How would you compare the SANS Top 20 Critical Security Controls with the Defence Signals Directorate from the Australian government, particularly as control sets for avoiding common application exploits?
Answered by SearchSecurity expert Michael Cobb.
SANS and the Australian Defence Signals Directorate (DSD, renamed the Australian Signals Directorate in 2013) both provide excellent advice and resources for anyone involved with or concerned about information security. SANS is aimed more at the IT security professional, while the DSD site targets a wider audience that includes senior managers and home users as well as IT pros.
The SANS Top 20 Critical Security Controls were selected using advice and input from more than 100 government agencies, security firms, forensics experts and penetration testers serving the banking and critical infrastructure communities. They don't attempt to solve every conceivable security problem; instead they focus on the steps needed to block known attacks and to find the ones that get through enterprise defenses. This "Offense Informs Defense" philosophy uses specific knowledge of actual attacks so that administrators can apply risk-based prioritization and spend their resources on the most cost-effective defensive measures. This addresses a common frustration with compliance and regulatory regimes, which often list hundreds of security requirements but give no weight to their relative importance.
Many of the tools needed to implement the SANS controls are available as free or open source software, yet still provide effective protection against attacks. The controls complement many existing security frameworks and compliance regimes, and they support continuous monitoring, measurement and automation. The U.S. State Department reportedly reduced its measured risk by more than 90% after implementing and automating these controls in a continuous monitoring and mitigation program.
At first glance the security advice from the DSD is far simpler and less detailed than that provided by SANS. Its slogan is "Catch, Patch, Match", which breaks down as follows: catch malicious software with application whitelisting; patch your applications and operating systems with vendor updates; match the right people with the right access by restricting administrative privileges.
It may sound simplistic, but it's an effective security strategy that, according to DSD, would have prevented at least 85% of the intrusion techniques it responds to. It's also very well explained by DSD in layman's terms. Getting senior management on board is essential for any security initiative to work, and the site has plenty of resources to help senior managers understand the effectiveness of implementing these strategies.
I recommend that those responsible for IT security within their organization make use of both sets of resources. The DSD advice is full of best-practice recommendations and in-depth explanations from world experts, and it's free. The SANS information may be more technical and detailed, but unless your users understand security you will always be fighting a losing battle, so make use of the DSD publications in your awareness training so that everyone can be part of the protection.
This was first published in August 2013