International CyberSecurity Efforts & the 20 Critical Security Controls




James Tarala
The SANS Institute




Overview of the 20 Critical Controls © James Tarala 2010
Stories from the Headlines




Stories from the Headlines (cont)




Stories from the Headlines (cont)




Examples from the News
• PrivacyRights.org (updated weekly)
• Here are some that are reported (most are not)
• Just a small sample (organization / records breached):
  – Heartland Payment Systems (130+ million – 1/2009)
  – Oklahoma Dept of Human Services (1 million – 4/2009)
  – Oklahoma Housing Finance Agency (225,000 – 4/2009)
  – University of California (160,000 – 5/2009)
  – Network Solutions (573,000 – 7/2009)
  – U.S. Military Veterans Administration (76 million – 10/2009)
  – BlueCross BlueShield Assn. (187,000 – 10/2009)

State of Affairs
• Clearly the bad guys seem to be winning the cybersecurity fight
• While there are bright spots, they are few and far between

• We seem to be getting better at detecting and responding to the threat
• We need to be better at preventing the attacks from occurring in the first place

Question to Answer

In light of all the recent attacks…

What efforts are underway by the US Congress, the current administration, and others to protect cyberspace?

The Present State




European Union Security Efforts




Abu Dhabi (UAE) Security Efforts




US Government Security Efforts
• Initiated a 60 Day Cyber Security Review
• Has discussed appointing a Cyber-Security Czar to oversee national efforts
• New laws have been proposed:
  – The Cybersecurity Act of 2009 (S. 773)
  – United States Information and Communications Enhancement Act of 2009 (S. 921)
  – Personal Data Privacy and Security Act (S. 1490)
  – Data Breach Notification Act (S. 139)

US Military Security Efforts
• Creation of a Central CyberCommand:
  – Referred to as Cybercom
  – To be led by the Director of the National Security Agency (NSA), Lt. Gen. Keith Alexander
  – To be located at Fort Meade
  – Initial operating capacity by Oct 2009 and fully operational by Oct 2010
  – To have both defensive and offensive capabilities
  – Will centrally coordinate all DoD cyber defensive activities

DARPA’s Contribution




Public / Private Partnerships
• There are a number of industry groups also trying to address the issues
• Numerous frameworks have been established, such as:
  – CoBIT
  – IT Assurance Framework (ITAF)
  – ISO 27000 Series
  – IT Baseline Protection Manual
  – Consensus Audit Guidelines / 20 Critical Controls
  – Many, many others

20 Critical Controls
• The twenty key controls
  – 15 subject to automation
  – 5 that are important but cannot be easily automated
• Coordinated by John Gilligan, Alan Paller, and others
• These are the controls that stop known attacks and rapidly identify attacks that are occurring
• Examples – automated inventory, automated configuration validation, etc.

Document Contributors
• Blue team members inside the Department of Defense
• Blue team members who provide services for non-DoD government agencies
• Red & blue teams at the US National Security Agency
• US-CERT and other non-military incident response teams
• DoD Cyber Crime Center (DC3)
• Military investigators who fight cyber crime
• The FBI and other police organizations

Document Contributors (2)
• US Department of Energy laboratories
• US Department of State
• Army Research Laboratory
• US Department of Homeland Security
• DoD and private forensics experts
• Red team members in DoD
• The SANS Institute
• Civilian penetration testers
• Federal CIOs and CISOs
• Plus over 100 other collaborators

Information Security Standards
• Presently there are a number of government information security standards available
• But, there are too many to choose from:
  – Individual Corporate / Agency Standards
  – NIST 800-53 / 800-53 A
  – FISMA / DIACAP
  – HIPAA / SOX / GLBA
  – PCI / NERC / CIP
  – 20 Critical Controls / Consensus Audit Guidelines

20 CC Project Guiding Principles

• Defenses should focus on addressing the most common and damaging attack activities occurring today, and those anticipated in the near future.
• Enterprise environments must ensure consistent controls across an enterprise to effectively negate attacks.

Project Guiding Principles (2)
• Defenses should be automated where possible, and periodically or continuously measured using automated measurement techniques where feasible.
• To address current attacks occurring on a frequent basis against numerous organizations, a variety of specific technical activities should be undertaken to produce a more consistent defense.

Why are the Controls Important?
• Cyber security is complex and becoming even more complicated every day
• Organizations are being compromised, even after spending large portions of their budget on infosec
• CIOs & CISOs need prioritized controls to get the most return from their investment
• More controls rarely hurt, but how do we decide which controls to start with?
• It’s critical that we have priorities!

Why are the Controls Important? (2)

• We need agreement between:
  – Inspectors General (IGs – auditors)
  – Operations (sys-admins)
  – Security Engineers
• We need metrics and measurements that everyone can agree to use
• We need to stop people from violating systems & compromising the C-I-A of our data

Concluding Thoughts
• Regardless of who ultimately dictates our national cyber-security strategy, as a country we need:
  – Clear, coordinated leadership on the issue
  – Consistent, effective guidance on how to protect national data assets
  – Metrics that can be used to evaluate an agency’s performance
  – Resources to be allocated to the task

Follow-up Questions?
• If you have additional questions, feel free to contact me at:

• James Tarala
  – James.tarala@enclavesecurity.com
  – http://www.enclavesecurity.com/blogs/
  – Twitter: @isaudit; @jamestarala

Governance fail security failEnclaveSecurity
 
The intersection of cool mobility and corporate protection
The intersection of cool mobility and corporate protectionThe intersection of cool mobility and corporate protection
The intersection of cool mobility and corporate protectionEnclaveSecurity
 
Its time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primerIts time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primerEnclaveSecurity
 
Cyber war or business as usual
Cyber war or business as usualCyber war or business as usual
Cyber war or business as usualEnclaveSecurity
 
Benefits of web application firewalls
Benefits of web application firewallsBenefits of web application firewalls
Benefits of web application firewallsEnclaveSecurity
 

More from EnclaveSecurity (10)

Automating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellAutomating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShell
 
Enterprise PowerShell for Remote Security Assessments
Enterprise PowerShell for Remote Security AssessmentsEnterprise PowerShell for Remote Security Assessments
Enterprise PowerShell for Remote Security Assessments
 
An Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsAn Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security Assessments
 
An Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsAn Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security Assessments
 
Information Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementInformation Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to Measurement
 
Governance fail security fail
Governance fail security failGovernance fail security fail
Governance fail security fail
 
The intersection of cool mobility and corporate protection
The intersection of cool mobility and corporate protectionThe intersection of cool mobility and corporate protection
The intersection of cool mobility and corporate protection
 
Its time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primerIts time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primer
 
Cyber war or business as usual
Cyber war or business as usualCyber war or business as usual
Cyber war or business as usual
 
Benefits of web application firewalls
Benefits of web application firewallsBenefits of web application firewalls
Benefits of web application firewalls
 

Recently uploaded

Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 

Recently uploaded (20)

Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 

Overview of the 20 critical controls

  • 1. International CyberSecurity Efforts & the 20 Critical Security Controls. James Tarala, The SANS Institute. Overview of the 20 Critical Controls © James Tarala 2010
  • 2. Stories from the Headlines
  • 3. Stories from the Headlines (cont)
  • 4. Stories from the Headlines (cont)
  • 5. Examples from the News
    • PrivacyRights.org (updated weekly)
    • Here are some that are reported (most are not)
    • Just a small sample (organization/records breached):
      – Heartland Payment Systems (130+ million – 1/2009)
      – Oklahoma Dept of Human Services (1 million – 4/2009)
      – Oklahoma Housing Finance Agency (225,000 – 4/2009)
      – University of California (160,000 – 5/2009)
      – Network Solutions (573,000 – 7/2009)
      – U.S. Military Veterans Administration (76 million – 10/2009)
      – BlueCross BlueShield Assn. (187,000 – 10/2009)
  • 6. State of Affairs
    • Clearly the bad guys seem to be winning the cybersecurity fight
    • While there are bright spots, they are few and far between
    • We seem to be getting better at detecting and responding to the threat
    • We need to be better at preventing the attacks from occurring in the first place
  • 7. Question to Answer
    • In light of all the recent attacks… What efforts are underway by the US Congress, the current administration, and others to protect cyberspace?
  • 8. The Present State
  • 9. European Union Security Efforts
  • 10. Abu Dhabi (UAE) Security Efforts
  • 11. US Government Security Efforts
    • Initiated a 60 Day Cyber Security Review
    • Has discussed appointing a Cyber-Security Czar to oversee national efforts
    • New Laws have been proposed:
      – The Cybersecurity Act of 2009 (S. 773)
      – United States Information and Communications Enhancement Act of 2009 (S. 921)
      – Personal Data Privacy and Security Act (S. 1490)
      – Data Breach Notification Act (S. 139)
  • 12. US Military Security Efforts
    • Creation of a Central CyberCommand:
      – Referred to as Cybercom
      – To be led by Director of the National Security Agency (NSA) Lt. Gen. Keith Alexander
      – To be located at Fort Meade
      – Initial operating capacity by Oct 2009 and fully operational by Oct 2010
      – To have both defensive and offensive capabilities
      – Will centrally coordinate all DoD cyber defensive activities
  • 13. DARPA’s Contribution
  • 14. Public / Private Partnerships
    • There are a number of industry groups also trying to address the issues
    • Numerous frameworks have been established, such as:
      – CoBIT
      – IT Assurance Framework (ITAF)
      – ISO 27000 Series
      – IT Baseline Protection Manual
      – Consensus Audit Guidelines / 20 Critical Controls
      – Many, many others
  • 15. 20 Critical Controls
    • The twenty key controls
      – 15 subject to automation
      – 5 that are important but cannot be easily automated
    • Coordinated by John Gilligan, Alan Paller, and others
    • These are the controls that stop known attacks and rapidly identify attacks that are occurring
    • Examples – automated inventory, automated configuration validation, etc.
  • 16. Document Contributors
    • Blue team members inside the Department of Defense
    • Blue team members who provide services for non-DoD government agencies
    • Red & blue teams at the US National Security Agency
    • US-CERT and other non-military incident response teams
    • DoD Cyber Crime Center (DC3)
    • Military investigators who fight cyber crime
    • The FBI and other police organizations
  • 17. Document Contributors (2)
    • US Department of Energy laboratories
    • US Department of State
    • Army Research Laboratory
    • US Department of Homeland Security
    • DoD and private forensics experts
    • Red team members in DoD
    • The SANS Institute
    • Civilian penetration testers
    • Federal CIOs and CISOs
    • Plus over 100 other collaborators
  • 18. Information Security Standards
    • Presently there are a number of government information security standards available
    • But, there are too many to choose from:
      – Individual Corporate / Agency Standards
      – NIST 800-53 / 800-53 A
      – FISMA / DIACAP
      – HIPAA / SOX / GLBA
      – PCI / NERC / CIP
      – 20 Critical Controls / Consensus Audit Guidelines
  • 19. 20 CC Project Guiding Principles
    • Defenses should focus on addressing the most common and damaging attack activities occurring today, and those anticipated in the near future.
    • Enterprise environments must ensure consistent controls across an enterprise to effectively negate attacks.
  • 20. Project Guiding Principles (2)
    • Defenses should be automated where possible, and periodically or continuously measured using automated measurement techniques where feasible.
    • To address current attacks occurring on a frequent basis against numerous organizations, a variety of specific technical activities should be undertaken to produce a more consistent defense.
  • 21. Why are the Controls Important?
    • Cyber security is complex and becoming even more complicated every day
    • Organizations are being compromised, even after spending large portions of their budget on infosec
    • CIOs & CISOs need prioritized controls to get the most return from their investment
    • More controls rarely hurt, but how do we decide which controls to start with?
    • It’s critical that we have priorities!
  • 22. Why are the Controls Important? (2)
    • We need agreement between:
      – Inspector Generals (IGs – auditors)
      – Operations (sys-admins)
      – Security Engineers
    • We need metrics and measurements that everyone can agree to use
    • We need to stop people from violating systems & compromising the C-I-A of our data
  • 23. Concluding Thoughts
    • Regardless of who ultimately dictates our national cyber-security strategy, as a country we need:
      – Clear, coordinated leadership on the issue
      – Consistent, effective guidance on how to protect national data assets
      – Metrics that can be used to evaluate an agency’s performance
      – Resources to be allocated to the task
  • 24. Follow up Questions?
    • If you have additional questions, feel free to contact me at:
    • James Tarala
      – James.tarala@enclavesecurity.com
      – http://www.enclavesecurity.com/blogs/
      – Twitter: @isaudit; @jamestarala