The following list is one I recently came across; it describes a ranking of security dangers for those who have a say in their own or their organization's security decision making. I have always wondered what order these issues should have. Here is one very plausible answer!
==========================================================
(Adapted from www.sans.org/critical-security-controls/winter-2012-poster.pdf.)
Most security practitioners are familiar with the 20CSC. The controls are designed to counter an adversary's actions of conducting reconnaissance, gaining access, keeping access and exploiting target systems, by stopping attacks early, stopping multiple attacks, and mitigating the impact of any attacks that are carried out. The controls, listed in Figure 1, are prioritized by their capability to provide a direct defense against attacks. The first four controls have a very high effect on attack mitigation, while the last two are rated as having a low effect (but still important enough to implement).
Critical Control (rated by effect on attack mitigation):
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Device Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Security Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Loss Prevention
18. Incident Response Capability
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
Figure 1: The 20 Critical Security Controls (Version 3.1) and Their Effect on Attack Mitigation (rating scale: Very High, High, Moderate, Low)
Source: SANS Analyst Program, "Reducing Federal Systems Risk with the SANS 20 Critical Controls."
======================================================
Tabula Rosa Systems features a rich suite of "best of breed" products and services for network, security and systems management. You can follow our Twitter page or our website at:

I am the founder and president of a sister company, Netiquette IQ. It has a website with great assets, which are being added to on a regular basis, as well as a new Twitter site. I have authored the premier book on Netiquette, "Netiquette IQ - A Comprehensive Guide to Improve, Enhance and Add Power to Your Email". My new book, "You're Hired! Super Charge Your Email Skills in 60 Minutes. . . And Get That Job!", will be published soon, followed by a trilogy of books on Netiquette for young people. You can view my profile, reviews of the book and content excerpts at:

If you would like to listen to experts in all aspects of Netiquette and communication, try my radio show on BlogtalkRadio. Additionally, I provide content for an online newsletter via paper.li. I have also established Netiquette discussion groups on LinkedIn and Yahoo. I am also a member of the International Business Etiquette and Protocol Group and Minding Manners, among others. Further, I regularly consult for the Gerson Lehrman Group, a worldwide network of subject matter experts, and have been a contributor to numerous blogs and publications.