Implementing and Auditing the Critical Controls February 13, 2018 ISACA NTX / Fort Worth IIA Clay Risenhoover, CPA.CITP, CISA, CISM, CISSP
Copyright © 2018 Risenhoover Consulting, Inc.

Agenda
- History of the Controls
- Philosophy
- Overview
- Grouping / Implementation Order
- Audit Techniques
- Additional Resources
History of the Critical Security Controls
- 2008/9 – NSA / SANS Institute (SANS Top 20 / Consensus Audit Guidelines)
- 2013 – Transferred to the Council on CyberSecurity
- 2014 – Version 5
- 2015 – Permanent (?) home at the Center for Internet Security
- 2015 (Oct) – Version 6.0
- 2016 (Aug) – Version 6.1 – refinement of 6.0, same ordering
- 2018 – Version 7 – in draft, for release soon (more later)
Philosophy Behind the Controls
- "Offense informs defense" – based on analysis of real-world attacks
- "Prioritization" – best bang for the buck
- "Metrics" – common metrics for the controls
- "Continuous diagnostics and mitigation" – designed with continuous measurement in mind
- "Automation" – to enhance scalability
Overview of the Critical Security Controls
- Really a set of 20 control groups
- Listed in recommended implementation order
- May not always be 20
- Three distinct groups, which may allow for parallel implementation
Controls 1-10: Cyber Hygiene
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Controlled Use of Administrative Privileges

Controls 1-10: Cyber Hygiene (2)
6. Maintenance, Monitoring, and Analysis of Audit Logs
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols, and Services
10. Data Recovery Capability
Controls 11-16: Networking / Infrastructure
11. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
Observations
- Note the lack of verbs: "Inventory of Authorized and Unauthorized Devices"
- Sub-controls contain the finer details – and the verbs
- Each sub-control is marked as Foundational or Advanced
  - Foundational: essential; less expensive; easier to implement
  - Advanced: newer technology; more difficult; more expensive
Why Foundational and Advanced?
Example – Control 1
Example – Control 1 (2)
Example – Control 1 (3)
Entity Relationship Diagrams
Controls 17-20: Application (Program / Governance)
17. Security Skills Assessment and Appropriate Training to Fill Gaps
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises
Example – Control 19
Auditing the Controls
- The sub-controls make a basic work program by themselves
- The structure lends itself to time- and percentage-based measurements
- The Measurement Companion gives target metrics
- Maturity progression: Approved Policy -> Implementation -> Automation -> Reporting
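The slide above says the sub-control structure lends itself to time- and percentage-based measurements. As an added example (my own illustration, not code from this deck, from CIS, or from AuditScripts), the Python below reconciles a constructed authorized-device inventory against a constructed discovery-scan result for Control 1 and turns the outcome into the percentage and elapsed-time figures an auditor would test against a target. The field names, the sample records and the threshold values are assumptions; real targets come from the organization's policy or the Measurement Companion.

```python
"""Control 1 audit check: reconcile discovered devices against the authorized
inventory and derive percentage- and time-based measurements.

Added illustration only; the data below is constructed, not taken from any
real environment, and the field names are assumptions."""
from datetime import datetime, timedelta

# Constructed sample: the authorized device inventory an auditor would pull
# from the CMDB / asset register. "added" is when the record was created.
AUTHORIZED_INVENTORY = [
    {"mac": "00:11:22:33:44:01", "hostname": "fs01",   "owner": "IT",      "added": "2018-01-02T09:00:00"},
    {"mac": "00:11:22:33:44:02", "hostname": "ws-101", "owner": "Finance", "added": "2018-01-05T11:00:00"},
    {"mac": "00:11:22:33:44:03", "hostname": "ws-102", "owner": "Finance", "added": "2018-01-20T16:45:00"},
    {"mac": "00:11:22:33:44:04", "hostname": "ret01",  "owner": "IT",      "added": "2017-06-01T08:00:00"},
]

# Constructed sample: what an active discovery scan (an nmap sweep, a DHCP
# log export, etc.) actually observed. "first_seen" is the first time the
# discovery tool logged the address.
DISCOVERED = [
    {"mac": "00:11:22:33:44:01", "ip": "10.0.1.10", "first_seen": "2018-01-02T09:05:00"},
    {"mac": "00:11:22:33:44:02", "ip": "10.0.1.11", "first_seen": "2018-01-03T11:00:00"},
    {"mac": "00:11:22:33:44:03", "ip": "10.0.1.12", "first_seen": "2018-01-15T16:45:00"},
    {"mac": "AA:BB:CC:DD:EE:01", "ip": "10.0.1.50", "first_seen": "2018-02-01T07:20:00"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def reconcile(inventory, discovered):
    """Match discovered devices to the inventory by (normalized) MAC address.

    Returns unauthorized MACs (on the network, not in inventory), stale MACs
    (in inventory, never seen by discovery) and, for matched devices, how many
    hours each one was visible on the network before its inventory record existed.
    """
    inv = {d["mac"].lower(): d for d in inventory}
    seen = {d["mac"].lower(): d for d in discovered}
    lag_hours = {}
    for mac in inv.keys() & seen.keys():
        lag = _ts(inv[mac]["added"]) - _ts(seen[mac]["first_seen"])
        # A record created before the device appeared is the desired state;
        # only count the time the device spent on the network unrecorded.
        lag_hours[mac] = max(lag, timedelta(0)).total_seconds() / 3600
    return {
        "unauthorized": sorted(seen.keys() - inv.keys()),
        "stale": sorted(inv.keys() - seen.keys()),
        "lag_hours": lag_hours,
    }


def metrics(result, inventory, discovered):
    """Percentage- and time-based figures an audit work program can report."""
    lags = list(result["lag_hours"].values())
    n_seen, n_inv = len(discovered), len(inventory)
    return {
        "pct_unauthorized": round(100.0 * len(result["unauthorized"]) / n_seen, 1) if n_seen else 0.0,
        "pct_stale": round(100.0 * len(result["stale"]) / n_inv, 1) if n_inv else 0.0,
        "max_hours_to_inventory": max(lags) if lags else 0.0,
        "mean_hours_to_inventory": round(sum(lags) / len(lags), 1) if lags else 0.0,
    }


def findings(m, max_unauthorized_pct, max_hours_to_inventory):
    """Compare measured figures with (hypothetical) target thresholds and
    return the audit exceptions as human-readable strings."""
    out = []
    if m["pct_unauthorized"] > max_unauthorized_pct:
        out.append("%.1f%% of discovered devices are not in the authorized inventory (target <= %.1f%%)"
                   % (m["pct_unauthorized"], max_unauthorized_pct))
    if m["max_hours_to_inventory"] > max_hours_to_inventory:
        out.append("a device was on the network %.1f h before being inventoried (target <= %.1f h)"
                   % (m["max_hours_to_inventory"], max_hours_to_inventory))
    return out


if __name__ == "__main__":
    r = reconcile(AUTHORIZED_INVENTORY, DISCOVERED)
    m = metrics(r, AUTHORIZED_INVENTORY, DISCOVERED)
    print("unauthorized:", r["unauthorized"])
    print("stale inventory records:", r["stale"])
    print("metrics:", m)
    for f in findings(m, max_unauthorized_pct=5.0, max_hours_to_inventory=24.0):
        print("FINDING:", f)
```

Matching on MAC address is what most discovery tools give you, but a MAC is trivially spoofed, so treat this as a coverage and hygiene measurement (are we seeing everything, and how fast do we record it), not as proof that a given device is legitimate. Stale inventory records are worth reporting separately: they inflate the apparent size of the estate and hide retired assets whose credentials or DNS entries may still be live.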
Extra Resource: Measurement Companion
Extra Resource: AuditScripts Initial Assessment
Extra Resource: AuditScripts Master Mapping
CSC Version 7 – In Draft Now
- A couple of controls renamed
- Some reordering compared to version 6

| Version 6 | Version 7 Draft |
|---|---|
| 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers | 3: Continuous Vulnerability Assessment and Remediation |
| 4: Continuous Vulnerability Assessment and Remediation | 4: Controlled Use of Administrative Privileges |
| 5: Controlled Use of Administrative Privileges | 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers |
CSC Version 7 – Controls 17-20
- May be handled differently
- Remove the sub-controls and replace them with principles of an effective program
- Link to other organizations / standards (e.g. OWASP for 18: Application Software Security)
Useful Resources
- Center for Internet Security
  https://www.cisecurity.org/
  https://www.cisecurity.org/white-papers/a-measurement-companion-to-the-cis-critical-controls/
- AuditScripts free resources
  https://www.auditscripts.com/
  https://www.auditscripts.com/free-resources/critical-security-controls/
- SANS poster
  https://www.sans.org/security-resources/posters/leadership/20-critical-security-controls-55
- California Attorney General 2016 data breach report
  https://oag.ca.gov/sites/all/files/agweb/pdfs/dbr/2016-data-breach-report.pdf