Integrity Blog

Vulnerability & Threat Intelligence Information Sources

No matter which framework your organization uses to determine risks to information assets, understanding vulnerabilities and threats plays an integral role. With the sheer breadth of known vulnerabilities and (potential) threats, not to mention the ever-growing variants of identified malware, it’s important to narrow the information down to an amount that is usable for risk analysis efforts. Your organization’s vulnerability and threat intelligence needs may vary over time, but it’s good knowing there are several sources available, including those described below.

Information Sharing and Analysis Centers (ISACs)

The ISACs, organized through the National Council of ISACs, provide sector-specific threat and mitigation information for their member organizations. ISACs started to form after Presidential Decision Directive-63 was signed (May 1998), requesting that each critical infrastructure sector establish organizations for sharing information about threats and vulnerabilities. There are now 24 ISACs, covering a range of sectors, including healthcare, finances, retail, education, and emergency services, among others. To see the entire list of ISACs and their descriptions, visit:

United States – Computer Emergency Readiness Team (US-CERT)

The US-CERT provides a variety of threat information, alerts and tips. The agency’s site also provides information about product updates, such as those from Apple, Adobe, Cisco, and VMware. In addition, information about other organizations that share vulnerability and threat information can be found on the site.

Vulnerability Databases

Vulnerabilities need to be understood in order to analyze risks. There is definitely no lack of identified vulnerabilities in the National Vulnerability Database and the Common Vulnerabilities and Exposures (CVE) database.


The Federal Bureau of Investigation partners with organizations in a public-private information sharing organization known as InfraGard. With chapters nationwide, InfraGard meetings are held routinely to present and exchange information about vulnerabilities and threats applicable to national security. All members, regardless of the industry or company they represent, must undergo a background check prior to being granted access to the organization’s portal and meetings. For more information, visit:

Information Security Professional Associations

There are several associations specific to information security, auditing, and risk. Association chapters provide great opportunities for networking with other information security professionals. Presentations and discussions at chapter meetings can be useful for maintaining awareness across myriad topics, including the latest threats and mitigation measures.

Free and Subscription-Based Sources

Threat intelligence is sometimes associated with the knowledge gained from digital forensics, but intelligence encompasses more than just “after the fact” information. A range of products are available to provide organizations with threat information, ranging from free or low-cost solutions to more expensive and capable products that analyze several hundred thousand feeds.

No matter which sources you use, your risk analysis efforts can benefit from having multiple choices for vulnerability and threat information. Within our daily schedules, we may not always find time to stay abreast of the latest information, so it’s good to build various vulnerability and threat assessment activities into your routine. To adequately determine risks, an organization must understand its vulnerabilities and potential threats.

5 Keys to Building a Strong Security Culture

We would all love working for a company that is easy-going and allows us to do pretty much whatever we want, whenever we want. The reality, though, is that companies that are overly lax and lack security controls are easy targets for hackers.

Changing the security culture of your company is not an easy task. Here are 5 ways to help ease the change:

1. Communicate Proactively and Effectively

Let your employees know about the security changes before they are implemented. Provide as much detail as possible, but don’t overwhelm them with “techy” wording - make it clear and easy for everyone to read. Identify and communicate the “5 w’s”- who, what, when, where and why. Really focus on the “why” and the reasoning behind the change. Change in general is often difficult for many. It can be especially hard for long-time employees who have been performing the same poor security practices year after year. Providing a general understanding of the reasoning behind the change can go a long way.

2. Make It About Them

Let’s face it. Many employees couldn’t care less about the security health of their organization. What they don’t realize is that their actions could cause a major security incident, bring the company crashing down, and leave them without a paycheck - searching for a new job. When talking security, make sure they’re aware of the impact their actions have not only on the company but themselves.

3. Listen and Request Feedback

Be open and available for employees to voice their concerns. There are times when increased security can make tasks take longer and put strains on productivity. Just because a new security control is put into place, doesn’t mean it is set in stone and can’t be adjusted. Let your employees know you want to hear their concerns and you’re willing to make adjustments if possible.

4. Get Leadership Support

It’s important to make sure the leadership teams are on board and are ready to help lead the way. If you have a lack of support from the top it’s really hard to make everyone else see the value. First, target the upper level teams, then let them help you spread the new culture throughout the company.

5. Give It Time

You can’t expect the culture of your company to change overnight. It takes time to change and adapt, especially for organizations that have been around for a while. Be patient and focus on specific incremental goals.

It’s no secret that information security is not an exciting topic. Many people see it as nothing more than an inconvenience. Make sure to let everyone know you appreciate their willingness to make a difference and that their efforts don’t go unnoticed. Reward good security practice – whether it’s verbal praise or a message sent over the company intranet, reinforce proper security behavior and begin seeing continued improvement.


Security for Air-Gapped Control Equipment

An air gap, at least in terms of networking, is a method of isolating computers or networks and preventing them from making external connections, either physically or wirelessly. Air-gapped computers or networks may be used for various purposes: separating information systems operating at different classification levels; isolating equipment from electronic eavesdropping measures; developing sensitive applications; or even just isolating manufacturing equipment and controllers to meet certain industry and safety standards. As a security measure, air gapping can be effective, but history shows it is not fool-proof. Think Stuxnet.

Some industries, such as manufacturing, have equipment and associated controllers that are not connected to the Internet, other computers, or networks, but still have operating systems that require patches. The equipment controllers may need information, such as CNC programs and design specifications, loaded onto them from external sources. If portable drives, such as USB thumb drives, are used to transfer updates and information onto the controllers, there are several administrative, technical, and physical controls to consider to help mitigate and control risks.

1. Risk Management and Assessments.

Portable drives are very user-friendly, but can also be risk multipliers. Any time the portable drive is inserted into the manufacturing equipment controller, the risk of introducing malware onto the system increases. Ensure portable drives are ones that have been sourced from a reputable location, and ensure policies and procedures are in place to address access controls and how the portable drives may be used. Define which systems the drives may be used with, who may use them, and the purposes for which they may be used. Also, ensure that risks associated with air-gapped equipment and associated controllers are considered and documented.

2. Asset Management and Media Protection.

Like other storage devices, portable drives should be controlled and tracked by the organization. Add drives into the asset inventory before first use and inventory them periodically thereafter. Ensure that each drive is marked with appropriate information, such as content sensitivity/classification level, distribution and usage restrictions, and inventory control numbers. Store the portable drives in locked containers when they are not being used. Also, consider checking out the drives only when needed and only to authorized persons, or assign each drive to a specific user.

3. System and Information Integrity.

Due to the risks associated with the insertion of portable drives onto air-gapped assets, certain technical controls should be considered. Use end-point protections on any system into which portable drives may be inserted. Scan the drives for malware before insertion into the equipment controllers. Implement other technical measures to prevent unauthorized programs and code from being installed.

4. Physical Security.

Implementing appropriate physical security controls is part of the equation. Only authorized users should be permitted access to the portable drives, manufacturing equipment and associated controllers. Install physical covers over controller connection points (e.g., USB port) and lock them if the ports are not in use (acknowledging appropriate port block products may not be available for all applications). If permitted by the business, use video surveillance of the manufacturing area to capture recordings of persons accessing and using the equipment.
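One way to enforce the usage rules, inventory numbers and "no unauthorized programs" controls from items 1 through 3 at a transfer station is sketched below as an added example that is not part of the original post. It assumes a SHA-256 manifest of approved files is kept for each transfer; the inventory number, user, controller and file names are hypothetical, and the check complements malware scanning rather than replacing it.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed records: the inventory number, user and controller name are hypothetical.
DRIVE_INVENTORY = {"USB-0042": {"assigned_to": "jdoe", "allowed_controllers": {"CNC-MILL-01"}}}

def sha256_file(path):
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def check_drive(mount, inventory_no, user, controller, manifest):
    """Return findings for a mounted drive; an empty list means it may be inserted."""
    record = DRIVE_INVENTORY.get(inventory_no)
    if record is None:
        return [f"drive {inventory_no} is not in the asset inventory"]
    findings = []
    if user != record["assigned_to"]:
        findings.append(f"{user} is not the assigned user of {inventory_no}")
    if controller not in record["allowed_controllers"]:
        findings.append(f"{inventory_no} is not approved for {controller}")
    seen = set()
    for path in sorted(Path(mount).rglob("*")):
        name = path.relative_to(mount).as_posix()
        if path.is_symlink():
            findings.append(f"symlink not allowed: {name}")
        elif path.is_file():
            seen.add(name)
            if name not in manifest:
                findings.append(f"unapproved file: {name}")
            elif sha256_file(path) != manifest[name]:
                findings.append(f"modified file: {name}")
    findings += [f"missing file: {n}" for n in sorted(manifest.keys() - seen)]
    return findings

def demo():  # builds a constructed drive image in a temp directory and checks it
    with tempfile.TemporaryDirectory() as tmp:
        drive = Path(tmp)
        (drive / "part_1001.nc").write_text("G21\nG90\nM30\n")  # approved CNC program
        manifest = {"part_1001.nc": sha256_file(drive / "part_1001.nc")}
        (drive / "autorun.inf").write_text("[autorun]\n")  # not in the manifest
        return check_drive(drive, "USB-0042", "jdoe", "CNC-MILL-01", manifest)

if __name__ == "__main__":
    print(demo())
```

The manifest should be produced on the system where the files were approved and carried to the transfer station separately from the drive, so that a change made to the drive in transit cannot also change the expected hashes.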

There are definitely many considerations when securing air-gapped computers, networks and equipment controllers, and these considerations could apply outside the manufacturing industry as well. Other business factors and needs will obviously be part of the decisions made regarding the controls that are implemented and maintained. An air gap is in itself a security measure, but one easily overcome. As with other components of your information security program, continue to determine risks by evaluating vulnerabilities, threats, likelihood of attack, and impacts, and use this information to determine if the security measures in place are still appropriate and working as expected.
