Apr 22 2024

The first steps of establishing your cloud security strategy

Category: Cloud computing,Cyber Strategydisc7 @ 7:53 am

In this article, we’ll identify some first steps you can take to establish your cloud security strategy. We’ll do so by discussing the cloud security impact of individual, concrete actions featured within the CIS Critical Security Controls (CIS Controls) and the CIS Benchmarks.

Data protection and application security: The foundation of a cloud security strategy

When you’re working with Controls v8 and the CIS Controls Cloud Companion Guide, you need to lay a foundation on which you can build your unique cloud security efforts. Toward that end, you can tailor the Controls in the context of a specific Information Technology/Operational Technology (IT/OT) map.

To help you make an impact at the beginning of your cloud security journey, we recommend you focus on two Controls in particular: CIS Control 3 – Data Protection and CIS Control 16 – Application Security.

Cloud Data Security with CIS Control 3

The purpose of CIS Control 3 is to help you create processes for protecting your data in the cloud. Consumers don’t always know that they’re responsible for cloud data security, which means they might not have adequate controls in place. For instance, without proper visibility, cloud consumers might be unaware that they’re leaking their data for weeks, months, or even years.

CIS Control 3 walks you through how to close this gap by identifying, classifying, securely handling, retaining, and disposing of your cloud-based data, as shown in the screenshot below.

CIS cloud security strategy
A screenshot of CIS Control 3: Data Protection
Cloud Application Security with CIS Control 16

In addition to protecting your cloud-based data, you need to manage your cloud application security in accordance with CIS Control 16. Your responsibility in this area applies to applications developed by your in-house teams and acquired from external product vendors.

To prevent, detect, and remediate vulnerabilities in your cloud-based applications, you need a comprehensive program that brings together people, processes, and technology. Continuous Vulnerability Management, as discussed in CIS Control 7, sits at the heart of this program. You can then expand your security efforts by using supply chain risk management for externally acquired software and a secure software development life cycle (SDLC) for applications produced in house.

Want to learn more about the CIS Benchmarks? Check out our video below.

Using the CIS Amazon Web Services Foundations Benchmark v3.0.0 as an example, here are two recommendations you can implement to protect your data in the cloud.

Hardening your cloud-based assets with MFA, lack of public access

With CIS Controls 3 and 16 as your foundation, you can build upon your progress by hardening your accounts and workloads in the cloud with the security recommendations of the CIS Benchmarks, which map back to the Controls.

Set up MFA for the ‘root’ user account

The ‘root’ user account is the most privileged user in your AWS account. In the event of a compromise, a cyber threat actor (CTA) could use your ‘root’ user account to access sensitive data stored in your AWS environment.

To address this threat, you need to safeguard your ‘root’ user account. You can do so by implementing Recommendation 1.5, which advises you to set up multi-factor authentication (MFA) using a dedicated device that’s managed by your company. Do not use a personal device to protect your ‘root’ user account with MFA, as this could increase the risk of account lockout if the device owner leaves the company, changes their number, or loses their device.

Block public access on your S3 buckets

Amazon Simple Storage Service (S3) enables you to store objects in your AWS environment using a web interface. The issue is that not everyone configures their S3 buckets securely. By default, S3 buckets don’t allow public access upon their creation. However, an Identity and Access Management (IAM) principal with sufficient permissions could enable public access to your S3 buckets. In doing so, they could inadvertently expose your buckets and their respective objects.

You can mitigate this risk by implementing Recommendation 2.1.4. This guideline consists of ensuring that you’ve configured S3 buckets to “Block public access” in both your individual bucket settings and in your AWS account settings. That way, you’ll block the public from accessing any of your S3 buckets and its contained objects connected to your AWS account.

Streamlining your use of cloud security best practices

The Controls and Benchmarks recommendations discussed above will help you take the first steps in implementing your cloud security strategy. From here, you can save time securely configuring your technologies using the CIS Hardened Images, virtual machine images (VMIs) that are pre-hardened to the security recommendations of the Benchmarks.

Securing Cloud Services: A pragmatic approach

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Feb 07 2022

Critical Infrastructure Attacks Spur Cybersecurity Investment

The attacks on critical industrial systems such as Colonial Pipeline last year pushed industrial cybersecurity to center stage. And with the threat of war between Russia and Ukraine, experts warned nations that a global flare-up of cybersecurity attacks on critical infrastructure could be looming. In late January, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) put critical infrastructure organizations on notice: Take “urgent, near-term steps” to mitigate the risk of digital attacks. The alert cited tension in eastern Europe as the catalyst for possible attacks against U.S. digital assets.

Critical Infrastructure Under Attack

Unfortunately, critical systems have long been under significant attack. In fact, an overwhelming 80% of critical infrastructure organizations experienced ransomware attacks last year, according to a survey released today by PollFish on behalf of cyber-physical systems security provider Claroty. The survey, completed in September 2021, gathered responses from full-time information technology and operational technology (OT) security professionals in the United States (500 professionals), Europe (300) and Asia-Pacific (300). The industries surveyed include IT hardware, oil and gas (including pipelines), consumer products, electric energy, pharmaceutical/life sciences/medical devices, transportation, agriculture/food and beverage, heavy industry, water and waste and automotive.

Globally, 80% of respondents reported experiencing an attack and 47% of respondents said the attack impacted their operational technology and industrial control systems environment. A full 90% of respondents that reported their attacks to authorities or shareholders said the impact of those attacks was substantial in 49% of cases.

Attacking Digital Transformation

Cybersecurity Investments

Effectiveness of National Cyber Policy to Strengthen the Security and Resilience of Critical Infrastructure Against Cyber Attacks

Tags: Critical Infrastructure Attacks

Sep 02 2021

DoJ Launches Cybersecurity Fellowship Program as Threats Rise

Category: cyber security,Cyber StrategyDISC @ 9:35 am

The U.S. Department of Justice (DoJ) announced the creation of a cybersecurity fellowship program that will train prosecutors and attorneys to handle emerging national cybersecurity threats.

Fellows in the three-year Cyber Fellowship program will investigate and prosecute state-sponsored cybersecurity threats, transnational criminal groups, infrastructure and ransomware attacks and the use of cryptocurrency and money laundering to finance and profit from cybercrimes.

Cyber Fellowship Program

The program will train selected attorneys to deal with emerging cybercriminal threats and the ability to secure a top-secret security clearance is a prerequisite. All participants will be based in the Washington, D.C. area.

As part of the fellowship, participants will rotate through the multiple departments charged with protecting the country from cybersecurity threats, including the Criminal Division, the National Security Division and the U.S. Attorneys’ Offices.

The program is coordinated through the Criminal Division’s Computer Crime and Intellectual Property Section and the creation of the Fellowship is the result of a recommendation from the department’s ongoing comprehensive cybersecurity review, which was ordered by Deputy Attorney General Lisa Monaco in May 2021.

fellowship web app election security government

Enhancing Efforts Against Cybersecurity Threats

Tags: Cybersecurity Fellowship Program

Apr 19 2021

Alarming Cybersecurity Stats: What You Need To Know For 2021

Cyber Attack A01

The year 2020 broke all records when it came to data lost in breaches and sheer numbers of cyber-attacks on companies, government, and individuals. In addition, the sophistication of threats increased from the application of emerging technologies such as machine learning, artificial intelligence, and 5G,  and especially from greater tactical cooperation among hacker groups and state actors. The recent Solar Winds attack, among others,  highlighted both the threat and sophistication of those realities.

The following informational links are compiled from recent statistics pulled from a variety of articles and blogs. As we head deeper into 2021, it is worth exploring these statistics and their potential cybersecurity implications in our changing digital landscape.

To make the information more useable, I have broken down the cybersecurity statistics in several categories, including Top Resources for Cybersecurity Stats, The State of Cybersecurity Readiness, Types of Cyber-threats, The Economics of Cybersecurity, and Data at Risk.

There are many other categories of cybersecurity that do need a deeper dive, including perspectives on The Cloud, Internet of Things, Open Source, Deep Fakes, the lack of qualified Cyber workers, and stats on many other types of cyber-attacks. The resources below help cover those various categories.

Top Resources for Cybersecurity Stats:

If you are interested in seeing comprehensive and timely updates on cybersecurity statistics, I highly recommend you bookmark these aggregation sites:

 300+ Terrifying Cybercrime and Cybersecurity Statistics & Trends (2021 EDITION) 300+ Terrifying Cybercrime & Cybersecurity Statistics [2021 EDITION] (comparitech.com)·        

The Best Cybersecurity Predictions For 2021 RoundupWhy Adam Grant’s Newest Book Should Be Required Reading For Your Company’s Current And Future LeadersIonQ Takes Quantum Computing Public With A $2 Billion Deal

134 Cybersecurity Statistics and Trends for 2021 134 Cybersecurity Statistics and Trends for 2021 | Varonis

 2019/2020 Cybersecurity Almanac: 100 Facts, Figures, Predictions and Statistics  (cybersecurityventures.com)

Source: The State of Cybersecurity Readiness:

Cyber-Security Threats, Actors, and Dynamic Mitigation

Related article:

Top Cyber Security Statistics, Facts & Trends in 2022

👇 Please Follow our LI page…

DISC InfoSec

#InfoSecTools and #InfoSectraining



Tags: Cybersecurity Stats

Apr 15 2021

Why taking the cybersecurity initiative can win you business

Consumers seem somehow unable or unwilling to protect themselves. But our research reveals an interesting knock-on effect from this: consumers welcome organizations who take the security initiative – and actively move their business to them.

Good security is good for business

This situation is a huge opportunity for organizations to make security a differentiator. Our research reveals that consumers value companies they perceive as more secure, with 64% saying they would recommend a large organization that they think makes a big effort to keep their data secure. A business with clearly visible cybersecurity will reassure consumers and create confidence in its digital products and services, carving itself a competitive advantage.

Why taking the cybersecurity initiative can win you business

Cyber Shop - Home | Facebook

Tags: cybersecurity initiative

Mar 31 2021

Cyber Strategy – Risk-driven Security and Resiliency

Category: Cyber StrategyDISC @ 9:29 am

Cyber StrategyRisk-driven Security and Resiliency

Provides a process and roadmap for any company to develop its unified Cybersecurity and Cyber Resiliency strategies. It demonstrates a methodology for companies to combine their disassociated efforts into one corporate plan with buy-in from senior management that will efficiently utilize resources, target high risk threats, and evaluate risk assessment methodologies and the efficacy of resultant risk mitigations. The book discusses all the steps required from conception of the plan from preplanning (mission/vision, principles, strategic objectives, new initiatives derivation), project management directives, cyber threat and vulnerability analysis, cyber risk and controls assessment to reporting and measurement techniques for plan success and overall strategic plan performance. In addition, a methodology is presented to aid in new initiative selection for the following year by identifying all relevant inputs.

“This is the tour de force on designing, implementing and maintaining a modern cyber security and resiliency program. This book is a necessity for all information security and resiliency professionals.” – Howard Taylor, CISO of Radware


This book lays out a systematic process for developing corporate strategy in the area of cyber (meaning IT) security and resilience.  

NBlog – book review on “Cyber Strategy” discuss pros & cons

Tags: resiliency professionals, Risk-driven Security and Resiliency