Donald E. Hester, CISSP, CISA, CAP, PSP, MCT
Maze & Associates / San Diego City College, www.LearnSecurity.org
Prioritized Approach: Twenty Critical Controls
© 2010 Maze & Associates 2
The Problem
• Compliance does not equal security
• Our highest priority is to secure our systems
• Compliance is required but not our highest goal
• We need a solution based on risk
Rev1/8/2010
Solution
• Limited resources
– Time
– Funding
– Resources
– Personnel
• With limited resources, choices have to be made about which security controls are most important
• A prioritized approach to implementing controls is required
• Prioritized by greatest risk first
Available Resources
“This recommended sequencing prioritization helps ensure that foundational security controls upon which other controls depend are implemented first, thus enabling organizations to deploy controls in a more structured and timely manner in accordance with available resources.” - NIST SP 800-53 rev3
A Prioritized Baseline
• How do we prioritize controls?
• Intelligence
– Knowledge of actual attacks
• Controls that can prevent known attacks should be given a higher priority
• A consensus report has been developed to document 20 critical controls
Focus
• Focus attention and resources on the most critical risk
• Defend against current and near-term attacks
• These will be the highest-payoff areas
• Top, shared priority for CIOs, CISOs and IGs
Risk Based
• Countermeasures should focus on addressing
– High-probability attacks
– High-impact attacks
• Consistent implementation
• Automated and continuously monitored
• Additional technical activities should be used to defend systems
Control Implementation Sequence
“The priority allocation section provides the recommended priority codes used for sequencing decisions during security control implementation.” - NIST SP 800-53 rev3
“Organizations can use the recommended priority code designation associated with each security control in the baselines to assist in making sequencing decisions for control implementation.” - NIST SP 800-53 rev3
Compliance
• The reality of limited resources does not mean we can ignore controls.
• Compliance requires all controls to be in place.
• A prioritized approach helps us implement the most important controls or the controls that give us the biggest bang first.
Compliance
“The implementation of security controls by sequence priority code does not imply the achievement of any defined level of risk mitigation until all of the security controls in the security plan have been implemented. The priority codes are used only for implementation sequencing, not for making security control selection decisions.” - NIST SP 800-53 rev3
Implementation Sequence
THE TWENTY CRITICAL CONTROLS
Collaborators
• Attack Data Resources
– DoD Blue Team Members (Incident Response)
– US-CERT
– Military Investigators
– FBI and other Police organizations
– DoE Cybersecurity Experts
– Forensic Experts
– DoD Red Team Members (Penetration Tests)
– Civilian Penetration Testers
– Federal CIOs and CISOs
– GAO
Prioritized Controls
• 20 controls
• 15 controls that can be validated in part automatically
• 5 controls that must be validated manually
• Each control has subcontrols
• Reinforce NIST SP 800-53, SCAP, FDCC, FISMA, DHS software assurance
Categorize Subcontrols
• Quick Wins
• Improved Visibility and Attribution
• Hardened Configuration and Improved Information Security Hygiene
• Advanced
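The deck's sequencing rule (Quick Wins first, then the highest-risk items within each tier, with compliance still requiring every control in the end) can be written down as a small sorter. The following is an added illustration, not code from the deck or from the Twenty Critical Controls project: the four category tiers are the ones the slide names, but the subcontrol names, likelihood and impact scores and the "automatable" flags are constructed for the example.

```python
"""Risk-based sequencing of subcontrols.

Added illustration, not from the deck: the category tiers are the ones the
slides name; the subcontrol names, likelihood and impact scores are constructed.
"""
from dataclasses import dataclass

# Tiers from the "Categorize Subcontrols" slide; lower rank is implemented first.
CATEGORY_RANK = {
    "Quick Wins": 0,
    "Improved Visibility and Attribution": 1,
    "Hardened Configuration and Improved Information Security Hygiene": 2,
    "Advanced": 3,
}


@dataclass(frozen=True)
class Subcontrol:
    control: int        # parent critical control number (1-20)
    name: str
    category: str       # one of CATEGORY_RANK
    likelihood: int     # 1-5: how often the attack it counters is actually observed
    impact: int         # 1-5: damage if that attack succeeds
    automatable: bool   # whether validation can be automated (in part)

    @property
    def risk(self) -> int:
        """Probability x impact: the deck's 'high probability, high impact' test."""
        return self.likelihood * self.impact


def sequence(subcontrols):
    """Implementation order.

    Primary key: category tier (Quick Wins first, Advanced last).
    Secondary: risk addressed, highest first.
    Tertiary: automatable before manual, since it can be continuously monitored.
    Final tie-break on control number keeps the order deterministic.
    """
    return sorted(
        subcontrols,
        key=lambda s: (CATEGORY_RANK[s.category], -s.risk, not s.automatable, s.control),
    )


def compliance_gap(subcontrols, implemented_names):
    """Sequencing does not shrink the compliance obligation: every subcontrol
    still has to be implemented. Return the ones still outstanding, in order."""
    return [s.name for s in sequence(subcontrols) if s.name not in implemented_names]


# Constructed sample; scores are illustrative, not from the deck.
SAMPLE = [
    Subcontrol(1, "Automated asset discovery scan", "Quick Wins", 5, 4, True),
    Subcontrol(2, "Application whitelisting", "Advanced", 4, 5, True),
    Subcontrol(3, "Deploy standard hardened images",
               "Hardened Configuration and Improved Information Security Hygiene", 4, 4, True),
    Subcontrol(6, "Central log collection", "Improved Visibility and Attribution", 3, 4, True),
    Subcontrol(8, "Inventory of administrative accounts", "Quick Wins", 4, 5, False),
    Subcontrol(17, "Annual penetration test", "Advanced", 3, 3, False),
]

if __name__ == "__main__":
    for pos, s in enumerate(sequence(SAMPLE), 1):
        print(f"{pos}. control {s.control:>2}  risk={s.risk:>2}  {s.category}: {s.name}")
    done = {"Automated asset discovery scan", "Inventory of administrative accounts"}
    print("Still required for compliance:", compliance_gap(SAMPLE, done))
```

The tier is the primary key on purpose: a Quick Win that addresses a moderate risk still goes before an Advanced item that addresses a larger one, which is the deck's point about getting foundational, cheap controls in place under limited resources. `compliance_gap` is the reminder from the NIST quote that the order changes nothing about what must eventually be in place.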
Testing
• Periodic and/or continual testing of controls
• Use as much automation as possible
• Tools for remotely gathering, analyzing and updating configuration
• Items such as workstations, servers and network devices
CRITICAL CONTROLS (from version 2.1, Aug 10, 2009)
Critical Controls
• Inventory of Authorized and Unauthorized Devices
• Inventory of Authorized and Unauthorized Software
• Secure configurations for Hardware and Software on laptops, workstations and servers
• Secure configurations for Network Devices such as firewalls, routers and switches
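The Testing slide calls for automated, remotely gathered configuration data, and the first two controls above are the ones that can be validated that way most directly: compare what is actually on the network against the authorized device and software inventories. The following is an added example, not code from the deck, from the Twenty Critical Controls project or from any real inventory tool; the discovery output format, MAC addresses, hostnames and package names are all constructed.

```python
"""Automated validation of Critical Controls 1 and 2.

Added example, not from the deck or from any real inventory tool: the discovery
output format, MAC addresses, hostnames and package names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str      # "unauthorized_device", "unauthorized_software" or "missing_device"
    subject: str   # MAC or hostname the finding is about
    detail: str


def parse_discovery(lines):
    """Parse constructed scanner output, one host per line:
    mac,ip,hostname,pkg1;pkg2;...   (lines starting with '#' are comments)
    Returns {mac: (ip, hostname, set_of_packages)}."""
    hosts = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        mac, ip, hostname, pkgs = line.split(",", 3)
        hosts[mac.lower()] = (ip, hostname, {p for p in pkgs.split(";") if p})
    return hosts


def validate_inventory(authorized_devices, authorized_software, discovered):
    """Compare what was observed on the network against the approved inventories.

    authorized_devices:  {mac: hostname} from the device inventory (control 1)
    authorized_software: set of approved package names (control 2)
    discovered:          output of parse_discovery()
    """
    findings = []
    seen = set()
    for mac, (ip, hostname, pkgs) in discovered.items():
        seen.add(mac)
        if mac not in authorized_devices:
            findings.append(Finding("unauthorized_device", mac,
                                    f"{hostname} at {ip} is not in the device inventory"))
            continue  # an unknown device's software list is moot until the device is dealt with
        for pkg in sorted(pkgs - authorized_software):
            findings.append(Finding("unauthorized_software", hostname, pkg))
    # Inventory entries that were not observed: stale records or outages, worth a look either way.
    for mac, hostname in authorized_devices.items():
        if mac not in seen:
            findings.append(Finding("missing_device", hostname,
                                    "in inventory but not observed; verify or retire the record"))
    return findings


# Constructed sample data.
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:01": "ws-001",
    "00:11:22:33:44:02": "srv-db01",
    "00:11:22:33:44:03": "fw-edge",
}
AUTHORIZED_SOFTWARE = {"openssh-server", "office-suite", "edr-agent"}
DISCOVERY = """\
# mac,ip,hostname,packages
00:11:22:33:44:01,10.0.0.11,ws-001,office-suite;edr-agent
00:11:22:33:44:02,10.0.0.20,srv-db01,openssh-server;edr-agent;bittorrent-client
00:11:22:33:44:99,10.0.0.77,unknown-laptop,office-suite
"""

if __name__ == "__main__":
    for f in validate_inventory(AUTHORIZED_DEVICES, AUTHORIZED_SOFTWARE,
                                parse_discovery(DISCOVERY.splitlines())):
        print(f"{f.kind:<22} {f.subject:<20} {f.detail}")
```

Run periodically (the slide's "periodic and/or continual testing"), the three finding kinds map onto the two controls: an unauthorized device and a missing inventory record are control 1 exceptions, an unapproved package on a known host is a control 2 exception. Keying on MAC rather than hostname is a deliberate choice for the example, since a hostname is trivially self-reported while a MAC at least has to be observed on the wire.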
Critical Controls
• Boundary Defense
• Maintenance, Monitoring and Analysis of Security Audit Logs
• Application Software Security
• Controlled use of Administrative Privileges
• Controlled access based on need to know
Critical Controls
• Continuous Vulnerability Assessment and Remediation
• Account Monitoring and Control
• Malware Defenses
• Limitation and Control of Network Ports, Protocols and Services
• Wireless Device Control
• Data Loss Prevention
Critical Controls
• Secure Network Engineering
• Penetration Tests and Red Team Exercises
• Incident Response Capability
• Data Recovery Capability
• Security Skills Assessment and Appropriate Training to fill gaps