Critical controls
For each control we provide a page summarising the intent and success measures for decision makers. We have a separate page providing implementation advice for practitioners.
This is CERT NZ’s second annual list of ten critical controls for organisations. These controls would prevent, or better contain, the majority of attacks we’ve seen in the past year.
You can authenticate with something you know, something you have, or something you are. Multi-factor authentication (MFA) improves security by requiring two or more of these methods.
Keeping your software up-to-date is one of the most simple and effective steps to take, to ensure your environment stays secure.
Unused or older services and protocols often have their own vulnerabilities. Proactively scan your network for any that are not used or vulnerable, and disable them.
Change the passwords on any systems that come with default credentials before you use the systems in your environment.
After an incident, restoring your data from backups is often the best way to return to business as usual. Performing and testing backups often will help prevent the loss of data in the event of an incident.
Application whitelisting is a method of strictly controlling what programs can be run in your environment.
The principle of least privilege means only having the access you need to do your job.
Storing and securing your logs in a central place makes log analysis and alerting easier.
When paired together, segmentation and separation can add an additional level of access control and security to your network, systems, and data.
Using single sign-on with a large cloud identity provider allows your users to protect fewer passwords and your IT staff to manage fewer accounts.