Resources

Blog

CIS Control 12: Network Infrastructure Management

Networks form a critical core for our modern-day society and businesses. These networks are comprised of many types of components that make up the networks’ infrastructure. Network infrastructure devices can be physical or virtual and include things such as routers, switches, firewalls, and wireless access points. Unfortunately, many devices are shipped from manufacturers with “default”...
Blog

CIS Control 13: Network Monitoring and Defense

Networks form a critical core for our modern-day society and businesses. People, processes, and technologies should be in place for monitoring, detecting, logging, and preventing malicious activities that occur when an enterprise experiences an attack within or against their networks.Key Takeaways for Control 13Enterprises should understand that their systems and networks are never perfectly...
Blog

CIS Control 14: Security Awareness and Skill Training

Users who do not have the appropriate security awareness training are considered a weak link in the security of an enterprise. These untrained users are easier to exploit than finding a flaw or vulnerability in the equipment that an enterprise uses to secure its network. Attackers could convince unsuspecting users to unintentionally provide access to the enterprise network or expose sensitive...
Blog

CIS Control 15: Service Provider Management

Enterprises today rely on partners and vendors to help manage their data. Some companies depend on third-party infrastructure for day-to-day operations, so understanding the regulations and protection standards that a service provider is promising to uphold is very important.Key Takeaways from Control 15Identify your business needs and create a set of standards that can be used to grade service...
Blog

CIS Control 16: Application Software Security

The way in which we interact with applications has changed dramatically over the years. Enterprises use applications in day-to-day operations to manage their most sensitive data and control access to system resources. Instead of traversing a labyrinth of networks and systems, attackers today see an opening to turn an organization's application against it to bypass network security controls and...
Blog

CIS Control 17: Incident Response Management

We all know that it is a question of when you will be compromised and not if you will be compromised. It is unavoidable. The goal of CIS Control 17 is to ensure that you are set up for success when that inevitable breach occurs. If an organization is neither equipped nor prepared for that potential data breach, they are not likely to succeed in responding to the threat.Key TakeawaysOne takeaway...
Blog

CIS Control 18: Penetration Testing

Penetration testing is something that more companies and organizations should be considering as a necessary expense. I say this because, over the years, the cost of data breaches and other forms of malicious intrusions and disruptions are getting costlier. Per IBM Security’s “Cost of a Data Breach Report 2024,” the average cost of a breach has increased 10% year over year, with the healthcare...
Blog

How to Spot a Winning NERC CIP Project

The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) regulations often make exacting demands of Fortra Tripwire's customers, requiring them to update or create new change processes and document those processes in order to comply. In any NERC CIP-centered IT\OT project, there are always crucial indicators of success - even before the project gets...
Blog

Resolving Top Security Misconfigurations: What You Need to Know

One of the most common factors that can lead to cybersecurity incidents is a security misconfiguration vulnerability in software or application settings. The default settings that come with the implementation of these tools and solutions are often not configured securely, and many organizations do not invest the time and resources into ensuring that...
Blog

Expert Insight for Securing Your Critical Infrastructure

At Tripwire's recent Energy and NERC Compliance Working Group, we had the opportunity to speak with the Manager of Gas Measurement, Controls, & Cybersecurity at a large energy company. More specifically, we focused on SCADA and field assets of gas Operational Technology. The experience at the management level of such an organization provided a wealth...
Blog

Tips for Achieving Success With a NERC CIP Audit

Electrical utilities are responsible for just about everything we do. This presents a tremendous burden on those who operate those utilities. One way these organizations offer assurance is through the audit process. While audits can generate tremendous anxiety, good planning, and tools can help make the entire process go smoothly. Moreover, these...
Blog

Guarding the Grid: Navigating the Current and Future Landscape of Utility Cybersecurity

Tripwire recently held its annual Energy and NERC Compliance Working Group. This year's attendees included more than 200 Tripwire customer utility personnel representing over 80 different registered entities from all across the US and Canada. The company sizes ranged from public utility districts and city municipalities to medium and larger-sized...
Blog

What is NERC? Everything you need to know

What is NERC?NERC stands for North American Electric Reliability Corporation. It is the organization behind ensuring the security and reliability of electric grids, and the NERC Critical Infrastructure Protection (CIP) reliability standard is the tool that provides responsible entities with the processes to achieve a crucial mandate: secure the...
On-Demand Webinar

Expert Compliance Automation Tips for Financial Services

Cybersecurity compliance standards like the Payment Card Industry Data Security Standard (PCI DSS) and Society for Worldwide Interbank Financial Telecommunications (SWIFT) do an excellent job of hardening systems against breaches. This is especially important in the financial services sector, a common target for cybercriminals. This on-demand webinar presented by Senior Solutions Engineer Dan...
On-Demand Webinar

ATT&CKing the Center for Internet Security

From the Critical Security Controls to the Community Defense Model, CIS has provided plenty of mappings that show how knowledge from MITRE ATT&CK can be integrated with their offerings. Last year, CIS went a step further, integrating mappings from MITRE ATT&CK into their Benchmarks. This provides a wealth of information to defenders, but too much information can sometimes lead to information...
Blog

Shifting Left with SAST, DAST, and SCA: Advanced Best Practices

In the past, teams incorporated security testing far after the development stage of the Software Development Lifecycle (SDLC). Security testing would influence whether the application would to proceed to production, or get passed back to the developers for remediation.This process caused delays while teams worked on remediation or, worse yet, it...
On-Demand Webinar

How to Balance NERC CIPv6 vs. CIPv5 Compliance (and Why it Matters)

The extension of the NERC CIPv5 deadline to July 2016 means that registered entities have gained a small window of time for their compliance projects, but they now face a combined compliance deadline for CIPv5 and CIPv6 in July. Join Nick Santora, CEO of Curricula, and Tim Erlin, Director of IT Risk & Security Strategist at Tripwire, for a discussion on the potential impact of CIPv6 on your...
Guide

Physical Cybersecurity: ICS Attack Scenarios and CIP-007 R1

The premise of a January 27, 2015, article by CNBC is that there is good evidence that a cyber attack against nearly any country’s critical infrastructure could be imminent. This kind of reporting has become so commonplace, but this doesn’t seem like just more FUD (fear, uncertainty, and doubt) journalism. ...
Guide

Meeting Multiple Compliance Objectives Simultaneously With the CIS Controls

The CIS Controls are a set of recommendations comprised of controls and benchmarks. They are intended to serve as a cybersecurity “best practice” for preventing damaging attacks. The recommendations are meant to provide a holistic approach to cybersecurity and to be effective across all industries. Adhering to them serves as an effective foundation for any organization’s security and compliance...