Just moozing

Before you can check your notes, you must make them…

Council on cybersecurity and the 20 critical controls


The Council on Cybersecurity’s 20 controls are technology-agnostic “best practice”. Reading them, a lot of it is “that is obvious”, but they give mostly unbiased recommendations that you can refer to when discussing security controls.

For me it has put words on specific designs and procedures that “we all know”. The problem with common knowledge is that you encounter people who disagree, and the 20 CSC provides a reference.

Fictitious example:

Me: You should put web servers in a DMZ.
Customer: Why?
Me: Internet-exposed servers and services are good points of attack for hackers. Network segregation in general enables you to monitor more specifically and set up more aggressive detection or prevention rules.
Customer: Really?
Me: It is industry recommended. You could look at CSC 19-1 about secure network engineering or CSC 13 on boundary defense, if you want some more information on this.

The 20 controls are as follows:

[Image: CSC 20 overview]

As can be seen, they cover a lot of ground, and each control has 5-10 sub-controls, so there are a lot of recommendations described. In my opinion the trick is to select the most important parts.

They also introduce the concept of “The first five”. These are the basic controls that everybody must start with.

  1. Application whitelisting
  2. Use of standard, secure system configuration
  3. Patch application software within 48 hours
  4. Patch system within 48 hours
  5. Reduce number of users with administrative privileges

They look fairly inconspicuous. Going into the details of these reveals that they are not that obvious to implement. For workstations and servers, we have good tools to do most of this. What about switches, routers, printers, phones, and smart phones?
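To make the “first five” concrete, here is an added example (my own illustration, not code from the Council on Cybersecurity or from the original post) that evaluates a constructed asset inventory against the five controls. Everything about the inventory is assumed: the asset records, the “pending since” timestamps used to measure the 48-hour patch windows, and the MAX_ADMINS threshold, which is a local policy choice the controls themselves do not fix. The same check runs over a server, a workstation and a switch, which is exactly the point: the control is the same, but the data you need per device type is what is hard to collect.

```python
from datetime import datetime, timedelta, timezone

PATCH_WINDOW = timedelta(hours=48)   # controls 3 and 4: patch within 48 hours
MAX_ADMINS = 2                       # control 5: assumed local limit on admin accounts per asset

# Fixed "now" so that the results of this example are reproducible.
NOW = datetime(2015, 2, 19, 8, 0, tzinfo=timezone.utc)

# Constructed inventory; every asset and field below is an assumption made for this example.
ASSETS = [
    {"name": "web01", "kind": "server", "baseline": True,
     "running": {"nginx", "sshd"}, "allowed": {"nginx", "sshd"},
     "app_patch_pending_since": None,
     "os_patch_pending_since": NOW - timedelta(hours=12),
     "admins": {"ops"}},
    {"name": "pc-sales-07", "kind": "workstation", "baseline": False,
     "running": {"outlook", "chrome", "tftp32"}, "allowed": {"outlook", "chrome"},
     "app_patch_pending_since": NOW - timedelta(hours=72),
     "os_patch_pending_since": None,
     "admins": {"alice", "bob", "helpdesk"}},
    {"name": "sw-core-1", "kind": "switch", "baseline": True,
     "running": set(), "allowed": set(),
     "app_patch_pending_since": None,
     "os_patch_pending_since": NOW - timedelta(days=30),
     "admins": {"netadmin"}},
]


def overdue(pending_since, now):
    """True when a known-pending patch has waited longer than the 48-hour window."""
    return pending_since is not None and now - pending_since > PATCH_WINDOW


def evaluate(asset, now=NOW):
    """Return the list of 'first five' findings for one asset (empty list = clean)."""
    findings = []
    # 1. Application whitelisting: anything running that is not on the approved list.
    unlisted = asset["running"] - asset["allowed"]
    if unlisted:
        findings.append(f"1 whitelisting: unapproved software running: {sorted(unlisted)}")
    # 2. Standard, secure system configuration: asset must match its baseline.
    if not asset["baseline"]:
        findings.append("2 config: deviates from the standard secure configuration")
    # 3. Application patches within 48 hours.
    if overdue(asset["app_patch_pending_since"], now):
        findings.append("3 app patching: application patch pending for more than 48 hours")
    # 4. System patches within 48 hours.
    if overdue(asset["os_patch_pending_since"], now):
        findings.append("4 system patching: system patch pending for more than 48 hours")
    # 5. Reduce the number of users with administrative privileges.
    if len(asset["admins"]) > MAX_ADMINS:
        findings.append(f"5 admins: {len(asset['admins'])} administrative accounts (limit {MAX_ADMINS})")
    return findings


def report(assets, now=NOW):
    """Map asset name -> findings, so a caller can see which control fails on which asset."""
    return {a["name"]: evaluate(a, now) for a in assets}


if __name__ == "__main__":
    for name, findings in report(ASSETS).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("   ", finding)
```

Note that the check deliberately treats an asset with no pending-patch data the same as a patched one; in practice a switch or printer for which you cannot obtain that data at all is a finding in itself, since you cannot show the control is met.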

I think smart phones are the biggest challenge. A smart phone is a potent communications hub with lots of hardware for wireless communication and limited security (partly due to battery lifetime); it is used for everything and you bring it everywhere. Since it is so versatile, it will contain a lot of user names, passwords and certificates, which makes it a tempting target for hackers.

Working your way through all twenty controls for all devices on your network will keep you busy for a long while.

If compliance is relevant, mappings from CSC20 to e.g. NIST 800-53 are available.

Another document that I found interesting is the one on workforce management. It contains a lot of interesting words on what IT security professionals do, and a mapping between NICE and CSC20.


The document includes the essential tasks pyramid. The lowest tier is about “everybody” and includes tasks like “Don’t plug in unknown devices”. It is a task that many users find difficult.



Written by moozing

February 19, 2015 at 08:00

Posted in Tech
