müller-Mar
Page 87 and 88:
Having worked closely with financia
Page 89 and 90:
device is emitting its signal the t
Page 91 and 92:
Navigating the API Security Landsca
Page 93 and 94:
that entities (users, services, or
Page 95 and 96:
examine financial transactions, net
Page 97 and 98:
Offensive Awakening: The 2024 Shift
Page 99 and 100:
Not only are legislators pushing fo
Page 101 and 102:
Let’s dive into how security lead
Page 103 and 104:
Overcoming Common Data Security Cha
Page 105 and 106:
The Risks of Over-Privilege Alongsi
Page 107 and 108:
Quishing Campaign Exploits Microsof
Page 109 and 110:
After inserting their email address
Page 111 and 112:
more expensive and time consuming.
Page 113 and 114:
Cotton Sandstorm or Static Kitten h
Page 115 and 116:
Spike in Layoffs Pose Serious Cyber
Page 117 and 118:
About the Author Adam Gavish is the
Page 119 and 120:
The Crucial Role of Data Categoriza
Page 121 and 122:
The Next Generation of Endpoint Sec
Page 123 and 124:
Next-Generation Endpoint Security:
Page 125 and 126:
As I reflect back on the past few m
Page 127 and 128:
Why Is Hardware More Secure than So
Page 129 and 130:
can achieve throughput levels of up
Page 131 and 132:
ecome more secure. By the end of 20
Page 133 and 134:
Zero Trust Matures, Insider Threat
Page 135 and 136:
of the risk of insider threats and
Page 137 and 138:
Zero Trust: Navigating the Labyrint
Page 139 and 140:
• Enhanced Security: Zero trust b
Page 141 and 142:
Cyber Defense eMagazine - February
Page 143 and 144:
Page 145 and 146:
Page 147 and 148:
Page 149 and 150:
CyberDefense.TV now has 200 hotseat
Page 151 and 152:
Books by our Publisher: Amazon.com:
Page 153 and 154:
Page 155:
i https://www.whitehouse.gov/briefi
show all

The Cyber Defense eMagazine February Edition for 2024

Create successful ePaper yourself

Delete template?

Save as template?