Recent Changes to the 20 Critical Controls:
Updates and Philosophies (v.3)

James Tarala, Enclave Security
Information Security Standards
• Presently there are a number of information
  security standards available
• But, there are too many to choose from:
  – Individual Corporate / Agency Standards
  – NIST 800-53 / 800-53 A
  – FISMA / DIACAP
  – HIPAA / SOX / GLBA
  – PCI / NERC / CIP
  – 20 Critical Controls / Consensus Audit Guidelines



            The Consensus Audit Guidelines © Enclave Security 2010
One Option: 20 Critical Controls
• Developed as a tool for organizations
  responsible for NIST 800-53
• Priorities for which controls will make the
  most impact to stop dedicated attackers
• Written in response to compromised US
  government agencies & contractors
• Collaborative effort by over 100 different
  government, military, & civilian experts
CSIS & The SANS Institute
• The controls are a collaboration between the Center
  for Strategic & International Studies, the SANS
  Institute & other entities
• CSIS began engaging cyber security issues at the
  beginning of the Obama administration
• Updates to the controls are a collaboration between
  individuals at each of these groups




          Recent Changes to the 20 Critical Controls © Enclave Security 2011
Project Guiding Principles
• Defenses should focus on
  addressing the most common
  and damaging attack activities
  occurring today, and those
  anticipated in the near future.
• Enterprise environments must
  ensure consistent controls across
  an enterprise to effectively
  negate attacks.
Project Guiding Principles (2)
• Defenses should be automated
  where possible, and periodically or
  continuously measured using
  automated measurement techniques
  where feasible.
• To address current attacks occurring
  on a frequent basis against numerous
  organizations, a variety of specific
  technical activities should be
  undertaken to produce a more
  consistent defense.
Project Guiding Principles (3)
• Root cause problems must be
  fixed in order to ensure the
  prevention or timely detection of
  attacks.
• Metrics should be established
  that facilitate common ground
  for measuring the effectiveness
  of security measures, providing a
  common language to
  communicate about risk.

Why are the Controls Important?
• Cyber security is complex and becoming even
  more complicated every day
• Organizations are being compromised, even after
  spending large portions of their budget on
  infosec
• CIOs & CISOs need prioritized controls to get the
  most return from their investment
• More controls rarely hurt, but how do we decide
  which controls to start with?
• It’s critical that we have priorities!
Why are the Controls Important? (2)
• We need agreement between:
  – Inspector Generals (IGs – auditors)
  – Operations (sys-admins)
  – Security Engineers
• We need metrics and measurements that
  everyone can agree to use
• We need to stop people from violating
  systems & compromising the C-I-A of our data
Categories of Sub-Controls
• Quick Wins (QW)
• Improved Visibility and
  Attribution (Vis/Attrib)
• Hardened Configuration
  and Improved Information
  Security Hygiene
  (Config/Hygiene)
• Advanced (Adv)
Document Contributors
• Blue team members inside the Department of Defense
• Blue team members who provide services for non-DoD
  government agencies
• Red & blue teams at the US National Security Agency
• US-CERT and other non-military incident response
  teams
• DoD Cyber Crime Center (DC3)
• Military investigators who fight cyber crime
• The FBI and other police organizations
• US Department of Energy laboratories
Document Contributors (2)
• US Department of State
• Army Research Laboratory
• US Department of Homeland Security
• DoD and private forensics experts
• Red team members in DoD
• The SANS Institute
• Civilian penetration testers
• Federal CIOs and CISOs
• Plus over 100 other collaborators
Revision History
• Version 1.0 – Original rough draft of controls
• Version 2.0 – Major revision of sub controls
  based on community & agency feedback
• Version 2.1 – Minor revision of sub controls
  based on community & agency feedback
• Version 2.3 – Addition of metrics & core
  evaluation methodologies
• Version 3.0 – Minor revision of sub controls &
  addition of standards mappings & sensors
• Version 3.1 – Reordering of controls based on
  priority of controls
Updates to Version 3.0
In this version the following updates were
performed:
  – Minor updates to sub controls based on threat
    assessments & feedback
  – Re-classification of controls
  – Addition of mappings to additional standards
    (Australian DSD, NSA MNP & ISO 27000)
  – Addition of sensors for automated data collection
Edits to Sub Controls
• A number of sub controls were either added to
  or removed from the controls based on current
  threats
• For example:
  – “All remote administration of servers, workstations,
    network devices, and similar equipment shall be
    done over secure channels (control 3).”
  – “Network-based IPS devices should be deployed
    to complement IDS by blocking known bad
    signatures or behavior of attacks (control 5).”
Re-Classification of Controls
• In addition to new or edited sub controls,
  many of the controls were re-classified
• In most cases controls were lowered from
  “Advanced” to “Config-Hygiene” or
  “Vis-Attrib”
• For example in Control 6:
  – “Organizations should deploy a SIEM system tool
    for log aggregation and consolidation from
    multiple machines and for log correlation and
    analysis.”
Addition of “Sensors”
• Sensors = Tools to measure the effectiveness of
  the implementation of a control
• For example in Control 3:
  – Sensor: File integrity software
  – Measurement: File integrity monitoring software is
    deployed on servers as a part of the base
    configuration. Centralized solutions are preferred over
    stand-alone solutions.
  – Score: 50 percent awarded for using a solution with a
    central monitoring/reporting component. The
    remaining 50 percent is based on the percentage of
    servers on which the solution is deployed.
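The Control 3 sensor above is a scoring rubric, and the point of the "sensors" addition is that such rubrics can be evaluated automatically from inventory data. The following script is an added example, not code from the presentation or from SANS/CSIS: it applies the rubric (50 points if the deployed solution has a central monitoring/reporting component, the remaining 50 points scaled by the fraction of servers covered) to a constructed, hypothetical server inventory, and also returns the uncovered hosts so the metric drives remediation rather than just a number. The `ServerRecord` fields and the sample hostnames are assumptions for illustration; the deck itself does not define an inventory format.

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class ServerRecord:
    """One server from an asset inventory (hypothetical schema, not from the deck)."""
    hostname: str
    fim_deployed: bool            # file integrity monitoring agent present
    fim_reports_centrally: bool   # agent reports to a central console rather than stand-alone


# Constructed sample inventory for the example; these hosts are not real.
SAMPLE_INVENTORY: List[ServerRecord] = [
    ServerRecord("web-01", fim_deployed=True, fim_reports_centrally=True),
    ServerRecord("web-02", fim_deployed=True, fim_reports_centrally=True),
    ServerRecord("db-01", fim_deployed=True, fim_reports_centrally=False),  # stand-alone FIM
    ServerRecord("app-01", fim_deployed=False, fim_reports_centrally=False),
    ServerRecord("app-02", fim_deployed=False, fim_reports_centrally=False),
]


def fim_sensor_score(inventory: Iterable[ServerRecord]) -> float:
    """Score the Control 3 file-integrity sensor per the rubric in the deck.

    50 points are awarded when the deployed solution has a central
    monitoring/reporting component (interpreted here as: at least one
    deployed agent reports centrally), and the remaining 50 points are
    scaled by the percentage of servers on which FIM is deployed.
    An empty inventory scores 0: there is nothing to measure, so no credit.
    """
    servers = list(inventory)
    if not servers:
        return 0.0
    deployed = [s for s in servers if s.fim_deployed]
    central_points = 50.0 if any(s.fim_reports_centrally for s in deployed) else 0.0
    coverage = len(deployed) / len(servers)
    return central_points + 50.0 * coverage


def uncovered_servers(inventory: Iterable[ServerRecord]) -> List[str]:
    """Hosts with no FIM agent: the remediation list the score should drive."""
    return sorted(s.hostname for s in inventory if not s.fim_deployed)


if __name__ == "__main__":
    print(f"Control 3 FIM sensor score: {fim_sensor_score(SAMPLE_INVENTORY):.1f}")
    print("Servers missing FIM:", ", ".join(uncovered_servers(SAMPLE_INVENTORY)))
```

With the constructed inventory, three of five servers have FIM (30 of the coverage points) and one of them reports to a central console (the full 50 central points), giving 80.0. Re-running the same function after each inventory refresh is the "periodically or continuously measured" part of the guiding principles.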
US Dept of State iPost
• Used to protect OpenNet, the DoS Sensitive But
  Unclassified (SBU) network
• Consists of 5,000 routers and switches, and more
  than 40,000 hosts
• The Risk Scoring program at DoS evolved in three
  separate stages.
  – Deployment of Enterprise management tools
  – Delivery of operational data to the field in an
    integrated application, iPost
  – Establishment of a risk scoring program
Sample iPost Reporting
iPost Data Feeds
Additional Standards Mapping
• In version 3.0 and later additional mappings
  were added between the 20 CC and other
  industry or government standards
• Specifically, the controls are now mapped to:
  – NIST 800-53
  – US NSA Manageable Network Plan (MNP)
  – Australian DSD Top 35 Mitigation Strategies
  – ISO 27000 Series
Updates to Version 3.1
• In this version the following updates were
  performed:
  – A great deal of feedback on the controls was
    gathered from the experiences of the Australian DSD
  – The 20 Controls were reordered based on
    priorities, the value of each control & risk levels
Australian Top 35
• Australian Top 35 Mitigation Strategies, Australian
  Department of Defence
• Defensive controls to block over 85% of attacks
  directed against their systems
• The Top 35 Mitigation Strategies are ranked in order
  of overall effectiveness
• Rankings are based on DSD’s analysis of reported
  security incidents and vulnerabilities detected by
  DSD
 http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm
New Prioritized Control Order
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Device Control
8. Data Recovery Capability (validated manually)
9. Security Skills Assessment and Appropriate Training to Fill Gaps (validated manually)
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
New Prioritized Control Order (2)
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Security Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Loss Prevention
18. Incident Response Capability (validated manually)
19. Secure Network Engineering (validated manually)
20. Penetration Tests and Red Team Exercises (validated manually)
Other Projects to Watch
• Security Content Automation Protocol (SCAP)
• Continuous Monitoring Efforts
  – NASA
  – CyberScope & FISMA Reporting
  – US Office of Management & Budget (OMB)
• International Government Efforts
  – United Arab Emirates (UAE)
  – European Union
  – Australian Department of Defence
In Summary
• There have been numerous changes to the controls,
  but the philosophies remain the same
• Regardless of whether you follow the 20 CC, each organization
  needs a strategy for defense
• Be aware of the changing threat landscape and have
  a plan for preventing future attacks
• Organizations need to set priorities for system and
  data defense; the 20 CC are one good option
• Watch for more changes to come
Further Questions
• James Tarala
   – E-mail: james.tarala@enclavesecurity.com
   – Twitter: @isaudit, @jamestarala
   – Blog:    http://www.enclavesecurity.com/blogs/

• Resources for further study:
   – The 20 Critical Controls:
       (http://www.sans.org/critical-security-controls/)
   – SANS Security 566: Implementing and Auditing the Twenty
     Critical Security Controls - In-Depth

Editor's Notes

  • #2 The SANS Institute, in collaboration with the Center for Strategic and International Studies (CSIS), has recently released updates to the 20 Critical Controls / Consensus Audit Guidelines. These updates are based on industry changes and new attack signatures collected over the previous 18 months from those directly involved on the front lines of stopping targeted cyber-attacks. This presentation will share details on the changes in the most recent version of the controls and share insights into the development of the controls and future evolutions, along with practical tips collected from organizations actively involved in implementing these controls.