If protecting your organization from cyberattack is your responsibility, you probably have heard of the 20 baseline security controls that the Consensus Audit Guidelines (CAG) project defines and recommends.
Speaking at the Gartner Information Security Summit 2009 in London, SANS instructor Stephen Armstrong outlined 15 “quick wins” based on these controls: simple steps you can take to make an immediate difference to your security.
Here are the 20 controls, and Armstrong’s quick wins and other advice:
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
Quick win: Deploy an automated asset inventory tool that both scans designated IP address ranges and analyses traffic to identify devices and software. You can’t secure your network unless you know exactly what hardware and software is running on your network.
3. Secure Configurations For Hardware and Software on Laptops, Workstations, and Servers
Quick win: Remove games, hyperterminals and the “crapware” that comes bundled with many end user machines, as well as unnecessary software on servers. If you need six applications on a machine, then there should be six, not twenty. Ideally, deploy standardized images, and document whenever a non-standardized image is used for any reason.
4. Secure Configurations For Network Devices Such as Firewalls, Routers, and Switches
Quick win: Implement ingress and egress filtering, allowing only those ports and services with a documented business need. Configurations should be documented and checked to ensure they are secure.
5. Boundary Defense
Quick win: Deploy whitelists and blacklists and an IDS, and configure outbound controls. If you have no egress monitoring, you are leaving yourself vulnerable.
6. Maintenance, Monitoring, and Analysis of Security Audit Logs
Quick win: Logs are created for a reason. Make sure they are monitored so you can see what is happening on your network and spot any anomalies or unusual behavior.
7. Application Software Security
Quick win: Use Web application firewalls and application layer security to protect your applications from SQL injections, cross site scripting and other attacks.
8. Controlled Use of Administrative Privileges
Quick win: Some IT staff need admin privileges, but not for reading email. Ensure they have different accounts and passwords for admin and non-admin activities. It’s also important to ensure that all devices have usernames and passwords changed from their defaults.
9. Controlled Access Based on Need to Know
Quick win: Make sure you know which data needs protecting, where it is, and who needs access to it, and ensure controls are in place to restrict access to authorized users.
10. Continuous Vulnerability Assessment and Remediation
Quick win: One way to do this is to use a vulnerability scanner like Nessus. It needs to be updated and run often, because a mild vulnerability one day can become a critical vulnerability the next.
11. Account Monitoring and Control
Quick win: Disable any accounts that can’t be associated with current staff or contractors, and create a procedure for disabling accounts when users leave. It’s also useful to generate regular reports on accounts that are not used regularly and on attempts to access disabled accounts.
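As an added illustration of the reporting step in this quick win (example code, not part of the original article or of the SANS controls), the following Python script flags enabled accounts that have not logged on recently and logon attempts against accounts that are already disabled. The account export, the sshd-style log format and the 90-day idle threshold are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed account directory export (username -> status, last logon).
ACCOUNTS = {
    "alice":   {"status": "enabled",  "last_logon": "2009-09-20"},
    "bob":     {"status": "enabled",  "last_logon": "2009-05-01"},
    "svc_old": {"status": "disabled", "last_logon": "2008-11-30"},
    "carol":   {"status": "enabled",  "last_logon": "2009-09-25"},
}

# Constructed sshd-style authentication records; the format is assumed.
AUTH_LOG = """\
2009-09-28T08:01:12 host1 sshd: Accepted password for alice from 10.0.0.5
2009-09-28T08:02:40 host1 sshd: Failed password for svc_old from 10.0.0.9
2009-09-28T08:02:44 host1 sshd: Failed password for svc_old from 10.0.0.9
2009-09-28T09:15:03 host2 sshd: Accepted password for carol from 10.0.0.7
2009-09-28T09:30:00 host2 sshd: Failed password for bob from 10.0.0.8
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) "
                    r"password for (?P<user>\S+) from (?P<src>\S+)$")

def parse_auth_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def dormant_accounts(accounts, as_of, max_idle_days=90):
    """Enabled accounts whose last logon is older than max_idle_days before as_of."""
    cutoff = datetime.strptime(as_of, "%Y-%m-%d") - timedelta(days=max_idle_days)
    return sorted(name for name, a in accounts.items()
                  if a["status"] == "enabled"
                  and datetime.strptime(a["last_logon"], "%Y-%m-%d") < cutoff)

def disabled_account_attempts(accounts, events):
    """Logon attempts (successful or failed) against accounts marked disabled."""
    disabled = {n for n, a in accounts.items() if a["status"] == "disabled"}
    return [e for e in events if e["user"] in disabled]

if __name__ == "__main__":
    print("Dormant accounts:", dormant_accounts(ACCOUNTS, "2009-09-28"))
    for e in disabled_account_attempts(ACCOUNTS, parse_auth_log(AUTH_LOG)):
        print("Attempt on disabled account:", e["ts"], e["user"], "from", e["src"])
```

In practice the account export would come from the directory service and the log from the central log collector described under control 6.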
12. Malware Defenses
Quick win: Ensuring anti-malware software is running on all systems is important, but also make sure a process is in place so that every system is updated regularly. Another quick win is disabling autorun for removable storage devices.
13. Limitation and Control of Network Ports, Protocols, and Services
Quick win: Make sure your routers can only be accessed internally, and that firewalls or filters drop all traffic except for services and ports that are explicitly allowed.
14. Wireless Device Control
Quick win: Scan for rogue access points on your network regularly. Using centrally managed enterprise-class devices with an authorized configuration and security profile is also important.
15. Data Loss Prevention
Advice: Ensure that laptop hard drives are encrypted, and scan outbound traffic on your network for keywords.
The following advice doesn’t fall into the category of “quick wins,” but is worth considering:
1. Secure Network Engineering
Advice: If you are starting from scratch, make sure your network is secure by design. This implies looking for single points of failure, and building in “choke points” you can monitor.
2. Penetration Tests and Red Team Exercises
Advice: Carry these out regularly, from inside and outside the network perimeter. Use your own staff, automated tools, and outside consultants as well. Remember, a penetration test that finds no vulnerabilities tells you nothing.
3. Incident Response Capability
Advice: Make written preparations in advance so you can react quickly and efficiently during an incident, instead of going into panic mode and risking the wrong decisions that make things worse.
4. Data Recovery Capability
Advice: Make sure backups are performed regularly and are stored offline and offsite. Backups should include applications and operating systems as well as data.
5. Security Skills Assessment and Appropriate Training to Fill Gaps
Advice: Just half an hour of training per year explaining how to choose a secure password and why, or why clicking on email attachments from unknown sources is a bad idea, can pay huge security dividends.
For more formal, detailed advice for each of these controls, visit SANS’ 20 Critical Security Controls – Version 2.1 guidelines.