old-riskletpy/controls.csv
2025-02-12 05:46:21 +01:00

Risk #,Risk Description,CIS v8.1 Safeguards (Sub-Controls),Weight (0-10)
1,"Ransomware Attack on Critical Systems","3.1 - Establish and Maintain Inventory of Enterprise Assets",3
1,"Ransomware Attack on Critical Systems","3.3 - Manage Assets",4
1,"Ransomware Attack on Critical Systems","5.1 - Establish and Maintain a Secure Configuration Process",5
1,"Ransomware Attack on Critical Systems","5.3 - Securely Configure Enterprise Assets and Software",7
1,"Ransomware Attack on Critical Systems","8.1 - Establish and Maintain a Vulnerability Management Process",6
1,"Ransomware Attack on Critical Systems","9.2 - Deploy and Maintain Anti-Malware Software",9
1,"Ransomware Attack on Critical Systems","10.8 - Perform and Test Data Backups",10
1,"Ransomware Attack on Critical Systems","15.1 - Develop an Incident Response Plan",8
2,"Large-Scale Data Breach Due to External Attack","3.1 - Establish and Maintain Inventory of Enterprise Assets",4
2,"Large-Scale Data Breach Due to External Attack","3.4 - Manage Sensitive Assets",8
2,"Large-Scale Data Breach Due to External Attack","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",7
2,"Large-Scale Data Breach Due to External Attack","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",9
2,"Large-Scale Data Breach Due to External Attack","6.3 - Implement and Manage Network Segmentation",8
2,"Large-Scale Data Breach Due to External Attack","7.1 - Establish and Maintain a Data Management Process",6
2,"Large-Scale Data Breach Due to External Attack","7.2 - Implement and Enforce Data Retention",5
2,"Large-Scale Data Breach Due to External Attack","7.3 - Implement Data Loss Prevention (DLP)",9
2,"Large-Scale Data Breach Due to External Attack","12.5 - Enforce Encryption of Data-at-Rest",8
2,"Large-Scale Data Breach Due to External Attack","12.6 - Enforce Encryption of Data-in-Transit",7
3,"Insider Threat Leading to Data Exfiltration","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",8
3,"Insider Threat Leading to Data Exfiltration","4.3 - Manage Privileged Access",9
3,"Insider Threat Leading to Data Exfiltration","4.4 - Manage Service Accounts",6
3,"Insider Threat Leading to Data Exfiltration","4.6 - Manage External Accounts",5
3,"Insider Threat Leading to Data Exfiltration","7.3 - Implement Data Loss Prevention (DLP)",8
3,"Insider Threat Leading to Data Exfiltration","14.5 - Establish and Maintain an Audit Log Review and Analysis Process",7
3,"Insider Threat Leading to Data Exfiltration","16.1 - Conduct Security Awareness and Skills Training",6
4,"Supply Chain Disruption Impacting Operations","3.1 - Establish and Maintain Inventory of Enterprise Assets",2
4,"Supply Chain Disruption Impacting Operations","3.6 - Establish and Maintain an Inventory of Non-Enterprise Assets",1
4,"Supply Chain Disruption Impacting Operations","4.6 - Manage External Accounts",6
4,"Supply Chain Disruption Impacting Operations","13.1 - Establish and Maintain a Security Awareness Program",3
4,"Supply Chain Disruption Impacting Operations","18.1 - Establish and Maintain a Penetration Testing Program",4
4,"Supply Chain Disruption Impacting Operations","19.1 - Establish and Maintain an Incident Response Plan",7
4,"Supply Chain Disruption Impacting Operations","20.1 - Establish and Maintain a Business Continuity Plan",10
5,"Reputational Damage from Social Media Incident","13.1 - Establish and Maintain a Security Awareness Program",9
5,"Reputational Damage from Social Media Incident","16.1 - Conduct Security Awareness and Skills Training",8
5,"Reputational Damage from Social Media Incident","16.2 - Train Workforce Members on Social Engineering Attacks",7
5,"Reputational Damage from Social Media Incident","19.1 - Establish and Maintain an Incident Response Plan",6
5,"Reputational Damage from Social Media Incident","19.8 - Perform Post-Incident Reviews",5
6,"Compliance Failure Leading to Fines","1.1 - Establish and Maintain Enterprise Governance",10
6,"Compliance Failure Leading to Fines","1.2 - Establish and Maintain Enterprise Security Policies",9
6,"Compliance Failure Leading to Fines","1.3 - Establish and Maintain Enterprise Agreements",8
6,"Compliance Failure Leading to Fines","2.1 - Establish and Maintain an Inventory of Authorized Software",4
6,"Compliance Failure Leading to Fines","3.4 - Manage Sensitive Assets",7
7,"Loss of Critical Business Data Due to System Failure","10.8 - Perform and Test Data Backups",10
7,"Loss of Critical Business Data Due to System Failure","10.9 - Perform Off-Site Backups",9
7,"Loss of Critical Business Data Due to System Failure","10.10 - Securely Store Backups",8
7,"Loss of Critical Business Data Due to System Failure","5.3 - Securely Configure Enterprise Assets and Software",6
7,"Loss of Critical Business Data Due to System Failure","19.1 - Establish and Maintain an Incident Response Plan",5
8,"Business Email Compromise (BEC) Attack","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",9
8,"Business Email Compromise (BEC) Attack","16.2 - Train Workforce Members on Social Engineering Attacks",8
8,"Business Email Compromise (BEC) Attack","11.1 - Implement and Manage Email Protections",7
8,"Business Email Compromise (BEC) Attack","14.5 - Establish and Maintain an Audit Log Review and Analysis Process",5
9,"Physical Security Breach Leading to Asset Theft","17.1 - Implement Physical Access Controls",10
9,"Physical Security Breach Leading to Asset Theft","17.2 - Monitor Physical Environment",9
9,"Physical Security Breach Leading to Asset Theft","3.1 - Establish and Maintain Inventory of Enterprise Assets",6
9,"Physical Security Breach Leading to Asset Theft","14.5 - Establish and Maintain an Audit Log Review and Analysis Process",4
10,"Denial-of-Service (DoS) Attack Disrupting Services","6.1 - Establish and Maintain a Baseline Configuration of Network Devices",6
10,"Denial-of-Service (DoS) Attack Disrupting Services","6.4 - Implement and Manage Network Infrastructure Device Hardening",7
10,"Denial-of-Service (DoS) Attack Disrupting Services","6.5 - Implement and Manage Distributed Denial of Service (DDoS) Mitigation Techniques",10
10,"Denial-of-Service (DoS) Attack Disrupting Services","14.1 - Establish and Maintain a Security Logging and Monitoring Process",8
11,"Unpatched Software Vulnerabilities Exploited","8.2 - Remediate Vulnerabilities Based on Risk",10
11,"Unpatched Software Vulnerabilities Exploited","8.3 - Verify Application of Security Patches",9
11,"Unpatched Software Vulnerabilities Exploited","3.2 - Utilize an Automated Asset Discovery Tool",4
12,"Third-Party Vendor Security Breach Impacting Data","4.6 - Manage External Accounts",8
12,"Third-Party Vendor Security Breach Impacting Data","13.5 - Manage Supplier Access",9
12,"Third-Party Vendor Security Breach Impacting Data","13.6 - Monitor Supplier Security",7
13,"Mobile Device Compromise Leading to Data Loss","3.5 - Manage Enterprise Assets Connected to the Enterprise Network Remotely",8
13,"Mobile Device Compromise Leading to Data Loss","4.5 - Manage Mobile Devices",9
13,"Mobile Device Compromise Leading to Data Loss","12.5 - Enforce Encryption of Data-at-Rest",7
14,"Cloud Service Configuration Errors Exposing Data","5.4 - Securely Configure Cloud Infrastructure",9
14,"Cloud Service Configuration Errors Exposing Data","5.5 - Securely Configure Cloud Workloads",8
14,"Cloud Service Configuration Errors Exposing Data","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
15,"Lack of Employee Security Awareness Leading to Phishing Success","16.1 - Conduct Security Awareness and Skills Training",10
15,"Lack of Employee Security Awareness Leading to Phishing Success","16.2 - Train Workforce Members on Social Engineering Attacks",9
15,"Lack of Employee Security Awareness Leading to Phishing Success","11.1 - Implement and Manage Email Protections",7
16,"Unsecured APIs Exposing Sensitive Information","6.2 - Establish and Maintain a Baseline Configuration of Endpoints",6
16,"Unsecured APIs Exposing Sensitive Information","12.6 - Enforce Encryption of Data-in-Transit",9
16,"Unsecured APIs Exposing Sensitive Information","18.1 - Establish and Maintain a Penetration Testing Program",7
17,"Accidental Data Leak by Employee","7.3 - Implement Data Loss Prevention (DLP)",8
17,"Accidental Data Leak by Employee","16.1 - Conduct Security Awareness and Skills Training",7
17,"Accidental Data Leak by Employee","14.5 - Establish and Maintain an Audit Log Review and Analysis Process",5
18,"Weak Password Policies Leading to Account Compromise","4.7 - Enforce Account Password Requirements",9
18,"Weak Password Policies Leading to Account Compromise","4.8 - Enforce Multi-Factor Authentication for All Users",8
18,"Weak Password Policies Leading to Account Compromise","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",7
19,"Uncontrolled Use of Shadow IT","3.6 - Establish and Maintain an Inventory of Non-Enterprise Assets",8
19,"Uncontrolled Use of Shadow IT","2.1 - Establish and Maintain an Inventory of Authorized Software",7
19,"Uncontrolled Use of Shadow IT","13.1 - Establish and Maintain a Security Awareness Program",6
20,"Insider Trading Based on Stolen Information","4.3 - Manage Privileged Access",9
20,"Insider Trading Based on Stolen Information","7.3 - Implement Data Loss Prevention (DLP)",7
20,"Insider Trading Based on Stolen Information","14.5 - Establish and Maintain an Audit Log Review and Analysis Process",8
21,"Loss of Key Personnel with Critical Security Knowledge","16.4 - Establish and Maintain a Role-Based Security Training Program",7
21,"Loss of Key Personnel with Critical Security Knowledge","16.5 - Conduct Skills Gap Assessments",6
21,"Loss of Key Personnel with Critical Security Knowledge","1.3 - Establish and Maintain Enterprise Agreements",5
22,"Natural Disaster Impacting Data Centers","17.3 - Plan and Implement Environmental Protections",9
22,"Natural Disaster Impacting Data Centers","20.1 - Establish and Maintain a Business Continuity Plan",10
22,"Natural Disaster Impacting Data Centers","10.9 - Perform Off-Site Backups",8
23,"Industrial Control System (ICS) Compromise","5.6 - Securely Configure Industrial Control Systems (ICS)",10
23,"Industrial Control System (ICS) Compromise","6.6 - Implement and Manage Network Segmentation for ICS",9
23,"Industrial Control System (ICS) Compromise","9.2 - Deploy and Maintain Anti-Malware Software",7
24,"Misconfiguration of Network Devices","6.1 - Establish and Maintain a Baseline Configuration of Network Devices",9
24,"Misconfiguration of Network Devices","6.4 - Implement and Manage Network Infrastructure Device Hardening",8
24,"Misconfiguration of Network Devices","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
25,"Lack of Regular Security Audits","1.5 - Conduct Periodic Security Risk Assessments",9
25,"Lack of Regular Security Audits","14.7 - Conduct Security Controls Testing and Validation",8
25,"Lack of Regular Security Audits","18.1 - Establish and Maintain a Penetration Testing Program",7
26,"AI/ML System Bias Leading to Unfair Outcomes","1.2 - Establish and Maintain Enterprise Security Policies",6
26,"AI/ML System Bias Leading to Unfair Outcomes","7.1 - Establish and Maintain a Data Management Process",7
26,"AI/ML System Bias Leading to Unfair Outcomes","15.4 - Establish and Maintain a Security Architecture",5
27,"IoT Device Vulnerabilities Exploited","3.5 - Manage Enterprise Assets Connected to the Enterprise Network Remotely",8
27,"IoT Device Vulnerabilities Exploited","5.3 - Securely Configure Enterprise Assets and Software",7
27,"IoT Device Vulnerabilities Exploited","9.2 - Deploy and Maintain Anti-Malware Software",6
28,"Geopolitical Risks Impacting Cybersecurity","1.4 - Establish and Maintain a Threat Intelligence Program",9
28,"Geopolitical Risks Impacting Cybersecurity","19.1 - Establish and Maintain an Incident Response Plan",7
28,"Geopolitical Risks Impacting Cybersecurity","13.1 - Establish and Maintain a Security Awareness Program",6
29,"Unsecured Code in Custom Applications","2.2 - Utilize Standard Security Configurations for Enterprise Software and Hardware",7
29,"Unsecured Code in Custom Applications","8.4 - Perform Application Security Testing",9
29,"Unsecured Code in Custom Applications","12.1 - Establish and Maintain a Software Development Life Cycle (SDLC)",8
30,"Failure to Adequately Vet New Technologies","15.4 - Establish and Maintain a Security Architecture",7
30,"Failure to Adequately Vet New Technologies","1.5 - Conduct Periodic Security Risk Assessments",8
30,"Failure to Adequately Vet New Technologies","13.1 - Establish and Maintain a Security Awareness Program",6
31,"Social Engineering Attack Targeting Executives","16.2 - Train Workforce Members on Social Engineering Attacks",10
31,"Social Engineering Attack Targeting Executives","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",8
31,"Social Engineering Attack Targeting Executives","11.1 - Implement and Manage Email Protections",7
32,"Vulnerability in Open-Source Software Components","2.1 - Establish and Maintain an Inventory of Authorized Software",6
32,"Vulnerability in Open-Source Software Components","8.1 - Establish and Maintain a Vulnerability Management Process",9
32,"Vulnerability in Open-Source Software Components","8.2 - Remediate Vulnerabilities Based on Risk",8
33,"Cryptojacking on Enterprise Assets","9.2 - Deploy and Maintain Anti-Malware Software",9
33,"Cryptojacking on Enterprise Assets","5.3 - Securely Configure Enterprise Assets and Software",7
33,"Cryptojacking on Enterprise Assets","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
34,"Data Spillage in Cloud Environments","7.3 - Implement Data Loss Prevention (DLP)",8
34,"Data Spillage in Cloud Environments","5.4 - Securely Configure Cloud Infrastructure",7
34,"Data Spillage in Cloud Environments","12.5 - Enforce Encryption of Data-at-Rest",6
35,"Malicious Browser Extensions Compromising Users","9.1 - Establish and Maintain a Software Allow List",8
35,"Malicious Browser Extensions Compromising Users","16.1 - Conduct Security Awareness and Skills Training",7
35,"Malicious Browser Extensions Compromising Users","11.2 - Implement and Manage Web Browser Protections",9
36,"Domain Name System (DNS) Attacks","6.7 - Implement and Manage Domain Name System (DNS) Security",9
36,"Domain Name System (DNS) Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
36,"Domain Name System (DNS) Attacks","6.5 - Implement and Manage Distributed Denial of Service (DDoS) Mitigation Techniques",6
37,"Quantum Computing Breaking Encryption","12.7 - Plan and Implement Cryptographic Key Management",7
37,"Quantum Computing Breaking Encryption","15.4 - Establish and Maintain a Security Architecture",6
37,"Quantum Computing Breaking Encryption","1.4 - Establish and Maintain a Threat Intelligence Program",5
38,"Deepfake Technology Used for Fraud","16.2 - Train Workforce Members on Social Engineering Attacks",8
38,"Deepfake Technology Used for Fraud","11.1 - Implement and Manage Email Protections",7
38,"Deepfake Technology Used for Fraud","14.5 - Establish and Maintain an Audit Log Review and Analysis Process",6
39,"Misinformation Campaigns Damaging Reputation","13.1 - Establish and Maintain a Security Awareness Program",9
39,"Misinformation Campaigns Damaging Reputation","19.1 - Establish and Maintain an Incident Response Plan",7
39,"Misinformation Campaigns Damaging Reputation","1.4 - Establish and Maintain a Threat Intelligence Program",6
40,"Lack of a Formal Security Culture","13.1 - Establish and Maintain a Security Awareness Program",10
40,"Lack of a Formal Security Culture","16.1 - Conduct Security Awareness and Skills Training",9
40,"Lack of a Formal Security Culture","1.2 - Establish and Maintain Enterprise Security Policies",8
41,"Insufficient Physical Security at Remote Offices","17.1 - Implement Physical Access Controls",9
41,"Insufficient Physical Security at Remote Offices","17.2 - Monitor Physical Environment",8
41,"Insufficient Physical Security at Remote Offices","3.5 - Manage Enterprise Assets Connected to the Enterprise Network Remotely",6
42,"Compromise of Building Management Systems (BMS)","5.6 - Securely Configure Industrial Control Systems (ICS)",8
42,"Compromise of Building Management Systems (BMS)","6.6 - Implement and Manage Network Segmentation for ICS",7
42,"Compromise of Building Management Systems (BMS)","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
43,"Failure to Securely Dispose of Sensitive Data","7.4 - Securely Dispose of Assets",9
43,"Failure to Securely Dispose of Sensitive Data","3.3 - Manage Assets",7
43,"Failure to Securely Dispose of Sensitive Data","1.2 - Establish and Maintain Enterprise Security Policies",6
44,"Man-in-the-Middle (MitM) Attacks","6.2 - Establish and Maintain a Baseline Configuration of Endpoints",7
44,"Man-in-the-Middle (MitM) Attacks","12.6 - Enforce Encryption of Data-in-Transit",9
44,"Man-in-the-Middle (MitM) Attacks","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",8
45,"Session Hijacking","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",8
45,"Session Hijacking","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",9
45,"Session Hijacking","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
46,"Cross-Site Scripting (XSS) Attacks","8.4 - Perform Application Security Testing",9
46,"Cross-Site Scripting (XSS) Attacks","12.2 - Secure Software via Secure Coding Practices",8
46,"Cross-Site Scripting (XSS) Attacks","6.2 - Establish and Maintain a Baseline Configuration of Endpoints",6
47,"SQL Injection Attacks","8.4 - Perform Application Security Testing",10
47,"SQL Injection Attacks","12.2 - Secure Software via Secure Coding Practices",9
47,"SQL Injection Attacks","6.2 - Establish and Maintain a Baseline Configuration of Endpoints",7
48,"Zero-Day Exploits","8.1 - Establish and Maintain a Vulnerability Management Process",7
48,"Zero-Day Exploits","9.2 - Deploy and Maintain Anti-Malware Software",8
48,"Zero-Day Exploits","6.3 - Implement and Manage Network Segmentation",6
49,"Rogue Access Points on the Network","6.1 - Establish and Maintain a Baseline Configuration of Network Devices",8
49,"Rogue Access Points on the Network","6.3 - Implement and Manage Network Segmentation",7
49,"Rogue Access Points on the Network","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
50,"Wireless Network Attacks","6.8 - Secure Wireless Access Points",9
50,"Wireless Network Attacks","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",7
50,"Wireless Network Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
51,"Stolen Credentials","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",9
51,"Stolen Credentials","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",10
51,"Stolen Credentials","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
52,"Unsecured Public Wi-Fi Usage","16.1 - Conduct Security Awareness and Skills Training",7
52,"Unsecured Public Wi-Fi Usage","12.6 - Enforce Encryption of Data-in-Transit",8
52,"Unsecured Public Wi-Fi Usage","4.9 - Manage Access to Enterprise Applications",6
53,"Vishing Attacks","16.2 - Train Workforce Members on Social Engineering Attacks",9
53,"Vishing Attacks","13.1 - Establish and Maintain a Security Awareness Program",8
53,"Vishing Attacks","11.1 - Implement and Manage Email Protections",5
54,"Smishing Attacks","16.2 - Train Workforce Members on Social Engineering Attacks",9
54,"Smishing Attacks","13.1 - Establish and Maintain a Security Awareness Program",8
54,"Smishing Attacks","11.3 - Implement and Manage Endpoint Protections",6
55,"Watering Hole Attacks","11.2 - Implement and Manage Web Browser Protections",8
55,"Watering Hole Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
55,"Watering Hole Attacks","1.4 - Establish and Maintain a Threat Intelligence Program",6
56,"Typosquatting Attacks","11.1 - Implement and Manage Email Protections",7
56,"Typosquatting Attacks","13.1 - Establish and Maintain a Security Awareness Program",8
56,"Typosquatting Attacks","1.4 - Establish and Maintain a Threat Intelligence Program",6
57,"Malvertising","11.2 - Implement and Manage Web Browser Protections",9
57,"Malvertising","9.2 - Deploy and Maintain Anti-Malware Software",7
57,"Malvertising","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
58,"Fileless Malware Attacks","9.2 - Deploy and Maintain Anti-Malware Software",8
58,"Fileless Malware Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
58,"Fileless Malware Attacks","11.3 - Implement and Manage Endpoint Protections",6
59,"Advanced Persistent Threats (APTs)","1.4 - Establish and Maintain a Threat Intelligence Program",9
59,"Advanced Persistent Threats (APTs)","14.1 - Establish and Maintain a Security Logging and Monitoring Process",8
59,"Advanced Persistent Threats (APTs)","18.1 - Establish and Maintain a Penetration Testing Program",7
60,"Remote Code Execution (RCE) Vulnerabilities","8.2 - Remediate Vulnerabilities Based on Risk",10
60,"Remote Code Execution (RCE) Vulnerabilities","8.3 - Verify Application of Security Patches",9
60,"Remote Code Execution (RCE) Vulnerabilities","6.4 - Implement and Manage Network Infrastructure Device Hardening",7
61,"Formjacking Attacks","12.2 - Secure Software via Secure Coding Practices",8
61,"Formjacking Attacks","11.2 - Implement and Manage Web Browser Protections",7
61,"Formjacking Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
62,"SIM Swapping Attacks","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",9
62,"SIM Swapping Attacks","16.1 - Conduct Security Awareness and Skills Training",7
62,"SIM Swapping Attacks","1.3 - Establish and Maintain Enterprise Agreements",6
63,"Unsecured Database Configurations","5.3 - Securely Configure Enterprise Assets and Software",9
63,"Unsecured Database Configurations","7.1 - Establish and Maintain a Data Management Process",8
63,"Unsecured Database Configurations","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
64,"API Sprawl and Lack of API Governance","12.1 - Establish and Maintain a Software Development Life Cycle (SDLC)",8
64,"API Sprawl and Lack of API Governance","6.2 - Establish and Maintain a Baseline Configuration of Endpoints",7
64,"API Sprawl and Lack of API Governance","15.4 - Establish and Maintain a Security Architecture",6
65,"Insecure Default Configurations","5.1 - Establish and Maintain a Secure Configuration Process",9
65,"Insecure Default Configurations","5.3 - Securely Configure Enterprise Assets and Software",8
65,"Insecure Default Configurations","6.1 - Establish and Maintain a Baseline Configuration of Network Devices",7
66,"Insufficient Data Encryption","12.5 - Enforce Encryption of Data-at-Rest",10
66,"Insufficient Data Encryption","12.6 - Enforce Encryption of Data-in-Transit",9
66,"Insufficient Data Encryption","7.2 - Implement and Enforce Data Retention",6
67,"Legacy Systems with Known Vulnerabilities","3.3 - Manage Assets",7
67,"Legacy Systems with Known Vulnerabilities","8.2 - Remediate Vulnerabilities Based on Risk",9
67,"Legacy Systems with Known Vulnerabilities","6.3 - Implement and Manage Network Segmentation",8
68,"Poorly Implemented Patch Management","8.2 - Remediate Vulnerabilities Based on Risk",10
68,"Poorly Implemented Patch Management","8.3 - Verify Application of Security Patches",9
68,"Poorly Implemented Patch Management","3.2 - Utilize an Automated Asset Discovery Tool",6
69,"Unsecured Configuration Management Practices","5.1 - Establish and Maintain a Secure Configuration Process",9
69,"Unsecured Configuration Management Practices","5.3 - Securely Configure Enterprise Assets and Software",8
69,"Unsecured Configuration Management Practices","6.1 - Establish and Maintain a Baseline Configuration of Network Devices",7
70,"Lack of Network Segmentation","6.3 - Implement and Manage Network Segmentation",10
70,"Lack of Network Segmentation","6.1 - Establish and Maintain a Baseline Configuration of Network Devices",7
70,"Lack of Network Segmentation","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
71,"Compromised Software Update Mechanisms","8.3 - Verify Application of Security Patches",8
71,"Compromised Software Update Mechanisms","9.2 - Deploy and Maintain Anti-Malware Software",7
71,"Compromised Software Update Mechanisms","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
72,"Weaknesses in Cloud Identity and Access Management","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",9
72,"Weaknesses in Cloud Identity and Access Management","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",8
72,"Weaknesses in Cloud Identity and Access Management","5.4 - Securely Configure Cloud Infrastructure",7
73,"Insufficient Security Logging and Monitoring","14.1 - Establish and Maintain a Security Logging and Monitoring Process",10
73,"Insufficient Security Logging and Monitoring","14.2 - Integrate Threat Intelligence into Security Monitoring",8
73,"Insufficient Security Logging and Monitoring","14.3 - Establish and Maintain Alerting and Escalation Processes",7
74,"Lack of an Effective Incident Response Plan","19.1 - Establish and Maintain an Incident Response Plan",10
74,"Lack of an Effective Incident Response Plan","19.2 - Establish and Maintain an Incident Response Team",9
74,"Lack of an Effective Incident Response Plan","19.3 - Develop and Conduct Incident Response Exercises",8
75,"Poor Data Backup and Recovery Procedures","10.8 - Perform and Test Data Backups",10
75,"Poor Data Backup and Recovery Procedures","10.9 - Perform Off-Site Backups",9
75,"Poor Data Backup and Recovery Procedures","10.10 - Securely Store Backups",8
76,"Insufficient Security Awareness Training for Employees","16.1 - Conduct Security Awareness and Skills Training",10
76,"Insufficient Security Awareness Training for Employees","16.2 - Train Workforce Members on Social Engineering Attacks",9
76,"Insufficient Security Awareness Training for Employees","13.1 - Establish and Maintain a Security Awareness Program",8
77,"Lack of a Formal Risk Management Program","1.5 - Conduct Periodic Security Risk Assessments",10
77,"Lack of a Formal Risk Management Program","1.1 - Establish and Maintain Enterprise Governance",9
77,"Lack of a Formal Risk Management Program","1.2 - Establish and Maintain Enterprise Security Policies",8
78,"Inadequate Third-Party Risk Management","13.5 - Manage Supplier Access",9
78,"Inadequate Third-Party Risk Management","13.6 - Monitor Supplier Security",8
78,"Inadequate Third-Party Risk Management","4.6 - Manage External Accounts",7
79,"Failure to Enforce Least Privilege","4.3 - Manage Privileged Access",10
79,"Failure to Enforce Least Privilege","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",8
79,"Failure to Enforce Least Privilege","4.4 - Manage Service Accounts",7
80,"Unsecured Remote Access Solutions","4.9 - Manage Access to Enterprise Applications",9
80,"Unsecured Remote Access Solutions","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",8
80,"Unsecured Remote Access Solutions","12.6 - Enforce Encryption of Data-in-Transit",7
81,"Insufficient Protection of Critical Infrastructure","17.1 - Implement Physical Access Controls",8
81,"Insufficient Protection of Critical Infrastructure","6.3 - Implement and Manage Network Segmentation",7
81,"Insufficient Protection of Critical Infrastructure","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
82,"Lack of Data Loss Prevention (DLP) Measures","7.3 - Implement Data Loss Prevention (DLP)",10
82,"Lack of Data Loss Prevention (DLP) Measures","3.4 - Manage Sensitive Assets",8
82,"Lack of Data Loss Prevention (DLP) Measures","14.5 - Establish and Maintain an Audit Log Review and Analysis Process",7
83,"Ineffective Vulnerability Scanning Practices","8.1 - Establish and Maintain a Vulnerability Management Process",9
83,"Ineffective Vulnerability Scanning Practices","8.2 - Remediate Vulnerabilities Based on Risk",8
83,"Ineffective Vulnerability Scanning Practices","3.2 - Utilize an Automated Asset Discovery Tool",7
84,"Poorly Defined Security Roles and Responsibilities","1.2 - Establish and Maintain Enterprise Security Policies",8
84,"Poorly Defined Security Roles and Responsibilities","1.3 - Establish and Maintain Enterprise Agreements",7
84,"Poorly Defined Security Roles and Responsibilities","16.4 - Establish and Maintain a Role-Based Security Training Program",6
85,"Lack of a Formal Change Management Process","5.2 - Implement and Manage a Change Management Process",9
85,"Lack of a Formal Change Management Process","5.3 - Securely Configure Enterprise Assets and Software",7
85,"Lack of a Formal Change Management Process","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
86,"Insufficient Security Architecture and Design","15.4 - Establish and Maintain a Security Architecture",10
86,"Insufficient Security Architecture and Design","6.3 - Implement and Manage Network Segmentation",8
86,"Insufficient Security Architecture and Design","12.1 - Establish and Maintain a Software Development Life Cycle (SDLC)",7
87,"Failure to Secure Containerized Environments","5.7 - Securely Configure Containers",9
87,"Failure to Secure Containerized Environments","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",7
87,"Failure to Secure Containerized Environments","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
88,"Inadequate Protection of API Keys and Secrets","12.3 - Manage Credentials",9
88,"Inadequate Protection of API Keys and Secrets","12.5 - Enforce Encryption of Data-at-Rest",7
88,"Inadequate Protection of API Keys and Secrets","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
89,"Lack of a Formal Security Assessment Process for New Projects","1.5 - Conduct Periodic Security Risk Assessments",8
89,"Lack of a Formal Security Assessment Process for New Projects","15.4 - Establish and Maintain a Security Architecture",7
89,"Lack of a Formal Security Assessment Process for New Projects","12.1 - Establish and Maintain a Software Development Life Cycle (SDLC)",6
90,"Insufficient Budget Allocation for Cybersecurity","1.1 - Establish and Maintain Enterprise Governance",9
90,"Insufficient Budget Allocation for Cybersecurity","1.2 - Establish and Maintain Enterprise Security Policies",8
90,"Insufficient Budget Allocation for Cybersecurity","1.5 - Conduct Periodic Security Risk Assessments",7
91,"Lack of Executive Support for Security Initiatives","1.1 - Establish and Maintain Enterprise Governance",10
91,"Lack of Executive Support for Security Initiatives","1.2 - Establish and Maintain Enterprise Security Policies",9
91,"Lack of Executive Support for Security Initiatives","13.1 - Establish and Maintain a Security Awareness Program",7
92,"Mergers and Acquisitions Leading to Security Integration Challenges","1.3 - Establish and Maintain Enterprise Agreements",8
92,"Mergers and Acquisitions Leading to Security Integration Challenges","15.4 - Establish and Maintain a Security Architecture",7
92,"Mergers and Acquisitions Leading to Security Integration Challenges","3.1 - Establish and Maintain Inventory of Enterprise Assets",6
93,"Decentralized Security Management Leading to Inconsistencies","1.1 - Establish and Maintain Enterprise Governance",8
93,"Decentralized Security Management Leading to Inconsistencies","1.2 - Establish and Maintain Enterprise Security Policies",7
93,"Decentralized Security Management Leading to Inconsistencies","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",6
94,"Rapid Cloud Adoption Without Adequate Security Controls","5.4 - Securely Configure Cloud Infrastructure",9
94,"Rapid Cloud Adoption Without Adequate Security Controls","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",8
94,"Rapid Cloud Adoption Without Adequate Security Controls","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
95,"Increased Use of Personal Devices for Work (BYOD)","3.5 - Manage Enterprise Assets Connected to the Enterprise Network Remotely",8
95,"Increased Use of Personal Devices for Work (BYOD)","4.5 - Manage Mobile Devices",7
95,"Increased Use of Personal Devices for Work (BYOD)","12.5 - Enforce Encryption of Data-at-Rest",6
96,"Growing Attack Surface Due to Digital Transformation","3.1 - Establish and Maintain Inventory of Enterprise Assets",7
96,"Growing Attack Surface Due to Digital Transformation","15.4 - Establish and Maintain a Security Architecture",8
96,"Growing Attack Surface Due to Digital Transformation","8.1 - Establish and Maintain a Vulnerability Management Process",6
97,"Talent Shortage in Cybersecurity","16.3 - Establish and Maintain a Security Skills Development Program",9
97,"Talent Shortage in Cybersecurity","16.5 - Conduct Skills Gap Assessments",8
97,"Talent Shortage in Cybersecurity","1.3 - Establish and Maintain Enterprise Agreements",5
98,"Increased Regulatory Scrutiny and Complexity","1.1 - Establish and Maintain Enterprise Governance",9
98,"Increased Regulatory Scrutiny and Complexity","1.2 - Establish and Maintain Enterprise Security Policies",8
98,"Increased Regulatory Scrutiny and Complexity","3.4 - Manage Sensitive Assets",7
99,"Evolving Threat Landscape","1.4 - Establish and Maintain a Threat Intelligence Program",10
99,"Evolving Threat Landscape","18.1 - Establish and Maintain a Penetration Testing Program",8
99,"Evolving Threat Landscape","13.1 - Establish and Maintain a Security Awareness Program",7
100,"Failure to Adapt Security Strategy to Business Changes","1.2 - Establish and Maintain Enterprise Security Policies",8
100,"Failure to Adapt Security Strategy to Business Changes","1.5 - Conduct Periodic Security Risk Assessments",9
100,"Failure to Adapt Security Strategy to Business Changes","15.4 - Establish and Maintain a Security Architecture",7
101,"Advanced Persistent Threats (APTs) Evading Existing Defenses","14.2 - Integrate Threat Intelligence into Security Monitoring",9
101,"Advanced Persistent Threats (APTs) Evading Existing Defenses","18.1 - Establish and Maintain a Penetration Testing Program",8
101,"Advanced Persistent Threats (APTs) Evading Existing Defenses","9.3 - Implement and Manage Endpoint Detection and Response (EDR)",8
102,"Zero-Day Exploits Targeting Unpatched Applications","8.2 - Remediate Vulnerabilities Based on Risk",9
102,"Zero-Day Exploits Targeting Unpatched Applications","6.3 - Implement and Manage Network Segmentation",7
102,"Zero-Day Exploits Targeting Unpatched Applications","9.3 - Implement and Manage Endpoint Detection and Response (EDR)",7
103,"Sophisticated Phishing Campaigns Bypassing Email Security","11.1 - Implement and Manage Email Protections",8
103,"Sophisticated Phishing Campaigns Bypassing Email Security","16.2 - Train Workforce Members on Social Engineering Attacks",9
103,"Sophisticated Phishing Campaigns Bypassing Email Security","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",7
104,"Malware Delivered Through Supply Chain Compromise","13.3 - Implement and Manage Secure Software Supply Chain Practices",9
104,"Malware Delivered Through Supply Chain Compromise","9.2 - Deploy and Maintain Anti-Malware Software",7
104,"Malware Delivered Through Supply Chain Compromise","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
105,"Ransomware Targeting Backup Infrastructure","10.8 - Perform and Test Data Backups",8
105,"Ransomware Targeting Backup Infrastructure","10.10 - Securely Store Backups",9
105,"Ransomware Targeting Backup Infrastructure","6.3 - Implement and Manage Network Segmentation",7
106,"Data Exfiltration Through DNS Tunneling","6.7 - Implement and Manage Domain Name System (DNS) Security",9
106,"Data Exfiltration Through DNS Tunneling","14.1 - Establish and Maintain a Security Logging and Monitoring Process",8
106,"Data Exfiltration Through DNS Tunneling","7.3 - Implement Data Loss Prevention (DLP)",7
107,"Compromise of Cloud Service Provider Credentials","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",8
107,"Compromise of Cloud Service Provider Credentials","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",9
107,"Compromise of Cloud Service Provider Credentials","5.4 - Securely Configure Cloud Infrastructure",7
108,"Lateral Movement within the Network Post-Breach","6.3 - Implement and Manage Network Segmentation",10
108,"Lateral Movement within the Network Post-Breach","14.1 - Establish and Maintain a Security Logging and Monitoring Process",8
108,"Lateral Movement within the Network Post-Breach","9.3 - Implement and Manage Endpoint Detection and Response (EDR)",7
109,"Exploitation of Unsecured APIs","6.2 - Establish and Maintain a Baseline Configuration of Endpoints",7
109,"Exploitation of Unsecured APIs","12.4 - Implement and Manage Security for Software Applications",9
109,"Exploitation of Unsecured APIs","18.1 - Establish and Maintain a Penetration Testing Program",8
110,"Credential Stuffing Attacks Against Web Applications","4.7 - Enforce Account Password Requirements",7
110,"Credential Stuffing Attacks Against Web Applications","4.8 - Enforce Multi-Factor Authentication for All Users",9
110,"Credential Stuffing Attacks Against Web Applications","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
111,"Brute-Force Attacks Targeting Cloud Services","4.7 - Enforce Account Password Requirements",8
111,"Brute-Force Attacks Targeting Cloud Services","4.8 - Enforce Multi-Factor Authentication for All Users",9
111,"Brute-Force Attacks Targeting Cloud Services","5.4 - Securely Configure Cloud Infrastructure",7
112,"Cryptojacking Exploiting Web Browser Vulnerabilities","11.2 - Implement and Manage Web Browser Protections",9
112,"Cryptojacking Exploiting Web Browser Vulnerabilities","9.2 - Deploy and Maintain Anti-Malware Software",7
112,"Cryptojacking Exploiting Web Browser Vulnerabilities","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
113,"Business Logic Flaws in Applications Leading to Data Breach","12.4 - Implement and Manage Security for Software Applications",9
113,"Business Logic Flaws in Applications Leading to Data Breach","8.4 - Perform Application Security Testing",8
113,"Business Logic Flaws in Applications Leading to Data Breach","7.1 - Establish and Maintain a Data Management Process",7
114,"Malicious Insiders Exfiltrating Data Using Approved Tools","4.3 - Manage Privileged Access",8
114,"Malicious Insiders Exfiltrating Data Using Approved Tools","7.3 - Implement Data Loss Prevention (DLP)",9
114,"Malicious Insiders Exfiltrating Data Using Approved Tools","14.5 - Establish and Maintain an Audit Log Review and Analysis Process",7
115,"Rogue or Shadow IT Devices on the Network","3.6 - Establish and Maintain an Inventory of Non-Enterprise Assets",9
115,"Rogue or Shadow IT Devices on the Network","6.3 - Implement and Manage Network Segmentation",7
115,"Rogue or Shadow IT Devices on the Network","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
116,"Compromise of CI/CD Pipelines Leading to Malicious Code Injection","12.1 - Establish and Maintain a Software Development Life Cycle (SDLC)",9
116,"Compromise of CI/CD Pipelines Leading to Malicious Code Injection","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",8
116,"Compromise of CI/CD Pipelines Leading to Malicious Code Injection","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
117,"Insecurely Configured Cloud Storage Buckets","5.4 - Securely Configure Cloud Infrastructure",10
117,"Insecurely Configured Cloud Storage Buckets","7.1 - Establish and Maintain a Data Management Process",8
117,"Insecurely Configured Cloud Storage Buckets","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
118,"Exploitation of Memory Corruption Vulnerabilities","8.2 - Remediate Vulnerabilities Based on Risk",9
118,"Exploitation of Memory Corruption Vulnerabilities","9.3 - Implement and Manage Endpoint Detection and Response (EDR)",8
118,"Exploitation of Memory Corruption Vulnerabilities","6.4 - Implement and Manage Network Infrastructure Device Hardening",7
119,"Data Breaches Due to Misconfigured Security Groups","5.4 - Securely Configure Cloud Infrastructure",9
119,"Data Breaches Due to Misconfigured Security Groups","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",8
119,"Data Breaches Due to Misconfigured Security Groups","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
120,"Use of Default or Weak Encryption Keys","12.7 - Plan and Implement Cryptographic Key Management",9
120,"Use of Default or Weak Encryption Keys","12.5 - Enforce Encryption of Data-at-Rest",8
120,"Use of Default or Weak Encryption Keys","12.6 - Enforce Encryption of Data-in-Transit",7
121,"Vulnerabilities in Third-Party Libraries and Dependencies","8.1 - Establish and Maintain a Vulnerability Management Process",8
121,"Vulnerabilities in Third-Party Libraries and Dependencies","12.1 - Establish and Maintain a Software Development Life Cycle (SDLC)",9
121,"Vulnerabilities in Third-Party Libraries and Dependencies","2.1 - Establish and Maintain an Inventory of Authorized Software",7
122,"Targeted Attacks on Operational Technology (OT) Systems","5.6 - Securely Configure Industrial Control Systems (ICS)",9
122,"Targeted Attacks on Operational Technology (OT) Systems","6.6 - Implement and Manage Network Segmentation for ICS",10
122,"Targeted Attacks on Operational Technology (OT) Systems","14.1 - Establish and Maintain a Security Logging and Monitoring Process",8
123,"Data Aggregation from Multiple Sources Leading to Privacy Violations","7.1 - Establish and Maintain a Data Management Process",8
123,"Data Aggregation from Multiple Sources Leading to Privacy Violations","3.4 - Manage Sensitive Assets",9
123,"Data Aggregation from Multiple Sources Leading to Privacy Violations","1.2 - Establish and Maintain Enterprise Security Policies",7
124,"AI Poisoning Attacks Manipulating Machine Learning Models","15.4 - Establish and Maintain a Security Architecture",8
124,"AI Poisoning Attacks Manipulating Machine Learning Models","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
124,"AI Poisoning Attacks Manipulating Machine Learning Models","1.4 - Establish and Maintain a Threat Intelligence Program",6
125,"Quantum Computing Attacks Breaking Current Encryption","12.7 - Plan and Implement Cryptographic Key Management",9
125,"Quantum Computing Attacks Breaking Current Encryption","15.4 - Establish and Maintain a Security Architecture",7
125,"Quantum Computing Attacks Breaking Current Encryption","1.4 - Establish and Maintain a Threat Intelligence Program",6
126,"Deepfake Technology Used for Social Engineering","16.2 - Train Workforce Members on Social Engineering Attacks",9
126,"Deepfake Technology Used for Social Engineering","11.1 - Implement and Manage Email Protections",7
126,"Deepfake Technology Used for Social Engineering","13.1 - Establish and Maintain a Security Awareness Program",6
127,"Blockchain Vulnerabilities Leading to Financial Loss","12.4 - Implement and Manage Security for Software Applications",8
127,"Blockchain Vulnerabilities Leading to Financial Loss","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",7
127,"Blockchain Vulnerabilities Leading to Financial Loss","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
128,"Serverless Function Vulnerabilities","5.4 - Securely Configure Cloud Infrastructure",8
128,"Serverless Function Vulnerabilities","12.4 - Implement and Manage Security for Software Applications",7
128,"Serverless Function Vulnerabilities","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
129,"Insider Threats Leveraging Data in Motion","7.3 - Implement Data Loss Prevention (DLP)",8
129,"Insider Threats Leveraging Data in Motion","12.6 - Enforce Encryption of Data-in-Transit",7
129,"Insider Threats Leveraging Data in Motion","14.5 - Establish and Maintain an Audit Log Review and Analysis Process",6
130,"Compromise of Hardware Supply Chain (Hardware Implants)","13.4 - Implement and Manage Secure Hardware Supply Chain Practices",9
130,"Compromise of Hardware Supply Chain (Hardware Implants)","3.1 - Establish and Maintain Inventory of Enterprise Assets",7
130,"Compromise of Hardware Supply Chain (Hardware Implants)","18.1 - Establish and Maintain a Penetration Testing Program",6
131,"Formjacking Attacks Stealing Payment Card Data","12.4 - Implement and Manage Security for Software Applications",9
131,"Formjacking Attacks Stealing Payment Card Data","11.2 - Implement and Manage Web Browser Protections",7
131,"Formjacking Attacks Stealing Payment Card Data","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
132,"SIM Swapping Leading to Account Takeover","4.2 - Implement and Manage Multi-Factor Authentication for Enterprise Accounts",9
132,"SIM Swapping Leading to Account Takeover","16.1 - Conduct Security Awareness and Skills Training",7
132,"SIM Swapping Leading to Account Takeover","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",6
133,"Attacks Targeting APIs of Third-Party Services","6.2 - Establish and Maintain a Baseline Configuration of Endpoints",7
133,"Attacks Targeting APIs of Third-Party Services","12.4 - Implement and Manage Security for Software Applications",8
133,"Attacks Targeting APIs of Third-Party Services","13.6 - Monitor Supplier Security",7
134,"Insufficient Segmentation of Cloud Workloads","5.4 - Securely Configure Cloud Infrastructure",9
134,"Insufficient Segmentation of Cloud Workloads","6.3 - Implement and Manage Network Segmentation",8
134,"Insufficient Segmentation of Cloud Workloads","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",7
135,"Compromise of Managed Service Provider (MSP) Infrastructure","4.6 - Manage External Accounts",8
135,"Compromise of Managed Service Provider (MSP) Infrastructure","13.5 - Manage Supplier Access",9
135,"Compromise of Managed Service Provider (MSP) Infrastructure","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
136,"Abuse of Stored Cross-Site Scripting (XSS) Vulnerabilities","8.4 - Perform Application Security Testing",9
136,"Abuse of Stored Cross-Site Scripting (XSS) Vulnerabilities","12.2 - Secure Software via Secure Coding Practices",8
136,"Abuse of Stored Cross-Site Scripting (XSS) Vulnerabilities","6.2 - Establish and Maintain a Baseline Configuration of Endpoints",6
137,"Exploitation of Race Conditions in Applications","12.2 - Secure Software via Secure Coding Practices",8
137,"Exploitation of Race Conditions in Applications","8.4 - Perform Application Security Testing",7
137,"Exploitation of Race Conditions in Applications","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
138,"ARP Spoofing and Man-in-the-Middle Attacks on Local Networks","6.4 - Implement and Manage Network Infrastructure Device Hardening",8
138,"ARP Spoofing and Man-in-the-Middle Attacks on Local Networks","6.3 - Implement and Manage Network Segmentation",7
138,"ARP Spoofing and Man-in-the-Middle Attacks on Local Networks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
139,"DNS Spoofing and Cache Poisoning Attacks","6.7 - Implement and Manage Domain Name System (DNS) Security",9
139,"DNS Spoofing and Cache Poisoning Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
139,"DNS Spoofing and Cache Poisoning Attacks","11.2 - Implement and Manage Web Browser Protections",6
140,"Border Gateway Protocol (BGP) Hijacking","6.4 - Implement and Manage Network Infrastructure Device Hardening",8
140,"Border Gateway Protocol (BGP) Hijacking","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
140,"Border Gateway Protocol (BGP) Hijacking","1.4 - Establish and Maintain a Threat Intelligence Program",6
141,"ICMP Flood Attacks","6.5 - Implement and Manage Distributed Denial of Service (DDoS) Mitigation Techniques",8
141,"ICMP Flood Attacks","6.4 - Implement and Manage Network Infrastructure Device Hardening",7
141,"ICMP Flood Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
142,"SYN Flood Attacks","6.5 - Implement and Manage Distributed Denial of Service (DDoS) Mitigation Techniques",9
142,"SYN Flood Attacks","6.4 - Implement and Manage Network Infrastructure Device Hardening",8
142,"SYN Flood Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
143,"Smurf Attacks","6.5 - Implement and Manage Distributed Denial of Service (DDoS) Mitigation Techniques",8
143,"Smurf Attacks","6.4 - Implement and Manage Network Infrastructure Device Hardening",7
143,"Smurf Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
144,"Fraggle Attacks","6.5 - Implement and Manage Distributed Denial of Service (DDoS) Mitigation Techniques",8
144,"Fraggle Attacks","6.4 - Implement and Manage Network Infrastructure Device Hardening",7
144,"Fraggle Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
145,"GTP Tunneling Exploits in Mobile Networks","6.4 - Implement and Manage Network Infrastructure Device Hardening",7
145,"GTP Tunneling Exploits in Mobile Networks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
145,"GTP Tunneling Exploits in Mobile Networks","1.4 - Establish and Maintain a Threat Intelligence Program",5
146,"SIP Flood Attacks Targeting VoIP Infrastructure","6.5 - Implement and Manage Distributed Denial of Service (DDoS) Mitigation Techniques",9
146,"SIP Flood Attacks Targeting VoIP Infrastructure","6.4 - Implement and Manage Network Infrastructure Device Hardening",7
146,"SIP Flood Attacks Targeting VoIP Infrastructure","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
147,"LLMNR/NBT-NS Poisoning","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",7
147,"LLMNR/NBT-NS Poisoning","6.3 - Implement and Manage Network Segmentation",8
147,"LLMNR/NBT-NS Poisoning","14.1 - Establish and Maintain a Security Logging and Monitoring Process",6
148,"Pass-the-Hash Attacks","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",9
148,"Pass-the-Hash Attacks","4.3 - Manage Privileged Access",8
148,"Pass-the-Hash Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
149,"Pass-the-Ticket and Kerberoasting Attacks","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",8
149,"Pass-the-Ticket and Kerberoasting Attacks","4.3 - Manage Privileged Access",9
149,"Pass-the-Ticket and Kerberoasting Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
150,"Golden SAML Attacks","4.1 - Establish and Maintain a Secure Access Control Policy and Procedures",9
150,"Golden SAML Attacks","4.3 - Manage Privileged Access",8
150,"Golden SAML Attacks","14.1 - Establish and Maintain a Security Logging and Monitoring Process",7
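Added example (not part of controls.csv or of the riskletpy tool): a small Python script that loads rows in this table's four-column layout, checks them (weight inside 0-10, safeguard cell shaped like "<control>.<n> - <title>", one description per risk number, no duplicate risk/safeguard pair) and sums the weights per safeguard so the controls that cover the most weighted risk rank first. The embedded sample rows are copied from risks 105 and 108 above; the function names and the scoring rule (a plain sum of weights) are this example's own choices, not the tool's.

```python
"""Load, validate and score a risk-to-safeguard weighting table."""
import csv
import io
import re
from collections import defaultdict

# Constructed sample in the same four-column layout as the table, copied from
# risks 105 and 108 above. Any CSV text with that header is handled the same way.
SAMPLE_CSV = """Risk #,Risk Description,CIS v8.1 Safeguards (Sub-Controls),Weight (0-10)
105,"Ransomware Targeting Backup Infrastructure","10.8 - Perform and Test Data Backups",8
105,"Ransomware Targeting Backup Infrastructure","10.10 - Securely Store Backups",9
105,"Ransomware Targeting Backup Infrastructure","6.3 - Implement and Manage Network Segmentation",7
108,"Lateral Movement within the Network Post-Breach","6.3 - Implement and Manage Network Segmentation",10
108,"Lateral Movement within the Network Post-Breach","14.1 - Establish and Maintain a Security Logging and Monitoring Process",8
108,"Lateral Movement within the Network Post-Breach","9.3 - Implement and Manage Endpoint Detection and Response (EDR)",7
"""

# A safeguard cell must look like "6.3 - Implement and Manage Network Segmentation".
SAFEGUARD_RE = re.compile(r"^(\d+\.\d+) - (.+)$")


def _to_int(text):
    """Return int(text), or the original string so validate() can flag it."""
    try:
        return int(text)
    except ValueError:
        return text


def load_rows(csv_text):
    """Parse the table into typed dicts; the header row is skipped."""
    reader = csv.reader(io.StringIO(csv_text))
    next(reader)  # header
    rows = []
    for record in reader:
        if not record:
            continue  # blank line
        if len(record) != 4:
            raise ValueError(f"line {reader.line_num}: expected 4 columns, got {len(record)}")
        risk, description, label, weight = (field.strip() for field in record)
        match = SAFEGUARD_RE.match(label)
        rows.append({
            "line": reader.line_num,
            "risk": _to_int(risk),
            "description": description,
            "label": label,
            "safeguard": match.group(1) if match else None,
            "title": match.group(2) if match else None,
            "weight": _to_int(weight),
        })
    return rows


def validate(rows):
    """Return human-readable problems; an empty list means the table is clean."""
    problems = []
    descriptions = {}
    seen_pairs = set()
    for r in rows:
        where = f"line {r['line']}"
        if not isinstance(r["risk"], int):
            problems.append(f"{where}: risk number {r['risk']!r} is not an integer")
        if not isinstance(r["weight"], int) or not 0 <= r["weight"] <= 10:
            problems.append(f"{where}: weight {r['weight']!r} is outside 0-10")
        if r["safeguard"] is None:
            problems.append(f"{where}: safeguard {r['label']!r} is not '<control>.<n> - <title>'")
        earlier = descriptions.setdefault(r["risk"], r["description"])
        if earlier != r["description"]:
            problems.append(f"{where}: risk {r['risk']} described as {r['description']!r}, earlier as {earlier!r}")
        pair = (r["risk"], r["safeguard"])
        if pair in seen_pairs:
            problems.append(f"{where}: duplicate mapping of safeguard {r['safeguard']} to risk {r['risk']}")
        seen_pairs.add(pair)
    return problems


def safeguard_scores(rows):
    """Per safeguard: how many risks it is mapped to and the summed weight."""
    scores = defaultdict(lambda: {"title": None, "risks": 0, "weight": 0})
    for r in rows:
        if r["safeguard"] is None or not isinstance(r["weight"], int):
            continue  # invalid rows are reported by validate(), not scored
        entry = scores[r["safeguard"]]
        entry["title"] = r["title"]
        entry["risks"] += 1
        entry["weight"] += r["weight"]
    return dict(scores)


def rank_safeguards(rows):
    """Safeguards ordered by summed weight (highest first), identifier as tie-break."""
    return sorted(safeguard_scores(rows).items(),
                  key=lambda item: (-item[1]["weight"], item[0]))


if __name__ == "__main__":
    table = load_rows(SAMPLE_CSV)
    for problem in validate(table):
        print("PROBLEM:", problem)
    for safeguard, entry in rank_safeguards(table):
        print(f"{safeguard:<6} weight={entry['weight']:>3} risks={entry['risks']}  {entry['title']}")
```

Two caveats when reading the ranking: a safeguard mapped to many low-weight risks can outrank one that is the single strongest control for a critical risk, so look at the "risks" count next to the summed weight; and the script only checks the shape of the safeguard label, not that its number and title agree with the published CIS v8.1 safeguard list, which is worth checking separately before the identifiers are relied on.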