With this, our first newsletter for 2016, we are starting a series of relatively brief articles covering security controls.
There are a number of IT Security frameworks available that help organisations identify the sorts of things they should be doing to secure their IT infrastructure and data. One such framework is called the Center for Internet Security (CIS) Critical Security Controls.
Here is a link to a poster of the 2016 CIS Critical Security Controls.
Below is an extract from that release, describing the purpose and effectiveness of the controls:
“The CIS Controls are a recommended set of actions that provide specific ways to stop today’s most pervasive and dangerous cyber security attacks.
This free set of internationally recognized measures is developed, refined, and validated by a large international community of leading security experts. The CIS Critical Security Controls for Effective Cyber Defense Version 6.0 document the most important actions of cyber hygiene that every organization should implement to protect their information technology (IT) networks. A recent study by the Australian Government Department of Defense revealed 85% of known cybersecurity vulnerabilities can be stopped by deploying the Top 5 CIS Controls. This includes taking an inventory of IT assets, implementing secure configurations, patching vulnerabilities, and restricting unauthorized users.”
The top five of the Top 20 CIS Critical Security Controls are:
CSC 1: Inventory of Authorised and Unauthorised Devices
Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
CSC 2: Inventory of Authorised and Unauthorised Software
Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and unauthorized and unmanaged software is found and prevented from installation or execution.
[These first two controls can be summarised as “Know what you have.” – or “What am I trying to protect?”]
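What “inventory, track, and correct” looks like in practice for CSC 1 and CSC 2, as an added illustration that is not part of this newsletter, the CIS Controls, or the National Campaign for Cyber Hygiene: a snapshot of what is actually observed (here a constructed DHCP lease table and a constructed package listing) is reconciled against the authorised register, producing the three lists an administrator acts on. Every host, MAC address, package and version below is made up for the example; in a real deployment the observed side would come from DHCP leases, switch MAC tables, a discovery scan or a package manager, and the authorised side from an asset register or software allowlist.

```python
"""Reconcile what is actually on the network (or installed on a host) against
an authorised inventory, in the spirit of CSC 1 and CSC 2.

Added illustration for this newsletter; not code from SSS, CIS, or the
National Campaign for Cyber Hygiene. All inputs are constructed inline.
"""
import re
from dataclasses import dataclass


def normalise_mac(raw: str) -> str:
    """Canonicalise a MAC so '00-11-22-33-44-55', '001122334455' and
    '00:11:22:33:44:55' all compare equal. Raises ValueError on junk, so a
    malformed line fails loudly instead of silently passing as 'unknown'."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_leases(text: str) -> dict[str, str]:
    """Parse constructed 'ip mac hostname' lines into {mac: hostname}."""
    seen = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ip, mac, hostname = line.split()[:3]
        seen[normalise_mac(mac)] = hostname
    return seen


def parse_packages(text: str) -> dict[str, str]:
    """Parse constructed 'name<TAB>version' lines (dpkg-query -W style)."""
    installed = {}
    for line in text.splitlines():
        if line.strip():
            name, version = line.split("\t", 1)
            installed[name.strip()] = version.strip()
    return installed


@dataclass
class Report:
    unauthorised: dict   # present but not in the register: investigate / block
    missing: set         # registered but not seen: stale record or offline asset
    mismatched: dict     # key -> (expected, observed): drifted hostname or version


def reconcile(observed: dict[str, str], authorised: dict[str, str]) -> Report:
    """Three-way comparison that works for any keyed inventory."""
    unauthorised = {k: v for k, v in observed.items() if k not in authorised}
    missing = set(authorised) - set(observed)
    mismatched = {k: (authorised[k], v) for k, v in observed.items()
                  if k in authorised and authorised[k] != v}
    return Report(unauthorised, missing, mismatched)


# Constructed DHCP lease snapshot. Note the differing MAC formatting on the
# third data line and the unregistered Android device on the fourth.
OBSERVED_LEASES = """\
# ip         mac                hostname
10.0.1.10    00:11:22:33:44:55  fileserver01
10.0.1.11    00:11:22:33:44:56  alice-macbook
10.0.1.12    AA-BB-CC-DD-EE-01  ws-bob
10.0.1.13    de:ad:be:ef:00:01  android-7f3c
"""

# Constructed asset register: MAC -> expected hostname.
AUTHORISED_DEVICES = {
    "00:11:22:33:44:55": "fileserver01",
    "00:11:22:33:44:56": "ws-alice",   # register says ws-alice, lease says alice-macbook
    "aa:bb:cc:dd:ee:01": "ws-bob",
    "aa:bb:cc:dd:ee:02": "ws-carol",   # registered but not on the network today
}

# Constructed package listing and allowlist (name -> approved version).
OBSERVED_PACKAGES = "openssh-server\t1:8.9p1-3\nnginx\t1.22.0-1\nnmap\t7.91+dfsg1-1\n"
AUTHORISED_PACKAGES = {
    "openssh-server": "1:8.9p1-3",
    "nginx": "1.18.0-6",     # approved version differs from what is installed
    "auditd": "1:3.0.7-1",   # required but not installed
}


def device_report() -> Report:
    return reconcile(parse_leases(OBSERVED_LEASES), AUTHORISED_DEVICES)


def software_report() -> Report:
    return reconcile(parse_packages(OBSERVED_PACKAGES), AUTHORISED_PACKAGES)


if __name__ == "__main__":
    for label, report in (("devices", device_report()), ("software", software_report())):
        print(f"== {label} ==")
        print(" unauthorised:", report.unauthorised)
        print(" missing:     ", sorted(report.missing))
        print(" mismatched:  ", report.mismatched)
```

The same three-way comparison carries over to CSC 5: feed it the current members of the local Administrators or sudo group as the observed side and the approved administrator list as the authorised side, and the unauthorised set is the list of accounts to remove.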
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Establish, implement, and actively manage (track, report on, and correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
CSC 4: Continuous Vulnerability Assessment and Remediation
Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, and to remediate and minimize the window of opportunity for attackers.
CSC 5: Controlled Use of Administrative Privileges
Track, control, prevent, and correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
The National Campaign for Cyber Hygiene (from the US)
The National Campaign for Cyber Hygiene was developed to provide a plain-language, accessible, and low-cost foundation for implementation of the CIS Critical Security Controls. Although the Controls already simplify the daunting challenges of cyber defense by creating community priorities and action, many enterprises are starting from a very basic level of security.
The Campaign starts with a few basic questions that every corporate and government leader ought to be able to answer:
- Do we know what is connected to our systems and networks? (CSC 1)
- Do we know what software is running (or trying to run) on our systems and networks? (CSC 2)
- Are we continuously managing our systems using “known good” configurations? (CSC 3)
- Are we continuously looking for and managing “known bad” software? (CSC 4)
- Do we limit and track the people who have the administrative privileges to change, bypass, or over-ride our security settings? (CSC 5)
These questions, and the actions required to answer them, are represented in plain language by the Top 5 Priorities of the Campaign: “Count, Configure, Control, Patch, Repeat.”
Here at SSS we can help you with all of the above, combining expert help from our Security Consulting team with products from our Security Products division that automate various security practices and controls.
Contact us if you’d like to discuss how SSS can help your organisation implement appropriate security controls.