Editor’s Note: Attached below is the SANS Institute’s “Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines (CAG)”, which discusses the 20 Critical Controls in detail.
From: SANS Institute
SANS Announces the Release of a Major Update to the 20 Critical Controls
The SANS Institute announced today the release of a major update to the 20 Critical Controls, a prioritized baseline of information security measures designed to provide continuous monitoring to better protect government and commercial computers and networks from cyber attacks.
Targeted cyber attacks in recent years such as Stuxnet, SpyEye, and WikiLeaks underscore the ever-changing information security threat landscape. Version 3.0 of the 20 Critical Controls released today has been exhaustively tested and proven to be an effective way to implement cost-effective security to thwart these intrusions. The control areas focus on critical technical aspects of information security with the primary goal of helping organizations prioritize and automate their efforts to defend against the most common and damaging insider and outsider attacks.
The 20 Critical Controls, which have already been effectively implemented by many government and commercial organizations, help to automate key security controls, providing metrics to help gauge and improve the security posture. Version 3.0 updates the controls based on knowledge of actual attacks and defines controls that would have prevented those attacks from being successful. It draws on first-hand knowledge of how attacks are being carried out, with input from the US Department of Homeland Security, US Department of Defense, US Computer Readiness Team, the Australian Government Department of Defence, US military investigators who fight cyber crime, the FBI and other law enforcement agencies, forensics experts, penetration testers who carry out simulated attacks against government and commercial systems, and federal chief information and information security officers.
Version 3.0 of the 20 Critical Controls is based on four key items which generated compelling reasons to take the control framework to the next level of development. The first key item was alignment of each of the 20 controls and the associated subcontrols. The realignment of the subcontrols was done based on the current technology and threat environment, including new threat vectors. As zero-day attacks increase and the focus shifts to advanced persistent threats, new subcontrols have also been added to facilitate rapid detection and prevention of attacks.
The second major development was the alignment of 20 Controls to the National Security Agency’s Associated Manageable Network Plan Revision 2.0 Milestones. Close mapping and correlation with these plans enables the 20 Critical Controls to put forth a step-by-step and cost-effective approach to transform an unmanageable and insecure network into one poised to provide continuous defense.
The third significant item was the establishment of definitions, guidelines, and proposed scoring criteria to evaluate tools for their ability to satisfy the requirements of each of the 20 Controls. These guidelines allow organizations to select capable tools so that the controls can be automated.
The fourth material development was the inclusion of the findings of the Australian Government Department of Defence, which produced the Top 35 Key Mitigation Strategies. These mitigation strategies, which have been mapped to the 20 Controls, provide measures to help reduce the impact of attacks.
The 20 Critical Security Controls are:
- Inventory of Authorized and Unauthorized Devices
- Inventory of Authorized and Unauthorized Software
- Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
- Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- Boundary Defense
- Maintenance, Monitoring, and Analysis of Security Audit Logs
- Application Software Security
- Controlled Use of Administrative Privileges
- Controlled Access Based on the Need to Know
- Continuous Vulnerability Assessment and Remediation
- Account Monitoring and Control
- Malware Defenses
- Limitation and Control of Network Ports, Protocols, and Services
- Wireless Device Control
- Data Loss Prevention
- Secure Network Engineering
- Penetration Tests and Red Team Exercises
- Incident Response Capability
- Data Recovery Capability
- Security Skills Assessment and Appropriate Training to Fill Gaps
Additional information on the 20 Critical Controls may be found at: http://www.sans.org/critical-security-controls/
SANS is the most trusted and by far the largest source for information security training and certification in the world. It also develops, maintains, and makes available at no cost the largest collection of research documents about various aspects of information security, and it operates the Internet’s early warning system – Internet Storm Center. SANS also sponsored the creation of GIAC, a leading industry security certification. The SANS (SysAdmin, Audit, Network, Security) Institute was established in 1989 as a cooperative research and education organization. Its programs now reach more than 165,000 security professionals around the world. A range of individuals from auditors and network administrators to chief information security officers are sharing the lessons they learn and are jointly finding solutions to the challenges they face. At the heart of SANS are the many security practitioners in varied global organizations from corporations to universities working together to help the entire information security community.
- ### -