Stay vigilant, plan your response and test your defenses with CIS Controls 18, 19 and 20
This is the final entry in our series on the 20 Critical Security Controls devised by the Center for Internet Security (CIS) as best practices to help the public and private sectors tighten their cybersecurity.
We started down the path of building a solid security foundation by taking inventory of hardware and software; we then looked at vulnerability assessment and administrative privileges, and discussed how to build malware defenses. We also explored how to create a data recovery plan, how to protect your data, and the importance of monitoring and training employees.
We’ve reached the last three Critical Security Controls, so this article will round off our series with a look at the importance of monitoring software, establishing a response protocol, and conducting pen tests and red team exercises.
Critical Control 18: Application Software Security
Vulnerabilities in software offer attackers a potential route into your organization. They can stem from a wide variety of errors, so you have to take steps to prevent them, detect them and correct them.
When a vulnerability is present in open-source software, it’s more likely to become common knowledge and be exploited by attackers. Consider that 93 percent of organizations use open-source software, and 78 percent run part or all of their operations on it, according to The Tenth Annual Future of Open Source Survey.
Understanding the 20 Critical Security Controls:
- CIS Controls 1-3
- CIS Controls 4-6
- CIS Controls 7-9
- CIS Controls 10-12
- CIS Controls 13-15
- CIS Controls 16-17
- CIS Controls 18-20
It’s vital to ensure that all the software you use is fully updated to the latest version and patched with the latest security fixes. Web application firewalls should be deployed to inspect traffic and identify common attacks. In-house and third-party software must be stringently tested to identify security weaknesses. Avoid exposing detailed error messages to end users, and don’t allow developers unmonitored access to production environments. Your developers should ideally have some training in secure coding. A great resource to learn more about web application security is OWASP.
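To make the error-message point concrete, here is an added example (not code from the original article or from CIS) showing a request handler that leaks its exception detail to the client beside one that returns a generic message with an opaque reference id and keeps the full traceback in the server log. The lookup_account operation and its sample data are constructed for the example.

```python
import logging
import traceback
import uuid

logger = logging.getLogger("app")


def lookup_account(account_id: str) -> dict:
    """Assumed application operation (constructed for this example).
    Fails the way a real lookup might, with internal names in the message."""
    accounts = {"1001": {"owner": "alice"}}  # constructed sample data
    if account_id not in accounts:
        raise KeyError(f"no account {account_id!r} in table 'accounts' on db-primary")
    return accounts[account_id]


def handle_leaky(account_id: str) -> tuple:
    """'Before': the exception text and stack trace go straight to the client."""
    try:
        return 200, repr(lookup_account(account_id))
    except Exception:
        # Hands table names, hostnames and code paths to whoever sent the request.
        return 500, traceback.format_exc()


def handle_hardened(account_id: str) -> tuple:
    """'After': the client sees only a generic message plus a reference id;
    the full detail is logged server-side where responders can correlate it."""
    try:
        return 200, repr(lookup_account(account_id))
    except Exception:
        ref = uuid.uuid4().hex
        # exc_info=True attaches the traceback to the log record, not the response.
        logger.error("request failed ref=%s", ref, exc_info=True)
        return 500, f"An internal error occurred. Reference: {ref}"


def leaks_internals(body: str) -> bool:
    """Simple check: does a response body expose internal detail?"""
    markers = ("Traceback", "KeyError", "db-primary", "accounts")
    return any(m in body for m in markers)


if __name__ == "__main__":
    for handler in (handle_leaky, handle_hardened):
        status, body = handler("9999")
        print(handler.__name__, status, "leaks:", leaks_internals(body))
```

The reference id is what support staff or incident responders use to find the matching log entry, so the user still gets something actionable without the response revealing how the application is built.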
Critical Control 19: Incident Response and Management
Assuming you can completely block all attacks is not realistic, no matter how many resources you devote to security. Incidents will occur from time to time, so you must have a framework in place to discover them, contain the damage, purge the attacker and restore your systems. Far too many companies find vulnerabilities or suspicious activity, but they fail to take action swiftly enough to limit the damage.
You need a clear incident response plan with procedures to follow and a hierarchy of roles assigned so that everyone understands their responsibilities. Make sure the key players are empowered to take the necessary actions to deal with an incident. You should also establish standards to ensure that incidents are reported in detail in a timely manner and meet all legal and regulatory requirements. All employees should be aware of who needs to know about an incident, both internally and externally, for it to be resolved. When you have a plan in place, test it with a mock scenario to ensure it works as expected.
Critical Control 20: Penetration Tests and Red Team Exercises
The only way to be sure your defenses work is to simulate real-world scenarios and emulate a cyber attack. Hire someone to play the part of an attacker, and have them try to gain access to your systems and data. An experienced security professional can view your organization as an attacker might and find the weak spots to exploit. This will help you to find gaps that need to be plugged.
Internal and external penetration testing should reveal vulnerabilities that attackers might use to breach your systems. With a clear demonstration of where a problem lies, you can plan mitigation. Red team exercises take a holistic view of your defenses, including your policies and processes, to identify where improvements might be made. Both penetration tests and red team exercises should be conducted regularly, and the results should show a steady improvement over time. Always be careful to tidy up afterwards and keep the results confidential.
Your security has to evolve over time because attackers are constantly developing new methods and finding new ways in. Your security standards and your response plan depend upon monitoring, analysis and testing to be truly effective.
We hope this CIS Critical Security Controls series has been useful for you as an introduction to security standards. Follow these best practices, and you can dramatically reduce your potential attack surface and make life much harder for any would-be attacker.
This article was originally posted on NetworkWorld.
Image courtesy of Victor Cruz