Contact info: (604) 721-5732

Information Security Today – Has Anything Changed?

Posted by David Greer in Security | 0 comments


I recently interviewed Stephen Northcutt, President of the SANS Technology Institute, about how the security problems have remained the same for the last twenty years. He reminded me of the SANS 20 Critical Security Controls:

  1. Inventory of Authorized and Unauthorized Devices
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
  4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  5. Boundary Defense
  6. Maintenance, Monitoring, and Analysis of Audit Logs
  7. Application Software Security
  8. Controlled Use of Administrative Privileges
  9. Controlled Access Based on Need to Know
  10. Continuous Vulnerability Assessment and Remediation
  11. Account Monitoring and Control
  12. Malware Defenses
  13. Limitation and Control of Network Ports, Protocols, and Services
  14. Wireless Device Control
  15. Data Loss Prevention
  16. Secure Network Engineering
  17. Penetration Tests and Red Team Exercises
  18. Incident Response Capability
  19. Data Recovery Capability
  20. Security Skills Assessment and Appropriate Training to Fill Gaps

The majority of these controls existed twenty years ago. The specific details of how we provide security around each of the controls has changed, but the basic principles have not changed.

As we move to Cloud Computing environments, consider these questions:

  1. In a shared environment where your data is hosted by a third-party, what is to prevent someone at your supplier from using their administrator privileges from accessing your data and making it available to your competitors (#8)?
  2. How will you provide fine-grained control to your data and applications based on individual rights within your application (#9)?
  3. Does your vendor immediately inform you of any invalid use of your accounts (#11)?
  4. How does your vendor conduct pentration testing and if so do they report the results to you (#17)?

The questions may be the same, but you might be surprised at the answers that you get.

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>