In this episode I talk with Lloyd 'Lucky' Guyot and Alex O'Meera about The Center for Internet Security's Critical Security Controls. Lloyd is a Security Advisor for Optiv and President of the Grand Rapids ISSA Chapter. Alex is a Security Analyst for Stack Overflow and Secretary of the Grand Rapids ISSA Chapter.

Talking Points:
How can the CIS 18 help an SMB build its security program?
How can the CIS 18 help mature a security program?
Which controls should a company start with?
And many more!

Episode Sponsor: Grand Rapids ISSA Chapter (with special thanks to Optiv). The GR-ISSA is the local chapter of the Information Systems Security Association.

Episode Charity: The charity for the month of November is the Corewell Health Foundation. More specifically, the money will be going to assist children with various mental health challenges.
Podcast: Control Loop: The OT Cybersecurity Podcast
Episode: CMMC and your industrial environment, plus the five most critical security controls.
Pub date: 2022-07-13

A cyberattack hits a Ukrainian energy provider. A Chinese-speaking threat actor targets building automation systems. An Iranian steel mill suspends production due to a cyberattack. The US TSA issues relaxed pipeline cybersecurity directives. A US cybersecurity bill focuses on training. Ian Frist from BlueVoyant joins us to discuss what CMMC will mean for ICS environments. And in the Learning Lab, Robert M Lee joins us to explain the five critical controls for ICS.

Control Loop News Brief.
Russian hackers allegedly target Ukraine's biggest private energy firm (CNN) Russian hackers carried out a "cyberattack" on Ukraine's biggest private energy conglomerate in retaliation for its owner's opposition to Russia's war in Ukraine, the firm said Friday.
Attacks on industrial control systems using ShadowPad (Kaspersky) In mid-October 2021 Kaspersky ICS CERT researchers uncovered an active ShadowPad backdoor infection on industrial control systems (ICS) in Pakistan.
Cyberattack Forces Iran Steel Company to Halt Production (SecurityWeek) One of Iran's major steel companies said Monday it was forced to halt production after being hit by a cyberattack that also targeted two other plants, apparently marking one of the biggest such assaults on the country's strategic industrial sector in recent memory.
Iran's steel industry halted by cyberattack (The Jerusalem Post) Predatory Sparrow, a hacktivist group that is little known, took credit for the hacking that halted Iran's steel industry.
Iranian steel facilities suffer apparent cyberattacks (CyberScoop) Three Iranian steel companies suffered apparent cyberattacks Monday, claimed a hacktivist group that previously took responsibility for a digital assault on the Iranian train system with wiper malware.
Smart Factories Need to Prioritize Cybersecurity (Capgemini) Smart factories are increasingly being utilized by industry as part of the transition toward digitization. Being connected to the cloud or the internet, they bring a plethora of communicative advantages. However, this network connection also creates a larger surface area vulnerable to attack via digital means.
TSA Eases Pipeline Cybersecurity Rules Issued After Colonial Hack (Wall Street Journal) The Transportation Security Administration is loosening pipeline cybersecurity rules imposed after ...
House Passes ICS Cybersecurity Training Bill (SecurityWeek) The House of Representatives has passed the Industrial Control Systems Cybersecurity Training Act.
Cyber Yankee exercise hones New England Guard skills to fight digital threats (C4ISRNet) “Whether it's a state or a federal effort, the importance of being prepared to respond to a cyber ...

Control Loop Interview.
Ian Frist from BlueVoyant joins us to discuss the Cybersecurity Maturity Model Certification from the US Department of Defense and what it means for industrial environments.
Ian Frist on LinkedIn

Control Loop Learning Lab.
Robert M. Lee teaches us about the five critical controls for OT cybersecurity.
5 Critical Controls for OT Cybersecurity

Subscribe to the Control Loop Newsletter here with new editions published every month.
We're looking into version 8 of the Critical Security Controls.

LINKS
1. The 18 CIS Controls
2. SANS: CIS Controls v8

FIND US ON
1. Facebook
2. Twitter - DamienHull
In 2020, Security Magazine listed Sounil Yu as one of the most Influential People in Security, in part because of his work on the Cyber Defense Matrix, a framework for understanding and navigating your cybersecurity environments. The Cyber Defense Matrix started as a project when Sounil was the Chief Security Scientist at Bank of America. The initial problem he focused on with the matrix was how to evaluate and categorize vendors and the solutions they provided. The Cyber Defense Matrix is a structured framework that allows a company to understand who their vendors are, what they do, how they work alongside one another, what problem they profess to solve, and ultimately to find gaps in the company’s portfolio of capabilities. In the seven years Sounil has been working on the project, he has developed use cases that make the Cyber Defense Matrix practical for purposes such as rationalizing technology purchases, defining metrics and measurements, and identifying control gaps and opportunities. The matrix has been adopted by the OWASP Foundation as a community project. Elements of the matrix have been incorporated into the Center for Internet Security’s (CIS) Top 20 Critical Security Controls. I talked with Sounil to hear how the project was going, what his plans are for the future of the matrix, and what help he can use from the community for expanding its usefulness.

ABOUT SOUNIL YU
Before Sounil Yu joined JupiterOne as CISO and Head of Research, he was the CISO-in-Residence for YL Ventures, where he worked closely with aspiring entrepreneurs to validate their startup ideas and develop approaches for hard problems in cybersecurity. Prior to that role, Yu served at Bank of America as their Chief Security Scientist and at Booz Allen Hamilton where he helped improve security at several Fortune 100 companies and government agencies.
Redefining Security | On ITSPmagazine
Conversations At the Intersection of Technology, Cybersecurity, and Society.

Have you ever thought that we are selling cybersecurity insincerely, buying it indiscriminately, and deploying it ineffectively? For cybersecurity to be genuinely effective, we must make it consumable and usable. We must also bring transparency and honesty to the conversations surrounding the methods, services, and technologies upon which businesses rely. If we are going to protect what matters and bring value to our companies, our communities, and our society, in a secure and safe way, we must begin by operationalizing security. Join us as we explore how visionary leaders are Redefining Security.

This Episode: A Business Program Or A Security Program | How Do You Employ The CIS Critical Security Controls?
Host: Sean Martin
Guests:
- Claire Davis
- Phyllis Lee - CIS
- Larry Whiteside Jr.
- Christian Toon

A framework is a framework is a framework. Or is it? The reality is, a framework is only as good as the process, data, and effort you put into it, coupled with the support you receive from the organization to make it work based on business needs. In today's episode, we bring together 2 guests from a medium-sized company that has implemented the CIS Critical Security Controls, a guest representing an MSSP that leverages the CIS Controls for consistency, transparency, and repeatability across clients, and a guest representing CIS and the framework itself to provide an even broader view surrounding the successful use of this widely-recognized controls framework.

So, what's the trick? As Christian Toon, CISO at Pinsent Masons, states: "Firstly, this is a business program. It's not a security program." Once that is understood, the team can begin to tackle the selection and implementation of a framework. As Christian noted prior to recording this episode: "For me/us it’s about finding a framework that works best for you. There are many, and in my opinion, many that don’t quite cut it. Bringing the people together to unite under a common banner was important. This was our journey."

And a journey it was, and still is. It's a similar, yet different, journey for Larry Whiteside Jr., Chief Technology Officer at CyberClan, where he and his team see varying cybersecurity and risk maturity levels - each company has its own unique challenges and requirements - and the framework helps Larry's organization bring clarity to the risk, the controls, and the process overall. It's also a journey for the framework itself, as Phyllis Lee, Senior Director for Controls at the Center for Internet Security, points out that ongoing revisions help organizations map the controls in meaningful ways, pointing to the recent changes made to map the sub-controls to MITRE ATT&CK.

The star of this show, as you'll hear in this conversation, however, is the champion. In this story, that champion is Claire Davis, program manager at Pinsent Masons. With so many moving parts—the networks, systems, applications, teams, operational infrastructure, colleagues in risk and privacy, the infosec function, etc.—you can't just think you're going to crack this out and deal with it as a side project. Where do you start? How do you make progress? How do you know you're succeeding?

Whatever your journey looks like, every program looks identical at one point: the start. This is the point at which you begin the journey. From there, it can be focused or chaotic. The choice is yours. Now, it's time to start your journey by listening to this conversation. Ready? Set. Go!

Learn more about this column's sponsors:
- Nintex: itspm.ag/itspntweb

Listen to more Episodes of Redefining Security here: www.itspmagazine.com/redefining-security

Interested in sponsoring an ITSPmagazine talk show? www.itspmagazine.com/talk-show-sponsorships
Time to start thinking about our Critical Security Controls audit. This will include policies and procedures. We can’t avoid good documentation.

FIND US ON
1. Facebook
2. Twitter - DamienHull
We need to make sure our projects are useful. To help us do that, we’re mapping our projects to the Critical Security Controls. We’re also looking at the Black Hills presentation on How to Build a Home Lab. This is full of good information.

LINKS
1. Security Onion
2. Black Hills - How to Build a Home Lab
3. The Critical Security Controls
4. Atomic Red Team
5. Scythe

FIND US ON
1. Facebook
2. Twitter - DamienHull
In today's Modern Digital Enterprise, the digital transformation podcast from Anexinet, Steve and Glenn talk with Takeda Data Security Risk Advisor Jason Marchant on the most pressing security issues today's organizations face. This episode also answers the following questions:
What are the largest internal security issues facing today's teams?
How do we create a Security Scorecard as a path to remediation?
How does Anexinet's Policy Characteristics Matrix compare with Scenario-Based Control Requirements?
What are some 2-Factor (and multi-factor) Authentication Best Practices? How secure is 2-Factor Authentication, anyway?
What are the implications of posting personal data to Social Media (health, etc.), and how responsible are they for protecting that data? Does HIPAA still apply?
What are the security determinants for moving to the Cloud? Does the move make a company's data more or less secure?
How effective is data-masking?
What threats to AES encryption are beginning to emerge?
What is the greatest security threat organizations face today?
What about the role of AI/Machine Learning/Quantum Computing? How much of a risk do they pose?
What are the risks of increased surface area (IoT proliferation) and morphing malware?
What are Sans Institute's "Top 20 Critical Security Controls"?
How does Trust & Verify compare to Zero Trust in terms of Risk-Management Practices?
How do you determine your ideal Risk-Management Strategy?

Links in the episode: Sans Institute Top 20 Critical Security Controls
The City of Baltimore’s recent ransomware incident not only caught government servers by surprise. It also jolted the industry as a stark reminder that cyberattacks can still occur where and when they’re least expected. Not the most comforting prospect—but are there constructive takeaways to be gleaned in the aftermath? Helping us uncover these silver linings are Duo Security’s Wendy Nather and LEO Cybersecurity’s Andrew Hay. Some of the topics to be covered in this podcast include:
• How the Center for Internet Security’s Top 20 Critical Security Controls remains an effective guide for preventing cyberattacks—regardless of a company’s security budget
• The importance of educating all employees on the need for good cyber hygiene habits
• Taking a first-responder approach to dealing with a cyberattack, such as immediately bolstering IT staff

Related links:
https://www.colorado.gov/pacific/dhsem/atom/129636
https://www.cisecurity.org/controls/cis-controls-list/
https://sightlinesecurity.org/
In this episode we talk about Patch Tuesday, an issue with Automox, & HIPAA compliance. We also have a bit of interesting news. We might have our first client. There’s a minor issue. They asked about HIPAA compliance. We’re not HIPAA experts. However, there might be a way we can help them. Did you know you can map the Critical Security Controls to some of the HIPAA requirements?

CORRECTION
In this episode a reference was made to HITECH. This should be HITRUST. HIPAA & HITECH are laws covering health records. HITRUST is a framework used to audit & secure an organization. For more information check out the HITRUST Alliance.

LINKS
1. Microsoft Patch Tuesday, June 2019 Edition - Krebs on Security
2. Critical Security Controls - AuditScripts.com
3. Critical Security Controls Master Mapping - Spreadsheet mapping the controls to other frameworks including HIPAA
4. Offensive Security Certified Professional (OSCP) Study Guide - Free Resources
5. Kali Linux: Hiding information from Nmap - Our video on how to hide information from Nmap

FIND US ON
1. Facebook
2. Twitter - DamienHull
The first three critical security controls might seem simple, but they’re not. For those that have a handful of devices, they can be simple. For those that have more than a handful, they can be difficult to implement.

LINKS
1. CIS Introduces V7.1 of CIS Controls Featuring New Implementation Groups
Dorothy and I do a quick review of Bitdefender GravityZone & Sumo. We’re on the hunt for solutions that meet one or more of the first 6 Critical Security Controls. The first 6 controls are our road map to a security program for Section 9. This was an interesting project.

LINKS
1. Bitdefender GravityZone
2. KC Softwares Sumo
Instead of 20 Critical Security Controls, we’re going to talk about the Essential 8. These are 8 things you can do to keep your organization secure. This list comes from the Australian Cyber Security Centre.

LINKS
1. Essential Eight Explained
Time to look at controls 4-6. This is where things get a bit tricky. Do you have the skills to deploy these controls? That’s a question we have to ask ourselves. In some cases, we don’t. This is just the beginning. Dorothy and I have a long way to go before we can deploy the first 6 controls.

LINKS
1. CIS Controls
2. CIS Benchmarks
It’s time to take a look at the first three Critical Security Controls. What are they? How do they keep your organization secure? How are we going to implement them? There’s a lot to think about with the first three. Our goal is to implement the first 6. We have a long way to go.

LINKS
1. CIS Controls
I’m taking the SANS 566 course, Implementing & Auditing the Critical Security Controls - In-Depth. We talk about why I’m taking this course.

LINKS
GIAC GCCC
SANS SEC566
When you are starting a small business, there is plenty to worry about. How do you make your product amazing? How are you going to make sure your potential customers know about what you have to offer? How do you hire the right people? With so much going on, it is easy to see why […]

The post Episode 23: Critical Security Controls: First steps for business cybersecurity appeared first on Cyber24.
Did I mention I love the Critical Security Controls? I do. And here's an absolute diamond I found this week: This site (http://www.auditscripts.com/free-resources/critical-security-controls/) offers awesome CSC-mapping tools (and they're free!), specifically:
A spreadsheet with how the CSCs map to other popular frameworks like ISO and NIST
A manual assessment tool for measuring your org - or someone else's org - against the CSCs.
Flippin' sweet right? RIGHT! Also, be sure to come and Slack chat with us, as my pal hackernovice is building a tool called MacMon to help you satisfy CSC #1! Lastly, I built an LOL-worthy pentesting recon tool called SSOTT (Scan Some of the Things) that might help you automate some NMAPing, DIRBing, NIKTOing, and the like. Cheggitout!
We're continuing to hammer on the CSCs again this week. Here's some rad resources that can get your CSC efforts in the right direction:
CIS Implementation Guide for SMEs
CIS Cybersecurity quarterly newsletters
Netdisco lets you locate machines by MAC or IP, show the corresponding switch port, and disable it if necessary.
Defensive Security Handbook isn’t specifically mapped to CSCs but offers great advice to tie into them.
Open-Audit tells you what’s on your network, how it’s configured, and when it changes.
Nothing to do with security, but I've heard this song way too much this week. I love the CIS Controls but it seems like there isn't a real good hands-on implementation guide out there. Hrmm...maybe it's time to create one? Speaking of that, check out the MacMon project and chat with us about it via Slack. After hearing rave reviews about Fingbox (not a sponsor), I picked one up (~$120) and wow, I'm impressed! It's got a lot of neat features that home users and SMBs would like as it relates to mapping to CSC #1:
Ability to map network devices to users to create an inventory
Email alerts for new devices that pop up on the network
Block unwanted users from the app, even when not directly connected to the LAN
Nice set of troubleshooting tools, such as wifi throughput test, Internet speed test, and port scanning of LAN/WAN devices
More on today's show...
For a long time I've been electronically in love with the Critical Security Controls. Not familiar with 'em? The CIS site describes them as: The CIS Controls are a prioritized set of actions that protect your critical systems and data from the most pervasive cyber attacks. They embody the critical first steps in securing the integrity, mission, and reputation of your organization. Cool, right? Yeah. And here are the top (first) 5 that many organizations start to tackle:
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software
4. Continuous Vulnerability Assessment and Remediation
5. Controlled Use of Administrative Privileges
Google searches will show you that you can definitely buy expensive hardware/software to help you map to the CSCs, but I'm passionate about helping small businesses (and even home networks!) be more secure, so I'm on a quest to find implementable (if that's a word?) ways to put these controls in place. I'm focusing on control #1 to start, and I've heard great things about using Fingbox (not a sponsor) to get the job done, but I'm also exploring other free options, such as nmap + some scripting magic. More on today's episode...
Continuing in the Critical Security Controls, we are at number nineteen, Incident Response. Now that you have all the tools, policies and procedures in place, what do you do with the alerts? How you respond to an incident is vital and makes your investments worthwhile. This episode goes over this control. Be aware, be safe.

------------------------------------
Website - https://www.binaryblogger.com
Podcast RSS - http://securityinfive.libsyn.com/rss
Twitter @binaryblogger - https://www.twitter.com/binaryblogger
iTunes - https://itunes.apple.com/us/podcast/security-in-five-podcast/id1247135894?mt=2
YouTube - https://www.youtube.com/binaryblogger
TuneIn Radio -
The next control in the Critical Security Controls is number 18, Application Security. Even though 50% of all attacks are against the application, less than 1% of all security spending is on application security. This episode goes into the details of this control and what it takes to address it. End of line.
The next control in the Top 20 Critical Security Controls is number 11, Network Device Configurations. Much like your workstations and servers, you need to maintain and control configurations for the components that drive your network. This episode goes into the details. Be aware, be safe.
Next up in the Critical Security Controls is number nine, Network Limits. Much like your users and computers, the network should be in a Least Privilege mode. Listen to hear the details and reasons behind this control. Be aware, be safe.

Email - contactme@binaryblogger.com
Music in this episode: Greenhorn by Mystery Mammal is licensed under an Attribution-ShareAlike License.
Next up in the Critical Security Controls is number seven, email and browsers. This control talks about closing the ability of easy access through email and web browsers. The control leaves one aspect out of the discussion and this episode covers it. Be aware, be safe.

Music in this episode: Children Of The Son (Instrumental Acoustic) by PC-ONE is licensed under an Attribution License.
The next item in the Critical Security Controls is number 6, Audit Log. Logs are only as good as the data recorded and how often you look at them. Outside of that they are not providing any value. Listen to how you can help address the Audit Log control. Be aware, be safe.
Continuing the breakdown of the CIS Top 20 Critical Security Controls, the next one on the list is number 5, Controlling Administrative Accounts. The admin accounts have all the access in your environment; if a hacker gets those keys they can go anywhere they wish. CIS 5 drives for controlling those keys in your environment. Listen to how you can work toward making sure those are not lost or misused. Be aware, be safe.

Music in this episode: Greenhorn by Mystery Mammal is licensed under an Attribution-ShareAlike License.
Security professionals don't make policies and rules for the fun of it. There's a method to their madness. The Center for Internet Security created a list of 20 Critical Security Controls to help companies establish a baseline of best practices in cybersecurity. This is the intro episode to the CIS and the Top 20 controls. Be aware, be safe.

Music in this episode: Starchild by Mystery Mammal is licensed under an Attribution-ShareAlike License.
Critical Security Controls: Part 2 (with Brian Ventura)
ADVANCED PERSISTENT SECURITY PODCAST EPISODE 24
GUEST: Brian Ventura
October 31, 2016
If you enjoy this podcast, be sure to give us a 5 ...

The post Critical Security Controls: Part 2 (with Brian Ventura) first appeared on Advanced Persistent Security.
Critical Security Controls: Part 1 (with Brian Ventura)
ADVANCED PERSISTENT SECURITY PODCAST EPISODE 23
GUEST: Brian Ventura
October 24, 2016
If you enjoy this podcast, be sure to give ...

The post Critical Security Controls: Part 1 (with Brian Ventura) first appeared on Advanced Persistent Security.
We’ve been writing about the GDPR for the past few months now and with the GDPR recently passed into law, we thought it was worth bringing together a panel to discuss its implications. In this episode of the Inside Out Security Show, we discuss how the GDPR will impact businesses, Brexit, first steps you should take in order to protect EU consumer data and much more. Go from beginning to end, or feel free to bounce around. What is the EU General Data Protection Regulation? Who will be tasked to implement GDPR? What’s the first step you need to take to take when implementing GDPR? Data Breach Notification Brexit and GDPR Territorial Scope Tension between Innovation and Security Tips on Protecting Customer Data Final Thoughts Upcoming Webinars: July 21st English, July 28th German and French Cindy: Hi and welcome to another edition of the Inside Out Security show. I’m Cindy Ng, a writer for Varonis’s Inside Out Security blog. And as always, I’m joined by security experts Mike Buckbee, Rob Sobers, and Kilian Englert. Hey, Kilian. Kilian: Hi Cindy. Cindy: Hey Rob. Rob: Hey Cindy, how is it going? Cindy: Good. And hey, Mike. Mike: Hey Cindy, you made me go last this week. That’s all right. Cindy: This week, we also have two special guests, also security experts. Andy Green, who is based in New York, and Dietrich Benjies who is based in the UK. And they’re here to join us to share their insights on the latest General Data Protection Regulation that was just passed with an aim to protect consumer data that will impact not only businesses in the EU, Britain and the US and the rest of the world. So Hi Andy. Andy: Hey Cindy. Cindy : Hey Dietrich. Dietrich: Hi Cindy. What is the EU General Data Protection Regulation? Cindy: So, let’s start with the facts. First, what is GDPR and what are its goals? Andy: In one sentence? Can I get two? Cindy: You get two and a half. Andy: Okay, two and a half. So it stands for General Data Protection Regulation. 
It’s a successor to the EU’s current data security directive which is called the Data Protection Directive, DPD. And it really…I mean if you are under the rules now, the GDPR will not be a major change but it does add a few key major additions. And one of those is…well there are stronger rules on, let’s say, the right to access your data. You really have…almost like a bill of rights. One of them is that you can see your data, which is maybe not something in the US we are experienced with. Also, another new thing is you have a right of portability, which is something that Facebook probably hates. In other words, you can download the [personal] data. If I were, I assume this would happen in the UK or the EU, that if you are a Facebook customer you will be able to download everything that Facebook has and have it in some sort of portable format. And I guess that [if you have another] social media service, you can then upload that data to that social media service and say goodbye to Facebook, which is kind of not something they’re very happy about. … You have almost like consumer data rights under the new rule. I don’t know if anyone has any comments on some of these things but I think that’s…that, I think, is like a big deal.

Dietrich: I’m sorry Mike. Were you going to go next? I chimed in so I suppose I’ll carry on-

Cindy: Go ahead, Dietrich.

Dietrich: So I think in terms of your attendance, it’s the European Union recognizing that data is…the European citizens recognize their data as important and historically, recently and historically, there have been many cases where it hasn’t been demonstrated to be appropriately controlled. And as it’s a commodity, the information on them is a commodity traded on the open market to a degree that there has just been an increasing demand to have greater safeguards on their data.
And those greater safeguards on European citizen data give them greater confidence in the market, in the electronic market that the world economic market has become. So that the two pillars, which we’ll get to, or the two tenets are Privacy by Design and accountability by design … we’ll get to a lot of things but that’s a synopsis on it.

Mike: I was curious about to what extent this was targeting enterprises or is it targeting, say like you brought up Facebook, which I consider an application, like a web application service. Was there an intent behind this, that it’s targeting more one or the other?

Andy: Yeah. It’s definitely, I would say, consumers. I mean it’s really very consumer-oriented.

Dietrich: Mike, do you mean in terms of it’s targeting the consumers? Yes, it’s consumer data. It’s related to but do you mean in terms of the types of businesses where it’s most applicable? Is that what you mean Mike?

Mike: Well, you know, there is a decision-making framework that, so now with GDPR as the Data Protection Directive to need to make decisions, that I’m building an application, I’m going to need to have new privacy features. We talked about Privacy by Design which has its own sort of tenets. Or I’m building out the policies for my company which has satellite offices all over the world and some of them happen to be in the EU. Just trying to look at the impact and look at how this should change my decision making on the business.

Dietrich: Well, it’d be cynical. I’d say if you want to avoid it totally and entirely, just don’t sell to an EU citizen.

Rob: Yeah, I think, to answer your question, Mike, the Facebooks of the world and these global web services are going to have to worry about it if they are collecting data. And we all know Facebook not only collects the data that you give them but it also ascertains data through your actions.
And I think that’s what Andy was talking about is that it’s not just the ability to click a button and say give me my profile data back now so I can take it with me. It’s like I put that data in but I think what the GDPR is aiming to do is give you back the data that they’ve gathered on you from other sources. So tell me everything you know about me because I want to know what you know about me. And that’s, I think, a very important thing. And I really hope that the US goes in that direction. But outside of those web services, think about like any bank that serves an EU customer. So any bank, any healthcare organization, so other businesses outside of these big global web services certainly do have to worry about it, especially if you look in your customer database or any kind of…if you are a retailer, your transaction database, and you have information that belongs to EU citizens then this is something that you should at least be thinking through.

Who will be tasked to implement GDPR?

Cindy: So who needs to really pay close attention to the law so that you are executing all the requirements properly?

Dietrich: Who needs to pay attention to it in terms of those organizations and scope? It’s pretty well spelled out that the organizations who deal with, who transfer, who process big things on processing and doing this information associated to European citizens. So if I backtrack a bit, it was where we are starting with the portability of the data, the information that we have, that organizations have on individuals and those subject access requests, right to erasure, kind of the first and foremost is the protection element. Making sure that the data is protected, that we are not…organizations aren’t putting us at risk by the fact that they are holding our data and making that overexposed.

Kilian: To kind of address the question more technically speaking, I think … everybody involved in the process needs to pay attention to it.
From the people designing the app, Mike, if you want to launch your business, you need to realize that there are…boundaries are kind of made up anymore with technology. So right from the beginning, we’ll talk about Privacy by Design. But that needs to be the first step, all the way up to the CEO of the company or the board realizing that this is a global marketplace. So they want to get the most amount of customers, so they have to take it seriously.

Andy: Yeah, I was going to say that they do have a heart at the EU … and they do make an exception … there is some language for making exceptions for smaller businesses or businesses that are not sort of collecting data on, what they say, like on a really large scale–whatever that means! What you are saying is all true but I think they do say that they will sort of scale some of the interpretations for smaller businesses so the enforcement is not as rough. And there may even be an exclusion, I forget, for under 250 employee companies. But I think you are right. This is really meant for the, especially with the fines, it’s really meant to get to C-Level and higher executives’ attention.

What’s the first step you need to take when implementing GDPR?

Cindy: So if you are a higher up or someone responsible for implementing GDPR, what’s the first step you need to look for and so you don’t miss any deadlines, so that you are planning ahead?

Andy: I think we had to talk about this the other day. I’ve actually talked about it with Dietrich. Some of this is really, I’d say, like common IT sense and that if you are following any kind of IT best practices and there are a bunch of them or some standards, you are probably like 60 or 70% there, I think. I mean if you are, let’s say you are handling credit card transactions and you are trying to deal with PCI DSS or you are following some of the– forget what they call — the SANS Top 20 … So maybe I’ll say it’s sort of like putting laws around some common sense ideas.
But I realize the executives don’t see it that way.

Kilian: Yeah. I think the first thing you have to do is figure out if you have that data, to begin with, or where it’s at. I mean the common knowledge is you probably do. If you do some type of commerce or interact with anybody really, you are going to store some information. But kind of nailing down where it’s at or where it might be is I think the key first step.

Dietrich: And in terms of deadlines, I suppose to answer your question very directly, the deadline is May 25th, 2018, is when it comes into full force. That is the, I wouldn’t say it’s fast approaching. We still have 23 months. …

Dietrich: I’ve got a clock on my laptop right there. Deadline to GDPR.

Data Breach Notification

Cindy: So there is also a data breach notification. What does that process entail? Like how do you get fined and how do you know that personal data has been lost or breached? What’s defined as personal data? Because there is a difference between leaking like company ID, company IP versus leaking personal data.

Andy: Actually I happen to have the definition right in front of me. So it’s any information related to a person. And in particular, it can be…so it says an “identifiable person is one who can be identified directly or indirectly in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier”. So it’s really, I guess what we would call in the US, PII [personally identifiable information], but it’s broad. It’s not just a strict list of social security numbers or specific account numbers. Those are examples of the types of identifiers. So it’s very broad but it has to relate back to a person and they do consider the online identifiers as “relatable to a person”.

Brexit and GDPR

Cindy: And kind of I can’t help but ask Dietrich, will Brexiters be exempt from GDPR?

Dietrich: No. Not at all. So, first off, yes. A week ago today, we cast our votes.
And then a week ago tomorrow it was found out that yes, in fact, we are leaving the European Union. So the reality of that is we haven’t invoked Article 50. So Article 50 is that yes, we are definitely doing it. We are doing it and then we have 24 months for them to get the heck out of the European Union. The starting of that clock isn’t likely to happen for some time. For one David Cameron, who is currently our prime minister, is stepping down…has stepped down. We have to wait. He said, “I’m not going to invoke. I’m going to let somebody else handle not only that process of invoking Article 50 but in addition to that, negotiating the trade policies and all the things associated with the exit.” In addition to all the things associated with the exit is the adoption or exclusion of a lot of the European directives, GDPR being one. So we could just sit there and not only, so if you take that time scale that will come into play if Article 50, and there are some questions on the legality of the referendum, which I won’t go into in detail but there is a lot of debate going on at the moment that we voted leave if it’s actually something that will happen. If it happens, and let’s say it will, the time scale of that activity is likely to be well after GDPR is in effect. And if GDPR does come…sorry, and even if we leave and the likelihood as in the democratic country in which we live, we have cast a vote that we will leave, we could still take on GDPR as our own. We have our own Data Protection Act here in the UK. We could just bump it up with GDPR at a stroke of a pen. And that’s quite likely considering we are debating in negotiation. We will negotiate for, hopefully, as free trade as we can do within the European Union and I’m sure that will be…it would make sense that that would be a dependent clause.

Andy: And I was going to say, it looks like if you’re…since the UK has to trade with the EU, the EU countries are going to put in higher standards for e-commerce transactions.
Dietrich: Yeah. They are our biggest trading partner. I believe and don’t quote me on this but I could be wrong. I think it’s 54, 54% of our exports go to the EU. And likewise, we are one of the biggest trading partners for France, for Germany, etc.

Territorial Scope

Cindy: So, the US, we trade with the EU and the…

Dietrich: Do you? (sarcasm)

Cindy: I’m really talking about territorial scope. And I’m curious if I start a business or Mike starts a business, we talked about this earlier, how will I…what’s the law in terms of me needing to protect an EU consumer’s personal data? That’s a little controversial. Go ahead Dietrich.

Dietrich: Can I give you some examples on this? In the last 48 hours, I have purchased a flight from Southwest Airlines, United Airlines, I’m a European citizen. I have purchased a backpack from some random site that’s being shipped to my father. Look, I hope I’m not debt dipping myself in tax loss but anyway, you know what I mean. As a European citizen, I’m going to be in the States for three weeks as of next week. So I’m a European citizen who is going to be transacting, who is going to be purchasing stuff over there. So, considering the freedom of movement that exists, the small world in which we live where European citizens regularly travel to the US, regularly buy from sites online, I can’t see how the border is going to make any difference. Most, if not, I’d say the vast majority of organizations in the US will deal with European citizens and therefore at least for that subset of data related to European citizens, they will be…they’ll have to put in controls if they want to carry on trading with European citizens.

Cindy: Go ahead, Mike.

Mike: Well, I was trying to think of parallels to this.
And there is one that I think a lot of people are aware of which is like the Cookie Law which is, there were some European directives around like you should have, like if you land on a website, sometimes you see those banners at the bottom that say this website uses cookies and then click to, which came out of a similar thing. That’s really only been European websites that are doing that, but that’s sort of a half step into this. I just wonder if that shows a model for how this is going to be adopted so that it’s only the very strictly EU sites.

Andy: Yeah. I think that was, that came out of, I forget, it may have been the Data Protection Directive but you’ve got to gain consent from the consumer and they apply it to cookies, accepting cookies. So you do see that on a lot of the EU sites, that’s right.

Mike: It just seems very odd because there is no…it doesn’t seem like it will improve things. It just seems like, yeah, we are getting cookies off you so here is this giant banner that gets in the way.

Andy: Will they ever click no?

Mike: Well, what’s interesting is that I don’t think I’ve ever actually seen like, “Yeah, no, don’t collect my cookies.” It just says like, “Hey, we are doing this so accept it or leave.” You are on my website now, so probably with a French accent.

Tension between Innovation and Security

Cindy: So in terms of, we talked about the cookie law, we’re talking about the GDPR. If you are a CEO and you know that there is a potential risk of anything really, and let’s say data breach, if something happens, they’re often asking, “okay, higher ups, can we work through this? Will our companies survive?” It sounds like people don’t like to be strong-armed into following certain laws. Like if I’m an entrepreneur, I’m going to come up with an idea. And the last thing I would want is like, oh, I have to follow privacy by design. It’s annoying.

Rob: Yeah. I mean it’s a push and pull between innovation and security. You see this with all sorts of things.
You know, Snapchat is famous for its explosive growth, hundreds of millions of active users a day. And in the beginning, they didn’t pay attention to security and privacy. They kind of consciously put that on the back burner because they knew it would slow their growth. And it wouldn’t have mattered as much if they never became a giant company like they are today. But then it came back to bite them, like they’ve had multiple situations where they’ve had data breaches that they’ve had to deal with and I’m sure devote a lot of resources to recovering from, not only on the technical side of things but also on the legal and PR side. So it is a push and pull but we see it in varying degrees everywhere. Look what Uber is doing as they expand into different markets and they have to deal with all of the individual regulations in each state that they expand to, each country. And they would love to just close a blind eye and focus on improving their technology and recruiting new drivers and making their businesses a success. But the fact of the matter is — and the EU is way out in front of everybody else on this — is that somebody has to look out for the customers. Because we just see it over and over again where in the US, it’s almost like flipping. Like we see these massive breaches where people’s healthcare information is exposed on the public web or their credit card numbers get leaked or God knows what kind of information. And it just doesn’t ever feel like there is enough teeth to make organizations really assess their situation. Like every time I apply– and I don’t do this very often, thank God!–apply for a mortgage in the US, the process, it scares me. You have to email sensitive information to your mortgage broker in plain text. They are asking for PDFs, scans of your bank account. 
And where that information goes, you’re just not that confident in a lot of these companies that they are actually looking at information and putting it in sensitive secure depositories, monitoring who has access to it. It’s just…without this regulation, it would be…without regulations like GDPR, it would be way worse and there would be no one looking after us.

Kilian: You actually kind of beat me to the point I was going to make there Rob by a couple of sentences. But, you know, fine. The businesses don’t like being strong-armed but the consumers don’t like having their entire lives aired out on the Internet. And I think you are 100% right there. It is a pain in the butt in some cases for innovation, but we keep going back to it or I will but Privacy by Design. You don’t have to make an and/or decision. If you start with that mind to begin with you can achieve both things. You can still achieve massive growth and avoid some of the problems instead of trying to patch up the holes later on.

Dietrich: One thing in terms of the strong arm, in terms of the regulatory fatigue that organizations get, I have been dealing with organizations for some time and it seems that regulations are at points that the external world makes organizations focus on the only things they will focus on. And this is important. It’s important for us. I mean I kind of like…I don’t kind of like. I quite like the intent of the regulation. It’s down to protect me. It’s not something that’s esoteric. It’s something that’s quite explicit to protect more information. And if it requires a regulation for them to take heed and pay note and to get over the fact that regardless if they have been ignoring data breaches in the past, to do so in the future may cost them more than it had, then that’s probably a good thing.

Andy: I was just going to say that one of the, like the one word they use in a lot of the law is just it has to do with Privacy by Design. It’s just minimize.
I think if you just show that you’re aware of what you are collecting and trying to minimize it and minimizing what you collect, put a time limit on the data that you do collect, the personal data, in other words, if you’ve collected it and processed it and you no longer have a need for it, then get rid of it. It seems common sense and I think they want the companies to be thinking along these lines of, as I say, just minimize. And that shouldn’t be too much of a burden, I think. I don’t know. I mean I think as Rob was saying, some of these web companies are just going crazy, collecting everything, and it comes out to sort of bite them in the end.

Mike: And this is me being cynical but I wonder if this is going to be a new attack vector. If there is like an easy way to get all your information out of Facebook, then that’s the attack vector and you just steal everyone’s information through the export feature. I don’t know if anyone else saw there is a thing that you could hijack someone’s Facebook account by sending in a faxed version of your passport. That was a means by which they would reset your password if you couldn’t do anything else and you lost access to it. They are like, “Well, this whole rigamarole, but fax in your passport,” and so people were doing that as a…I think it’s good intentions. I just wonder about the actual implementation, like how much of a difference it will actually make.

Rob: Yeah, and I think you are right Mike that the execution is everything in this. With these regulations, we see it with failing PCI audits. PCI auditors that are checking boxes. And having worked for a software company that, in a previous job, that did retail software and was heavily dependent on collecting credit card information from certain devices and terminals and keyboard swipes and all sorts of things and gone through a PCI audit, knowing that there were holes that weren’t done by the auditors, it’s all about the execution.
It’s all about following through on best practices for data security. And the regulation itself isn’t going to make you excellent at security.

Tips on Protecting Customer Data

Cindy: So if I’m trying to catch up… in terms… if I am not following PCI or if I am not following the SANS top 20, which is now renamed to something else like Critical Security Controls… so what are some of the things that I can start with in terms of protecting my customers’ data? Any tips?

Rob: Well I mean one thing and Andy kind of touched on this is don’t collect it if you don’t have to. I think that’s the number one thing. I mean certain services out there actually make it easy for you not to touch your customers’ data. For instance, Stripe, which is a pretty popular payment provider now, if you are collecting payment information on the web from customers, you should never know their credit card number. It should never hit your servers. If you’re using something like Stripe, it basically goes from the web form, off to Stripe and you get at most the last four digits and maybe the expiration number. But as a business, you never have to worry about that part of their profile, that sensitive data. So to me, start with asking that question of what do we actually have to have. And if we don’t need it, get rid of it and let’s look at all of our data collection processes, whether it’s by paper form or web form or API, whatever the method is and decide what can we ax to just cut out the fat. Like we don’t want to have to hold your information if we don’t have to. Now, failing that, I know a lot of companies cannot do that, like Facebook’s business is knowing everything about everybody and the connections. And so in that situation, it’s a little bit different.

Cindy: It’s hard because what if I’m a company and I just what if I’m a hoarder? Like I hoard my…I live in New York, my studio is tiny, what if I like to hoard? And it’s kind of like you are digitally hoarding stuff. And ….
storage is cheap, why not get more? What would you say to a digital hoarder in terms of I might need this information later?

Rob: I would say stop. Stop doing that! There are data retention policies that prevent you from doing that that you can implement. It’s an organization culture thing, I think. Some organizations are great at data retention, others are hoarders. It’s just bad data protection.

Dietrich: Greater data retention and hoarders. We’d love to retain data. Most of the organizations we’ve talked to love to retain data. It’s nice having something to get in that stick which sits there and goes, just get rid of it. I talk to organizations now and I’ll go finally this is being implemented in such a way that we actually can go back to the business. Who doesn’t want the data deleted? It’s usually people in the business who say I may, at some time in the future, need that document that I created 15 years ago. Well not if it has anything related to an individual associated with it. In that case, you can only keep it for as long as it is a demonstrable requirement to have that. So I think it’s something at that level, which should be welcomed by organizations, not unless they are really…I mean my wife’s a bit of a hoarder. If she was running a business, she would definitely have many petabytes of information. But related to individuals, it would give me the excuse to throw it out when she isn’t looking.

Andy: Right. I was going to add that the GDPR says, I mean yes, you can collect the data, you can keep it, but I think there is somewhere that says that you have to put a time stamp on it. You have to say, “This is the data I have and, okay,” if it’s five years or ten years, but put some reasonable time stamp on this data and then follow through. So sure, collect it. But make sure it has a shelf life on it.

Final Thoughts

Cindy: Any final thoughts before we wrap up? Silence, I love it.
Mike: I was on mute, so I was talking extremely loudly while no one heard me. I was going to say my final thought was that, we kind of started this with Andy saying that a lot of this was common sense IT things. And I think that’s probably the biggest takeaway. The thing to do immediately is to, I think, just do an audit of all of your data. That’s just good practice anyway. If you don’t have that at hand, you should start doing that. Whatever the regulations are, whatever your situation, it’s very, very hard to think of a situation where that wouldn’t be to your advantage. So I think that’s the first thing and most immediate thing any company should do.

Dietrich: That’s a very good point and something that also, related to GDPR, is the point within GDPR in terms of the data breach impact disbursements. That’s also understanding what you have, making sure that you have the appropriate controls around it. So that’s just understanding, going through that audit directly helps you for GDPR.

Upcoming Webinars: July 21st English, July 28th German and French

Cindy: Rob, you mentioned there is a webinar on GDPR. When can people tune in? …

Mike: Rob told me there was a barbecue at his house for the next GDPR meeting. Just come on over, we’ll talk European regulations, smoke some brisket.

Cindy: I need some help from people de-hoarding my studio. First, I need to go home and change all my passwords because I have a password problem. Now you all know I’m a hoarder.

Mike: This is just leading up to you having your own Lifetime television series, I mean.

Cindy: That will be exciting.

Mike: I’d watch it.

Cindy: It will be Tiger Mom, 2.0.

Rob: So yeah, so we’re having a webinar on July 21st in English and we are having another one on July 28th in German. So for anybody that’s interested in the GDPR, we are also doing it on the 28th in French.
So we are having multiple languages for you and they can go to varonis.com and just search for GDPR in the upper right-hand corner and you should be able to find the registration form.

Cindy: Thanks so much, Rob.

Dietrich: Whether you speak it or not. Yeah, fantastic.

Cindy: Thank you so much Mike, Rob, Kilian, Dietrich, and Andy. And thank you to all our listeners and viewers for joining us today. If you want to follow us on Twitter and see what we are up to, you can find us @varonis, V-A-R-O-N-I-S. And if you want to subscribe to this podcast, you can go to iTunes and search for the Inside Out Security show. There is a video version of this on YouTube that you can subscribe to on the Varonis channel. And thank you and we’ll see you next week. Bye guys.

Join us Thursdays at 1:30 ET for the live show on YouTube. The post GDPR – IOSS 13 appeared first on Varonis Blog.
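Three of the practical points made in the discussion above translate directly into something an engineer can run: Rob's "don't collect it if you don't have to", Andy's "put a shelf life on it", and Mike's "do an audit of all of your data". The Python below is an added example and is not code from the Varonis show or its hosts. It keeps a small data inventory of constructed records, each tagged with the purpose it was collected for and a retention period; it flags free-text fields holding identifiers (email addresses, phone numbers, Luhn-valid card numbers) that the inventory never declared as personal data, and it returns the records whose retention period has run out or was never set. The record layout, the DECLARED map, the regular expressions and all retention periods are assumptions made for the example.

```python
import re
from datetime import date, timedelta

# Constructed data inventory for the example: one entry per stored record.
# "collected" is when the data was captured; "retention_days" is the shelf
# life the business justified for that purpose (None = nobody ever set one).
# Every value here is invented.
RECORDS = [
    {"id": 1, "purpose": "order_fulfilment", "collected": "2015-12-01", "retention_days": 180,
     "fields": {"email": "a.customer@example.com", "note": "Leave parcel with neighbour"}},
    {"id": 2, "purpose": "order_fulfilment", "collected": "2016-06-20", "retention_days": 180,
     "fields": {"email": "b.customer@example.com", "note": "Call +44 20 7946 0000 before delivery"}},
    {"id": 3, "purpose": "support_ticket", "collected": "2015-03-05", "retention_days": 365,
     "fields": {"summary": "Card 4111 1111 1111 1111 declined twice"}},
    {"id": 4, "purpose": "newsletter", "collected": "2016-06-01", "retention_days": None,
     "fields": {"email": "c.customer@example.com"}},
]

# Fields the inventory declares as holding personal data, per purpose (assumed).
DECLARED = {
    "order_fulfilment": {"email"},
    "support_ticket": set(),
    "newsletter": {"email"},
}

PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+?\d[\d ()-]{8,}\d"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits of `number`; weeds out random digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_identifiers(text: str) -> dict:
    """Return {kind: [matches]} for personal identifiers found in free text."""
    found = {}
    cards = [m.group().strip() for m in PATTERNS["card"].finditer(text) if luhn_ok(m.group())]
    if cards:
        found["card"] = cards
    emails = PATTERNS["email"].findall(text)
    if emails:
        found["email"] = emails
    # A card number also satisfies the phone pattern; do not report it twice.
    phones = [m.group() for m in PATTERNS["phone"].finditer(text)
              if not any(m.group() in c for c in cards)]
    if phones:
        found["phone"] = phones
    return found


def undeclared_identifiers(records) -> dict:
    """Map record id -> {field: kinds} for identifiers sitting in fields the
    inventory never declared as personal data (the 'we did not know we had it' case)."""
    findings = {}
    for r in records:
        declared = DECLARED.get(r["purpose"], set())
        for field, value in r["fields"].items():
            if field in declared:
                continue
            kinds = find_identifiers(value)
            if kinds:
                findings.setdefault(r["id"], {})[field] = sorted(kinds)
    return findings


def retention_review(records, today_iso: str):
    """Return (ids past their shelf life, ids with no shelf life at all)."""
    today = date.fromisoformat(today_iso)
    expired, unbounded = [], []
    for r in records:
        if r["retention_days"] is None:
            unbounded.append(r["id"])
        elif date.fromisoformat(r["collected"]) + timedelta(days=r["retention_days"]) < today:
            expired.append(r["id"])
    return expired, unbounded


if __name__ == "__main__":
    print("undeclared identifiers:", undeclared_identifiers(RECORDS))
    print("expired / no retention period:", retention_review(RECORDS, "2016-07-01"))
```

Run against the constructed inventory as of 2016-07-01, it reports record 2 (a phone number hiding in a delivery note) and record 3 (a card number pasted into a support ticket) as undeclared personal data, records 1 and 3 as past their shelf life, and record 4 as never having been given one. The card pattern is gated by the Luhn check so arbitrary runs of digits are not reported, and card matches are removed before the phone pattern is applied so the same number is not counted twice.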
SANS Top 20 Critical Security Controls 13-16 The SANS Top 20 Critical Security Controls are an industry and (for the most part) vendor neutral set of controls that organizations ... The post SANS Top 20 Critical Security Controls 13-16 first appeared on Advanced Persistent Security.
SANS Top 20 Critical Security Controls 9-12 The SANS Top 20 Critical Security Controls are an industry and (for the most part) vendor neutral set of controls that organizations ... The post SANS Top 20 Critical Security Controls 9-12 first appeared on Advanced Persistent Security.
SANS Top 20 Critical Security Controls 5-8 The SANS Top 20 Critical Security Controls are an industry and (for the most part) vendor neutral set of controls that organizations ... The post SANS Top 20 Critical Security Controls 5-8 first appeared on Advanced Persistent Security.
SANS Top 20 Critical Security Controls 1-4 The SANS Top 20 Critical Security Controls are an industry and (for the most part) vendor neutral set of controls that organizations ... The post SANS Top 20 Critical Security Controls 1-4 first appeared on Advanced Persistent Security.
When you're working with network infrastructure, there's a real need for proper configuration management, as well as a proper baseline to work from. Mr. Boettcher and I continue through the SANS Top 20 Critical Security Controls. #10 and #11 both deal with network infrastructure: proper patching and secure baselines so the devices are as hardened as possible, because your company's security structure needs to be a 'brick', not an 'egg'.
We continue our trek down the list of SANS Top 20 Critical Security Controls this week with #12 and #13 - Boundary Defense, and Controlled Use of Administrative Privileges. Learn what you can do to shore up your network defenses and how to handle admin privileges: when to give that kind of access, and how to make privileged access as secure as possible while still allowing administrators to do their work. https://www.sans.org/media/critical-security-controls/CSC-5.pdf http://www.openspf.org/ https://4sysops.com/