This document discusses Continuous Vulnerability Assessment and Remediation, which is Control 4 from the CIS Top 20 Critical Security Controls. It emphasizes the importance of continuously scanning systems for vulnerabilities, prioritizing remediation of the most critical issues, and ensuring vulnerabilities are addressed in a timely manner through patching or other methods. The document provides an overview of the key aspects of Control 4 and offers suggestions for tools that can be used to implement continuous scanning and vulnerability management.
Effective Cyber Defense Using CIS Critical Security Controls (BSides Delhi)
The CIS Critical Security Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks. They are developed, renewed, validated, and supported by a large volunteer community of security experts under the stewardship of the Center for Internet Security (www.cisecurity.org). Contributors, adopters, and supporters are found around the world and come from all types of roles, backgrounds, missions, and businesses. State and local governments, power distributors, transportation agencies, academic institutions, financial services, federal government, and defense contractors are among the hundreds of organizations that have adopted the Controls. They have all implemented the Controls to address the key question: “What needs to be done right now to protect my organization from advanced and targeted attacks?”
Information Assurance Metrics: Practical Steps to Measurement (EnclaveSecurity)
Show up to a security presentation, walk away with a specific action plan. In this presentation, James Tarala, a senior instructor with the SANS Institute, will be presenting on making specific plans for information assurance metrics in an organization. Clearly this is an industry buzzword at the moment (when you listen to presentations on the 20 Critical Controls, NIST guidance, or industry banter). Security professionals have to know that their executives are discussing the idea. So exactly how do you integrate information assurance metrics into action in an organization and actually achieve value from the effort? Learn what efforts are currently underway in the industry to create consensus metrics guides and what initial steps an organization can take to start measuring the effectiveness of their security program. Small steps are better than no steps, and by the end of this presentation, students will have a start integrating metrics into their information assurance program.
The SANS Institute, in collaboration with the Center for Strategic and International Studies (CSIS), has recently released updates to the 20 Critical Controls / Consensus Audit Guidelines. These updates are based on industry changes and new attack signatures which have been collected over the previous 18 months from those directly involved on the front lines of stopping targeted cyber-attacks. This presentation will share details on the changes to the most recent version of the controls and share insights into the development of the controls, future evolutions, along with practical tips collected from organizations actively involved in implementing these controls.
Extending the 20 critical security controls to gap assessments and security m... (John M. Willis)
Extending the 20 critical security controls to gap assessments and security maturity modeling.
Specifically, the controls are decomposed into Base Practices from a Process perspective.
Implementation approaches are viewed from a Robustness perspective.
Top 20 Security Controls for a More Secure Infrastructure (Infosec)
The CIS® (Center for Internet Security, Inc.®) Controls offer 20 proven, globally recognized best practices for securing your IT systems and data against the most pervasive attacks. Join Tony Sager, CIS Senior Vice President and Chief Evangelist, to learn:
- Origin and purpose of the CIS Controls
- How to prioritize implementation
- How to make the CIS Controls a foundational part of your security program, and improve your enterprise defenses, operations, compliance and security awareness
Watch the full webinar: https://www2.infosecinstitute.com/l/12882/2018-12-06/bcbc68
Solving the CIO’s Cybersecurity Dilemma (John Gilligan)
Solving the CIO’s Cybersecurity Dilemma: 20 Critical Controls for Effective Cyber Defense, a presentation by John M. Gilligan at the National Summit on Planning and Implementing the 20 Critical Controls, held in November 2009.
More practical insights on the 20 critical controls (EnclaveSecurity)
This presentation is for both alumni of the SANS 440 / 566 courses on the 20 Critical Controls and anyone considering implementing these controls in their organizations. Since the first version of the 20 Critical Controls was released, many organizations internationally have been considering implementing these controls as guideposts and metrics for effectively stopping directed attacks. Some organizations have been doing this effectively, others have struggled. This presentation will give case studies of organizations that have implemented these controls and what they have learned from their implementations about what works and what does not work practically. Not only will the discussion focus on what organizations are doing to implement the controls, but also on what vendors are doing to help automate the controls and the status of resources and projects in the industry. Students will walk away with even more tools to be effective with their implementations.
Utilizing the Critical Security Controls to Secure Healthcare Technology (EnclaveSecurity)
The development of the Critical Security Controls is transforming the way companies measure and monitor the success of their security programs while drastically reducing the cost of security. Fifteen of the twenty controls can be automated, some at limited cost to the organization, and the data is readily available to be presented in conference rooms and board rooms. Upon implementing, hospitals will have the ability to measure compliance, track progress, and know when they’ve reached certain goals.
They were developed and agreed upon by a consortium including NSA, US Cert, DoD JTF-GNO, the Department of Energy Nuclear Laboratories, Department of State, DoD Cyber Crime Center as well as the top commercial forensics experts and pen testers serving the banking and critical infrastructure communities. Since the US State Department implemented these controls they have demonstrated “more than 80% reduction in ‘measured’ security risk through the rigorous automation and measurement of the Top 20 Controls.”
NetStandard CTO John Leek presents 20 Critical Security Controls for the Cloud at Interface Kansas City. This presentation is based on controls set forth by the SANS Institute. Learn more at http://www.netstandard.com.
Security operations center: 5 security controls (AlienVault)
An effective Security Operations Center provides the information necessary for organizations to efficiently detect threats and subsequently contain them. While eliminating the threats we face is an impossible goal, reducing the time it takes to respond to and contain them is certainly achievable. Learn 5 security controls for an effective security operations center.
All regulatory requirements (HIPAA, PCI, etc.) include a mandate for assessing vulnerabilities in systems that manage or store sensitive data. Organizations often opt to conduct vulnerability assessments on an annual, quarterly, or even monthly basis. But while vulnerability assessment tools can identify unpatched or misconfigured code bases, these tools overlook a large portion of an organization’s attack surface: known vulnerabilities in applications that are built in-house. These applications will not have public updates, nor will the thousands of open source components they utilize be included in public disclosures. This is concerning because over 6,000 vulnerabilities in open source projects have been reported since 2014. Register for this webinar to discover how to protect yourself.
A vulnerability scanner is a software tool that discovers and inventories all networked systems, including servers, PCs, laptops, virtual machines, containers, firewalls, switches, and printers. It attempts to identify the operating system and software installed on each device it detects, as well as other characteristics such as open ports and user accounts.
Enterprise Class Vulnerability Management Like A Boss (rbrockway)
A fluid and effective Vulnerability Management Framework, a core pillar in most Enterprise Security Architectures (ESA), remains a continual challenge to most organizations. Ask any of the major breach targets of the past several years. This talk takes the recent OWASP Application Security Verification Standard (ASVS) 2014 framework and applies it to Enterprise Vulnerability Management in an attempt to make a clearly complicated yet necessary part of your organization's ESA much more manageable, effective and efficient with feasible recommendations based on your business' needs.
Are you new to Black Duck or open source security? Do you need a refresher? Understanding the fundamentals of open source security is critical to keeping your data and organization safe. During this session, we'll share best practices from the world's leading experts to help you establish a foundation for success.
AlienVault MSSP Overview - A Different Approach to Security for MSSPs (AlienVault)
- Overview of the AlienVault USM Platform
- Differentiation through Delivery "Threat Detection That Works"
- Ways to Engage via Managed Services, Security Device Management and Professional Services
- AlienVault MSSP Program Details
When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk... (Cam Fulton)
Learn how to evaluate risk, what the differences are between vulnerability assessments and penetration tests, and when to implement both.
Presented by AWA International, a division of I.S. Partners, LLC https://www.ispartnersllc.com/awa-international-group/
Vulnerability Assessment & Penetration Testing (VAPT) identifies system weaknesses through assessments and simulates real-world attacks to bolster cybersecurity measures.
What to Expect During a Vulnerability Assessment and Penetration Test (ShyamMishra72)
A vulnerability assessment and a penetration test (pen test) are important cybersecurity activities designed to identify and address security weaknesses in your organization's systems and networks. Here's what you can expect during each phase of these assessments:
ARES focuses on the sweet spot of threat intelligence and continuous monitoring datasets, enabling you to identify and act on the most relevant and critical threats and findings at cyber speed.
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4
1. CIS Top 20 #4
Continuous Vulnerability Assessment & Remediation
2. CIS Top 20 Critical Security Controls
• Organizations must know at all times:
– Which vulnerabilities are present in their IT assets
– The level of risk each one carries
– How the affected IT assets are being remediated
4. CIS Top 20 Critical Security Controls
• This week, we’re focusing on CIS Control 4: Continuous Vulnerability Assessment and Remediation.
• More specifically: “Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.”
12. CIS Top 20 Critical Security Controls
Why is CIS Control 4 critical?
• Organizations that do not scan for vulnerabilities and proactively address discovered flaws face a significant likelihood of having their computer systems compromised.
13. CIS Top 20 Critical Security Controls
How to Get Started
Step 1. Gap Assessment
Step 2. Implementation Roadmap
Step 3. Implement the First Phase of Controls
Step 4. Integrate Controls into Operations
Step 5. Report and Manage Progress
15. CIS Top 20 Critical Security Controls
• CSC 4.1: Run automated vulnerability scanning tools against all systems on the network on a weekly or more frequent basis
• CSC 4.1 Procedure: Scan the entire network daily using a SCAP (Security Content Automation Protocol) scanner
• The organization:
– IT department to run the SCAP scan weekly (Monday mornings)
– IT department will review scan logs for completeness
– Metrics:
– IT department will report on new vulnerabilities
– The IT department will audit SIEM logs daily
16. CIS Top 20 Critical Security Controls
• No one solution will prevent all attacks; vulnerability assessment is a matter of foundational security practice.
17. CIS Top 20 Critical Security Controls
• For identified vulnerabilities or misconfigurations, patches (or updates) must be applied to all affected systems.
• Where possible, automate patch management. These are basic preventive hygiene practices that will significantly enhance your security posture.
18. CIS Top 20 Critical Security Controls
• Routinely check system logs to verify that vulnerabilities have been addressed and to identify any scanning problems.
• By comparing logs over time, you can look for patterns and ensure that scanning activity is actually taking place.
• Since automated patching tools may not detect or install all patches, you can compare system logs against patches listed on vendor websites to ensure you’ve got the latest security updates.
19. CIS Top 20 Critical Security Controls
4.1 Run automated vulnerability scanning tools against all systems on the network on a weekly or more frequent basis and deliver prioritized lists of the most critical vulnerabilities to each responsible system administrator along with risk scores that compare the effectiveness of system administrators and departments in reducing risk. Use a SCAP-validated vulnerability scanner that looks for both code-based vulnerabilities (such as those described by Common Vulnerabilities and Exposures entries) and configuration-based vulnerabilities (as enumerated by the Common Configuration Enumeration Project).
4.2 Correlate event logs with information from vulnerability scans to fulfill two goals. First, personnel should verify that the activity of the regular vulnerability scanning tools is itself logged. Second, personnel should be able to correlate attack detection events with prior vulnerability scanning results to determine whether the given exploit was used against a target known to be vulnerable.
4.3 Perform vulnerability scanning in authenticated mode either with agents running locally on each end system to analyze the security configuration or with remote scanners that are given administrative rights on the system being tested. Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses. Ensure that only authorized employees have access to the vulnerability management user interface and that roles are applied to each user.
4.4 Subscribe to vulnerability intelligence services in order to stay aware of emerging exposures, and use the information gained from this subscription to update the organization’s vulnerability scanning activities on at least a monthly basis. Alternatively, ensure that the vulnerability scanning tools you use are regularly updated with all relevant important security vulnerabilities.
4.5 Deploy automated patch management tools and software update tools for operating system and software/applications on all systems for which such tools are available and safe. Patches should be applied to all systems, even systems that are properly air gapped.
4.6 Monitor logs associated with any scanning activity and associated administrator accounts to ensure that this activity is limited to the timeframes of legitimate scans.
4.7 Compare the results from back-to-back vulnerability scans to verify that vulnerabilities were addressed either by patching, implementing a compensating control, or documenting and accepting a reasonable business risk. Such acceptance of business risks for existing vulnerabilities should be periodically reviewed to determine if newer compensating controls or subsequent patches can address vulnerabilities that were previously accepted, or if conditions have changed, increasing the risk.
4.8 Establish a process to risk-rate vulnerabilities based on the exploitability and potential impact of the vulnerability, and segmented by appropriate groups of assets (for example, DMZ servers, internal network servers, desktops, laptops). Apply patches for the riskiest vulnerabilities first. A phased rollout can be used to minimize the impact to the organization. Establish expected patching timelines based on the risk rating level.
20. CIS Top 20 Critical Security Controls
• 4-1 Run automated vulnerability scanning tools against all systems on the network on a
weekly or more frequent basis and deliver prioritized lists of the most critical
vulnerabilities to each responsible system administrator along with risk scores that
compare the effectiveness of system administrators and departments in reducing risk.
• Free Tools
• CIS CIS-CAT - Our friends at CIS
• AlienVault OSSIM - Open source, fairly comprehensive
• OpenVAS - Comes in AlienVault, but if you JUST need a vulnerability scanner, this is it.
• Rapid7 IoTSeeker - Seeks out IoT devices and checks them for default passwords
• Commercial Tools
• Nessus - Industry known and trusted scanner.
• Nexpose - Rapid7 Vulnerability scanner
26. CIS Top 20 Critical Security Controls
• 4-2 Correlate event logs with information from vulnerability scans to fulfill two
goals. First, personnel should verify that the activity of the regular vulnerability
scanning tools themselves is logged. Second, personnel should be able to correlate
attack detection events with earlier vulnerability scanning results to determine
whether the given exploit was used against a target known to be vulnerable.
• Free Tools
• AlienVault OSSIM - again
• OpenVAS - Comes in AlienVault, but if you JUST need a vulnerability scanner, this is it.
• Commercial Tools
• Nessus - Industry known and trusted scanner.
• Nexpose - Rapid7 Vulnerability scanner
• Qualys - Qualys Vulnerability scanner
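The second goal of 4-2, matching an attack detection event against the last scan of the targeted host, can be scripted once both sources are normalised. The following is an added example, not code from the presentation or from any of the tools listed; the alert and scan record layouts, host names and the finding IDs (placeholders, not real CVEs) are constructed.

```python
"""Correlate IDS/attack-detection events with the most recent vulnerability
scan so an analyst can tell whether an observed exploit attempt hit a host
that was known to be vulnerable to it (CIS sub-control 4-2, second goal).

Added example, not from the slides. Record layouts, host names and finding
IDs are constructed; the IDs are placeholders, not real CVE numbers.
"""
from datetime import datetime

# Constructed latest-scan findings: host -> {finding_id: time the scan saw it}
SCAN_FINDINGS = {
    "web01": {"EXAMPLE-1": datetime(2018, 3, 10, 2, 15)},
    "db01":  {"EXAMPLE-3": datetime(2018, 3, 10, 3, 0)},
}

# Constructed IDS alerts; "ref" is the finding/CVE reference the IDS signature maps to.
# Source addresses are from the documentation range 203.0.113.0/24.
IDS_ALERTS = [
    {"time": datetime(2018, 3, 12, 9, 30), "dst_host": "web01", "ref": "EXAMPLE-1", "src": "203.0.113.7"},
    {"time": datetime(2018, 3, 12, 9, 31), "dst_host": "web01", "ref": "EXAMPLE-9", "src": "203.0.113.7"},
    {"time": datetime(2018, 3, 12, 9, 32), "dst_host": "db02",  "ref": "EXAMPLE-3", "src": "203.0.113.7"},
]


def correlate(alerts, findings):
    """Tag each alert as 'known_vulnerable', 'not_vulnerable_per_scan' or
    'host_not_scanned' by looking the target host up in the scan results."""
    out = []
    for a in alerts:
        host_findings = findings.get(a["dst_host"])
        if host_findings is None:
            status = "host_not_scanned"          # coverage gap, not a clean bill of health
        elif a["ref"] in host_findings and host_findings[a["ref"]] <= a["time"]:
            status = "known_vulnerable"          # scan saw this exposure before the attack
        else:
            status = "not_vulnerable_per_scan"
        out.append({**a, "status": status})
    return out


def triage_order(correlated):
    """Known-vulnerable targets first, unscanned hosts second (the scan gap
    itself needs fixing), everything else last; ties broken by time."""
    rank = {"known_vulnerable": 0, "host_not_scanned": 1, "not_vulnerable_per_scan": 2}
    return sorted(correlated, key=lambda r: (rank[r["status"]], r["time"]))


if __name__ == "__main__":
    for rec in triage_order(correlate(IDS_ALERTS, SCAN_FINDINGS)):
        print(rec["time"].isoformat(), rec["dst_host"], rec["ref"], rec["status"])
```

An alert against a host the scanner never saw is deliberately ranked above one the scan says is not vulnerable: the unscanned host is exactly the blind spot 4-1's "all systems on the network" is meant to remove.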
27. CIS Top 20 Critical Security Controls
• 4-3 - Perform vulnerability scanning in authenticated mode either with agents
running locally on each end system to analyze the security configuration or with
remote scanners that are given administrative rights on the system being tested.
• Free Tools
• AlienVault OSSIM - What can't it do???
• OpenVAS - Comes in AlienVault, but if you JUST need a vulnerability scanner, this is it.
• Commercial Tools
• Nessus - Industry known and trusted scanner.
• Nexpose - Rapid7 Vulnerability scanner
• Qualys - Qualys Vulnerability scanner
28. CIS Top 20 Critical Security Controls
• 4-4 - Subscribe to vulnerability intelligence services in order to stay aware of emerging exposures, and
use the information gained from this subscription to update the organization's vulnerability scanning
activities on at least a monthly basis.
• Free Tools
• You must get these from each vendor you use. Usually these would be mailing lists, RSS feeds, etc. A few I subscribe to:
• https://isc.sans.edu/newssummary.html
• http://sectools.org/
• CVE - Common Vulnerabilities and Exposures, as tracked in the National Vulnerability Database
• OpenSSL - Stay up to date for the next Heartbleed
• https://www.us-cert.gov/ncas/current-activity (alerts and tips)
• http://www2.mitre.org/work/sepo/toolkits/risk/
• OWASP - Vulnerabilities, ratings and more
• Vendors: Trend Micro, FireEye
33. CIS Top 20 Critical Security Controls
• 4-5 - Deploy automated patch management tools and software update tools for
operating system and software/applications on all systems for which such tools are
available and safe.
• Free Tools
• Ninite - While not free, it is DIRT CHEAP. But it only patches the 3rd party applications listed on its website.
• Microsoft System Center Configuration Manager (SCCM) - Its patch management capabilities have been a de facto standard for enterprise IT shops for many years.
• Commercial Tools
• Solarwinds - SolarWinds Patch Management Suite for scanning, patching, management, LEM
• Tenable - suite of course with VM, inventory, configuration settings
• LanGuard - most platforms
37. CIS Top 20 Critical Security Controls
• 4-6 - Carefully monitor logs associated with any scanning activity and associated
administrator accounts to ensure that all scanning activity and associated access via
the privileged account is limited to the timeframes of legitimate scans.
• Free Tools
• Netwrix - AD Change Reporter Free
• Scripted - on github
• GPO - Only enables logging, you still need to alert
• Commercial Tools
• Solarwinds - Part of LEM suite
• Splunk - Also offers commercial versions of their free tool above.
• Rapid7 - Part of its complete suite.
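Whichever of the tools above collects the logs, the check 4-6 asks for is simple to state: the dedicated scan account (4-3) should only ever log on from the scanner hosts it is tied to, and only during the approved scan window. This added example, which is not code from the presentation or any listed product, runs that check over a few constructed syslog-style logon lines; the account name, scanner addresses, window and log format are all assumptions.

```python
"""Flag scan-account activity outside the approved scan window or from a host
other than the dedicated scanners (CIS sub-controls 4-3 and 4-6).

Added example, not from the slides. The log format, account name, scanner
addresses and scan window are constructed assumptions.
"""
from datetime import datetime, time
import re

# Approved scan profile (hypothetical values a team would set from its own schedule)
SCAN_ACCOUNT = "svc-vulnscan"
ALLOWED_SOURCES = {"10.0.5.20", "10.0.5.21"}       # the dedicated scanner hosts
WINDOW_START, WINDOW_END = time(1, 0), time(5, 0)   # 01:00-05:00 local time
WINDOW_DAYS = {5, 6}                                # Saturday and Sunday (Mon = 0)

# Constructed log format: "<iso-timestamp> host=<h> user=<u> src=<ip> event=<e>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+)$"
)

# Constructed sample log; 2018-03-10 is a Saturday, 2018-03-13 a Tuesday
SAMPLE_LOG = [
    "2018-03-10T02:15:00 host=web01 user=svc-vulnscan src=10.0.5.20 event=logon_success",
    "2018-03-10T02:16:00 host=web02 user=svc-vulnscan src=10.0.5.21 event=logon_success",
    "2018-03-13T14:02:00 host=db01 user=svc-vulnscan src=10.0.5.20 event=logon_success",
    "2018-03-10T03:00:00 host=db01 user=svc-vulnscan src=192.168.7.44 event=logon_success",
    "2018-03-13T14:05:00 host=db01 user=jsmith src=10.0.9.3 event=logon_success",
    "this line is not in the expected format",
]


def parse_line(line):
    """Return a dict for a well-formed line, None otherwise."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def in_window(ts):
    return ts.weekday() in WINDOW_DAYS and WINDOW_START <= ts.time() <= WINDOW_END


def audit(lines):
    """Return (timestamp, source, reasons) for every scan-account event that
    breaks policy; events for other accounts and unparsable lines are ignored."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] != SCAN_ACCOUNT:
            continue
        reasons = []
        if rec["src"] not in ALLOWED_SOURCES:
            reasons.append("unexpected_source")
        if not in_window(rec["ts"]):
            reasons.append("outside_window")
        if reasons:
            findings.append((rec["ts"].isoformat(), rec["src"], reasons))
    return findings


if __name__ == "__main__":
    for ts, src, reasons in audit(SAMPLE_LOG):
        print(ts, src, ", ".join(reasons))
```

The two reasons are checked independently so that a logon from a foreign host inside the window and a logon from the right scanner at the wrong time both surface; either one means the account is being used for something other than the scheduled scan.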
42. CIS Top 20 Critical Security Controls
• 4-7 - Compare the results from back-to-back vulnerability
scans to verify that vulnerabilities were addressed either by
patching, implementing a compensating control, or
documenting and accepting a reasonable business risk.
– This is more of a process than a tool.
• 4-8 - Establish a process to risk-rate vulnerabilities based on
the exploitability and potential impact of the vulnerability,
and segmented by appropriate groups of assets (example,
DMZ servers, internal network servers, desktops, laptops).
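4-7 is a process rather than a tool, but the comparison itself is mechanical: diff the previous and current scan, and for anything that persists, check the accepted-risk register and whether its review date has come round. This added example is not code from the presentation; the scan record layout, the register entries, the finding IDs (placeholders, not real CVEs) and the dates are constructed.

```python
"""Compare two consecutive vulnerability scans, classify each finding as fixed,
new or persisting, and check persisting findings against an accepted-risk
register whose entries carry a review-by date (CIS sub-control 4-7).

Added example, not from the slides. Record layout, register and dates are
constructed; finding IDs are placeholders, not real CVE numbers.
"""
from datetime import date

# Constructed scan exports: one record per (host, finding) pair
PREVIOUS_SCAN = [
    {"host": "web01", "id": "EXAMPLE-1", "severity": "high"},
    {"host": "web01", "id": "EXAMPLE-2", "severity": "medium"},
    {"host": "db01",  "id": "EXAMPLE-3", "severity": "critical"},
]
CURRENT_SCAN = [
    {"host": "web01", "id": "EXAMPLE-2", "severity": "medium"},    # persists, risk accepted
    {"host": "db01",  "id": "EXAMPLE-3", "severity": "critical"},  # persists, nobody signed off
    {"host": "db02",  "id": "EXAMPLE-4", "severity": "high"},      # new since last scan
]

# Accepted-risk register: (host, id) -> (compensating control, review-by date)
ACCEPTED = {
    ("web01", "EXAMPLE-2"): ("WAF rule blocks the request pattern", date(2018, 6, 1)),
}


def key(finding):
    return (finding["host"], finding["id"])


def compare_scans(previous, current, accepted, today):
    """Return the four lists a 4-7 review needs. Persisting findings are only
    acceptable if they are in the register and not yet due for re-review."""
    prev = {key(f): f for f in previous}
    cur = {key(f): f for f in current}
    report = {
        "fixed": sorted(prev.keys() - cur.keys()),
        "new": sorted(cur.keys() - prev.keys()),
        "persisting_unaccepted": [],
        "accepted_due_for_review": [],
    }
    for k in sorted(prev.keys() & cur.keys()):
        if k in accepted:
            _control, review_by = accepted[k]
            if today >= review_by:
                report["accepted_due_for_review"].append(k)
        else:
            report["persisting_unaccepted"].append((k, cur[k]["severity"]))
    return report


if __name__ == "__main__":
    for section, items in compare_scans(PREVIOUS_SCAN, CURRENT_SCAN, ACCEPTED, date(2018, 3, 20)).items():
        print(section, items)
```

Anything in `persisting_unaccepted` after the scan cycle is a finding that was neither patched, mitigated nor signed off, which is the gap 4-7 exists to catch; `accepted_due_for_review` drives the periodic re-check of old risk acceptances.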
46. CIS Top 20 Critical Security Controls
• Vulnerability Factors:
The goal is to estimate the likelihood of the particular vulnerability being discovered
and exploited.
• Ease of discovery
How easy is it for this group of threat agents to discover this vulnerability?
• Ease of exploit
How easy is it for this group of threat agents to actually exploit this vulnerability?
• Awareness
How well known is this vulnerability to this group of threat agents?
• Intrusion detection
How likely is an exploit to be detected?
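The four likelihood factors above, combined with an impact estimate and the asset groups named in 4-8, are enough to produce the risk rating, the riskiest-first order and the expected patching timeline the sub-control calls for. The following is an added example, not code from the presentation; the 0-9 factor scale and the likelihood/impact severity matrix follow the OWASP Risk Rating Methodology, while the asset-group weights, rating bands and patch timelines are constructed assumptions a team would replace with its own policy.

```python
"""Risk-rate findings from the four likelihood factors and an impact score,
weighted by asset group, then assign a patch deadline by rating and order the
queue riskiest-first (CIS sub-control 4-8).

Added example, not from the slides. Factor scale and severity matrix follow
the OWASP Risk Rating Methodology; asset weights, bands and SLAs are assumed.
"""
from datetime import date, timedelta

LIKELIHOOD_FACTORS = ("ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")

# Asset groups from the slide; weights are assumed (higher = more exposed)
ASSET_WEIGHT = {"dmz_server": 1.0, "internal_server": 0.8, "desktop": 0.6, "laptop": 0.7}

# Overall rating -> maximum days to patch (assumed policy); "note" = next maintenance cycle
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180, "note": None}

# OWASP overall severity matrix, keyed by (likelihood band, impact band)
MATRIX = {
    ("high", "high"): "critical", ("high", "medium"): "high",   ("high", "low"): "medium",
    ("medium", "high"): "high",   ("medium", "medium"): "medium", ("medium", "low"): "low",
    ("low", "high"): "medium",    ("low", "medium"): "low",      ("low", "low"): "note",
}

# Constructed findings; IDs are placeholders, factor values are on the 0-9 scale
SAMPLE_FINDINGS = [
    {"id": "A", "asset_group": "dmz_server", "impact": 8,
     "likelihood": {"ease_of_discovery": 8, "ease_of_exploit": 9, "awareness": 9, "intrusion_detection": 3}},
    {"id": "B", "asset_group": "desktop", "impact": 7,
     "likelihood": {"ease_of_discovery": 4, "ease_of_exploit": 5, "awareness": 6, "intrusion_detection": 4}},
    {"id": "C", "asset_group": "internal_server", "impact": 3,
     "likelihood": {"ease_of_discovery": 2, "ease_of_exploit": 3, "awareness": 2, "intrusion_detection": 2}},
    {"id": "D", "asset_group": "laptop", "impact": 5,
     "likelihood": {"ease_of_discovery": 7, "ease_of_exploit": 6, "awareness": 8, "intrusion_detection": 5}},
]


def band(score):
    """Map a 0-9 score to the OWASP low / medium / high band."""
    if score < 3:
        return "low"
    if score < 6:
        return "medium"
    return "high"


def likelihood(factors):
    """Average of the four likelihood factors; each must be on the 0-9 scale."""
    vals = [factors[k] for k in LIKELIHOOD_FACTORS]
    if any(not 0 <= v <= 9 for v in vals):
        raise ValueError("likelihood factors must be in 0..9")
    return sum(vals) / len(vals)


def rate(finding, discovered):
    """Rate one finding and derive its patch due date from the discovery date."""
    weight = ASSET_WEIGHT[finding["asset_group"]]
    lik = likelihood(finding["likelihood"])
    impact = finding["impact"] * weight          # asset group scales the impact
    rating = MATRIX[(band(lik), band(impact))]
    sla = PATCH_SLA_DAYS[rating]
    return {
        "id": finding["id"],
        "rating": rating,
        "score": round(lik * impact, 2),         # used only for ordering within the queue
        "due": discovered + timedelta(days=sla) if sla is not None else None,
    }


def prioritize(findings, discovered):
    """Rated findings, riskiest first."""
    return sorted((rate(f, discovered) for f in findings), key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in prioritize(SAMPLE_FINDINGS, date(2018, 3, 20)):
        print(r["id"], r["rating"], r["score"], r["due"])
```

Because the rating decides the timeline and the numeric score only breaks ties, two findings with the same rating always get the same deadline, which keeps the timelines defensible when they are reported back to system owners.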
50. CIS Top 20 Critical Security Controls
• Center for Internet Security (CIS): https://www.cisecurity.org/
• NIST Cyber Security Framework (CSF):
http://www.nist.gov/cyberframework/
• CIS Critical Security Controls (CSC):
https://www.cisecurity.org/critical-controls.cfm
• Auditscripts resources (provided by James Tarala, CSC Editor):
https://www.auditscripts.com/free-resources/critical-security-controls/
• DISA STIGs: https://iase.disa.mil/stigs/Pages/index.aspx
51. CIS Top 20 Critical Security Controls
• SynerComm’s IT Summit
• April 9-10th
• Lambeau Field, Green Bay, WI
• Validate Your IT Strategy
• FREE!!
• Register: www.events.synercomm.com
52. CIS Top 20 Critical Security Controls
Thank you for Attending.
Hope you can join us for the Complete CIS Top 20 CSC
Tuesday March 20th
CIS CSC #5
Controlled Use of Administrative Privileges