Based upon the Consensus Audit Guidelines 20 critical IT controls have been selected for priority implementation. Getting the biggest bang for your buck in cyber security.

1. Donald E. Hester
CISSP, CISA, CAP, PSP, MCT
Maze & Associates / San Diego City College
www.LearnSecurity.org

2. The Problem
• Compliance does not equal security
• Our highest priority is to secure our
systems
• Compliance is required but not our
highest goal
• We need a solution based on risk
Rev1/8/2010 2© 2010 Maze & Associates

3. Solution
• Limited resources
– Time
– Funding
– Resources
– Personnel
• With limited resources choices have to be
made about which security controls are
most important
• A prioritized approach in implementing
controls is required
• Prioritized by greatest risk first
Rev1/8/2010 3© 2010 Maze & Associates

4. Available Resources
“This recommended sequencing prioritization helps
ensure that foundational security controls upon
which other controls depend are implemented first,
thus enabling organizations to deploy controls in a
more structured and timely manner in accordance
with available resources. “
- NIST SP 800-53 rev3
Rev1/8/2010 4© 2010 Maze & Associates

5. A Prioritized Baseline
• How do we prioritize controls
• Intelligence
– Knowledge of actual attacks
• Controls that can prevent know attacks
should be given a higher priority
• A consensus report has been developed
to document 20 critical controls
Rev1/8/2010 5© 2010 Maze & Associates

6. Focus
• Focus attention and resources on the
most critical risk
• Defend against current and near term
attacks
• They will be the highest payoff areas
• Top, shared priority for CIO, CISO and IGs
Rev1/8/2010 6© 2010 Maze & Associates

7. Risk Based
• Countermeasures should focus on
addressing
– High probability attack
– High impact attacks
• Consistent implementation
• Automated and continuously monitored
• Additional technical activities should be
used to defend systems
Rev1/8/2010 7© 2010 Maze & Associates

8. Control Implementation Sequence
“The priority allocation section provides the recommended
priority codes used for sequencing decisions during security
control implementation” - NIST SP 800-53 rev3
“Organizations can use the recommended priority code
designation associated with each security control in the
baselines to assist in making sequencing decisions for control
implementation “
- NIST SP 800-53 rev3
Rev1/8/2010 8© 2010 Maze & Associates

9. Compliance
• The reality of limited resources does not
mean we can ignore controls.
• Compliance requires all controls to be in
place.
• A prioritized approach helps us
implement the most important controls
or the controls that give us the biggest
bang first.
Rev1/8/2010 9© 2010 Maze & Associates

10. Compliance
“The implementation of security controls by sequence
priority code does not imply the achievement of any
defined level of risk mitigation until all of the security
controls in the security plan have been implemented.
The priority codes are used only for implementation
sequencing, not for making security control selection
decisions.“
- NIST SP 800-53 rev3
Rev1/8/2010 10© 2010 Maze & Associates

11. Implementation Sequence
Rev1/8/2010 11© 2010 Maze & Associates

12. THE TWENTY CRITICAL
CONTROLS
Rev1/8/2010 12© 2010 Maze & Associates

13. Collaborators
• Attack Data Resources
– DoD Blue Team Members (Incident Response)
– US-CERT
– Military Investigators
– FBI and other Police organizations
– DoE Cybersecurity Experts
– Forensic Experts
– DoD Red Team Members (Penetrations Tests)
– Civilian Penetration Testers
– Federal CIOs and CISOs
– GAO
Rev1/8/2010 13© 2010 Maze & Associates

14. Prioritized Controls
• 20 controls
• 15 controls that can be validated in part
automatically
• 5 controls that must be validated
manually
• Each control has subcontrols
• Reinforce, NISP SP 800-53, SCAP, FDCC,
FISMA, DHS software assurance
Rev1/8/2010 14© 2010 Maze & Associates

15. Categorize Subcontrols
• Quick Wins
• Improved Visibility and Attribution
• Hardened Configuration and Improved
Information Security Hygiene
• Advanced
Rev1/8/2010 15© 2010 Maze & Associates

16. Rev1/8/2010 16© 2010 Maze & Associates

17. Testing
• Periodic and/or Continual testing of
controls
• Use as much automation as possible
• Tools for remotely gathering, analyzing
and updating configuration
• Items such as workstations, servers and
network devices
Rev1/8/2010 17© 2010 Maze & Associates

18. CRITICAL CONTROLS
From version 2.1 Aug 10, 2009
Rev1/8/2010 18© 2010 Maze & Associates

19. Critical Controls
• Inventory of Authorized and Unauthorized
Devices
• Inventory of Authorized and Unauthorized
Software
• Secure configurations for Hardware and
Software on laptops, workstations and
servers
• Secure configurations for Network Devices
such as firewalls, routers and switches
Rev1/8/2010 19© 2010 Maze & Associates

20. Critical Controls
• Boundary Defense
• Maintenance, Monitoring and Analysis
of Security Audit Logs
• Application Software Security
• Controlled use of Administrative
Privileges
• Controlled access based on need to
know
Rev1/8/2010 20© 2010 Maze & Associates

21. Critical Controls
• Continuous Vulnerability Assessment
and Remediation
• Account Monitoring and Control
• Malware Defenses
• Limitation and Control of Network Ports,
Protocols and Services
• Wireless Device Control
• Data Loss Prevention
Rev1/8/2010 21© 2010 Maze & Associates

22. Critical Controls
• Secure Network Engineering
• Penetration Tests and Red Team
Exercises
• Incident Response Capability
• Data Recovery Capability
• Security Skills Assessment and
Appropriate Training to fill gaps
Rev1/8/2010 22© 2010 Maze & Associates