michelledrolet
Contributor

Applying more Critical Security Controls to your organization

Opinion
Nov 30, 2015 · 4 mins
Mobile Security · Network Security · Security

Breaking down the Center for Internet Security's new list of best practices.

Image credit: Thinkstock

The last time we looked at how Critical Security Controls (CSC) can help you build your InfoSec framework, we covered getting a handle on your software and your hardware inventories. Today, we’re going to discuss the importance of continually assessing and remediating vulnerabilities, keeping a tight control of administrative privileges, and monitoring your audit logs. These concepts are encapsulated in CSCs 4, 5, and 6.

You should develop stringent policies, consider devoting resources to properly circulating them and educating employees, and continually measure their effectiveness, making changes wherever necessary.

Critical Control 4 – Continuous Vulnerability Assessment and Remediation

New vulnerabilities emerge every day. If you aren’t continually scanning for them, then cybercriminals have an advantage they can exploit. The idea that you can put security in place and then rest on your laurels is dangerous. Identifying vulnerabilities is not enough; you also have to take action.

If you don’t find and deal with vulnerabilities, then you’re a sitting duck, when you really want to be a moving target.

It takes organizations 176 days on average to remediate a vulnerability, but it only takes a cybercriminal an average of 7 days to exploit it, according to NopSec’s 2015 State of Vulnerability Risk Management report. It’s vital to root out vulnerabilities and be proactive about addressing them, or you will be compromised.

Think about the following:

  • Automated real-time vulnerability scanning with intelligence updates.
  • Automated patch management for all software.
  • Compare results to confirm vulnerabilities have been patched.

You will also need to consider patch evaluation in a test environment to ensure business functions aren’t going to be adversely impacted. In some cases, alternative countermeasures to deal with a vulnerability might be necessary. It can also be a good idea to phase your patch rollouts to minimize disruption and prioritize patches for the riskiest vulnerabilities.
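The "compare results to confirm vulnerabilities have been patched" step, together with prioritizing and aging what is still open, is the part of Control 4 most teams end up scripting against their scanner's export. The following is an added example for this article, not the author's code and not any scanner vendor's tooling: it diffs a baseline scan against a rescan, reports what was remediated, what persists and what is new, flags findings that have been open longer than a per-severity remediation target, and orders the remaining findings for a phased rollout. The scan records are constructed sample data in a made-up minimal schema, the `VULN-PLACEHOLDER-*` identifiers are placeholders rather than real CVE numbers, and `SLA_DAYS` is an assumed policy, not a figure from the article.

```python
"""Confirm remediation by diffing two scan exports, then age and prioritize what is still open.

Added example for Critical Control 4. Not from the article or any scanner vendor;
records, identifiers and SLA values below are constructed for illustration.
"""
from datetime import date

# Constructed sample scan results (minimal made-up schema). vuln_id values are placeholders.
BASELINE_SCAN = [
    {"host": "web-01", "vuln_id": "VULN-PLACEHOLDER-001", "severity": "critical", "first_seen": "2015-06-01"},
    {"host": "web-01", "vuln_id": "VULN-PLACEHOLDER-002", "severity": "low", "first_seen": "2015-10-15"},
    {"host": "db-01", "vuln_id": "VULN-PLACEHOLDER-003", "severity": "high", "first_seen": "2015-10-20"},
]
RESCAN = [
    {"host": "web-01", "vuln_id": "VULN-PLACEHOLDER-002", "severity": "low", "first_seen": "2015-10-15"},
    {"host": "db-01", "vuln_id": "VULN-PLACEHOLDER-003", "severity": "high", "first_seen": "2015-10-20"},
    {"host": "db-01", "vuln_id": "VULN-PLACEHOLDER-004", "severity": "critical", "first_seen": "2015-11-30"},
]

# Assumed remediation targets in days per severity (a policy choice, not from the article).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def _key(finding):
    """A finding is identified by the host it was seen on plus the vulnerability id."""
    return (finding["host"], finding["vuln_id"])


def compare_scans(baseline, rescan):
    """Diff two scans: remediated = gone since baseline, persisting = still there, new = only in rescan."""
    before = {_key(f) for f in baseline}
    after = {_key(f) for f in rescan}
    return {
        "remediated": sorted(before - after),
        "persisting": sorted(before & after),
        "new": sorted(after - before),
    }


def age_days(finding, today):
    """Days since the scanner first reported this finding."""
    return (today - date.fromisoformat(finding["first_seen"])).days


def overdue_findings(findings, today, sla_days=SLA_DAYS):
    """Findings open longer than the remediation target for their severity, oldest first."""
    overdue = []
    for f in findings:
        age = age_days(f, today)
        limit = sla_days.get(f["severity"], 0)
        if age > limit:
            overdue.append({**f, "age_days": age, "sla_days": limit})
    return sorted(overdue, key=lambda f: f["age_days"], reverse=True)


def rollout_order(findings, today):
    """Order open findings for a phased patch rollout: riskiest severity first, then oldest first."""
    ranked = sorted(findings, key=lambda f: (SEVERITY_RANK.get(f["severity"], 99), -age_days(f, today)))
    return [f["vuln_id"] for f in ranked]


def remediation_rate(baseline, rescan):
    """Fraction of baseline findings that no longer appear in the rescan."""
    if not baseline:
        return 0.0
    return len(compare_scans(baseline, rescan)["remediated"]) / len(baseline)


if __name__ == "__main__":
    today = date(2015, 11, 30)
    print(compare_scans(BASELINE_SCAN, RESCAN))
    print(overdue_findings(RESCAN, today))
    print(rollout_order(RESCAN, today))
    print(f"remediation rate: {remediation_rate(BASELINE_SCAN, RESCAN):.0%}")
```

Keying findings on host plus vulnerability id, rather than on the id alone, is what makes the "remediated" list trustworthy: a vulnerability fixed on one host but still present on another is reported as persisting, not as closed.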

Critical Control 5 – Controlled Use of Administrative Privileges

The weakest link in your defenses is very often your employees. Verizon’s 2015 Data Breach Investigations Report revealed that more than two-thirds of cyber-espionage incidents are a result of phishing scams. It’s much easier for cybercriminals to get around your defenses by hacking passwords or tricking employees with administrative privileges into unwittingly downloading malware. You can stop insider attacks with the right tools, but it pays to tighten your policy in general.

  • Minimize administrative privileges.
  • Validate accounts and make sure privileges have been authorized.
  • Enforce the use of complex passwords and make sure they’re encrypted.
  • Flag new accounts and login attempts.

Keeping tight control over administrative privileges can drastically reduce the risk of a data breach.

Critical Control 6 – Maintenance, Monitoring, and Analysis of Audit Logs

If you don’t maintain a system of audit logs, you may not even be able to determine when you’ve been attacked. According to the 2015 Trustwave Global Security Report only 19% of data breaches in 2014 were detected by the victim organization. It’s not unusual for companies to collect logs but never check them, leaving breaches undetected for months. Many companies keep records in order to tick a compliance box, but if you don’t monitor and analyze them thoroughly, then they aren’t doing their job.

  • You need at least two synchronized time sources for consistent timestamps.
  • Audit logs should be validated and recorded in a standardized format.
  • Make sure you have storage space and retain logs for a decent length of time.
  • Consider using separate logging servers to prevent attackers from manipulating logs.
  • Collect, aggregate, and analyze logs regularly.

Proper analysis will help you to detect, understand, and recover from an attack.
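Several bullets from Control 5 (validate that privileges were authorized, flag new accounts and login attempts) and Control 6 (consistent timestamps, a standardized record format, regular analysis) come together in one small log-analysis pass. The following is an added example for this article, not the author's code: it parses constructed syslog-style lines from two hosts into one record shape, flags backwards timestamp jumps within a host's stream as a sign its clock is not synchronized, lists newly created accounts, reports privileged commands run by accounts outside an authorized list, and counts bursts of failed logins. The hostnames, usernames, addresses, the `AUTHORIZED_ADMINS` set and the line formats are all invented for the example.

```python
"""Normalize constructed auth logs and run the checks Controls 5 and 6 call for.

Added example, not from the article. Log lines, hosts, users and the authorized
list are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed list of accounts whose administrative use has been authorized (constructed).
AUTHORIZED_ADMINS = {"alice"}

# Constructed sample lines from two hosts, already in one timestamped format (ISO-8601, UTC).
SAMPLE_LOGS = """\
2015-11-30T08:00:01Z app-01 sshd: Accepted password for alice from 10.0.0.5
2015-11-30T08:00:05Z app-01 sudo: alice : COMMAND=/bin/systemctl restart nginx
2015-11-30T08:01:10Z app-01 useradd: new user: name=svc-backup, UID=1005
2015-11-30T08:02:00Z app-01 sudo: svc-backup : COMMAND=/usr/sbin/visudo
2015-11-30T08:02:30Z db-01 sshd: Failed password for root from 203.0.113.7
2015-11-30T08:02:31Z db-01 sshd: Failed password for root from 203.0.113.7
2015-11-30T08:02:32Z db-01 sshd: Failed password for root from 203.0.113.7
2015-11-30T08:02:33Z db-01 sshd: Failed password for root from 203.0.113.7
2015-11-30T07:55:00Z db-01 sshd: Accepted publickey for bob from 10.0.0.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[\w-]+): (?P<msg>.*)$")
SSHD_RE = re.compile(r"^(?P<result>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : COMMAND=(?P<cmd>.*)$")
USERADD_RE = re.compile(r"^new user: name=(?P<user>[^,]+)")


def parse_logs(text):
    """Turn raw lines into one record shape; lines that do not parse are kept, not dropped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            events.append({"kind": "unparsed", "raw": raw})
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ev = {"ts": ts, "host": m["host"], "prog": m["prog"], "kind": "other", "raw": raw}
        msg = m["msg"]
        s = SSHD_RE.match(msg) if m["prog"] == "sshd" else None
        if s:
            ev.update(kind="login_ok" if s["result"] == "Accepted" else "login_fail",
                      user=s["user"], src=s["src"])
            events.append(ev)
            continue
        s = SUDO_RE.match(msg) if m["prog"] == "sudo" else None
        if s:
            ev.update(kind="sudo", user=s["user"], cmd=s["cmd"])
            events.append(ev)
            continue
        s = USERADD_RE.match(msg) if m["prog"] == "useradd" else None
        if s:
            ev.update(kind="user_created", user=s["user"])
        events.append(ev)
    return events


def clock_anomalies(events):
    """Backwards timestamp jumps within one host's stream: a heuristic for an unsynchronized clock."""
    last, anomalies = {}, []
    for ev in events:
        if "ts" not in ev:
            continue
        prev = last.get(ev["host"])
        if prev is not None and ev["ts"] < prev:
            anomalies.append((ev["host"], prev.isoformat(), ev["ts"].isoformat()))
        last[ev["host"]] = ev["ts"]
    return anomalies


def new_accounts(events):
    """Accounts created in this log window; each should be matched against a change record."""
    return [ev["user"] for ev in events if ev["kind"] == "user_created"]


def unauthorized_admin_use(events, authorized=AUTHORIZED_ADMINS):
    """Privileged commands run by accounts that are not on the authorized administrator list."""
    return [(ev["user"], ev["cmd"]) for ev in events if ev["kind"] == "sudo" and ev["user"] not in authorized]


def failed_login_bursts(events, threshold=3, window_seconds=60):
    """{(host, user): peak failures in any window} for pairs that reach the threshold."""
    times = defaultdict(list)
    for ev in events:
        if ev["kind"] == "login_fail":
            times[(ev["host"], ev["user"])].append(ev["ts"])
    bursts = {}
    for key, ts_list in times.items():
        ts_list.sort()
        best = start = 0
        for end in range(len(ts_list)):
            while (ts_list[end] - ts_list[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[key] = best
    return bursts


def analyze(text):
    """Run every check over one batch of collected lines and return the findings together."""
    events = parse_logs(text)
    return {
        "clock_anomalies": clock_anomalies(events),
        "new_accounts": new_accounts(events),
        "unauthorized_admin_use": unauthorized_admin_use(events),
        "failed_login_bursts": failed_login_bursts(events),
    }


if __name__ == "__main__":
    for name, finding in analyze(SAMPLE_LOGS).items():
        print(f"{name}: {finding}")
```

Unparsed lines are kept as their own record kind rather than silently dropped, so a change in a log format shows up as a rise in `unparsed` records instead of as checks that quietly stop firing.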

Measure your effectiveness

When you’re trying to monitor vulnerabilities, privileges, and logs in real time, you’ll often rely upon automated software systems to gather the data you need and flag any potential issues. Make sure that you test their effectiveness regularly. Dummy attacks can help you to identify weaknesses and flaws in your defenses.

Time is of the essence. The faster you remediate vulnerabilities, identify suspicious behavior, and uncover attacks, the better. You should set benchmarks for performance and put metrics in place, so that you can ensure your security performance is actually meeting expectations. Keep working to improve that performance and you can make life untenably difficult for would-be attackers.

The opinions expressed in this blog are those of Michelle Drolet and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

michelledrolet
Contributor

Michelle Drolet is a seasoned security expert with 26 years of experience providing organizations with IT security technology services. Prior to founding Towerwall (formerly Conqwest) in 1993, she founded CDG Technologies, growing the IT consulting business from two to 17 employees in its first year. She then sold it to a public company and remained on board. Discouraged by the direction the parent company was taking, she decided to buy back her company. She re-launched the Framingham-based company as Towerwall. Her clients include Biogen Idec, Middlesex Savings Bank, PerkinElmer, Raytheon, Smith & Wesson, Covenant Healthcare and many mid-size organizations.

A community activist, she has received citations from State Senators Karen Spilka and David Magnani for her community service. Twice she has received a Cyber Citizenship award for community support and participation. She's also involved with the School-to-Career program, an intern and externship program, the Women’s Independent Network, Young Women and Minorities in Science and Technology, and Athena, a girl’s mentorship program.

Michelle is the founder of the Information Security Summit at Mass Bay Community College. Her numerous articles have appeared in Network World, Cloud Computing, Worcester Business Journal, SC Magazine, InfoSecurity, Wired.com, Web Security Journal and others.
