The controls have been developed based on the data and insights received from reports and international threat feeds and are refined on an annual basis. When correctly implemented, these controls would prevent, detect, or contain most of the attacks we’ve seen in the past year.
Each of the controls is explained, with instructions on implementation, on the CERT NZ website: CERT NZ's Critical Controls 2022.
This year CERT NZ has updated two controls.
Asset lifecycle management has been added as it is the basis of many controls. Identifying your assets, and knowing if they are legacy or not, is fundamental in any security operation. You can’t defend things if you don’t know they exist.
CERT NZ has refocussed the previous control, application allowlisting, into application control. We received industry feedback that this is a much more pragmatic and realistic option than traditional allowlisting, which is not workable for most organisations.
Threat and Incident Response Manager Nadia Yousef said that these controls are vital for businesses wanting to keep their data and clients safe.
“These controls represent the essential steps organisations need to focus on, in order to prevent cyber attacks before they do real damage.”
Critical controls for 2022:
- Patch your software and systems
- Implement multi-factor authentication and verification
- Provide and use a password manager
- Configure logging and alerting
- Asset lifecycle management
- Implement and test backups
- Implement application control
- Enforce the principle of least privilege
- Implement network segmentation
- Set secure defaults for macros