CIS Critical Security Controls © Enclave Security 2015
The CIS Critical Security Controls: The International
Standard for Defense
James Tarala, The SANS Institute
Why are so many people implementing the CSC?
• It’s 2015, and there are dozens of security standards to choose from internationally
• CIOs & sysadmins have numerous choices
• Auditors have numerous choices
• Everyone has heard of standards such as:
• ISO 27000, NIST 800-53, the NIST Cybersecurity Framework
• PCI DSS, NERC CIP, COBIT, COSO, the ITAF, etc.
• So why are the Critical Security Controls quickly becoming the de facto baseline among security standards?
Reason #1: Organizations Are Getting Breached
• PrivacyRights.org maintains a chronology of data breaches since 2005
• Includes a searchable database of breaches by year / cause / industry
• Some of the more notable recent breaches include (2015):
– Anthem (80 million people)
– Office of Personnel Management (21.5 million people)
– UCLA Health System (4.5 million people)
– Ashley Madison (37 million people)
– Ubiquiti Networks ($46.7 million)
– ICANN (unknown / all web users)
– Excellus Blue Cross Blue Shield (10 million people)
– Experian / T-Mobile (15 million people)
FBI Annual Internet Crime Complaints (cont)
http://www.nw3c.org/docs/IC3-Annual-Reports/2014-ic3-internet-crime-report.pdf
Average Per Capita Cost of Data Breaches (2015)
Ponemon Institute Report 2015: http://www.ibm.com/security/data-breach
Reason #2: Hundreds of Document Contributors
• Blue team members inside the Department of Defense
• Blue team members who provide services for non-DoD government agencies
• Red & blue teams at the US National Security Agency
• US-CERT and other non-military incident response teams
• DoD Cyber Crime Center (DC3)
• Military investigators who fight cyber crime
• The FBI and other police organizations
• US Department of Energy laboratories
• US Department of State
• Army Research Laboratory
• US Department of Homeland Security
• DoD and private forensics experts
• Red team members in DoD
• The SANS Institute
• Civilian penetration testers
• Federal CIOs and CISOs
• Plus over 100 other collaborators
Reason #3: Comprehensive Guiding Principles
1. Defenses should focus on addressing the attack activities occurring today
2. Enterprises must ensure consistent controls across the enterprise to effectively negate attacks
3. Defenses should be automated where possible
4. Specific technical activities should be undertaken to produce a more consistent defense
5. Root-cause problems must be fixed in order to ensure the prevention or timely detection of attacks
6. Metrics should be established that provide common ground for measuring the effectiveness of security measures
Reason #4: Technical Practicality
• The CIS Critical Security Controls were specifically designed to stop attacks
• They provide specific, practical, technical recommendations
• They do not leave it up to the reader to figure out what to do
• It is possible to map known threats to these defenses
• There’s a reason the Verizon Data Breach Investigations Report, and many others, reference these controls and how to use them
• There’s a reason incident handlers & penetration testers recommend the
CSCs to their clients after breaches
Case Study: 2013 Java Data Breaches
2013 Java Attacks & Intrusion Kill Chain
1. The attacker discovered a weakness in software commonly used by the victim, the Java browser plug-in (reconnaissance)
2. The attacker wrote attack code to exploit the discovered software weakness (weaponization)
3. The attacker placed the attack code on a “watering hole” website that the victim trusted (delivery)
4. The victim was lured into visiting the “watering hole” website, and the hosted attack code ran against the vulnerable plug-in (exploitation)
5. The exploit downloaded and executed the attacker’s malicious code on the victim’s computer (installation)
6. The malicious code connected to the attacker’s command and control servers to give the attacker access (command and control)
7. The attacker performed his or her desired objectives on the victim’s computers (actions on objectives)
2013 Java Attacks – Defensive Tools
• Software whitelisting solution (blocks the dropped payload at the installation step)
• Automated patch management system (removes the vulnerable Java plug-in before the exploit can run)
• Security Content Automation Protocol (SCAP)-compliant vulnerability management solution (CVEs & CCEs) (finds the unpatched and misconfigured Java installs that remain)
Proof of Concept: Mimikatz
The CSCs that would Stop this Attack
• If an organization implements the Critical Security Controls, could they stop
Mimikatz (v1 or v2) from working? – YES
• Some of the CSCs that would stop this attack:
– CSC #2: Inventory of Authorized and Unauthorized Software
– CSC #3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
– CSC #4: Continuous Vulnerability Assessment and Remediation
– CSC #5: Controlled Use of Administrative Privileges
– CSC #8: Malware Defenses
– CSC #12: Boundary Defense
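The secure-configuration items in CSC #3, backed by the privilege limits in CSC #5, are what concretely break Mimikatz’s credential dumping on a Windows host. The following Python script is an added example, not part of the original slides: it audits the text of a `reg export` of the Lsa, WDigest and Winlogon keys against four hardening settings (LSA Protection, the Credential Guard configuration flag, WDigest plaintext caching, and the cached-logon count). Both sample exports are constructed, and MAX_CACHED_LOGONS is an assumed organizational baseline rather than a CIS value.

```python
"""Audit a Windows registry export for the LSASS hardening that breaks
Mimikatz's sekurlsa credential theft (CSC #3 secure configuration).

Added example, not from the slides.  Input is assumed to be the text of a
`reg export` (Windows Registry Editor 5.00 format); a real export is
UTF-16LE, so decode it with "utf-16" before passing it in.
"""
import re

LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
WDIGEST = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
MAX_CACHED_LOGONS = 4  # assumed baseline for laptops, not a CIS-published value

# Constructed sample: a workstation that has not been hardened.
UNHARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RunAsPPL"=dword:00000000
"LsaCfgFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"UseLogonCredential"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"CachedLogonsCount"="10"
"""

# Constructed sample: the same keys after the baseline has been applied.
HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RunAsPPL"=dword:00000001
"LsaCfgFlags"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"UseLogonCredential"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"CachedLogonsCount"="2"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: value}}.
    dword: values become ints, quoted strings become str; other types
    (hex:, expandable strings) are kept as their raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, raw_val = m.group(1), m.group(2)
            if raw_val.startswith("dword:"):
                value = int(raw_val[6:], 16)
            elif len(raw_val) >= 2 and raw_val[0] == raw_val[-1] == '"':
                value = raw_val[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            else:
                value = raw_val
            keys[current][name] = value
    return keys


# (check name, key, value name, compliant-if, why it matters against Mimikatz)
CHECKS = [
    ("LSA Protection (RunAsPPL)", LSA, "RunAsPPL", lambda v: v == 1,
     "LSASS is a protected process; sekurlsa cannot open it from user mode"),
    ("Credential Guard configured (LsaCfgFlags)", LSA, "LsaCfgFlags", lambda v: v in (1, 2),
     "secrets isolated in VBS; 1 = with UEFI lock, 2 = without; registry shows intent only"),
    ("WDigest plaintext caching disabled (UseLogonCredential)", WDIGEST, "UseLogonCredential",
     lambda v: v == 0, "WDigest no longer keeps clear-text passwords in LSASS memory"),
    ("Cached domain logons limited (CachedLogonsCount)", WINLOGON, "CachedLogonsCount",
     lambda v: str(v).isdigit() and int(v) <= MAX_CACHED_LOGONS,
     "fewer DCC2 hashes for lsadump::cache to recover and crack offline"),
]


def audit_lsass_hardening(export_text):
    """Return one (check_name, compliant, observed_value) per check.  A value
    absent from the export is non-compliant: the baseline must set each value
    explicitly instead of relying on OS defaults that differ by version."""
    reg = parse_reg_export(export_text)
    findings = []
    for name, key, value_name, compliant_if, _why in CHECKS:
        observed = reg.get(key, {}).get(value_name)
        findings.append((name, observed is not None and compliant_if(observed), observed))
    return findings


def failing_checks(export_text):
    """Names of the checks a host fails; an empty list means the baseline is in place."""
    return [name for name, ok, _ in audit_lsass_hardening(export_text) if not ok]


if __name__ == "__main__":
    for label, export in (("unhardened", UNHARDENED_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(label, "fails:", failing_checks(export) or "nothing")
```

Two caveats a practitioner should keep alongside the slide’s “YES”: LsaCfgFlags only records that Credential Guard was requested, so confirm it is actually running (System Information lists the running virtualization-based security services), and an attacker who already holds SYSTEM can load Mimikatz’s signed driver to strip the protected-process flag from LSASS, which is why CSC #5 (no local admin for ordinary users) has to be implemented together with CSC #3.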
Reason #5: Defined Business Measures
• The CSCs also define specific measures that organizations can use to track their risk and defensive capabilities
• These are specific, not generic, measures
• None of the measures is simply a paperwork review
• Every measure describes a defensive capability an organization may or may not have
• Measures are either time-based (how long until a condition is detected or fixed) or Boolean (is the control in place), which keeps them objective
• They help an organization define both control-based and event-based risk measures
• These have been especially useful to the audit and insurance industries
Examples of Defined Measures
1. How many unauthorized / unknown computers are currently connected to the organization’s network?
2. How many unauthorized software packages are running on the organization’s computers?
3. What percentage of the organization’s computers are running software whitelisting defenses that block unauthorized programs from running?
4. What percentage of the organization’s computers have been configured (operating system and applications) according to the organization’s documented standards?
5. What is the comprehensive Common Vulnerability Scoring System (CVSS) vulnerability rating for each of the organization’s systems?
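To show how these five questions become numbers on a dashboard, and how the whitelisting and SCAP/CVSS tools named for the Java case study feed them, here is an added Python example (not from the slides). It reconciles a discovery sweep against an authorized-device list, checks per-host software inventories against a whitelist, computes the whitelisting and configuration-compliance percentages, and rates each system by its worst open CVSS base score. All hosts, MAC addresses, packages and scores are constructed; the severity bands follow the CVSS v3.0 qualitative scale, which is an assumption about what the dashboard should display.

```python
"""Compute the five CSC measures above from inventory and scan data.

Added example, not from the slides.  Assumed inputs: an authorized device
list keyed by MAC address, a network discovery sweep, a per-host software
inventory, a software whitelist, and per-host CVSS base scores from a
SCAP-compliant scanner.  All sample data below is constructed.
"""
from dataclasses import dataclass


@dataclass
class Host:
    hostname: str
    mac: str
    software: set                 # packages reported by the host's inventory agent
    whitelisting_enforced: bool   # application control in enforce mode, not audit mode
    config_compliant: bool        # passed the organization's CCE/SCAP benchmark scan
    cvss: list                    # CVSS base scores of the host's open findings


# Measure 1 inputs: what was authorized versus what the sweep found.
AUTHORIZED = {
    "00:11:22:33:44:01": "ws-001",
    "00:11:22:33:44:02": "ws-002",
    "00:11:22:33:44:03": "srv-db-01",
}
DISCOVERED = [
    ("00:11:22:33:44:01", "10.0.1.11"),
    ("00:11:22:33:44:02", "10.0.1.12"),
    ("00:11:22:33:44:03", "10.0.2.5"),
    ("a4:5e:60:aa:bb:cc", "10.0.1.77"),   # not in the inventory: rogue or unmanaged
]

# Measures 2-5 inputs (constructed).
WHITELIST = {"Microsoft Office 2013", "Google Chrome", "7-Zip", "Java SE 8u60"}
HOSTS = [
    Host("ws-001", "00:11:22:33:44:01",
         {"Microsoft Office 2013", "Google Chrome", "Java SE 7u17"}, True, True, [6.8, 10.0]),
    Host("ws-002", "00:11:22:33:44:02",
         {"Google Chrome", "7-Zip", "uTorrent"}, False, False, [4.3]),
    Host("srv-db-01", "00:11:22:33:44:03", {"7-Zip"}, True, True, []),
]


def unauthorized_computers(authorized, discovered):
    """Measure 1: discovered (mac, ip) pairs absent from the authorized inventory.
    MACs can be spoofed, so this is a list to investigate, not a verdict."""
    return [(mac, ip) for mac, ip in discovered if mac.lower() not in authorized]


def unauthorized_software(hosts, whitelist):
    """Measure 2: per host, the installed packages that are not whitelisted."""
    return {h.hostname: h.software - whitelist for h in hosts if h.software - whitelist}


def percent_of_hosts(hosts, predicate):
    """Measures 3 and 4: share of hosts (one decimal) for which predicate holds."""
    if not hosts:
        return 0.0
    return round(100.0 * sum(1 for h in hosts if predicate(h)) / len(hosts), 1)


def cvss_severity(score):
    """Qualitative band for a CVSS v3.0 base score (assumed dashboard scale)."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def system_vulnerability_rating(hosts):
    """Measure 5: per host, (worst base score, its band, number of open findings).
    The worst score drives the rating because one remotely exploitable critical
    outweighs many lows; the count shows the size of the remediation backlog."""
    rating = {}
    for h in hosts:
        worst = max(h.cvss, default=0.0)
        rating[h.hostname] = (worst, cvss_severity(worst), len(h.cvss))
    return rating


def build_dashboard(authorized, discovered, hosts, whitelist):
    """Assemble the five measures into one record a dashboard can render."""
    rogue = unauthorized_computers(authorized, discovered)
    unauth_sw = unauthorized_software(hosts, whitelist)
    return {
        "unauthorized_computers": len(rogue),
        "unauthorized_software_packages": len(set().union(*unauth_sw.values())),
        "pct_whitelisting_enforced": percent_of_hosts(hosts, lambda h: h.whitelisting_enforced),
        "pct_config_compliant": percent_of_hosts(hosts, lambda h: h.config_compliant),
        "system_vulnerability_rating": system_vulnerability_rating(hosts),
    }


if __name__ == "__main__":
    for measure, value in build_dashboard(AUTHORIZED, DISCOVERED, HOSTS, WHITELIST).items():
        print(f"{measure}: {value}")
```

In practice the inputs come from the device inventory (CSC #1), the application-control and SCAP consoles, and the vulnerability scanner; the point of computing the measures from raw inventories rather than from each console’s own summary is that the Boolean and percentage values then mean the same thing across every tool and every audit.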
Measures lead to Business Dashboards
Reason #6: CSCs are Based on Known Threats
• The CSCs are based on current, observable threats to information systems, not theories
• Hundreds of organizations have contributed
• One of the latest efforts is the release of a community threat model, the Open Threat Taxonomy (v1.1), which will be used to document and prioritize threats
• The OTT will be used to enumerate the threats that in turn justify each control
• This will help standardize risk assessments and remove one paperwork step for organizations to complete
Reason #7: CSC Are an “On Ramp” to Compliance
• The primary goal of the Critical Security Controls is defense
• However, by prioritizing these controls, an organization is also making steps
towards compliance with other standards
• There doesn’t have to be a choice
• Mappings currently exist between the CSCs and:
– NIST 800-53 rev4
– ISO 27002 Control Catalog
– NERC CIPv5
– FFIEC Inherent Risk Controls & Examiner’s Handbook
– HIPAA / HITECH Act
In Summary
• Whether or not you follow the Critical Security Controls, every organization needs a strategy for defense
• Be aware of the changing threat landscape and have a plan for preventing future attacks
• Organizations need to set priorities for system and data defense; the CSCs are one good option
• Most importantly, the controls are only useful if they are implemented
• Watch for more changes to come & stay vigilant
Further Questions
• James Tarala
– E-mail: james.tarala@enclavesecurity.com
– Twitter: @isaudit
– Blog: http://www.auditscripts.com/
• Resources for further study:
– The CIS Critical Security Controls Courses – SEC 440 / 566
– The CIS Critical Security Controls Project
– AuditScripts.com Resources
