This year for Cyber Security awareness month we are going to go through the 20 critical controls.  Because there are 20 controls we have decided that we will publish controls during the week days and a summary, expansion and/or some guest diaries on the weekends. So the schedule for the month looks roughly as follows:

  1 & 2/10 introduction 

  oct 3  Critical Control 1: Inventory of Authorized and Unauthorized Devices
  oct 4  Critical Control 2: Inventory of Authorized and Unauthorized Software
  oct 5  Critical Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
  oct 6  Critical Control 4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  oct 7  Critical Control 5: Boundary Defense

  8 & 9/10 Summary/free form/tie in/elaboration/Guest diary 

  oct 10  Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
  oct 11  Critical Control 7: Application Software Security
  oct 12  Critical Control 8: Controlled Use of Administrative Privileges
  oct 13  Critical Control 9: Controlled Access Based on the Need to Know
  oct 14  Critical Control 10: Continuous Vulnerability Assessment and Remediation

  15 & 16/10 Summary/free form/tie in/elaboration/Guest diary

  oct 17  Critical Control 11: Account Monitoring and Control
  oct 18  Critical Control 12: Malware Defenses 
  oct 19  Critical Control 13: Limitation and Control of Network Ports, Protocols, and Services
  oct 20  Critical Control 14: Wireless Device Control
  oct 21  Critical Control 15: Data Loss Prevention


  22 & 23/10 Summary/free form/tie in/elaboration/Guest diary

The following sections identify additional controls that are important but cannot be fully automatically or continuously monitored to the same degree as the controls covered earlier in this document.

  oct 24  Critical Control 16: Secure Network Engineering
  oct 25  Critical Control 17: Penetration Tests and Red Team Exercises
  oct 26  Critical Control 18: Incident Response Capability
  oct 27  Critical Control 19: Data Recovery Capability
  oct 28  Critical Control 20: Security Skills Assessment and Appropriate Training to Fill Gaps


  29 &30 /10 Summary/free form/tie in/elaboration/Guest diary

  31 Overview of the month.

 If you click on the link you will be taken to the appropriate control. Each control is divided into several sections.

• How do attackers exploit the control,
• how can it be implemented, automated and measured,
• Links to NIST and other documents, procedures and tools for implementing and automating the control.
• Example metrics and Example tests