Assurance, not Compliance - Using the 20 Critical Security Controls
By Randy Marchany, CISO, Virginia Tech IT Security Office and Lab
The Center for Internet Security (CIS) 20 Critical Security Controls (CSC) bridge the gap between high-level architectural concepts and actual implementation: they are a set of technical controls designed to help organizations protect their information systems. These controls are only useful if we take the time to implement and follow them.
Compliance with Established Security Architecture Standards
The CSC provide effective responses to the latest and most common threats, with a strong emphasis on known actions that produce results. They were derived from the most common attack patterns and vetted across a broad community of government and industry practitioners.
Our focus is ASSURANCE, not compliance
Step 1: Do the CSC gap analysis first
I highly recommend doing a gap analysis to measure how your organization's security architecture maps to the 20 CSC. Asking the following questions helps you determine where the gaps are:
• Where does your organization have deficiencies?
• What are the most important next steps for your organization?
• What evaluation plan will you follow in light of these controls?
The first step of the implementation strategy is to identify the gaps between an organization's current state and the requirements of each control. Figure 1 shows a sample gap analysis of a hypothetical company. The control number is shown on the X-axis and the percentage complete is shown on the Y-axis. Frankly, you should expect your first gap analysis to be somewhat dismal. The orange bars highlight controls whose implementation is less than 50 percent complete. Your initial gap analysis establishes the baseline used to measure the progress of the implementation; subsequent gap analyses should show improvement in the areas that were deficient in the previous one.
Suppose we want to determine how well we comply with Control 1 (Inventory of Authorized and Unauthorized Hardware). We need to answer the what, who and how questions.
What should be in the inventory?
• Network hardware – routers, switches, access points, and the accurate physical location of each device
• “Traditional” hardware – servers, desktops, laptops, BYOD
• “Specialized” hardware – IoT devices such as cameras, access controls, industrial control systems, laboratory data acquisition equipment, building management systems
You have to find an asset before you can defend it. This isn't a trivial task, because most networks offer many ways to connect. For example, here are some possible connection points:
• Wired, static IP addresses (IPv4 and IPv6)
• Wired, DHCP assigned addresses
• Wired VPN
• Wireless, wireless DHCP, wireless VPN
Who has the information for the equipment in the above list?
Hardware asset information is spread out over multiple departments within an organization. You need to determine all of the possible ways a machine can connect to your network. Here are some possible sources of information to help you determine where your assets are:
• Network management group – The network management group in your organization usually has some sort of database that lists the physical locations of wired hosts. This information is usually kept for diagnostic purposes to help technicians locate a device that is having connection problems.
• Individual and departmental system administrators – Usually keep spreadsheets or inventory-tracking software for the assets in their groups.
• Network scanner – The IT Security office, systems group or network management group may run daily scans of your organization's network listing the live hosts and, where identifiable, their type. This list of IP addresses, used together with the network management group's location database, gives an "inventory" of systems connected to your network.
• SIEMs and centralized log servers – DHCP, VPN, wireless authentication and firewall logs record which hosts actually used the network, including devices nobody inventoried.
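The following Python script is an added example, not code from the article or from Virginia Tech's tooling; it shows what the reconciliation described above looks like once you have the data. It keys three constructed sources on MAC address: the authorized inventory (a CSV as a sysadmin might keep it), an `ip neigh show` dump from a router (hosts seen on the wire), and an ISC `dhcpd.leases` excerpt (hosts that asked for an address). Devices observed but absent from the inventory are the "unauthorized" ones Control 1 is about; inventoried devices that were never observed are stale records or missing hardware. All records, addresses and hostnames are constructed sample data.

```python
"""Reconcile observed devices against the authorized hardware inventory (CSC 1).
All records below are constructed sample data, not real assets. A device that
is observed but absent from AUTHORIZED_CSV is 'unauthorized' in the Control 1
sense, whatever its owner believes."""
import csv
import io
import re
from dataclasses import dataclass, field

AUTHORIZED_CSV = """hostname,mac,owner,department
fs01,00:1a:2b:3c:4d:01,jsmith,Physics
ws-lab-07,00:1A:2B:3C:4D:07,agarcia,Chemistry
cam-lobby-2,00:1a:2b:3c:4d:22,facilities,Facilities
printer-3f,00:1a:2b:3c:4d:33,helpdesk,IT
"""

NEIGH_OUTPUT = """10.1.2.10 dev eth1 lladdr 00:1a:2b:3c:4d:01 REACHABLE
10.1.2.17 dev eth1 lladdr 00:1a:2b:3c:4d:07 STALE
10.1.2.44 dev eth1 lladdr 00:1a:2b:3c:4d:44 REACHABLE
10.1.2.99 dev eth1  FAILED
"""

DHCP_LEASES = """lease 10.1.3.20 {
  starts 4 2024/05/02 10:00:00;
  ends 4 2024/05/02 22:00:00;
  binding state active;
  hardware ethernet aa:bb:cc:dd:ee:20;
  client-hostname "rpi-datalogger";
}
lease 10.1.3.21 {
  binding state free;
  hardware ethernet aa:bb:cc:dd:ee:21;
}
lease 10.1.3.22 {
  binding state active;
  hardware ethernet 00:1a:2b:3c:4d:22;
  client-hostname "cam-lobby-2";
}
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+\S+\s+lladdr\s+(?P<mac>[0-9a-fA-F:]{17})\s", re.M)
LEASE_RE = re.compile(r"lease\s+(?P<ip>[\d.]+)\s*\{(?P<body>.*?)\}", re.S)


def norm_mac(mac: str) -> str:
    """Sources disagree on case and separators; key everything on one form."""
    return mac.strip().lower().replace("-", ":")


def load_authorized(text: str) -> dict:
    """{mac: inventory row} from the authorized-hardware CSV."""
    return {norm_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(text))}


def parse_ip_neigh(text: str) -> dict:
    """{mac: ip} for neighbours with a resolved link-layer address.
    FAILED/INCOMPLETE entries carry no lladdr, so the regex skips them."""
    return {norm_mac(m["mac"]): m["ip"] for m in NEIGH_RE.finditer(text)}


def parse_dhcp_leases(text: str) -> dict:
    """{mac: (ip, hostname)} for leases in 'binding state active'.
    Free/expired leases are dropped: that device is not on the network now."""
    seen = {}
    for m in LEASE_RE.finditer(text):
        body = m["body"]
        if "binding state active;" not in body:
            continue
        hw = re.search(r"hardware ethernet\s+([0-9a-fA-F:]+);", body)
        if hw is None:
            continue
        host = re.search(r'client-hostname\s+"([^"]*)";', body)
        seen[norm_mac(hw[1])] = (m["ip"], host[1] if host else "")
    return seen


@dataclass
class Reconciliation:
    authorized_seen: dict = field(default_factory=dict)  # mac -> ip
    unauthorized: dict = field(default_factory=dict)     # mac -> (ip, where seen)
    missing: dict = field(default_factory=dict)          # mac -> hostname (inventoried, unseen)

    @property
    def coverage_pct(self) -> float:
        """Share of observed devices that are in the inventory: the Control 1 bar."""
        total = len(self.authorized_seen) + len(self.unauthorized)
        return 0.0 if total == 0 else round(100.0 * len(self.authorized_seen) / total, 1)


def reconcile(authorized: dict, neigh: dict, leases: dict) -> Reconciliation:
    """Union the observation sources, then split by presence in the inventory."""
    observed = {mac: (ip, "ip-neigh") for mac, ip in neigh.items()}
    for mac, (ip, host) in leases.items():
        observed.setdefault(mac, (ip, f"dhcp:{host or '?'}"))
    result = Reconciliation()
    for mac, (ip, where) in observed.items():
        if mac in authorized:
            result.authorized_seen[mac] = ip
        else:
            result.unauthorized[mac] = (ip, where)
    for mac, row in authorized.items():
        if mac not in observed:
            result.missing[mac] = row["hostname"]
    return result


if __name__ == "__main__":
    r = reconcile(load_authorized(AUTHORIZED_CSV),
                  parse_ip_neigh(NEIGH_OUTPUT), parse_dhcp_leases(DHCP_LEASES))
    print(f"Control 1 coverage: {r.coverage_pct}%")
    for mac, (ip, where) in sorted(r.unauthorized.items()):
        print(f"UNAUTHORIZED {mac} {ip} (seen via {where})")
    for mac, host in sorted(r.missing.items()):
        print(f"MISSING      {mac} {host} (inventoried, not observed)")
```

On the constructed data the script reports two unauthorized devices (a wired host the inventory has never heard of and a DHCP client calling itself "rpi-datalogger"), one inventoried printer that nobody has seen, and 60 percent coverage, which is the kind of number that goes on the Control 1 bar of the gap chart. Keying on MAC rather than IP is deliberate: DHCP and wireless addresses change, and a MAC is the one identifier all three sources share. A MAC can of course be spoofed, so this measures inventory coverage, not trust; the unauthorized list is a work queue for someone to walk the switch port or wireless controller and find the box.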
How do I obtain copies of the above information to determine what our gaps are?
Once you have identified who has the information, see whether you can get copies of that data. This will mostly test your political skills, because work groups tend to restrict access to their data. You will need to prepare a business case for accessing and/or copying the appropriate information.
Once you’ve finished the gap analysis for each of the 20 CSC, the next step is to prepare an operational plan to implement the controls throughout your organization. You’ll find that your organization is already further along on some controls than on others, so the plan should prioritize the largest gaps.
In this article, I’ve described the basics of the 20 Critical Security Controls, how they map to well-known Infosec standards and the basics of doing a gap analysis to determine how your security architecture follows the controls. The 20 Critical Security Controls provide you with a blueprint for creating an effective security plan for your organization.