Free Trial

Security Compliance Platform

The need to have strong security practices in place to protect sensitive government data from outside threats has never been greater.  By December 31, 2017, the Department of Defense will require NIST SP 800-171 compliance for all its contracts that handle controlled unclassified information (CUI) outside of government agencies. 

According to the U.S. Nation Archives and Record Administration “CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended”.  In other words, it’s unclassified sensitive information that the US federal government believes should be protected to assure minimal risk of cyberattacks on America.  This includes citizen’s financial, legal, higher education, immigration, tax and healthcare records plus organizations patent, proprietary business, and SAFETY Act Information.   You can find the complete list of categories and sub-categories (with descriptions) on the National Archives Web site.  

0
0
0
s2sdefault

There is a great deal of interest in the NIST CSF and how to apply it within an organization.  Cavirin recently hosted a webinar detailing the rationale behind the framework, the suggested implementation process, and most importantly, the actual mapping to specific policies and controls.  Here, we detail this third point.

The CSF outlines five major functions – Identify, Protect, Detect, Respond, and Recover.  Using Identify as an example, the workflow is as follows:

So, mapping of the CSF to an organization’s environment is first accomplished by selecting the proper reference and control, and then selecting the Target of Evaluation, aka the operating system to which the control applies.  In the example above, ‘Ensuring separate partition exists for /tmp’ is one of literally dozens of controls that apply to RHEL7 and within ID-RA-1.  The audit and remediation for this is detailed within the CIS Red Hat Enterprise Linux 7 Benchmark, and specifically section 1.1.2.

We detail how this workflow matches the Cavirin Platform implementation, in our new infographic, as well as in a whitepaper available via NIST.   Visit https://www.cavirin.com/solutions/nist-support.html to learn more!     

 

0
0
0
s2sdefault

Cavirin provides vulnerability assessments for your operating systems (in the cloud, on-premise or hybrid) as well as Docker Images. This article shares vulnerability trending insights we have seen when working on vulnerability analysis project and training our risk reporting algorithms. 

Cavirin platform uses a synchronized feed from the NIST National Vulnerability Database. This feed directly provides the Common Vulnerabilities and Exposures (CVEs) severity and base score that is used in its risk scoring algorithm to project the risk posture from unpatched vulnerabilities

0
0
0
s2sdefault
Google Cloud Platform Partner

It’s the week of Google Cloud NEXT and, as a Google Cloud Technology Partner, we are glad to see our efforts to add Google Cloud Platform (GCP) into the Cavirin family of cloud security products succeed. The March 2017 release of Cavirin's platform will include support for continuous security assessment of workloads on GCP, and marks a major milestone in our company’s vision to be the provider of consistent security solution across workloads running on multiple cloud providers’ platforms.

0
0
0
s2sdefault

This week yet another Linux vulnerability was discovered - CVE-2017-6074 – that could be exploited to gain kernel code execution from an unprivileged processes. The vulnerability is associated with the DCCP protocol.

The DCCP protocol is recommended by the security benchmarks to be disabled to reduce the attack surface. 

DISA RHEL 6 STIG reads “Disabling DCCP protects the system against exploitation of any flaws in its implementation.

The CIS Security Benchmark for Debian 8 reads “The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery. If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface.

Cavirin’s solution automates the assessment of these security baselines in your hybrid cloud. It continuously protects you from vulnerabilities arising out of misconfiguration and such zero-day vulnerabilities arising out of default attack surface. Vulnerabilities such as these do not really bother you if you used the solution to detect the presence of such uncommon network protocols and already reduced the attack surface by disabling them all together if not in use. You cannot really protect what you don’t see and Cavirin’s solution helps you with security evidence, audit reports, and operational procedures instead of verbal security assurances and recommendations.

0
0
0
s2sdefault

First of a multi-part series on the CIS benchmarking process, by Pravin Goyal.

ON CIS BENCHMARKS

What are CIS Benchmarks?

The CIS Security Benchmarks program provides well-defined, un-biased and consensus-based industry best practices to help organizations assess and improve their security. The Security Benchmarks program is recognized as a trusted, independent authority that facilitates the collaboration of public and private industry experts to achieve consensus on practical and actionable solutions. Because of the reputation, these benchmarks are recommended as industry-accepted system hardening standards and are used by organizations in meeting various compliance requirements such as PCI and HIPAA.

What is the typical CIS benchmark development process?

CIS Benchmarks are created using a consensus review process comprised of subject matter experts. Consensus participants provide perspective from a diverse set of backgrounds such as consulting, software development, audit and compliance, security research, operations, government, and legal. Each CIS benchmark undergoes two phases of consensus review. The first phase occurs during initial benchmark development. During this phase, subject matter experts convene to discuss, create, and test working drafts of the benchmark. This discussion occurs until consensus has been reached on benchmark recommendations. The second phase begins after the benchmark has been published. During this phase, all feedback provided by the Internet community is reviewed by the consensus team for incorporation in the future versions of the benchmark.

What does it take to develop a new benchmark?

It is easy to contribute to CIS benchmarks. Just write to the CIS community program managers with your proposal for addition. The respective program manager will respond to you followed by a call to understand your proposition and discuss timelines, project announcement and project marketing to attract community participants. With some internal approvals, the project is created in around two weeks of time.

How long does it usually takes to develop a new benchmark?

It usually takes around 12-24 weeks based on the number of participants in the community and the size of the project.

Who else is providing security benchmarks like CIS does?

I would say none. CIS provides the broadest set of benchmarks covering both software and hardware. These include databases, operating systems, applications, mobile operating systems, firewalls, browsers, office applications and almost anything else that touches IT. The only other agency that provides a subset of the benchmarks is DISA. Also, sometimes vendors provide security documentation in the benchmark format. For example, VMware provides a VMware vSphere hardening guide for securing vSphere deployments.

How can we contribute?

Join the existing CIS communities. It is exciting and challenging, and you will get to work with amazing people.

How do we implement CIS benchmarks in our product?

You have two ways to implement CIS benchmarks. The first one leverages the content directly from CIS. The second method is to develop your own proprietary content to implement the benchmark.

Tell us a bit about CIS Docker and CIS Android benchmarks?

Both CIS Docker and CIS Android benchmarks have fascinating community members. I had the privilege to work on both as an author. One thing interesting to note is that CIS Docker benchmark exists from Docker version 1.6.  At that time not many people knew Docker or Docker security. But, the community did an amazing job by documenting 84 security recommendations! That is the power of community.  I'll cover Docker and Android in more detail in a future segment.

 

0
0
0
s2sdefault

© 2018 Cavirin Systems, Inc. All rights reserved.