Tuesday, July 29, 2014

CPNI 20 Critical Security Controls

Extremely well done. These are published by the UK Centre for the Protection of National Infrastructure (CPNI).

Overview: http://www.cpni.gov.uk/advice/cyber/Critical-controls
Direct: http://www.cpni.gov.uk/documents/publications/2014/2014-04-11-critical-security-controls.pdf

Article Summary
The Critical Security Controls for cyber defence are a baseline of high-priority information security measures and controls that can be applied across an organisation to improve its cyber defence. CPNI is participating in an international government-industry effort to promote the Critical Security Controls for computer and network security. Development of the controls is coordinated by the Council on CyberSecurity.

Critical Security Controls guidance
CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software 
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers 
CSC 4: Continuous Vulnerability Assessment and Remediation 
CSC 5: Malware Defenses 
CSC 6: Application Software Security
CSC 7: Wireless Access Control
CSC 8: Data Recovery Capability
CSC 9: Security Skills Assessment and Appropriate Training to Fill Gaps 
CSC 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches 
CSC 11: Limitation and Control of Network Ports, Protocols, and Services 
CSC 12: Controlled Use of Administrative Privileges 
CSC 13: Boundary Defense
CSC 14: Maintenance, Monitoring, and Analysis of Audit Logs 
CSC 15: Controlled Access Based on the Need to Know
CSC 16: Account Monitoring and Control 
CSC 17: Data Protection 
CSC 18: Incident Response and Management 
CSC 19: Secure Network Engineering
CSC 20: Penetration Tests and Red Team Exercises

Also found this while researching new information for a class. Session title is When Controls Fail.

Thursday, March 6, 2014

Elizabeth Martin System Hardening Rant.......

Interesting rant from Elizabeth Martin. I'm a new fan!

[EM]: "I went off on a bit of a rant today about hardening. In the interest of disclaimers, I would like to make it abundantly clear that I was raised in a world where *hardening is king*. If you didn't harden you were compromised very quickly. Unfortunately it is now at least 10 years later if not more and still very few, if any, systems are hardened.

Of course I asked the twitters and frankly they did not give me the answers I sought. I was looking for answers such as "Of course we harden our systems." or, "Naturally most of the clients I work with harden their external systems." Well I didn't get those answers. The best I got was "I am just happy if they patch." .... [ouch.]

Awesome Comparison of Risk Methodologies

Absolutely love this research from Gartner. Fantastic job guys.
You Care Because: There are several viable risk management frameworks our customers can use for assessing and building security into Vblock Systems. Which program you pick is far less important than how well you execute it; the same lesson applies in sports, business, and personal life.

Gartner For Technical Professionals - Comparing Methodologies for IT Risk Assessment and Analysis       

Authors: Ben Tomhave, Erik T. Heidt & Anne Elizabeth Robins

To access this research, visit www.gartner.com.

In-Scope Methods:

  • FAIR
  • ISO/IEC 31000:2009 and 27005:2011
  • NIST Special Publication 800-30
  • OCTAVE Allegro
  • RiskSafe 

Summary of Findings (page 3)

Bottom Line: Which method you choose for IT risk assessment and risk analysis is far less important than ensuring that the selected methodology is operationalized and a good fit for the corporate culture. It is more important to start somewhere, getting a process in place that integrates with existing or emerging risk management processes, and then scaling and evolving practices over time. The selected approach must be able to produce output that is meaningful to management, and supporting processes must account for assumptions, documentation and potential gaming of the system. Tools should be leveraged, where possible, to ease method adoption.


Tuesday, February 18, 2014

Cisco 2014 Annual Security Report - An Erosion of Trust

Get the report here: http://www.cisco.com/web/offers/lp/2014-annual-security-report/index.html 
Selected highlights:
  • 100 percent of the companies examined have systems calling known malware hosts. Investigations of multinational companies show evidence of internal compromise: suspicious traffic is emanating from their networks and attempting to connect to questionable sites.
  • Threats grow: new threat alerts rose 14 percent year over year.
  • Market verticals: The rate of malware goes up or down as the value of a particular vertical’s goods and services rises or declines.
  • 37 billion “intelligent things” connected to the Internet by 2020.
  • Old blogs and idle domains: Millions of abandoned blogs and purchased domains sitting idle, and many of them are probably now owned by cybercriminals. Cisco security experts predict the problem will only worsen as more and more people in emerging Internet markets around the globe establish a blog or a website, only to let it languish later.
  • Making noise: DDoS attacks are increasingly being used to conceal other nefarious activity, such as wire fraud before, during, or after a campaign.
  • Talent shortage: It's estimated that in 2014 the industry will still be short more than a million security professionals across the globe.
  • Cloud computing: For smaller organizations or those with budget constraints, a well-protected and well-managed cloud service can offer more security safeguards than a business’s own servers and firewalls.
  • Security Objectives for 2014: Verifying Trustworthiness and Improving Visibility
Special note for Java:
  • 76 percent of enterprises using Cisco solutions are still running the Java 6 Runtime Environment alongside Java 7. Java 6 has reached end of life and no longer receives public security updates.
  • Java exploits account for 91 percent of web exploits observed.
  • 97 percent of enterprise desktops run Java.
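The Java 6 figure above is the kind of thing you should be able to answer for your own fleet (CSC 2, software inventory, and CSC 4, vulnerability remediation). The script below is an added example, not from the Cisco report or the original post: it parses the output of `java -version` collected from each host and flags runtimes at or below the end-of-life major version. The hostnames and captured outputs are constructed for the example, and the threshold of 6 reflects the report's date; Java 7 reached end of public updates in April 2015, so raise the threshold accordingly when you run it today. The version-string handling covers both the legacy "1.x" scheme used through Java 8 and the plain "9+" scheme, which is the usual trap in ad-hoc inventory scripts.

```python
import re

# Constructed sample of `java -version` output (it goes to stderr) from a few
# hypothetical hosts. Hostnames and outputs are made up for this example.
SAMPLE_INVENTORY = {
    "ws-0113": 'java version "1.6.0_45"\n'
               'Java(TM) SE Runtime Environment (build 1.6.0_45-b06)',
    "ws-0114": 'java version "1.7.0_51"\n'
               'Java(TM) SE Runtime Environment (build 1.7.0_51-b13)',
    "build-01": 'openjdk version "11.0.2" 2019-01-15\n'
                'OpenJDK Runtime Environment 18.9 (build 11.0.2+9)',
    "kiosk-07": "bash: java: command not found",
}

# Highest major version that had reached end of public updates at the time of
# the 2014 report (Java 6, February 2013). Assumption for this example: bump
# it to 7 (April 2015) or higher for a current audit.
LAST_UNSUPPORTED_MAJOR = 6

# Matches both 'java version "1.6.0_45"' and 'openjdk version "11.0.2"'.
_VERSION_RE = re.compile(r'(?:java|openjdk) version "([^"]+)"')


def parse_major(output):
    """Return the Java major version from `java -version` output, or None
    if no JRE reported a version (e.g. 'command not found').

    Handles the legacy '1.x.y_z' scheme (Java 8 and earlier, where the
    major is the second component) and the '9+' scheme (major first,
    possibly with a suffix such as '9-ea')."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    parts = m.group(1).split(".")
    if parts[0] == "1" and len(parts) > 1:
        return int(parts[1])                 # "1.6.0_45" -> 6
    return int(parts[0].split("-")[0])       # "11.0.2" -> 11, "9-ea" -> 9


def is_unsupported(major):
    """True when the major version is at or below the EOL threshold."""
    return major is not None and major <= LAST_UNSUPPORTED_MAJOR


def audit(inventory):
    """Map host -> (major, unsupported?) for every host that has a JRE."""
    result = {}
    for host, output in inventory.items():
        major = parse_major(output)
        if major is not None:
            result[host] = (major, is_unsupported(major))
    return result


def unsupported_hosts(inventory):
    """Sorted list of hosts running an end-of-life Java runtime."""
    return sorted(h for h, (_, bad) in audit(inventory).items() if bad)


if __name__ == "__main__":
    for host, (major, bad) in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: Java {major} {'UNSUPPORTED' if bad else 'ok'}")
    print("remediate:", unsupported_hosts(SAMPLE_INVENTORY))
```

Feed it real data by collecting `java -version 2>&1` per host through whatever remote-execution channel you already have; note that a host can carry several JREs (browser plug-in, bundled application runtimes), so the `java` on the PATH is only the first thing to check, not the whole inventory.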
Impressive statistics – Cisco evaluates:
  • 16 billion web requests are inspected daily through Cisco Cloud Web Security
  • 93 billion emails are inspected daily by Cisco’s hosted email solution
  • 200,000 IP addresses are evaluated daily
  • 400,000 malware samples are evaluated daily

Monday, December 23, 2013

Upcoming Security Conferences

Coming off of an awesome time freezing in the cold night around a large fire pit, eating brisket with friends at David Cowen's home. Called man night, it's a time for a bunch of old hacks to tell stories of early day phone phreaking, ISP hacking, and other stuff that was usually benign and flat-out funny. Thrown in the mix, stories of partying and playing pranks at early hacker conferences. Just a fantastic group of guys.

So… This jumped out at me while reviewing the weekly Cisco Cyber Risk Report. Here is a list of upcoming (larger) conferences that may be of interest:
  • SHMOOCON 2014: January 17–19, 2014
  • Cisco Live Milan: January 27–31, 2014
  • RSA Conference USA 2014: February 24–28, 2014
  • Cisco Live Melbourne: March 18–21, 2014
  • Black Hat Asia: March 25–28, 2014
  • Infosecurity Europe: April 29–May 1, 2014
  • Cisco Live 2014: May 18–22, 2014