Security References#

Creating a good solid cyber security solution is complicated. So the most valuable tip is:

Use and reuse good knowledge

Using and reusing good open cyber security references saves you time and improves the quality of your solution.

Good and excellent knowledge for building better security solutions is available under an open access licenses. This is why all references in this section are open access references or available for free under an open liberal license.

Too often information behind paywall turns out to be a fad or pure marketing information. So be warned!

Center for Internet Security (CIS)#

The Center for Internet Security (CIS) is a 501©(3) organization is dedicated to enhancing the cybersecurity readiness and response among public and private sector entities. CIS’s Mission is to: Identify, develop, validate, promote, and sustain best practices in cybersecurity; Deliver world-class security solutions to prevent and rapidly respond to cyber incidents; and Build and lead communities to enable an environment of trust in cyberspace. https://www.cisecurity.org/

Data Transparency Lab (DTL)#

A community of technologists, researchers, policymakers and industry representatives working to advance online personal data transparency through scientific research and design. Also a collection of OSS tools to visualize internet privacy horror are offered. http://www.datatransparencylab.org

IDPro Body of Knowledge#

The IDPro Body of Knowledge is a compilation of IAM crucial up-to-date knowledge. This content is created and reviewed by the IAM professionals. All articles are peer reviewed. Within this resource you can find an ‘IAM Reference Architecture’, articles on ‘Authentication and Authorization’ and more content regarding IAM (Identity and Access Management).

Check: https://bok.idpro.org/

Information Security Guide: Effective Practices and Solutions for Higher Education#

Great guide with all topics for IS explained. And with measurements included. Tailored for Education institutes. The Information Security Guide is mapped to several popular standards, including ISO/IEC 27002:2013, NIST, HIPAA, COBIT, PCI DSS, and the US federal Cybersecurity Frameworks. There are currently 17 chapters on information security, privacy, identity and access management, governance, risk, and compliance.

Check https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-program/resources/information-security-guide

Guide to data protection#

This guide is for those who have day-to-day responsibility for data protection. It explains the purpose and effect of each principle, gives practical examples and answers frequently asked questions. https://ico.org.uk/for-organisations/guide-to-data-protection/

Learning from attacks#

Key Reinstallation Attacks- Breaking WPA2 by forcing nonce reuse (KRACK). With hands-on description, check it out: https://www.krackattacks.com/

NIST General information#

NIST, An Introduction to Information Security, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-12r1.pdf

The Cyber Security Body Of Knowledge. A lot of resources that cover all aspects of cyber security.

New Zealand Information Security Manual#

Great IS manual. The New Zealand Information Security Manual details processes and controls essential for the protection of all New Zealand Government information and systems. Controls and processes representing good practice are also provided to enhance the baseline controls. Use and reuse this manual for your governmental organisation or company.

New Zealand Information Security Manual

No-More-Ransom#

The “No-More-Ransom” website is an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and two cyber security companies – Kaspersky Lab and Intel Security – with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals. https://www.nomoreransom.org/

OpenSCAP#

The OpenSCAP project provides tools to improve security of your infrastructure using open source tools. This project is founded by RedHat and the tools are NIST certified. Use of the tools is encouraged if your systems or infrastructure needs to meet NIST (or other US) security standards. https://www.open-scap.org/

Python Forensics, Inc.#

A non-profit organization focused on the collaborative development of open source investigative technologies using the Python programming language. See: http://python-forensics.org/ for more information.

Security Frameworks#

NIST Framework for Improving Critical Infrastructure Cybersecurity:

http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

http://www.nist.gov/cyberframework/

Jericho security model, Open Group, https://collaboration.opengroup.org/jericho/

NIST, http://www.nist.gov/cyberframework/index.cfm

OECD privacy framework 2009, 2010,http://oecdprivacy.org/

Software Assurance Maturity Model (OWASP), http://www.opensamm.org/

Open Security Architecture (OSA), http://www.opensecurityarchitecture.org/

Mozilla Information Security Guides, https://infosec.mozilla.org/ Technical guidelines, principles and general information as used by the infosec team of Mozilla.

Security Officers Management and Analysis Project (SOMAP)#

Focuses on the Security Officers and on helping them in doing their daily business as comfortable as possible. The main goals of SOMAP.org are to develop and maintain: - Guides and Handbooks explaining and describing Risk Management. - an open and free ‘best practice’ Risk Model Repository with security objectives, threats and other risk related meta-data.

Check: https://www.somap.org/

Thread Models#

The OWASP Automated Threat Handbook provides actionable information and resources to help defend against automated threats to web applications. https://www.owasp.org/images/3/33/Automated-threat-handbook.pdf

The Cyber Law Toolkit#

The Cyber Law Toolkit is a dynamic interactive web-based resource for legal professionals who work with matters at the intersection of international law and cyber operations. The Toolkit may be explored and utilized in a number of different ways. At its core, it presently consists of 25 hypothetical scenarios. Each scenario contains a description of cyber incidents inspired by real-world examples, accompanied by detailed legal analysis.

Great toolkit, with all material available under a nice CC BY-SA 4.0 license.

Check the toolkit on: https://cyberlaw.ccdcoe.org/wiki/Main_Page

The Common Criteria for Information Technology Security Evaluation (CC)#

If you want to launch a product is many countries and want to make sure you follow all regulations per country: A smart thing is to make use of the common criteria checks.

The Common Criteria for Information Technology Security Evaluation (CC), and the companion Common Methodology for Information Technology Security Evaluation (CEM) are the technical basis for an international agreement, the Common Criteria Recognition Arrangement (CCRA), which ensures that:

Products can be evaluated by competent and independent licensed laboratories so as to determine the fulfilment of particular security properties, to a certain extent or assurance;

Supporting documents, are used within the Common Criteria certification process to define how the criteria and evaluation methods are applied when certifying specific technologies;

The certification of the security properties of an evaluated product can be issued by a number of Certificate Authorizing Schemes, with this certification being based on the result of their evaluation. These certificates are recognized by all the signatories of the CCRA.

More information on: https://www.commoncriteriaportal.org/

Trusted CI#

Trusted CI, the NSF Cybersecurity Center of Excellence is comprised of cybersecurity experts who have spent decades working with science and engineering communities and have an established track record of usable, high-quality solutions suited to the needs of those communities. The team draws from best operational practices and includes leaders in the research and development of new methodologies and high-quality implementations.

Trusted CI offers a great collection of valuable resources to help cybersecurity professionals. Almost all content is open and published under a Creative Commons Attribution-­NonCommercial 3.0 Unported (CC BY­NC 3.0) license.

More information on: https://www.trustedci.org/

Vulnerability Databases#

CWE (Common Weakness Enumeration - CWE™) is a community-developed list of common software and hardware security weaknesses. It serves as a common language, a measuring stick for security tools, and as a baseline for weakness identification, mitigation, and prevention efforts. Available on: http://cwe.mitre.org/

Web Authorization Protocol (OAuth)#

Web Authorization Protocol (OAuth), https://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-01

Web security#

Web Security technologies change continuously. A perfect solution does not exist. So make sure good practices are combined with good principles and non technical measurements for minimizing risks.

Mozilla Web Security Guide, https://developer.mozilla.org/en-US/docs/Web/Security