Solving the CIO’s Cybersecurity Dilemma: 20 Critical Controls for Effective Cyber Defense. a presentation by John M. Gilligan at the National Summit on Planning and Implementing the 20 Critical Controls, held in November 2009.
The SANS Institute, in collaboration with the Center for Strategic and International Studies (CSIS) have recently released updates to the 20 Critical Controls / Consensus Audit Guidelines. These updates are based on industry changes and new attack signatures which have been collected over the previous 18 months from those directly involved on the front lines of stopping targeted cyber-attacks. This presentation will share details on the changes to the most recent version of the controls and share insights into the development of the controls, future evolutions, along with practical tips collected from organizations actively involved in implementing these controls.
The SANS Institute, in collaboration with the Center for Strategic and International Studies (CSIS) have recently released updates to the 20 Critical Controls / Consensus Audit Guidelines. These updates are based on industry changes and new attack signatures which have been collected over the previous 18 months from those directly involved on the front lines of stopping targeted cyber-attacks. This presentation will share details on the changes to the most recent version of the controls and share insights into the development of the controls, future evolutions, along with practical tips collected from organizations actively involved in implementing these controls.
More practical insights on the 20 critical controlsEnclaveSecurity
This presentation is for both alumni of the SANS 440 / 566 courses on the 20 Critical Controls and anyone considering implementing these controls in their organizations. Since the first version of the 20 Critical Controls were released, many organizations internationally have been considering implementing these controls as guideposts and metrics for effectively stopping directed attacks. Some organizations have been doing this effectively, others have struggled. This presentation will give case studies of organizations that have implemented these controls, what they have learned from their implementations about what works and what does not work practically. Not only will the discussion focus around what organizations are doing to implement the controls, but also what vendors are doing to help automate the controls and the status of resources and projects in the industry. Students will walk away with even more tools to be effective with their implementations.
Information Assurance Metrics: Practical Steps to MeasurementEnclaveSecurity
Show up to a security presentation, walk away with a specific action plan. In this presentation, James Tarala, a senior instructor with the SANS Institute, will be presenting on making specific plans for information assurance metrics in an organization. Clearly this is an industry buzzword at the moment when you listen to presentations on the 20 Critical Controls, NIST guidance, or industry banter). Security professionals have to know that their executives are discussing the idea. So exactly how do you integrate information assurance metrics into action in an organization and actually achieve value from the effort. Learn what efforts are currently underway in the industry to create consensus metrics guides and what initial steps an organization can take to start measuring the effectiveness of their security program. Small steps are better than no steps, and by the end of this presentation, students will have a start integrating metrics into their information assurance program.
Developing a Continuous Monitoring Action PlanTripwire
At the direction of OMB and NIST, security and IT pros in federal government must develop plans to implement "continuous monitoring," the practice of using IT security controls to constantly monitor and manage the security status of their information systems and networks. The transition from static security to continuous monitoring requires a new approach to IT security, and IT teams must devise a strategy and roadmap to be successful.
In this editorial Webcast, cybersecurity experts will help discuss the tools and processes involved in moving from a traditional security environment to one designed around continuous monitoring. This Webcast will help government IT pros:
Understand the objectives of continuous monitoring, such as reduced threat exposure through real time risk assessment and response.
Identify the steps involved, including determining the security impact of changes to IT systems and producing assessment reports.
Assess system requirements in areas such as malware detection and event and incident management.
Determine the need for upgrades and investment in new technologies.
Extending the 20 critical security controls to gap assessments and security m...John M. Willis
Extending the 20 critical security controls to gap assessments and security maturity modeling.
Specifically, the controls are decomposed into Base Practices from a Process perspective.
Implementation approaches are viewed from a Robustness perspective.
Utilizing the Critical Security Controls to Secure Healthcare TechnologyEnclaveSecurity
The development of the Critical Security Controls is transforming the way companies measure and monitor the success of their security programs while drastically reducing the cost of security. Fifteen of the twenty controls can be automated, some at limited cost to the organization, and the data is readily available to be presented in conference rooms and board rooms. Upon implementing, hospitals will have the ability to measure compliance, track progress, and know when they’ve reached certain goals.
They were developed and agreed upon by a consortium including NSA, US Cert, DoD JTF-GNO, the Department of Energy Nuclear Laboratories, Department of State, DoD Cyber Crime Center as well as the top commercial forensics experts and pen testers serving the banking and critical infrastructure communities. Since the US State Department implemented these controls they have demonstrated “more than 80% reduction in ‘measured’ security risk through the rigorous automation and measurement of the Top 20 Controls.”
System Security Plans are part of the required documentation for certification and accreditation package. Documenting your SSP can be a daunting task, so how can you make it easy? This overview session covers; who is responsible for the SSP, plan contents, overview of implementation detail for selected controls, flexibility of the SSP, plan maintenance issues, and what a SSP is not
"Backoff" Malware: How to Know If You're InfectedTripwire
The US-CERT organization recently updated its Alert TA14-212A, which warns that Point-of-Sale (POS) memory-scraping malware has been found in 3 separate forensic investigations. The Secret Service estimates over 1000+ businesses of all types that accept credit card transactions may be affected. Most may not know it yet.
Join us to learn key “Indicators of Compromise” (IOCs) for Backoff, and what you can do about it.
Achieving Continuous Monitoring with Security AutomationTripwire
This presentation provides:
An overview of continuous monitoring
Discusses federal requirements for continuing monitoring
Explains why it is critical for risk mitigation
Describes an effective continuous monitoring strategy that brings together data from different security controls in one place
Watch the webcast here: http://www.tripwire.com/register/achieving-continuous-monitoring-easily-with-security-automation/
More practical insights on the 20 critical controlsEnclaveSecurity
This presentation is for both alumni of the SANS 440 / 566 courses on the 20 Critical Controls and anyone considering implementing these controls in their organizations. Since the first version of the 20 Critical Controls were released, many organizations internationally have been considering implementing these controls as guideposts and metrics for effectively stopping directed attacks. Some organizations have been doing this effectively, others have struggled. This presentation will give case studies of organizations that have implemented these controls, what they have learned from their implementations about what works and what does not work practically. Not only will the discussion focus around what organizations are doing to implement the controls, but also what vendors are doing to help automate the controls and the status of resources and projects in the industry. Students will walk away with even more tools to be effective with their implementations.
Information Assurance Metrics: Practical Steps to MeasurementEnclaveSecurity
Show up to a security presentation, walk away with a specific action plan. In this presentation, James Tarala, a senior instructor with the SANS Institute, will be presenting on making specific plans for information assurance metrics in an organization. Clearly this is an industry buzzword at the moment when you listen to presentations on the 20 Critical Controls, NIST guidance, or industry banter). Security professionals have to know that their executives are discussing the idea. So exactly how do you integrate information assurance metrics into action in an organization and actually achieve value from the effort. Learn what efforts are currently underway in the industry to create consensus metrics guides and what initial steps an organization can take to start measuring the effectiveness of their security program. Small steps are better than no steps, and by the end of this presentation, students will have a start integrating metrics into their information assurance program.
Developing a Continuous Monitoring Action PlanTripwire
At the direction of OMB and NIST, security and IT pros in federal government must develop plans to implement "continuous monitoring," the practice of using IT security controls to constantly monitor and manage the security status of their information systems and networks. The transition from static security to continuous monitoring requires a new approach to IT security, and IT teams must devise a strategy and roadmap to be successful.
In this editorial Webcast, cybersecurity experts will help discuss the tools and processes involved in moving from a traditional security environment to one designed around continuous monitoring. This Webcast will help government IT pros:
Understand the objectives of continuous monitoring, such as reduced threat exposure through real time risk assessment and response.
Identify the steps involved, including determining the security impact of changes to IT systems and producing assessment reports.
Assess system requirements in areas such as malware detection and event and incident management.
Determine the need for upgrades and investment in new technologies.
Extending the 20 critical security controls to gap assessments and security m...John M. Willis
Extending the 20 critical security controls to gap assessments and security maturity modeling.
Specifically, the controls are decomposed into Base Practices from a Process perspective.
Implementation approaches are viewed from a Robustness perspective.
Utilizing the Critical Security Controls to Secure Healthcare TechnologyEnclaveSecurity
The development of the Critical Security Controls is transforming the way companies measure and monitor the success of their security programs while drastically reducing the cost of security. Fifteen of the twenty controls can be automated, some at limited cost to the organization, and the data is readily available to be presented in conference rooms and board rooms. Upon implementing, hospitals will have the ability to measure compliance, track progress, and know when they’ve reached certain goals.
They were developed and agreed upon by a consortium including NSA, US Cert, DoD JTF-GNO, the Department of Energy Nuclear Laboratories, Department of State, DoD Cyber Crime Center as well as the top commercial forensics experts and pen testers serving the banking and critical infrastructure communities. Since the US State Department implemented these controls they have demonstrated “more than 80% reduction in ‘measured’ security risk through the rigorous automation and measurement of the Top 20 Controls.”
System Security Plans are part of the required documentation for certification and accreditation package. Documenting your SSP can be a daunting task, so how can you make it easy? This overview session covers; who is responsible for the SSP, plan contents, overview of implementation detail for selected controls, flexibility of the SSP, plan maintenance issues, and what a SSP is not
"Backoff" Malware: How to Know If You're InfectedTripwire
The US-CERT organization recently updated its Alert TA14-212A, which warns that Point-of-Sale (POS) memory-scraping malware has been found in 3 separate forensic investigations. The Secret Service estimates over 1000+ businesses of all types that accept credit card transactions may be affected. Most may not know it yet.
Join us to learn key “Indicators of Compromise” (IOCs) for Backoff, and what you can do about it.
Achieving Continuous Monitoring with Security AutomationTripwire
This presentation provides:
An overview of continuous monitoring
Discusses federal requirements for continuing monitoring
Explains why it is critical for risk mitigation
Describes an effective continuous monitoring strategy that brings together data from different security controls in one place
Watch the webcast here: http://www.tripwire.com/register/achieving-continuous-monitoring-easily-with-security-automation/
In today’s business environment, organizations have a responsibility to their employees, clients, and customers to ensure the confidentiality, integrity and availability of the critical data that is entrusted to them. Every network is vulnerable to some form of attack. However it is not enough to simply confirm that a technical vulnerability exists and implement countermeasures; it is critical to repeatedly verify that the countermeasures are in place and working properly throughout the secured network. During this webinar, David Hammarberg, Principal, IT Director, and leader of McKonly & Asbury’s Cybersecurity Practice will be joined by Partner, Michael Hoffner and they will lead a discussion on a Cybersecurity Risk Management Program including what it is and how it can prepare your organization for the future.
Information technology is a complex business, at best. While IT can provide amazing benefits, it still requires vigilance and diligence to ensure it is running correctly and that it is secure. A security framework can be an excellent tool to evaluate what you might be missing and confirm that what you are already doing is spot-on correct. This session will discuss the importance of using security frameworks and walk attendees through the NIST Cyber Security Framework to review how the framework functions, how to use a framework, and most importantly, how the use of a framework can and will benefit their organization.
Cybersecurity Assurance at CloudSec 2015 Kuala LumpurAlan Yau Ti Dun
"Like any information security processes, there should be an adequate and"
"reasonable level of assurance for cyber security, which completes the security perspective when combined with governance and management processes. Cyber security assurance requires a comprehensive set of controls that covers risk as well as management processes."
"These controls are supported by appropriate metrics and indicators for"
"security goals and factual security risk. This session will share the cybesecurity self assessment program in carrying out an audit or self- assessment review on cyber security controls and practices in a typical organisation. This assurance program will leverage on COBIT 5 framework"
"and COBIT 5 for Information Security as a baseline."
How to Perform Continuous Vulnerability ManagementIvanti
Without treating security as an ongoing process, hackers will find, weaponize, deploy, and attack your infrastructure faster than your team can patch. At the same time, the experience of your IT team working with the security group is frustrating and leads to many, many hours of manual work. Learn how to stay ahead of the bad guys and improve the experience for your team with continuous vulnerability management.
Definitive Security Testing Checklist Shielding Your Applications against Cyb...Knoldus Inc.
The protection of applications against cyber threats is paramount. With hackers becoming increasingly sophisticated, organizations must prioritize robust security testing practices. In this informative session, we will unveil a comprehensive security testing checklist designed to fortify your applications against potential vulnerabilities and attacks.
Stop Chasing the Version: Compliance with CIPv5 through CIPv99 Tripwire
For many energy companies, readying for compliance with the latest version of NERC Critical Infrastructure Protection (CIP) standards, whether they be v5, v6, v7 or beyond is not the first priority – delivering reliable energy to the BES is. So, how does a company deal not only with the impending changes of CIP v5, but do so in a manner that best positions them for compliance with future versions and secures their cyber environment?
Join our live webcast on Thursday February 5 to hear from ICF, Tripwire, and AssurX industry experts who are helping organizations already grappling with the new and upcoming CIP requirements, implementing a risk based approach, the steps they are taking to get ahead of the curve, and addressing the uncertainty.
Key Takeaways - Regarding Readiness for NERC CIPv5 (and beyond):
•Best approaches for achieving compliance in a changing environment. (i.e. v5, v6, v7).
•How to save time, resources, and achieve automation with practical guidance on compliance efforts for current and future CIP requirements.
•Practical highlights and key controls from those already working on the most pressing issues.
Understanding Technology Stakeholders: Their Progress and Challenges, a presentation by John M. Gilligan at the Department of Homeland Security Software Assurance Conference, held in November 2009.
Cyber Security: Past and Future, a presentation by John M. Gilligan at CERT's 20th Anniversary Technology Symposium, held in March 2009 in Pittsburgh, PA.
Ensuring Effective Security The CIOs Dilemma 11 17 08John Gilligan
The Consensus Audit Guidelines Project is a joint effort, by a broadly-based group of security and audit experts inside and outside government, to identify the core elements of security programs that (1) are essential because they can actually block or mitigate attacks that are hitting federal systems, (2) can be measured in a reliable way so that executives can rely on the conclusions.
Cyber Security - the 21st Century DomainJohn Gilligan
John Gilligan gave a presentation at the Common Defense 2008 Conference, held in Washington, DC at the National Press Club. His presentation was titled, "Cyber Security - the 21st Century Domain."
The Consensus Audit Guidelines is a collaborative effort between industry and government to identify the most critical security controls to defending our Nation’s cyber systems from attacks.
How much security is enough..and where should investments be applied? John Gilligan thinks it is time to require that IT vendors deliver “locked down” configurations and employ standards as well as automated tools to “enforce” continued security compliance.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
1. Solving the CIO’s Cybersecurity Dilemma:
20 Critical Controls for Effective Cyber Defense
John M. Gilligan
www.gilligangroupinc.com
National Summit on Planning and Implementing the
20 Critical Controls
November 12, 2009
2. Topics
• Background
• Philosophy and Approach for the “20 Critical
Controls”
• Control Examples and List of Controls
• Relationship of 20 Critical Controls to FISMA
• Recommendations
• Final thoughts
2
3. A CIO’s Environment
• We are in a cyber “war” and are losing badly!
• The IT industry has produced an inherently
unsecure environment—total is security not
achievable
• CIO mandates exceed time and resources
available
• Cyber security is an enormously complex
challenge—there are very few true experts
It is time for CIOs and CISOs to focus on ways to make
real and measurable improvements in security 3
4. The Challenge
• CIOs/CISOs can lead global change
• In the near-term, we must focus and measure
progress
• Automation of security control implementation
and continuous assessment is essential
• A well managed system is a harder target to
attack and costs less to operate
4
CIOs/CISOs must take the lead in fighting the cyber war
5. FISMA Was Well Intended; What is Not Working??
• Original intent was good:
– Ensure effective controls
– Improve oversight of security programs
– Provide for independent evaluation
• Implementation took us off course
– Agencies unable to adequately assess cyber risks
– (Lots of) NIST “guidance” became mandatory
– No auditable basis for independent evaluation
– Grading became overly focused on paperwork
5
Bottom Line: OMB mandates and paperwork debates has distracted
CIOs/CISOs from achieving real security improvements
6. Analogy of Current Cybersecurity Approach
• An ambulance shows up at a hospital emergency
room with a bleeding patient
• Hospital takes a detailed medical history, gives
inoculations for seasonal flu, swine flu, tetanus,
shingles, and vaccination updates
• Hospital tests for communicable diseases, high blood
pressure, sends blood sample for cholesterol check,
gives eye exam, checks hearing, etc.
• At some point, a nurse’s aid` inquires about the red
fluid on the floor
6
Implementation of FISMA has Resulted in a Checklist
Approach: Not A Focus on Biggest Cyber Threats/Risks!
7. Meanwhile, the patient is
bleeding to death!!
7
We Need Cybersecurity Triage—
Not Comprehensive Medical Care
8. An “Aha” Moment!
• Scene: 2002 briefing by NSA regarding latest
penetration assessment of DoD systems
• Objective: Embarrass DoD CIOs for failure to provide
adequate security.
• Subplot: If CIOs patch/fix current avenues of
penetration, NSA would likely find others
• Realization: Let’s use NSA’s offensive capabilities to
guide security investments
8
Let “Offense Inform Defense”!
9. “20 Critical Controls”: The Philosophy
• Assess cyber attacks to inform cyber defense –
focus on high risk technical areas first
• Ensure that security investments are focused
to counter highest threats — pick a subset
• Maximize use of automation to enforce
security controls — negate human errors
• Define metrics for critical controls
• Use consensus process to collect best ideas
9
Focus investments by letting cyber offense inform defense
10. Approach for developing 20 Critical Controls
• NSA “Offensive Guys”
• NSA “Defensive Guys”
• DoD Cyber Crime Center (DC3)
• US-CERT (plus 3 agencies that were hit
hard)
• Top Commercial Pen Testers
• Top Commercial Forensics Teams
• JTF-GNO
• AFOSI
• Army Research Laboratory
• DoE National Laboratories
• FBI and IC-JTF
10
Identify top attacks—the critical risk areas
Prioritize controls to match successful attacks—mitigate critical
risks
Identify automation/verification methods and measures
Engage CIOs, CISOs, Auditors, and oversight organizations
Coordinate with Congress regarding FISMA updates
Engage the best security experts:
11. Top 20 Attack Patterns—the biggest risks*
1. Scan for unprotected systems on networks
2. Scan for vulnerable versions of software
3. Scan for software with weak configurations
4. Scan for network devices with exploitable
vulnerabilities
5. Attack boundary devices
6. Attack without being detected and maintain
long-term access due to weak audit logs
7. Attack web-based or other application
software
8. Gain administrator privileges to control
target machines
9. Gain access to sensitive data that is not
adequately protected
10. Exploit newly discovered and un-patched
vulnerabilities
11. Exploit inactive user accounts
12. Implement malware attacks
13. Exploit poorly configured network services
14. Exploit weak security of wireless devices
15. Steal sensitive data
16. Map networks looking for vulnerabilities
17. Attack networks and systems by exploiting
vulnerabilities undiscovered by target
system personnel
18. Attack systems or organizations that have
no or poor attack response
19. Change system configurations and/or data
so that organization cannot restore it
properly
20. Exploit poorly trained or poorly skilled
employees
11
* Developed as a part of developing 20 Critical Controls and not in priority order
12. Example--Critical Control #1
Inventory of Authorized and Unauthorized Devices
• Attacker Exploit: Scan for new, unprotected systems
• Control:
– Quick Win: Automated asset inventory discovery tool
– Visibility/Attribution: On line asset inventory of devices with net
address, machine name, purpose, owner
– Configuration/Hygiene: Develop inventory of information assets
(incl. critical information and map to hardware devices)
• Associated NIST SP 800-53 Rev 3 Priority 1 Controls:
– CM-8 (a, c, d, 2, 3, 4), PM-5, PM-6
• Automated Support: Employ products available for asset inventories,
inventory changes, network scanning against known configurations
• Evaluation: Connect fully patched and hardened test machines to
measure response from tools and staff. Control identifies and isolate
new systems (Min--24 hours; best practice--less than 5 minutes)
12
13. Example--Critical Control #3
Secure Configurations for Hardware and Software on
Laptops, Workstations and Servers
• Attacker Exploit: Automated search for improperly configured systems
• Control:
– QW: Define controlled standard images that are hardened versions
– QW: Negotiate contracts for secure images “out of the box”
– Config/Hygiene: Tools enforce configurations; executive metrics
with trends for systems meeting configuration guidelines
• Associated NIST SP 800-53 Rev 3 Priority 1 Controls:
– CM-1, CM-2 (1, 2), CM-3 (b, c, d, e, 2, 3), CM-5 (2), CM-6 (1, 2, 4),
CM-7 (1), SA-1 (a), SA-4 (5), SI-7 (3), PM-6
• Automated Support: Employ SCAP compliant tools to monitor/validate
HW/SW/Network configurations
• Evaluation: Introduce improperly configured system to test response
times/actions (Minimum--24 hours; best practice--less than 5 min)
13
14. 20 Critical Controls for Effective Cyber Defense (1 of 2)
Critical Controls Subject to Automated Collection, Measurement, and Validation:
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and
Servers
4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
5. Boundary Defense
6. Maintenance, Monitoring, and Analysis of Security Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based on Need to Know
10. Continuous Vulnerability Assessment and Remediation
11. Account Monitoring and Control
12. Malware Defenses
13. Limitation and Control of Network Ports, Protocols, and Services
14. Wireless Device Control
15. Data Loss Prevention
14
15. 20 Critical Controls for Effective Cyber Defense (2 of 2)
Additional Critical Controls (partially supported by automated measurement and
validation):
16. Secure Network Engineering
17. Penetration Tests and Red Team Exercises
18. Incident Response Capability
19. Data Recovery Capability
20. Security Skills Assessment and Appropriate Training to Fill Gaps
15
Federal CIO Observation: The 20 Critical Controls are
nothing new; they are recognized elements of a well
managed enterprise
16. Complying with FISMA and NIST Guidelines
• FISMA
– Implement security protection commensurate with risk
– Develop and maintain minimum controls
– Selection of specific security solutions left to agencies
– Ensure independent testing and evaluation of controls
• NIST Guidelines
– Use risk assessment to categorize systems
– Select controls based on risk
– Assess security controls
16
17. Relevance of 20 Critical Controls to FISMA
and NIST Guidelines
FISMA and NIST
1. Assess cyber security risk in
an organization
2. Implement security based on
risk
3. Select controls from NIST SP
800-53 to mitigate risk areas
4. Objectively evaluate control
effectiveness
20 Critical Controls
1. Based on government-wide
(shared) risk assessment
2. Controls address top cyber
risks
3. 20 Critical Controls are subset
of 800-53 Priority 1 controls
4. Use automated tools and
periodic evaluations to provide
continuous monitoring
17
20 Critical Controls are designed to help agencies comply
with FISMA and NIST guidance!
18. 20 Critical Controls—Implementation
Recommendations
Step 1: Accept CAG consensus threats as risk baseline for your
organization
Step 2: Implement 20 Critical Controls
Step 3: Use organization specific risk assessment to select and
implement additional controls from 800-53
– Focus on unique, mission critical capabilities and data
Step 4: Use automated tools and periodic evaluations to
continuously measure compliance (demonstrate risk
reduction)
Step 5: Partner with senior management and auditors to motivate
compliance improvement
– Use examples and lessons learned from State Dept. and others
18
19. Final Thoughts
• CIOs must lead global change
• In the near-term CIOs/CISOs must focus and
measure
• Automation of security control implementation
and continuous assessment is essential
• A well managed system is a harder target to
attack and costs less to operate – the ultimate
“no brainer” for a CIO
19
It is all about leadership.
We need to stop the bleeding—Now!
21. FISMA Original Intent
• Framework to ensure effective information security
controls
• Recognize impact of highly networked environment
• Provide for development and maintenance of
minimum controls
• Improved oversight of agency information security
programs
• Acknowledge potential of COTS capabilities
• Selection of specific technical hardware and software
information security solutions left to agencies
• Provide independent evaluation of security program
21
However: FISMA has evolved to “grading” agencies based largely on secondary artifacts