iPad Air 2, Samsung Galaxy Tab A, or $350 Off with SANS Online Training Right Now!

Reading Room

SANS eNewsletters

Receive the latest security threats, vulnerabilities, and news with expert commentary

Critical Controls

Featuring 36 Papers as of November 14, 2016

  • Auditing Windows installed software through command line scripts by Jonathan Risto - November 14, 2016 

    The 20 Critical Controls provides guidance on managing and securing our networks. The second control states there should be a software inventory of the products for all devices within the infrastructure. Within this paper, the auditor will be enabled to compare Windows system baseline information against the currently installed software configuration. Command line tools utilized will be discussed and scripts provided to simplify and automate these tasks.


  • Reducing Attack Surface: SANS’ Second Survey on Continuous Monitoring Programs Analyst Paper
    by Barbara Filkins - November 14, 2016 

    Continuous monitoring is not a single activity. Rather, it is a set of activities, tools and processes (asset and configuration management, host and network inventories, and continuous vulnerability scanning) that must be integrated and automated all the way down to the remediation workflow. Although CM is shifting focus and slowly improving, it still has a way to go to attain the maturity needed to become a critical part of an organization’s business strategy.


  • Triaging the Enterprise for Application Security Assessments by Stephen Deck - November 4, 2016 

    Conducting a full array of security tests on all applications in an enterprise may be infeasible due to both time and cost. According to the Center for Internet Security, the purpose of application specific and penetration testing is to discover previously unknown vulnerabilities and security gaps within the enterprise. These activities are only warranted after an organization attains significant security maturity, which results in a large backlog of systems that need testing. When organizations finally undertake the efforts of penetration testing and application security, it can be difficult to choose where to begin. Computing environments are often filled with hundreds or thousands of different systems to test and each test can be long and costly. At this point in the testing process, little information is available about an application beyond the computers involved, the owners, data classification, and the extent to which the system is exposed. With so few variables, many systems are likely to have equal priority. This paper suggests a battery of technical checks that testers can quickly perform to stratify the vast array of applications that exist in the enterprise ecosystem. This process allows the security team to focus efforts on the riskiest systems first.


  • Security Intelligence and the Critical Security Controls v6 Analyst Paper
    by G. W. Ray Davidson, PhD - September 29, 2016 

    Security data is everywhere—in our logs, feeds from security devices (IDS/IPS/ rewalls, whitelists, etc.), network and endpoint systems, anomaly reports, access records, network tra c data, security incident and event monitoring (SIEM) systems, and even in applications hosted in the cloud. All of this data—and the processes that use them— combine to form an organization’s security intelligence ecosystem. The major challenge of managing this ecosystem of security data is tying all these bits of data together and automating their correlation and use, with the goal of faster detection, prevention, continued security improvement and ultimately, reduced risk.1 The key to success is through automation and integration, according to the CIS Critical Security Controls, which is now in version 6.


  • Practical Considerations on IT Outsourcing Implementation under the Monetary Authority of Singapore’s Technology Risk Management Guidelines Masters
    by Andre Shori - September 19, 2016 

    Singapore ranks third overall in the Global Financial Centres Index. The Monetary Authority of Singapore (MAS), Singapore’s central bank, has helped to achieve this success through guidance and regulation of the financial industry including how to conduct themselves in a secure and reliable manner. The Technology Risk Management Guidelines (TRM) are both a cyber philosophy and a set of regulatory requirements for financial institutions to address existing and emerging technological risks. However, successful implementation of TRM can be challenging from a practical standpoint for today’s Cybersecurity Managers. TRM’s Management of IT Outsourcing Risk is a key focus area which encompasses many of the principles and requirements promoted throughout the Guideline. By utilizing threat based, hierarchical measures such as those advocated by the Centre of Internet Security, Cybersecurity Managers can adhere to the Spirit of the Guidelines while implementing effective operational cybersecurity and safe Vendor integration.


  • Know Thy Network - Cisco Firepower and Critical Security Controls 1 & 2 Masters
    by Ryan Firth - September 19, 2016 

    Previously known as the SANS Top 20, the Critical Security Controls are based on real-world attack and security breach data from around the world, and are objectively the most effective technical controls against known cyber-attacks. Due to competing priorities and demands, however, organizations may not have the expertise to figure out how to implement and operationalize the Critical Security Controls in their environments. This paper will help bridge that gap for security and network teams using Cisco Firepower.


  • Automating Provisioning of NetFlow Analyzers Masters
    by Sumesh Shivdas - September 14, 2016 

    NetFlow is an embedded instrumentation within Cisco IOS software (Introduction to Cisco IOS NetFlow). NetFlow tracks every network conversation and thus provides insight into the network traffic. Third party NetFlow analyzers are available to store, analyze, alert and report on the NetFlow data. NetFlow analyzers allow users to create custom alerts and reports based on the network traffic. To maximize the benefits from custom alerting and reporting the analyzers must be configured with details of the network environment. Manual configuration of the analyzer can soon be out of sync with the actual setup thus creating false negatives and false positives. This paper proposes an option to automate the configuration of the NetFlow analyzer from a central repository.


  • Windows Installed Software Inventory by Jonathan Risto - September 7, 2016 

    The 20 Critical Controls provide a guideline for the controls that need to be placed in our networks to manage and secure our systems. The second control states there should be a software inventory that contains the names and versions of the products for all devices within the infrastructure. The challenge for a large number of organizations is the ability to have accurate information available with minimal impact on tight IT budgets. This paper will discuss the Microsoft Windows command line tools that will gather this information, and provide example scripts that can be run by the reader.


  • Applying Machine Learning Techniques to Measure Critical Security Controls by Balaji Balakrishnan - September 6, 2016 

    Implementing and measuring Critical Security Controls (CSC) requires analyzing all data types (structured, semi-structured and unstructured). This implementation can be a daunting task. One of the goals of effective implementation of Critical Security Controls is to automate as much as possible. Machine learning techniques can help automate many of the measurements in Critical Security Controls. This paper proposes a method to integrate all types of data into a single data repository, extract relationships between different entities and perform machine learning to automate the analysis. This solution provides the security team the ability to analyze the information, and make data-driven security decisions.


  • Android Security: Web Browsers and Email Applications by Marsha Miller - August 29, 2016 

    Mobile devices are popular communication tools that allow people to stay connected in most places at all times. Despite the varied proliferation of applications that can be installed on smartphones and tablets, web browsers and email applications are default applications that remain highly vulnerable if not properly addressed. This paper will compare several different mobile versions of these applications and use the E-mail and Web Browser Protections critical control to suggest ways to secure these end points.


  • Simple Approach to Access Control: Port Control and MAC Filtering by Bill Knaffl - August 22, 2016 

    Many times businesses will spend time and money on "Magic Bullet" security and focus on a single technology or threat. This focus can lend itself more towards placing a "check in the box" for compliance rather than on actual security and facing today's threats. Frequently, missing controls can have a cascading effect where because one control was missing or inadequate, other failures occur turning a minor problem into a breach. This paper approaches one such incident, calls out which control was identified as the primary failure and offers an evaluation of a specific tool that could have helped prevent this attack. It covers not only the cost of the tool and the time to implement but discusses other costs such as training, monitoring, maintenance, user impact and offers a guide for a successful implementation.


  • Implementing the Critical Security Control: Controlled Use of Administrative Privileges by Paul Ackerman - July 25, 2016 

    There is a plethora of information available to help organizations protect their cyber assets.


  • How to Target Critical Infrastructure: The Adversary Return on Investment from an Industrial Control System Masters
    by Matthew Hosburgh - July 12, 2016 

    Imagine a device that could decrypt all encryption—within seconds. A box with this capability could be one of the most valuable pieces of equipment for an organization, but even more valuable to an adversary. What if that box only worked against American encryption? If true, a particular market would be ripe for the harvest. A device that powerful could be used to decrypt secrets and data in transit, making encrypted data an adversary might have access to, extremely valuable. Similarly, Critical Infrastructure is a target for some because of the yield that a successful attack could result in. Death, disruption or damage is a real possibility. The Return on Investment (ROI) and Return on Security Investment (ROSI) fall short in actually determining the level of protection required for an organization striving to protect the most sensitive data or system. The Adversary Return on Investment (AROI) is the missing piece to the equation. From the adversary’s vantage point, data, infrastructure or systems have value. By understanding this value an organization can more appropriately align its security strategy; especially, for the most critical infrastructure.


  • Critical Security Controls: Software Designed Inventory, Configuration, and Governance Masters
    by Lenny Rollison - May 24, 2016 

    The events of September 11, 2001, show us how isolated communication and the inability to share intelligence could paralyze decision making (Johnston, 2003).


  • Managing Accepted Vulnerabilities Masters
    by Tracy Brockman - May 20, 2016 

    Every day a new vulnerability is discovered in a piece of code or software and shortly afterwards the news of a new virus, malware, or hack is being used to exploit the vulnerability.


  • Case Study: How CIS Controls Can Limit the Cascading Failures During an Attack Masters
    by Bill Knaffl - May 3, 2016 

    Every day it seems that new information becomes public about the latest data breach.


  • Methods for Understanding and Reducing Social Engineering Attacks Masters
    by Michael Alexander - May 3, 2016 

    Social engineering is arguably the easiest way for an attacker to penetrate the defenses of an organization.


  • Methods for Understanding and Reducing Social Engineering Attacks Masters
    by Michael Alexander - May 3, 2016 

    Social engineering is arguably the easiest way for an attacker to penetrate the defenses of an organization.


  • Creating a Secure and Compliant Digital Forensics and Incident Response Network with Remote Access Masters
    by Scott Perry - April 29, 2016 

    News stories involving data breaches, cybercrime, and conversely, crimes solved with digital forensics, are becoming daily occurrences.


  • The Automotive Top 5: Applying the Critical Controls to the Modern Automobile Masters
    by Roderick Currie - April 4, 2016 

    The car of today is an inherently vulnerable platform. At its core is a computing architecture from the 1980s which was designed to be lightweight and efficient, with very little thought given to security. As the modern automobile becomes increasingly connected, its attack surface only continues to grow. In the wake of several recent high- profile car hacking demonstrations, automakers face the daunting task of trying to lock down this insecure platform with bolt-on security fixes. This paper proposes a plausible strategy for securing modern automotive systems which takes into account some of the key limitations of the automobile industry, in addition to presenting a methodology for applying the Critical Controls to the modern automobile platform.


  • Leading Effective Cybersecurity with the Critical Security Controls Masters
    by Wes Whitteker - March 8, 2016 

    Cybersecurity is a domain where organizations need to be right all the time and a bad actor needs to be right once.


  • Tracing the Lineage of DarkSeoul Masters
    by David Martin - March 4, 2016 

    The highly publicized 2014 cyber-attack on Sony brought the threat of cyberwarfare, broadly defined as destructive cyber-attacks launched by one nation state against another, to the attention of the American public.


  • Implementing the Critical Security Controls in the Cloud Masters
    by Jon Mark Allen - February 10, 2016 

    Amazon refers to cloud computing as “the on-demand delivery of IT resources and applications via the Internet with pay-as-you-go pricing” (Amazon Web Services, 2015).


  • The Case for Endpoint Visibility Masters
    by Robert Mier - February 10, 2016 

    On February 12, 2013 President Barack Obama issued executive order Improving Critical Infrastructure Cybersecurity, thus, recognizing the “Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity.”


  • Budgeting for the Critical Security Controls Masters
    by Paul Hershberger - January 20, 2016 

    In 2008, the National Security Agency (NSA) initiated an effort to prioritize the controls within the multiple frameworks to identify a manageable set of controls that are effective in implementing a Cybersecurity program with an "offense must inform defense" approach designed to directly address how attacks happen.


  • An Organic Approach to Implementing the Critical Security Controls Masters
    by Jim Hendrick - January 12, 2016 

    The Critical Security Controls (CSCs) describe a set of specific actions designed to improve an organization’s ability to resist or recover from information security incidents ("CIS critical security controls," 2015).


  • The Nightmare on Cryptville Street: 20 Pills for a Night of Sleep Masters
    by Oleg Bogomolniy - January 12, 2016 

    According to Center for Strategic and International Studies, by the year 2014, cybercrime has grown into its own $400+ billion industry and has plenty of room for growing potential (2014).


  • Cybersecurity Inventory at Home Masters
    by Glen Roberts - January 7, 2016 

    Consumers need better home network security guidance for managing the inventory of devices on their home network as well as the apps installed on the many devices attached to their network.


  • Continuous Security: Implementing the Critical Controls in a DevOps Environment Masters
    by Alyssa Robinson - December 23, 2015 

    DevOps is an agile-aligned software development methodology that is growing quickly in popularity, expected to reach nearly 25% of Global 2000 organizations (Gartner, 2015) by 2016. Adoption of DevOps practices introduces complications for implementing and auditing standardized security controls, presenting issues such as constantly changing assets, continuous deployment and a breakdown in the traditional segregation of duties. DevOps tools and philosophies also provide advantages, providing opportunity for integration of security automation as part of the development and deployment of applications and giving Security early input into design and implementation.


  • The Scary and Terrible Code Signing Problem You Don't Know You Have Masters
    by Sandra Dunn - October 28, 2015 

    SSL 3.0 / TLS 1.0 certificates are built on the X.509v3 PKI standard and provide the framework that the code signing process uses. Code signing uses PKI and X.509v3 certificates issued by a trusted certificate authority to validate that the code being installed on a device comes from a trusted vendor.


  • The Business Case for TLS Certificate Enterprise Key Management of Web Site Certificates: Wrangling TLS Certificates on the Wild Web Masters
    by Sandra E. Dunn - October 28, 2015 

    An Enterprise Key Certificate Management System (EKCM) provides a best-in-class solution for TLS certificate management.


  • Audits Made Simple by David W. Belangia - October 27, 2015 

    A company just got notified there is a big external audit coming in 3 months. Getting ready for an audit can be challenging, scary, and full of surprises. This Gold Paper describes a typical audit from notification of the intent to audit through disposition of the final report including Best Practices, Opportunities for Improvement (OFI), and issues that must be fixed. Good preparation can improve the chances of success. Ensuring the auditors understand the environment and requirements is paramount to success. It helps the auditors understand that the enterprise really does think that security is important. Understanding and following a structured process ensures a smooth audit process. Ensuring follow-up on OFIs and issues in a structured fashion will also make the next audit easier. It is important to keep in mind that the auditors will use the previous report as a starting point. Now the only worry is the actual audit and subsequent report and how well the company has done.


  • Uncovering Indicators of Compromise (IoC) Using PowerShell, Event Logs and a Traditional Monitoring Tool Masters
    by Dallas Haselhorst - October 26, 2015 

    What security concerns keep you up at night? Is it pivoting, persistent access, the time to detect compromise, or one of a thousand other possibilities? What if you were told that without a doubt, you have tools at your disposal to periodically verify your security posture and you are not presently using them? Why spend more hours and more budget implementing a new product with new agents and new headaches that will not effectively reduce your workload or anxiety level? Even if you have commercial tools already monitoring your systems for security events, how do you know they are working? Is it even practical to use a customized PowerShell scripts/plugins, built-in event logs, and a traditional monitoring tool such as Nagios to monitor for indicators of compromise on Windows systems? In addition, you will be presented with some applied research as well as easy to follow guidelines you can integrate into your own environment(s).


  • Technical Implementation of the Critical Control "Inventory of Authorized and Unauthorized Devices" for a Small Office/Home Office Masters
    by Kenton Groombridge - October 26, 2015 

    There is great value in the proper employment of the Critical Security Controls. The Critical Security Controls are written with terminology that makes them appear applicable only to organizations and other large environments. Implementing the Critical Security Controls can be beneficial to any size network, but can they be applied to a Small Office/Home Office with a limited budget and expertise? This document examines the technical implementation of "Inventory of Authorized and Unauthorized Devices" for a Small Office/Home Office. Topics discussed will be the selection of hardware, evaluation of open-source software and third-party firmware, and custom scripts that function with most modern operating systems.


  • The Fall of SS7 – How Can the Critical Security Controls Help? Masters
    by Hassan Mourad - August 31, 2015 

    For decades, the security of one of the fundamental protocols in telecommunications networks, Signaling System No. 7 (SS7), has been solely based on the mutual trust between the interconnecting operators. Operators relied on their trust in other operators to play by the rules, and the SS7 network has been regarded as a closed trusted network. This notion of trust and security has recently changed after several security researchers announced major vulnerabilities in the SS7 protocol that threatens the user’s privacy and can lead to user location tracking, fraud, denial of service, or even call interception. In this paper we will discuss each individual attack and examine the possibility of using the critical security controls to protect against such attacks and enhance the security of SS7 interconnections.


  • Paying Attention to Critical Controls Masters
    by Edward Zamora - August 21, 2015 

    International organizations such as the Australia DSD, the European Commission and the US NSA have developed their lists of top mitigations and actions they consider necessary for organizations and governments to implement. It has been further established by the international information security community that the twenty critical security controls are the top relevant guidelines for implementing and achieving greater security. Many of the controls require the deployment and installation of security software. But is installing software all there is to it? Will an organization be better defended by buying lots of security products? In one particular use case, attackers were able to break through the network defenses of an organization that implemented many of the security controls but did not do so properly. Under the sense of false security, the senior leadership woke up to some bad news when they learned that gigabytes of data were stolen from the organization’s network after controls were in place. The implementation of security controls should be done with careful planning and attention to detail. This paper covers what the attackers did to circumvent the controls in place in the organization, how they could have implemented the critical controls properly to prevent this compromise, and what an organization needs to do to avoid this pitfall.


Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

Masters - This paper was created by a SANS Technology Institute student as part of their Master's curriculum.