System Administration, Networking, and Security Institute

Twenty Critical Security Controls for Effective Cyber Defense

Over the years, many security standards and requirements frameworks have been developed in attempts to address risks to enterprise systems and the critical data in them. However, most of these efforts have essentially become exercises in reporting on compliance and have actually diverted security program resources from the constantly evolving attacks that must be addressed. In 2008, this was recognized as a serious problem by the U.S. National Security Agency (NSA), and they began an effort that took an "offense must inform defense" approach to prioritizing a list of the controls that would have the greatest impact in improving risk posture against real-world threats. A consortium of U.S. and international agencies quickly grew, and was joined by experts from private industry and around the globe. Ultimately, recommendations for what became the Critical Security Controls (CSCs) were coordinated through the SANS Institute.

National Institute of Standards and Technology

NIST SP 800 Series

Special Publications in the 800 series present documents of general interest to the computer security community. The Special Publication 800 series was established in 1990 to provide a separate identity for information technology security publications. This Special Publication 800 series reports on ITL's research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.

Information Systems Audit and Control Association

COBIT 5 for Information Security and Risk

COBIT 5 for Information Security provides guidance to help IT and security professionals understand, utilize, implement and direct important information security-related activities, and make more informed decisions while maintaining awareness about emerging technologies and the accompanying threats.

International Standards Organization

ISO 27001 Information Security Management

ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.

The Institute of Internal Auditors

Guide to the Assessment of IT Risk

The GAIT series describes the relationships among business risk, key controls within business processes, automated controls and other critical IT functionality, and key controls within IT general controls. Each practice guide in the series addresses a specific aspect of IT risk and control assessments.

Selecting a Penetration Test Company

How to choose your Pen Test Vendor

A common question is: Why should you hire a third-party penetration testing company? Why not choose a team from your current technical group to handle the network security test? For one, security audits, like traditional financial audits, are better done by companies (read: outsiders) with no bias or partiality toward anyone or anything within your organization. That is the only way to make sure that you have fresh eyes looking objectively at the systems you have. Another reason to hire a security testing company is that it can be difficult to hire and retain penetration testers in-house.

Web Application Vulnerability Scanner Comparison

Open-source and commercial products

The Web Application Vulnerability Scanners Benchmark

Price and Feature Comparison of Web Application Scanners

SEC Tools

For more than a decade, the Nmap Project has been cataloguing the network security community's favorite tools. In 2011 this site became much more dynamic, offering ratings, reviews, searching, sorting, and a new tool suggestion form. This site allows open source and commercial tools on any platform, except those tools that we maintain (such as the Nmap Security Scanner, Ncat network connector, and Nping packet manipulator).
