Master These Critical Security Controls Without Breaking the Bank

Getting good cybersecurity advice can get expensive, but one of the best places to begin FOR FREE is the fundamental guidelines put out by the SANS Institute along with the Center for Internet Security (CIS). This partnership between SANS and CIS, whose headquarters is located locally in East Greenbush, was formed with a shared mission to ensure that organizations have strong protective security and improved cybersecurity readiness in the face of an attack. SANS is one of the top players and training institutions in cybersecurity, and their “Top 20” Critical Security Controls is a great place to start for affordable cybersecurity plans. There is a lot to these steps, so we’re going to run down these affordable cybersecurity steps in smaller groups over the next few weeks, explaining how you can take them to make your company more cybersecure without breaking the bank.


  1. Inventory of authorized and unauthorized devices – Actively manage (inventory, track & correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized & unmanaged devices are found and prevented from gaining access.

Hackers are constantly searching for vulnerable devices entering a company’s network. If new hardware is installed in the afternoon but not updated with proper security measures until the next morning, that is a hole that hackers can take advantage of. They search for devices that come and go on the network, which has become quite common because so many people bring in their own devices from home to do their work. These outside devices could already be compromised before they are connected to the network, which is why it’s important to know what is being connected to your network. To fulfill this security control you should use an automated asset inventory discovery tool to create an inventory of the devices on your network.

Long story short: Manage and monitor all devices on your network to look out for things that don’t belong, and make sure this constantly stays up to date.


  2. Inventory of authorized and unauthorized software – Actively manage (inventory, track & correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized & unmanaged software is found and prevented from installation or execution.

Without knowledge of and control over the software being used in an organization, companies cannot properly secure their assets. Hackers are always searching for vulnerable software versions in use at organizations that can be used to infiltrate a company’s network. Hackers can also compromise devices on your network by deploying malicious web pages, documents, or media files onto the web and luring an employee to click on the content. To make sure nothing malicious enters your system we advise that you create a list of authorized software, along with the most up-to-date version of that software, for every kind of system on the network. This list should be monitored so that newly released versions are noticed and applied.

Long story short: Only give administrative access to people who need it, and create a list of applications that are authorized to be downloaded.


  3. Secure configurations for hardware and software on mobile devices, laptops, workstations and servers – Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

The preset configurations for operating systems and applications are not usually built with an emphasis on security. Devices left at their defaults are very exploitable, which means it’s up to you to find a way to secure their configurations. However, doing this is a very complex task and is difficult for most individuals to do. This is where someone like us can be an extremely helpful asset to you. With our IT expertise we can help you create secure configurations and manage those configurations when they need to be updated or patched.

Long story short: Come to an expert (like Groff NetWorks) if you have a difficult time with this step, but look into security configuration management, secure the configurations, and make sure your vendors meet your requirements as well.


  4. Continuous vulnerability assessment and remediation – Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, & minimize the window of opportunity for attackers.

When information gets released about vulnerabilities, hackers receive the same information we do. They become aware of where the flaw is and immediately make plans to exploit that weakness at organizations that have not yet updated their systems. For this reason, it is of the utmost importance that you keep your eyes peeled for new flaws being reported and regularly scan for vulnerabilities. This, again, is something Groff NetWorks can help you with. We can run vulnerability scanning tools against all your systems to see if there are vulnerabilities present and which vulnerabilities are the most critical.

Long story short: Have an effective vulnerability assessment, and constantly scan for new vulnerabilities.


  5. Controlled use of administrative privileges – The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.

Misusing administrative privileges is a primary method for hackers to infiltrate an organization. If a privileged administrative user is not properly using his/her workstation (surfing the web, downloading content that is not work related), they are much more likely to fall victim to a malicious link or other forms of malware. From there hackers can install keystroke loggers, sniffers, or remote control software to find sensitive business data. To satisfy this step you should make sure that all administrator-level passwords are unique and complex. You can look at our previous blog on how to create strong passwords. Passwords should be different from one another as well; that way, if a hacker cracks one of your passwords they don’t have access to your whole infrastructure. You can use automated tools to keep an inventory of all the administrative accounts and validate that each account has been authorized. You can also block remote and local access to a machine for administrator-level accounts.

Long story short: Limit administrative power only to those who need it, make sure they are educated on what phishing attacks or malware look like, and have strong complex passwords.
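An added example (not from the original post, and not a Groff NetWorks tool) of the “inventory, track & correct” idea behind controls 1 and 5 in code: devices discovered on the network are reconciled against an authorized hardware list by MAC address, and local Administrators group membership is reconciled against an approved list. The ARP-style dump, the inventory and the group membership are constructed samples, and the hostnames and account names are made up.

```python
import re

# Constructed sample in the style of an ARP / neighbour-table dump (Control 1 discovery).
ARP_DUMP = """\
192.168.10.5   00:11:22:33:44:55  ether  FILE-SRV-01
192.168.10.23  aa:bb:cc:dd:ee:01  ether  LAPTOP-JSMITH
192.168.10.77  de:ad:be:ef:00:42  ether  (unknown)
"""

# Constructed authorized hardware inventory keyed by MAC address.
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:55": "FILE-SRV-01",
    "aa:bb:cc:dd:ee:01": "LAPTOP-JSMITH",
    "aa:bb:cc:dd:ee:02": "LAPTOP-RJONES",  # authorized but not seen right now
}

LINE_RE = re.compile(r"^(\S+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+\S+\s+(\S+)", re.I)

def parse_arp(dump):
    """Return {mac: (ip, name)} from the dump; lines that do not parse are skipped."""
    seen = {}
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, mac, name = m.groups()
            seen[mac.lower()] = (ip, name)
    return seen

def reconcile(seen, authorized):
    """Split identifiers into authorized, unauthorized (seen but unlisted) and missing (listed but not seen)."""
    seen_ids, auth_ids = set(seen), set(authorized)
    return {
        "unauthorized": sorted(seen_ids - auth_ids),
        "missing": sorted(auth_ids - seen_ids),
        "authorized": sorted(seen_ids & auth_ids),
    }

# Constructed sample: members of the local Administrators group per host (Control 5).
ADMIN_GROUP_MEMBERS = {"FILE-SRV-01": ["Administrator", "svc_backup", "jsmith"]}
APPROVED_ADMINS = {"Administrator", "svc_backup"}

def audit_admins(members_by_host, approved):
    """Return {host: [accounts holding admin rights that were never authorized]}."""
    return {host: sorted(set(m) - approved) for host, m in members_by_host.items()
            if set(m) - approved}

if __name__ == "__main__":
    print(reconcile(parse_arp(ARP_DUMP), AUTHORIZED_DEVICES))
    print(audit_admins(ADMIN_GROUP_MEMBERS, APPROVED_ADMINS))
```

The “unauthorized” and “missing” lists are what a real inventory tool should raise as alerts; the same reconcile step works for a software allowlist (control 2) if the identifiers are package names and versions.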


A lot of these steps may sound complicated to someone who isn’t an expert in the IT field, and honestly a lot of this stuff is. There’s no shame in admitting you don’t fully understand. If you don’t, it’s better to reach out for help than to do it incorrectly and hurt your business. You can contact Groff NetWorks anytime on our website or by calling our number 518-320-8906. More blogs on the SANS 20 Critical Security Controls are on the way, so stay tuned.



Groff NetWorks provides IT support and managed services for Troy, Albany, and Schenectady businesses at a price that doesn’t break the bank.