More Practical Insights on the 20 Critical Controls
Case Studies & Practical What Works

James Tarala, Enclave Security

Information Security Standards
• Presently there are a number of information
  security standards available
• But, there are too many to choose from:
  – Individual Corporate / Agency Standards
  – NIST 800-53 / 800-53 A
  – FISMA / DIACAP
  – HIPAA / SOX / GLBA
  – PCI / NERC / CIP
  – 20 Critical Controls / Consensus Audit Guidelines

The Consensus Audit Guidelines © Enclave Security 2010
One Option: 20 Critical Controls
• Developed as a tool for organizations
  responsible for NIST 800-53
• Priorities for which controls will make the
  most impact to stop dedicated attackers
• Written in response to compromised US
  government agencies & contractors
• Collaborative effort by over 100 different
  government, military, & civilian experts


20 CC Project Guiding Principles
• Defenses should focus on
  addressing the most common
  and damaging attack activities
  occurring today, and those
  anticipated in the near future.
• Enterprise environments must
  ensure consistent controls
  across an enterprise to
  effectively negate attacks.


Project Guiding Principles (2)
• Defenses should be automated where possible, and periodically or
  continuously measured using automated measurement techniques
  where feasible.
• To address current attacks occurring on a frequent basis against
  numerous organizations, a variety of specific technical activities
  should be undertaken to produce a more consistent defense.



Why are the Controls Important?
• Cyber security is complex and becoming even
  more complicated every day
• Organizations are being compromised, even after
  spending large portions of their budget on
  infosec
• CIOs & CISOs need prioritized controls to get the
  most return from their investment
• More controls rarely hurt, but how do we decide
  which controls to start with?
• It’s critical that we have priorities!


Why are the Controls Important? (2)
• We need agreement between:
  – Inspector Generals (IGs – auditors)
  – Operations (sys-admins)
  – Security Engineers
• We need metrics and measurements that
  everyone can agree to use
• We need to stop people from violating
  systems & compromising the C-I-A of our data


Why are the Controls Important? (3)
• It is a triage strategy for enterprise defense
• Most organizations are already bleeding, so
  how can we perform first aid?
• The 20 Critical Controls are meant:
  – To prioritize controls
  – To prioritize resources
  – To give enterprises a list of what to do first
  – To define controls effective at stopping attacks



Current Related Efforts
• US Department of State iPost System
• Security Content Automation Protocol (SCAP)
• Continuous Monitoring Efforts
• International Government Efforts




US Dept of State iPost
• Used to protect OpenNet, the DoS Sensitive But
  Unclassified (SBU) network
• Consists of 5,000 routers and switches, and more
  than 40,000 hosts
• The Risk Scoring program at DoS evolved in three
  separate stages.
  – Deployment of Enterprise management tools
  – Delivery of operational data to the field in an
    integrated application, iPost
  – Establishment of a risk scoring program



iPost Reporting
(no text content extracted from this slide)

iPost Reporting (2)
(no text content extracted from this slide)

iPost Reporting (3)
(no text content extracted from this slide)

iPost Data Feeds
(no text content extracted from this slide)

SCAP
• Security Content Automation Protocol (SCAP)
• “SCAP comprises specifications for organizing and
  expressing security-related information in
  standardized ways, as well as related reference
  data such as unique identifiers for vulnerabilities”
• Three Primary NIST Publications:
   – NIST SP 800-117
   – NIST SP 800-126
   – NIST IR 7511
• More information can be found at:
   – http://scap.nist.gov/

SCAP (2)
• Multiple existing specifications in affiliation
  with SCAP
• Protocols:
  – Security Content Automation Protocol (SCAP) –
    ver. 1.0
• Languages:
  – The eXtensible Configuration Checklist Description
    Format (XCCDF)
  – Open Vulnerability and Assessment Language
    (OVAL)

SCAP (3)
• Enumerations:
  – Common Configuration Enumeration (CCE)
  – Common Platform Enumeration (CPE)
  – Common Vulnerabilities and Exposures (CVE)
• Metrics:
  – Common Vulnerability Scoring System (CVSS)
• For more information visit:
  – http://scap.nist.gov/revision/1.0/index.html

SCAP (4)
• Multiple emerging specifications in affiliation
  with SCAP
• Languages:
   – Asset Reporting Format (ARF)
   – Open Checklist Interactive Language (OCIL)
   – Open Checklist Reporting Language (OCRL)
• Metrics:
   – Common Configuration Scoring System (CCSS)
   – Common Misuse Scoring System (CMSS)
• For more information visit:
   – http://scap.nist.gov/emerging-specs/listing.html

Continuous Monitoring
• The idea is to use automation and real time
  information feeds to report on historical risk
  levels within organizations
• Many groups are currently working to develop
  ways to encourage these activities:
  – US Federal Agencies (NIST, OMB)
  – Individual gov't & private sector groups (NASA)
  – Research Groups (such as CSIS & SANS)
  – SIEM Vendors (ArcSight, Splunk, Red Seal, etc)
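As an added illustration (not code from the presentation, from NIST or from any of the vendors named above), the following Python script shows how the SCAP building blocks from the preceding slides feed the continuous-monitoring idea on this one: it parses an XCCDF 1.2 TestResult, applies XCCDF's flat scoring model (pass and fixed count as passing; notapplicable, notchecked, notselected and informational are excluded from the denominator; fail, error and unknown count against the host), collects the CCE identifiers of the rules that failed so they can be triaged by severity, and keeps the score across consecutive runs so a historical trend can be reported rather than a single point-in-time snapshot. The TestResult documents, the rule ids, the host name and the CCE-EXAMPLE-* identifiers are all constructed sample data.

```python
"""Score XCCDF TestResults and track the score over time.

Added example, not part of the presentation. All rule ids, the host name
and the CCE-EXAMPLE-* identifiers are constructed placeholders.
"""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
CCE_SYSTEM = "http://cce.mitre.org"

# XCCDF flat scoring: these results are left out of the denominator entirely.
EXCLUDED = {"notapplicable", "notchecked", "notselected", "informational"}
# Only these count as passing; fail, error and unknown all count against the host.
PASSING = {"pass", "fixed"}


def make_test_result(run_id, start_time, outcomes):
    """Build a constructed XCCDF 1.2 TestResult for one host.

    outcomes: {rule_id: (result, severity, cce_ident)}.  Sample data only,
    not output from a real scanner.
    """
    rows = "".join(
        f'  <rule-result idref="{rule}" severity="{sev}" weight="1.0">\n'
        f"    <result>{res}</result>\n"
        f'    <ident system="{CCE_SYSTEM}">{cce}</ident>\n'
        "  </rule-result>\n"
        for rule, (res, sev, cce) in outcomes.items()
    )
    return (
        f'<TestResult xmlns="{NS["x"]}" id="{run_id}" start-time="{start_time}">\n'
        "  <target>host-a.example.test</target>\n"
        f"{rows}</TestResult>\n"
    )


def score_test_result(xml_text):
    """Return the flat score (0-100) plus what failed, grouped for triage."""
    root = ET.fromstring(xml_text)
    score = max_score = 0.0
    failed_by_severity = Counter()
    failed_cces = []
    for rr in root.findall("x:rule-result", NS):
        result = rr.findtext("x:result", default="unknown", namespaces=NS)
        if result in EXCLUDED:
            continue
        weight = float(rr.get("weight", "1.0"))  # XCCDF default rule weight
        max_score += weight
        if result in PASSING:
            score += weight
            continue
        failed_by_severity[rr.get("severity", "unknown")] += 1
        for ident in rr.findall("x:ident", NS):
            if ident.get("system") == CCE_SYSTEM:
                failed_cces.append(ident.text)
    pct = 100.0 * score / max_score if max_score else 0.0
    return {
        "run": root.get("id"),
        "start": root.get("start-time"),
        "target": root.findtext("x:target", namespaces=NS),
        "score": round(pct, 1),
        "failed_by_severity": dict(failed_by_severity),
        "failed_cces": failed_cces,
    }


def score_history(runs):
    """Score consecutive runs for one host and record the change between
    them: the 'historical risk level' view a monitoring dashboard reports."""
    history, previous = [], None
    for xml_text in runs:
        entry = score_test_result(xml_text)
        entry["delta"] = None if previous is None else round(entry["score"] - previous, 1)
        previous = entry["score"]
        history.append(entry)
    return history


# Constructed sample runs: a first scan and a follow-up after remediation.
RUN1 = make_test_result("xccdf_example_result_run1", "2010-10-01T08:00:00", {
    "xccdf_example_rule_password_length": ("fail", "high", "CCE-EXAMPLE-1"),
    "xccdf_example_rule_audit_enabled": ("pass", "medium", "CCE-EXAMPLE-2"),
    "xccdf_example_rule_telnet_disabled": ("fail", "high", "CCE-EXAMPLE-3"),
    "xccdf_example_rule_login_banner": ("notapplicable", "low", "CCE-EXAMPLE-4"),
    "xccdf_example_rule_screen_lock": ("error", "medium", "CCE-EXAMPLE-5"),
})
RUN2 = make_test_result("xccdf_example_result_run2", "2010-10-08T08:00:00", {
    "xccdf_example_rule_password_length": ("fixed", "high", "CCE-EXAMPLE-1"),
    "xccdf_example_rule_audit_enabled": ("pass", "medium", "CCE-EXAMPLE-2"),
    "xccdf_example_rule_telnet_disabled": ("pass", "high", "CCE-EXAMPLE-3"),
    "xccdf_example_rule_login_banner": ("notapplicable", "low", "CCE-EXAMPLE-4"),
    "xccdf_example_rule_screen_lock": ("fail", "medium", "CCE-EXAMPLE-5"),
})

if __name__ == "__main__":
    for entry in score_history([RUN1, RUN2]):
        print(f"{entry['start']} {entry['target']}: score {entry['score']} "
              f"(delta {entry['delta']}), failed {entry['failed_by_severity']}, "
              f"CCEs {entry['failed_cces']}")
```

Two points worth noticing when reading the output: an `error` result drags the score down just like a `fail`, so a broken check is not silently counted as compliant, and the `notapplicable` banner rule never enters the denominator, so a host is not penalised for rules that do not apply to it. Reporting the delta between runs, and the list of CCEs still failing, is what turns a one-off assessment into the kind of historical, prioritised report the "Practical Tips" slide later asks for.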


OMB Memos
• OMB m09-29: Reporting Instructions for FISMA
• OMB m10-15: Reporting Instructions for FISMA
• OMB m10-19: Fiscal Year 2012 Budget Guidance
• OMB m10-30: Science and Technology Priorities for
  the FY 2012 Budget




CyberScope
• New tool for reporting FISMA compliance status
  for US federal agencies
• An automated process of recording information,
  meant to replace paperwork reporting tools
• Purpose is to save money through automation,
  and increase security through continuous
  monitoring
• Deadline for agencies to begin using the tool is
  Nov 2010
• Additional FISMA dashboard to be released
  spring 2011


OMB m10-30
• Science and Technology Priorities for the FY 2012
  Budget
• “Developing the technologies to protect our
  troops, citizens, and national interests:
  – Support cybersecurity R&D to investigate novel means
    for designing and developing trustworthy
    cyberspace—a system of defensible subsystems that
    operate safely in an environment that is presumed to
    be compromised. Agencies should respond to the call
    in the President’s Cyberspace Policy Review for R&D in
    game-changing technologies, including moving target
    defense strategies, tailored trustworthy spaces, and
    cyber incentives.”


NIST & Continuous Monitoring
• NIST is also publishing guidance on continuous
  monitoring for information security
• Many of these NIST and OMB recommendations
  reflect the 20 Critical Controls
• NIST has released two guides:
  – An FAQ for Continuous Monitoring
  – An updated version of NIST 800-37: Risk
    Management Framework

NASA & Continuous Monitoring
• Defined in NASA Information Technology
  Requirement (NITR) 2810-12
• For NASA, the purpose is for:
  – Configuration Management & Control
  – Security Control Monitoring
  – Status Reporting & Documentation




European Union Security Efforts
(no text content extracted from this slide)

Abu Dhabi (UAE) Security Efforts
(no text content extracted from this slide)

Practical Tips Learned So Far
• The philosophy must be embraced by
  everyone, not just a few engineers
• Don’t prioritize too many priorities; focus
• Strategic tool selection is critical to success
• Automation must be planned from the
  beginning of the project
• Effectiveness comes when we can show
  historical reports to executives


Concluding Thoughts
• Much of what we are doing for enterprise
  defense is not working
• What we need is:
  – Clear, coordinated leadership on the issue
  – Consistent, effective guidance on how to protect
    information assets
  – Metrics that can be used to evaluate an agency’s
    performance
  – Resources to be allocated to the task


Further Questions
• If you have further questions & want to talk more…

• James Tarala
   – E-mail: james.tarala@enclavesecurity.com
   – Twitter: @isaudit, @jamestarala
   – Blog:    http://www.enclavesecurity.com/blogs/

• Resources for further study:
   – CSIS & SANS 20 Critical Controls
   – OMB Memorandum M-10-15 & NIST FAQ
   – NIST Security Content Automation Protocol (SCAP)




Editor's Notes

Slide 2 description: This presentation is for both alumni of the SANS 440 / 566 courses on the 20 Critical Controls and anyone considering implementing these controls in their organizations. Since the first version of the 20 Critical Controls was released, many organizations internationally have been considering implementing these controls as guideposts and metrics for effectively stopping directed attacks. Some organizations have been doing this effectively, others have struggled. This presentation will give case studies of organizations that have implemented these controls, and what they have learned from their implementations about what works and what does not work practically. Not only will the discussion focus on what organizations are doing to implement the controls, but also on what vendors are doing to help automate the controls and the status of resources and projects in the industry. Students will walk away with even more tools to be effective with their implementations.