The rapidly growing number of cyberattacks in recent years has resulted in an ever-increasing need for better information security globally—for companies of all sectors. In response to the growth in cyberattacks, the SANS Institute developed the 20 Critical Security Controls (CSC), before transferring ownership of them to the Center for Internet Security (CIS) in 2015.
Undeniably, cyberattacks pose severe threats to all businesses. Furthermore, it is no longer acceptable to assume that your business is not valuable enough to attack. Indeed, attackers target vulnerable companies who have not invested in protection for their sensitive data with a robust information security framework.
So, what does the 20 Critical Security Controls list comprise? How can your business utilize the Controls list for better information security? More importantly, how does the list affect compliance and other factors in information security? We are going to answer these questions in this article.
One thing to note about the 20 CSC—also known as the CIS Controls—is that the Control guidelines are not intended to replace existing standards. Compliance standards like PCI DSS and HIPAA remain crucial for companies operating in specific industries. These cannot, and should not, be overlooked either.
What the following 20 Critical Security Controls do is to incorporate best practices from existing standards while taking into account the number and variety of cyberattacks seen in the last couple of decades. The 20 Controls are a more comprehensive framework, but it is not the only framework to use for maximum security.
Another important thing about the 20 Controls is the fact that it represents combined knowledge of different stakeholders, including that of US government agencies and digital forensics experts. As an information security framework, 20 CSC is highly comprehensive.
As the name suggests, the 20 Critical Security Controls will guide you through the items that require improved maintenance for an organization to achieve better information security levels. Use these 20 Controls as a starting point for thorough evaluation and security management:
This part of the control forces organizations to monitor and manage devices—hardware—on its network. Only identified and authorized devices should be permitted network access. Unauthorized devices, on the other hand, need to be removed from the system immediately.
There is a growing number of attacks that originate from network scans. Inventory of authorized and unauthorized devices makes protecting your business network easier. In most cases, critical identifiers like a MAC address are used to simplify the process further.
Hardware isn’t the only thing that needs monitoring. An inventory of authorized and unauthorized software within the company’s network is also essential. Make software whitelisting an integral part of maintaining network security.
The implementation of this monitoring process allows the business to protect itself from software vulnerabilities. By using a list of known vulnerable software, your business can prevent the install of malicious or insecure apps and software across the network.
The next element for improved security control is configuration. Once hardware and software are monitored, you need to shift your focus to configuring both hardware and software correctly. There are countless exploits that target config errors, and attacks from those exploits can be avoided with better configuration.
Vulnerabilities, bugs, and other issues make your attack surface larger as an organization. Updates and proper configuration of systems are effective enough to prevent the more basic attacks. At the very least, you are flushing unnecessary information security risks.
Information security is never a one-time thing. The attacks aren’t just growing in terms of numbers, but also in terms of variety and methods. The constant and continuous assessment helps organizations maintain maximum security and prevent more attacks.
New vulnerabilities get reported quite often these days. However, there is still a gap between when a vulnerability is reported and when it is actually patched. Continuous assessment and remediation allow you to remain protected during that gap.
The days of using a root account to perform system updates and make changes to a cloud environment are over. Today, administrative privileges need to be maintained meticulously. There is no room for all-access administrative accounts.
Unauthorized access to system configs or parts of the network—and the system—must be blocked immediately. At the same time, the assignment of administrative credentials needs to be maintained closely in order to avoid abuse of admin privileges.
Logging becomes an essential part of every information security system. By logging activities within a network or an IT ecosystem, an organization can maintain a strict chain of custody. Security logging, in particular, allows details about attackers or malicious activities to be uncovered easily.
Active logging and analysis of audit logs are crucial parts of the process. Logging also enables you to detect unauthorized access and sources of information leaks.
Secure email clients and web browsers are essential to the safety of your organization’s information. This is because both email and web browser are the outermost surface of attack in almost every instance. A lot of information can be collected by tampering with email and web browser.
Fortunately, there are ways to automate email and browser protection—we will get to this in a second. Raising awareness also helps with making sure that users know how to protect themselves.
We’re entering the region of active defense against cyberattacks, and the first component to add is malware defense. Malicious codes injected through different attack points can wreak havoc on a network. Constant monitoring and detection of malware are needed to prevent a catastrophe.
Anti-Virus alone is not enough. Anti-malware, dedicated anti-spyware, firewalls, and IPS functionality are all crucial in creating a comprehensive information security system.
Keeping all ports open is another thing that needs to be avoided. You want to be meticulous with the ports you open, how access to those ports is given, and the kind of services and protocols available to the public.
It is also a good idea to change some ports. Instead of using 3306 for MySQL, for instance, you can move the service to another port for better security. This way, attackers cannot simply guess the port number to perform an attack.
Data recovery is an important part of SANS Top 20 or the CIS Controls. Despite the multiple information security layers added to a network, the risk of data breach and damages is still present. Knowing how to recover from a catastrophic event is a crucial component.
The way Critical Security Controls address data recovery capability is by making backup routines—and maintaining multiple backups of mission-critical data—a must. It is a foundation on which you can build better network reliability.
Security configurations for the underlying network devices are also important. Network infrastructure devices must be seen as part of the organization’s attack surface, which means securing those devices is a crucial part of the information security process.
Attackers often exploit vulnerabilities found in access points and other network devices. These exploits put the entire network at risk when not patched or managed properly. Misconfiguration of network devices can result in the same security risk.
Boundary defense focuses more on the flow of information, particularly the flow of data to perimeter devices. It is not uncommon for devices—and users—in the same organization to have different trust levels. Proper control, combined with intrusion detection and prevention, will strengthen your ecosystem perimeter.
The risk of your information being taken—either through manual copying or information theft—is the next one to mitigate. Data encryption and better access management are the keys to improving data protection.
Simultaneously, steps need to be taken to minimize human error and maintain sufficient information security best practices. Both of these measures need to be deployed simultaneously.
In accordance with better data protection principles, managing access to information needs to be an integrated part of the process. File access is limited to only those accorded such privilege. A need-to-know approach will help reduce your organization’s attack surface by a substantial margin.
Wireless LANs or Wi-Fi networks are the next risks to tackle. With wireless devices offering maximum convenience, organizations often neglect the risk of implementing those devices in a more comprehensive way.
Wireless LANs don’t require physical connectivity, which means attackers can simply be in the vicinity when they begin their malicious activities, instead of having to connect directly to a terminal or an on-site device.
That brings us to the next control: access monitoring. The lifecycle of users and user accounts needs to be maintained just as closely. Old user accounts of employees can be exploited for malicious intent when they are not flushed from the system immediately.
Account control also involves reminding users to replace their passwords periodically. This helps minimize the risk of exploits utilizing old passwords to gain access to the organization’s network.
We’ve mentioned how human resources—users—are crucial to information security. The SANS Top 20 addresses this issue by making sure that members of organizations know how to strengthen security. Assessment is the first critical step in that process.
Regular training and the introduction of information security best practices allow everyone in the organization to be more involved in maintaining a high-security standard.
The lifecycle of user accounts isn’t the only one to manage. Management of software and solution lifecycles is also needed, especially since older software no longer receives patches and security updates. Keeping the entire organization up to date becomes even more rewarding as an investment.
Incidents will happen. How you handle those incidents and learn from them is what matters. The incident response needs to be solidified as a procedure rather than a reaction. Plans, persons in charge, and incident management as a whole helps the entire organization improve its information security by learning from incidents in an optimal way.
Incident management also helps the organization keeps track of the information security risks it faces. It provides crucial insights that help in the continuous improvement process.
Last but not least, a general assessment of the information security level is required. The assessment is usually conducted in the form of a penetration test and drills for the response team. With each test, you can learn about how to strengthen your ecosystem further.
The 20 Critical Security Controls we discussed in this article provide a clear guideline on how to get started with good information security. The getting-started part is very important though. As with other information security and compliance frameworks, the 20 Critical Security Controls isn’t designed to provide the ultimate level of information security. Instead, it is a foundation on which organizations can build their own data protection systems and increase their readiness against cyberattacks. For more on improving your information security levels, contact us at Ibexlabs today.
If you're working predominantly on AWS, then reading A Useful Overview Of The Cloud Controls Matrix
Ibexlabs is an experienced DevOps & Managed Services provider and an AWS consulting partner. Our AWS Certified DevOps consultancy team evaluates your infrastructure and make recommendations based on your individual business or personal requirements. Contact us today and set up a free consultation to discuss a custom-built solution tailored just for you.
Narendar is the Lead Solution Architect, and Co-Founder of Ibexlabs India.
