The Evolution of Security: The Shifting Landscape of Critical Security Controls

Earlier this month the Center for Internet Security released an update to its Critical Security Controls. Here's part one in a three post breakdown of the changes they made.

The new phonebooks are here! The new phonebooks are here!

Steve Martin in The JerkSteve Martin in The Jerk. Image via

I admit to being a fan of Steve Martin, both his movies and more recently his music (he is a great bluegrass banjo player, check out Steep Canyon Ranger if you didn’t know this), but his line from The Jerk seems appropriate here to celebrate the updating of the Critical Security Controls. These top 20 controls, now under the management of the Center for Internet Security (CIS) after being developed with direction from the United States National Security Agency, are a manageable and measurable set of security actions focused on what best works to prevent attacks or respond to those that do happen. These are prioritized to give you an idea of where to start, and this is where the new list has a few interesting changes.

Looking at the top 5, or what the CIS refers to as those that are “foundational cyber hygiene,” there was little change from last year – number 1 through 4 were identical:

  1. Inventory of Authorized and Unauthorized Devices
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  4. Continuous Vulnerability Assessment and Remediation

These all seem to follow a logical flow. First we need to keep devices from plugging in, or otherwise connecting to the corporate network, though given the dissolution of a defined perimeter, this can be a significant challenge. Once a device is on “my” network, as an infosec pro I want to know exactly what software that device is running to ensure that there is no malicious software, no rogue software, and the approved software is properly tracked and versioned. While license violations are not the chief concern of a CISO, being able to snuff these out can show incremental value to leadership. CSC #3 got a minor addition to now include mobile devices; this goes back to the elimination of a perimeter and the growth of BYOD. Still, mobile remains to become a significant attack vector – as per the 2015 VDBIR, “Mobile devices are not a preferred vector in data breaches.” That is not to say this won’t change, and given how the CSC is built using practical, field-based input, this may be their way of saying to watch this space.

Checking in at #4 is Continuous Vulnerability Assessment and Remediation; given the speed at which attackers are changing their tactics and the speed at which many are able to get in, point in time analysis is insufficient to provide the requisite visibility. Well before you are through your comprehensive, organization-wide vulnerability scan… the data is outdated. In a previous security life I was involved with the “continuous vs. point-in-time debate” and can see the merits of both sides, though the ideal scenario of meaningful alerts as they happens with low false positives is the ultimate goal.

CSC #5 is where the first big shakeup happens; the new #5 is Controlled Use of Administrative Privileges, jumping up from #12 in the previous CSC framework. This elevation on the list reflects the importance of protecting admin access – whether that be from malware taking hold on an admin machine, malicious activity from a disgruntled system admin, or a compromised admin password. The end result is the same; a malicious user the access and authority needed to carry out an attack. From there, traversing the network for the crown jewels, or even a series of petty thefts, can be simple. Stolen admin credentials give attackers a significant head start on any defenses given their de facto trusted status. As a result, Controlled Use of Administrative Privileges jumped to the #5 spot and Malware Defenses took a big tumble from #5 in the previous iteration down to #8, perhaps due to the ineffectiveness of many of signature-based tools.

That covers the CSC’s newest top 5 controls – in blog posts to come I will cover #6-15, which are aimed primarily at optimizing security measures for data protection, and #16-20, which include areas like appsec, security training, and incident response.

Bill Bradley

Dan Geer: The 5 Myths Holding Your Security Program Back

Use this eBook to find out if any of these myths are hurting your security program.

Download now

Related Articles
How to Avoid Cyber Alert Fatigue: Tips from Infosec Pros

23 cybersecurity pros discuss the best ways to avoid cyber alert fatigue.

Of Bugs and Bounties

When vendors first began crediting security researchers for reporting vulnerabilities in their products, the reward typically was your name in 12-point Arial at the bottom of a security advisory*. Those days are long past, and the bug bounty game has changed so dramatically now that independent security researchers can make a very comfortable living by finding bugs in the right kinds of products.

Terabytes of Data Stolen? The Lessons of Operation Iron Tiger

A report from the security firm Trend Micro claims that targeted attacks against US firms have resulted in the theft of intellectual property on a massive scale – including 58 gigabytes of data from a single target. But how?

Bill Bradley

Bill Bradley is director of product marketing at Digital Guardian, bringing over 20 years of technology, marketing, and sales experience to the role. He spent the first portion of his career in field sales and brings this customer-centric mentality to his role in marketing for Digital Guardian. Prior to Digital Guardian Bill was at Rapid7 and the General Electric Corporation.

Please post your comments here