Spring is in full bloom (finally) in Minnesota, and life is good. The weather is great, and last week, our Governor (Tim Walz) lifted the mask mandate for people who are vaccinated and maintain some semblance of social distancing. It’s good to see people’s faces again, especially when they’re smiling. 🙂
We’re grateful for the guests who have joined our show the past four weeks! We’ve learned a ton from these conversations.
If you missed any of these shows, you can find them here:
- Episode 128 Special Guest – Roger Grimes (on 4/20)
- Episode 129 Special Guest – Ron Woerner (on 4/27)
- Episode 130 Special Guest – John Strand (on 5/4)
- Episode 131 Special Guest – Chris Roberts (on 5/11)
NOTE: We’re looking for people from other walks of life to share their perspectives too, especially men and women of color. Let us know at email@example.com if you have suggestions.
This week, we’re not planning to have a guest, so you’ll have to put up with Brad and me.
Next week (episode 133) we’re hoping to have Gabriel Friedlander from Wizer on the show!
Let’s get to the episode 132 show notes, shall we?
SHOW NOTES – Episode 132 – Tuesday May 18th, 2021
[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 132, and the date is May 18th, 2021. Joining me is my good friend, highly-skilled information security expert, and all around great guy, Brad Nigh.
Good morning Brad!
There are so many things happening in our world, it’s hard to keep track. One interesting event from the last week (other than the Colonial Pipeline attack) was the announcement of President Biden’s Executive Order (EO) 14028 titled “Improving the Nation’s Cybersecurity”. In today’s episode, Brad and I are going to break this down.
Improving the Nation’s Cybersecurity
- The EO was announced by the Administration on 5/12/21.
- There’s a lot of information to unpack here, including:
  - Section 1. Policy, containing:
    - Policy statement.
  - Section 2. Removing Barriers to Sharing Threat Information, containing:
    - Review existing reporting requirements and procedures.
    - Recommend updates to the Federal Acquisition Regulation (FAR).
    - Update the FAR.
    - Enforce IT/OT provider compliance.
    - Centralize reporting.
    - Provide budget for this section.
  - Section 3. Modernizing Federal Government Cybersecurity, containing:
    - Adopt security best practices.
    - Advance toward Zero Trust Architecture.
    - Accelerate movement to secure cloud services.
    - Adopt multi-factor authentication.
    - Encrypt data at rest and in transit.
    - Centralize and streamline access to cybersecurity data.
    - Invest in both technology and personnel to match the modernization goals.
  - Section 4. Enhancing Software Supply Chain Security, containing:
    - Develop standards, tools, and best practices for secure software development.
    - Enforce secure software development practices.
    - Define and enforce a “Software Bill of Materials (SBOM)”.
    - Define “critical software” and its protection requirements.
    - Consumer labeling programs for IoT and software.
  - Section 5. Establishing a Cyber Safety Review Board, containing:
    - Requirements for a new “Cyber Safety Review Board”.
    - All requirements are for the Secretary of Homeland Security and the (yet to be established) Cyber Safety Review Board (“board”).
  - Section 6. Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents; the playbook:
    - Will incorporate all appropriate NIST standards.
    - Will be used by all Federal Civilian Executive Branch (FCEB) Agencies.
    - Will articulate progress and completion through all phases of an incident response.
    - Will allow flexibility so it may be used in support of various response activities.
    - Establishes a requirement that the Director of CISA reviews and validates FCEB Agencies’ incident response and remediation results upon an agency’s completion of its incident response.
    - Defines key terms and uses such terms consistently with any statutory definitions.
  - Section 7. Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks, containing:
    - The adoption of a Federal Government-wide Endpoint Detection and Response (EDR) initiative.
    - CISA threat hunting on FCEB networks and systems without agency authorization.
    - Information sharing between the Department of Defense and the Department of Homeland Security.
  - Section 8. Improving the Federal Government’s Investigative and Remediation Capabilities, containing:
    - Types of logs to be maintained.
    - Time periods to retain the logs and other relevant data.
    - Time periods for agencies to enable recommended logging and security requirements.
    - How to protect logs (logs shall be protected by cryptographic methods to ensure integrity once collected, and periodically verified against the hashes throughout their retention).
    - Data shall be retained in a manner consistent with all applicable privacy laws and regulations.
    - Ensure that, upon request, agencies provide logs to the Secretary of Homeland Security through the Director of CISA and to the FBI, consistent with applicable law.
    - Permit agencies to share log information, as needed and appropriate, with other Federal agencies for cyber risks or incidents.
  - Section 9. National Security Systems
  - Section 10. Definitions
  - Section 11. General Provisions
This will be a great conversation as Brad and I share our summary, thoughts and opinions on all this!
Just time for one news story this week. This one is from Brian Krebs, “Try This One Weird Trick Russian Hackers Hate”.
Wrapping Up – Shout Outs
Who’s getting shout outs this week?
Thank you to all our listeners! Thank you Brad for a great conversation! If you have something you’d like to tell us, feel free to email the show at firstname.lastname@example.org. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh.
That’s it. Talk to you all again next week!
…and we’re done.