THE TOP 4 CONTROLS. www.tripwire.com/20criticalcontrols




THE TOP 20 CRITICAL SECURITY CONTROLS ARE RATED IN SEVERITY BY THE NSA FROM VERY HIGH DOWN TO LOW. IN THIS MINI-GUIDE, WE'RE GOING TO LOOK AT THE FOUR SECURITY CONTROLS AT THE TOP OF THE LIST. THESE ARE THE ONES TODAY'S ORGANIZATIONS ABSOLUTELY MUST TACKLE TO ENSURE THEY ARE ADEQUATELY PROTECTED.

FOR EACH, WE'LL PULL OUT THE THREE MOST IMPORTANT FACTORS AND PROVIDE GUIDANCE ON WHAT YOU SHOULD DO NEXT IF YOUR OWN CONTROLS ARE LACKING. For a more comprehensive guide to the full list of controls, download The Executive's Guide To The Top 20 Critical Security Controls at: www.tripwire.com/20criticalcontrols

INVENTORY OF AUTHORIZED AND UNAUTHORIZED DEVICES Reduce the ability of attackers to find and exploit unauthorized and unprotected systems. Use active monitoring and configuration management to maintain an up-to-date inventory of devices connected to the enterprise network, including servers, workstations, laptops and remote devices.

What to do / How to do it

Start small and basic: This control is process heavy and benefits from automation, but if you move too big too fast, you're likely to end up in the integration ring of hell. Start by getting discovery and inventory maintenance down pat and integrating that with your incident detection and response system (people, process and technology).

Take these requirements to your vendors: If your tool vendors aren't aware of these requirements, the data integration between business processes will be your burden.

Look for standard data formats to be supported in tools: The tools you have today should support standard data formats. The tools you acquire in the future should support the asset identification specification, or one that is well-aligned with the model it puts forward.

INVENTORY OF AUTHORIZED AND UNAUTHORIZED SOFTWARE Identify vulnerable or malicious software to mitigate or root out attacks. Devise a list of authorized software for each type of system, and deploy tools to track software installed (including type, version, and patches). Then monitor for unauthorized or unnecessary software.

What to do / How to do it

Start small and basic: As with Control 1, there's too much that can go wrong if you try to go big too soon. Start with the understanding that there are some pretty obvious edge cases that you'll need to eventually cover.

Take Controls 1 and 2 together: The reality is that computing devices and software are, from a business perspective, assets. Tracking them both with a reasonable degree of accuracy is important, so why make the distinction from a process perspective?

Take these requirements to your vendors: If your tool vendors aren't aware of these requirements, the data integration between business processes will be your burden.
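The guide's advice to run Controls 1 and 2 as one process comes down to reconciling two data feeds (what discovery sees on the wire, what the inventory agent reports as installed) against two authorized lists. The following is an added example, not Tripwire's code: all device, software and discovery data in it is constructed sample input, and the MAC-keyed layout is an assumption standing in for whatever your discovery and inventory tools export.

```python
"""Reconcile discovered devices and installed software against authorized lists
(Controls 1 and 2 handled as one process).

Added example, not Tripwire's code. All data below is constructed sample
input standing in for the output of a discovery scanner and an inventory agent.
"""
from dataclasses import dataclass, field

# Constructed: authorized devices, keyed by MAC address.
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:01": {"hostname": "web01", "type": "server"},
    "00:11:22:33:44:02": {"hostname": "ws-alice", "type": "workstation"},
    "00:11:22:33:44:03": {"hostname": "lt-bob", "type": "laptop"},
}

# Constructed: authorized software per system type, name -> approved versions.
AUTHORIZED_SOFTWARE = {
    "server": {"nginx": {"1.24.0"}, "openssh": {"9.6"}},
    "workstation": {"firefox": {"124.0", "125.0"}, "openssh": {"9.6"}},
    "laptop": {"firefox": {"125.0"}, "openssh": {"9.6"}, "vpn-client": {"3.1"}},
}

# Constructed: what active discovery saw on the network in the last sweep.
DISCOVERED_DEVICES = [
    {"mac": "00:11:22:33:44:01", "ip": "10.0.0.10"},
    {"mac": "00:11:22:33:44:02", "ip": "10.0.1.20"},
    {"mac": "00:11:22:33:44:99", "ip": "10.0.1.77"},  # nobody registered this one
]

# Constructed: (name, version) pairs reported by the inventory agent, keyed by MAC.
INSTALLED_SOFTWARE = {
    "00:11:22:33:44:01": [("nginx", "1.24.0"), ("openssh", "9.6"), ("netcat", "1.10")],
    "00:11:22:33:44:02": [("firefox", "115.0"), ("openssh", "9.6")],
    "00:11:22:33:44:99": [("nmap", "7.94")],
}


@dataclass
class Findings:
    unknown_devices: list = field(default_factory=list)        # on the wire, not in inventory
    missing_devices: list = field(default_factory=list)        # in inventory, not seen
    unauthorized_software: list = field(default_factory=list)  # (host, name, version, reason)


def reconcile(authorized_devices, discovered, authorized_software, installed):
    """Compare discovery and agent data with the authorized lists."""
    f = Findings()
    seen = {d["mac"] for d in discovered}

    # Control 1: both directions matter. Unknown devices are potential rogue
    # hosts; missing devices may be stolen, powered off, or evading discovery.
    f.unknown_devices = [d for d in discovered if d["mac"] not in authorized_devices]
    f.missing_devices = sorted(
        info["hostname"] for mac, info in authorized_devices.items() if mac not in seen
    )

    # Control 2: judge software against the list for the device's own type.
    for mac, packages in installed.items():
        info = authorized_devices.get(mac)
        if info is None:
            continue  # an unknown device is already flagged above; no list applies to it
        allowed = authorized_software.get(info["type"], {})
        for name, version in packages:
            if name not in allowed:
                f.unauthorized_software.append((info["hostname"], name, version, "not on list"))
            elif version not in allowed[name]:
                f.unauthorized_software.append(
                    (info["hostname"], name, version, "version not approved")
                )
    return f


if __name__ == "__main__":
    result = reconcile(AUTHORIZED_DEVICES, DISCOVERED_DEVICES, AUTHORIZED_SOFTWARE, INSTALLED_SOFTWARE)
    for d in result.unknown_devices:
        print(f"UNKNOWN DEVICE  {d['mac']} at {d['ip']}")
    for h in result.missing_devices:
        print(f"NOT SEEN        {h}")
    for host, name, ver, why in result.unauthorized_software:
        print(f"SOFTWARE        {host}: {name} {ver} ({why})")
```

Two design points worth keeping when you wire this to real tools: the missing-device list is as important as the unknown-device list (an authorized laptop that has not been seen for a week is itself a finding), and software on a device that is not in the inventory is deliberately not judged against any allow-list, because the device finding has to be resolved first.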

SECURE CONFIGURATIONS FOR HARDWARE AND SOFTWARE ON MOBILE DEVICES, LAPTOPS, WORKSTATIONS, AND SERVERS Prevent attackers from exploiting services and settings that allow easy access through networks and browsers. Build a secure image that's used for all new systems. Host these images on secure storage servers and regularly validate and update them. Track system images in a configuration management system.

What to do / How to do it

If you do one thing, do this: Start with security configuration management (SCM). Look at the past year's breach reports from a variety of sources to see whether misconfigurations are common breach enablers.

Prepare for incidents: This is linked to your incident detection and response processes, whatever their level of maturity. If you need SCM resources to be on stand-by, prepare for it here.

Take these requirements to your vendors: This control details requirements for both internal developers and vendors. Have your developers read through this control. Also consider internal common configuration enumeration identifiers for your in-house application configuration settings.
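"Regularly validate" the image means checking what is actually on a host against the baseline the image defines, setting by setting. The following is an added example, not Tripwire's code, showing that check for one file, sshd_config, because it has a trap that a naive checker gets wrong: sshd honours the first value it reads for a keyword, not the last. The config text and the baseline are constructed; the ACME-CCE-* identifiers are hypothetical internal configuration-enumeration IDs of the kind the guide suggests for in-house settings, and the defaults table is an assumption to be confirmed against the OpenSSH version in your image.

```python
"""Validate a host's sshd_config against the secure-image baseline it was built from.

Added example, not Tripwire's code. The config text and the baseline are
constructed; the ACME-CCE-* identifiers are hypothetical internal
configuration-enumeration IDs.
"""
import re

# Constructed sshd_config as pulled from a host. Note the duplicate
# PermitRootLogin: sshd uses the FIRST value it reads for a keyword, so a
# checker that takes the last occurrence would wrongly report this host as open.
SSHD_CONFIG = """\
# constructed sample
Port 22
PermitRootLogin no
#PasswordAuthentication no
PasswordAuthentication yes
PermitRootLogin yes
Match User backup
    PasswordAuthentication no
"""

# Values OpenSSH applies when a keyword is absent (assumed for recent
# OpenSSH releases; confirm against the version in your image).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "x11forwarding": "no",
}

# Constructed baseline for one image: hypothetical id -> (keyword, expected value).
BASELINE = {
    "ACME-CCE-0001": ("PermitRootLogin", "no"),
    "ACME-CCE-0002": ("PasswordAuthentication", "no"),
    "ACME-CCE-0003": ("X11Forwarding", "no"),
}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
_LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.+?)\s*$")


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section; first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break  # everything after Match is conditional; the global scope ends here
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def check_drift(settings, baseline, defaults):
    """Return [(id, keyword, expected, actual)] for each baseline item not met.

    A keyword that is absent from the file is compared using its default, so a
    baseline that requires a non-default value still flags a host that omits it.
    """
    drift = []
    for cce_id, (keyword, expected) in baseline.items():
        key = keyword.lower()
        actual = settings.get(key, defaults.get(key))
        if actual is None or actual.lower() != expected.lower():
            drift.append((cce_id, keyword, expected, actual))
    return drift


if __name__ == "__main__":
    parsed = parse_sshd_config(SSHD_CONFIG)
    for item in check_drift(parsed, BASELINE, DEFAULTS):
        print("DRIFT %s %s: expected %r, actual %r" % item)
```

On the constructed input the host passes PermitRootLogin (the first, effective value is "no") and X11Forwarding (absent, default "no"), and fails only PasswordAuthentication, because the commented-out "no" is ignored and the live line says "yes". Feeding each drift item, with its identifier, straight into the ticketing system used by your incident process is what the "prepare for incidents" point above is asking for.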

CONTINUOUS VULNERABILITY ASSESSMENT AND REMEDIATION Proactively identify and repair software vulnerabilities reported by security researchers or vendors. Regularly run automated vulnerability scanning tools against all systems. Quickly remediate any vulnerabilities (fix critical problems within 48 hours).

What to do / How to do it

Operational maturity: This control is somewhat different from the others. It's more focused on the time it takes to accomplish specific tasks and on the process of continuous vulnerability management. The efficiency of security processes is what's most important here.

Interoperability: The three most obvious points of integration are with asset management, alerting and ticketing systems. No less important are integration opportunities with LDAP for user roles and the relationship of vulnerability management with configuration management. These points of interoperability are critically important to security automation.

Coverage: The requirements explicitly state that integration with the asset inventory system is important. As you're looking for scanning tools, be sure to have a list of all software asset classes covered, straight out of your asset inventory system, to ensure that you have adequate coverage of your enterprise.
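Since this control is measured by time-to-remediate and by coverage rather than by a single configuration state, the metric itself is worth automating. The following is an added example, not Tripwire's code: it scores constructed scanner findings against the 48-hour rule for critical problems stated above, and checks the inventory's asset classes against what the scanner is scoped to cover. The 48-hour window comes from the control text; the windows for high and medium severity are assumed placeholders, and the export format is constructed.

```python
"""Measure remediation against the 48-hour rule for critical findings and check
that scanning covers every asset class in the inventory.

Added example, not Tripwire's code. Findings, inventory classes and scan scope
are constructed; only the critical SLA comes from the control text.
"""
from datetime import datetime, timedelta, timezone

SLA = {
    "critical": timedelta(hours=48),   # from the control text
    "high": timedelta(days=7),         # assumed
    "medium": timedelta(days=30),      # assumed
}

# Constructed findings as a scanner or ticketing system might export them.
FINDINGS = [
    {"id": "F-1", "host": "web01", "severity": "critical",
     "first_seen": "2024-03-01T08:00:00Z", "fixed": None},
    {"id": "F-2", "host": "web01", "severity": "critical",
     "first_seen": "2024-03-02T09:00:00Z", "fixed": "2024-03-03T10:00:00Z"},
    {"id": "F-3", "host": "ws-alice", "severity": "high",
     "first_seen": "2024-02-20T08:00:00Z", "fixed": None},
    {"id": "F-4", "host": "ws-alice", "severity": "medium",
     "first_seen": "2024-03-02T08:00:00Z", "fixed": None},
]

# Constructed: asset classes known to the inventory vs. classes the scan profiles target.
INVENTORY_CLASSES = {"server", "workstation", "laptop", "network-device"}
SCAN_SCOPE_CLASSES = {"server", "workstation"}

NOW = datetime(2024, 3, 4, 12, 0, tzinfo=timezone.utc)  # constructed "current time"


def parse_ts(s):
    """Parse the scanner's UTC timestamps into aware datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sla_status(finding, now, sla=SLA):
    """Return (status, hours_elapsed). Status is 'met', 'open' or 'overdue'.

    'overdue' covers both findings still open past their window and findings
    that were closed late; the clock for open findings runs until `now`.
    """
    opened = parse_ts(finding["first_seen"])
    closed = parse_ts(finding["fixed"]) if finding["fixed"] else None
    elapsed = (closed or now) - opened
    hours = round(elapsed.total_seconds() / 3600, 1)
    if elapsed > sla[finding["severity"]]:
        return "overdue", hours
    return ("met" if closed else "open"), hours


def sla_report(findings, now, sla=SLA):
    """Group finding ids by status; critical overdue ones are listed again for escalation."""
    report = {"met": [], "open": [], "overdue": [], "critical_overdue": []}
    for f in findings:
        status, _hours = sla_status(f, now, sla)
        report[status].append(f["id"])
        if status == "overdue" and f["severity"] == "critical":
            report["critical_overdue"].append(f["id"])
    return report


def coverage_gaps(inventory_classes, scan_scope_classes):
    """Asset classes the inventory knows about but no scan profile targets."""
    return sorted(inventory_classes - scan_scope_classes)


if __name__ == "__main__":
    for key, ids in sla_report(FINDINGS, NOW).items():
        print(f"{key:17s} {ids}")
    print("not scanned:", coverage_gaps(INVENTORY_CLASSES, SCAN_SCOPE_CLASSES))
```

On the constructed data F-1 is a critical finding open for 76 hours and so is escalated, F-2 was closed inside its window, F-3 is a high finding well past the assumed seven days, and F-4 is still within its window. The coverage check is the "straight out of your asset inventory system" point made concrete: laptops and network devices exist in the inventory but no scan profile targets them, so any remediation metric computed from scan results alone is silently incomplete for those classes.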

HOW DO YOU RANK THREATS TO YOUR BUSINESS? Today, you need to ensure your business is protected against an ever-evolving range of security threats. In this guide and the accompanying poster, we've outlined the key controls you need to have in place to minimize the risk to your organization. But what should you focus on first? Use the table below to rank the controls in order of priority for your business. This will help you prioritize what's most important within your organization to ensure you're adequately protected.

NSA Rank | Control | Your Rank (1-20)
1 | Inventory of Authorized and Unauthorized Devices | ____
2 | Inventory of Authorized and Unauthorized Software | ____
3 | Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers | ____
4 | Continuous Vulnerability Assessment and Remediation | ____
5 | Malware Defenses | ____
6 | Application Software Security | ____
7 | Wireless Access Control | ____
8 | Data Recovery Capability | ____
9 | Security Skills Assessment and Appropriate Training to Fill Gaps | ____
10 | Secure Configurations for Network Devices such as Firewalls, Routers, and Switches | ____
11 | Limitation and Control of Network Ports, Protocols, and Services | ____
12 | Controlled Use of Administrative Privileges | ____
13 | Boundary Defense | ____
14 | Maintenance, Monitoring, and Analysis of Audit Logs | ____
15 | Controlled Access Based on the Need to Know | ____
16 | Account Monitoring and Control | ____
17 | Data Protection | ____
18 | Incident Response and Management | ____
19 | Secure Network Engineering | ____
20 | Penetration Tests and Red Team Exercises | ____

HOW WE CAN HELP Tripwire is a leading global provider of risk-based security and compliance management solutions, enabling enterprises, government agencies and service providers to effectively connect security to their business. Tripwire provides the broadest set of foundational security controls including security configuration management, vulnerability management, file integrity monitoring, log and event management. Tripwire solutions deliver unprecedented visibility, business context and security business intelligence allowing extended enterprises to protect sensitive data from breaches, vulnerabilities, and threats.

LEARN MORE: tripwire.com
IMPORTANT SECURITY QUESTIONS: tripwire.com/20securityquestions
FOLLOW US ON TWITTER: @TripwireInc
MEET US ON LINKEDIN: /company/tripwire
SECURITY NEWS AND INSIGHTS: tripwire.com/blog