https://community.isc2.org/t5/Industry-News/Binding-Operational-Directive-18-01-Enhance-Email-and-Web/m-p/2041#M207 <P>Correct recently all company are changing AES2 encryption for SSL/TLS offloading.</P><P>Narrow down&nbsp; such e-mail security we may have industry best practices.</P><UL><LI>Harden SMTP gateway based on vulnerability assessment on top of it.&nbsp;</LI><LI>Time to time we should have phishing drill from Cyber team as a awareness initiative because series of ransomeware spread out across the globe.</LI><LI>enabled selinux who are still using sendmail or postscript.&nbsp;</LI></UL><P>Thanks for highlighting this issue.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 29 Oct 2017 16:29:29 GMT paul200310 2017-10-29T16:29:29Z https://community.isc2.org/t5/Industry-News/Binding-Operational-Directive-18-01-Enhance-Email-and-Web/m-p/2012#M204 <P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>The Department of Homeland Security (DHS) published&nbsp;<STRONG><A title="Enhance Email and Web Security" href="https://cyber.dhs.gov/assets/report/bod-18-01.pdf" target="_blank">Binding Operational Directive 18-01</A>, <EM>Enhance Email and Web Security</EM></STRONG>.&nbsp; BOD-18-01 focuses on several elements including:</P><P>&nbsp;</P><P>a.&nbsp; Enhance Email Security</P><P>&nbsp;</P><UL><LI>Use of STARTTLS on internet-facing mail servers,</LI><LI>All second-level domains using SPF with a DMARC policy of "none" (initial 90 days),</LI><LI>Disable use of SSLv2 and SSLv3 on mail servers,</LI><LI>Disable use of RC4 and 3DES ciphers on mail servers.</LI><LI>Set a DMARC policy of "reject" (within 1 year)</LI></UL><P>b.&nbsp; Enhance Web Security</P><P>&nbsp;</P><UL><LI>All public-facing websites must use Always-On HTTPS with HSTS</LI><LI>Disable use of SSLv2 and SSLv3 on web servers</LI><LI>Disable use of RC4 and 3DES cipheres on web servers</LI></UL><P>The above is a summary of the memo and resources available at <A href="https://cyber.dhs.gov/" target="_blank">https://cyber.dhs.gov</A>.</P><P>&nbsp;</P><P>My question for the community is:&nbsp; Does your organization leverage federal government requirements, beyond NIST guidance, to establish your policies and implementation guidance for cybersecurity and risk management?&nbsp; &nbsp;For example, minus the reporting requirements, the bullet list of email and web security parameters could be replicated for a company.</P> Sun, 29 Oct 2017 16:03:00 GMT https://community.isc2.org/t5/Industry-News/Binding-Operational-Directive-18-01-Enhance-Email-and-Web/m-p/2012#M204 djharrity 2017-10-29T16:03:00Z https://community.isc2.org/t5/Industry-News/Binding-Operational-Directive-18-01-Enhance-Email-and-Web/m-p/2041#M207 <P>Correct recently all company are changing AES2 encryption for SSL/TLS offloading.</P><P>Narrow down&nbsp; such e-mail security we may have industry best practices.</P><UL><LI>Harden SMTP gateway based on vulnerability assessment on top of it.&nbsp;</LI><LI>Time to time we should have phishing drill from Cyber team as a awareness initiative because series of ransomeware spread out across the globe.</LI><LI>enabled selinux who are still using sendmail or postscript.&nbsp;</LI></UL><P>Thanks for highlighting this issue.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 29 Oct 2017 16:29:29 GMT https://community.isc2.org/t5/Industry-News/Binding-Operational-Directive-18-01-Enhance-Email-and-Web/m-p/2041#M207 paul200310 2017-10-29T16:29:29Z https://community.isc2.org/t5/Industry-News/Binding-Operational-Directive-18-01-Enhance-Email-and-Web/m-p/2070#M211 This really depends on the regulation or guidance to be adopted and/or the business benefit of it.<BR />I know that some of the enterprises out there do adopt some federal regulations, majority however do it from a business perspective (bidding on contracts) rather than actual security concerns. Sun, 29 Oct 2017 17:01:54 GMT https://community.isc2.org/t5/Industry-News/Binding-Operational-Directive-18-01-Enhance-Email-and-Web/m-p/2070#M211 IliaTiv 2017-10-29T17:01:54Z