Recent changes to the 20 critical controls

Recent Changes to the 20 Critical Controls:
Updates and Philosophies (v.3)

James Tarala, Enclave Security

Information Security Standards
• Presently there are a number of information
security standards available
• But, there are too many to choose from:
– Individual Corporate / Agency Standards
– NIST 800-53 / 800-53 A
– FISMA / DIACAP
– HIPAA / SOX / GLBA
– PCI / NERC / CIP
– 20 Critical Controls / Consensus Audit Guidelines

The Consensus Audit Guidelines © Enclave Security 2010

One Option: 20 Critical Controls
• Developed at a tool for organizations
responsible for NIST 800-53
• Priorities for which controls will make the
most impact to stop dedicated attackers
• Written in response to compromised US
government agencies & contractors
• Collaborative effort by over 100 different
government, military, & civilian experts


CSIS & The SANS Institute
• The controls are a collaboration between the Center
for Strategic & International Studies, the SANS
Institute & other entities
• CSIS began engaging cyber security issues at the
beginning of the Obama administration
• Updates to the controls are a collaboration between
individuals at each of these groups

Recent Changes to the 20 Critical Controls © Enclave Security 2011

Project Guiding Principles
• Defenses should focus on
addressing the most common
and damaging attack activities
occurring today, and those
anticipated in the near future.
• Enterprise environments must
ensure consistent controls across
an enterprise to effectively
negate attacks.


Project Guiding Principles (2)
• Defenses should be automated
where possible, and periodically or
continuously measured using
automated measurement techniques
where feasible.
• To address current attacks occurring
on a frequent basis against numerous
organizations, a variety of specific
technical activities should be
undertaken to produce a more
consistent defense.


Project Guiding Principles (3)
• Root cause problems must be
fixed in order to ensure the
prevention or timely detection of
attacks.
• Metrics should be established
that facilitate common ground
for measuring the effectiveness
of security measures, providing a
common language to
communicate about risk.


Why are the Controls Important?
• Cyber security is complex and becoming even
more complicated every day
• Organizations are being compromised, even after
spending large portions of their budget on
infosec
• CIOs & CISOs need prioritized controls to get the
most return from their investment
• More controls rarely hurt, but how do we decide
which controls to start with?
• It’s critical that we have priorities!


Why are the Controls Important? (2)
• We need agreement between:
– Inspector Generals (IGs – auditors)
– Operations (sys-admins)
– Security Engineers
• We need metrics and measurements that
everyone can agree to use
• We need to stop people from violating
systems & compromising the C-I-A of our data


Categories of Sub-Controls
• Quick Wins (QW)
• Improved Visibility and
Attribution (Vis/Attrib)
• Hardened Configuration
and Improved Information
Security Hygiene
(Config/Hygiene)
• Advanced (Adv)


Document Contributors
• Blue team members inside the Department of Defense
• Blue team members who provide services for non-DoD
government agencies
• Red & blue teams at the US National Security Agency
• US-CERT and other non-military incident response
teams
• DoD Cyber Crime Center (DC3)
• Military investigators who fight cyber crime
• The FBI and other police organizations
• US Department of Energy laboratories


Document Contributors (2)
• US Department of State
• Army Research Laboratory
• US Department of Homeland Security
• DoD and private forensics experts
• Red team members in DoD
• The SANS Institute
• Civilian penetration testers
• Federal CIOs and CISOs
• Plus over 100 other collaborators


Revision History
• Version 1.0 – Original rough draft of controls
• Version 2.0 – Major revision of sub controls
based on community & agency feedback
• Version 2.1 – Minor revision of sub controls
based on community & agency feedback
• Version 2.3 – Addition of metrics & core
evaluation methodologies
• Version 3.0 – Minor revision of sub controls &
addition of standards mappings & sensors
• Version 3.1 – Reordering of controls based on
priority of controls


Updates to Version 3.0
In this version the following updates were
performed:
– Minor updates to sub controls based on threat
assessments & feedback
– Re-classification of controls
– Addition of mappings to additional standards
(Australian DSD, NSA MNP & ISO 27000)
– Addition of sensors for automated data collection


Edits to Sub Controls
• A number of controls were either added or
removed from the controls based on current
threats
• For example:
– “All remote administration of servers, workstation,
network devices, and similar equipment shall be
done over secure channels (control 3).”
– “Network-based IPS devices should be deployed
to compliment IDS by blocking known bad
signature or behavior of attacks (control 5).”


Re-Classification of Controls
• In addition to new or edited sub controls,
many of the controls were re-classified
• In most cases controls were lowered from
“Advanced” to “Config-Hygiene” or “Vis-
Attrib”
• For example in Control 6:
– “Organizations should deploy a SEIM system tool
for log aggregation and consolidation from
multiple machines and for log correlation and
analysis.”


Addition of “Sensors”
• Sensors = Tools to measure the effectiveness of
the implementation of a control
• For example in Control 3:
– Sensor: File integrity software
– Measurement: File integrity monitoring software is
deployed on servers as a part of the base
configuration. Centralized solutions are preferred over
stand-alone solutions.
– Score: 50 percent awarded for using a solution with a
central monitoring/reporting component. The
remaining 50 percent is based on the percentage of
servers on which the solution is deployed.


US Dept of State iPost
• Used to protect OpenNet, the DoS Sensitive But
Unclassified (SBU) network
• Consists of 5,000 routers and switches, and more
than 40,000 hosts
• The Risk Scoring program at DoS evolved in three
separate stages.
– Deployment of Enterprise management tools
– Delivery of operational data to the field in an
integrated application, iPost
– Establishment of a risk scoring program


Sample iPost Reporting


iPost Data Feeds


Additional Standards Mapping
• In version 3.0 and later additional mappings
were added between the 20 CC and other
industry or government standards
• Specifically now the control are mapped to:
– NIST 800-53
– US NSA Manageable Network Plan (MNP)
– Australian DSD Top 35 Mitigation Strategies
– ISO 27000 Series


Updates to Version 3.1
• In this version the following updates were
performed:
– A great deal of feedback on the controls was
gathered on the experiences of the Australian DSD
– The 20 Controls were reordered based on
priorities, value of each control & risk levels


Australian Top 35
• Australian Top 35 Mitigation Strategies, Australian
Department of Defence
• Defensive controls to block over 85% of attacks
directed against their systems
• The Top 35 Mitigation Strategies are ranked in order
of overall effectiveness
• Rankings are based on DSD’s analysis of reported
security incidents and vulnerabilities detected by
DSD
http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm


New Prioritized Control Order
1. Inventory of Authorized 6. Application Software
and Unauthorized Devices Security
2. Inventory of Authorized 7. Wireless Device Control
and Unauthorized 8. Data Recovery Capability
Software (validated manually)
3. Secure Configurations for 9. Security Skills Assessment
Hardware and Software on and Appropriate Training
Laptops, Workstations, to Fill Gaps (validated
and Servers manually)
4. Continuous Vulnerability 10. Secure Configurations for
Assessment and Network Devices such as
Remediation Firewalls, Routers, and
5. Malware Defenses Switches


New Prioritized Control Order (2)
11. Limitation and Control of 16. Account Monitoring and
Network Ports, Protocols, Control
and Services 17. Data Loss Prevention
12. Controlled Use of 18. Incident Response
Administrative Privileges Capability (validated
13. Boundary Defense manually)
14. Maintenance, Monitoring, 19. Secure Network
and Analysis of Security Engineering (validated
Audit Logs manually)
15. Controlled Access Based on 20. Penetration Tests and Red
the Need to Know Team Exercises (validated
manually)


Other Projects to Watch
• Security Content Automation Protocol (SCAP)
• Continuous Monitoring Efforts
– NASA
– CyberScope & FISMA Reporting
– US Office of Management & Budget (OMB)
• International Government Efforts
– United Arab Emirates (UAE)
– European Union
– Australian Department of Defence


In Summary
• There have been numerous changes to the controls,
but the philosophies remain the same
• Regardless if you follow the 20 CC, each organization
needs a strategy for defense
• Be aware of the changing threat landscape and have
a plan for preventing future attacks
• Organizations need to set priorities for system and
data defense, this is one good option
• Watch for more changes to come


Further Questions
• James Tarala
– E-mail: james.tarala@enclavesecurity.com
– Twitter: @isaudit, @jamestarala
– Blog: http://www.enclavesecurity.com/blogs/

• Resources for further study:
– The 20 Critical Controls:
(http://www.sans.org/critical-security-controls/)
– SANS Security 566: Implementing and Auditing the Twenty
Critical Security Controls - In-Depth


Recent changes to the 20 critical controls

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Recent changes to the 20 critical controls

Ähnlich wie Recent changes to the 20 critical controls (20)

Mehr von EnclaveSecurity

Mehr von EnclaveSecurity (9)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Recent changes to the 20 critical controls

Hinweis der Redaktion