Overview of the 20 critical controls

  1. International Cyber Security Efforts & the 20 Critical Security Controls
     James Tarala, The SANS Institute
     Overview of the 20 Critical Controls © James Tarala 2010
  2. Stories from the Headlines
  3. Stories from the Headlines (cont.)
  4. Stories from the Headlines (cont.)
  5. Examples from the News
     • PrivacyRights.org (updated weekly)
     • Here are some that are reported (most are not)
     • Just a small sample (organization / records breached):
       – Heartland Payment Systems (130+ million – 1/2009)
       – Oklahoma Dept of Human Services (1 million – 4/2009)
       – Oklahoma Housing Finance Agency (225,000 – 4/2009)
       – University of California (160,000 – 5/2009)
       – Network Solutions (573,000 – 7/2009)
       – U.S. Military Veterans Administration (76 million – 10/2009)
       – BlueCross BlueShield Assn. (187,000 – 10/2009)
  6. State of Affairs
     • Clearly the bad guys seem to be winning the cybersecurity fight
     • While there are bright spots, they are few and far between
     • We seem to be getting better at detecting and responding to the threat
     • We need to be better at preventing the attacks from occurring in the first place
  7. Question to Answer
     In light of all the recent attacks… what efforts are underway by the US Congress, the current administration, and others to protect cyberspace?
  8. The Present State
  9. European Union Security Efforts
  10. Abu Dhabi (UAE) Security Efforts
  11. US Government Security Efforts
     • Initiated a 60 Day Cyber Security Review
     • Has discussed appointing a Cyber-Security Czar to oversee national efforts
     • New laws have been proposed:
       – The Cybersecurity Act of 2009 (S. 773)
       – United States Information and Communications Enhancement Act of 2009 (S. 921)
       – Personal Data Privacy and Security Act (S. 1490)
       – Data Breach Notification Act (S. 139)
  12. US Military Security Efforts
     • Creation of a Central Cyber Command:
       – Referred to as Cybercom
       – To be led by Director of the National Security Agency (NSA) Lt. Gen. Keith Alexander
       – To be located at Fort Meade
       – Initial operating capacity by Oct 2009 and fully operational by Oct 2010
       – To have both defensive and offensive capabilities
       – Will centrally coordinate all DoD cyber defensive activities
  13. DARPA's Contribution
  14. Public / Private Partnerships
     • There are a number of industry groups also trying to address the issues
     • Numerous frameworks have been established, such as:
       – CoBIT
       – IT Assurance Framework (ITAF)
       – ISO 27000 Series
       – IT Baseline Protection Manual
       – Consensus Audit Guidelines / 20 Critical Controls
       – Many, many others
  15. 20 Critical Controls
     • The twenty key controls:
       – 15 subject to automation
       – 5 that are important but cannot be easily automated
     • Coordinated by John Gilligan, Alan Paller, and others
     • These are the controls that stop known attacks and rapidly identify attacks that are occurring
     • Examples: automated inventory, automated configuration validation, etc.
  16. Document Contributors
     • Blue team members inside the Department of Defense
     • Blue team members who provide services for non-DoD government agencies
     • Red & blue teams at the US National Security Agency
     • US-CERT and other non-military incident response teams
     • DoD Cyber Crime Center (DC3)
     • Military investigators who fight cyber crime
     • The FBI and other police organizations
  17. Document Contributors (2)
     • US Department of Energy laboratories
     • US Department of State
     • Army Research Laboratory
     • US Department of Homeland Security
     • DoD and private forensics experts
     • Red team members in DoD
     • The SANS Institute
     • Civilian penetration testers
     • Federal CIOs and CISOs
     • Plus over 100 other collaborators
  18. Information Security Standards
     • Presently there are a number of government information security standards available
     • But there are too many to choose from:
       – Individual Corporate / Agency Standards
       – NIST 800-53 / 800-53A
       – FISMA / DIACAP
       – HIPAA / SOX / GLBA
       – PCI / NERC CIP
       – 20 Critical Controls / Consensus Audit Guidelines
  19. 20 CC Project Guiding Principles
     • Defenses should focus on addressing the most common and damaging attack activities occurring today, and those anticipated in the near future.
     • Enterprise environments must ensure consistent controls across an enterprise to effectively negate attacks.
  20. Project Guiding Principles (2)
     • Defenses should be automated where possible, and periodically or continuously measured using automated measurement techniques where feasible.
     • To address current attacks occurring on a frequent basis against numerous organizations, a variety of specific technical activities should be undertaken to produce a more consistent defense.
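Slide 15 names automated inventory and automated configuration validation as examples of the controls, and slide 20 asks that defenses be automated and continuously measured. The script below is an added illustration of what that looks like in practice; it is not code from the deck, from SANS, or from the Consensus Audit Guidelines project. It reconciles a constructed authorized-asset register against constructed discovery output (the kind of data a DHCP lease table or ARP sweep would yield), checks constructed host settings against a constructed secure-configuration baseline, and reduces both to the sort of metric an IG, a sysadmin and a security engineer can all read. Every MAC address, hostname, setting name and value is invented for the example.

```python
"""Added example: automated inventory reconciliation and configuration-baseline
checks, producing measurable results. All data below is constructed."""

# Constructed authorized-asset register: MAC -> (hostname, owner).
AUTHORIZED = {
    "00:11:22:33:44:01": ("web01", "ops"),
    "00:11:22:33:44:02": ("db01", "ops"),
    "00:11:22:33:44:03": ("ws-alice", "finance"),
}

# Constructed discovery output (e.g. DHCP leases or an ARP sweep): (mac, ip).
DISCOVERED = [
    ("00:11:22:33:44:01", "10.0.0.10"),
    ("00:11:22:33:44:03", "10.0.0.53"),
    ("00:11:22:33:44:99", "10.0.0.77"),  # not in the register
]

# Constructed secure-configuration baseline: setting -> required value.
BASELINE = {
    "ssh.PasswordAuthentication": "no",
    "ssh.PermitRootLogin": "no",
    "firewall.enabled": "yes",
}

# Constructed per-host settings as an agent or config scanner might report them.
OBSERVED = {
    "web01": {"ssh.PasswordAuthentication": "no", "ssh.PermitRootLogin": "no",
              "firewall.enabled": "yes"},
    "db01": {"ssh.PasswordAuthentication": "yes", "ssh.PermitRootLogin": "no",
             "firewall.enabled": "yes"},
    "ws-alice": {"ssh.PasswordAuthentication": "no",
                 "firewall.enabled": "yes"},  # PermitRootLogin not reported
}


def reconcile_inventory(authorized, discovered):
    """Return (unauthorized, missing): MACs seen on the network but absent from
    the register, and registered MACs not seen in this discovery run."""
    seen = {mac for mac, _ip in discovered}
    unauthorized = sorted(seen - set(authorized))
    missing = sorted(set(authorized) - seen)
    return unauthorized, missing


def check_baseline(baseline, observed):
    """Return {host: [failing settings]}. A setting the host did not report is
    counted as failing, so silence is never mistaken for compliance."""
    failures = {}
    for host, settings in observed.items():
        bad = [key for key, want in baseline.items() if settings.get(key) != want]
        if bad:
            failures[host] = bad
    return failures


def metrics(authorized, discovered, baseline, observed):
    """Reduce both checks to numbers that can be tracked run over run."""
    unauthorized, missing = reconcile_inventory(authorized, discovered)
    failures = check_baseline(baseline, observed)
    n_hosts = len(observed)
    compliant = n_hosts - len(failures)
    pct = round(100.0 * compliant / n_hosts, 1) if n_hosts else 0.0
    return {
        "unauthorized_devices": len(unauthorized),
        "missing_devices": len(missing),
        "baseline_compliance_pct": pct,
    }


if __name__ == "__main__":
    unauth, miss = reconcile_inventory(AUTHORIZED, DISCOVERED)
    print("unauthorized:", unauth)
    print("missing:", miss)
    for host, bad in check_baseline(BASELINE, OBSERVED).items():
        print(f"{host}: fails {', '.join(bad)}")
    print(metrics(AUTHORIZED, DISCOVERED, BASELINE, OBSERVED))
```

Run on a schedule, the same three numbers give the "periodically or continuously measured" view the principles call for: a new unauthorized device or a drop in compliance shows up as a change in the metric rather than as something a reviewer has to notice in a report.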
  21. Why are the Controls Important?
     • Cyber security is complex and becoming even more complicated every day
     • Organizations are being compromised, even after spending large portions of their budget on infosec
     • CIOs & CISOs need prioritized controls to get the most return from their investment
     • More controls rarely hurt, but how do we decide which controls to start with?
     • It's critical that we have priorities!
  22. Why are the Controls Important? (2)
     • We need agreement between:
       – Inspectors General (IGs – auditors)
       – Operations (sys-admins)
       – Security Engineers
     • We need metrics and measurements that everyone can agree to use
     • We need to stop people from violating systems & compromising the C-I-A of our data
  23. Concluding Thoughts
     • Regardless of who ultimately dictates our national cyber-security strategy, as a country we need:
       – Clear, coordinated leadership on the issue
       – Consistent, effective guidance on how to protect national data assets
       – Metrics that can be used to evaluate an agency's performance
       – Resources to be allocated to the task
  24. Follow-up Questions?
     • If you have additional questions, feel free to contact me at:
     • James Tarala
       – James.tarala@enclavesecurity.com
       – http://www.enclavesecurity.com/blogs/
       – Twitter: @isaudit; @jamestarala
