The new phonebooks are here! The new phonebooks are here!

Steve Martin in The Jerk. Image via MovieClips.com.

I admit to being a fan of Steve Martin, both his movies and more recently his music (he is a great bluegrass banjo player, check out Steep Canyon Ranger if you didn’t know this), but his line from The Jerk seems appropriate here to celebrate the updating of the Critical Security Controls. These top 20 controls, now under the management of the Center for Internet Security (CIS) after being developed with direction from the United States National Security Agency, are a manageable and measurable set of security actions focused on what best works to prevent attacks or respond to those that do happen. These are prioritized to give you an idea of where to start, and this is where the new list has a few interesting changes.

Looking at the top 5, or what the CIS refers to as those that are “foundational cyber hygiene,” there was little change from last year – number 1 through 4 were identical:

1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation

These all seem to follow a logical flow. First we need to keep devices from plugging in, or otherwise connecting to the corporate network, though given the dissolution of a defined perimeter, this can be a significant challenge. Once a device is on “my” network, as an infosec pro I want to know exactly what software that device is running to ensure that there is no malicious software, no rogue software, and the approved software is properly tracked and versioned. While license violations are not the chief concern of a CISO, being able to snuff these out can show incremental value to leadership. CSC #3 got a minor addition to now include mobile devices; this goes back to the elimination of a perimeter and the growth of BYOD. Still, mobile remains to become a significant attack vector – as per the 2015 VDBIR, “Mobile devices are not a preferred vector in data breaches.” That is not to say this won’t change, and given how the CSC is built using practical, field-based input, this may be their way of saying to watch this space.

Checking in at #4 is Continuous Vulnerability Assessment and Remediation; given the speed at which attackers are changing their tactics and the speed at which many are able to get in, point in time analysis is insufficient to provide the requisite visibility. Well before you are through your comprehensive, organization-wide vulnerability scan… the data is outdated. In a previous security life I was involved with the “continuous vs. point-in-time debate” and can see the merits of both sides, though the ideal scenario of meaningful alerts as they happens with low false positives is the ultimate goal.

CSC #5 is where the first big shakeup happens; the new #5 is Controlled Use of Administrative Privileges, jumping up from #12 in the previous CSC framework. This elevation on the list reflects the importance of protecting admin access – whether that be from malware taking hold on an admin machine, malicious activity from a disgruntled system admin, or a compromised admin password. The end result is the same; a malicious user the access and authority needed to carry out an attack. From there, traversing the network for the crown jewels, or even a series of petty thefts, can be simple. Stolen admin credentials give attackers a significant head start on any defenses given their de facto trusted status. As a result, Controlled Use of Administrative Privileges jumped to the #5 spot and Malware Defenses took a big tumble from #5 in the previous iteration down to #8, perhaps due to the ineffectiveness of many of signature-based tools.

That covers the CSC’s newest top 5 controls – in blog posts to come I will cover #6-15, which are aimed primarily at optimizing security measures for data protection, and #16-20, which include areas like appsec, security training, and incident response.