NIST CSF 2.0 || LockBit is back?
CyberInsights #131 - The newer and crisper version of the older version || LockBit appears to be back and making smart comments at the FBI
New and Improved version of the NIST CSF
It’s more than just adding ‘Govern’ to the now famous ‘Identify-Protect-Detect-Respond-Recover’
I was quite excited when the 2.0 draft was released. I wrote about it here: [LINK]
With the release of the final standard, some of the changes are quite evident. For example, the new Govern function had 4 areas in the draft; in the release there are 6. “Oversight” and “Cybersecurity Supply Chain Risk Management” have been added.
What I like about this version is the succinctness of the document. Clear, concise and leaves the details and examples to other resources, which are plentiful.
Another key area is “Organisational Profiles”. Profiles were explored earlier in version 1.1, but there is now more clarity on how to use them. I can visualise our consulting team creating an organisational profile for, say, Internet Banking or for HIPAA compliance. I am not sure whether it will be successful, but it is worth an attempt.
Take Action:
Cybersecurity Professional: Evaluate whether this framework can become your base - meaning that all your other compliance requirements (ISO 27001, PCI-DSS, etc.) plug into it. Prima facie this seems doable, and it will add value if you can achieve it.
Cyber Insurers: Consider if you want to evaluate risks based on this framework instead of the generic “IT General Controls (ITGC)”. It might be useful if your current evaluation techniques are ad-hoc or driven by a generic proposal form.
And we have LockBit back again?
The ransomware organisation taunts the FBI and threatens to release confidential documents
It seemed just last time that I was writing a celebratory post about LockBit being no longer in existence and using this nice little image of the Jolly Roger on a computer.
Wait, it was last time!!
LockBit seems to have resurfaced and is taunting the FBI. [LINK]
Take Action:
It just seemed apt to write about it. Nothing changes from last week, save acknowledging the fact that ransomware groups are hard to kill.
I don't know if this is just a comment or a sad confession, but I was genuinely excited to see the release of the CSF 2.0. I've been following its progress through the draft-and-comments process, and I'm happy to see the new Govern function area and more attention to supply chain security.