Menu
Log in


INTERNATIONAL FOUNDATION FOR
CULTURAL PROPERTY PROTECTION

Log in

News


  • March 12, 2024 12:31 PM | Anonymous

    Reposted from Tim Richardson

    Last week I talked about how high performers should take regular breaks away from work to bring their best into their work. This week we will consider the advantages of workflow pauses for high performers.

    Over the last few weeks, I have had several speaking engagements that were within driving distance. To help make them as stress free as possible, I made sure that my luggage was packed 48 hours before traveling. Over the years, I have forgotten many travel necessities by hurriedly packing too close to my departure. Packing earlier, and using a checklist, has all but eliminated this problem. I’ve also tried to give myself extra travel time to account for anything unexpected. When I am at the event venue, I have been early for my appointed meeting times with my client. I double check hotel reservations and communicate with the team setting up the meeting room the day before. Anything that I can do the night before my speech is taken care of to reduce the last-minute stress of trying to get everything done. This includes laying out my clothes and presentation materials.

    Since I have traveled a lot by car recently, I have been more aware of signs to encourage me to slow down. A rest area sign, that I would have driven by in the past, was a reminder to stop even for a few minutes to break up the monotony of the highway. I have had a lot quieter time in my car instead of always filling it with music or a podcast or audio book. To have more thinking time, I haven’t turned on a TV in my hotel room and I request restaurant seating that is out of view of a television screen. Finally, I changed the screen color on my iPhone to gray to remind me that life is much more colorful and interesting in the real world. Less time staring at a screen is helpful in focusing on things that really matter. Other content ideas for how to slow down at work include: Slowing down to prepare for an important phone call. Take some time to prep for a call just as you would for an important in-person meeting. Write down objectives of the call and anticipate questions you might be asked as well as any objections that may be expressed.

    Reread your emails before you send them. Check for understanding and clarity in what you write. Make them as brief as possible and limit the number of people who are copied on your emails. Advise the reader if you need additional information with a reasonable time frame for them to respond. Really think before you speak. Be as brief as possible when you do and include questions to others and repeating their key points to check for understanding.

    See Original Post


  • March 12, 2024 12:13 PM | Anonymous

    Reposted from CISA

    The Cybersecurity and Infrastructure Security Agency (CISA) joins the National Security Agency (NSA) as a partner in five cloud security Cybersecurity Information Sheets (CSIs) that provide recommended best practices and mitigation strategies for organizations transitioning their information technology resources to cloud environments. NSA released “Top Ten Cloud Mitigation Strategies”, a compilation of CSIs each on a different strategy to secure cloud environments and CISA co-sealed five of the ten. The CISA and NSA co-authored publications are:

    • Use Secure Cloud Identity and Access Management Practices 
    • Use Secure Cloud Key Management Practices 
    • Implement Network Segmentation and Encryption in Cloud Environments  
    • Secure Data in the Cloud
    • Mitigate Risks from Managed Service Providers in Cloud Environments 

    The CSI for each strategy includes an executive summary providing background information, details on threat models, best practices for strong cybersecurity and additional guidance to protect networks. All organizations need to understand that securing their information is a responsibility for both the cloud provider and user. All organizations using cloud environments are encouraged to review these strategies and assess how they can strengthen their security.

    See Original Post

  • March 12, 2024 11:53 AM | Anonymous

     Reposted from

    Yesterday, the Cybersecurity and Infrastructure Security Agency (CISA) concluded a two-day Open-Source Software (OSS) Security Summit convening OSS community leaders and announced key actions to help secure the open-source ecosystem. Recognizing that OSS underpins the essential services and functions of modern life, the Summit sought to catalyze progress in advancing security of this critical ecosystem. This urgency was underscored by security flaws such as the Log4Shell vulnerability in 2021.
    CISA Director Jen Easterly opened the summit with keynote remarks and was followed by a panel discussion with Office of National Cyber Director (ONCD) Assistant National Cyber Director for Technology Security Anjana Rajan, CISA Open-Source Security Section Chief Aeva Black, and CISA Senior Technical Advisor Jack Cable. The summit also featured a tabletop exercise on open-source vulnerability response and a roundtable discussion on package manager security with opening remarks by CISA Executive Assistant Director for Cybersecurity Eric Goldstein. During the summit, OSS community leaders, including open-source foundations, package repositories, civil society, industry and federal agencies explored approaches to help strengthen the security of the open-source infrastructure we all rely upon. As part of this collaborative effort, CISA announced several initial key actions that CISA will take to help secure the open-source ecosystem in partnership with the open-source community:

    • CISA, as detailed below, is working closely with package repositories to foster adoption of the Principles for Package Repository Security framework. Developed by CISA and the Open-Source Security Foundation’s (OpenSSF) Securing Software Repositories Working Group, this framework was published earlier this month and outlines voluntary security maturity levels for package repositories.
    • CISA has launched a new effort to enable voluntary collaboration and cyber defense information sharing with open source software infrastructure operators to better protect the open source software supply chain.
    • Materials from the summit’s tabletop exercise will be published by CISA so that the lessons learned can be used by any open-source community to improve their vulnerability and incident response capabilities.
    Additionally, five of the most widely used package repositories are taking steps in line with the Principles for Package Repository Security framework:
    • The Rust Foundation is working on implementing Public Key Infrastructure for the Crates.io package repository for mirroring and binary signing and plans to issue a Request for Comment. The Rust Foundation also published a detailed threat model for Crates.io and has created tooling to identify malicious activity. Further steps are highlighted in the Rust Foundation’s Security Initiative Report.
    • The Python Software Foundation is working to add additional providers to PyPI for credential-less publishing (“Trusted Publishing”), expanding support from GitHub to include GitLab, Google Cloud and ActiveState as well. Work is ongoing to provide an API and related tools for quickly reporting and mitigating malware, with the goal of increasing PyPI’s ability to respond to malware in a timely manner without consuming significant resources. Finally, the Python ecosystem is finalizing PEP 740 (“Index support for digital attestations”) to enable uploading and distributing digitally signed attestations and metadata used to verify these attestations on a Python package repository, like PyPI.
    • Packagist and Composer have recently introduced vulnerability database scanning and measures to prevent attackers from taking over packages without authorization. Further work to increase security in line with the Principles for Package Repository Security framework is in progress, and a thorough security audit of existing codebases will take place this year.
    • The package repository npm requires maintainers of high-impact projects to enroll in multifactor authentication. Additionally, npm has introduced tooling that allows maintainers to automatically generate package provenance and SBOMs, giving consumers of those open-source packages the ability to trace and verify the provenance of dependencies.
    • Maven Central (maintained by Sonatype) is the largest open-source repository for Java and JVM languages and enforces validation and metadata requirements with clear namespaces. Since 2021, all staged repositories have automatically been scanned for vulnerabilities when published, and developers receive a report with any security issues. In 2024, Maven Central is transitioning publishers to a new publishing portal that has enhanced repository security, including planned support for multifactor authentication. Upcoming key initiatives include Sigstore implementationTrusted Publishing evaluation, and access control on namespaces. This includes Maven Central benchmarking the maturity of its security processes against best practices, which will also guide backlog prioritization.
    “Open-Source Software is foundational to the critical infrastructure Americans rely on every day,” said CISA Director Jen Easterly. “The federal government must integrate into open-source communities to help protect this essential public good – not the other way around. We’re proud to announce these efforts to help secure the open-source ecosystem in close partnership with the open-source community and are excited for the work to come.”
    “Open-source software is a mission-critical foundation of cyberspace that the U.S. Government must continue to defend,” says Anjana Rajan, Assistant National Cyber Director for Technology Security. “Ensuring that we have a secure and resilient open-source software ecosystem is a national security imperative, a technology innovation enabler, and an embodiment of our democratic values. As the chair of the Open-Source Software Security Initiative (OS3I), ONCD is committed to ensuring this remains a priority for the Biden-Harris Administration and commends CISA’s leadership in convening this important forum.”
    “OpenSSF’s mission is to improve the security of open-source software. Package repositories are critical infrastructure for the open-source community. We thank CISA for facilitating this Open-Source Software (OSS) Security Summit to help secure package repositories. Through continued cooperation in activities such as this summit and the Principles for Package Repository Security, we will improve the security of open-source package repositories for everyone,” Omkhar Arasaratnam, General Manager, OpenSSF.
    “Securing the open-source software supply chain is crucial for protecting global economic infrastructure,” said Mike Milinkovich, Executive Director of the Eclipse Foundation. “CISA is working to improve open-source security, focusing on both current issues and future application development. We’re proud to contribute to this vital work, helping CISA improve the global development ecosystem and supporting its vision for the future.”
    “OSI and the Open Policy Alliance commend CISA for engaging with the open-source software community and appreciate the opportunity to participate in this week’s Open-Source Security Summit.  Including less represented, small open-source non-profits into the discussion will facilitate workable, practical policies and practices, building upon the strength of the collaborative model of Open Source,” said Deb Bryant, US Policy Director, Open-Source Initiative.
    The federal government has coordinated its efforts around open-source software security through the ONCD Open-Source Software Security Initiative. Last year, ONCD, CISA, the National Science Foundation, the Defense Advanced Research Projects Agency, and the Office of Management and Budget published a Request for Information (RFI) on open-source software security and memory safe languages, which received more than 100 substantive responses. The issuing agencies are currently reviewing responses and will publish a summary of the RFI submissions. In 2023, CISA released its Open-Source Software Security Roadmap which lays out four key goals to help secure the federal government’s use of open-source software and support the global open-source ecosystem: establishing CISA’s role in supporting the security of open-source software, driving visibility into open-source software usage and risks, reducing risks to the federal government, and hardening the open-source software ecosystem. The actions announced today from the summit represent key steps in fulfillment of the roadmap’s goals, including Objective 1.1. Partner With OSS Communities and Objective 1.2. Encourage Collective Action from Centralized OSS Entities.

    See Original Post

  • March 12, 2024 11:37 AM | Anonymous


    We are excited to extend an invitation to you for an insightful webinar series focused on Small and Medium Businesses (SMBs) organized by the Cybersecurity and Infrastructure Security Agency (CISA) in collaboration with the Information Technology Sector Coordinating Council (IT SCC).

    In today's rapidly evolving digital landscape, SMBs face unique challenges and threats. This webinar series aims to equip participants with essential knowledge to navigate these challenges effectively. Our upcoming session will delve into the critical topic of Ransomware, shedding light on the prevailing threats, strategies for understanding Ransomware, and proactive measures for prevention.

    Here are the key details:

    Webinar Topic: Ransomware: Threats, Understanding, and Prevention
    Date: March 25, 2024
    Time: 1:30 p.m. – 2:30 p.m. EST

    This session will feature insights from experts at CISA alongside industry leaders, offering invaluable perspectives and practical advice. Moreover, we encourage active participation by providing dedicated time for questions and answers, ensuring that attendees can engage directly with the presenters.

    Who should attend? This webinar is tailored for federal, state, local, and private sector stakeholders interested in gaining a deeper understanding of the risks associated with critical infrastructure systems and their interdependencies.

    Don't miss out on this opportunity to enhance your cybersecurity posture and safeguard your organization against evolving threats.

    Join Now


  • March 12, 2024 11:28 AM | Anonymous

    Reposted from EMR-ISAC

    Cybersecurity professionals can expect fresh reading materials in the coming months from the Office of the National Cyber Director, which aims to issue an update to the National Cybersecurity Strategy Implementation Plan before the summer is over, a White House cyber official said Tuesday. The implementation plan outlines how the White House will accomplish the goals outlined in the national cybersecurity plan and is supposed to be a “living document” that is updated as initiatives are complete or new initiatives are added. The implementation plan 2.0 is expected “late spring, early summer,” said Brian Scott, deputy assistant national cyber director for cyber policy and programs.

    Cybersecurity pros can also expect an update on software liability reform in the next implementation plan release. In its recently released National Cybersecurity Strategy, the Biden administration called on Congress to develop legislation to develop a software liability regime, one that would allow consumer and businesses to sue software makers if they fail to take proper care in designing the security of their tools. Software companies, if the White House has its way, will no longer be able to disclaim liability for the products they produce.

    The Biden administration is currently looking at developing a framework around software liability. One aspect of the framework will be exploring how best to implement safe harbor incentives for companies that are developing code using secure methods. Companies that align with those best practices — which are still being explored — are less likely to face legal issues down the road.

    See Original Post


  • March 12, 2024 11:21 AM | Anonymous

    Reposted from EMR-ISAC

    The Cybersecurity and Infrastructure Security Agency’s (CISA’s) Emergency Services Sector (ESS) Management Team has partnered with the Department of Homeland Security (DHS), Center for Prevention Programs and Partnerships (CP3) to educate first responders on the Targeted Violence and Terrorism Prevention (TVTP) Grant Program.

    CISA and CP3 will host a webinar on Tuesday, March 19, 2024, at 1 p.m. EDT, Targeted Violence and Terrorism Prevention Grant Program. This webinar will discuss how homeland security, public safety, emergency management and emergency response personnel can apply to the TVTP program and how TVTP funds can be used to develop prevention capabilities in their community. This webinar is part of CISA’s quarterly Emergency Services Sector Resilience Development series. The series is facilitated by CISA’s ESS Management Team and focuses on topics of interest to ESS stakeholders.

    No advanced registration is required to join this webinar. To participate, mark your calendar for March 19, 2024, at 1 p.m. EDT and go to CISA’s Homeland Security Information Network (HSIN) Connect Room at the scheduled time to join: https://share.dhs.gov/cisatargetedviolentprogram/. A HSIN account is not required to join; participants may enter the room as a guest.

    See Original Post


  • March 12, 2024 11:15 AM | Anonymous

    Reposted from EMR-ISAC

    Jurisdictions establish Emergency Operations Centers (EOC) to meet their unique requirements and needs, so no two EOCs are designed the same way. The Federal Emergency Management Agency (FEMA) provides tools and resources for building or maintaining EOCs, in accordance with the National Incident Management System (NIMS).

    EOC Skillsets serve as a flexible framework for building the capabilities and qualifications of EOC personnel, allowing EOC leaders to build position qualifications according to their organization’s needs and resources.

    FEMA’s National Integration Center (NIC) has just released updated EOC Skillsets for each function and level of responsibility of EOC personnel. Once finalized, this version of the EOC Skillsets will supersede the 2018 version. The NIC is seeking input on the updated EOC Skillsets during a national engagement period that concludes on Thursday, March 28, 2024.

    This update is based on best practices related to operations; assessing processes and transitioning; capabilities; infrastructure (technology); personnel; and comprehensive training. The updates incorporate lessons learned related to supporting temporary or extended virtual EOC operations or replacing the typical EOC model with a hybrid/virtual option.

    See Original Post


  • March 12, 2024 11:07 AM | Anonymous

    Reposted from EMR-ISAC

    The National Institute of Standards and Technology (NIST) has updated the widely used Cybersecurity Framework (CSF), its landmark guidance document for reducing cybersecurity risk. The new 2.0 edition is designed for all audiences, industry sectors and organization types, from the smallest schools and nonprofits to the largest agencies and corporations — regardless of their degree of cybersecurity sophistication.

    The CSF 2.0, which supports implementation of the National Cybersecurity Strategy, has an expanded scope that goes beyond protecting critical infrastructure, such as hospitals and power plants, to all organizations in any sector. It also has a new focus on governance, which encompasses how organizations make and carry out informed decisions on cybersecurity strategy. The CSF’s governance component emphasizes that cybersecurity is a major source of enterprise risk that senior leaders should consider alongside others such as finance and reputation.

    See Original Post


  • March 12, 2024 10:52 AM | Anonymous

    Reposted from Walden Security

    You can’t train your team during an emergency. Proactively train employees on your emergency action plan so they respond appropriately when every second is crucial.

    EMERGENCY ACTION PLAN- The first step in maintaining workplace safety is an emergency action plan, which gives employees a step-by-step guide when facing a crisis. This master plan should be easily accessible to all employees and must be read during onboarding. An emergency action plan should be comprehensive and easy to understand. Your company should also conduct ongoing training to ensure all employees are up-to-date on proper safety protocols. Each emergency action plan will look different depending on what industry you are part of. However, there are a few situations for which every business should provide resources and training.

    ACTIVE SHOOTER- The importance of active shooter training cannot be overstated. Over-communicate your company’s active shooter plan, so everyone knows how to handle this stressful situation. The Run, Hide, Fight method is the most effective active shooter response. Run: The safest thing you can do is flee the scene. If able, leave behind personal belongings and follow your company’s evacuation route. Create as much room between you and the shooter as possible. Hide: If you can’t evacuate, find a safe hiding place. Close doors, turn off lights, silence your phone and be quiet until you are certain the threat is over. Fight: If you have no other option, confront the shooter. Throw objects, use improvised weapons, be aggressive, and do whatever you must to survive. NATURAL DISASTERS- Natural disasters come in many forms, such as tornadoes, fires, floods, and hurricanes. Even though they all require a unique response, you can take a few practical steps to prepare for these events. Disaster Training: Your employees need to know how to handle each type of natural disaster before it occurs. For example, employees should know where exit points are, where to go during a flood, where tornado shelters are, locations of fire extinguishers, etc. Include proper responses to emergencies specific to your location. Communication Plan: Have multiple channels available to communicate with employees. Text messaging, email and social media are good places to start. It’s wise to have one person in charge of sending updates so the latest information stays consistent. Evacuation: Ensure evacuation routes are clearly marked. Designate an area to assemble. Appoint one person, such as a manager or director, in each department to begin a head count. Identify names and last known locations of anyone missing.

    HAZARDOUS MATERIAL Any business can come into contact with hazardous materials. Therefore, it is important to include how to respond to a hazardous material spill in an emergency action plan. These are the recommended steps if you encounter a hazardous material spill: • Contact emergency services. • Flush any skin that came into contact with the dangerous material. • Stop the source of the hazardous material if possible. • Evacuate the area. • Aid emergency personnel by giving crucial information to help with clean-up. Safety is a top priority for any business. Creating an emergency action plan, communicating safety protocols and enforcing regular employee safety training is crucial for all businesses to stay ahead of an emergency.

    See Original Post



  • March 12, 2024 9:45 AM | Anonymous

    Reposted from The Soufan Center

    On May 27, 1993, a car bomb blasted through the side of the Uffizi Gallery in Florence, Italy, killing five and wounding around thirty others, and destroying hundreds of priceless pieces of art in the gallery’s collection. Many contend that the gallery was targeted by the Cosa Nostra, or the Sicilian Mafia, not just in retaliation for crackdowns on the organization, but also due to the gallery’s embodiment of Italian culture and its symbolism of the Italian nation. As an open-access museum and a protected UN Educational, Scientific and Cultural Organization (UNESCO) World Heritage site, the city of Florence presents unique challenges to both safeguarding its cultural heritage from risks but also, most critically, remaining open and accessible to the public. Not limited to the Florentine example, this challenge is ubiquitous in the protection of cultural heritage throughout the world. Its symbolic importance, as well as the fact that it attracts large crowds of civilians and may not always be adequately protected, means that cultural heritage – which is often also considered a so-called “soft target” – can be a prime target for violence and an objective for illicit actors, including criminals and terrorists.

    See Original Post

  
 

1305 Krameria, Unit H-129, Denver, CO  80220  Local: 303.322.9667
Copyright © 2015 - 2018 International Foundation for Cultural Property Protection.  All Rights Reserved