Critical Security Controls Could Thwart 70% of Cyber Attacks

Most cyber attacks could be avoided by adopting a list of Critical Security Controls created by the Center for Internet Security. That’s the message from Steve Mustard at his session at Design and Manufacturing Minneapolis last week. Mustard is a cyber security expert with the Automation Federation. His talk featured the newest version of the Critical Security Controls, which was released by the Center for Internet Security in August.

While Mustard noted there is no perfect solution for avoiding attacks, he insisted that using the practices on the list will knock out most intrusions. “The thing about security, like safety, is you can’t make it 100%, and you have to keep improving it,” he said. “Yet the majority of cyber attacks -- 70% -- could be prevented by using the controls on the list.”

Center for Internet Security’s Critical Security Controls:

  • Inventory of Authorized and Unauthorized Devices
  • Inventory of Authorized and Unauthorized Software
  • Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  • Continuous Vulnerability Assessment and Remediation
  • Controlled Use of Administrative Privileges
  • Maintenance, Monitoring, and Analysis of Audit Logs
  • Email and Web Browser Protections
  • Malware Defenses
  • Limitation and Control of Network Ports, Protocols, and Services
  • Data Recovery Capability
  • Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  • Boundary Defense
  • Data Protection
  • Controlled Access Based on the Need to Know
  • Wireless Access Control
  • Account Monitoring and Control
  • Security Skills Assessment and Appropriate Training to Fill Gaps
  • Application Software Security
  • Incident Response and Management
  • Penetration Tests and Red Team Exercises

Part of creating effective cyber protection is getting a good idea of what needs to be protected and where the entry points might be. “You have to establish a good monitoring regime. The key thing is you have to understand what equipment you have and how it’s connected,” said Mustard. “If you don’t understand that, you’re going to struggle in protecting your assets.”

Employees Can Make a Difference with Security

Cybersecurity isn’t just technology and it isn’t just the IT department. Everyone within the plant needs to be trained to spot intrusions. “One of the things that can really help is the people in the organization. They can tell if one of their machines begins to operate in a funny way, or whether there are more pop-ups than usual,” said Mustard. “People can start to draw conclusions. When employees are aware and know what they can do to prevent an attack, the more likely you can avoid an attack in the first place.”

While employees can help detect intrusions, they can also inadvertently invite intrusions. “People are a good first line of defense, but they are also the weak link in the chain, since they might open an attachment that lets the attack into the system,” said Mustard. “Even the best firewall on the perimeter isn’t sufficient if an employee puts an
