The 4 security controls your business should take now
By Tony Bradley, PCWorld | Mar 8, 2013 11:42 am PST
There never will be a perfect computer or network defense. Computer security is a constantly escalating game of cat-and-mouse. As quickly as you address the latest threat, attackers have already developed a new technique to get into your network and compromise your PCs. But if you focus on the fundamentals, you can minimize your risk and defend against most attacks.
Small companies have limited IT resources and can’t possibly defend against every possible exploit or attack. How do you know what to prioritize? Start with the 20 Critical Security Controls report, written by the Center for Internet Security (CIS), the SANS Institute, and the National Security Agency (NSA). To help businesses and governments, they have defined the security controls that stop the most common attacks.
Speaking recently at the RSA Security conference, Philippe Courtot, chairman and CEO of Qualys, cautioned against mistaking compliance for security. He stressed that security should facilitate rather than impede business goals, naming the report as a valuable starting point.
John Pescatore, director of the SANS Institute, drew a comparison to the Pareto principle. The axiom commonly referred to as the “80/20 rule” says essentially that 20 percent of the effort or input results in 80 percent of the output.
It turns out that the top 20 priorities you should tackle to address 80 percent of the possible attacks against your network and PCs are common-sense fundamentals that have long been best security practices. However, even this relatively narrow list is too broad. To break it down further, here are the top four security controls you should put into practice immediately.
1. Inventory of authorized and unauthorized devices
You can’t stay on top of every vulnerability and exploit for every device made, and you can’t protect things if you don’t even know they exist. Take an accurate inventory of both your physical and virtual servers, as well as the PCs, smartphones, tablets, and other devices connected to your network or in use in your environment.
Trying to keep track of every device on your network manually is impractical, and a manual list would never catch the rogue, unauthorized devices that show up without anyone registering them. Use an asset tracking tool like GFI MAX or QualysGuard to automate the process, and compare what it discovers against what you have authorized.
2. Inventory of authorized and unauthorized software
Similarly, you can’t follow every flaw in every application ever written, either. Know what software is on the devices connected to your network in order to determine the risk and potential impact of any emerging threats.
Maintaining an accurate inventory of the hardware and software used on your network is difficult—especially without a tool to automate the process. However, the same tools used for taking an inventory of hardware can monitor applications as well.
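The core of controls 1 and 2 is a reconciliation: whatever the discovery tool observes on the network is compared against the list of devices and software you have actually approved, and anything that is observed but not approved (or approved but at an unexpected version) is flagged. The script below is an added example of that comparison and is not code from the article or from GFI MAX or QualysGuard; the authorized register, the DHCP-lease-style device records and the package lists are all constructed sample data standing in for what a real agent or scanner would export.

```python
"""Reconcile observed devices and software against an authorized inventory.

Added example; not from the PCWorld article or any vendor product.  All the
data below is constructed sample data.
"""

# Constructed: the asset register, keyed by MAC address (lower-case, colons).
AUTHORIZED_DEVICES = {
    "aa:bb:cc:00:00:01": "fileserver-01",
    "aa:bb:cc:00:00:02": "ceo-laptop",
    "aa:bb:cc:00:00:03": "printer-lobby",
}

# Constructed: software allowlist per host, package -> set of approved versions.
AUTHORIZED_SOFTWARE = {
    "fileserver-01": {"openssh-server": {"6.1p1"}, "samba": {"3.6.12"}},
    "ceo-laptop": {"firefox": {"19.0"}, "adobe-reader": {"11.0.2"}},
}

# Constructed: what discovery saw, e.g. rows pulled from dhcpd.leases or an ARP table.
OBSERVED_DEVICES = [
    {"mac": "AA:BB:CC:00:00:01", "ip": "192.0.2.10"},
    {"mac": "AA:BB:CC:00:00:02", "ip": "192.0.2.21"},
    {"mac": "de:ad:be:ef:00:99", "ip": "192.0.2.77"},  # nobody registered this one
]

# Constructed: what a software agent reported, host -> [(package, version)].
OBSERVED_SOFTWARE = {
    "fileserver-01": [("openssh-server", "6.1p1"), ("samba", "3.6.12"),
                      ("nc-traditional", "1.10")],
    "ceo-laptop": [("firefox", "19.0"), ("adobe-reader", "10.1.4")],
}


def normalize_mac(mac: str) -> str:
    """Canonical form so 'AA-BB-...' and 'aa:bb:...' compare equal."""
    return mac.strip().lower().replace("-", ":")


def find_unauthorized_devices(observed, authorized):
    """(mac, ip) for every observed device that is absent from the register."""
    return sorted(
        (normalize_mac(d["mac"]), d["ip"])
        for d in observed
        if normalize_mac(d["mac"]) not in authorized
    )


def find_missing_devices(observed, authorized):
    """Registered devices that were not seen: switched off, moved, or stolen."""
    seen = {normalize_mac(d["mac"]) for d in observed}
    return sorted(name for mac, name in authorized.items() if mac not in seen)


def find_unauthorized_software(observed, authorized):
    """(host, package, version, reason) for software outside the allowlist.

    A package is flagged because it is not approved at all, or because an
    approved package runs at a version that was never approved, which is
    usually an unpatched or downgraded install.
    """
    findings = []
    for host, packages in observed.items():
        allow = authorized.get(host, {})
        for pkg, ver in packages:
            if pkg not in allow:
                findings.append((host, pkg, ver, "package not approved"))
            elif ver not in allow[pkg]:
                findings.append((host, pkg, ver, "version not approved"))
    return findings


if __name__ == "__main__":
    for mac, ip in find_unauthorized_devices(OBSERVED_DEVICES, AUTHORIZED_DEVICES):
        print(f"ROGUE DEVICE  {mac} at {ip}")
    for name in find_missing_devices(OBSERVED_DEVICES, AUTHORIZED_DEVICES):
        print(f"NOT SEEN      {name}")
    for host, pkg, ver, why in find_unauthorized_software(OBSERVED_SOFTWARE,
                                                          AUTHORIZED_SOFTWARE):
        print(f"SOFTWARE      {host}: {pkg} {ver} ({why})")
```

On the sample data this reports one rogue device (the unregistered MAC at 192.0.2.77), one registered device that was not seen (the lobby printer, worth a phone call), an unapproved netcat install on the file server, and an Adobe Reader on the CEO's laptop at an older version than the one that was approved. Keying devices on MAC address is a convenience that an attacker who spoofs a registered MAC can defeat; the point of the control is to notice the surprises, not to authenticate the endpoints.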
3. Continuous vulnerability assessment and remediation
Most attacks exploit known vulnerabilities: publicly disclosed flaws that vendors have already developed patches for. Even if there is no active exploit in the wild, once a vendor releases a patch attackers can diff it against the unpatched code to locate the flaw and build an exploit for it, so the window between patch release and exploitation is often short. A system of vulnerability assessment and patch management will help you plug those holes before attackers find them.
New vulnerabilities are discovered almost constantly, though, so almost as soon as you conduct a vulnerability scan the results are outdated. If you use a tool like QualysGuard or nCircle PureCloud, you can schedule automated vulnerability scans to run on a regular basis and track which findings have actually been remediated.
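What a vulnerability scanner does at its simplest is match the software inventory from control 2 against a feed of advisories, each saying "versions of product X below Y are affected and Y contains the fix", and report every install that is still below the fixed version. The block below is an added example of that matching logic, not code from the article or from QualysGuard or nCircle; the advisory feed and the inventory are constructed sample data, and the version scheme assumed is dotted numerics with an optional trailing tag such as 6.1p1.

```python
"""Match a software inventory against a constructed list of patched flaws.

Added example; not code from the article or any scanner vendor.  The
advisories and inventory are constructed sample data.
"""
import re

# Constructed advisory feed: everything below `fixed` is affected, and `fixed`
# is the version that carries the patch.  No real advisory is referenced.
ADVISORIES = [
    {"product": "adobe-reader", "fixed": "11.0.2"},
    {"product": "firefox", "fixed": "19.0.2"},
    {"product": "openssh-server", "fixed": "6.1p1"},
]

# Constructed inventory, host -> [(product, installed version)].
INVENTORY = {
    "fileserver-01": [("openssh-server", "6.0p1"), ("samba", "3.6.12")],
    "ceo-laptop": [("firefox", "19.0"), ("adobe-reader", "11.0.2")],
}


def version_key(version: str):
    """Turn '6.1p1' into [(6, ''), (1, 'p1')] so versions compare numerically.

    Each dot- or dash-separated piece becomes (leading integer, suffix); a
    piece with no leading integer sorts before any numeric piece.  Trailing
    '.0' components are dropped so '19.0' and '19.0.0' compare equal.
    """
    key = []
    for piece in re.split(r"[.\-]", version.strip()):
        m = re.match(r"(\d+)(.*)$", piece)
        key.append((int(m.group(1)), m.group(2)) if m else (-1, piece))
    while len(key) > 1 and key[-1] == (0, ""):
        key.pop()
    return key


def is_affected(installed: str, fixed: str) -> bool:
    """True when the installed version is strictly below the fixed version."""
    return version_key(installed) < version_key(fixed)


def find_unpatched(inventory, advisories):
    """(host, product, installed, fixed) for every install still below the fix."""
    findings = []
    for host, installs in inventory.items():
        for product, installed in installs:
            for adv in advisories:
                if adv["product"] == product and is_affected(installed, adv["fixed"]):
                    findings.append((host, product, installed, adv["fixed"]))
    return findings


if __name__ == "__main__":
    for host, product, installed, fixed in find_unpatched(INVENTORY, ADVISORIES):
        print(f"{host}: {product} {installed} is below fixed version {fixed}")
```

On the sample data the file server's OpenSSH 6.0p1 and the laptop's Firefox 19.0 are reported; Adobe Reader is at the fixed version and Samba has no advisory in the feed, so neither appears. Two caveats a practitioner will recognize: version comparison only works when you trust the inventory (a backported distro patch can leave the version string unchanged), and the advisory feed is the part that goes stale fastest, which is why the article's point about scheduling scans rather than running them once matters.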
4. Malware defenses
The vast majority of attacks come in the form of malware, including viruses, worms, Trojans, bots, and rootkits. If you have antimalware protection in place, such as McAfee Internet Security 2013 or Bitdefender Internet Security 2013, and keep it updated regularly, it should be able to detect and block known malware threats. Most antimalware tools also include heuristic techniques that look for suspicious or malicious behavior, which helps against new, unknown attacks, though heuristics will miss some of them, which is why the first three controls still matter even with antimalware in place.
The 20 Critical Security Controls have been around for a few years, but they’re periodically updated. The latest is version 4.0.