Critical controls

Every few weeks we'll publish more information about a critical control. For each control a page will summarise the intent and success measures for business owners and a separate page will provide implementation advice for practitioners.

10 critical controls for 2018

This is a summary of the ten controls that would mitigate the majority of information security incidents that CERT NZ has analysed so far.

1. Patching

Keeping your software up-to-date is one of the most simple and effective steps to take, to ensure your environment stays secure.

2. Legacy systems

Legacy systems are systems that are no longer supported by the vendor, or systems that an organisation no longer maintains. This includes end-of-life or unsupported software.

3. Unused services and protocols

Unused or older services and protocols often have their own vulnerabilities. Proactively scan your network for any that are not used or vulnerable, and disable them.

4. Application Whitelisting

Application whitelisting is a method of strictly controlling what programs can be run in your environment.

5. Default credentials

Change the passwords on any systems that come with default credentials before you use the systems in your environment.

6. Multi-factor authentication

You can authenticate with something you know, something you have, or something you are. Multi-factor authentication (MFA) improves security by requiring two or more of these methods.

7. Principle of least privilege

The principle of least privilege means only having the access you need to do your job.

8. Implement and test backups

After an incident, restoring your data from backups is often the best way to return to business as usual. Performing and testing backups often will help prevent the loss of data in the event of an incident.

9. Centralised logging

Storing and securing your logs in a central place makes log analysis and alerting easier.