The Evolution of Security: The Shifting Landscape of Critical Security Controls



Earlier this month the Center for Internet Security released an update to its Critical Security Controls. Here's part one in a three post breakdown of the changes they made.

The new phonebooks are here! The new phonebooks are here!


Steve Martin in The JerkSteve Martin in The Jerk. Image via MovieClips.com.

I admit to being a fan of Steve Martin, both his movies and more recently his music (he is a great bluegrass banjo player, check out Steep Canyon Ranger if you didn’t know this), but his line from The Jerk seems appropriate here to celebrate the updating of the Critical Security Controls. These top 20 controls, now under the management of the Center for Internet Security (CIS) after being developed with direction from the United States National Security Agency, are a manageable and measurable set of security actions focused on what best works to prevent attacks or respond to those that do happen. These are prioritized to give you an idea of where to start, and this is where the new list has a few interesting changes.

Looking at the top 5, or what the CIS refers to as those that are “foundational cyber hygiene,” there was little change from last year – number 1 through 4 were identical:

  1. Inventory of Authorized and Unauthorized Devices
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  4. Continuous Vulnerability Assessment and Remediation

These all seem to follow a logical flow. First we need to keep devices from plugging in, or otherwise connecting to the corporate network, though given the dissolution of a defined perimeter, this can be a significant challenge. Once a device is on “my” network, as an infosec pro I want to know exactly what software that device is running to ensure that there is no malicious software, no rogue software, and the approved software is properly tracked and versioned. While license violations are not the chief concern of a CISO, being able to snuff these out can show incremental value to leadership. CSC #3 got a minor addition to now include mobile devices; this goes back to the elimination of a perimeter and the growth of BYOD. Still, mobile remains to become a significant attack vector – as per the 2015 VDBIR, “Mobile devices are not a preferred vector in data breaches.” That is not to say this won’t change, and given how the CSC is built using practical, field-based input, this may be their way of saying to watch this space.

Checking in at #4 is Continuous Vulnerability Assessment and Remediation; given the speed at which attackers are changing their tactics and the speed at which many are able to get in, point in time analysis is insufficient to provide the requisite visibility. Well before you are through your comprehensive, organization-wide vulnerability scan… the data is outdated. In a previous security life I was involved with the “continuous vs. point-in-time debate” and can see the merits of both sides, though the ideal scenario of meaningful alerts as they happens with low false positives is the ultimate goal.

CSC #5 is where the first big shakeup happens; the new #5 is Controlled Use of Administrative Privileges, jumping up from #12 in the previous CSC framework. This elevation on the list reflects the importance of protecting admin access – whether that be from malware taking hold on an admin machine, malicious activity from a disgruntled system admin, or a compromised admin password. The end result is the same; a malicious user the access and authority needed to carry out an attack. From there, traversing the network for the crown jewels, or even a series of petty thefts, can be simple. Stolen admin credentials give attackers a significant head start on any defenses given their de facto trusted status. As a result, Controlled Use of Administrative Privileges jumped to the #5 spot and Malware Defenses took a big tumble from #5 in the previous iteration down to #8, perhaps due to the ineffectiveness of many of signature-based tools.

That covers the CSC’s newest top 5 controls – in blog posts to come I will cover #6-15, which are aimed primarily at optimizing security measures for data protection, and #16-20, which include areas like appsec, security training, and incident response.

Bill Bradley

Dan Geer: The 5 Myths Holding Your Security Program Back

Use this eBook to find out if any of these myths are hurting your security program.

Download now

Related Articles
Findings from the 2015 Ponemon Institute Cost of Cybercrime Study: The Threats vs. Defenses Gap

Last month the Ponemon Institute released its annual Cost of Cybercrime report covering damages from cybercrimes in the past year. Here are some of the key findings.

Removable Media Security Alert

Did you see the Nova special Rise of the Hackers? I was stunned by an experiment they conducted:

Deus ex Machina: Securing Industrial Control Systems

The critical infrastructure that we rely on every day is becoming increasingly vulnerable to attack. What can be done to secure these systems?

Bill Bradley

Bill Bradley is director of product marketing at Digital Guardian, bringing over 20 years of technology, marketing, and sales experience to the role. He spent the first portion of his career in field sales and brings this customer-centric mentality to his role in marketing for Digital Guardian. Prior to Digital Guardian Bill was at Rapid7 and the General Electric Corporation.

Please post your comments here