Critical Controls 2022

Each year, we review our critical controls against the incidents we have seen over the past 12 months. When correctly implemented, these controls would prevent, detect, or contain the majority of the attacks we’ve seen in the past year.

CERT NZ’s critical controls are designed to help you decide where best to spend your time and money. They have been developed based on data and insights we received from reports and international threat feeds. 

CERT NZ’s 2022 critical controls list includes two changes:

  • asset lifecycle management, and
  • implement application control.

Many of our controls start by encouraging organisations to identify their assets. This is fundamental in any security operation because it’s difficult to protect systems and infrastructure if you don’t know they exist. To help organisations with this process we’ve added asset lifecycle management to our critical controls.

The application allowlisting control has been remodelled to provide less restrictive advice and encourage organisations to adopt this control.

Although we have made changes and removed some controls from our top ten, all of our previous controls are still relevant and implementation guides can still be found and referenced on the CERT NZ website.


Critical Controls 2022 [PDF, 769 KB]

This year’s critical controls

For each control, we’ll provide:

  • a page summarising the intent and success measures for decision makers, and
  • a separate page with implementation advice for practitioners.

1. Patch your software and systems

Keeping all software, from operating systems and applications to firewalls and routers, up to date continues to be one of the most cited controls in our list. A majority of the advisories we released in 2020 related to vulnerabilities that could have been mitigated if the affected systems had been patched in a timely manner.

Patching

2. Implement multi-factor authentication and verification

This control is focused around enforcing the use of multi-factor authentication (MFA), especially for accounts accessible from anywhere on the internet or accounts with administrative access.

We see a large number of reports relating to unauthorised access, which are often caused by weak credentials. Enforcing MFA is the most critical control for preventing unauthorised access.

Our critical controls aren’t solely focused on technology. We also see incidents where business processes lack a verification step. This can result in incidents such as financial or credential loss. In this control we emphasise the importance of strong business processes.

Multi-factor authentication

3. Provide and use a password manager

Even with multi-factor in place, a strong unique password is still important. Giving your people the tools to make this easy increases the likelihood of them using strong passwords that are different for each system. It also makes it easier to manage shared passwords such as your business’ social media accounts.

The important point of this control is that your organisation should be providing your staff with a password manager tool that works for them. Without the right tools, your staff won’t be able to make strong passwords.

Password manager

4. Configure logging and alerting

Logging and alerting are key to incident detection and investigation efforts. Having a central logging system, which contains feeds from all your endpoints, is the first step in having visibility of all activity in your environment. The second step is identifying key events that alert you to incidents, and setting up actionable alerts to let you know when something unexpected happens.

Often incidents reported to CERT NZ don’t have enough detail to determine what actually happened. This means we can’t close the weakness or the gap with confidence. The only way to make sure you are cleaning up and patching the gaps is by having logs that tell you what actually happened.
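The two steps above (centralise the feeds, then turn key events into actionable alerts) can be shown on a small scale. The following is an added example, not code from CERT NZ or from any implementation guide: it parses constructed SSH-style authentication lines from two hosts into one event stream, then raises an alert when a login succeeds after five or more failures from the same source within five minutes, and when an account whose name starts with `admin-` logs in from a source outside a constructed list of expected admin addresses. The log format, host names, addresses, thresholds and the `admin-` naming convention are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample lines (syslog-like, two hosts); not real log data.
SAMPLE_LOGS = """\
2022-03-01T09:00:01Z web01 sshd: Failed password for alice from 203.0.113.9
2022-03-01T09:00:03Z web01 sshd: Failed password for alice from 203.0.113.9
2022-03-01T09:00:05Z web01 sshd: Failed password for alice from 203.0.113.9
2022-03-01T09:00:06Z web01 sshd: Failed password for alice from 203.0.113.9
2022-03-01T09:00:08Z web01 sshd: Failed password for alice from 203.0.113.9
2022-03-01T09:00:12Z web01 sshd: Accepted password for alice from 203.0.113.9
2022-03-01T09:15:00Z db01 sshd: Accepted publickey for admin-bob from 198.51.100.7
2022-03-01T09:16:00Z db01 sshd: Accepted publickey for admin-bob from 192.0.2.44
2022-03-01T09:20:00Z web01 sshd: Failed password for carol from 192.0.2.10
2022-03-01T09:21:00Z web01 sshd: Accepted password for carol from 192.0.2.10
"""

# Assumed line layout: "<ISO timestamp> <host> sshd: <Failed|Accepted> <method> for <user> from <src>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) "
    r"(?:password|publickey) for (?P<user>\S+) from (?P<src>\S+)$"
)

# Constructed: addresses from which administrative logins are expected (e.g. a bastion host).
ADMIN_SOURCES = {"198.51.100.7"}
ADMIN_PREFIX = "admin-"        # assumed naming convention for privileged accounts
FAILURE_THRESHOLD = 5          # failures before a following success is suspicious
WINDOW = timedelta(minutes=5)  # how far back failures are counted


def parse_events(text: str) -> List[Dict]:
    """Step 1: merge lines from every host into one time-ordered event list."""
    events = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # a production pipeline would count and surface unparsed lines
        event = match.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(text: str) -> List[Dict]:
    """Step 2: evaluate each successful login against the two alert rules."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    for event in parse_events(text):
        key = (event["user"], event["src"])
        if event["outcome"] == "Failed":
            failures[key].append(event["ts"])
            continue

        # Rule 1: success preceded by many failures from the same source.
        window_start = event["ts"] - WINDOW
        recent = [t for t in failures[key] if t >= window_start]
        if len(recent) >= FAILURE_THRESHOLD:
            alerts.append({
                "reason": "success_after_repeated_failures",
                "host": event["host"], "user": event["user"], "src": event["src"],
                "ts": event["ts"], "failures": len(recent),
            })
        failures[key] = []  # a success resets the counter for that user/source pair

        # Rule 2: privileged account logging in from an unexpected address.
        if event["user"].startswith(ADMIN_PREFIX) and event["src"] not in ADMIN_SOURCES:
            alerts.append({
                "reason": "admin_login_from_unexpected_source",
                "host": event["host"], "user": event["user"], "src": event["src"],
                "ts": event["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Running the block yields two alerts: the `alice` login on `web01` after five failures, and the `admin-bob` login on `db01` from `192.0.2.44`. The single failure for `carol` produces nothing, which is the point of the threshold: each alert should be specific enough that someone can act on it without first sifting through noise. Note that the second rule only works because the admin accounts are distinguishable from everyday accounts, which is one reason control 8 asks for separate administrative accounts.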

Logging and alerting

5. Asset lifecycle management

Asset lifecycle management is a way to keep your view of your environment accurate and up to date. It tracks the software and hardware you have through each key stage – purchase/development, maintenance and decommissioning.

A critical part of this lifecycle is monitoring when a system goes from supported to legacy. Legacy systems are systems that a vendor no longer supports, or systems that an organisation no longer maintains.

We have seen a lot of incidents caused by lack of system maintenance. Systems are either left unhardened or left unpatched because an organisation has forgotten to maintain them, sometimes beyond their end-of-support date.

Asset lifecycle management

6. Implement and test backups

Most organisations these days are reliant on their systems, and the data they hold. Significant disruption to the availability of this data can be devastating, whether it was caused by a cybersecurity incident, or simply an accident. In these situations, being able to restore from backup quickly makes all the difference.

Ransomware attacks are often highlighted in our quarterly reports because they happen regularly and have significant impacts on an organisation. Backups can reduce those impacts and allow your organisation to restore the lost data in the most cost-effective way.

Implement and test backups

7. Implement application control

Application control is a security control that only permits specific software packages to run. This control has evolved over time and used to be reliant on manually configuring policies and rules.

Application control can include application allowlisting (previously called “whitelisting”), which is a security control that only permits specific programs to run.

Application control is a feature found in most modern endpoint security software that should include regular updates from the vendor to detect and block the latest malware behaviours.

Drive-by downloads (unintentional downloading of files from a website) and malicious email attachments are the most common causes of malware incidents. Endpoint protection that includes application control can prevent these incidents.

Implement application control

8. Enforce the principle of least privilege

The principle of least privilege means granting users the minimum level of access they need to perform their job. This prevents users from either accidentally or intentionally making changes that can cause security incidents. It also prevents an attacker from getting very far into the system or network if they manage to steal a user’s account credentials.

It also means creating separate accounts for users who need both normal and administrative privileges in a system. That way you can set stronger logging and authentication requirements for the administrative accounts, since those are more valuable to an attacker.

Principle of least privilege

9. Implement network segmentation

Network segmentation means breaking down your network into smaller segments and setting access controls to manage connections across them. It allows your organisation to set more granular security controls on the smaller networks that have critical data or systems.

Without effective network segmentation, attackers can move around your network and gain access to additional systems. Implementing network controls limits an attacker’s access once they enter your network.

Network segmentation and separation

10. Set secure defaults for macros

Macros are small programs that can be run in office productivity software, like Microsoft Office. Attackers often use macros for hiding malicious programs. CERT NZ has noticed popular malware families, like Emotet, have been using macros to infect targets and spread.

Using secure defaults and configurations for macros in your organisation can prevent these incidents. If your organisation does not use macros, disabling macros entirely can protect your users from making a mistake. If your organisation does use macros, forcing them to run in sandboxed environments will reduce their impact and reach within your network.

Secure defaults for macros