"Networks are no longer safe if a company takes the egg-shell approach of simply using perimeter-centric hardware devices, anti-virus and anti-malware software and other approaches to keep intruders out" - William Boni, VP and CISO, T-Mobile USA, Jan 2012.
I am a great believer that good security comes from a multi-layer approach. You don't lock your front gate and leave all the doors open, right? So why should IT security be any different? This article looks at an interesting list of the "Top 20" critical security controls published recently by the Centre for the Protection of National Infrastructure (CPNI). CPNI was formed from the merger of the National Infrastructure Security Co-ordination Centre (NISCC) and the National Security Advice Centre (NSAC), formerly part of MI5, the UK's security service, and has responsibility for providing information assurance guidance for the UK's national infrastructure.
Here is the list:
1. Inventory of Authorised and Unauthorised Devices
2. Secure Configurations (Hardware & Software)
3. Secure configurations for hardware and software on laptops, workstations, and servers
4. Continual Vulnerability Assessment
5. Malware Defences
6. Application Software Security
7. Wireless Device Control
8. Data Recovery Capability
10. Secure configurations for network devices such as firewalls, routers, and switches
11. Limit network ports, protocols and services
12. Controlled use of Admin privileges
13. Boundary Defence
14. Maintenance and Monitoring
15. Need to know permissions
16. Account monitoring and control
17. Data Loss Prevention
18. Incident Response
19. Secure network engineering
20. Penetration Testing
Having worked in security for the past 4 years, I have audited and tested the security defences of 100+ organisations, and I can honestly say I have never seen any one organisation implementing satisfactory controls in all of these areas, if in any at all. Therefore, I suggest any organisation review this list and either use it as a basis for their IT security policy (if they have one) or conduct a simple audit of their systems against it. If you have gone as far as classifying the information that flows in and out of your organisation, you may want to apply this list per classification.
My particular favourites are training and penetration tests. This may be because I have conducted many social engineering and penetration tests, but these really stand out for me. Penetration testing is a key indicator that the other 19 controls are working, and any tests that do not include elements of social engineering really are not true tests of the threats faced by organisations today. Just look at RSA...
To contact Nettitude's editor, please contact firstname.lastname@example.org.