IT Risk Assessment and the SANS Top 20 - Part IV

Geoff Yeagley
Feb 23, 2016 11:00:00 AM

I know, I know. Before you even say it, they are called the Center for Internet Security Critical Security Controls, not the SANS Top 20 anymore. But everyone knows them as the SANS Top 20 and oftentimes still refers to them by this name, which is why I stuck with it for the final part in this series. I promise that in future posts I will not refer to them as the SANS Top 20 and will refer to them by their correct, actual name. The good news is that we are in the final part of this blog series, so you won't hear me call them by their old name anymore! On we go to the final five CSCs that make up the 20 Critical Security Controls:

  • CSC 16: Account Monitoring and Control - The misuse of user accounts by hackers has long been a trick they use to gain access to your network. The problem is that it doesn't raise any red flags, since they are using what appear to be authentic credentials. Yet they are illegally accessing your network, and I am guessing they are not in there to give you some suggestions on how to improve your business strategy. By monitoring your user accounts and having appropriate controls in place to terminate access when employees leave, you are closing a loophole that hackers love to exploit. In addition, you are preventing former employees from accessing your network and acting on what may not be the best of intentions.
  • CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps - What does this possibly mean, as that is a mouthful? Essentially, what this comes down to is education and training for all of your employees. Everyone thinks that Cybersecurity and Cyberdefense are just the IT Department's problem and that they are ultimately responsible for these initiatives. Wrong. Information Security and Cyberdefense is, and needs to be, an organization-wide focus and initiative. Why? Because hackers and nation states are looking for the weak link in the chain to exploit. This is why they send carefully crafted phishing emails, that look legit, to people in finance and other "non-technical" departments. Start with Security Awareness Training to get some education out there to your employees, but don't stop there. Use controlled testing of your employees by sending them phishing emails, calling and pretending to be from IT and asking them to download sketchy software, and doing other things in a controlled environment to test them. Create a culture of security where they can question things that appear phishy (see what I did there?) so when the real threat comes, they are empowered to question something that looks a bit off and not just blindly follow by clicking on the link or downloading malware.
  • CSC 18: Application Software Security - We focus quite a bit on network security, for good reason, but we also need to manage and pay attention to application security throughout the entire life cycle, for both applications that are developed in house and those acquired by an organization. This is a common method of attack that has the potential to do significant damage not only to your organization, but to whoever accesses that application as well. Look for coding mistakes, logic errors, and incomplete requirements. Have an independent third party conduct a source code review to look for these things and give you some peace of mind that your application is secure.
  • CSC 19: Incident Response and Management - This is such a critical control and one that organizations don't pay enough attention to. Data breaches are a way of life these days. Most people don't want to admit that, but it is true. I attended a presentation at the Florida Center for Cybersecurity back in 2014 and the keynote was given by Mike McConnell, former Director of the NSA. One of the points that he made during his presentation was that there are two types of companies in the world today: those that have been hacked and know about it, and those that have been hacked and don't know about it. How do you respond to a breach or breach attempt? Who takes on what responsibility? How do you get Bitcoins to pay a ransom? You need to have a cross-organizational plan that outlines the roles and responsibilities for team members so when things go south, you're prepared and know what to do!
  • CSC 20: Penetration Tests and Red Team Exercises - This is my favorite control and one that companies don't necessarily think applies to them. They will gladly comply with CSC 4 around Vulnerability Scanning and Remediation, but they fail to take the next step and conduct thorough Penetration Testing. In addition, the terms Vulnerability Scanning and Penetration Testing are oftentimes confused and used incorrectly, leading to organizations thinking they are getting apples but instead receiving oranges. Vulnerability Assessments are a good first step, but they are not the end of the line. Take the next step and conduct Penetration Testing to see how strong your network (or application) is and what you can do to remediate any vulnerabilities to ultimately strengthen your network and protect your sensitive data.
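As an added illustration of the CSC 16 point about monitoring accounts and terminating access when employees leave (this is example code, not code from the original post), the check below cross-references a constructed HR roster against constructed sshd login lines to flag logins by terminated users and to list enabled accounts that have gone dormant; the roster layout, log format and thresholds are assumptions.

```python
"""CSC 16 account-monitoring check on constructed sample data (not the
author's or any vendor's code): terminated-user logins and dormant accounts."""
from datetime import datetime, timedelta
import re

# Constructed HR roster: username -> (enabled in directory?, termination date or None)
HR_ROSTER = {
    "alice": (True, None),
    "bob":   (True, datetime(2016, 2, 1)),    # left Feb 1 but was never disabled
    "carol": (False, datetime(2016, 1, 15)),  # correctly disabled on departure
    "dave":  (True, None),
}

# Constructed syslog-style sshd "Accepted" lines standing in for a real auth log
AUTH_LOG = """\
Feb 20 08:12:01 srv1 sshd[411]: Accepted password for alice from 10.0.0.5 port 5122
Feb 22 23:40:17 srv1 sshd[902]: Accepted password for bob from 10.0.0.77 port 6010
Feb 22 09:01:55 srv1 sshd[903]: Accepted password for carol from 10.0.0.9 port 6011
"""
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")

def parse_logins(log, year=2016):
    """Return (timestamp, user, src_ip) for each successful login in the log."""
    out = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog lines carry no year, so one is supplied by the caller
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            out.append((ts, m.group(2), m.group(3)))
    return out

def terminated_logins(logins, roster):
    """Logins by users whose HR termination date is on or before the login time."""
    hits = []
    for ts, user, ip in logins:
        enabled, term = roster.get(user, (False, None))
        if term is not None and ts >= term:
            hits.append({"user": user, "when": ts, "src": ip, "still_enabled": enabled})
    return hits

def dormant_accounts(logins, roster, now, max_idle_days=30):
    """Enabled accounts with no successful login in the last max_idle_days."""
    last_seen = {}
    for ts, user, _ in logins:
        last_seen[user] = max(ts, last_seen.get(user, ts))
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u for u, (enabled, _) in roster.items()
                  if enabled and last_seen.get(u, datetime.min) < cutoff)
```

Running `terminated_logins(parse_logins(AUTH_LOG), HR_ROSTER)` surfaces both the still-enabled "bob" and the disabled "carol" (a login by a disabled account is worth investigating in its own right); `dormant_accounts` then lists enabled accounts that nobody has used.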

There you have it, the final 5 Critical Security Controls as outlined by the Center for Internet Security. All of these controls are critical and should be incorporated into your Information Security program to help you not only comply with various Federal, State, and Industry Regulations, but as a best practice to secure your network and keep your data safe. Information Security is a game of cat and mouse and your goal is simple: Don't be the mouse!

Compass IT Compliance holds a monthly webinar series that presents Information Security topics in an educational manner. This month we are discussing the difference between Vulnerability Scanning and Penetration Testing and some best practices for implementing both in your Information Security Program. Details are below:

What: The Difference between Vulnerability Scanning and Penetration Testing Webinar

When: Thursday February 25th at 1:00 PM EST, 30 minutes in length with a Q&A session to follow
