The Critical Controls for Effective Cyber Defense (the Controls) are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today's most pervasive attacks. They were developed and are maintained by a consortium of hundreds of security experts from across the public and private sectors. An underlying theme of the Controls is support for large-scale, standards-based security automation for the management of cyber defenses.
Critical Security Controls Significance and Impact
We are at a fascinating point in the evolution of what we now call cybersecurity. More so now than at any point in the last few decades, defenders have access to an extraordinary array of security tools and technology, security standards, training and classes, certifications, vulnerability databases, configuration guidance, best practices, catalogs of security controls, and countless security checklists, benchmarks, and recommendations. In terms of our understanding of the threat, we've seen the growth of numerous threat information feeds, reports, tools, alert services, standards, and threat sharing schemes. And to tie it all together, we are surrounded by security requirements, risk management frameworks, compliance regimes, regulatory mandates, and so forth.
There is a near-infinite list of "good things" for every enterprise to do and to know to improve the security of cyberspace, but not always clarity on what to prioritize. This overload of defensive support is like a "Fog of More"- more options, more tools, more knowledge, more advice, and more requirements... but not always more security. Despite all of this well-intended information and technology and oversight, our problem seems to be getting worse faster than we are getting better. It is also clear that in our complex, interconnected world, no enterprise can think of its security as a standalone problem.
So how can we as a community - the community at large, as well as within sectors, partnerships, and coalitions - band together to establish priority of action, support each other, and keep our knowledge and technology current in the face of a rapidly evolving problem? What are the most critical problems we need to solve, what should an enterprise do first, which defensive steps have the greatest value? These are the kinds of problems that drive the Critical Security Controls.
The Critical Security Controls for cyber defense are a baseline of high-priority information security measures and controls that can be applied across an organization in order to improve its cyber defense. The 20 controls (and sub-controls) focus on various technical measures and activities, with the primary goal of helping organizations prioritize their efforts to defend against the current most common and damaging computer and network attacks. Outside of the technical realm, a comprehensive security program should also take into account many other areas of security, including overall policy, organizational structure, personnel issues and physical security. To help maintain focus, the 20 controls do not deal with these important but non-technical aspects of information security.
The 20 controls and supporting advice are dynamic in order that they recognize changing technology and methods of attack. All 20 controls, together with a brief description, are given on this site.
The 20 Critical Security Controls for Cyber Defense
1 - Inventory of Authorized and Unauthorized Devices
Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
2 - Inventory of Authorized and Unauthorized Software
Actively manage (inventory, track and correct) all software on the network so that only authorized software is installed and can execute and that unauthorized and unmanaged software is found and prevented from installation or execution.
3 - Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
Establish, implement and actively manage (track, reporting, correct) the security configuration of laptops, servers and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
4 - Continuous Vulnerability Assessment and Remediation
Continuously acquire, assess and take action on new information in order to identify vulnerabilities, remediate and minimize the window of opportunity for attackers.
5 - Malware Defenses
Control the installation, spread and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering and corrective action.
6 - Application Software Security
Manage the security lifecycle of all in house developed and acquired software in order to prevent, detect and correct security weaknesses.
7 - Wireless Access Control
The processes and tools used to track/control/prevent/correct the security use of wireless local area networks (LANS), access points and wireless client systems.
8 - Data Recovery Capability
The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.
9 - Security Skills Assessment and Appropriate Training to Fill Gaps
For all functional roles in the organization prioritizing those mission critical to the business and its security), identify the specific knowledge, skills and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps and remediate through policy, organizational planning, training and awareness programs.
10 - Secure Configurations for Network Devices such as Firewalls, Routers and Switches
Establish, implement and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
11 - Limitation and Control of Network Ports, Protocols and Services
Manage (track/control/correct) the ongoing operational use of ports, protocols and services on networked devices in order to minimize windows of vulnerability available to attackers.
12 - Controlled Use of Administrative Privileges
The processes and tools used to track/control/prevent/correct the use, assignment and configuration of administrative privileges on computers, networks and applications.
13 - Boundary Defense
Detect/prevent/correct the flow of information transferring networks of different trust levels with a focus on security damaging data.
14 - Maintenance, Monitoring and Analysis of Audit Logs
Collect, manage and analyze audit logs of events that could help detect, understand or recover from an attack.
15 - Control Access Based on the Need to Know
The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, and systems) according to the formal determination of which persons, computers and applications have a need and right to access these critical assets based on an approved classification.
16 - Account Monitoring and Control
Actively manage the lifecycle of system and application accounts, their creation, use, dormancy, deletion in order to minimize opportunities for attackers to leverage them.
17 - Data Protection
The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data and ensure the privacy and integrity of sensitive information.
18 - Incident Response and Management
Protect the organization’s information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker’s presence, and restoring the integrity of the network and systems.
19 - Secure Network Engineering
Make security an inherent attribute of the enterprise by specifying, designing, and building in features that allow high confidence systems operations while denying or minimizing opportunities for attackers.
20 - Penetration Tests and Red Team Exercises
Test the overall strength of an organization’s defenses (the technology, the processes, and the people) by simulating the objectives and actions of an attacker.
Council of Cyber Security. http://www.counciloncybersecurity.org
The actions defined by the Controls are demonstrably a subset of the comprehensive catalog defined by NIST SP 800-53. The Controls do not attempt to replace the National Institute of Standards and Technology comprehensive Risk Management Framework. The Controls instead prioritize and focus on a smaller number of actionable controls with high-payoff, aiming for a "must do first" philosophy. Since the Controls were derived from the most common attack patterns and were vetted across a very broad community of government and industry, with very strong consensus on the resulting set of controls, they serve as the basis for immediate high-value action.