search menu icon-carat-right cmu-wordmark

Subject: Software and Information Assurance

Cybersecurity Governance, Part 1: 5 Fundamental Challenges

Cybersecurity Governance, Part 1: 5 Fundamental Challenges

• Insider Threat Blog
Seth Swinton

This post was co-authored by Stephanie Hedges. Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. This blog post examines five fundamental challenges of cybersecurity governance that, while not exhaustive, are essential to establishing and maintaining an effective cybersecurity governance program....

Read More
Improving Cybersecurity Governance via CSF Activity Clusters

Improving Cybersecurity Governance via CSF Activity Clusters

• Insider Threat Blog
Dan Kambic

The National Institute for Science and Technology (NIST) recently released version 1.1 of its Cybersecurity Framework (CSF). Organizations around the world--including the federal civilian government, by mandate--use the CSF to guide key cybersecurity activities. However, the framework's 108 subcategories can feel daunting. This blog post describes the Software Engineering Institute's recent efforts to group the 108 subcategories into 15 clusters of related activities, making the CSF more approachable for typical organizations. The post also gives...

Read More
Building Resilient Systems with Cybersecurity Controls Management

Building Resilient Systems with Cybersecurity Controls Management

• Insider Threat Blog
Matthew Trevors

The CERT Division of the SEI has evaluated the cyber resilience of hundreds of organizations. We've seen that many organizations may not have formally established a controls management program. In this blog post, we will describe the basic controls management life cycle and provide a method for establishing effective controls for a new "green field" system or identifying gaps in an existing "brown field" system....

Read More
Moving Personal Data at Work

Moving Personal Data at Work

• Insider Threat Blog
Robert M. Ditmore

Many organizations allow limited personal use of organizational equipment. To move personal data to or from the organization's devices and network, employees typically use email, removable media, or cloud storage--the same channels a malicious insider would use for data exfiltration. This post explores a new way, based on cross-domain solutions, for employees to safely transfer personal data between an organization's network and their own systems....

Read More
Cybersecurity Performance: 8 Indicators

Cybersecurity Performance: 8 Indicators

• Insider Threat Blog
Summer Fowler

Since 1988's Morris Worm, which infected 10% of the estimated 60,000 computers connected to the internet, cybersecurity has grown into an industry expected to exceed $1 trillion in global spending between 2017 and 2021. Cybercrime will cost the global business market an estimated average of $6 trillion annually through the same time frame! So how do we spend just enough money on cybersecurity to be resilient and achieve our business objectives despite disruptive events like...

Read More
CryptoDNS--Should We Worry?

CryptoDNS--Should We Worry?

• Insider Threat Blog
Matthew Mackie

By Matt Mackie When the Internet was still ARPANET, hostnames were converted to numerical addresses using a hosts.txt file stored locally on each computer. This system evolved into today's hierarchical domain name system (DNS). Namecoin is a new--and old--alternative to DNS: it relies on a locally stored file, like the hosts.txt file, but the file is a blockchain, similar to that used in Bitcoin financial transactions. This cryptoDNS offers anonymity, security, and resistance to censorship--features...

Read More