It is that time of the year again, Cyber Security Awareness Month.  Over the last few years we have participated in the October Cyber Security Awareness month (just search the archive for "cyber security awareness month").  During the month, in addition to our normal diaries, we take a specific topic or theme and publish a diary on the topic.

This year the theme is the "20 Critical Security Controls". I know what you are thinking, 20 controls 31 days. A number of the controls will easily take a few days to cover.  For those of you that are unfamiliar with the 20 critical security controls 

"These Top 20 Controls were agreed upon by a powerful consortium brought together by John Gilligan (previously CIO of the US Department of Energy and the US Air Force) under the auspices of the Center for Strategic and International Studies. Members of the Consortium include NSA, US Cert, DoD JTF-GNO, the Department of Energy Nuclear Laboratories, Department of State, DoD Cyber Crime Center plus the top commercial forensics experts and pen testers that serve the banking and critical infrastructure communities."

(http://www.sans.org/critical-security-controls/)

There are 20 controls, 15 of these can be automated, the last 5 can not. Each will address a set of risks and the diaries will explore how you may be able to implement the control.

This year the controls were updated and include the Australian Defence Signals Directorate's 35 mitigating controls.

The controls are as follows:

• Critical Control 1: Inventory of Authorized and Unauthorized Devices
• Critical Control 2: Inventory of Authorized and Unauthorized Software
• Critical Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
• Critical Control 4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
• Critical Control 5: Boundary Defense
• Critical Control 6: Maintenance, Monitoring, and Analysis of Security Audit Logs
• Critical Control 7: Application Software Security
• Critical Control 8: Controlled Use of Administrative Privileges
• Critical Control 9: Controlled Access Based on the Need to Know
• Critical Control 10: Continuous Vulnerability Assessment and Remediation
• Critical Control 11: Account Monitoring and Control
• Critical Control 12: Malware Defenses
• Critical Control 13: Limitation and Control of Network Ports, Protocols, and Services
• Critical Control 14: Wireless Device Control
• Critical Control 15: Data Loss Prevention

• Critical Control 16: Secure Network Engineering
• Critical Control 17: Penetration Tests and Red Team Exercises
• Critical Control 18: Incident Response Capability
• Critical Control 19: Data Recovery Capability
• Critical Control 20: Security Skills Assessment and Appropriate Training to Fill Gaps

As always we value your contributions, so start putting your thinking caps on and think of how you can implement some or even all of the controls in your organisation.  If you have a specific tip, hint, or suggestion fee free to pass it along.  It will help if you use the contact form and specify the control.  That way we can make sure we include your suggestions where we can. 

There are of course things that you can do yourself in your organisation for cyber security awareness month.  If you haven't run an awareness campaign for a while, maybe this October. 

One of our readers (Nick) will be running a campaign within his organisation.  He has developed some awesome posters, linked to a competition to improve awareness within his organisation.  Maybe you have other ideas to help raise awareness in your organisation, let us know and maybe schedule some of these during October?

Mark - Shearwater