To secure against cyber attacks, organizations must vigorously defend their networks and systems from a variety of internal and external threats. They must also be prepared to detect and thwart damaging follow-on attack activities inside a network that has already been compromised. Two guiding principles are: "Prevention is ideal but detection is a must" and "Offense informs defense."
The goal of the Critical Controls is to protect critical assets, infrastructure, and information by strengthening your organization's defensive posture through continuous, automated protection and monitoring of your sensitive information technology infrastructure to reduce compromises, minimize the need for recovery efforts, and lower associated costs.
The strength of the Critical Controls is that they reflect the combined knowledge of actual attacks and effective defenses of experts in the many organizations that have exclusive and deep knowledge about current threats. These experts come from multiple agencies of the U.S. Department of Defense, Nuclear Laboratories of the U.S. Department of Energy, the U.S. Computer Emergency Readiness Team of the U.S. Department of Homeland Security, the United Kingdom's Centre for the Protection of Critical Infrastructure, the FBI and other law enforcement agencies, the Australian Defence Signals Directorate and government and civilian penetration testers and incident handlers. Top experts from all these organizations pooled their extensive first-hand knowledge of actual cyber attacks and developed a consensus list of the best defensive techniques to stop them. This has ensured that the Critical Controls are the most effective and specific set of technical measures available to detect, prevent, and mitigate damage from the most common and damaging of those attacks.
In addition, the Consortium for Cybersecurity Action (CCA) was established in 2012 to ensure that updated versions of the Critical Controls incorporate the most relevant threat information and to share lessons learned by organizations implementing them.1 The roster of government agencies and private organizations from around the world participating in the CCA has expanded significantly, and each member is committed to sharing information on the latest attacks and root causes of those attacks.
Thus, the Controls are both a living document updated regularly based on changing threats as well as a solid, prioritized program for making fundamental computer security defenses a well-understood, replicable, measurable, scalable, reliable, automatable, and continuous process. The Controls deal with multiple kinds of computer attackers, including malicious internal employees and contractors, independent individual external actors, organized crime groups, terrorists, and nation-state actors, as well as mixes of these different threats.
The Controls are not limited to blocking the initial compromise of systems, but also address detecting already-compromised machines and preventing or disrupting attackers' follow-on actions. The defenses identified through these controls deal with reducing the initial attack surface by hardening security, identifying compromised machines to address long-term threats inside an organization's network, and disrupting attackers' command-and-control of implanted malicious code.
The Critical Controls encompass and amplify efforts over the last decade to develop security standards, including the Security Content Automation Program (SCAP) sponsored by the National Institute of Standards and Technology (NIST) and the Associated Manageable Network Plan Milestones and Network Security Tasks developed by the National Security Agency (NSA). In particular, NSA's work allowed for prioritizing the controls based on whether they address operational conditions being actively targeted and exploited, combat a large number of attacks, block attacks early in the compromise cycle, and deal with an expected high impact of successful exploitation. The Controls focus on automation to provide cost efficiency, measurable results, scalability, and reliability.
The five critical tenets of an effective cyber defense system as reflected in the Critical Controls are:
Hundreds of organizations from national cybersecurity agencies to medium-sized companies have adopted the Critical Controls as their standard of due care, and some are reporting benefits beyond improved security.2 With so many organizations asking for the same controls, buyers report that more vendors are competing aggressively by offering lower prices, especially when government agencies band together to buy in volume.
Dozens of early adopters of the Critical Controls have shared their experiences and lessons learned with the Consortium for Cybersecurity Action (CCA). A pattern has emerged of steps common to many organizations that have made substantial progress in reducing risk using the Critical Controls:
The CCA is putting together detailed case studies that it will make available to help organizations implement each of these steps.
The presentation of each Critical Control in this document includes:
This document has been developed through the collaboration of a diverse set of security experts. While there is no such thing as absolute protection, proper implementation of the security controls identified in this document will ensure that an organization is protecting itself against the most significant attacks. As attacks change, additional controls or tools become available, or the state of common security practice advances, this document will continue to be updated to reflect what is viewed by the collaborating authors as the most important security controls to defend against cyber attacks.
Given that these critical controls so closely track current threats and attacks, we recommend that CIOs and CISOs consider several immediate actions to ensure the effectiveness of their security programs:
1 The CCA is led by Tony Sager, the recently retired Chief Operating Officer of the U.S. National Security Agency’s (NSA) Information Assurance Directorate who previously managed the Vulnerability Analysis & Operations Group of NSA.
2 As reported by the Consortium for Cybersecurity Action.
3 Five "quick wins" delineated in Critical Controls 2, 3, and 4 (with one repeated in Control 12) are highlighted as the "First Five." They are being implemented first by the most security-aware and skilled organizations because they are the most effective means yet found to stop the wave of targeted intrusions that are doing the greatest damage to many organizations. The "First Five" cover (1) software white listing, (2) secure standard configurations, (3) application security patch installation within 48 hours, (4) system security patch installation within 48 hours, and (5) ensuring administrative privileges are not active while browsing the web or handling email. Most organizations monitor the coverage and effectiveness of these sub-controls through Continuous Monitoring and Mitigation as outlined in Critical Control 4.
This mapping relates the Critical Controls set forth in this document to National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 3. Please note that the NIST controls may impose additional requirements beyond those explicitly stated in this document.
|Critical Control 1: Inventory of Authorized and Unauthorized Devices||CM-8 (a, c, d, 2, 3, 4), PM-5, PM-6|
|Critical Control 2: Inventory of Authorized and Unauthorized Software||CM-1, CM-2 (2, 4, 5), CM-3, CM-5 (2, 7), CM-7 (1, 2), CM-8 (1, 2, 3, 4, 6), CM-9, PM-6, SA-6, SA-7|
|Critical Control 3: Secure Configurations for Hardware and Software||CM-1, CM-2 (1, 2), CM-3 (b, c, d, e, 2, 3), CM-5 (2), CM-6 (1, 2, 4), CM-7 (1), SA-1 (a), SA-4 (5), SI-7 (3), PM-6|
|Critical Control 4: Continuous Vulnerability Assessment and Remediation||RA-3 (a, b, c, d), RA-5 (a, b, 1, 2, 5, 6)|
|Critical Control 5: Malware Defenses||SC-18, SC-26, SI-3 (a, b, 1, 2, 5, 6)|
|Critical Control 6: Application Software Security||CM-7, RA-5 (a, 1), SA-3, SA-4 (3), SA-8, SI-3, SI-10|
|Critical Control 7: Wireless Device Control||AC-17, AC-18 (1, 2, 3, 4), SC-9 (1), SC-24, SI-4 (14, 15)|
|Critical Control 8: Data Recovery Capability||CP-9 (a, b, d, 1, 3), CP-10 (6)|
|Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps||AT-1, AT-2 (1), AT-3 (1)|
|Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches||AC-4 (7, 10, 11, 16), CM-1, CM-2 (1), CM-3 (2), CM-5 (1, 2, 5), CM-6 (4), CM-7 (1, 3), IA-2 (1, 6), IA-5, IA-8, RA-5, SC-7 (2, 4, 5, 6, 8, 11, 13, 14, 18), SC-9|
|Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services||CM-6 (a, b, d, 2, 3), CM-7 (1), SC-7 (4, 5, 11, 12)|
|Critical Control 12: Controlled Use of Administrative Privileges||AC-6 (2, 5), AC-17 (3), AC-19, AU-2 (4)|
|Critical Control 13: Boundary Defense||AC-17 (1), AC-20, CA-3, IA-2 (1, 2), IA-8, RA-5, SC-7 (1, 2, 3, 8, 10, 11, 14), SC-18, SI-4 (c, 1, 4, 5, 11), PM-7|
|Critical Control 14: Maintenance, Monitoring, and Analysis of Security Audit Logs||AC-17 (1), AC-19, AU-2 (4), AU-3 (1,2), AU-4, AU-5, AU-6 (a, 1, 5), AU-8, AU-9 (1, 2), AU-12 (2), SI-4 (8)|
|Critical Control 15: Controlled Access Based on the Need to Know||AC-1, AC-2 (b, c), AC-3 (4), AC-4, AC-6, MP-3, RA-2 (a)|
|Critical Control 16: Account Monitoring and Control||AC-2 (e, f, g, h, j, 2, 3, 4, 5), AC-3|
|Critical Control 17: Data Loss Prevention||AC-4, MP-2 (2), MP-4 (1), SC-7 (6, 10), SC-9, SC-13, SC-28 (1), SI-4 (4, 11), PM-7|
|Critical Control 18: Incident Response Capability||IR-1, IR-2 (1), IR-4, IR-5, IR-6 (a), IR-8|
|Critical Control 19: Secure Network Engineering||IR-4 (2), SA-8, SC-7 (1, 13), SC-20, SC-21, SC-22, PM-7,|
|Critical Control 20: Penetration Tests and Red Team Exercises||CA-2 (1, 2), CA-7 (1, 2), RA-3, RA-5 (4, 9), SA-12 (7)|
As described in the Introduction, numerous contributors who are responsible for responding to actual attacks or conducting red team exercises were involved in the creation of this document. The resulting Critical Controls are therefore based on first-hand knowledge of real-world attacks and the associated defenses.
|Attack Summary||Most Directly Related Control|
|Attackers continually scan for new, unprotected systems, including test or experimental systems, and exploit such systems to gain control of them.||1|
|Attackers distribute hostile content on Internet-accessible (and sometimes internal) websites that exploit unpatched and improperly secured client software running on victim machines.||2, 3|
|Attackers continually scan for vulnerable software and exploit it to gain control of target machines.||2, 4|
|Attackers use currently infected or compromised machines to identify and exploit other vulnerable machines across an internal network.||2, 10|
|Attackers exploit weak default configurations of systems that are more geared to ease of use than security.||3, 10|
|Attackers exploit new vulnerabilities on systems that lack critical patches in organizations that do not know that they are vulnerable because they lack continuous vulnerability assessments and effective remediation.||4, 5|
|Attackers compromise target organizations that do not exercise their defenses to determine and continually improve their effectiveness.||4, 5, 11, 20|
|Attackers use malicious code to gain and maintain control of target machines, capture sensitive data, and then spread it to other systems, sometimes wielding code that disables or dodges signature-based anti-virus tools.||5, 15, 17|
|Attackers scan for remotely accessible services on target systems that are often unneeded for business activities, but provide an avenue of attack and compromise of the organization.||5, 10, 11|
|Attackers exploit weak application software, particularly web applications, through attack vectors such as SQL injection, cross-site scripting, and similar tools.||6, 20|
|Attackers exploit wireless access points to gain entry into a target organization's internal network, and exploit wireless client systems to steal sensitive information.||7|
|Attackers exploit users and system administrators via social engineering scams that work because of a lack of security skills and awareness.||9, 12, 16|
|Attackers exploit and infiltrate through network devices whose security configuration has been weakened over time by granting, for specific short-term business needs, supposedly temporary exceptions that are never removed.||10, 13|
|Attackers trick a user with an administrator-level account into opening a phishing-style e-mail with an attachment or surfing to the attacker's content on an Internet website, allowing the attacker's malicious code or exploit to run on the victim machine with full administrator privileges.||9, 12|
|Attackers exploit boundary systems on Internet-accessible DMZ networks, and then pivot to gain deeper access on internal networks.||13, 19|
|Attackers exploit poorly designed network architectures by locating unneeded or unprotected connections, weak filtering, or a lack of separation of important systems or business functions.||13, 19|
|Attackers operate undetected for extended periods of time on compromised systems because of a lack of logging and log review.||14|
|Attackers gain access to sensitive documents in an organization that does not properly identify and protect sensitive information or separate it from nonsensitive information.||15, 17|
|Attackers compromise inactive user accounts left behind by temporary workers, contractors, and former employees, including accounts left behind by the attackers themselves who are former employees.||16|
|Attackers escalate their privileges on victim machines by launching password guessing, password cracking, or privilege escalation exploits to gain administrator control of systems, which is then used to propagate to other victim machines across an enterprise.||12, 16|
|Attackers gain access to internal enterprise systems and gather and exfiltrate sensitive information without detection by the victim organization.||17|
|Attackers compromise systems and alter important data, potentially jeopardizing organizational effectiveness via polluted information.||15, 17|
|Attackers operate undiscovered in organizations without effective incident-response capabilities, and when the attackers are discovered, the organizations often cannot properly contain the attack, eradicate the attacker's presence, or recover to a secure production state.||18|