Overview of the 20 critical controls
- 2. Stories from the Headlines
Overview of the 20 Critical Controls © James Tarala 2010
- 3. Stories from the Headlines (cont)
- 4. Stories from the Headlines (cont)
- 5. Examples from the News
• PrivacyRights.org (updated weekly)
• Here are some that are reported (most are not)
• Just a small sample (organization/records breached):
– Heartland Payment Systems (130+ million – 1/2009)
– Oklahoma Dept of Human Services (1 million – 4/2009)
– Oklahoma Housing Finance Agency (225,000 – 4/2009)
– University of California (160,000 – 5/2009)
– Network Solutions (573,000 – 7/2009)
– U.S. Military Veterans Administration (76 million – 10/2009)
– BlueCross BlueShield Assn. (187,000 – 10/2009)
- 6. State of Affairs
• Clearly the bad guys seem to be winning the cybersecurity fight
• While there are bright spots, they are few and far between
• We seem to be getting better at detecting and responding to the threat
• We need to be better at preventing the attacks from occurring in the first place
- 7. Question to Answer
In light of all the recent attacks… What efforts are underway by the US Congress, the current administration, and others to protect cyberspace?
- 10. Abu Dhabi (UAE) Security Efforts
- 11. US Government Security Efforts
• Initiated a 60 Day Cyber Security Review
• Has discussed appointing a Cyber-Security Czar to oversee national efforts
• New laws have been proposed:
– The Cybersecurity Act of 2009 (S. 773)
– United States Information and Communications Enhancement Act of 2009 (S. 921)
– Personal Data Privacy and Security Act (S. 1490)
– Data Breach Notification Act (S. 139)
- 12. US Military Security Efforts
• Creation of a Central CyberCommand:
– Referred to as Cybercom
– To be led by Director of the National Security Agency (NSA) Lt. Gen. Keith Alexander
– To be located at Fort Meade
– Initial operating capacity by Oct 2009 and fully operational by Oct 2010
– To have both defensive and offensive capabilities
– Will centrally coordinate all DoD cyber defensive activities
- 14. Public / Private Partnerships
• There are a number of industry groups also trying to address the issues
• Numerous frameworks have been established, such as:
– CoBIT
– IT Assurance Framework (ITAF)
– ISO 27000 Series
– IT Baseline Protection Manual
– Consensus Audit Guidelines / 20 Critical Controls
– Many, many others
- 15. 20 Critical Controls
• The twenty key controls
– 15 subject to automation
– 5 that are important but cannot be easily automated
• Coordinated by John Gilligan, Alan Paller, and others
• These are the controls that stop known attacks and rapidly identify attacks that are occurring
• Examples – automated inventory, automated configuration validation, etc.
- 16. Document Contributors
• Blue team members inside the Department of Defense
• Blue team members who provide services for non-DoD government agencies
• Red & blue teams at the US National Security Agency
• US-CERT and other non-military incident response teams
• DoD Cyber Crime Center (DC3)
• Military investigators who fight cyber crime
• The FBI and other police organizations
- 17. Document Contributors (2)
• US Department of Energy laboratories
• US Department of State
• Army Research Laboratory
• US Department of Homeland Security
• DoD and private forensics experts
• Red team members in DoD
• The SANS Institute
• Civilian penetration testers
• Federal CIOs and CISOs
• Plus over 100 other collaborators
- 18. Information Security Standards
• Presently there are a number of government information security standards available
• But, there are too many to choose from:
– Individual Corporate / Agency Standards
– NIST 800-53 / 800-53 A
– FISMA / DIACAP
– HIPAA / SOX / GLBA
– PCI / NERC / CIP
– 20 Critical Controls / Consensus Audit Guidelines
- 19. 20 CC Project Guiding Principles
• Defenses should focus on addressing the most common and damaging attack activities occurring today, and those anticipated in the near future.
• Enterprise environments must ensure consistent controls across an enterprise to effectively negate attacks.
- 20. Project Guiding Principles (2)
• Defenses should be automated where possible, and periodically or continuously measured using automated measurement techniques where feasible.
• To address current attacks occurring on a frequent basis against numerous organizations, a variety of specific technical activities should be undertaken to produce a more consistent defense.
- 21. Why are the Controls Important?
• Cyber security is complex and becoming even more complicated every day
• Organizations are being compromised, even after spending large portions of their budget on infosec
• CIOs & CISOs need prioritized controls to get the most return from their investment
• More controls rarely hurt, but how do we decide which controls to start with?
• It’s critical that we have priorities!
- 22. Why are the Controls Important? (2)
• We need agreement between:
– Inspectors General (IGs – auditors)
– Operations (sys-admins)
– Security Engineers
• We need metrics and measurements that everyone can agree to use
• We need to stop people from violating systems & compromising the C-I-A of our data
- 23. Concluding Thoughts
• Regardless of who ultimately dictates our national cyber-security strategy, as a country we need:
– Clear, coordinated leadership on the issue
– Consistent, effective guidance on how to protect national data assets
– Metrics that can be used to evaluate an agency’s performance
– Resources to be allocated to the task
- 24. Follow up Questions?
• If you have additional questions, feel free to contact me at:
• James Tarala
– James.tarala@enclavesecurity.com
– http://www.enclavesecurity.com/blogs/
– Twitter: @isaudit; @jamestarala