To combat cyber-attacks with a set of actions focused on the latest advanced security threats, a set of twenty Controls was derived from the most common attack patterns and vetted across a very broad community of government and industry.
Critical Security Controls
The National Security Agency (NSA) prioritized the list of controls that would yield a stronger risk position against real-world threats. In 2008, the NSA strategy positioned itself as promoting “offense to inform defense”: they developed the recommendations we know today as the “Critical Security Controls” (the Controls), coordinated through the SANS Institute. The Council on Cyber Security (the Council) received ownership of the Controls in 2013. The Council remains an independent, global non-profit organization committed to ensuring a secure and open Internet.
The best way to describe this purpose is from the authors of the guidelines themselves, who in version 3.0 of the CSC have the following to say:
“Securing our nation against cyber-attacks has become one of the nation’s highest priorities. To achieve this objective, networks, systems, and the operations teams that support them must vigorously defend against a variety of threats, both internal and external. Furthermore, for those attacks that are successful, defenses must be capable of detecting, thwarting and responding to follow-on attacks on internal networks as attackers spread inside a compromised network.”
“Because federal agencies do not have unlimited money, current and past federal CIOs and CISOs have agreed that the only rational way they can hope to meet these requirements is to jointly establish a prioritized baseline of information security measures and controls that can be continuously monitored through automated mechanisms.”
Why are Critical Controls Important?
- Security Breaches are on the rise
- Cyber Security strategies require complex solutions
- Ongoing breaches in security occur even after investing in security products
- Security metrics determine the effectiveness of your security programs, projects and operational security, and ultimately report on your ROI.
1. Offense informs defense: Use knowledge of actual attacks that have compromised systems as the foundation for continually learning from those events and building effective, practical defenses. Include only those controls that can be shown to stop known real-world attacks.
2. Prioritization: Invest first in Controls that will provide the greatest risk reduction and protection against the most dangerous threat actors, and that can be feasibly implemented in your computing environment.
3. Metrics: Establish common metrics to provide a shared language for executives, IT specialists, auditors and security officials to measure the effectiveness of security measures within an organization, so that required adjustments can be identified and implemented quickly.
4. Continuous diagnostics and mitigation: Carry out continuous measurement to test and validate the effectiveness of current security measures, and to help drive the priority of next steps.
5. Automation: Automate defenses so that organizations can achieve reliable, scalable and continuous measurement of their adherence to the Controls and related metrics.
Why are Core Security Controls Successful?
Twenty Critical Security Controls have been clearly defined by top experts from government, defense, finance, transportation, academia, security, consulting and IT in an attempt to defend against cyber-attacks. The Critical Security Controls are a list of the best defensive techniques to detect, prevent, respond to and mitigate damage from invasive threats and attacks. These Controls are a shortlist drawn from the comprehensive catalog defined by the National Institute of Standards and Technology (NIST) in SP 800-53.
CKSS focuses on Assurance, not Compliance, when auditing your organization against the Critical Controls. If your organization is implementing NIST 800-53 controls, we use the Critical Controls as the starting point for our Gap Analysis.
- If your organization is already used to implementing the NIST 800-53 controls, the Critical Controls can be seen as a starting point for conducting a Gap Analysis, or for measuring your organization to see whether you are in line with them. The focus of this type of audit is ASSURANCE, not COMPLIANCE: it is not simply a matter of complying with another checklist.