Beyond the Buzzwords: Specific Controls You Can Use

Author: Ricky Hamilton, CISA, CRISC, CCSK, Lean Six Sigma
Date Published: 15 February 2023

I’ve found that much of the material published about audit and cybersecurity is directed toward experienced professionals. Nothing wrong with that – in fact, most people who are far along enough in their career to be reading an article or blog post about audit or cybersecurity likely understand the material and can apply it in real-world situations.

For a newly minted IT auditor or cybersecurity practitioner, however, the volume of information can feel immense. From learning about frameworks, best practices and professional organizations (such as ISACA) to creating audit programs, understanding industry terms and learning vendor tools, it’s quite a challenge for anyone to process. You’ll often see broad phrases such as “Physical security,” “Network security,” “Reducing your attack surface,” “Harden your systems” and “Secure your endpoints.” These terms are necessary in order to explain and label concepts, but the reader is left to their own devices on what it means to “secure endpoints” at a more granular level.

Let’s change that and look at some specific controls you can add to your next audit or checklist to improve your security posture. After all, at the heart of IT auditing are controls. You are probably already familiar with control categories but just to refresh, ISACA describes them as:

  1. Administrative – The rules, procedures and practices dealing with operational effectiveness, efficiency and adherence to regulations and management policies.
  2. Detective – Exists to detect and report when errors, omissions and unauthorized uses or entries occur.
  3. Preventive – An internal control that is used to avoid undesirable events, errors and other occurrences that an enterprise has determined could have a negative material effect on a process or end product.
  4. Corrective – Designed to correct errors, omissions and unauthorized uses and intrusions once they are detected.

In reality, something as simple as “Securing your endpoints” does not mean installing an antivirus program and calling it a day. It is instead a combination of reviewing multiple controls and ensuring they are implemented to the standard of your organization’s risk appetite. Though the following lists are not meant to be a comprehensive instruction guide, I’ve included some maybe-not-so-common controls to think about when auditing or remediating. I hope it moves your thinking from broad to granular and reinforces the concept of controls.

Task: Secure your endpoints

  1. Policies in place
    This administrative control creates accountability by instructing users and deterring negligent use. People cannot be expected to follow non-existent rules. Find out whether the policies exist and whether users have acknowledged them.
  2. Local administrative rights
    Removing local administrator rights from everyday user accounts is a preventive control, and it is perhaps the single best control you can audit and implement on an endpoint. It does not stop a downloaded file from running, but it limits what that file can do: no silent installs, no tampering with the antivirus or system files, no persistence in protected locations, and far less for an attacker to work with should access be gained to the device. Ask for the actual membership of the local Administrators group on a sample of machines, not just the policy that says it should be empty.

  3. Encryption
    Full-disk encryption (BitLocker, FileVault or the platform equivalent) is especially important on mobile phones but just as important on laptops and tablets. This preventive control turns a lost or stolen device into a hardware loss rather than a data breach, provided the recovery keys are escrowed centrally and not kept with the device.

  4. Anti-malware or antivirus is installed
    This is a classic preventive control. You’ve likely heard about the need for antivirus all your life, even before becoming a professional in the field. This software can help stop and/or report an undesirable event. Check not only that it is installed but that real-time protection is on, signatures are current and alerts reach someone.

  5. Software and OS updates
    If policies exist detailing the how, when and what of updates, this can be both an administrative and a preventive control. What happens when a device isn’t updated with the latest security updates? You’re leaving it open to entry. Unpatched vulnerabilities can be exploited for initial access and for privilege escalation. Simply put, threat actors can gain entry and administrative rights through unpatched software.

  6. SIEM implementation
    This detective control collects and correlates logs from endpoints (among other things) and alerts the organization to a variety of undesirable events, such as a brute-force login attempt or an unexpected process executing on a device, so the cybersecurity team can react. A SIEM only sees what is sent to it: confirm that endpoints are actually forwarding logs and that the relevant audit categories (logon events, process creation) are enabled.
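The endpoint checks above can be turned into evidence instead of a conversation. The script below is an added example written for this article, not code from the author, and it assumes a Windows 10/11 host, an elevated PowerShell session, and the in-box LocalAccounts, BitLocker and Defender modules; the output file name, the 30-day patch threshold and the allow-list of expected local administrators are assumptions to replace with your own policy values.

```powershell
# Added example: collect endpoint evidence for the five checks above on one Windows host.
# Assumes elevation (Get-BitLockerVolume and Get-MpComputerStatus need it). Output is a JSON
# file you can attach to the audit, plus a list of findings on the console.
#Requires -RunAsAdministrator
param(
    [string]$OutFile = "$env:COMPUTERNAME-endpoint-evidence.json",  # assumed output path
    [int]$MaxPatchAgeDays = 30,                                      # assumed threshold; take it from policy
    [string[]]$ApprovedAdmins = @('Administrator')                   # assumed allow-list of local admins
)

$evidence = [ordered]@{
    Host      = $env:COMPUTERNAME
    Collected = (Get-Date).ToString('o')
    Findings  = [System.Collections.Generic.List[string]]::new()
}

# 2. Local administrative rights: who is actually in the local Administrators group?
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
$evidence.LocalAdministrators = $admins
$unexpected = $admins | Where-Object { ($_.Name -split '\\')[-1] -notin $ApprovedAdmins }
if ($unexpected) { $evidence.Findings.Add("Local admin rights held by: $($unexpected.Name -join ', ')") }

# 3. Encryption: every volume should report ProtectionStatus 'On'.
$volumes = Get-BitLockerVolume | Select-Object MountPoint, VolumeType, ProtectionStatus, EncryptionPercentage
$evidence.BitLocker = $volumes
foreach ($v in $volumes | Where-Object { $_.ProtectionStatus -ne 'On' }) {
    $evidence.Findings.Add("Volume $($v.MountPoint) is not protected by BitLocker")
}

# 4. Anti-malware: Defender status if present, plus whatever Security Center knows about third-party AV.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    $evidence.Defender = $mp | Select-Object AMServiceEnabled, RealTimeProtectionEnabled,
                                             AntivirusSignatureLastUpdated, AntivirusSignatureAge
    if (-not $mp.RealTimeProtectionEnabled) { $evidence.Findings.Add('Defender real-time protection is off') }
    if ($mp.AntivirusSignatureAge -gt 3)    { $evidence.Findings.Add("AV signatures are $($mp.AntivirusSignatureAge) days old") }
}
$evidence.RegisteredAV = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
                         Select-Object displayName, productState
if (-not $mp -and -not $evidence.RegisteredAV) { $evidence.Findings.Add('No anti-malware product detected') }

# 5. OS updates: the most recent installed hotfix is a cheap proxy for "is this machine being patched".
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$evidence.LatestHotfix = $latest | Select-Object HotFixID, Description, InstalledOn
if (-not $latest -or $latest.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
    $evidence.Findings.Add("No update installed in the last $MaxPatchAgeDays days")
}

# 6. Detection: a SIEM cannot alert on failed logons the host never records. auditpol is in-box;
#    /r gives CSV so the setting can be read as a property.
$evidence.LogonAuditing = (auditpol /get /subcategory:"Logon" /r | ConvertFrom-Csv).'Inclusion Setting'
if ($evidence.LogonAuditing -notmatch 'Success and Failure') {
    $evidence.Findings.Add("Logon auditing is '$($evidence.LogonAuditing)'; failed logons will not reach the SIEM")
}

$evidence | ConvertTo-Json -Depth 4 | Set-Content -Path $OutFile
Write-Host "Evidence written to $OutFile with $($evidence.Findings.Count) finding(s)"
$evidence.Findings
```

Run it on a sample of machines chosen by the auditor, not by the administrator, and keep the JSON with the workpapers. Item 1 (policies) has no technical check; ask for the document and the acknowledgement records instead.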

Task: Secure your network

  1. Patching firewalls
    This preventive control helps keep intruders out of your network, but the firewall only protects you if it is running a supported, current firmware version. Even if you are not technical, have your IT team send you a screenshot of the firewall’s version and compare it to the manufacturer’s release notes and security advisories for the latest patches.
  2. Network segmentation
    Segmentation is a preventive control that can help lessen the damage a threat actor can do by isolating them to a particular section of the network. This makes lateral movement harder, and in some designs impossible. In basic terms, the threat actor is contained to a particular place within the network. Ask for the network diagram and then for evidence (firewall rules, VLAN configuration) that the boundaries on the diagram are actually enforced.
  3. Strong passwords
    Strong passwords are a preventive control that is a basic building block of security. You might think that everyone uses a strong password, but that is certainly not the case. Does the organization have a policy on passwords? Does it abide by it? How far is the policy from widely accepted standards such as NIST SP 800-63B?
  4. Multi-factor authentication (MFA)
    MFA is a strong preventive control and should be in use as widely as feasible, especially where cloud environments and remote access are concerned. Request evidence that MFA is widely enabled, or at a minimum enabled for access to sensitive material and for all administrative accounts.
  5. Active Directory lockout
    This preventive control can be a bit tricky. Different organizations allow different numbers of failed login attempts before lockout, and there is no single accepted standard, which makes it easy for the setting to drift without anyone noticing. I’ve personally observed the following during an audit: the Active Directory lockout threshold was set into the hundreds. Why? Generic shared accounts were being used domain-wide, and this was a way to prevent lockouts caused by multiple simultaneous logins to the same account. This creates an accountability problem, and it also means someone could attempt to brute force multiple elevated accounts and go relatively undetected.
  6. Generic accounts
    As noted above, generic accounts create an accountability problem. If such an account also has local administrator privileges, it’s a recipe for disaster. From the curious staff member who has just enough technical know-how to be dangerous to a truly malicious threat actor, you have a gaping hole that needs to be remediated.
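Items 3, 5 and 6 above, and the detection gap that a high lockout threshold opens, can be checked from the domain side. The script below is an added example written for this article, not the author’s code; it assumes a host with the RSAT ActiveDirectory module, a domain controller whose Security log you can read, and domain-joined Windows clients. The length and lockout thresholds, the list of privileged groups, the naming pattern used to spot generic accounts, and the brute-force window are all assumptions to adjust to your policy.

```powershell
# Added example: domain password and lockout policy, generic or privileged accounts, and a
# failed-logon grouping that catches brute force even when nothing ever locks out.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

# 3/5. Password and lockout policy: compare the domain default with NIST SP 800-63B-style expectations.
$policy = Get-ADDefaultDomainPasswordPolicy
$policyFindings = @()
if ($policy.MinPasswordLength -lt 12)    { $policyFindings += "MinPasswordLength is $($policy.MinPasswordLength)" }  # assumed minimum
if ($policy.LockoutThreshold -eq 0)      { $policyFindings += 'LockoutThreshold is 0 (lockout disabled)' }
elseif ($policy.LockoutThreshold -gt 20) { $policyFindings += "LockoutThreshold is $($policy.LockoutThreshold); brute force will go unnoticed" }  # assumed ceiling
$policy | Select-Object MinPasswordLength, ComplexityEnabled, LockoutThreshold, LockoutDuration, LockoutObservationWindow, MaxPasswordAge
$policyFindings

# Fine-grained policies silently override the default for specific groups; list them as well.
Get-ADFineGrainedPasswordPolicy -Filter * | Select-Object Name, Precedence, LockoutThreshold, MinPasswordLength, AppliesTo

# 6. Generic and shared accounts, flagged when they also hold elevated rights.
$genericPattern = '^(admin|administrator|shared|generic|test|temp|scanner|helpdesk|svc)'  # assumed naming heuristic
$privileged = foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators') {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' | Select-Object -ExpandProperty SamAccountName
}
$privileged = $privileged | Sort-Object -Unique
Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordNeverExpires, LastLogonDate, Description |
    Where-Object { $_.SamAccountName -match $genericPattern -or $_.PasswordNeverExpires } |
    Select-Object SamAccountName, Description, LastLogonDate, PasswordNeverExpires,
                  @{ n = 'Privileged'; e = { $_.SamAccountName -in $privileged } } |
    Sort-Object Privileged -Descending | Format-Table -AutoSize

# Detection side of item 5: with a high threshold nothing locks, so look at the failures themselves.
# Find-BruteForce works on plain objects so it can be run on constructed data as well as live events.
function Find-BruteForce {
    param([object[]]$Events, [int]$Threshold = 10, [int]$WindowMinutes = 15)  # assumed thresholds
    $Events | Group-Object { "$($_.Account)|$($_.Source)" } | ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        $first = $sorted[0].Time; $last = $sorted[-1].Time
        if ($_.Count -ge $Threshold -and ($last - $first).TotalMinutes -le $WindowMinutes) {
            [pscustomobject]@{ Account = $sorted[0].Account; Source = $sorted[0].Source; Failures = $_.Count; First = $first; Last = $last }
        }
    }
}

# Live input: Event ID 4625 on a domain controller. Property 5 is TargetUserName, property 19 is IpAddress.
function Get-FailedLogons([int]$Hours = 1) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Account = $_.Properties[5].Value; Source = $_.Properties[19].Value } }
}

# Constructed sample: 12 failures against a shared admin account from one address in three minutes, plus one stray failure.
$sample = 0..11 | ForEach-Object { [pscustomobject]@{ Time = (Get-Date).AddSeconds(15 * $_); Account = 'scanner-admin'; Source = '10.0.5.23' } }
$sample += [pscustomobject]@{ Time = Get-Date; Account = 'jsmith'; Source = '10.0.7.4' }
Find-BruteForce -Events $sample               # reports scanner-admin from 10.0.5.23 with 12 failures; jsmith is below threshold
Find-BruteForce -Events (Get-FailedLogons)    # the same logic over the last hour of real events
```

Item 4 (MFA) lives in the identity provider rather than in Active Directory, so ask for the conditional-access or MFA enrollment report from that system instead. Note that `Find-BruteForce` groups by account and source address; a password-spraying attacker who tries one password against many accounts will not trip it, so also group by source alone when you review the output.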

Task: Protect your data

  1. Timely termination policy
    An important administrative control is a policy outlining the process for employees who have left the organization for one reason or another. The process this control covers protects you from data exfiltration and potentially from a regulatory violation such as a HIPAA breach. If someone normally receives covered data in an emailed report and is terminated, are they still receiving that data when they no longer have a business need? Compare HR’s leaver list against the accounts that are still enabled.

  2. Mail forwarding rules
    Blocking automatic forwarding to external addresses is a preventive control, and reviewing the forwarding rules that exist is a detective control I’ve not seen audited much. Are employees allowed to create mail redirection rules to their personal email? What data is leaving the organization as a result? Unencrypted documents that contain regulated data? Trade secrets? Check both mailbox-level forwarding set by administrators and the inbox rules users create themselves; the latter are easy to miss.

  3. USB devices
    A determined threat actor can plug in a device that presents itself as a keyboard rather than a storage drive and so bypass USB storage blocking, but that requires physical access. By implementing this preventive control and disabling USB mass storage, the organization makes it harder for the average disgruntled or negligent employee to move data onto a USB drive or to introduce a virus into the environment.

  4. Backups and disaster recovery
    Data backups are a corrective control that protects your data by letting you restore it when needed. In the age of ransomware, it’s a must. Ask for evidence of backups and of successful test restores via screenshots or logs; a backup that has never been restored is an assumption, not a control. Determine whether an offsite copy is kept and whether it is offline or otherwise immutable, so that an attacker who gains domain administrator rights cannot encrypt or delete it along with everything else.

  5. Elevated privileges and separate administration accounts
    This is an administrative control that details how access should be determined. Following the principle of least privilege, systems administrators and other employees who occasionally need administrative rights should have a separate, named administrative account and use it only when necessary. Watch for employees who stay logged in to their elevated-privilege account almost full-time to make work more convenient. They, too, can click a well-designed phishing email, and when they do, the malware runs with their rights.
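Items 1 to 3 above each have a concrete artifact you can ask for. The script below is an added example written for this article, not the author’s code. It assumes the RSAT ActiveDirectory module, the ExchangeOnlineManagement module with an account permitted to read mailboxes and inbox rules, and a domain-joined Windows host for the USB check; the 45-day inactivity window, the internal domain list and the report directory are assumptions.

```powershell
# Added example: enabled-but-inactive accounts, mailbox and inbox-rule forwarding, and USB storage state.
#Requires -Modules ActiveDirectory, ExchangeOnlineManagement
param(
    [int]$InactiveDays = 45,                          # assumed: enabled accounts unused this long are suspect
    [string[]]$InternalDomains = @('example.com'),    # assumed: forwarding to any other domain is external
    [string]$ReportDir = '.'                          # assumed output location
)

# 1. Timely termination: enabled accounts nobody has logged into. Reconcile this list against HR's
#    leaver list; any name on both is a termination process that did not fire.
$stale = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object Enabled | Get-ADUser -Properties LastLogonDate, Manager, mail |
    Select-Object SamAccountName, mail, LastLogonDate, Manager
$stale | Export-Csv (Join-Path $ReportDir 'enabled-inactive-users.csv') -NoTypeInformation

# 2. Mail forwarding: mailbox-level forwarding (set by admins or via settings) and user-created inbox
#    rules that forward or redirect. Both leave the tenant quietly; inbox rules are the ones rarely asked for.
Connect-ExchangeOnline -ShowBanner:$false
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

$mailboxForwarding = $mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

$ruleForwarding = foreach ($mb in $mailboxes) {
    Get-InboxRule -Mailbox $mb.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) | Where-Object { $_ }
            [pscustomobject]@{
                Mailbox  = $mb.UserPrincipalName
                Rule     = $_.Name
                Enabled  = $_.Enabled
                Targets  = ($targets -join '; ')
                # External when no internal domain appears in the target's address text
                External = [bool]($targets | Where-Object { $t = "$_"; -not ($InternalDomains | Where-Object { $t -like "*@$_*" }) })
            }
        }
}
$mailboxForwarding | Export-Csv (Join-Path $ReportDir 'mailbox-forwarding.csv') -NoTypeInformation
$ruleForwarding    | Export-Csv (Join-Path $ReportDir 'inbox-rule-forwarding.csv') -NoTypeInformation
Disconnect-ExchangeOnline -Confirm:$false

# 3. USB storage: the USBSTOR driver start value on this host (4 = disabled). Sample several endpoints;
#    the group policy that sets this may not reach every OU.
$usb = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start
[pscustomobject]@{
    Host              = $env:COMPUTERNAME
    UsbStorageStart   = $usb.Start
    UsbStorageBlocked = ($usb.Start -eq 4)
}

"Enabled but inactive users: $(@($stale).Count); mailboxes forwarding: $(@($mailboxForwarding).Count); " +
"forwarding rules: $(@($ruleForwarding).Count), of which external: $(@($ruleForwarding | Where-Object External).Count)"
```

For item 2, also ask whether the tenant’s outbound spam policy or a transport rule blocks automatic external forwarding at all; the rule review above tells you what exists today, the policy tells you whether it can happen tomorrow. Backups (item 4) are product-specific, so the evidence there is a restore-test log rather than a script.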

I hope this has helped you move beyond broad catchphrases to some practical specifics the next time you are auditing or remediating. If you would like to discuss further, you can reach me at rickyhmltn@outlook.com or contact me on LinkedIn.