This page is dedicated to increasing security awareness among the general population and the technology community.
It should be of interest to technologists, information security professionals and business management.
Direct access to security resources makes this page unique. Within a few clicks, you should have access to what you
are looking for. If you can't find what you need, feel free to contact me.
The resources listed on this page are updated roughly quarterly. To keep current, consider subscribing to my LinkedIn and Twitter accounts. The primary focuses are security resources, security news, industry trends and vulnerabilities.
This site does not accept sponsors or donations of any kind.
Security Awareness Programs
NIST 800-50: Security Awareness and Training Program
This NIST publication provides detailed guidance on designing,
developing, implementing, and maintaining an awareness and training
program within an agency's IT security program.
ENISA: A Users' Guide: How to Raise Information Security Awareness
This document illustrates the main processes necessary to plan,
organise and run information security awareness raising initiatives:
plan & assess, execute & manage, evaluate & adjust. Each process
is analysed and time-related actions and dependencies are identified.
The process modelling presented provides a basis for "kick-starting"
the scoping and planning activities as well as the execution and
assessment of any programme. The Guide aims to deliver a consistent
and robust understanding of major processes and activities among
users.
NIST 800-16: Information Technology Security Training Requirements (188 pages)
The overall goal for use of this document is to facilitate the
development or strengthening of a comprehensive, measurable, cost-effective
IT security program which supports the missions of the organization
and is administered as an integral element of sound IT management
and planning. Protecting the value of an organization's information
assets demands no less. This approach allows senior officials
to understand where, in what way, and to what extent IT-related
job responsibilities include IT security responsibilities, permitting
the most cost-effective allocation of limited IT security training
resources.
Building a Security Awareness Program - CyberGuard
Hackers, worms and viruses grab the headlines, but the real threat
often comes not from outside the organization but within. Social
engineering and unhappy employees pose very real risks to network
security. How do you address the problem? This article offers
a practical approach to setting up an effective security awareness
program that gets everyone in the organization on board.
Security Awareness Toolbox - The Information Warfare Site
The Security Awareness Toolbox contains many useful documents
and links. The Main Documents section was contributed by Melissa
Guenther. The Toolbox is a rich source of awareness material.
SANS Reading Room - Security Awareness Section
Most of the computer security white papers in the Reading Room
have been written by students seeking GIAC certification to fulfill
part of their certification requirements and are provided by SANS
as a resource to benefit the security community at large.
IIA Tone at the Top Awareness Newsletter
Mission: To provide executive management, boards of directors, and audit committees with
concise, leading-edge information on such issues as risk, internal control, governance,
ethics, and the changing role of internal auditing; and guidance relative to their roles
in, and responsibilities for the internal audit process.
Security Awareness Tips
Stop.Think.Connect.
The Stop.Think.Connect. Campaign is a national public awareness campaign aimed at increasing the
understanding of cyber threats and empowering the American public to be safer and more secure online.
Cybersecurity is a shared responsibility. We each have to do our part to keep the Internet safe. When
we all take simple steps to be safer online, it makes using the Internet a more secure experience for
everyone.
StaySafeOnline
The Internet is a powerful and useful tool, but in the same way that you shouldn't drive without
buckling your seat belt or ride a bike without a helmet, you shouldn't venture online without taking
some basic precautions.
National Institute for Cybersecurity Studies (NICS)
To make cybersecurity materials more readily-available, the government developed NICS. It serves as
a national resource for government, industry, academia, and the general public to learn about
cybersecurity awareness, education, careers, and workforce development opportunities.
SANS Securing The Human Program
The SANS Securing The Human Program provides everything your organization needs for an effective
security awareness program. This site includes free resources to make your security awareness
program a success, including project plans, awareness surveys and execution checklists.
Cyber Security Tips - US-CERT
Cyber Security Tips describe common security issues and offer advice for non-technical home and corporate
computer users. Although each one is restricted to a single topic, complex issues may span multiple tips.
Each tip builds upon the knowledge, both terminology and content, of those published prior to it.
Cyber Security Alerts - US-CERT
Cyber Security Alerts provide timely information about current security issues, vulnerabilities, and exploits.
They are released in conjunction with Technical Cyber Security Alerts when there is an issue that affects the
general public. Cyber Security Alerts outline the steps and actions that non-technical home and corporate
computer users can take to protect themselves from attack.
Security Awareness Tips - Gideon T. Rasmussen
Security tips are a key component of any awareness program. They should advise of best practices and
reinforce policy. These tips are written with the average person as the intended audience. The site randomly
displays information security tips. Companies can use it internally to educate their user community. The site
and script are free to download.
Security Awareness Posters
Information Assurance Awareness Posters - Information Warfare Site
These awareness posters were provided as a courtesy by Keesler Air Force Base. You may download the
posters and submit them to your graphics department to tailor to your organization's specifications. This page
includes links to posters on other sites as well.
Information Security Program
NIST Special Publication 800-100: Information Security Handbook: A Guide for Managers
This Information Security Handbook provides a broad overview of information security program elements
to assist managers in understanding how to establish and implement an information security program.
The purpose of this publication is to inform members of the information security management team
[agency heads, chief information officers (CIO), senior agency information security officers (SAISO),
and security managers] about various aspects of information security that they will be expected to
implement and oversee in their respective organizations. This handbook summarizes and augments a number
of existing National Institute of Standards and Technology (NIST) standard and guidance documents and
provides additional information on related topics.
CIS Critical Security Controls
The CIS Critical Security Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today's most pervasive and dangerous attacks. A principal benefit of the Controls is that they prioritize and focus a smaller number of actions with high pay-off results. The Controls are effective because they are derived from the most common attack patterns highlighted in the leading threat reports and vetted across a very broad community of government and industry practitioners. They were created by the people who know how attacks work - NSA Red and Blue teams, the US Department of Energy nuclear energy labs, law enforcement organizations and some of the nation's top forensics and incident response organizations - to answer the question, "what do we need to do to stop known attacks." That group of experts reached consensus and today we have the most current Controls. The key to the continued value is that the Controls are updated based on new attacks that are identified and analyzed by groups from Verizon to Symantec so the Controls can stop or mitigate those attacks.
The Controls take the best-in-class threat data and transform it into actionable guidance to improve individual and collective security in cyberspace. Too often in cybersecurity, it seems the "bad guys" are better organized and collaborate more closely than the "good guys." The Controls provide a means to turn that around.
Implementing Information Security: Risks vs. Cost - CyberGuard
Whether your organization is large or small, a thorough, detailed
information security plan should be part of your security formula.
This article provides some useful information on implementing
a viable plan that not only complies with government regulations,
but also reduces exposure to costly threats.
Security Maturity Models
ISO/IEC 21827:2008 Systems Security Engineering – Capability Maturity Model (SSE-CMM)
ISO/IEC 21827:2008 specifies the Systems Security Engineering - Capability Maturity Model (SSE-CMM), which describes the essential characteristics of an organization's security engineering process that must exist to ensure good security engineering. ISO/IEC 21827:2008 does not prescribe a particular process or sequence, but captures practices generally observed in industry. The model is a standard metric for security engineering practices covering the following:
The objective is to facilitate an increase of maturity of the security engineering processes within the organization. The SSE-CMM is related to other CMMs which focus on different engineering disciplines and topic areas and can be used in combination or conjunction with them.
Cybersecurity Capability Maturity Model (C2M2) Program
The C2M2 model, which is designed to be used by any organization to enhance its own cybersecurity capabilities, is publicly available and can be downloaded now. More information is available in the FAQs. For those organizations performing self-assessments, please refer to the C2M2 Facilitators Guide and request a free C2M2 toolkit.
Open Information Security Management Maturity Model (O-ISM3)
The Open Information Security Management Maturity Model (O-ISM3) is The Open Group framework for managing information security. It aims to ensure that security processes operate at a level consistent with business requirements. ISM3 is technology-neutral and focuses on the common processes of information security which most organizations share. As well as complementing the TOGAF model for enterprise architecture, ISM3 defines operational metrics and their allowable variances.
A Systems Engineering Capability Maturity Model
The Systems Engineering Capability Maturity Model (SE-CMM) describes the essential elements of an organization's systems engineering process that must exist to ensure good systems engineering. It does not specify a particular process or sequence. In addition, the SE-CMM provides a reference for comparing actual systems engineering practices against these essential elements.
This document provides an overall description of the principles and architecture upon which the SE-CMM is based, an overview of the model, the practices included in the model, and a description of the attributes of the model. It also includes the requirements used to develop the model.
Security Metrics
California Cybersecurity Maturity Metrics
The California Cybersecurity Maturity Metrics capture many of the National Institute of Standards and Technology (NIST) Cybersecurity Framework sub-categories, and a majority of the Foundational Framework (SIMM 5300-B). The metrics are reflective of NIST Cybersecurity Framework (CSF) categories: Identify, Protect, Detect, Respond, and Recover.
NIST SP 800-55: Performance Measurement Guide for Information Security
This document is a guide to assist in the development, selection, and implementation of measures to be
used at the information system and program levels. These measures indicate the effectiveness of security
controls applied to information systems and supporting information security programs. Such measures are
used to facilitate decision making, improve performance, and increase accountability through the collection,
analysis, and reporting of relevant performance-related data, providing a way to tie the implementation,
efficiency, and effectiveness of information system and program security controls to an agency's success
in achieving its mission.
Dan Geer's Measuring Security Tutorial
Dan Geer's Measuring Security Tutorial is a valuable metrics resource. At 346 pages, it contains a
wealth of quotes, observations, methodologies and techniques for defining and generating metrics.
NISTIR 7564 - Directions in Security Metrics Research
More than 100 years ago, Lord Kelvin insightfully observed that measurement is vital to deep knowledge
and understanding in physical science. During the last few decades, researchers have made various attempts
to develop measures and systems of measurement for computer security with varying degrees of success. This
paper provides an overview of the security metrics area and looks at possible avenues of research that
could be pursued to advance the state of the art.
Measures for Managing Operational Resilience (Software Engineering Institute)
How resilient is my organization? Have our processes made us more resilient? Members of the CERT Resilient Enterprise Management (REM) team are conducting research to address these and other related questions. The team's first report, Measuring Operational Resilience Using the CERT Resilience Management Model, defined high-level objectives for managing an operational resilience management (ORM) system, demonstrated how to derive meaningful measures from those objectives, and presented a template for defining resilience measures, along with example measures. In this report, REM team members suggest a set of top ten strategic measures for managing operational resilience. These measures derive from high-level objectives of the ORM system defined in the CERT Resilience Management Model, Version 1.1 (CERT-RMM). The report also provides measures for each of the 26 process areas of CERT-RMM, as well as a set of global measures that apply to all process areas. This report thus serves as an addendum to CERT-RMM Version 1.1. Since CERT-RMM practices map to bodies of knowledge and codes of practice such as ITIL, COBIT, ISO2700x, BS25999, and PCI DSS, the measures may be useful for measuring security, business continuity, and IT operations management processes, either as part of adoption of CERT-RMM or independent of it.
Operating System Hardening
Security Technical Implementation Guides (STIGs) - DISA
The Security Technical Implementation Guides (STIGs) are the configuration standards for DOD IA and IA-enabled devices/systems. Since 1998, DISA has played a critical role enhancing the security posture of DoD's security systems by providing the Security Technical Implementation Guides (STIGs). The STIGs contain technical guidance to "lock down" information systems/software that might otherwise be vulnerable to a malicious computer attack.
Benchmarking Tools - The Center For Internet Security
The CIS configuration assessment tools provide a quick way to
evaluate systems and networks, comparing their security configurations
against the CIS benchmark hardening standards. They automatically
create reports that guide users and system administrators to secure
both new installations and production systems. CIS tools are also
effective for monitoring systems to assure that security settings
continuously conform with CIS Benchmark configurations. CIS offers
tools and benchmark standards for Windows, Solaris, Linux, HP-UX,
Cisco IOS and Oracle databases.
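As an added illustration of the kind of check such tools automate (an example written for this page, not CIS code and not the CIS-CAT tool), the Python below parses a constructed sshd_config and scores it against a small, made-up baseline of SSH settings. The baseline values are typical hardening recommendations but are not copied from any CIS Benchmark; the sample configuration, the rule names and the thresholds are all assumptions. Two sshd_config behaviours that a naive checker gets wrong are handled deliberately: the first occurrence of a keyword wins, and settings after a Match line are conditional rather than global.

```python
"""Score an sshd_config against a small hardening baseline (constructed example)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample; not a real host's file. The duplicated
# PermitRootLogin line is deliberate: sshd honours the first one.
SAMPLE_SSHD_CONFIG = """\
# Hypothetical /etc/ssh/sshd_config
Port 22
PermitRootLogin yes
PermitRootLogin no
X11Forwarding yes
MaxAuthTries 6
PermitEmptyPasswords no
ClientAliveInterval 300
"""

# "Keyword value" or "Keyword=value" (sshd_config accepts both).
_LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Map lower-cased keyword -> value for the global section only.

    Two sshd_config rules matter for a checker: the first occurrence
    of a keyword wins, and everything after the first 'Match' line is
    conditional, so it is excluded rather than mis-attributed to the
    global scope.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            break
        settings.setdefault(keyword, value)  # first value wins
    return settings


@dataclass(frozen=True)
class Rule:
    keyword: str
    requirement: str
    check: Callable[[str], bool]  # applied only when the keyword is set


def _equals(expected: str) -> Callable[[str], bool]:
    return lambda v: v.lower() == expected


def _int_between(lo: int, hi: int) -> Callable[[str], bool]:
    return lambda v: v.isdigit() and lo <= int(v) <= hi


# Constructed baseline in the spirit of CIS-style SSH checks;
# it is not a copy of any published CIS Benchmark.
BASELINE: List[Rule] = [
    Rule("permitrootlogin", "must be 'no'", _equals("no")),
    Rule("x11forwarding", "must be 'no'", _equals("no")),
    Rule("maxauthtries", "must be 4 or fewer", _int_between(1, 4)),
    Rule("permitemptypasswords", "must be 'no'", _equals("no")),
    Rule("clientaliveinterval", "must be 1..300 seconds", _int_between(1, 300)),
]


@dataclass(frozen=True)
class Finding:
    keyword: str
    requirement: str
    observed: Optional[str]  # None when the keyword is not set
    passed: bool


def assess_sshd_config(text: str, baseline: List[Rule] = BASELINE) -> List[Finding]:
    """Compare parsed settings against the baseline.

    An unset keyword fails: the compiled-in default varies by OpenSSH
    version and distribution patches, so a benchmark wants it stated.
    """
    settings = parse_sshd_config(text)
    findings: List[Finding] = []
    for rule in baseline:
        observed = settings.get(rule.keyword)
        passed = observed is not None and rule.check(observed)
        findings.append(Finding(rule.keyword, rule.requirement, observed, passed))
    return findings


def failed_keywords(findings: List[Finding]) -> List[str]:
    return [f.keyword for f in findings if not f.passed]


def report(findings: List[Finding]) -> str:
    lines = []
    for f in findings:
        status = "PASS" if f.passed else "FAIL"
        shown = f.observed if f.observed is not None else "<not set>"
        lines.append(f"{status} {f.keyword}: observed {shown} ({f.requirement})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(assess_sshd_config(SAMPLE_SSHD_CONFIG)))
```

Run on the sample, the report fails PermitRootLogin (the first line says yes), X11Forwarding and MaxAuthTries and passes the other two. A real benchmark tool does the same thing at scale: a catalogue of rules, one parser per configuration source, and a report that names the observed value beside the expected one so the administrator can fix it.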
Physical Security
GAO Technologies to Secure Federal Buildings (72 pages)
U.S. Army - Physical Security - FM 3-19.30 (317 pages)
Sun Microsystems Data Center Site Planning Guide (106 pages)
Security Policy Templates
SANS Security Policy Project
WindowSecurity.com Policy & Standards - Internet Security Policy
Information Security Control Frameworks
NIST Cybersecurity Framework
This voluntary Framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk.
The Cybersecurity Framework’s prioritized, flexible, and cost-effective approach helps to promote the protection
and resilience of critical infrastructure and other sectors important to the economy and national security.
ISACA - COBIT IT Standard for IT Security and Control Practices
COBIT has been developed as a generally applicable and accepted standard for good Information Technology
(IT) security and control practices that provides a reference framework for management, users, and IS
audit, control and security practitioners.
ISACA - IT Control Objectives for Sarbanes-Oxley Final Document
This document issued by the ITGI reflects the latest thinking on this increasingly global topic. Based on
COBIT control objectives, the authors have designed this publication as an educational resource primarily
for IT control professionals, but CIOs, IT management and assurance professionals will find the information
vitally important and beneficial as well.
NIST SP 800-53: Recommended Security Controls for Federal Information Systems (188 pages)
The purpose of this publication is to provide guidelines for selecting and specifying security controls for information systems supporting the executive agencies of the federal government. The guidelines apply to all components of an information system that process, store, or transmit federal information.
Baseline controls - low
Baseline controls - moderate
Baseline controls - high
Common Criteria for IT Security Evaluation (CC)
The Common Criteria defines a common language for specifying and evaluating information technology security
systems and products. The framework provided by the Common Criteria allows government agencies and other
groups to define sets of specific functional and assurance requirements, called protection profiles.
Information Security Standards
ISO 27002 (formerly ISO 17799)
ISO 27002 is intended to serve as a single reference point for identifying the range of controls
needed for most situations where information systems are used in industry and commerce, and to be
used by large, medium and small organizations.
PCAOB Auditing Standard No. 5: An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements
This standard establishes requirements and provides direction that applies when an auditor is engaged
to perform an audit of management's assessment of the effectiveness of internal control over
financial reporting ("the audit of internal control over financial reporting") that is integrated with
an audit of the financial statements (required by Section 404(b) of the Sarbanes-Oxley Act of 2002).
Information Security Legislation
Health Insurance Portability and Accountability Act (HIPAA) 1996
HIPAA provides the first comprehensive Federal protection for
the privacy of health information.
Sarbanes-Oxley Act 2002
The Sarbanes-Oxley Act mandates a number of reforms to enhance
corporate responsibility, enhance financial disclosures and combat
corporate and accounting fraud, and created the "Public Company
Accounting Oversight Board," also known as the PCAOB, to
oversee the activities of the auditing profession.
Gramm-Leach-Bliley Act (GLBA) 1999
The Gramm-Leach-Bliley Act includes provisions to protect consumers
personal financial information held by financial institutions.
Information Security Assessments
US-CERT Cyber Resilience Review (CRR)
The CRR is a no-cost, voluntary, non-technical assessment to evaluate an organization’s operational resilience and cybersecurity practices. The CRR may be conducted as a self-assessment or as an on-site assessment facilitated by DHS cybersecurity professionals. The CRR assesses enterprise programs and practices across a range of ten domains including risk management, incident management, service continuity, and others. The assessment is designed to measure existing organizational resilience as well as provide a gap analysis for improvement based on recognized best practices.
Vendor Security Alliance Questionnaire
When we do business with a vendor, it is not safe to assume we are doing business just with the party under contract. Vendors rely on other parties. If we are to rely on a chain, then all the links must be tested, not just the first link. We must also apply the same standard of testing to all the links, which is why we created this questionnaire.
US-CCU Cyber-Security Check List
The US Cyber Consequences Unit (CCU) has developed a Cybersecurity Checklist to help federal
agencies and industry to determine the possible consequences of risks posed by the current
state of their IT systems; the list also offers suggestions for mitigating those risks. The
list asks 478 questions about hardware, software, networks, automation, humans and suppliers.
The checklist has not yet received DHS approval. CCU is funded by DHS and aims to provide the
government with accurate assessments of the consequences of cyber attacks. "The new list
shifts the focus from perimeter security to internal systems monitoring and maintenance".
SANS ISO 17799 Audit Checklist
This 7799 checklist can be used to audit an organisation's information
security posture. This checklist does not provide vendor specific
security considerations. Instead it provides a generic checklist
of security considerations. It is 47 pages long. Definitely worth
a look.
ISACA IS Standards, Guidelines and Procedures for Auditing and Control Professionals
IS Auditing Standards are mandatory requirements for certification
holders’ reports on the audit and its findings. IS Auditing
Guidelines and Procedures are detailed guidance on how to follow
those standards. The IS Auditing Guidelines are guidance an IS
auditor will normally follow with the understanding that there
may be situations where the auditor will not follow that guidance.
In this case, it will be the IS auditor's responsibility to justify
the way in which the work is done. The procedure examples show
the steps performed by an IS auditor and are more informative
than IS Auditing Guidelines. The examples are constructed to follow
the IS Auditing Standards and the IS Auditing Guidelines and provide
information on following the IS Auditing Standards. To some extent,
they also establish best practices for procedures to be followed.
NSA INFOSEC Assessment Methodology (IAM)
The IAM consists of a standard set of activities required to perform an INFOSEC assessment. In other
words, the methodology explains the depth and breadth of the assessment activities that must be performed
to be acceptable within the IATRP. The IAM "sets the bar" for what needs to be done for an activity to be
considered a complete INFOSEC Assessment.
Payment Card Industry Data Security Standard
The Requirements and Security Assessment Procedures document is used to verify that a site is in compliance
with the PCI Data Security Standard and to create a Report on Compliance.
Payment Card Industry Self-Assessment Questionnaires
Questionnaire D is divided into twelve sections. Each section focuses on a specific area of security, based
on the requirements included in the PCI Data Security Standard.
OSSTMM - Open Source Security Testing Methodology Manual by Pete Herzog
The Open Source Security Testing Methodology Manual (OSSTMM) is an open standard methodology for
performing security tests. When you use an internal testing methodology, you leverage the brain trust
of a handful of security experts. The OSSTMM is powerful because it provides the collective best
practices, legal, and ethical concerns of the global security testing community.
Protiviti - Guide to Internal Audit: Frequently Asked Questions About the NYSE Requirements and Developing an Effective Internal Audit Function (66 pages)
Protiviti has released the final version of its comprehensive
internal audit resource guide. This publication contains 69 frequently
asked questions and answers about internal audit, including details
on the new NYSE internal audit rule and creating and maintaining
an effective internal audit function. It also details how PCAOB
Auditing Standard No. 2, which has been approved by the SEC, allows
for the work of internal auditors to be relied upon to an extent
by the external auditor.
Protiviti - Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements - Third Edition Updated to reflect PCAOB Auditing Standard No. 2 (189 pages)
Protiviti has revised its highly regarded resource guide on Section
404 of the Sarbanes-Oxley Act. The third edition of Protiviti's
popular Section 404 publication addresses the effects of changes
arising from the SEC's final rules released in June 2003, and
as amended by the Commission's extension of these rules released
in February 2004. It also includes a wealth of detailed information
on PCAOB Auditing Standard No. 2. and its impact on Section 404
compliance efforts. In all, this comprehensive guide contains
88 new questions and well over 100 pages of new or substantially
revised material.
IT Examination Handbook - FFIEC
Financial institutions protect their information by instituting
a security process that identifies risks, forms a strategy to
manage the risks, implements the strategy, tests the implementation,
and monitors the environment to control the risks. Examiners may
use this booklet when evaluating the financial institution’s
risk management process, including the duties, obligations, and
responsibilities of the service provider for information security
and the oversight exercised by the financial institution.
Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment - IIA (44 pages)
This guide focuses on assisting Chief Audit Executives identify what must be done to make effective use of
technology in support of continuous auditing and highlights areas that require further attention. It
provides continuous audit guidance that will benefit the organization by significantly reducing instances
of error and fraud, increasing operational efficiency, and improving bottom-line results through a
combination of cost savings and a reduction in overpayments and revenue leakage.
GAO Technology Assessment - Cybersecurity for Critical Infrastructure
The GAO conducted this technology assessment on the use of cybersecurity
technologies for CIP in response to a request from congressional
committees. This assessment addresses the following questions:
(1) What are the key cybersecurity requirements in each of the
CIP sectors? (2) What cybersecurity technologies can be applied
to CIP? (3) What are the implementation issues associated with
using cybersecurity technologies for CIP, including policy issues
such as privacy and information sharing?
BITS Financial Institution Shared Assessments Program (FISAP)
The FISAP Program is a groundbreaking new process for financial institutions to evaluate the security controls of their IT service providers.
Risk Management
Risk IT Framework and Best Practice Guidance - ISACA
Risk IT is a framework based on a set of guiding principles for effective management of IT risk. The
Risk IT framework explains IT risk, allows the enterprise to make appropriate risk-aware decisions
and will enable users to:
· Integrate the management of IT risk into the overall enterprise risk management (ERM) of the
organization
· Make well-informed decisions about the extent of the risk, the risk appetite and the risk tolerance
of the enterprise
· Understand how to respond to the risk
The Institute of Risk Management: Risk Management Standard (17 pages)
There are many ways of achieving the objectives of risk management and it would be impossible to try to
set them all out in a single document. Therefore it was never intended to produce a prescriptive standard
which would have led to a box ticking approach nor to establish a certifiable process. By meeting the
various component parts of this standard, albeit in different ways, organisations will be in a position
to report that they are in compliance. The standard represents best practice against which organisations
can measure themselves.
NIST SP 800-30: Risk Management Guide for Information Technology Systems (55 pages)
This guide provides a foundation for the development of an effective risk management program,
containing both the definitions and the practical guidance necessary for assessing and mitigating
risks identified within IT systems. The ultimate goal is to help organizations to better manage
IT-related mission risks.
CERT: OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
For an organization that wants to understand its information security needs, OCTAVE is a risk-based
strategic assessment and planning technique for security.
CERT: Mission Assurance Analysis Protocol (MAAP): Assessing Risk in Complex Environments (59 pages)
The main focus of MAAP is developing advanced risk analysis techniques for highly complex and
distributed work processes. However, we believe that MAAP can also be used to analyze risk in virtually
all work processes, from very simple workflows to those that are distributed among multiple
organizations.
Microsoft: Security Risk Management Guide
This guide helps customers of all types plan, build, and maintain a successful security risk management
program. In a four-phase process, the guide explains how to conduct each phase of a risk
management program and how to build an ongoing process to measure and drive security risks to an
acceptable level.
Microsoft: Security Assessment Tool
This application is designed to help organizations with fewer than 1,000 employees assess weaknesses in
their current IT security environment. It will help identify processes, resources, and technologies that
are designed to promote good security planning and risk mitigation practices within your organization.
FEMA Risk Management Series (RMS) Publications
The RMS is a new FEMA series directed at providing design guidance for mitigating multihazard events.
The publications are directed at manmade disasters. The objective of the series is to reduce physical
damage to structural and nonstructural components of buildings and related infrastructure, and to reduce
resultant casualties during conventional bomb attacks, as well as attacks using chemical, biological,
and radiological agents. The underlying issue is that improving security in high occupancy buildings
will better protect the nation from potential threats by identifying key actions and design criteria to
strengthen our buildings from the forces that might be anticipated in a terrorist assault. The intended
audience includes architects and engineers working for private institutions, building
owners/operators/managers, and state and local government officials working in the building sciences
community.
World Bank Technology Risk Checklist
The World Bank Technology Risk Checklist is designed to provide Chief Information Security Officers
(CISO), Chief Technology Officers (CTO), Chief Financial Officers (CFO), Directors, Risk Managers
and Systems Administrators with a way of measuring and validating the level of security within a
particular organization.
Insider Threat
Common Sense Guide to Prevention and Detection of Insider Threats - CERT (88 pages)
This report is written for a diverse audience, outlining practices that should be implemented by
organizations to prevent insider threats. Each practice is described briefly in terms of why it should
be implemented and one or more case studies illustrate what could happen if it is not implemented, and
how the practice could have prevented an attack or facilitated early detection.
Insider Risk Management Guide - Gideon T. Rasmussen
The threat posed by authorized personnel is well documented by research and court cases. According to ACFE,
U.S. organizations lose an estimated $652 billion to fraud annually. Unfortunately, insider threat is not
limited to fraud. There is also sabotage, negligence, human error and exploitation by outsiders to consider.
If you have not taken a hard look at insider threat controls in your organization, now is the time.
DoD Insider Threat Mitigation (67 pages)
This report provides an explicit set of recommendations for action to mitigate the insider threat to DoD
information systems. The report results from the actions of an Insider Threat Integrated Process Team
(IPT). The Team's charter was "to foster the effective development of interdependent technical and
procedural safeguards" to reduce malicious behavior by insiders.
ISACA Segregation of Duties Matrix
The segregation of duties control matrix is not an industry standard, but a guideline indicating
which positions should be separated and which require compensating controls when combined. The
matrix is illustrative of potential segregation of duties issues and should not be viewed or used
as an absolute, rather it should be used to help identify potential conflicts so proper questions
may be asked to identify compensating controls.
The Insider Threat to U.S. Government Information Systems - NSTISSC (47 pages)
This NSTISSAM focuses on the insider and the potential damage that such an individual could cause when
targeting today's IS. It points out the various weaknesses (vulnerabilities) in today's IS an insider
might exploit and highlights approaches to solving these problems. In taking corrective action, it is
necessary to consider technical and procedural steps in deterring the insider. Finally, we propose, in
priority order, recommendations that mitigate the threat posed by the insider. Our approach is not to
provide an exhaustive list, but rather offer recommendations that could have the greatest immediate
return against this serious threat.
Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors - CERT & U.S. Secret Service (45 pages)
Research for this report found that the majority of the insiders who committed acts of sabotage were
former employees who had held technical positions with the targeted organizations. As a result of
their involvement in the incidents reviewed for this study, almost all of the insiders were charged
with criminal offenses. The majority of these charges were based on violations of federal law.
Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector - CERT & U.S. Secret Service (25 pages)
This report reviewed 23 incidents of insider threat in the banking and finance sector. It examines
insider incidents across critical infrastructure sectors in which the insider's primary goal was to
sabotage some aspect of the organization (for example, business operations, information/data files,
system/network, and/or reputation) or direct specific harm toward an individual.
Preliminary System Dynamics Maps of the Insider Cyber-threat Problem - CERT (36 pages)
This paper discusses the preliminary system dynamic maps of the insider cyber-threat.
Trustworthy Refinement Through Intrusion-Aware Design (TRIAD) - CERT (97 pages)
This report proposes an intrusion-aware design model called trustworthy refinement through intrusion-aware
design (TRIAD). TRIAD helps information system decision-makers formulate and maintain a coherent,
justifiable, and affordable survivability strategy that addresses mission-compromising threats for
their organization. The goals of a survivability strategy are to provide a documented response to the
primary threats to the mission; to provide a justification for and the limitations of the system design;
to support the design and implementation of the desired system behavior across multiple systems and
multiple development teams; and to support maintenance and evolution as the system operations and threat
environment evolve over time.
Research on Mitigating the Insider Threat to Information Systems - Rand (126 pages)
This report details R&D initiatives to mitigate and thwart the insider threat to critical U.S. defense and
infrastructure information systems. The three main focus areas were long-term (2-5 year) research
challenges and goals toward mitigating the insider threat; developing insider threat models; and
developing near-term solutions using commercial off-the-shelf (COTS) and government off-the-shelf (GOTS)
products. The long-term research recommendations stressed the need to develop an underlying system
architecture designed explicitly with security and survivability in mind (unlike essentially all operating
systems and network architectures in use today). Other topics included R&D needed on differential access
controls, means of recording and saving the provenance of a digital document, and dealing with the
increasing use of mobile code (e.g., in the form of applets, viruses, worms, or macros) in complex
information systems. The report also contains a number of recommendations regarding the purposes and
design of models of insider behavior, and near-term recommendations for helping to prevent, discover,
and mitigate the threat of insider misuse of information systems.
Understanding the Insider Threat - Rand (137 pages)
The format of this document included four groups: (1) Intelligence Community (IC) System Models, (2)
Vulnerabilities and Exploits, (3) Attacker Models and (4) Event Characterization. It brought together
members of the IC with specific knowledge of IC document management systems and IC business practices;
persons with knowledge of insider attackers, both within and outside the IC; and researchers involved
in developing technology to counter insider threats.
A Target-Centric Formal Model For Insider Threat and More - University at Buffalo (17 pages)
In this paper, we propose a target-centric modeling methodology motivated by the fact that insiders
typically pursue lucrative targets to cause damage or gain leverage. It is based on a higher-level
description of an organization's infrastructure and is less detail-intensive than the attack
graph model.
Analysis and Detection of Malicious Insiders - MITRE (6 pages)
This paper summarizes a collaborative, six month ARDA NRRC challenge workshop to characterize and create
analysis methods to counter sophisticated malicious insiders in the United States Intelligence
Community. Based upon a careful study of past and projected cases, we report a generic model of
malicious insider behaviors, distinguishing motives, (cyber and physical) actions, and associated
observables.
Insider Threat Group - Yahoo Groups
The insider threat group provides a forum to discuss resources and techniques to mitigate the threat posed
by authorized personnel. Those interested in learning more about insider threat will benefit from
the exchange of tips and the opportunity to ask questions. The group is moderated to keep on topic.
Application Security
OWASP Top 10 - Critical Web Application Security Flaws
The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws
are. Project members include a variety of security experts from around the world who have shared their
expertise to produce this list.
CWE/SANS TOP 25 Most Dangerous Software Errors
Each entry at the Top 25 Software Errors site also includes fairly extensive prevention and remediation
steps that developers can take to mitigate or eliminate the weakness.
Building Security In Maturity Model (BSIMM)
BSIMM is designed to help you understand, measure, and plan a software security initiative. It was created
by observing and analyzing real-world data from 51 leading software security initiatives.
OWASP Prevention Cheat Sheet Series
The OWASP Prevention Cheat Sheet Series was created to provide a concise collection of high value
information on specific web application security topics. These cheat sheets were created by multiple
application security experts and provide excellent security guidance in an easy to read format.
OWASP Guide to Building Secure Web Applications
The original OWASP Guide to Building Secure Web Applications has become a staple for many web security
professionals. Over the last 24 months the initial version has been downloaded over 2 million times.
The Guide forms the basis for corporate web security policies for several Fortune 500 companies and is used
in service offerings from many security consulting companies. The Guide is aimed at architects, developers,
consultants and auditors and is a comprehensive manual for designing, developing and deploying secure web
applications.
Incident Response Programs
NIST SP 800-61: Computer Security Incident Handling Guide (148 pages)
This NIST publication assists organizations in establishing computer
security incident response capabilities and handling incidents
efficiently and effectively.
Handbook for Computer Security Incident Response Teams (CSIRTs) - CERT/CC (233 pages)
This document provides guidance on forming and operating a computer
security incident response team (CSIRT). It details the functions
that make up the CSIRT, how to handle sensitive information and
the tools, procedures, and roles necessary to implement the program.
In addition, operational and technical issues are covered, such
as equipment, security, and staffing considerations.
Computer Security Incident Response Team (CSIRT) FAQs - CERT/CC
This frequently asked questions page provides a good primer for
those interested in the basics of computer incident response.
6 Phases of Incident Handling - Texas A&M University
Computer security incident handling can be divided into six phases:
preparation, identification, containment, eradication, recovery,
and follow-up. Understanding these stages, and what can go wrong
in each, facilitates responding more methodically and avoids duplication
of effort.
CSIRT Case Classification (Example for enterprise CSIRT) - FIRST
This document provides the guidelines needed for CSIRT Incident
Managers (IM) to classify the case category, criticality level,
and sensitivity level for each CSIRT case. This information will
be entered into the Incident Tracking System (ITS) when a case
is created. Consistent case classification is required for the
CSIRT to provide accurate reporting to management on a regular
basis. In addition, the classifications will provide CSIRT IMs
with proper case handling procedures and will form the basis of
SLAs between the CSIRT and other Company departments.
Incident Report Templates
· Gideon T. Rasmussen's Incident Report Template
· SANS Incident Identification Form
· SANS Incident Survey Form
· SANS Incident Containment Form
· SANS Incident Eradication Form
· SANS Incident Communication Log Form
· Melissa Guenther's Incident Report Form
· US-CERT Incident Reporting System
· CERT/CC Incident Reporting Guidelines