Author: rescue@crimefire.in

  • White House releases an ambitious National Cybersecurity Strategy – CSO Online

    By CSO
    The White House released its long-anticipated National Cybersecurity Strategy, a comprehensive document that calls for fundamental changes in how the US allocates “roles, responsibilities, and resources in cyberspace.” The strategy is the product of months of discussions among more than 20 government agencies and countless consultations with private sector organizations. It addresses virtually all the weaknesses and challenges inherent in cybersecurity, from software vulnerabilities to internet infrastructure vulnerabilities to workforce shortages.
    Chief among the changes proposed in the strategy is a new effort to “rebalance” the responsibility for cyber risk by requiring software providers to assume greater responsibility for the security of their products. The strategy also expands minimum mandatory cybersecurity requirements for critical sectors. It also creates a more comprehensive, coordinated approach to bolster US Cyber Command’s ability to engage in offensive operations, building on the defend-forward policy that began during the previous administration.
    The strategy is just the latest effort in a series of actions taken by the Biden-Harris administration to tackle the increasing number of cybersecurity threats and position the US to better defend itself against cyber adversaries. “The strategy builds on two years of unprecedented attention that the president has placed on cyber issues,” Kemba Walden, acting national cyber director, said during an event at CSIS. “The May 2021 executive order set the tone committing the government to significantly enhancing our defenses and using our purchasing power to drive improvements into the broader ecosystem.”
    Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger said at the same event, “You’ve seen the Biden-Harris administration look at emerging technology areas with a careful eye to security. The fundamental principle of the strategy says we need an open, secure, and interoperable cyberspace. It’s possible to do it. We’ll do it with our partners in the private sector and countries around the world.”
    The strategy is organized around five “pillars.” The first pillar seeks to increase security by stepping up regulation of critical infrastructure. “The lack of mandatory requirements has resulted in inadequate and inconsistent outcomes,” the strategy states. “Today’s marketplace insufficiently rewards—and often disadvantages—the owners and operators of critical infrastructure who invest in proactive measures to prevent or mitigate the effects of cyber incidents.”
    To establish better defenses, the federal government will use existing legal authorities to set performance-based cybersecurity requirements for critical infrastructure organizations, drawing on frameworks such as the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, among others. Where those authorities do not exist, the administration intends to work with Congress to pass legislation that creates them.
    Because many critical infrastructure organizations rely on cloud computing, the administration will identify gaps in its authorities to drive better security practices in the cloud computing industry and among other essential third-party providers. In addition, the administration will seek to harmonize its requirements with international obligations, and it urges state regulators to consider funding sources to help operators meet those requirements.
    This pillar also reinforces the often-cited but rarely fully realized goals of strengthening public-private collaboration to improve cybersecurity, fostering better government agency and department integration of cybersecurity, creating more updated federal incident response plans, and modernizing national defenses.
    The second pillar in the strategy seeks to disrupt and dismantle threat actors whose actions threaten US national security. It articulates plans to develop an updated Department of Defense strategy to clarify how US Cyber Command and other DoD arms will integrate cyberspace operations to proactively defend against state and non-state actors that pose strategic-level threats to the US. The goal is to enable continuous, coordinated operations through the National Cyber Investigative Joint Task Force (NCIJTF) for whole-of-government disruption campaigns.
    Regarding ransomware, which the strategy deems a national security threat, the administration is committed to mounting disruption campaigns. The Joint Ransomware Task Force, co-chaired by the Cybersecurity and Infrastructure Security Agency (CISA), will “coordinate, deconflict, and synchronize” existing operations to disrupt ransomware operations.
    The strategy also contemplates enhancing public-private operational collaboration, increasing the speed and scale of intelligence sharing and victim notification, preventing the abuse of US infrastructure, and generally combatting cybercrime and ransomware threats.
    The third pillar seeks to shape market forces to drive security and resilience. Its most significant aspect is a shift in liability for insecure software products and services. “Too many vendors ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities, and integrate third-party software of unknown or unvetted provenance,” the strategy states. “Software makers are able to leverage their market position to fully disclaim liability by contract, further reducing their incentive to follow secure-by-design principles or perform pre-release testing.”
    The administration is proposing to shift responsibility onto software makers that fail to take reasonable precautions to secure their products and away from the end users who all too “often bear the consequences of insecure software.” To achieve this goal, the administration will work with Congress and the private sector to create a safe harbor framework to shield from liability companies that securely develop and maintain their products. The safe harbor will draw from NIST’s Secure Software Development Framework and other works.
    The administration will also encourage coordinated vulnerability disclosure across all technologies, advance the development of software bills of materials (SBOMs), and develop a process for identifying and mitigating risk in widely used unsupported software.
    The strategy further outlines how the administration will continue to seek improvements in IoT security, offer federal grants and other incentives to build security, leverage federal procurement to improve accountability, and explore a federal backstop to help deal with the rising cost of cyber insurance.
    The fourth pillar of the strategy calls for the federal government to “leverage strategic public investments in innovation, R&D, and education to drive outcomes that are economically sustainable and serve the national interest.” It points to various existing programs, including the National Science Foundation’s Regional Innovation Engine programs, while working with other countries to optimize cybersecurity technologies.
    The most noteworthy aspect of this pillar is the plan to strengthen the cybersecurity workforce and tackle the lack of diversity among cybersecurity professionals. To this end, the Office of the National Cyber Director will lead the development and implementation of a National Cyber Workforce and Education Strategy, building on existing efforts by the National Initiative for Cybersecurity Education (NICE) and others.
    The administration further plans a “clean-up” effort to mitigate the most urgent problems plaguing the internet’s foundational technologies, such as Border Gateway Protocol (BGP) vulnerabilities, unencrypted domain name system (DNS) queries, and the slow adoption of IPv6. It will also prioritize the transition of vulnerable public network systems to quantum-resistant cryptography and urges the private sector to follow suit. Other efforts in this pillar include accelerating the adoption of technology that secures a clean energy future and encouraging investment in robust, verifiable digital identity solutions.
    Under the second pillar, the strategy also seeks to bring together the public and private sectors to gain greater visibility into adversary activity. Private-sector partners are encouraged to work with the federal government through one or more nonprofit organizations, such as the National Cyber-Forensics and Training Alliance, for operational collaboration.
    It also aims to increase the speed and scale of intelligence sharing and victim notification by coordinating with sector risk management agencies (SRMAs) to identify intelligence needs and priorities, and by developing processes to share warnings, technical indicators, and other information with both government and non-government partners. At the same time, the federal government will review its declassification policies to provide more actionable information to critical infrastructure owners and operators.
    The government will also work with cloud infrastructure and other providers to identify malicious use of US-based infrastructure more quickly, and it will employ all elements of national power to combat cybercrime and ransomware.
    Experts generally praised the strategy but expressed concerns over the ability of the administration to carry out such an ambitious agenda. “I think it’s a well-done strategy,” Michael Daniel, president and CEO of the Cyber Threat Alliance, tells CSO. “I’m very pleased that they were able to get a strategy document that has some substance to it out of the interagency process because that’s not always a foregone conclusion.”
    “It actually takes on some tough issues that have been long-standing in the field, so it’s not afraid to go there,” Daniel says. “And some examples of those are the fact that it talks about imposing mandatory requirements, for example, and starting to look at the issues around liability for software manufacturers.”
    “We applaud the push to continue to modernize federal IT, update federal incident response plans and processes, and enhance public-private operation collaboration,” Lauren Van Wazer, vice president of global public policy at Akamai, tells CSO. “All of these will help strengthen our collective cybersecurity defenses.” But, she says, “This is an ambitious and time-consuming agenda, and much of it will require new legislation. Short of getting a second term, the administration has less than two years to implement a strategy that calls for both new legislation and regulation.”
    Megan Stifel, chief strategy officer for the Institute for Security and Technology, tells CSO, “I think the two key priorities are rebalancing the responsibility to defend cyberspace and thinking about incentives. This approach to those issues is long overdue.” However, getting the necessary authorities passed through Congress will likely be a tough slog. “I think I would not expect much legislatively, which is not how it should be,” she says.
    “They want to do some creative things on collaboration, and I think that is great. It’s a thoughtful document, and I think they have a big task ahead of them,” Megan Brown, partner at Wiley, tells CSO. But Brown says she is disappointed in how regulatory the strategy is. Citing the administration’s reliance on existing legal authorities to impose new requirements on the pipeline and rail sectors, she says, “I think those regulations are far from perfect and aren’t a great model to try and expand to the rest of the economy.”
    Copyright © 2023 IDG Communications, Inc.

  • How to talk to users about cybersecurity – GCN.com

    By Kaitlyn Levinson
    While cybersecurity may be second nature to IT professionals, instilling it across an agency may be an uphill battle without a human-centered approach, one expert says. 
    IT staff must be able to communicate cybersecurity terms and concepts in ways the average person can understand, according to Julie Haney, computer scientist and usable security researcher at the National Institute of Standards and Technology. Otherwise, agency staff may ignore proper cyber hygiene if they feel their lack of understanding will be belittled or judged by IT professionals, Haney wrote in a November 2022 paper titled, “Users are not stupid: Six cyber security pitfalls overturned.”
    Before security teams initiate cybersecurity training or communications, they should test their explanations with people who are not experts and who “can say, ‘I have no idea what this means, you might want to change this,’” she said in an interview. 
    When agency staff fully understand the security issues and context, they are more likely to absorb the information and integrate cybersecurity into their normal workflows, she said.
    Agencies should also deploy technical controls that detect and block attacks, so that users are not left to develop security fatigue, which Haney’s paper describes as a sense of resignation, weariness, frustration or loss of control over their own cybersecurity.
    “Don’t always put all the responsibility on people if you don’t have to,” Haney said. For example, IT staff can deploy or improve email filters to catch phishing messages to reduce end users’ cybersecurity burden. “The more you can [offload that to the backend], the better.”
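    One concrete way to move the burden “to the backend,” as Haney puts it, is a mail-flow filter that quarantines likely phishing before a user ever sees it. The Python below is an added example, not code from the article or from NIST. It parses three constructed messages (not real traffic) and scores each on signals a mail gateway can gate on: failed SPF or DMARC results recorded in the receiving server’s Authentication-Results header, a display name that impersonates an address at a different domain, a sender domain that imitates the organization’s own, and a Reply-To that diverts replies elsewhere. The organization domain corp.example, the sample headers and the quarantine threshold are assumptions.

```python
import email
import re
from email.utils import parseaddr

ORG_DOMAIN = "corp.example"  # assumption: the organization's own mail domain

# Constructed sample messages (not real traffic): a legitimate notice, a
# display-name spoof sent from a lookalike domain, and a Reply-To diversion.
SAMPLES = {
    "legit": (
        "From: IT Service Desk <servicedesk@corp.example>\n"
        "To: alice@corp.example\n"
        "Subject: Scheduled maintenance Saturday\n"
        "Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example;"
        " dkim=pass header.d=corp.example; dmarc=pass header.from=corp.example\n"
        "\n"
        "The maintenance window is 02:00-04:00.\n"
    ),
    "spoof": (
        'From: "ceo@corp.example" <ceo@corp-example.co>\n'
        "To: bob@corp.example\n"
        "Subject: Urgent wire transfer\n"
        "Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=corp-example.co;"
        " dkim=none; dmarc=fail header.from=corp-example.co\n"
        "\n"
        "Please process the attached invoice today.\n"
    ),
    "replyto": (
        "From: HR <hr@corp.example>\n"
        "Reply-To: hr-helpdesk@mail-corp-example.net\n"
        "To: carol@corp.example\n"
        "Subject: Update your payroll details\n"
        "Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example;"
        " dkim=pass header.d=corp.example; dmarc=pass header.from=corp.example\n"
        "\n"
        "Click the link to confirm your bank account.\n"
    ),
}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")


def auth_results(msg):
    """Parse spf/dkim/dmarc verdicts from Authentication-Results; missing -> 'none'."""
    header = msg.get("Authentication-Results", "")
    found = dict(AUTH_RE.findall(header.lower()))
    return {k: found.get(k, "none") for k in ("spf", "dkim", "dmarc")}


def domain_of(addr):
    """Domain part of an address-like string, lowercased; '' if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def normalise(domain):
    """Strip punctuation so corp-example.co and corp.example compare alike."""
    return re.sub(r"[^a-z0-9]", "", domain.lower())


def score_message(raw):
    """Return (score, reasons); each independent signal adds one point."""
    msg = email.message_from_string(raw)
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    auth = auth_results(msg)

    # 1. The receiving MTA already told us SPF/DMARC failed.
    if auth["spf"] == "fail" or auth["dmarc"] == "fail":
        reasons.append(f"authentication failed (spf={auth['spf']}, dmarc={auth['dmarc']})")
    # 2. Display name is itself an address at a different domain than the real sender.
    name_dom = domain_of(name)
    if name_dom and name_dom != from_dom:
        reasons.append(f"display name claims {name_dom} but sender is {from_dom}")
    # 3. Sender domain imitates ours once punctuation and TLD noise are removed.
    if from_dom != ORG_DOMAIN and normalise(from_dom).startswith(normalise(ORG_DOMAIN)):
        reasons.append(f"lookalike sender domain {from_dom}")
    # 4. Replies are routed to a domain other than the one the mail claims to be from.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        reasons.append(f"Reply-To domain {domain_of(reply)} differs from From domain {from_dom}")
    return len(reasons), reasons


def triage(samples=SAMPLES, threshold=1):
    """Quarantine anything scoring at or above threshold; deliver the rest."""
    return {
        name: ("quarantine" if score_message(raw)[0] >= threshold else "deliver")
        for name, raw in samples.items()
    }


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        score, why = score_message(raw)
        print(f"{name}: score={score} {why}")
```

    In production these signals come from the MTA or mail-security gateway rather than a script, and a single weak signal (a foreign Reply-To on an otherwise authenticated message) usually warrants a warning banner rather than quarantine; the threshold is the knob for that trade-off.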
    Other ways to avoid security fatigue include running training campaigns throughout the year rather than ahead of a single deadline. IT staff should also offer different ways staff can meet security benchmarks, such as cyber incident simulations and educational events with certified speakers, she added.
    But these education efforts would be useless without a way to measure how well staff retain cybersecurity knowledge. While many organizations use metrics on how many employees complete a training session to gauge their staff’s cyber awareness, IT staff must dig deeper, Haney said. 
    For instance, IT managers can monitor how often cyber incidents involve user error or evaluate click rates on simulated phishing attacks. “These metrics can be very helpful to see if people are responding appropriately to those phishing emails, but [they] have to be put in context as well,” she added. Data may reveal that click rates increased significantly from one quarter to the next, so IT managers should investigate what caused that spike before proposing a solution. 
    Furthermore, IT personnel should consider loosening elaborate password requirements such as minimum character counts and the use of special characters and numbers, Haney said. Though weak passwords remain a major threat to cybersecurity, “complex password policies can inspire poor decisions, such as using the same password across multiple accounts,” the paper stated. 
    “We’re human, right? We can only recall so many things,” Haney said. Passphrases, which are typically longer in length, are easier to remember and type in compared to complex passwords.
    Another solution is dialing down how frequently users must update their passwords. While some organizations prompt staff to change their credentials every 60 to 90 days, Haney said changes could be made on an as-needed basis if, for example, IT staff believe the system has been compromised.  
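    To make the trade-off concrete, here is an added Python example (not from the article or from Haney’s paper) that puts a conventional composition policy beside a length-first policy of the kind described above. It goes one step beyond the text by also rejecting passwords found on a constructed list of known-compromised passwords, a check NIST SP 800-63B recommends in place of composition rules; the 15-character minimum and the sample list are assumptions.

```python
import re

# Constructed stand-in for a breached-password corpus (assumption: a real
# deployment would query a hashed list such as the Have I Been Pwned range API).
COMPROMISED = {"password", "p@ssw0rd", "welcome1", "summer2023!", "qwerty123"}


def complex_policy(pw: str) -> bool:
    """The 'elaborate' policy the article argues against: at least 8 characters
    with an uppercase letter, a lowercase letter, a digit and a special character."""
    return all([
        len(pw) >= 8,
        re.search(r"[A-Z]", pw) is not None,
        re.search(r"[a-z]", pw) is not None,
        re.search(r"\d", pw) is not None,
        re.search(r"[^A-Za-z0-9]", pw) is not None,
    ])


def length_policy(pw: str, min_len: int = 15, compromised=COMPROMISED):
    """Length-first policy: no composition rules, but reject short strings,
    anything on the compromised list, and one word repeated to pad the length.
    Returns (accepted, reason)."""
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    if pw.strip().lower() in compromised:
        return False, "found in compromised-password list"
    words = pw.lower().split()
    if len(words) > 1 and len(set(words)) == 1:
        return False, "single word repeated"
    return True, "accepted"


# Constructed candidates illustrating where the two policies disagree.
CANDIDATES = [
    "P@ssw0rd",                           # satisfies every composition rule, trivially guessable
    "Summer2023!",                        # passes complexity, sits in breach corpora
    "correct horse battery staple",       # fails complexity, strong passphrase
    "my dog ate the blue chair in 2019",  # fails complexity (no uppercase), strong passphrase
    "hunter hunter hunter hunter",        # long enough, but one word repeated
]


def compare(candidates=CANDIDATES):
    """Map each candidate to (accepted_by_complexity, accepted_by_length_first)."""
    return {pw: (complex_policy(pw), length_policy(pw)[0]) for pw in candidates}


if __name__ == "__main__":
    for pw, (cx, ln) in compare().items():
        print(f"{pw!r:40} complexity={'pass' if cx else 'fail'}  "
              f"length-first={'pass' if ln else 'fail'}  ({length_policy(pw)[1]})")
```

    The two policies accept almost disjoint sets: the composition rules wave through the two short, heavily reused strings and reject both passphrases, while the length-first policy does the reverse. Pairing the length rule with a compromised-list check is what lets an organization drop complexity and periodic rotation without lowering the bar.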
    Two-factor authentication can add another layer of defense without burdening staff. With this method, users may present a physical device such as a security token in addition to a PIN, which may be easier to recall, she said. 
    For IT managers to understand staff’s pain points, feedback is vital. Open-ended surveys that ask staff how effective a training session was, or what they struggle with when it comes to cybersecurity, provide the qualitative data IT workers need to implement effective solutions, Haney said. 
    “It’s hard for security people to put themselves in the shoes of non-security people because … we have an expertise that we can’t forget,” she said.

  • SME’s ToolingU Offers Cybersecurity Course – mitechnews.com

    SOUTHFIELD–Tooling U-SME, the workforce training and development arm of SME, and CyManII, the Cybersecurity Manufacturing Innovation Institute, have partnered to deliver “CyManII Sealed” endorsed cybersecurity training for manufacturers.
    As cyberattacks grow increasingly sophisticated and threat landscapes expand, organizations and their employees need to understand how to raise awareness and take actionable preventative measures to protect against the new vulnerabilities.
    “Cybersecurity is highly reliant on people,” said Jeannine Kunz, chief workforce development officer at SME. “Preventing cyberattacks on our supply chain only works when everyone is a part of the solution. This is even more important in the context of our current skills gap. Our vision, as two nonprofit organizations, includes a focus on securing manufacturers from threats by equipping the industry with the necessary cybersecurity skills.”
    Through the CyManII Sealed cybersecurity training program, Tooling U-SME will provide the additional knowledge manufacturers need to prepare for the growing vulnerabilities that accompany emerging operational and process technologies. The web-based training is presented in an engaging and interactive format for organizations of all sizes.
    Together, CyManII and Tooling U-SME will set a new benchmark for developing educational resources that remain current with rapidly changing cyberthreats and democratizing access to training on cybersecurity awareness.
    With the increased adoption of Industry 4.0 technologies and growing digital connectivity throughout facilities, a fundamental understanding of cybersecurity is becoming more critical to preventing losses from cyberattacks. The U.S. Cybersecurity and Infrastructure Security Agency identifies manufacturing as one of the 16 critical infrastructure sectors. Consequently, ensuring the strength and integrity of this sector is crucial to national safety and security.
    “In the height of the Industry 4.0 transformation that the workforce is facing, it is imperative that Tooling U-SME and CyManII partner to provide learning solutions needed to develop a workforce that is trained and upskilled in the areas of operational technology and cybersecurity to protect our nation’s most vulnerable assets,” said Ty Middleton, director of education and workforce development at CyManII.
    Tooling U-SME will provide immediate access to the industrial base and the pipeline of future workers, delivering necessary cybersecurity training to thousands of OEMs, suppliers, and schools across the country. The training material was developed with review and input from CyManII, America Makes (the National Additive Manufacturing Innovation Institute) and CESMII (the Smart Manufacturing Institute), and was also supported by the U.S. Office of Naval Research under awards N00014-18-1-2881, led by the National Center for Defense Manufacturing and Machining, and N00014-19-1-2742, led by SME.
    CyManII is a national institute with government, industry, academic and nonprofit thought leaders in cybersecurity and smart, energy-efficient manufacturing, and deep expertise in supply chains, factory automation and workforce development. Learn more at cymanii.org.
    Tooling U-SME delivers learning and development solutions to the manufacturing community, working with thousands of companies, including more than half of all Fortune 500 manufacturers, as well as 900 educational institutions across the country. Tooling U-SME partners with customers to build high performers who help their companies drive quality, productivity, innovation, and employee satisfaction. It’s a division of SME, formerly known as the Society of Manufacturing Engineers. More at www.toolingu.com.

  • One Way To Improve Cybersecurity in Healthcare: Provide Training … – MedCity News

    Sponsored Post
    By Stephanie Baum
    The technological developments that have fueled innovation in health tech are accompanied by challenges that need to be addressed if their potential is to be fully realized. Few areas of healthcare reflect that reality more than cybersecurity and the need for health systems to provide robust training, so staff are prepared for phishing attacks, ransomware and other forms of cyber-attacks.
    At the ViVE conference, powered by HLTH and CHIME, a panel discussion on healthcare data security concluded that the best way to educate and train employees on data security best practices is not multi-hour training courses and workshops but frequent, bite-sized installments of 3 to 6 minutes, what one panelist called “apéritifs of information,” each highlighting a best practice.
    Bill O’Connell, head of product security and privacy operations at Roche Information Solutions at Roche Diagnostics, shared his perspective on the topic.
    “I’ve run security and privacy training programs for probably 15 years. One of the things I’ve noticed is that sometimes there’s more information than people want or are ready for. You also have to figure out how to tailor the message because ultimately your goal is not just let me get the check mark that everybody sat through one hour of training —let me get them to behave differently.
    “You might be better off going for some small wins. One year, we did three-minute videos, YouTube-length videos, and sprinkled them out throughout the year rather than the one-hour long training. Also, making it where there’s a baseline that you’d have to do that would offer more and make it relevant to the individual.”
    O’Connell offered a couple of examples such as for staff planning travel — how can they stay safe using guest WiFi at hotels or other venues.
    Marti Arvin, chief compliance and privacy officer with Erlanger Health System, said her team had adopted the same practice, delivering these “apéritifs of information” as biweekly “Etips,” emails focused on a specific topic in cybersecurity and patient data management. Arvin said the approach has drawn a strong response from staff because the information is easier to retain. But health systems still have to meet regulators’ expectations for training, which favor sessions of longer duration.
    Lynn Sessions, a partner with Baker Hostetler, was the panel moderator and was joined by Jesse Fasolo, head of technology infrastructure and cyber security of St. Joseph’s Healthcare System; Marti Arvin, chief compliance and privacy officer with Erlanger Health System; O’Connell; and Sherri Douville, CEO of Medigram.
    Fierce competition for staff
    Although ransomware attacks on hospitals have grabbed headlines, other industries face cybersecurity concerns as well, creating fierce competition for staff from industries prepared to pay 30% to 40% more, observed Fasolo. He said another option is for health systems to nurture a new generation of staff to meet these needs.
    “There’s a training methodology that organizations need to adapt to go out and get the talent because the talent is not learning at the capacity that technology, security, regulations and privacy is growing,” Fasolo said. “It’s hard to get new skills or a person with those new skills in the door. You almost have to nurture and develop within — grow that resource, build and establish a bench — and that’s the only way I’m seeing it from my perspective in security.”
    Who has the data?
    Fasolo and Arvin shared insights on how challenging it can be for a health system with an extensive network of third-party vendors to keep track of and manage data. A health system shares data with hundreds of other third parties on any given day. Having a good grasp of where that data is and who is receiving the data is a daunting task for any healthcare system, Fasolo noted.
    “I think if you can say that you know where 95% of your data is, from my perspective, you’re doing a really good job because it’s just so incredibly difficult to figure out …all the storage locations, all the people who store data in places they’re not supposed to,” Arvin said.

    source

  • Maritime Cybersecurity: Protecting ships and crews from digital threats – Interesting Engineering

    You’re on the bridge, with the ship’s course on the digital display. But why is the ship continuing to turn west?
    Everything appears normal on the computer screens in the dim wheelhouse, but the land is perilously close outside. What is happening?
    Down in the engine room, personnel report over the radio that everything is okay, but they wonder why the bridge has altered direction. The engines are revving, and the ship is gaining speed. The engine room did not do this. What now?
    Both in academia and the maritime industry as a whole, cybersecurity is a hot concern. Recently, a collaborative team taught a brand-new cyber security course at The Norwegian University of Science and Technology (NTNU) in Ålesund. A new course titled "Maritime digital security" has just been added to NTNU in Ålesund's maritime industry program.
    Participants in the workshop have studied digital risks for the past two months. They have conducted a realistic practice run of a cyber attack on a ship in motion and evaluated the risk of current digital threats. The main emphasis is on resilience development and risk management of cyberattacks.
    “Where information technology and people meet, there is room for digital vulnerability. Security breaches can come in through the ship’s systems and through the port system and through the people who operate or supervise them,” Marie Haugli-Sandvik and Erlend Erstad said.
    Both are Ph.D. candidates at NTNU's Department of Ocean Operations and Civil Engineering. They are looking into how to make the maritime sector more resilient to cyberattacks.
    The maritime digital security course, which looks to be the first in Norway, was created and is currently taught by the two Ph.D. candidates.
    The course has been included as part of the doctoral theses they are about to complete.
    “We developed this course in close collaboration with the industry,” Erstad said. “We have listened to what they want, looked objectively at their needs, and then tested the best solution we can come up with.”
    “It’s always better to have a broad perspective and different approaches with new projects and methods. Established businesses can also benefit from a fresh look. NTNU is a good place to try out new ideas. As researchers, we can help meet the industry’s urgent needs while at the same time discussing solutions with them for the future,” Haugli-Sandvik said.

    source

  • The Navy Still Suffers from Cybersecurity Complacency … – USNI News

    The United States has maintained its primary role in the global order since the end of World War II. As a result, today’s service members have never witnessed their nation at war with a peer adversary. However, today’s turbulent geopolitical environment has the potential to change the status quo. China, the United States’ principal adversary, currently enjoys two large advantages in modern naval warfare: a larger fleet and the superior means to employ cyber warfare. Therefore, U.S. command of the seas cannot be assured in a future conflict.
    Despite the growing importance of cyber warfare, fleet size will still be an important factor in future conflicts. In 2020, China’s fleet of more than 350 ships officially became the world’s largest navy. This is a significant lead over the U.S. fleet of approximately 290 ships. In addition, the Chinese industrial base will continue to produce ships at a faster rate than the United States can match. According to the Office of the Secretary of Defense, the Chinese fleet may have up to 460 ships by 2030. The negative implications of such a gap in naval combatants could be tremendous, but that gap may not be the only determining factor for future naval conflicts.
    Former Chief of Naval Operations (CNO) Admiral Vernon Clark challenged the idea that ship numbers would solely win battles during his congressional testimony in 2005. He stated that “the number of ships is no longer adequate to gauge the health or combat capability of the Navy. The capabilities posture of the Fleet is what is most important.” The “capabilities posture” the admiral referenced is a plan to better equip naval ships and decrease overall required ship numbers while maintaining readiness levels. By advocating for increased spending on relevant technology, Admiral Clark called to redirect efforts from inefficient ship construction toward sensor technology, cyberspace, and undersea warfare capabilities because these areas were, and still are, projected to have the most influence in future conflicts.
    However, this vision for a Navy with an effective capabilities posture has not been fully realized. Ships are being retired earlier and faster than expected because of a lack of congruency with current missions. This is evident in the early decommissioning of littoral combat ships and the halted construction of Zumwalt-class destroyers. The Navy’s struggles with effective ship construction become that much more alarming when compared with the rise in capabilities of U.S. adversaries: The Navy spent billions constructing ineffective, resource-draining ships while its adversaries “designed sound, affordable ships . . . in large numbers.”
    Yet, the next naval conflict will have a greater focus on cyber warfare dominance, rather than ship numbers. Given this, the U.S. Navy must reevaluate its stance in preparation for the next great power conflict.
    Global maritime cyber warfare may have a profound effect on future conflict. Cyberattacks on ships can cut off logistical support and firepower capabilities for many nations. Furthermore, cyberattacks on commercial ships can be disastrous for military vessels and global commerce alike. According to the 2019 Secretary of the Navy Cybersecurity Readiness Review:
    It is not beyond imagination that someday a naval combatant would fail to sail because the supply system vectored the wrong grade of lube oil for the LM2500 engines; upon reaching its rendezvous point, a tanker was not available to refuel a hungry bomber because the tanker was maliciously directed elsewhere; or all electricity and backup systems to a satellite control station failed during a complex Ballistic Missile Defense or Tomahawk missile strike.
    Real examples of malicious maritime interference exist. U.S. adversaries such as China, Russia, and North Korea have tested their hostile ship-hacking methods on foreign vessels. From exploring sinking capabilities to navigation equipment disruption, U.S. adversaries are gaining experience on how to manipulate maritime activity for their benefit. To make matters worse, it seems that hacking a vessel’s navigation and steering systems is relatively easy, even for inexperienced hackers. It is possible that hacking ships—not even warships—can be a dangerous and unsuspected way of causing damage to other vessels, slowing down international supply chains, and endangering the lives onboard and around the ship. Two cybersecurity scholars recently wrote:
    The maritime cyber environment is abysmally insecure. The technical means to exploit these ships is well distributed across land-based hackers with no prior maritime systems experience. It doesn’t take much. . . . The opportunities are well-known, from the chokepoints and the ship dependence on external networks, clouds, and satellite navigation communications.
    Commercial ship vulnerability to cyberattacks typically results from using outdated security measures and equipment. The permeability between onboard internet networks is also a major threat to vessels. There are often two main shipboard networks: the IP/ethernet network (used for business systems, crew mail, and web browsing) and the serial network (used for steering, propulsion, ballast, and navigation data). To gain access to a ship’s critical systems, one must only infiltrate the day-to-day internet and find the connection to the serial network before wreaking havoc. It is clear that vulnerable commercial vessels may inadvertently threaten the readiness of U.S. naval combatants. In preparation, the Navy’s cybersecurity environment must be properly attuned to face these threats.
    The Navy’s current cybersecurity system leaves much to be desired, according to the 2019 Cybersecurity Readiness Report. Many systems within surface ships and critical naval infrastructure need to be upgraded or replaced with superior ones. Some of these reported missteps include: the USS Gerald R. Ford (CVN-78) being delivered with Windows XP; the LCS and DDG-1000 being developed with IT networks not brought under a secure, joint umbrella of cybersecurity protocols; and old warfare systems kept in service without updates or added cybersecurity. These examples highlight the Navy’s complacency in the cybersecurity realm. The 2019 report goes on to state that “the Navy has waived known material readiness standards mandated by the [Department of Defense Risk Management Framework] and knowingly continues to field high risk vulnerability systems.” The Navy should expect the compounding magnitude of fleet cybersecurity insufficiency to be a major weak spot in the future.
    The inspection process for these deficient systems is also inadequate. Cyber components are often reviewed by undertrained personnel who lack the skills to complete the hands-on portions of a true audit. This inspection process differs from the red-teaming and audits that many other parts of the Department of the Navy use. This is concerning because the Navy may not have a valid estimate of the number of systems that truly need to be upgraded or replaced. It is crucial for the Navy to secure its information networks against adversarial cyberattacks to maintain deterrence and stability. It also goes without saying that a secure cyber defense foundation is critical for supporting offensive cyber capabilities. These offensive capabilities will be necessary to support the 2022 National Security Strategy, which declares securing cyberspace as one of this administration’s pertinent priorities.
    Although the maintenance and manipulation of the cyber realm has been repeatedly highlighted as a crucial portion of warfare in the upcoming decades, the Navy’s cybersecurity practices are not up to the challenge. The Cybersecurity Readiness Review shows that the Navy does not meet the Department of Defense’s standards because of an abundance of waivers, old equipment, and personnel complacency. The people, structures, processes, and resources that support naval cybersecurity are making forces vulnerable to extreme risks.    
    The lack of responsibility and accountability for cyber warfare readiness has been a significant detriment to the fleet. The Cybersecurity Readiness Review states that “the DON [Department of the Navy] cybersecurity culture can be characterized by distrust, a lack of knowledge or accountability, a willingness to accept unknown risks to mission, a lack of unity of effort, and an inability to fully leverage lessons learned at scale.” It appears that different echelons of leaders have varying commitments to cybersecurity as well. This results in cybersecurity priorities being left on the back burner or viewed as a problem for another person and another time. Calls for an improved cybersecurity culture have been made before, but the implementation proves difficult. In times such as these, it is important to remember that the Navy’s best asset is its people.
    U.S. Navy research into cyber defense organizations shows that private sector personnel “aspire beyond mere compliance” and seek to “understand the operational importance of their behavior.” To improve the Navy’s cybersecurity culture, sailors must mirror the private sector’s approach. This change may be achieved by implementing procedures that highlight the importance of maintaining and expanding cyber defense capabilities. For example, cybersecurity or computer science–related training should be ingrained into the basic training environments for sailors and officers. For sailors, this can take place during boot camp or as a part of rating-specific education. Future officers commissioning via OCS or NROTC should have computer science coursework added to the list of mandated courses in calculus, physics, world cultures, and national security—to mirror changes already made at the U.S. Naval Academy. To educate those already in the fleet, sailors should receive incentives to obtain additional levels of cybersecurity training ahead of advancement and promotion boards.
    The Navy’s leaders will also have a role to play in improving cybersecurity and cyber defense. Regarding command structure, cybersecurity should be managed by specially designated billets to prevent oversight and mismanagement among the differing echelons of command across the fleet. To mirror the private sector, naval cybersecurity leaders should strive to: “constantly communicate, advocate, and measure understanding of cybersecurity [,] . . . review daily system performance dashboards, [and] demand their systems and people are constantly tested.” This can be achieved with naval combatants by strictly enforcing cyber readiness requirements during predeployment workups and certifications. If a ship cannot prove that it will safely operate on deployment, it cannot leave port. The same standard should be adhered to for cybersecurity.
    The Navy should prioritize cybersecurity to the same level as other warfare areas, if not higher, because cyber capabilities will be key to winning future conflicts. Securing and supporting cyber defense is necessary to ensure the Navy’s stability and effectiveness in this critical geopolitical era.
    Midshipman Burrell is from Mandeville, Louisiana. She is pursuing a bachelor of science in social and economic development policy at the Illinois Institute of Technology in Chicago, Illinois. She hopes to commission into the surface warfare community after graduation.

    source

  • Financial Institutions and Cybersecurity Risk: Why you need ISO27001 – tripwire.com

    When it comes to law enforcement crime investigations, there is a maxim of, “follow the money”. This broadly means that if you can follow the money trail, it will eventually lead you to the perpetrator of the crime.
    In today’s modern society, money has now become a series of binary ones and zeros that are transferred between bank accounts without any real effort on either party, and cybercriminals are fully aware of how easy, and fragile, this process is.
    In December 2022, the tenth edition of the ENISA Threat Landscape (ETL) report was released. It is an annual report on the status of the cybersecurity threat landscape; it identifies the top threats and the major trends observed with respect to threats, threat actors and attack techniques.
    In the report, ENISA identified the top 5 threats as:
    For most people in the cybersecurity industry, nothing in the above will come as much of a surprise. Almost daily, we hear of some organisation being hit by ransomware, where the target’s systems are compromised and data is encrypted and held for ransom. The latest and most public attack is against the Royal Mail in the UK. The LockBit ransomware group was able to disrupt international mail and parcel services for over two months over the Christmas period. At the time of this writing, systems and services were still not fully restored.
    As recently as February, it was reported that LockBit had made further ransom demands of over £33 million, which Royal Mail has declined to pay. The threat by LockBit is that they will release data that they exfiltrated onto the dark web, which of course could further damage Royal Mail and its reputation.
    With eye-watering numbers that run into their millions, is it any wonder that cybercriminals are turning to Ransomware as a Service (RaaS), to make money? After all, there is no such thing as a 100% secure system, and in many organisations, it only takes one unpatched system or one untrained or distracted person to compromise the security capabilities of a business or organisation.
    We must not fall into the trap of thinking that cybercrime is being carried out by a few rogue individuals. The money trail is getting longer, and really is paved with gold, and organised crime gangs are turning their attention from traditional street crime to online extortion and exploitation. 
    It is for this reason that the Bank of England has provided guidance to financial institutions in the United Kingdom about cybersecurity, which includes the following aspects.
    Leadership is fundamentally important to an organisation, and if those who lead the business don’t value the importance of information security and cybersecurity, then no one will.  There is a business adage that states, “culture is what we do, when no one is watching”. It is therefore something that an organisation must develop, over time, by the establishment of both risk and reward mechanisms.  This means rewarding the behaviour you wish to encourage, and taking swift action where the behaviour is undesirable.
    To develop a strong cybersecurity culture, it is important to educate those who encounter data about why it is important, and what it means in their role. It’s important that people understand how they contribute to the bigger picture, and this means demonstrable and visible support from the C-Suite, or those in positions of authority. 
    It is essential that everyone understands the importance of cybersecurity and is trained, not only in what to look out for, but also in how they may become victims.
    Banks and other financial services organisations understand the importance of risk identification, management, and treatment, and in most cases will already have a robust risk management methodology. But, all too often, this focuses purely on IT security risks, and doesn’t consider threats and vulnerabilities associated with people and processes.  For this reason, organisations should broaden their approach to risk management to ensure that it encompasses people, process, AND technology. Where possible the risk management process should be backed up with tangible data related to real incidents that have occurred internally, or within the sector.
    Organisations should ensure they have assessed and understand the risks to them from third-party suppliers, and ensure they have appropriate security measures in place. Like many large organisations, financial institutions often grant third-party suppliers access to their systems, yet security measures are not assessed or verified.  Understanding your third-party risks is therefore critical, as the people you trust most, like your IT, HR, or accounting provider could become your biggest vulnerability.
    As you would expect, the Bank of England has offered a lot of advice and guidance related to information security and cybersecurity. The Financial Conduct Authority (FCA), which regulates the financial sector, has also offered some great advice. It is clearly very much in the banks’ interest to provide advice and guidance to us, the customers, about how we protect ourselves, as much as it is to protect their own institutions.
    The Bank of England provides sound advice, and if an organisation is looking to implement these measures, they would do well to do so by following an internationally recognised method, or system, such as ISO27001:2022.
    Indeed, my only frustration with the advice that both the Bank of England and the FCA provide, is that they don’t simply identify ISO27001 as the preferred standard that financial institutions implement to ensure there is an effective and measurable approach to information security and cybersecurity risk management.
    ISO27001 is a risk-based approach to implementing technical and operational security measures. It’s as effective in a micro-business with few employees as it is in a multi-national business that employs thousands of people.
    Simply suggesting to financial institutions that they should establish a strong cyber security culture, is like saying to a sick person that they should just get healthy. On the face of it, it’s very simple and common-sense advice, but it takes work.
    That’s why we need structure. That’s why organisations need ISO27001.
    Gary Hibberd is ‘The Professor of Communicating Cyber’ at ConsultantsLikeUs and is a Cybersecurity and Data Protection specialist with 35 years in IT. He is a published author, regular blogger, and international speaker on everything from international security standards such as ISO27001 to the Dark Web, Cybercrime and CyberPsychology. He is passionate about providing pragmatic advice and guidance that helps people and businesses become more secure.
    You can follow Gary on Twitter here: @AgenciGary
    Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

    source

  • New Course by IITs: PG Diploma in Cyber Security by IIT Jammu – The Indian Express

    Indian Institute of Technology Jammu recently collaborated with TimesPro to launch the Post Graduate Diploma in Cyber Security. The programme will help learners to identify cyber threats, gain insights into cybersecurity and risk management, data breaches, cloud and network security, design cyber security frameworks, and gain valued insights from academicians and industry experts.
    PG Diploma in Cyber Security – Course structure
    Professionals participating in the programme will learn subjects such as mathematical foundations and introduction to cryptography, computer networking fundamentals, operating systems fundamentals, web application and network security, multimedia, and digital forensics, among others.  
    PG Diploma in Cyber Security – Duration and mode of the course
    As per the release, the course will be conducted via an Interactive Learning (IL) platform and delivered in Direct-to-Device (D2D) mode, including a six-day campus immersion session during the year. The duration of the course is 12 months.
    The programme follows a proven pedagogy of diverse learning tools and techniques, including lectures, discussions, projects, and assignments, and includes over 100 hours of self-learning.  
    PG Diploma in Cyber Security – Career scope
    There is a constant threat to organisations due to ransomware and cyber-attacks, and IIT Jammu’s Post Graduate Diploma in Cyber Security can address the growing demand for experts and ethical hackers to safeguard organisational interests.  

    source