How would you compare the SANS Top 20 Critical Security Controls with the Defence Signals Directorate from the Australian government, particularly as control sets for avoiding common application exploits?
SearchSecurity expert Michael Cobb answers:
SANS and the Australian Defence Signals Directorate (DSD) both provide excellent advice and resources for anyone who is involved with or concerned about information security. SANS is aimed more at the IT security professional, while the DSD site targets a wider audience, including senior managers and home users, as well as IT pros.
The SANS Top 20 Critical Security Controls were selected based on advice and input from more than 100 government agencies, security firms, forensics experts and pen testers that serve the banking and critical infrastructure communities. They don't attempt to solve every conceivable security problem; instead, they focus on the steps necessary to block known attacks and find the ones that get through enterprise defenses. This "Offense Informs Defense" philosophy uses specific knowledge of actual attacks so administrators can focus their resources on the most cost-effective defensive strategy by using risk-based prioritization. This helps tackle the frustration caused by many compliance and regulatory laws, which often have hundreds of security requirements but give no weight to their importance.
Many of the controls listed by SANS are available as freeware and open source versions, but still provide effective security in terms of stopping attacks. The controls complement many existing security frameworks and compliance regimes, and support continuous monitoring, measurement and automation. The U.S. State Department reportedly reduced measured risk by more than 90% since it implemented and automated these controls in a continuous monitoring and mitigation program.
The security advice from the DSD is, at first glance, far more simplistic and less detailed than that provided by SANS. Their slogan is "Patch Catch Match", which breaks down to the following: patch all your applications with updates; catch malicious software with a whitelist; match the right people with the right access.
It may sound simplistic, but it's an effective security strategy that supposedly prevents at least 85% of the intrusion techniques to which DSD responds. It's also very well explained by DSD in layman's terms. Getting senior management on board is essential for any security initiative to work, and the site has lots of resources to help senior managers understand the effectiveness of implementing these strategies.
I recommend that those responsible for IT security within their organization make use of both sets of resources. The DSD advice is full of best practice recommendations and in-depth explanations from world experts, and it's free. The SANS information may be more technical and detailed, but unless your users understand security, you will always be fighting a losing battle, so make use of the DSD publications in your awareness training so everyone can be part of the protection.