Thursday, February 16, 2023

Short Takes – 2-16-23

US NIST unveils winning encryption algorithm for IoT data protection. BleepingComputer.com article. Pull quote: “"The world is moving toward using small devices for lots of tasks ranging from sensing to identification to machine control, and because these small devices have limited resources, they need security that has a compact implementation," stated Kerry McKay, a computer scientist at NIST.”

Active defense a key approach to protecting against major threats. TalosIntelligence.com blog post. Searching for attackers, not hacking back. Pull quote: “Ransomware compromises, which usually involve data exfiltration, are not fast nor swift. Attackers need time to find their way in the network, including identifying the databases with the relevant information they are seeking, to exfiltrate the information and finally to deploy the ransomware. This is the time window when an active defense strategy can make the most impact, by looking from the inside out: The perimeter was already compromised, no relevant alerts were raised, and the attackers have already begun to carry out their malicious activities within the victim’s network.”

Investigation update released into hazardous train derailment as rail company pulls out of meeting with locals. HazardExOnTheNet.net article. Pull quote: “A town meeting was called on February 15 as hundreds of locals looked to ask questions about the health risks the derailment had caused. East Palestine’s Mayor Trent Conaway told the meeting that he wanted those responsible for the incident to be held to account and that he was working closely with Norfolk Southern, adding “they screwed up our town, they are going to fix it.” However, Norfolk Southern pulled out of the town meeting saying they feared violence.”

Frustration builds over response to Ohio train derailment as officials urge patience. TheHill.com article. Pull quote: ““The fact that it happened on the state line where it’s a lower income area … especially the area where the derailment itself [occurred], it’s not heavily populated, no injuries happened. … It’s not going to be an immediate ‘oh, what’s happened,’” he [Greg Brown, nearby resident] said. “When there are reports of people who are finding these fish dead, [the state] giving us kind of a runaround, it just really didn’t sit well with a lot of people, especially in the community.””

‘This Is Absurd’: Train Cars that Derailed in Ohio Were Labeled Non-Hazardous. GovExec.com article. The actual complaint was that the train was not labeled as a ‘Highly Hazardous Flammable Train’ (HHFT). Pull quote: “Speaking at a press conference on Tuesday, Republican Governor Mike DeWine said he learned that the train cars were marked as non-hazardous, and thus officials weren’t notified that the train would be crossing through the state.”

How the U.S. Can Use Taxes to Improve Cybersecurity. WSJ.com article. Pull quote: “A new study, which I co-wrote with Professors Janine Hiller and Kathryn Kisska-Schulze, suggests ways to do just that. Specifically, we propose offering a three-tier Federal Cybersecurity Investment Tax (FCIT) credit to encourage businesses to adopt and implement cybersecurity practices that an agency such as the Cybersecurity and Infrastructure Security Agency (CISA) has identified as necessary to defend our nation and critical infrastructure.”
