1 min read
CISA, the US Cybersecurity & Infrastructure Security Agency, began an initiative to help organizations manage cloud risks with the Secure Cloud Business Applications (SCuBA) project. While there are many secure cloud configuration guides, such as CIS (Center for Internet Security), SCuBA puts a new twist on them by measuring attack patterns and measuring the visibility into them. Intriguing!
Here are some takeaways compared to CIS:
- Simpler than CIS Benchmarks, SCuBA is minimum viable security requirements, so depending on risk tolerance and the criticality of data in O365, you can scale back to SCuBA vs CIS.
- Both give scripts and a step-by-step of how to configure. While both SCuBA and CIS offer scripts to implement and audit configurations, SCuBA offers GitHub downloads for easier implementation.
- CIS requires email and identification information to download while SCuBA has no requirements.
- SCuBA has additional insights into risks, attack patterns, and visibility into those with its eVRF framework. While I haven’t walked through one completely, it’s an interesting take and can provide valuable insight into monitoring, alerting, and configuration. Here’s an example from CISA’s framework document:
- SCuBA was released in 2023, and was subject to a comment period in 2022. It doesn’t have as much mileage on it as the CIS Benchmarks, which started in 2000.
While the SCuBA has an interesting approach for a control framework, I haven’t seen an implementation of this yet. CIS has much more experience and is a suggested replacement for the Cybersecurity Assessment Tool (CAT) by the FFIEC. However, SCuBA could complement with attack patterns and visibility into cloud applications.
Here are links to the framework and information to explore:
https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project
How do you measure success when it comes to stopping Phishing attacks?
An article on CSO Online this week caught my attention and raises an excellent question. That being, "what is a good success rate in your phishing...
CISA’s Cybersecurity Performance Goals: A New Opportunity for Community Financial Institutions
The Cybersecurity and Infrastructure Security Agency (CISA) recently released its Cybersecurity Performance Goals (CPGs) Adoption Report,...