Since 2008, the CIS Controls have been through many iterations of refinement and improvement leading up to what we are presented with today in CIS Controls version 8.1.CIS Controls reflect the combined knowledge of experts from every part of the ecosystem (companies, governments, and individuals). The controls reflect consideration by people in many different roles, such as threat analysts,...

In today’s dynamic IT environments, securing and maintaining the integrity of your systems is critical. Fortra’s Tripwire Enterprise is a robust tool designed to help organizations ensure compliance and security by continuously monitoring the configuration and behavior of their IT assets.When deploying Tripwire, a common question arises: should you prioritize monitoring applications, operating...

Modern factories are increasingly relying on Industrial Internet of Things (IIoT) solutions. This shift is beneficial in many regards, including higher efficiency and transparency, but it also introduces unique cybersecurity concerns. Better vulnerability management for IIoT systems is essential if companies hope to make the most of this technology.The White House’s 2024 cybersecurity report named...

Today, I will be going over Control 2 from version 8.1 of the top 18 CIS Controls – Inventory and Control of Software Assets. I will go over the seven safeguards and offer my thoughts on what I’ve found.Key Takeaways for Control 2Reusability. The tools that were mentioned in Control 1 will be used in Control 2 as well. Reusing tools that accomplish goals for both Controls 1 and 2 can help cut...

The cyber threat to critical infrastructure has never been greater. The growing sophistication of cybercriminals, deteriorating geopolitical relations, and the convergence of operational technology (OT) and information technology (IT) have created unprecedented risks for critical infrastructure organizations. Fortunately, resources are available to help these organizations protect themselves.In...

Key Takeaways for Control 3At the heart of a strong data management plan is awareness surrounding the 'Five Ws' of the enterprise's data:What data does the enterprise store or handle?Who should have access to it?Where is it stored or accessed?When should it be deleted?Why does it need protection?A comprehensive data management plan incorporates the answers to these questions with policy decisions...

Data breaches continue to cost organizations millions of dollars each year, with costs rising steadily. According to IBM's 2024 Cost of a Data Breach Report, the average cost of a data breach has surged to $4.88 million globally, reflecting the increasing complexity and sophistication of cyberattacks. In the United States, this figure is even higher, averaging $9.8 million per breach, and the...

Key Takeaways for Control 4Most fresh installs of operating systems or applications come with preconfigured settings that are usually insecure or not properly configured with security in mind. Use the leverage provided by multiple frameworks such as CIS Benchmarks or NIST NCP to find out if your organization needs to augment or adjust any baselines to become better aligned with the policies your...

In the early part of 2024, the Center for Internet Security (CIS) released the latest version of the well-respected Critical Security Controls (CSC). The new version, 8.1, adds contours to the prior versions, making it more comprehensive and timely in today’s challenging cybersecurity environment.The CIS CSC has been a valued source of guidance for many organizations since its initial release in...

The Transportation Security Administration (TSA) has proposed new rules requiring those under its jurisdiction to follow specific cyber risk management (CRM) requirements, report cybersecurity incidents in a certain timeframe, and address physical security concerns.This is positive news for the transportation industry, as hundreds of attacks have been leveled against the sector. These attacks have...

The Turkish government is proposing a controversial new cybersecurity law that could make it a criminal act to report on data breaches. The new legislation proposes penalties for various cybersecurity-related offences. But they key one which has people concerned is this:"Those who carry out activities aimed at targeting institutions or individuals by creating the perception that there has been a...

Knowing who has credentials, how those credentials are granted, and how they are being used is the foundation of any secure environment. It begins with user accounts and the credentials they use. Maintaining a thorough inventory of all accounts and verifying any changes to those accounts as authorized and intentional vs unintended is paramount to establishing a secure environment, and this...

CIS Control 6 merges some aspects of CIS Control 4 (admin privileges) and CIS Control 14 (access on a need-to-know basis) into a single access control management group. Access control management is a critical component in maintaining information and system security, restricting access to assets based on role and need. It is important to grant, refuse, and remove access in a standardized, timely,...

When it comes to cybersecurity, vulnerability management is one of the older technologies that still play a critical role in securing our assets. It is often overlooked, disregarded, or considered only for checkbox compliance needs, but a proper vulnerability management program can play a critical role in avoiding a series of data breaches.CIS Control 07 provides the minimum requirements and table...

As we enter 2025, the frequency and sophistication of cyberattacks on critical national infrastructure (CNI) in the US are rising at an alarming rate. These attacks target the foundational systems that support everything from energy and water to transportation and communications, and the consequences are far-reaching and potentially catastrophic. They impact not just the operations of these...

While Exponential Organizations (ExOs) are transforming industries beyond the tech space, that doesn’t mean that they are not susceptible to an increasing number of cyber threats. As ExOs harness innovative and cutting-edge technologies to drive transformative growth, the ability to respond effectively and proactively to cyber incidents becomes increasingly vital. Recent statistics from the 2024...

Audit logs provide a rich source of data critical to preventing, detecting, understanding, and minimizing the impact of network or data compromise in a timely manner.Collection logs and regular reviews are useful for identifying baselines, establishing operational trends, and detecting abnormalities. In some cases, logging may be the only evidence of a successful attack.CIS Control 8 emphasizes...

London is one of the smartest and most interconnected cities in the world. Digital infrastructure plays a role in almost every facet of society, streamlining public transport, improving healthcare provision, boosting sustainability, and more.However, this reliance on technology has left London’s critical national infrastructure (CNI) perilously vulnerable to digital attacks. As geopolitical...

Web browsers and email clients are used to interact with external and internal assets. Both applications can be used as a point of entry within an organization. Users of these applications can be manipulated using social engineering attacks. A successful social engineering attack needs to convince users to interact with malicious content. A successful attack could give an attacker an entry point...

With the continuing rise of ransomware, malware defenses are more critical than ever before with regard to securing the enterprise. Anti-Malware technologies have become an afterthought in many organizations, a technology that they’ve always had, always used, and never really thought about. This control serves as a reminder that this technology is as critical as it ever was and lays out the...