Extending the 20 critical security controls to gap assessments and security maturity modeling-john willis-pinfosec
Download as PPTX, PDF1 like2,442 views
The document proposes extending the 20 critical security controls to facilitate gap assessments and maturity modeling within cybersecurity practices. It outlines a model framework that aims to enhance remediation planning and invites collaboration for its development. Key components include creating base practice statements, defining robustness levels, and establishing assessment guidelines.
Extending the 20 critical security controls to gap assessments and security maturity modeling-john willis-pinfosec
- 1. Extending the 20 Critical Security Controls to Gap Assessments & Security Maturity Modeling ShmooCon Fire Talks Hyatt Regency Washington 400 New Jersey Avenue, NW Washington, DC 20001 February 16, 2013 John M. Willis, pINFOSEC 2020 Pennsylvania Ave NW #400 Washington DC 20006 John.Willis@pINFOSEC.com LinkedIn.com/in/johnmwillis (202) 670-7179
- 2. Extending the 20 Critical Security Controls to Gap Assessment & Security Maturity Modeling Purpose: Using the 20 Critical Security Controls, create Base Practice Statements against which security engineering and operations processes may be assessed for capability and maturity. Provide model framework to base Gap Assessments upon. Facilitate focus of Remediation Planning. Poll for interest in creating the model. Call for volunteers to create the model. 2
- 3. 20 Critical Security Controls Attack-focused controls created by a consortium of government agencies, major corporations, and many others. Formerly known as the Consensus Audit Guidelines, a complete copy of the controls may be found on SANS Institute web site. Currently, the Consortium for Cybersecurity Action is the organization engaged in various projects pertaining to the controls. 1. Inventory of Authorized and Unauthorized Devices 2. Inventory of Authorized and Unauthorized Software 3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers 4. Continuous Vulnerability Assessment and Remediation 5. Malware Defenses 6. Application Software Security 7. Wireless Device Control 8. Data Recovery Capability 3
- 4. 20 Critical Controls (cont'd) 9. Security Skills Assessment and Appropriate Training to Fill Gaps 10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches 11. Limitation and Control of Network Ports, Protocols, and Services 12. Controlled Use of Administrative Privileges 13. Boundary Defense 14. Maintenance, Monitoring, and Analysis of Audit Logs 15. Controlled Access Based on the Need to Know 16. Account Monitoring and Control 17. Data Loss Prevention 18. Incident Response and Management 19. Secure Network Engineering 20. Penetration Tests and Red Team Exercises 4
- 5. Each control has a short title, and a sentence describing the control For example: http://www.sans.org/critical-security-controls/control.php?id=1 “Critical Control 1: Inventory of Authorized and Unauthorized Devices “The processes and tools used to track/control/prevent/correct network access by devices (computers, network components, printers, anything with an IP address) based on an asset inventory of which devices are allowed to connect to the network.” Implementation information follows… 5
- 6. Proposed Decomposed Base Practice Version of Critical Control 1 BP.01.01 – Manage inventory of authorized devices (computers, network components, printers, anything with IP addresses) BP.01.02 – Limit network access to authorized devices All text under the Critical Control section, including details from the referenced NIST SP 800-53 sections, should be taken into consideration when crafting the Base Practice language. 6
- 7. Process Capability Maturity Levels 0 – No – No Process Exists 1 – Exists – Process Exists 2 – Defined – Defined Process of some sort Exists 3 – Practiced – Vetted Process is now a routine Practice 4 – Reviewed – The Process is formally Reviewed on a Specified Periodic Basis 5 – Continuous – The Process is reviewed periodically and is subjected to Continuous Improvement 7
- 8. Example of Tailoring Assessment Category Description Maturity Level Asset Management List servers by type/function and 2 location. Device How to know device is authorized Authentication before admitting to network? Validate device certificate? 1 Otherwise, scan for unauthorized devices every 12 hours? Network Admission Control every switch port via NAC (user ports controlled, audited. 0 Non-user ports verified and audited). Utilize network scanning tools to identify unauthorized wireless 1 devices. 8
- 9. Another Approach One approach is to assign maturity levels to the categories (Implementation Levels) listed under "How to Implement, Automate, and Measure the Effectiveness of this Control”: • Quick Wins • Visibility/Attribution • Configuration/Hygiene • Advanced The information in these categories is informative & through-provoking, but does not define an assessment framework. 9
- 10. Proposed Model The proposed model focuses on process capability maturity using Base Practices restated from the Critical Controls. Based on all such Base Practices, a formal or informal Gap Assessment can be created and saved as a baseline. For example: • BP.01.01 – Manage Device Inventory, Maturity Level 2 • BP.01.02 – Limit Network Access, Maturity Level 1 Remediation planning is then focused on getting the organization to the point where the Base Practices are least Practiced, etc. 10
- 11. Extension of Proposed Model In addition to process capability, consider including measures for Robustness Levels. Focus on security architecture and engineering rigor, to include the following (for example): • Visibility/Attribution • Configuration/Hygiene • Automation • Breadth & Depth of coverage • Integrity • Resilience • Ability to provide/consume situational awareness data • Common Criteria Evaluation Assurance Level-like criteria • and/or whatever makes sense 11
- 12. Poll for Interest / Call for Action Does this approach make sense? Would anyone use it? Who wants to help create such a Model, in conjunction with the Consortium for Cybersecurity Action? Three key components: 1. Create the Base Practice Statements for each Critical Control 2. Define Robustness Levels, and assessment method 3. Create Tailoring Guidelines 12
- 13. Credits & Legal • Thanks to Tony Sager, Consortium for Cybersecurity Action for his input and encouragement to promote this Proposed Model • Copyrights, Registration and Service Marks, etc., if any, are property of their respective owners • The current version of the 20 Critical Controls may be found at http://www.sans.org/critical-security- controls/, and is licensed under the Creative Commons License (http://creativecommons.org/licenses/by-nd/3.0/) 13
- 14. Contact Information John M. Willis pINFOSEC.com 2020 Pennsylvania Ave NW #400 Washington DC 20006 John.Willis@pINFOSEC.com LinkedIn.com/in/johnmwillis (202) 670-7179 14