The CIS Critical Security Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks. They are developed, renewed, validated, and supported by a large volunteer community of security experts under the stewardship of the Center for Internet Security (www.cisecurity.org). Contributors, adopters, and supporters are found around the world and come from all types of roles, backgrounds, missions, and businesses. State and local governments, power distributors, transportation agencies, academic institutions, nancial services, federal government, and defense contractors are among the hundreds of organizations that have adopted the Controls. They have all implemented the Controls to address the key question: “What needs to be done right now to protect my organization from advanced and targeted attacks?”

2. Fog of War
“Nebel des Krieges”
The unavoidable aspect of war wherein the
intelligence gathered is always incomplete to a degree,
thereby making any decisions concerning said war a bit...
foggy.
.

3. The Security “Fog of More”

6. Simple
Achievable
Understandable
Affordable
Real World ,
Finally After lots of …………. …
( Internet Browsing )
CIS ( SANS ) Critical Security Controls

7. EFFECTIVE CYBER DEFENSE
USING
CIS CRITICAL SECURITY CONTROLS
Vikas Singh Yadav
vikassinghyadav@gmail.com
@VikasSYadav
09999402059

8. Who am I ?
• Vikas Singh Yadav
• Information Security Professional
• M Tech (Comp Science) – IIT Khargapur
• Certifications - PMP, CISM, CCSK
• Member – ISACA , CCICI, PMI, CISO Platform
• Indian Army Officer
• Soldier and Leader - OP Vijay , Op Parakram
• Information Warrior
• Speaker , Writer , Blogger.

9. Overview
• Are we Doing Enough ?
• Why the CIS CSC ?
• CIS 20 Controls
• Top 5 – Foundational Cyber Hygiene
• Benefits
• Action points

10. Are we not doing Enough ?
Audits
Firewall
UTM
Air Gap
DMZ
VLAN
Policies
DLP
Compliance
Anti
Malware
IDS / IPS
SIEM

11. Are we Winning ?

13. Median time to discover Incidents
Source : Fireye MTrends Asia Pacific 2016

14. What are CIS Critical Security Controls ?
“ Technical Controls selected and prioritized by
consensus agreement “
“ Prioritized well vetted and supported Security
Actions that organizations can take to assess and
improve their current security state”

16. CIS CSC Body of Knowledge
90 page PDF with pictures

18. Core Principles or Critical Tenets
Automation
Are we reducing human effort and error ?
Continuous Diagnostics and Mitigation
Are the controls still in place and functional ?
Metrics
Is What we are doing Effective ?
Prioritization
Are u investing in Controls that provide greatest Risk Reduction?
Offense informs Defense
Use Knowledge of Actual Attacks

19. Exercise
What are the top controls for
your organisation ?

20. The Top 5 Controls
CSC 5: Controlled Use of Administrator Privileges
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 3: Secure Configurations for Hardware and Software
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 1: Inventory of Authorized and Unauthorized Devices
Prevents/stops 85-90% attacks…

21. CIS Critical Security Controls
CSC 10: Data Recovery Capability
CSC 9: Limitation and Control of Network Ports, Protocols, and Services
CSC 8: Malware Defenses
CSC 7: Email and Web Browser Protections
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs

22. CIS Critical Security Controls
CSC 15: Wireless Access Control
CSC 14: Controlled Access based on the Need to Know
CSC 13: Data Protection
CSC 12: Boundary Defense
CSC 11: Secure Configurations for Network Devices

23. CIS Critical Security Controls
CSC 20: Penetration Tests and Red Team Exercises
CSC 19: Incident Response and Management
CSC 18: Application Software Security
CSC 17: Security Skills Assessment and Training
CSC 16: Account Monitoring and Control

24. CIS CRITICAL SECURITY CONTROLS

27. Sub Controls
• 198 Sub Controls
• Each controls has 4 – 8 Sub Controls
• Categories
• Foundational
• Advanced

28. CIS CSC 1 – Inventory of Devices

29. CSC 1
Inventory of Devices
Why? Unpatched Systems, Unchecked
Networks, BYOD
“‘If you can’t see it, you can’t protect it’
Identify all
devices
Document
the
inventory
Keep the
inventory
current

30. CSC 2
Inventory of Auth and UnAuth Software
Why? Attackers look for vulnerable
software, malware installation, etc.
List of Auth
software
Application
whitelisting
Software
inventory
tools
Use of VMs
and Air
Gapped
NWs
Vikas Singh Yadav 30

31. CSC 3
Secure Config for HW and SW
Why? Default configuration designed
for use, not security. Security “Decay”.
Secure
Config for
OS and
SW
Strict
Config
Mgt
File
integrity
Checkers
Config
Mgt Tools
Vikas Singh Yadav 31

32. CSC 4
Continuous Vulnerability Assess & Remediation
Why? Attackers exploit vulnerable
systems
“Vendors continue to produce security
remediations, it does little good if they
are not installed by the end user.”
Automated
Scanning
Tools
Automated
Patch Mgt
Monitor
event logs
Vikas Singh Yadav 32

33. CSC 5
Controlled use of Admin Privileges
Why? One of the primary means
attackers spread through an enterprise.
Minimize
Admin
Privileges
Inventory
Admin
Accounts
Change
default
passwords
Use Multi
Factor
Auth
Vikas Singh Yadav 33

34. Benefits of CIS Controls
• Risk based
• Simple.
• Reality based
• Dynamic
• Affordable

35. Additional Benefits
Solid Platform to build
other standards on
Can be used to
create a Roadmap
A starting point for those who don’t
know where to begin

36. Getting Started
Answer Key Questions
• What am I trying to protect ?
• What are my Gaps ?
• What are my priorities ?
• Where can I automate ?
• How can my vendor partners help ?

37. Implementation
• Depends on your Environment
• Areas which you are weak
• Gap Analysis
• Do the Foundational first
• Then tackle Advanced

38. Action Steps
• Read the CIS CSC version 6.1
• Do a Gap Assessment
• Read implementation articles
• Make a roadmap for 1 / 3 / 6 / 12 months what
you want to accomplish in your organisation.

39. Critical Security Controls
Initial Assessment Tool

40. Starting Off
Take inventory and/or use existing tools
or free tools to start.
• CSC 1: Nmap, DHCP, 802.1x, Wireshark
• CSC 2: Windows SRP, GPOs
• CSC 3: CIS Security Benchmarks
• CSC 4: OpenVAS, Nmap
• CSC 5: Runas, sudo

42. Issues and Concerns
• Technology Centric
• Overlooks Policies and Governance
• Is not a replacement for a proper Risk
Management Framework.

43. Which is the most widely
used Information Security
framework in India ?

44. Are we doing all this ?
Simple Basic Intuitive
Is it prioritized ?

45. Questions
https://linkedin.com/in/vikassinghydav
@VikasSYadav
vikassinghyadav@gmail.com
09999402059

46. Vikas Singh Yadav
• Information Security professional with specialization in
Telecom and Cloud Computing.
• 15 years plus experience in field of Information Security,
Cyber Audit, Incident Response, Technology Management,
Project Management, Training & Development and Personnel
Management.
• Leadership role in It and Cyber Security for last 6 years.
• B Tech (Telecom and IT) , M Tech (Comp Science) – IIT
Khargapur
• Certifications - PMP, CISM, CCSK
• Member – ISACA , CCICI, PMI, CISO Platform
• Keen Photographer, Travel Enthusiast and Golfer.

47. REFERENCES
• The CIS Critical Controls for Effective Cyber Defence Version 6.0 -
http://www.cisecurity.org/critical-controls.
• SANS Critical Controls - http://www.sans.org/critical-security-controls
• NIST Cyber Security Framework (CSF) -
http://www.nist.gov/cyberframework/
• UK Cyber Essentials Scheme -
https://www.cyberstreetwise.com/cyberessentials/
• ISO 27001 - www.iso.org/iso/iso27001
• Open Vulnerability Assessment System (OpenVAS)-
http://www.openvas.org
• Total Network Inventory - http://www.softinventive.com
• CIS Security Benchmark resources -
https://benchmarks.cisecurity.org/downloads
• NIST SP 800-128 Guide for Security-Focused Configuration Management
of Information Systems -
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-
128.pdf