Foundational Controls may not sound like the sexiest subject in IT but arguably, it’s the most critical – and for good reason. Quite simply, without these fundamental controls in place and knowledge of what is on your network, your organization will find it incredibly difficult to manage a breach and effectively remediate. It’s very much the vogue at the moment to focus IT security budgets on prevention technologies to stop malware samples that exploit zero-day vulnerabilities, and to defend against advanced attacks like those we hear about on a day-to-day basis. But perhaps we need to stop and realize that the likelihood of an ordinary data breach is still quite high. If a breach does happen, do we have the controls in place to quickly and easily identify where it originated, what the impact is/was, how we can remediate quickly and efficiently, and how do we can prevent a similar incident from happening again? Acknowledging the threat of a data breach, the Center for Internet Security (CIS) developed 20 Critical Security Controls (CSC) that it recommends are followed to increase your security posture and reduce your attack surface. It’s the first five of these controls, in particular, that will pay dividends in the long run. They work on the Pareto 80/20 principle; by taking just a small portion of all the security actions available, you’ll make a big difference to your cybersecurity program. Just think about it. When building a house from the ground up, you need to make sure the foundations of your property are securely in place as surely no one would build walls and floors on poorly constructed foundations.
"From my own experiences as a CISO, many companies wrongly assume that have already invested in foundational controls either because they have been in business for a long time or because they have a (supposedly) mature IT function. Regardless of company size or operating time, if you ignore the basics, your foundations will shake." –Amar Singh
This clearly makes sense, but with the explosion in security awareness and companies striving to protect their critical assets, these basic controls are often forgotten about. Not intentionally, of course, but it’s understandable, if not negligent, that they’re looking to quickly protect and secure their data and systems as many companies are regulated and subjected to compliance. They need to show they’re investing in security. Tripwire can map the top five CSC down to four cybersecurity pillars. Are you applying these basic pillars of security? CSC 1: Inventory of Authorized and Unauthorized Devices. CSC 2: Inventory of Authorized and Unauthorized Software.
Discovery: Actively manage (inventory, track, and correct) all hardware devices on the network and create a list of authorized software (and their versions) that are required in the enterprise for each type of system, including servers, workstations, and laptops.
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers.
Best Practices: Establish standard-secure configurations of your operating systems and software applications. Standardized images should represent hardened versions of the underlying operating system and the applications installed on the system. These images should be validated and refreshed on a regular basis to update their security configuration in light of recent vulnerabilities and attack vectors.
CSC 4: Continuous Vulnerability Assessment and Remediation.
Risk Assessment: Do you run automated vulnerability scanning tools against all systems on the network on a weekly or more frequent basis? Do you deliver prioritized lists of the most critical vulnerabilities to each responsible system administrator along with risk scores that compare the effectiveness of system administrators and departments in reducing risk? If not, you’re at risk.
CSC 5: Controlled Use of Administrative Privileges. Monitoring: Do you leverage all available logs to detect, assess, and monitor what’s taking place inside your network and on your devices? Do you know what’s taking place on your critical infrastructure 24/7? In summary, the key to dealing with risk is to remember that foundational controls still apply regardless of scale. Know what’s on your network, understand how it’s vulnerable, keep it patched, keep it securely configured, and monitor it for suspicious activity. Quite simply, when you do the easy things well, the hard things will be easier. To learn more about how to use the top five CSC and other foundational controls to strengthen your company, please join Amar Singh, CEO & Founder of Cyber Management Alliance, and I for our webinar entitled "Designing the Foundations of a Secure Organization." You can attend our presentation by signing up here.