MITRE
Not An Acronym
The Mitre Corporation is an American non-profit organization. It manages federally funded research and development centers (FFRDCs) supporting various U.S. government agencies in the aviation, defense, healthcare, homeland security, and cybersecurity fields, among others.
MITRE formed in 1958 as a military think tank, spun out from the radar and computer research at the MIT Lincoln Laboratory. Over the years, MITRE’s field of study had greatly diversified. In the 1990s, with the winding down of the cold war, private companies complained that MITRE had an unfair advantage competing for civilian contracts; in 1996 this led to the civilian projects being spun off to a new company, Mitretek. Mitretek was renamed Noblis in 2007.
CVE
Common Vulnerabilities and Exposures
- CVE (Common Vulnerabilities and Exposures) identify, define and catalog publicly disclosed cybersecurity vulnerabilities.
- Its is important to stay aware of relevant CVEs for the tech stack that you or your company uses.
- It is maintained by Mitre (A US non-profit)
- Ratings: Low, Medium, High, and Critical
- Ratings are aligned to CVSS
- Famous CVEs:
- CVE-2014-0160 - Heartbleed (OpenSSL)
- CVE-2017-0143 - SMB (Used by WannaCry)
- CVE-2019-0708 - BlueKeep (RDP)
- CVE-2021-44229 - Log4j
CVSS
Common Vulnerability Scoring System
- The CVSS base score is a measure of theseverity of a vulnerability.
- Scores are calculated based on separate metrics, given a score of 0 - 10 (one decimal place)
- Low : 0.1 - 3.9
- Medium : 4.0 - 6.9
- High : 7.0 - 8.9
- Critical : 9.0 - 10.0 - Used by CVEs
FIRST
Forum of Incident Response and Security Teams
TheForum of Incident Response and Security Teams(FIRST) is a global forum of incident response and security teams. They aim to improve cooperation between security teams on handling major cybersecurity incidents.FIRST is an association of incident response teams with global coverage.
The 2018 Report of the United Nations Secretary-General’s High-Level Panel on Digital Cooperation noted FIRST as a neutral third party which can help build trust and exchange best practices and tools during cybersecurity incidents.
Known for governing the EPSS (Exploit Prediction Scoring System).
EPSS
Exploit Prediction Scoring System
- EPSS aims to measure the probability of a vulnerability being used in an exploit, and therefore determine the risk that a CVE will be used in an attack.
- While other industry standards have been useful for capturing innate characteristics of a vulnerability and provide measures of severity, they are limited in their ability to assess threat. EPSS fills that gap because it uses current threat information from CVE and real-world exploit data.
- The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
- EPSS is governed by the Forum of Incident Response and Security Teams (FIRST), a team responsible for a number of vulnerability scoring protocols.
- Because EPSS is driven by the data and has a strong temporal aspect, it only learns from the exploitation activity it sees (from data partners) and predicts on the vulnerability attributes presented.
- Note that EPSS relies onindustry partners, (Fortinet, GreyNoise Intelligence, The Shadowserver Foundation, F5, Efflux, AlienVault and Cisco) and does not curate any of our own exploitation activity.
What is the difference between CVSS vs EPSS?
- The CVSS base score is a measure of the severity of a vulnerability.
- EPSS aims to measure the probability of a vulnerability being used in an exploit, and therefore determine theriskthat a CVE will be used in an attack.
What is the benefit of EPSS vs CVSS?
EPSS provides a real-time assessment; a method for prioritizing the riskiest vulnerabilities where CVSS provides the severity score. In addition, the details of a CVSS base score, e.g. the specific attack vector, can help refine that prioritization under knowledge of the specifics of a user’s environment. Used together, EPSS and CVSS allow network defenders to prioritize the most severe and riskiest CVEs for remediation efforts.
CISA
Cybersecurity & Infrastructure Security Agency
- A US federal agency which provides information on how to defend against threats to cyber and physical infrastructure
- They maintain helpful information such as:
- KEV - Known Exploited Vulneralbilites catalog
- Alerts
- Many countries have their own equivalent
- ex. UK has NCSC
- But CISA is not necessarily US specific and will be applicable to anyone in the security field
KEV
Known Exploited Vulnerabilities
CISA KEV is a database of security flaws in software applications and weaknesses that have been exposed and leveraged by attackers. This catalog is publicly available online atCISA KEV.
The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Directive mandating organizations to patch a list of Known Exploited Vulnerabilities (KEV) on November 03, 2021, with specified deadlines. This catalog started with 287 vulnerabilities, and the count stands at over 1000 today (1076).**
NIST
(US) National Institute of Standards and Technology
- TheNational Institute of Standards and Technology(NIST) is an agency of the[United States Department of Commerce] whose mission is to promote American innovation and industrial competitiveness.
- NIST’s activities are organized intophysical sciencelaboratory programs that includenanoscale science and technology,engineering,information technology,neutronresearch, material measurement, and physical measurement.
CSF
CSF - NIST Cyber Security Framework
- A set of guidelines for mitigatingorganizationalcybersecurityrisks, published by the USNational Institute of Standards and Technology(NIST) based on existing standards, guidelines, and practices.[1]
- The Framework is voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.
- The NIST Cybersecurity Framework is designed for individual businesses and other organizations to assess risks they face.
- The framework is divided into three parts, “Core”, “Profile” and “Tiers”.
- Core
- The “Framework Core” contains an array of activities, outcomes and references about aspects and approaches to cybersecurity.
- Tiers
- The “Framework Implementation Tiers” are used by an organization to clarify for itself and its partners how it views cybersecurity risk and the degree of sophistication of its management approach.
- Profile
- A “Framework Profile” is a list of outcomes that an organization has chosen from the categories and subcategories, based on its needs and risk assessments. It is documentation of those outcomes.
- An organization typically starts by using the framework to develop a “Current Profile” which describes its cybersecurity activities and what outcomes it is achieving.
- It can then develop a “Target Profile”, or adopt a baseline profile tailored to its sector (e.g. infrastructure industry) or type of organization. It can then define steps for switching from its current profile to its target profile.
- A “Framework Profile” is a list of outcomes that an organization has chosen from the categories and subcategories, based on its needs and risk assessments. It is documentation of those outcomes.
- Core
The Framework Core is made up of 5 functions:
- Identify - ID
- Protect - PR
- Detect - DE
- Respond - RS
- Recover - RC
CSA
Cloud Security Alliance
Cloud Security Alliance(CSA) is a not-for-profit organization with the mission to “promote the use of best practices for providing security assurance withincloud computing, and to provide education on the uses of cloud computing to help secure all other forms of computing.”[1]
- Cloud Controls Matrix (CCM). Security controls framework for cloud provider and cloud consumers.
CCM
Cloud Controls Matrix
TheCSA Cloud Controls Matrix (CCM)is a cybersecurity control framework for cloud computing. It is a spreadsheet that lists 16 domains covering all key aspects of cloud technology. Each domain is broken up into 133 control objectives. It can be used as a tool to systematically assess cloud implementation, by providing guidance on which security controls should be implemented by which actor within the cloud supply chain.The controls framework is aligned to theSecurity Guidance v4and is currently considered a de-facto standard for cloud security assurance and compliance.
FedRamp
Federal Risk and Authorization Management Program
At its core,FedRAMP is a government-wide programstandardizing the approach to security assessment, authorization, and continuous monitoring for cloud products and services. That’s a mouthful, but in simpler terms, it’s a seal of approval, ensuring cloud services have the right level of security to be used by federal agencies.
For cloud professionals, FedRAMP can sometimes feel like a high bar to clear. But once you understand its essence, it’s really about maintaining the highest standard of data protection. It follows a “do once, use many times” framework which reduces the efforts, time, and costs that would otherwise be required for the security assessment of a cloud service.
Three levels of security impact are defined in FedRAMP - Low, Moderate, and High, each corresponding to the potential impact of a security breach.
FedRAMP may feel like a tough nut to crack, but it’s worth it. Adhering to its guidelines not only helps you serve government clients but also elevates your overall cloud security posture. So, despite the challenges it may pose, it’s a badge of honor in the cloud industry.
HIPPA
Health Insurance Portability and Accountability Act
Healthcare and cloud computing - a match made in heaven? Well, if you’re in the healthcare sector or deal with health-related data in the U.S., you’ve likely come across the term HIPAA.
HIPAA, or theHealth Insurance Portability and Accountability Act, is not a framework like some of our previous entries. Instead, it’s a U.S. law designed to provide privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals, and other healthcare providers.
In the context of cloud services, HIPAA applies to cloud providers that process, store, or transmit “Protected Health Information” (PHI). To be considered HIPAA-compliant, cloud providers must implement a robust set of physical, network, and process security measures. Moreover, they need to sign a Business Associate Agreement (BAA) in which they commit to comply with certain provisions of HIPAA rules.
HIPAA compliance might feel like navigating through a maze at times, but it’s ultimately about ensuring the privacy and security of sensitive health information. Adhering to its guidelines means you’re treating your customers’ health data with the care and respect they deserve.
COPPA
Children’s Online Privacy Protection Act
COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.
PCI DSS
Payment Card Industry Data Security Standard
In the realm of digital transactions, one framework tends to stands outl: PCI DSS. If your organization deals with card payments in any form, you’re likely already familiar with this one.
ThePayment Card Industry Data Security Standardis a set of security standards designed to ensure all companies that process, store, or transmit credit card information maintain a secure environment. It’s a universal standard, applicable to entities of all sizes and geographies, as long as they handle cardholder data.
PCI DSS outlines a framework of specifications, tools, measurements, and support resources to help organizations ensure the safe handling of cardholder information. It covers six major objectives which are further broken down into 12 requirements. These range from building and maintaining a secure network, to regularly monitoring and testing networks, to maintaining an information security policy.
In the context of cloud services, both the cloud provider and the customer have a shared responsibility when it comes to ensuring compliance. Cloud providers must secure the underlying infrastructure, while customers must ensure the way they use the cloud services complies with the standard.
While achieving and maintaining PCI DSS compliance might seem like a challenging task, it’s a vital part of ensuring the security and trustworthiness of card payment systems.
GDPR
General Data Protection Regulation
If you’ve ever dealt with data of EU citizens, then GDPR is likely a term that has kept you up at night.
The General Data Protection Regulation, or GDPR, is a regulation enacted by the European Union to protect the privacy and personal data of its residents. Despite being an EU regulation, it has global implications. Any organization, regardless of its location, that processes the personal data of individuals within the EU must comply.
GDPR is centered on principles such as transparency, lawful basis for processing, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability. It grants EU citizens specific rights like the right to access their personal data, the right to rectification, the right to be forgotten, and more.
In the cloud context, both the cloud provider and the customer share responsibility for ensuring GDPR compliance. Cloud providers must ensure they provide GDPR-compliant services, while customers must use those services in a GDPR-compliant way.
Complying with GDPR may seem daunting, but it’s an essential part of modern data handling practices. It not only ensures the privacy of EU citizens but also cultivates trust between organizations and their users.
CIS
Center for Internet Security
Formerly known as the CIS Top 20, there are now18 CIS Critical Security Controls. In the field of information security, the Center for Internet Security (CIS) controls stand as a respected guide for securing a wide variety of systems and platforms, including cloud environments.
- CIS Security Controls– prescriptive, prioritized, and simplified set of cybersecurity best practices
- CIS Benchmarks– consensus-developed secure configuration guidelines for hardening
FISMA
**Federal Information Security Modernization Act **
When it comes to U.S. government agencies, there’s one act that rings particularly loud: theFederal Information Security Modernization Act, or FISMA.
Established in 2002, FISMA requires federal agencies to develop, document, and implement an information security and protection program. But its scope isn’t limited to government bodies. If you’re an organization that handles federal data, this is an act you’ll need to comply with, as well.
FISMA lays out a clear framework for managing information security that revolves around risk management and the need to secure information systems that support the operations and assets of an agency. This includes systems managed by third parties on behalf of a federal agency.
In the cloud environment, both cloud service providers and their customers share the responsibility of ensuring FISMA compliance. Cloud providers must ensure their services meet FISMA requirements, while customers must ensure they use these services in a manner that complies with the Act.
While FISMA compliance might seem like an uphill task, it’s an essential part of protecting sensitive federal data. Plus, it can enhance your organization’s overall security posture.
ISO 270001
**International Organization for Standardization **
In a world where data is the new oil, protecting it becomes paramount. This is whereISO 27001steps in.
ISO 27001 is an international standard that provides a robust framework for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System (ISMS). It was developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
The standard outlines a risk management process involving the identification and assessment of risks to the confidentiality, integrity, and availability of information. Controls are then applied to reduce these risks to an acceptable level.
ISO 27001 is technology-neutral and uses a top-down, risk-based approach. The standard is particularly significant in the cloud environment as it ensures that the cloud service provider follows a systematic approach to managing sensitive company information and ensuring data security.
Becoming ISO 27001 certified can seem like a daunting task, but the journey can significantly improve your organization’s resilience against information security threats and enhance customer and stakeholder confidence in your cloud security posture.
SOX
Sarbanes-Oxley Act
Stepping into the realm of financial reporting, we encounter the Sarbanes-Oxley Act, or SOX. Born out of major corporate and accounting scandals in the early 2000s, SOX is a U.S. law aimed at protecting investors from fraudulent financial reporting by corporations.
SOX establishes strict auditing and financial regulations to protect shareholders and the general public from accounting errors and fraudulent practices. While it isn’t strictly about information technology or cloud computing, it has significant implications for IT departments and cloud service providers.
Under SOX, corporate IT departments are required to create and maintain systems of internal controls to assure the integrity and confidentiality of data, as well as the accuracy of financial reports. These controls should ensure that all financial transactions are tracked accurately and that no data is altered or deleted.
In a cloud context, both the cloud service provider and the customer share the responsibility for ensuring SOX compliance. While the cloud provider must ensure their infrastructure is secure and reliable, customers must ensure their usage of cloud services complies with the Act’s requirements.
SOX compliance can seem daunting, but it’s an essential part of maintaining trust in your organization’s financial activities. Plus, the practices it promotes can enhance your overall security and reliability.
Google Cloud Architecture Framework
In the increasingly competitive world ofcloud platforms, Google Cloud holds its own, complete with its very own guiding star - theGoogle Cloud Architecture Framework.
This framework, developed by Google, offers a structured approach to creating, architecting, designing, and implementing cloud solutions. It provides a comprehensive and authoritative set of best practices that guide you in making the right choices for your applications running on Google Cloud.
The Google Cloud Architecture Framework is built around five key pillars:
- Security: This pillar emphasizes creating secure and private application architectures that ensure data protection and compliance with industry standards.
- Reliability: This focuses on developing reliable and resilient systems that effectively manage outages and continue to function in their intended, correct manner.
- Performance optimization: This pillar is all about ensuring that your applications meet your performance objectives, both now and in the future.
- Cost Optimization: This focuses on creating cost-effective systems that give you the most value from your Google Cloud investments.
- Operational excellence: This pillar focuses on efficient deployment, monitoring, and operation of cloud workloads.
The Google Cloud Architecture Framework offers a holistic approach to designing, implementing, and managing solutions in Google Cloud. By aligning your solutions to the principles in this framework, you’re ensuring they’re built on a solid foundation and take full advantage of what Google Cloud has to offer.
AWS Well Architected Framework
Ever wished for a roadmap to building a more robust, secure, and efficient cloud architecture? Say hello to theAWS Well-Architected Framework.
In the simplest terms, think of this framework as your trusted guide for constructing high-performing cloud infrastructure. It’s a set of strategic guidelines developed by the wizards over at AWS, designed to help cloud architects build the most secure, high-performing, resilient, and efficient infrastructure possible for their applications.
The AWS Well-Architected Framework is organized around six pillars:
- Operational Excellence: This is all about the ability to run and monitor systems effectively, deliver business value, and continually improve supporting processes and procedures.
- Security: As you might expect, this pillar emphasizes protecting information and systems, managing who can do what with privilege management, and implementing controls to detect security events.
- Reliability: This one centers on preventing and recovering from failures to meet demand and achieve business goals.
- Performance Efficiency: The focus here is on using resources efficiently to meet system requirements and maintaining that efficiency as demand changes and technology evolves.
- Cost Optimization: This pillar revolves around avoiding unnecessary costs, and running systems at the lowest price point without sacrificing quality or performance.
- Sustainability: This relatively new pillar is centered on minimizing the environmental impact of running cloud workloads.
By following the advice encapsulated within these pillars, you’re not just ticking boxes; you’re building a cloud infrastructure that is secure, high-performing, resilient, and efficient. It’s like having a cloud guru whispering best practices in your ear. Not bad, right?
