Discover more from The OSINTion Tidbit

Open Source Intelligence (OSINT), Geospatial Intelligence (GEOINT), OPSEC/Privacy, Disinformation, and Data Science and the impacts they have on society.

Critical Security Controls: Part 1 (with Brian Ventura)

Joe Gray

Oct 24, 2016

ADVANCED PERSISTENT SECURITY PODCAST

EPISODE 23

GUEST: BRIAN VENTURA

October 24, 2016

If you enjoy this podcast, be sure to give us a 5 Star Review and “Love Us” on iTunes; Like us on Google Play, Stitcher, Sound Cloud, Spreaker, and YouTube.
NOTE: The opinions expressed in this podcast are ours alone and do not reflect those of our employers
NOTE: This series was originally intended to be a single episode. Because we recorded in excess of three hours of content, we decided (after the fact) to split this into 2 episodes.

Critical Security Controls: Part 1 SHOW NOTES

PART 1

We talk about National Cyber Security Awareness Month (NCSAM) and some of the initiatives that we have observed to work and not work as well as what some organizations are doing to help. We touch on what the SANS and Center for Internet Security (CIS) Critical Security Controls (Formerly SANS Top 20) are. We then compare and contrast them briefly to other lists, like the Australian Signals Directorate 35 Strategies to Mitigate Cyber Intrusions, Cloud Security Alliance (CSA) Treacherous 12, Open Web Application Security Project (OWASP) Top 10, and OWASP Application Security Validation Standard (ASVS).

PART 2

Controls:

Inventory of Authorized and Unauthorized Devices
Inventory of Authorized and Unauthorized Software

We discuss the beginning of the Critical Security Controls. Starting with control number 1, we discuss the importance of knowing what devices and assets are on the network as well as maintaining an inventory management tool. We discuss using inventory management as a means of accountability in management. We transition into control 2 which deals with authorized and unauthorized software.

PART 3

Controls:

3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

4. Continuous Vulnerability Assessment and Remediation

5. Controlled Use of Administrative Accounts

We discuss developing secure environments, benchmarking, and baselining. We discuss the cross correlation of the US DOD’s (DISA) STIGs (Security Technical Implementation Guides) and CIS Benchmarks and assessing it using Secure Content Assessment Protocol (SCAP). A discussion about golden images ensues and we discuss methods for patching golden images. We discuss vulnerability scanning versus assessment, mobile vulnerabilities, and scanning strategies. Finally, we discuss the importance of limiting who has administrative privileges and when they should be used.

ABOUT BRIAN

Critical Security Controls: Part 1 (with Brian Ventura) — Brian Ventura

Brian has 20+ years in Information Technology, ranging from systems administration to project management and information security. He is an Information Security Architect in Portland, Oregon and volunteers as the Director of Education for the Portland ISSA Chapter. Brian holds his CISSP and GCCC, as well as other industry certifications. As the Director of Education, Brian coordinates relevant local and online training opportunities.

CONTACTING BRIAN:

Twitter: @brianwifaneye

Brian’s SANS Instructor Profile

Brian’s SANS Courses:

SEC440: Critical Security Controls: Planning, Implementing and Auditing (2 day course in Pittsburgh, PA: February 1 and 2, 2017)

SEC566: Implementing and Auditing the Critical Security Controls – In-Depth (5 day course in Seattle, WA: February 6 through 10, 2017)

Links to Resources mentioned:

Australian Signals Directorate 35 Strategies to Mitigate Cyber Intrusions

CSA Treacherous 12 (PDF)

OWASP Top 10

OWASP ASVS 3.0 (PDF)

National Cyber Security Awareness Month (Stay Safe Online)

CIS Critical Security Controls

Thanks for stopping by and checking out our podcast. We would appreciate if you could subscribe (assuming you like what you hear; we think you will). This is meant to be informative and to provide value to anyone who listens – regardless of their knowledge and/or understanding of IT/Cybersecurity. To learn more about us, check out our “About Us” page.

Enter your email address:

Delivered by FeedBurner