Critical Security Controls is a set of best practices devised by the Center for Internet Security, a nonprofit dedicated to improving cybersecurity in the public and private sectors.
Cyberattacks are costing businesses between $400 billion and $500 billion per year, depending on which analysts you listen to. Cybersecurity has never been a hotter topic. The market is expected to grow from $106 billion this year to more than $170 billion by 2020, according to Markets and Markets. The average cost of a data breach, by the time you factor in remediation, non-compliance fines, and brand damage, is tough to accurately calculate, but it’s high, and it’s rising.
The Heartbleed vulnerability was 2014’s catastrophic security bug, and it had a wide-reaching impact. But even as companies pour more money into security services and platforms, the exploit still remains on many servers. As the IoT threatens new avenues of risk, the response in the enterprise is mixed, and good practices in some areas are being severely undermined by a casual approach in others.
Building a solid foundation
Just as a house built on sand is not going to last, an InfoSec strategy that lacks a solid foundation is going to fail, no matter how much money you throw at it. We hear plenty about the growth in software vulnerabilities, the rise of malware and ransomware, and the risk of ignoring threats, but what should you be doing?
A great place to start creating your InfoSec framework is with the CIS (Center for Internet Security) Critical Security Controls. This is a recommended set of best practices, put together by government and law enforcement agencies, that focuses on actionable ways to bolster your cyber defenses. You’ll find a full explanation at theSANS institute.
Taking any of the 20 actions on the list will have a positive impact on your security status, but the smart move is to work towards fulfilling the full range.
A step in the right direction
These are simple common-sense rules, but you’d be amazed at how often they’re overlooked. We don’t have time to cover everything in this article, but if we just take a brief look at the first couple of entries on the list, you’ll get an idea of the practical advice within.
Critical Control 1 – Inventory of Authorized and Unauthorized Devices
Building a good security foundation is about asking the right questions and identifying gaps in your knowledge. This first control is absolutely fundamental to security, but many organizations will struggle to answer questions like:
- How many servers do you have in total?
- How many devices are connected to your network?
- What about firewalls, switches, and routers?
- Can you control what joins your network?
There’s no way you can have a complete map, or flag potential vulnerabilities, without knowing exactly what hardware you have. An up-to-date, comprehensive hardware inventory is essential.
Critical Control 2 – Inventory of Authorized and Unauthorized Software
You should take this together with the first control and devise a list of authorized software that covers every system and device you’re using. You’ll need to be able to monitor your software in real-time to validate versions and ensure that unapproved apps are blocked or, at least, flagged.
To ensure vulnerabilities and exploits are dealt with in a timely fashion, you also need to know what operating systems and versions of software are in use, and have a system to flag necessary updates based on new threats as they emerge.
It takes time
As you can see, simply creating an accurate inventory of your hardware and software can be a big undertaking. Rome wasn’t built in a day, and you’ll find it takes time and resources to build a good InfoSec framework, too. What’s important is to formulate a plan that takes a holistic view. Start working through the steps outlined in the Critical Security Controls, and your defense will be strengthened with every step you take.
Whether you’re training up a team, hiring a new CISO, or engaging the services of a security consultancy, this list arms you with a solid framework to measure your efforts against. It’s invaluable actionable guidance, and it has the potential, not just to improve individual security, but to boost our collective security online. Every business should consider making it a starting point for building that solid security foundation.
The opinions expressed in this Blog are those of Michelle Drolet and do not necessarily represent those of the IDG Communications, Inc., its parent, subsidiary or affiliated companies.
This article was recently published in Network World.
Image courtesy ofVictor Cruz.