CIS Risk Assessment Method (RAM) v2.0 for CIS Controls v8

Read Time:5 Minute, 30 Second

Risk assessments are valuable tools for understanding the threats enterprises face, allowing them to organize a strategy and build better resiliency and business continuity, all before a disaster occurs. Preparation is key – after all, the worst time to plan for a disaster is during a disaster.

The Center for Internet Security (CIS) recently released the CIS Risk Assessment Method (RAM) v2.0, an information security risk assessment method to help enterprises justify investments for reasonable implementation of the CIS Critical Security Controls (CIS Controls). CIS RAM helps enterprises define their acceptable level of risk, and then manage that risk after implementation of the Controls. Few enterprises can apply all Controls to all environments and information assets. Some Controls offer effective security, but at the cost of necessary efficiency, collaboration, utility, productivity, or available funds and resources.

When enterprises conduct a cyber risk assessment for the first time, it can be challenging to know where to start. CIS RAM is a powerful, free tool to guide the prioritization and implementation of the CIS Controls, and to complement an enterprise’s technical ability with a sound business risk-decision process. It is also designed to be consistent with more formal security frameworks and their associated risk assessment methods. Most importantly, CIS RAM lets enterprises of varying security capabilities navigate the balance between implementing security controls, risks, and enterprise needs.

CIS RAM Can Help Your Enterprise Demonstrate “Due Care”

If you experience a breach and your case goes to litigation, you will be asked to demonstrate “due care.” This is the language judges use to describe “reasonableness.” Enterprises must use safeguards to ensure that risk is reasonable to the enterprise and appropriate to other interested parties at the time of the breach. CIS RAM provides a method to “draw a line” at an enterprise’s acceptable risk definition, with risks below the line adhering to “due care,” and risks above the line requiring risk treatment. At the core of CIS RAM is the Duty of Care Risk (DoCRA) methodology, which allows enterprises to weigh the risks of not implementing the controls and its potential burden on the enterprise.

CIS RAM helps you answer questions like:

What are my enterprise’s risks?
What constitutes “due care” or “reasonableness?”
How much security is enough?

What’s New for CIS RAM v2.0

CIS RAM is made up of a family of documents, with CIS RAM Core at the foundation of it all. CIS RAM Core is a “bare essentials” version of CIS RAM that provides the principles and practices of CIS RAM risk assessments to help users rapidly understand and implement CIS RAM. It is also useful for enterprises and cybersecurity practitioners who are experienced at assessing risk, and who are able to quickly adopt RAM’s principles and practices for their environment.

As previously mentioned, CIS RAM uses DoCRA, which presents risk evaluation methods that are familiar to legal authorities, regulators, and information security professionals to create a “universal translator” for these disciplines. The standard includes three principles and 10 practices that guide risk assessors in developing this universal translator for their enterprise.

And now, CIS RAM v2.0 helps enterprises estimate the likelihood of security incidents by using data about real world cybersecurity incidents. We have evolved our thinking about threat likelihood so instead of asking, “how likely is it that this risk will occur” we now ask, “when a security incident occurs, what is the most likely way it will happen here?” CIS RAM now uses data from the Veris Community Database to help each enterprise automatically estimate that likelihood by comparing the real-world incident data to the resilience of their deployment of each CIS Safeguard.

CIS RAM v2.0 provides three different approaches to support enterprises of three levels of capability, in alignment with the CIS Controls Implementation Groups: IG1, IG2, and IG3. One document for each Implementation Group will be the anchors in the CIS RAM family and will be available for both v8 and v7.1 of the CIS Critical Security Controls. Each document will have a workbook with a corresponding guide. The first of many documents in the CIS RAM v2.0 family, CIS RAM v2.0 for Implementation Group 1 and CIS RAM v2.0 for Implementation Group 1 Workbook are now available for download and will help enterprises in IG1 to build their cybersecurity program. These IG1 documents automate much of the risk assessment process so that enterprises with little or no cybersecurity expertise can become aware of their risks, and know which to address first.

All CIS RAM documents have material to help readers accomplish their risk assessments, and include the following: examples, templates, exercises, background material, and further guidance on risk analysis techniques. We are actively working on CIS RAM v2.0 for IG2 and IG3.

The CIS RAM Core Process

CIS RAM Core risk assessments involve the following activities:

Developing the Risk Assessment Criteria and Risk Acceptance Criteria: Establish and define the criteria for evaluating and accepting risk.
Modeling the Risks: Evaluate current implementations of the CIS Safeguards that would prevent or detect foreseeable threats.
Evaluating the Risks: Estimate the likelihood and impact of security breaches to arrive at the risk score, then determine whether identified risks are acceptable.
Recommending CIS Safeguards: Propose CIS Safeguards that would reduce unacceptable risks.
Evaluating Recommended CIS Safeguards: Risk-analyze the recommended CIS Safeguards to ensure that they pose acceptably low risks without creating an undue burden.

Enterprises that use CIS RAM and CIS RAM Core can then develop a plan, as well as expectations for securing an environment reasonably, even if the CIS Safeguards are not comprehensively implemented for all information assets.

CIS RAM was developed by HALOCK Security Labs in partnership with CIS. HALOCK has used CIS RAM’s methods for several years with positive response from legal authorities, regulators, attorneys, business executives, and technical leaders. HALOCK and CIS collaborated to bring the methods to the public as CIS RAM v1.0 in 2018, and now v2.0 in 2021. CIS is a founding member of the non-profit DoCRA Council that maintains the risk analysis standard that CIS RAM is built upon.

Taking the Next Step

Ready to conduct a cyber risk assessment? Download CIS RAM for step-by-step processes, example walk-throughs, and more. It’s free for any organization to use to conduct a cyber risk assessment.

 
CIS has recently released CIS RAM v2.1.Click here to see what’s new.
 
Join the CIS RAM Community on CIS WorkBench.
 
Questions about CIS RAM? Email controlsinfo@cisecurity.org.

Read More

[R1] Stand-alone Security Patch Available for Tenable.sc versions 5.16.0 to 5.19.1: Patch 202110.1

Read Time:23 Second
Tenable.sc leverages third-party software to help provide underlying functionality. One of the third-party components (Apache) was found to contain vulnerabilities, and updated versions have been made available by the providers.

Out of caution, and in line with best practice, Tenable opted to upgrade the bundled Apache components to address the potential impact of these issues. Tenable.sc Patch 202110.1 updates Apache to version 2.4.51 to address the identified vulnerabilities.

Read More

[R2] Stand-alone Security Patch Available for Tenable.sc versions 5.16.0 to 5.19.1: Patch 202109.1

Read Time:23 Second
Tenable.sc leverages third-party software to help provide underlying functionality. One of the third-party components (OpenSSL) was found to contain vulnerabilities, and updated versions have been made available by the providers.

Out of caution, and in line with best practice, Tenable opted to upgrade the bundled OpenSSL components to address the potential impact of these issues. Tenable.sc patch SC-202109.1 updates OpenSSL to version 1.1.1l to address the identified vulnerabilities.

Read More

Drupal core – Moderately critical – Access Bypass – SA-CORE-2021-010

Read Time:57 Second
Project: 
Date: 
2021-September-15
Vulnerability: 
Access Bypass
CVE IDs: 
CVE-2020-13677
Description: 

Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass.

Sites that do not have the JSON:API module enabled are not affected.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

If you are using Drupal 9.2, update to Drupal 9.2.6.
If you are using Drupal 9.1, update to Drupal 9.1.13.
If you are using Drupal 8.9, update to Drupal 8.9.19.

Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are end-of-life and do not receive security coverage.

Drupal 7 core does not include the JSON:API module and therefore is not affected.

Reported By: 
Fixed By: 

Read More

Drupal core – Moderately critical – Access bypass – SA-CORE-2021-009

Read Time:1 Minute, 12 Second
Project: 
Date: 
2021-September-15
Vulnerability: 
Access bypass
CVE IDs: 
CVE-2020-13676
Description: 

The QuickEdit module does not properly check access to fields in some circumstances, which can lead to unintended disclosure of field data.

Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

If you are using Drupal 9.2, update to Drupal 9.2.6.
If you are using Drupal 9.1, update to Drupal 9.1.13.
If you are using Drupal 8.9, update to Drupal 8.9.19.

Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are end-of-life and do not receive security coverage.

Drupal 7 core does not include the QuickEdit module and therefore is not affected.

Uninstalling the QuickEdit module will also mitigate the vulnerability. Site owners may wish to consider this option as the QuickEdit module will be removed from core in Drupal 10.

Reported By: 
Fixed By: 
Greg Watson
Wim Leers
Jess of the Drupal Security Team
Alex Bronstein of the Drupal Security Team
Lee Rowlands of the Drupal Security Team
Joseph Zhao
Vijay Mani
Adam G-H
Drew Webber of the Drupal Security Team

Read More

Drupal core – Moderately critical – Access bypass – SA-CORE-2021-008

Read Time:1 Minute, 22 Second
Project: 
Date: 
2021-September-15
Vulnerability: 
Access bypass
CVE IDs: 
CVE-2020-13675
Description: 

Drupal’s JSON:API and REST/File modules allow file uploads through their HTTP APIs. The modules do not correctly run all file validation, which causes an access bypass vulnerability. An attacker might be able to upload files that bypass the file validation process implemented by modules on the site.

This vulnerability is mitigated by three factors:

The JSON:API or REST File upload modules must be enabled on the site.
An attacker must have access to a file upload via JSON:API or REST.
The site must employ a file validation module.

This advisory is not covered by Drupal Steward.

Also see GraphQL – Moderately critical – Access bypass – SA-CONTRIB-2021-029 which addresses a similar vulnerability for that module.

Solution: 

Install the latest version:

If you are using Drupal 9.2, update to Drupal 9.2.6.
If you are using Drupal 9.1, update to Drupal 9.1.13.
If you are using Drupal 8.9, update to Drupal 8.9.19.

Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are end-of-life and do not receive security coverage.

Drupal 7 core is not affected.

Reported By: 
Fixed By: 
Klaus Purer
Lee Rowlands of the Drupal Security Team
Alex Pott of the Drupal Security Team
Jess of the Drupal Security Team
Samuel Mortenson
Drew Webber of the Drupal Security Team
Kim Pepper

Read More

Drupal core – Moderately critical – Cross Site Request Forgery – SA-CORE-2021-007

Read Time:1 Minute, 23 Second
Project: 
Date: 
2021-September-15
Vulnerability: 
Cross Site Request Forgery
CVE IDs: 
CVE-2020-13674
Description: 

The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues.

Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. Removing the “access in-place editing” permission from untrusted users will not fully mitigate the vulnerability.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

If you are using Drupal 9.2, update to Drupal 9.2.6.
If you are using Drupal 9.1, update to Drupal 9.1.13.
If you are using Drupal 8.9, update to Drupal 8.9.19.

Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are end-of-life and do not receive security coverage.

Drupal 7 core does not include the QuickEdit module and therefore is not affected.

Uninstalling the QuickEdit module will also mitigate the vulnerability. Site owners may wish to consider this option as the QuickEdit module will be removed from core in Drupal 10.

Reported By: 
Fixed By: 
Wim Leers
Greg Knaddison of the Drupal Security Team
Jess of the Drupal Security Team
Lee Rowlands of the Drupal Security Team
Vijay Mani
Heine of the Drupal Security Team
Alex Bronstein of the Drupal Security Team
Adam G-H
Drew Webber of the Drupal Security Team
Théodore Biadala

Read More

Drupal core – Moderately critical – Cross Site Request Forgery – SA-CORE-2021-006

Read Time:1 Minute, 18 Second
Project: 
Date: 
2021-September-15
Vulnerability: 
Cross Site Request Forgery
CVE IDs: 
CVE-2020-13673
Description: 

The Drupal core Media module allows embedding internal and external media in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed media. In some cases, this could lead to cross-site scripting.

This advisory is not covered by Drupal Steward.

Also see Entity Embed – Moderately critical – Cross Site Request Forgery – SA-CONTRIB-2021-028 which addresses a similar vulnerability for that module.

Updated 18:15 UTC to clarify text.

Solution: 

Install the latest version:

If you are using Drupal 9.2, update to Drupal 9.2.6.
If you are using Drupal 9.1, update to Drupal 9.1.13.
If you are using Drupal 8.9, update to Drupal 8.9.19.

Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are end-of-life and do not receive security coverage.

Drupal 7 core is not affected.

Reported By: 
Fixed By: 
Aaron Zinck
Sean Blommaert
Alex Bronstein of the Drupal Security Team
Marcos Cano
Lee Rowlands of the Drupal Security Team
Adam G-H
Jess of the Drupal Security Team
Drew Webber of the Drupal Security Team
Neil Drumm of the Drupal Security Team
Brian Tofte-Schumacher

Read More

WordPress 5.8.1 Security and Maintenance Release

Read Time:2 Minute, 31 Second

WordPress 5.8.1 is now available!

This security and maintenance release features 60 bug fixes in addition to 3 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 5.4 have also been updated.

WordPress 5.8.1 is a short-cycle security and maintenance release. The next major release will be version 5.9.

You can download WordPress 5.8.1 by downloading from WordPress.org, or visit your Dashboard → Updates and click Update Now.

If you have sites that support automatic background updates, they’ve already started the update process.

Security Updates

3 security issues affect WordPress versions between 5.4 and 5.8. If you haven’t yet updated to 5.8, all WordPress versions since 5.4 have also been updated to fix the following security issues:

Props @mdawaffe, member of the WordPress Security Team for their work fixing a data exposure vulnerability within the REST API.Props to Michał Bentkowski of Securitum for reporting a XSS vulnerability in the block editor.The Lodash library has been updated to version 4.17.21 in each branch to incorporate upstream security fixes.

In addition to these issues, the security team would like to thank the following people for reporting vulnerabilities during the WordPress 5.8 beta testing period, allowing them to be fixed prior to release:

Props Evan Ricafort for reporting a XSS vulnerability in the block editor discovered during the 5.8 release’s beta period.Props Steve Henty for reporting a privilege escalation issue in the block editor.

Thank you to all of the reporters for privately disclosing the vulnerabilities. This gave the WordPress security team time to fix the vulnerabilities before WordPress sites could be attacked.

For more information, browse the full list of changes on Trac, or check out the version 5.8.1 HelpHub documentation page.

Thanks and props!

The 5.8.1 release was led by Jonathan Desrosiers and Evan Mullins.

In addition to the security researchers and release squad members mentioned above, thank you to everyone who helped make WordPress 5.8.1 happen:

2linctools, Adam Zielinski, Alain Schlesser, Alex Lende, alexstine, AlGala, André, Andrei Draganescu, Andrew Ozz, Ankit Panchal, Anthony Burchell, Anton Vlasenko, Ari Stathopoulos, Bruno Ribaric, Carolina Nymark, Daisy Olsen, Daniel Richards, Daria, David Anderson, David Biňovec, David Herrera, Dominik Schilling, Ella van Durpe, Enchiridion, Evan Mullins, Gary Jones, George Mamadashvili, Greg Ziółkowski, Héctor Prieto, ianmjones, Jb Audras, Jeff Bowen, Joe Dolson, Joen A., John Blackbourn, Jonathan Desrosiers, JuanMa Garrido, Juliette Reinders Folmer, Kai Hao, Kapil Paul, Kerry Liu, Kevin Fodness, Marcus Kazmierczak, Mark-k, Matt, Michael Adams (mdawaffe), Mike Schroder, moch11, Mukesh Panchal, Nik Tsekouras, Paal Joachim Romdahl, Pascal Birchler, Paul Bearne, Paul Biron, Peter Wilson, Petter Walbø Johnsgård, Radixweb, Rahul Mehta, ramonopoly, ravipatel, Riad Benguella, Robert Anderson, Rodrigo Arias, Sanket Chodavadiya, Sergey Biryukov, Stephen Bernhardt, Stephen Edgar, Steve Henty, terraling, Timothy Jacobs, tmatsuur, TobiasBg, Tonya Mork, Toro_Unit (Hiroshi Urabe), Vlad T, wb1234, and WFMattR.

Read More

News, Advisories and much more

Exit mobile version