Specific (actual) attacks that the control stops or mitigates;
Best practices in automating the control (for 15 controls that can be automated);
Tests that can determine whether each control is effectively implemented.
“This is the best example of risk-based security we have ever seen
“The team that was brought together represents the nation’s most complete understanding of the risk faced by our systems. In the past, cyber security was driven by people who had no clue of how the attacks are carried out. They created an illusion of security.
After severe data losses in companies doing business. Very quickly the our experts recognized that the attacks targeting the defense infrastructure were nearly identical to those targeting private and public firms.
Security Controls are a baseline for building onto their overall security model, especially in the areas of wireless device control and application software security.
“Security these days should be considered an evolutionary process”. “As fast as we move to secure networks, the bad guys are moving faster to find new ways to get into our systems.”
The 20 Controls
Following is a list of the 20 controls:
- Inventory of Authorized and Unauthorized Hardware.
- Inventory of Authorized and Unauthorized Software.
- Secure Configurations for Hardware and Software For Which Such Configurations Are Available.
- Secure Configurations of Network Devices Such as Firewalls And Routers.
- Boundary Defense
- Maintenance and Analysis of Complete Security Audit Logs
- Application Software Security
- Controlled Use of Administrative Privileges
- Controlled Access Based On Need to Know
- Continuous Vulnerability Testing and Remediation
- Dormant Account Monitoring and Control
- Anti-Malware Defenses
- Limitation and Control of Ports, Protocols and Services
- Wireless Device Control
- Data Leakage Protection
Additional Critical Controls (not directly supported by automated measurement and validation):
- Secure Network Engineering
- Red Team Exercises
- Incident Response Capability
- Assured Data Back-Up
- Security Skills Assessment and Training to Fill Gap