October 2011 Cyber Security Awareness Month
It is that time of the year again, Cyber Security Awareness Month. Over the last few years we have participated in the October Cyber Security Awareness month (just search the archive for "cyber security awareness month"). During the month, in addition to our normal diaries, we take a specific topic or theme and publish a diary on the topic.
This year the theme is the "20 Critical Security Controls". I know what you are thinking, 20 controls 31 days. A number of the controls will easily take a few days to cover. For those of you that are unfamiliar with the 20 critical security controls
"These Top 20 Controls were agreed upon by a powerful consortium brought together by John Gilligan (previously CIO of the US Department of Energy and the US Air Force) under the auspices of the Center for Strategic and International Studies. Members of the Consortium include NSA, US Cert, DoD JTF-GNO, the Department of Energy Nuclear Laboratories, Department of State, DoD Cyber Crime Center plus the top commercial forensics experts and pen testers that serve the banking and critical infrastructure communities."
(http://www.sans.org/critical-security-controls/)
There are 20 controls, 15 of these can be automated, the last 5 can not. Each will address a set of risks and the diaries will explore how you may be able to implement the control.
This year the controls were updated and include the Australian Defence Signals Directorate's 35 mitigating controls.
The controls are as follows:
- Critical Control 1: Inventory of Authorized and Unauthorized Devices
- Critical Control 2: Inventory of Authorized and Unauthorized Software
- Critical Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
- Critical Control 4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- Critical Control 5: Boundary Defense
- Critical Control 6: Maintenance, Monitoring, and Analysis of Security Audit Logs
- Critical Control 7: Application Software Security
- Critical Control 8: Controlled Use of Administrative Privileges
- Critical Control 9: Controlled Access Based on the Need to Know
- Critical Control 10: Continuous Vulnerability Assessment and Remediation
- Critical Control 11: Account Monitoring and Control
- Critical Control 12: Malware Defenses
- Critical Control 13: Limitation and Control of Network Ports, Protocols, and Services
- Critical Control 14: Wireless Device Control
- Critical Control 15: Data Loss Prevention
- Critical Control 16: Secure Network Engineering
- Critical Control 17: Penetration Tests and Red Team Exercises
- Critical Control 18: Incident Response Capability
- Critical Control 19: Data Recovery Capability
- Critical Control 20: Security Skills Assessment and Appropriate Training to Fill Gaps
As always we value your contributions, so start putting your thinking caps on and think of how you can implement some or even all of the controls in your organisation. If you have a specific tip, hint, or suggestion fee free to pass it along. It will help if you use the contact form and specify the control. That way we can make sure we include your suggestions where we can.
There are of course things that you can do yourself in your organisation for cyber security awareness month. If you haven't run an awareness campaign for a while, maybe this October.
One of our readers (Nick) will be running a campaign within his organisation. He has developed some awesome posters, linked to a competition to improve awareness within his organisation. Maybe you have other ideas to help raise awareness in your organisation, let us know and maybe schedule some of these during October?
Mark - Shearwater
Comments
I expected "Controlled Use of Administrative Privileges" to be number 1 as it is the cause of 99.9% of our troubles, and the reason why 18 of the other 19 are the result of not having it "controlled".
Jack
Sep 21st 2011
1 decade ago
M
Mark
Sep 21st 2011
1 decade ago
http://www.readwriteweb.com/archives/breaking_the_internet_researchers_successfully_hac.php
Thanks again for all that you do.
EH
EH
Sep 21st 2011
1 decade ago
David
Sep 21st 2011
1 decade ago
The link is here: http://www.staysafeonline.org/ncsam
Microsoft also posts free materials that are pretty nice.
That link is here:
http://www.microsoft.com/security/resources/default.aspx#Free-materials
Jeff H.
Sep 21st 2011
1 decade ago
http://www.giac.org/paper/gcia/1131/small-business-budget-implementation-20-security-controls/107303
Russell
Sep 21st 2011
1 decade ago
DylanD
Sep 21st 2011
1 decade ago
Alan
Sep 25th 2011
1 decade ago