With data breaches on the rise, organizations need to ensure they have all the necessary security controls in place to protect their data more than ever. To address the growing security threats, the SANS Institute, in collaboration with the Center for Internet Security (CIS) and other organizations, has developed the 10 Critical Security Controls (CSCs) for Effective Cyber Defense. These controls provide IT professionals with a prioritized and targeted set of actions that enable them to stop the most dangerous cyberattacks and keep their data safe.
This blog post explains these 10 controls and why each one is critical.
These 10 controls are based on the most current information about common attacks and reflect the combined knowledge of commercial crime experts, individual penetration testers, and U.S. government agency representatives.
1. Authorized and unauthorized devices
Organizations must actively manage all devices on the network so that only authorized devices can access them and unauthorized devices can be quickly identified and disconnected before causing damage.
Why is this critical? Attackers continually scan the address space of organizations, waiting for new, unprotected systems to connect to the network. This monitoring is especially important for organizations that allow the use of personal devices, as attackers specifically look for devices entering and leaving the corporate network.
2. Authorized and unauthorized software
Organizations must actively manage all software on the network so that only authorized software is installed. Security measures such as an application whitelist allow organizations to quickly identify unauthorized software before it is installed.
Why is this critical? Hackers look for vulnerable versions of software that can be exploited remotely. They may distribute hostile web pages, media files and other content, or use zero-day exploits that take advantage of unknown vulnerabilities. For this reason, being familiar with the software that has been deployed in your organization is critical to ensuring data security and privacy.
3. Secure hardware and software configurations
Organizations must define, implement and manage security configurations for laptops, servers and desktops. They must enforce strict configuration management and change control processes to prevent attackers from exploiting vulnerable services and settings.
Why is this critical? Manufacturers and resellers design default configurations for operating systems and applications for ease of deployment and use, not for strong security. Open services and ports, as well as default accounts or passwords, can be exploited in their default state, so organizations must develop configuration settings with good security properties.
4. Continuous vulnerability assessment and remediation
Organizations must continually acquire, assess, and manage new information (e.g., software updates, patches, security advisories, and threat bulletins) to identify and remediate vulnerabilities that attackers might otherwise use to penetrate their networks.
Why is this critical? As soon as researchers report new vulnerabilities, a race begins between all parties involved: attackers work to use those vulnerabilities for an attack, vendors develop patches or updates, and IT security managers begin performing risk assessments or regression testing. Hackers have access to the same information as everyone else, and can take advantage of the intervals between new knowledge and corrective action.
5. Controlled use of administrative privileges
As part of this control, organizations should use automated tools to monitor user behavior and track how administrative privileges are assigned and used. This is to prevent unauthorized access to critical systems.
Why is this critical? Administrative privilege theft is one of the most common methods used by attackers to penetrate an organization’s network. To obtain administrative credentials, they may use phishing techniques, crack or guess an administrator user’s password, or elevate the privileges of a normal user account to an administrative account. If organizations do not have the resources to monitor what is happening in their IT environment, attackers can more easily take full control of their systems.
6. Maintenance monitoring and analysis
Organizations must collect, manage and analyze event logs in order to detect anomalous activity and investigate security incidents.
Why is this critical? Lack of logging and analysis of security events allows attackers to hide their location and activities in the network. Even if the victim organization knows which systems have been compromised, without complete maintenance monitoring, it will be difficult for them to understand what an attacker has done so far and respond effectively.
7. Protect email and web browsers
To minimize their attack surface, organizations should ensure that only fully supported web browsers and email clients are used.
Why is this critical? Web browsers and email clients are popular entry points for hackers due to their high technical complexity and flexibility. Criminals can create content and entice users to perform actions that can introduce malicious code and result in the loss of valuable data.
8. Malware defense
Organizations must ensure that they can control the installation and execution of malicious code in different locations within the organization. This control recommends using automated tools to continuously monitor desktops, servers and mobile devices with antivirus, antispyware, personal firewalls and host-based IPS functionality.
Why is this essential? Today’s malware circulates and evolves rapidly, and it can penetrate from multiple points. Therefore, malware defenses must be effective in this dynamic environment through large-scale automation, updates and integration with processes such as incident response.
9. Restriction and control of network ports, protocols and services
Organizations must monitor and manage the use of ports, protocols and services on network devices to minimize vulnerabilities that attackers can exploit.
Why is this critical? Attackers look for remotely accessible and vulnerable network services. Common examples include misconfigured web servers, mail servers and file and print services, and domain name system (DNS) servers installed by default on various devices. It is therefore imperative to ensure that only ports, protocols and services that meet a confirmed business need are running on each system.
10. Data backups & data recovery
Companies must ensure that they properly back up critical systems and data at least once a week. They also need to have a proven methodology to recover data in a timely manner.
Why is this critical? Criminals often make significant changes to data, configurations and software. Without reliable backup and recovery, organizations will struggle to recover from an attack.
check out this article to learn more about the basics of cybersecurity.