World-class instructors teaching today's, critical cyber skills - SANS Online Training

Security Leadership: May 2021 - Live Online

Virtual, US Central | Mon, May 24 - Fri, May 28, 2021

SEC566: Implementing and Auditing CIS Critical Controls New

Mon, May 24 - Fri, May 28, 2021

Associated Certification: GIAC Critical Controls Certification (GCCC)

 Watch a free preview of this course

Course Syllabus  ·  30 CPEs  ·   Lab Requirements
Instructor: Randy Marchany  ·  Price: 6,340 USD

Building and Auditing Critical Security Controls

Cybersecurity attacks are increasing and evolving so rapidly that it is more difficult than ever to prevent and defend against them. In addition to defending their information systems, many organizations find themselves responsible for being compliant with a number of cybersecurity standards and requirements as a prerequisite for doing business. Dozens of cybersecurity standards exist throughout the world and most organizations are responsible for being compliant with more than one such standard. Does your organization have an effective method in place to detect, thwart, and monitor external and internal threats to prevent security breaches?

In February of 2016, then California Attorney General, Vice President Kamala Harris recommended that "the 20 controls in the Center for Internet Security's Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization's environment constitutes a lack of reasonable security."

The CIS Critical Controls are specific security controls that CISOs, CIOs, IGs, systems administrators, and information security personnel can use to manage and measure the effectiveness of their defenses. They are designed to complement existing standards, frameworks, and compliance schemes by prioritizing the most critical threat and highest payoff defenses, while providing a common baseline for action against risks that we all face.

As threats and attack surfaces change and evolve, an organization's security should as well. To enable your organization to stay on top of this ever-changing threat scenario, SANS has designed a comprehensive course on how to implement the CIS Critical Controls, a prioritized, risk-based approach to security. Designed by private and public sector experts from around the world, the CIS Critical Controls are the best way to block known attacks and mitigate damage from successful attacks. They have been adopted by international governments, the U.S. Department of Homeland Security, state governments, universities, and numerous private firms.

This course helps you master specific, proven techniques and tools needed to implement and audit the CIS Controls v8 as documented by the Center for Internet Security (CIS), as well as those defined by NIST SP 800-171 and the Cybersecurity Maturity Model Certification (CMMC). Students will learn how to merge these various standards into a cohesive strategy for defending their organization and being compliant with industry standards.

SANS' in-depth, hands-on training will teach security practitioners to understand not only how to stop a threat, but why the threat exists, and how to ensure that security measures deployed today will be effective against the next generation of threats. SEC566 shows security professionals how to implement the controls in an existing network through cost-effective automation. For auditors, CIOs, and risk officers, this course is the best way to understand how you will measure whether the Controls and other standards are effectively implemented.

THIS COURSE WILL PREPARE YOU TO:

  • Apply a security framework based on actual threats that is measurable, scalable, and reliable in stopping known attacks and protecting organizations' important information and systems
  • Understand the importance of each control, how it is compromised if ignored, and explain the defensive goals that result in quick wins and increased visibility of network and systems
  • Identify and utilize tools that implement controls through automation
  • Learn how to create a scoring tool for measuring the effectiveness of each controls the effectiveness of each control
  • Employ specific metrics to establish a baseline and measure the effectiveness of security controls
  • Understand how critical controls map to standards such as the NIST Cybersecurity Framework, NIST 800-171, CMMC, and more
  • Audit each of the CIS Critical Controls, with specific, proven templates, checklists, and scripts provided to facilitate the audit process

The CIS Controls v8 are listed below. You will find the full document describing them in detail posted at the Center for Internet Security.

CIS CRITICAL CONTROLS

  • CIS Control #1: Inventory and Control of Enterprise Assets
  • CIS Control #2: Inventory and Control of Software Assets
  • CIS Control #3: Data Protection
  • CIS Control #4: Secure Configuration of Enterprise Assets and Software
  • CIS Control #5: Account Management
  • CIS Control #6: Access Control Management
  • CIS Control #7: Continuous Vulnerability Management
  • CIS Control #8: Audit Log Management
  • CIS Control #9: Email and Web Browser Protections
  • CIS Control #10: Malware Defenses
  • CIS Control #11: Data Recovery
  • CIS Control #12: Network Infrastructure Management
  • CIS Control #13: Network Monitoring and Defense
  • CIS Control #14: Security Awareness and Skills Training
  • CIS Control #15: Service Provider Management
  • CIS Control #16: Application Software Security
  • CIS Control #17: Incident Response Management
  • CIS Control #18: Penetration Testing

NOTICE TO STUDENTS

The CIS released version 8 of the Controls in May 2021. This course content is updated to reflect the changes in the CIS Controls, as well as the most recent versions of the NIST SP 800-171 and the Cybersecurity Maturity Model Certification (CMMC).

LAB INFORMATION

During this course, students will have the opportunity to participate in hands-on lab exercises which illustrate the concepts discussed in class. The goal of these labs is to complement and enhance the student?s understanding of the defenses discussed in the course and to provide practical examples of how these controls can be applied in a practical, real-world scenario.

WHAT YOU WILL RECEIVE

  • MP3 audio files of the complete course lecture
  • Printed and Electronic Courseware

ADDITIONAL RESOURCES

WHAT TO TAKE NEXT

Course Syllabus


Randy Marchany
Mon May 24th, 2021
9:00 AM - 5:00 PM CT

Overview

Students will learn the background and context for the CIS Controls v8 as well as the NIST SP 800-171 and Cybersecurity Maturity Model Certification (CMMC). These standards, or control frameworks organize and influence cyber security practices. These controls or safeguards are organized into defensive domains. To understand how these defensive domains interact, students need to first understand building blocks of a cyber security program including the importance of a governance foundation and how to streamline control implementation across multiple frameworks. We will establish a baseline knowledge of key terms used in the defensive domains.

In addition, the following domain will be covered in depth:

Inventory and Control of Enterprise Assets

Any time a new device is installed on a network, the risks of exposing the network to unknown vulnerabilities or hampering its operation are present. Malicious code can take advantage of new hardware that is not configured and patched with appropriate security updates at the time of installation. Attackers can use these vulnerable systems to install backdoors before they are hardened. In automating CIS Control #1, it is critical for all devices to be included in an accurate and up-to-date inventory control system. Any device not in the database should be prohibited from connecting to the network. Some organizations maintain asset inventories by using specific large-scale enterprise commercial products or by using free solutions to periodically track and sweep the network.

Exercises
  • Preparing Student Laptops for Class
  • How to Use the AuditScripts CIS Critical Control Initial Assessment Tool
  • Asset Inventory with Microsoft PowerShell

CPE/CMU Credits: 6

Topics
  • Understanding the CIS Critical Controls
  • Understanding NIST SP 800-171 and CMMC
  • Understanding the Collective Control Catalog
  • Establishing the Governance Foundation of a Security Program
  • CIS Control #1: Inventory and Control of Enterprise Assets


Randy Marchany
Tue May 25th, 2021
9:00 AM - 5:00 PM CT

Overview

During Section 2, the course will begin to cover the defensive domains of data protection, identification and authentication, and access control management., and audit and accountability. Students will learn how identity and access control promote data protection and they will also learn the importance of audit log management.

Data Protection

The loss of protected and sensitive data is a serious threat to business operations consumer privacy, and potentially, national security. While some data is leaked or lost as a result of theft or espionage, the vast majority of these problems result from poorly understood data practices. These include, but are not limited to, a lack of effective policy architectures and user error. The phrase "Data Loss Prevention" (DLP) refers to a comprehensive approach covering people, processes, and systems that identify, monitor, and protect data in use (e.g., endpoint actions), data in motion (e.g., network actions), and data at rest (e.g., data storage) through deep content inspection and with a centralized management framework. Commercial DLP solutions are available to look for exfiltration attempts and detect other suspicious activities associated with a protected network holding sensitive information. The system must be capable of identifying unauthorized datum leaving the organization's systems whether via network file transfers or removable media.

Account Management

The most common method attackers use to infiltrate a target enterprise is through a misuse of account privileges ? whether those of a normal business user or privileged account. An attacker can easily convince a workstation user to open a malicious e-mail attachment, download and open a file from a malicious site, or surf to a site that automatically downloads malicious content. If the user is logged in as an administrator, the attacker has full access to the system. Built-in operating system features can extract lists of accounts with super-user privileges, both locally on individual systems and on overall domain controllers. These accounts should be monitored and tracked very closely.

Access Control Management

Some organizations do not carefully identify and separate sensitive data from less sensitive, publicly available information within an internal network. In many environments, internal users have access to all or most of the information on the network. Once attackers have penetrated such a network, they can easily find and exfiltrate important information with little resistance. This control is often implemented using the built-in separation of administrator accounts from non-administrator accounts. The system must be able to detect all attempts by users to access files without the appropriate privileges and must generate an alert or e-mail for administrative personnel. This includes information on local systems or network accessible file shares.

Audit Log Management

At times, audit logs provide the only evidence of a successful attack. Many organizations keep audit records for compliance purposes but rarely review them. When audit logs are not reviewed, organizations do not know their systems have been compromised. Attackers rely on this. Most free and commercial operating systems, network services, and firewall technologies offer logging capabilities. Such logging should be activated, and logs should be sent to centralized logging servers. The system must be capable of logging all events across the network. The logging must be validated across both network and host-based systems.

Exercises
  • How to Use Veracrypt to Encrypt Data at Rest
  • How to Use Mimikatz to Abuse Privileged Access
  • Understanding Windows Management Instrumentation (WMI) for Baselining

CPE/CMU Credits: 6

Topics
  • CIS Control #3: Data Protection
  • CIS Control #5: Account Management
  • CIS Control #6: Access Control Management
  • CIS Control #8: Audit Log Management


Randy Marchany
Wed May 26th, 2021
9:00 AM - 5:00 PM CT

Overview

During Section 3 , the course will cover the defensive domains of configuration management, system and software integrity, vulnerability management, and physical protection. Specifically during this section of the course, students will learn the following defensive domains:

Inventory and Control of Software Assets

An organization without the ability to inventory and control its computers' installed programs has more vulnerable systems and is more likely to be attacked. Furthermore, poorly managed machines are more likely to be outdated and needless software that introduces potential security flaws. Compromised systems become a staging point for attackers to collect sensitive information. In order to combat this threat, an organization should scan its network and identify known or responding applications. Commercial software and asset inventory tools are widely available. The best tools provide an inventory check of hundreds of common applications, pulling information about the patch level of each installed program. This ensures that leverages standardized application names, like those found in the Common Platform Enumeration (CPE) specification as well as it is the latest version. In addition to inventory checks, tools that implement whitelists (allow) and blacklists (deny) of programs are included in many modern end-point protection security suites.

Continuous Vulnerability Management

Soon after security researchers and vendors discover and report new vulnerabilities , attackers create or update exploit code and launch it against targets of interest. Any significant delays finding or fixing software with critical vulnerabilities provides ample opportunity for persistent attackers to break through and gain control of vulnerable machines. A large number of vulnerability scanning tools are available to evaluate the security configuration of systems. The most effective vulnerability scanning tools compare the results of the current scan with previous scans to determine how the vulnerabilities in the environment have changed over time. All machines identified by the asset inventory system must be scanned for vulnerabilities.

Secure Configuration of Enterprise Assets and Software

Default configurations of software are often geared to ease-of-deployment and ease-of-use and not security, leaving some systems exploitable in their default state. Attackers attempt to exploit both network-accessible services and client software using various forms of malware. Without the ability to inventory and control installed and running, enterprises make their systems more vulnerable. Organizations can implement this control by developing a series of images and secure storage servers for hosting these standard images. Configuration management tools can be employed to measure the settings of the installed software and to look for deviations from the standard image configurations used by the organization.

Physical Protection Controls (800-171 & CMMC)

Physical security used to be limited to controlling access to an organization?s buildings and data centers, but now physical protections also involve restricting access to systems, mobile devices, removable media, and limiting data access to authorized individuals. Physical security includes additional requirements such as identifying, escorting, and monitoring visitors, clean desk protocols, and maintaining logs of physical access to facilitates and data centers.

Exercises
  • How to Use Microsoft AppLocker to Enforce Application Control
  • Using PowerShell to Test for Software Updates
  • How to Use the CIS-CAT Tool to Audit Configurations
  • How to Parse Nmap Output with PowerShell

CPE/CMU Credits: 6

Topics
  • CIS Control #2: Inventory and Control of Software Assets
  • CIS Control #7: Continuous Vulnerability Management
  • CIS Control #4: Secure Configuration of Enterprise Assets and Software
  • Physical Security Controls (800-171 & CMMC)

Randy Marchany
Thu May 27th, 2021
9:00 AM - 5:00 PM CT

Overview

During Section 4, the course will cover the defensive domains of system integrity, system and communications protection, configuration management, and media protection. Specifically, during this section of the course, students will learn the following cybersecurity controls: email and browser protections, endpoint detection and response, data recovery, and network device management

Email and Web Browser Protections

Web browsers and email clients are very common points of entry and attack because of their high technical complexity and flexibility, and their direct interaction with users and within the other systems and websites. Content can be crafted to entice of spoof users into taking actions that greatly increase risk and allow introduction of malicious code, loss of valuable data, and other attacks. Organizations must minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.

Malware Defenses

Malicious software is an integral and dangerous aspect of internet threats because it targets end users and organizations via Web browsing, e-mail attachments, mobile devices, and other vectors. Malicious code may tamper with a system's components, capture sensitive data, and spread infected code to other systems. To ensure anti-virus signatures are up-to-date, effective organizations use automation. They use the built-in administrative features of enterprise endpoint security suites to verify that anti-virus, anti-spyware, and host-based Intrusion Detection Systems (IDS) features are active on every managed system. They also run automated assessments daily and review the results to find and mitigate systems that have deactivated such protections or do not have the latest malware definitions. The system must identify any malicious software that is either installed, attempted to be installed, executed, or attempted to be executed, on a computer system.

Data Recovery

When attackers compromise machines, they often make significant changes to configurations and software. Sometimes attackers also make subtle alterations of data stored on compromised machines, potentially jeopardizing organizational effectiveness with polluted information. Once per quarter, a testing team should evaluate a random sample of system backups by attempting to restore them onto a test bed environment. The restored systems should be verified to ensure that the operating system, application, and data from the backup are all intact and functional.

Network Infrastructure Management

Attackers penetrate defenses by searching for electronic holes and misconfigurations in firewalls, routers, and switches. Once these network devices have been exploited, attackers can gain access to target networks, redirect traffic to a malicious system masquerading as a trusted system, and intercept and alter data while in transmission. Organizations can use commercial tools that will evaluate the rule set of network filtering devices, which determine whether they are consistent or in conflict and provide an automated check of network filters. Additionally, these commercial tools search for errors in rule sets. Such tools should be run each time significant changes are made to firewall rule sets, router ACLs, or other filtering technologies.

Network Monitoring and Defense

By attacking internet-facing systems, attackers can create a relay point or bridgehead to break into other networks or internal systems. Automated tools can be used to exploit vulnerable entry points into a network. To control the flow of traffic through network borders and to look for attacks and evidence of compromised machines, boundary defenses should be multi-layered. These boundaries should consist of firewalls, proxies, DMZ perimeter networks, and network-based intrusion prevention systems and intrusion detection systems. Organizations should regularly test these sensors by launching vulnerability-scanning tools. These tools verify that the scanner traffic triggers an appropriate alert. The captured packets of the Intrusion Detection Systems (IDS) sensors should be reviewed using an automated script each day, which ensures log volumes are within expected parameters, are formatted properly, and have not been corrupted.

Exercises
  • How to Use GoPhish to Performing Phishing Assessments
  • How to Use Nipper to Audit Network Device Configurations
  • How to Use Wireshark to Detect Malicious Activity

CPE/CMU Credits: 6

Topics
  • CIS Control #9: Email and Web Browser Protections
  • CIS Control #10: Malware Defenses
  • CIS Control #11: Data Recovery
  • CIS Control #12: Network Infrastructure Management
  • CIS Control #13: Network Monitoring and Defense

Randy Marchany
Fri May 28th, 2021
9:00 AM - 5:00 PM CT

Overview

During Section 5 of the course, we will cover the defensive domains of security awareness , service provider management, application development security, incident management, and penetration testing. Specifically during this section of the course, students will learn the following cybersecurity domains:

Security Awareness and Skills Training

An organization hoping to find and respond to attacks effectively relies on its employees and contractors to find the gaps and fill them. A solid security skills assessment program can provide actionable information to decision makers about where security awareness needs to be improved. It can also help determine proper allocation of limited resources to improve security practices. The key to upgrading skills is measurement, not with certification examinations, but with assessments that show both the employee and the employer where knowledge is sufficient and where there are gaps. Once the gaps have been identified, those employees who have the requisite knowledge can be called upon to mentor the employees who do not. The organization can also develop training programs that directly maintain employee readiness.

Service Provider Management

More and more organizations use third party service providers to supplement their technology needs or services. Examples of service providers include outsourced consultants, IT providers, payroll providers, electronic billing providers, manufacturers, and more. Third parties can introduce additional risks to an organization?s security posture through remote connections, business to business networks, and sharing and processing data.

Application Software Security

Criminal organizations frequently attack vulnerabilities in both web-based and non-web-based application software. In fact, it is a top priority for criminals. Application software is vulnerable to remote compromise in three ways:

  • It does not properly check the size of user input
  • It fails to sanitize user input by filtering out potentially malicious character sequences
  • It does not initialize and clear variables properly

To avoid attacks, internally developed and third party application software must be carefully tested to find security flaws. Source code testing tools, web application security scanning tools, and object code testing tools have proven useful in securing application software. Another useful tool is manual application security penetration testing by testers who have extensive programming knowledge and application penetration testing expertise. The system must be capable of detecting and blocking an application-level software attack, and must generate an alert or send e-mail to enterprise administrative personnel.

Incident Response Management

Without an incident response plan, an organization may not discover an attack in the first place. Even if the attack is detected, the organization may not follow proper procedures to contain damage, eradicate the attacker's presence, and recover in a secure fashion. Thus, the attacker may have far higher impact on the target organization, causing more damage, infecting more systems, and possibly exfiltrating more sensitive data than would otherwise be possible. After defining detailed incident response procedures, the incident response team should engage in periodic scenario-based training. This includes, but is not limited to, working through a series of attack scenarios that are fine-tuned to the threats and vulnerabilities the organization faces.

Penetration Testing

Attackers penetrate networks and systems through social engineering and by exploiting vulnerable software and hardware. Penetration testing involves mimicking the actions of computer attackers, and exploiting them to determine what kind of access an attacker can gain. Each organization should define a clear scope and the rules of engagement for penetration testing and red team analyses. The scope of such projects should include, at least, systems with the highest value information and production processing functionality.

CPE/CMU Credits: 6

Topics
  • CIS Control #14: Security Awareness and Skills Training
  • CIS Control #15: Service Provider Management
  • CIS Control #16: Application Software Security
  • CIS Control #17: Incident Response Management
  • CIS Control #18: Penetration Testing

Additional Information

Important! Bring your own system configured according to these instructions!

We ask that you do 5 things to prepare prior to class start. This early preparation will allow you to get the most out of your training. One of those five steps is ensuring that you bring a properly configured system to class. This document details the required system hardware and software configuration for your class. You can also watch a series of short videos on these topics at the following web link https://sansurl.com/sans-setup-videos.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

SANS courses consist of instruction and hands-on sessions. The hands-on sessions are designed to allow students to utilize the knowledge gained throughout the course in an instructor-led environment. Students will have the opportunity to install, configure, and use the tools and techniques that they have learned.

Requirement #1: Bring a Properly Configured Laptop to Class

Students attending this course are required to bring a laptop computer in order to complete the exercises in class. Please make sure you bring a computer that meets the following requirements and that it is properly configured. There is not enough time in class to help you install your computer. Please note that your computer must be properly installed and configured before you come to class so you can get the most from the class. Please do not bring a regular production computer for this class! When installing software, there is always a chance of breaking something else on the system. Students should assume the worst and that all data could be lost.

Requirement #2: Laptop Hardware Requirements

In order to complete the in-class activities, please ensure the laptop that you bring to class is configured with at least the following hardware:

  • 8 GB of hardware memory
  • 64-bit processor
  • 64 GB free disk space (at least)
  • Wireless (802.11) network adapter
  • USB ports (not restricted)
  • BIOS / processor support for virtualization*

*Please verify that virtualization is supported on your laptop prior to coming to class. More information on how to do so can be found at https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1003944.

Prior to coming to class, please ensure that the network interfaces are tested to prove that they can be configured and that all of the proper drivers have been installed.

Requirement #3: Laptop Operating System Requirements

In order to complete the in class activities, please ensure the laptop that you bring to class is configured with at least the following operating system or configurations:

  • Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below.
  • Students must be local administrator of this host operating system
  • Students must know all BIOS or other passwords used on the system
  • No Group Policy Objects (GPOs) or other similar OS restrictions should be in place, ideally this laptop should not be a member of any domain prior to class.

Apple Mac OSX machines may be brought, however all lab activities assume that the host operating system is Microsoft Windows based. Students will need to be confident reconfiguring and administering their own system if they bring a laptop running any OS other than Microsoft Windows noted above.

Requirement #4: Laptop Software Requirements

In order to complete the in class activities, please ensure the laptop that you bring to class is configured with at least the following software or configurations:

  • Microsoft Office 2010 (or later) installed and licensed on the laptop
  • Download and install either VMware Workstation Pro 15.5.x, VMware Player 15.5.x or Fusion 11.5.x or higher versions before class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.
  • Other virtualization software, such as VirtualBox and Hyper-V, are not appropriate because of compatibility and troubleshooting problems you might encounter during class.
  • VMware Workstation Pro and VMware Player on Windows 10 is not compatible with Windows 10 Credential Guard and Device Guard technologies. Please disable these capabilities for the duration of the class, if they're enabled on your system, by following instructions in this document.

Our hope is that by following these simple instructions you will be able to make the most of your classroom experience.

Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

  • Information Assurance Auditors
  • System Implementers or Administrators
  • Network Security Engineers
  • IT Administrators
  • Department of Defense (DoD) personnel or contractors
  • Federal agencies or clients
  • Private sector organizations looking to improve information assurance processes and secure their systems
  • Security vendors and consulting groups looking to stay current with frameworks for information assurance
  • Alumni of
    • SEC440: CIS Critical Controls: A Practical Introduction
    • MGT516: Managing Security Vulnerabilities: Enterprise and Cloud
    • MGT551: Building and Leading Security Operations Centers
    • MGT512: Security Leadership Essentials For Managers
    • SEC401: SANS Security Essentials Bootcamp Style
    • SEC501: Advanced Security Essentials - Enterprise Defender

"A comprehensive walk through of the Critical Security Controls, not just focusing on the 'what', but more importantly the 'why'. Its been an invaluable learning experience for me." - Justin Cornell, LOM (UK) Limited

Author Statement

"Even though of cybersecurity professionals like us have been working in this industry for more than twenty years, there are days when we wonder if our profession as a whole is getting better or worse at providing clear guidance to organizations that want to defined their information systems. An online search for cybersecurity standards will yield dozens of possible documents, which all tell their readers that their approach is the one best suited to defend them against the myriad of threats facing them today. When each of these documents gives conflicting or vague advise, how is an organization to know what they should practically do to defend their organizations?

In this course, SANS SEC566: Implementing and Auditing the CIS Critical Controls, we are going are going to solve that problem. In preparation for writing this course we have analyzed all of the most popular cybersecurity standards in order to better understand the common cybersecurity controls that should be considered cybersecurity hygiene principles. While we have considered dozens of control libraries in order to prepare for this course, we will focus on those with the potential to provide the most meaningful impact to organizations today. Using the Center for Internet Security's Critical Controls, NIST SP 800-171, and the Cybersecurity Maturity Model Certification (CMMC), this course will provide students with an understanding of a prioritized set of cybersecurity defenses that can help organizations actually defend their information systems. And personally, we hope to cut through the confusion to provide students with a clear and concise view of what they can do to be successful in this endeavor."

- James Tarala and Kelli K. Tarala

"Loved this course. It provides a method of measuring your security posture and applying the concept to any organization." - John M., US Military