This column is available in a weekly newsletter called IT Best Practices. Click here to subscribe.
Most people who have anything to do with cybersecurity are familiar with the Center for Internet Security (CIS) Critical Security Controls, also commonly known as the SANS Top 20, or more simply the Controls. This list consists of a recommended set of actions for cyber defense that provide specific and actionable ways to stop today's most pervasive and dangerous attacks.
Implementing the Controls is no guarantee an organization will have a bullet-proof defensive posture, but it significantly reduces both the risk that a breach will happen and the impact to the organization if such an event were to occur. What's more, theControls constitute a minimum level of security that any organization that collects or maintains personal or sensitive information should meet.
According to SANS Institute, which for years has been a leading proponent of the Controls, a principle benefit is that they prioritize and focus a smaller number of actions with high pay-off results. The Controls are effective because they are derived from the most common attack patterns highlighted in the leading threat reports and vetted across a very broad community of government and industry practitioners. They were created by the people who know how attacks work—NSA Red and Blue teams, the US Department of Energy nuclear energy labs, law enforcement organizations and some of the nation's top forensics and incident response organizations.
This group of experts attempted to answer the question, "What do we need to do to stop known attacks?" and reached consensus on the most current Controls.
The key to the continued value is that the Controls are updated based on new attacks that are identified and analyzed by expert security groups so the Controls can stop or mitigate those attacks. We are now on version 6 of the Controls:
CSC 1 Inventory of Authorized and Unauthorized Devices
CSC 2 Inventory of Authorized and Unauthorized Software
CSC 3 Secure Configurations for Hardware and Software on Mobile Device Laptops, Workstations, and Servers
CSC 4 Continuous Vulnerability Assessment and Remediation
CSC 5 Controlled Use of Administrative Privileges
CSC 6 Maintenance, Monitoring, and Analysis of Audit Logs
CSC 7 Email and Web Browser Protections
CSC 8 Malware Defenses
CSC 9 Limitation and Control of Network Ports, Protocols, and Services
CSC 10 Data Recovery Capability
CSC 11 Secure Configurations for Network Devices such as Firewall Routers, and Switches
CSC 12 Boundary Defense
CSC 13 Data Protection
CSC 14 Controlled Access Based on the Need to Know
CSC 15 Wireless Access Control
CSC 16 Account Monitoring and Control
CSC 17 Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 18 Application Software Security
CSC 19 Incident Response and Management
CSC 20 Penetration Tests and Red Team Exercises
(To learn more about the CIS Critical Security Controls and download a free detailed version please visit: http://www.cisecurity.org/critical-controls/.)
Did you know that the Center for Internet Security also has companion lists of controls for mobile devices and the Internet of Things? As you can imagine, there are slight differences in how you would secure, say, an iPhone compared to a Windows-based laptop computer. For example, Critical Security Control 8 covers malware defenses. On a laptop or server, you can implement anti-virus/anti-malware software, but these traditional techniques don't apply to a device running the iOS operating system. Thus the mobile device version of the Top 20 Controls offers suggestions of how to implement malware controls that are appropriate for the mobile platform.
Likewise there are subtle differences in how some of the Controls must be implemented for the IoT. CIS points out, for example, that SCADA systems can be considered to be IoT devices. While CSC 1 indicates the need to inventory authorized and unauthorized devices, using traditional network scanning techniques can actually be dangerous to some industrial control systems, putting them into error states. Thus the Controls document prescribes other ways to achieve the same goal.
The companion documents for mobile and IoT controls can both be accessed via http://www.cisecurity.org/critical-controls/. You will need to register to get a token to access the documents, but it's free to do so.