Summary
Last month, nGuard released a security advisory called CIS Controls v8 (Part 2), which covered controls 7-12. This time we wrap up the series by covering the remaining six controls (13-18), which any company that puts emphasis on a strong security posture should treat as essential. Read about these controls below, then take action within your organization to implement them.
Controls
Control 13: Network Monitoring and Defense
If an attacker gained access to your internal network, would you even know it had happened? Tools must be in place to monitor network traffic and logs for malicious activity and to take action when it is found. Deploying an intrusion prevention system and a centralized log management system, then tuning them to your organization's environment, can halt simple attacks in their tracks and leaves a record to investigate the ones that get through.
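As an added example of what "monitoring for malicious activity" looks like in practice (this is illustrative code written for this page, not nGuard's tooling), the script below runs two simple detections over firewall or flow logs: an internal host probing many ports on one target within a short window, and an internal host reaching many internal machines on administrative ports (SMB, RDP, SSH, WinRM). The log format, addresses, timestamps, internal range and thresholds are all constructed for the example; adapt the parser to whatever your firewall or flow collector actually emits.

```python
"""Added example (not nGuard's tooling): flag scan-like and lateral-movement-like
traffic in simple firewall/flow logs. Format, addresses and thresholds are
constructed for this page; adapt parse_line() to your collector's output."""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
ADMIN_PORTS = {22, 445, 3389, 5985}             # SSH, SMB, RDP, WinRM

# Constructed sample log: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.9.2 10.0.1.10 443 allow
2024-05-01T10:00:00 10.0.5.23 10.0.1.10 21 deny
2024-05-01T10:00:01 10.0.5.23 10.0.1.10 22 allow
2024-05-01T10:00:02 10.0.5.23 10.0.1.10 23 deny
2024-05-01T10:00:03 10.0.5.23 10.0.1.10 25 deny
2024-05-01T10:00:04 10.0.5.23 10.0.1.10 80 allow
2024-05-01T10:00:05 10.0.5.23 10.0.1.10 110 deny
2024-05-01T10:00:06 10.0.5.23 10.0.1.10 135 deny
2024-05-01T10:00:07 10.0.5.23 10.0.1.10 139 deny
2024-05-01T10:00:08 10.0.5.23 10.0.1.10 443 allow
2024-05-01T10:00:09 10.0.5.23 10.0.1.10 445 allow
2024-05-01T10:00:10 10.0.5.23 10.0.1.10 3389 deny
2024-05-01T10:00:11 10.0.5.23 10.0.1.10 8080 deny
2024-05-01T10:01:30 10.0.9.2 10.0.1.10 443 allow
2024-05-01T10:02:00 10.0.9.2 1.1.1.1 53 allow
2024-05-01T10:03:00 203.0.113.5 10.0.1.10 443 allow
2024-05-01T10:05:00 10.0.7.40 10.0.1.11 445 allow
2024-05-01T10:05:10 10.0.7.40 10.0.1.12 445 allow
2024-05-01T10:05:20 10.0.7.40 10.0.1.13 445 allow
2024-05-01T10:05:30 10.0.7.40 10.0.1.14 445 allow
2024-05-01T10:05:40 10.0.7.40 10.0.1.15 445 allow
2024-05-01T10:05:50 10.0.7.40 10.0.1.16 445 allow
this line is malformed and is skipped
"""


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, action = parts
    try:
        return (datetime.fromisoformat(ts), ipaddress.ip_address(src),
                ipaddress.ip_address(dst), int(port), action)
    except ValueError:
        return None


def max_distinct_in_window(events, window_s):
    """Largest number of distinct keys seen inside any window_s-second window.
    events is a list of (datetime, key) tuples in any order."""
    events = sorted(events)
    in_window = Counter()
    best = left = 0
    for t, key in events:
        in_window[key] += 1
        while (t - events[left][0]).total_seconds() > window_s:
            old = events[left][1]
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            left += 1
        best = max(best, len(in_window))
    return best


def detect(log_text, window_s=60, scan_ports=10, lateral_hosts=5):
    """Return findings as (kind, src, dst, count) tuples.
    port_scan: an internal source touches >= scan_ports distinct ports on one host.
    lateral_movement: an internal source reaches >= lateral_hosts distinct internal
    hosts on admin ports. Denied connections count too: a blocked probe is still a probe."""
    per_pair = defaultdict(list)   # (src, dst) -> [(time, port)]
    per_src = defaultdict(list)    # src -> [(time, dst)] for admin-port hits
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        t, src, dst, port, _action = rec
        if src not in INTERNAL:        # this check is about the inside view
            continue
        per_pair[(src, dst)].append((t, port))
        if dst in INTERNAL and port in ADMIN_PORTS:
            per_src[src].append((t, dst))
    findings = []
    for (src, dst), ev in per_pair.items():
        n = max_distinct_in_window(ev, window_s)
        if n >= scan_ports:
            findings.append(("port_scan", str(src), str(dst), n))
    for src, ev in per_src.items():
        n = max_distinct_in_window(ev, window_s)
        if n >= lateral_hosts:
            findings.append(("lateral_movement", str(src), None, n))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

On the sample data this reports 10.0.5.23 touching 12 ports on 10.0.1.10 and 10.0.7.40 reaching six internal hosts over SMB, while the ordinary HTTPS and DNS traffic from 10.0.9.2 stays quiet. The thresholds are the part that needs tuning per environment: a vulnerability scanner or a backup server will trip these rules legitimately and should be allow-listed rather than the rule loosened.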
Control 14: Security Awareness and Skills Training
Employees are the weakest link in an organization's security chain. Step 1 for any company looking to improve its security posture should be training employees to recognize and halt social engineering attempts. At nGuard, we regularly conduct advanced social engineering campaigns for our customers, and their employees fall for them every time. Establish and maintain a security awareness program for employees and run simulations, such as phishing exercises, where possible. Make security part of your company's culture.
Control 15: Service Provider Management
We have seen a lot of disturbing headlines lately in which companies hand data to third parties and those vendors allow the data to be compromised. The vendor may be responsible, but perhaps the contracting organization did not conduct proper due diligence. Take service provider management seriously: have a documented process for evaluating whether a vendor will put security first while in possession of your sensitive data, and revisit that evaluation over the life of the relationship rather than only at onboarding.
Control 16: Application Software Security
Any nGuard engineer will tell you that the easiest way to compromise a system is by exploiting critical, widely known vulnerabilities in outdated or unsupported software. Control 16 covers the security lifecycle of the software your organization develops or acquires, including the third-party components it depends on. Organizations rely on a slew of software packages to conduct daily business, yet they fail to update them when security patches are released. nGuard recommends that you maintain an inventory of the firmware, software and third-party components in use, with their versions; subscribe to vendor mailing lists so you are alerted when new patches are released; and configure automatic updates where possible. Do not let your software stay outdated for an extended period of time!
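To show what the inventory-plus-advisory check looks like when it is automated, here is an added example (written for this page, not nGuard's tooling) that compares a software inventory against a list of vendor advisories. The component names, versions and advisory references are constructed placeholders. The point it demonstrates is the comparison itself: versions must be compared as numeric tuples, because a string comparison reports that 1.10.3 is older than 1.9.0 and that 14.2 is newer than 14.10, which silently hides exactly the unpatched component you are looking for.

```python
"""Added example (not nGuard's tooling): check a software inventory against
vendor advisories using version-aware comparison. Component names, versions
and advisory references below are constructed placeholders."""
import re

# Constructed inventory: component -> installed version
INVENTORY = {
    "gateway": "1.10.3",
    "tls-lib": "3.0.8",
    "agent": "2.4",
    "db": "14.2",
}

# Constructed advisories: (component, first fixed version, advisory reference)
ADVISORIES = [
    ("gateway", "1.9.0", "ADV-0001"),
    ("tls-lib", "3.0.9", "ADV-0002"),
    ("agent", "2.4.0", "ADV-0003"),
    ("db", "14.10", "ADV-0004"),
    ("cache", "7.2.1", "ADV-0005"),   # not deployed in this inventory
]


def parse_version(v):
    """'1.10.3' -> (1, 10, 3). The leading dotted-numeric part carries the ordering;
    suffixes such as '-rc1' are dropped (a simplification assumed for this example)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in m.group(1).split("."))


def version_lt(installed, fixed):
    """True if installed is older than fixed. Shorter tuples are padded with zeros
    so that '2.4' compares equal to '2.4.0' rather than older."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def find_outdated(inventory, advisories):
    """Components installed below an advisory's fixed version, as
    (component, installed, fixed, reference) tuples."""
    outdated = []
    for component, fixed, ref in advisories:
        installed = inventory.get(component)
        if installed is None:
            continue                      # not in this environment, nothing to patch
        if version_lt(installed, fixed):
            outdated.append((component, installed, fixed, ref))
    return outdated


def find_outdated_naive(inventory, advisories):
    """The bug this example warns against: comparing versions as strings.
    Flags gateway and agent wrongly, and misses db entirely."""
    return [(c, inventory[c], f, r) for c, f, r in advisories
            if c in inventory and inventory[c] < f]


if __name__ == "__main__":
    print("version-aware:", find_outdated(INVENTORY, ADVISORIES))
    print("string compare:", find_outdated_naive(INVENTORY, ADVISORIES))
```

Run against the constructed data, the version-aware check reports tls-lib and db; the string-based one reports gateway, tls-lib and agent, two false positives and one missed patch. Feed it your real inventory export and the advisory feed you subscribe to, and schedule it rather than running it by hand.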
Control 17: Incident Response Management
Many security professionals will tell you that it is not a matter of "if" but of "when" a company will be compromised in some form or fashion. Is your organization prepared to recover from a ransomware attack? If not, it is time to think about it. A well-developed incident response plan can prevent a world of trouble. Develop policies, plans and procedures; define roles; conduct training; and prepare communication plans so that threats are contained quickly. Once these measures are in place, conduct tabletop exercises to test the plan against a realistic scenario.
Control 18: Penetration Testing
This is nGuard's favorite control. Penetration testing evaluates the security of an IT infrastructure by safely attempting to exploit vulnerabilities. While vulnerability scans do a great job of pointing you to the low-hanging fruit that attackers will take advantage of, penetration testing brings a real-world expert into your environment to chain vulnerabilities together and gives you a better evaluation of actual risk. Start with external penetration testing to secure your public-facing infrastructure, then move to internal penetration testing to make life harder for an attacker who gets in.
Next Steps
nGuard offers a wide variety of services that will help guide your organization on its path to implementing these critical security controls. Our Strategic Security Assessment allows your organization’s key players the opportunity to sit down with a security consultant who knows these controls like the back of their hand. Not only will they help you strengthen the controls that are already in place, they will make recommendations for the areas in which your organization falls short. Below are some other ways nGuard can help your business implement these controls: