Information Security Resources

This site is dedicated to increasing security awareness among the general population and the technology community. It should be of interest to technologists, information security professionals and business management.

Direct access to security resources makes this site unique. Within a few clicks, you should have access to what you are looking for. If you can't find what you need, feel free to contact me.

The resources listed on this site are updated roughly quarterly. To keep current, consider subscribing to Gideon's InfoSec List. The list's primary focuses are security resources, security news, industry trends and vulnerabilities. The list can be followed via Twitter, the list website or e-mail.

This site does not accept sponsors or donations of any kind.


Security Awareness Programs

NIST 800-50: Security Awareness and Training Program
This NIST publication provides detailed guidance on designing, developing, implementing, and maintaining an awareness and training program within an agency's IT security program.

ENISA: A Users' Guide: How to Raise Information Security Awareness
This document illustrates the main processes necessary to plan, organise and run information security awareness raising initiatives: plan & assess, execute & manage, evaluate & adjust. Each process is analysed and time-related actions and dependencies are identified. The process modelling presented provides a basis for "kick-starting" the scoping and planning activities as well as the execution and assessment of any programme. The Guide aims to deliver a consistent and robust understanding of major processes and activities among users.

NIST 800-16: Information Technology Security Training Requirements (188 pages)
The overall goal for use of this document is to facilitate the development or strengthening of a comprehensive, measurable, cost-effective IT security program which supports the missions of the organization and is administered as an integral element of sound IT management and planning. Protecting the value of an organization's information assets demands no less. This approach allows senior officials to understand where, in what way, and to what extent IT-related job responsibilities include IT security responsibilities, permitting the most cost-effective allocation of limited IT security training resources.
Appendix A-D      Appendix E

Building a Security Awareness Program - CyberGuard
Hackers, worms and viruses grab the headlines, but the real threat often comes not from outside the organization but within. Social engineering and unhappy employees pose very real risks to network security. How do you address the problem? This article offers a practical approach to setting up an effective security awareness program that gets everyone in the organization on board.

Security Awareness Toolbox - The Information Warfare Site
The Security Awareness Toolbox contains many useful documents and links. The Main Documents section was contributed by Melissa Guenther. The Toolbox is a rich source of awareness material.

SANS Reading Room - Security Awareness Section
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large.

University of Arizona Security Awareness Page
The UA security awareness site contains awareness presentations, videos and posters. It's a good site to explore.

IIA Tone at the Top Awareness Newsletter
Mission: To provide executive management, boards of directors, and audit committees with concise, leading-edge information on such issues as risk, internal control, governance, ethics, and the changing role of internal auditing; and guidance relative to their roles in, and responsibilities for the internal audit process.


Security Awareness Tips

Stop.Think.Connect.
The Stop.Think.Connect. Campaign is a national public awareness campaign aimed at increasing the understanding of cyber threats and empowering the American public to be safer and more secure online. Cybersecurity is a shared responsibility. We each have to do our part to keep the Internet safe. When we all take simple steps to be safer online, it makes using the Internet a more secure experience for everyone.

StaySafeOnline
The Internet is a powerful and useful tool, but in the same way that you shouldn't drive without buckling your seat belt or ride a bike without a helmet, you shouldn't venture online without taking some basic precautions.

National Institute for Cybersecurity Studies (NICS)
To make cybersecurity materials more readily available, the government developed NICS. It serves as a national resource for government, industry, academia, and the general public to learn about cybersecurity awareness, education, careers, and workforce development opportunities.

SANS Securing The Human Program
The SANS Securing The Human Program provides everything your organization needs for an effective security awareness program. This site includes free resources to make your security awareness program a success, including project plans, awareness surveys and execution checklists.

Cyber Security Tips - US-CERT
Cyber Security Tips describe common security issues and offer advice for non-technical home and corporate computer users. Although each one is restricted to a single topic, complex issues may span multiple tips. Each tip builds upon the knowledge, both terminology and content, of those published prior to it.

Cyber Security Alerts - US-CERT
Cyber Security Alerts provide timely information about current security issues, vulnerabilities, and exploits. They are released in conjunction with Technical Cyber Security Alerts when there is an issue that affects the general public. Cyber Security Alerts outline the steps and actions that non-technical home and corporate computer users can take to protect themselves from attack.

Security Awareness Tips - Gideon T. Rasmussen
Security tips are a key component of any awareness program. They should advise of best practices and reinforce policy. These tips are written with the average person as the intended audience. The site randomly displays information security tips. Companies can use it internally to educate their user community. The site and script are free to download.


Security Awareness Posters

Information Assurance Awareness Posters - Information Warfare Site
These awareness posters were provided as a courtesy by Keesler Air Force Base. You may download the posters and submit them to your graphics department to tailor to your organization's specifications. This page includes links to posters on other sites as well.


Information Security Program

NIST Special Publication 800-100: Information Security Handbook: A Guide for Managers
This Information Security Handbook provides a broad overview of information security program elements to assist managers in understanding how to establish and implement an information security program.
The purpose of this publication is to inform members of the information security management team [agency heads, chief information officers (CIO), senior agency information security officers (SAISO), and security managers] about various aspects of information security that they will be expected to implement and oversee in their respective organizations. This handbook summarizes and augments a number of existing National Institute of Standards and Technology (NIST) standard and guidance documents and provides additional information on related topics.

RFC 2196 - Site Security Handbook
This handbook is a guide to developing computer security policies and procedures for sites that have systems on the Internet. The purpose of this handbook is to provide practical guidance to administrators trying to secure their information and services. The subjects covered include policy content and formation, a broad range of technical system and network security topics, and security incident response.

SANS Top 20 Security Risks
The SANS Top 20 is a consensus list of vulnerabilities that require immediate remediation. It is the result of a process that brought together dozens of leading security experts. They come from the most security-conscious government agencies in the UK, US, and Singapore; the leading security software vendors and consulting firms; the top university-based security programs; the Internet Storm Center, and many other user organizations.

SANS S.C.O.R.E.
SCORE is a cooperative effort between SANS/GIAC and the Center for Internet Security (CIS). SCORE is a community of security professionals from a wide range of organizations and backgrounds working to develop consensus regarding minimum standards and best practice information, essentially acting as the research engine for CIS. After consensus is reached and best practice recommendations are validated, they may be formalized by CIS as best practice and minimum standards benchmarks for general use by industry at large.

NSA IATRP - INFOSEC Assurance Capability Maturity Model (IA-CMM)
Use of the NSA IA-CMM increases an organization’s capability to provide ongoing support and confidence that its technical work force is performing according to an established and mature INFOSEC Assurance process. The goal is to gain relative assurance that the INFOSEC Assurance process is consistent and repeatable over time.

Critical Information Infrastructure Protection Handbook - CRN Publications (Free)
The CIIP Handbook focuses on national governmental efforts to protect critical (information) infrastructure (CII). The overall purpose of the handbook is to provide an overview of CII protection practices in an increasingly broad range of countries. For each of the 25 countries and 7 international organizations the paper identifies critical sectors, related initiatives and policies and the organizational structure. Furthermore, it looks at early warning and public outreach and reviews law and legislation.

Implementing Information Security: Risks vs. Cost - CyberGuard
Whether your organization is large or small, a thorough, detailed information security plan should be part of your security formula. This article provides some useful information on implementing a viable plan that not only complies with government regulations, but also eliminates costly threats.

ISSA: Generally Accepted Information Security Principles (GAISP) (60 pages)
GAISP's goal is to collect information security principles that have been proven in practice and accepted by practitioners, and to document those principles in a single repository – hence the name, Generally Accepted Information Security Principles. GAISP draws upon established security guidance and standards to create comprehensive, objective guidance for information security professionals, organizations, governments, and users.

Australian DSTO: A Survey of Techniques for Security Architecture Analysis
This technical report is a survey of existing techniques which could potentially be used in the analysis of security architectures. The report has been structured to section the analysis process over three broad phases: the capture of a specific architecture in a suitable representation, discovering attacks on the captured architecture, and then assessing and comparing different security architectures. Each technique presented in this report has been recognised as being potentially useful for one phase of the analysis.


Security Metrics

NIST: SP 800-55: Performance Measurement Guide for Information Security
This document is a guide to assist in the development, selection, and implementation of measures to be used at the information system and program levels. These measures indicate the effectiveness of security controls applied to information systems and supporting information security programs. Such measures are used to facilitate decision making, improve performance, and increase accountability through the collection, analysis, and reporting of relevant performance-related data, providing a way to tie the implementation, efficiency, and effectiveness of information system and program security controls to an agency's success in achieving its mission.

Corporate Information Security Working Group: Report of the Best Practices and Metrics Teams
The Corporate Information Security Working Group (CISWG) was originally convened in November 2003 by Representative Adam Putnam (R-FL). The Best Practices team surveyed available information security guidance. It concluded in its March 2004 report that much of this guidance is expressed at a relatively high level of abstraction and is therefore not immediately useful as actionable guidance without significant and often costly elaboration. In a subsequent phase convened in June 2004, the Best Practices and Metrics teams were charged with refining Information Security Program Elements and developing recommended Metrics supporting each of the elements. This report is the result of that effort and represents a resource that will help Board members, managers, and technical staff establish their own comprehensive structure of principles, policies, processes, controls, and performance metrics to support the people, process, and technology aspects of information security.

Dan Geer's Measuring Security Tutorial
Dan Geer's Measuring Security Tutorial is a valuable metrics resource. At 346 pages, it contains a wealth of quotes, observations, methodologies and techniques for defining and generating metrics.

NISTIR 7564 - Directions in Security Metrics Research
More than 100 years ago, Lord Kelvin insightfully observed that measurement is vital to deep knowledge and understanding in physical science. During the last few decades, researchers have made various attempts to develop measures and systems of measurement for computer security with varying degrees of success. This paper provides an overview of the security metrics area and looks at possible avenues of research that could be pursued to advance the state of the art.

Center for Internet Security: Consensus Information Security Metrics
Organizations struggle to make cost-effective security investment decisions, in part because information security professionals lack widely accepted, unambiguous metrics for supporting their decisions. To address the need for clear security metrics, CIS established a consensus group of industry experts. The result? A set of Consensus Security Metrics and data set definitions that can be used across organizations to collect and analyze data on security outcomes and process performance.


Operating System Hardening

Benchmarking Tools - The Center For Internet Security
The CIS vulnerability assessment tools provide a quick way to evaluate systems and networks, comparing their security configurations against the CIS benchmark hardening standards. They automatically create reports that guide users and system administrators to secure both new installations and production systems. CIS tools are also effective for monitoring systems to assure that security settings continuously conform with CIS Benchmark configurations. CIS offers tools and benchmark standards for Windows, Solaris, Linux, HP-UX, Cisco IOS and Oracle databases.
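The tools above compare a live configuration against a benchmark and report each setting as conforming or not. The following is an added example, not CIS code and not the content of any CIS benchmark: it evaluates a constructed sshd_config against a handful of illustrative checks. The keywords, accepted values and assumed defaults in CHECKS are assumptions for illustration, chosen to show two things a practitioner needs a benchmark tool to get right: a keyword absent from the file takes the daemon's default rather than "passing" silently, and sshd honours the first occurrence of a keyword, so a hardened line appended below an earlier weak one changes nothing.

```python
"""Minimal configuration-benchmark check (added example; not the CIS tools
or benchmark content).

The checks below are illustrative assumptions, not CIS benchmark items, and
the assumed defaults are those of recent OpenSSH; confirm them against the
installed version before relying on them.
"""

# Constructed sample sshd_config. Note the duplicated MaxAuthTries: sshd
# uses the FIRST value it reads, so the later "3" is inert.
SAMPLE_SSHD_CONFIG = """\
# constructed sample for illustration
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PasswordAuthentication no
MaxAuthTries 10
MaxAuthTries 3
X11Forwarding no
"""

# (keyword, accepted values, default assumed when the keyword is absent)
CHECKS = [
    ("permitrootlogin", {"no"}, "prohibit-password"),
    ("passwordauthentication", {"no"}, "yes"),
    ("maxauthtries", {"1", "2", "3", "4"}, "6"),
    ("x11forwarding", {"no"}, "no"),
    ("permitemptypasswords", {"no"}, "no"),
]


def parse_sshd_config(text):
    """Map keyword -> effective value, keeping only the first occurrence
    (sshd's first-match rule). Keywords are case-insensitive; comments and
    blank lines are ignored; 'Keyword value' and 'Keyword=value' both parse."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def run_checks(text, checks=CHECKS):
    """Return (keyword, effective value, 'config'|'default', passed) per check."""
    settings = parse_sshd_config(text)
    results = []
    for key, allowed, default in checks:
        present = key in settings
        actual = settings[key] if present else default
        source = "config" if present else "default"
        results.append((key, actual, source, actual.lower() in allowed))
    return results


def failing_checks(text, checks=CHECKS):
    """Keywords whose effective value is outside the accepted set."""
    return [key for key, _, _, ok in run_checks(text, checks) if not ok]


if __name__ == "__main__":
    for key, actual, source, ok in run_checks(SAMPLE_SSHD_CONFIG):
        print(f"{'PASS' if ok else 'FAIL'}  {key:<24} {actual:<18} ({source})")
```

A real benchmark tool additionally has to resolve Match blocks, Include directives and the version-specific default table; the point here is the evaluation rule, not the catalogue of checks.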

Security Recommendation Guides - National Security Agency
NSA provides hardening standards for Apple iOS, Linux, Microsoft Windows and Sun Solaris.


Physical Security

GAO Technologies to Secure Federal Buildings (72 pages)

U.S. Army - Physical Security - FM 3-19.30 (317 pages)

Sun Microsystems Data Center Site Planning Guide (106 pages)


Security Policy Templates

SANS Security Policy Project

WindowSecurity.com Policy & Standards - Internet Security Policy


Information Security Control Frameworks

ISACA - COBIT IT Standard for IT Security and Control Practices
COBIT has been developed as a generally applicable and accepted standard for good Information Technology (IT) security and control practices that provides a reference framework for management, users, and IS audit, control and security practitioners.

ISACA - IT Control Objectives for Sarbanes-Oxley Final Document
This document issued by the ITGI reflects the latest thinking on this increasingly global topic. Based on COBIT control objectives, the authors have designed this publication as an educational resource primarily for IT control professionals, but CIOs, IT management and assurance professionals will find the information vitally important and beneficial as well.

NIST SP 800-53: Recommended Security Controls for Federal Information Systems (188 pages)
The purpose of this publication is to provide guidelines for selecting and specifying security controls for information systems supporting the executive agencies of the federal government. The guidelines apply to all components of an information system that process, store, or transmit federal information.
Baseline controls - low      Baseline controls - medium      Baseline controls - high

Common Criteria for IT Security Evaluation (CC)
The Common Criteria defines a language for defining and evaluating information technology security systems and products. The framework provided by the Common Criteria allows government agencies and other groups to define sets of specific functional and assurance requirements, called protection profiles.


Information Security Standards

ISO 27002 (formerly ISO 17799)
ISO 27002 is intended to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used in industry and commerce, and to be used by large, medium and small organizations.

PCAOB Auditing Standard No. 5: An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements
This standard establishes requirements and provides direction that applies when an auditor is engaged to perform an audit of management's assessment of the effectiveness of internal control over financial reporting ("the audit of internal control over financial reporting") that is integrated with an audit of the financial statements (required by Section 404(b) of the Sarbanes-Oxley Act of 2002).


Information Security Legislation

Health Insurance Portability and Accountability Act (HIPAA) 1996
HIPAA provides the first comprehensive Federal protection for the privacy of health information.

Sarbanes-Oxley Act 2002
The Sarbanes-Oxley Act mandates a number of reforms to enhance corporate responsibility, enhance financial disclosures and combat corporate and accounting fraud, and created the "Public Company Accounting Oversight Board," also known as the PCAOB, to oversee the activities of the auditing profession.

Gramm-Leach-Bliley Act (GLBA) 1999
The Gramm-Leach-Bliley Act includes provisions to protect consumers’ personal financial information held by financial institutions.


Information Security Auditing

US-CCU Cyber-Security Check List
The US Cyber Consequences Unit (CCU) has developed a Cybersecurity Checklist to help federal agencies and industry determine the possible consequences of risks posed by the current state of their IT systems; the list also offers suggestions for mitigating those risks. The list asks 478 questions about hardware, software, networks, automation, humans and suppliers. The checklist has not yet received DHS approval. CCU is funded by DHS and aims to provide the government with accurate assessments of the consequences of cyber attacks. "The new list shifts the focus from perimeter security to internal systems monitoring and maintenance".

SANS ISO 17799 Audit Checklist
This ISO 17799 checklist can be used to audit an organisation's information security posture. It does not provide vendor-specific security considerations; instead it provides a generic checklist of security considerations. It is 47 pages long. Definitely worth a look.

ISACA IS Standards, Guidelines and Procedures for Auditing and Control Professionals
IS Auditing Standards are mandatory requirements for certification holders’ reports on the audit and its findings. IS Auditing Guidelines and Procedures are detailed guidance on how to follow those standards. The IS Auditing Guidelines are guidance an IS auditor will normally follow with the understanding that there may be situations where the auditor will not follow that guidance. In this case, it will be the IS auditor's responsibility to justify the way in which the work is done. The procedure examples show the steps performed by an IS auditor and are more informative than IS Auditing Guidelines. The examples are constructed to follow the IS Auditing Standards and the IS Auditing Guidelines and provide information on following the IS Auditing Standards. To some extent, they also establish best practices for procedures to be followed.

NSA INFOSEC Assessment Methodology (IAM)
The IAM consists of a standard set of activities required to perform an INFOSEC assessment. In other words, the methodology explains the depth and breadth of the assessment activities that must be performed to be acceptable within the IATRP. The IAM "sets the bar" for what needs to be done for an activity to be considered a complete INFOSEC Assessment.

Payment Card Industry Data Security Standard
The Requirements and Security Assessment Procedures document is used to verify that a site is in compliance with the PCI Data Security Standard and to create a Report on Compliance.

Payment Card Industry Self-Assessment Questionnaires
Questionnaire D is divided into twelve sections. Each section focuses on a specific area of security, based on the requirements included in the PCI Data Security Standard.

OSSTMM - Open Source Security Testing Methodology Manual by Pete Herzog
The Open Source Security Testing Methodology Manual (OSSTMM) is an open standard methodology for performing security tests. When you use an internal testing methodology, you leverage the brain trust of a handful of security experts. The OSSTMM is powerful because it provides the collective best practices, legal, and ethical concerns of the global security testing community.

Protiviti - Guide to Internal Audit: Frequently Asked Questions About the NYSE Requirements and Developing an Effective Internal Audit Function (66 pages)
Protiviti has released the final version of its comprehensive internal audit resource guide. This publication contains 69 frequently asked questions and answers about internal audit, including details on the new NYSE internal audit rule and creating and maintaining an effective internal audit function. It also details how PCAOB Auditing Standard No. 2, which has been approved by the SEC, allows for the work of internal auditors to be relied upon to an extent by the external auditor.

Protiviti - Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements - Third Edition Updated to reflect PCAOB Auditing Standard No. 2 (189 pages)
Protiviti has revised its highly regarded resource guide on Section 404 of the Sarbanes-Oxley Act. The third edition of Protiviti's popular Section 404 publication addresses the effects of changes arising from the SEC's final rules released in June 2003, and as amended by the Commission's extension of these rules released in February 2004. It also includes a wealth of detailed information on PCAOB Auditing Standard No. 2 and its impact on Section 404 compliance efforts. In all, this comprehensive guide contains 88 new questions and well over 100 pages of new or substantially revised material.

IT Examination Handbook - FFIEC
Financial institutions protect their information by instituting a security process that identifies risks, forms a strategy to manage the risks, implements the strategy, tests the implementation, and monitors the environment to control the risks. Examiners may use this booklet when evaluating the financial institution’s risk management process, including the duties, obligations, and responsibilities of the service provider for information security and the oversight exercised by the financial institution.

Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment - IIA (44 pages)
This guide focuses on assisting Chief Audit Executives identify what must be done to make effective use of technology in support of continuous auditing and highlights areas that require further attention. It provides continuous audit guidance that will benefit the organization by significantly reducing instances of error and fraud, increasing operational efficiency, and improving bottom-line results through a combination of cost savings and a reduction in overpayments and revenue leakage.

GAO Technology Assessment - Cybersecurity for Critical Infrastructure
The GAO conducted this technology assessment on the use of cybersecurity technologies for CIP in response to a request from congressional committees. This assessment addresses the following questions: (1) What are the key cybersecurity requirements in each of the CIP sectors? (2) What cybersecurity technologies can be applied to CIP? (3) What are the implementation issues associated with using cybersecurity technologies for CIP, including policy issues such as privacy and information sharing?

BITS Financial Institution Shared Assessments Program (FISAP)
The FISAP Program is a groundbreaking new process for financial institutions to evaluate the security controls of their IT service providers.

Risk Management

Risk IT Framework and Best Practice Guidance - ISACA
Risk IT is a framework based on a set of guiding principles for effective management of IT risk. The Risk IT framework explains IT risk, allows the enterprise to make appropriate risk-aware decisions and will enable users to:

· Integrate the management of IT risk into the overall enterprise risk management (ERM) of the organization
· Make well-informed decisions about the extent of the risk, the risk appetite and the risk tolerance of the enterprise
· Understand how to respond to the risk

The Institute of Risk Management: Risk Management Standard (17 pages)
There are many ways of achieving the objectives of risk management and it would be impossible to try to set them all out in a single document. Therefore it was never intended to produce a prescriptive standard which would have led to a box-ticking approach, nor to establish a certifiable process. By meeting the various component parts of this standard, albeit in different ways, organisations will be in a position to report that they are in compliance. The standard represents best practice against which organisations can measure themselves.

NIST SP 800-30: Risk Management Guide for Information Technology Systems (55 pages)
This guide provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems. The ultimate goal is to help organizations to better manage IT-related mission risks.

CERT: OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
For an organization that wants to understand its information security needs, OCTAVE is a risk-based strategic assessment and planning technique for security.

CERT: Mission Assurance Analysis Protocol (MAAP): Assessing Risk in Complex Environments (59 pages)
The main focus of MAAP is developing advanced risk analysis techniques for highly complex and distributed work processes. However, we believe that MAAP can also be used to analyze risk in virtually all work processes, from very simple workflows to those that are distributed among multiple organizations.

Microsoft: Security Risk Management Guide
This guide helps customers of all types plan, build, and maintain a successful security risk management program. Using a four-phase process, the guide explains how to conduct each phase of a risk management program and how to build an ongoing process to measure and drive security risks to an acceptable level.

Microsoft: Security Assessment Tool
This application is designed to help organizations with fewer than 1,000 employees assess weaknesses in their current IT security environment. It will help identify processes, resources, and technologies that are designed to promote good security planning and risk mitigation practices within your organization.

FEMA Risk Management Series (RMS) Publications
The RMS is a new FEMA series directed at providing design guidance for mitigating multihazard events. The publications are directed at manmade disasters. The objective of the series is to reduce physical damage to structural and nonstructural components of buildings and related infrastructure, and to reduce resultant casualties during conventional bomb attacks, as well as attacks using chemical, biological, and radiological agents. The underlying issue is that improving security in high occupancy buildings will better protect the nation from potential threats by identifying key actions and design criteria to strengthen our buildings against the forces that might be anticipated in a terrorist assault. The intended audience includes architects and engineers working for private institutions, building owners/operators/managers, and state and local government officials working in the building sciences community.

World Bank Technology Risk Checklist
The World Bank Technology Risk Checklist is designed to provide Chief Information Security Officers (CISO), Chief Technology Officers (CTO), Chief Financial Officers (CFO), Directors, Risk Managers and Systems Administrators with a way of measuring and validating the level of security within a particular organization.


Insider Threat

Common Sense Guide to Prevention and Detection of Insider Threats - CERT (88 pages)
This report is written for a diverse audience, outlining practices that should be implemented by organizations to prevent insider threats. Each practice is described briefly in terms of why it should be implemented and one or more case studies illustrate what could happen if it is not implemented, and how the practice could have prevented an attack or facilitated early detection.

Insider Risk Management Guide - Gideon T. Rasmussen
The threat posed by authorized personnel is well documented by research and court cases. According to ACFE, U.S. organizations lose an estimated $652 billion to fraud annually. Unfortunately, insider threat is not limited to fraud. There is also sabotage, negligence, human error and exploitation by outsiders to consider. If you have not taken a hard look at insider threat controls in your organization, now is the time.

DoD Insider Threat Mitigation (67 pages)
This report provides an explicit set of recommendations for action to mitigate the insider threat to DoD information systems. The report results from the actions of an Insider Threat Integrated Process Team (IPT). The Team's charter was "to foster the effective development of interdependent technical and procedural safeguards" to reduce malicious behavior by insiders.

ISACA Segregation of Duties Matrix
The segregation of duties control matrix is not an industry standard, but a guideline indicating which positions should be separated and which require compensating controls when combined. The matrix is illustrative of potential segregation of duties issues and should not be viewed or used as an absolute, rather it should be used to help identify potential conflicts so proper questions may be asked to identify compensating controls.
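A segregation-of-duties matrix is only useful once it is run against who actually holds which duties, with the result separating pairs that must never be combined from pairs that may be combined under a documented compensating control. The following is an added example, not ISACA's matrix or tooling: the conflict pairs, the user assignments and the recorded compensating controls are all constructed for illustration, and the function names are the example's own.

```python
"""Segregation-of-duties conflict check (added example; the conflict pairs
and assignments are constructed and are not the ISACA matrix)."""
from itertools import combinations

# Constructed conflict matrix. "separate": the two duties must be held by
# different people. "compensating": they may be combined only if a
# compensating control (e.g. independent review) is documented for that user.
CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}): "separate",
    frozenset({"approve_payment", "reconcile_bank"}): "separate",
    frozenset({"develop_code", "deploy_production"}): "compensating",
    frozenset({"security_admin", "audit_review"}): "separate",
}

# Constructed user -> duties assignments (e.g. exported from an IAM system).
ASSIGNMENTS = {
    "alice": ["create_vendor", "approve_payment"],
    "bob": ["develop_code", "deploy_production"],
    "carol": ["reconcile_bank"],
    "dave": ["security_admin", "audit_review", "develop_code"],
}

# Constructed register of documented compensating controls per user.
COMPENSATING = {
    "bob": {frozenset({"develop_code", "deploy_production"})},
}


def find_conflicts(assignments, conflicts=CONFLICTS):
    """Every conflicting duty pair held by one user, as
    (user, duty_a, duty_b, severity), duties in sorted order."""
    findings = []
    for user, duties in sorted(assignments.items()):
        for a, b in combinations(sorted(set(duties)), 2):
            severity = conflicts.get(frozenset({a, b}))
            if severity:
                findings.append((user, a, b, severity))
    return findings


def evaluate(assignments, compensating, conflicts=CONFLICTS):
    """Classify each conflict: 'violation' when the pair must be separated,
    or when it may be combined but no compensating control is recorded for
    that user; 'mitigated' when a control is recorded."""
    results = []
    for user, a, b, severity in find_conflicts(assignments, conflicts):
        if severity == "compensating" and frozenset({a, b}) in compensating.get(user, set()):
            status = "mitigated"
        else:
            status = "violation"
        results.append((user, a, b, status))
    return results


if __name__ == "__main__":
    for user, a, b, status in evaluate(ASSIGNMENTS, COMPENSATING):
        print(f"{status.upper():<10} {user:<8} {a} + {b}")
```

The matrix is deliberately keyed on unordered pairs so that the order in which duties are listed cannot hide a conflict; in practice the duty names come from a mapping of roles or entitlements to business functions, which is where most of the real effort in such a review goes.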

The Insider Threat to U.S. Government Information Systems - NSTISSC (47 pages)
This NSTISSAM focuses on the insider and the potential damage that such an individual could cause when targeting today's IS. It points out the various weaknesses (vulnerabilities) in today's IS an insider might exploit and highlights approaches to solving these problems. In taking corrective action, it is necessary to consider technical and procedural steps in deterring the insider. Finally, we propose, in priority order, recommendations that mitigate the threat posed by the insider. Our approach is not to provide an exhaustive list, but rather offer recommendations that could have the greatest immediate return against this serious threat.

Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors - CERT & U.S. Secret Service (45 pages)
Research for this report found that the majority of the insiders who committed acts of sabotage were former employees who had held technical positions with the targeted organizations. As a result of their involvement in the incidents reviewed for this study, almost all of the insiders were charged with criminal offenses. The majority of these charges were based on violations of federal law.

Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector - CERT & U.S. Secret Service (25 pages)
This report reviewed 23 incidents of insider threat in the banking and finance sector. It examines insider incidents across critical infrastructure sectors in which the insider's primary goal was to sabotage some aspect of the organization (for example, business operations, information/data files, system/network, and/or reputation) or direct specific harm toward an individual.

Preliminary System Dynamics Maps of the Insider Cyber-threat Problem - CERT (36 pages)
This paper presents preliminary system dynamics maps of the insider cyber-threat problem.

Trustworthy Refinement Through Intrusion-Aware Design (TRIAD) - CERT (97 pages)
This report proposes an intrusion-aware design model called trustworthy refinement through intrusion-aware design (TRIAD). TRIAD helps information system decision-makers formulate and maintain a coherent, justifiable, and affordable survivability strategy that addresses mission-compromising threats for their organization. The goals of a survivability strategy are to provide a documented response to the primary threats to the mission; to provide a justification for and the limitations of the system design; to support the design and implementation of the desired system behavior across multiple systems and multiple development teams; and to support maintenance and evolution as the system operations and threat environment evolve over time.

Research on Mitigating the Insider Threat to Information Systems - Rand (126 pages)
This report details R&D initiatives to mitigate and thwart the insider threat to critical U.S. defense and infrastructure information systems. The three main focus areas were long-term (2-5 year) research challenges and goals toward mitigating the insider threat; developing insider threat models; and developing near-term solutions using commercial off-the-shelf (COTS) and government off-the-shelf (GOTS) products. The long-term research recommendations stressed the need to develop an underlying system architecture designed explicitly with security and survivability in mind (unlike essentially all operating systems and network architectures in use today). Other topics included R&D needed on differential access controls, means of recording and saving the provenance of a digital document, and dealing with the increasing use of mobile code (e.g., in the form of applets, viruses, worms, or macros) in complex information systems. The report also contains a number of recommendations regarding the purposes and design of models of insider behavior, and near-term recommendations for helping to prevent, discover, and mitigate the threat of insider misuse of information systems.

Understanding the Insider Threat - Rand (137 pages)
This document is organized into four groups: (1) Intelligence Community (IC) System Models, (2) Vulnerabilities and Exploits, (3) Attacker Models and (4) Event Characterization. It brought together members of the IC with specific knowledge of IC document management systems and IC business practices; persons with knowledge of insider attackers, both within and outside the IC; and researchers involved in developing technology to counter insider threats.

A Target-Centric Formal Model For Insider Threat and More - University at Buffalo (17 pages)
In this paper, we propose a target-centric modeling methodology motivated by the fact that insiders typically pursue lucrative targets to cause damage or gain leverage. It is based on a higher-level description of an organization's infrastructure and is less detail-intensive than the attack graph model.

Analysis and Detection of Malicious Insiders - MITRE (6 pages)
This paper summarizes a collaborative, six-month ARDA NRRC challenge workshop to characterize and create analysis methods to counter sophisticated malicious insiders in the United States Intelligence Community. Based upon a careful study of past and projected cases, we report a generic model of malicious insider behaviors, distinguishing motives, (cyber and physical) actions, and associated observables.

Insider Threat Group - Yahoo Groups
The insider threat group provides a forum to discuss resources and techniques to mitigate the threat posed by authorized personnel. Those interested in learning more about insider threat will benefit from the exchange of tips and the opportunity to ask questions. The group is moderated to keep on topic.


Application Security

OWASP Top 10 - Critical Web Application Security Flaws
The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.

CWE/SANS TOP 25 Most Dangerous Software Errors
Each entry at the Top 25 Software Errors site also includes fairly extensive prevention and remediation steps that developers can take to mitigate or eliminate the weakness.

Building Security In Maturity Model (BSIMM)
BSIMM is designed to help you understand, measure, and plan a software security initiative. It was created by observing and analyzing real-world data from 51 leading software security initiatives.

OWASP Prevention Cheat Sheet Series
The OWASP Prevention Cheat Sheet Series was created to provide a concise collection of high value information on specific web application security topics. These cheat sheets were created by multiple application security experts and provide excellent security guidance in an easy to read format.

OWASP Guide to Building Secure Web Applications
The original OWASP Guide to Building Secure Web Applications has become a staple for many web security professionals. Over the last 24 months, the initial version has been downloaded over 2 million times. The Guide forms the basis for corporate web security policies at several Fortune 500 companies and is used in service offerings from many security consulting companies. The Guide is aimed at architects, developers, consultants and auditors and is a comprehensive manual for designing, developing and deploying secure web applications.


Incident Response Programs

NIST SP 800-61: Computer Security Incident Handling Guide (148 pages)
This NIST publication assists organizations in establishing computer security incident response capabilities and handling incidents efficiently and effectively.

Handbook for Computer Security Incident Response Teams (CSIRTs) - CERT/CC (233 pages)
This document provides guidance on forming and operating a computer security incident response team (CSIRT). It details the functions that make up the CSIRT, how to handle sensitive information and the tools, procedures, and roles necessary to implement the program. In addition, operational and technical issues are covered, such as equipment, security, and staffing considerations.

Computer Security Incident Response Team (CSIRT) FAQs - CERT/CC
This frequently asked questions page provides a good primer for those interested in the basics of computer incident response.

6 Phases of Incident Handling - Texas A&M University
Computer security incident handling can be divided into six phases: preparation, identification, containment, eradication, recovery, and follow-up. Understanding these stages, and what can go wrong in each, facilitates responding more methodically and avoids duplication of effort.

CSIRT Case Classification (Example for enterprise CSIRT) - FIRST
This document provides the guidelines needed for CSIRT Incident Managers (IMs) to classify the case category, criticality level, and sensitivity level for each CSIRT case. This information is entered into the Incident Tracking System (ITS) when a case is created. Consistent case classification is required for the CSIRT to provide accurate reporting to management on a regular basis. In addition, the classifications give CSIRT IMs the proper case handling procedures and form the basis of SLAs between the CSIRT and other Company departments.

Incident Report Templates

· Gideon T. Rasmussen's Incident Report Template
· SANS Incident Identification Form
· SANS Incident Survey Form
· SANS Incident Containment Form
· SANS Incident Eradication Form
· SANS Incident Communication Log Form
· Melissa Guenther's Incident Report Form
· US-CERT Incident Reporting System
· CERT/CC Incident Reporting Guidelines