Twenty Critical Controls for Effective Cyber Defense: Consensus Audit
Version 2.3: November 13, 2009
Update: Added NIST SP 800-53 Revision 3 mapping to each control, and updated appendix to include each area of direct mapping between 20 Critical Controls and 800-53 Rev 3 Priority 1 controls. Also, added metrics and tests for each of the automatable controls (the first 15). Finally, added an appendix summarizing the attack types that motivated the development of each control.
Introduction
Securing our nation against cyber attacks has become one of the nation's highest priorities. To achieve this objective, networks, systems, and the operations teams that support them must vigorously defend against a variety of threats, both internal and external. Furthermore, for those attacks that are successful, defenses must be capable of detecting, thwarting, and responding to follow-on attacks on internal enterprise networks as attackers spread inside a compromised network.
A central tenet of the US Comprehensive National Cybersecurity Initiative (CNCI) is that "offense must inform defense." In other words, knowledge of actual attacks that have compromised systems provides the essential foundation on which to construct effective defenses. The US Senate Homeland Security and Government Affairs Committee moved to make this same tenet central to the Federal Information Security Management Act in drafting the U.S. ICE Act of 2009 (the new FISMA). That new proposed legislation calls upon Federal agencies to (and on the White House to ensure that they):
"monitor, detect, analyze, protect, report, and respond against known vulnerabilities, attacks, and exploitations" and "continuously test and evaluate information security controls and techniques to ensure that they are effectively implemented."
Because federal agencies do not have unlimited money, current and past federal CIOs and CISOs have agreed that the only rational way they can hope to meet these requirements is to jointly establish a prioritized baseline of information security measures and controls that can be continuously monitored through automated mechanisms. In addition, most agencies have highly interconnected systems and information requiring an enterprise approach to cyber security since cyber attacks exploit the weak areas in an enterprise to gain access to other enterprise capabilities. As we look to the future, it is also clear that ongoing initiatives within the Federal government will continue to expand interconnectivity across agencies to better support citizens and internal government operations. Security vulnerabilities in one area of a particular Federal agency can become the path to compromise other parts of the Federal enterprise. It is essential that a prioritized set of security controls be established that can be applied across agency enterprise environments and potentially across the Federal government.
This consensus document of 20 crucial controls is designed to begin the process of establishing that prioritized baseline of information security measures and controls that can be applied across Federal enterprise environments. The consensus effort that has produced this document has identified 20 specific technical security controls that are viewed as effective in blocking currently known high-priority attacks, as well as those attack types expected in the near future. Fifteen of these controls can be monitored, at least in part, automatically and continuously. The consensus effort has also identified a second set of five controls that are essential but that cannot, with current technology and practices, be monitored continuously or automatically. Each of the 20 control areas includes multiple individual subcontrols, each specifying actions an organization can take to help improve its defenses.
The control areas and individual subcontrols described focus on various technical aspects of information security, with a primary goal of supporting organizations in prioritizing their efforts in defending against today's most common and damaging computer and network attacks. Outside of the technical realm, a comprehensive security program should also take into account numerous additional areas of security, including overall policy, organizational structure, personnel issues (e.g., background checks, etc.), and physical security. To help maintain focus, the controls in this document do not deal with these important, but non-technical, aspects of information security. Organizations should build a comprehensive approach in these other aspects of security as well, but overall policy, organization, personnel, and physical security are outside of the scope of this document.
In summary, the guiding principles used in devising these control areas and their associated subcontrols include:
- Defenses should focus on addressing the most common and damaging attack activities occurring today, and those anticipated in the near future.
- Enterprise environments must ensure consistent controls across an enterprise to effectively negate attacks.
- Defenses should be automated where possible, and periodically or continuously measured using automated measurement techniques where feasible.
- To address current attacks occurring on a frequent basis against numerous organizations, a variety of specific technical activities should be undertaken to produce a more consistent defense.
Additionally, the controls are designed to support agencies and organizations that currently have different levels of information security capabilities. To help organizations focus on achieving a sound baseline of security and then improve beyond that baseline, certain subcontrols have been categorized as follows:
- Quick Wins: These fundamental aspects of information security can help an organization rapidly improve its security stance generally without major procedural, architectural, or technical changes to its environment. It should be noted, however, that a Quick Win does not necessarily mean that these subcontrols provide comprehensive protection against the most critical attacks. The intent of identifying Quick Win areas is to highlight where security can be improved rapidly. These items are identified in this document with the label of "QW."
- Improved Visibility and Attribution: These subcontrols focus on improving the process, architecture, and technical capabilities of organizations so that organizations can monitor their networks and computer systems, gaining better visibility into the IT operations. Attribution is associated with determining which computer systems, and potentially which users, are generating specific events. Such improved visibility and attribution support organizations in detecting attack attempts, locating the points of entry for successful attacks, identifying already-compromised machines, interrupting infiltrated attackers' activities, and gaining information about the sources of an attack. In other words, these controls help to increase an organization's situational awareness of its environment. These items are labeled as "Vis/Attrib."
- Hardened Configuration and Improved Information Security Hygiene: These aspects of various controls are designed to improve the information security stance of an organization by reducing the number and magnitude of potential security vulnerabilities as well as improving the operations of networked computer systems. This type of control focuses on protecting against poor security practices by system administrators and end users that could give an adversary an advantage in attacking target systems. Control guidelines in this category are formulated with the understanding that a well managed network is typically a much harder target for computer attackers to exploit. Throughout this document, these items are labeled as "Config/Hygiene."
- Advanced: These items are designed to further improve the security of an organization beyond the other three categories. Organizations already following all of the other controls should focus on this category. Items in this category are simply called "Advanced."
In general, organizations should examine all 20 control areas against their current status and develop an agency-specific plan to implement the controls as a critical component of an overall security program. Ultimately, organizations should strive to implement each control area, applying all of the subcontrols within each control, working from QW, through Vis/Attrib and Config/Hygiene, up to Advanced. However, as a start, organizations with limited information security programs may want to address the "Quick Wins" aspects of the controls in order to make rapid progress and to build momentum within their information security program.
Many of these controls can be implemented and measured using existing tools found in many enterprises. Other controls can be fulfilled using commercial or, in some cases, free, open-source software. Still others may require an investment in new enterprise tools and personnel expertise.
Each control area also includes a metric section that provides detailed information about the specific timing and related objectives associated with the most important elements of the given control area. Furthermore, each control area also includes a test section that provides information about how organizations can evaluate their implementation of each control metric. These tests were devised to support automation wherever possible, so that organizations could achieve reliable, scalable, and continuous measurements of their adherence to the controls and related metrics.
Why This Project Is So Important: Gaining Agreement among CISOs, CIOs and IGs, with Technical Requirements for System Administrators and Security Personnel
Federal Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs) are charged with improving the state of information security across the federal government. Moreover, they are spending increasing amounts of money to secure their systems. However, the complexity of securing their systems is enormous, and therefore there is a need to focus attention and resources on the most critical risk (and therefore the highest payoff) areas. In addition, CISOs and CIOs want and need specific guidance that can be consistently applied across their agencies enterprise-wide, and upon which their performance in improving security can be consistently and fairly evaluated. At the same time, Federal Inspectors General (IGs) and auditors want to ensure that CIOs and CISOs are doing what is necessary to secure systems, but IGs and auditors, too, need specific guidance on how to measure security. And, finally, technical personnel associated with information security operations and system administration require a specific set of technical activities that will aid them in defending against current and near-term attack vectors.
This document is a first step toward providing specific guidelines that CISOs, CIOs, IGs, and various Computer Emergency Response Teams can adopt and provide to their technical system administration and information security personnel to ensure their agency systems have the most critical baseline security controls in place. The controls take advantage of the knowledge gained in analyzing the myriad attacks that are being actively and successfully launched against federal systems and our nation's industrial base systems.
This effort also takes advantage of the success and insights from the development and usage of standardized concepts for identifying, communicating, and documenting security-relevant characteristics/data. These standards areas include the common identification of vulnerabilities, definition of secure configurations, inventory of systems and platforms, vulnerability severity, and identification of application weaknesses. These standards have emerged over the last decade through collaborative research and deliberation between government, academia, and industry. While still evolving, these efforts have made their way into commercial solutions and government, industry, and academic usage. Perhaps most visible of these has been the Security Content Automation Program (SCAP), sponsored by NIST, which was mandated for the Federal Desktop Core Configuration (FDCC). SCAP utilizes mature standardizations to clearly define common security nomenclature and evaluation criteria for vulnerability, patch, and configuration measurement and is intended for adoption by automated tools. It is recommended that automated tools used to implement or verify the security controls identified in this document employ SCAP, and that they employ similar standardization efforts for any nomenclature and evaluation criteria that SCAP does not cover.
Relationship of the 20 Critical Controls to NIST Guidelines
The National Institute of Standards and Technology (NIST) has produced excellent security guidelines that provide a very comprehensive set of security controls in NIST Special Publication 800-53, revision 3. This document, by contrast, seeks to identify a subset of security control activities that CISOs, CIOs and IGs can focus on as their top, shared priority for cyber security based on attacks occurring today and those anticipated in the near future. As noted above, the 20 Critical Controls principally address technical control areas. However, the controls do map directly to about one third of the 145 controls identified in NIST Special Publication 800-53. In fact, the mapping shows that the 20 Critical Controls are a proper subset of the Priority 1 items in 800-53. A mapping for each of the 20 Critical Controls to the specific set of 800-53 controls is provided in the text below, and a complete mapping is included as an appendix to this document. Moreover, the attack-based analysis for the 20 Critical Controls confirms these controls as the most critical subset of the NIST Special Publication 800-53 control catalog. Once agencies have addressed the 20 Critical Controls, it is recommended that 800-53 be used to ensure that they have assessed and implemented an appropriate set of management controls as well as additional technical controls that address agency- or system-specific risk areas.
The authors of this document recommend that agency CIOs and CISOs assess the 20 Critical Controls as a baseline set of "Common Controls" for their agency as defined by 800-53. The basis for this recommendation is that the consensus process used to develop the 20 Critical Controls, as well as pilot efforts by the State Department, have validated that the controls correlate to the highest technical and operational threat areas for Federal agency enterprise environments (as well as private sector enterprise environments). Within the guidance of 800-53, the 20 Critical Controls can be viewed as necessary to address an agency's "high water mark" when assessing the enterprise-wide potential security risk to the confidentiality, integrity or availability of interconnected systems and information within the agency's enterprise environment. Once this agreement has been reached by the CIO and CISO, it is recommended that the 20 Critical Controls be the foundation for technical and operational controls within an agency. Similarly, the 20 Critical Controls would also serve as a primary basis for future security audits and evaluations. If an agency CIO and CISO determine that their environment warrants additional controls, the processes provided in 800-53 should be used to identify the additional required controls. Based on the overwhelming consensus from the security experts who contributed to this document, it is unlikely that an agency with Internet connectivity would determine that the 20 Critical Controls were not applicable to that agency. However, if an agency CIO and CISO determine that some of the 20 Critical Controls are not applicable to their agency, this should also be documented using the processes outlined in 800-53.
Document Contributors
What makes this document effective is that it reflects knowledge of actual attacks and defines controls that would have stopped those attacks from being successful. To construct the document, the following types of people have provided first-hand knowledge and input regarding how computer and network attacks are being carried out and the defensive techniques that are most important in thwarting attacks:
- Blue team members inside the Department of Defense who are often called in when military commanders find their systems have been compromised and who perform initial incident response services on impacted systems
- Blue team members who provide services for non-DoD government agencies who identify prior intrusions while conducting vulnerability assessment activities
- US-CERT and other non-military incident response employees and consultants who are called upon by civilian agencies and companies to identify the most likely method by which systems and networks were compromised
- Military investigators who fight cyber crime
- The FBI and other police organizations that investigate cyber crime
- Cybersecurity experts at US Department of Energy laboratories and federally funded research and development centers
- DoD and private forensics experts who analyze computers that have been infected
- Red team members in DoD tasked with finding ways of circumventing military cyber defenses during their exercises
- Civilian penetration testers who test civilian government and commercial systems to determine how they can be penetrated with the goal of better understanding risk and implementing better defenses
- Federal CIOs and CISOs who have intimate knowledge of cyber attacks
Additionally, input from over one hundred other collaborators has been incorporated into the current version of the document. To assemble these Top 20 Critical Controls, these contributors first identified the most prevalent and damaging attack types and scenarios, so that appropriate defenses could be identified. These attacks are described in the introduction to each individual control in a section titled "How do attackers exploit the lack of this control?" Furthermore, Appendix B of this document provides a list of each of the attack types that fueled the development of the Top 20 Critical Controls.
The Twenty Critical Controls
These 20 critical security controls were agreed upon by knowledgeable individuals from the groups listed above. The list includes 15 controls that can be validated at least in part in an automated manner and five that must be validated manually. It is important to note that the 20 control categories are not presented in order of priority. The process of gathering these specific controls and subcontrols focused on identifying the highest priority defenses, and the resulting set represents a subset of the controls found in other audit guidelines and documents. Each of the 20 categories is important and offers high-priority techniques for thwarting real-world attacks.
Critical Controls Subject to Automated Collection, Measurement, and Validation:
- Inventory of Authorized and Unauthorized Devices
- Inventory of Authorized and Unauthorized Software
- Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
- Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- Boundary Defense
- Maintenance, Monitoring, and Analysis of Security Audit Logs
- Application Software Security
- Controlled Use of Administrative Privileges
- Controlled Access Based on Need to Know
- Continuous Vulnerability Assessment and Remediation
- Account Monitoring and Control
- Malware Defenses
- Limitation and Control of Network Ports, Protocols, and Services
- Wireless Device Control
- Data Loss Prevention
Additional Critical Controls (not directly supported by automated measurement and validation):
- Secure Network Engineering
- Penetration Tests and Red Team Exercises
- Incident Response Capability
- Data Recovery Capability
- Security Skills Assessment and Appropriate Training to Fill Gaps
In the pages that follow, each of these controls is described more fully. Descriptions include how attackers currently exploit the lack of the control, detailed subcontrols that describe what an organization needs to do in each area and requirements for measuring these activities, and suggestions regarding how standardized measurements can be applied. As pilot implementations are completed and agencies gain experience with automation, it is expected that the document will be expanded into a detailed audit guide that agency CIOs can use to ensure they are doing the right things for effective cyber defense and that IGs can use to verify the CIOs' tests.
Insider Threats vs. Outsider Threats
A quick review of the critical controls may lead some readers to think that they are heavily focused on outsider threats and may, therefore, not fully deal with insider attacks. In reality, the insider threat is well covered in these controls in two ways. First, specific controls such as maintenance of security audit logs, control of administrative privileges, controlled access based on need to know, data loss prevention, and effective incident response all directly address the key ways that insider threats can be mitigated. Second, the insider and outsider threats sometimes merge as outsiders penetrate security perimeters and effectively become "insiders." All of the controls that limit unauthorized access within the organization work to mitigate both insider and outsider threats. It is important to note that these controls are meant to deal with multiple kinds of computer attackers, including but not limited to malicious internal employees and contractors, independent individual external actors, organized crime groups, terrorists, and nation state actors, as well as mixes of these different threats. While these controls are designed to provide protection against each of these threats, very sophisticated, well-funded actors such as nation states may sometimes employ attack techniques that require extreme defenses that go beyond the scope of this document.
These controls are not limited to blocking only the initial compromise of systems, but also address detecting already-compromised machines, and preventing or disrupting attackers' actions. The defenses identified through these controls deal with decreasing the initial attack surface by hardening security, identifying already-compromised machines to address long-term threats inside an organization's network, controlling super-user privileges on systems, and disrupting attackers' command-and-control of implanted malicious code. Figure 1 illustrates the scope of different kinds of attacker activities that these controls are designed to help thwart.
The rings of Figure 1 represent the actions computer attackers often take against target machines. These actions include initially compromising a machine to establish a foothold by exploiting one or more vulnerabilities. Attackers can then maintain long-term access on a system, often by creating accounts, subverting existing accounts, or altering the software on the machine to include backdoors and rootkits. Attackers with access to machines can also cause damage, which could include stealing, altering, or destroying information; impairing the system's functionality to jeopardize its business effectiveness or mission; or using it as a jump-off point for compromise of other systems in the environment. Where these rings overlap, attackers have even more ability to compromise sensitive information or cause damage.
The various defensive strategies located outside of each set of rings in the figure are covered throughout the controls described in this document. Defenses in any of the rings help to limit the abilities of attackers, but improved defenses are required across all three rings and their intersections. It is important to note that the Twenty Critical Controls for Effective Cyber Defense are designed to help improve defenses across each of these rings, rather than to merely prevent initial compromise.
Figure 1: Types of Computer Attacker Activities These Controls Are Designed to Help Thwart
Relationship to Other Federal Guidelines, Recommendations, and Requirements
These controls are meant to reinforce and prioritize some of the most important elements of the guidelines, standards, and requirements put forth in other US Government documentation, such as NIST Special Publication 800-53: Recommended Security Controls for Federal Information Systems, SCAP, FDCC, FISMA, and Department of Homeland Security Software Assurance documents. These guidelines do not conflict with such recommendations. In fact, the guidelines set forth are a proper subset of the recommendations of NIST SP 800-53, designed so that organizations can focus on a specific set of actions associated with current threats and computer attacks they face every day. A draft of the mapping of individual controls in this document to specific recommendations of NIST SP 800-53 is included in Appendix A.
Periodic and Continual Testing of Controls
Each control included in this document describes a series of tests that organizations can conduct on a periodic or, in some cases, continual basis to ensure that appropriate defenses are in place. One of the goals of the tests described is to provide as much automation of testing as possible. By leveraging standardization efforts and repositories of content like SCAP, these automated test suites and scripts can be highly sharable between organizations, consistent to a large extent, and easily used by auditors for validation. A key element to support automation of measurement is the management infrastructure of the enterprise network. Well managed networks tend to have enterprise tools for remotely gathering, analyzing, and updating the configuration of workstations, servers, and network equipment on a fine-grained basis.
It is important to note that, at various phases of the tests described in the controls, human testers are needed to set up tests or evaluate results in a fashion that cannot be automated. The testers responsible for measuring such controls must be trusted individuals, as the test may require them to access sensitive systems or data in the course of their tests. Without appropriate authorization, background checks, and possibly clearance, such tests may be impossible. Such tests should also be supervised or reviewed by appropriate agency officials well versed in lawful monitoring and analysis of Information Technology systems as well as regulatory requirements for protecting sensitive Personally Identifiable Information.
Future Evolution of the Twenty Critical Controls for Effective Cyber Defense
The consensus effort to define critical security controls is an evolving effort. In fact, changing technology and changing attack patterns will necessitate future changes even after the current set of controls has been finalized. In a sense, this will be a living document moving forward, but the controls described in this version are a solid start on the quest to make fundamental computer security defenses a well understood, repeatable, measurable, scalable, and reliable process throughout the federal government.
Description of Controls
Additional Security Controls
The following sections identify additional controls that are important but cannot be fully automatically or continuously monitored to the same degree as the controls covered earlier in this document.
Summary
This document has been developed through the collaboration of a diverse set of security experts. While there is no such thing as absolute protection, proper implementation of the security controls identified in this document will ensure that an organization is protecting against the most significant attacks. As attacks change, additional controls or tools become available, or the state of common security practice advances, this document will be updated to reflect what is viewed by the collaborating authors as the most important security controls to defend against cyber attacks.
Appendix A: Mapping between Top 20 Critical Controls and NIST SP 800-53 Rev 3 Priority 1 Items
This mapping relates the controls set forth in this document to NIST SP 800-53 Rev 3. Please note that the NIST controls may impose additional requirements beyond those explicitly stated in this document.
| Control | References |
| --- | --- |
| Critical Control 1: Inventory of Authorized and Unauthorized Devices | CM-8 (a, c, d, 2, 3, 4), PM-5, PM-6 |
| Critical Control 2: Inventory of Authorized and Unauthorized Software | CM-1, CM-2 (2, 4, 5), CM-3, CM-5 (2, 7), CM-7 (1, 2), CM-8 (1, 2, 3, 4, 6), CM-9, PM-6, SA-6, SA-7 |
| Critical Control 3: Secure Configurations for Hardware and Software | CM-1, CM-2 (1, 2), CM-3 (b, c, d, e, 2, 3), CM-5 (2), CM-6 (1, 2, 4), CM-7 (1), SA-1 (a), SA-4 (5), SI-7 (3), PM-6 |
| Critical Control 4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches | AC-4 (7, 10, 11, 16), CM-1, CM-2 (1), CM-3 (2), CM-5 (1, 2, 5), CM-6 (4), CM-7 (1, 3), IA-2 (1, 6), IA-5, IA-8, RA-5, SC-7 (2, 4, 5, 6, 8, 11, 13, 14, 18), SC-9 |
| Critical Control 5: Boundary Defense | AC-17 (1), AC-20, CA-3, IA-2 (1, 2), IA-8, RA-5, SC-7 (1, 2, 3, 8, 10, 11, 14), SC-18, SI-4 (c, 1, 4, 5, 11), PM-7 |
| Critical Control 6: Maintenance, Monitoring and Analysis of Security Audit Logs | AC-17 (1), AC-19, AU-2 (4), AU-3 (1, 2), AU-4, AU-5, AU-6 (a, 1, 5), AU-8, AU-9 (1, 2), AU-12 (2), SI-4 (8) |
| Critical Control 7: Application Software Security | CM-7, RA-5 (a, 1), SA-3, SA-4 (3), SA-8, SI-3, SI-10 |
| Critical Control 8: Controlled Use of Administrative Privileges | AC-6 (2, 5), AC-17 (3), AC-19, AU-2 (4) |
| Critical Control 9: Controlled Access Based on Need to Know | AC-1, AC-2 (b, c), AC-3 (4), AC-4, AC-6, MP-3, RA-2 (a) |
| Critical Control 10: Continuous Vulnerability Assessment and Remediation | RA-3 (a, b, c, d), RA-5 (a, b, 1, 2, 5, 6) |
| Critical Control 11: Account Monitoring and Control | AC-2 (e, f, g, h, j, 2, 3, 4, 5), AC-3 |
| Critical Control 12: Malware Defenses | SC-18, SC-26, SI-3 (a, b, 1, 2, 5, 6) |
| Critical Control 13: Limitation and Control of Network Ports, Protocols, and Services | CM-6 (a, b, d, 2, 3), CM-7 (1), SC-7 (4, 5, 11, 12) |
| Critical Control 14: Wireless Device Control | AC-17, AC-18 (1, 2, 3, 4), SC-9 (1), SC-24, SI-4 (14, 15) |
| Critical Control 15: Data Loss Prevention | AC-4, MP-2 (2), MP-4 (1), SC-7 (6, 10), SC-9, SC-13, SC-28 (1), SI-4 (4, 11), PM-7 |
| Critical Control 16: Secure Network Engineering | IR-4 (2), SA-8, SC-7 (1, 13), SC-20, SC-21, SC-22, PM-7 |
| Critical Control 17: Penetration Tests and Red Team Exercises | CA-2 (1, 2), CA-7 (1, 2), RA-3, RA-5 (4, 9), SA-12 (7) |
| Critical Control 18: Incident Response Capability | IR-1, IR-2 (1), IR-4, IR-5, IR-6 (a), IR-8 |
| Critical Control 19: Data Recovery Capability | CP-9 (a, b, d, 1, 3), CP-10 (6) |
| Critical Control 20: Security Skills Assessment and Appropriate Training To Fill Gaps | AT-1, AT-2 (1), AT-3 (1) |
Appendix B: Attack Types
As described in the introduction to the Twenty Critical Controls, numerous contributors who are responsible for responding to actual attacks or conducting Red Team exercises were involved in the creation of this document. The resulting controls are therefore based on first-hand knowledge of real-world attacks and the associated defenses.
| Attack Summary | Most Directly Related Control |
| --- | --- |
| Attackers continually scan for new, unprotected systems, including test or experimental systems, and exploit such systems to gain control of them. | 1 |
| Attackers continually scan for vulnerable software and exploit it to gain control of target machines. | 2 |
| Attackers distribute hostile content on Internet-accessible (and sometimes internal) websites that exploits unpatched and improperly secured client software running on victim machines. | 2 |
| Attackers use currently infected or compromised machines to identify and exploit other vulnerable machines across an internal network. | 2 |
| Attackers exploit weak default configurations of systems that are more geared to ease of use than security. | 3 |
| Attackers exploit and infiltrate through network devices whose security configuration has been weakened over time by granting, for specific short-term business needs, supposedly temporary exceptions that are never removed. | 4 |
| Attackers exploit boundary systems on Internet-accessible DMZ networks, and then pivot to gain deeper access on internal networks. | 5 |
| Attackers operate undetected for extended periods of time on compromised systems because of a lack of logging and log review. | 6 |
| Attackers exploit weak application software, particularly web applications, through attack vectors such as SQL injection, Cross-Site Scripting, and related issues. | 7 |
| Attackers trick a user with an administrator-level account into opening a phishing-style e-mail with an attachment or surfing to the attacker's content on an Internet website, allowing the attacker's malicious code or exploit to run on the victim machine with full administrator privileges. | 8 |
| Attackers escalate their privileges on victim machines by launching password guessing, password cracking, or privilege escalation exploits to gain administrator control of systems, which is then used to propagate to other victim machines across an enterprise. | 8 |
| Attackers gain access to sensitive documents in an organization that does not properly identify and protect sensitive information, separating it from non-sensitive information. | 9 |
| Attackers exploit new vulnerabilities on systems that lack critical patches in organizations that do not know that they are vulnerable because they lack continuous vulnerability assessments and effective remediation. | 10 |
| Attackers compromise inactive user accounts left behind by temporary workers, contractors, and former employees, including accounts left behind by the attackers themselves when they are former employees. | 11 |
| Attackers use malicious code to gain and maintain control of target machines, capture sensitive data, and spread to other systems, sometimes wielding code that disables or dodges signature-based anti-virus tools. | 12 |
| Attackers scan for remotely accessible services on target systems that are often unneeded for business activities, but provide an avenue of attack and compromise of the organization. | 13 |
| Attackers exploit wireless access points to gain entry into a target organization's internal network, as well as exploit wireless client systems to steal sensitive information. | 14 |
| Attackers who gain access to internal enterprise systems gather and exfiltrate sensitive information without detection by the victim organization. | 15 |
| Attackers exploit poorly designed network architectures by locating unneeded or unprotected connections, weak filtering, or a lack of separation of important systems or business functions. | 16 |
| Attackers compromise target organizations that do not exercise their defenses to determine and continually improve their effectiveness. | 17 |
| Attackers operate undiscovered in organizations without effective incident response capabilities, and when they are discovered, such organizations often cannot properly contain the attack, eradicate the attacker's presence, and recover to a secure production state. | 18 |
| Attackers who compromise systems may alter important data, potentially jeopardizing organizational effectiveness via polluted information. | 19 |
| Attackers exploit users and system administrators via social engineering scams that work because of a lack of security skills and awareness. | 20 |