



Always be prepared: Monitor, analyze and test your security

Sep 27, 2016

Application Security, Endpoint Protection, Internet Security

Stay vigilant, plan your response and test your defenses with CIS Controls 18, 19 and 20

This is the final entry in our series on the 20 Critical Security Controls devised by the Center for Internet Security (CIS) as best practices to help the public and private sectors tighten their cybersecurity.

We started down the path of building a solid security foundation by taking inventory of hardware and software, we looked at vulnerability assessment and administrative privileges, and we discussed how to build malware defenses. We also explored how to create a data recovery plan, how to protect your data, and the importance of monitoring and training employees.

We’ve reached the last three Critical Security Controls, so this article will round off our series with a look at the importance of monitoring software, establishing a response protocol, and conducting pen tests and red team exercises.

Critical Control 18: Application Software Security

Vulnerabilities in software offer a potential route into your organization for attackers. Vulnerabilities can be caused by a wide variety of different errors, so you have to take steps to prevent them, detect them and correct them.

When a vulnerability is present in open-source software, it’s more likely to become common knowledge and be exploited by attackers. Consider that 93 percent of organizations use open-source software, and 78 percent run part or all of their operations on it, according to The Tenth Annual Future of Open Source Survey.


It’s vital to ensure that all the software you use is fully updated to the latest version and patched with the latest security fixes. Web application firewalls should be deployed to inspect traffic and identify common attacks. In-house and third-party software must be stringently tested to identify security weaknesses. Avoid exposing error messages to end users, and don’t allow developers unmonitored access to production environments. Your developers should ideally have some training in secure coding. A great resource to learn more about web application security is OWASP.
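The “avoid exposing error messages to end users” point above, as an added example that is not part of the original article: a leaky handler that returns the raw traceback beside a hardened one that logs the detail server-side under an incident reference and gives the user only a generic message. The in-memory ACCOUNTS table, SERVER_LOG list and function names are constructed for the illustration.

```python
import logging
import traceback
import uuid

# Constructed in-memory "database" standing in for a real backend.
ACCOUNTS = {"a1": {"owner": "alice", "balance": 120}}

# Collects what the server logs, so the split between what operators see
# and what the user sees can be checked. A real app would only use the logger.
SERVER_LOG: list[str] = []
_log = logging.getLogger("app")

# Strings that should never appear in a response body sent to a browser.
LEAK_MARKERS = ("Traceback (most recent call last)", 'File "', "KeyError", "line ")


def _record(msg: str) -> None:
    SERVER_LOG.append(msg)
    _log.error(msg)


def lookup_account(account_id: str) -> dict:
    # A missing key stands in for any unexpected failure deep inside the app.
    return ACCOUNTS[account_id]


def serve_leaky(account_id: str) -> tuple[int, str]:
    """'Before': the raw stack trace (file paths, exception type) goes to the user."""
    try:
        return 200, str(lookup_account(account_id))
    except Exception:
        return 500, "Internal error:\n" + traceback.format_exc()


def serve_hardened(account_id: str) -> tuple[int, str]:
    """'After': full detail is logged under an incident id; the user sees only
    a generic message plus that id, which they can quote to support."""
    try:
        return 200, str(lookup_account(account_id))
    except Exception:
        incident_id = uuid.uuid4().hex[:12]
        _record(f"incident {incident_id}\n{traceback.format_exc()}")
        return 500, f"Something went wrong. Reference: {incident_id}"


def leaks_internals(body: str) -> bool:
    """Response check suitable for a test suite: does the body expose stack-trace details?"""
    return any(marker in body for marker in LEAK_MARKERS)
```

The `leaks_internals` check is the kind of assertion worth adding to application tests so that a later refactor cannot quietly reintroduce verbose errors.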

Critical Control 19: Incident Response and Management

Assuming you can completely block all attacks is not realistic, no matter how many resources you devote to security. Incidents will occur from time to time, so you must have a framework in place to discover them, contain the damage, purge the attacker and restore your systems. Far too many companies find vulnerabilities or suspicious activity, but they fail to take action swiftly enough to limit the damage.

You need a clear incident response plan with procedures to follow and a hierarchy of roles assigned so that everyone understands their responsibilities. Make sure the key players are empowered to take the necessary actions to deal with an incident. You should also establish standards to ensure that incidents are reported in detail in a timely manner and meet all legal and regulatory requirements. All employees should be aware of who needs to know about an incident, both internally and externally, for it to be resolved. When you have a plan in place, test it with a mock scenario to ensure it works as expected.

Critical Control 20: Penetration Tests and Red Team Exercises

The only way to be sure your defenses work is to simulate real-world scenarios and emulate a cyber attack. Hire someone to play the part of an attacker, and have them try to gain access to your systems and data. An experienced security professional can view your organization as an attacker might and find the weak spots to exploit. This will help you to find gaps that need to be plugged.

Internal and external penetration testing should reveal vulnerabilities that attackers might use to breach your systems. With a clear demonstration of where a problem lies, you can plan mitigation. Red team exercises take a holistic view of your defenses, including your policies and processes, to identify where improvements might be made. Both penetration tests and red team exercises should be conducted regularly, and the results should show a steady improvement over time. Always be careful to tidy up afterwards and keep the results confidential.

Your security has to evolve over time because attackers are constantly developing new methods and finding new ways in. Your security standards and your response plan depend upon monitoring, analysis and testing to be truly effective.

We hope this CIS Critical Security Controls series has been useful for you as an introduction to security standards. Follow these best practices, and you can dramatically reduce your potential attack surface and make life much harder for any would-be attacker.

The opinions expressed in this blog are those of Michelle Drolet and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.


Michelle Drolet is a seasoned security expert with 26 years of experience providing organizations with IT security technology services. Prior to founding Towerwall (formerly Conqwest) in 1993, she founded CDG Technologies, growing the IT consulting business from two to 17 employees in its first year. She then sold it to a public company and remained on board. Discouraged by the direction the parent company was taking, she decided to buy back her company. She re-launched the Framingham-based company as Towerwall. Her clients include Biogen Idec, Middlesex Savings Bank, PerkinElmer, Raytheon, Smith & Wesson, Covenant Healthcare and many mid-size organizations.

A community activist, she has received citations from State Senators Karen Spilka and David Magnani for her community service. Twice she has received a Cyber Citizenship award for community support and participation. She's also involved with the School-to-Career program, an intern and externship program, the Women’s Independent Network, Young Women and Minorities in Science and Technology, and Athena, a girl’s mentorship program.

Michelle is the founder of the Information Security Summit at Mass Bay Community College. Her numerous articles have appeared in Network World, Cloud Computing, Worcester Business Journal, SC Magazine, InfoSecurity, Web Security Journal and others.