The Critical Security Controls (CSC) 1 – Modern cybersecurity is much like the early banking industry
Almost no area of the banking business has been left unchanged by security threats over the years. Agents of the FBI and U.S. Secret Service persuaded successful bank robbers, once they were caught, to help inform the defense of these critical institutions. They did this by learning how the robbers pulled off the heist and then passing these details on to the banking industry. The banks adapted their measures accordingly. This led to successful detection, prevention, and hardening of banks of all sizes against a wide range of attacks. If we believe all of the marketing hyperbole, then the issue of modern-day hacking was solved a long time ago.
Amongst the marketing-induced noise, there remains a consistent methodology that is equally applicable to banking, financial services, manufacturing, and small business: the concept of using an offense-informed defensive posture. In the same way the banks have thwarted countless would-be robbers, so too can businesses safeguard business information systems.
CSC #1 – Inventory and Control of Hardware Assets
If properly implemented, this process can be one of the most effective at mitigating and hardening against an attack or data breach. At its most basic level, Critical Security Control 1 dictates the establishment of different “zones of trust” throughout a computer network. It can be as simple as not permitting employees, clients, vendors, and/or guests to connect their computer systems to the same network as the one used by the business computers. The more defensive model is to require authorization from a central authority before a device is permitted onto the network. Furthermore, these devices must be authorized within the specific area (zone of trust) to which they are connecting.
Critical Security Control 1 affords network administrators the ability to know and control what devices should be on their business computer networks. It also provides the means to detect and alert when a new or unknown device is introduced. This control can be implemented with free or low-cost software, and the benefits provided far outweigh the ongoing human cost to administer and respond to the systems required to implement it.
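The detect-and-alert step described above can be sketched as a comparison between an authorized hardware inventory and the devices actually seen in each zone of trust. This is an added example, not code from CIT or from the Critical Security Controls; the zone names, subnets, MAC addresses and observation list are constructed assumptions, and the observations stand in for data exported from DHCP leases or ARP tables.

```python
import ipaddress

# Constructed sample data: zone names, subnets and MACs are illustrative only.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/24"),
    "guest": ipaddress.ip_network("10.20.0.0/24"),
}
# Authorized inventory: MAC address -> zones of trust the device may join.
INVENTORY = {
    "00:00:5e:00:53:01": {"corporate"},
    "00:00:5e:00:53:02": {"corporate"},
    "00:00:5e:00:53:10": {"guest"},
}
# Constructed observations (MAC, IP), as might come from DHCP or ARP exports.
OBSERVED = [
    ("00:00:5E:00:53:01", "10.10.0.15"),   # authorized, correct zone
    ("00-00-5e-00-53-10", "10.10.0.77"),   # guest device on corporate network
    ("00:00:5e:00:53:99", "10.20.0.5"),    # not in the inventory at all
    ("00:00:5e:00:53:02", "192.168.1.4"),  # address outside every defined zone
]

def normalize_mac(mac):
    """Return lowercase colon-separated form so inventory lookups match."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def zone_of(ip):
    """Map an IP address to its zone of trust, or None if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def audit(observed, inventory=INVENTORY):
    """Return (mac, ip, finding) for every device that needs attention."""
    findings = []
    for raw_mac, ip in observed:
        mac, zone = normalize_mac(raw_mac), zone_of(ip)
        if zone is None:
            findings.append((mac, ip, "unknown-zone"))
        elif mac not in inventory:
            findings.append((mac, ip, "unauthorized-device"))
        elif zone not in inventory[mac]:
            findings.append((mac, ip, "wrong-zone"))
    return findings

if __name__ == "__main__":
    for mac, ip, finding in audit(OBSERVED):
        print(f"ALERT {finding}: {mac} at {ip}")
```

MAC addresses can be changed by whoever controls the device, so this comparison gives visibility and alerting rather than proof of a device's identity.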
For a deeper understanding of CSC Control 1, check out CIT’s CSC Controls 1 blog.