Center for Internet Security
The Center for Internet Security (CIS), a non-profit that defines itself as the go-to resource for cyber threat prevention, protection, response, and recovery for U.S. governmental entities, this year found itself in the middle of deciding if the American voting infrastructure is safe from being hacked.
The answer was a decided no.
The CIS was among several organizations, including DEFCON, the National Governors Association, the Atlantic Council and numerous universities, that helped construct and issue a damning report in September based on the results of the DEFCON Hacking Village, where cyber professionals easily hacked into numerous voting machines.
“This report makes one key point: our voting systems are not secure. Why is this so serious? Why must we act now? Why is this a national security issue? First, Russia has demonstrated successfully that they can use cyber tools against the US election process. This is not an academic theory; it is not hypothetical; it is real. This is a proven, credible threat. Russia is not going away,” said Douglas E. Lute, former U.S. ambassador to NATO, retired U.S. Army Lieutenant General and cybersecurity expert, in the report's foreword.
Another spin-off project has the CIS developing a handbook containing best practices for setting up an election infrastructure.
“There's an urgent need and opportunity to bring together interested groups to collaborate in identifying best practices for election infrastructure, specifically to complement the EAC Voluntary Voting System Guidelines by addressing security best practices for systems that perform voter registration,” said John Gilligan, CIS chairman and interim CEO.
The CIS officially named Gilligan CEO in November. Previously, he served as interim CEO and chairman from March 2016.
The group also has a rigorous schedule participating in a long slate of cybersecurity events, including BlackHat, DEFCON, Business Email Compromise (BEC) Roadshow – Boston and Security of Things World USA.
Cloud Security Alliance
With more and more organizations and consumers moving their data to the cloud, sometimes with disastrous results, as the spate of breaches related to misconfigured Amazon S3 buckets has shown, it is no wonder that non-profit groups like the Cloud Security Alliance (CSA) are gaining prominence.
To help keep this data safe, the CSA is dedicated to defining and teaching best practices to help keep the cloud computing environment secure. This is accomplished by bringing together industry, associations, governments, and its corporate and individual members, who then help deliver cloud security-specific research, education, certification, events and products.
The CSA educational efforts start with its certification programs: CSA Security, Trust & Assurance Registry (STAR), Certificate of Cloud Security Knowledge, Certified Cloud Security Professional and the CSA Global Consultancy Program.
“CSA launched the industry's first cloud security user certification in 2010, the Certificate of Cloud Security Knowledge (CCSK), the benchmark for professional competency in cloud computing security,” the CSA said.
Other educational offerings include training for individuals prior to being certified and its CloudBytes webinar series, covering topics like Cloud Security for Startups - From A to E(xit), presented by Outbrain, and 5 Steps to Prevent AWS Data Exposures, by Skyhigh.
The CSA's educational efforts are not limited to the classroom. The group issues a steady stream of tips, best practices and news through its blog and lists like The Treacherous 12: Cloud Computing Top Threats.
2017 also saw the CSA add to its event schedule, hosting the inaugural Cloud Security Alliance Philippines Summit in July, which saw 27 leading IT companies and start-ups gather, as well as one founded by CSA Boston focusing on cloud revolution and accelerating business.
FASTR
Future of Automotive Security Technology Research officially came into being in February of 2017 after having formerly been known as the Automotive Security Review Board.
The group is a neutral, inclusive nonprofit consortium that in its first public statement, or manifesto, said it seeks to enable innovation in automotive security with a vision of self-healing vehicles and to drive systematic coordination of cybersecurity across the entire supply chain and ensure trust in the connected and autonomous vehicle of the future.
“We created the manifesto to put a stake in the ground and a call to action,” said Steve Grobman, FASTR board president and Intel Security Group chief technology officer. “The connected and autonomous car of the future offers revolutionary benefits: dramatic reduction in accidents, alleviation of city congestion and mobility for all and more.”
The organization hit the ground running, heading right to RSA, then in June attending the Autonomous Vehicle Software Symposium, Connected Cars & Autonomous Vehicles @TechXLR8 and TU-Automotive Detroit. In October, FASTR members spoke at the 6th Annual Automotive Cybersecurity Summit.
The group has already issued a series of reports, including Automotive Industry Guidelines for Secure Over-the-Air Updates, which assists car makers in evaluating platforms for secure updates by describing the threat models, providing recommended cryptographic algorithms and detailing a step-by-step checklist for evaluating SOTA systems. Also put out this year was the Automotive Cybersecurity Literature Review, to help illuminate the valuable research that has already been undertaken and where crucial gaps remain.
All of this is being done to help FASTR and its members better understand and deal with automotive cybersecurity threats.
“Tomorrow's car-security ecosystem is being engineered to be systematically more able to deal with those threats in a safe and predictable manner and, ultimately, to self-heal. FASTR is marshaling collaboration among the vanguard of the world's leading R&D organizations for security of self-driving vehicles working to reduce attack surfaces and harden cybersecurity capabilities,” the group said.
Global Internet Forum to Counter Terrorism
Terrorists may use simple weapons such as trucks, rifles and knives to conduct their attacks, but when it comes to spreading their methods and ideology they go high tech. To combat them in cyberspace, Facebook, Microsoft, Twitter and YouTube announced in June the formation of the Global Internet Forum to Counter Terrorism.
“We take these issues very seriously, and each of our companies have developed policies and removal practices that enable us to take a hard line against terrorist or violent extremist content on our hosted consumer services. We believe that by working together, sharing the best technological and operational elements of our individual efforts, we can have a greater impact on the threat of terrorist content online,” the group said in its formal announcement.
The Forum held its first meeting on August 1 in San Francisco, where it gathered representatives from the private sector. In addition to the founding members, more than two dozen other technology companies and NGOs were on hand, along with the United Kingdom's Home Secretary Amber Rudd MP, the United States' Acting Deputy Secretary of Homeland Security Elaine Duke, and representatives from the Canadian government, the Australian government, the United Nations, and the European Union.
At the meeting the Forum's formal goals were established:
• Employing and leveraging technology
• Sharing knowledge, information and best practices, and
• Conducting and funding research.
In addition, the attendees set the agenda for what the Forum hopes to accomplish before the end of the year. This included bringing in more companies to participate in the industry hash-sharing database for violent terrorist imagery; reaching 50 companies to share best practices on how to counter terrorism online through the Tech Against Terrorism project, in partnership with ICT4Peace and the UN Counter Terrorism Executive Directorate; and conducting four knowledge-sharing workshops.
The National Cybersecurity Student Association
The National Cybersecurity Student Association is just about to put its second full year of operation under its belt.
The organization strives to cultivate a national community that supports students in their cybersecurity endeavors through extracurricular activities, career opportunities, mentoring, and keeping these students at the forefront of cybersecurity trends both during and after they obtain their degrees.
The association was founded in 2016 to offer students a single place where they can enhance their educational and professional development through networking and collaboration, with the goal of increasing the number of graduates in the field. It is a worthy endeavor considering the massive shortfall in trained cybersecurity workers entering the profession.
“Strengthening the nation's future cybersecurity workforce and environment is a key component in addressing former President Barack Obama's Cybersecurity National Action Plan (CNAP). According to the Center for Cyber Safety and Education (ISC)², there will be an estimated workforce shortage of 1.8 million in information security by 2022. Developing and creating a pipeline of cybersecurity professionals, along with a cyber workforce strategy, is a shared responsibility,” said Gustavo Hinojosa, the National Cybersecurity Student Association's executive director, in the group's annual report.
Currently, the organization has chapters in 40 states. The chapters form the anchor for a variety of local endeavors designed to help not only students, but also the area in which they are located. Student chapters provide support within the student community, seek to cultivate local partnerships to enhance common sense cybersecurity practices for the general public, and nurture relationships with local cybersecurity professional chapters. Student chapters also provide an outlet to cultivate an ecosystem of cybersecurity professionals on a local level and in areas across the nation to expand and foster the culture.
The association also offers several events for its members to attend that address building their cybersecurity skills and helping them land a job. These range from participating in National Cyber League events, which provide an ongoing virtual training ground for collegiate students to develop, practice, and validate their cybersecurity skills, to webinars such as Resume Robots: How to get your resume past the system and into human hands.