Archive for security controls
You are browsing the archives of security controls.
Security controls are functions, counter-measures, processes, safeguards and other efforts to minimize any potential impact from security risks. Security controls come in many different forms and categories: Policy and procedures – define ways to do things, establish methodologies for processes Proactive/Preventive controls – attempt to prevent security events from occurring Monitoring/Detection controls – establish ways [...]
The NIST PM control family is a set of security controls that were added to the NIST SP 800-53 catalog of controls in version 3. These controls are fundamental and foundational and need to be established early in the System Development Life Cycle (SDLC). They lay the groundwork for processes that are critical to information [...]
Here’s a simplified plan to use a configuration management process to lock down your key network components: Know everything on your network – having a good inventory is prerequisite to everything else. If you don’t know what’s on your network, you can’t defend it or fix it. If you don’t know what state it’s in, [...]
Cyber strategies continually evolve as the state of the art changes rapidly. Long ago and far away, the attackers just wanted to deface web pages, but that is no longer true. From Advanced Persistent Threats (APT) to Stuxnet, the attackers are now far more organized, experienced and sophisticated. Our defensive strategies must evolve to match [...]
FOOTBALL In football (and other sports) the gameplan is an important part of success. How well the gameplan is implemented on the field will determine the final score, but with a flawed gameplan, performance may become irrelevant. Football organizations may use groups of scouts and coaches and spend weeks performing an analysis of their upcoming [...]
Continuous monitoring is about keeping an ongoing watch on how well your security controls are doing their job. NIST introduced this idea back in 2004 when they were also evangelizing about the Authorization process, then known as Certification and Accreditation (or C&A). By law (FISMA), NIST supplies federal organizations with security guidance, which can be [...]
This matrix is a map that correlates attackers' methodology with NIST 800-53 security controls: ATTACK METHODOLOGY/CONTROL Recon General/Google RA-3 RISK ASSESSMENT – you can only reduce exposure and can never “stop” general reconnaissance, but you damn well better know what you’re defending before the attacker starts to find out Network scanning CM-7 LEAST FUNCTIONALITY – [...]
The new revision of NIST SP 800-53 (rev3) is now in FINAL Public Draft (FPD) and should be published in final form soon. When NIST moves a draft document from IPD status to FPD status, the changes are often few as the document is nearly ready for final publishing. In this case, however, the changes [...]
A new version of 800-53 (revision 3) is in Initial Public Draft (IPD) and available for comments on the NIST web site. [note - IPD means the document is in "draft" mode while NIST collects comments from the public and incorporates them into changes/corrections before releasing the document in a final form, usually many months [...]
Each of the seventeen families of security controls found in 800-53 contains a first control that requires the development of policy and procedures for that specific family of controls. Here is an example from the PL family: 800-53 security control PL-1 SECURITY PLANNING POLICY AND PROCEDURES Control: The organization develops, disseminates, and periodically reviews/updates: (i) [...]