Critical Controls

Each year, we review our critical controls against the incidents we have seen over the past 12 months. When correctly implemented, these controls would prevent, detect, or contain the majority of the attacks we’ve seen in the past year.

CERT NZ’s critical controls are designed to help you decide where best to spend your time and money. They have been developed based on data and insights we received from reports and international threat feeds.

Many of our controls start by encouraging organisations to identify their assets. This is fundamental in any security operation because it’s difficult to protect systems and infrastructure if you don’t know they exist.

Although we sometimes make changes and remove some controls from our top ten, all of our previous controls are still relevant, and their implementation guides can still be found and referenced on the CERT NZ website.

Cyber security guides for IT specialists

CERT NZ's Critical Controls [PDF, 490 KB]

For each control, we’ll provide:

  • a page summarising the intent and success measures for decision makers, and
  • a separate page with implementation advice for practitioners.

Patch your software and systems

Keeping all software, from operating systems and applications to firewalls and routers, up-to-date continues to be one of the most cited controls in our list. A majority of the advisories we released in 2022 were related to vulnerabilities that could be mitigated if the systems were patched in a timely manner.


Implement multi-factor authentication and verification

This control focuses on enforcing the use of multi-factor authentication (MFA), especially for accounts accessible from anywhere on the internet or accounts with administrative access.

We see a large number of reports relating to unauthorised access, which are often caused by weak credentials. Enforcing MFA is the most critical control for preventing unauthorised access.

Our critical controls aren’t solely focused on technology. We also see incidents where business processes lack a verification step. This can result in incidents such as financial or credential loss. In this control we emphasise the importance of strong business processes.

Multi-factor authentication 

Provide and use a password manager

Even with multi-factor in place, a strong unique password is still important. Giving your people the tools to make this easy increases the likelihood of them using strong passwords that are different for each system. It also makes it easier to manage shared passwords such as your business’ social media accounts.

The important point of this control is that your organisation should be providing your staff with a password manager tool that works for them. Without the right tools, your staff won’t be able to make strong passwords.

Password manager

Configure logging and alerting

Logging and alerting are key to incident detection and investigation efforts. Having a central logging system, which contains feeds from all your endpoints, is the first step in having visibility of all activity in your environment. The second step is identifying key events that alert you to incidents, and setting up actionable alerts to let you know when something unexpected happens.

Often incidents reported to CERT NZ don’t have enough detail to determine what actually happened. This means we can’t close the weakness or the gap with confidence. The only way to make sure you are cleaning up and patching the gaps is by having logs that tell you what actually happened.

Logging and alerting

Security awareness building 

Cyber attackers often rely on human behaviour, such as clicking on links or downloading and opening/executing files, to give them valid credentials or access into a network or system. Reports show that 82% of all breaches involve a human element, which means your people play a key role in making sure that your organisation and information are kept secure.

Alongside implementing technical controls, investing in your people’s security awareness and training is a long-term commitment to improving the security of your organisation.

Security awareness building

Asset lifecycle management

Asset lifecycle management is a way to keep your view of your environment accurate and up-to-date. It tracks the software and hardware you have through each key stage – purchase/development, maintenance and decommissioning.

A critical part of this lifecycle is monitoring when a system goes from supported to legacy. Legacy systems are systems that a vendor no longer supports, or systems that an organisation no longer maintains.

We have seen a lot of incidents caused by lack of system maintenance. Systems are either left unhardened or left unpatched because an organisation has forgotten to maintain them, sometimes beyond their end-of-support date.

Asset lifecycle management

Implement and test backups

Most organisations these days are reliant on their systems, and the data they hold. Significant disruption to the availability of this data can be devastating, whether it was caused by a cybersecurity incident, or simply an accident. In these situations, being able to restore from backup quickly makes all the difference.

Ransomware attacks are often highlighted in our quarterly reports because they happen regularly and have significant impacts on an organisation. Backups can reduce those impacts and allow your organisation to restore the lost data in the most cost-effective way.

Implement and test backups

Implement application control

Application control allows organisations to restrict the execution of specific software packages on their systems. This control can include a previous control, application allowlisting, which only permits specific programs to run. Application control can also include limiting the types of files that can be downloaded, opened, or run.

Application control has evolved over time and is now a feature found in most modern endpoint security software that can help to alleviate the need for manually configuring policies and rules. Endpoint security software should include regular updates from the vendor to detect and block the latest malware behaviours.

Implement Application control 

Enforce the principle of least privilege

The principle of least privilege means granting users the minimum level of access they need to perform their job. This prevents users from either accidentally or intentionally making changes that can cause security incidents. It also prevents an attacker from getting very far into the system or network if they manage to steal a user’s account credentials.

It also means creating separate accounts for users if they use normal and administrative privileges in a system. That way you can set more logging and authentication requirements for the administrative accounts since those are more valuable to an attacker.

Principle of least privilege

Implement network segmentation

Network segmentation means breaking down your network into smaller segments and setting access controls to manage connections across them. It allows your organisation to set more granular security controls on the smaller networks that have critical data or systems.

Without effective network segmentation, attackers can move around your network and gain access to additional systems. Implementing network controls limits an attacker’s access once they enter your network.

Network segmentation and separation