Wednesday, April 20, 2016

Quick and Dirty Cloud Assessment

Some of you guys have insane resources, capital, people, that you can throw at the problem until it's solved.

Unfortunately, that's not all of you. Or maybe it IS you, but you're not going to spend any more time than necessary making sure that you have the basics covered.

Here's the short list.

1. Review the following list of security solutions and make sure that you have an answer for each solution or product category that applies to you.

http://www.cloudauditcontrols.com/p/requirements-checklist.html

2. Find the hardening guide for each product you have installed and apply moderate to complete hardening, focusing on reducing the attack surface and exploitability of each system.

3. Ensure that basic network segmentation is in place between the tiers of your multitier applications, so that a compromise of one tier does not give direct access to the next.

4. Implement traffic filtering (a web application firewall) in front of external-facing applications. I'm a big fan of these guys. No affiliation whatsoever. Look at some of the other offerings that they have as well.

https://www.incapsula.com/website-security/

If you want one of the best peer-reviewed security standards that I believe is actionable and reasonable to implement, consider PCI DSS. There is some overlap among its requirements, and it still requires a moderate amount of interpretation. I've done a tremendous amount of work in and around the standard, and I'm not speaking flippantly or borrowing someone else's opinion when I say this.

Here's a short blog post that contains distilled requirements that I consider must-haves:

http://www.cloudauditcontrols.com/2012/03/practices-for-protecting-management.html

5. Final additional considerations, not specifically required by most regulations and standards:
[a] Consider network behavior anomaly detection, such as FireEye.
[b] Consider application whitelisting, sandboxing, and other measures that limit attack surface, attack vectors, privilege escalation, and attacker persistence.

This is typically the point at which I tell organizations that are uncomfortable making product decisions to engage a reputable security-focused reseller. Of course I have my favorites for different situations. But I don't know your environment. My brother founded and runs https://www.criticalstart.com. I've used some of his guys in the past for different assessments. Good work. Another couple that I like are https://www.redlegg.com and https://depthsecurity.com. Both were founded by stand-up guys who care about the customer and about getting it right.
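As an added example (not part of the original post, and not any vendor's own configuration), here is what "basic segmentation" from step 3 looks like in a cloud environment, written as Terraform for AWS security groups protecting a three-tier application. The VPC passed in as `var.vpc_id`, the group names, and the ports 443 (web), 8080 (app) and 5432 (database) are assumptions for illustration; substitute your own.

```hcl
# Assumed for illustration: Terraform with the AWS provider, an existing VPC
# supplied as var.vpc_id, and ports 443/8080/5432 for the three tiers.
variable "vpc_id" {
  type = string
}

# One security group per tier, with no inline rules. Terraform removes AWS's
# default allow-all egress rule when it manages the group, so every flow that is
# not explicitly listed below is denied.
resource "aws_security_group" "web" {
  name   = "tier-web"
  vpc_id = var.vpc_id
}

resource "aws_security_group" "app" {
  name   = "tier-app"
  vpc_id = var.vpc_id
}

resource "aws_security_group" "db" {
  name   = "tier-db"
  vpc_id = var.vpc_id
}

# Web tier: HTTPS in from the Internet. If a filtering service (step 4) fronts
# the site, replace 0.0.0.0/0 with that service's published egress ranges so
# attackers cannot bypass the filter by connecting to the origin directly.
resource "aws_security_group_rule" "web_in_https" {
  type              = "ingress"
  security_group_id = aws_security_group.web.id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}

# Web tier may only initiate connections to the app tier, on the app port.
# For an egress rule, source_security_group_id names the destination group.
resource "aws_security_group_rule" "web_out_app" {
  type                     = "egress"
  security_group_id        = aws_security_group.web.id
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.app.id
}

# App tier: accept only from members of the web tier's group, never from a CIDR.
resource "aws_security_group_rule" "app_in_web" {
  type                     = "ingress"
  security_group_id        = aws_security_group.app.id
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.web.id
}

resource "aws_security_group_rule" "app_out_db" {
  type                     = "egress"
  security_group_id        = aws_security_group.app.id
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.db.id
}

# Database tier: reachable only from the app tier, and with no egress rule at
# all, so a compromised database host cannot initiate connections anywhere.
resource "aws_security_group_rule" "db_in_app" {
  type                     = "ingress"
  security_group_id        = aws_security_group.db.id
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.app.id
}
```

The check a practitioner wants after applying this: run `aws ec2 describe-security-groups --group-ids <app-and-db-group-ids>` and confirm that neither the app nor the db group carries any `0.0.0.0/0` entry, inbound or outbound. If the app tier needs outbound access for package updates, add one narrow egress rule for that destination rather than restoring allow-all egress.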

Tuesday, April 5, 2016

CVE Analysis Spreadsheet - 2015 through 2016 Q1


Here's a dump of the CVEs from January 2015 through March 2016 with a quick search feature. Enter a minimum CVSS score and any search terms for description, vendor, or product, and it immediately counts the combined matches. For example, the number of vulnerabilities from Microsoft with a CVSS score greater than 4 is 628; Apple has 613.

Navigate to the Documents tab and look for the CVE Analysis spreadsheet.
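For readers who would rather run the same combined-match count against a CVE dump in code (for example an export of the NVD feed), here is an added Python example of the filter the spreadsheet describes. It is not the spreadsheet's own logic or code from the original post: the sample rows are constructed placeholders (the `EX-` identifiers are not real CVE IDs), the column names are assumed, and the score threshold is treated as inclusive (score >= minimum), which is one reading of "minimum CVSS score"; change `>=` to `>` if you want the strict "greater than" comparison used in the post's example numbers.

```python
"""Combined-match counting over a CVE dump: min CVSS score plus substring
terms on description, vendor and product, all of which must match.

Assumed CSV layout: cve_id,cvss,vendor,product,description. The rows below
are constructed sample data, not real CVE entries.
"""
import csv
import io
from typing import Dict, List

SAMPLE_CSV = """\
cve_id,cvss,vendor,product,description
EX-0001,7.5,Microsoft,Windows,Remote code execution via crafted font file
EX-0002,4.3,Microsoft,Internet Explorer,Cross-site scripting in rendering engine
EX-0003,9.3,Apple,OS X,Memory corruption in kernel allows code execution
EX-0004,2.1,Apple,iOS,Information disclosure in WebKit
EX-0005,6.8,Adobe,Flash Player,Use-after-free allows code execution
"""


def load_cves(text: str) -> List[Dict[str, object]]:
    """Parse the CSV dump into dicts, converting the CVSS column to float."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["cvss"] = float(row["cvss"])
        rows.append(row)
    return rows


def count_matches(cves, min_cvss: float = 0.0, description: str = "",
                  vendor: str = "", product: str = "") -> int:
    """Count rows with cvss >= min_cvss whose fields contain every supplied
    term (case-insensitive substring). An empty term matches everything,
    so the filters combine exactly like the spreadsheet's search boxes."""
    terms = {"description": description.lower(),
             "vendor": vendor.lower(),
             "product": product.lower()}
    count = 0
    for cve in cves:
        if cve["cvss"] < min_cvss:
            continue
        if all(term in str(cve[field]).lower() for field, term in terms.items()):
            count += 1
    return count


def count_by_vendor(cves, min_cvss: float = 0.0) -> Dict[str, int]:
    """Per-vendor counts at a given threshold: the quick 'who has the most
    serious findings' view that the post's Microsoft/Apple numbers come from."""
    totals: Dict[str, int] = {}
    for cve in cves:
        if cve["cvss"] >= min_cvss:
            totals[cve["vendor"]] = totals.get(cve["vendor"], 0) + 1
    return totals


CVES = load_cves(SAMPLE_CSV)

if __name__ == "__main__":
    print("Microsoft, CVSS >= 4:", count_matches(CVES, 4.0, vendor="Microsoft"))
    print("Apple, CVSS >= 4:", count_matches(CVES, 4.0, vendor="Apple"))
    print("'code execution' anywhere:", count_matches(CVES, description="code execution"))
    print("By vendor at CVSS >= 4:", count_by_vendor(CVES, 4.0))
```

To use it on a real export, replace `SAMPLE_CSV` with the file contents (`open(path).read()`) and make sure the header names match the five assumed above.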