
SANS ISC InfoSec Handlers Diary Blog



Cyber Security Awareness Month Day 1/2 - Introduction to the controls

Published: 2011-10-02
Last Updated: 2011-10-02 04:27:18 UTC
by Mark Hofman (Version: 1)

Information security is a vast field and it can be difficult to determine where your efforts will do the most good. Even when controls are implemented, it is often difficult to determine whether they are working as expected or achieving their objective. The 20 critical controls have been built to provide guidance and address the areas that will improve the overall security of the organisation. They won't solve all your problems, but they have the potential to solve many of them.

The controls were built by a wide group of professionals and were designed with some guiding principles in place.

  • Defenses - should address the attacks that are actually occurring today.
  • Automated - we all have limited resources, and by automating tasks we can achieve more.
  • Root Causes - the controls attempt to fix the root cause of the issue resulting in a compromise.
  • Metrics - a mechanism by which the effectiveness of each control can be measured.

http://www.sans.org/critical-security-controls/guidelines.php

The controls are divided into two groups. Controls 1 through 15 can be automated; controls 16 through 20 are broader and typically cannot be fully automated. The idea behind the implementation is certainly not to start with control 1 and work your way up to control 20. The controls are designed to be implemented on their own merit and based on the risk profile of the organisation. Some of the controls overlap a little. For example, if you are implementing control 11 "Account Monitoring and Control", then you will likely have touched most if not all aspects of control 8. The idea is to look at the controls and what they can achieve, and implement those that will do your organisation the most good first, before working on the others. If you decide that some do not apply in your organisation, then that is also fine. So please do not get stuck on thinking you have to implement control 1 before 2, etc. Implement those you can; each one will be one more control than is currently being done and will therefore help.

Each control will have some quick wins that will help you get over the line quickly, but if you already have those in place, there is the advanced component: something to aim for in future plans. When implementing the controls, make sure you do not skimp on the metrics or audit component of the control. Knowing whether a control is functioning as expected is almost as valuable as having it in place in the first place. Regarding the metrics, each control will have a suggested time period, e.g. check every 24 hours or have a detection target of x hours. Again, this is a guide: aiming for the suggested time is the idea, but if you can only check for new devices once per week, that is not ideal, yet still better than what is likely being done right now.

Over the next few weeks, we'll go through the controls and outline what has worked for us. As always we'd like you all to contribute via comments or the contact forms.

Regards

Mark


Cyber Security Awareness Month Day 1/2 - Schedule

Published: 2011-10-02
Last Updated: 2011-10-02 02:51:43 UTC
by Mark Hofman (Version: 1)

This year for Cyber Security Awareness Month we are going to go through the 20 critical controls. Because there are 20 controls, we have decided to publish one control per weekday and a summary, expansion and/or some guest diaries on the weekends. So the schedule for the month looks roughly as follows:

  oct 1 & 2  Introduction
  oct 3  Critical Control 1: Inventory of Authorized and Unauthorized Devices
  oct 4  Critical Control 2: Inventory of Authorized and Unauthorized Software
  oct 5  Critical Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
  oct 6  Critical Control 4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  oct 7  Critical Control 5: Boundary Defense

  oct 8 & 9  Summary/free form/tie in/elaboration/Guest diary

  oct 10  Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
  oct 11  Critical Control 7: Application Software Security
  oct 12  Critical Control 8: Controlled Use of Administrative Privileges
  oct 13  Critical Control 9: Controlled Access Based on the Need to Know
  oct 14  Critical Control 10: Continuous Vulnerability Assessment and Remediation

  oct 15 & 16  Summary/free form/tie in/elaboration/Guest diary

  oct 17  Critical Control 11: Account Monitoring and Control
  oct 18  Critical Control 12: Malware Defenses 
  oct 19  Critical Control 13: Limitation and Control of Network Ports, Protocols, and Services
  oct 20  Critical Control 14: Wireless Device Control
  oct 21  Critical Control 15: Data Loss Prevention

  oct 22 & 23  Summary/free form/tie in/elaboration/Guest diary

The following sections identify additional controls that are important but cannot be fully automated or continuously monitored to the same degree as the controls covered earlier.

  oct 24  Critical Control 16: Secure Network Engineering
  oct 25  Critical Control 17: Penetration Tests and Red Team Exercises
  oct 26  Critical Control 18: Incident Response Capability
  oct 27  Critical Control 19: Data Recovery Capability
  oct 28  Critical Control 20: Security Skills Assessment and Appropriate Training to Fill Gaps

  oct 29 & 30  Summary/free form/tie in/elaboration/Guest diary

  oct 31  Overview of the month.

If you click on the link for a control, you will be taken to the appropriate control. Each control is divided into several sections:

  • How attackers exploit the absence of the control,
  • how it can be implemented, automated and measured,
  • links to NIST and other documents, procedures and tools for implementing and automating the control,
  • example metrics and example tests.
