NIST is extending the public comment due date to February
27, 2023, for the initial working draft (iwd) of NIST Special
Publication (SP) 800-55r2, Performance Measurement Guide for Information
Security. See the publication
details for a copy of the draft and instructions for submitting
comments.
NIST Revises the Digital Signature Standard (DSS) and Publishes a Guideline for Elliptic Curve Domain Parameters
Today, NIST is publishing Federal Information Processing Standard
(FIPS) 186-5, Digital Signature
Standard (DSS), along with NIST Special Publication (SP)
800-186, Recommendations
for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters.
FIPS 186-5 specifies three techniques for the generation and
verification of digital signatures that can be used for the protection of data:
- Rivest-Shamir-Adleman (RSA) Algorithm
- Elliptic Curve Digital Signature Algorithm (ECDSA)
- Edwards Curve Digital Signature Algorithm (EdDSA)
The Digital Signature Algorithm (DSA), which was specified in
prior versions of FIPS 186, is retained only for the purposes of verifying
existing signatures.
The companion document, NIST SP 800-186, specifies the set of
recommended elliptic curves. In addition to the previously recommended
Weierstrass curves, there are two newly specified Edwards curves included for
use with the EdDSA algorithm. Edwards curves provide increased
performance, side-channel resistance, and simpler implementation when compared
to traditional curves. While NIST SP 800-186 includes the specifications
for elliptic curves over binary fields, these curves are now deprecated, and the
use of other (prime) curves is strongly recommended.
The algorithms in these standards are not expected to provide
resistance to attacks from a large-scale quantum computer. Digital
signature algorithms that will provide security from quantum computers will be specified
in future NIST publications. For more information, see the Post-Quantum
Cryptography Standardization project.
Phishing Resistance – Protecting the Keys to Your Kingdom
Migrate from AD FS to Microsoft Azure Active Directory for identity management
The Microsoft 365 cloud environment benefits from an extensive monitoring and security infrastructure. Machine learning and human intelligence that look across worldwide traffic can rapidly detect attacks and allow you to reconfigure almost in real time. Confirm that none of the following scenarios apply to your org before moving forward with the migration:
- Custom attribute store to retrieve additional claims from LDAP and SQL
- Non-Microsoft MFA provider integrated with AD FS
- Non-Microsoft Mobile Device Management (MDM) integrated with AD FS
- Non-persistent virtual desktop infrastructure (VDI) with Windows 11
- Windows Hello for Business in certificate authentication mode
- Azure AD Cloud Sync with hybrid Azure AD join
- Dual-federation (for example, Azure commercial and Azure China 21Vianet)
- Sign-in with SamAccountName or EmployeeID
- Legacy authentication, such as POP3 and SMTP
- Nested groups, dynamic groups, and groups that contain contact objects
- If your application includes the “domain_hint” attribute
- Windows 10 version 1903 or older for both hybrid Azure AD join or Azure AD join if the user has a non-routable UPN
What to expect
To get custom guidance for migrating to Azure AD, you’ll first answer a few questions about your Active Directory Federation Services (AD FS) infrastructure. Then implement either pass-through authentication (PTA) or password hash sync (PHS) to give users a streamlined experience while accessing your org’s apps.
Register for the Identity workshop for Developers (free)
When: Tuesday – Thursday, February 14 to 16, 2023
Time: 9 AM UTC to 12 PM UTC (EMEA/IST)
Where: Microsoft Teams Meeting
When: Tuesday – Thursday, March 14-16, 2023
Time: 9:00 AM – 12:00 PM (Pacific Time)
Where: Microsoft Teams Meeting
Modules for the workshop:
- Microsoft Identity Platform Overview
- Fundamentals of Modern Authentication
- Permissions and Consent
- Migrating your Apps
- Protecting APIs
- Token Customization
The workshop will combine lectures and hands-on modules.
NIST Privacy Enhancing Cryptography (PEC) — Special Topics on Privacy and Public Auditability, Event
What: “Special Topics on Privacy and Public Auditability” (STPPA) — Event 5.
- New date & time: 2023-Feb-09, 12:00pm–15:50pm (Eastern Time)
- Featured topics: identity-based encryption (IBE), attribute-based encryption (ABE), broadcast encryption
- Format: Three talks and one panel conversation.
- Detailed info: https://csrc.nist.gov/events/2023/stppa5
- Free registration (via Webex): https://nist-secure.webex.com/weblink/register/r92f4ffc27fc2534733799ac4161f454e
- Tweet about the event: https://twitter.com/NISTcyber/status/1620080992936665097
- PEC-Forum: For future related announcements, you may also join the “PEC-forum” mailing list: https://csrc.nist.gov/projects/pec/email-list
STPPA: In the “Special Topics on Privacy and Public
Auditability” series, the NIST privacy-enhancing cryptography (PEC)
project, in the cryptographic technology group,
hosts talks on various interconnected topics related to privacy and public
auditability. The goal is to convey basic technical background, incite
curiosity, suggest research questions and discuss applications, with an
emphasis on the role of cryptographic tools.
For more information, contact: pec-stppa@nist.gov
Ransomware Risk Management: A Cybersecurity Framework Profile, a great document from NIST
Ransomware is a type of malicious attack where attackers encrypt an
organization’s data and demand payment to restore access. Attackers may
also steal an organization’s information and demand an additional
payment in return for not disclosing the information to authorities,
competitors, or the public. This Ransomware Profile identifies the
Cybersecurity Framework Version 1.1 security objectives that support
identifying, protecting against, detecting, responding to, and
recovering from ransomware events. The profile can be used as a guide to
managing the risk of ransomware events. That includes helping to gauge
an organization’s level of readiness to counter ransomware threats and
to deal with the potential consequences of events.
To download the publications, go here.
NIST AI Risk Management Framework Aims to Improve Trustworthiness
NIST today released its Artificial
Intelligence Risk Management Framework (AI RMF 1.0),
a guidance document for voluntary use by organizations designing, developing,
deploying or using AI systems to help manage the risks of AI technologies. The
Framework seeks to cultivate trust in AI technologies and promote AI innovation
while mitigating risk. The AI RMF follows a direction from
Congress for NIST to develop the framework and was produced in
close collaboration with the private and public sectors over the past 18
months.
AI RMF 1.0 was released at a livestreamed event today with Deputy
Secretary of Commerce Don Graves, Under Secretary for Technology and Standards
and NIST Director Laurie Locascio, Principal Deputy Director for Science and
Society in the White House Office of Science and Technology Policy Alondra Nelson,
House Science, Space, and Technology Chairman Frank Lucas and Ranking Member
Zoe Lofgren, and panelists representing businesses and civil society. A
recording of the event is available here.
NIST also today released, for public comment, a companion
voluntary AI RMF Playbook,
which suggests ways to navigate and use the framework, a Roadmap for future work to enhance the Framework and its
use, and the first two AI RMF 1.0 crosswalks with key AI standards and US and EU
documents.
NIST plans to work with the AI community to update the framework
periodically and welcomes suggestions for additions and improvements to the
Playbook at any time. Comments received through February 2023 will be
included in an updated version of the Playbook to be released in spring 2023.
Sign up to receive email notifications about NIST’s AI activities here or
contact us at: AIframework@nist.gov. Also, see information
about how to engage in NIST’s broader AI activities.
Draft Call for Multi-Party Threshold Schemes: NIST IR 8214C ipd Available for Public Comment
NIST requests public comments on NIST IR 8214C ipd (initial public
draft), NIST First Call for Multi-Party Threshold Schemes,
for primitives organized into two categories:
- Cat1: selected NIST-specified primitives
- Cat2: other primitives not specified by NIST
The report specifies the various categories, subcategories, and
requirements for a successful submission, including security characterization,
technical description, open-source implementation, and performance evaluation.
The process intends to help the NIST cryptographic technology group collect
reference material to promote a public analysis of the viability of threshold
schemes and related primitives. This will support the NIST multi-party
threshold cryptography and privacy-enhancing cryptography projects in
developing future recommendations.
Threshold schemes should NOT be submitted until the final version
of this report is published. However, using the present draft as a baseline,
potential submitters are encouraged to prepare early for future submissions.
The public comment period is open through April 10, 2023. See
the publication
details for a copy of the initial public draft and instructions for
submitting comments.
NOTE: A call for patent claims is included on page iii of this
draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy –
Inclusion of Patents in ITL Publications.
Here is a list of the new state data privacy statutes slated to come online in 2023:
(1) Most of the provisions of the California Privacy Rights Act (CPRA) become effective on Jan. 1, 2023. CPRA amended the California Consumer Privacy Act (CCPA), which had already created a number of individual rights modeled after the GDPR. CPRA created a new state agency, similar to data protection agencies in the EU countries charged with enforcing the GDPR.
(2) The Colorado Privacy Act (CPA) becomes effective on July 1, 2023. In addition to creating rights patterned after the individual rights under GDPR, CPA requires data security and contract provisions for vendors and assessments for “high-risk” processing.
(3) The Connecticut Data Privacy Act (CDPA), like Colorado’s new privacy law, goes into effect on July 1, 2023. CDPA likewise creates a suite of GDPR-like individual rights, and requires data minimization, security, and assessments for “high risk” processing.
(4) The Utah Consumer Privacy Act (UCPA) becomes effective on Dec. 31, 2023. It provides for certain GDPR-like individual rights, and also requires data security and contract provisions. But UCPA does not include expressly required risk assessments.
(5) The Virginia Consumer Data Privacy Act (VCDPA) becomes effective Jan. 1, 2023. It provides for certain GDPR-like individual rights. But in 2022, the “right-to-delete” was replaced with a right to opt out from certain processing.