This year, for Cyber Security Awareness Month, we are going to go through the 20 critical controls. Because there are 20 controls, we have decided to publish controls on weekdays and a summary, expansion and/or some guest diaries on the weekends. So the schedule for the month looks roughly as follows:
oct 1-2 Introduction
oct 3 Critical Control 1: Inventory of Authorized and Unauthorized Devices
oct 4 Critical Control 2: Inventory of Authorized and Unauthorized Software
oct 5 Critical Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
oct 6 Critical Control 4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
oct 7 Critical Control 5: Boundary Defense
oct 8-9 Summary/free form/tie in/elaboration/Guest diary
oct 10 Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
oct 11 Critical Control 7: Application Software Security
oct 12 Critical Control 8: Controlled Use of Administrative Privileges
oct 13 Critical Control 9: Controlled Access Based on the Need to Know
oct 14 Critical Control 10: Continuous Vulnerability Assessment and Remediation
oct 15-16 Summary/free form/tie in/elaboration/Guest diary
oct 17 Critical Control 11: Account Monitoring and Control
oct 18 Critical Control 12: Malware Defenses
oct 19 Critical Control 13: Limitation and Control of Network Ports, Protocols, and Services
oct 20 Critical Control 14: Wireless Device Control
oct 21 Critical Control 15: Data Loss Prevention
oct 22-23 Summary/free form/tie in/elaboration/Guest diary
The following sections identify additional controls that are important but cannot be fully automatically or continuously monitored to the same degree as the controls covered earlier in this document.
oct 24 Critical Control 16: Secure Network Engineering
oct 25 Critical Control 17: Penetration Tests and Red Team Exercises
oct 26 Critical Control 18: Incident Response Capability
oct 27 Critical Control 19: Data Recovery Capability
oct 28 Critical Control 20: Security Skills Assessment and Appropriate Training to Fill Gaps
oct 29-30 Summary/free form/tie in/elaboration/Guest diary
oct 31 Overview of the month.
If you click on the link you will be taken to the appropriate control. Each control is divided into several sections:
How do attackers exploit the control
How can it be implemented, automated and measured
Links to NIST and other documents, procedures and tools for implementing and automating the control
Example metrics and example tests
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.