As a cyber security expert, one of the questions I often receive is what are the twenty critical controls? Details can be found at www.sans.org/cag but the general approach of the controls, and becoming a cyber security expert, is to begin the process of establishing the prioritized baseline of information security measures and controls that will lead to effective security. The consensus effort that has produced the controls has identified 20 specific technical security controls that are viewed as effective at defending against the most common methods of attack. Fifteen of these controls can be monitored, at least in part, automatically and continuously. The consensus effort has also identified a second set of five controls that are essential but that are more difficult to be monitored continuously or automatically with current technology and practices; however they are critical to achieving an optimal level of security. Each of the 20 control areas includes multiple individual sub-controls, each specifying actions an organization can take to help improve its Defences and become a cyber security expert.
The 20 critical controls to becoming a cyber security expert are:
1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4: Secure Configurations of Network Devices Such as Firewalls, Routers, and Switches
5: Boundary Defense
6: Maintenance and Analysis of Security Audit Logs
7: Application Software Security
8: Controlled Use of Administrative Privileges
9: Controlled Access Based On Need to Know
10: Continuous Vulnerability Assessment and Remediation
11: Account Monitoring and Control
12: Malware Defenses
13: Limitation and Control of Network Ports, Protocols, and Services
14: Wireless Device Control
15: Data Loss Prevention
16. Secure Network Engineering
17. Penetration Tests and Red Team Exercises
18. Incident Response Capability
19. Data Recovery Capability
Cyber Security Expert Skills Assessment and Training to Fill Gaps
Additionally, the controls are designed to support agencies and organizations that currently have different levels of information security capabilities, but are striving to become a cyber security expert. To help organizations focus on achieving a sound baseline of security and then improve beyond that baseline, certain subcontrols have been categorized as follows:
- Quick Wins: These fundamental aspects of information security can help an organization rapidly improve its security stance generally without major procedural, architectural, or technical changes to its environment. It should be noted, however, that a Quick Win does not necessarily mean that these subcontrols provide comprehensive protection against the most critical attacks. If they did provide such protection, there would be no need for any other type of subcontrol. The intent of identifying Quick Win areas is to highlight where security can be improved rapidly, driving you towards becoming a cyber security expert.
- Improved Visibility and Attribution: These subcontrols focus on improving the process, architecture, and technical capabilities of organizations so that the organization can monitor their networks and computer systems, gaining better visibility into their IT operations. Attribution is associated with determining which computer systems, and potentially which users, are generating specific events. Such improved visibility and attribution support organizations in detecting attack attempts, locating the points of entry for successful attacks, identifying already-compromised machines, interrupting infiltrated attackers’ activities, and gaining information about the sources of an attack. In other words, these controls help to increase an organization’s situational awareness of their environment and ability to be a cyber security expert.
- Hardened Configuration and Improved Information Security Hygiene: These aspects of various controls are designed to improve the information security stance of an organization by reducing the number and magnitude of potential security vulnerabilities as well as improving the operations of networked computer systems. This type of control focuses on protecting against poor security practices by system administrators and end users that could give an adversary an advantage in attacking target systems. Control guidelines in this category are formulated with the understanding that a well-managed network is typically a much harder target for computer attackers to exploit.
- Advanced: These items are designed to further improve the security of an organization beyond the other three categories. Organizations already following all of the other controls should focus on this category.
For additional details on the controls, please go to www.sans.org/cag. Portions of the above are taken from version 2.0 of The Twenty Critical Controls.
You can also follow Dr. Eric Cole on twitter at drericcole or email firstname.lastname@example.org with any questions.