The updates to the 20 Critical Controls focused on the following areas:
The strategies, methods, and means attackers use to compromise computer systems are constantly changing. With the rise of the advanced persistent threat, traditional defensive measures are not as effective. The 20 Critical Controls has been updated to better address and defend against the new threats aggressively compromising systems today.
To that end, the 20 Critical Controls feature an updated Introduction, laying out the current threat landscape and the methods attackers use to break into systems. For example, DNS and infrastructure attacks have increased as a point of targeted attacks. Pivot points are also being used more by attackers as a way to penetrate deeper into organizations. Finally, data-driven attacks are also becoming the primary focus of the sophisticated adversary.
A key defensive component is the ability to test and validate automatically whether current security measures are working and proactively remediate vulnerabilities in a timely manner. Continuous monitoring is a critical component of successful defensive mechanisms.
While the original 20 main controls are robust and remain valid, some of the sub-controls needed to be updated to reflect the changing threat. First, based on changes in technology and advances in typical organizations' security capabilities, many of the sub-controls are still valid, but the category they were originally listed under has changed. For example, some items that were previously categorized as "advanced" are now considered "config/hygiene", representing advances in security capabilities organizations should be making. Second, new technologies are available that were not previously considered robust, so those improved technologies have been added as additional measures for each control.
Under each of the main controls, each of the sub-controls has been updated to reflect changes in technology. In most cases, the "advanced" and "config/hygiene" sub-controls had the biggest changes. For example, both Network Access Control (NAC) and 802.1x have been added to Critical Control 1: Inventory of Authorized and Unauthorized Devices. In addition, Data Loss Prevention (DLP) has been added to Critical Control 9: Controlled Access Based on Need to Know.
A big push over the last few years has been defining concrete advice on how to implement the controls and which tools or sensors can be used to measure their effectiveness. In order to help organizations understand possible solutions for implementing the controls, recommendations for sensors have been added that identify the key requirements needed for a given solution. In addition to the sensor information, the new version of the controls features a section on how to measure the effectiveness of a tool and how to create an overall score for the organization. Each of these changes is described in a sensor, measurement, and scoring section added as the last component of each control.
The following are sample sensors, measurement, and scoring descriptions for Critical Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers:
Sensor: File integrity software
Measurement: File integrity monitoring software is deployed on servers as a part of the base configuration. Centralized solutions are preferred over stand-alone solutions.
Score: 50 percent awarded for using a solution with a central monitoring/reporting component. The remaining 50 percent is based on the percentage of servers on which the solution is deployed.
Sensor: Standard images
Measurement: Standard images for the installation of systems have been created based on an accepted security standard published by organizations such as CIS, NSA, DISA and others.
Score: Pass/Fail
Sensor: Network-based image deployment system
Measurement: Computers are built from secured masters pushed out by image servers.
Score: Percentage of systems built from and potentially managed by the solution.
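As an added illustration of the three sample sensors above (not part of the Critical Controls document itself), the following Python turns each measurement and scoring rule into a function and runs them over a constructed server inventory; the set of accepted benchmark publishers and the sample servers are assumptions made for the example.

```python
# Added example: scoring the three sample sensors for Critical Control 3.
from dataclasses import dataclass

@dataclass
class Server:
    name: str
    fim_deployed: bool       # file integrity monitoring agent installed
    built_from_image: bool   # built from a secured master via the image server

# Publishers the page names; treating exactly this set as "accepted" is an assumption.
ACCEPTED_BASELINES = {"CIS", "NSA", "DISA"}

def fim_score(servers, central_reporting):
    """Sensor 1: 50 points for a central monitoring/reporting component, the
    remaining 50 scaled by the fraction of servers with the agent deployed."""
    if not servers:                      # empty inventory: nothing to award
        return 0.0
    deployed = sum(1 for s in servers if s.fim_deployed)
    return (50.0 if central_reporting else 0.0) + 50.0 * deployed / len(servers)

def standard_image_score(baseline):
    """Sensor 2: pass/fail on whether the build image follows a published standard."""
    return "Pass" if baseline and baseline.strip().upper() in ACCEPTED_BASELINES else "Fail"

def image_deployment_score(servers):
    """Sensor 3: percentage of systems built from the image deployment system."""
    if not servers:
        return 0.0
    return 100.0 * sum(1 for s in servers if s.built_from_image) / len(servers)

def control3_report(servers, central_reporting, baseline):
    """Collect the three sensor results for the control in one dictionary."""
    return {
        "file_integrity": fim_score(servers, central_reporting),
        "standard_images": standard_image_score(baseline),
        "image_deployment_pct": image_deployment_score(servers),
    }

# Constructed sample inventory: 4 servers, 3 running FIM, 2 built from the image server.
SAMPLE_SERVERS = [
    Server("web-01", fim_deployed=True, built_from_image=True),
    Server("web-02", fim_deployed=True, built_from_image=True),
    Server("db-01", fim_deployed=True, built_from_image=False),
    Server("legacy-01", fim_deployed=False, built_from_image=False),
]

if __name__ == "__main__":
    print(control3_report(SAMPLE_SERVERS, central_reporting=True, baseline="CIS"))
```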
As more organizations focus on security, new, more effective defensive approaches are being created. To show the robustness of the controls, the 20 Critical Controls are being mapped to these new approaches to security. After the NIST mapping already included in the Critical Controls, a new section called Associated National Security Agency Manageable Network Plan (MNP) Revision 2.0 Milestones has been added for each control.
For example, the following are the MNP milestones for Critical Control 12: Malware Defenses:
Milestone 6: Patch Management
Virus Scanners and Host Intrusion Prevention System
Portable Electronic Device Management
Network Access Protection (NAP)/Network Access Control (NAC)