Twenty critical security controls for effective cyber-defense
Date: November 29, 2012
Version 4.0 of the « 20 Critical Security Controls for Effective Cyber-Defense » document was released in November 2012. This document, first made public in August 2009 (as version 2.1 at that time), is gaining popularity and is now recognized as reference material for securing systems. The guide is sometimes called the CAG (Consensus Audit Guidelines) because a large number of contributors from the United States defense sphere were involved in its design.
The document was built to provide security guidance to U.S. government agencies as well as other sensitive industries in the U.S. It is also promoted in Britain by the CPNI (Centre for the Protection of National Infrastructure). It describes the 20 most important measures that should be put in place to counter the risk of intrusion via an organization's IT systems. These measures are listed in order of effectiveness, the first ones being those deemed most effective at preventing intrusions.
We describe these measures in the table below. They are standard defense-in-depth measures, but what is interesting here is the prioritization and the fact that, for each control, the guide explains several ways to achieve the assigned goals. In particular, it includes "Quick wins" sections, which describe the most effective measures for quickly improving an organisation's capabilities. In the table below, we list the 20 security controls identified by the guide together with examples of "quick wins". We selected and reformulated the "quick wins" so that the purpose of each control can be grasped quickly.
| # | Critical Control title / « Quick win » example |
|---|---|
| 1 | Inventory of Authorized and Unauthorized Devices. |
| 2 | Inventory of Authorized and Unauthorized Software. Quick win: Perform regular scanning of systems to identify when unapproved software is being installed. |
| 3 | Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers. Quick win: Build a secure image that is used to set up all new systems deployed in the enterprise. |
| 4 | Continuous Vulnerability Assessment and Remediation. Quick win: Run automated vulnerability scanning tools to identify vulnerable systems. |
| 5 | Malware Defenses. Quick win: Employ antivirus software on all systems, and disable auto-run features for removable media. |
| 6 | Application Software Security. Quick win: Use WAF (Web Application Firewall) solutions to protect web applications against common attacks. |
| 7 | Wireless Device Control. Quick win: Authorize Wi-Fi access only for approved users and known devices. |
| 8 | Data Recovery Capability. Quick win: Ensure that each system is automatically backed up weekly, for both operating system and user data. |
| 9 | Security Skills Assessment and Appropriate Training to Fill Gaps. Quick win: Develop awareness training based on the deviations from the security policy that have been observed. |
| 10 | Secure Configurations for Network Devices such as Firewalls, Routers, and Switches. Quick win: Regularly check the configuration of network equipment to ensure there is no deviation from the approved baseline. |
| 11 | Limitation and Control of Network Ports, Protocols, and Services. Quick win: Disable on each system any network service that is not needed. |
| 12 | Controlled Use of Administrative Privileges. Quick win: Use automated tools to inventory all administrative accounts and validate that each account has been authorized. |
| 13 | Boundary Defense. Quick win: Use a filtering solution (based on white-lists or black-lists) to deny network connections to unsafe IP addresses or URLs. |
| 14 | Maintenance, Monitoring, and Analysis of Audit Logs. Quick win: Establish a security log management policy. |
| 15 | Controlled Access Based on the Need to Know. Quick win: Any sensitive information should be located on separate VLANs with proper firewall filtering. |
| 16 | Account Monitoring and Control. Quick win: Regularly review all system accounts and disable any account that cannot be associated with a business process and/or an owner. |
| 17 | Data Loss Prevention. Quick win: Deploy approved hard drive encryption software to mobile devices and to systems that hold sensitive data. |
| 18 | Incident Response and Management. Quick win: Ensure that there are written incident response procedures that include a definition of roles and of the phases for handling incidents. |
| 19 | Secure Network Engineering. Quick win: The network should be designed using at least a three-tier architecture: DMZ, middleware, and private network. |
| 20 | Penetration Tests and Red Team Exercises. Quick win: Conduct regular external and internal penetration tests. |
This guide enforces strict security measures that some people may see as too restrictive or inappropriate for modern computing practices. For example, it is far from addressing BYOD or Cloud concerns. However, let's be clear: it really describes what must be done to ensure a good level of security. The French “Guide de l’hygiène informatique” (guide to IT hygiene) published in October 2012 by the ANSSI (the French National Agency for IT security), as well as the speech of Mr Patrick Pailloux (ANSSI director) at the « Assises de la Sécurité » conference, provide the same kind of recommendations. The « 20 Critical Controls » document should thus be considered as a description of best practices, covering what experts recommend for any company that handles sensitive data. Measuring the deviation of an organisation from this reference gives a good idea of how well that organisation is protected against APT (Advanced Persistent Threat) attacks: the greater the deviation, the more likely the organization's IT system will be an easy target in case of attack.
For more information:
- The official website for the « 20 Critical Controls »: http://www.sans.org/critical-security-controls/
- CPNI video that introduces the « 20 Critical Controls »: http://www.youtube.com/watch?v=2xWYMhy-Zds
- Critical review of the initiative: http://www.guerilla-ciso.com/archives/1494