A new international group, the Consortium for Cybersecurity Action (CCA), has just published a list of Critical Controls for Effective Cyber Defense to help companies and agencies figure out their IT security plan.
Led by Tony Sager, the retired chief operation officer of NSA’s Information Assurance Directorate, the CCA’s goal is to give organizations a manageable strategy for preventing and detecting attacks. According to the CCA, a company’s IT security plan should:
- Use data about actual attacks that have happened in the past to figure what the risks are
- Establish common terminology and metrics so that IT, executives and other areas make sure they’re on the same page
- Be continuously monitored and evaluated to make sure it’s still working, and
- Include as much automation as possible.
The first point is especially important as organizations prioritize for their IT security plan — CCA says companies should focus on measures that mitigate known attacks and address the widest variety of attacks the organization is likely to face.
While the order of priority will vary across different companies, these are the coalition’s top 20 critical controls for an IT security plan:
1.) Inventory of authorized and unauthorized devices – That can include specific lists of device models that are allowed or banned, or lists of criteria devices must meet before they’re allowed on the network. That’s especially important as IT consumerization and BYOD programs become more common.
2.) Inventory of authorized and unauthorized software – Likewise, organizations should know what software is allowed on their systems and have a way to monitor for applications that aren’t allowed.
3.) Secure configurations for hardware and software – All devices, including PCs, laptops, mobile devices and servers, should be properly configured to prevent cyber attacks. Hackers often exploit default configurations, so an IT security plan should include procedures for verifying secure configurations before a device is connected to the network.
4.) Secure configurations for network devices – Likewise, routers, firewalls, switches and other networking devices must be properly configured to protect against cyber attacks. In many organizations, vulnerable configurations build up over time as changes are made and then forgotten about.
5.) Continuous vulnerability assessment and remediation – It’s not enough to conduct security audits a few times a year — the CCA recommends using automated vulnerability testing to scan for security holes on at least a weekly basis. The company should also have procedures in place to make sure vulnerabilities found are fixed in a timely manner.
6.) Defenses against malware – Malware is one of the most common cyber attacks against businesses, and an effective IT security plan will include a variety of defenses, such as installing anti-malware applications, disabling auto-run features on users’ machines and improving email protection.
7.) Secure web applications – Hackers can access networks through vulnerabilities in web-facing applications. Often businesses are attacked after trusting applications developed by third parties, so it’s important to test those before they’re used.
8.) Secure wireless devices – Many attacks stem from wireless networks, either because nearby attackers access the network through Wi-Fi, or data is stolen when users connect to unsecured wireless networks. Companies should monitor traffic on their wireless networks and use enterprise-level security controls to protect access points, as well as create policies and training to ensure safe Wi-Fi use among employees.
9.) Data recovery capability – Companies must make sure data is backed up in case it’s damaged or destroyed by cyber attacks or other incidents. It’s important for an IT security plan to include regular tests to make sure data is backed up and recoverable.
10.) Security skills assessment and training – Both users and IT employees are often tricked by attackers to allow network access or turn over sensitive data. That’s why everyone in the company should be given a security skills assessment and offered training to cover any gaps.
11.) Control of ports and services — In addition to user desktops and web applications, hackers can gain access to companies’ networks through web servers, mail servers, file and print services, DNS servers and other services, often because they were enabled by default without IT’s knowledge.
12.) Controlled administrative privileges — A large number of data breaches are blamed on a company’s own employees — either because they intentionally stole data or their negligence led to a breach. One way to lower risk is to limit the access privileges employees have to only what they need to do their jobs.
13.) Data categorized based on sensitivity – Likewise, it’s important to limit access to individual sets of sensitive data to only the people that need to see them. To do that, businesses must take an inventory of their data and create categories based on sensitivity.
14.) Audit administrative accounts – Attacks often exploit inactive user accounts to gain entry into a network. IT must make sure it closes accounts as soon as they are no longer needed — that means they should be in close communication with HR so they’re immediately aware of personnel changes.
15.) Boundary defenses – To effectively keep attackers from gaining access to the network, the CCA recommends a multi-layered IT security plan that includes firewalls, proxies, perimeter networks and other tools, as well as blocking inbound and outbound traffic to and from blacklisted IP addresses.
16.) Monitoring and analysis of audit logs – While preventing attacks is important, it may be even more critical to detect attacks that do happen and prevent them causing more damage. One way to do that is to create regular network audit logs and check them for anomalies.
17.) Protections against data loss – Data often falls into the wrong hands after a computing device is lost or stolen or it’s siphoned off the network after a cyber attack. One key protection against both those types of incidents: encryption.
18.) Effective breach response plans – The sad fact is that data breaches will occur — but IT can help protect against damages to company’s reputation and bottom line by making sure an effective data breach response plan is in place before an incident occurs.
19.) Securely designed networks – Even when all controls are implemented as part of an IT security plan, the CCA says attacks can still occur in networks that are poorly designed. One big problem: Many networks fail to keep different segments separate, leaving the whole network vulnerable in case of an attack.
20.) Penetration testing – Finally, a good IT security plan will call for regular penetration testing to discover vulnerabilities that may be left open despite the other security controls.
For more information on how to implement each of those controls in your IT security plan, download the CCA’s report on 20 Critical Security Controls.