
Information security is a vast field and it can be difficult to determine where your efforts will do the most good. Even when controls are implemented it is often difficult to determine whether they are working as expected or whether they are achieving their objective. The 20 Critical Controls have been built to provide guidance and to address those areas that will improve the overall security of the organisation. They won't solve all your problems, but they have the potential to solve many of them.
The controls were built by a wide group of professionals and were designed with some guiding principles in place:

Defenses should address the attacks that are actually occurring today.
Automated - We all have limited resources, and by automating tasks we can achieve more.
Root Causes - The controls attempt to fix the root cause of the issue resulting in a compromise.
Metrics - A mechanism by which the effectiveness can be measured.

The controls are divided into two groups. Controls 1 through 15 can be automated; controls 16 through 20 are broader and typically cannot be fully automated. The idea behind the implementation is certainly not to start with control 1 and work your way up to control 20. The controls are designed to be implemented on their own merit and based on the risk profile of the organisation. Some of the controls overlap a little. For example, if you are implementing Control 11, Account Monitoring and Control, then you will likely have touched most if not all aspects of Control 8. The idea is to look at the controls and what they can achieve, and implement those that will do your organisation good first, before working on the others. If you decide that some do not apply in your organisation, then that is also fine. So please do not get stuck on thinking you have to implement control 1 before 2, etc. Implement those you can; it will be one more control than is currently being done and will therefore help.

Each control has some quick wins that will help you get over the line quickly, but if you already have those in place there is the advanced component, something to aim for in future plans. When implementing the controls, make sure you do not skimp on the metrics or audit component of the control. Knowing whether a control is functioning as expected is almost as valuable as having it in place in the first place. Regarding the metrics, each control will have a suggested time period, e.g. check every 24 hours or have a detection target of x hours. Again, this is a guide: aiming for the suggested time is the idea, but if you can only check for new devices once per week, that is not ideal, yet still better than what is likely being done right now.
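To make the metrics point concrete, here is an added example (not code from the diary or from the 20 Critical Controls document) in the spirit of Control 1: it compares a list of devices seen on the network against an authorized inventory, flags anything not in the inventory, and reports how long each unauthorized device was present before the check caught it, judged against a detection target. The inventory, the discovery records and the 24-hour target are constructed for the illustration; running the same check daily and weekly shows why the check interval is the metric that matters.

```python
"""Control 1 style check: compare discovered hosts against an authorized
inventory and measure time-to-detect against a target window.

Added illustration only. The inventory, discovery log and target are
constructed sample data, not taken from the diary or the 20CC document.
"""
from datetime import datetime, timedelta

# Constructed authorized inventory: MAC address -> asset name.
AUTHORIZED = {
    "00:11:22:33:44:01": "ws-fin-01",
    "00:11:22:33:44:02": "ws-fin-02",
    "00:11:22:33:44:10": "srv-file-01",
}

# Constructed discovery log: (first seen, MAC, IP), as a passive listener
# or an active scanner might record it.
DISCOVERED = [
    ("2011-10-01 08:05", "00:11:22:33:44:01", "10.0.5.21"),
    ("2011-10-01 08:07", "00:11:22:33:44:02", "10.0.5.22"),
    ("2011-10-01 09:40", "00:11:22:33:44:10", "10.0.5.5"),
    ("2011-10-02 14:15", "aa:bb:cc:dd:ee:ff", "10.0.5.77"),  # not in inventory
]


def parse_ts(text):
    """Parse the 'YYYY-MM-DD HH:MM' timestamps used in the constructed log."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def find_unauthorized(authorized, discovered):
    """Return (first_seen, mac, ip) for devices seen but absent from the inventory."""
    return [(parse_ts(ts), mac, ip) for ts, mac, ip in discovered
            if mac not in authorized]


def evaluate(authorized, discovered, checked_at, target=timedelta(hours=24)):
    """Produce the metric the control asks for: each unauthorized device, the
    time between its first appearance and this check, and whether that time
    is inside the detection target."""
    results = []
    for first_seen, mac, ip in find_unauthorized(authorized, discovered):
        latency = checked_at - first_seen
        results.append({
            "mac": mac,
            "ip": ip,
            "first_seen": first_seen,
            "hours_to_detect": round(latency.total_seconds() / 3600, 1),
            "within_target": latency <= target,
        })
    return results


if __name__ == "__main__":
    # Daily check the morning after the device appeared versus a weekly check.
    for when in ("2011-10-03 09:00", "2011-10-10 09:00"):
        print(f"check at {when}:")
        for r in evaluate(AUTHORIZED, DISCOVERED, parse_ts(when)):
            status = "OK" if r["within_target"] else "MISSED TARGET"
            print(f"  {r['mac']} {r['ip']} present {r['hours_to_detect']}h "
                  f"before detection [{status}]")
```

The same unauthorized device is found either way; what changes between the daily and the weekly run is the measured time-to-detect, which is exactly the number you would report for the control rather than a simple "inventory check: done".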

Over the next few weeks, we'll go through the controls and outline what has worked for us. As always we'd like you all to contribute via comments or the contact forms.


Mark

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
This year for Cyber Security Awareness Month we are going to go through the 20 Critical Controls. Because there are 20 controls, we have decided to publish the controls on weekdays and a summary, expansion and/or some guest diaries on the weekends. So the schedule for the month looks roughly as follows:

oct 1-2 Introduction

oct 3 Critical Control 1: Inventory of Authorized and Unauthorized Devices
oct 4 Critical Control 2: Inventory of Authorized and Unauthorized Software
oct 5 Critical Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
oct 6 Critical Control 4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
oct 7 Critical Control 5: Boundary Defense

oct 8-9 Summary/free form/tie in/elaboration/Guest diary

oct 10 Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
oct 11 Critical Control 7: Application Software Security
oct 12 Critical Control 8: Controlled Use of Administrative Privileges
oct 13 Critical Control 9: Controlled Access Based on the Need to Know
oct 14 Critical Control 10: Continuous Vulnerability Assessment and Remediation

oct 15-16 Summary/free form/tie in/elaboration/Guest diary

oct 17 Critical Control 11: Account Monitoring and Control
oct 18 Critical Control 12: Malware Defenses
oct 19 Critical Control 13: Limitation and Control of Network Ports, Protocols, and Services
oct 20 Critical Control 14: Wireless Device Control
oct 21 Critical Control 15: Data Loss Prevention

oct 22-23 Summary/free form/tie in/elaboration/Guest diary

The following sections identify additional controls that are important but cannot be fully automatically or continuously monitored to the same degree as the controls covered earlier in this document.

oct 24 Critical Control 16: Secure Network Engineering
oct 25 Critical Control 17: Penetration Tests and Red Team Exercises
oct 26 Critical Control 18: Incident Response Capability
oct 27 Critical Control 19: Data Recovery Capability
oct 28 Critical Control 20: Security Skills Assessment and Appropriate Training to Fill Gaps

oct 29-30 Summary/free form/tie in/elaboration/Guest diary

oct 31 Overview of the month.

If you click on a link above you will be taken to the appropriate control. Each control is divided into several sections:

How do attackers exploit the control,
How can it be implemented, automated and measured,
Links to NIST and other documents, procedures and tools for implementing and automating the control,
Example metrics and example tests.
