
Sunday, October 18, 2015

Security Awareness for Security Professionals

I recently posted the below on the SANS Internet Storm Center.

During Cyber Security Awareness Month (CSAM), we develop campaigns for our coworkers that encourage them to stop clicking on links and reusing their passwords. These are good reminders for us as information security professionals, even though we focus on these topics during the other 11 months of the year.

Is it possible that we too can improve our security awareness during this month? Can we as security professionals use this time to “sharpen our saw” and do things that can increase our awareness of our information security programs?

One very non-technical event caused me to consider this topic. My son found his old bicycle in the garage recently and wanted to ride it in the neighborhood. As he was getting up to speed, he suddenly and unexpectedly realized the handlebars had become disconnected. He had a firm grip on what he needed to successfully control the bike, but the handlebars were no longer effectively controlling his navigation.

With that example in mind, how aware are you of the effectiveness of your information security program? What systems do you have in place to let you know when your security posture changes? What reminders and automation do you need to create that will increase your awareness before you blindly depend on your tools? By dedicating what is sometimes only marginal effort, you can develop near-real-time awareness capabilities that will confirm the effectiveness of your information security program.

Below are just a few examples where increased security awareness would be very helpful to you as an information security professional.

  •  Ensure the running configurations on your network equipment have not changed
  •  Ensure you know within a few minutes when a new administrative account is added
  •  Ensure you know within a few hours if a device stops sending logs to your syslog server
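As an added illustration (not code from the post), the three checks above as small Python functions run over constructed sample data: every hostname, config line, hash and syslog event is made up, and the Windows event 4728 "member added to group" text is an assumed form of what a domain controller forwards over syslog.

```python
import hashlib
import re
from datetime import datetime, timedelta

# Constructed sample data (not from the post or any real network): approved
# config hashes, configs pulled now, and syslog lines "<ISO time> <host> <msg>".
BASELINE_HASHES = {
    "core-sw1": hashlib.sha256(b"hostname core-sw1\nntp server 10.0.0.5\n").hexdigest(),
    "edge-fw1": hashlib.sha256(b"hostname edge-fw1\nlogging host 10.0.0.9\n").hexdigest(),
}
CURRENT_CONFIGS = {
    "core-sw1": b"hostname core-sw1\nntp server 10.0.0.5\n",
    "edge-fw1": b"hostname edge-fw1\nlogging host 10.0.0.9\nsnmp-server community public RW\n",
}
EXPECTED_LOG_SOURCES = {"core-sw1", "edge-fw1", "dc01", "vpn-gw1"}
SYSLOG_LINES = [
    "2015-10-18T06:00:00 core-sw1 %SYS-5-CONFIG_I: Configured from console",
    "2015-10-18T11:10:00 edge-fw1 %ASA-6-302013: Built outbound TCP connection",
    "2015-10-18T11:55:00 dc01 Security: 4720 A user account was created: acct=jdoe",
    "2015-10-18T12:05:00 dc01 Security: 4728 A member was added to a group: group=Domain Admins member=jdoe",
]
NOW = datetime(2015, 10, 18, 12, 30)      # pretend "current" time for the demo
MAX_SILENCE = timedelta(hours=4)          # alert if a source is quiet this long

def config_drift(baseline, current):
    """Hosts whose running config no longer hashes to the approved baseline."""
    return sorted(h for h, cfg in current.items()
                  if hashlib.sha256(cfg).hexdigest() != baseline.get(h))

def silent_sources(lines, expected_hosts, now=NOW, max_age=MAX_SILENCE):
    """Expected hosts that have not sent a syslog message within max_age (or ever)."""
    last_seen = {}
    for line in lines:
        ts, host, _ = line.split(" ", 2)
        when = datetime.fromisoformat(ts)
        if host not in last_seen or when > last_seen[host]:
            last_seen[host] = when
    return sorted(h for h in expected_hosts
                  if h not in last_seen or now - last_seen[h] > max_age)

ADMIN_ADD_RE = re.compile(r"\b4728\b.*group=Domain Admins member=(\S+)")
def new_admin_members(lines):
    """Accounts added to Domain Admins (Windows event 4728 forwarded over syslog)."""
    return [m.group(1) for line in lines if (m := ADMIN_ADD_RE.search(line))]

if __name__ == "__main__":
    print("config drift:", config_drift(BASELINE_HASHES, CURRENT_CONFIGS))
    print("silent sources:", silent_sources(SYSLOG_LINES, EXPECTED_LOG_SOURCES))
    print("new admins:", new_admin_members(SYSLOG_LINES))
```

Scheduled every few minutes against real config pulls and the syslog collector, each non-empty list is a reason to check the handlebars before trusting the tools.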

What are you personally doing to make sure that you as a security professional are most aware of the things that matter the most? Use the comments field to share what works!


Saturday, October 17, 2015

CIS Critical Security Controls - Version 6.0

I recently posted the below on the SANS Internet Storm Center.



Right in the middle of Cyber Security Awareness Month (CSAM), the Center for Internet Security (CIS) released Version 6.0 of the CIS Critical Security Controls for Effective Cyber Defense. This update incorporates significant changes that represent the latest technologies and threats faced by information security professionals. The most notable changes to the CIS Critical Security Controls are listed below and discussed at length in the archived webcast.

  • A new Control for Email and Web Browser Protections
  • Deletion of the Control on Secure Network Engineering
  • Reordering of the Controls to make Controlled Use of Administration Privileges higher in priority

I believe this update positions the CIS Critical Security Controls to remain both an actionable and relevant framework for building and sustaining an effective cyber security program. Implementing them has been the catalyst for many organizations demonstrably improving their cyber security posture. With intentional planning and focus, you can too. The following are several steps you can take right now to start or continue on your journey.


What will you do differently at your organization as a result of this update? Use the comments field to share your feedback!

Russell Eubanks