The updates to the 20 Critical Controls focused on the following areas:
The strategies, methods, and means attackers use to compromise computer systems are constantly changing. With the rise of the advanced persistent threat, traditional defensive measures are not as effective. The 20 Critical Controls has been updated to better address and defend against the new threats aggressively compromising systems today.
To that end, the 20 Critical Controls feature an updated Introduction, laying out the current threat landscape and methods attackers use to break into systems. For example, DNS and infrastr Biotics Research A.D.P. ucture attacks have increased as a point of targeted attacks. Pivot points are also being used more by attackers as a way to penetrate deeper into organizations. Finally, data driven attacks are also becoming the primary focus of the sophisticated adversary.
A key defensive component is the ability to test and validate automatically whether current security measures are working and proactively remediate vulnerabilities in a timely manner. Continuous monitoring is a critical component of successful defensive mechanisms.
While the original 20 main controls are robust and remain valid, some of the sub-controls needed to be updated to reflect the changing threat. First, based on changes in technology and advances in typical organizations' security capabilities, many of the sub-controls are still valid, but the category they were originally listed under has changed. For example, some items that were previously categorized as "advanced" are now considered "config/hygiene", representing advances in security capabilities organizations should be making. Second, new technologies are available that were not previously considered robust, so those improved technologies have been added as additional measures for each control.
Under each of the main controls, each of the sub-controls has been updated to reflect changes in technology. In most cases, the "advanced" and "config/hygiene" sub-controls had the biggest changes. For example, both Network Access Control (NAC) and 802.1x have been added to Critical Control 1: Inventory of Authorized and Unauthorized Devices. In addition, Data Loss Prevention (DLP) has been added to Critical Control 9: Controlled Access Based on Need to Know.
A big push over the last few years has been defining concrete advice on how to implement the controls and which tools or sensors can be used to measure their effectiveness. In order to help organizations understand possible solutions for implementing the controls, recommendations for sensors have been added that identify the key requirements that are needed for a given solution. In addition to the sensor information, the new version of the controls feature a section on how to measure the effectiveness of a tool and how to create an overall score for the organization. Each of these changes is described in a sensor, measurement, and scoring section added as the last component of each control.
The following are sample sensors, measurement, and scoring descriptions for Critical Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers:
Sensor: File integrity software
Measurement: File integrity monitoring software is deployed on servers as a part of the base configuration. Centralized solutions are preferred over stand-alone solutions.
Score: 50 percent awarded for using a solution with a central monitoring/reporting component. The remaining 50 percent is based on the percentage of servers on which the solution is deployed.
Sensor: Standard images
Measurement: Standard images for the installation of systems have been created based on an accepted security standard published by organizations such as CIS, NSA, DISA and others.
Sensor: Network-based image deployment system
Measurement: Computers are built from secured masters pushed out by image servers.
Score: Percentage of systems built from and potentially managed by the solution.
As more organizations focus on security, new, more effective defensive approaches are being created. To show the robustness of the controls, the 20 Critical Controls are being mapped to these new approaches to security. After the NIST mapping already included in the Critical Controls, a new section called Associated National Security Agency Manageable Network Plan (MNP) Revision 2.0 Milestones has been added for each control.
For example, the following are the MNP's for Critical Control 12: Malware Defenses
Milestone 6: Patch Management
Virus Scanners and Host Intrusion Prevention System
Portable Electronic Device Management
Network Access Protection (NAP)/Network Access Control (NAC)