The 20 Security Controls: Smartly Enhancing Enterprise Security

Bob Gourley July 26, 2013

We have written before about SANS and the virtuous collaborative work they encourage in the community. They work so well with others and have for so long that a community of trust has arose around them. The collegial project that produced the “20 security controls” referenced here includes a wide range of experienced organizations with knowledge of real attacks and insight into what really works in stopping them (for more on the history of these controls and list of participants who maintain them see SANS).

So, if you are looking to quickly get up to speed on what really works when thwarting attacks, a great source is the community coordinated 20 Critical Security Controls for Effective Cyber Defense.

Here is more from SANS on what these are:

To secure against cyber attacks, organizations must vigorously defend their networks and systems from a variety of internal and external threats. They must also be prepared to detect and thwart damaging follow-on attack activities inside a network that has already been compromised. Two guiding principles are: “Prevention is ideal but detection is a must” and “Offense informs defense.”
The goal of the Critical Controls is to protect critical assets, infrastructure, and information by strengthening your organization’s defensive posture through continuous, automated protection and monitoring of your sensitive information technology infrastructure to reduce compromises, minimize the need for recovery efforts, and lower associated costs.

And now the full list of the 20 controls, with links to the SANS hosted site explaining each:

20 Critical Security Controls – Version 4.1

Critical Control 1: Inventory of Authorized and Unauthorized Devices
Critical Control 2: Inventory of Authorized and Unauthorized Software
Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Critical Control 4: Continuous Vulnerability Assessment and Remediation
Critical Control 5: Malware Defenses
Critical Control 6: Application Software Security
Critical Control 7: Wireless Device Control
Critical Control 8: Data Recovery Capability
Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps
Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services
Critical Control 12: Controlled Use of Administrative Privileges
Critical Control 13: Boundary Defense
Critical Control 14: Maintenance, Monitoring, and Analysis of Audit Logs
Critical Control 15: Controlled Access Based on the Need to Know
Critical Control 16: Account Monitoring and Control
Critical Control 17: Data Loss Prevention
Critical Control 18: Incident Response and Management
Critical Control 19: Secure Network Engineering
Critical Control 20: Penetration Tests and Red Team Exercises

About Bob Gourley

Bob Gourley is the CTO and Co-Founder of the due diligence and cybersecurity consultancy OODA LLC , which publishes CTOvision.com and OODAloop.com. Bob's background is as an all source intelligence analyst and an enterprise CTO.

Gain Powerful Insights Into The Future With OODA Loop’s Technology Tracking

In a continuation of our journey to bring the best, most actionable technology content to enterprise decision-makers we have merged our research and reporting activities into the OODAloop.com site (both CTOvision.com and OODAloop.com are owned and operated by OODA LLC). CTOvision will focus only on one small niche, a vision for a technology enabled future. […]

CTOvision and OODA: Big Changes Coming Soon

In a continuation of our journey to bring the best, most actionable technology content to enterprise decision-makers we are merging our research and reporting activities into the OODAloop.com site (both CTOvision.com and OODAloop.com are owned and operated by OODA LLC). This will give our community access to the same technology summaries we currently produce as […]

Give Your Career A Boost By Learning From Experienced Decision Makers

Our video and audio podcast, the OODAcast, provides content that can help accelerate your career and improve your decision making. The series is based on interviews of some of the greatest most accomplished enterprise technologists we can find. We ask questions designed to pull out lessons applicable to accelerating the career of any professional. We […]

Think Twice Before Deciding To Use A Personal VPN: You could be getting some really bad advice

From the 1930s to 1950s (far too long) the medical community just would not wake up to the fact that cigarettes could cause harm (see More Doctors Smoke Camels). Why did they stick with this misperception for so long? When so many good people come to the wrong conclusion it probably means some deeply human […]

Please help spread the word: USNI and NIP Essay Contest: This year’s challenge area a key one for the nation

Please help share the content at this link to any thinker/writer you know: 2020 Information Warfare Essay Contest This contest is open to all contributors, active-duty, military, reservists, veterans, and civilians. Generally the winners have had a solid understanding of the nature of modern conflict, but really any thinkers/writers should look over the contest and […]

Centripetal wins historic $2.6-$3.2 Bil vs. Cisco Systems; largest US patent infringement award to date

Editor’s note: I am proud to say I have a history with Centripetal Networks serving on their board and then later as an advisor. It was horrible to learn that a Tech Titan like Cisco was infringing on their patents. It is good now to see when the facts were reviewed justice was done. -bg […]

Super Bowl Ads Indicate Big Businesses Think You Are Afraid of AI

Tom Loftus provided an insightful review of some of Super Bowl ads in the 4 Feb 2019 Wall Street Journal. Like AI parody in SNL, these ads really poked fun at computers: Seriously, did anyone catch the commercials? If the Super Bowl is the zeitgeist, then it is safe to say that America is not […]

HBO’s Westworld: The Man In Black is a special kind of Twitter user

HBO’s Westworld is a modern take on the Michael Crichton SciFi tale of a robotic amusement park. The HBO version has a new twist. The creators/writers were all exposed to years of Twitter, which has influenced every episode and the entire arch of two seasons of the show. Now that season two is wrapping up, […]

All Enterprise Techies Should Watch HBO’s SciFi Epic Westworld: It will help us dialog over shared experiences on what we will not be creating

Westworld season one was a great mix of science fiction and drama and action and it was done in a way that should help people think through many tech ethics questions, like how do we want to treat our robots? Does treating robots with violence change our nature? Can robots become sentient? HBO has a […]

20 Critical Security Controls – Version 4.1

Related

Gain Powerful Insights Into The Future With OODA Loop’s Technology Tracking

CTOvision and OODA: Big Changes Coming Soon

Give Your Career A Boost By Learning From Experienced Decision Makers

Cyber War

Think Twice Before Deciding To Use A Personal VPN: You could be getting some really bad advice

Please help spread the word: USNI and NIP Essay Contest: This year’s challenge area a key one for the nation

Centripetal wins historic $2.6-$3.2 Bil vs. Cisco Systems; largest US patent infringement award to date

SciFi

Super Bowl Ads Indicate Big Businesses Think You Are Afraid of AI

HBO’s Westworld: The Man In Black is a special kind of Twitter user

All Enterprise Techies Should Watch HBO’s SciFi Epic Westworld: It will help us dialog over shared experiences on what we will not be creating

20 Critical Security Controls – Version 4.1

Share this:

Related

About Bob Gourley

More Content

Cyber War

SciFi