CIS Community Newsletter – June 14, 2016

1. CIS Oracle Linux 6 v1.0.0 Benchmark Released

The benchmark provides prescriptive guidance for establishing a secure configuration posture for Oracle Linux 6 systems running on x86 and x64 platforms. The document was tested against Oracle Linux 6.7.

Download the Oracle Linux 6 Benchmark.

2. CIS Oracle Linux 7 v2.0.0 Benchmark Released

The benchmark provides prescriptive guidance for establishing a secure configuration posture for Oracle Linux 7 systems running on x86 and x64 platforms. The document was tested against Oracle Linux 7.2.

Download the CIS Oracle Linux 7 Benchmark.

Continue reading

Champion License: What You Need To Know About The Update


The Center for Internet Security is pleased to announce a restructuring of the Champion License to better accommodate widespread adoption of the Critical Security Controls. As an organization driven by strong relationships with our members and volunteers, we take the feedback from our community seriously. As always, the CIS Critical Controls are free for organizations using the resources to enhance their own cybersecurity posture. The Champion License is aimed at entities who are utilizing the Controls as part of a commercial service or product offering.

Continue reading

End-of-Support Software Report List: 5/1/2016 to 12/31/2016

By: Ryan Overall

The importance of updating software before its End-of-Life (EOL) and End-of-Support (EOS) is something that should not be taken lightly or ignored. EOL occurs when the software is retired, although the vendor/manufacturer can (and generally does) continue to support the software until the EOS date. EOS occurs when software updates, patches, and other forms of support are no longer offered, leaving the software exposed to future security vulnerabilities. Vendors and manufacturers often use these terms interchangeably, although different vendors and manufacturers may have slightly different definitions for EOL and EOS. For this reason, it is important to check with the individual vendor/manufacturer. Continue reading

CIS Community Letter – May, 2016

CIS Community Newsletter

1. CIS Community Site Maintenance – Friday, May 6th at 7pm EST

The CIS community site (https://community.cisecurity.org) will be temporarily down for maintenance on Friday, May 6th at 7pm EST. The site will be down for approximately 1.5 hours. During this time you will not be able to access the site or download resources. We appreciate your patience.

2. CIS CentOS Linux 6 and 7 Benchmark Updates Released

The CentOS 6 benchmark provides prescriptive guidance for establishing a secure configuration posture for CentOS Linux 6 systems running on x86 and x64 platforms. This document was tested against CentOS 6.7.

The CentOS 7 benchmark provides prescriptive guidance for establishing a secure configuration posture for CentOS Linux 7 systems running on x86 and x64 platforms. This document was tested against CentOS 7.2.

Download the CentOS benchmarks here: https://benchmarks.cisecurity.org/downloads/browse/index.cfm? Continue reading

Benchmarks-for-Windows Updates

By Jordan C. Rakoske

We have exciting news about our Windows releases! Over the past year and a half, our Windows community has worked very hard reviewing all of the benchmarks that we had previously released, as well as focusing on the new upcoming line of Windows operating systems (Windows 10 and Server 2016). Our first big updates released were Windows 8.1 v2.0.0, Server 2012 R2 v2.0.0, and Windows 10 v1.0.0. Since then we have spent months reviewing all of the new and old Windows settings across all of our Windows Benchmarks. We worked closely with Aaron Margosis and Rick Munck from Microsoft to answer any technical questions that came up in the community and to help address some items within Microsoft Group Policy Templates. Continue reading

Malvertising

by Dilan Samarasinghe, SOC Analyst


MS-ISAC has recently observed an increase in malware that is most often disseminated through malvertising. Malvertising, or malicious advertising, is the use of malicious online advertisements to spread malware and compromise systems. Generally this occurs through the injection of unwanted or malicious code into ads. Malicious actors then pay legitimate online advertising networks to display the infected ads on various websites, exposing every user visiting these sites to the potential risk of infection. Generally, the legitimate advertising networks and websites are not aware that they are serving malicious content. Continue reading

CIS Community Newsletter – April 19, 2016

CIS Community Newsletter

1. Benchmark Participation Needed for NGINX, Palo Alto and Cisco ASA

Your feedback and participation help ensure that CIS Benchmarks continue to reflect security best practice. All contributors will receive attribution in the associated Benchmark and are eligible to earn CPE credits toward maintaining (ISC)2 certifications. We’re looking for help in the following areas:

• Palo Alto Networks – Editors and contributors needed to provide feedback and test draft benchmark

• NGINX – Editors and contributors needed to define scope, draft the benchmark, test and provide feedback

• Cisco ASA – Editors and contributors needed to update the existing benchmark, test and provide feedback Continue reading

Making Security Happen

By Adam Montville

Our mission here at CIS is pretty clear: Lead communities to shepherd security best practices and continuously develop world-class security solutions supporting those practices. I generally like to think of this as working to “make security happen”. In support of this mission we have two important announcements to make today.

First, we have released the first-ever benchmark for your Amazon Web Services accounts, “CIS Amazon Web Services Foundations Benchmark v1.0.0” (here). This benchmark covers the bases for basic AWS services, such as: Identity and Access Management, AWS Config, CloudTrail, CloudWatch, Simple Notification Service, and Simple Storage Service. We have worked with Amazon and other organizations steeped in AWS services and technology to bring this benchmark to release (the folks over at Amazon have some more goodies for you as well – take a look here) using our well-known and respected consensus process. The recommendations embodied in this benchmark are not coming directly from CIS, but from a community of security-conscious, AWS-knowledgeable folks who want to share their work with the rest of the world. Continue reading

New Year’s Resolutions for a CISO

By the I&AWG

Every January 1st we take a few minutes to reevaluate our lives and where we want to be, and then create (occasionally) realistic resolutions to make our lives healthier or happier. It’s a tradition. A week or a month or two later we skip, slide, and forget about these resolutions until another January 1st rolls around and reminds us that we were going to do something.

So here we are, beginning February, the traditional time when resolutions start to slip, with a few new ones for you. While the following 15 resolutions won’t get you to an exotic island or help you hit the gym more often, hopefully, these will bring some happiness and ease into your work as a CISO. So pick a few (or take on them all!) and hop onto the bandwagon to do more this year with these easy (easier) resolutions that will make a difference in 2016. (There is also a handy one-page printable version https://www.cisecurity.org/documents/documents/Resolutions_for_2016.docx that you can hang as a reminder or print and put by the water cooler to get everyone on board with improving cybersecurity.) Continue reading