THE TOP 4 CONTROLS

The Top 20 Critical Security Controls are rated in severity by the NSA from very high down to low. In this mini-guide, we're going to look at the four security controls at the top of the list. These are the ones today's
For a more comprehensive guide to the full list of controls, download The Executive's Guide To The Top 20 Critical Security Controls at: www.tripwire.com/20criticalcontrols
CONTROL 1: INVENTORY OF AUTHORIZED AND UNAUTHORIZED DEVICES
Reduce the ability of attackers to find and exploit

What to do: Start small and basic
How to do it: This control is process heavy and benefits from automation, but if you move too big too fast, you're likely to end up in the integration ring of hell. Start by getting discovery and inventory maintenance down pat, then integrate that with your incident detection and response system (people, process and technology).

What to do: Take these requirements to your vendors
How to do it: If your tool vendors aren't aware of these requirements, the data integration between business processes will be your burden.
CONTROL 2: INVENTORY OF AUTHORIZED AND UNAUTHORIZED SOFTWARE

What to do: Start small and basic
How to do it: As with Control 1, there's too much that can go wrong if you try to go big too soon. Start with the understanding that there are some fairly obvious edge cases you'll eventually need to cover.

What to do: Take Controls 1 and 2 together
How to do it: The reality is that computing devices and software are, from a business perspective, assets. Tracking both with a reasonable degree of accuracy is important, so why make the distinction from a process perspective?

What to do: Take these requirements to your vendors
How to do it: If your tool vendors aren't aware of these requirements, the data integration between business processes will be your burden.
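The guide's advice to treat Controls 1 and 2 as one asset-tracking process, shown as an added example that is not from the Tripwire guide: a reconciliation step that compares what discovery found against an authorized inventory and produces findings an incident detection system can consume. The inventory, scan data and event format are constructed for illustration.

```python
"""Reconcile discovered devices and software against an authorized inventory.
Added example; device names, software labels and the event format are
constructed sample data, not output of any real discovery tool."""
from dataclasses import dataclass

# Constructed authorized inventory: device id -> approved software on it.
AUTHORIZED = {
    "ws-101": {"chrome 120", "7zip 23"},
    "srv-db1": {"postgres 15"},
    "ws-102": {"chrome 120"},
}

# Constructed discovery results, as an asset-discovery scan might report them.
DISCOVERED = {
    "ws-101": {"chrome 120", "7zip 23", "torrent-client 4"},
    "srv-db1": {"postgres 15"},
    "unknown-a1b2": {"sshd 9"},
}

@dataclass(frozen=True)
class Finding:
    kind: str    # unauthorized_device | missing_device | unauthorized_software
    device: str
    detail: str = ""

def reconcile(authorized, discovered):
    """Return findings covering the three edge cases the process must handle:
    a device nobody authorized, an authorized device that went quiet, and
    software on a known device that is not on its approved list."""
    findings = []
    for dev in sorted(discovered.keys() - authorized.keys()):
        findings.append(Finding("unauthorized_device", dev))
    for dev in sorted(authorized.keys() - discovered.keys()):
        findings.append(Finding("missing_device", dev))
    for dev in sorted(authorized.keys() & discovered.keys()):
        for sw in sorted(discovered[dev] - authorized[dev]):
            findings.append(Finding("unauthorized_software", dev, sw))
    return findings

def to_ir_events(findings):
    """Map findings to flat records for a ticketing/IR feed (hypothetical format)."""
    return [{"control": 2 if f.kind == "unauthorized_software" else 1,
             "type": f.kind, "device": f.device, "detail": f.detail}
            for f in findings]

if __name__ == "__main__":
    for event in to_ir_events(reconcile(AUTHORIZED, DISCOVERED)):
        print(event)
```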
CONTROL 3: SECURE CONFIGURATIONS FOR HARDWARE AND SOFTWARE ON MOBILE DEVICES, LAPTOPS, WORKSTATIONS, AND SERVERS

What to do: If you do one thing, do this
How to do it: Start with security configuration management (SCM). Look at the past year's breach reports from a variety of sources to see whether misconfigurations are common breach enablers.

What to do: Prepare for incidents
How to do it: This is linked to your incident detection and response processes, whatever their level of maturity. If you need SCM resources to be on stand-by, prepare for it here.

What to do: Take these
How to do it: This control details requirements for both internal developers and vendors. Have your
CONTROL 4: CONTINUOUS VULNERABILITY ASSESSMENT AND REMEDIATION

What to do: Operational maturity
How to do it: This control is somewhat different from the others. It's more focused on the time it takes to accomplish specific tasks and on the process of continuous vulnerability management. The efficiency of security processes is what matters most here.

What to do: Interoperability
How to do it: The three most obvious points of integration are with asset management, alerting and ticketing systems. No less important are integration opportunities with LDAP for user roles and the relationship of vulnerability management with configuration management. These points of interoperability are critically important to security automation.
HOW DO YOU RANK THREATS TO YOUR BUSINESS?

For each control, the NSA rank is given; fill in your own rank (1-20).

NSA Rank | Control | Your Rank (1-20)
1 | Inventory of Authorized and Unauthorized Devices | ____
2 | Inventory of Authorized and Unauthorized Software | ____
3 | Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers | ____
4 | Continuous Vulnerability Assessment and Remediation | ____
5 | Malware Defenses | ____
6 | Application Software Security | ____
7 | Wireless Access Control | ____
8 | Data Recovery Capability | ____
9 | Security Skills Assessment and Appropriate Training to Fill Gaps | ____
10 | Secure Configurations for Network Devices such as Firewalls, Routers, and Switches | ____
11 | Limitation and Control of Network Ports, Protocols, and Services | ____
12 | Controlled Use of Administrative Privileges | ____
13 | Boundary Defense | ____
14 | Maintenance, Monitoring, and Analysis of Audit Logs | ____
15 | Controlled Access Based on the Need to Know | ____
16 | Account Monitoring and Control | ____
17 | Data Protection | ____
18 | Incident Response and Management | ____
19 | Secure Network Engineering | ____
20 | Penetration Tests and Red | ____