Top 20 Critical Security Controls (CSC) for Effective Cyber Defense
Christian Espinosa, Alpine Security, [email protected]

Background
• Christian Espinosa | [email protected]
• Entrepreneur, Penetration Tester, Security Researcher, Incident Response, Survival Instructor for Bear Grylls
• Projects: Commercial Aircraft Penetration Testing, Healthcare Pen Testing, Abu Dhabi Forensic Work, Enterprise Security Analysis
• Ed: BSGE, MBA
• Certs: CISSP, CCSP, CISA, CRISC, CPT, CSSA, CEPT, CEH, CREA, ECI, LPT
• Patents:
  • Systems and Methods for a Simulated Network Traffic Generator. US 2009/0319248 A1. December 24, 2009.
  • Systems and Methods for Network Monitoring and Analysis of a Simulated Network. US 20009/0319249 A1. December 24, 2009.
  • Systems and Methods for a Simulated Network Attack Generator. US 2009/0320137 A1. December 24, 2009.
• Interests: Ironman Triathlon, Mountaineering, Travel, Security, Things that Involve a Waiver

Overview
• Are we Winning?
• Why the Center for Internet Security Critical Security Controls (CIS CSC)?
• CIS CSC Tenets
• Top 20
• Top 5 Deep Dive
• Tips

Are We Winning? Unfortunate Facts
• Most compromises are based on known problems that have known solutions
• 85+% of incidents managed by the US-CERT come down to the same 5 basic defenses
• Most attacks should have been blocked at the perimeter
• Very few attackers use “stealth” techniques
• Very few defenders have automated workflow
Source: Mandiant M-Trends 2015

Which should we do first? Penetration Test vs Asset Inventory
Which should we do first? (20) Penetration Test vs (1) Asset Inventory

Which should we do first? Data Loss Prevention (DLP) vs Audit Log Maintenance
Which should we do first? (13) Data Loss Prevention (DLP) vs (6) Audit Log Maintenance

Why CIS CSC?
• Risk-Based
  • What are we trying to protect? How much should we spend?
  • Risk is a function of threat (offense), vulnerability (defense), probability, and consequence
  • What can be controlled?
• Priority-Based
• Not Compliance-Based
• Community-Based
• Dynamic
  • Updated as attacks evolve and lessons are learned from breaches
  • Changes from v5.1 to 6:
• Affordable
• Reality-Based
• Simple

CSC Five Tenets
• Offense Informs Defense
• Prioritization
• Metrics
• Continuous Diagnostics and Mitigation (CDM)
• Automation

Top 20 Controls
CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5: Controlled Use of Administrator Privileges
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
CSC 7: Email and Web Browser Protections
CSC 8: Malware Defenses
CSC 9: Limitation and Control of Network Ports, Protocols, and Services
CSC 10: Data Recovery Capability
CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
CSC 12: Boundary Defense
CSC 13: Data Protection
CSC 14: Controlled Access Based on the Need to Know
CSC 15: Wireless Access Control
CSC 16: Account Monitoring and Control
CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 18: Application Software Security
CSC 19: Incident Response and Management
CSC 20: Penetration Tests and Red Team Exercises

Top 5 Controls Deep Dive
Top 5 – Foundational Cyber Hygiene (FCH)
• Prevents/stops 85-90% of attacks…
• CSC 1: Inventory of Authorized and Unauthorized Devices
• CSC 2: Inventory of Authorized and Unauthorized Software
• CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• CSC 4: Continuous Vulnerability Assessment and Remediation
• CSC 5: Controlled Use of Administrator Privileges
• Know authorized & unauthorized devices
• Know authorized & unauthorized software
You can’t defend what you don’t know

Control Basics
• Categories
  • System
  • Network
  • Application
• Layout
  • Why is the Control Critical?
  • Procedures and Tools
  • Entity Relationship Diagram

CSC 1: Inventory of Authorized and Unauthorized Devices
• Why? Unpatched Systems, Unchecked Networks, BYOD
• Procedures and Tools
  • Active scanning
  • Passive scanning
  • DHCP
  • 802.1x

CSC 2: Inventory of Authorized and Unauthorized Software
• Why? Attackers look for vulnerable software, malware installation, etc.
• Procedures and Tools
  • Application Whitelisting
  • Application Blacklisting

CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• Why? Default configurations are designed for use, not security. Security “Decay”.
• Procedures and Tools
  • Security Baselines
  • CIS Benchmarks
  • NIST National Checklist

CSC 4: Continuous Vulnerability Assessment and Remediation
• Why? Attackers exploit vulnerable systems.
• Procedures and Tools
  • Vulnerability Scanning Tools

CSC 5: Controlled Use of Administrator Privileges
• Why? One of the primary means by which attackers spread through an enterprise.
• Procedures and Tools
  • Use Built-in OS Features (runas, sudo, strong passwords, etc.)

Tips
• Take inventory and/or use existing tools or free tools to start.
• CSC 1: Nmap, DHCP, 802.1x, Wireshark
• CSC 2: Windows SRP, GPOs
• CSC 3: CIS Security Benchmarks, DISA STIGs
  • https://benchmarks.cisecurity.org/
  • http://iase.disa.mil/stigs/Pages/index.aspx
• CSC 4: OpenVAS, Nmap
• CSC 5: Runas, sudo

Contact Info
Christian Espinosa
[email protected]
www.alpinesecurity.com
CIS CSC: https://www.cisecurity.org/critical-controls.cfm
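The CSC 1 slides and the Tips list DHCP as a free starting point for device inventory. As an added example (not from the slides or from Alpine Security), the script below reconciles a dnsmasq-style lease file against an authorized-device list and reports both unknown devices and inventoried devices that hold no lease; the inventory, MACs and lease lines are constructed sample data.

```python
# Reconcile DHCP leases against an authorized-device inventory (CSC 1).
# Added example, not from the slides. Lease lines use the dnsmasq.leases
# layout (expiry, MAC, IP, hostname, client-id); all data is constructed.
from dataclasses import dataclass

# Constructed authorized-device inventory: MAC -> asset tag.
AUTHORIZED = {
    "aa:bb:cc:00:00:01": "asset-1001 (finance laptop)",
    "aa:bb:cc:00:00:02": "asset-1002 (print server)",
    "aa:bb:cc:00:00:03": "asset-1003 (engineering workstation)",
}
# Constructed lease file contents, one lease per line.
SAMPLE_LEASES = """\
1700000000 aa:bb:cc:00:00:01 10.0.1.10 fin-lt-01 01:aa:bb:cc:00:00:01
1700000060 AA:BB:CC:00:00:02 10.0.1.20 printsrv *
1700000120 de:ad:be:ef:00:01 10.0.1.77 android-9f3c2 01:de:ad:be:ef:00:01
1700000180 aa:bb:cc:00:00:09 10.0.1.78 * *
"""

@dataclass(frozen=True)
class Lease:
    mac: str
    ip: str
    hostname: str

def parse_leases(text: str) -> list[Lease]:
    """Parse lease lines; MACs are lowercased so a case difference in the
    lease file cannot make a known device look unknown."""
    leases = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4:
            continue  # blank or malformed line
        leases.append(Lease(mac=f[1].lower(), ip=f[2], hostname=f[3]))
    return leases

def find_unauthorized(leases, inventory=AUTHORIZED) -> list[Lease]:
    """Leases whose MAC is not in the inventory: devices to investigate."""
    return [l for l in leases if l.mac not in inventory]

def find_missing(leases, inventory=AUTHORIZED) -> list[str]:
    """Inventory MACs with no current lease: offline assets or stale records."""
    seen = {l.mac for l in leases}
    return sorted(m for m in inventory if m not in seen)

def report(text: str = SAMPLE_LEASES) -> list[str]:
    """One line per finding, suitable for a ticket or SIEM alert."""
    leases = parse_leases(text)
    lines = [f"UNAUTHORIZED {l.mac} {l.ip} {l.hostname}" for l in find_unauthorized(leases)]
    lines += [f"NO-LEASE {m} {AUTHORIZED[m]}" for m in find_missing(leases)]
    return lines
```

A MAC can be spoofed, so treat a match as "known device", not proof of identity; 802.1x from the same slide is the stronger control, and this check is the cheap first pass that shows what is on the network today.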