Resources

Blog

CIS Control 06: Access Control Management

CIS Control 6 merges some aspects of CIS Control 4 (admin privileges) and CIS Control 14 (access based on need to know) into a single access control management group. Access control management is a critical component in maintaining information and system security, restricting access to assets based on role and need. It is important to grant, refuse,...
Blog

CIS Control 05: Account Management

Knowing who has credentials, how those credentials are granted, and how they are being used is the foundation of any secure environment. It begins with user accounts and the credentials they use. Maintaining a thorough inventory of all accounts and verifying any changes to those accounts as authorized and intentional vs unintended is paramount to...
Blog

CIS Control 04: Secure Configuration of Enterprise Assets and Software

Key Takeaways for Control 4 Most fresh installs of operating systems or applications come with pre-configured settings that are usually insecure or not properly configured with security in mind. Use the leverage provided by multiple frameworks such as CIS Benchmarks or NIST NCP to find out if your organization needs to augment or adjust any...
Blog

CIS Control 03: Data Protection

For many years, there was a wide misunderstanding that encrypting some data is equivalent to protecting that data. If it’s encrypted, so the thinking goes, nobody else could access it, and it is therefore safe. While it is critical to encrypt data at rest as well as in transit, the job of protecting data goes much deeper. Encryption can mitigate...
Blog

CIS Control 02: Inventory and Control of Software Assets

Today, I will be going over CIS Control 2 from version 8 of the top 18 CIS Controls – Inventory and Control of Software Assets. Version 7 of CIS Controls had 10 requirements, but in version 8, it's simplified down to seven safeguards. I will go over those safeguards and offer my thoughts on what I’ve found. Key Takeaways for Control 2 ...
Blog

CIS Control 01: Inventory and Control of Enterprise Assets

Since 2008, the CIS Controls have been through many iterations of refinement and improvement, leading up to what we are presented with today in CIS Controls version 8. CIS Controls reflect the combined knowledge of experts from every part of the ecosystem (companies, governments, and individuals). The controls reflect consideration by people in many...
Blog

What’s New in v8 of the CIS Controls

Back in 2018, the State of Security spent a lot of time going over v7 of the Center for Internet Security’s Critical Security Controls (CIS Controls). We noted at the time how the Center for Internet Security shuffled the order of requirements for many of the existing controls in that version. It also cleaned up the language of the CIS Controls,...
Blog

Mind the GAAP: A Lens for Understanding the Importance of the CIS Controls

Given that attacks are only increasing and there needs to be greater efficacy in how companies protect themselves, let us reference how the financial industry has created and relies on a body of standards to address issues in financial accounting as a defined comparison for Information Security. To support this argument, there is a defined contrast...
Blog

How Tripwire Can Help U.S. Federal Agencies Implement the CIS Controls

Digital attackers are increasingly launching sophisticated campaigns in an effort to target U.S. federal agencies and other organizations. Two recent examples demonstrate this reality. These are the SolarWinds supply chain attack and the HAFNIUM Exchange exploit campaign. The SolarWinds Supply Chain Attack In mid-December 2020, the security...
Blog

PCI DSS 4.0 Is Coming – Are You Ready?

Ransomware today is a billion-dollar industry. It’s crippled industries like healthcare. In 2017, for instance, WannaCry brought much of the United Kingdom’s National Health Service to its knees using the EternalBlue exploit. It was just a few weeks later when the NotPetya ransomware strain leveraged that same vulnerability to attack lots of...
Blog

Steps for PCI DSS Gap Analysis

Complying with Standards drawn by the Payment Card Industry Security Standards Council can be complicated and time-consuming. But, with a PCI DSS Gap Analysis, the process becomes a lot easier, streamlined, and less exhaustive. PCI Gap Analysis is the first step towards the Compliance process. The assessment provides details on your current security...
Blog

A Checklist for Preparing for Your Organization's Next PCI Audit

Organizations cannot afford to neglect their PCI compliance obligations. According to its website, PCI could punish offending organizations with a monetary penalty ranging in value from $5,000 to $100,000 per month. These fines could spell the end for a small business. Acknowledging those consequences, organizations need to make sure they’re PCI...
Blog

The Perimeter Really Is Gone - CIS Controls and COVID-19 with Tony Sager

Tony Sager, Senior Vice President and Chief Evangelist at CIS (Center for Internet Security) joins us to discuss the best approaches to the changing security landscape in the wake of COVID-19. Tony is a lifelong defender, with more than 44 years of experience. He spent most of his career at the NSA and now leads the development of the CIS Controls,...
Blog

Cybersecurity in Education (K-12) with the CIS Controls

Why is cybersecurity important to Education? Acknowledging recent reports of ransomware targeting educational institutions, it is no wonder that there have also been articles that attempt to lure in readers with “free” tools. What is disappointing is that these “free” tools are little more than marketing pieces that direct you to click on readily...
Blog

Verizon’s 2019 Payment Security Report – Not Just for PCI

If you are responsible for cybersecurity or data protection in your organization, stop what you are doing and read this report. Actually, first, go patch your servers and applications and then read this report. Much like Verizon’s Data Breach Investigations Report (DBIR), the Payment Security Report (PSR) is a must-read for security professionals. While it focuses on the PCI DSS standard and...
Blog

Strong Customer Authentication: A Vehicle for PCI-DSS Compliance

Payment services that operate electronically should adopt technologies that guarantees the safe authentication of the user and reduces, to the maximum extent possible, the risk of fraud. In order to achieve this, the European Union in 2007 passed the Payment Services Directive (PSD). The aim of this legislation is to regulate payment services and...
Blog

A Beginner’s Guide to PCI Compliance

PCI DSS, or the Payment Card Industry Data Security Standard, is the set of requirements for organizations who process card payments. Sounds simple enough, right? But PCI compliance can pose a major challenge to organizations if they’re not equipped with the proper knowledge and tools. Let’s take a quick look at the basics of PCI compliance, what...
Blog

How the CIS Controls Can Help You Achieve PCI DSS 3.2 Compliance

Compliance with version 3.2 of the Payment Card Industry Data Security Standard (PCI DSS) is a must for organizations that handle, process, transmit and store payment card data. But compliance isn’t always easy to establish or maintain. Indeed, there are certain challenges along the way that can make organizations’ compliance with PCI DSS 3.2...
Blog

PCI DSS Version 3.2.1 Published by PCI Security Standards Council

The Payment Card Industry Security Standards Council (PCI SSC) published a minor revision to version 3.2 of its Data Security Standard (PCI DSS). On 17 May, PCI SSC published PCI DSS version 3.2.1. The purpose of the update was to clarify organizations' use of the Standard and when they would need to upgrade their use of common cryptographic...
Blog

3 Key Challenges To Being PCI 3.2 Compliant and How To Resolve Them

The latest revision to PCI DSS, PCI 3.2, provides specific security guidance on the handling, processing, transmitting and storing of credit card data. PCI 3.2 presents an opportunity for retail, healthcare, finance and hospitality organizations to minimize the theft, exposure and leakage of their customer’s personal and financial credit information...