By Peter Silva | August 24, 2011 09:15 AM EDT
A couple of days ago, The SANS Institute announced the release of a major update (Version 3.0) to the 20 Critical Controls, a prioritized baseline of information security measures designed to provide continuous monitoring to better protect government and commercial computers and networks from cyber attacks. The information security threat landscape is always changing, especially this year with the well-publicized breaches. The particular controls have been tested and provide an effective solution to defending against cyber attacks. The focus is on critical technical areas that can help an organization prioritize efforts to protect against the most common and dangerous attacks. Automating security controls is another key area, to help gauge and improve the security posture of an organization.
The update takes into account the information gleaned from law enforcement agencies, forensics experts and penetration testers who have analyzed the various methods of attack. SANS outlines the controls that would have prevented those attacks from being successful. Version 3.0 was developed to take the control framework to the next level. They have realigned the 20 controls and the associated sub-controls based on the current technology and threat environment, including the new threat vectors. Sub-controls have been added to assist with rapid detection and prevention of attacks. The 20 Controls have been aligned to the NSA’s Associated Manageable Network Plan Revision 2.0 Milestones. They have added definitions, guidelines and proposed scoring criteria to evaluate tools for their ability to satisfy the requirements of each of the 20 Controls. Lastly, they have mapped the findings of the Australian Government Department of Defence, which produced the Top 35 Key Mitigation Strategies, to the 20 Controls, providing measures to help reduce the impact of attacks.
The 20 Critical Security Controls are:
- Inventory of Authorized and Unauthorized Devices
- Inventory of Authorized and Unauthorized Software
- Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
- Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- Boundary Defense
- Maintenance, Monitoring, and Analysis of Security Audit Logs
- Application Software Security
- Controlled Use of Administrative Privileges
- Controlled Access Based on the Need to Know
- Continuous Vulnerability Assessment and Remediation
- Account Monitoring and Control
- Malware Defenses
- Limitation and Control of Network Ports, Protocols, and Services
- Wireless Device Control
- Data Loss Prevention
- Secure Network Engineering
- Penetration Tests and Red Team Exercises
- Incident Response Capability
- Data Recovery Capability
- Security Skills Assessment and Appropriate Training to Fill Gaps
And of course, F5 has solutions that can help with most, if not all, of the 20 Critical Controls.
ps
Resources:
- SANS 20 Critical Controls
- Top 35 Mitigation Strategies: DSD Defence Signals Directorate
- NSA Manageable Network Plan (pdf)
- Internet Storm Center
- Google Report: How Web Attackers Evade Malware Detection
- F5 Security Solutions
Copyright © 2011 SYS-CON Media, Inc. — All Rights Reserved.
Peter Silva covers security for F5’s Technical Marketing Team. After working in Professional Theatre for 10 years, Peter decided to change careers. Starting out with a small VAR selling Netopia routers and the Instant Internet box, he soon became one of the first six Internet Specialists for AT&T managing customers on the original ATT WorldNet network.
With his telco background, he moved to Verio to focus on access and IP security along with web hosting. After losing a deal to Exodus Communications (now Savvis) for technical reasons, the customer still wanted Peter as their local SE contact, so Exodus made him an offer he couldn’t refuse. As only the third person hired in the Midwest, he helped Exodus grow from an executive suite to two enormous datacenters in the Chicagoland area, working with such customers as Ticketmaster, Rolling Stone, uBid, Orbitz, Best Buy and others.
Bringing the slightly theatrical and fairly technical together, he covers training, writing, speaking, along with overall product direction and evangelism for F5’s security line. Prior to joining F5, he was the Business Development Manager with Pacific Wireless Communications. He’s also been in such plays as The Glass Menagerie, All’s Well That Ends Well, Cinderella and others. He earned his B.S. from Marquette University, and is a certified instructor in the Wisconsin System of Vocational, Technical & Adult Education.