Posts by Joel Cardella

7 min CIS Controls

The CIS Critical Security Controls Series

What are the CIS Critical Security Controls? The Center for Internet Security (CIS) Top 20 Critical Security Controls [https://www.rapid7.com/solutions/compliance/critical-controls/] (previously known as the SANS Top 20 Critical Security Controls) is an industry-leading way to answer your key security question: “How can I be prepared to stop known attacks?” The controls transform best-in-class threat data into prioritized and actionable ways to protect your organization from today's most common

6 min CIS Controls

The CIS Critical Security Controls Explained - Control 4: Controlled Use of Administrative Privilege

The ultimate goal of an information security program [https://www.rapid7.com/fundamentals/security-program-basics/] is to reduce risk. Often, hidden risks run amok in organizations that just aren't thinking about risk in the right way. Control 4 of the CIS Critical Security Controls [https://rapid7.com/solutions/compliance/critical-controls/] can be contentious, can cause bad feelings, and is sometimes hated by system administrators and users alike. It is, however, one of the controls that can h

5 min CIS Controls

The CIS Critical Security Controls Explained - Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

Stop No. 5 on our tour of the CIS Critical Security Controls [https://www.rapid7.com/solutions/compliance/critical-controls/] (previously known as the SANS Top 20 Critical Security Controls) deals with Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers. This is great timing with the announcement of the death of SHA1. (Pro tip: don't use SHA1 [https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/]

4 min

Disaster Preparedness: It's Not Thought Of Until It Is Needed Most

...and then it might be too late. > An update from Delta CEO Ed Bastian: pic.twitter.com/udNN0kzbKs [https://t.co/udNN0kzbKs] — Delta (@Delta) August 8, 2016 [https://twitter.com/Delta/status/762707065022349312] Recently, Delta Airlines suffered a weeklong outage that, if you take it on its face, ticks just about every box in a security person's disaster recovery planning scenario. Delta has given [http://www.bizjournals.com/twincities/news/2016/08/08/delta-cancels-flights-outage-minneapolis

5 min Finance

Sometimes the simplest security works the best

The FBI this week posted an alert [https://www.fbi.gov/phoenix/press-releases/2016/fbi-warns-of-dramatic-increase-in-business-e-mail-scams?utm_source=hs_email&utm_medium=email&utm_content=28140297&_hsenc=p2ANqtz--f0buz9nDeHu9YAI5KYbMmCHIthkKaP7LIvZg0vaXQ0uUOCJWXPSxi1TSlz5gdZ_ZF9OVT] showing that wire transfer scams known as “business email compromise” bled $2.3 billion from victims between October 2013 and February 2016. A couple of news outlets picked this up, including Brian Krebs [https://krebsonsecurity.co

3 min Networking

The End Of The Internet

On Sept 24th, ARIN announced [https://www.arin.net/announcements/2015/20150924.html] it had finally run out of IPv4 addresses. The free pool of IPv4 addresses is now gone, and the only ways to get them now are by transfer from another party that holds them, or from ranges that are returned to ARIN. The switch to IPv6 is imminent. Once switched, the number of available public addresses will be roughly 4.2 x 10^37 [http://rednectar.net/2012/05/24/just-how-many-ipv6-addresses-are-there-real