The 4 Security Controls Your Business Should Take Now
Security experts have defined the 20 most important security controls any organization should make now. Start with these four.
Fri, March 08, 2013
PC World — There never will be a perfect computer or network defense. Computer security is a constantly elevating game of cat-and-mouse. As quickly as you address the latest threat, attackers have already developed a new technique to access your network and compromise your PCs. But if you focus on the fundamentals, you can minimize your risk and defend against most attacks.
Small companies have limited IT resources, and can't possibly defend against every possible exploit or attack. How do you know what to prioritize? Start with the 20 Critical Security Controls report, written by the Center for Internet Security (CIS), the SANS Institute, and the National Security Agency (NSA). To help businesses and governments, they have defined the security controls that block the most frequent attacks.
Speaking recently at the RSA Security conference, Philippe Courtot, chairman and CEO of Qualys, cautioned against mistaking compliance for security. He stressed that security should facilitate rather than impede business goals, naming the report as a valuable starting point.
John Pescatore, director of the SANS Institute, drew a comparison to the Pareto principle. The axiom commonly referred to as the "80/20 rule" says essentially that 20 percent of the effort or input results in 80 percent of the output.
It turns out that the top 20 priorities you should tackle to address 80 percent of the possible attacks againstA your network and PCs are common-sense fundamentals that have long been best security practices. However, even this relatively narrow list is too broad. To break it down further, here are the top four security controls you should put into practice immediately.
1. Inventory of authorized and unauthorized devices
You can't stay on top of every vulnerability and exploit for every device made, and you can't protect things if you don't even know they exist. Take an accurate inventory of both your physical and virtual servers, as well as the PCs, smartphones, tablets, and other devices connected to your network or in use in your environment.
Trying to keep track of every device on your network manually is impractical--and it wouldn't help you monitor the rogue, unauthorized devices. You should use an asset tracking tool like GFI MAX or QualysGuard to automate the process.
2. Inventory of authorized and unauthorized software
Similarly, you can't follow every flaw in every application ever written, either. Know what software is on the devices connected to your network in order to determine the risk and potential impact of any emerging threats.
Maintaining an accurate inventory of the hardware and software used on your network is difficult--especially without a tool to automate the process. However, the same tools used for taking an inventory of hardware can monitor applications as well.