
Implementing Critical Security Controls

By: Absolute Editorial Team | 12/8/2013

Following our earlier coverage of the 2013 Data Breach Investigations Report (DBIR), Verizon has released a full resource centre of information and recommendations based on the report. As always, the point of these reports is to learn from the issues facing other organizations in order to create actionable items that other organizations can use in proactive security preparations.

This year, working with the Consortium for Cybersecurity Action (CCA), they mapped the most common threat action varieties to the existing 20 Critical Security Controls for Effective Cyber Defense, a widely vetted and adopted list. The map, available on page 58 of the report, shows visually how threat actions (malware, etc.) can be reduced by adoption of the Critical Security Controls.

"In general, well-designed controls do not represent a one-to-one defense against individual types of attack, but are instead measures that provide value against multiple classes of attack.

Most organizations should implement all 20 of the Critical Security Controls to some level. In this report and others we have produced, you can find lists of the top threat actions for various industries and sizes of organizations. And because the full threat-to-control mappings are publicly available, anyone has the ability to produce their own set of "top-of-the-Top-20" controls to evaluate and use as they see fit."

Although there is no one-size-fits-all solution, these Critical Security Controls offer a good starting point in addressing the most critical threats first. In review, they include:

  1. Inventory of authorized and unauthorized devices using options such as asset tracking
  2. Inventory of authorized and unauthorized software using controls such as whitelisting and blacklisting for apps
  3. Secure configurations for hardware and software on laptops, workstations, and servers
  4. Continuous vulnerability assessment and remediation with controls such as automated patch management on all systems
  5. Malware defenses
  6. Application software security
  7. Wireless device control including controls so that only authorized devices access the network
  8. Data recovery capability
  9. Security skills assessment and appropriate training to fill gaps
  10. Secure configurations for network devices such as firewalls, routers, and switches including managing network devices and keeping device software up-to-date
  11. Limitations and control of network ports, protocols, and services
  12. Controlled use of administrative privileges
  13. Boundary defense including enterprise access to all devices remotely logging into the network, with remote control for their configuration, installed software and patch levels
  14. Maintenance, monitoring, and analysis of security audit logs
  15. Controlled access based on the need to know including logical access control and the use of DLP software
  16. Account monitoring and control
  17. Data loss prevention using DLP software
  18. Incident response and management
  19. Secure network engineering
  20. Penetration tests and red team exercises
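The report quoted above notes that anyone can derive their own "top-of-the-Top-20" from the public threat-to-control mappings. As an added example (not code from the article, Absolute Software or the DBIR), here is a small Python routine that ranks controls by how many observed threat actions they mitigate; the control names follow the list above, but the threat-to-control mapping and the incident counts are constructed for illustration and are not the CCA's published mapping or any report's data.

```python
"""Rank Critical Security Controls against an organisation's observed threat
actions, in the spirit of the DBIR/CCA "top-of-the-Top-20" idea.

Control names follow the CSC list; the mapping and counts below are
CONSTRUCTED for illustration, not the report's published data."""
from collections import defaultdict

CONTROLS = {
    1: "Inventory of authorized and unauthorized devices",
    2: "Inventory of authorized and unauthorized software",
    3: "Secure configurations for hardware and software",
    4: "Continuous vulnerability assessment and remediation",
    5: "Malware defenses",
    11: "Limitation and control of network ports, protocols, and services",
    12: "Controlled use of administrative privileges",
    13: "Boundary defense",
    14: "Maintenance, monitoring, and analysis of security audit logs",
    16: "Account monitoring and control",
    17: "Data loss prevention",
}

# Constructed mapping: threat action variety -> controls that reduce it.
THREAT_TO_CONTROLS = {
    "malware: backdoor": [5, 11, 13, 14],
    "malware: spyware/keylogger": [5, 2, 17],
    "hacking: use of stolen credentials": [16, 12, 14],
    "hacking: brute force": [16, 12, 13],
    "hacking: exploit vulnerability": [4, 3, 2],
    "physical: theft of laptop": [1, 17],
}

def rank_controls(threat_counts, mapping=THREAT_TO_CONTROLS):
    """Return [(control_id, score)] sorted by the frequency-weighted number of
    observed threat actions each control mitigates. Threat names missing from
    the mapping are ignored; ties break on the lower control number."""
    scores = defaultdict(int)
    for threat, count in threat_counts.items():
        for cid in mapping.get(threat, ()):
            scores[cid] += count
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))

def top_controls(threat_counts, n=5, mapping=THREAT_TO_CONTROLS):
    """The organisation's own 'top-of-the-Top-20': the n best-scoring controls."""
    return [cid for cid, _ in rank_controls(threat_counts, mapping)[:n]]

if __name__ == "__main__":
    # Constructed incident tally for a hypothetical organisation.
    observed = {"malware: backdoor": 40, "hacking: use of stolen credentials": 35,
                "hacking: brute force": 20, "physical: theft of laptop": 5}
    for cid, score in rank_controls(observed):
        print(f"CSC {cid:2d}  score={score:3d}  {CONTROLS[cid]}")
```

Swapping in the real mapping from the report and your own incident tallies gives a defensible priority order for the controls rather than an arbitrary one.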

If you visit the SANS.org source for these tips, you can go into depth on how attackers exploit the absence of each of these controls and how you can implement, automate and measure the effectiveness of controls for each of these 20 areas. For more insight from the DBIR, including additional ways to mitigate risks, visit here.

Wondering what all those bolded sections in the above list mean? Quite simply, those are areas where Absolute Software can help. So, if you are looking for a company that can offer a number of interconnected ways to easily and simply add security controls, contact us to learn more.