Version 6 Discussion: 20 Critical Security Controls
Brian Russell, Leidos
Member, 20 Critical Controls Editorial Panel & Chair, Cloud Security Alliance (CSA) IoT WG



3 Summary Changes for Version 6 of the 20 CSC
1. New Control: Email and Web Browser Protection
2. Deleted Control: Secure Network Engineering
3. Re-ordered control: Controlled Use of Administrative Privileges
4. Spreadsheet version of Controls
5. New Companion Guides
   - Metrics and Measures Companion Guide
   - IoT Companion Guide
   - Mobile Security Companion Guide
   - Privacy Companion Guide

4 CSC 7 Email and Web Browser Protections
Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.
Control – Control Description
7.1 – Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers provided by the vendor in order to take advantage of the latest security functions and fixes.
7.2 – Uninstall or disable any unnecessary or unauthorized browser or email client plugins or add-on applications. Each plugin shall utilize application/URL whitelisting and only allow the use of the application for pre-approved domains.
7.3 – Limit the use of unnecessary scripting languages in all web browsers and email clients. This includes the use of languages such as ActiveX and JavaScript on systems where it is unnecessary to support such capabilities.
7.4 – Log all URL requests from each of the organization’s systems, whether onsite or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.

5 CSC 7 Email and Web Browser Protections (continued)
Control – Control Description
7.5 – Deploy two separate browser configurations to each system. One configuration should disable the use of all plugins, unnecessary scripting languages, and generally be configured with limited functionality and be used for general web browsing. The other configuration should allow for more browser functionality but should only be used to access specific websites that require the use of such functionality.
7.6 – The organization shall maintain and enforce network based URL filters that limit a system’s ability to connect to websites not approved by the organization. The organization shall subscribe to URL categorization services to ensure that they are up-to-date with the most recent website category definitions available.
7.7 – To lower the chance of spoofed email messages, implement the Sender Policy Framework (SPF) by deploying SPF records in DNS and enabling receiver-side verification in mail servers.
7.8 – Scan and block all email attachments entering the organization’s email gateway if they contain malicious code or file types that are unnecessary for the organization’s business. This scanning should be done before the email is placed in the user’s inbox. This includes email content filtering and web content filtering.
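Receiver-side verification for 7.7, as an added example that is not part of the presentation: the mail server looks up the sending domain's SPF record and decides whether the connecting IP is authorized. The domain, record and addresses are constructed placeholders, and only the ip4/ip6 mechanisms and the "all" terminator are evaluated so the check runs offline.

```python
"""Receiver-side SPF check (CSC 7.7) against a constructed DNS TXT record."""
import ipaddress

# Constructed SPF policy for a placeholder domain; a real receiver fetches
# this from DNS. Only ip4/ip6 mechanisms and the "all" terminator are
# evaluated here so the example runs offline; a/mx/include/exists need
# DNS lookups and are reported as temperror.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, records=SPF_RECORDS):
    """Return the SPF result (pass/fail/softfail/neutral/none/permerror/
    temperror) for a connection from sender_ip claiming to send for domain."""
    record = records.get(domain)
    if record is None:
        return "none"  # no policy published, so the claim cannot be verified
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        if "=" in term:
            continue  # modifiers such as exp=/redirect= are ignored here
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix length
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "temperror"  # DNS-dependent mechanism not resolved offline
    return "neutral"  # record exhausted without a match (RFC 7208 default)
```

A "fail" result is what the receiving server acts on (reject or quarantine); "none" means the sending domain publishes no policy, which is why deploying the record in DNS is the other half of 7.7.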

6 Deleted Control – Secure Network Engineering
- IMO weakest control from Version 5
- Outputs of control actions should be covered in other controls

7 Promoted Controlled Use of Administrative Privileges from CSC 12 to CSC 5
- Reflects the need to focus on securing high value administrative credentials
- Streamlined sub-controls within CSC 5:
  - Minimizing administrative privileges
  - Using automated tools to inventory administrative accounts
  - Changing default passwords
  - Logging/alerting on the addition/removal of admin accounts
  - Logging/alerting on unsuccessful logins to admin accounts
  - Use MFA for admin access, or long (14+ character) passwords if MFA is not supported
  - Use sudo/RunAs, etc. to elevate to admin privileges
  - Use a dedicated machine for admin tasks
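The logging/alerting sub-controls above, as an added example that is not part of the presentation: a small detector that raises an alert when an account is added to or removed from a privileged group and when logon failures against an admin account repeat, plus the MFA-or-14-characters rule. The log format, group names, account names and threshold are all constructed assumptions, not any product's real format.

```python
"""Alerting on admin group changes and failed admin logons (CSC 5 sub-controls
above). Added example; the 'timestamp key=value ...' log format is constructed."""
import re

ADMIN_GROUPS = {"Administrators", "DomainAdmins"}  # assumed privileged groups
ADMIN_ACCOUNTS = {"admin", "root"}                  # assumed admin account names
FAILED_LOGON_THRESHOLD = 3                          # assumed alerting threshold

# Constructed sample log lines with placeholder hosts, users and addresses.
SAMPLE_LOG = """\
2016-03-01T08:00:01Z host=ws01 event=group_member_added group=Administrators user=jdoe actor=svc-deploy
2016-03-01T08:00:05Z host=ws01 event=logon_failed user=admin src=203.0.113.5
2016-03-01T08:00:06Z host=ws01 event=logon_failed user=admin src=203.0.113.5
2016-03-01T08:00:07Z host=ws01 event=logon_failed user=admin src=203.0.113.5
2016-03-01T08:01:00Z host=ws02 event=group_member_removed group=DomainAdmins user=old-admin actor=jsmith
2016-03-01T08:02:00Z host=ws02 event=logon_failed user=bob src=198.51.100.9
"""
KV = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Split one constructed log line into a dict of its fields."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields

def admin_alerts(log_text):
    """Return alert strings for privileged group changes and repeated admin logon failures."""
    alerts, failures = [], {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        kind = ev.get("event")
        if kind in ("group_member_added", "group_member_removed"):
            if ev.get("group") in ADMIN_GROUPS:
                alerts.append(f"{ev['ts']} {kind}: {ev['user']} in {ev['group']} "
                              f"by {ev.get('actor')} on {ev['host']}")
        elif kind == "logon_failed" and ev.get("user") in ADMIN_ACCOUNTS:
            key = (ev["user"], ev.get("src"), ev["host"])
            failures[key] = failures.get(key, 0) + 1
            if failures[key] == FAILED_LOGON_THRESHOLD:  # alert once per source
                alerts.append(f"{ev['ts']} repeated admin logon failures: "
                              f"{key[0]} from {key[1]} on {key[2]}")
    return alerts

def password_acceptable(password, mfa_enabled):
    """MFA for admin access, or a 14+ character password where MFA is unsupported."""
    return bool(mfa_enabled) or len(password) >= 14
```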

8 Metrics & Measurements Companion Guide
- Needed a clear and concise recommendation for assessing and reporting on current state of implementation
- Adopted terminology from NIST (Cyber Security Metrics and Measures):
  - “A measure is a concrete, objective attribute, such as the percentage of systems within an organization that are fully patched, the length of time between the release of a patch and its installation on a system, or the level of access to a system that a vulnerability in the system could provide.”
  - “A metric is an abstract, somewhat subjective attribute, such as how well an organization’s systems are secured against external threats or how effective the organization’s incident response team is. An analyst can approximate the value of a metric by collecting and analyzing groups of measures.”

9 Using the Metrics & Measurements Companion Guide
- Each control includes a list of Measures with a unique ID for tracking
- For each Measure, we present Metrics consisting of three “Risk Threshold” values
  - Enterprise adopters of the 20 Controls can choose a specific threshold that becomes a benchmark against which progress can be measured
- Each control also includes Effectiveness Tests, which are suggested ways to independently verify the effectiveness of the control implementations


11 Privacy Companion Guide
Focused on supporting a privacy impact assessment of the implementation of the 20 Controls
1. Overview: Outline the purpose of each Control and provide justification for any actual or potential intersection with privacy-sensitive information.
2. Authorities: Identify the legal authorities or enterprise policies that would permit or, conversely, limit or prohibit the collection or use of information by the Control.
3. Characterizing Control-related Information: Identify the type of data the Control collects, uses, disseminates, or maintains.
4. Uses of Control-related Information: Describe the Control’s use of PII or privacy protected data. Describe how and why the Control uses this data.
5. Security: Complete a security plan for the information system(s) supporting the Control.

12 Privacy Companion Guide (continued)
6. Notice: Identify if any notice to individuals must be put in place regarding the implementation of the Control, PII collected, the right to consent to uses of information, and the right to decline to provide information (if practical).
7. Data Retention: Will there be a requirement to develop a records retention policy, subject to approval by the appropriate enterprise authorities, to govern information gathered and generated by the Control?
8. Information Sharing: Describe the scope of the information sharing within and external to the enterprise that could be required to support the Control.
9. Redress: Enterprises should have in place procedures for individuals to seek redress if they believe their PII may have been improperly or inadvertently disclosed or misused through implementation of the Controls.
10. Auditing and Accountability: Describe what technical and policy safeguards and security measures might be needed to support the Control. Include an examination of technical and policy safeguards, such as information sharing protocols, special access restrictions, and other controls.

13 Other Companion Guides
- IoT Companion Guide
  - A first effort to map IoT applicability to the 20 Controls
- Mobile Security Companion Guide
  - A mapping of mobile security topics to the IoT
We expect that these companion guides will feed into future updates to the 20 Controls.
