New Threats Prompt Changes to Critical Security Controls
This post originally appeared on the AppSense blog prior to the rebrand in January 2017, when AppSense, LANDESK, Shavlik, Wavelink, and HEAT Software merged under the new name Ivanti.
By John Pescatore, Director of Emerging Technologies, SANS
For many years, real-world experience and studies such as the Verizon Data Breach Investigation Report have found that the majority of attacks are enabled by failures in basic security hygiene: the failure by businesses and government agencies to focus on the security basics that raise the highest barriers against real-world attacks.
Back in 2008, penetration testers at the National Security Agency responsible for assessing the security of critical infrastructure systems kept running into this issue and developed the initial version of what is now known as the Critical Security Controls.
Now maintained by the nonprofit Center for Internet Security, those controls focus on these key steps to reduce the risk of real-world security threats:
- Let offense inform defense
Continually monitor attacks, determine the root cause and focus on security controls that would eliminate attack paths, reduce time to detect, minimize attack impact and/or reduce time and cost to recover.
- Validate controls with “what works” operational data
Security controls that disrupt business operations will not succeed even if they are effective against real-world attacks. The CIS Critical Controls effort prioritizes security controls where there are proven, working implementations that have shown a measurable ability to reduce risk while minimizing business disruption.
- Integrate and automate
Simply adding more security processes and controls rarely increases security levels -- often, new “solutions” that require high levels of staffing and unavailable skills turn into shelfware. Hiring and keeping skilled security staff continues to be a problem for CISOs, according to multiple SANS Institute surveys. The controls effort prioritizes security controls where proven tools and processes are available to act as force multipliers for reasonably skilled security analysts and to support integration of security-relevant data across multiple security processes.
The Critical Controls are updated roughly every 18 months through an open, community-driven effort that revisits these factors in light of changes in threats, business technology demands and solutions maturity. The controls are then ranked in effectiveness and efficiency, and a new version of the controls (and validation guidelines) is documented and released.
The latest update cycle occurred during the third quarter of 2015, resulting in Version 6.0 of the CIS Critical Controls.
The threat data and solution effectiveness evaluation during the Version 6.0 update resulted in a number of changes. The most significant include the following:
- “Controlled Use of Administrative Privileges,” “Maintenance, Monitoring, and Analysis of Auditing Logs,” “Data Protection,” and “Controlled Access Based on the Need to Know” were significantly elevated in priority.
- “Malware Defenses,” “Wireless Access Control,” “Security Skills Assessment and Appropriate Training” and “Application Software Security” were lowered in priority.
- “Secure Network Engineering” was eliminated as a stand-alone security control, with its concepts included in other areas.
- “Email and Web Browser Protections” was added as a new control.
These changes were largely motivated by the recognition that in 2015 the vast majority of damaging, successful attacks used phishing or other email- or web-based techniques to obtain credentials and take advantage of legitimate user privileges to install targeted executables that evaded detection. Other changes in the wording and priority of sub-controls also reflect this approach.
The net result of Version 6.0 was to increase the emphasis on a few control areas that have been shown to be immediately effective against real-world attacks. Several other organizations have validated these as the highest-payback security controls. For example, SANS has listed five controls -- the SANS “First Five” -- as providing the most immediate, efficient and effective reduction in risk from advanced targeted attacks:
1. Software whitelisting
2. Secure standard configurations
3. Application security patching
4. System security patching
5. Minimization of administrative privileges