Notes from the Field of Information Security
by Greg Halpin
Saturday, March 2, 2024
Notes from the Field - CIS Control 18 - Penetration Testing
While working with clients I will review their latest penetration test report. Penetration tests are a great way to obtain independent and u...
Sunday, January 14, 2024
Notes from the Field - CIS Control 17 - Incident Response Management
The client I was working with had a SaaS application hosted in AWS. When we discussed how they would respond if their data were compromised,...
Sunday, December 3, 2023
Notes from the Field - CIS Control 16 - Application Software Security
Working recently with a small Software as a Service (SaaS) company, it quickly became clear they didn't have much in place by way of se...
Saturday, October 14, 2023
Notes from the Field - CIS Control 15 - Service Provider Management
The client I was conducting a gap analysis for had an incredibly detailed Service Provider Management Policy. It required the company compli...
Saturday, July 15, 2023
Notes from the Field - CIS Control 14 - Security Awareness and Skills Training
Security awareness training is one of the areas in which I see companies doing either very well or they don't do at all. It's unfort...
Sunday, April 30, 2023
Notes from the Field - CIS Control 13 - Network Monitoring and Defense
“How would you know if your network or systems have been compromised?” That’s the question I often ask clients when discussing their network...
Saturday, January 28, 2023
Notes from the Field - Center for Internet Security Control 12 - Network Infrastructure Management
A company I audited last fall had an insecure design for its Amazon Web Services architecture, which hosted a financial web application. The...