It is that time of the year again, Cyber Security Awareness Month. Over the last few years we have participated in the October Cyber Security Awareness month (just search the archive for cyber security awareness month). During the month, in addition to our normal diaries, we take a specific topic or theme and publish a diary on the topic.
This year the theme is the 20 Critical Security Controls. Iknow what you are thinking, 20 controls 31 days. A number of the controls will easily take a few days to cover. For those of you that are unfamiliar with the 20 critical security controls
These Top 20 Controls were agreed upon by a powerful consortium brought together by John Gilligan (previously CIO of the US Department of Energy and the US Air Force) under the auspices of the Center for Strategic and International Studies. Members of the Consortium include NSA, US Cert, DoD JTF-GNO, the Department of Energy Nuclear Laboratories, Department of State, DoD Cyber Crime Center plus the top commercial forensics experts and pen testers that serve the banking and critical infrastructure communities.
There are 20 controls, 15 of these can be automated, the last 5 can not. Each will address a set of risks and the diaries will explore how you may be able to implement the control.
This year the controls were updated and include the Australian Defence Signals Directorate's 35 mitigating controls.
The controls are as follows:
Critical Control 1: Inventory of Authorized and Unauthorized Devices
Critical Control 2: Inventory of Authorized and Unauthorized Software
Critical Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
Critical Control 4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
Critical Control 5: Boundary Defense
Critical Control 6: Maintenance, Monitoring, and Analysis of Security Audit Logs
Critical Control 7: Application Software Security
Critical Control 8: Controlled Use of Administrative Privileges
Critical Control 9: Controlled Access Based on the Need to Know
Critical Control 10: Continuous Vulnerability Assessment and Remediation
Critical Control 11: Account Monitoring and Control
Critical Control 12: Malware Defenses
Critical Control 13: Limitation and Control of Network Ports, Protocols, and Services
Critical Control 14: Wireless Device Control
Critical Control 15: Data Loss Prevention
Critical Control 16: Secure Network Engineering
Critical Control 17: Penetration Tests and Red Team Exercises
Critical Control 18: Incident Response Capability
Critical Control 19: Data Recovery Capability
Critical Control 20: Security Skills Assessment and Appropriate Training to Fill Gaps
As always we value your contributions, so start putting your thinking caps on and think of how you can implement some or even all of the controls in your organisation. If you have a specific tip, hint, or suggestion fee free to pass it along. It will help if you use the contact form and specify the control. That way we can make sure we include your suggestions where we can.
There are of course things that you can do yourself in your organisation for cyber security awareness month. If you haven't run an awareness campaign for a while, maybe this October.
One of our readers (Nick) will be running a campaign within his organisation. He has developed some awesome posters, linked to a competition to improve awareness within his organisation. Maybe you have other ideas to help raise awareness in your organisation, let us know and maybe schedule some of these during October?
Mark - Shearwater
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.