The four security controls your business should take now

Security experts have defined the 20 most important security controls any organization should put in place now. Start with these four.

There never will be a perfect computer or network defense. Computer security is a constantly escalating game of cat-and-mouse. As quickly as you address the latest threat, attackers have already developed a new technique to access your network and compromise your PCs. But if you focus on the fundamentals, you can minimize your risk and defend against most attacks.

Small companies have limited IT resources, and can't possibly defend against every possible exploit or attack. How do you know what to prioritize? Start with the 20 Critical Security Controls report, written by the Center for Internet Security (CIS), the SANS Institute, and the National Security Agency (NSA). To help businesses and governments, they have defined the security controls that block the most frequent attacks.

Speaking recently at the RSA Security conference, Philippe Courtot, chairman and CEO of Qualys, cautioned against mistaking compliance for security. He stressed that security should facilitate rather than impede business goals, naming the report as a valuable starting point.

John Pescatore, director of the SANS Institute, drew a comparison to the Pareto principle. The axiom commonly referred to as the "80/20 rule" says essentially that 20 percent of the effort or input results in 80 percent of the output.

It turns out that the top 20 priorities you should tackle to address 80 percent of the possible attacks against your network and PCs are common-sense fundamentals that have long been best security practices. However, even this relatively narrow list is too broad. To break it down further, here are the top four security controls you should put into practice immediately.

1. Inventory of authorized and unauthorized devices

You can't stay on top of every vulnerability and exploit for every device made, and you can't protect things if you don't even know they exist. Take an accurate inventory of both your physical and virtual servers, as well as the PCs, smartphones, tablets, and other devices connected to your network or in use in your environment.

Trying to keep track of every device on your network manually is impractical, and a manual list would not catch rogue, unauthorized devices as they appear. Use an asset tracking tool such as GFI MAX or QualysGuard to automate the process.

2. Inventory of authorized and unauthorized software

Similarly, you can't follow every flaw in every application ever written, either. Know what software is on the devices connected to your network in order to determine the risk and potential impact of any emerging threats.

Maintaining an accurate inventory of the hardware and software used on your network is difficult, especially without a tool to automate the process. However, the same tools used for taking an inventory of hardware can monitor installed applications as well.
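The first two controls share one underlying check: compare what is actually present on the network with what you have authorized, and treat every difference as a finding. The following added example (written for this article, not code from the article or from GFI MAX or QualysGuard) reconciles a constructed set of observed hosts, as a DHCP server or agent might report them, against a constructed authorized-device list keyed by MAC address and an approved-software list. The inventories, MAC addresses, hostnames and package names are all made up for the illustration.

```python
"""Reconcile observed devices and software against an authorized inventory.

Added example, not from the CSO article or from any vendor tool it names.
All records below are constructed; a real deployment would populate them
from DHCP leases, switch MAC tables, or an agent's package listing.
"""
from dataclasses import dataclass, field

# Authorized devices, keyed by MAC address (constructed sample inventory).
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:01": "fileserver-01",
    "00:11:22:33:44:02": "workstation-07",
    "00:11:22:33:44:03": "printer-2f",
}

# Software approved for use anywhere on the network (constructed).
APPROVED_SOFTWARE = {"openssh-server", "firefox", "libreoffice", "postgresql"}


@dataclass
class ObservedHost:
    """One host as seen in a network sweep plus whatever software an agent reported."""
    mac: str
    ip: str
    hostname: str
    software: set = field(default_factory=set)


# What a network sweep and agent reports observed right now (constructed).
OBSERVED = [
    ObservedHost("00:11:22:33:44:01", "10.0.0.10", "fileserver-01",
                 {"openssh-server", "postgresql"}),
    ObservedHost("00:11:22:33:44:02", "10.0.0.21", "workstation-07",
                 {"firefox", "libreoffice", "bittorrent-client"}),
    ObservedHost("aa:bb:cc:dd:ee:ff", "10.0.0.99", "android-3f2a", set()),
]


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so 00-11-.. and 00:11:.. compare equal."""
    return mac.lower().replace("-", ":")


def find_unauthorized_devices(observed, authorized):
    """Return observed hosts whose MAC is not in the authorized inventory (rogue devices)."""
    known = {normalize_mac(m) for m in authorized}
    return [h for h in observed if normalize_mac(h.mac) not in known]


def find_missing_devices(observed, authorized):
    """Return authorized device names not seen on the network (offline, moved, or removed)."""
    seen = {normalize_mac(h.mac) for h in observed}
    return sorted(name for mac, name in authorized.items()
                  if normalize_mac(mac) not in seen)


def find_unapproved_software(observed, approved):
    """Return {hostname: sorted packages not on the approved list}, hosts with none omitted."""
    findings = {}
    for h in observed:
        extra = sorted(h.software - approved)
        if extra:
            findings[h.hostname] = extra
    return findings


def inventory_report(observed=OBSERVED, authorized=AUTHORIZED_DEVICES,
                     approved=APPROVED_SOFTWARE):
    """Combine the three checks into one report suitable for a daily review."""
    return {
        "unauthorized_devices": [(h.mac, h.ip, h.hostname)
                                 for h in find_unauthorized_devices(observed, authorized)],
        "missing_devices": find_missing_devices(observed, authorized),
        "unapproved_software": find_unapproved_software(observed, approved),
    }


if __name__ == "__main__":
    for key, value in inventory_report().items():
        print(f"{key}: {value}")
```

Keying on MAC rather than hostname or IP matters because a rogue device can choose any hostname and will usually receive a fresh DHCP address; the "missing devices" list is as useful as the rogue list, since an authorized server that quietly disappears from the network deserves a look too.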

3. Continuous vulnerability assessment and remediation

Most attacks exploit known vulnerabilities: publicly disclosed flaws for which vendors have already released patches. Even if there is no active exploit in the wild, once a vendor releases a patch, attackers can reverse-engineer it to create a new attack. A system of vulnerability assessment and patch management will help you plug those holes before attackers find them.

New vulnerabilities are discovered almost constantly, so the results of a vulnerability scan are outdated almost as soon as you finish it. If you use a tool like QualysGuard or nCircle PureCloud, you can set up automated vulnerability scans to run on a regular schedule.
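At its core, a vulnerability assessment joins the software inventory from control 2 against a feed of advisories that say which version fixed each flaw, and ranks what falls out by severity. The following added example (written for this article; it is not code from the article and not how QualysGuard or nCircle PureCloud work internally) does that join over a constructed inventory and a constructed advisory table with placeholder IDs, and also flags a scan report that is too old to trust, which is the point the paragraph makes about results going stale.

```python
"""Compare an installed-software inventory against known-fixed versions.

Added example, not from the CSO article and not a reimplementation of any
scanner it names. The advisory table and inventory are constructed with
placeholder IDs; a real feed would come from vendor bulletins or a scanner's
signature update.
"""
from datetime import datetime, timedelta
import re

# Constructed advisory feed: package -> version in which the flaw was fixed.
# Any installed version older than fixed_in is considered vulnerable.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "package": "openssh-server", "fixed_in": "9.6", "severity": "high"},
    {"id": "ADV-EXAMPLE-002", "package": "firefox", "fixed_in": "121.0.1", "severity": "critical"},
    {"id": "ADV-EXAMPLE-003", "package": "postgresql", "fixed_in": "15.5", "severity": "medium"},
]

# Constructed inventory: hostname -> {package: installed version}.
INVENTORY = {
    "fileserver-01": {"openssh-server": "9.3", "postgresql": "15.5"},
    "workstation-07": {"firefox": "120.0", "openssh-server": "9.6"},
}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(text: str) -> tuple:
    """Turn the leading dotted-numeric part of a version into a comparable tuple.

    '9.6p1' -> (9, 6); '121.0.1' -> (121, 0, 1). Vendor suffixes are ignored,
    so this compares release numbers only, which is what the fixed_in field means.
    """
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """True when the installed release is older than the one carrying the fix."""
    return parse_version(installed) < parse_version(fixed_in)


def assess(inventory=INVENTORY, advisories=ADVISORIES):
    """Join inventory against advisories; return findings sorted by severity, host, package."""
    findings = []
    for host, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv["package"])
            if installed is not None and is_vulnerable(installed, adv["fixed_in"]):
                findings.append({
                    "host": host,
                    "package": adv["package"],
                    "installed": installed,
                    "fixed_in": adv["fixed_in"],
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                })
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["host"], f["package"]))
    return findings


def scan_is_stale(last_scan_iso: str, now_iso: str, max_age_days: int = 7) -> bool:
    """Scan results age quickly; a report older than max_age_days should trigger a rescan."""
    last_scan = datetime.fromisoformat(last_scan_iso)
    now = datetime.fromisoformat(now_iso)
    return now - last_scan > timedelta(days=max_age_days)


if __name__ == "__main__":
    for f in assess():
        print(f"[{f['severity']}] {f['host']}: {f['package']} {f['installed']} "
              f"< {f['fixed_in']} ({f['advisory']})")
```

Ordering by severity is what turns a scan into a remediation queue: the output here puts the critical browser finding ahead of the high-severity SSH one, and the host whose packages are all at or above the fixed version produces no row at all. Scheduling `assess` to run after every inventory refresh, and rescanning whenever `scan_is_stale` says so, is the automated cadence the article recommends.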

4. Malware defenses

The vast majority of attacks come in the form of malware, including viruses, worms, Trojans, botnets, and rootkits. If you have antimalware protection in place, such as McAfee Internet Security 2013 or BitDefender Internet Security 2013, and keep it updated regularly, it should be able to detect and block known malware threats. Most antimalware tools also include heuristic techniques that identify suspicious or malicious behavior, which helps defend against new, unknown attacks.

The 20 Critical Security Controls have been around for a few years, but they're periodically updated. This latest is version 4.0.


Stories by Tony Bradley
