Data Breaches: 20 Critical Security Controls

The Verizon Data Breach Investigations Report makes it clear that each organization needs to implement a multi-faceted security solution to address the range of potential threats. Verizon points out that a one-size-fits-all security package is not a solution. Each organization has unique challenges based on type and size of company, processes and procedures, budget, and other factors.

As a part of developing a security solution, Verizon recommends businesses utilize the 20 Critical Security Controls as a helpful guide for assessing the security needs of the organization. These controls have been developed over the past decade through the work of National Security Agency (NSA) in conjunction with the Department of Defense (DoD). The list began as a classified mandate to “fix the known bads” that threatened government security. Over time, NSA decided that protecting the US infrastructure (such as critical communications, power and financial sectors) required a public-private collaboration with the key security in the U.S. and U.K.[1]

This following list of 20 represents the top priority controls for security with suggested actions by Verizon. Businesses would do well to review and consider the types of security solutions needed:

  1. Inventory of Authorized and Unauthorized Devices: Asset tracking
  2. Inventory of Authorized and Unauthorized Software: Software inventories, monitoring and notifications regarding unapproved software, application whitelisting, and software identification tagging
  3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers: Configuration monitoring and management, standard system images, software currency, 
and file integrity checks
  4. Continuous Vulnerability Assessment and Remediation: Automated vulnerability scanning, port checking, and patch management solutions
  5. Malware Defenses: Anti-virus tools, disabling auto-run, traffic analysis, secure e-mail usage, and sandboxing
  6. Application Software Security: Application testing and code review
  7. Wireless Device Control: Wireless device identifiers, network access control
  8. Data Recovery Capability: No sub-controls were primary mitigators of top threat actions
  9. Security Skills Assessment and Appropriate Training to Fill Gaps: Security awareness training, security policies, and awareness testing
  10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches: Strong authentication for network infrastructure
  11. Limitations and Control of Network Ports, Protocols, and Services: Conservative device configuration, default-deny stance
  12. Controlled Use of Administrative Privileges: Identification and monitoring of administrative accounts, restriction of access to administrative accounts, and securing administrative accounts with strong authentication
  13. Boundary Defense: Ingress and egress filtering based on blacklists, and default deny principle, DMZ traffic monitoring, IDS technologies, application proxies
  14. Maintenance, Monitoring, and Analysis of Security Audit Logs: Audit log settings, storage, retention, and review
  15. Controlled Access Based on the Need to Know: Network segmentation, logical access control
  16. Account Monitoring and Control: Account auditing, password parameters, account lockout settings, monitoring attempts to access disabled accounts and atypical account usage
  17. Data Loss Prevention: Mobile hard drive encryption, DLP software
  18. Incident Response and Management: No sub- controls were primary mitigators of top threat actions
  19. Secure Network Engineering: Network segmentation, establishment of security zones
  20. Penetration Tests and Red Team Exercises: Inclusion of social attacks in sanctioned penetration testing

[1] For more information on the history, see “A Brief History Of The 20 Critical Security Controls.” Center for Strategic & International Studies <>