Editor’s Note:  FISMA Focus, on an occasional basis, will provide information on the cybersecurity efforts of allied nations.

From: Centre for the Protection of National Infrastructure

The Top Twenty Critical Security Controls are a baseline of high-priority information security measures and controls that can be applied across an organisation in order to improve its cyber defence. The controls (and sub-controls) focus on various technical measures and activities, with the primary goal of helping organisations prioritise their efforts to defend against the current most common and damaging computer and network attacks.

The Centre for the Protection of National Infrastructure is participating in an international government-industry effort to promote the top twenty critical controls for computer and network security. The development of these controls is being coordinated by the SANS Institute.

The controls (and sub-controls) focus on various technical measures and activities, with the primary goal of helping organisations prioritise their efforts to defend against the current most common and damaging computer and network attacks. Outside of the technical realm, a comprehensive security program should also take into account many other areas of security, including overall policy, organisational structure, personnel issues and physical security. To help maintain focus, the twenty controls do not deal with these important but non-technical aspects of information security.

The twenty controls and supporting advice are dynamic in order that they recognise changing technology and methods of attack. All twenty controls, together with a brief description, are given below. For further information, visit the SANS website.

CONTROL 1 – INVENTORY OF AUTHORISED AND UNAUTHORISED DEVICES

Reduce the ability of attackers to find and exploit unauthorised and unprotected systems. Use active monitoring and configuration management to maintain an up-to-date inventory of devices connected to the enterprise network, including servers, workstations, laptops, mobile, and remote devices.

CONTROL 2 – INVENTORY OF AUTHORISED AND UNAUTHORISED SOFTWARE

Identify vulnerable or malicious software to mitigate or root out attacks. Devise a list of authorised software for each type of system, and deploy tools to track software installed (including type, version, and patches) and monitor for unauthorised or unnecessary software.

CONTROL 3 – SECURE CONFIGURATIONS FOR HARDWARE AND SOFTWARE ON LAPTOPS, WORKSTATIONS, AND SERVERS

Prevent attackers from exploiting services and settings that allow easy access through networks and browsers. Build a secure image that is used for all new systems deployed to the enterprise, host these standard images on secure storage servers, regularly validate and update these configurations, and track system images in a configuration management system.

CONTROL 4 – CONTINUOUS VULNERABILITY ASSESSMENT AND REMEDIATION

Proactively identify and repair software vulnerabilities reported by security researchers or vendors. Regularly run automated vulnerability scanning tools against all systems and quickly remediate any vulnerabilities – with critical problems fixed within 48 hours.

CONTROL 5 – MALWARE DEFENCES

Block malicious code from tampering with system settings or contents, capturing sensitive data, or spreading. Use automated anti-virus and anti-spyware software to continuously monitor and protect workstations, servers, and mobile devices. Automatically update such anti-malware tools on all machines on a daily basis. Prevent systems from using auto-run programs to access removable media.

CONTROL 6 – APPLICATION SOFTWARE SECURITY

Scan for, discover, and remediate vulnerabilities in web-based and other application software. Carefully test internally developed and third-party application software for security flaws, including coding errors and malware. Deploy web application firewalls that inspect all traffic, and explicitly check for errors in all user input (including by size and data type).

CONTROL 7 – WIRELESS DEVICE CONTROL

Protect the security perimeter against unauthorised wireless access. Allow wireless devices to connect to the network only if they match an authorised configuration and security profile and have a documented owner and defined business need. Ensure that all wireless access points are manageable using enterprise management tools. Configure scanning tools to detect wireless access points.

CONTROL 8 – DATA RECOVERY CAPABILITY

Minimise the damage from an attack: Implement a trustworthy plan for removing all traces of an attack. Automatically back up all information required to fully restore each system, including the operating system, application software, and data. Back up all systems at least weekly; back up sensitive systems more often. Regularly test the restoration process.

CONTROL 9 – SECURITY SKILLS ASSESSMENT AND APPROPRIATE TRAINING TO FILL GAPS

Find knowledge gaps, and fill them with exercises and training. Develop a Security Skills Assessment program, map training against the skills required for each job, and use the results to allocate resources effectively to improve security practices.

CONTROL 10 – SECURE CONFIGURATIONS FOR NETWORK DEVICES SUCH AS FIREWALLS, ROUTERS, AND SWITCHES

Preclude electronic holes from forming at connection points with the Internet, other organisations, and internal network segments: Compare firewall, router, and switch configurations against standards for each type of network device. Ensure that any deviations from the standard configurations are documented and approved and that any temporary deviations are undone when the business need abates.

CONTROL 11 – LIMITATION AND CONTROL OF NETWORK PORTS, PROTOCOLS, AND SERVICES

Allow remote access only to legitimate users and services. Apply host-based firewalls and port-filtering and scanning tools to block traffic that is not explicitly allowed. Properly configure web servers, mail servers, file and print services, and domain name system (DNS) servers to limit remote access. Disable automatic installation of unnecessary software components. Move servers inside the firewall unless remote access is required for business purposes.

CONTROL 12 – CONTROLLED USE OF ADMINISTRATIVE PRIVILEGES

Protect and validate administrative accounts on desktops, laptops, and servers to prevent two common types of attack: (1) enticing users to open a malicious e-mail, attachment, or file, or to visit a malicious website; and (2) cracking an administrative password and thereby gaining access to a target machine. Use robust passwords that follow known standards.

CONTROL 13 – BOUNDARY DEFENCE

Control the flow of traffic through network borders, and police content by looking for attacks and evidence of compromised machines. Establish multilayered boundary defences by relying on firewalls, proxies, demilitarised zone (DMZ) perimeter networks, and other network-based tools. Filter inbound and outbound traffic, including through business partner networks (“extranets”).

CONTROL 14 – MAINTENANCE, MONITORING, AND ANALYSIS OF SECURITY AUDIT LOGS

Use detailed logs to identify and uncover the details of an attack, including the location, malicious software deployed, and activity on victim machines. Generate standardised logs for each hardware device and the software installed on it, including date, time stamp, source addresses, destination addresses, and other information about each packet and/or transaction. Store logs on dedicated servers, and run biweekly reports to identify and document anomalies.

CONTROL 15 – CONTROLLED ACCESS BASED ON THE NEED TO KNOW

Prevent attackers from gaining access to highly sensitive data. Carefully identify and separate critical data from information that is readily available to internal network users. Establish a multilevel data classification scheme based on the impact of any data exposure, and ensure that only authenticated users have access to non-public data and files.

CONTROL 16 – ACCOUNT MONITORING AND CONTROL

Prevent attackers from impersonating legitimate users. Review all system accounts and disable any that are not associated with a business process and owner. Immediately revoke system access for terminated employees or contractors. Disable dormant accounts and encrypt and isolate any files associated with such accounts. Use robust passwords that follow known standards.

CONTROL 17 – DATA LOSS PREVENTION

Stop unauthorised transfer of sensitive data through network attacks and physical theft. Scrutinise the movement of data across network boundaries, both electronically and physically, to minimise the exposure to attackers. Monitor people, processes, and systems, using a centralised management framework.

CONTROL 18 – INCIDENT RESPONSE CAPABILITY

Protect the organisation’s reputation, as well as its information. Develop an incident response plan with clearly delineated roles and responsibilities for quickly discovering an attack and then effectively containing the damage, eradicating the attacker’s presence, and restoring the integrity of the network and systems.

CONTROL 19 – SECURE NETWORK ENGINEERING

Keep poor network design from enabling attackers. Use a robust, secure network engineering process to prevent security controls from being circumvented. Deploy network architecture with at least three tiers: DMZ, middleware, private network. Allow rapid deployment of new access controls to quickly deflect attacks.

CONTROL 20 – PENETRATION TESTS AND RED TEAM EXERCISES

Use simulated attacks to improve organisational readiness. Conduct regular internal and external penetration tests that mimic an attack to identify vulnerabilities and gauge the potential damage. Use periodic red team exercises—all out attempts to gain access to critical data and systems— to test existing defences and response capabilities.

Prioritisation of the critical controls:

The twenty controls are a baseline of high-priority ‘technical’ information security measures and controls that can be applied across an organisation to improve its cyber defence. In order for a control to be a high priority, it must provide a direct defence against attacks. Controls that mitigate known attacks, or a wide variety of attacks, or attacks early in the compromise cycle, all have priority over other controls. Controls that mitigate the impact of a successful attack also have a high priority. Special consideration is given to controls that help mitigate attacks that have not yet been discovered.