Microsoft Security Virtual Training Day: Protect Data and Mitigate Risk

Identify, remediate, and limit data risks at Security Virtual Training Day: Protect Data and Mitigate Risk from Microsoft Learn. At this free event, you’ll learn how to secure data and reduce risks with Microsoft Purview Information Protection and risk management solutions. You’ll also explore how to manage data protection policies across your organization to help protect people and data against cyberthreats.
You will have the opportunity to:
  • Manage and monitor data in new, comprehensive ways to help prevent data loss with Microsoft Purview.
  • Identify privacy risks and help protect personal data using Microsoft Priva.
  • Discover sensitive data and respond to inquiries efficiently with Microsoft Purview.
Join us at an upcoming two-part event:
October 4, 2023 | 12:00 PM – 2:45 PM | (GMT-05:00) Eastern Time (US & Canada)
October 5, 2023 | 12:00 PM – 2:30 PM | (GMT-05:00) Eastern Time (US & Canada)

Delivery Language: English
Closed Captioning Language(s): English

Learn how Microsoft adapted a classic cybersecurity practice to make AI safer

As generative AI evolves, cybersecurity professionals have access to powerful tools to fortify their defenses. But AI innovators must scrutinize these new technologies to ensure they are safe to use and responsibly developed. Red teaming is proving to be an effective way to test generative AI systems and verify that they meet rigorous standards.

Read the blog to learn how over five years, Microsoft has created a respected framework for proactively identifying potential issues and vulnerabilities in emerging AI technology. You’ll have an opportunity to:

  • Learn how AI red team techniques are similar to traditional cybersecurity practices—and how they differ.
  • Discover how AI red teaming helps make AI safer and more secure for everyone.

Access the latest learnings to help you implement your own AI red teaming program

Read the blog 

Join us at the 10th Annual New York Joint Cyber Security Conference

As Co-chair of the New York Metro Joint Cyber Security Coalition 2023 Conference & Workshop (10th Anniversary), I invite you to join us. Registration is here.

The Greater Hartford Chapter of ISACA has partnered again with the non-profit New York Metro Joint Cyber Security Conference and Workshop. It is the conference’s 10-year anniversary!

This is a low-cost, in-person conference that will be held at Microsoft in NYC on October 19th. The workshop location for October 20th is TBD.

Session Abstracts – October 19th, 2023
The conference features educational talks and a panel to expand your knowledge and foster security discussions.

Keynotes

Opening Keynote
Lisa Plaggemier – Executive Director, National Cybersecurity Alliance

Networking at This Conference:

Build Your Connections and Advance Your Career Today (Literally)
Elle O’Flaherty (JD, PCC, ACCG, CCSP, CPRW) – Founder, ADHD Coach and Executive Coach, Interlace Solutions
Even the most diehard conference lover can be intimidated by networking. This presentation is a fun and funny discussion with practical ways to network effectively during this conference. Attendees leave energized and excited to connect with each other. Networking is a critical skill for anyone looking to advance their career, and conferences provide a unique opportunity to meet new people, learn about industry trends, and gain valuable insights into the challenges and opportunities in your field. This presentation will provide practical tips and strategies for networking during this conference, including how to introduce yourself, ask questions, and follow up with new contacts. Attendees will start this conference with the knowledge and skills they need to make the most of their experience and build strong connections with industry professionals that can help them advance their careers.

Key Takeaways: Develop effective communication skills for networking – how to introduce yourself, ask questions, and follow up with new contacts. Learn how to build and maintain relationships with industry professionals you meet, including tips for staying in touch and offering value to others. Develop a personalized networking plan for this conference that aligns with your career goals and objectives.

Sessions

Are Machines Learning Faster Than Humans?
Donald Borsay – Director of Security Solutions, HCH Enterprises LLC
Robert Zarnetske – Vice President for Public Consulting, HCH Enterprises LLC
A global adoption of artificial intelligence (AI) and machine learning (ML) is creating a mix of opportunities and concerns. In this roundtable discussion, we will explore the legal, business, economic, political, and technical implications coming our way due to AI/ML adoption. This broad commercial use of AI tools will, of course, have extensive policy implications. AI has disrupted markets, is driving social and political change, and is transforming how we use the workforce. We will explore each of the impacted areas and solicit the strategic and tactical next steps needed to maximize AI/ML benefit while containing potential harm.

Key Takeaways: Bigger issue than any one company, state, or country might solve. Transcends traditional market segmentation governance. Defies traditional knowledge.

Cascading Supply Chain Attacks: What Threat Intel & AppSec Teams Can Learn From the Next Generation of Supply Chain Attacks
Ali N. Khan – Field CISO, ReversingLabs
In light of the recent 3CX incident, where Mandiant’s investigation concluded that 3CX was a case of a cascading software supply chain attack, my presentation will talk about the implications of cascading software supply chain attacks and what the possible best practices and countermeasures are. I will go through a similar cascading software supply chain attack discovered recently:

VS Code hack shows how supply chain attacks can extend to other software development tools. The new Visual Studio Code IDE hack highlights the risk of spreading beyond the Extensions Marketplace. Here’s how the threat can proliferate to open source packages like npm.

Key Takeaways: What CISOs are doing to understand this problem space and budget accordingly. What Threat Intel Teams are doing to detect and limit the damage from these attacks. What AppSec Teams are doing to proactively prevent such attacks.

Deciphering the National Cybersecurity Strategy: Implications for Cybersecurity Professionals
Niloufer Tamboly (CISSP, CCSP, CDPSE, CISA, CFE) – Risk Management Specialist, Verizon
This talk delves into the intricacies of the United States National Cybersecurity Strategy, discussing its impact on cybersecurity professionals’ tasks, expectations, and roles. It begins with an exploration of the evolution of this strategy, highlighting policy changes and their reasons. We will examine the strategy’s objectives, including protecting government networks and data, deterring cyber threats, and fostering international cooperation. The talk further scrutinizes how these objectives have influenced the cybersecurity landscape and, in turn, the responsibilities of cybersecurity professionals. Specifically, it probes into the amplified need for advanced skillsets, cross-sector collaboration, and adherence to ethical standards. Finally, the talk elucidates the prospective implications of anticipated changes in national strategy, equipping cybersecurity professionals with the knowledge to future-proof their careers. This comprehensive overview aims to facilitate a deeper understanding of the strategy, enabling cybersecurity professionals to navigate and respond to the evolving cybersecurity climate in the United States.

Key Takeaways: The National Cybersecurity Strategy is a framework that has profound implications on the roles, expectations, and competencies required of cybersecurity professionals. Understanding this evolution is critical for staying ahead in the field. The current objectives of the strategy – protecting government networks and data, deterring cyber threats, and fostering international cooperation – have amplified the need for advanced skillsets, cross-sector collaboration, and strong ethical standards among cybersecurity professionals. Anticipating and understanding the national strategy is critical to future-proofing one’s cybersecurity career. Staying informed about these changes equips professionals to adapt, innovate and lead in the fast-paced and challenging cybersecurity landscape.

Hacker Tool Kit
Jay Ferron (CEH, CISM, CISSP, C)PTE, C)ISSM, CRISC, CVEi, MCITP, MCSE, MCT, MVP, NSA-IAM, …) – CEO, Interactive Security Training, LLC
See what hackers use to attack your company, both technical and socially.

Key Takeaways: See what hardware and software hackers use. How the tools are used. How you can protect your company.

Is AI Above the Law, a Forensic Perspective
Kathy Braun (MBA, CCE) – Director/Business Information Security Advisor for Cyber Security & Information Technology, WheelsUp
AI has been personified by Corporate entities as capable of handling human decisions in certain areas of business and science. Discussion on how AI weighs against human accountability, and what is the role of Cybersecurity and specifically Forensic science, to monitor and balance the emerging technology.

Aside from the extremes surrounding AI and the proposed capabilities, the way that security groups may be able to assist: Programmers specializing in AI code, examining the algorithms and the data ingested, Forensic groups that can trace back activity to a human or entity at the wheel. General education requirements that may provide a pragmatic approach to AI safety.

Unlocking the Value of Cyber Risk Quantification: Transforming Information Security from Cost-Centers to Profit-Centers
Kiran Bhujle (CISA, CRISC, CDPSE, CMMC RP) – Global Managing Director, SVAM Security
Managing cyber risks has become essential for organizations in the digital age, where cyber threats are increasing in frequency, velocity, and sophistication. Cyber Risk Quantification (CRQ) provides a quantitative assessment of an organization’s cyber risk posture, allowing them to make informed decisions about risk management. Adopting CRQ enables organizations to prioritize and measure their cyber risks, evaluate the effectiveness of their cybersecurity investments, and quantify the potential impact of cyberattacks. By presenting the impact of cyber risks in financial terms, CRQ helps align cyber risk management with overall business strategy and communicate the risks to the board and other stakeholders. This session will explore the advantages of shifting from qualitative to quantitative assessments in managing cyber risks and transforming Information Security (IS) cost-centers into profit-centers.

Key Takeaways: What is Cyber Risk Quantification (CRQ). The quantitative assessment approach. How to prioritize and measure cyber risks, evaluate the effectiveness of cybersecurity investments, and quantify the potential impact of cyberattacks. How to increase stakeholder support and funding for cybersecurity initiatives.

Inside the Cyber Trenches: a vCISO’s Perspective on Cyber Realities
Jim Ambrosini (CISA, CISSP, CRISC) – CISO and Cybersecurity Consultant, IGI Cybersecurity
Join us as we explore the intricate world of cybersecurity through the unique lens of a seasoned virtual Chief Information Security Officer (vCISO). In this captivating presentation, our vCISO will share their invaluable perspectives garnered from years of hands-on experience working with multiple clients. This presentation focuses on what it’s like to be a CISO for several organizations concurrently. Our speaker, Jim Ambrosini, has over 25 years working as an information security and risk professional spanning the middle market to some of the largest companies in the world. He was recently presented with the highest honor by ISACA, the Wasserman Award, for his lifetime contributions to the security, risk, and governance profession. Jim will provide an inside look into what it truly means to be a vCISO for multiple organizations. He will share his approach, lessons learned, and the tools and tactics he has employed to effectively manage cybersecurity in this dynamic role.

Key Takeaways: Insight into the vCISO Role: Gain a comprehensive understanding of the responsibilities, challenges, and strategies involved in being a virtual Chief Information Security Officer (vCISO) for multiple organizations concurrently. Explore the unique perspective of managing cybersecurity across diverse clients and industries. Practical Lessons and Best Practices: Discover practical insights, tools, and tactics employed by an experienced vCISO. Learn from real-world examples and lessons learned to enhance your own cybersecurity strategies. Leveraging Extensive Experience: Benefit from the wisdom gained over 25 years of working in the information security and risk management field. Understand the nuances of building and leading cybersecurity programs across different organizational landscapes.

A People-Centric Approach to Breaking the Attack Chain
John C. Checco (C|CISO, CISSP, CSSLP, CCSK, QTE) – Resident CISO, Proofpoint
The Cyber Attack Chain is a well-known tenet of cybersecurity professionals. However, breaking the chain can be fraught with complexities and confusion between policies, tactics, controls and solutions. This talk will unravel some of the complexities of breaking the attack chain, specifically focusing on two areas: insider threats and information protection.

Key Takeaways: Understanding the Attack Chain. Areas of focus for insider threats. Areas of focus for information protection.

Charting a Better Path: Alternatives for At-Risk Youth in Cybercrime
William R. McKeen – Special Agent, Cyber Crime Investigations, FBI
A movement is underway in New York to develop a youth in cyber alternatives program. In this initiative, we are developing pathways for at-risk youth away from potentially criminal activity toward opportunities for success. This program seeks to build upon already existing projects like the UK’s Cyber Choices program and the Dutch Hack_Right program.

In the development of this program, we seek to partner with key stakeholders including: Private Sector partners such as tech, cyber threat intelligence, or other for-profit industry partners. Academic partners such as local universities’ computer science programs. Non-profit organizations involved in youth/community/or cyber engagement. This program aims to partner with these organizations to help provide several “offramp” options for youth cyber actors. As you know, young cyber actors are often motivated by intellectual curiosity and thrill-seeking behavior. This program will serve to both prevent future cybercrime and give these young actors a chance at a bright future in cyber rather than a path to prosecution.

Key Takeaways: The current crisis of at risk youth in cyber demands a better solution. Building off of programs in the UK and the Netherlands, our team in New York seeks to create the United States’ first youth in cyber diversion program. This program must be a community-led initiative, not one directed by government/law enforcement/or private industry alone.

Cybersecurity Workforce Development: From Education to Employment
Patrick J. Slattery – Professor, Texas Tech University (Costa Rica) & Adjunct Professor, CUNY New York City College of Technology
Participants in this panel discussion will emerge with a comprehensive understanding of how to bridge the gap between academic education and industry needs in the realm of cybersecurity. They will be equipped with insights into skill alignment, collaboration models, and diversity initiatives that will guide their decisions as students, educators, and professionals in the dynamic field of cybersecurity.
This dynamic panel aims to foster an insightful dialogue among four distinguished subject matter experts, each hailing from diverse sectors of academia and industry. With a spotlight on the alignment and potential misalignment between industry requirements for cybersecurity talent and the educational offerings provided by higher education institutions, this session will explore the multifaceted landscape of cybersecurity workforce development.

The discussion will delve into various aspects of this critical topic, including: Business-Centric Skillsets; Curriculum Adaptation; Practical Learning Experiences; Talent Pipeline and Diversity; Industry-Academia Collaboration.

Shining a Light into the Security Blackhole of OT Security
Huxley Barbee – Organizer, BSidesNYC
The Internet of Things (IoT) and the rise of Operational Technology (OT) networks have significantly increased the number of connected devices in modern networks, creating new challenges in inventorying assets, identifying and mitigating vulnerabilities, and verifying security controls coverage. This presentation will explore the unique challenges that IoT and OT pose for network scanning and provide solutions for effectively addressing these challenges while ensuring the safety and availability of these systems. The presentation will cover topics such as identifying IoT and OT devices on a network, understanding the context of vulnerabilities associated with these devices, and implementing appropriate security controls to mitigate these risks while ensuring the safety and availability of these systems. Attendees will also learn about best practices and tools for IoT and OT network scanning, such as using automated asset inventory, performing regular vulnerability assessments, and testing the changes in a controlled environment before implementing them. This presentation aims to equip the audience with the knowledge and skills to protect their organizations’ networks in the IoT and OT era while ensuring these systems’ safety and availability.

Key Takeaways: Better baseline understanding of OT and OT security challenges. Understanding of when passive network monitors are not optimal. Understanding of challenges around active scanning in OT.

Safeguarding the Future: Navigating Cybersecurity and Compliance in the Age of Generative AI
Viral Trivedi – Co-Founder, [Stealth Startup]
In the ever-evolving landscape of cybersecurity, risk management, and compliance, the convergence of generative AI presents a transformative paradigm with profound implications. As organizations embrace the potential of AI-powered innovation, they must simultaneously address the intricate security challenges it introduces. This presentation seeks to explore the dynamic interplay between generative AI, cybersecurity, and compliance, providing a comprehensive roadmap for safeguarding the digital landscape.

Through a systematic exploration of key themes, attendees will gain valuable insights into: The Dual Nature of Generative AI; Identifying and Mitigating AI-Specific Risks; Navigating Regulatory Complexities; Real-World Success Stories; Collaborative Defense in AI.

How Security Teams Can Help Build An AI Program
Mark Francis – Tech & Data Partner at Holland & Knight LLP
This session will offer a very pragmatic take on how security teams can help their business build and manage an AI program, covering important AI program elements such as: AI principles; product policies; corporate acquisitions; AI procurement and sales; technical guidance; and AI incident response.

Key Takeaways: Understand why AI can pose some unique challenges where product, security, and legal teams will need to work together; Understand key aspects of an AI program to build and manage from an operational perspective; and Leverage lessons-learned in overseeing cyber programs to take on the uncertainties posed by AI across legal, business and technical landscapes.

Rising From The Ashes: How one MSP Managed a Mass Scale Ransomware Attack
Robert Cioffi – Co-Founder, Progressive Computing
Imagine hackers using your RMM to install ransomware on all your clients simultaneously. It’s the ultimate nightmare scenario every MSP fears the most.

Progressive Computing was one such victim of the Kaseya VSA attack in 2021 and victoriously battled to win back their business after ransomware was installed across their entire client base.

This is a personal story. A human story. An emotional story. Prepare to be frightened and inspired.

Key Takeaways: Learn about the human/psychological side of a ransomware attack. Learn how this MSP managed to survive a near business-ending experience. Learn about the power of community.

Protect Your Privilege: The Key Security Measures Administrators in M365 and Azure Should Take
Eric Woodruff, Microsoft Security MVP – Product Technical Specialist, Semperis
How privileged is your user account in M365 and Azure? Are your privileged users synchronized from Active Directory? Are they mail enabled? And when is the last time you audited your privileges to see what you use vs what you are assigned?

In the 2022 Microsoft Digital Defense Report, weak identity controls were the number one factor for incident response engagements, with 84% of administrators in organizations not using proper privileged identity controls. Threat actors are turning their eyes towards the cloud; business email compromise, easy data exfiltration and tenants being ransomwared is a reality we now live with. For some organizations it’s a matter of time or money or knowledge, or perhaps all three, to understand what privileged identity means in the world of M365 and Azure.

In this conversation we’ll discuss the key privileged identity controls every organization should employ for privileged users, whether you are using Azure, or M365, or both. We’ll look at the Microsoft RAMP model for securing privilege, clarify commonly confusing topics around privileged security, and answer the questions as to why these controls are important, and how identity security requires layered complementary controls to ensure that we protect our privilege, and in turn protect our organization.

Key Takeaways: What steps are necessary to protect privileged access in Entra ID/Microsoft 365. The reality of how these steps are easier to implement than perceived. Why it’s so important to use a layered model around identity security.
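The three questions the abstract opens with (is the privileged account synchronized from on-premises Active Directory, is it mail-enabled, and what is actually assigned) can be answered from the tenant itself. The script below is an added example, not material from the session or from Microsoft; it assumes the Microsoft Graph PowerShell SDK (the `Microsoft.Graph` module) is installed and that the signed-in account can consent to the `RoleManagement.Read.Directory` and `Directory.Read.All` scopes. It enumerates every activated directory role, looks up each user member, and flags the accounts that are synced from AD or carry a mailbox, which are the ones the talk argues should be replaced with cloud-only, mailbox-less admin identities.

```powershell
# Added example (not from the session or from Microsoft): inventory active
# Entra ID directory-role members and flag the properties the abstract asks about.
# Assumes: Microsoft.Graph PowerShell SDK installed; account can grant these scopes.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

$findings = foreach ($role in Get-MgDirectoryRole) {
    # Get-MgDirectoryRole only returns roles that have been activated in the tenant,
    # which is exactly the set that can have members today.
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Users only here; groups and service principals holding roles need a separate review.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $u = Get-MgUser -UserId $member.Id -Property Id, UserPrincipalName, Mail, OnPremisesSyncEnabled, AccountEnabled

        [pscustomobject]@{
            Role         = $role.DisplayName
            User         = $u.UserPrincipalName
            Enabled      = $u.AccountEnabled
            SyncedFromAD = [bool]$u.OnPremisesSyncEnabled          # on-prem AD compromise => cloud admin compromise
            MailEnabled  = -not [string]::IsNullOrEmpty($u.Mail)   # phishable mailbox attached to a privileged identity
        }
    }
}

# Full inventory: what is assigned, regardless of whether it is ever used.
$findings | Sort-Object Role, User | Format-Table -AutoSize

# The accounts that violate the two controls the talk highlights.
$findings | Where-Object { $_.SyncedFromAD -or $_.MailEnabled } |
    Sort-Object Role, User |
    Format-Table Role, User, SyncedFromAD, MailEnabled -AutoSize
```

The script covers permanently active assignments only. Tenants that use Privileged Identity Management also carry eligible assignments, which this listing does not show; those are reviewed separately through the PIM role-eligibility cmdlets in the same SDK, and the comparison of the two lists is what answers the abstract’s “what you use vs what you are assigned” question.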

Redefining Red Teaming with Artificial Intelligence
Thomas Ryan – Founder, Asymmetric Response
In today’s fast-evolving threat landscape, the confluence of artificial intelligence (AI) and cybersecurity is reshaping how we approach, understand, and counter cyber threats. This talk examines how red teaming, a discipline traditionally rooted in human intuition and creativity, evolves when infused with AI capabilities. We dive deep into the promises and perils AI brings to the realm of cybersecurity, providing insights and actionable takeaways for professionals looking to stay ahead in this new era of digital defense and offense.

Key Takeaways: Social Engineering in the Age of AI. The Double-Edged Sword of AI in Offensive and Defensive Cybersecurity. AI’s Role in Post-Exploit Scenarios. Enhancing Zero-Day Exploit Discovery with AI. Exploiting AI from an Adversarial Approach.

Human Spies Enabling Cyber Attacks: Solutions to Real-World Problems
COL(R) Thomas Pike – CEO, Spectrum Shield
Human spies routinely facilitate cyber access. These acts are clandestine and designed not to be discovered. These spies are an insider threat, and have access to systems by the nature of their jobs. There are several ways humans can enable cyber attacks and facilitate these operations. These clandestine activities are designed not to be detected and a successful program can greatly inhibit the victim’s ability to detect a breach.

Key Takeaways: The threat is real, and here is how it happens. The spy recruiting cycle: what you need to know. Security programs can be effective if they leverage certain solutions.

Beyond the XBOM: A Holistic Approach to Cyber Supply Chain Risk
Munish Walther-Puri (GICSP, FAIR, CTPRP, CISSP) – VP Cyber Risk, Exiger
Business depends on relationships, which require trust, but trust is not transitive. How do you “trust but verify” second and third tiers of relationships? In security, we are focused on how technology functions – or malfunctions, becomes dysfunctional, or gets misfunctioned. We need to start thinking about manufacturing and production, and not just function: where the tech comes from, who makes the tech, and how the tech is made.

Both industry and government are focused on software supply chain security (i.e., SBOMs) and, separately, on supply chains of critical technologies (e.g., semiconductors); however, we need an integrated approach to thinking about all the aspects related to technology, and therefore security.

This panel will bring together perspectives from government, industry, and academia to go beyond the XBOM (software, hardware, and firmware) and synthesize supply chain security issues related to supplier bases, geopolitical risk and national security, and technology ecosystems.

Proposed panelists:
Anjana Rajan – Deputy Asst National Cyber Director for Supply Chain, ONCD
Cassie Crossley – VP Product Security, Schneider Electric
Anita Patankar-Stoll – Supply Chain Risk Management Counsel, Verizon

Key Takeaways: Industry has deep visibility into its supply chain, government has the levers, and there are ways that they must work together to protect critical technologies. Geopolitics and national security affect supply chain decisions which have a direct impact on cybersecurity. Cyber risk is a type of supply chain risk; adversaries attack through *and* to the supply chain.

Workforce Development Collaborations for the Future
Joel Caminer – Senior Director, Center for Cybersecurity (CCS), NYU
A chance to discuss workforce development challenges for both new/incoming as well as experienced cybersecurity workers. We’ll dive into how universities can and should be collaborating with credential bodies like ISACA and ISC2 in a win-win scenario for skills training and career advancement.

Key Takeaways: Value in pursuing industry credentials. Value in pursuing university degrees. Value in collaborations in helping foster a lifelong learning mindset and trajectory.

12 Dysfunctions of InfoSec
Gotham Sharma – Executive Director, Cybersecurity Education and Training, AccessCyber
InfoSec is broken – in more ways than one. Here are the problems. What are the solutions? Let’s find out.

Key Takeaways: The many security challenges. Dysfunctional elements of infosec. How do we get to functional on a micro and macro level?

We Need a Compliance Control for Retaining Cybersecurity Professionals
Deidre Diamond – Founder & President, Secure Diversity
Adrianna Iadarola – Ambassador, Secure Diversity
Organizations must examine risk through the lens of our dire talent retention issues. Organizations have control over retaining talent, and yet the statistics are horrifying. Cybersecurity professionals are not happy with their current employment and move jobs regularly. Talent retention controls seem greatly necessary, given that organizations are not following best practices for retaining and/or hiring cybersecurity professionals. This negligence puts an organization in a higher risk bracket, and therefore a compliance control is greatly needed.

Cybersecurity Jobs Data: What Jobs are Steady and Which are Volatile?
Deidre Diamond – Founder & President, Secure Diversity
Adrianna Iadarola – Ambassador, Secure Diversity
Are you interested in the state of cybersecurity jobs in our current economy? In this discussion, we will dive into the latest U.S. job posting data across cybersecurity over the last year. With an average of 160,000 cybersecurity jobs posted each month, this comprehensive data set will provide valuable insights into the ever-evolving world of cybersecurity.

Cultivating Diverse Cybersecurity Leadership
Deidre Diamond – Founder & President, Secure Diversity
Adrianna Iadarola – Ambassador, Secure Diversity

– Part of the Career Advancement Track

Employers Looking to Hire, Retain, and Build Diverse Cybersecurity Teams
Deidre Diamond – Founder & President, Secure Diversity
Adrianna Iadarola – Ambassador, Secure Diversity

– Part of the Career Advancement Track

Career Q&A
Deidre Diamond – Founder & President, Secure Diversity
Adrianna Iadarola – Ambassador, Secure Diversity

– Part of the Career Advancement Track

As part of our educational mission as a coalition of non-profit organizations, registration fees are only to cover the costs of the logistics.

Workshops on the second day include:

Workshop (10/20) – “NIST Risk Mgt Framework”

Workshop (10/20) – “Introduction to Pen Testing”

Workshop (10/20) – “Intro to Digital Forensics”

Workshop (10/20) – “Introduction to Python”

Registration here

Microsoft Security Virtual Training Day: Security, Compliance, and Identity Fundamentals

Grow your skills at Security Virtual Training Day: Security, Compliance, and Identity Fundamentals from Microsoft Learn. At this free, introductory event, you’ll gain the security skills and training you need to create impact and take advantage of opportunities to move your career forward. You’ll explore the basics of security, compliance, and identity—including best practices to help protect people and data against cyberthreats for greater peace of mind. You’ll also learn more about identity and access management while exploring compliance management fundamentals.
You will have the opportunity to:
• Learn the fundamentals of security, compliance, and identity.
• Understand the concepts and capabilities of Microsoft identity and access management solutions, as well as compliance management capabilities.
• Gain the skills and knowledge to jumpstart your preparation for the certification exam.
Join us at an upcoming two-part event:
Wednesday, September 20, 2023 | 10:00 AM – 1:45 PM (GMT-05:00) Eastern Time (US & Canada)
Thursday, September 21, 2023 | 10:00 AM – 12:15 PM (GMT-05:00) Eastern Time (US & Canada)

Delivery Language: English
Closed Captioning Language(s): English


Overview and Considerations of Access Control Based on Attribute Encryption: NIST Publishes IR 8450

NIST has published NIST Internal Report (IR) 8450, Overview and Considerations of Access Control Based on Attribute Encryption. Access control based on attribute encryption addresses an issue with traditional public-key encryption (PKE) wherein keys need to dynamically change whenever access policies and/or attributes change, which could cause inefficient system performance.

Access control based on attribute encryption supports fine-grained access control for encrypted data and is a cryptographic scheme that goes beyond the all-or-nothing approach of public-key encryption. This document reviews the interplay between cryptography and the access control of attribute-based encryption, including the fundamental theories on which the scheme is based; the various main algorithms of IBE, CP-ABE, and KP-ABE; and considerations for deploying access control systems based on encryption.

Read More

NIST’s Planned Updates to Implementing the HIPAA Security Rule

Background: NIST Special Publication (SP) 800-66

Healthcare organizations face many challenges from cybersecurity threats. This can have serious impacts on the security of patient data, the quality of patient care, and even the organization’s financial status. Healthcare organizations also must comply with regulatory requirements, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, which focuses on safeguarding the electronic protected health information (ePHI) held or maintained by HIPAA covered entities and business associates (collectively, ‘regulated entities’).

Draft NIST Special Publication (SP) 800-66 Revision 2 provides practical guidance and resources that can be used by regulated entities of all sizes to safeguard ePHI. To that end, Draft NIST SP 800-66 Revision 2 aims to help organizations improve their overall cybersecurity posture, while also complying with the Security Rule. 

Read the Blog!

Get a Crash Course in Microsoft 365 Business Premium for Nonprofits

Microsoft 365 Business Premium Crash Course for Nonprofits
Get the e-book

Microsoft 365 Business Premium is an integrated solution for small and mid-sized nonprofits that brings together Outlook email, Office desktop applications, OneDrive cloud storage, Teams for digital collaboration, as well as simple device management and advanced security features. Help your nonprofit improve cybersecurity, reduce costs, and empower staff and volunteers to work from anywhere. Download the e-book, Crash Course in Microsoft 365 Business Premium for Nonprofits, and learn how this integrated solution can help you focus on what matters most: your mission. Here are just a few of the topics we’ll cover:

  • Be productive anywhere: Get work done and stay connected with your staff and constituents whether you’re working remotely or onsite.
  • Secure your nonprofit: Safeguard data with a cloud platform that offers built-in security features for remote work.
  • One cost-effective solution: Streamline collaboration tools, IT setup and management, and costs with a single productivity solution.

Get started with the Microsoft 365 Business Premium grant

For eligible nonprofits, Microsoft 365 Business Premium is free for up to 10 users, with discounted pricing of $5.50 (USD) per user/month for additional users. To get started, register and confirm your organization’s eligibility. Already registered as a nonprofit? Log in to your Microsoft Nonprofit page and access the Admin Center. Watch our guided demo to help you get your free Microsoft 365 licenses.

Regards,
Microsoft Tech for Social Impact Team

CISA and International Partners Release Malware Analysis Report on Infamous Chisel Mobile Malware

Today, the United Kingdom’s National Cyber Security Centre (NCSC-UK), the United States’ Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI), New Zealand’s National Cyber Security Centre (NCSC-NZ), the Canadian Centre for Cyber Security (CCCS), and the Australian Signals Directorate (ASD) published a joint Malware Analysis Report (MAR) on Infamous Chisel, a new mobile malware targeting Android devices with capabilities to enable unauthorized access to compromised devices, scan files, monitor traffic, and periodically steal sensitive information. Infamous Chisel has been used in a malware campaign targeting Android devices in use by the Ukrainian military.

Infamous Chisel is a collection of components targeting Android devices and is attributed to Sandworm, the Russian Main Intelligence Directorate’s (GRU’s) Main Centre for Special Technologies (GTsST). Its capabilities include network monitoring, traffic collection, network backdoor access via The Onion Router (Tor) and Secure Shell (SSH), network scanning, and Secure Copy Protocol (SCP) file transfer.

The authoring organizations urge users, network defenders, and stakeholders to review the malware analysis report for indicators of compromise (IOCs) and detection rules and signatures to determine system compromise. For more information about malware, see CISA’s Malware, Phishing, and Ransomware page. The joint MAR can also be read in full on the NCSC-UK website. Associated files relating to this report can also be accessed via the NCSC’s Malware Analysis Reports page. For more information on Russian state-sponsored cyber activity, please see CISA’s Russia Cyber Threat Overview and Advisories webpage.

Identification and Disruption of QakBot Infrastructure

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released this Joint Cybersecurity Advisory to disseminate QakBot infrastructure indicators of compromise (IOCs) identified through FBI investigations as of August 2023. On August 25, the FBI and international partners executed a coordinated operation to disrupt QakBot infrastructure worldwide. Disruption operations targeting QakBot infrastructure resulted in the botnet takeover, which severed the connection between victim computers and QakBot command and control (C2) servers. The FBI is working closely with industry partners to share information about the malware to maximize detection, remediation, and prevention measures for network defenders.
CISA and FBI encourage organizations to implement the recommendations in the mitigations section of the advisory to reduce the likelihood of QakBot-related activity and promote identification of QakBot-facilitated ransomware and malware infections. Note: The disruption of QakBot infrastructure does not mitigate other previously installed malware or ransomware on victim computers. If potential compromise is detected, administrators should apply the incident response recommendations included in this advisory and report key findings to a local FBI Field Office or CISA at
For a downloadable copy of IOCs, see: AA23-242A.stix.xml | AA23-242A.stix.json.
This advisory contains technical details, IOCs, mitigation recommendations, and is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.
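The STIX files the advisory points to can be consumed directly by a log sweep, and because the takedown does not remove malware that was already installed, historical logs are worth scanning as well. As an added example (not from the advisory, and containing no real QakBot indicators): a constructed STIX 2.1 bundle using reserved documentation addresses and the .invalid TLD is parsed into observable/value atoms and matched against constructed proxy log lines. It evaluates only OR-lists of equality comparisons; for full pattern semantics run the real AA23-242A.stix.json through the OASIS stix2 and stix2-patterns libraries instead of the regex here.

```python
"""Sweep proxy logs for STIX 2.1 indicator matches (added example, not from AA23-242A).

The bundle and log lines are constructed stand-ins (RFC 5737 addresses, the
reserved .invalid TLD, made-up UUIDs); point the same code at the real
AA23-242A.stix.json and your own logs. Only OR-lists of equality comparisons are
evaluated; patterns using AND/FOLLOWEDBY/etc. are reported as needing a real
evaluator such as the OASIS stix2-patterns library.
"""
import json
import re

CONSTRUCTED_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--0f1e2d3c-4b5a-4697-8877-665544332211",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--11111111-1111-4111-8111-111111111111",
         "pattern_type": "stix", "valid_from": "2023-08-25T00:00:00Z",
         "pattern": "[ipv4-addr:value = '192.0.2.44' OR ipv4-addr:value = '198.51.100.7']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--22222222-2222-4222-8222-222222222222",
         "pattern_type": "stix", "valid_from": "2023-08-25T00:00:00Z",
         "pattern": "[domain-name:value = 'c2.example.invalid']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--33333333-3333-4333-8333-333333333333",
         "pattern_type": "stix", "valid_from": "2023-08-25T00:00:00Z",
         "pattern": "[network-traffic:dst_ref.value = '203.0.113.9' AND network-traffic:dst_port = 8443]"},
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--44444444-4444-4444-8444-444444444444",
         "name": "constructed-sample", "is_family": True},
    ],
})

# Constructed Squid-style access log lines; line 3 is a near miss (198.51.100.70).
CONSTRUCTED_LOGS = [
    "1693526400.123    312 10.0.0.15 TCP_TUNNEL/200 4821 CONNECT 192.0.2.44:443 - HIER_DIRECT/192.0.2.44 -",
    "1693526401.456    120 10.0.0.15 TCP_MISS/200 1022 GET http://update.c2.example.invalid/a.php - HIER_DIRECT/198.51.100.7 text/html",
    "1693526402.789     88 10.0.0.22 TCP_MISS/200 5120 GET http://www.example.com/ - HIER_DIRECT/198.51.100.70 text/html",
    "1693526403.001     45 10.0.0.31 TCP_TUNNEL/200 9000 CONNECT login.microsoftonline.com:443 - HIER_DIRECT/203.0.113.9 -",
]

_COMPARISON = re.compile(r"([\w-]+:[\w.-]+)\s*=\s*'([^']*)'")
_UNSUPPORTED = re.compile(r"\b(AND|FOLLOWEDBY|REPEATS|WITHIN|START|STOP)\b")
# Anchors per observable so '192.0.2.4' cannot hit '192.0.2.44' or '10.192.0.2.4'.
_BOUNDARY = {
    "ipv4-addr:value": (r"(?<![\d.])", r"(?![\d.])"),
    "domain-name:value": (r"(?<![\w-])", r"(?![\w-])"),  # subdomains of the indicator also hit
}
_DEFAULT_BOUNDARY = (r"(?<!\S)", r"(?!\S)")


def load_indicators(bundle_json):
    """Return ({indicator_id: [(observable_path, value), ...]}, [ids needing a full evaluator])."""
    atoms, unsupported = {}, []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        if _UNSUPPORTED.search(obj["pattern"]):
            unsupported.append(obj["id"])  # AND/temporal semantics: do not approximate them
            continue
        atoms[obj["id"]] = _COMPARISON.findall(obj["pattern"])
    return atoms, unsupported


def compile_indicators(atoms):
    """Turn each atom into an anchored, case-insensitive regex."""
    compiled = []
    for ind_id, pairs in atoms.items():
        for path, value in pairs:
            pre, post = _BOUNDARY.get(path, _DEFAULT_BOUNDARY)
            compiled.append((ind_id, path, value,
                             re.compile(pre + re.escape(value) + post, re.IGNORECASE)))
    return compiled


def scan_logs(bundle_json, log_lines):
    """Return sorted, de-duplicated (line_no, indicator_id, observable_path, value) hits."""
    atoms, _ = load_indicators(bundle_json)
    compiled = compile_indicators(atoms)
    hits = set()
    for line_no, line in enumerate(log_lines, start=1):
        for ind_id, path, value, rx in compiled:
            if rx.search(line):
                hits.add((line_no, ind_id, path, value))
    return sorted(hits)


if __name__ == "__main__":
    _, skipped = load_indicators(CONSTRUCTED_BUNDLE)
    for hit in scan_logs(CONSTRUCTED_BUNDLE, CONSTRUCTED_LOGS):
        print("line %d: %s matched %s=%s" % hit)
    for ind_id in skipped:
        print("needs full STIX pattern evaluation:", ind_id)
```

A hit is reported per (line, indicator, value) so the triage queue carries the indicator id back to the advisory; lines that match nothing but are near misses (the 198.51.100.70 line) are deliberately silent, which is why the per-observable anchoring matters more than it looks.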

Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD Pipelines: NIST SP 800-204D ipd Available for Comment

The initial public draft (ipd) of NIST Special Publication (SP) 800-204D, Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD Pipelines, is now available for public comment.

Cloud-native applications are made up of multiple loosely coupled components called microservices. This class of applications is generally developed through an agile software development life cycle (SDLC) paradigm called DevSecOps, which uses flow processes called continuous integration/continuous delivery (CI/CD) pipelines. Analyses of recent software attacks and vulnerabilities have led both government and private-sector organizations to focus on the activities involved in the entire SDLC. The collection of these activities is called the software supply chain (SSC). The integrity of these individual operations contributes to the overall security of an SSC, and threats can arise from attack vectors unleashed by malicious actors as well as defects introduced when due diligence practices are not followed during the SDLC.

Executive Order (EO) 14028, NIST’s Secure Software Development Framework (SSDF), other government initiatives, and industry forums have addressed security assurance measures for SSCs to enhance the security of all deployed software. This document focuses on actionable measures to integrate the various building blocks of SSC security assurance into CI/CD pipelines to prepare organizations to address SSC security in the development and deployment of their cloud-native applications.
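One of the building blocks the draft describes integrating into a pipeline is provenance checking before deployment. As an added example (not from SP 800-204D or any NIST reference implementation): a deploy gate that verifies an in-toto Statement v1 carrying a SLSA Provenance v1 predicate inside a DSSE envelope, checking the artifact digest, an allow-list of builder identities, and the expected source repository and ref. The builder ids, repository, build type and key are assumptions; the envelope is authenticated here with HMAC-SHA256 under a shared key so the block runs offline, whereas a real pipeline verifies the builder's asymmetric signature (for example with Sigstore/cosign).

```python
"""Provenance gate before deploy (added example, not from SP 800-204D).

Verifies an in-toto Statement v1 carrying a SLSA Provenance v1 predicate inside a
DSSE envelope. Assumed for an offline demo: the envelope is authenticated with
HMAC-SHA256 under a key shared by the builder and the gate; a real pipeline checks
the builder's asymmetric signature (e.g. Sigstore/cosign). Builder ids, repository,
build type and key material below are constructed placeholders.
"""
import base64
import hashlib
import hmac
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PREDICATE_TYPE = "https://slsa.dev/provenance/v1"
PAYLOAD_TYPE = "application/vnd.in-toto+json"

DEMO_KEY = b"constructed-shared-key-not-for-production"
DEMO_ARTIFACT = b"constructed artifact bytes standing in for service.tar.gz"
DEMO_POLICY = {  # what the gate is willing to deploy
    "trusted_builders": {"https://ci.example.invalid/runner/prod"},
    "repository": "https://git.example.invalid/app",
    "ref": "refs/heads/main",
}


def _pae(payload_type, payload):
    """DSSE pre-authentication encoding: the bytes that are actually signed."""
    pt = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(pt), pt, len(payload), payload)


def build_envelope(artifact, builder_id, repository, ref, key):
    """Builder side: describe how `artifact` was produced and authenticate the statement."""
    statement = {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": "service.tar.gz",
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": PREDICATE_TYPE,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://ci.example.invalid/build/v1",  # assumed
                "externalParameters": {"repository": repository, "ref": ref},
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, _pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "builder-key-1", "sig": base64.b64encode(sig).decode()}]}


def verify_envelope(envelope, artifact, policy, key):
    """Gate side: return the list of policy failures; an empty list means deploy may proceed."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, _pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    if not any(hmac.compare_digest(base64.b64decode(s["sig"]), expected)
               for s in envelope.get("signatures", [])):
        return ["envelope signature invalid"]  # nothing inside can be trusted, stop here
    failures = []
    st = json.loads(payload)
    if st.get("_type") != STATEMENT_TYPE or st.get("predicateType") != PREDICATE_TYPE:
        failures.append("unexpected statement or predicate type")
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest for s in st.get("subject", [])):
        failures.append("subject digest mismatch")  # attestation is about a different artifact
    pred = st.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in policy["trusted_builders"]:
        failures.append(f"untrusted builder {builder!r}")
    params = pred.get("buildDefinition", {}).get("externalParameters", {})
    if params.get("repository") != policy["repository"] or params.get("ref") != policy["ref"]:
        failures.append("build did not come from the expected repository/ref")
    return failures


def run_demo():
    """Exercise the gate on a good build, a swapped artifact, a dev builder and a forged payload."""
    good = build_envelope(DEMO_ARTIFACT, "https://ci.example.invalid/runner/prod",
                          DEMO_POLICY["repository"], DEMO_POLICY["ref"], DEMO_KEY)
    dev = build_envelope(DEMO_ARTIFACT, "https://ci.example.invalid/runner/dev",
                         DEMO_POLICY["repository"], DEMO_POLICY["ref"], DEMO_KEY)
    forged = dict(good, payload=base64.b64encode(b"{}").decode())  # payload edited, MAC not
    return {
        "good": verify_envelope(good, DEMO_ARTIFACT, DEMO_POLICY, DEMO_KEY),
        "swapped_artifact": verify_envelope(good, DEMO_ARTIFACT + b"\x00", DEMO_POLICY, DEMO_KEY),
        "dev_builder": verify_envelope(dev, DEMO_ARTIFACT, DEMO_POLICY, DEMO_KEY),
        "forged_payload": verify_envelope(forged, DEMO_ARTIFACT, DEMO_POLICY, DEMO_KEY),
    }


if __name__ == "__main__":
    for case, failures in run_demo().items():
        print(f"{case}: {'DEPLOY' if not failures else 'BLOCK ' + '; '.join(failures)}")
```

The order of checks is the point: authenticity of the envelope first, because every later field is attacker-controlled until the signature holds; then the binding to the exact bytes being deployed; then who built it and from what source. A gate that checks the digest but accepts any builder, or trusts the builder but never compares the digest, leaves the classic substitution paths open.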

The public comment period is open through October 13, 2023. See the publication details for a copy of the draft and instructions for submitting comments.

NOTE: A call for patent claims is included on page ii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.

Read More