A couple of days ago, the SANS Institute announced the release of a major update (Version 3.0) to the 20 Critical Controls, a prioritized baseline of information security measures designed to provide continuous monitoring to.... The information security threat landscape is always changing, especially this year with the well-publicized breaches. These particular controls have been tested in practice and provide an effective approach to defending against cyber-attacks. The focus is on critical technical areas that can help an organization prioritize its efforts against the most common and most damaging attacks. Automating security controls is another key theme, so that an organization can continuously measure and improve its security posture rather than rely on periodic manual assessments.
The update takes into account information gleaned from law enforcement agencies, forensics experts and penetration testers who have analyzed the methods real attackers use. From that analysis, SANS outlines the controls that would have prevented those attacks from succeeding. Version 3.0 was developed to take the control framework further. The 20 controls and their associated sub-controls have been realigned to the current technology and threat environment, including new threat vectors. Sub-controls have been added to support rapid detection and prevention of attacks. The 20 Controls have been aligned to the milestones of the NSA’s Manageable Network Plan, Revision 2.0. Definitions, guidelines and proposed scoring criteria have been added for evaluating tools on their ability to satisfy the requirements of each of the 20 Controls. Lastly, the Top 35 Key Mitigation Strategies published by the Australian Government Department of Defence have been mapped to the 20 Controls, providing further measures to help reduce the impact of attacks.
The 20 Critical Security Controls, in their prioritized order, are:
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
5. Boundary Defense
6. Maintenance, Monitoring, and Analysis of Security Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based on the Need to Know
10. Continuous Vulnerability Assessment and Remediation
11. Account Monitoring and Control
12. Malware Defenses
13. Limitation and Control of Network Ports, Protocols, and Services
14. Wireless Device Control
15. Data Loss Prevention
16. Secure Network Engineering
17. Penetration Tests and Red Team Exercises
18. Incident Response Capability
19. Data Recovery Capability
20. Security Skills Assessment and Appropriate Training to Fill Gaps
And of course, F5 has solutions that can help with most, if not all, of the 20 Critical Controls.