How critical is critical: Thoughts on the CERT NZ Critical Controls
For many organisations, knowing what “cyber security stuff” to do is a real challenge. Vendors are always looking to sell you the next silver bullet, so how do you get advice you can trust? Luckily for all of us, CERT NZ provides the Critical Controls – an annually updated, easy to follow, vendor neutral list of the security controls that all organisations should implement. At CyberCX, we use these to help our customers stay secure against threats ranging from phishing and scam emails to ransomware and everything in between.
Critical Controls – what’s new?
Each year, CERT NZ publishes their Critical Controls, a list of 10 security controls that would “prevent, detect, or contain the majority of the attacks” they’ve seen. The Critical Controls are written in plain English and provide any security manager some simple questions to ask about the state of their organisation’s security. CERT NZ have recently published the 2022 list, so let’s take a look.
First, what has changed? Well, “Secure internet-exposed services” has been removed and replaced with “Asset lifecycle management”, which was previously seen in the 2020 list. The removal of “Secure internet-exposed services” from the list makes sense, as this was never really a control of its own, but merely a combination of controls such as patching, multifactor authentication (MFA), and logging and alerting, which need to be applied to all systems, not just those that are exposed to the internet.
We welcome the return of asset management to the Critical Controls. As we have seen through events like the late 2021 Log4j vulnerability, knowing what technology you have in your environment is critical: you can’t secure internet-exposed services if you don’t know what services you have. Having an accurate and updated list of your assets is one of the very first steps in securing your environment.
Second, the Implement application allowlisting control has been renamed to Implement Application Control, and slightly refocused. This appears to be a recognition of the fact that in most organisations, application allowlisting is very difficult, or outright not feasible. EDR tools, when correctly configured and used, can largely fulfil the intent of application allowlisting and give your organisation good control and visibility of what is allowed to execute in your environment. However, it is important to note that this is not a complete replacement for application allowlisting, and not all EDR tools are equal in this capability.
And the rest?
The rest of the controls are unchanged from 2021, which makes sense as these are still practical controls that really would make a difference if implemented. We do recommend organisations implement each of these controls. While they are presented as discrete controls, in many cases they are interrelated, and are most effective when they are all implemented together.
Patching systems and enforcing Multifactor Authentication (MFA) are two of the most basic and important steps that all organisations should take to secure themselves from cyber threats. CyberCX’s own Digital Forensics and Incident Response team responds to incidents every day which could have been mitigated through more complete implementation of these controls.
Providing and using a password manager is a great way to reduce the burden of having to remember lots of different passwords. In many cases, they can even handle MFA for the accounts they store, making it even easier for your staff to have highly secure accounts.
Logging and alerting supports most of the controls, and is key to detecting potentially malicious activity in your network. This might take the form of a SIEM, or even just starting with alerting out of an EDR platform. However you approach it, without logging and alerting, you’ll struggle to quickly and effectively respond to incidents.
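As an added illustration of the kind of rule that “starting with alerting” can mean before a SIEM is in place (this is example code written for this post, not CERT NZ or CyberCX tooling), the PowerShell below flags bursts of failed Windows logons (Security event ID 4625) from a single source address. The threshold, window, field names (`Account`, `SourceIp`) and the sample events at the bottom are all constructed assumptions; the commented-out `Get-WinEvent` section shows how the same shape can be built from live events.

```powershell
# Added example: a minimal failed-logon burst rule over Windows Security events.
# Input objects need three properties: TimeCreated (DateTime), Account, SourceIp.
function Find-FailedLogonBursts {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold     = 10,   # failures from one source that trigger an alert (assumed)
        [int] $WindowMinutes = 5     # sliding window length (assumed)
    )
    $alerts = @()
    foreach ($group in ($Events | Group-Object SourceIp)) {
        $sorted = @($group.Group | Sort-Object TimeCreated)
        # Slide a window forward from each event and count the failures inside it.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].TimeCreated
            $end   = $start.AddMinutes($WindowMinutes)
            $inWindow = @($sorted | Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -le $end })
            if ($inWindow.Count -ge $Threshold) {
                $alerts += [pscustomobject]@{
                    SourceIp = $group.Name
                    Start    = $start
                    Count    = $inWindow.Count
                    Accounts = ($inWindow.Account | Sort-Object -Unique) -join ','
                }
                break   # one alert per source is enough for a first-pass rule
            }
        }
    }
    return $alerts
}

# Live collection (uncomment on a server that holds the Security log). Each 4625
# event's EventData is flattened so TargetUserName and IpAddress become properties.
# $raw = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-1) }
# $events = $raw | ForEach-Object {
#     $x = [xml]$_.ToXml()
#     $d = @{}
#     $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#     [pscustomobject]@{ TimeCreated = $_.TimeCreated; Account = $d['TargetUserName']; SourceIp = $d['IpAddress'] }
# }

# Constructed sample data: 12 failures in 3 minutes from one address (should alert),
# and 2 failures from another (should not). Addresses are documentation ranges.
$t0 = Get-Date '2022-06-01T09:00:00'
$sample = @()
1..12 | ForEach-Object { $sample += [pscustomobject]@{ TimeCreated = $t0.AddSeconds($_ * 15); Account = "user$($_ % 3)"; SourceIp = '203.0.113.5' } }
1..2  | ForEach-Object { $sample += [pscustomobject]@{ TimeCreated = $t0.AddMinutes($_);      Account = 'alice';         SourceIp = '198.51.100.9' } }

Find-FailedLogonBursts -Events $sample | Format-Table -AutoSize
```

Run as-is it prints one alert for 203.0.113.5 and none for 198.51.100.9. The point is not the rule itself but that it only works if 4625 events are being collected somewhere central in the first place; a rule like this is a starting point, and the same events are far more useful once they are forwarded to an EDR platform or SIEM that can correlate them across hosts.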
Disabling macros, or otherwise controlling what macros can be executed from things like Word or Excel documents, is a key control for preventing malware such as TrickBot or Qbot from being loaded on your machines. We often see these as the first step in a ransomware attack.
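To show what “controlling what macros can be executed” looks like as configuration, here is an added example (written for this post, not CERT NZ or CyberCX material) that sets Microsoft Office’s macro policy values in the per-user Policies registry hive. The key paths, `VBAWarnings` and `blockcontentexecutionfrominternet` are Microsoft’s documented Office policy settings for Office 2016 and later (the `16.0` path); the choice of applications, the value `4`, and the idea of capturing the “before” state are assumptions for the example. The same values are normally deployed fleet-wide through Group Policy rather than run by hand.

```powershell
# Added example: harden Office macro policy for the current user. Uses Microsoft's
# documented Office policy registry values; run it after taking a copy of the
# current settings so the weak state can be compared with the corrected one.
$Apps = @('Word', 'Excel', 'PowerPoint')   # assumed set of applications to cover

function Get-OfficeMacroPolicy {
    foreach ($App in $Apps) {
        $Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
        $p = if (Test-Path $Path) { Get-ItemProperty -Path $Path } else { $null }
        [pscustomobject]@{
            App                               = $App
            VBAWarnings                       = $p.VBAWarnings                         # $null = no policy, user decides
            blockcontentexecutionfrominternet = $p.blockcontentexecutionfrominternet   # $null = not blocked
        }
    }
}

function Set-OfficeMacroPolicy {
    foreach ($App in $Apps) {
        $Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }

        # Weak state: VBAWarnings absent or 2 ("disable with notification") lets a user
        # click "Enable Content" on a phishing document. 4 disables all macros without a
        # prompt; use 3 ("only digitally signed") where some signed business macros remain.
        Set-ItemProperty -Path $Path -Name 'VBAWarnings' -Value 4 -Type DWord

        # Block macros in files that carry the Mark-of-the-Web (downloads and email
        # attachments) regardless of the user's Trust Center choice.
        Set-ItemProperty -Path $Path -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    }
}

"Before:"; Get-OfficeMacroPolicy | Format-Table -AutoSize
Set-OfficeMacroPolicy
"After:";  Get-OfficeMacroPolicy | Format-Table -AutoSize
```

A blank `VBAWarnings` column in the “Before” table is the common finding: no policy is set, so whatever the user last chose in the Trust Center applies. Reading the values back afterwards is the check worth keeping, since a policy that is set in one application but not the others leaves the gap an attacker’s document will use.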
Network segmentation is an effective way to prevent an attacker from spreading across your network. Especially when combined with the principle of least privilege, these controls are all about stopping an attacker from gaining administrative access to your systems. That level of access is what allows attackers to rapidly deploy malware or carry out data theft and destruction across your entire environment.
If an attacker does get through your defences, particularly in a ransomware attack, then having robust backups is a vital part of your recovery plan. Backups need to be kept offline or otherwise disconnected from your environment to prevent deletion, as ransomware crews do try to delete backups to make recovery more difficult and increase their chances of being paid.
The growing ransomware threat
Alongside the Critical Controls, CERT NZ also released guidance in 2021 on protecting against ransomware, showing how the Critical Controls can be used to provide defence-in-depth against the growing threat of ransomware. The content is good, but the highlight is a series of graphics clearly showing the different phases of a ransomware attack, with the Critical Controls mapped out visually against the phases of an attack. We do hope to see this updated with the 2022 controls soon.
In combination with our own Ransomware and Extortion guide, these guides give organisations a fantastic base from which to plan and prepare their defences. If your organisation is seeking further assurance about the state of your readiness against ransomware, contact CyberCX: we have a range of services, including a “Rapid Ransomware Readiness Assessment”, designed to help you verify and enhance your defences.
Finally, if you need help on your implementation of any of these security controls, or want to validate the effectiveness of your implementation, get in touch with our experts today.
Michael Shearer is a Senior Consultant, Security Integration and Engineering
The CyberCX Best Practice Guide: Ransomware and Cyber Extortion is available for download here. The Guide provides practical tools for people at all levels of an organisation to understand and manage the risk posed by ransomware and cyber extortion.
If you need assistance responding to a cyber incident, please contact our investigation and response team here.