CSIS: 20 Critical Security Controls - Version 4.1

Introduction: Critical Controls for Effective Cyber Defense

To secure against cyber attacks, organizations must vigorously defend their networks and systems from a variety of internal and external threats. They must also be prepared to detect and thwart damaging follow-on attack activities inside a network that has already been compromised. Two guiding principles are: "Prevention is ideal but detection is a must" and "Offense informs defense."

The Goal of the Critical Controls

The goal of the Critical Controls is to protect critical assets, infrastructure, and information by strengthening your organization's defensive posture through continuous, automated protection and monitoring of your sensitive information technology infrastructure to reduce compromises, minimize the need for recovery efforts, and lower associated costs.

Why the Controls Work So Well: Methodology and Contributors

The strength of the Critical Controls is that they reflect the combined knowledge of actual attacks and effective defenses of experts in the many organizations that have exclusive and deep knowledge about current threats. These experts come from multiple agencies of the U.S. Department of Defense, Nuclear Laboratories of the U.S. Department of Energy, the U.S. Computer Emergency Readiness Team of the U.S. Department of Homeland Security, the United Kingdom's Centre for the Protection of Critical Infrastructure, the FBI and other law enforcement agencies, the Australian Defence Signals Directorate and government and civilian penetration testers and incident handlers. Top experts from all these organizations pooled their extensive first-hand knowledge of actual cyber attacks and developed a consensus list of the best defensive techniques to stop them. This has ensured that the Critical Controls are the most effective and specific set of technical measures available to detect, prevent, and mitigate damage from the most common and damaging of those attacks.

In addition, the Consortium for Cybersecurity Action (CCA) was established in 2012 to ensure that updated versions of the Critical Controls incorporate the most relevant threat information and to share lessons learned by organizations implementing them.[1] The roster of government agencies and private organizations from around the world participating in the CCA has expanded significantly, and each member is committed to sharing information on the latest attacks and root causes of those attacks.

Thus, the Controls are both a living document, updated regularly as threats change, and a solid, prioritized program for making fundamental computer security defenses a well-understood, replicable, measurable, scalable, reliable, automatable, and continuous process. The Controls deal with multiple kinds of computer attackers, including malicious internal employees and contractors, independent individual external actors, organized crime groups, terrorists, and nation-state actors, as well as mixes of these different threats.

The Controls are not limited to blocking the initial compromise of systems, but also address detecting already-compromised machines and preventing or disrupting attackers' follow-on actions. The defenses identified through these controls deal with reducing the initial attack surface by hardening security, identifying compromised machines to address long-term threats inside an organization's network, and disrupting attackers' command-and-control of implanted malicious code.

Building on Lessons Learned from Developing Cybersecurity Standards

The Critical Controls encompass and amplify efforts over the last decade to develop security standards, including the Security Content Automation Program (SCAP) sponsored by the National Institute of Standards and Technology (NIST) and the Associated Manageable Network Plan Milestones and Network Security Tasks developed by the National Security Agency (NSA). In particular, NSA's work allowed for prioritizing the controls based on whether they address operational conditions being actively targeted and exploited, combat a large number of attacks, block attacks early in the compromise cycle, and deal with an expected high impact of successful exploitation. The Controls focus on automation to provide cost efficiency, measurable results, scalability, and reliability.

The five critical tenets of an effective cyber defense system as reflected in the Critical Controls are:

  • Offense informs defense: Use knowledge of actual attacks that have compromised systems to provide the foundation to build effective, practical defenses. Include only those controls that can be shown to stop known real-world attacks.
  • Prioritization: Invest first in controls that will provide the greatest risk reduction and protection against the most dangerous threat actors, and that can be feasibly implemented in your computing environment.
  • Metrics: Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quickly.
  • Continuous monitoring: Carry out continuous monitoring to test and validate the effectiveness of current security measures.
  • Automation: Automate defenses so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to the controls and related metrics.

Unanticipated Benefit

Hundreds of organizations from national cybersecurity agencies to medium-sized companies have adopted the Critical Controls as their standard of due care, and some are reporting benefits beyond improved security.[2] With so many organizations asking for the same controls, buyers report that more vendors are competing aggressively by offering lower prices, especially when government agencies band together to buy in volume.

How Organizations Are Applying the Controls

Dozens of early adopters of the Critical Controls have shared their experiences and lessons learned with the Consortium for Cybersecurity Action (CCA). A pattern has emerged of steps common to many organizations that have made substantial progress in reducing risk using the Critical Controls:

  • Step 1. Perform Initial Gap Assessment - determining what has been implemented and where gaps remain for each control and sub-control.
  • Step 2. Develop an Implementation Roadmap - selecting the specific controls (and sub-controls) to be implemented in each phase, and scheduling the phases based on business risk considerations.
  • Step 3. Implement the First Phase of Controls - identifying existing tools that can be repurposed or more fully utilized, new tools to acquire, processes to be enhanced, and skills to be developed through training.
  • Step 4. Integrate Controls into Operations - focusing on continuous monitoring and mitigation and weaving new processes into standard acquisition and systems management operations.
  • Step 5. Report and Manage Progress against the Implementation Roadmap developed in Step 2. Then repeat Steps 3-5 in the next phase of the Roadmap.

The CCA is putting together detailed case studies that it will make available to help organizations implement each of these steps.

Structure of the Critical Controls Document

The presentation of each Critical Control in this document includes:

  • Proof that the control blocks known attacks and an explanation of how attackers actively exploit the absence of this control.
  • Listing of the specific actions that organizations are taking to implement, automate, and measure effectiveness of this control. The sub-controls are grouped into four categories:

      - Quick wins that provide solid risk reduction without major procedural, architectural, or technical changes to an environment, or that provide such substantial and immediate risk reduction against very common attacks that most security-aware organizations prioritize these key controls.[3]
      - Visibility and attribution measures to improve the process, architecture, and technical capabilities of organizations to monitor their networks and computer systems to detect attack attempts, locate points of entry, identify already-compromised machines, interrupt infiltrated attackers' activities, and gain information about the sources of an attack.
      - Improved information security configuration and hygiene to reduce the number and magnitude of security vulnerabilities and improve the operations of networked computer systems, with a focus on protecting against poor security practices by system administrators and end-users that could give an attacker an advantage.
      - Advanced sub-controls that use new technologies that provide maximum security but are harder to deploy or more expensive than commoditized security solutions.
  • Associated NIST Special Publication 800-53 controls and NSA network security tasks corresponding to each Critical Control.
  • Procedures and tools that enable implementation and automation.
  • Metrics and tests to assess implementation status and effectiveness.
  • Sample entity relationship diagrams that show components of implementation.

Description of Controls

Summary and Action Plan

This document has been developed through the collaboration of a diverse set of security experts. While there is no such thing as absolute protection, proper implementation of the security controls identified in this document will ensure that an organization is protecting itself against the most significant attacks. As attacks change, additional controls or tools become available, or the state of common security practice advances, this document will continue to be updated to reflect what is viewed by the collaborating authors as the most important security controls to defend against cyber attacks.

Action Plan

Given that these critical controls so closely track current threats and attacks, we recommend that CIOs and CISOs consider several immediate actions to ensure the effectiveness of their security programs:

  1. Conduct a gap assessment to compare the organization's current security stance to the detailed recommendations of the Critical Controls.
  2. Implement the "First Five" and other "quick win" Critical Controls to address the gaps identified by the assessment over the next one or two quarters.
  3. Assign security personnel to analyze and understand how Critical Controls beyond the quick wins can be deployed in the organization's environment.
  4. Devise detailed plans to implement the "visibility and attribution" and "hardened configuration and improved information security hygiene" Critical Controls over the next year.
  5. Plan for deployment of the "advanced controls" over the longer term.

Notes

[1] The CCA is led by Tony Sager, the recently retired Chief Operating Officer of the U.S. National Security Agency's (NSA) Information Assurance Directorate, who previously managed the Vulnerability Analysis & Operations Group of NSA.

[2] As reported by the Consortium for Cybersecurity Action.

[3] Five "quick wins" delineated in Critical Controls 2, 3, and 4 (with one repeated in Control 12) are highlighted as the "First Five." They are being implemented first by the most security-aware and skilled organizations because they are the most effective means yet found to stop the wave of targeted intrusions that are doing the greatest damage to many organizations. The "First Five" cover (1) software whitelisting, (2) secure standard configurations, (3) application security patch installation within 48 hours, (4) system security patch installation within 48 hours, and (5) ensuring administrative privileges are not active while browsing the web or handling email. Most organizations monitor the coverage and effectiveness of these sub-controls through Continuous Monitoring and Mitigation as outlined in Critical Control 4.
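As an added example of how the First Five can be turned into the automated, continuous measurement the Controls call for (this is not code from the SANS/CCA document), the Python script below checks a constructed host inventory against each of the five sub-controls and reports, per item, the share of hosts with no finding. The allow-list, baseline settings, host records, the set of "exposed" applications that handle web content and e-mail, and the record layout are all assumptions; only the 48-hour patch threshold comes from the note above.

```python
"""Continuous-monitoring check for the "First Five" quick wins.

Added example, not part of the SANS/CCA document. The host records, the
allow-list and the baseline settings are constructed for illustration;
the 48-hour patch threshold is the one stated in the First Five note.
"""
from datetime import datetime, timedelta, timezone

PATCH_SLA = timedelta(hours=48)                          # from the note: patch within 48 hours
NOW = datetime(2013, 5, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock so results are reproducible

# Constructed allow-list, baseline and exposed-application set (assumptions).
ALLOWED_SOFTWARE = {"office-suite", "browser", "mail-client", "vpn-client", "edr-agent"}
BASELINE = {"firewall_enabled": True, "autorun_disabled": True, "screen_lock_minutes": 15}
EXPOSED_APPS = {"browser", "mail-client"}                # processes that handle web content and e-mail


def patch_findings(item, patches, now):
    """Flag patches applied (or still missing) more than PATCH_SLA after vendor release."""
    out = []
    for name, released, applied in patches:
        lag = (applied or now) - released                # missing patch: lag keeps growing
        if lag > PATCH_SLA:                              # exactly 48h still counts as on time
            state = "applied" if applied else "still missing"
            out.append((item, f"{name}: {state} {lag.total_seconds() / 3600:.0f}h after release"))
    return out


def check_host(host, now=NOW):
    """Return (first_five_item, message) findings for one host record."""
    findings = []
    # (1) software whitelisting: anything outside the allow-list is a finding
    for pkg in sorted(set(host["installed"]) - ALLOWED_SOFTWARE):
        findings.append((1, f"unauthorized software installed: {pkg}"))
    # (2) secure standard configuration: every baseline key must match
    for key, expected in BASELINE.items():
        actual = host["config"].get(key)
        if actual != expected:
            findings.append((2, f"{key}={actual!r}, baseline requires {expected!r}"))
    # (3) application patches and (4) system patches within 48 hours
    findings += patch_findings(3, host["app_patches"], now)
    findings += patch_findings(4, host["os_patches"], now)
    # (5) no administrative privileges while browsing or handling e-mail
    for proc, user, is_admin in host["processes"]:
        if proc in EXPOSED_APPS and is_admin:
            findings.append((5, f"{proc} running with admin privileges as {user}"))
    return findings


def coverage(hosts, now=NOW):
    """Per-item fraction of hosts with no finding: the metric reported upward."""
    results = {h["name"]: check_host(h, now) for h in hosts}
    metric = {}
    for item in range(1, 6):
        clean = sum(1 for f in results.values() if all(i != item for i, _ in f))
        metric[item] = clean / len(hosts)
    return results, metric


def hrs(n):
    return timedelta(hours=n)


# Constructed sample inventory: three hosts with a mix of compliant and late states.
SAMPLE_HOSTS = [
    {"name": "ws-01",
     "installed": ["office-suite", "browser", "edr-agent"],
     "config": dict(BASELINE),
     "app_patches": [("browser-2013-04", NOW - hrs(72), NOW - hrs(60))],    # 12h lag: ok
     "os_patches": [("kernel-2013-04", NOW - hrs(120), NOW - hrs(60))],     # 60h lag: late
     "processes": [("browser", "alice", False)]},
    {"name": "ws-02",
     "installed": ["office-suite", "browser", "mail-client", "p2p-client"],
     "config": {**BASELINE, "firewall_enabled": False},
     "app_patches": [("mail-client-2013-04", NOW - hrs(96), None)],         # 96h and not applied
     "os_patches": [("kernel-2013-04", NOW - hrs(120), NOW - hrs(48))],     # 72h lag: late
     "processes": [("mail-client", "bob", True)]},
    {"name": "srv-01",
     "installed": ["vpn-client", "edr-agent"],
     "config": dict(BASELINE),
     "app_patches": [],
     "os_patches": [("kernel-2013-04", NOW - hrs(120), NOW - hrs(72))],     # exactly 48h: ok
     "processes": [("sshd", "root", True)]},                                # admin, but not an exposed app
]


def run_example():
    return coverage(SAMPLE_HOSTS)


if __name__ == "__main__":
    results, metric = run_example()
    for name, findings in results.items():
        print(name, findings or "compliant")
    for item, share in metric.items():
        print(f"First Five item {item}: {share:.0%} of hosts compliant")
```

The boundary case is deliberate: a patch applied exactly 48 hours after release is on time, one applied an hour later is not, and a patch that is still missing is measured against the current clock so its lag keeps growing until it is fixed. Item (5) is judged only for the exposed applications, so an administrator's SSH session on a server is not a finding while a mail client running with admin rights on a workstation is.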

Appendix A: Mapping between the Critical Controls and National Institute of Standards and Technology Special Publication 800-53, Revision 3, Priority 1 Items

This mapping relates the Critical Controls set forth in this document to National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 3. Please note that the NIST controls may impose additional requirements beyond those explicitly stated in this document.

Control | NIST SP 800-53 Rev. 3 References
--- | ---
Critical Control 1: Inventory of Authorized and Unauthorized Devices | CM-8 (a, c, d, 2, 3, 4), PM-5, PM-6
Critical Control 2: Inventory of Authorized and Unauthorized Software | CM-1, CM-2 (2, 4, 5), CM-3, CM-5 (2, 7), CM-7 (1, 2), CM-8 (1, 2, 3, 4, 6), CM-9, PM-6, SA-6, SA-7
Critical Control 3: Secure Configurations for Hardware and Software | CM-1, CM-2 (1, 2), CM-3 (b, c, d, e, 2, 3), CM-5 (2), CM-6 (1, 2, 4), CM-7 (1), SA-1 (a), SA-4 (5), SI-7 (3), PM-6
Critical Control 4: Continuous Vulnerability Assessment and Remediation | RA-3 (a, b, c, d), RA-5 (a, b, 1, 2, 5, 6)
Critical Control 5: Malware Defenses | SC-18, SC-26, SI-3 (a, b, 1, 2, 5, 6)
Critical Control 6: Application Software Security | CM-7, RA-5 (a, 1), SA-3, SA-4 (3), SA-8, SI-3, SI-10
Critical Control 7: Wireless Device Control | AC-17, AC-18 (1, 2, 3, 4), SC-9 (1), SC-24, SI-4 (14, 15)
Critical Control 8: Data Recovery Capability | CP-9 (a, b, d, 1, 3), CP-10 (6)
Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps | AT-1, AT-2 (1), AT-3 (1)
Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches | AC-4 (7, 10, 11, 16), CM-1, CM-2 (1), CM-3 (2), CM-5 (1, 2, 5), CM-6 (4), CM-7 (1, 3), IA-2 (1, 6), IA-5, IA-8, RA-5, SC-7 (2, 4, 5, 6, 8, 11, 13, 14, 18), SC-9
Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services | CM-6 (a, b, d, 2, 3), CM-7 (1), SC-7 (4, 5, 11, 12)
Critical Control 12: Controlled Use of Administrative Privileges | AC-6 (2, 5), AC-17 (3), AC-19, AU-2 (4)
Critical Control 13: Boundary Defense | AC-17 (1), AC-20, CA-3, IA-2 (1, 2), IA-8, RA-5, SC-7 (1, 2, 3, 8, 10, 11, 14), SC-18, SI-4 (c, 1, 4, 5, 11), PM-7
Critical Control 14: Maintenance, Monitoring, and Analysis of Security Audit Logs | AC-17 (1), AC-19, AU-2 (4), AU-3 (1, 2), AU-4, AU-5, AU-6 (a, 1, 5), AU-8, AU-9 (1, 2), AU-12 (2), SI-4 (8)
Critical Control 15: Controlled Access Based on the Need to Know | AC-1, AC-2 (b, c), AC-3 (4), AC-4, AC-6, MP-3, RA-2 (a)
Critical Control 16: Account Monitoring and Control | AC-2 (e, f, g, h, j, 2, 3, 4, 5), AC-3
Critical Control 17: Data Loss Prevention | AC-4, MP-2 (2), MP-4 (1), SC-7 (6, 10), SC-9, SC-13, SC-28 (1), SI-4 (4, 11), PM-7
Critical Control 18: Incident Response Capability | IR-1, IR-2 (1), IR-4, IR-5, IR-6 (a), IR-8
Critical Control 19: Secure Network Engineering | IR-4 (2), SA-8, SC-7 (1, 13), SC-20, SC-21, SC-22, PM-7
Critical Control 20: Penetration Tests and Red Team Exercises | CA-2 (1, 2), CA-7 (1, 2), RA-3, RA-5 (4, 9), SA-12 (7)


Appendix B: Attack Types

As described in the Introduction, numerous contributors who are responsible for responding to actual attacks or conducting red team exercises were involved in the creation of this document. The resulting Critical Controls are therefore based on first-hand knowledge of real-world attacks and the associated defenses.

Attack Summary | Most Directly Related Control(s)
--- | ---
Attackers continually scan for new, unprotected systems, including test or experimental systems, and exploit such systems to gain control of them. | 1
Attackers distribute hostile content on Internet-accessible (and sometimes internal) websites that exploit unpatched and improperly secured client software running on victim machines. | 2, 3
Attackers continually scan for vulnerable software and exploit it to gain control of target machines. | 2, 4
Attackers use currently infected or compromised machines to identify and exploit other vulnerable machines across an internal network. | 2, 10
Attackers exploit weak default configurations of systems that are more geared to ease of use than security. | 3, 10
Attackers exploit new vulnerabilities on systems that lack critical patches in organizations that do not know that they are vulnerable because they lack continuous vulnerability assessments and effective remediation. | 4, 5
Attackers compromise target organizations that do not exercise their defenses to determine and continually improve their effectiveness. | 4, 5, 11, 20
Attackers use malicious code to gain and maintain control of target machines, capture sensitive data, and then spread it to other systems, sometimes wielding code that disables or dodges signature-based anti-virus tools. | 5, 15, 17
Attackers scan for remotely accessible services on target systems that are often unneeded for business activities, but provide an avenue of attack and compromise of the organization. | 5, 10, 11
Attackers exploit weak application software, particularly web applications, through attack vectors such as SQL injection, cross-site scripting, and similar tools. | 6, 20
Attackers exploit wireless access points to gain entry into a target organization's internal network, and exploit wireless client systems to steal sensitive information. | 7
Attackers exploit users and system administrators via social engineering scams that work because of a lack of security skills and awareness. | 9, 12, 16
Attackers exploit and infiltrate through network devices whose security configuration has been weakened over time by granting, for specific short-term business needs, supposedly temporary exceptions that are never removed. | 10, 13
Attackers trick a user with an administrator-level account into opening a phishing-style e-mail with an attachment or surfing to the attacker's content on an Internet website, allowing the attacker's malicious code or exploit to run on the victim machine with full administrator privileges. | 9, 12
Attackers exploit boundary systems on Internet-accessible DMZ networks, and then pivot to gain deeper access on internal networks. | 13, 19
Attackers exploit poorly designed network architectures by locating unneeded or unprotected connections, weak filtering, or a lack of separation of important systems or business functions. | 13, 19
Attackers operate undetected for extended periods of time on compromised systems because of a lack of logging and log review. | 14
Attackers gain access to sensitive documents in an organization that does not properly identify and protect sensitive information or separate it from nonsensitive information. | 15, 17
Attackers compromise inactive user accounts left behind by temporary workers, contractors, and former employees, including accounts left behind by the attackers themselves who are former employees. | 16
Attackers escalate their privileges on victim machines by launching password guessing, password cracking, or privilege escalation exploits to gain administrator control of systems, which is then used to propagate to other victim machines across an enterprise. | 12, 16
Attackers gain access to internal enterprise systems and gather and exfiltrate sensitive information without detection by the victim organization. | 17
Attackers compromise systems and alter important data, potentially jeopardizing organizational effectiveness via polluted information. | 15, 17
Attackers operate undiscovered in organizations without effective incident-response capabilities, and when the attackers are discovered, the organizations often cannot properly contain the attack, eradicate the attacker's presence, or recover to a secure production state. | 18

Creative Commons License
This work is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.

To further clarify the Creative Commons license related to the 20 Critical Controls content, (i) All persons are authorized to use the content as a framework in their organization or to sell professional services related to the content (e.g. a consulting engagement to implement the 20 Critical Controls), and (ii) sale of the contents as a framework model is not authorized. Users of the 20 Critical Controls framework are also required to refer to http://www.sans.org/critical-security-controls/ when referring to the 20 Critical Controls in order to ensure that users are employing the most up to date guidance.