IT Risk Assessments and the SANS Top 20 - Part II

4 min read
February 9, 2016 at 10:00 AM

This is part II of our blog series on the SANS Top 20 Critical Security Controls (CSC) and why organizations are using these controls as the foundation for their IT Risk Assessments. This week we cover CSCs 6 through 10 and give a short overview of why each control matters.

When it comes to the SANS Top 20, there is no secret to the order of the controls. They are ranked by "quick wins", ease of implementation, and the impact each one has on your overall Information Security program, and the first controls listed are foundational for an organization and its Information Security Program. That does not make CSCs 6 through 10 less important; they are still critical (hence the name Critical Security Controls). Think of the CSCs as a house: controls 1 through 5 are the foundation and controls 6 through 10 are the walls. You can't build a house without a foundation or walls, but the order in which you build them obviously makes a huge difference. On to CSCs 6 through 10:

  • CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs - This is another big one (you're going to hear that a lot throughout these posts)! Most organizations keep audit logs to meet some compliance requirement, but how often do they actually review them? Audit logs can be, and often are, the only evidence of an attack on an organization. If you don't review them, you will never know you were attacked, and the damage may be impossible to recover from. We have dealt with this situation several times, and in some instances law enforcement was unable to prosecute the perpetrators because there was no solid evidence: the audit logs were not maintained, or they were overwritten too quickly. Keep logs long enough to cover the time between an intrusion and its discovery, and review them regularly. Audit logs will give you good, detailed information that could be essential to stopping an attack.
  • CSC 7: Email and Web Browser Protections - This is a pretty obvious one, but it still needs to be discussed. How many of your employees use email and web browsing to complete their day-to-day responsibilities? I would venture to guess that the number is upwards of 85%. Email clients and web browsers are a common attack vector because of their complexity and heavy usage. Make sure you are only running supported email clients and web browsers, that they are up to date with patches, and that unnecessary or unauthorized plug-ins are disabled or uninstalled. This may upset your employees, but the reality is that you have a responsibility to keep sensitive information from falling into the wrong hands, and this is a key method of doing that.
  • CSC 8: Malware Defenses - Seems pretty obvious, right? You should defend against malware and have protections in place so it cannot end up on your systems. Common sense. You never hear a CIO or ISO suggest allowing malware onto their systems; they would probably be fired on the spot. But talking about malware defenses and actually defending against malware are two completely different animals. Malware can be spread or introduced in so many forms that it is truly frightening, but here are some good places to start. Make sure you have anti-virus, anti-spyware, and anti-malware installed on your devices, and have their events sent to a centralized log server that is reviewed for abnormalities. In addition, limit the use of external devices (USB drives and other removable media) to specific business needs, and have anti-malware scans run on media when it is inserted.
  • CSC 9: Limitation and Control of Network Ports, Protocols, and Services - This is another common entry point, as attackers search for accessible network services that can be exploited. As version 6 of the Critical Security Controls points out, many software packages automatically install and turn on services that may not be necessary, and administrators may not even be aware they are running, leaving them open to attack. Running a port scanner against your own network is a great line of defense, but remember that attackers are running port scanners too, looking for what you have missed. Keep each scan as a baseline and compare new scans against it, so that a port or host that appears between scans stands out as something to investigate.
  • CSC 10: Data Recovery Capability - What, when, and how you back up your data can be incredibly important if you suffer an attack. The most obvious example is the latest trend in ransomware. If a company falls victim to a ransomware attack, when the data was last backed up and where it was backed up can mean the difference between business as usual and a quick recovery, or a difficult, painstaking process that means business downtime. Downtime means lost productivity and revenue, which can spell disaster for a company, especially a small business. Back up your data often, encrypt the backups, test that you can actually restore from them, and, if possible, back up key systems to a location that is not continuously addressable through operating system calls, so that ransomware running on a workstation or server cannot encrypt the backups along with the live data.
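The CSC 6 point about review, rather than mere retention, is easiest to see with a concrete check. The Python script below is an added example, not code from the original post or from Compass; it runs a brute-force detection over a handful of constructed sshd lines in Linux auth.log format (the host name srv1, the addresses and the timestamps are all made up for the example, and the year 2016 is assumed because syslog timestamps carry none). It reports any source address with a burst of failed logins and, more importantly, whether that same address was later accepted, which is the line in a log that nobody finds unless somebody is actually reading it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd entries in Linux auth.log format; not from any real host.
SAMPLE_AUTH_LOG = """\
Feb  9 10:00:01 srv1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 4321 ssh2
Feb  9 10:00:02 srv1 sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 4322 ssh2
Feb  9 10:00:02 srv1 sshd[2105]: Failed password for root from 203.0.113.5 port 4323 ssh2
Feb  9 10:00:03 srv1 sshd[2107]: Failed password for root from 203.0.113.5 port 4324 ssh2
Feb  9 10:00:04 srv1 sshd[2109]: Failed password for root from 203.0.113.5 port 4325 ssh2
Feb  9 10:00:05 srv1 sshd[2111]: Accepted password for root from 203.0.113.5 port 4326 ssh2
Feb  9 10:07:30 srv1 sshd[2140]: Failed password for alice from 198.51.100.7 port 50122 ssh2
Feb  9 10:07:41 srv1 sshd[2142]: Accepted password for alice from 198.51.100.7 port 50123 ssh2
Feb  9 10:15:00 srv1 sshd[2150]: Accepted publickey for bob from 192.0.2.44 port 60001 ssh2
"""

# Matches the sshd success/failure lines; everything else in the log is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2016):
    """Return {ts, result, user, ip} for an sshd login line, or None for other lines.
    syslog timestamps carry no year, so the caller supplies it (assumed 2016 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def find_brute_force(lines, threshold=5, window_seconds=60):
    """Flag source IPs with `threshold` or more failed logins inside any
    `window_seconds` window, and note whether the same IP was accepted afterwards."""
    failures, successes = defaultdict(list), defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        bucket = failures if event["result"] == "Failed" else successes
        bucket[event["ip"]].append(event["ts"])

    findings = []
    for ip, times in failures.items():
        times.sort()
        start, burst_end = 0, None
        for i, t in enumerate(times):
            # shrink the window from the left until it spans at most window_seconds
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if i - start + 1 >= threshold:
                burst_end = t
                break
        if burst_end is None:
            continue
        later_success = any(s >= burst_end for s in successes.get(ip, []))
        findings.append({"ip": ip, "failures": len(times),
                         "burst_end": burst_end, "success_after_burst": later_success})
    return findings


if __name__ == "__main__":
    for f in find_brute_force(SAMPLE_AUTH_LOG.splitlines()):
        print(f"{f['ip']}: {f['failures']} failures; "
              f"accepted login after burst: {f['success_after_burst']}")
```

On the sample data only 203.0.113.5 is reported: five failures in four seconds followed by an accepted root login. Alice's single typo is below the threshold, which is the point of windowing by count and time rather than alerting on every failure. The same check is only as good as the retention behind it: if the log rotates away before anyone runs it, the evidence is gone.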
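For CSC 9, "look at trends over time" in practice means diffing each new port scan against a saved baseline and against the list of services that are supposed to be there. The Python below is an added example, not code from the original post or from Compass. It parses nmap's grepable output format (the -oG option) and compares two scans; the two scan listings, the 10.0.0.0/28 network, the host names and the approved-services table are all constructed for the example.

```python
import re

# Constructed nmap grepable (-oG) output from two monthly scans of the same subnet.
BASELINE_SCAN = """\
# Nmap 7.01 scan initiated Mon Jan 11 02:00:01 2016 as: nmap -sS -p- -oG baseline.gnmap 10.0.0.0/28
Host: 10.0.0.5 (srv1.example.internal)\tStatus: Up
Host: 10.0.0.5 (srv1.example.internal)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (65533)
Host: 10.0.0.6 (db1.example.internal)\tStatus: Up
Host: 10.0.0.6 (db1.example.internal)\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///\tIgnored State: closed (65533)
# Nmap done at Mon Jan 11 02:41:12 2016 -- 16 IP addresses (2 hosts up) scanned in 2471.02 seconds
"""

CURRENT_SCAN = """\
# Nmap 7.01 scan initiated Mon Feb  8 02:00:01 2016 as: nmap -sS -p- -oG current.gnmap 10.0.0.0/28
Host: 10.0.0.5 (srv1.example.internal)\tStatus: Up
Host: 10.0.0.5 (srv1.example.internal)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (65532)
Host: 10.0.0.6 (db1.example.internal)\tStatus: Up
Host: 10.0.0.6 (db1.example.internal)\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///\tIgnored State: closed (65533)
Host: 10.0.0.9 ()\tStatus: Up
Host: 10.0.0.9 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (65533)
# Nmap done at Mon Feb  8 02:43:55 2016 -- 16 IP addresses (3 hosts up) scanned in 2634.18 seconds
"""

# Hypothetical documented list of which TCP ports each host is approved to expose.
APPROVED = {"10.0.0.5": {22, 443}, "10.0.0.6": {22, 5432}}

# A "Ports:" record; the "Status:" records and "#" comment lines are ignored.
PORTS_RE = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)\tPorts: (?P<ports>.*?)(?:\tIgnored State.*)?$")


def parse_grepable(text):
    """Map each host IP to the set of (port, protocol, service) entries in state 'open'."""
    hosts = {}
    for line in text.splitlines():
        m = PORTS_RE.match(line)
        if not m:
            continue
        open_ports = set()
        for entry in m["ports"].split(", "):
            # field order is port/state/protocol/owner/service/rpcinfo/version/
            fields = entry.split("/")
            port, state, proto, service = fields[0], fields[1], fields[2], fields[4]
            if state == "open":
                open_ports.add((int(port), proto, service))
        hosts[m["ip"]] = open_ports
    return hosts


def diff_scans(baseline, current):
    """Report hosts and open ports that appeared or disappeared between two scans."""
    report = {"new_hosts": {}, "gone_hosts": sorted(set(baseline) - set(current)),
              "new_ports": {}, "closed_ports": {}}
    for ip, ports in current.items():
        if ip not in baseline:
            report["new_hosts"][ip] = sorted(ports)
            continue
        added, removed = ports - baseline[ip], baseline[ip] - ports
        if added:
            report["new_ports"][ip] = sorted(added)
        if removed:
            report["closed_ports"][ip] = sorted(removed)
    return report


def unapproved_services(scan, approved):
    """Open ports that are not on the documented list; an unlisted host has nothing approved."""
    out = {}
    for ip, ports in scan.items():
        extra = sorted(p for (p, _proto, _svc) in ports if p not in approved.get(ip, set()))
        if extra:
            out[ip] = extra
    return out


if __name__ == "__main__":
    baseline, current = parse_grepable(BASELINE_SCAN), parse_grepable(CURRENT_SCAN)
    print("Changes since baseline:", diff_scans(baseline, current))
    print("Open but not approved:", unapproved_services(current, APPROVED))
```

In the constructed data the diff surfaces two things a monthly eyeball of the raw scan would likely miss: port 8080 newly open on srv1, and a host at 10.0.0.9 exposing SMB and RDP that was not there last month. Comparing against the approved list as well as the previous scan matters because a baseline taken after a service was accidentally enabled will silently carry that service forward.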

At Compass we talk about three key pieces of your Information Security Program, and you have probably seen them all over our website: Secure. Comply. Save. Focus on security and on building a culture of security in your organization. By doing this, you will have an easier time meeting the compliance regulations that apply to your business, and in the end you will save time, money, resources, and effort while reducing your risk of a data breach. For more information, contact us to learn how Compass can help your organization.
