20 Critical Security Controls for MSPs

Today’s threats use multiple vectors to attack, from malicious email attachments to infected web ads to phishing sites. Criminals combine a range of threat technologies, deployed in numerous stages to infect computers and networks. This blended approach increases the likelihood of success, the speed of contagion, and the severity of damage.

The only way to keep your clients safe is through an ecosystem of layered security that covers any gaps or vulnerabilities across endpoint protection, application protection, network protection, and end user controls.

This checklist of 20 critical security controls1 shows what measures you and your clients need to implement for an effective security posture.

1. Device inventory

Determine which devices are being used, as well as where, how, and by whom.

2. Software inventory

Determine which applications are being used, as well as where, how, and by whom.

3. Secure configuration for hardware and software

Shore up all settings on mobile devices, laptops, work stations and servers.

4. Vulnerability assessment and remediation

Use automated utilities to regularly (and continuously) scan for vulnerabilities.

5. Controlled use of administrative privileges

Maintain an inventory of administrative accounts, change all default passwords, and enable 2-factor authentication.

6. Maintenance, monitoring, and analysis of audit logs

Activate audit logging and consider deploying a security information and event management (SIEM) or log analysis tool for correlation.

7. Email and web browser protections

Make sure only fully supported email clients and web browsers are in use, disable unnecessary/unauthorized plugins, and limit use of scripting languages.

8. Malware defenses

Use automated, next-gen tools to continuously monitor and protect endpoint computers, servers, and mobile devices with antivirus, antimalware, personal firewalls, etc.

9. Control of network ports, protocols, and services

Perform regular automated port scans and ensure only approved ports, protocols, and services are running.

10. Data recovery

Make sure your clients have regular, automated, encrypted backups and full system backups, and be sure to test them often.

11. Secure configuration for network devices

Check all firewalls, routers, and switches, update firmware, change default passwords, etc.

12. Boundary defense

Take and maintain an up-to-date inventory of all the network boundaries, scan for unauthorized connections, and block communications with malicious IPs.

13. Data protection

Make sure end users don’t (or can’t) send sensitive or critical information outside the corporate network.

14. Controlled access

Review and re-review access permissions based on the “need to know”.

15. Wireless access control

Encrypt wireless traffic, ensure all wireless access points are manageable using management tools, and configure scanning tools to detect wireless access points.

16. Account monitoring and control

Ensure all accounts have an expiration date, disable dormant accounts, and monitor attempts to access deactivated accounts.

17. Security skills assessment and training

Understand any skills shortages and implement appropriate training to fill the gaps.

18. Application software security

Ensure sure all applications are up to date, patched, hardened, and encrypted (where applicable).

19. Incident response and management

Develop incident response processes, keep up-to-date documentation, and make sure all personnel understand their duties for incident response.

20. Penetration tests and Red Team exercises

Develop a penetration test program that includes a full scope of blended attacks.

1 Center for Internet Security Critical Security Controls for Effective Cyber Defense, version 7.1 (April 2019)

Webroot Can Help

Start a free 30-day, no-risk, no-software-conflict trial today to see the Webroot difference for yourself. Have other questions? Ask away.