IT Risk Assessments and the SANS Top 20 - Part III

February 16, 2016 at 10:56 AM

As we continue down our journey of discussing the importance of the SANS Top 20 Critical Security Controls, I want to make one important clarification that was brought to my attention by one of the readers of our blog. It should be noted that the controls that we are referring to in these blog posts, and in the blog posts moving forward, are no longer referred to as the SANS Top 20 Controls. Rather, they are now referred to as the Center for Internet Security Critical Security Controls. While there remain 20 of these CSCs, and SANS remains critically involved in the development of and contribution to these controls, this is a Center for Internet Security initiative and they retain the lead on compiling information and changes to these controls, though most people still refer to them as the SANS Top 20. I would like to send a quick thanks to Russ Gallery for bringing this to light and making sure I explain this to our readers! On to CSCs 11 through 15:

  • CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches - This one seems pretty simple, straightforward, and obvious, but in all reality there is a reason that it remains on the list of the Top 20 Critical Security Controls. These devices, when sent to the end user, are designed to be deployed quickly, not necessarily to be secure. With that, organizations need to ensure that they do the basics, like only enabling the services and ports that are necessary, to increase the security of these devices. The single biggest area organizations need to pay attention to is changing the default username and password assigned to the device. These defaults are easily found online, and leaving them in place would be like leaving the door to your house open and then getting upset when someone comes in and steals your stuff. Lock your doors. Change the defaults. Secure your systems. If you think that I am making a big deal about this control, I am, and for good reason. In fact, PCI DSS 3.1 Requirement 2.1 explicitly outlines the need for organizations to change the default usernames and passwords for devices and systems installed on your network.
  • CSC 12: Boundary Defense - This is your first line of defense. Hackers, organized crime groups, and nation states look for weaknesses in your perimeter defenses to gain access to your network. From there, they wait and navigate through your systems undetected to elevate their privilege level so they can access the real information: the stuff they can use or sell to make money. Your boundary defenses should be multi-layered and should include both inbound and outbound traffic filtering. Constantly evaluate your perimeter and ensure that you are utilizing appropriate and effective defense mechanisms to keep your sensitive data safe.
  • CSC 13: Data Protection - In the world of business today, data resides in many different places, both within and outside your organization. With the advances in cloud computing and the use of mobile devices, it is essential for organizations to know where this data is and if/when/how it is being exfiltrated from your organization. Some methodologies that you can use include encryption techniques for data in motion and at rest while it resides within your organization. When using cloud computing vendors, a thorough review of their security practices and user controls is essential to protect the data that ultimately belongs to your organization.
  • CSC 14: Controlled Access Based on the Need to Know - When Compass comes into an organization to conduct an IT Risk Assessment or an IT Audit, one of the primary questions that we ask multiple times is: who has access to what information, and why do they need it? Do they need access for specific business reasons related to their role in the organization? How have you managed that access over time? The analogy that I like to use when working with clients is this: imagine that your CFO decides that they no longer want to be CFO but rather want to be an Accounts Payable Clerk. Obviously their need for access to critical financial information should change dramatically, but have you as an organization changed that controlled access to reflect the change in position? Don't worry about hurting someone's feelings by restricting their access to information based on their need to know. They should understand the reasons why this happens and be supportive of the change.
  • CSC 15: Wireless Access Control - What company do you know of that doesn't have wireless networking at their locations? Everyone has wireless access, and this remains a critical point of intrusion for organizations and one of the more challenging to protect. Do you know how many wireless access points are on your network versus how many there should be? Do you segregate your company wireless network from your guest wireless network? (You had better!) Wireless isn't going away due to its flexibility and ease of deployment. But with great reward comes great risk, so make sure that your wireless networks are secured and configured properly to keep the bad guys (and girls) out!
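The two concrete checks CSC 11 calls out, default credentials and unnecessary services, are easy to turn into a repeatable audit over exported device configurations. The script below is an added example written for this page, not tooling from the post or from Compass. It runs against a constructed IOS-style config sample; the default-credential pairs, default SNMP community strings and the "unnecessary service" rules are assumptions to be replaced with your own vendor baseline.

```python
import re

# Constructed sample of an exported running-config (IOS-style syntax, not taken
# from any real device) used to exercise the CSC 11 baseline checks below.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username admin password admin
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
ip ssh version 2
"""

# Assumed vendor-default credential pairs that must not survive deployment.
# Extend this from your own vendor documentation.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("cisco", "cisco"), ("admin", "password")}

# Assumed default SNMP community strings.
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}


def audit_config(config_text):
    """Return a list of (severity, message) findings for one device config.

    Only plaintext credentials can be compared against the default list; a
    hashed 'secret' line never matches and is left alone.
    """
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()

        # CSC 11: default username/password still present.
        m = re.match(r"username (\S+) (?:password|secret) (?:\d )?(\S+)$", line)
        if m and (m.group(1), m.group(2)) in DEFAULT_CREDENTIALS:
            findings.append(("high", f"default credential in use for user '{m.group(1)}'"))

        # CSC 11: services the perimeter baseline says are unnecessary.
        if line == "ip http server":
            findings.append(("medium", "clear-text HTTP management server enabled"))
        if line.startswith("transport input") and "telnet" in line.split()[2:]:
            findings.append(("medium", "telnet permitted on VTY lines"))

        m = re.match(r"snmp-server community (\S+)", line)
        if m and m.group(1) in DEFAULT_SNMP_COMMUNITIES:
            findings.append(("high", f"default SNMP community '{m.group(1)}' configured"))
    return findings


def worst_severity(findings):
    """Summarise a findings list as 'high', 'medium' or 'clean'."""
    order = {"high": 2, "medium": 1}
    if not findings:
        return "clean"
    return max(findings, key=lambda f: order[f[0]])[0]


if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run it over every config in your backup repository and fail the change pipeline on any "high" finding; the same structure extends to whatever your PCI DSS 3.1 Requirement 2.1 evidence needs to show (for example, that no VTY line still accepts telnet).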
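CSC 14's question, who has access to what and why, becomes a repeatable check once you have a role-to-entitlement matrix and an export of the grants accounts actually hold. The following is an added example for this page (not the post's or Compass's own tooling) built on a constructed matrix and constructed grant data; it reproduces the CFO-to-AP-clerk scenario and also flags accounts that hold grants but have no role on file. The entitlement names are assumptions.

```python
# Constructed role-to-entitlement matrix: the access each role needs, and
# nothing more. Entitlement names are assumptions for this example.
ROLE_ENTITLEMENTS = {
    "cfo": {"gl:read", "gl:post", "payroll:read", "bank:approve"},
    "ap_clerk": {"ap:read", "ap:enter"},
}

# Constructed HR feed: current role per user. jdoe stepped down from CFO to
# AP clerk; the access system was never told.
USER_ROLE = {
    "jdoe": "ap_clerk",
    "mlee": "cfo",
}

# Constructed export of what each account can actually do today.
USER_GRANTS = {
    "jdoe": {"gl:read", "gl:post", "payroll:read", "bank:approve", "ap:read", "ap:enter"},
    "mlee": {"gl:read", "gl:post", "payroll:read"},
    "svc_old": {"ap:enter"},  # grants but no role on file: orphan account
}


def reconcile_access(user_role, user_grants, role_entitlements):
    """Compare actual grants against what each user's role needs.

    Returns {user: {"excess": set, "missing": set, "orphan": bool}}, listing
    only users with something to act on so the output doubles as a review list.
    """
    report = {}
    for user, grants in user_grants.items():
        role = user_role.get(user)
        if role is None or role not in role_entitlements:
            # No (known) role: every grant is unjustified until someone owns it.
            report[user] = {"excess": set(grants), "missing": set(), "orphan": True}
            continue
        needed = role_entitlements[role]
        excess, missing = grants - needed, needed - grants
        if excess or missing:
            report[user] = {"excess": excess, "missing": missing, "orphan": False}
    # Users with a role but no grants at all are missing everything.
    for user, role in user_role.items():
        if user not in user_grants and role in role_entitlements:
            report[user] = {"excess": set(), "missing": set(role_entitlements[role]), "orphan": False}
    return report


if __name__ == "__main__":
    for user, r in sorted(reconcile_access(USER_ROLE, USER_GRANTS, ROLE_ENTITLEMENTS).items()):
        tag = "ORPHAN " if r["orphan"] else ""
        print(f"{tag}{user}: revoke {sorted(r['excess'])}, grant {sorted(r['missing'])}")
```

The "excess" set for jdoe is the financial access the former CFO should have lost on the day the role changed; the "missing" set shows the opposite failure (a role that was granted less than it needs), and orphan accounts are the ones an audit most often finds nobody can explain.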

So there you have part III of our look at the Critical Security Controls, formerly known as the SANS Top 20! Many of these look basic and elementary and to be quite honest, they are. But there is a reason why they are on this list and essential for organizations to implement. While they appear easy, not properly following them can lead to serious problems and can be a disaster. Want to avoid disaster? Conduct an IT Risk Assessment and Security Assessment to recognize where you stand and what you need to do to secure your systems and data. For more information on how Compass can assist, contact us and download our Security Risk Assessment brochure below for more information!
