Last Updated: 2011-10-02 04:27:18 UTC
by Mark Hofman (Version: 1)
Information security is a vast field and it can be difficult to determine where your efforts will do the most good. Even once controls are implemented it is often difficult to determine whether they are working as expected or achieving their objective. The 20 Critical Controls were built to provide guidance and to address the areas that will improve the overall security of the organisation. They won't solve all your problems, but they have the potential to solve many of them.
The controls were built by a wide group of professionals and were designed with some guiding principles in place.
- Offense informs defense - Defenses should address the attacks that are actually occurring today.
- Automation - We all have limited resources, and by automating tasks we can achieve more.
- Root causes - The controls attempt to fix the root cause of the issue that results in a compromise, not just its symptoms.
- Metrics - Each control comes with a mechanism by which its effectiveness can be measured.
The controls are divided into two groups. Controls 1 through 15 can be automated; controls 16 through 20 are broader and typically cannot be fully automated. The idea behind the implementation is certainly not to start with control 1 and work your way up to control 20. The controls are designed to be implemented on their own merit and based on the risk profile of the organisation. Some of the controls overlap a little. For example, if you are implementing control 11 "Account Monitoring and Control" then you will likely have touched most, if not all, aspects of control 8 "Controlled Use of Administrative Privileges". The idea is to look at the controls and what they can achieve, and implement those that will do your organisation the most good first, before working on the others. If you decide that some do not apply in your organisation, then that is also fine. So please do not get stuck thinking you have to implement control 1 before control 2, and so on. Implement those you can: each one is one more control than is in place today, and will therefore help.
Each control has some quick wins that will help you get over the line quickly, and for those who already have the basics in place there is an advanced component, something to aim for in future plans. When implementing the controls, make sure you do not skimp on the metrics or audit component of the control. Knowing whether a control is functioning as expected is almost as valuable as having it in place in the first place. Regarding the metrics, each control has a suggested time period, e.g. check every 24 hours, or have a detection target of x hours. Again, this is a guide. Aiming for the suggested time is the idea, but if you can only check for new devices once per week, that is not ideal, yet it is still better than what is likely being done right now.
Over the next few weeks, we'll go through the controls and outline what has worked for us. As always we'd like you all to contribute via comments or the contact forms.
Last Updated: 2011-10-02 02:51:43 UTC
by Mark Hofman (Version: 1)
This year for Cyber Security Awareness Month we are going to go through the 20 Critical Controls. Because there are 20 controls, we have decided to publish one control per weekday, with a summary, expansion and/or some guest diaries on the weekends. The schedule for the month looks roughly as follows:
Oct 1 & 2: Introduction
Oct 3: Critical Control 1: Inventory of Authorized and Unauthorized Devices
Oct 4: Critical Control 2: Inventory of Authorized and Unauthorized Software
Oct 5: Critical Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
Oct 6: Critical Control 4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
Oct 7: Critical Control 5: Boundary Defense
Oct 8 & 9: Summary/free form/tie-in/elaboration/guest diary
Oct 10: Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
Oct 11: Critical Control 7: Application Software Security
Oct 12: Critical Control 8: Controlled Use of Administrative Privileges
Oct 13: Critical Control 9: Controlled Access Based on the Need to Know
Oct 14: Critical Control 10: Continuous Vulnerability Assessment and Remediation
Oct 15 & 16: Summary/free form/tie-in/elaboration/guest diary
Oct 17: Critical Control 11: Account Monitoring and Control
Oct 18: Critical Control 12: Malware Defenses
Oct 19: Critical Control 13: Limitation and Control of Network Ports, Protocols, and Services
Oct 20: Critical Control 14: Wireless Device Control
Oct 21: Critical Control 15: Data Loss Prevention
Oct 22 & 23: Summary/free form/tie-in/elaboration/guest diary
The following sections identify additional controls that are important but cannot be fully automatically or continuously monitored to the same degree as the controls covered earlier in this document.
Oct 24: Critical Control 16: Secure Network Engineering
Oct 25: Critical Control 17: Penetration Tests and Red Team Exercises
Oct 26: Critical Control 18: Incident Response Capability
Oct 27: Critical Control 19: Data Recovery Capability
Oct 28: Critical Control 20: Security Skills Assessment and Appropriate Training to Fill Gaps
Oct 29 & 30: Summary/free form/tie-in/elaboration/guest diary
Oct 31: Overview of the month
If you click on a link you will be taken to the appropriate control. Each control is divided into several sections:
- How attackers exploit the absence of the control
- How the control can be implemented, automated and measured
- Links to NIST and other documents, procedures and tools for implementing and automating the control
- Example metrics and example tests