Each October the folks at the SANS Internet Storm Center [ISC] participate in Cyber-Security Awareness month. This year, they will focus on an examination of Twenty Critical Security Controls. Each day during the month, the ISC handlers will post a diary entry about one of the controls. (A few of the controls will require more than one day’s entry to cover.) The controls themselves, which are described in more detail here, were developed through a consensus process involving a group of security professionals.
This consensus document of 20 Critical Controls aims to begin the process of establishing a prioritized baseline of information security measures and controls that can be applied across federal and commercial environments. The consensual effort that produced this document identifies 20 specific technical security controls that are viewed as effective in blocking currently known high-priority attacks as well as those attack types expected in the near future.
A brief introduction to the controls highlights some of the key principles involved in their construction
- Defenses should address the attacks that are actually occurring today
- Automated – We all have limited resources and by automating tasks we can achieve more.
- Root Causes – The controls attempt to fix the root cause of the issue resulting in a compromise.
- Metrics – A mechanism by which the effectiveness can be measured
A diary entry yesterday gives an overview of the month’s schedule, and also has links to more detailed descriptions of the individual controls.
If you are at all interested in system security, especially in an organizational context, I strongly recommend the ISC material. The ISC volunteer handlers are experienced security professionals, who understand the reality of dealing with security issues in the real world. And they are not trying to sell you a security “solution”, no matter how well designed.
Update Tuesday, 4 October, 21:05 EDT
I neglected to mention that National Cyber-Security Awareness Month is sponsored by the US Department of Homeland Security. Their web page on the program has some links to other resources.