Following our earlier coverage of the 2013 Data Breach Investigations Report (DBIR), Verizon has released a full resource centre of information and recommendations based on the report. As always, the point of these reports is to learn from the issues facing other organizations and turn them into actionable items for your own proactive security preparations.
This year, working with the Consortium for Cybersecurity Action (CCA), Verizon mapped the most common threat action varieties to the existing 20 Critical Security Controls for Effective Cyber Defense, a widely vetted and adopted list. The map, available on page 58 of the report, shows visually how threat actions (malware, etc.) can be reduced by adoption of the Critical Security Controls.
"In general, well-designed controls do not represent a one-to-one defense against individual types of attack, but are instead measures that provide value against multiple classes of attack.
Most organizations should implement all 20 of the Critical Security Controls to some level. In this report and others we have produced, you can find lists of the top threat actions for various industries and sizes of organizations. And because the full threat-to-control mappings are publicly available, anyone has the ability to produce their own set of “top-of-the-Top-20” controls to evaluate and use as they see fit."
Although there is no one-size-fits-all solution, these Critical Security Controls offer a good starting point in addressing the most critical threats first. In review, they include:
If you visit the SANS.org source for these tips, you can go into depth on how attackers exploit the absence of each of these controls and how you can implement, automate and measure the effectiveness of controls for each of these 20 areas. For more insight from the DBIR, including additional ways to mitigate risks, visit here.
Wondering what all those bolded sections in the above list mean? Quite simply, those are areas where Absolute Software can help. So, if you are looking for a company that can offer a number of interconnected ways to easily and simply add security controls, contact us to learn more.