Friday, July 24, 2009

Top 20 List of Most Critical Cyber Security Controls

The twenty controls were agreed upon by cyber security experts from various Federal Government agencies.

Note: The list of controls includes fifteen that are able to be validated in an automated manner and five that must be validated manually.

Consensus Audit Guideline Controls

Critical Controls Subject to Automated Measurement and Validation:

1: Inventory of Authorized and Unauthorized Hardware.

2: Inventory of Authorized and Unauthorized Software.

3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers.

4: Secure Configurations of Network Devices Such as Firewalls and Routers.

5: Boundary Defense

6: Maintenance and Analysis of Complete Security Audit Logs

7: Application Software Security

8: Controlled Use of Administrative Privileges

9: Controlled Access Based On Need to Know

10: Continuous Vulnerability Testing and Remediation

11: Dormant Account Monitoring and Control

12: Anti‐Malware Defenses

13: Limitation and Control of Ports, Protocols and Services

14: Wireless Device Control

15: Data Leakage Protection

Additional Critical Controls (not directly supported by automated measurement and validation):

16. Secure Network Engineering

17. Red Team Exercises

18. Incident Response Capability

19. Data Recovery Capability

20. Security Skills Assessment and Training to Fill Gaps

The controls above were agreed upon by knowledgeable individuals from the Federal Government entities listed below.

Contributing Federal Groups:

  • Red team members in NSA tasked with finding ways of circumventing military cyber defenses
  • Blue team members at NSA who are often called in when military commanders find their systems have been compromised
  • US‐CERT and other non‐military incident response employees and consultants who are called upon by civilian agencies and companies to identify the most likely method by which the penetrations were accomplished
  • Military investigators who fight cyber crime
  • Cybersecurity experts at US Department of Energy laboratories and Federally Funded Research and Development Centers (FFRDCs).
  • DoD and private forensics experts who analyze computers that have been infected
  • Civilian penetration testers who test civilian government and commercial systems to find how they can be penetrated
  • Federal CIOs and CISOs who have intimate knowledge of cyber attacks
  • The Government Accountability Office (GAO)



Monday, July 20, 2009

Share Files Effortlessly over the Internet with RapidShare

Ever want to share a file with friends or collaborators effortlessly, without having to make the person log on or share login information?

RapidShare.com allows you to upload files then share the link with others so they can download the file to their computer.

RapidShare is a free service, but depending on the file size, users of the free service must wait 30-140 seconds before the download starts. Customers who pay for instant access to uploaded files can download immediately.

According to Wikipedia, RapidShare.com is a German-owned company with its servers hosted in Switzerland. RapidShare has grown to be one of the largest file hosting service sites and the 17th most visited site on the internet.



Wednesday, July 15, 2009

Merchants and Wireless Security

Merchants have new guidelines to protect cardholder data from the risks of using wireless technology.

The PCI Council issued new PCI wireless guidelines this week. Some of the new changes are as follows:

1. Perform a security risk assessment of the merchant's environment prior to implementation, and use the findings to design controls that mitigate the discovered risks.

2. Mount wireless devices on the ceiling if possible to reduce the risk of unauthorized physical access to the device; physically disable the console interface and use a tamper-proof chassis.

3. The wireless device must sit on the outer edge of the merchant's network, meaning that all wireless traffic must flow through a firewall before entering any network where cardholder data flows or is stored.

4. Only non-sensitive information should be allowed to go through the wireless device.

5. AES encryption is the recommended encryption method. Using WEP encryption makes the vendor non-compliant with PCI standards.

6. Businesses must conduct a wireless assessment quarterly to detect active rogue wireless devices and implement security measures to reduce the risks from them. Large organizations must set up automatic scanning and have an updated incident response plan to handle rogue wireless devices when detected.

7. Change the default settings, including administrative passwords, encryption settings and the reset function, and disable SNMP access if possible. Do not advertise organization names in the SSID transmission.

8. A wireless usage policy should be established requiring "explicit management approval to use wireless networks on the same network where cardholder data flows or is stored."

These guidelines will help merchants better protect cardholder data while allowing them to benefit from wireless technology.
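The guideline points above translate naturally into a configuration audit plus a rogue-device check. The following script is an added example, not part of the original post or any PCI Council material: it checks a constructed inventory of access point configurations against the points that can be verified from configuration (AES rather than WEP, default administrative password changed, SNMP disabled, SSID not naming the organization, placement outside the cardholder-data segment) and then compares a constructed quarterly scan against the authorized inventory to list BSSIDs that are not accounted for. The field names, the organization name "ExampleMart", the segment label "dmz" and all BSSIDs are assumptions made for the example.

```python
"""Audit constructed wireless AP configurations against the PCI wireless
guideline points summarised above and flag rogue BSSIDs from a scan.
All inventory and scan data here is constructed for the example."""

# Constructed inventory: one record per access point the merchant owns.
# "segment" is the zone the AP's wired side terminates in; the guideline
# wants the AP outside the cardholder-data environment (CDE), behind a
# firewall, so anything other than the assumed "dmz" label is a finding.
AUTHORIZED_APS = [
    {"bssid": "00:11:22:33:44:01", "ssid": "guest-wifi", "encryption": "WPA2-AES",
     "admin_password_changed": True, "snmp_enabled": False, "segment": "dmz"},
    {"bssid": "00:11:22:33:44:02", "ssid": "ExampleMart-POS", "encryption": "WEP",
     "admin_password_changed": False, "snmp_enabled": True, "segment": "cde"},
]

# Constructed result of a quarterly wireless scan: BSSIDs observed on site.
SCAN_RESULTS = [
    {"bssid": "00:11:22:33:44:01", "ssid": "guest-wifi"},
    {"bssid": "00:11:22:33:44:02", "ssid": "ExampleMart-POS"},
    {"bssid": "de:ad:be:ef:00:99", "ssid": "linksys"},   # not in inventory
]

ORG_NAMES = ("examplemart",)               # assumed organization name to keep out of SSIDs
ACCEPTABLE_ENCRYPTION = ("WPA2-AES", "WPA3")  # assumption: AES-based modes only


def check_ap(ap, org_names=ORG_NAMES):
    """Return the list of guideline findings for one AP configuration record."""
    findings = []
    if ap["encryption"] not in ACCEPTABLE_ENCRYPTION:
        findings.append(f"encryption {ap['encryption']} is not AES-based")
    if not ap["admin_password_changed"]:
        findings.append("default administrative password still in use")
    if ap["snmp_enabled"]:
        findings.append("SNMP access enabled")
    if any(name in ap["ssid"].lower() for name in org_names):
        findings.append("SSID reveals organization name")
    if ap["segment"] != "dmz":
        findings.append(f"AP terminates in segment '{ap['segment']}', not outside the CDE firewall")
    return findings


def audit_inventory(aps=AUTHORIZED_APS):
    """Map each authorized BSSID to its findings (empty list means compliant)."""
    return {ap["bssid"]: check_ap(ap) for ap in aps}


def find_rogue_aps(scan=SCAN_RESULTS, authorized=AUTHORIZED_APS):
    """Return scan entries whose BSSID is not in the authorized inventory."""
    known = {ap["bssid"].lower() for ap in authorized}
    return [seen for seen in scan if seen["bssid"].lower() not in known]


if __name__ == "__main__":
    for bssid, findings in audit_inventory().items():
        print(f"{bssid}: {'OK' if not findings else '; '.join(findings)}")
    for rogue in find_rogue_aps():
        print(f"ROGUE: {rogue['bssid']} ({rogue['ssid']}) not in authorized inventory")
```

Run as-is, the first AP passes and the second collects one finding per guideline point it violates, while the scan comparison surfaces the unknown "linksys" BSSID for the incident response process the guidelines call for. Matching on BSSID alone is deliberate: an SSID is trivially copied, whereas the inventory of BSSIDs the merchant actually deployed is something the merchant controls.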

PCI Standards Guideline can be found at:


Network World Article:

