Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps


The process and tools to make sure an organization understands the technical skill gaps within its workforce, including an integrated plan to fill the gaps through policy, training, and awareness.
Note: This control has one or more sub-controls that must be validated manually.

How do attackers exploit the absence of this control?

Five groups of people are frequently being tested by attackers:

1. End-users are fooled via social engineering scams in which they are tricked into providing passwords, opening infected attachments, loading software from untrusted sites, or visiting malicious web sites.

2. System and network administrators may be fooled in the same way as ordinary users, and are often targeted because of their elevated privileges. They are also tested when malicious software is running on their systems and they fail to notice evidence of the infection, and when they are unaware of vulnerabilities in software they have deployed, allowing systems under their control to be compromised.

3. Security operators and analysts are tested with new and innovative attacks introduced on a continual basis. This requires that they upgrade their defenses, but they are often unaware of the new risks and of new defensive capabilities and techniques available to them.

4. Programmers are tested by criminals who find and exploit the vulnerabilities in the code that they write, and engineers are tested by people searching for security flaws in their designs.

5. To a lesser degree, system owners are tested when they are asked to invest in cyber security but are unaware of the devastating impact a compromise and data exfiltration or alteration would have on their mission.

A constantly updated security awareness and education program for all users is important, but it will not stop determined attackers. Most determined adversaries will be stopped by effective implementation of the other Critical Controls, but some will slip through fissures in the security program. Skilled employees are essential for implementing and monitoring those Controls, for finding those attackers that get through the defenses, and for developing systems that are much harder to exploit. The most important mission-critical security jobs for most organizations, as identified by the 2012 Task Force on Cyber Skills established by the Secretary of Homeland Security, are as follows: (1) system and network penetration testers, (2) application penetration testers, (3) security monitoring and event analysts, (4) incident responders in-depth, (5) threat analysts/counter intelligence analysts, (6) risk assessment engineers, (7) advanced forensics analysts, (8) secure coders and code reviewers, (9) security engineers - operations, and (10) security engineers/architects who build security in.[7]

These tasks are so mission critical that organizations that do not execute them effectively often suffer dire consequences, including theft of critical data, corruption of sensitive information, major system outages and, increasingly, actual destruction of systems. For any organization with high-value systems and information, effective skills development in these 10 job areas is an essential step toward ensuring that the right people with the right skills are in place.

Training is also closely tied to policy and awareness. Policies tell people what to do, training provides them the skills to do it, and awareness changes behaviors so that people follow the policy. Training should be mapped against the skills required to perform a given job. If, after training, users are still not following the policy, that policy should be augmented with heightened efforts to ensure that users are aware of and understand it.

How to Implement, Automate, and Measure the Effectiveness of this Control

1. Quick wins: Perform gap analysis to see which skills employees need and which behaviors employees are not adhering to, using this information to build a training and awareness roadmap.

2. Quick wins: Deliver training to fill the skills gap. If possible, use more senior staff to deliver the training. A second option is to have outside teachers provide training onsite so the examples used will be directly relevant. If you have small numbers of people to train, use training conferences or online training to fill the gaps.

3. Quick wins: Implement an online security awareness program that (1) focuses only on the methods commonly used in intrusions that can be blocked through individual action, (2) is delivered in short online modules convenient for employees, (3) is updated frequently (at least annually) to represent the latest attack techniques, (4) is mandated for completion by all employees at least annually, and (5) is reliably monitored for employee completion.

4. Visibility/Hygiene: Validate and improve awareness levels through periodic tests to see whether employees will click on a link from suspicious e-mail or provide sensitive information on the telephone without following appropriate procedures for authenticating a caller; targeted training should be provided to those who fall victim to the exercise.

5. Configuration/Hygiene: Use security skills assessments for each of the mission-critical skills to identify skills gaps. Use hands-on, real-world examples to measure mastery. If you do not have such assessments, use one of the available online competitions that simulate real-world scenarios for each of the identified jobs in order to measure skills mastery.
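Items 3 and 4 above call for two things that can be measured rather than asserted: that every employee completed the awareness module within the mandated period, and who fell for the periodic phishing exercise and therefore gets targeted training. The following is an added example, not code from the Critical Controls document or from any vendor; the record layout, field names (last_training, clicked, submitted, reported), the 365-day period and the sample employees and campaign outcomes are all constructed for illustration and would be replaced by your LMS and phishing-platform exports.

```python
"""Measure awareness-program completion and phishing-simulation outcomes.

Added example; the data model and all sample records below are constructed,
not taken from any real system.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Item 3 mandates completion at least annually; treat anything older as overdue.
TRAINING_PERIOD = timedelta(days=365)


@dataclass(frozen=True)
class Employee:
    email: str
    department: str
    last_training: Optional[date]  # None means the module was never completed


@dataclass(frozen=True)
class PhishEvent:
    """Outcome for one recipient of a simulated phishing e-mail (constructed schema)."""
    email: str
    clicked: bool    # followed the link in the message
    submitted: bool  # entered data on the landing page
    reported: bool   # used the report-phish mechanism


def overdue_training(employees: List[Employee], today: date) -> List[str]:
    """Employees who never completed the module or whose completion is older than TRAINING_PERIOD."""
    return sorted(
        e.email for e in employees
        if e.last_training is None or today - e.last_training > TRAINING_PERIOD
    )


def campaign_metrics(employees: List[Employee], events: List[PhishEvent]) -> Dict[str, Dict[str, float]]:
    """Per-department recipient count plus click, submit and report rates (fractions of recipients).

    Rates per department, not just a company-wide number, show where awareness effort is needed.
    """
    dept_of = {e.email: e.department for e in employees}
    counts = defaultdict(lambda: {"recipients": 0, "clicked": 0, "submitted": 0, "reported": 0})
    for ev in events:
        c = counts[dept_of.get(ev.email, "unknown")]
        c["recipients"] += 1
        c["clicked"] += int(ev.clicked)
        c["submitted"] += int(ev.submitted)
        c["reported"] += int(ev.reported)
    result = {}
    for dept, c in counts.items():
        n = c["recipients"]
        result[dept] = {
            "recipients": n,
            "clicked": c["clicked"] / n,
            "submitted": c["submitted"] / n,
            "reported": c["reported"] / n,
        }
    return result


def targeted_training(events: List[PhishEvent]) -> List[str]:
    """Recipients who fell for the exercise and so receive targeted training (item 4).

    A recipient who clicked and then reported still appears here: reporting is good,
    but the click is the behaviour the training needs to change.
    """
    return sorted({ev.email for ev in events if ev.clicked or ev.submitted})


# Constructed sample data: four employees, one campaign.
TODAY = date(2013, 3, 1)
EMPLOYEES = [
    Employee("alice@example.org", "finance", date(2012, 9, 10)),
    Employee("bob@example.org", "finance", date(2012, 1, 15)),       # more than a year ago
    Employee("carol@example.org", "engineering", None),               # never completed
    Employee("dave@example.org", "engineering", date(2013, 1, 20)),
]
EVENTS = [
    PhishEvent("alice@example.org", clicked=False, submitted=False, reported=True),
    PhishEvent("bob@example.org", clicked=True, submitted=True, reported=False),
    PhishEvent("carol@example.org", clicked=True, submitted=False, reported=True),
    PhishEvent("dave@example.org", clicked=False, submitted=False, reported=False),
]

if __name__ == "__main__":
    print("Overdue awareness training:", overdue_training(EMPLOYEES, TODAY))
    for dept, m in campaign_metrics(EMPLOYEES, EVENTS).items():
        print(f"{dept}: {m['recipients']} recipients, click {m['clicked']:.0%}, "
              f"submit {m['submitted']:.0%}, report {m['reported']:.0%}")
    print("Targeted training list:", targeted_training(EVENTS))
```

On the constructed data, bob and carol are overdue for the annual module and also the two who fell for the exercise; finance shows a 50% click and 50% credential-submission rate, engineering 50% click but no submissions. Track the same numbers across campaigns so the trend, not a single result, is what drives the roadmap in item 1.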

Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls

AT-1, AT-2 (1), AT-3 (1)

Associated NSA Manageable Network Plan Milestones and Network Security Tasks

Training

Procedures and Tools to Implement and Automate this Control

The key to upgrading skills is measurement through assessments that show both the employee and the employer where knowledge is sufficient and where there are gaps. Once the gaps have been identified, those employees who have the requisite skills and knowledge can be called upon to mentor employees who need to improve their skills. In addition, the organization can develop training plans to fill the gaps and maintain employee readiness.

Notes

[7] The Task Force on Cyber Skills report is available at http://www.dhs.gov/homeland-security-advisory-council-hsac#3.


Creative Commons License
This work is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.

To further clarify the Creative Commons license related to the 20 Critical Controls content, (i) All persons are authorized to use the content as a framework in their organization or to sell professional services related to the content (e.g. a consulting engagement to implement the 20 Critical Controls), and (ii) sale of the contents as a framework model is not authorized. Users of the 20 Critical Controls framework are also required to refer to http://www.sans.org/critical-security-controls/ when referring to the 20 Critical Controls in order to ensure that users are employing the most up to date guidance.
