IT Risk Assessment and the SANS Top 20 - Part I

February 2, 2016 at 10:30 AM

Last week we discussed the SANS Top 20 Critical Security Controls (CSC), what they are, and where they came from. This week we are going to start digging into a handful of the Critical Security Controls to discuss what they are and why they are so important. In fact, industry experts suggest that if an organization can implement and measure itself against all 20 of the CSCs, it can reduce its risk by up to 94%. This illustrates the importance of the SANS Top 20 and why we are seeing such an increase in organizations using these Critical Security Controls as the measuring stick for their IT Security program.

Today we are going to look at the first 5 CSCs in order and provide some context around them to further explain why they are so important and why your organization should consider incorporating these controls into your Information Security Program:

  • CSC 1: Inventory of Authorized and Unauthorized Devices - On the surface, this one makes perfect sense. You have to know what is on your network to properly secure your network. But what about the Bring Your Own Device (BYOD) phenomenon that is taking place in organizations all over the world? If these devices are accessing your network, which they most likely are, what risks do they pose to the information that traverses your network? These may or may not be considered unauthorized devices, but as a best practice you need to know what these devices are in order to measure and mitigate your risk.
  • CSC 2: Inventory of Authorized and Unauthorized Software - Software has to run on hardware somewhere down the line, whether that is within your organization or hosted by a third-party provider. Just as you need to know what devices are on your network, you need to know what software is running on those devices to understand what risk they pose. Attackers are constantly looking for opportunities to gain access to your network, and vulnerable versions of software are a tool that they use. Is the software that your employees have installed needed for business purposes? If not, what risk does it present, particularly if it is not properly managed and maintained?
  • CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers - When operating systems and applications are shipped to organizations, they are traditionally configured to make them easy to deploy, not necessarily with security at the top of the priority list. Because of that, you have to change these default configurations to make security a priority. In addition, you have to consistently manage these configurations as patches are released and software is updated, so that changes do not reopen holes that introduce risk.
  • CSC 4: Continuous Vulnerability Assessment and Remediation - I'm not going to lie, this is a big one that organizations need to pay attention to. Many organizations do a vulnerability assessment, but they do it once a year to meet a compliance regulation. While that is okay, it is certainly not ideal. Information Security is like a game of cat and mouse, with attackers constantly working to find ways to access your systems. If you are "defending" against those attacks once a year, how successful will you be? We all know that resources are limited, but at the end of the day you have an obligation to your clients and customers to take the necessary steps to secure their confidential information. Continuous vulnerability assessment and remediation is a key step in this fight!
  • CSC 5: Controlled Use of Administrator Privileges - Uncontrolled administrator privileges are a primary means by which attackers gain access to an organization's systems and ultimately expand their presence throughout the organization. When we conduct Penetration Testing (discussed later in the SANS Top 20), elevation of privileges to administrator is one of the tests that we always run. This can be done by cracking weak passwords or by guessing passwords that are used on less critical systems and are loosely distributed throughout the organization.
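CSC 1 and CSC 2 both come down to the same operational question: does what is actually on the network match what you have authorized? The script below is an added illustration of that reconciliation and is not code from this post or from Compass. It assumes a constructed authorized-device list (keyed by MAC address), a constructed authorized-software list with a minimum approved version for each package (the version floor stands in for the "vulnerable versions of software" point under CSC 2), and constructed discovery output of the kind a scanner or endpoint agent would report; the function and variable names are my own.

```python
"""Reconcile observed hosts against an authorized inventory (CSC 1 and CSC 2).

All data below is constructed for illustration; nothing here is real tooling
output or a real organization's inventory.
"""
from typing import Dict, List, Tuple

# Constructed authorized device inventory: MAC address -> description.
AUTHORIZED_DEVICES: Dict[str, str] = {
    "00:11:22:33:44:01": "file server FS01",
    "00:11:22:33:44:02": "workstation WS-ACCT-07",
    "00:11:22:33:44:03": "printer PRN-2F",
}

# Constructed authorized software list: package name -> minimum approved
# version. Anything below the floor is treated as a known-vulnerable build.
AUTHORIZED_SOFTWARE: Dict[str, str] = {
    "openssh": "7.4",
    "apache2": "2.4.18",
    "chrome": "48.0",
}

# Constructed discovery output: one record per host seen on the network,
# with the packages an agent reported as installed.
OBSERVED_HOSTS: List[dict] = [
    {"mac": "00:11:22:33:44:01", "ip": "10.0.0.5", "host": "FS01",
     "software": {"openssh": "7.2", "apache2": "2.4.18"}},
    {"mac": "00:11:22:33:44:02", "ip": "10.0.0.41", "host": "WS-ACCT-07",
     "software": {"chrome": "48.0", "bittorrent-client": "7.9"}},
    # An unknown device, e.g. a personal phone joining the wireless network.
    {"mac": "aa:bb:cc:dd:ee:ff", "ip": "10.0.0.77", "host": "android-9f3c",
     "software": {}},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '2.4.18' into a comparable tuple (2, 4, 18).

    Non-numeric characters inside a component are ignored so that a string
    like '7.4p1' still compares on its numeric parts.
    """
    parts = []
    for component in version.split("."):
        digits = "".join(ch for ch in component if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def reconcile(observed: List[dict],
              authorized_devices: Dict[str, str],
              authorized_software: Dict[str, str]) -> Dict[str, list]:
    """Compare discovered hosts and packages with the authorized inventories.

    Returns three lists: devices not in the inventory (CSC 1), packages that
    are not approved at all (CSC 2), and approved packages running below the
    minimum approved version (CSC 2, vulnerable builds).
    """
    findings: Dict[str, list] = {
        "unauthorized_devices": [],
        "unauthorized_software": [],
        "outdated_software": [],
    }
    known_macs = {mac.upper() for mac in authorized_devices}
    for host in observed:
        if host["mac"].upper() not in known_macs:
            findings["unauthorized_devices"].append(
                (host["mac"], host["ip"], host["host"]))
        # Software on an unknown device is still assessed: it is on the
        # network either way, which is the point of CSC 1 and CSC 2 together.
        for package, version in host["software"].items():
            minimum = authorized_software.get(package)
            if minimum is None:
                findings["unauthorized_software"].append(
                    (host["host"], package, version))
            elif parse_version(version) < parse_version(minimum):
                findings["outdated_software"].append(
                    (host["host"], package, version, minimum))
    return findings


if __name__ == "__main__":
    report = reconcile(OBSERVED_HOSTS, AUTHORIZED_DEVICES, AUTHORIZED_SOFTWARE)
    for category, items in report.items():
        print(f"{category}: {len(items)}")
        for item in items:
            print("   ", item)
```

Run against the constructed data, the script flags the unknown device, the unapproved file-sharing client on the accounting workstation, and the file server's OpenSSH build that sits below the approved floor. In practice the authorized lists would come from your asset and software inventory system and the observed list from a network scanner or endpoint agent; the value of the control is in running this comparison continuously rather than once.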

As an organization, you must consistently evaluate your security posture and make the necessary changes to improve it, ultimately mitigating your overall risk. The first 5 CSCs are a great place to start and are often referred to as the "First Five," the must-haves for an organization. If you are looking for a place to start, these 5 controls are perfect. For more information on how Compass can assist your organization, contact us for an initial consultation!
