INTERNATIONAL FOUNDATION FOR
CULTURAL PROPERTY PROTECTION


News


  • March 12, 2024 12:13 PM | Anonymous

    Reposted from CISA

    The Cybersecurity and Infrastructure Security Agency (CISA) joins the National Security Agency (NSA) as a partner in five cloud security Cybersecurity Information Sheets (CSIs) that provide recommended best practices and mitigation strategies for organizations transitioning their information technology resources to cloud environments. NSA released “Top Ten Cloud Mitigation Strategies”, a compilation of CSIs each on a different strategy to secure cloud environments and CISA co-sealed five of the ten. The CISA and NSA co-authored publications are:

    • Use Secure Cloud Identity and Access Management Practices 
    • Use Secure Cloud Key Management Practices 
    • Implement Network Segmentation and Encryption in Cloud Environments  
    • Secure Data in the Cloud
    • Mitigate Risks from Managed Service Providers in Cloud Environments 

    The CSI for each strategy includes an executive summary providing background information, details on threat models, best practices for strong cybersecurity and additional guidance to protect networks. All organizations need to understand that securing their information is a responsibility for both the cloud provider and user. All organizations using cloud environments are encouraged to review these strategies and assess how they can strengthen their security.

    See Original Post

  • March 12, 2024 11:53 AM | Anonymous

     Reposted from

    Yesterday, the Cybersecurity and Infrastructure Security Agency (CISA) concluded a two-day Open-Source Software (OSS) Security Summit convening OSS community leaders and announced key actions to help secure the open-source ecosystem. Recognizing that OSS underpins the essential services and functions of modern life, the Summit sought to catalyze progress in advancing security of this critical ecosystem. This urgency was underscored by security flaws such as the Log4Shell vulnerability in 2021.
    CISA Director Jen Easterly opened the summit with keynote remarks and was followed by a panel discussion with Office of National Cyber Director (ONCD) Assistant National Cyber Director for Technology Security Anjana Rajan, CISA Open-Source Security Section Chief Aeva Black, and CISA Senior Technical Advisor Jack Cable. The summit also featured a tabletop exercise on open-source vulnerability response and a roundtable discussion on package manager security with opening remarks by CISA Executive Assistant Director for Cybersecurity Eric Goldstein. During the summit, OSS community leaders, including open-source foundations, package repositories, civil society, industry and federal agencies explored approaches to help strengthen the security of the open-source infrastructure we all rely upon. As part of this collaborative effort, CISA announced several initial key actions that CISA will take to help secure the open-source ecosystem in partnership with the open-source community:

    • CISA, as detailed below, is working closely with package repositories to foster adoption of the Principles for Package Repository Security framework. Developed by CISA and the Open-Source Security Foundation’s (OpenSSF) Securing Software Repositories Working Group, this framework was published earlier this month and outlines voluntary security maturity levels for package repositories.
    • CISA has launched a new effort to enable voluntary collaboration and cyber defense information sharing with open source software infrastructure operators to better protect the open source software supply chain.
    • Materials from the summit’s tabletop exercise will be published by CISA so that the lessons learned can be used by any open-source community to improve their vulnerability and incident response capabilities.
    Additionally, five of the most widely used package repositories are taking steps in line with the Principles for Package Repository Security framework:
    • The Rust Foundation is working on implementing Public Key Infrastructure for the Crates.io package repository for mirroring and binary signing and plans to issue a Request for Comment. The Rust Foundation also published a detailed threat model for Crates.io and has created tooling to identify malicious activity. Further steps are highlighted in the Rust Foundation’s Security Initiative Report.
    • The Python Software Foundation is working to add additional providers to PyPI for credential-less publishing (“Trusted Publishing”), expanding support from GitHub to include GitLab, Google Cloud and ActiveState as well. Work is ongoing to provide an API and related tools for quickly reporting and mitigating malware, with the goal of increasing PyPI’s ability to respond to malware in a timely manner without consuming significant resources. Finally, the Python ecosystem is finalizing PEP 740 (“Index support for digital attestations”) to enable uploading and distributing digitally signed attestations and metadata used to verify these attestations on a Python package repository, like PyPI.
    • Packagist and Composer have recently introduced vulnerability database scanning and measures to prevent attackers from taking over packages without authorization. Further work to increase security in line with the Principles for Package Repository Security framework is in progress, and a thorough security audit of existing codebases will take place this year.
    • The package repository npm requires maintainers of high-impact projects to enroll in multifactor authentication. Additionally, npm has introduced tooling that allows maintainers to automatically generate package provenance and SBOMs, giving consumers of those open-source packages the ability to trace and verify the provenance of dependencies.
    • Maven Central (maintained by Sonatype) is the largest open-source repository for Java and JVM languages and enforces validation and metadata requirements with clear namespaces. Since 2021, all staged repositories have automatically been scanned for vulnerabilities when published, and developers receive a report with any security issues. In 2024, Maven Central is transitioning publishers to a new publishing portal that has enhanced repository security, including planned support for multifactor authentication. Upcoming key initiatives include Sigstore implementation, Trusted Publishing evaluation, and access control on namespaces. This includes Maven Central benchmarking the maturity of its security processes against best practices, which will also guide backlog prioritization.
    “Open-Source Software is foundational to the critical infrastructure Americans rely on every day,” said CISA Director Jen Easterly. “The federal government must integrate into open-source communities to help protect this essential public good – not the other way around. We’re proud to announce these efforts to help secure the open-source ecosystem in close partnership with the open-source community and are excited for the work to come.”
    “Open-source software is a mission-critical foundation of cyberspace that the U.S. Government must continue to defend,” says Anjana Rajan, Assistant National Cyber Director for Technology Security. “Ensuring that we have a secure and resilient open-source software ecosystem is a national security imperative, a technology innovation enabler, and an embodiment of our democratic values. As the chair of the Open-Source Software Security Initiative (OS3I), ONCD is committed to ensuring this remains a priority for the Biden-Harris Administration and commends CISA’s leadership in convening this important forum.”
    “OpenSSF’s mission is to improve the security of open-source software. Package repositories are critical infrastructure for the open-source community. We thank CISA for facilitating this Open-Source Software (OSS) Security Summit to help secure package repositories. Through continued cooperation in activities such as this summit and the Principles for Package Repository Security, we will improve the security of open-source package repositories for everyone,” Omkhar Arasaratnam, General Manager, OpenSSF.
    “Securing the open-source software supply chain is crucial for protecting global economic infrastructure,” said Mike Milinkovich, Executive Director of the Eclipse Foundation. “CISA is working to improve open-source security, focusing on both current issues and future application development. We’re proud to contribute to this vital work, helping CISA improve the global development ecosystem and supporting its vision for the future.”
    “OSI and the Open Policy Alliance commend CISA for engaging with the open-source software community and appreciate the opportunity to participate in this week’s Open-Source Security Summit.  Including less represented, small open-source non-profits into the discussion will facilitate workable, practical policies and practices, building upon the strength of the collaborative model of Open Source,” said Deb Bryant, US Policy Director, Open-Source Initiative.
    The federal government has coordinated its efforts around open-source software security through the ONCD Open-Source Software Security Initiative. Last year, ONCD, CISA, the National Science Foundation, the Defense Advanced Research Projects Agency, and the Office of Management and Budget published a Request for Information (RFI) on open-source software security and memory safe languages, which received more than 100 substantive responses. The issuing agencies are currently reviewing responses and will publish a summary of the RFI submissions. In 2023, CISA released its Open-Source Software Security Roadmap which lays out four key goals to help secure the federal government’s use of open-source software and support the global open-source ecosystem: establishing CISA’s role in supporting the security of open-source software, driving visibility into open-source software usage and risks, reducing risks to the federal government, and hardening the open-source software ecosystem. The actions announced today from the summit represent key steps in fulfillment of the roadmap’s goals, including Objective 1.1. Partner With OSS Communities and Objective 1.2. Encourage Collective Action from Centralized OSS Entities.

    See Original Post

  • March 12, 2024 11:37 AM | Anonymous


    We are excited to extend an invitation to you for an insightful webinar series focused on Small and Medium Businesses (SMBs) organized by the Cybersecurity and Infrastructure Security Agency (CISA) in collaboration with the Information Technology Sector Coordinating Council (IT SCC).

    In today's rapidly evolving digital landscape, SMBs face unique challenges and threats. This webinar series aims to equip participants with essential knowledge to navigate these challenges effectively. Our upcoming session will delve into the critical topic of Ransomware, shedding light on the prevailing threats, strategies for understanding Ransomware, and proactive measures for prevention.

    Here are the key details:

    Webinar Topic: Ransomware: Threats, Understanding, and Prevention
    Date: March 25, 2024
    Time: 1:30 p.m. – 2:30 p.m. EST

    This session will feature insights from experts at CISA alongside industry leaders, offering invaluable perspectives and practical advice. Moreover, we encourage active participation by providing dedicated time for questions and answers, ensuring that attendees can engage directly with the presenters.

    Who should attend? This webinar is tailored for federal, state, local, and private sector stakeholders interested in gaining a deeper understanding of the risks associated with critical infrastructure systems and their interdependencies.

    Don't miss out on this opportunity to enhance your cybersecurity posture and safeguard your organization against evolving threats.



  • March 12, 2024 11:28 AM | Anonymous

    Reposted from EMR-ISAC

    Cybersecurity professionals can expect fresh reading materials in the coming months from the Office of the National Cyber Director, which aims to issue an update to the National Cybersecurity Strategy Implementation Plan before the summer is over, a White House cyber official said Tuesday. The implementation plan outlines how the White House will accomplish the goals outlined in the national cybersecurity plan and is supposed to be a “living document” that is updated as initiatives are complete or new initiatives are added. The implementation plan 2.0 is expected “late spring, early summer,” said Brian Scott, deputy assistant national cyber director for cyber policy and programs.

    Cybersecurity pros can also expect an update on software liability reform in the next implementation plan release. In its recently released National Cybersecurity Strategy, the Biden administration called on Congress to develop legislation establishing a software liability regime, one that would allow consumers and businesses to sue software makers that fail to take proper care in designing the security of their tools. Software companies, if the White House has its way, will no longer be able to disclaim liability for the products they produce.

    The Biden administration is currently looking at developing a framework around software liability. One aspect of the framework will be exploring how best to implement safe harbor incentives for companies that are developing code using secure methods. Companies that align with those best practices — which are still being explored — are less likely to face legal issues down the road.

    See Original Post


  • March 12, 2024 11:21 AM | Anonymous

    Reposted from EMR-ISAC

    The Cybersecurity and Infrastructure Security Agency’s (CISA’s) Emergency Services Sector (ESS) Management Team has partnered with the Department of Homeland Security (DHS), Center for Prevention Programs and Partnerships (CP3) to educate first responders on the Targeted Violence and Terrorism Prevention (TVTP) Grant Program.

    CISA and CP3 will host a webinar on Tuesday, March 19, 2024, at 1 p.m. EDT, Targeted Violence and Terrorism Prevention Grant Program. This webinar will discuss how homeland security, public safety, emergency management and emergency response personnel can apply to the TVTP program and how TVTP funds can be used to develop prevention capabilities in their community. This webinar is part of CISA’s quarterly Emergency Services Sector Resilience Development series. The series is facilitated by CISA’s ESS Management Team and focuses on topics of interest to ESS stakeholders.

    No advance registration is required to join this webinar. To participate, mark your calendar for March 19, 2024, at 1 p.m. EDT and go to CISA’s Homeland Security Information Network (HSIN) Connect Room at the scheduled time to join: https://share.dhs.gov/cisatargetedviolentprogram/. An HSIN account is not required to join; participants may enter the room as a guest.

    See Original Post


  • March 12, 2024 11:15 AM | Anonymous

    Reposted from EMR-ISAC

    Jurisdictions establish Emergency Operations Centers (EOC) to meet their unique requirements and needs, so no two EOCs are designed the same way. The Federal Emergency Management Agency (FEMA) provides tools and resources for building or maintaining EOCs, in accordance with the National Incident Management System (NIMS).

    EOC Skillsets serve as a flexible framework for building the capabilities and qualifications of EOC personnel, allowing EOC leaders to build position qualifications according to their organization’s needs and resources.

    FEMA’s National Integration Center (NIC) has just released updated EOC Skillsets for each function and level of responsibility of EOC personnel. Once finalized, this version of the EOC Skillsets will supersede the 2018 version. The NIC is seeking input on the updated EOC Skillsets during a national engagement period that concludes on Thursday, March 28, 2024.

    This update is based on best practices related to operations; assessing processes and transitioning; capabilities; infrastructure (technology); personnel; and comprehensive training. The updates incorporate lessons learned related to supporting temporary or extended virtual EOC operations or replacing the typical EOC model with a hybrid/virtual option.

    See Original Post


  • March 12, 2024 11:07 AM | Anonymous

    Reposted from EMR-ISAC

    The National Institute of Standards and Technology (NIST) has updated the widely used Cybersecurity Framework (CSF), its landmark guidance document for reducing cybersecurity risk. The new 2.0 edition is designed for all audiences, industry sectors and organization types, from the smallest schools and nonprofits to the largest agencies and corporations — regardless of their degree of cybersecurity sophistication.

    The CSF 2.0, which supports implementation of the National Cybersecurity Strategy, has an expanded scope that goes beyond protecting critical infrastructure, such as hospitals and power plants, to all organizations in any sector. It also has a new focus on governance, which encompasses how organizations make and carry out informed decisions on cybersecurity strategy. The CSF’s governance component emphasizes that cybersecurity is a major source of enterprise risk that senior leaders should consider alongside others such as finance and reputation.

    See Original Post


  • March 12, 2024 10:52 AM | Anonymous

    Reposted from Walden Security

    You can’t train your team during an emergency. Proactively train employees on your emergency action plan so they respond appropriately when every second is crucial.

    EMERGENCY ACTION PLAN

    The first step in maintaining workplace safety is an emergency action plan, which gives employees a step-by-step guide when facing a crisis. This master plan should be easily accessible to all employees and must be read during onboarding. An emergency action plan should be comprehensive and easy to understand. Your company should also conduct ongoing training to ensure all employees are up-to-date on proper safety protocols. Each emergency action plan will look different depending on what industry you are part of. However, there are a few situations for which every business should provide resources and training.

    ACTIVE SHOOTER

    The importance of active shooter training cannot be overstated. Over-communicate your company’s active shooter plan, so everyone knows how to handle this stressful situation. The Run, Hide, Fight method is the most effective active shooter response.

    • Run: The safest thing you can do is flee the scene. If able, leave behind personal belongings and follow your company’s evacuation route. Create as much room between you and the shooter as possible.
    • Hide: If you can’t evacuate, find a safe hiding place. Close doors, turn off lights, silence your phone and be quiet until you are certain the threat is over.
    • Fight: If you have no other option, confront the shooter. Throw objects, use improvised weapons, be aggressive, and do whatever you must to survive.

    NATURAL DISASTERS

    Natural disasters come in many forms, such as tornadoes, fires, floods, and hurricanes. Even though they all require a unique response, you can take a few practical steps to prepare for these events.

    • Disaster Training: Your employees need to know how to handle each type of natural disaster before it occurs. For example, employees should know where exit points are, where to go during a flood, where tornado shelters are, locations of fire extinguishers, etc. Include proper responses to emergencies specific to your location.
    • Communication Plan: Have multiple channels available to communicate with employees. Text messaging, email and social media are good places to start. It’s wise to have one person in charge of sending updates so the latest information stays consistent.
    • Evacuation: Ensure evacuation routes are clearly marked. Designate an area to assemble. Appoint one person, such as a manager or director, in each department to begin a head count. Identify names and last known locations of anyone missing.

    HAZARDOUS MATERIAL

    Any business can come into contact with hazardous materials. Therefore, it is important to include how to respond to a hazardous material spill in an emergency action plan. These are the recommended steps if you encounter a hazardous material spill:

    • Contact emergency services.
    • Flush any skin that came into contact with the dangerous material.
    • Stop the source of the hazardous material if possible.
    • Evacuate the area.
    • Aid emergency personnel by giving crucial information to help with clean-up.

    Safety is a top priority for any business. Creating an emergency action plan, communicating safety protocols and enforcing regular employee safety training is crucial for all businesses to stay ahead of an emergency.

    See Original Post



  • March 12, 2024 9:45 AM | Anonymous

    Reposted from The Soufan Center

    On May 27, 1993, a car bomb blasted through the side of the Uffizi Gallery in Florence, Italy, killing five and wounding around thirty others, and destroying hundreds of priceless pieces of art in the gallery’s collection. Many contend that the gallery was targeted by the Cosa Nostra, or the Sicilian Mafia, not just in retaliation for crackdowns on the organization, but also due to the gallery’s embodiment of Italian culture and its symbolism of the Italian nation. As an open-access museum and a protected UN Educational, Scientific and Cultural Organization (UNESCO) World Heritage site, the city of Florence presents unique challenges to both safeguarding its cultural heritage from risks but also, most critically, remaining open and accessible to the public. Not limited to the Florentine example, this challenge is ubiquitous in the protection of cultural heritage throughout the world. Its symbolic importance, as well as the fact that it attracts large crowds of civilians and may not always be adequately protected, means that cultural heritage – which is often also considered a so-called “soft target” – can be a prime target for violence and an objective for illicit actors, including criminals and terrorists.

    See Original Post

  • March 12, 2024 8:57 AM | Anonymous

    Reposted from Boston Globe

    Richard “Rick” Abath, the guard who opened the door to two thieves who robbed Boston’s Isabella Stewart Gardner Museum of masterpieces worth more than $500 million in 1990, died Friday at his Vermont home, according to his attorney. “He died peacefully at home after a long illness,” Abath’s attorney, George Gormley, said during a telephone interview Tuesday. “Sadly, it’s the death of a good person who demonstrated that by living a good life that belied all of the suspicions about what his involvement was in this incident 34 years ago.” Abath, 57, steadfastly maintained that he played no role in what remains the largest art heist in history and one of Boston’s most notorious unsolved mysteries. Yet, he remained under intense scrutiny over the decades by federal investigators who never ruled out the possibility that the thieves had help from someone with inside knowledge about security at the museum. Abath was a 23-year-old musician working as a night watchman at the Gardner Museum at 1:24 a.m. on March 18, 1990, when he buzzed the door to let the thieves inside after they claimed they were police officers, investigating a disturbance.

    The thieves handcuffed and duct taped Abath and the other guard on duty and left them in the basement while they spent 81 minutes pulling and slashing treasured works from their frames. They stole 13 pieces, including three Rembrandts, among them his only seascape, “The Storm on the Sea of Galilee;” Vermeer’s “The Concert;” works by Manet, Flinck and Degas; an ancient Chinese vase; and a bronze eagle finial atop a Napoleonic flag. Nobody has ever been charged with the crime and none of the works have been recovered, despite a $10 million reward for information leading to their safe return and promises of immunity.

    “For him it was just being in the wrong place at the wrong time,” said Gormley, adding that Abath believed he had to open the door to the pair claiming to be police officers. “His actions were completely appropriate, and this became a curse that he was forced to live with.”

    On Tuesday, Donna Hardwick, a spokesperson for the museum, released a statement saying, “We are very sorry to learn of Richard Abath’s passing. The Isabella Stewart Gardner Museum would like to extend our condolences to all his family and friends. Out of respect for his family we have no further comment at this time.” She said the investigation aimed at recovering the stolen artwork remains active and ongoing.

    Kristen Setera, a spokesperson for the FBI, declined to comment on Abath’s death, but said in a statement, “As far as our efforts to locate the stolen artwork, it’s a very active investigation and our focus is on recovering the art and returning it to its rightful place” at the museum.

    Abath told the Globe in 2013 that he had been told directly by a federal investigator several years before, “You know, we’ve never been able to eliminate you as a suspect.” Authorities have said the museum’s security protocol prohibited entry of unauthorized personnel, including police, but Abath said he was unaware of that.

    When the two men wearing police uniforms ordered Abath to step away from the back of the security desk, he complied — removing himself from the museum’s only emergency alarm that could have alerted police to the robbery. Abath said he followed orders to avoid being arrested, because he had tickets to attend a Grateful Dead concert later that day in Hartford.

    Motion sensors that recorded the thieves’ steps as they moved through the museum indicated they never entered the first-floor gallery where Manet’s Chez Tortoni was stolen, according to the FBI and the museum’s security director, Anthony Amore. Only Abath’s steps, as he made his rounds before the thieves arrived, were picked up there, they said. The sensors also revealed that Abath briefly opened the side door to the museum on Palace Road shortly before he buzzed the thieves in at the same entrance.

    “They wanted to know if I had taken the painting and stashed it somewhere,” Abath told Globe correspondent and author Stephen Kurkjian in 2013. “I told them, as I’ve said a hundred times before and since, I had absolutely nothing to do with the robbers or the robbery.” Abath moved to Vermont in 1999.

    He graduated from college in 2010, according to previous reports in the Brattleboro Reformer. Abath, who worked as a teacher, and his wife, Diana, lived quietly in Brattleboro, but were frequently approached by investigators and members of the media seeking interviews about the Gardner heist, according to Gormley. He had been subpoenaed to testify before a federal grand jury in Boston several times, Gormley said.

    “It was just an irritation that you couldn’t escape,” said Gormley, adding that Abath and his wife were very protective of their privacy and shunned most interviews. “I think he rose above all of this and tried, and I think successfully to live a good and honorable life and did so in a community that accepted him for who he was and what he was formerly dragged into.”

    Robert Fisher, a former assistant US attorney who oversaw the Gardner investigation from 2010 to 2016, said the heist “definitely had an impact” on Abath’s life and “brought him into the orbit of the FBI and an investigation that lasted for decades and is still ongoing.” As one of only two eyewitnesses inside the Gardner museum at the time of the robbery, Abath was “a valuable resource” for investigators who frequently reached out to him with questions while reviewing the case, Fisher said. He described Abath as “a cooperative guy.” “As you learn new things in any investigation, it’s helpful to reach out to people who were there,” Fisher said. “He was a piece of the puzzle.”

    See Original Post


1305 Krameria, Unit H-129, Denver, CO  80220  Local: 303.322.9667
Copyright © 1999 International Foundation for Cultural Property Protection.  All Rights Reserved