Critical Controls 2021

Each year, we review our critical controls against the incidents we have seen over the past 12 months. When correctly implemented, these controls would prevent, detect, or contain the majority of the attacks we’ve seen in the past year.

CERT NZ’s ten critical controls are designed to help you decide where best to spend your time and money. These have been developed based on the data and insights we received from reports and international threat feeds. 

The 2021 top ten list includes two new controls:

  • Provide and use a password manager
  • Secure internet-exposed services

In addition, we’re significantly updating two of the current controls:

  • Implement application allowlisting (otherwise known as whitelisting)
  • Configure logging and alerting

Plus, we’re splitting out one of our key controls:

  • Implement multi-factor authentication and verification

In 2020, we saw a number of campaigns targeting internet-exposed services. In response, we’ve developed a control to help organisations identify and secure any internet-exposed services.

Providing and using a password manager is something your organisation can do to support good password hygiene.

In previous years, we had combined multi-factor authentication (MFA) with our other authentication controls; however, this devalued how critical MFA is. MFA remains one of our most common pieces of advice when helping organisations prevent and respond to incidents. The application allowlisting control will be refreshed, and the logging and alerting control will also receive a major update.

Although we have made changes and removed some controls, all of our previous controls and implementation guides can still be found and referenced on the CERT website.

Cybersecurity guides for IT specialists

Critical Controls 2021 [PDF, 564 KB]

This year’s critical controls

For each control, we’ll provide:

  • a page summarising the intent and success measures for decision makers, and
  • a separate page with implementation advice for practitioners.

1. Patch your software and systems

Keeping all software, from operating systems and applications to firewalls and routers, up-to-date continues to be one of the most cited controls in our list. A majority of the advisories we released in 2020 were related to vulnerabilities that could be mitigated if the systems were patched in a timely manner.


2. Implement multi-factor authentication and verification

This control is focused on enforcing the use of multi-factor authentication (MFA), especially for accounts accessible from anywhere on the internet or accounts with administrative access.

We see a large number of reports relating to unauthorised access, which are often caused by weak credentials. Enforcing MFA is the most critical control for preventing unauthorised access.

Our critical controls aren’t solely focused on technology. We also see incidents where business processes lack a verification step. This can result in incidents such as financial or credential loss. In this control we emphasise the importance of strong business processes.

Multi-factor authentication 

3. Provide and use a password manager

Even with multi-factor in place, a strong unique password is still important. Giving your people the tools to make this easy increases the likelihood of them using strong passwords that are different for each system. It also makes it easier to manage shared passwords such as your business’ social media accounts.

The important point of this control is that your organisation should be providing your staff with a password manager tool that works for them. Without the right tools, your staff won’t be able to make strong passwords.

Password manager

4. Configure logging and alerting

Logging and alerting are key to incident detection and investigation efforts. Having a central logging system, which contains feeds from all your endpoints, is the first step in having visibility of all activity in your environment. The second step is identifying key events that alert you to incidents, and setting up actionable alerts to let you know when something unexpected happens.

Often incidents reported to CERT NZ don’t have enough detail to determine what actually happened. This means we can’t close the weakness or the gap with confidence. The only way to make sure you are cleaning up and patching the gaps is by having logs that tell you what actually happened.

Logging and alerting

5. Secure internet-exposed services

Keeping unused and unnecessary services running on a system can leave it vulnerable, especially if the host is exposed to the internet. Disabling these services, or segmenting them so they are not exposed unnecessarily, can reduce the risk and your attack surface.

For services that need to be exposed to the internet, you need to ensure you keep them secured. This means requiring multi-factor authentication for any authentication that is exposed, and making sure the service itself is up-to-date.

Securing internet-exposed services

6. Implement and test backups

Most organisations these days are reliant on their systems, and the data they hold. Significant disruption to the availability of this data can be devastating, whether it was caused by a cybersecurity incident, or simply an accident. In these situations, being able to restore from backup quickly makes all the difference.

Ransomware attacks are often highlighted in our quarterly reports because they happen regularly and have significant impacts on an organisation. Backups can reduce those impacts and allow your organisation to restore the lost data in the most cost-effective way.

Implement and test backups

7. Implement application allowlisting

Malware campaigns continue to cause significant disruption. Application allowlisting (otherwise known as whitelisting) is a control that can prevent unauthorised files, such as malware, from executing on your computer.

Modern endpoint protection software can fulfil the intent of this control and give you visibility into potentially malicious activity in your environment. However you choose to implement this control, it gives your organisation greater protection against malware attacks such as ransomware.

Implement application allowlisting

8. Enforce the principle of least privilege

The principle of least privilege means granting users the minimum level of access they need to perform their job. This prevents users from either accidentally or intentionally making changes that can cause security incidents. It also prevents an attacker from getting very far into the system or network if they manage to steal a user’s account credentials.

It also means creating separate accounts for users if they use both normal and administrative privileges in a system. That way you can set more logging and authentication requirements for the administrative accounts, since those are more valuable to an attacker.

Principle of least privilege

9. Implement network segmentation

Network segmentation means breaking down your network into smaller segments and setting access controls to manage connections across them. It allows your organisation to set more granular security controls on the smaller networks that have critical data or systems.

Without effective network segmentation, attackers can move around your network and gain access to additional systems. Implementing network controls limits an attacker’s access once they enter your network.

Network segmentation and separation

10. Set secure defaults for macros

Macros are small programs that can be run in office productivity software, like Microsoft Office. Attackers often use macros for hiding malicious programs. CERT NZ has noticed popular malware families, like Emotet, have been using macros to infect targets and spread.

Using secure defaults and configurations for macros in your organisation can prevent these incidents. If your organisation does not use macros, disabling macros entirely can protect your users from making a mistake. If your organisation does use macros, forcing them to run in sandboxed environments will reduce their impact and reach within your network.

Secure defaults for macros