If protecting your organization from cyberattack is your responsibility, you probably have heard of the 20 baseline security controls that the Consensus Audit Guidelines (CAG) project defines and recommends.
Speaking at the Gartner Information Security Summit 2009 in London, SANS instructor Stephen Armstrong outlined 15 “quick wins” based on these controls: simple steps you can take to make an immediate difference to your security.
Here are Armstrong’s quick wins for the controls, followed by his other advice:
Quick win: Deploy an automated asset inventory tool that both scans designated IP address ranges and analyses traffic to identify devices and software. You can’t secure your network unless you know exactly what hardware and software is running on it.
Quick win: Remove games, HyperTerminal and the “crapware” that comes bundled with many end-user machines, and unnecessary software on servers. If you need six applications on a machine, then there should be six, not twenty. Ideally, deploy standardized images, and document whenever a non-standardized image is used for any reason.
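The two quick wins above amount to one check: reconcile what discovery actually found against the list of authorized devices and the standard image for each role, and report the differences. The script below is an added example, not code from the article or from SANS/CAG. The record layout, the per-role baseline and the sample hosts are constructed assumptions; a real run would load them from the scanner output and the inventory or CMDB.

```python
"""Reconcile a discovery scan against the authorized asset inventory.

Added example for this article; it is not the author's or SANS/CAG tooling.
The record layout, the per-role software baseline and the sample devices are
constructed assumptions: a real run would load them from the scanner and the
inventory/CMDB instead.
"""
from collections import Counter, namedtuple

# Constructed authorized inventory: MAC address -> (hostname, role).
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:01": ("web01", "webserver"),
    "00:11:22:33:44:02": ("db01", "dbserver"),
    "00:11:22:33:44:03": ("print01", "printer"),
    "00:11:22:33:44:10": ("ws-alice", "workstation"),
}

# Constructed standard image per role: "if you need six applications,
# there should be six, not twenty".
BASELINE = {
    "webserver": {"nginx", "openssh-server", "rsyslog"},
    "dbserver": {"postgresql", "openssh-server", "rsyslog"},
    "printer": set(),
    "workstation": {"firefox", "libreoffice", "openssh-client"},
}

# Constructed discovery output: what the scanner and traffic analysis saw.
DISCOVERED = [
    {"ip": "10.0.1.10", "mac": "00:11:22:33:44:01",
     "software": {"nginx", "openssh-server", "rsyslog"}},
    {"ip": "10.0.1.11", "mac": "00:11:22:33:44:02",
     "software": {"postgresql", "openssh-server", "rsyslog", "minecraft-server"}},
    {"ip": "10.0.2.50", "mac": "00:11:22:33:44:10",
     "software": {"firefox", "libreoffice", "openssh-client", "hyperterminal", "vendor-toolbar"}},
    {"ip": "10.0.2.99", "mac": "DE:AD:BE:EF:00:01", "software": set()},
]

Finding = namedtuple("Finding", "ip mac kind detail")


def reconcile(discovered, authorized=AUTHORIZED_DEVICES, baseline=BASELINE):
    """Return findings for unknown devices, software drift from the role's
    baseline, and authorized devices the scan failed to see."""
    findings, seen = [], set()
    for host in discovered:
        mac = host["mac"].lower()   # normalise case before comparing
        seen.add(mac)
        if mac not in authorized:
            findings.append(Finding(host["ip"], mac, "unknown-device",
                                    "MAC not in authorized inventory"))
            continue
        name, role = authorized[mac]
        for pkg in sorted(host["software"] - baseline[role]):
            findings.append(Finding(host["ip"], mac, "unauthorized-software",
                                    f"{name} ({role}) has {pkg}"))
        for pkg in sorted(baseline[role] - host["software"]):
            findings.append(Finding(host["ip"], mac, "missing-baseline-software",
                                    f"{name} ({role}) lacks {pkg}"))
    # An authorized device that never showed up is also worth a look: it may
    # be off, moved, or hiding from the scanner.
    for mac, (name, role) in authorized.items():
        if mac not in seen:
            findings.append(Finding(None, mac, "not-seen",
                                    f"{name} ({role}) in inventory but not discovered"))
    return findings


def summarize(findings):
    """Count findings by kind, the numbers a weekly report would track."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in reconcile(DISCOVERED):
        print(f"{f.kind:26} {f.ip or '-':12} {f.mac}  {f.detail}")
    print(summarize(reconcile(DISCOVERED)))
```

Keying on MAC rather than IP is deliberate: addresses move with DHCP, and an unknown device that borrows a known host's IP would otherwise pass. Feeding the unknown-device findings to a network access control or switch-port lookup is the natural next step.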
Quick win: Implement ingress and egress filtering, allowing only those ports and services with a documented business need. Configurations should be documented and checked to ensure they are secure.
Quick win: Deploy whitelists and blacklists and an IDS, and configure outbound controls. If you have no egress monitoring, you are leaving yourself vulnerable.
Quick win: Logs are created for a reason. Make sure they are monitored so you can see what is going on in your network and spot anomalies or unusual behavior.
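Egress monitoring and log monitoring meet in practice: the firewall's accepted-connection log is where both "does this outbound traffic have a documented need?" and "is this pattern unusual?" get answered. The script below is an added example for the two quick wins above, not code from the article or from SANS. The log line format, the egress policy sets and the sample lines are constructed assumptions; it also flags regular-interval connections (beaconing) that a port-based policy alone would pass.

```python
"""Egress monitoring over firewall connection logs.

Added example for this article, not code from the page's author or SANS.
The log format, the policy sets and the sample lines are constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed line format, one accepted/dropped connection per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)

# Constructed egress policy: what has a documented business need.
ALLOWED_EGRESS_PORTS = {80, 443}   # general web access
CORP_RESOLVERS = {"10.0.0.53"}     # the only permitted DNS targets
MAIL_RELAYS = {"10.0.1.25"}        # the only hosts allowed to speak SMTP out
BEACON_MIN_HITS = 4                # connections before a pair is judged
BEACON_MAX_JITTER = 2.0            # std-dev (seconds) still counted as "regular"

# Constructed sample log.
LOG = """\
2009-06-15T10:00:00 ACCEPT src=10.0.2.50 dst=203.0.113.5 proto=tcp dport=443
2009-06-15T10:00:01 ACCEPT src=10.0.2.50 dst=10.0.0.53 proto=udp dport=53
2009-06-15T10:00:05 ACCEPT src=10.0.2.51 dst=8.8.8.8 proto=udp dport=53
2009-06-15T10:00:09 ACCEPT src=10.0.2.52 dst=198.51.100.7 proto=tcp dport=25
2009-06-15T10:00:12 ACCEPT src=10.0.2.50 dst=198.51.100.9 proto=tcp dport=6667
2009-06-15T10:01:00 ACCEPT src=10.0.2.60 dst=192.0.2.77 proto=tcp dport=443
2009-06-15T10:02:00 ACCEPT src=10.0.2.60 dst=192.0.2.77 proto=tcp dport=443
2009-06-15T10:03:00 ACCEPT src=10.0.2.60 dst=192.0.2.77 proto=tcp dport=443
2009-06-15T10:04:01 ACCEPT src=10.0.2.60 dst=192.0.2.77 proto=tcp dport=443
2009-06-15T10:05:00 DROP src=10.0.2.50 dst=198.51.100.9 proto=tcp dport=4444
garbage line that does not parse
"""


def parse(lines):
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({"ts": datetime.fromisoformat(d["ts"]), "action": d["action"],
                       "src": d["src"], "dst": d["dst"], "proto": d["proto"],
                       "dport": int(d["dport"])})
    return events


def is_internal(ip):
    return ip.startswith("10.")   # constructed: RFC 1918 10/8 is "inside"


def policy_violations(events):
    """Accepted outbound connections the documented egress policy does not cover."""
    out = []
    for e in events:
        if e["action"] != "ACCEPT" or not is_internal(e["src"]):
            continue
        p = e["dport"]
        if p == 53 and e["dst"] not in CORP_RESOLVERS:
            out.append(("dns-to-external-resolver", e["src"], e["dst"], p))
        elif is_internal(e["dst"]):
            continue                       # east-west traffic is not egress
        elif p == 25 and e["src"] not in MAIL_RELAYS:
            out.append(("smtp-from-non-relay", e["src"], e["dst"], p))
        elif p != 25 and p not in ALLOWED_EGRESS_PORTS:
            out.append(("port-not-in-policy", e["src"], e["dst"], p))
    return out


def beacons(events):
    """Internal->external pairs that connect at near-constant intervals."""
    by_pair = defaultdict(list)
    for e in events:
        if e["action"] == "ACCEPT" and is_internal(e["src"]) and not is_internal(e["dst"]):
            by_pair[(e["src"], e["dst"], e["dport"])].append(e["ts"])
    found = []
    for key, stamps in by_pair.items():
        if len(stamps) < BEACON_MIN_HITS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if statistics.pstdev(gaps) <= BEACON_MAX_JITTER:
            found.append((*key, round(statistics.mean(gaps), 1)))
    return found


if __name__ == "__main__":
    ev = parse(LOG.splitlines())
    for v in policy_violations(ev):
        print("policy:", v)
    for b in beacons(ev):
        print("beacon:", b)
```

Note that the 10.0.2.60 connections are all to port 443 and pass the policy check; only the interval analysis exposes them. That is the argument for monitoring logs rather than relying on the allow list alone.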
Quick win: Use Web application firewalls and application-layer security to protect your applications from SQL injection, cross-site scripting and other attacks.
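A WAF is a layer in front of the application; the application-layer fix is to stop mixing untrusted input into SQL and HTML in the first place. The block below is an added example for this article, not code from the page's author: it puts the vulnerable login query and greeting next to the hardened versions so the injection can be run against both. The schema, the user rows and the payloads are constructed for the demonstration.

```python
"""SQL injection and XSS: the vulnerable pattern beside the hardened one.

Added example for this article, not code from the page's author.
The schema, the users and the payloads are constructed for the demonstration.
"""
import html
import sqlite3


def make_db():
    """In-memory table with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "correct horse", 1), ("bob", "hunter2", 0)])
    return conn


def login_vulnerable(conn, name, password):
    """String-built query: attacker-controlled input is parsed as SQL, so
    a name of  alice' --  comments out the password check entirely."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, name, password):
    """Parameterised query: the same input is bound as data, never as SQL."""
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?", (name, password)
    ).fetchone()
    return row[0] if row else None


def render_greeting_vulnerable(display_name):
    """Reflects user input into HTML unescaped: a stored or reflected XSS."""
    return f"<p>Welcome, {display_name}</p>"


def render_greeting_hardened(display_name):
    """Escapes the five HTML metacharacters before the value reaches markup."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "alice' --"
    print("vulnerable:", login_vulnerable(db, payload, "wrong"))   # alice
    print("hardened:  ", login_hardened(db, payload, "wrong"))     # None
    print(render_greeting_vulnerable("<script>alert(1)</script>"))
    print(render_greeting_hardened("<script>alert(1)</script>"))
```

Parameter binding is the durable defence because it works regardless of what the WAF recognises; the WAF still earns its place as a detection point and as a stop-gap for code you cannot change yet.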
Quick win: Some IT staff need admin privileges, but not for reading email. Ensure they have different accounts and passwords for admin and non-admin activities. It’s also important to ensure that all devices have usernames and passwords changed from their defaults.
Quick win: Make sure you know which data needs protecting, where it is, and who needs access to it, and ensure controls are in place to restrict access to authorized users.
Quick win: Assess vulnerabilities continuously, for example with a vulnerability scanner such as Nessus. It needs to be updated and run often, because a mild vulnerability one day can become a critical one the next.
Quick win: Disable any accounts that can’t be associated with current staff or contractors, and create a procedure for disabling accounts when users leave. It’s also useful to generate regular reports on accounts that are not used regularly and on attempts to access disabled accounts.
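The account quick win above is three reports plus one procedure, and all four can be driven from a directory export, the HR roster and the authentication log. The script below is an added example for this article, not code from the page's author or from SANS. The account record layout, the roster, the auth log format and the sample lines are constructed assumptions.

```python
"""Account hygiene: orphaned, stale and disabled-but-still-targeted accounts.

Added example for this article, not code from the page's author or SANS.
The account records, the HR roster, the log format and the lines are constructed.
"""
import re
from datetime import datetime, timedelta

NOW = datetime(2009, 6, 15)          # fixed "today" so the example is repeatable
STALE_AFTER = timedelta(days=90)     # constructed policy threshold

# Constructed HR roster: people who currently work here.
CURRENT_PEOPLE = {"alice", "bob", "carol"}

# Constructed directory export, one record per account. "owner" is the
# person accountable for the account; service accounts need one too.
ACCOUNTS = [
    {"user": "alice", "owner": "alice", "enabled": True, "last_login": datetime(2009, 6, 14)},
    {"user": "bob", "owner": "bob", "enabled": True, "last_login": datetime(2009, 1, 3)},
    {"user": "carol", "owner": "carol", "enabled": True, "last_login": None},
    {"user": "dave", "owner": "dave", "enabled": True, "last_login": datetime(2009, 5, 1)},
    {"user": "svc-backup", "owner": None, "enabled": True, "last_login": datetime(2009, 6, 14)},
    {"user": "erin", "owner": "erin", "enabled": False, "last_login": datetime(2008, 12, 1)},
]

# Constructed authentication log format and sample lines.
AUTH_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$")
AUTH_LOG = """\
2009-06-14T23:10:00 auth fail user=erin src=10.0.2.50
2009-06-14T23:10:04 auth fail user=erin src=10.0.2.50
2009-06-14T23:11:00 auth fail user=dave src=10.0.2.50
2009-06-14T23:12:00 auth ok user=alice src=10.0.2.10
"""


def orphaned_accounts(accounts, people):
    """Enabled accounts whose owner is not a current person, or has no owner."""
    return [a["user"] for a in accounts if a["enabled"] and a["owner"] not in people]


def stale_accounts(accounts, now=NOW, max_age=STALE_AFTER):
    """Enabled accounts unused for longer than max_age; never-used counts as stale."""
    return [a["user"] for a in accounts
            if a["enabled"] and (a["last_login"] is None or now - a["last_login"] > max_age)]


def disabled_account_attempts(accounts, log_lines):
    """Auth attempts against disabled accounts: a credential is still in circulation."""
    disabled = {a["user"] for a in accounts if not a["enabled"]}
    hits = []
    for line in log_lines:
        m = AUTH_RE.match(line.strip())
        if m and m["user"] in disabled:
            hits.append((m["ts"], m["user"], m["src"]))
    return hits


def disable_departed(accounts, people):
    """The leaver procedure: disable every enabled account whose owner has
    left. Ownerless accounts are left for the orphan report rather than
    silently disabled. Returns (updated records, usernames changed)."""
    updated, changed = [], []
    for a in accounts:
        a = dict(a)
        if a["enabled"] and a["owner"] is not None and a["owner"] not in people:
            a["enabled"] = False
            changed.append(a["user"])
        updated.append(a)
    return updated, changed


if __name__ == "__main__":
    print("orphaned:", orphaned_accounts(ACCOUNTS, CURRENT_PEOPLE))
    print("stale:   ", stale_accounts(ACCOUNTS))
    print("attempts on disabled:", disabled_account_attempts(ACCOUNTS, AUTH_LOG.splitlines()))
    after, changed = disable_departed(ACCOUNTS, CURRENT_PEOPLE)
    print("disabled by leaver procedure:", changed)
    print("attempts on disabled (after):", disabled_account_attempts(after, AUTH_LOG.splitlines()))
```

Running the leaver procedure changes what the last report shows: once dave's account is disabled, the failed login against it the night before becomes an alert rather than noise.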
Quick win: Ensuring anti-malware software is running on all systems is important, but make sure you have a system in place so that its signatures are updated regularly on every machine. Another quick win is disabling autorun for removable storage devices.
Quick win: Make sure your routers’ management interfaces can only be accessed internally, and that firewalls or filters drop all traffic except for services and ports that are explicitly allowed.
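The ingress/egress filtering quick win earlier and the one just above share a check: the default policy must be drop, every allow rule must trace to a documented business need, and management services must only be reachable from inside. The script below is an added example for both, not code from the article or from SANS. It reads the `iptables-save` text format; the sample ruleset, the documented-need table and the internal address range are constructed assumptions, and the checks would need adapting for another firewall's dump format.

```python
"""Audit an iptables-save dump against documented business need.

Added example for this article, not code from the page's author or SANS.
The sample ruleset, the documented-need table and the "internal" range are
constructed assumptions.
"""
import ipaddress

# Constructed: services that count as management and must stay internal-only.
MGMT_SERVICES = {("tcp", 22), ("tcp", 23), ("udp", 161)}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed: (chain, proto, port) -> the change ticket that documents the need.
DOCUMENTED = {
    ("INPUT", "tcp", 22): "CHG-101 admin SSH, internal sources only",
    ("INPUT", "tcp", 443): "CHG-102 public HTTPS",
    ("OUTPUT", "tcp", 443): "CHG-103 outbound HTTPS to vendors",
}

# Constructed sample in iptables-save format.
RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 3389 -j ACCEPT
-A INPUT -p udp --dport 161 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
COMMIT
"""


def parse_ruleset(text):
    """Return (chain policies, rules). Only the options the audit needs are
    kept; every option in the dump is 'flag value', so the walk steps by two."""
    policies, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            t = line.split()
            rule = {"chain": t[1], "proto": None, "dport": None, "src": None, "target": None}
            for i in range(2, len(t) - 1, 2):
                opt, val = t[i], t[i + 1]
                if opt == "-p":
                    rule["proto"] = val
                elif opt == "--dport":
                    rule["dport"] = int(val)
                elif opt == "-s":
                    rule["src"] = val
                elif opt == "-j":
                    rule["target"] = val
            rules.append(rule)
    return policies, rules


def is_internal_source(src):
    """True only when the rule restricts the source to an internal range."""
    if src is None:
        return False
    net = ipaddress.ip_network(src, strict=False)
    return any(net.subnet_of(n) for n in INTERNAL_NETS)


def audit(text, documented=DOCUMENTED):
    """Findings: chains not defaulting to DROP, accepts with no documented
    need, and management services reachable from outside."""
    policies, rules = parse_ruleset(text)
    findings = []
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if policies.get(chain) != "DROP":
            findings.append(("default-not-drop", chain, policies.get(chain)))
    for r in rules:
        if r["target"] != "ACCEPT" or r["dport"] is None:
            continue   # loopback and stateful-return rules carry no port
        svc = f"{r['proto']}/{r['dport']}"
        if (r["chain"], r["proto"], r["dport"]) not in documented:
            findings.append(("undocumented-allow", r["chain"], svc))
        if (r["proto"], r["dport"]) in MGMT_SERVICES and not is_internal_source(r["src"]):
            findings.append(("management-exposed", r["chain"], f"{svc} from {r['src'] or 'anywhere'}"))
    return findings


if __name__ == "__main__":
    for f in audit(RULESET):
        print(*f)
```

The OUTPUT chain defaulting to ACCEPT is the finding that matters most here: with it, the single documented outbound rule is decorative, and there is no egress filtering at all.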
Quick win: Scan for rogue access points on your network regularly. Using centrally managed enterprise-class devices with an authorized configuration and security profile is also important.
Advice: Ensure that laptop hard drives are encrypted, and scan outbound traffic on your network for keywords.
The following advice doesn’t fall into the category of “quick wins,” but is worth considering:
Advice: If you are starting from scratch, make sure your network is secure by design. This implies looking for single points of failure, and building in “choke points” you can monitor.
Advice: Carry out penetration tests regularly, from inside and outside the network perimeter. Use your own staff, automated tools, and outside consultants as well. Remember, a penetration test that finds no vulnerabilities tells you nothing.
Advice: Make written preparations in advance so you can react quickly and efficiently during an incident, instead of going into panic mode and risking the wrong decisions that make things worse.
Advice: Make sure backups are performed regularly and are stored offline and offsite. Backups should include applications and operating systems as well as data.
Advice: Just half an hour of training per year explaining how to choose a secure password and why, or why clicking on email attachments from unknown sources is a bad idea, can pay huge security dividends.
For more formal, detailed advice for each of these controls, visit SANS’ 20 Critical Security Controls – Version 2.1 guidelines.
Paul Rubens is a technology journalist specializing in enterprise networking, security, storage, and virtualization. He has worked for international publications including The Financial Times, BBC, and The Economist, and is now based near Oxford, U.K. When not writing about technology Paul can usually be found playing or restoring pinball machines.