
Thursday, March 29, 2018

I recently posted the below on the SANS Internet Storm Center.

The CIS Controls serve as a “prioritized set of actions to protect your organization and data from known cyber attack vectors.” Several organizations that have adopted them, as outlined in the Case Studies section, report significant improvements to their cyber security programs; those accounts can serve as inspiration to consider this approach to effective cyber defense.
Version 7 of the CIS Controls was recently released. This work reflects the engagement of many volunteers who helped shape the update. The seven principles that guided the key changes to the CIS Controls are listed below.

1. Improve the consistency and simplify the wording of each sub-control
2. Implement "one ask" per sub-control
3. Bring more focus on authentication, encryption, and application whitelisting
4. Account for improvements in security technology and emerging security problems
5. Better align with other frameworks (such as the NIST CSF)
6. Support the development of related products (e.g. measurements/metrics, implementation guides)
7. Identify types of CIS controls (basic, foundational, and organizational)

Have you implemented the CIS Controls? If so, please share some of your experiences in our comments section. If not, consider reviewing the references below to learn more about how they could help you.
Center for Internet Security
CIS Controls
CIS Controls Version 7 – What’s Old, What’s New
Watch Launch Event Video
CIS Controls Version 7 Measures & Metrics
CIS Controls Version 7 Change Log

Russell Eubanks

Thursday, February 22, 2018

I recently posted the below on the SANS Internet Storm Center.

The Center for Internet Security (CIS) has been working diligently to update the CIS Controls (formerly known as the Critical Security Controls). A compelling feature of the CIS Controls is their regular updates, which reflect the current cyber threats facing organizations both small and large. The CIS Controls are the product of a truly global collaboration. “The CIS Controls have always been the product of a global community of adopters, vendors, and supporters, and V7 will be no exception,” said Tony Sager, CIS Senior Vice President and Chief Evangelist for the CIS Controls.

CIS is providing an opportunity to participate in the CIS Controls Version 7 release event that takes place March 19 in Washington, D.C., with options to either attend in-person or remotely via live stream. If you have not yet applied the CIS Controls in your environment, the release event can serve as the catalyst you need to consider them as an integral part of your cyber roadmap!

Russell Eubanks
ISC Handler
SANS Instructor

@russelleubanks

Saturday, October 7, 2017

CIS Controls Implementation Guide for Small- and Medium-Sized Enterprises

I recently posted the below on the SANS Internet Storm Center.

Recently the Center for Internet Security (CIS) released the CIS Controls Implementation Guide for Small- and Medium-Sized Enterprises (SMEs). The Implementation Guide maps directly to the CIS Critical Security Controls and focuses on actionable steps that can be taken right now to assess and improve cyber security posture and preparedness, particularly in small and medium-sized enterprises. A webinar with some of the team members who helped develop the Implementation Guide was recently recorded.

The guide focuses on three key areas:
  • Know your environment
  • Protect your assets
  • Prepare your organization

I especially like the questions that are provided in the Implementation Guide:
  • Do you know what is connected to your computers and networks?
  • Do you know what software is running on your systems and networks?
  • Do you set up your computers with security in mind?
  • Do you manage who has access to sensitive information or who has extra privileges?
  • Is your staff clear about their role in protecting your organization from cyber incidents?

When reviewing these questions, especially for the first time, you may not like your answers very much. I encourage you to use your answers as motivation to apply focused attention to achieve better answers over the next 30 days. No matter the size of your enterprise, I believe there is something in the Implementation Guide for you!
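The first two questions above are the asset and software inventory controls (CIS Controls 1 and 2). The script below is an added example of how a small shop can start answering them with tools it already has; it is not from the Implementation Guide or the ISC diary. It reconciles a constructed sample of Linux `arp -an` output and `dpkg-query` output against a hypothetical authorized inventory, flagging devices seen on the wire that nobody has recorded, inventoried devices that did not show up, and installed packages outside the approved list. The MAC addresses, hostnames and package lists are constructed placeholders.

```python
"""Reconcile what is actually on the network and on a host against an
authorized inventory (CIS Controls 1 and 2). Added example; the sample
command output and the inventory values below are constructed."""
import re

# Constructed: MAC -> asset name, as an authorized hardware inventory might hold it.
AUTHORIZED_HOSTS = {
    "aa:bb:cc:00:00:01": "fileserver01",
    "aa:bb:cc:00:00:02": "wkstn-alice",
    "aa:bb:cc:00:00:03": "printer-2f",
}

# Constructed: the approved software list for this host class.
APPROVED_SOFTWARE = {"openssh-server", "nginx", "postgresql", "libreoffice"}

# Constructed sample of `arp -an` output on Linux. The last line is the
# <incomplete> form ARP emits for an address it could not resolve.
ARP_SAMPLE = """\
? (10.0.1.10) at aa:bb:cc:00:00:01 [ether] on eth0
? (10.0.1.23) at aa:bb:cc:00:00:02 [ether] on eth0
? (10.0.1.77) at de:ad:be:ef:00:99 [ether] on eth0
? (10.0.1.1) at <incomplete> on eth0
"""

# Constructed sample of `dpkg-query -W -f='${Package}\t${Version}\n'` output.
DPKG_SAMPLE = """\
openssh-server\t1:9.2p1-2
nginx\t1.22.1-9
teamviewer\t15.40.8
postgresql\t15+248
"""

ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.I)


def parse_arp(text):
    """Return {mac: ip} for resolved entries; <incomplete> lines are skipped."""
    hosts = {}
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            hosts[m.group("mac").lower()] = m.group("ip")
    return hosts


def parse_dpkg(text):
    """Return {package: version} from tab-separated dpkg-query output."""
    pkgs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, version = line.partition("\t")
        pkgs[name.strip()] = version.strip()
    return pkgs


def unknown_hosts(observed, authorized):
    """Devices seen on the segment that are not in the inventory -> [(mac, ip)]."""
    return sorted((mac, ip) for mac, ip in observed.items() if mac not in authorized)


def missing_hosts(observed, authorized):
    """Inventoried devices that were not seen: offline, moved, or stale inventory."""
    return sorted(name for mac, name in authorized.items() if mac not in observed)


def unapproved_software(installed, approved):
    """Installed packages that are not on the approved list."""
    return sorted(p for p in installed if p not in approved)


def report(arp_text=ARP_SAMPLE, dpkg_text=DPKG_SAMPLE):
    """Run all three checks and return the findings as a dict."""
    observed = parse_arp(arp_text)
    installed = parse_dpkg(dpkg_text)
    return {
        "unknown_hosts": unknown_hosts(observed, AUTHORIZED_HOSTS),
        "missing_hosts": missing_hosts(observed, AUTHORIZED_HOSTS),
        "unapproved_software": unapproved_software(installed, APPROVED_SOFTWARE),
    }


if __name__ == "__main__":
    for finding, items in report().items():
        print(f"{finding}: {items}")
```

To use it for real, feed `report()` the captured output of `arp -an` and `dpkg-query -W -f='${Package}\t${Version}\n'` instead of the samples. Two caveats a practitioner should keep in mind: the ARP cache only shows hosts on the local segment that have recently talked to the collecting machine, so run it from a host on each VLAN (or use DHCP leases or switch MAC tables) before trusting the "missing" list; and a MAC address is trivially spoofed, so this is an inventory hygiene check, not an access control.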

Russell Eubanks

Friday, September 22, 2017

What is the State of Your Union?

What if you, as an information security leader, held an information security State of the Union address with the explicit purpose of educating both your leaders and business partners on your information security program and its areas of focus for the next year? Communicating with those outside our field is certainly a challenge; however, the benefits outweigh the effort in several ways.

By being intentional about sharing the state of your security union, you not only deliver the status of your program but also equip your leaders with information they can, quite literally, share in rooms your team is not able to attend.

What should you consider including?
* The effectiveness of your program
* Opportunities to improve your program
* Recent achievements
* Stewardship of your resources
* How your team supported the objectives of your organization
* Actions you would like others to take
* A clear call to action for leaders to increase support, funding, and staffing
* An opportunity to receive feedback

How are you communicating the State of Your Security Union? Please leave what works in our comments section below.

Russell Eubanks