BayPay Forum

Simple Security: How Organizations Fumble the Basics

Category: Security News
31 December 1969

Penetration testing expert Ilia Kolochenko warns that many organizations are failing to help themselves when it comes to practicing smart web security.

Kolochenko, who's CEO of High-Tech Bridge, says his research team has been charting everything from web application exploits and HTTPS traffic encryption choices to the pervasiveness of such vulnerabilities as POODLE and Heartbleed.

"One of the biggest problems that we are facing today is that companies tend to underestimate the scope of their digital assets," he says. "This means that quite often they tend to forget about systems, about servers, about different devices they need to secure."

Indeed, based on data gathered by the company's SSL/TLS security, web server security and domain security tools, researchers noticed that many organizations are failing to avail themselves of the latest security tools and protocols. For example, 23 percent of all websites still use SSL version 3, a protocol that has been deprecated because SSLv3 fallbacks were to blame for attacks such as POODLE and BEAST. Meanwhile, 80 percent of all web servers have "incorrect, missing or insecure HTTP headers," Kolochenko says, which leaves web application users at risk of being exploited.

In this interview with Information Security Media Group, conducted at the InfoSecurity Europe Conference in London, Kolochenko also details:

  • Why small- and medium-size enterprises are an increasing target for hackers;
  • The challenge posed by APIs, and why they tend to be overlooked as a security risk;
  • The risks facing organizations that fail to address common security problems, such as using outdated versions of the SSL protocol.

Kolochenko is CEO of Geneva-based High-Tech Bridge, which provides vendor-independent cybersecurity consulting and penetration testing. He got his start in the information security field as an "ethical hacker" - work now better known as penetration testing - and is a frequent commentator on web security, risk management and cybercrime trends for multiple news outlets.


NIST Plans Cybersecurity Framework Update

Category: Security News
31 December 1969

The National Institute of Standards and Technology plans to update its 2-year-old cybersecurity framework late next year, says Matt Barrett, program manager.

In part one of a two-part interview with Information Security Media Group, Barrett characterizes the revision as a minor update, not a major overhaul, but one that refines and clarifies provisions in the existing framework. "Just to be clear, we're not headed toward a version 2.0 right now; we're definitely not," Barrett says. "We're headed to something that's more like a 1.1."

In the interview, Barrett also:

  • Describes the type of revisions that might be incorporated in the updated framework;
  • Addresses criticisms that NIST hasn't tested the framework to determine its value to organizations, especially small businesses; and
  • Explains why NIST may continue to oversee the cybersecurity framework despite an initial plan that a private-sector-controlled organization take over governance.

In part two of this interview, which will be available soon, Barrett discusses how the cybersecurity framework helps facilitate communication among technical and nontechnical managers and executives who must collaborate to keep their enterprises' information systems secure.

Responding to an executive order, issued by President Obama in February 2013, NIST a year later published the cybersecurity framework, based on existing standards, guidelines and practices. The tool, use of which is voluntary, is designed to help reduce cyber risks to the information systems of critical infrastructure providers.

Before returning to NIST in October 2014 as the framework's program manager, Barrett served as president of G2 Inc., a cyber and intelligence solutions firm. From January 2007 to July 2009, Barrett was NIST program manager for the security content automation protocol, commonly known as SCAP.


University of Calgary Pays Ransom

Category: Security News
31 December 1969

Canadian School Shells Out $15,700 to Ransomware Attackers

Jeremy Kirk (jeremy_kirk) • June 10, 2016

Yet another organization has acknowledged it opted to pay cyberattackers after its systems were infected with ransomware, the file-encrypting malware that has become one of the most dreaded menaces across the internet.


The University of Calgary paid CA$20,000 (US$15,700) and "is now in the process of assessing and evaluating the decryption keys," according to a statement from Linda Dalgetty, vice president for finance and services.

"The actual process of decryption is time-consuming and must be performed with care," Dalgetty writes. "A great deal of work is still required by IT to ensure all affected systems are operational again, and this process will take time."

Ransomware Explosion

Ransomware has been around for more than a decade, but attacks have exploded in the past couple of years. Consumers appeared to be more affected at first, with ransoms in the range of a few hundred dollars, usually payable in bitcoin. But attackers are diversifying their targets and demanding more expensive ransoms from large companies and organizations.

In late April, the FBI warned of potentially "catastrophic" impacts to organizations such as schools and hospitals if a ransomware infection occurred. It advised educating users about ransomware, using security software, implementing robust access controls, patching applications and ensuring data is backed up.

But it's clear that many are still being caught off guard, stuck in the unenviable position of either taking a loss of data on the chin or the ethically ambiguous path of paying attackers to obtain the decryption keys.

In February, Hollywood Presbyterian Medical Center in Los Angeles said it paid $17,000 after determining that paying the ransom was "the quickest and most efficient way to restore our systems and administrative functions." (See: Ransomware: Healthcare Fights Back.)

After confusion over reported comments by an FBI official last year, the agency firmly says that ransoms should not be paid. Such payment "emboldens the adversary to target other organizations for profit, and provides for a lucrative environment for other criminals to become involved," according to an FBI guide on ransomware.

Active Investigation

In Calgary, the university says it started communicating about its cyberattack in late May. It restored email for faculty and staff on June 6. But it warned that obtaining the decryption keys did not mean that all systems could be restored and data recovered.

The Calgary Police Service is working with the university. "As this is an active investigation, we are not able to provide further details on the nature of the attack, specific actions taken to address it, or how or if decryption keys will be used," Dalgetty writes.


CASBs and the Treacherous 12 Top Cloud Threats

Category: Security News
31 December 1969

Presented by Palerra. 60 minutes.

The Cloud Security Alliance (CSA) Top Threats Working Group released a report titled "The Treacherous 12: Cloud Computing Top Threats in 2016." In this report, the CSA concludes that although cloud services deliver business-supporting technology more efficiently than ever before, they also bring significant risk. Regardless of whether the IT department sanctions new cloud services or not, the door is wide open for the Treacherous 12. The CSA report points out that businesses need to take security policies, processes, and best practices into account.

At the same time, Gartner predicts that through 2020, 95 percent of cloud security failures will be the customer's fault. This does not mean that customers lack security expertise. It does mean, however, that it is no longer sufficient to know how to make decisions about risk mitigation in the cloud. Automation is the key.

Cloud security automation is where Cloud Access Security Brokers (CASBs) come into play. A CASB helps automate visibility, compliance, data security, and threat protection for cloud services.

In this webinar you will learn about:

  • The CSA Working Group's definition of the top cloud computing threats in 2016;
  • The role of CASBs in protecting you from the Treacherous 12.

Audio Report: Updates on InfoSec Europe, NIST Framework

Category: Security News
31 December 1969

In this edition of the ISMG Security Report, DataBreachToday Executive Editor Mathew Schwartz reports from the floor of the Infosecurity Europe conference in London on the top concerns of security practitioners, including ransomware.

You'll also hear in this report:

  • National Institute of Standards and Technology Program Manager Matt Barrett explain how NIST intends to update the cybersecurity framework next year;
  • HealthcareInfoSecurity Executive Editor Marianne Kolbasuk McGee address the U.S. government's efforts to help ensure that patients can securely access their electronic health records; and
  • How Belgium came out on top of the list of 50 nations with the most servers with open doors.

The ISMG Security Report appears on this and other ISMG websites on Tuesdays and Fridays. Please check out our June 3 and June 7 reports, which respectively examine President Obama's cybersecurity legacy and the backstory behind SWIFT-related thefts. The next ISMG Security Report will be posted Tuesday, June 14.

Theme music for the ISMG Security Report is by Ithaca Audio under a Creative Commons license.


More Articles …

  1. Morgan Stanley's SEC Penalty Called Inadequate
  2. Symantec to Buy Blue Coat for $4.65 Billion
  3. Retailers: Don't Require Us to Meet Bank Security Standards
  4. After Russia Hacks DNC: Surprising Candor