Thursday, August 6, 2015

Tabula Rosa Systems Twenty Greatest Security Risks


The following list is one I recently came across which describes the ranking of security dangers. For those who have a say in their own or their organization's security decision making. I have always wondered what order these issues should have. Here is one very plausible answer!
==========================================================
(Adapted from www.sans.org/critical-security-controls/winter-2012-poster.pdf.)

Most security practitioners are familiar with the 20CSC. The controls are designed to counter an adversary’s actions of conducting reconnaissance, gaining access, keeping access and exploiting target systems by stopping attacks early, stopping multiple attacks, and mitigating the impact of any attacks that are implemented. The controls, listed in Figure 1, are prioritized by their capability to provide a direct defense against attacks. The first four controls have a very high effect on attack mitigation, while the last two are rated as having a low effect (but still important enough to be implemented.)    
Critical Control Effect on Attack Mitigation    
1. Inventory of Authorized and Unauthorized Devices    
2.     Inventory of Authorized and Unauthorized Software    
3.     Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers    
4.     Continuous Vulnerability Assessment and Remediation    
5.     Malware Defenses    
6.     Application Software Security    
7.     Wireless Device Control    
8.     Data Recovery Capability    
9.     Security Skills Assessment and Appropriate Training to Fill Gaps    
10.     Secure Configurations for Network Devices such as Firewalls, Routers, and Switches    
11.     Limitation and Control of Network Ports, Protocols, and Services    
12.     Controlled Use of Administrative Privileges    
13.     Boundary Defense    
14.     Maintenance, Monitoring, and Analysis of Security Audit Logs    
15.     Controlled Access Based on the Need to Know    
16.     Account Monitoring and Control    
17.     Data Loss Prevention    
18.     Incident Response Capability    
19.     Secure Network Engineering    
20.     Penetration Tests and Red Team Exercises    
    VERY HIGH HIGH MODERATE LOW    
   Figure 1: The 20 Critical Security Controls (Version 3.1) and Their Effect on Attack Mitigation  
SANS Analyst Program 4 Reducing Federal Systems Risk with the SANS 20 Critical Controls.
     ======================================================
Tabula Rosa Systems features a rich suite of "best of breed" products and services for network, security and systems management.  You can follow our Twitter page or our website at:

www.tabularosa.net or call us at (609) 818 1802. 

=======================================
 I am the founder and president of  a sister company, Netiquette IQ. It has a website with great assets which are being added to on a regular basis as well as a new Twitter site. I have authored the premiere book on Netiquette, “Netiquette IQ - A Comprehensive Guide to Improve, Enhance and Add Power to Your Email". My new book, “You’re Hired! Super Charge Your Email Skills in 60 Minutes. . . And Get That Job!” will be published soon follow by a trilogy of books on Netiquette for young people. You can view my profile, reviews of the book and content excerpts at:


 If you would like to listen to experts in all aspects of Netiquette and communication, try my radio show on BlogtalkRadio  Additionally, I provide content for an online newsletter via paper.li. I have also established Netiquette discussion groups with Linkedin and Yahoo.  I am also a member of the International Business Etiquette and Protocol Group and Minding Manners among others. Further, I regularly consult for the Gerson Lehrman Group, a worldwide network of subject matter experts and have been a contributor to numerous blogs and publications. 

No comments:

Post a Comment