2. Why Do the Center for Internet Security (CIS) Critical Security Controls Work?
- They are based on actual attacks and on the defenses that have proven effective against them
- They are prioritized, so the controls that stop the most common attacks come first
- They are not one-size-fits-all solutions
Non-Export controlled technical information
3. Control 1: Inventory of Hardware
- Authorized and unauthorized devices
  – Attackers are continuously scanning target organizations' networks
  – Attackers are waiting for new and unprotected systems to be attached to the network
4. Control 2: Inventory of Software
- Authorized and unauthorized software
  – Attackers are continuously looking for vulnerable versions of software that can be remotely exploited
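A worked reconciliation for Controls 1 and 2, added here as an example and not part of the original slides: it parses constructed DHCP lease records and a constructed `dpkg-query`-style package listing, then flags every device whose MAC address has no inventory record and every package that is missing from the software allowlist or is installed at an unapproved version. The inventories, lease records, package names and versions are all made up for the example.

```python
"""Reconcile what is actually on the network and on hosts against what is
authorized. Added example for CIS Controls 1 and 2; every record below is
constructed sample data, not a real inventory."""
import re
from dataclasses import dataclass

# Constructed authorized-hardware inventory (Control 1): MAC -> asset description.
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:55": "eng-ws-01 (asset A1001)",
    "00:11:22:33:44:66": "eng-ws-02 (asset A1002)",
    "00:11:22:33:44:77": "print-01 (asset P2001)",
}

# Constructed ISC-DHCP-style lease records. A newly attached box shows up here
# (or in ARP tables / switch MAC tables) long before anyone files an asset record.
DHCP_LEASES = """\
lease 10.0.5.21 { hardware ethernet 00:11:22:33:44:55; client-hostname "eng-ws-01"; }
lease 10.0.5.22 { hardware ethernet 00:11:22:33:44:66; client-hostname "eng-ws-02"; }
lease 10.0.5.90 { hardware ethernet de:ad:be:ef:00:01; client-hostname "raspberrypi"; }
lease 10.0.5.91 { hardware ethernet DE:AD:BE:EF:00:02; }
"""

LEASE_RE = re.compile(
    r'lease\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*\{\s*hardware ethernet\s+'
    r'(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2});'
    r'(?:\s*client-hostname\s+"(?P<host>[^"]*)";)?'
)


@dataclass(frozen=True)
class Device:
    ip: str
    mac: str
    hostname: str


def parse_leases(text):
    """Parse lease records; MACs are normalised to lower case so 'DE:AD' == 'de:ad'."""
    return [Device(m["ip"], m["mac"].lower(), m["host"] or "<no hostname>")
            for m in LEASE_RE.finditer(text)]


def unauthorized_devices(leases_text, authorized=AUTHORIZED_DEVICES):
    """Devices observed on the network whose MAC has no inventory record."""
    return [d for d in parse_leases(leases_text) if d.mac not in authorized]


# Constructed software allowlist (Control 2): package -> approved version strings.
AUTHORIZED_SOFTWARE = {
    "openssh-server": {"1:9.2p1-2+deb12u3"},
    "nginx": {"1.22.1-9"},
    "python3": {"3.11.2-1+b1"},
    "curl": {"7.88.1-10+deb12u7"},
}

# Constructed listing in the shape of `dpkg-query -W -f '${Package} ${Version}\n'`.
INSTALLED_PACKAGES = """\
openssh-server 1:9.2p1-2+deb12u3
nginx 1.22.1-9
python3 3.11.2-1+b1
curl 7.88.1-10+deb12u5
ncat 7.93+dfsg1-1
"""


def unauthorized_software(installed_text, allowlist=AUTHORIZED_SOFTWARE):
    """(package, version, reason) for anything not on the allowlist or at an
    unapproved version; an exact-version allowlist catches downgrades as well."""
    findings = []
    for line in installed_text.splitlines():
        if not line.strip():
            continue
        name, version = line.split(None, 1)
        if name not in allowlist:
            findings.append((name, version, "not on allowlist"))
        elif version not in allowlist[name]:
            findings.append((name, version, "unapproved version"))
    return findings


if __name__ == "__main__":
    for d in unauthorized_devices(DHCP_LEASES):
        print(f"UNAUTHORIZED DEVICE   {d.ip:12} {d.mac} {d.hostname}")
    for name, version, reason in unauthorized_software(INSTALLED_PACKAGES):
        print(f"UNAUTHORIZED SOFTWARE {name} {version}: {reason}")
```

Run against live data, the lease file and package listing would come from the DHCP server and from each host; the point of the exercise is that the comparison is only as good as the authorized inventory it is compared against, so that list has to be maintained as assets are added and retired.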
5. Control 3: Secure Configurations of Hardware and Software
- Default configurations are designed for ease of use, not security
- Open services and ports, default accounts and default passwords
  – Can be exploited
6. Control 4: Continuous Vulnerability Assessment and Remediation
- Scan for vulnerabilities and address the discovered flaws
- Understanding and managing vulnerabilities is a continuous activity, not a one-time discovery
- Attackers have the same vulnerability information as defenders
  – It is a race to remediate before they deploy an attack
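The "race" on this slide is a prioritization problem: which vulnerable assets get fixed first. The following is an added example, not code from the original slides: it matches a constructed software inventory against constructed advisory records, decides vulnerability by version comparison, and ranks the work by a simple score that weights public exploit availability and Internet exposure. Product names, versions, CVSS values and hosts are invented, and the scoring weights are illustrative assumptions.

```python
"""Match an installed-software inventory against advisory data and rank what to
fix first. Added example for CIS Control 4; product names, versions, scores and
hosts below are constructed and do not refer to real CVEs or products."""
from dataclasses import dataclass


def version_tuple(v):
    """'2.4.58' -> (2, 4, 58). Only plain dotted numeric versions are handled;
    distro epochs, revisions and pre-release tags need the package manager's own
    comparison (e.g. `dpkg --compare-versions`), which this example does not model."""
    return tuple(int(p) for p in v.split("."))


def is_vulnerable(installed, fixed_in):
    """True when installed < fixed_in, zero-padding so that 2.4 == 2.4.0."""
    a, b = version_tuple(installed), version_tuple(fixed_in)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_in: str         # first version that contains the fix
    cvss: float
    exploit_public: bool  # attackers have this information too


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool


# Constructed advisory feed and inventory.
ADVISORIES = [
    Advisory("webapp-server", "2.4.58", 7.5, exploit_public=True),
    Advisory("ssh-daemon", "9.6", 8.1, exploit_public=False),
    Advisory("pdf-viewer", "12.1.2", 6.5, exploit_public=True),
]
INVENTORY = [
    Asset("web-01", "webapp-server", "2.4.57", internet_facing=True),
    Asset("web-02", "webapp-server", "2.4.58", internet_facing=True),
    Asset("bastion", "ssh-daemon", "9.5", internet_facing=True),
    Asset("ws-17", "pdf-viewer", "12.0.9", internet_facing=False),
    Asset("ws-18", "pdf-viewer", "12.1.2", internet_facing=False),
]


def risk_score(adv, asset):
    """CVSS base score, bumped when a public exploit exists (the race is already
    on) and when the asset is reachable from the Internet. Weights are illustrative."""
    return adv.cvss + (3.0 if adv.exploit_public else 0.0) + (2.0 if asset.internet_facing else 0.0)


def remediation_queue(advisories=ADVISORIES, inventory=INVENTORY):
    """(score, host, product, installed, fixed_in) per vulnerable asset, highest risk first."""
    by_product = {a.product: a for a in advisories}
    queue = []
    for asset in inventory:
        adv = by_product.get(asset.product)
        if adv and is_vulnerable(asset.version, adv.fixed_in):
            queue.append((risk_score(adv, asset), asset.host, asset.product,
                          asset.version, adv.fixed_in))
    return sorted(queue, reverse=True)


if __name__ == "__main__":
    for score, host, product, installed, fixed in remediation_queue():
        print(f"{score:5.1f}  {host:8} {product} {installed} -> upgrade to {fixed}")
```

With the constructed data, the Internet-facing web server with a public exploit ranks above the bastion host even though the bastion's CVSS score is higher, which is the ordering an attacker's own effort would follow.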
7. Control 5: Controlled Use of Administrative Privileges
- Track and control the use of administrative privileges
- Attackers take advantage of uncontrolled administrative privileges
  – e.g., by cracking an administrator's password
8. Control 6: Maintenance, Monitoring and Analysis of Audit Logs
- Collect and analyze audit logs of events
  – Detect an attack
  – Recover from an attack
- Sometimes logs are the only evidence of an attack
- Attackers can also hide their activities, including by tampering with the logs themselves
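Controls 5 and 6 meet in the audit log: password guessing against an administrative account is visible only if the authentication log is collected and actually analyzed. The detection below is an added example and not part of the original slides. It parses constructed sshd lines in syslog format, raises an alert when one source fails against one account five times within two minutes, and raises a higher-severity alert if that same source then logs in. The log lines, the thresholds, the privileged-account list and the year (syslog timestamps carry none) are all assumptions made for the example.

```python
"""Detect password guessing against privileged accounts in sshd audit logs.
Added example for CIS Controls 5 and 6; the log lines are constructed and the
year is assumed because syslog timestamps do not carry one."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_ACCOUNTS = {"root", "admin"}   # assumed list for this example
ASSUMED_YEAR = 2024

# Constructed auth.log excerpt: a guessing run against root from 203.0.113.5
# that eventually succeeds, and one ordinary typo-then-login by alice.
AUTH_LOG = """\
Jan 12 03:14:01 bastion sshd[2231]: Failed password for root from 203.0.113.5 port 51022 ssh2
Jan 12 03:14:03 bastion sshd[2231]: Failed password for root from 203.0.113.5 port 51022 ssh2
Jan 12 03:14:05 bastion sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51030 ssh2
Jan 12 03:14:06 bastion sshd[2240]: Failed password for root from 203.0.113.5 port 51044 ssh2
Jan 12 03:14:08 bastion sshd[2240]: Failed password for root from 203.0.113.5 port 51044 ssh2
Jan 12 03:14:10 bastion sshd[2240]: Failed password for root from 203.0.113.5 port 51044 ssh2
Jan 12 03:14:12 bastion sshd[2252]: Failed password for root from 203.0.113.5 port 51061 ssh2
Jan 12 03:14:20 bastion sshd[2260]: Failed password for alice from 198.51.100.7 port 40012 ssh2
Jan 12 03:14:27 bastion sshd[2260]: Accepted password for alice from 198.51.100.7 port 40012 ssh2
Jan 12 03:14:41 bastion sshd[2271]: Accepted password for root from 203.0.113.5 port 51080 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)


def parse_events(text):
    """(timestamp, result, user, src) for every line the parser understands; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def _alert(kind, ts, user, src, count):
    if kind == "login_after_guessing" and user in PRIVILEGED_ACCOUNTS:
        severity = "critical"
    elif user in PRIVILEGED_ACCOUNTS:
        severity = "high"
    else:
        severity = "medium"
    return {"kind": kind, "severity": severity, "time": ts.isoformat(),
            "user": user, "src": src, "failures": count}


def detect_guessing(text, threshold=5, window=timedelta(minutes=2)):
    """Alert when one source fails `threshold` times against one account inside
    `window`, and again (higher severity) if that source then logs in successfully."""
    failures = defaultdict(list)   # (src, user) -> failure timestamps still inside the window
    alerts = []
    for ts, result, user, src in sorted(parse_events(text)):
        key = (src, user)
        recent = [t for t in failures[key] if ts - t <= window]
        if result == "Failed":
            recent.append(ts)
            if len(recent) == threshold:          # fire once per run, not on every extra failure
                alerts.append(_alert("password_guessing", ts, user, src, len(recent)))
        else:
            if len(recent) >= threshold:
                alerts.append(_alert("login_after_guessing", ts, user, src, len(recent)))
            recent = []                            # a successful login closes the run
        failures[key] = recent
    return alerts


if __name__ == "__main__":
    for a in detect_guessing(AUTH_LOG):
        print(a)
```

Because the attacker on the slide "can also hide their activities", this kind of analysis has to run on a copy of the log forwarded off the host at write time; a detector that reads only the local file can be blinded by the same intruder it is meant to catch.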
9. Control 7: Email and Web Browser Protections
- Minimize the attack surface exposed through web browsers
  – Keep browsers fully up to date and patched
  – By default, do not install plugins or ActiveX controls
  – Block third-party cookies
- Attackers use phishing emails as the entry point of an attack
10. Control 8: Malware Defenses
- Control the installation and spread of malicious code
- Attackers use malware against target organizations through a number of entry points, such as end-user devices, email attachments and web pages
11. Control 9: Limitation and Control of Network Ports and Services
- Manage and track the use of ports, protocols and services
- Attackers are continuously searching for remotely accessible network services and open ports
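Controls 3 and 9 are both baseline checks: compare what a host is configured to do, and what it actually exposes, against what it is supposed to do. The audit below is an added example and not code from the original slides. It checks a weak, default-looking `sshd_config` fragment and a hardened one against a small baseline, and checks a constructed `ss -ltnp`-style socket listing against an allowlist of ports, reporting loopback-only binds at lower severity than Internet-reachable ones. The config fragments, baseline directives, socket listing and allowed ports are constructed for the example and are not a complete hardening standard.

```python
"""Audit a service configuration and the host's listening sockets against a
baseline. Added example for CIS Controls 3 and 9; the sshd_config fragments,
the `ss`-style socket listing and the baseline values are constructed for the
example and are not a complete hardening standard."""
import re

# Baseline (Control 3): directive -> acceptable values. A directive missing
# from the file is reported too, because the host is then running on whatever
# the vendor default happens to be. Keywords are matched exact-case here for
# brevity; sshd itself treats them case-insensitively.
SSHD_BASELINE = {
    "PermitRootLogin": {"no"},
    "PasswordAuthentication": {"no"},
    "PermitEmptyPasswords": {"no"},
    "X11Forwarding": {"no"},
    "MaxAuthTries": {"3", "4"},
}

WEAK_SSHD_CONFIG = """\
# default-looking config: easy to use, not secure
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
"""


def parse_kv_config(text):
    """sshd_config style: 'Directive value', '#' comments, first occurrence wins (as sshd does)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        settings.setdefault(parts[0], parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit_config(text, baseline=SSHD_BASELINE):
    """(directive, observed, acceptable values) for every baseline miss."""
    settings = parse_kv_config(text)
    findings = []
    for key, allowed in baseline.items():
        observed = settings.get(key)
        if observed is None:
            findings.append((key, "<not set, vendor default>", sorted(allowed)))
        elif observed not in allowed:
            findings.append((key, observed, sorted(allowed)))
    return findings


ALLOWED_PORTS = {22, 443}   # constructed allowlist of services this host may expose

# Constructed listing in the shape of `ss -ltnpH` (one socket per line).
LISTENING = """\
LISTEN 0 128   0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511   0.0.0.0:443    0.0.0.0:* users:(("nginx",pid=1203,fd=6))
LISTEN 0 80    127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=1377,fd=21))
LISTEN 0 5     0.0.0.0:5900   0.0.0.0:* users:(("x11vnc",pid=2044,fd=4))
LISTEN 0 128   [::]:22        [::]:*    users:(("sshd",pid=812,fd=4))
"""

PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_listeners(text):
    """(address, port, process) per line; '[::]:22' is handled by splitting on the last colon."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        m = PROC_RE.search(line)
        out.append((addr.strip("[]"), int(port), m.group(1) if m else "?"))
    return out


def audit_listeners(text, allowed=ALLOWED_PORTS):
    """(port, process, address, exposure) for every listening port not on the allowlist."""
    findings = []
    for addr, port, proc in parse_listeners(text):
        if port in allowed:
            continue
        exposure = "loopback-only" if addr in ("127.0.0.1", "::1") else "exposed"
        findings.append((port, proc, addr, exposure))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_config(cfg) or "OK")
    for finding in audit_listeners(LISTENING):
        print("PORT", finding)
```

The weak fragment produces five findings (two insecure values, two directives left at vendor default, and no `MaxAuthTries`); the hardened one produces none. The VNC listener on all interfaces is the kind of service the slide's attacker is scanning for, while the loopback-bound database is flagged but at lower severity.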
12. Control 10: Data Recovery Capability
- Back up critical information
- When attackers compromise systems, they
  – Make significant changes to software configurations
  – Alter data
- When the compromise is discovered, everything the attackers altered must be removed and restored from a trusted backup
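Removing "all data that have been altered by attackers" presupposes two things: a way to tell which files changed, and a backup that the attacker could not quietly alter as well. The following is an added example and not part of the original slides. It keeps a hashed, HMAC-authenticated manifest of a pre-incident snapshot, classifies the post-incident state into altered, added and deleted files, and rolls the host back from the backup only after the manifest passes its integrity check. The "filesystem", the backup, the file contents and the HMAC key are in-memory placeholders constructed for the example; in practice the key would live in a secrets store separate from the backup media.

```python
"""Detect files an intruder altered and restore them from a backup whose own
integrity is verified first. Added example for CIS Control 10; the 'filesystem'
and 'backup' are in-memory dicts with constructed contents, and the HMAC key is a
placeholder that would live in a secrets store."""
import hashlib
import hmac
import json

BACKUP_KEY = b"example-only-backup-manifest-key"   # placeholder, not a real secret


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_manifest(files):
    """Hash every file in a snapshot and authenticate the manifest with an HMAC, so
    an attacker who can rewrite the backup cannot also rewrite the hashes it is checked against."""
    hashes = {path: sha256_hex(content) for path, content in sorted(files.items())}
    body = json.dumps(hashes, sort_keys=True).encode()
    return {"hashes": hashes, "mac": hmac.new(BACKUP_KEY, body, hashlib.sha256).hexdigest()}


def verify_manifest(manifest):
    body = json.dumps(manifest["hashes"], sort_keys=True).encode()
    expected = hmac.new(BACKUP_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def diff_against_manifest(current_files, manifest):
    """Classify each path as altered / added / deleted relative to the trusted snapshot."""
    hashes = manifest["hashes"]
    return {
        "altered": sorted(p for p in current_files
                          if p in hashes and sha256_hex(current_files[p]) != hashes[p]),
        "added": sorted(p for p in current_files if p not in hashes),
        "deleted": sorted(p for p in hashes if p not in current_files),
    }


def restore(current_files, backup_files, manifest):
    """Roll back everything the diff flags: rewrite altered and deleted files from the
    backup, drop files the intruder added. Refuses to run if the manifest fails its MAC."""
    if not verify_manifest(manifest):
        raise ValueError("backup manifest failed integrity check; do not restore from it")
    report = diff_against_manifest(current_files, manifest)
    restored = dict(current_files)
    for p in report["altered"] + report["deleted"]:
        restored[p] = backup_files[p]
    for p in report["added"]:
        del restored[p]
    return restored, report


# Constructed snapshot taken before the incident, and the host as found afterwards.
BACKUP = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/crontab": b"# system crontab\n",
    "/var/www/index.html": b"<h1>Welcome</h1>\n",
    "/var/log/auth.log": b"Jan 12 03:14:41 bastion sshd[2271]: Accepted password for root\n",
}
COMPROMISED = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication yes\n",  # config weakened
    "/etc/crontab": b"# system crontab\n@reboot root /tmp/.x/backdoor\n",              # persistence added
    "/var/www/index.html": b"<h1>Welcome</h1>\n",                                   # untouched
    "/tmp/.x/backdoor": b"\x7fELF...",                                             # dropped binary
    # /var/log/auth.log is gone: the intruder wiped the evidence
}
MANIFEST = make_manifest(BACKUP)

if __name__ == "__main__":
    restored, report = restore(COMPROMISED, BACKUP, MANIFEST)
    print(json.dumps(report, indent=2))
    print("restored state matches snapshot:", restored == BACKUP)
```

The deleted log file is restored along with the altered configuration, which is why the backup on this slide and the logs on Control 6 belong together: the backup is often where the only surviving copy of the evidence lives.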
16. Biography
Mary Y Wang
Information Systems Security Officer
Raytheon Space and Airborne Systems, California
Mary Wang joined Raytheon in August 2015. Currently, she works in the Raytheon Space and Airborne Systems Information Assurance organization. She has a strong passion for cybersecurity, especially in the penetration testing and application security areas. Prior to joining Raytheon, she was a Senior Software Engineer and Project Lead at The Boeing Company, where she worked on a variety of software projects. Mary holds a Bachelor of Science degree in Computer Science and a Master of Business Administration degree. She is currently attending the SANS Technology Institute for a graduate degree in Pen Testing & Ethical Hacking. Mary has also been a frequent speaker at annual Women Engineers Conferences.