20 critical controls do improve cybersecurity, but are you using them?

In the last four years the list of 20 Critical Security Controls for cyber defense developed by a consortium of government and private organizations has gained wide acceptance in the security community, but implementation of these prioritized tools and techniques is not yet mature, according to a recent survey.

20 Critical Security Controls

1. Inventory of authorized and unauthorized devices
2. Inventory of authorized and unauthorized software
3. Secure configurations for hardware and software on mobile devices, laptops, workstations, and servers
4. Continuous vulnerability assessment and remediation
5. Malware defenses
6. Application software security
7. Wireless device control
8. Data recovery capability
9. Security skills assessment and appropriate training to fill gaps
10. Secure configurations for network devices such as firewalls, routers, and switches
11. Limitation and control of network ports, protocols, and services
12. Controlled use of administrative privileges
13. Boundary defense
14. Maintenance, monitoring, and analysis of audit logs
15. Controlled access based on the need to know
16. Account monitoring and control
17. Data loss prevention
18. Incident response and management
19. Secure network engineering
20. Penetration tests and red team exercises

Source: SANS Institute

That does not mean the controls aren’t working, said Ron Gula, CEO of Tenable Network Security, an enterprise vulnerability management company that participates in the consortium.
“In the large enterprises it’s going to take people a year or two to implement a plan” based on the controls, Gula said. “I think it’s in a good place.”
Government, which made up the largest segment of the respondents to the survey, with about 20 percent of the total, probably leads the private sector in using the controls, Gula said. Overall, his company’s government customers are ahead of the curve in adopting standardized, centralized security monitoring and auditing programs, which he said is a key part of defending IT systems. “If you are trying to keep the bad guys out, if you can’t manage that centrally you’re not going to be able to keep them out.”
Agencies’ willingness to use the controls list is not surprising, as they initially were conceived as a framework to shore up federal IT security. The surprise is the degree to which they are being adopted by the private sector as well.
The online survey of 699 security professionals was conducted earlier this year by the SANS Institute, one of the organizations involved in developing the list.
The Critical Security Controls were developed to help make work originally done by the National Security Agency available to civilian agencies and non-government organizations. NSA participated in the effort to take the information public, which was led by SANS, the Center for Internet Security and the Center for Strategic and International Studies. The original list was published in 2009 and has been updated periodically since then.
The goal of the list is to prioritize actions to improve enterprise security posture through a threat-focused approach rather than focusing on regulatory compliance. It offers a lens for focusing activity on areas of highest payback by concentrating on what threats are actually used to exploit security weaknesses.
more..