Recent changes to the 20 critical controls

The SANS Institute, in collaboration with the Center for Strategic and International Studies (CSIS), has recently released updates to the 20 Critical Controls / Consensus Audit Guidelines. These updates are based on industry changes and new attack signatures collected over the previous 18 months from those directly involved on the front lines of stopping targeted cyber-attacks. This presentation shares details of the changes in the most recent version of the controls, insights into how the controls were developed and where they are heading, and practical tips collected from organizations actively implementing them.

  • Transcript

    • 1. Recent Changes to the 20 Critical Controls: Updates and Philosophies (v.3)
      James Tarala, Enclave Security
    • 2. Information Security Standards
      • Presently there are a number of information security standards available
      • But there are too many to choose from:
        – Individual Corporate / Agency Standards
        – NIST 800-53 / 800-53 A
        – FISMA / DIACAP
        – HIPAA / SOX / GLBA
        – PCI / NERC / CIP
        – 20 Critical Controls / Consensus Audit Guidelines
      The Consensus Audit Guidelines © Enclave Security 2010
    • 3. One Option: 20 Critical Controls
      • Developed as a tool for organizations responsible for NIST 800-53
      • Priorities for which controls will make the most impact in stopping dedicated attackers
      • Written in response to compromised US government agencies & contractors
      • Collaborative effort by over 100 different government, military, & civilian experts
    • 4. CSIS & The SANS Institute
      • The controls are a collaboration between the Center for Strategic & International Studies, the SANS Institute & other entities
      • CSIS began engaging cyber security issues at the beginning of the Obama administration
      • Updates to the controls are a collaboration between individuals at each of these groups
      Recent Changes to the 20 Critical Controls © Enclave Security 2011
    • 5. Project Guiding Principles
      • Defenses should focus on addressing the most common and damaging attack activities occurring today, and those anticipated in the near future.
      • Enterprise environments must ensure consistent controls across an enterprise to effectively negate attacks.
    • 6. Project Guiding Principles (2)
      • Defenses should be automated where possible, and periodically or continuously measured using automated measurement techniques where feasible.
      • To address current attacks occurring on a frequent basis against numerous organizations, a variety of specific technical activities should be undertaken to produce a more consistent defense.
    • 7. Project Guiding Principles (3)
      • Root cause problems must be fixed in order to ensure the prevention or timely detection of attacks.
      • Metrics should be established that facilitate common ground for measuring the effectiveness of security measures, providing a common language to communicate about risk.
    • 8. Why are the Controls Important?
      • Cyber security is complex and becoming even more complicated every day
      • Organizations are being compromised, even after spending large portions of their budget on infosec
      • CIOs & CISOs need prioritized controls to get the most return from their investment
      • More controls rarely hurt, but how do we decide which controls to start with?
      • It's critical that we have priorities!
    • 9. Why are the Controls Important? (2)
      • We need agreement between:
        – Inspectors General (IGs, i.e. auditors)
        – Operations (sys-admins)
        – Security Engineers
      • We need metrics and measurements that everyone can agree to use
      • We need to stop people from violating systems & compromising the C-I-A of our data
    • 10. Categories of Sub-Controls
      • Quick Wins (QW)
      • Improved Visibility and Attribution (Vis/Attrib)
      • Hardened Configuration and Improved Information Security Hygiene (Config/Hygiene)
      • Advanced (Adv)
    • 11. Document Contributors
      • Blue team members inside the Department of Defense
      • Blue team members who provide services for non-DoD government agencies
      • Red & blue teams at the US National Security Agency
      • US-CERT and other non-military incident response teams
      • DoD Cyber Crime Center (DC3)
      • Military investigators who fight cyber crime
      • The FBI and other police organizations
      • US Department of Energy laboratories
    • 12. Document Contributors (2)
      • US Department of State
      • Army Research Laboratory
      • US Department of Homeland Security
      • DoD and private forensics experts
      • Red team members in DoD
      • The SANS Institute
      • Civilian penetration testers
      • Federal CIOs and CISOs
      • Plus over 100 other collaborators
    • 13. Revision History
      • Version 1.0 – Original rough draft of controls
      • Version 2.0 – Major revision of sub controls based on community & agency feedback
      • Version 2.1 – Minor revision of sub controls based on community & agency feedback
      • Version 2.3 – Addition of metrics & core evaluation methodologies
      • Version 3.0 – Minor revision of sub controls & addition of standards mappings & sensors
      • Version 3.1 – Reordering of controls based on priority of controls
    • 14. Updates to Version 3.0
      In this version the following updates were performed:
        – Minor updates to sub controls based on threat assessments & feedback
        – Re-classification of controls
        – Addition of mappings to additional standards (Australian DSD, NSA MNP & ISO 27000)
        – Addition of sensors for automated data collection
    • 15. Edits to Sub Controls
      • A number of sub controls were either added to or removed from the controls based on current threats
      • For example:
        – "All remote administration of servers, workstations, network devices, and similar equipment shall be done over secure channels (control 3)."
        – "Network-based IPS devices should be deployed to complement IDS by blocking known bad signatures or behavior of attacks (control 5)."
    • 16. Re-Classification of Controls
      • In addition to new or edited sub controls, many of the sub controls were re-classified
      • In most cases sub controls were lowered from "Advanced" to "Config-Hygiene" or "Vis-Attrib"
      • For example, in Control 6:
        – "Organizations should deploy a SIEM system tool for log aggregation and consolidation from multiple machines and for log correlation and analysis."
    • 17. Addition of "Sensors"
      • Sensors = tools to measure the effectiveness of the implementation of a control
      • For example, in Control 3:
        – Sensor: File integrity software
        – Measurement: File integrity monitoring software is deployed on servers as a part of the base configuration. Centralized solutions are preferred over stand-alone solutions.
        – Score: 50 percent awarded for using a solution with a central monitoring/reporting component. The remaining 50 percent is based on the percentage of servers on which the solution is deployed.
    • 18. US Dept of State iPost
      • Used to protect OpenNet, the Department of State (DoS) Sensitive But Unclassified (SBU) network
      • Consists of 5,000 routers and switches, and more than 40,000 hosts
      • The Risk Scoring program at DoS evolved in three separate stages:
        – Deployment of enterprise management tools
        – Delivery of operational data to the field in an integrated application, iPost
        – Establishment of a risk scoring program
    • 19. Sample iPost Reporting
    • 20. iPost Data Feeds
    • 21. Additional Standards Mapping
      • In version 3.0 and later, additional mappings were added between the 20 CC and other industry or government standards
      • Specifically, the controls are now mapped to:
        – NIST 800-53
        – US NSA Manageable Network Plan (MNP)
        – Australian DSD Top 35 Mitigation Strategies
        – ISO 27000 Series
    • 22. Updates to Version 3.1
      • In this version the following updates were performed:
        – A great deal of feedback on the controls was gathered from the experiences of the Australian DSD
        – The 20 Controls were reordered based on priorities, the value of each control & risk levels
    • 23. Australian Top 35
      • Australian Top 35 Mitigation Strategies, Australian Department of Defence
      • Defensive controls to block over 85% of attacks directed against their systems
      • The Top 35 Mitigation Strategies are ranked in order of overall effectiveness
      • Rankings are based on DSD's analysis of reported security incidents and vulnerabilities detected by DSD
      • http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm
    • 24. New Prioritized Control Order
      1. Inventory of Authorized and Unauthorized Devices
      2. Inventory of Authorized and Unauthorized Software
      3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
      4. Continuous Vulnerability Assessment and Remediation
      5. Malware Defenses
      6. Application Software Security
      7. Wireless Device Control
      8. Data Recovery Capability (validated manually)
      9. Security Skills Assessment and Appropriate Training to Fill Gaps (validated manually)
      10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
    • 25. New Prioritized Control Order (2)
      11. Limitation and Control of Network Ports, Protocols, and Services
      12. Controlled Use of Administrative Privileges
      13. Boundary Defense
      14. Maintenance, Monitoring, and Analysis of Security Audit Logs
      15. Controlled Access Based on the Need to Know
      16. Account Monitoring and Control
      17. Data Loss Prevention
      18. Incident Response Capability (validated manually)
      19. Secure Network Engineering (validated manually)
      20. Penetration Tests and Red Team Exercises (validated manually)
    • 26. Other Projects to Watch
      • Security Content Automation Protocol (SCAP)
      • Continuous Monitoring Efforts
        – NASA
        – CyberScope & FISMA Reporting
        – US Office of Management & Budget (OMB)
      • International Government Efforts
        – United Arab Emirates (UAE)
        – European Union
        – Australian Department of Defence
    • 27. In Summary
      • There have been numerous changes to the controls, but the philosophies remain the same
      • Whether or not you follow the 20 CC, each organization needs a strategy for defense
      • Be aware of the changing threat landscape and have a plan for preventing future attacks
      • Organizations need to set priorities for system and data defense; the 20 CC are one good option
      • Watch for more changes to come
    • 28. Further Questions
      • James Tarala
        – E-mail: james.tarala@enclavesecurity.com
        – Twitter: @isaudit, @jamestarala
        – Blog: http://www.enclavesecurity.com/blogs/
      • Resources for further study:
        – The 20 Critical Controls: http://www.sans.org/critical-security-controls/
        – SANS Security 566: Implementing and Auditing the Twenty Critical Security Controls - In-Depth