The Verizon Data Breach Investigations Report makes it clear that each organization needs to implement a multi-faceted security solution to address the range of potential threats. Verizon points out that a one-size-fits-all security package is not a solution. Each organization has unique challenges based on type and size of company, processes and procedures, budget, and other factors.
As part of developing a security solution, Verizon recommends that businesses use the 20 Critical Security Controls as a guide for assessing the security needs of the organization. These controls have been developed over the past decade through the work of the National Security Agency (NSA) in conjunction with the Department of Defense (DoD). The list began as a classified mandate to “fix the known bads” that threatened government security. Over time, the NSA decided that protecting the US infrastructure (such as critical communications, power and financial sectors) required a public-private collaboration with the key security in the U.S. and U.K.[1]
The following list of 20 controls represents the top-priority security controls, each with the actions Verizon suggests. Businesses would do well to review it and consider which types of security solutions they need:
- Inventory of Authorized and Unauthorized Devices: Asset tracking
- Inventory of Authorized and Unauthorized Software: Software inventories, monitoring and notifications regarding unapproved software, application whitelisting, and software identification tagging
- Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers: Configuration monitoring and management, standard system images, software currency, and file integrity checks
- Continuous Vulnerability Assessment and Remediation: Automated vulnerability scanning, port checking, and patch management solutions
- Malware Defenses: Anti-virus tools, disabling auto-run, traffic analysis, secure e-mail usage, and sandboxing
- Application Software Security: Application testing and code review
- Wireless Device Control: Wireless device identifiers, network access control
- Data Recovery Capability: No sub-controls were primary mitigators of top threat actions
- Security Skills Assessment and Appropriate Training to Fill Gaps: Security awareness training, security policies, and awareness testing
- Secure Configurations for Network Devices such as Firewalls, Routers, and Switches: Strong authentication for network infrastructure
- Limitations and Control of Network Ports, Protocols, and Services: Conservative device configuration, default-deny stance
- Controlled Use of Administrative Privileges: Identification and monitoring of administrative accounts, restriction of access to administrative accounts, and securing administrative accounts with strong authentication
- Boundary Defense: Ingress and egress filtering based on blacklists, and default deny principle, DMZ traffic monitoring, IDS technologies, application proxies
- Maintenance, Monitoring, and Analysis of Security Audit Logs: Audit log settings, storage, retention, and review
- Controlled Access Based on the Need to Know: Network segmentation, logical access control
- Account Monitoring and Control: Account auditing, password parameters, account lockout settings, monitoring attempts to access disabled accounts and atypical account usage
- Data Loss Prevention: Mobile hard drive encryption, DLP software
- Incident Response and Management: No sub-controls were primary mitigators of top threat actions
- Secure Network Engineering: Network segmentation, establishment of security zones
- Penetration Tests and Red Team Exercises: Inclusion of social attacks in sanctioned penetration testing
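The Account Monitoring and Control entry above names three concrete checks (lockout settings, attempts to access disabled accounts, atypical account usage) without showing what they look like in practice. The following Python script is an added example, not code from the Verizon report or from the Critical Security Controls project. It runs those three checks over a handful of constructed authentication log lines in an assumed `timestamp user host result` format; the disabled-account list, the business-hours window, and the lockout threshold are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not taken from any real system).
# Assumed format: ISO timestamp, account name, source host, SUCCESS|FAILURE.
SAMPLE_LOG = """\
2013-04-01T09:02:11 alice ws-alice SUCCESS
2013-04-01T09:05:43 bob ws-bob SUCCESS
2013-04-01T23:47:02 alice ws-bob SUCCESS
2013-04-01T23:48:10 carol ws-carol FAILURE
2013-04-01T23:48:15 carol ws-carol FAILURE
2013-04-01T23:48:20 carol ws-carol FAILURE
2013-04-01T23:48:25 carol ws-carol FAILURE
2013-04-02T03:12:00 dave ws-bob SUCCESS
"""

# Assumed policy parameters for this example.
DISABLED_ACCOUNTS = {"dave"}        # accounts that should never log in
BUSINESS_HOURS = range(8, 19)       # 08:00-18:59 local time
LOCKOUT_THRESHOLD = 3               # consecutive failures before lockout


def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, result = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "host": host,
            "result": result,
        })
    return events


def analyze(events, disabled=DISABLED_ACCOUNTS,
            business_hours=BUSINESS_HOURS,
            lockout_threshold=LOCKOUT_THRESHOLD):
    """Return (kind, user, timestamp) findings for the three checks.

    kinds: disabled_account_access, lockout_threshold_reached,
           off_hours_login, unusual_host
    """
    findings = []

    # Baseline of "usual" hosts per user: successful logins during
    # business hours. A real deployment would build this over weeks.
    usual_hosts = defaultdict(set)
    for ev in events:
        if ev["result"] == "SUCCESS" and ev["ts"].hour in business_hours:
            usual_hosts[ev["user"]].add(ev["host"])

    failures = defaultdict(int)
    for ev in events:
        user, ts = ev["user"], ev["ts"]

        # Any activity on a disabled account is a finding, success or not.
        if user in disabled:
            findings.append(("disabled_account_access", user, ts))

        if ev["result"] == "FAILURE":
            failures[user] += 1
            # Report once, at the moment the lockout threshold is hit.
            if failures[user] == lockout_threshold:
                findings.append(("lockout_threshold_reached", user, ts))
        else:
            failures[user] = 0  # a success resets the failure counter
            if ts.hour not in business_hours:
                findings.append(("off_hours_login", user, ts))
            # Only flag a new host if we have a baseline for this user.
            if usual_hosts[user] and ev["host"] not in usual_hosts[user]:
                findings.append(("unusual_host", user, ts))

    return findings


if __name__ == "__main__":
    for kind, user, ts in analyze(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {kind:26} {user}")
```

On the constructed input the script flags alice's late-night login from bob's workstation (off hours and an unfamiliar host), carol's third consecutive failure (lockout threshold), and dave's login on a disabled account; bob's ordinary daytime login produces nothing. The baseline-then-scan split is the design choice worth keeping: the "what is usual" model must come from trusted history, not from the same window being inspected.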
[1] For more information on the history, see “A Brief History Of The 20 Critical Security Controls,” Center for Strategic & International Studies, <http://www.sans.org/critical-security-controls/history.php>