20 Critical Security Controls: Version 6 Discussion
Brian Russell, Leidos
Member, 20 Critical Controls Editorial Panel, and Chair, Cloud Security Alliance (CSA) IoT WG

Summary of Changes for Version 6 of the 20 CSC

1. New control: Email and Web Browser Protection
2. Deleted control: Secure Network Engineering
3. Re-ordered control: Controlled Use of Administrative Privileges
4. Spreadsheet version of the Controls
5. New Companion Guides
   - Metrics and Measures Companion Guide
   - IoT Companion Guide
   - Mobile Security Companion Guide
   - Privacy Companion Guide

CSC 7: Email and Web Browser Protections

Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.

Control: Control Description
7.1: Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers provided by the vendor in order to take advantage of the latest security functions and fixes.
7.2: Uninstall or disable any unnecessary or unauthorized browser or email client plugins or add-on applications. Each plugin shall utilize application/URL whitelisting and only allow the use of the application for pre-approved domains.
7.3: Limit the use of unnecessary scripting languages in all web browsers and email clients. This includes the use of languages such as ActiveX and JavaScript on systems where it is unnecessary to support such capabilities.
7.4: Log all URL requests from each of the organization's systems, whether onsite or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.

CSC 7: Email and Web Browser Protections (continued)

Control: Control Description
7.5: Deploy two separate browser configurations to each system. One configuration should disable the use of all plugins and unnecessary scripting languages, and generally be configured with limited functionality, and be used for general web browsing. The other configuration should allow for more browser functionality but should only be used to access specific websites that require the use of such functionality.
7.6: The organization shall maintain and enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. The organization shall subscribe to URL categorization services to ensure that they are up to date with the most recent website category definitions available.
7.7: To lower the chance of spoofed email messages, implement the Sender Policy Framework (SPF) by deploying SPF records in DNS and enabling receiver-side verification in mail servers.
7.8: Scan and block all email attachments entering the organization's email gateway if they contain malicious code or file types that are unnecessary for the organization's business. This scanning should be done before the email is placed in the user's inbox. This includes email content filtering and web content filtering.
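Sub-control 7.7 has two halves: the sending domain publishes a `v=spf1` TXT record in DNS, and the receiving mail server evaluates that record against the IP address the SMTP connection actually came from. The following is an added example (not from the presentation or from the CIS Controls) of the receiver-side half: a small SPF evaluator covering the ip4, ip6, a, mx, include and all mechanisms with the +/-/~/? qualifiers and the RFC 7208 limit of 10 DNS-querying mechanisms. The DNS data is a constructed in-memory zone (`ZONE`) with made-up domains so that it runs offline; a real receiver would resolve these with live DNS lookups.

```python
"""Minimal receiver-side SPF check (added example, not the CIS Controls' own tooling).

A domain publishes something like:
    example.com.  IN TXT  "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all"
and the receiving MTA asks: is the connecting IP allowed to send for the MAIL FROM domain?
"""
import ipaddress

# Constructed zone data standing in for live DNS (assumption: made-up names and addresses).
ZONE = {
    "example.com": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all"],
        "A": ["192.0.2.10"],
        "MX": ["mail.example.com"],
    },
    "_spf.mailer.example": {"TXT": ["v=spf1 ip4:198.51.100.5 ip6:2001:db8::/32 ~all"]},
    "mail.example.com": {"A": ["192.0.2.25"]},
    "softfail.example": {"TXT": ["v=spf1 a ~all"], "A": ["203.0.113.7"]},
    "nospf.example": {"TXT": ["some unrelated txt record"]},
    # Including a domain with no SPF record is a permanent error per RFC 7208.
    "broken.example": {"TXT": ["v=spf1 include:nospf.example -all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying mechanisms per check


def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed zone."""
    return ZONE.get(name.lower(), {}).get(rtype, [])


def get_spf_record(domain):
    """Return the single v=spf1 TXT record for a domain, or None if absent or ambiguous."""
    records = [t for t in lookup(domain, "TXT") if t.lower().split(" ")[0] == "v=spf1"]
    return records[0] if len(records) == 1 else None


def check_spf(ip_str, domain, _state=None):
    """Evaluate SPF for (connecting IP, MAIL FROM domain).

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    state = _state if _state is not None else {"lookups": 0}
    ip = ipaddress.ip_address(ip_str)
    record = get_spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == net.version and ip in net
        elif name in ("a", "mx", "include"):
            state["lookups"] += 1
            if state["lookups"] > MAX_LOOKUPS:
                return "permerror"
            target = arg or domain
            if name == "a":  # prefix-length form (a:host/24) is not handled in this example
                matched = any(ip == ipaddress.ip_address(a) for a in lookup(target, "A"))
            elif name == "mx":
                matched = any(ip == ipaddress.ip_address(a)
                              for host in lookup(target, "MX") for a in lookup(host, "A"))
            else:
                sub = check_spf(ip_str, target, state)
                if sub == "pass":
                    matched = True
                elif sub in ("none", "permerror"):
                    return "permerror"
                # fail/softfail/neutral inside an include simply does not match
        else:
            return "permerror"  # exists/ptr/redirect/exp not supported in this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" present
```

The result is what a receiving MTA feeds into its policy: "fail" from a "-all" record is grounds to reject or quarantine, "softfail" is usually only scored, and "none" or "permerror" should be treated as "no verdict" rather than as a pass.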

Deleted Control: Secure Network Engineering

- In my opinion, the weakest control in Version 5
- Outputs of its control actions should be covered in other controls

Promoted Controlled Use of Administrative Privileges from CSC 12 to CSC 5

- Reflects the need to focus on securing high-value administrative credentials
- Streamlined sub-controls within CSC 5:
  - Minimizing administrative privileges
  - Using automated tools to inventory administrative accounts
  - Changing default passwords
  - Logging/alerting on the addition/removal of admin accounts
  - Logging/alerting on unsuccessful logins to admin accounts
  - Use MFA for admin access, or long (14+ character) passwords if MFA is not supported
  - Use sudo/RunAs, etc. to elevate to admin privileges
  - Use a dedicated machine for admin tasks
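Two of the CSC 5 sub-controls above are detection rules rather than configuration: alert when an account is added to or removed from an administrative group, and alert on unsuccessful logons to admin accounts. The following is an added example (not from the presentation or from CIS) of those two rules run over a handful of constructed Windows Security log lines. The event IDs are the real Windows ones (4728/4732/4756 member added to a security-enabled group, 4729/4733/4757 member removed, 4625 failed logon); the key=value line format, the group and account names, the threshold of three failures in five minutes, and the sample lines themselves are assumptions made for the example.

```python
"""Added example: alerting on admin-group changes and failed admin logons (CSC 5)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs (real IDs).
GROUP_ADD = {4728, 4732, 4756}      # member added to global / local / universal security group
GROUP_REMOVE = {4729, 4733, 4757}   # member removed from the same group types
FAILED_LOGON = 4625                 # an account failed to log on

# Assumed for this example: which groups and accounts count as administrative.
ADMIN_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}
ADMIN_ACCOUNTS = {"da-backup", "Administrator"}
FAILED_LOGON_THRESHOLD = 3
WINDOW = timedelta(minutes=5)

# Constructed log lines (not from a real system), as "<timestamp> key=value ..." records.
SAMPLE_LOG = r"""
2016-01-22T09:01:10 EventID=4732 Subject=CORP\helpdesk1 Group="Remote Desktop Users" Member=CORP\jdoe
2016-01-22T09:05:44 EventID=4728 Subject=CORP\svc-deploy Group="Domain Admins" Member=CORP\tmp-admin
2016-01-22T09:06:02 EventID=4625 Target=CORP\da-backup SourceIP=10.0.0.5
2016-01-22T09:06:05 EventID=4625 Target=CORP\da-backup SourceIP=10.0.0.5
2016-01-22T09:06:09 EventID=4625 Target=CORP\da-backup SourceIP=10.0.0.5
2016-01-22T09:07:30 EventID=4729 Subject=CORP\svc-deploy Group="Domain Admins" Member=CORP\tmp-admin
2016-01-22T09:08:00 EventID=4625 Target=CORP\jdoe SourceIP=10.0.0.9
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one '<ISO timestamp> key=value ...' record into a dict."""
    ts, _, rest = line.partition(" ")
    fields = {k: (quoted if quoted else bare) for k, quoted, bare in KV_RE.findall(rest)}
    fields["ts"] = datetime.fromisoformat(ts)
    fields["EventID"] = int(fields["EventID"])
    return fields


def short(account):
    """Strip the DOMAIN\\ prefix from an account name."""
    return account.split("\\")[-1]


def detect(log_text):
    """Return a list of alerts for admin-group changes and repeated admin logon failures."""
    alerts = []
    failures = defaultdict(list)  # admin account -> timestamps of recent 4625 events
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        eid = e["EventID"]
        if eid in GROUP_ADD or eid in GROUP_REMOVE:
            # Rule 1: any membership change on a privileged group is alert-worthy,
            # regardless of who made it; legitimate changes should be rare and ticketed.
            if e.get("Group") in ADMIN_GROUPS:
                action = "added to" if eid in GROUP_ADD else "removed from"
                alerts.append({
                    "rule": "admin-group-change",
                    "ts": e["ts"],
                    "account": short(e["Member"]),
                    "detail": f"{short(e['Member'])} {action} '{e['Group']}' by {short(e['Subject'])}",
                })
        elif eid == FAILED_LOGON:
            # Rule 2: N failed logons against an admin account inside a sliding window.
            acct = short(e.get("Target", ""))
            if acct in ADMIN_ACCOUNTS:
                recent = failures[acct]
                recent.append(e["ts"])
                while recent and e["ts"] - recent[0] > WINDOW:
                    recent.pop(0)
                if len(recent) == FAILED_LOGON_THRESHOLD:  # fire once when the threshold is hit
                    alerts.append({
                        "rule": "admin-failed-logons",
                        "ts": e["ts"],
                        "account": acct,
                        "detail": f"{len(recent)} failed logons for {acct} within {WINDOW} from {e.get('SourceIP')}",
                    })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["ts"].isoformat(), alert["rule"], alert["detail"])
```

On the sample data this produces three alerts: tmp-admin added to Domain Admins, three failed logons for da-backup, and tmp-admin removed again two minutes later. The helpdesk change to "Remote Desktop Users" and the single failure for jdoe are ignored, which is the point of keeping the admin group and account lists explicit: the inventory from the "automated tools to inventory administrative accounts" sub-control is what should feed `ADMIN_GROUPS` and `ADMIN_ACCOUNTS`.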

Metrics & Measurements Companion Guide

- Needed a clear and concise recommendation for assessing and reporting on the current state of implementation
- Adopted terminology from NIST (Cyber Security Metrics and Measures):
  - "A measure is a concrete, objective attribute, such as the percentage of systems within an organization that are fully patched, the length of time between the release of a patch and its installation on a system, or the level of access to a system that a vulnerability in the system could provide."
  - "A metric is an abstract, somewhat subjective attribute, such as how well an organization's systems are secured against external threats or how effective the organization's incident response team is. An analyst can approximate the value of a metric by collecting and analyzing groups of measures."

Using the Metrics & Measurements Companion Guide

- Each control includes a list of Measures, each with a unique ID for tracking
- For each Measure, we present Metrics consisting of three "Risk Threshold" values
  - Enterprise adopters of the 20 Controls can choose a specific threshold that becomes a benchmark against which progress can be measured
- Each control also includes Effectiveness Tests: suggested ways to independently verify the effectiveness of the control implementation

Privacy Companion Guide

Focused on supporting a privacy impact assessment of the implementation of the 20 Controls.

1. Overview: Outline the purpose of each Control and provide justification for any actual or potential intersection with privacy-sensitive information.
2. Authorities: Identify the legal authorities or enterprise policies that would permit or, conversely, limit or prohibit the collection or use of information by the Control.
3. Characterizing Control-related Information: Identify the type of data the Control collects, uses, disseminates, or maintains.
4. Uses of Control-related Information: Describe the Control's use of PII or privacy-protected data. Describe how and why the Control uses this data.
5. Security: Complete a security plan for the information system(s) supporting the Control.

Privacy Companion Guide (continued)

6. Notice: Identify whether any notice to individuals must be put in place regarding the implementation of the Control, the PII collected, the right to consent to uses of information, and the right to decline to provide information (if practical).
7. Data Retention: Will there be a requirement to develop a records retention policy, subject to approval by the appropriate enterprise authorities, to govern information gathered and generated by the Control?
8. Information Sharing: Describe the scope of the information sharing within and external to the enterprise that could be required to support the Control.
9. Redress: Enterprises should have in place procedures for individuals to seek redress if they believe their PII may have been improperly or inadvertently disclosed or misused through implementation of the Controls.
10. Auditing and Accountability: Describe what technical and policy safeguards and security measures might be needed to support the Control. Include an examination of technical and policy safeguards, such as information sharing protocols, special access restrictions, and other controls.

Other Companion Guides

- IoT Companion Guide
  - A first effort to map IoT applicability to the 20 Controls
- Mobile Security Companion Guide
  - A mapping of mobile security topics to the IoT

We expect that these companion guides will feed into future updates to the 20 Controls.