Not all patterns are as powerful as they might seem, as made clear in this article by NCSC. However, in my opinion they depend heavily on the context in which they are (not) implemented.
Practical Guide to Zero-Trust, or the Basics if You Like
Threatpost made this practical guide; however, it is more a journey of architecting. Read more.
Who’s the Cyberpunk?
Supporting open source, Cyberpunk/n0where.net gives both practical tips and news on tools that a cyber security geek would love. And the best part is its rating feature for all published articles. E.g., here I found the SELKS distro.
Check out these categories I found especially interesting:
Spyhood, the hackers' lounge, they say
Another “black-hat” site, spyhood, is for security practitioners who like to learn from cyber security tools, games and news.
The guides are rather trivial (or made trivial:)) with illustrations, step-by-step instructions and screenshots. Just played with the security camera recently.
Cyber Security MindMaps
I like mind maps, they help structure stuff. There are certainly a lot of cyber security mind maps as well to help professionals, consultants as well as management cope with this growing field. Check out the following:
- amanhardikar has various security maps,
- TaoSecurity made a cyber domain map,
- SANS CISO map (PDF)
- Rafeeq R. CISO MindMap
CSA tools, not just useful for cloud
The CSA tools, however ideal for cloud, are useful for cyber security in general as well.
- Cloud Controls Checklist, a set of principles that cannot be argued
- Consensus Assessment Initiative, the questionnaire
- CSA STAR Registry, and the list of registered entities
- CSA Research
ECSTRA
Enterprise Cyber SecuriTy Reference Architecture (ECSTRA) is a nice tree/taxonomy and a checklist if you like a checklist while trying to figure out what not to miss. It's not exhaustive, but covers most topics, such as preventive measures, security services catalogue etc.
http://artconfusion.com/TECRA/
Also see this article by its maker: https://www.linkedin.com/pulse/what-does-ciso-your-board-you-need-know-breadth-cyber-boris-taratine/
IAM before password vaults takes you
Security, I believe, is not to be fixed with tools only. There's no silver bullet, so arguing that password vaults will fit all is unfortunate. For personal use I love both Google's Smart Lock and other password vaults. However, if you aim to control access to large sets of corporate services and apps, aim for SSO and complete IAM to prevent, detect and respond. This article addresses this challenge well.
MS fighting ransomware
Windows has made an effort to fight ransomware with Controlled Folder Access, BleepingComputer says. It requires Win 10 Fall Creators Update, which is version 1709. Check your version. Enable it under Virus & threat protection if available.
*Playing with Windows settings URIs, making the settings links.
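The same check and enablement can be scripted. The following is an added example, not part of the original post; it assumes an elevated PowerShell session on a machine where Microsoft Defender Antivirus is the active antivirus, and it turns the feature on in audit mode first so legitimate applications are logged rather than blocked.

```powershell
# Added example: verify the prerequisites for Controlled Folder Access (CFA),
# report its current state, and switch it on in audit mode if it is disabled.

$minBuild = 16299   # build number of Windows 10 version 1709 (Fall Creators Update)
$build    = [System.Environment]::OSVersion.Version.Build

if ($build -lt $minBuild) {
    Write-Warning "Build $build is older than $minBuild (version 1709); Controlled Folder Access is not available."
    return
}

# CFA only works while Defender real-time protection is running.
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) {
    Write-Warning 'Defender real-time protection is off; Controlled Folder Access will not protect anything.'
}

# Get-MpPreference reports the setting as a number: 0 Disabled, 1 Enabled, 2 AuditMode.
$names = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
$raw   = [int](Get-MpPreference).EnableControlledFolderAccess
$state = if ($names.ContainsKey($raw)) { $names[$raw] } else { "Other ($raw)" }
Write-Output "Controlled Folder Access is currently: $state"

if ($state -eq 'Disabled') {
    # Audit mode logs what would have been blocked without breaking applications.
    Set-MpPreference -EnableControlledFolderAccess AuditMode
    Write-Output 'Controlled Folder Access set to AuditMode.'
}

# Review recent CFA events: 1123 = blocked, 1124 = audited (would have been blocked).
$filter = @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
}
Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# Once the audit log is clean, enforce blocking:
# Set-MpPreference -EnableControlledFolderAccess Enabled
```

After a few days in audit mode, review the 1124 events, allow the applications you trust, and then run the commented `Enabled` line.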
Kali for Azure
I have been using/playing with Azure lately. Everything from server builds, Azure AD, network security and all those magical app services and microservices for AI, cognitive behaviour, threat analytics and more. Playing with Azure is free for a limited subscription with enough cash to play with most (although not resource intensive) services. See here.
Azure security enables you to protect your services, and to detect and respond. What I find even more interesting from a security perspective is how you can penetration test your Azure services using Kali for Azure. Have not yet tested it out myself, but plan to. It can be acquired here.
Just make sure you let Microsoft know if you plan to pentest something – as you probably would if you tested your corporate network:)