SANS 20 Critical Security Controls
The SANS 20 Security Controls, published by the Center for Strategic and International Studies (CSIS), are prioritized mitigation steps that your organization can use to improve cyber security. They are a set of 20 controls that will help you counter common threat pathways and remediate potential vulnerabilities. The SANS Top 20 CSCs are often used by organizations that have yet to develop a comprehensive information security program. Learn more about the 20 critical security controls and what they mean for your organization.
What Are the SANS 20 Critical Security Controls?
The Top 20 CSCs can be seen as a roadmap for implementing a successful cyber security program. SANS is an organization dedicated to information security training and security certification, and the Critical Security Controls effort focuses on prioritizing security controls that have demonstrated real-world effectiveness. The controls advocate for the use of automated information security software. According to SANS, there was more than a 94% reduction in measured security risk through the rigorous automation and measurement of the Top 20 Controls.
The 20 critical security controls include:
Critical Control 1: Inventory of Authorized and Unauthorized Devices
Cyber attackers will typically scan address spaces waiting for new and unprotected IT assets to be added to the system. The first control encourages companies to use an inventory discovery tool to automatically log and track all devices that exist in the company’s IT infrastructure. Many organizations do not have a complete list of all assets that need protection.
Critical Control 2: Inventory of Authorized and Unauthorized Software
SANS encourages companies to include both authorized and unauthorized software in their IT asset inventory database. Most cyber attacks are carried out using a combination of social engineering, phishing emails and software vulnerabilities: Java, Adobe Flash and Acrobat, Firefox and Chrome plugins, and 0-day client-side/browser vulnerabilities. The vulnerability discovery tool should automatically include both types of software in the scanning process to ensure that these assets are protected as well.
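Controls 1 and 2 both come down to the same check: reconcile what discovery actually found against what the organization has authorized, and flag both directions of drift (unknown devices or packages, and authorized assets that have gone missing). The following added example, which is not code from the page or from any vendor, shows that reconciliation on constructed sample data; the inventory contents, MAC addresses and package versions are invented for illustration.

```python
"""Reconcile a discovery scan against an authorized device and software inventory.

Added example for Critical Controls 1 and 2. All inventory data below is
constructed for illustration and does not describe a real network.
"""
import re

# Constructed authorized device inventory: normalized MAC -> asset name.
AUTHORIZED_DEVICES = {
    "00:1a:2b:3c:4d:5e": "fileserver-01",
    "00:1a:2b:3c:4d:5f": "workstation-17",
    "00:1a:2b:3c:4d:60": "printer-lobby",
}

# Constructed software allowlist: package name -> approved versions.
AUTHORIZED_SOFTWARE = {
    "openssh-server": {"9.6p1", "9.7p1"},
    "firefox": {"125.0", "126.0"},
}

# Constructed discovery output. Different tools emit MACs in different
# notations, which is exactly why reconciliation must normalize first.
DISCOVERED_DEVICES = [
    {"mac": "00-1A-2B-3C-4D-5E", "ip": "10.0.0.10"},
    {"mac": "001a.2b3c.4d5f", "ip": "10.0.0.17"},
    {"mac": "de:ad:be:ef:00:01", "ip": "10.0.0.99"},  # not in the inventory
]

# Constructed installed-software report: (host, package, version).
INSTALLED_SOFTWARE = [
    ("workstation-17", "firefox", "126.0"),
    ("workstation-22", "firefox", "118.0"),      # approved package, stale version
    ("fileserver-01", "openssh-server", "9.7p1"),
    ("workstation-17", "teamviewer", "15.3"),    # package not on the allowlist
]


def normalize_mac(mac):
    """Accept colon, hyphen or Cisco dotted notation; return lowercase colon form."""
    hex_digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hex_digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hex_digits[i:i + 2] for i in range(0, 12, 2))


def reconcile_devices(discovered, authorized=AUTHORIZED_DEVICES):
    """Return devices seen but not authorized, and authorized devices not seen."""
    seen = {normalize_mac(d["mac"]) for d in discovered}
    return {
        "unauthorized": sorted(seen - authorized.keys()),
        "missing": sorted(authorized.keys() - seen),
    }


def reconcile_software(installed, authorized=AUTHORIZED_SOFTWARE):
    """Return (host, package, version, reason) for every disallowed install."""
    findings = []
    for host, package, version in installed:
        approved = authorized.get(package)
        if approved is None:
            findings.append((host, package, version, "unauthorized package"))
        elif version not in approved:
            findings.append((host, package, version, "unapproved version"))
    return findings


if __name__ == "__main__":
    print(reconcile_devices(DISCOVERED_DEVICES))
    for finding in reconcile_software(INSTALLED_SOFTWARE):
        print(finding)
```

A "missing" authorized device is worth as much attention as an unauthorized one: it may have been removed, or discovery may have lost coverage of a network segment.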
SANS Critical Control 3: Secure Configurations
Control 3 focuses on ensuring companies set up and maintain proper security configurations on all workstations, laptops, servers, and mobile devices. Organizations can use a configuration review scanner and authenticated scans to monitor the security of their operating systems automatically and confirm that the configured defenses against malware remain in place.
Critical Control 4: Continuous Vulnerability Assessment and Remediation
The fourth control focuses on the value of continuous vulnerability management and remediation. Many companies will only scan their assets for potential vulnerabilities every three to six months, which may be the bare minimum for compliance purposes. Still, SANS urges companies to monitor their assets continuously. Hackers are waiting for potential vulnerabilities to pop up online. Companies simply can’t afford to wait every few weeks to perform an audit. The latest vulnerability assessment and remediation software will scan assets every few seconds for continuous monitoring. The system will then alert the IT department, so they can remediate vulnerabilities by patching the system as soon as possible.
Critical Control 5: Malware Defenses
Malware remains a dangerous threat to organizations of all sizes. Companies can use the latest vulnerability management software to automatically scan assets for malware before it can spread to other parts of the network.
Critical Control 6: Application Software Security
Web and mobile applications can often be the weakest link in the security chain. This control encourages companies to install web application firewalls to protect these applications while including them in the VRM scanning process.
Critical Control 7: Wireless Device Control
Wireless networks and the devices that use them often lack the necessary security protocols to ward off a potential attack. Control 7 outlines the ways in which organizations can test, monitor, and analyze their wireless networks for potential vulnerabilities while encrypting sensitive information and setting administrative privileges.
Critical Control 8 and 9: Data Recovery Capability & Security Skill Assessment
Control 8 refers to an organization’s ability to recover data in the event of a breach or attack. This often includes storing a secure backup outside of the company’s IT system.
Control 9 refers to an organization’s ongoing security training program and security skill improvement. Employees need to regularly improve their skills to keep up with the latest trends in cyber security.
Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
This control speaks to the importance of setting security configurations for network devices, including internet routers, which often lack the necessary cyber security protections.
Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services
Control 11 focuses on limiting access to network ports, protocols, and other services. The latest VRM software will analyze production systems for unauthorized ports, protocols, and services while blocking unauthorized users using the application firewall.
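The check behind Control 11 is a baseline comparison: every listening port on a production host should map to an approved service, and anything else is a finding. The added example below, written for this page rather than taken from any product, parses constructed `ss -ltnp`-style output and compares it with a per-host baseline; it also distinguishes a listener bound only to loopback from one exposed on all interfaces, since the two carry different risk. The output lines, ports and process names are invented for illustration.

```python
"""Audit listening TCP ports against an approved-service baseline.

Added example for Critical Control 11. The ss(8) output below is constructed
for illustration; the baseline is a made-up policy for one host.
"""
import re

# Constructed policy: port -> process that is allowed to own it.
BASELINE = {22: "sshd", 443: "nginx"}

# Constructed listener table in the layout of `ss -ltnp`.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1200,fd=6))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      50     0.0.0.0:5900        0.0.0.0:*         users:(("x11vnc",pid=4410,fd=5))
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=700,fd=7))
"""

# One LISTEN row: state, queues, local addr:port, peer, optional process field.
SS_LINE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+?):(?P<port>\d+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)"[^)]*\)\))?'
)


def is_loopback(addr):
    """True for IPv4/IPv6 loopback binds, which are not reachable from the network."""
    return addr.startswith("127.") or addr == "[::1]"


def audit_listeners(ss_output, baseline=BASELINE):
    """Return one finding per listener that is absent from or mismatched with the baseline."""
    findings = []
    for line in ss_output.splitlines():
        match = SS_LINE.match(line)
        if not match:
            continue  # header or non-LISTEN row
        port = int(match["port"])
        proc = match["proc"] or "unknown"
        addr = match["addr"]
        expected = baseline.get(port)
        if expected is None:
            scope = "loopback only" if is_loopback(addr) else "exposed"
            findings.append({"port": port, "process": proc, "addr": addr,
                             "reason": f"not in baseline ({scope})"})
        elif proc != expected:
            findings.append({"port": port, "process": proc, "addr": addr,
                             "reason": f"owned by {proc}, baseline expects {expected}"})
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(SS_OUTPUT):
        print(finding)
```

The process-name check matters as much as the port check: an approved port number served by an unexpected binary is a configuration change worth investigating, not a pass.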
Critical Control 12: Controlled Use of Administrative Privileges
This control deals with an organization’s ability to track and control the use of administrative privileges.
Critical Control 13: Boundary Defense
Boundary defenses are security tools that separate networks according to their level of trust. They include firewalls, intrusion detection and prevention systems, web content filtering, network access controls, routers/switches, and proxy servers, and together they help organizations prevent attacks from crossing those boundaries.
Critical Controls 14 and 15: Audit Logs and Controlled Access
Control 14 refers to audit logs for firewalls, network devices, servers, and hosts. They are usually the only way to determine whether a host has been compromised. The logs need to be aggregated, safeguarded, and correlated with other relevant security events. Control 15 deals with restricting access to data to people with an appropriate need to know, based on their role in the organization. This can help organizations prevent sensitive information from falling into the wrong hands.
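The reason Control 14 insists on aggregation and correlation, not just collection, is that a pattern can be invisible on any single host and obvious across the fleet. The added example below (written for this page, not taken from any product) runs a simple correlation over constructed sshd authentication lines gathered from three hosts: it counts failed logins per source address across all hosts and raises an alert when a success follows enough failures within a time window. Per host, no machine in the sample crosses the threshold; only the aggregated view does. Log lines, hostnames and addresses are invented for illustration.

```python
"""Correlate aggregated authentication logs: failures on several hosts followed by a success.

Added example for Critical Control 14. The log lines are constructed for
illustration and use documentation-only IP ranges.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed aggregated log: ISO timestamp, host, then the sshd message.
AGGREGATED_LOGS = """\
2024-05-01T09:00:01 web-01 sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
2024-05-01T09:00:03 web-01 sshd[1002]: Failed password for root from 203.0.113.7 port 51001 ssh2
2024-05-01T09:00:05 db-01 sshd[2001]: Failed password for root from 203.0.113.7 port 51002 ssh2
2024-05-01T09:00:09 db-01 sshd[2002]: Accepted password for root from 203.0.113.7 port 51003 ssh2
2024-05-01T09:15:00 web-01 sshd[1003]: Accepted publickey for deploy from 198.51.100.5 port 40000 ssh2
2024-05-01T09:20:00 web-02 sshd[3001]: Failed password for root from 192.0.2.9 port 60000 ssh2
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_events(log_text):
    """Return (timestamp, host, result, user, ip) tuples sorted by time."""
    events = []
    for line in log_text.splitlines():
        match = LOG_LINE.match(line)
        if match:
            events.append((datetime.fromisoformat(match["ts"]), match["host"],
                           match["result"], match["user"], match["ip"]))
    return sorted(events)


def correlate(log_text, threshold=3, window=timedelta(minutes=10)):
    """Alert when a source IP succeeds after >= threshold failures fleet-wide within the window."""
    failures = defaultdict(list)  # ip -> [(timestamp, host), ...]
    alerts = []
    for ts, host, result, user, ip in parse_events(log_text):
        if result == "Failed":
            failures[ip].append((ts, host))
            continue
        recent = [(t, h) for t, h in failures[ip] if ts - t <= window]
        if len(recent) >= threshold:
            alerts.append({
                "ip": ip,
                "user": user,
                "success_host": host,
                "failures": len(recent),
                "hosts": sorted({h for _, h in recent} | {host}),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(AGGREGATED_LOGS):
        print(alert)
```

The same logic run per host would stay silent here, because web-01 saw only two failures and db-01 only one before the success; the fleet-wide count is what makes the event stand out, which is the practical argument for centralizing logs before writing detections.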
Critical Control 16: Account Monitoring and Control
This control addresses the need to protect privileged user and administrative accounts. Automated scanning tools will identify potential access control weaknesses, including expired or weak passwords and outdated lockout policies.
Critical Controls 17, 18 and 19: Data Loss Prevention, Incident Response and Management, Secure Network Engineering
These controls focus on how companies can prevent potential data breaches, improve their incident response times, and avoid permanent data loss.
Critical Control 20: Penetration Tests and Red Team Exercises
The last control talks about the importance of penetration testing and how companies can hire ethical hackers to conduct simulated attacks on the system without disrupting operations. The organization can then patch the system before a real attack occurs.
Download the full SANS 20 Critical Security Controls Whitepaper from NopSec to understand each control and how features in Unified VRM map to the respective control.