This page is dedicated to increasing security awareness among the general population and the technology community. It should be of interest to technologists, information security professionals and business management.

Direct access to security resources makes this page unique. Within a few clicks, you should have access to what you are looking for. If you can't find what you need, feel free to contact me.

The resources listed on this page are updated roughly quarterly. To keep current, consider subscribing to my LinkedIn and Twitter accounts. The primary focuses are security resources, security news, industry trends and vulnerabilities.

This site does not accept sponsors or donations of any kind.


Security Awareness Programs

NIST 800-50: Security Awareness and Training Program
This NIST publication provides detailed guidance on designing, developing, implementing, and maintaining an awareness and training program within an agency's IT security program.

ENISA: A Users' Guide: How to Raise Information Security Awareness
This document illustrates the main processes necessary to plan, organise and run information security awareness raising initiatives: plan & assess, execute & manage, evaluate & adjust. Each process is analysed and time-related actions and dependencies are identified. The process modelling presented provides a basis for "kick-starting" the scoping and planning activities as well as the execution and assessment of any programme. The Guide aims to deliver a consistent and robust understanding of major processes and activities among users.

NIST 800-16: Information Technology Security Training Requirements (188 pages)
The overall goal for use of this document is to facilitate the development or strengthening of a comprehensive, measurable, cost-effective IT security program which supports the missions of the organization and is administered as an integral element of sound IT management and planning. Protecting the value of an organization's information assets demands no less. This approach allows senior officials to understand where, in what way, and to what extent IT-related job responsibilities include IT security responsibilities, permitting the most cost-effective allocation of limited IT security training resources.

Building a Security Awareness Program - CyberGuard
Hackers, worms and viruses grab the headlines, but the real threat often comes not from outside the organization but within. Social engineering and unhappy employees pose very real risks to network security. How do you address the problem? This article offers a practical approach to setting up an effective security awareness program that gets everyone in the organization on board.

Security Awareness Toolbox - The Information Warfare Site
The Security Awareness Toolbox contains many useful documents and links. The Main Documents section was contributed by Melissa Guenther. The Toolbox is a rich source of awareness material.

SANS Reading Room - Security Awareness Section
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large.

IIA Tone at the Top Awareness Newsletter
Mission: To provide executive management, boards of directors, and audit committees with concise, leading-edge information on such issues as risk, internal control, governance, ethics, and the changing role of internal auditing; and guidance relative to their roles in, and responsibilities for the internal audit process.

Security Awareness Tips

The Stop.Think.Connect. Campaign is a national public awareness campaign aimed at increasing the understanding of cyber threats and empowering the American public to be safer and more secure online. Cybersecurity is a shared responsibility. We each have to do our part to keep the Internet safe. When we all take simple steps to be safer online, it makes using the Internet a more secure experience for everyone.

The Internet is a powerful and useful tool, but in the same way that you shouldn't drive without buckling your seat belt or ride a bike without a helmet, you shouldn't venture online without taking some basic precautions.

National Institute for Cybersecurity Studies (NICS)
To make cybersecurity materials more readily-available, the government developed NICS. It serves as a national resource for government, industry, academia, and the general public to learn about cybersecurity awareness, education, careers, and workforce development opportunities.

SANS Securing The Human Program
The SANS Securing The Human Program provides everything your organization needs for an effective security awareness program. This site includes free resources to make your security awareness program a success, including project plans, awareness surveys and execution checklists.

Cyber Security Tips - US-CERT
Cyber Security Tips describe common security issues and offer advice for non-technical home and corporate computer users. Although each one is restricted to a single topic, complex issues may span multiple tips. Each tip builds upon the knowledge, both terminology and content, of those published prior to it.

Cyber Security Alerts - US-CERT
Cyber Security Alerts provide timely information about current security issues, vulnerabilities, and exploits. They are released in conjunction with Technical Cyber Security Alerts when there is an issue that affects the general public. Cyber Security Alerts outline the steps and actions that non-technical home and corporate computer users can take to protect themselves from attack.

Security Awareness Tips - Gideon T. Rasmussen
Security tips are a key component of any awareness program. They should advise of best practices and reinforce policy. These tips are written with the average person as the intended audience. The site randomly displays information security tips. Companies can use it internally to educate their user community. The site and script are free to download.

Security Awareness Posters

Information Assurance Awareness Posters - Information Warfare Site
These awareness posters were provided as a courtesy by Keesler Air Force Base. You may download the posters and submit them to your graphics department to tailor to your organization's specifications. This page includes links to posters on other sites as well.

Information Security Program

NIST Special Publication 800-100: Information Security Handbook: A Guide for Managers
This Information Security Handbook provides a broad overview of information security program elements to assist managers in understanding how to establish and implement an information security program.
The purpose of this publication is to inform members of the information security management team [agency heads, chief information officers (CIO), senior agency information security officers (SAISO), and security managers] about various aspects of information security that they will be expected to implement and oversee in their respective organizations. This handbook summarizes and augments a number of existing National Institute of Standards and Technology (NIST) standard and guidance documents and provides additional information on related topics.

CIS Critical Security Controls
The CIS Critical Security Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today's most pervasive and dangerous attacks. A principal benefit of the Controls is that they prioritize and focus a smaller number of actions with high pay-off results. The Controls are effective because they are derived from the most common attack patterns highlighted in the leading threat reports and vetted across a very broad community of government and industry practitioners. They were created by the people who know how attacks work - NSA Red and Blue teams, the US Department of Energy nuclear energy labs, law enforcement organizations and some of the nation's top forensics and incident response organizations - to answer the question, "what do we need to do to stop known attacks." That group of experts reached consensus and today we have the most current Controls. The key to the continued value is that the Controls are updated based on new attacks that are identified and analyzed by groups from Verizon to Symantec so the Controls can stop or mitigate those attacks.

The Controls take the best-in-class threat data and transform it into actionable guidance to improve individual and collective security in cyberspace. Too often in cybersecurity, it seems the "bad guys" are better organized and collaborate more closely than the "good guys." The Controls provide a means to turn that around.

Implementing Information Security: Risks vs. Cost - CyberGuard
Whether your organization is large or small, a thorough, detailed information security plan should be part of your security formula. This article provides some useful information on implementing a viable plan that not only complies with government regulations, but also eliminates costly threats.

Security Maturity Models

ISO/IEC 21827:2008 Systems Security Engineering – Capability Maturity Model (SSE-CMM)
ISO/IEC 21827:2008 specifies the Systems Security Engineering - Capability Maturity Model (SSE-CMM), which describes the essential characteristics of an organization's security engineering process that must exist to ensure good security engineering. ISO/IEC 21827:2008 does not prescribe a particular process or sequence, but captures practices generally observed in industry. The model is a standard metric for security engineering practices covering the following:

  • the entire life cycle, including development, operation, maintenance and decommissioning activities;
  • the whole organization, including management, organizational and engineering activities;
  • concurrent interactions with other disciplines, such as system, software, hardware, human factors and test engineering; system management, operation and maintenance;
  • interactions with other organizations, including acquisition, system management, certification, accreditation and evaluation.

The objective is to facilitate an increase of maturity of the security engineering processes within the organization. The SSE-CMM is related to other CMMs which focus on different engineering disciplines and topic areas and can be used in combination or conjunction with them.

Cybersecurity Capability Maturity Model (C2M2) Program
The C2M2 model, which is designed to be used by any organization to enhance its own cybersecurity capabilities, is publicly available and can be downloaded now. More information is available in the FAQs. For those organizations performing self-assessments, please refer to the C2M2 Facilitators Guide and request a free C2M2 toolkit.

Open Information Security Management Maturity Model (O-ISM3)
The Open Information Security Management Maturity Model (O-ISM3) is The Open Group framework for managing information security. It aims to ensure that security processes operate at a level consistent with business requirements. ISM3 is technology-neutral and focuses on the common processes of information security which most organizations share. As well as complementing the TOGAF model for enterprise architecture, ISM3 defines operational metrics and their allowable variances.

A Systems Engineering Capability Maturity Model
The Systems Engineering Capability Maturity Model (SE-CMM) describes the essential elements of an organization's systems engineering process that must exist to ensure good systems engineering. It does not specify a particular process or sequence. In addition, the SE-CMM provides a reference for comparing actual systems engineering practices against these essential elements.

This document provides an overall description of the principles and architecture upon which the SE-CMM is based, an overview of the model, the practices included in the model, and a description of the attributes of the model. It also includes the requirements used to develop the model.

Security Metrics

California Cybersecurity Maturity Metrics
The California Cybersecurity Maturity Metrics capture many of the National Institute of Standards and Technology (NIST) Cybersecurity Framework sub-categories, and a majority of the Foundational Framework (SIMM 5300-B). The metrics are reflective of NIST Cybersecurity Framework (CSF) categories: Identify, Protect, Detect, Respond, and Recover.

NIST: SP 800-55: Performance Measurement Guide for Information Security
This document is a guide to assist in the development, selection, and implementation of measures to be used at the information system and program levels. These measures indicate the effectiveness of security controls applied to information systems and supporting information security programs. Such measures are used to facilitate decision making, improve performance, and increase accountability through the collection, analysis, and reporting of relevant performance-related data, providing a way to tie the implementation, efficiency, and effectiveness of information system and program security controls to an agency's success in achieving its mission.

Dan Geer's Measuring Security Tutorial
Dan Geer's Measuring Security Tutorial is a valuable metrics resource. At 346 pages, it contains a wealth of quotes, observations, methodologies and techniques for defining and generating metrics.

NISTIR 7564 - Directions in Security Metrics Research
More than 100 years ago, Lord Kelvin insightfully observed that measurement is vital to deep knowledge and understanding in physical science. During the last few decades, researchers have made various attempts to develop measures and systems of measurement for computer security with varying degrees of success. This paper provides an overview of the security metrics area and looks at possible avenues of research that could be pursued to advance the state of the art.

Measures for Managing Operational Resilience (Software Engineering Institute)
How resilient is my organization? Have our processes made us more resilient? Members of the CERT Resilient Enterprise Management (REM) team are conducting research to address these and other related questions. The team's first report, Measuring Operational Resilience Using the CERT Resilience Management Model, defined high-level objectives for managing an operational resilience management (ORM) system, demonstrated how to derive meaningful measures from those objectives, and presented a template for defining resilience measures, along with example measures. In this report, REM team members suggest a set of top ten strategic measures for managing operational resilience. These measures derive from high-level objectives of the ORM system defined in the CERT Resilience Management Model, Version 1.1 (CERT-RMM). The report also provides measures for each of the 26 process areas of CERT-RMM, as well as a set of global measures that apply to all process areas. This report thus serves as an addendum to CERT-RMM Version 1.1. Since CERT-RMM practices map to bodies of knowledge and codes of practice such as ITIL, COBIT, ISO2700x, BS25999, and PCI DSS, the measures may be useful for measuring security, business continuity, and IT operations management processes, either as part of adoption of CERT-RMM or independent of it.

Operating System Hardening

Security Technical Implementation Guides (STIGs) - DISA
The Security Technical Implementation Guides (STIGs) are the configuration standards for DOD IA and IA-enabled devices/systems. Since 1998, DISA has played a critical role enhancing the security posture of DoD's security systems by providing the Security Technical Implementation Guides (STIGs). The STIGs contain technical guidance to "lock down" information systems/software that might otherwise be vulnerable to a malicious computer attack.

Benchmarking Tools - The Center For Internet Security
The CIS vulnerability assessment tools provide a quick way to evaluate systems and networks, comparing their security configurations against the CIS benchmark hardening standards. They automatically create reports that guide users and system administrators to secure both new installations and production systems. CIS tools are also effective for monitoring systems to assure that security settings continuously conform with CIS Benchmark configurations. CIS offers tools and benchmark standards for Windows, Solaris, Linux, HP-UX, Cisco IOS and Oracle databases.

Physical Security

GAO Technologies to Secure Federal Buildings (72 pages)

U.S. Army - Physical Security - FM 3-19.30 (317 pages)

Sun Microsystems Data Center Site Planning Guide (106 pages)

Security Policy Templates

SANS Security Policy Project Policy & Standards - Internet Security Policy

Information Security Control Frameworks

NIST Cybersecurity Framework
This voluntary Framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The Cybersecurity Framework's prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security.

ISACA - COBIT IT Standard for IT Security and Control Practices
COBIT has been developed as a generally applicable and accepted standard for good Information Technology (IT) security and control practices that provides a reference framework for management, users, and IS audit, control and security practitioners.

ISACA - IT Control Objectives for Sarbanes-Oxley Final Document
This document issued by the ITGI reflects the latest thinking on this increasingly global topic. Based on COBIT control objectives, the authors have designed this publication as an educational resource primarily for IT control professionals, but CIOs, IT management and assurance professionals will find the information vitally important and beneficial as well.

NIST SP 800-53: Recommended Security Controls for Federal Information Systems (188 pages)
The purpose of this publication is to provide guidelines for selecting and specifying security controls for information systems supporting the executive agencies of the federal government. The guidelines apply to all components of an information system that process, store, or transmit federal information.
Baseline controls - low      Baseline controls - medium      Baseline controls - high

Common Criteria for IT Security Evaluation (CC)
The Common Criteria defines a language for defining and evaluating information technology security systems and products. The framework provided by the Common Criteria allows government agencies and other groups to define sets of specific functional and assurance requirements, called protection profiles.

Information Security Standards

ISO 27002 (formerly ISO 17799)
ISO 27002 is intended to serve as a single reference point for identifying the range of controls needed for most situations where information systems are used in industry and commerce, and to be used by large, medium and small organizations.

PCAOB Auditing Standard No. 5: An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements
This standard establishes requirements and provides direction that applies when an auditor is engaged to perform an audit of management's assessment of the effectiveness of internal control over financial reporting ("the audit of internal control over financial reporting") that is integrated with an audit of the financial statements. (required by Section 404(b) of the Sarbanes-Oxley Act of 2002)

Information Security Legislation

Health Insurance Portability and Accountability Act (HIPAA) 1996
HIPAA provides the first comprehensive Federal protection for the privacy of health information.

Sarbanes-Oxley Act 2002
The Sarbanes-Oxley Act mandates a number of reforms to enhance corporate responsibility, enhance financial disclosures and combat corporate and accounting fraud, and created the "Public Company Accounting Oversight Board," also known as the PCAOB, to oversee the activities of the auditing profession.

Gramm-Leach-Bliley Act (GLBA) 1999
The Gramm-Leach-Bliley Act includes provisions to protect consumers' personal financial information held by financial institutions.

Information Security Assessments

US-CERT Cyber Resilience Review (CRR)
The CRR is a no-cost, voluntary, non-technical assessment to evaluate an organization's operational resilience and cybersecurity practices. The CRR may be conducted as a self-assessment or as an on-site assessment facilitated by DHS cybersecurity professionals. The CRR assesses enterprise programs and practices across a range of ten domains including risk management, incident management, service continuity, and others. The assessment is designed to measure existing organizational resilience as well as provide a gap analysis for improvement based on recognized best practices.

Vendor Security Alliance Questionnaire
When we do business with a vendor, it is not safe to assume we are doing business just with the party under contract. Vendors rely on other parties. If we are to rely on a chain, then all the links must be tested, not just the first link. We must also apply the same standard of testing to all the links, which is why we created this questionnaire.

US-CCU Cyber-Security Check List
The US Cyber Consequences Unit (CCU) has developed a Cybersecurity Checklist to help federal agencies and industry determine the possible consequences of risks posed by the current state of their IT systems; the list also offers suggestions for mitigating those risks. The list asks 478 questions about hardware, software, networks, automation, humans and suppliers. The checklist has not yet received DHS approval. CCU is funded by DHS and aims to provide the government with accurate assessments of the consequences of cyber attacks. "The new list shifts the focus from perimeter security to internal systems monitoring and maintenance".

SANS ISO 17799 Audit Checklist
This 7799 checklist can be used to audit an organisation's information security posture. This checklist does not provide vendor specific security considerations. Instead it provides a generic checklist of security considerations. It is 47 pages long. Definitely worth a look.

ISACA IS Standards, Guidelines and Procedures for Auditing and Control Professionals
IS Auditing Standards are mandatory requirements for certification holders' reports on the audit and its findings. IS Auditing Guidelines and Procedures are detailed guidance on how to follow those standards. The IS Auditing Guidelines are guidance an IS auditor will normally follow with the understanding that there may be situations where the auditor will not follow that guidance. In this case, it will be the IS auditor's responsibility to justify the way in which the work is done. The procedure examples show the steps performed by an IS auditor and are more informative than IS Auditing Guidelines. The examples are constructed to follow the IS Auditing Standards and the IS Auditing Guidelines and provide information on following the IS Auditing Standards. To some extent, they also establish best practices for procedures to be followed.

NSA INFOSEC Assessment Methodology (IAM)
The IAM consists of a standard set of activities required to perform an INFOSEC assessment. In other words, the methodology explains the depth and breadth of the assessment activities that must be performed to be acceptable within the IATRP. The IAM "sets the bar" for what needs to be done for an activity to be considered a complete INFOSEC Assessment.

Payment Card Industry Data Security Standard
The Requirements and Security Assessment Procedures document is used to verify that a site is in compliance with the PCI Data Security Standard and to create a Report on Compliance.

Payment Card Industry Self-Assessment Questionnaires
Questionnaire D is divided into twelve sections. Each section focuses on a specific area of security, based on the requirements included in the PCI Data Security Standard.

OSSTMM - Open Source Security Testing Methodology Manual by Pete Herzog
The Open Source Security Testing Methodology Manual (OSSTMM) is an open standard methodology for performing security tests. When you use an internal testing methodology, you leverage the brain trust of a handful of security experts. The OSSTMM is powerful because it provides the collective best practices, legal, and ethical concerns of the global security testing community.

Protiviti - Guide to Internal Audit: Frequently Asked Questions About the NYSE Requirements and Developing an Effective Internal Audit Function (66 pages)
Protiviti has released the final version of its comprehensive internal audit resource guide. This publication contains 69 frequently asked questions and answers about internal audit, including details on the new NYSE internal audit rule and creating and maintaining an effective internal audit function. It also details how PCAOB Auditing Standard No. 2, which has been approved by the SEC, allows for the work of internal auditors to be relied upon to an extent by the external auditor.

Protiviti - Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements - Third Edition Updated to reflect PCAOB Auditing Standard No. 2 (189 pages)
Protiviti has revised its highly regarded resource guide on Section 404 of the Sarbanes-Oxley Act. The third edition of Protiviti's popular Section 404 publication addresses the effects of changes arising from the SEC's final rules released in June 2003, and as amended by the Commission's extension of these rules released in February 2004. It also includes a wealth of detailed information on PCAOB Auditing Standard No. 2 and its impact on Section 404 compliance efforts. In all, this comprehensive guide contains 88 new questions and well over 100 pages of new or substantially revised material.

IT Examination Handbook - FFIEC
Financial institutions protect their information by instituting a security process that identifies risks, forms a strategy to manage the risks, implements the strategy, tests the implementation, and monitors the environment to control the risks. Examiners may use this booklet when evaluating the financial institution's risk management process, including the duties, obligations, and responsibilities of the service provider for information security and the oversight exercised by the financial institution.

Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment - IIA (44 pages)
This guide focuses on assisting Chief Audit Executives identify what must be done to make effective use of technology in support of continuous auditing and highlights areas that require further attention. It provides continuous audit guidance that will benefit the organization by significantly reducing instances of error and fraud, increasing operational efficiency, and improving bottom-line results through a combination of cost savings and a reduction in overpayments and revenue leakage.

GAO Technology Assessment - Cybersecurity for Critical Infrastructure
The GAO conducted this technology assessment on the use of cybersecurity technologies for CIP in response to a request from congressional committees. This assessment addresses the following questions: (1) What are the key cybersecurity requirements in each of the CIP sectors? (2) What cybersecurity technologies can be applied to CIP? (3) What are the implementation issues associated with using cybersecurity technologies for CIP, including policy issues such as privacy and information sharing?

BITS Financial Institution Shared Assessments Program (FISAP)
The FISAP Program is a groundbreaking new process for financial institutions to evaluate the security controls of their IT service providers.

Risk Management

Risk IT Framework and Best Practice Guidance - ISACA
Risk IT is a framework based on a set of guiding principles for effective management of IT risk. The Risk IT framework explains IT risk, allows the enterprise to make appropriate risk-aware decisions and will enable users to:

· Integrate the management of IT risk into the overall enterprise risk management (ERM) of the organization
· Make well-informed decisions about the extent of the risk, the risk appetite and the risk tolerance of the enterprise
· Understand how to respond to the risk

The Institute of Risk Management: Risk Management Standard (17 pages)
There are many ways of achieving the objectives of risk management and it would be impossible to try to set them all out in a single document. Therefore it was never intended to produce a prescriptive standard which would have led to a box ticking approach nor to establish a certifiable process. By meeting the various component parts of this standard, albeit in different ways, organisations will be in a position to report that they are in compliance. The standard represents best practice against which organisations can measure themselves.

NIST SP 800-30: Risk Management Guide for Information Technology Systems (55 pages)
This guide provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems. The ultimate goal is to help organizations to better manage IT-related mission risks.

CERT: OCTAVE® (Operationally Critical Threat, Asset, and Vulnerability Evaluation℠)
For an organization that wants to understand its information security needs, OCTAVE is a risk-based strategic assessment and planning technique for security.

CERT: Mission Assurance Analysis Protocol (MAAP): Assessing Risk in Complex Environments (59 pages)
The main focus of MAAP is developing advanced risk analysis techniques for highly complex and distributed work processes. However, we believe that MAAP can also be used to analyze risk in virtually all work processes, from very simple workflows to those that are distributed among multiple organizations.

Microsoft: Security Risk Management Guide
This guide helps customers of all types plan, build, and maintain a successful security risk management program. In a four-phase process, depicted in the guide, it explains how to conduct each phase of a risk management program and how to build an ongoing process to measure and drive security risks to an acceptable level.

Microsoft: Security Assessment Tool
This application is designed to help organizations with fewer than 1,000 employees assess weaknesses in their current IT security environment. It will help identify processes, resources, and technologies that are designed to promote good security planning and risk mitigation practices within your organization.

FEMA Risk Management Series (RMS) Publications
The RMS is a new FEMA series directed at providing design guidance for mitigating multihazard events. The publications are directed at manmade disasters. The objective of the series is to reduce physical damage to structural and nonstructural components of buildings and related infrastructure, and to reduce resultant casualties during conventional bomb attacks, as well as attacks using chemical, biological, and radiological agents. The underlying issue is that improving security in high occupancy buildings will better protect the nation from potential threats by identifying key actions and design criteria to strengthen our buildings against the forces that might be anticipated in a terrorist assault. The intended audience includes architects and engineers working for private institutions, building owners/operators/managers, and state and local government officials working in the building sciences community.

    World Bank Technology Risk Checklist
    The World Bank Technology Risk Checklist is designed to provide Chief Information Security Officers (CISO), Chief Technology Officers (CTO), Chief Financial Officers (CFO), Directors, Risk Managers and Systems Administrators with a way of measuring and validating the level of security within a particular organization.

    Insider Threat

    Common Sense Guide to Prevention and Detection of Insider Threats - CERT (88 pages)
    This report is written for a diverse audience, outlining practices that should be implemented by organizations to prevent insider threats. Each practice is described briefly in terms of why it should be implemented and one or more case studies illustrate what could happen if it is not implemented, and how the practice could have prevented an attack or facilitated early detection.

    Insider Risk Management Guide - Gideon T. Rasmussen
    The threat posed by authorized personnel is well documented by research and court cases. According to ACFE, U.S. organizations lose an estimated $652 billion to fraud annually. Unfortunately, insider threat is not limited to fraud. There is also sabotage, negligence, human error and exploitation by outsiders to consider. If you have not taken a hard look at insider threat controls in your organization, now is the time.

    DoD Insider Threat Mitigation (67 pages)
    This report provides an explicit set of recommendations for action to mitigate the insider threat to DoD information systems. The report results from the actions of an Insider Threat Integrated Process Team (IPT). The Team's charter was "to foster the effective development of interdependent technical and procedural safeguards" to reduce malicious behavior by insiders.

    ISACA Segregation of Duties Matrix
    The segregation of duties control matrix is not an industry standard, but a guideline indicating which positions should be separated and which require compensating controls when combined. The matrix is illustrative of potential segregation of duties issues and should not be viewed or used as an absolute; rather, it should be used to help identify potential conflicts so the proper questions may be asked to identify compensating controls.

    The Insider Threat to U.S. Government Information Systems - NSTISSC (47 pages)
    This NSTISSAM focuses on the insider and the potential damage that such an individual could cause when targeting today's IS. It points out the various weaknesses (vulnerabilities) in today's IS an insider might exploit and highlights approaches to solving these problems. In taking corrective action, it is necessary to consider technical and procedural steps in deterring the insider. Finally, we propose, in priority order, recommendations that mitigate the threat posed by the insider. Our approach is not to provide an exhaustive list, but rather offer recommendations that could have the greatest immediate return against this serious threat.

    Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors - CERT & U.S. Secret Service (45 pages)
    Research for this report found that the majority of the insiders who committed acts of sabotage were former employees who had held technical positions with the targeted organizations. As a result of their involvement in the incidents reviewed for this study, almost all of the insiders were charged with criminal offenses. The majority of these charges were based on violations of federal law.

    Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector - CERT & U.S. Secret Service (25 pages)
    This report reviewed 23 incidents of insider threat in the banking and finance sector. It examines insider incidents across critical infrastructure sectors in which the insider's primary goal was to sabotage some aspect of the organization (for example, business operations, information/data files, system/network, and/or reputation) or direct specific harm toward an individual.

    Preliminary System Dynamics Maps of the Insider Cyber-threat Problem - CERT (36 pages)
    This paper discusses the preliminary system dynamics maps of the insider cyber-threat.

    Trustworthy Refinement Through Intrusion-Aware Design (TRIAD) - CERT (97 pages)
    This report proposes an intrusion-aware design model called trustworthy refinement through intrusion-aware design (TRIAD). TRIAD helps information system decision-makers formulate and maintain a coherent, justifiable, and affordable survivability strategy that addresses mission-compromising threats for their organization. The goals of a survivability strategy are to provide a documented response to the primary threats to the mission; to provide a justification for and the limitations of the system design; to support the design and implementation of the desired system behavior across multiple systems and multiple development teams; and to support maintenance and evolution as the system operations and threat environment evolve over time.

    Research on Mitigating the Insider Threat to Information Systems - Rand (126 pages)
    This report details R&D initiatives to mitigate and thwart the insider threat to critical U.S. defense and infrastructure information systems. The three main focus areas were long-term (2-5 year) research challenges and goals toward mitigating the insider threat; developing insider threat models; and developing near-term solutions using commercial off-the-shelf (COTS) and government off-the-shelf (GOTS) products. The long-term research recommendations stressed the need to develop an underlying system architecture designed explicitly with security and survivability in mind (unlike essentially all operating systems and network architectures in use today). Other topics included R&D needed on differential access controls, means of recording and saving the provenance of a digital document, and dealing with the increasing use of mobile code (e.g., in the form of applets, viruses, worms, or macros) in complex information systems. The report also contains a number of recommendations regarding the purposes and design of models of insider behavior, and near-term recommendations for helping to prevent, discover, and mitigate the threat of insider misuse of information systems.

    Understanding the Insider Threat - Rand (137 pages)
    The format of this document included four groups: (1) Intelligence Community (IC) System Models, (2) Vulnerabilities and Exploits, (3) Attacker Models and (4) Event Characterization. It brought together members of the IC with specific knowledge of IC document management systems and IC business practices; persons with knowledge of insider attackers, both within and outside the IC; and researchers involved in developing technology to counter insider threats.

    A Target-Centric Formal Model For Insider Threat and More - University at Buffalo (17 pages)
    In this paper, we propose a target-centric modeling methodology motivated by the fact that insiders typically pursue lucrative targets to cause damage or gain leverage. It is based on a higher-level description of an organization's infrastructure and is less detail-intensive than the attack graph model.

    Analysis and Detection of Malicious Insiders - MITRE (6 pages)
    This paper summarizes a collaborative, six-month ARDA NRRC challenge workshop to characterize and create analysis methods to counter sophisticated malicious insiders in the United States Intelligence Community. Based upon a careful study of past and projected cases, we report a generic model of malicious insider behaviors, distinguishing motives, (cyber and physical) actions, and associated observables.

    Insider Threat Group - Yahoo Groups
    The insider threat group provides a forum to discuss resources and techniques to mitigate the threat posed by authorized personnel. Those interested in learning more about insider threat will benefit from the exchange of tips and the opportunity to ask questions. The group is moderated to keep on topic.

    Application Security

    OWASP Top 10 - Critical Web Application Security Flaws
    The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.

    CWE/SANS TOP 25 Most Dangerous Software Errors
    Each entry at the Top 25 Software Errors site also includes fairly extensive prevention and remediation steps that developers can take to mitigate or eliminate the weakness.

    Building Security In Maturity Model (BSIMM)
    BSIMM is designed to help you understand, measure, and plan a software security initiative. It was created by observing and analyzing real-world data from 51 leading software security initiatives.

    OWASP Prevention Cheat Sheet Series
    The OWASP Prevention Cheat Sheet Series was created to provide a concise collection of high value information on specific web application security topics. These cheat sheets were created by multiple application security experts and provide excellent security guidance in an easy to read format.

    OWASP Guide to Building Secure Web Applications
    The original OWASP Guide to Building Secure Web Applications has become a staple diet for many web security professionals. Over the last 24 months the initial version has now been downloaded over 2 million times. The Guide forms the basis for corporate web security policies for several Fortune 500 companies and is used in service offerings from many security consulting companies. The Guide is aimed at architects, developers, consultants and auditors and is a comprehensive manual for designing, developing and deploying secure web applications.

    Incident Response Programs

    NIST SP 800-61: Computer Security Incident Handling Guide (148 pages)
    This NIST publication assists organizations in establishing computer security incident response capabilities and handling incidents efficiently and effectively.

    Handbook for Computer Security Incident Response Teams (CSIRTs) - CERT/CC (233 pages)
    This document provides guidance on forming and operating a computer security incident response team (CSIRT). It details the functions that make up the CSIRT, how to handle sensitive information and the tools, procedures, and roles necessary to implement the program. In addition, operational and technical issues are covered, such as equipment, security, and staffing considerations.

    Computer Security Incident Response Team (CSIRT) FAQs - CERT/CC
    This frequently asked questions page provides a good primer for those interested in the basics of computer incident response.

    6 Phases of Incident Handling - Texas A&M University
    Computer security incident handling can be divided into six phases: preparation, identification, containment, eradication, recovery, and follow-up. Understanding these stages, and what can go wrong in each, facilitates responding more methodically and avoids duplication of effort.

    CSIRT Case Classification (Example for enterprise CSIRT) - FIRST
    This document provides the guidelines needed for CSIRT Incident Managers (IMs) to classify the case category, criticality level, and sensitivity level for each CSIRT case. This information will be entered into the Incident Tracking System (ITS) when a case is created. Consistent case classification is required for the CSIRT to provide accurate reporting to management on a regular basis. In addition, the classifications will provide CSIRT IMs with proper case handling procedures and will form the basis of SLAs between the CSIRT and other Company departments.

    Incident Report Templates

    · Gideon T. Rasmussen's Incident Report Template
    · SANS Incident Identification Form
    · SANS Incident Survey Form
    · SANS Incident Containment Form
    · SANS Incident Eradication Form
    · SANS Incident Communication Log Form
    · Melissa Guenther's Incident Report Form
    · US-CERT Incident Reporting System
    · CERT/CC Incident Reporting Guidelines