October 2011 Cyber Security Awareness Month

Published: 2011-09-21
Last Updated: 2011-09-21 05:48:02 UTC
by Mark Hofman (Version: 1)
8 comment(s)

It is that time of the year again, Cyber Security Awareness Month.  Over the last few years we have participated in the October Cyber Security Awareness month (just search the archive for "cyber security awareness month").  During the month, in addition to our normal diaries, we take a specific topic or theme and publish a diary on the topic.

This year the theme is the "20 Critical Security Controls". I know what you are thinking, 20 controls 31 days. A number of the controls will easily take a few days to cover.  For those of you that are unfamiliar with the 20 critical security controls 

"These Top 20 Controls were agreed upon by a powerful consortium brought together by John Gilligan (previously CIO of the US Department of Energy and the US Air Force) under the auspices of the Center for Strategic and International Studies. Members of the Consortium include NSA, US Cert, DoD JTF-GNO, the Department of Energy Nuclear Laboratories, Department of State, DoD Cyber Crime Center plus the top commercial forensics experts and pen testers that serve the banking and critical infrastructure communities."


There are 20 controls, 15 of these can be automated, the last 5 can not. Each will address a set of risks and the diaries will explore how you may be able to implement the control.

This year the controls were updated and include the Australian Defence Signals Directorate's 35 mitigating controls.

The controls are as follows:

  • Critical Control 1: Inventory of Authorized and Unauthorized Devices
  • Critical Control 2: Inventory of Authorized and Unauthorized Software
  • Critical Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
  • Critical Control 4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  • Critical Control 5: Boundary Defense
  • Critical Control 6: Maintenance, Monitoring, and Analysis of Security Audit Logs
  • Critical Control 7: Application Software Security
  • Critical Control 8: Controlled Use of Administrative Privileges
  • Critical Control 9: Controlled Access Based on the Need to Know
  • Critical Control 10: Continuous Vulnerability Assessment and Remediation
  • Critical Control 11: Account Monitoring and Control
  • Critical Control 12: Malware Defenses
  • Critical Control 13: Limitation and Control of Network Ports, Protocols, and Services
  • Critical Control 14: Wireless Device Control
  • Critical Control 15: Data Loss Prevention


  • Critical Control 16: Secure Network Engineering
  • Critical Control 17: Penetration Tests and Red Team Exercises
  • Critical Control 18: Incident Response Capability
  • Critical Control 19: Data Recovery Capability
  • Critical Control 20: Security Skills Assessment and Appropriate Training to Fill Gaps

As always we value your contributions, so start putting your thinking caps on and think of how you can implement some or even all of the controls in your organisation.  If you have a specific tip, hint, or suggestion fee free to pass it along.  It will help if you use the contact form and specify the control.  That way we can make sure we include your suggestions where we can. 

There are of course things that you can do yourself in your organisation for cyber security awareness month.  If you haven't run an awareness campaign for a while, maybe this October. 

One of our readers (Nick) will be running a campaign within his organisation.  He has developed some awesome posters, linked to a competition to improve awareness within his organisation.  Maybe you have other ideas to help raise awareness in your organisation, let us know and maybe schedule some of these during October?

Mark - Shearwater





8 comment(s)


Maybe a bit boring, but why this sequence?
I expected "Controlled Use of Administrative Privileges" to be number 1 as it is the cause of 99.9% of our troubles, and the reason why 18 of the other 19 are the result of not having it "controlled".
@Jack, The sequence is just numbering and not a reflection of importance. You implement one or more controls based on your own risk profile. So if for you 11 is more important than 1, then you do 11 first. So all controls are equally important (or unimportant depending on your view) you implement them based on risk.

Hey guys I saw something flash across RWW yesterday about SSL being broken by two folks. Granted it was one story but I would REALLY like to get your take on it. Any chance you might be looking into it to see if it was legitimate? link is included for reference.


Thanks again for all that you do.

@EH Scroll down a couple of entries.
There's a ton of free resources at the National Cyber Security Alliance's site (StaySafeOnline.org) for National Security Awareness Month.
The link is here: http://www.staysafeonline.org/ncsam

Microsoft also posts free materials that are pretty nice.
That link is here:
My GCIA Gold paper, A Small Business No Budget Implementation of the SANS 20 Security Controls was recently published. I hope it inspires the reader to lean into their existing tools and capabilities to creatively address the SANS Top 20 Security Controls.

What about Security Awareness ! All the organisations i have worked for in the past have all suffered from what i call a Distrubuted Incompetance Attack (DIA). I.e a total lack of understanding of how to architect, implement, monitor and support a secure enterprise system concludes in a rather large self induced cluster f***
Russell, I'm going to look through your paper to see how it mirrors our actual environment as I work for a non-profit with a very limited budget.

Diary Archives