General security

20 Critical Controls

January 7, 2019 by Rodika Tollefson

Despite organizations’ increased spending on defense-in-depth, the number of data breaches and their costs continue to mount. Every second, 71 data records are lost or stolen worldwide according to Gemalto’s Breach Level Index. Using Ponemon Institute’s estimated average cost of $148 per record, this translates to a staggering $37,828,800 in combined global losses every hour.

Budget constraints, security staff shortage and complexities due to orchestration are the top three obstacles for security teams, according to a 2018 Cisco survey of more than 3,600 respondents across 26 countries. The growing number of security tools may especially be a hindrance, because organizations are adding more vendors every year, and frequently those products don’t integrate with each other.

Best Practices for Solving Top Security Challenges

The good news is that more organizations are becoming proactive with their defenses. IDG found that 52 percent of businesses planned to increase their security budget in 2018, compared to 42 percent the previous year. At the same time, more expected to increase their security staff headcount — 54 percent in the 2018 survey vs. 37 percent in 2017.

Solving the problem of incompatible vendor products, on the other hand, is more complicated. One major challenge is that as practitioners struggle with “alert fatigue,” they often have no choice but ignore security alerts, based on their priorities.

Organizations go about prioritizing their actions in different ways, but there are certain best practices you should be using. One set of widely-accepted best practices comes from the Center for Internet Security (CIS), a nonprofit whose mission is to “harness the power of a global IT community to safeguard private and public organizations against cyber threats.”

Based on the combined knowledge of its expert community and actual attacks and defenses, the CIS recommends 20 controls that are the most effective in defending against cyberattacks. These controls fall into three categories: basic (essential key controls), foundational (technical best practices) and organizational (focused on people and processes).

Basic Controls — Cybersecurity Hygiene

Inventory and control hardware: It’s hard to build defenses when you don’t have a clear picture of your ecosystem. Adversaries are constantly scanning for vulnerable devices. Since your assets are always changing, you need discovery tools and processes to help you keep a regular inventory.

Inventory and control software assets: Like hardware, unpatched software and applications can give attackers an easy way in. Look no further than the havoc WannaCry wreaked in 2017 — a patch had already been available for EternalBlue, the Windows vulnerability that the ransomware exploited.

Constantly manage vulnerabilities: Once you’ve identified all your hardware and software assets, you need to keep up with new vulnerabilities. Besides patches, resources such as security bulletins, threat advisories and automated scanning tools should be part of your toolbox.

Control administrative privileges: Every account that has administrative privileges gives an attacker an entry point into the network. All it takes is an easily-cracked password or a phishing email, and a bad actor could completely take over a system. Strong passwords, multi-factor authentication, restricted use of admin accounts and dedicated workstations for admins are some of the procedures you should be using.

Use secure configurations: Every workstation, mobile device, laptop and server needs its hardware and software configured for security, and it’s not something you’re likely to get fresh out of the box. Even when the default configurations are strong, you still need to review them periodically as patches and updates are applied.

Monitor audit logs: Audit logs are essential for detecting and understanding security incidents, and you’ll need them to recover from an attack. Many firewalls, operating systems and network services come with built-in logging capabilities. Collecting, monitoring and analyzing the logs, both with automated tools and by humans, can help you detect attacks much faster.

Foundational Controls — Technology Tools

Defend against malware: Malware is the second most common type of tactic behind hacking, according to Verizon’s annual data breach investigations report. And every day, the independent research institute AV-TEST registers 350,000 new malicious programs and potentially unwanted applications. Mobile and IoT malware are also on the rise. You can easily connect the dots here as to why you need tools like anti-malware software.

Protect email and Web browsers: Email remains the top malware vector — Verizon found that 92 percent of analyzed malware attacks originated with an email attachment. Web browsers are also a common entry point for various types of attacks. Some of the controls you can apply include restricting plug-ins, using the latest browser and email app versions, sandboxing email attachments and applying network-based URL filters and DNS filtering.

Manage ports, protocols and services: Bad actors are constantly scanning for vulnerabilities they can exploit, and that includes open ports, protocols and network services that they can access remotely. You need procedures and tools in place for inventorying and managing these on all your networked devices. Examples include firewalls, automated port scanning and port filtering.

Be ready for data recovery: When your systems are compromised, so is your data access and integrity. It’s not enough to have a reliable backup strategy such as automated backups: you also need to consistently test the recovery tools and perform a restoration process to check the integrity of the data backup.

Manage network infrastructure configurations: Your network devices — routers, switches and firewalls — typically have default configurations geared toward easy out-of-the-box deployment. Things like unnecessary open ports and weak default passwords can be easily exploited. Ensure you are actively monitoring the settings and making corrections to eliminate vulnerabilities.

Prevent and mitigate data exfiltration: Sensitive information is a primary target for attackers, and encryption is only one of the tools available at your disposal. Other controls include monitoring and blocking unauthorized network traffic, ensuring the use of only secure cloud-based apps and managing USB devices.

Manage user privileges: User identity management is a struggle for many organizations, yet the more users have access to sensitive data, the more likely that data will be compromised. Restricting access based on job roles, encrypting data in transit and at rest, segmenting the network and using host-based data loss protection (DLP) tools are some of the ways to limit access to data.

Protect the perimeter and flow: While it’s true that protecting your perimeter is no longer enough, it’s still an important control as part of a multilayer defense. Attackers can compromise perimeter devices as well as leverage them to gain access into the interconnected vendor ecosystem. Your comprehensive strategy needs to include controls like firewalls, proxies, traffic filtering and network-based intrusion-detection systems.

Manage and protect wireless access: Today’s mobile workforce creates yet another advantage for bad actors, especially if your organization offers flexible and remote work arrangements. To track, control and secure your wireless local area networks and other wireless access points, you need a variety of detecting, discovery and scanning tools. These can be anything from WIDS (wireless intrusion-detection systems) to advanced encryption standards.

Control user accounts: It’s not uncommon for a DevOps team or a Red Team to set up temporary accounts for testing, then abandon them. Many organizations also don’t have procedures for removing accounts of terminated employees. These inactive user accounts should be disabled (and eventually removed) because they can be used to impersonate legit users. Use tools to automatically disable dormant accounts, keep a tight inventory of users and establish secure authentication protocols.

Organizational Controls — People and Processes

Implement an awareness and training program: As security practitioners love to emphasize, people are the weakest link in an organization’s defenses. Creating a security-based culture, including a consistent cybersecurity awareness and training program, is a critical part of an all-encompassing approach.

Manage application security: Whether you design your software in-house, outsource it to a vendor or use off-the-shelf products, you need a process for addressing vulnerabilities, including regularly testing for vulnerabilities and using Web application firewalls. For in-house teams, consider the DevSecOps approach — a growing trend to integrate security into the entire DevOps cycle.

Conduct penetration testing: Organizations are increasingly using penetration testers, or white-hat hackers, to put their defenses to the test. Penetration tests, as well as Red Team exercises, use the same objectives as malicious hackers and simulate their tactics. A comprehensive penetration-testing program can also evaluate your policies and processes, as well as the effectiveness of all the controls you have in place.

Create an incident-response strategy: An incident response plan and infrastructure will help your organization quickly discover and mitigate attacks. If you wait until an incident happens, you create a chaotic, reactive environment. An incident-response plan gives your cross-functional response team the ability to discuss procedures, implement policies and train for various scenarios.

[Free Trial] Email Reporting and Threat Analysis

Sign up for a SecurityIQ free trial and try PhishNotify email reporting and PhishHunter threat analysis today!

Learn More

Security Controls: Takeaways

Navigating all the tools and approaches can be overwhelming but choosing the right framework can help your organization mature in its security strategy. A successful risk-mitigation strategy must consider not only technology but also people and processes.

Implementing best practices can help create a strong foundation, but it’s important to remember that just like threats are constantly evolving, so must your controls.



  1. 2018 Security Priorities Study, IDG
  2. Breach Level Index, Gemalto
  3. 2018 Cost of a Data Breach Study, Ponemon Institute/IBM
  4. Annual Cybersecurity Report, 2018, Cisco
  5. CIS Controls, Center for Internet Security, Inc.
  6. What is WannaCry ransomware, how does it infect and who was responsible?, CSO Online
  7. Malware Statistics, AV-TEST Institute
  8. 2018 Data Breach Investigations Report, Verizon
Posted: January 7, 2019
Rodika Tollefson
View Profile

Rodika Tollefson splits her time between journalism and content strategy and creation for brands. She’s covered just about every industry over a two-decade career but is mostly interested in technology, cybersecurity and B2B topics. Tollefson has won various awards for her journalism and multimedia work. Her non-bylined content appears regularly on several top global brands’ blogs and other digital platforms. She can be reached at