Best Practices

Center for Internet Security (CIS)

http://www.cisecurity.org/
The Center for Internet Security (CIS) is a nonprofit organization focused on enhancing the cyber security readiness and response of public and private sector entities, with a commitment to excellence through collaboration. Through its four divisions–Security Benchmarks, Multi-State ISAC, Trusted Purchasing Alliance, and the Integrated Intelligence Center–CIS serves as a central resource in the development and delivery of high-quality, timely products and services to assist our partners in government, academia, the private sector and the general public in improving their cyber security posture.

National Institute of Standards and Technology (NIST)

http://www.nist.gov/itl/csd/
The Computer Security Division (CSD), a component of NIST’s Information Technology Laboratory (ITL), provides standards and technology to protect information systems against threats to the confidentiality, integrity, and availability of information and services.

Blogs and News

F-Secure

http://www.f-secure.com/weblog/
Started in 2004, F-Secure’s security weblog is maintained by the personnel responsible for analyzing virus, phishing, spyware, and spam attacks.

Joshua Corman’s Security Blog

http://blog.cognitivedissidents.com/
Joshua Corman is the Director of Security Intelligence for Akamai Technologies and has more than a decade of experience with security and networking software.

Naked Security

http://nakedsecurity.sophos.com/
Naked Security is Sophos’s award-winning threat news room, giving you news, opinion, advice and research on computer security issues and the latest internet threats. The core team includes industry veterans Graham Cluley and Paul Ducklin and security expert Chet Wisniewski. The site is headed up by Carole Theriault. Various technology and security experts from around the world are also regularly invited to contribute to Naked Security.

Schneier on Security

http://www.schneier.com/
Bruce Schneier is an internationally renowned security technologist and author. Described by The Economist as a “security guru,” he is best known as a refreshingly candid and lucid security critic and commentator. When people want to know how security really works, they turn to Schneier.

Threat Post

http://threatpost.com/
Threatpost, the Kaspersky Lab security news service, is an independent news site and a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.

Troy Hunt’s Blog

http://www.troyhunt.com/
Troy Hunt is a software architect and Microsoft MVP who regularly reports on web application security issues, breaches and trends.

Compliance

Health Insurance Portability and Accountability Act (HIPAA)

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html
The HIPAA Privacy Rule protects the privacy of individually identifiable health information. The HIPAA Security Rule sets national standards for the security of electronic protected health information. The HIPAA Breach Notification Rule requires covered entities and business associates to provide notification following a breach of unsecured protected health information. The confidentiality provisions of the Patient Safety Rule protect identifiable information being used to analyze patient safety events and improve patient safety.

Health Information Technology for Economic and Clinical Health Act (HITECH)

http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html
The Health Information Technology for Economic and Clinical Health Act, abbreviated HITECH Act, was enacted under Title XIII of the American Recovery and Reinvestment Act of 2009 (Pub.L. 111–5). Under the HITECH Act, the United States Department of Health and Human Services is spending $25.9 billion to promote and expand the adoption of health information technology.

Payment Card Industry Data Security Standard (PCI-DSS)

https://www.pcisecuritystandards.org/
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards. Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data to reduce credit card fraud via its exposure.

Sarbanes–Oxley Act (SOX) and COSO Framework

http://www.coso.org/documents/COSO%20McNallyTransition%20Article-Final%20COSO%20Version%20Proof_5-31-13.pdf
SOX 404 requires management at public companies like Campbell Soup to select an internal control framework and then assess and report on the design and operating effectiveness of their internal controls annually. The majority of U.S. publicly traded companies have adopted COSO’s 1992 Framework to do this.

Conferences

B-Sides

http://www.securitybsides.com
Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening.

Black Hat

http://www.blackhat.com/
The Black Hat Briefings are a series of highly technical information security conferences that bring together thought leaders from all facets of the infosec world – from the corporate and government sectors to academic and even underground researchers. The environment is strictly vendor-neutral and focused on the sharing of practical insights and timely, actionable knowledge. Black Hat remains the best and biggest event of its kind, unique in its ability to define tomorrow’s information security landscape.

Blue Hat

http://technet.microsoft.com/en-us/security/cc261637.aspx
BlueHat’s goal is to educate Microsoft engineers and executives on current and emerging security threats in an effort to help address security issues in Microsoft products and services and protect customers. This education is done through presentation by invited security researchers on a variety of topics.

DEFCON

https://www.defcon.org/
DEF CON is one of the world’s largest annual hacker conventions, held every year in Las Vegas, Nevada. The first DEF CON took place in June 1993. Attendees include computer security professionals, journalists, lawyers, federal government employees, security researchers, and hackers with a general interest in software, computer architecture, phone phreaking, hardware modification, and anything else that can be “hacked.”

DerbyCon

https://www.derbycon.com/
DerbyCon is a smaller “All in The Family” type conference aimed at promoting security education and conversation through a less commercial family-like feel.

RSA Conference

https://www.rsaconference.com/
RSA Conference is helping drive the information security agenda worldwide with annual industry events in the U.S., Europe and Asia. Throughout its history, RSA Conference has consistently attracted the world’s best and brightest in the field, creating opportunities for conference attendees to learn about IT security’s most important issues through first-hand interactions with peers, luminaries and emerging and established companies. As the IT security field continues to grow in importance and influence, RSA Conference plays an integral role in keeping security professionals across the globe connected and educated.

ShmooCon

https://www.shmoocon.org/
ShmooCon is an annual east coast hacker convention hell-bent on offering three days of an interesting atmosphere for demonstrating technology exploitation, inventive software and hardware solutions, and open discussions of critical infosec issues. The first day is a single track of speed talks called One Track Mind. The next two days bring three tracks: Build It, Belay It and Bring It On.

Tools

Kali Linux

http://www.kali.org/
From the creators of BackTrack comes Kali Linux, the most advanced and versatile penetration testing distribution ever created. BackTrack has grown far beyond its humble roots as a live CD and has now become a full-fledged operating system.

Metasploit Framework

http://www.metasploit.com/
A framework for developing and executing exploit code against a remote target machine, with additional modules for post-exploitation, anti-forensic and antivirus-evasion work.

Nmap (Network Mapper)

http://nmap.org/
Nmap (Network Mapper) is a security scanner originally written by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich) used to discover hosts and services on a computer network, thus creating a “map” of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses.
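In practice the "map" Nmap produces is consumed by other tooling rather than read by eye. The following is an added example, not code from the Nmap project: it parses the XML that `nmap -oX` writes into a host/service inventory and flags open ports that are not on a per-host allowlist, which is the core of a simple exposed-service drift check. The element and attribute names are Nmap's real XML schema; the scan result embedded in the script is a constructed sample, and the `ALLOWED` policy is a hypothetical one.

```python
"""Parse Nmap XML (-oX) output into a host/service inventory and flag services
that are not on an expected-services allowlist.

Added example; not code from the Nmap project. SAMPLE_XML is a constructed
sample in the shape `nmap -sV -oX scan.xml <targets>` emits (the element and
attribute names are Nmap's real schema; the hosts, ports and versions are
made up). ALLOWED is a hypothetical per-host policy.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/30" start="0">
  <host>
    <status state="up"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="5.7.40"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.3" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Hypothetical policy: the (protocol, port) pairs each host is allowed to expose.
ALLOWED = {
    "10.0.0.1": {("tcp", 22), ("tcp", 443)},
    "10.0.0.3": {("tcp", 22)},
}


def parse_nmap_xml(xml_text):
    """Return {addr: [(proto, port, state, service, product, version), ...]}
    for every host Nmap reported as up."""
    root = ET.fromstring(xml_text)
    inventory = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that did not answer carry no port data
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        services = []
        for port in host.findall("ports/port"):
            svc = port.find("service")  # absent when -sV was not used
            services.append((
                port.get("protocol"),
                int(port.get("portid")),
                port.find("state").get("state"),
                svc.get("name") if svc is not None else None,
                svc.get("product") if svc is not None else None,
                svc.get("version") if svc is not None else None,
            ))
        inventory[addr_el.get("addr")] = services
    return inventory


def open_services(inventory):
    """Keep only ports Nmap marked exactly 'open'. 'open|filtered' (typical for
    UDP, where no reply is ambiguous) is not treated as confirmed open."""
    return {addr: [s for s in svcs if s[2] == "open"] for addr, svcs in inventory.items()}


def unexpected_services(inventory, allowed):
    """(addr, proto, port, service) for open ports outside the allowlist.
    A host missing from the policy has an empty allowlist, so all of its
    open ports are flagged."""
    findings = []
    for addr, svcs in open_services(inventory).items():
        for proto, port, _state, name, _product, _version in svcs:
            if (proto, port) not in allowed.get(addr, set()):
                findings.append((addr, proto, port, name))
    return findings


if __name__ == "__main__":
    inv = parse_nmap_xml(SAMPLE_XML)
    for addr, proto, port, name in unexpected_services(inv, ALLOWED):
        print(f"{addr} exposes {proto}/{port} ({name}), not on the allowlist")
```

Against the sample scan this reports only `10.0.0.1` exposing `tcp/3306` (MySQL): the closed port 80 and the down host are ignored, and the `open|filtered` SNMP port on `10.0.0.3` is deliberately left out of the confirmed-open set because a UDP non-response proves nothing. Swap `SAMPLE_XML` for the contents of a real `-oX` file to run it against an actual scan.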

Other

Control Objectives for Information and Related Technology 5 (COBIT 5)

http://www.isaca.org/COBIT/
COBIT 5 is the latest edition of ISACA’s globally accepted framework, providing an end-to-end business view of the governance of enterprise IT that reflects the central role of information and technology in creating value for enterprises. The principles, practices, analytical tools and models found in COBIT 5 embody thought leadership and guidance from business, IT and governance experts around the world.

ISACA Journal

http://www.isaca.org/Journal/
A bi-monthly journal released by the Information Systems Audit and Control Association (ISACA). The journal contains articles addressing topics such as governance, compliance, assurance and information security.

Penetration Testing Framework

http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html
A thorough list of the tools and techniques that vulnerability assessors and penetration testers can employ for common tasks.

Statement on Auditing Standards No. 70 (SAS 70)

http://sas70.com/
Statement on Auditing Standards (SAS) No. 70, Service Organizations, is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A service auditor’s examination performed in accordance with SAS No. 70 (also commonly referred to as a “SAS 70 Audit”) is widely recognized, because it represents that a service organization has been through an in-depth audit of their control objectives and control activities, which often include controls over information technology and related processes.