Author: admin

  • Assessing Security Controls

    This post is second in a series on Cyber Security Preparedness, and follows step 1: Cyber Security Awareness.  Today we look at the establishment of Critical Security Controls.

    As security professionals, we all know that assurances come through the process of establishing and measuring controls.  Cyber security is no different. 

    The Council on Cybersecurity, Center for Internet Security, SANS, and others have compiled a list of Critical Security Controls – now in their 5th revision.  The document provides a roadmap for implementing the 20 critical security controls (CSC) and their many associated sub-controls.  Has CSC been added to your control framework?  Start your assessment now, before the next incident or audit.

    Five key sub-controls are your starting point:

    1. CSC 2.1 – Deploying application white-listing technology
    2. CSC 3.1 – Implementing a configuration standard for operating systems
    3. CSC 3.2 – Automating the patching of the OS and applications
    4. CSC 3.3 – Limiting administrative privileges
    5. CSC 4.1 – Performing automated vulnerability scans at least weekly

    The foundation is established through numerous other Quick Wins.  Further refinement is offered through sub-controls that add Visibility and improve Configurations.

    Note:

    Critical Security Controls have been considerably advanced since this post. Version 5 is no longer accessible. For the latest control set, see: https://www.cisecurity.org/controls/v8

  • No Muscle in Cyber Defense

    We all have a distant memory of a bully at school that we chose to avoid during recess or after school.  We were no match for them.  Why end up in a fight for no good reason?

    The bully is back, but this time they are challenging our cyber defenses.

    Researchers claim that 99% of us are vulnerable.  We are no match for the capability of today’s adversaries.  The bullies number in the thousands and we have no place to hide.  Any of us could be the next Sony.

    The path forward is clear: each of us must hit the gym and gain a little muscle against today’s cyber threats.  At the same time, we must actively collaborate, creating strength in our numbers.

    References:

    1. https://www.cnet.com/news/privacy/thousands-could-launch-sony-style-cyber-attack-says-ex-hacker/

  • The Bleed Goes On

    It seems like forever ago that we learnt of the Heartbleed Bug, a serious vulnerability found in the backbone of network privacy – OpenSSL. The news came in a zero-day perfect storm – a public vulnerability and exploit without any means to fix it. We lacked preparation, not knowing where OpenSSL was deployed or how to fix it. Countless software manufacturers took what seemed an eternity to assess their implementations, advise customers of their exposure, and develop patches to close the loophole.

    The “zero-day” took weeks. Many grew tired of the cycles of discovery, planning, and deployment. The response took its toll – leaving the job undone.

    The majority – it appears – stopped when systems had been patched. A key missing step was dealing with their encryption keys – the information disclosure risk that started it all.

    According to Venafi, the public-facing systems of 74 percent of the Global 2000 remain vulnerable, still running on the old PKI certificates and keys. Let’s stop the bleeding and get the job done!
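    The "job undone" above is a check you can run against your own certificate inventory. The script below is an added example, not part of the original post or any vendor tool: it works over a constructed inventory (hypothetical hosts, patch dates and key fingerprints) and classifies each host as unpatched, patched but still serving the old certificate, re-certified on a key that was in service while the host was vulnerable, or fully rotated. Any key that lived on a host before that host was patched is treated as exposed, because a vulnerable server could have leaked it from memory.

```python
from collections import defaultdict
from datetime import date

# Constructed sample inventory (hypothetical hosts, dates and key fingerprints):
# one row per certificate ever deployed on a host.
CERTS = [
    # host, certificate notBefore, fingerprint of the public key (SPKI) it carries
    ("www.example.test", date(2013, 6, 1), "spki-a1"),
    ("www.example.test", date(2014, 4, 20), "spki-a2"),   # new cert, new key
    ("api.example.test", date(2013, 9, 15), "spki-b1"),
    ("api.example.test", date(2014, 4, 15), "spki-b1"),   # reissued cert, same key
    ("mail.example.test", date(2013, 1, 10), "spki-c1"),  # never reissued
    ("vpn.example.test", date(2013, 11, 3), "spki-d1"),
]

# Date each host's OpenSSL was patched (constructed); a missing host is still unpatched.
PATCHED = {
    "www.example.test": date(2014, 4, 9),
    "api.example.test": date(2014, 4, 10),
    "mail.example.test": date(2014, 4, 11),
}

def remediation_status(certs=CERTS, patched=PATCHED):
    """Classify each host by how far its Heartbleed remediation got.

    A key present on a host before the patch date may have been read out of
    process memory, so it counts as exposed even if the certificate wrapped
    around it has since been replaced.
    """
    by_host = defaultdict(list)
    for host, not_before, key_fp in certs:
        by_host[host].append((not_before, key_fp))
    status = {}
    for host, entries in by_host.items():
        entries.sort()                               # oldest certificate first
        current_not_before, current_key = entries[-1]
        fixed_on = patched.get(host)
        if fixed_on is None:
            status[host] = "unpatched"
            continue
        exposed_keys = {fp for nb, fp in entries if nb < fixed_on}
        if current_not_before < fixed_on:
            status[host] = "old-cert"                # patched, cert and key never replaced
        elif current_key in exposed_keys:
            status[host] = "key-reused"              # new cert issued on an exposed key
        else:
            status[host] = "rotated"
    return status

if __name__ == "__main__":
    for host, state in sorted(remediation_status().items()):
        print(f"{host:20} {state}")
```

    Only hosts reported as "rotated" have actually closed the information-disclosure risk; "key-reused" hosts look fixed in a certificate scan but are not.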

    References: