Critical Security Controls Survey: Moving From Awareness To Action

Security issues are among the most significant problems for virtually all companies today. As technology advances, new vulnerabilities appear every day, so it is necessary not only to keep track of current events but also to be able to prevent intrusions from both inside and outside. What are Critical Security Controls? The Critical Security Controls were created by a consortium of participating government agencies, corporations and IT security experts, coordinated by the SANS Institute.

Approximately twenty security areas, or controls, were identified as critical areas on which agencies and corporations should focus to improve their information security. After defining the areas to control, the SANS Institute also surveyed how many companies are aware of these fields, whether organizations have adopted or plan to adopt the controls, and what obstacles may be preventing them from doing so.

The subject of this paper is to identify methods for moving from awareness to implementation; before that, it is necessary to understand why implementation is needed and how the implementation rate can be increased.

The survey results reported by the SANS Institute state that several known barriers stand in the way of moving from understanding the CSC to implementing them: organizational and IT problems, personnel training issues, lack of strategic planning, and lack of managerial support. At first glance, one obvious solution to these obstacles is to plan the exact actions, or steps, required to implement the desired level of security.


Before implementing any of the controls, it is necessary to thoroughly understand and analyze the current state and any existing problems, then plan the realization and develop estimates to evaluate the result once the controls are in place. The plan also involves training and informing all affected personnel about upcoming changes and their intended outcomes.

The primary recommendation for transitioning from awareness to realization is to thoroughly think through each step required to reach the desired security level. For each of the CSCs, this includes several further actions. Let’s look at the implementation of a few basic controls: inventory of authorized and unauthorized hardware and software, and vulnerability assessment and remediation. The first control we’ll discuss is the inventory of hardware. A plethora of tools exist that can be used to implement this control. First of all, it is possible to use both active and passive discovery tools. Active discovery scans the network for devices, for example with a ping sweep, while passive tools find new devices by drawing on data already collected by other compliant security tools, such as DNS.

Secondly, it is vital to maintain accurate and up-to-date hardware inventory records, with specific information about each device and constant, consistent updates. This can be as simple as a spreadsheet or a database that stores the network and hardware IP and MAC addresses, device name, owner, and the department where it is located, including whether a device is granted access to the network and at what level. Any changes should be written to this database automatically, making it possible to observe shifts in real time, with alerts when a device is out of spec. Lastly, it is possible to apply device authentication policies on the network, which grant or deny access based on the hardware inventory records and the level of access being requested. This policy can be based on port-level access control; in addition to managing device access, it handles the removal of unauthorized hardware by keeping a list of uninvited guests.
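The reconciliation step described above, as an added example that is not part of the original paper: a constructed authorized inventory (MAC, IP, name, owner, department, access level) is compared against constructed discovery observations, producing the alerts and per-device access decisions the record-based policy would rely on. The sample devices, addresses and the `reconcile` function are all assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One hardware inventory record as the paper describes it."""
    mac: str
    ip: str
    name: str
    owner: str
    department: str
    access: str  # "full", "guest" or "denied"


# Constructed authorized inventory; in practice this lives in a database.
INVENTORY = {
    "aa:bb:cc:00:00:01": Asset("aa:bb:cc:00:00:01", "10.0.1.10", "fin-ws-01", "alice", "finance", "full"),
    "aa:bb:cc:00:00:02": Asset("aa:bb:cc:00:00:02", "10.0.1.11", "hr-ws-07", "bob", "hr", "full"),
    "aa:bb:cc:00:00:03": Asset("aa:bb:cc:00:00:03", "10.0.2.5", "lobby-kiosk", "facilities", "ops", "guest"),
}

# Constructed discovery results (MAC, IP, hostname), e.g. from a ping sweep or DNS/DHCP data.
OBSERVED = [
    ("aa:bb:cc:00:00:01", "10.0.1.10", "fin-ws-01"),
    ("aa:bb:cc:00:00:02", "10.0.1.99", "hr-ws-07"),        # IP differs from the record
    ("de:ad:be:ef:00:01", "10.0.1.50", "unknown-laptop"),  # not in the inventory at all
]


def reconcile(inventory, observed):
    """Compare discovery output with inventory records.

    Returns (alerts, decisions): alerts are out-of-spec conditions to raise,
    decisions map each observed MAC to the access level the policy would grant.
    """
    alerts, decisions, seen = [], {}, set()
    for mac, ip, host in observed:
        seen.add(mac)
        rec = inventory.get(mac)
        if rec is None:
            alerts.append(f"UNAUTHORIZED {mac} {ip} ({host})")
            decisions[mac] = "denied"  # unknown hardware gets no network access
            continue
        if rec.ip != ip:
            alerts.append(f"IP-CHANGE {mac}: {rec.ip} -> {ip}")
        decisions[mac] = rec.access
    for mac, rec in inventory.items():
        if mac not in seen:  # recorded device that discovery did not find
            alerts.append(f"MISSING {mac} ({rec.name}, owner {rec.owner})")
    return alerts, decisions
```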

The second control refers to the inventory of software assets. It is similar to the first control and involves analogous procedures, but it is more complicated to support and track changes to the software installed on each device within a company. For software inventory, it is recommended to create and maintain an inventory of all authorized software, or rules that apply to approved software types and categories. This may be completed in several steps, starting by recording what is used now and which software is approved, then constantly checking for new software appearing in the system. For scanning new devices, it is better to use existing enterprise tools. An example of such software is SolarWinds File Integrity Monitoring software, which tracks any modifications within the operating system alongside general inventory software. The best solution might be to combine the software and hardware inventories, tracking all software and hardware simultaneously.

Once the first step (the software inventory) is accomplished, it is possible to quickly find unauthorized software and deny it access or operation on the hardware where it was found, including denying it network access. Another significant point is the use of application whitelisting. If this technology is applied to all software, only authorized programs will execute, and all unwanted applications are blocked from running. In addition, whitelisting software can restrict which libraries and scripts are permitted to run in the system. The last control to review is vulnerability management. The basic component of this control is constant scanning of the network to find all vulnerabilities within the system. To perform this on a regular basis, it is highly recommended to use automated vulnerability scanning tools. An enhancement to this is authenticated scanning, which runs on the local system and has advantages over ordinary scanning because it can gather information from both the outside and the inside; such scanning therefore yields more accurate results.

Good practice in vulnerability scanning is to assign a risk score to each finding. This is helpful because it makes it possible to protect the system quickly and efficiently by starting with the most urgent segments and leaving lower-risk segments to wait until higher priorities have been addressed. Under this methodology there is no need to overload the system by remediating all vulnerabilities at once, leaving room for step-by-step remediation without damage to the system. Another beneficial solution is to allow operating systems and installed software to update automatically, but manual work may still be required, because changes often bring errors or bugs that need direct attention. While there are arguments against automatic updates applied system-wide for every user, the higher risk lies in devices not receiving OS and software updates and patches in a timely manner, which leaves more opportunities open for exploitation.

A final item worthy of attention is the recommendation to consistently compare scanning results. This is necessary in order to ensure that all vulnerabilities have been remediated promptly and without unintended consequences. The Critical Security Controls discussed above, while not exhaustive, have been deemed best practices; they establish many requirements for analysis and implementation, and practical solutions for implementing three of the controls have been outlined. As a result, it can be noted that the Critical Security Controls are an absolute requirement for companies to understand, analyze, implement and review in order to reduce the risk of exploitation and make prospective attacks more visible. In summary, it is of critical importance not only to understand the controls’ value, but also to communicate that value to stakeholders and ensure compliance with them throughout the organization.
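The risk-scored remediation order and the scan-to-scan comparison described in the last two paragraphs, as an added example that is not from the original paper. The findings, the `VULN-000x` identifiers (constructed placeholders, not real vulnerability ids) and the scoring weights are assumptions for illustration; a real program would take the base severity from the scanner's output.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One scanner finding; cvss is the base severity on a 0-10 scale."""
    host: str
    vuln_id: str          # constructed placeholder, not a real CVE
    cvss: float
    exposed: bool         # reachable from outside the network
    critical_asset: bool  # host holds business-critical data


def risk_score(f):
    """Assumed weighting: raise the base severity for exposure and asset criticality, capped at 10."""
    score = f.cvss
    if f.exposed:
        score += 2.0
    if f.critical_asset:
        score += 1.5
    return min(score, 10.0)


def remediation_order(findings):
    """Most urgent first; host and id break ties so the order is stable."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.host, f.vuln_id))


def compare_scans(previous, current):
    """Diff two scans to confirm what was remediated and spot anything new."""
    prev = {(f.host, f.vuln_id) for f in previous}
    cur = {(f.host, f.vuln_id) for f in current}
    return {
        "remediated": sorted(prev - cur),
        "new": sorted(cur - prev),
        "persisting": sorted(prev & cur),
    }


# Constructed results of two consecutive scans.
SCAN_1 = [
    Finding("db-01", "VULN-0001", 9.8, False, True),
    Finding("web-01", "VULN-0002", 7.5, True, False),
    Finding("ws-12", "VULN-0003", 5.3, False, False),
    Finding("web-01", "VULN-0004", 4.0, True, False),
]
SCAN_2 = [  # after the first remediation round: two fixed, one new finding
    Finding("web-01", "VULN-0002", 7.5, True, False),
    Finding("ws-12", "VULN-0003", 5.3, False, False),
    Finding("web-01", "VULN-0005", 6.1, True, False),
]
```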

Critical Security Controls Survey: Moving From Awareness To Action. (2021, Dec 05). Retrieved from
