SANS Technology Institute

Joint Written Project (JWP) Assignment
Automating Crosswalk between SP 800, the 20
Critical Controls, and the Australian Government
Defence Signals Directorate’s 35 Mitigating
Strategies
GIAC Enterprises
Authors:
Ahmed Abdel-Aziz
Robert Sorensen
February 2012
Automating Crosswalk between SP 800 and the 20 Critical Controls 2
Table of Contents
1. Executive Summary ... 3
2. Introduction ... 4
3. Relationship between SP 800, 20 Critical Controls, and the Australian Government DSD’s 35 Mitigating Strategies ... 5
3.1 SP 800 ... 5
3.2 20 Critical Security Controls ... 5
3.3 Australian Government Defence Signals Directorate’s 35 Mitigating Strategies ... 8
4. Developing APT-focused Security Guidance Strategy ... 8
4.1 Advanced Persistent Threats (APTs) ... 8
4.2 Risk-based Approach ... 9
5. Automation Approach for Critical Controls 15 and 17 ... 12
5.1 Exploiting the Absence of Critical Controls 15 and 17 ... 12
5.2 Focusing on the Data ... 12
5.3 Establishing a Risk-based DLP Program ... 13
5.4 Automating Data Classification and Policy Definition ... 14
5.5 Automating the Control of Data-in-Motion ... 16
5.6 Automating the Control of Data-at-Rest/Data-in-Use ... 18
6. Automation Approach for Critical Controls 4 and 5 ... 22
6.1 Exploiting the Absence of Critical Controls 4 and 5 ... 24
6.2 Focusing on the APTs, and the Threat Vectors through Continuous Monitoring ... 24
6.3 Control 4 - Automating Continuous Vulnerability Assessment and Remediation ... 26
6.4 Control 5 - Automating Continuous Monitoring of Malicious Software and Malware Callbacks ... 30
7. Recommended Risk-based Action Plan ... 33
8. References ... 35
9. Appendix ... 40
Appendix A: FIPS PUB 200 - Specifications for Minimum Security Requirements ... 40
Appendix B: Mapping between the 20 Critical Security Controls and National Institute of Standards and Technology Special Publication 800-53, Revision 3, Priority 1 Items ... 44
Appendix C: Mapping between the 20 Critical Security Controls and the Australian Government Defence Signals Directorate’s 35 Mitigation Strategies ... 46
1. Executive Summary
GIAC Enterprises is a small-to-medium-sized, growing business (1,000 employees)
with two data centers and 200 people in central business and IT functions. GIAC
Enterprises’ Fortune Cookie sayings are a closely guarded secret and have come under
attack from competitors in the past. Recently, a security expert from a respected
consultancy gave a briefing titled “Operation Shady RAT,” which outlined a campaign in
which many corporations and government organizations were routinely compromised over
a period of five years (Alperovitch, 2011). This has prompted our organization to examine
key security investments, develop sound advice regarding security strategy, and determine
how to implement that strategy.
In making this recommendation, we drew on guidance from widely recognized
information security frameworks. Our analysis showed that SANS’ Consensus Audit
Guidelines (CAG) reinforce and prioritize some of the important elements put forth in
U.S. government documentation such as NIST SP 800-53. Furthermore, portions of the
CAG are reinforced by the Australian Government Defence Signals Directorate’s (DSD)
35 strategies to mitigate targeted cyber intrusions. After reviewing the direct mapping
between the 20 Critical Controls, NIST SP 800-53, and DSD’s 35 strategies, we adopted a
security guidance strategy designed to counter Advanced Persistent Threats (APTs). APTs
currently pose significant risks to GIAC Enterprises, and the situation is likely to stay
that way for the foreseeable future. Therefore, our risk-based security guidance strategy
is information-focused and gives special attention to four security controls that are well
geared to counter attacks with APT characteristics. The four security controls are: 1)
Controlled Access Based on the Need-to-Know; 2) Continuous Vulnerability Assessment
and Remediation; 3) Malware Defenses; and 4) Data Loss Prevention (DLP).
We have devised automation approaches for these four controls to facilitate
implementing them. We argue that more attention is needed to secure the data, and have
proposed a model for a DLP program. Accordingly, we developed an automation approach
for data classification and DLP policy definition, followed by automation approaches to
control data-in-motion, data-at-rest, and data-in-use. For an attack to succeed, it must
exploit a vulnerability; that is why we also focused on reducing our attack surface by
developing automation approaches for continuous vulnerability assessment and
remediation, and for malware defenses.
Finally, our research ends with a recommended action plan for GIAC Enterprises.
The objective of this action plan is to take the organization from its current security state,
to the desired security state, in a step-by-step fashion.
2. Introduction
Advanced Persistent Threats (APTs) (Andress, 2011)! Operation Shady RAT
(Lau, 2011)! These are terms or references that just a few years ago would not have
raised an eyebrow. Today, they are well known and often overused buzzwords.
However, that does not change the nature of the threat that they have exposed. From the
highly visible case of “Operation Aurora,” where Google, Adobe, and dozens of other
companies came under attack in 2009 and 2010 from sources believed to be in China
(McClure, 2010), to the sophistication and stealth of the compromise of RSA intellectual
property (Coviello, 2011), major corporations have come under attack. What is to
prevent your enterprise from suffering the same fate?
As reported in the second Qualys annual report, modern-day attackers employ
organized, well-written, and highly sophisticated exploit code to carry out their attacks
(Dausin, 2010). To counter these attacks, one needs to take proactive steps to manage risk
and exposure. Guidance to help mitigate this risk has been provided by multiple
initiatives, for example the Federal Information Security Management Act (FISMA), the
20 Critical Security Controls, and the Australian Government Defence Signals
Directorate’s (DSD) 35 Mitigating Strategies. The relationship and synergy between these
three initiatives are described below.
In an effort to maximize the benefit of these initiatives with minimal resources,
one must target a subset of controls to initially implement. This idea of initially targeting
a subset of controls was proven successful by the Australian DSD, which will be covered
in more detail. This research is based on a similar targeting approach; however, the subset
of controls selected is a subset of the 20 Critical Controls. The development of a security
guidance strategy for GIAC Enterprises, as well as automation approaches for that
strategy will be explored in detail.
3. Relationship between SP 800, 20 Critical Controls, and
the Australian Government DSD’s 35 Mitigating
Strategies
3.1 SP 800
Title III of the E-Government Act of 2002 (P.L. 107-347), the Federal Information
Security Management Act (FISMA), was designed to strengthen information security
government-wide (E-Government Act of 2002). FISMA requires each federal agency to
develop, document, and implement an agency-wide program to provide security for the
information systems that support its operations and assets, and tasked the National
Institute of Standards and Technology (NIST) with developing the supporting standards
and guidelines. The result was the establishment of the FISMA Implementation Project in
January 2003 (FISMA Implementation Project, 2009). One of the key publications from
this effort is SP 800-53, Recommended Security Controls for Federal Information Systems
and Organizations (SP 800-53 Revision 3, 2010). It covers the step in the Risk
Management Framework that addresses security control selection for federal information
systems in accordance with the security requirements in Federal Information Processing
Standard (FIPS) 200. That standard specifies the minimum security requirements in
seventeen security-related areas, and all federal agencies must comply with it (FIPS PUB
200, 2006, p. v).
The specifications for the minimum security requirements are reproduced in
Appendix A: FIPS PUB 200 - Specifications for Minimum Security Requirements (FIPS
PUB 200, 2006, pp. 2-4).
As noted, SP 800-53 is currently in its third revision. It will continue to be updated
to reflect the current state of information security to include guidance concerning insider
threats; software application security; social networking; mobile devices; cloud
computing; cross domain solutions; advanced persistent threat; supply chain security;
Industrial/process control systems; and privacy (Smith, 2011).
3.2 20 Critical Security Controls
In early 2008, as a response to the extreme data losses experienced by leading
companies in the U.S. defense industrial base, a consortium of federal agencies and
private organizations developed Version 1.0 of the Consensus Audit Guidelines that
define the most critical security controls to protect federal and contractor information and
information systems (Baseline Standard of Due Care for Cybersecurity, 2009).
This effort has continued to evolve, and the 20 Critical Security Controls, Version
3.1, was released in October 2011 (Consensus Audit Guidelines Version 3.1, 2011). The
effectiveness of this document is based on the knowledge of actual attacks and the
defensive techniques that are most important to counteract them. Contributors include
(CAG, 2011, p. 8):
Consensus Audit Guidelines Contributors
1) Blue team members inside the Department of Defense (DoD) who are often called
in when military commanders find their systems have been compromised and who
perform initial incident response services on impacted systems.
2) Blue team members who provide services for non-DoD government agencies that
identify prior intrusions while conducting vulnerability assessment activities.
3) US Computer Emergency Readiness Team staff and other nonmilitary incident
response employees and consultants who are called upon by civilian agencies and
companies to identify the most likely method by which systems and networks
have been compromised.
4) Military investigators who fight cyber crime.
5) The FBI and other law enforcement organizations that investigate cyber crime.
6) Cybersecurity experts at US Department of Energy laboratories and federally
funded research and development centers.
7) DoD and private forensics experts who analyze computers that have been infected
to determine how the attackers penetrated the systems and what they did
subsequently.
8) Red team members inside the DoD tasked with finding ways of circumventing
military cyber defenses during their exercises.
9) Civilian penetration testers who test civilian government and commercial systems
to determine how they can be penetrated, with the goal of better understanding
risk and implementing better defenses.
10) Federal CIOs and CISOs who have intimate knowledge of cyber attacks.
The 20 Critical Controls include 15 controls that can be continuously monitored
and validated at least in part in an automated manner and five that must be validated
manually (CAG, 2011, p. 9-10).
Critical Controls subject to automated collection, measurement, and validation
(the five that must be validated manually are marked):
1) Inventory of Authorized and Unauthorized Devices
2) Inventory of Authorized and Unauthorized Software
3) Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4) Continuous Vulnerability Assessment and Remediation
5) Malware Defenses
6) Application Software Security
7) Wireless Device Control
8) Data Recovery Capability (validated manually)
9) Security Skills Assessment and Appropriate Training to Fill Gaps (validated manually)
10) Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11) Limitation and Control of Network Ports, Protocols, and Services
12) Controlled Use of Administrative Privileges
13) Boundary Defense
14) Maintenance, Monitoring, and Analysis of Security Audit Logs
15) Controlled Access Based on the Need to Know
16) Account Monitoring and Control
17) Data Loss Prevention
18) Incident Response Capability (validated manually)
19) Secure Network Engineering (validated manually)
20) Penetration Tests and Red Team Exercises (validated manually)
As described in the document, there is a direct relationship to the U.S. Federal
Guidelines:
The 20 Critical Controls are meant to reinforce and prioritize some of the
most important elements of the guidelines, standards, and requirements
put forth in other US government documentation, such as NIST Special
Publication 800-53, SCAP, FDCC, FISMA, manageable network plans,
and Department of Homeland Security software assurance documents.
These guidelines do not conflict with such recommendations. In fact, the
guidelines set forth are a proper subset of the recommendations of NIST
Special Publication 800-53, designed so that organizations can focus on a
specific set of actions associated with current threats and computer
attacks they face every day (CAG, 2011, p. 12).
The direct mapping between the 20 Critical Security Controls and NIST Special
Publication 800-53, Revision 3, Priority 1 items can be found in Appendix B.
The U.K. Centre for the Protection of National Infrastructure (CPNI) recently
released a new guidance document detailing the Top Twenty Critical Security Controls.
These provide a baseline of high-priority information security measures and controls that
can be applied across an organization in order to improve its cyber defense. CPNI is
participating in an international government-industry effort to promote the top twenty
critical controls for computer and network security which is being coordinated by the
SANS Institute (Continuity Central, 2012).
3.3 Australian Government Defence Signals Directorate’s 35
Mitigating Strategies
In 2010, the Australian Defence Signals Directorate (DSD) developed a list of 35
prioritized mitigation strategies to defend networks and systems from cyber attack based
on the study of all known targeted intrusions against government systems, and articulated
what would have stopped the infections from spreading. The DSD updated and
reprioritized this list in 2011 and determined that at least 85% of the targeted cyber
intrusions could have been prevented by following the top four mitigation strategies.
For this ground-breaking approach of focusing on the top four controls and
implementing them first, DSD received the 2011 U.S. National Cybersecurity Innovation
Award (SANS Press Release, 2011). The top four specific controls (nicknamed the
“sweet spot”) are:
1) Patch applications such as PDF readers, Microsoft Office, Java, Flash
Player and web browsers;
2) Patch operating system vulnerabilities;
3) Minimize the number of users with administrative privileges; and
4) Use application whitelisting to help prevent malicious software and
other unapproved programs from running.
The DSD’s 35 Mitigating Strategies focus on individual tasks organizations can
undertake to improve their security stance. They are a focused subset of the 20 Critical
Controls, with a direct mapping detailed in Appendix C: Mapping between the 20 Critical
Security Controls and the Australian Government Defence Signals Directorate’s 35
Mitigation Strategies (CAG, 2011, pp. 72-75).
4. Developing APT-focused Security Guidance Strategy
4.1 Advanced Persistent Threats (APTs)
In the past few years, intelligence agencies and computer security vendors have
begun using the term Advanced Persistent Threat (APT) to describe a series of cyber-based
attacks. The term typically describes a foreign nation-state government with the advanced
capability and persistence to commit cyber espionage (Binde, 2011).
Publicly reported incidents span many industries and have carried significant cost.
In January 2010, the source code and intellectual property of Google and at least 20 other
companies in the high-tech industry and defense industrial base were targeted and
compromised during “Operation Aurora” (McClure, 2010). Beginning in November 2009,
“Operation Night Dragon” comprised a series of coordinated and targeted attacks against
global oil and gas companies (Shook, 2011). Most recently, in the attack described as
“Operation Shady RAT,” around 70 corporations and government organizations were
routinely compromised over a period of five years (Alperovitch, 2011).
The above attacks share several commonalities. Routinely, the attackers used
previously unknown attack vectors, known as zero-day attacks. Unsuspecting users
opening email attachments or browsing malicious websites introduced these attacks into
the victim network. Additionally, all of these attacks relied upon a remote command and
control channel to steal data out of the infected networks. In most cases, compromised
victims were identified only after security researchers located the attackers’ command
and control servers (Command, 2011).
4.2 Risk-based Approach
From SANS’ point of view, focusing on the 20 Critical Controls will help an
organization be prepared for the most important actual threats that exist in today’s world.
The 20 Critical Controls help organizations make better use of their limited security
resources, by using a prioritized set of overarching security controls. GIAC Enterprises
will highly benefit from fully adopting the 20 Critical Controls; however, fully adopting
these Critical Controls will take considerable time.
Therefore, we argue that GIAC Enterprises would benefit most from a risk-based
approach that initially implements only the subset of the 20 Critical Controls that
addresses its highest risks. Afterwards, the remaining Critical Controls can be
implemented. It is our belief that, due to the nature of GIAC Enterprises’ business as the
world’s largest supplier of Fortune Cookie sayings, its intellectual property is a target for
theft. This makes APT-related risks the highest at this point in time for GIAC
Enterprises, and the initial focus should be on mitigating such risks. The next step of the
strategy is to apply the “offense-informs-defense” concept to determine which subset of
controls is better geared to mitigate APTs-related risks. To determine the appropriate
subset of controls, one would highly benefit from tapping in to the collective experience
of the 20 Critical Controls’ contributors, who are responsible for responding to actual
attacks or conducting red team exercises (CAG, 2011, pp. 8-9). Based on the
contributors’ first-hand knowledge of real world attacks and associated defenses, the
contributors included a table of attacks mapped to the most directly related control. That
table represents the foundation for selecting a subset of controls, which is based on the
“offense-informs-defense” concept.
Reviewing the Attack Types table included in the 20 Critical Controls Consensus
Audit Guidelines’ Appendix (CAG, 2011, pp. 76-77), it is clear that four attacks stand out
as having APT characteristics. The same table suggests which critical control is most
appropriate for that attack. The four attacks and the related controls are included in the
table below:
Attack Summary and Most Directly Related Control

1) Attackers exploit new vulnerabilities on systems that lack critical patches in
organizations that do not know that they are vulnerable because they lack continuous
vulnerability assessments and effective remediation.
Most directly related control: Critical Control 4, Continuous Vulnerability Assessment
and Remediation.

2) Attackers use malicious code to gain and maintain control of target machines, capture
sensitive data, and then spread it to other systems, sometimes wielding code that disables
or dodges signature-based anti-virus tools.
Most directly related control: Critical Control 5, Malware Defenses.

3) Attackers gain access to sensitive documents in an organization that does not properly
identify and protect sensitive information or separate it from non-sensitive information.
Most directly related control: Critical Control 15, Controlled Access Based on the
Need-to-Know.

4) Attackers gain access to internal enterprise systems to gather and exfiltrate sensitive
information, without detection by the victim organization.
Most directly related control: Critical Control 17, Data Loss Prevention (DLP).
The methodology described above for selecting a subset of controls led to the
selection of Critical Controls 4, 5, 15, and 17. A proper analysis would not be complete
without comparing this subset of controls to a statistically proven subset of controls such
as the one recommended by the Australian DSD. The Australian DSD determined that at
least 85% of targeted cyber intrusions could be prevented by implementing four specific
controls:
1. Patch applications such as PDF readers, Microsoft Office, Java, Flash
Player, and web browsers;
2. Patch operating system vulnerabilities;
3. Minimize the number of users with administrative privileges; and
4. Use application white-listing to help prevent malicious software and other
unapproved programs from running.
It is the authors’ opinion that the subset of controls selected actually resonates with
the Australian DSD recommendation:
• Australia’s DSD Controls 1 and 2 are in line with selecting Control 4,
“Continuous Vulnerability Assessment and Remediation;”
• Australia’s DSD Control 3 is in line with selecting Controls 15 and 17,
“Controlled Access Based on Need-to-Know” and “DLP;” and
• Australia’s DSD Control 4 is in line with selecting Control 5,
“Malware Defenses.”
It is imperative that GIAC Enterprises protect its sensitive data, its intellectual
property. The risk-based methodology used resulted in a subset of controls that is rather
unique in being information-focused, and not identical to statistically supported work
such as the systems-focused Australian DSD top four. Based on GIAC Enterprises’ needs,
and the recent shift in attention from securing networks, to securing systems, to securing
the data itself (CAG, 2011), we argue that GIAC Enterprises would benefit more from
adopting our recommended subset of controls. Future work based on this research may
provide evidence that this approach is more effective in securing intellectual property.
Therefore, the subset of the 20 Critical Controls to implement first for GIAC
Enterprises are: Controls 4, 5, 15, and 17. These controls lend themselves to automation,
and so the next sections of the paper will highlight some automation approaches for these
controls.
5. Automation Approach for Critical Controls 15 and 17
Critical Controls 15 and 17 of the 20 Critical Controls state that data access is to be
controlled, and access to data should be on a need-to-know basis. In addition, data loss
prevention capabilities should be in place. Going back to the “offense-informs-defense”
theme, one needs to first understand how attackers exploit the absence of these controls,
before attempting to automate them.
5.1 Exploiting the Absence of Critical Controls 15 and 17
Organizations often do not carefully identify and separate sensitive information
from publicly available information on their information systems. Because there is no
such separation between the two different types of information, internal users will have
access to all or most of the sensitive information. This makes it easy for attackers who
have penetrated the network to find and exfiltrate the sensitive information. What
compounds the problem further is that an organization may not be monitoring data
outflows to quickly detect such exfiltration. While some information is leaked as a result
of theft or espionage, the vast majority of such problems occur from poorly understood
data practices, lack of effective policy, and user error (CAG, 2011, p. 60). The loss of
control over sensitive information (such as cookie sayings intellectual property) is a
serious vulnerability, and introduces a high risk to GIAC Enterprises.
5.2 Focusing on the Data
Over the last few years, there has been a noticeable shift in attention and
investment from securing the network to securing systems within the network, and to
securing the data itself (CAG, 2011). To be able to secure the sensitive data, one needs to
know what constitutes sensitive data. Two main types of sensitive data exist: Regulatory
Data, and Corporate Data.
Sensitive Regulatory Data:
• Credit card data
• Privacy data (PII)
• Health care information

Sensitive Corporate Data:
• Intellectual property
• Financial information
• Trade secrets
Regulatory Data is found in many organizations, and takes the same form regardless
of the organization in which it is stored. On the flip side, Corporate Data is usually unique
data that differs from one organization to another. This uniqueness makes Corporate Data
more challenging to identify, control, and secure. The intellectual property of GIAC
Enterprises (cookie sayings) falls into the Corporate Data type of sensitive data.
Controlling sensitive data can take place when the data is at rest (e.g., data storage),
when the data is in motion (e.g., network actions), and when the data is in use (e.g.,
endpoint actions). To facilitate controlling sensitive data, GIAC Enterprises need to
establish a proper Data Loss Prevention (DLP) program.
Figure: Controlling sensitive data at rest, in motion, and in use.
5.3 Establishing a Risk-based DLP Program
Many publications describe how complex and expensive DLP projects can become
if not properly handled. It can be argued that a primary reason for this perception is a
lack of attention to the people and process elements of DLP projects. Rather than
considering DLP a point product, one can benefit from considering DLP a
technology that helps build processes to prevent people from leaking sensitive data. To
establish a proper DLP program for GIAC Enterprises, the following three-phased model
is suggested:
Figure: DLP Program Lifecycle Management, driven by risk-based policies. Three
phases over time: Discover (risk across the infrastructure), Educate (end users and risk
teams), and Enforce (security controls); the first phase serves to understand risk, the later
two to reduce it.
Whether sensitive data is being controlled at rest, in use, or in motion, this
three-phased model will be used. The first step is to better understand risk by identifying
sensitive data through a discovery process; the discovery phase can occur while data is in
use, in motion, or at rest. In the next step, risk starts to be mitigated through education of
both end users and risk teams. Finally, risk mitigation reaches its peak by enforcing
effective security controls that do not get in the way of business productivity.
5.4 Automating Data Classification and Policy Definition
For GIAC Enterprises, the cookie sayings intellectual property is the data that
needs to be controlled. As described earlier, this is sensitive data of the Corporate Data
type. For technology to identify sensitive data through a discovery process, it must be told
what sensitive data looks like. It would be ideal to simply tell the tool that sensitive data
is any cookie saying; unfortunately, it is not that simple. Regulatory Data such as a credit
card number has a fixed, recognizable format that a tool can match directly; a cookie
saying is free text with no such format, so the tool has nothing to look for unless the
business defines what distinguishes sensitive sayings from other text.
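As an added illustration (example code written for this edit, not part of the original paper or of any vendor’s DLP product), the following Python script shows why the two data types need different detection techniques. Regulatory Data such as a card number is found by its form: a digit pattern confirmed with the Luhn checksum so that arbitrary digit runs are not flagged. Corporate Data has no form, so the business registers the sensitive text and the engine stores hashed word shingles (fingerprints) and looks for them in outgoing content, which is the general mechanism behind partial document matching in DLP engines. The cookie sayings, the sample messages, the four-word shingle size, and the threshold of three matching shingles are all constructed assumptions.

```python
import hashlib
import re

# Regulatory Data: a credit card number is recognized by form. Candidate runs of
# 13 to 19 digits, optionally separated by spaces or dashes, are then confirmed
# with the Luhn mod-10 checksum so that order numbers and phone numbers pass.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_regulatory(text: str) -> list:
    """Return card-number candidates in the text that pass the Luhn check."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


# Corporate Data: no form to match, so the business registers the sensitive text
# and the engine keeps fingerprints (truncated hashes of 4-word shingles) rather
# than the sayings themselves. Sizes and threshold are assumptions for the example.
SHINGLE_WORDS = 4
MATCH_THRESHOLD = 3


def shingles(text: str) -> set:
    """Normalize text and return the set of hashed word shingles."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    out = set()
    for i in range(len(words) - SHINGLE_WORDS + 1):
        chunk = " ".join(words[i:i + SHINGLE_WORDS])
        out.add(hashlib.sha256(chunk.encode()).hexdigest()[:16])
    return out


def register_corporate(documents) -> set:
    """Build the fingerprint index from the documents the business owners mark sensitive."""
    index = set()
    for doc in documents:
        index |= shingles(doc)
    return index


def classify(text: str, index: set) -> dict:
    """Classify text into the two initial levels the paper proposes: sensitive or public."""
    regulatory = find_regulatory(text)
    corporate_hits = len(shingles(text) & index)
    sensitive = bool(regulatory) or corporate_hits >= MATCH_THRESHOLD
    return {
        "regulatory": regulatory,
        "corporate_hits": corporate_hits,
        "sensitivity": "sensitive" if sensitive else "public",
    }


# Constructed, hypothetical cookie sayings standing in for GIAC Enterprises' IP.
COOKIE_SAYINGS = [
    "The fortune you seek is in another cookie, but keep looking anyway.",
    "A quiet evening with a good book will teach you more than a loud one.",
    "Your talents will be recognized and suitably rewarded before the year ends.",
]
FINGERPRINTS = register_corporate(COOKIE_SAYINGS)

# Constructed sample messages an outbound mail scanner might see.
SAMPLES = {
    "card": "Customer paid with card 4111 1111 1111 1111, please refund.",
    "order": "Order ref 1234 5678 9012 3456 ships Monday.",
    "leak": "Hi team, draft for the spring batch: A quiet evening with a good book "
            "will teach you more than a loud one. Thoughts?",
    "paraphrase": "The fortune you seek is elsewhere, says the new draft.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, classify(body, FINGERPRINTS))
```

Running the script classifies the four sample messages. The “order” message contains a 16-digit number that fails the Luhn check and is left alone, while the “card” message is flagged as Regulatory Data. The verbatim saying in the “leak” message matches all twelve of its registered shingles, but the “paraphrase” overlaps a registered saying in only two shingles, stays below the threshold, and is reported as public: fingerprinting catches copies and close derivatives, not rewordings. Choosing the shingle size and threshold is exactly the kind of business decision the policy workflow described next is meant to capture, and the index holds truncated hashes rather than the sayings themselves.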
Data classification (defining data sensitivity) is a complex task, because only the
business owners know this information. The sensitivity of cookie sayings, as well as of
other data, is dynamic and often varies by business function and over time. It is a
challenge for security teams to define what data is sensitive and how it should be handled
according to policy. The logical approach is to involve the line of business in the process
of data classification and policy definition, but involving the line of business is not
trivial. An effective way to address this challenge is to enable the business owners to
directly define what data is sensitive (or what criteria make data sensitive), and how the
sensitive data should be handled. To automate this step, a portal with a workflow engine
can be used. This type of automation can be achieved with Governance, Risk, and
Compliance (GRC) tools, if these tools are integrated with the DLP technology being
used. One example of such a solution is the RSA DLP Policy Workflow Manager
illustrated below:
Figure: RSA DLP Policy Workflow Manager. Step 1: Business managers identify files
and set business rules. Step 2: The DLP admin creates the DLP policy and checks it for
feasibility. Step 3: The DLP policy is routed for approval. Step 4: The approved DLP
policy is applied across the organization to end users.
It is important to point out that this stage is not about using a tool to locate
sensitive data across the organization. This stage merely defines what we should look for
and, when we find it, how it should be handled. This stage is about defining criteria and
rules, not about scanning. The output of this stage is a set of risk-based DLP policies
such as the following:
Figure: Enforce Security Controls Based on the Risk of a Violation. The risk of a
violation (LOW to HIGH) is determined by data sensitivity, user identity, and the user
action defined in the DLP policy. The enforcement actions available, applied manually or
automated, are: ALLOW, AUDIT, NOTIFY, JUSTIFY, COPY, MOVE, QUARANTINE,
ENCRYPT, RMS (DRM), BLOCK, DELETE, and SHRED.
Data sensitivity is one of three key elements constituting the risk level for a DLP
policy. For the sake of simplicity, GIAC Enterprises can initially start with only two
classification levels: sensitive and public. In the future, the classification levels can
be extended to three: secret, private, and public. A properly integrated DLP and GRC
solution provides an abstraction layer that lets the line of business define technical DLP
policies. These policies are then used to control data in motion, at rest, or in use. Such
an integrated DLP and GRC solution is technology that helps fill the people and process gap
that undermines DLP projects.
Using such an automation approach for data classification and DLP policy definition can
reduce the duration of these activities from weeks to days. This section helps to automate
sub-control 15.1, and lays the foundation for automating most sub-controls of Critical
Controls 15 and 17 (CAG, 2011, p. 55).
5.5 Automating the Control of Data-in-Motion
People and process elements of DLP projects are often ignored. To address these
two elements when automating the control of data in motion, GIAC Enterprises needs to
follow this process:
1) Initially understand the risk of data-in-motion across the various protocols
(Monitor Only);
2) Introduce just-in-time education to users to mitigate risk (Monitor and Educate); and
3) In the enforcement phase, implement an action such as automated encryption of
sensitive data. Also in this final phase, unauthorized encrypted data can be blocked to
mitigate the exfiltration of sensitive data that was encrypted by APTs (Automate Action).
Figure: Process to Reach Automation (Data-in-Motion). Over time, risk is reduced in three
phases: DISCOVER (Data-in-Motion), understanding risk across web protocols, emails, IM, and
generic TCP/IP protocols (Monitor Only); EDUCATE (Data-in-Motion), educating users
just-in-time (Monitor & Educate); and ENFORCE (Data-in-Motion), applying encryption,
blocking, etc. (Automate Action).
The following scenario is an example of just-in-time education when controlling
data-in-motion: a GIAC Enterprises employee has just sent out an email containing a
sensitive cookie saying. When the network traffic is scanned by the DLP system, an alert
is sent to the employee saying that the email they just sent possibly violates the GIAC
Enterprises intellectual property policy. The alert also includes the policy itself and why
this email represents a violation. The employee is then given the option (in the figure
below) of sending the email anyway, because they are sure this is not a policy violation, or
of not sending the email at all. The action is logged, and the employee is educated
just-in-time. If the employee faces a similar situation in the future, they will likely make
a better decision and therefore reduce GIAC Enterprises’ risk level.
This section helps to automate sub-controls 17.2, 17.3, 17.5, 17.6, 17.9, 17.10
(CAG, 2011, pp. 61-62), and 15.4 (CAG, 2011, p. 55).
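The policy structure of section 5.4 (risk derived from data sensitivity, user identity and the user's action, then mapped to an enforcement action) and the three-phase rollout and just-in-time alert of section 5.5, as an added example that is not code from the paper or from any DLP product. The COOKIE-SAYING marker, the domain, the authorized-sender list and the messages are constructed assumptions.

```python
"""Risk-based DLP policy for data-in-motion with just-in-time education.

Added example, not code from the paper or from any DLP product. It models the
policy structure of section 5.4 (risk derived from data sensitivity, user
identity and the user's action, mapped to an enforcement action) and the three
phases of section 5.5 (Monitor Only, Monitor and Educate, Automate Action).
The content marker, domain, authorized-sender list and messages are constructed.
"""
import re
from dataclasses import dataclass

# Constructed content rule: assumes the line of business tags cookie sayings
# with a hypothetical identifier of the form COOKIE-SAYING-nnnn.
COOKIE_SAYING_RULE = re.compile(r"\bCOOKIE-SAYING-\d{4}\b")
INTERNAL_DOMAIN = "giac.example"                      # constructed
AUTHORIZED_EXTERNAL_SENDERS = {"cfo@giac.example"}    # constructed identity data
POLICY_TEXT = ("GIAC Enterprises intellectual property policy: cookie sayings may "
               "only be sent outside the company by authorized staff.")


@dataclass
class Message:
    sender: str
    recipients: list
    body: str


@dataclass
class Decision:
    sensitivity: str   # "public" or "sensitive": the two initial levels
    risk: str          # "LOW", "MEDIUM" or "HIGH"
    action: str        # one of the policy actions: ALLOW, AUDIT, JUSTIFY, ENCRYPT, BLOCK
    reasons: list


def classify(body):
    """Content classification using the rule the business owners defined."""
    return "sensitive" if COOKIE_SAYING_RULE.search(body) else "public"


def evaluate(msg, phase):
    """Combine sensitivity, user identity and action (external send) into a risk
    level, then choose the enforcement action for the current rollout phase."""
    if classify(msg.body) == "public":
        return Decision("public", "LOW", "ALLOW", ["no sensitive content"])
    reasons = ["message contains a cookie saying"]
    external = [r for r in msg.recipients if not r.endswith("@" + INTERNAL_DOMAIN)]
    if not external:
        return Decision("sensitive", "LOW", "ALLOW", reasons + ["internal recipients only"])
    reasons.append("external recipients: " + ", ".join(external))
    authorized = msg.sender in AUTHORIZED_EXTERNAL_SENDERS
    reasons.append("sender is authorized for external sharing" if authorized
                   else "sender is not authorized for external sharing")
    risk = "MEDIUM" if authorized else "HIGH"
    if phase == "monitor":       # phase 1: understand risk, never interfere
        action = "AUDIT"
    elif phase == "educate":     # phase 2: show the policy, let the user decide
        action = "JUSTIFY"
    elif phase == "enforce":     # phase 3: automate the action
        action = "ENCRYPT" if authorized else "BLOCK"
    else:
        raise ValueError(f"unknown phase: {phase}")
    return Decision("sensitive", risk, action, reasons)


def just_in_time_notice(decision):
    """The alert shown to the employee: the policy, why the message was flagged,
    and the choice they have (send anyway with a justification, or cancel)."""
    lines = [POLICY_TEXT, "Why this message was flagged:"]
    lines += ["  - " + r for r in decision.reasons]
    lines.append("Options: [send anyway, with justification] or [cancel]")
    return "\n".join(lines)


def handle(msg, phase, user_choice=None, justification=""):
    """Apply the decision and return the audit record the DLP system logs."""
    d = evaluate(msg, phase)
    record = {"sender": msg.sender, "risk": d.risk, "action": d.action}
    if d.action == "JUSTIFY":
        if user_choice == "send" and justification.strip():
            record["outcome"], record["justification"] = "sent", justification
        else:
            record["outcome"] = "cancelled"   # user reconsidered: educated just in time
    elif d.action == "BLOCK":
        record["outcome"] = "blocked"
    elif d.action == "ENCRYPT":
        record["outcome"] = "sent encrypted"
    else:
        record["outcome"] = "sent"
    return record
```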
5.6 Automating the Control of Data-at-Rest/Data-in-Use
At this stage, as at the earlier stage of controlling data in motion, sensitive
data has been identified using the techniques highlighted in section 5.4. Where the
sensitive data is, who has access to it, and how it is being used are still not clear at
this point in time; the risk exposure is therefore unknown. Once these questions are
answered, the risk exposure becomes known. The focus of this section is on answering these
important questions in an automated manner. Continuing the same theme (giving more
attention to the people and process elements of DLP projects), GIAC Enterprises needs to
follow this process for automating the control of data-at-rest and data-in-use:
1) Understand the risk of data-at-rest in all data stores. This requires scanning all
data stores to identify where sensitive data is located. The tools available for this
range from open source tools such as OpenDLP to commercial DLP tools. Once the location
of sensitive data is identified, the next step is to know who has access to it, and
whether they have a need-to-know. This second scanning operation is often performed with
a different set of tools, some of which are free, such as ShareEnum, which gathers the
ACLs of files and folders on network shares. Other tools may be built in and monitor file
activity, such as the Windows audit logging capability for files (Scanning);
2) Just-in-time education can be introduced to users to mitigate the risk associated with
sensitive data. As the line of business becomes more educated, proper data governance
policies can be defined (Monitor and Educate); and
3) In the enforcement phase, data governance policies can be implemented to further
reduce risk. An action such as automated encryption of sensitive data at rest can be
implemented. Also in this final phase, integration of DLP with other technologies, such
as Digital Rights Management (DRM) tools, can be leveraged. An integration example would
be the automatic application of DRM controls to sensitive data when DLP senses the data
is being copied to an external drive (Automate Action).
Figure: Process to Reach Automation (Data-at-Rest/-in-Use). Over time, risk is reduced in
three phases: DISCOVER (Data-at-Rest/-in-Use), understanding risk across data permissions
and stores such as file shares, databases, endpoints, repositories, etc. (Scanning); EDUCATE
(Data-at-Rest/-in-Use), educating users just-in-time (Monitor & Educate); and ENFORCE
(Data-at-Rest/-in-Use), applying the data governance policy: encryption, DRM, block, shred,
log, etc. (Automate Action).
For GIAC Enterprises, the cookie sayings intellectual property is likely scattered all
across the organization. At this stage, the line of business has defined what sensitive
data is, and that definition is incorporated into DLP policies. The security/risk team now
knows what it is looking for. The scanning operations that take place in the discovery
phase of the above process will answer two important questions: 1) Where is the sensitive
data? and 2) Who has access to it? The answers to these two questions will help GIAC
Enterprises understand the risks associated with sensitive data (cookie sayings) at rest
and in use. It is definitely a challenge to locate sensitive data among terabytes of data
spread across multiple sites; in fact, it resembles searching for gems along extremely long
sandy shores. Luckily, technology is available to overcome this problem, even in massive
environments. The scanning technology of commercial DLP vendors can transform existing
servers into a powerful cluster that scans terabytes of data in parallel with no additional
hardware. Using temporary software agents, sensitive data is identified in multiple
repositories such as file servers, endpoints, databases, and collaborative environments
such as Microsoft SharePoint. Monitoring incremental changes to data repositories is
possible, which facilitates scanning on a regular basis. By bringing the scanning software
to the data, and not vice versa, it is possible to scan massive amounts of data without
saturating the network. The figure below illustrates the architecture used to perform
sensitive data discovery in a multi-site environment with multiple data repositories:
Figure: Multi-site sensitive data discovery architecture. A DLP Administrator dispatches
Software Agents to the repositories (Database, SharePoint, file servers) in the Main Data
Center, the Secondary Data Center, and the Remote Offices.
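The discovery phase described above (content-based identification, the "who has access" question, and incremental rescans of large stores), as an added example that is not code from the paper or from any DLP vendor. The COOKIE-SAYING content rule, the sample share and the use of POSIX permission bits as the exposure model are constructed assumptions; a Windows deployment would read share ACLs instead.

```python
"""Data-at-rest discovery with permission exposure and incremental rescans.

Added example, not code from the paper or from any DLP product. It implements
the discovery phase described above in miniature: walk a data store, identify
files whose content meets the sensitivity criteria, record the owner and
whether the file is exposed to everyone, and keep scan state so a later run
re-reads only files that changed. The content rule, the sample share and the
POSIX permission model are constructed assumptions.
"""
import os
import re
import stat
import tempfile

# Constructed content rule, assumed to come from the line of business.
SENSITIVE_RULE = re.compile(r"\bCOOKIE-SAYING-\d{4}\b")


def is_sensitive(path, max_bytes=1_000_000):
    """Read at most max_bytes of the file and apply the content rule."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(max_bytes)
    except OSError:
        return False
    return SENSITIVE_RULE.search(data.decode("utf-8", "replace")) is not None


def exposure(mode):
    """Translate POSIX mode bits into the exposure the risk team cares about."""
    flags = []
    if mode & stat.S_IROTH:
        flags.append("world-readable")
    if mode & stat.S_IWOTH:
        flags.append("world-writable")
    return flags


def scan(root, state=None):
    """Scan every file under root.

    state maps path -> (mtime_ns, size, sensitive) from a previous run; a file
    whose mtime and size are unchanged keeps its previous verdict without being
    re-read, which is what makes regular rescans of large stores affordable.
    Returns (findings, new_state, files_reread).
    """
    state = state or {}
    new_state, findings, reread = {}, [], 0
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            key = (st.st_mtime_ns, st.st_size)
            prev = state.get(path)
            if prev is not None and prev[:2] == key:
                sensitive = prev[2]
            else:
                sensitive = is_sensitive(path)
                reread += 1
            new_state[path] = (key[0], key[1], sensitive)
            if sensitive:
                findings.append({"path": os.path.relpath(path, root),
                                 "owner_uid": st.st_uid,
                                 "exposure": exposure(stat.S_IMODE(st.st_mode))})
    return findings, new_state, reread


def run_demo():
    """Build a constructed file share, scan it, change one file, rescan."""
    files = {  # relative path: (content, mode), all constructed
        "marketing/slogans.txt": ("Fresh cookies every day!", 0o644),
        "rnd/sayings_q1.txt": ("COOKIE-SAYING-0042: Fortune favors the crumb.", 0o666),
        "rnd/sayings_q2.txt": ("COOKIE-SAYING-0043: Bake it till you make it.", 0o640),
        "hr/handbook.txt": ("Office hours are 9 to 5.", 0o644),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (text, mode) in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)
            os.chmod(path, mode)
        first, state, reread_first = scan(root)
        # A marketing file picks up a cookie saying; only it should be re-read.
        with open(os.path.join(root, "marketing", "slogans.txt"), "a") as fh:
            fh.write("\nCOOKIE-SAYING-0044: Crumbs of wisdom.")
        second, _, reread_second = scan(root, state)
    return {
        "first": sorted(f["path"] for f in first),
        "reread_first": reread_first,
        "second": sorted(f["path"] for f in second),
        "reread_second": reread_second,
        "world_writable": sorted(f["path"] for f in second
                                 if "world-writable" in f["exposure"]),
    }
```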
After using technology in the discovery phase to answer where sensitive data is,
one has a better understanding of risk. However, understanding the risk is only the first
half of the story. The second half is risk remediation, and it is not trivial.
The second half of the story (risk remediation for sensitive data at rest) revolves around
defining the appropriate data governance policy and applying it so that files containing
sensitive data are properly protected. However, encrypting a file, moving it to a more
secure repository, or changing its permissions without involving the end users of the file
in the process can have a negative impact on any organization. The proper way to address
this challenge is to involve the line of business in the remediation process. The benefit
is that proper data governance policies can be defined for cookie sayings without
negatively impacting the business. The drawback is that the duration of the risk
remediation process can increase significantly, with emails, phone calls, and spreadsheets
going back and forth between the security/risk team and the line of business to properly
protect a large number of files located all around GIAC Enterprises.
The drawback described above is a workflow challenge, and it can be overcome using a
risk management workflow module that automates risk remediation. This type of automation
can be achieved with GRC tools, especially if those tools are integrated with the scanning
tools used to discover sensitive data, permissions, and file activity. The module enables
the security/risk team to send remediation options and questionnaires about the business
context to the business owners in an automated manner. This empowers the business users to
make appropriate decisions about the sensitive files they own. An example is the RSA DLP
Risk Remediation Manager (RRM) solution shown below:
Figure: RSA DLP Risk Remediation Manager (RRM). Data Loss Prevention (DLP) discovers
sensitive data using Temp Agents, a Grid, and a Virtual Grid across SharePoint, Databases,
NAS/SAN, File Servers, and Endpoints (Agents). RRM, fed by DLP, File Activity Tools, and GRC
Systems, manages the remediation workflow with Business Users, who apply controls: Apply DRM,
Encrypt, Delete / Shred, Change Permissions, or Policy Exception.
Using such an automation approach for risk remediation of data-at-rest can reduce the
duration of these activities from months to weeks. The benefit of the automation approach
is twofold:
• The automation allows just-in-time education of the line of business, which
facilitates the definition of the data governance policy and improves future actions; and
• The automation significantly reduces the remediation time for data governance policy
violations without negative business impact. This increases the efficiency of a reactive
control and reduces the window of opportunity for APTs.
This section helps to automate sub-controls 15.2, 15.3, 15.5, 15.6, 15.7 (CAG,
2011, pp. 55-56), 17.4, and 17.7 (CAG, 2011, p. 61).
6. Automation Approach for Critical Controls 4 and 5
Critical Controls 4 and 5 of the 20 Critical Controls state that attackers exploit new
vulnerabilities on systems that lack critical patches and use malicious code to gain control
of target systems, which could allow the capture of sensitive information such as cookie
sayings from GIAC Enterprises.
To fully understand what controls are best suited for the prevention and mitigation
of APTs, one first needs to understand the attack vector typically used.
Malware innovations have been driven by attackers’ quest to gain increasing
control of compromised systems and the networks in which they reside. In a recent
white paper sponsored by Imperva entitled ‘Advanced Persistent Threat: Are You the
Next Target?’, a diagram detailing the anatomy of an APT attack is presented as
follows (Bitpipe.com, 2011):
Considering the dynamics of the advanced malware infection lifecycle, the
following illustrates another commonly adopted infection approach (Damballa, 2011):
1) Victim surfs to a website or clicks on an email link (e.g. phishing, drive-by
download);
2) Browser is redirected to a malicious dropper site;
3) Victim is misled into downloading the dropper, or the dropper is automatically
downloaded through an exploit;
4) Dropper unpacks on the Victim machine and runs;
5) Dropper contacts a new site: UPDATE;
6) UPDATE sends Command&Control (C&C) instructions;
7) Dropper contacts C&C Site #1 with Victim identity details;
8) C&C Site #1 sends encrypted malware with new C&C instructions. It might even
be ‘locked’ to the Victim machine;
9) Malware is decrypted by the Dropper and installed. The Dropper may stay behind as
false evidence for investigators, or delete itself so that investigators believe that
no infection has occurred; and
10) Malware contacts C&C Site #2 and sends passwords/data/etc. as an encrypted payload.
Steps 8, 9, and 10 can repeat indefinitely, with the malware ‘evidence’ and C&C
connection instructions changing constantly. The malware can be repurposed or told to
lie silent for prolonged periods of time.
As one can deduce from the above description of APTs, the client is the primary
target of the attackers. Through the use of social engineering, targeted spear phishing
emails are sent to known key users in an organization. A carefully crafted email entices
an unsuspecting victim to click on a malicious attachment that has been made to look like
a typical file the user expects from the spoofed sender.
Control 4 was chosen to help block the above threat vector by focusing on client-based
authenticated vulnerability scanning, including checks for the presence or absence of key
patches, and on quickly remediating any vulnerabilities found. Control 5 was chosen to
reduce and remediate the effect malware has in APTs.
6.1 Exploiting the Absence of Critical Controls 4 and 5
Any time new vulnerabilities are discovered and reported by security researchers
or vendors, attackers are quick to develop exploit code and immediately launch the
attack. Delays in finding or patching software with exploitable vulnerabilities provide
ample opportunity for persistent attackers to gain a critical foothold in the enterprise.
Failing to scan thoroughly for vulnerabilities and to address discovered flaws
proactively leaves one open to system compromise. Also, malicious software is used to
target end users via web browsing, email attachments, mobile devices, and other vectors.
This code attempts to capture sensitive data and spread to other systems, and it aims to
avoid signature-based detection and even to disable anti-virus tools running on systems
(CAG, 2011, pp. 23-26). John Pescatore, a distinguished Gartner analyst, said at a recent
Gartner Security and Risk Management Summit, “There is no such thing as the
unstoppable attack in cybersecurity. Every attack, in order to succeed, needs to exploit
a vulnerability” (infosecurity.com, 2011). Lacking a means to detect or prevent
malicious software from being installed and then establishing a command and control
channel introduces a risk to GIAC Enterprises that is unacceptable.
6.2 Focusing on the APTs, and the Threat Vectors through
Continuous Monitoring
Whether attackers use viruses, Trojans, bots, or rootkits, today’s malware is
designed for the long-term control of compromised client machines. Advanced malware
also establishes outbound communications across several different protocols to upload
collected data and to download further malware payloads for additional criminal
purposes. One of the keys to protecting sensitive data is continuous monitoring. This
includes verifying that systems are not susceptible to well-known exploits through
vulnerability assessments and being diligent in patch management.
The Risk Assessment (RA-3) and Vulnerability Scanning (RA-5) guidance
provided by NIST conforms to this concept. As shown in the workflow diagram below,
an assessment of risk is conducted, its results are documented, and the risk assessment
is then reviewed and updated. For vulnerability scanning, a similar diagram is presented
with a continual cycle: conduct vulnerability scans, analyze scan reports, remediate
legitimate vulnerabilities, and correlate and share results to reduce systemic weaknesses
or deficiencies (SP 800-53 Revision 3, 2010, pp. F92-93).
Workflow 1 - Risk Assessment: Conduct Assessment of Risk -> Document Risk Assessment
Results -> Review and Update Risk Assessment (cycle repeats).
Workflow 2 – Vulnerability Scanning: Conduct Vulnerability Scans -> Analyze Vulnerability
Scan Reports -> Remediate Legitimate Vulnerabilities -> Correlate and share results to
reduce systemic weaknesses or deficiencies (cycle repeats).
Continuous monitoring is a crucial element in the Risk Management Framework
developed by NIST. NIST’s recently released SP 800-137, “Information Security
Continuous Monitoring for Federal Information Systems and Organizations,” defines
continuous monitoring as “maintaining ongoing awareness of information security,
vulnerabilities, and threats to support organizational risk management decision” (SP
800-137, 2011, p. vi). In addition, an organization’s overall security architecture and
accompanying security program are monitored to ensure that organization-wide
operations remain within an acceptable level of risk, despite any changes that occur.
Recent guidance from the Office of Management and Budget on FISMA reporting
emphasizes monitoring on an ongoing basis rather than periodic assessments (Jackson,
2011).
6.3 Control 4 - Automating Continuous Vulnerability
Assessment and Remediation
Considering that an APT always starts with a compromised system that was
vulnerable, a means of understanding what vulnerabilities exist and what patches are
available to remediate them is critical. This is where GIAC Enterprises can take positive
steps to protect and isolate itself from easily prevented client-based exploits.
Research indicates that a limited number of exploits in just a handful of widely used
third-party applications are responsible for nearly all successful enterprise malware
infections on Windows clients. According to research released last September by the
research firm CSIS Security Group, a three-month study of real-time attack data showed
that as many as 85% of all virus infections occurred as a result of automated drive-by
attacks created with commercial exploit kits, and nearly all of them targeted five
popular third-party applications – Java Runtime Environment (JRE), Adobe Flash, Adobe
Acrobat and Reader, Internet Explorer, and Apple QuickTime (Kruse, 2011). This
research lends additional credence to the focus of the Australian DSD findings.
Automated vulnerability scanning should run on all organizational assets on at
least a weekly basis. Any time a new system is introduced to the network, a scan should
automatically occur. In addition, authenticated scans of known system types should
occur. For example, an administrative account should be established on all Windows-based
systems and the vulnerability scans should use the privileges of this account when
performing scans. This can be part of an enterprise solution incorporating agent-based
clients to facilitate the scans.
Scanning tools should scan for specific functionality, ports, protocols, and
services that should not be accessible to users or devices, and for improperly configured
systems. More importantly, modern scanners should determine whether key operating system
and third-party application patches are applied. Mobile code technologies such as
Java, JavaScript, ActiveX, PDF, PostScript, Shockwave movies, Flash animations, and
VBScript should be closely monitored and perhaps even restricted. Malware targeting
vulnerabilities in application-layer software, such as that mentioned above, needs to be
restricted by ensuring all application software is at the most current release. Perhaps it
is time to ban these dangerous third-party applications, as editorialized by Eric Parizo,
Senior Site Editor of SearchSecurity.com (Parizo, 2012)? If the use of third-party
applications is not banned completely, consider implementing security controls such as
removing Java from the Internet zone in Internet Explorer, configuring Adobe Reader to
prompt for JavaScript execution, or disallowing embedded executables from running in PDFs.
Research by Dan Guido and the Exploit Intelligence Project has shown these steps to be
the most efficient (Guido, 2011).
Vulnerabilities should be expressed using industry-recognized vulnerability,
configuration, and platform classification schemes, such as the Common Vulnerabilities
and Exposures (CVE) naming convention, together with the Open Vulnerability and Assessment
Language (OVAL) for testing whether vulnerabilities are present. Other excellent resources
for vulnerability information are the Common Weakness Enumeration (CWE) and the National
Vulnerability Database (NVD).
Correlating the existence of known vulnerabilities that can be easily remedied by
appropriate patching must be integrated into this process. By applying the known trifecta
associated with quality vulnerability scanning and remediation, GIAC Enterprises can hit
the ‘Sweet Spot’ to further reduce and eliminate easily exploitable holes.
To reduce or eliminate known security risks in the computing environment, GIAC
Enterprises needs to follow this process for automating this critical control:
1) Implement an automated approach to patching by utilizing solutions such as
Microsoft Windows Server Update Services (WSUS) or other commercial management
software for operating system and third-party software on all systems;
2) Identify, analyze, and remediate vulnerabilities by implementing an effective
continuous vulnerability assessment program. All vulnerability scanning should
be performed in authenticated mode, either with agents running locally on each
system to analyze the security configuration or with remote scanners that are
given administrative rights on the client systems being tested;
3) Tune scanning tools to identify changes over time on each client machine for both
authorized and unauthorized services. This will assist in detecting backdoors that
might have been created on a compromised system; and
4) Enlist senior management to provide effective incentives in the mitigation
process by tracking the number of unmitigated critical vulnerabilities for each
group.
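Steps 3 and 4 of the process above, as an added example that is not code from the paper or from any scanner vendor: a scan-to-scan comparison of listening services against an authorized baseline, and a per-group count of critical vulnerabilities still open past a patch SLA. The hosts, roles, groups, dates and the CVE-XXXX-nnnn ids are constructed placeholders.

```python
"""Scan-to-scan service changes and unmitigated criticals per group.

Added example, not code from the paper or from any scanner vendor. It runs two
analyses from the process above over constructed scan output: (a) services that
appeared on a host since the previous authenticated scan and are not on its
authorized list, the signal step 3 suggests for spotting backdoors; (b) critical
vulnerabilities still open past a patch SLA, counted per owning group, for the
management scorecard of step 4. Hosts, roles, dates and the CVE-style ids are
placeholders, not real identifiers.
"""
from datetime import date

# Authorized listening services per host role (constructed).
AUTHORIZED_SERVICES = {
    "workstation": {("tcp", 135), ("tcp", 445), ("tcp", 3389)},
    "webserver": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
}

# Constructed results of last week's and this week's authenticated scans.
LAST_WEEK = {
    "ws-017": {"role": "workstation", "group": "finance",
               "services": {("tcp", 135), ("tcp", 445)}},
    "web-01": {"role": "webserver", "group": "it",
               "services": {("tcp", 22), ("tcp", 80), ("tcp", 443)}},
}
THIS_WEEK = {
    "ws-017": {"role": "workstation", "group": "finance",
               "services": {("tcp", 135), ("tcp", 445), ("tcp", 4444)}},
    "web-01": {"role": "webserver", "group": "it",
               "services": {("tcp", 22), ("tcp", 443), ("tcp", 8443)}},
    "ws-052": {"role": "workstation", "group": "sales",
               "services": {("tcp", 3389)}},
}

# Constructed findings; "CVE-XXXX-nnnn" are placeholders for real CVE ids.
FINDINGS = [
    {"host": "ws-017", "id": "CVE-XXXX-0001", "severity": "critical",
     "first_seen": date(2012, 1, 5), "patched": None},
    {"host": "ws-017", "id": "CVE-XXXX-0002", "severity": "high",
     "first_seen": date(2012, 1, 5), "patched": None},
    {"host": "web-01", "id": "CVE-XXXX-0003", "severity": "critical",
     "first_seen": date(2012, 1, 20), "patched": date(2012, 1, 25)},
    {"host": "ws-052", "id": "CVE-XXXX-0004", "severity": "critical",
     "first_seen": date(2012, 2, 1), "patched": None},
]


def service_changes(previous, current):
    """Per host: services that appeared or disappeared since the previous scan,
    and the current services that are not authorized for the host's role.
    A new, unauthorized listener on a host is worth an incident ticket."""
    report = {}
    for host, info in current.items():
        before = previous.get(host, {}).get("services", set())
        now = info["services"]
        allowed = AUTHORIZED_SERVICES.get(info["role"], set())
        report[host] = {
            "new_host": host not in previous,
            "appeared": sorted(now - before),
            "disappeared": sorted(before - now),
            "unauthorized": sorted(now - allowed),
        }
    return report


def unmitigated_criticals(findings, hosts, as_of, sla_days=14):
    """Count critical findings still open for more than sla_days, per group."""
    counts = {}
    for f in findings:
        if f["severity"] != "critical" or f["patched"] is not None:
            continue
        if (as_of - f["first_seen"]).days <= sla_days:
            continue
        group = hosts[f["host"]]["group"]
        counts[group] = counts.get(group, 0) + 1
    return counts


def scorecard(as_of=date(2012, 2, 10)):
    """Bundle both analyses the way a weekly report to management might."""
    return {
        "services": service_changes(LAST_WEEK, THIS_WEEK),
        "overdue_criticals": unmitigated_criticals(FINDINGS, THIS_WEEK, as_of),
    }
```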
One known commercial example of this is from Tenable Network Security, Inc., which
recently announced that its Nessus Vulnerability Scanner and SecurityCenter now integrate
with top patch management solutions, including Red Hat Network Satellite Server, Microsoft
Windows Server Update Services (WSUS), Microsoft System Center Configuration Manager
(SCCM), and VMware Go. The integration bridges the gap between vulnerability management
and patch management solutions (darkReading.com, 2011). This is a very viable solution to
GIAC’s concerns about preventing malicious software from entering the enterprise. It is
critical to have strong vulnerability management and patch management strategies.
In addition, Tenable recently published a white paper entitled ‘Real-Time Auditing
for SANS Consensus Audit Guidelines – Leveraging Asset-Based Configuration and
Vulnerability Analysis with Real-Time Event Management’ (Gula, Fennelly, 2011). This
paper describes how Tenable’s solutions can be leveraged to achieve compliance with the
SANS Consensus Audit Guidelines (CAG) by ensuring that key assets are properly
configured and monitored for security compliance. It is interesting to note how they can
assist with the focus of Control 4. The following table, referenced from the aforementioned
white paper, outlines how effectively they can help GIAC Enterprises with the critical
task of reducing the footprint exposed to virus and malware attacks.
Table: 4. Continuous Vulnerability Assessment and Remediation
Interpretation: It is important to monitor systems for vulnerabilities in as close to
real time as possible. Penetration tests can discover vulnerabilities in the IT
infrastructure, but they are only a snapshot in time. A system that is scanned one day and
found to be free of vulnerabilities may be completely exploitable the next day.
Tenable Solution: Tenable was founded on the belief that it is crucial to monitor
systems in a manner as close to real time as possible to ensure the organization does not
drift out of compliance over time. The greater the gap between monitoring cycles, the more
likely it is for vulnerabilities to be undetected. To achieve this goal, Tenable offers
several technologies that can be leveraged:
> Nessus can perform rapid network scans. A typical vulnerability scan can take just a
few minutes. With the SC, multiple Nessus scanners can be combined to perform load
balanced network scans.
> Nessus credential scans can be leveraged to perform highly accurate and rapid
configuration and vulnerability audits. Credentialed scans also enumerate all UDP and
TCP ports in just a few seconds.
> The Passive Vulnerability Scanner (PVS) monitors all network traffic in real time to
find new hosts, new vulnerabilities, and new applications. It scans for the same
vulnerabilities detected by the Nessus scanner.
This section helps to automate sub-controls 4.1, 4.2, 4.3, 4.4, 4.6, 4.7, and 4.8
(CAG, 2011, pp. 23-24).
6.4 Control 5 - Automating Continuous Monitoring of Malicious
Software and Malware Callbacks
According to the most recent security threat report published by Sophos, the company
analyzed 95,000 malware samples every day, nearly double the amount tracked the prior
year. This amounts to one unique file every 0.9 seconds, 24 hours a day, every day of
the year (Sophos, 2011).
Attackers have developed ways to bypass outdated security techniques, such as
signatures, leaving businesses and consumers vulnerable to attack. Signature-based
technologies like IPS and antivirus software, in both perimeter and endpoint
solutions, are increasingly ineffective against this rapidly evolving, blended threat. In
fact, Bob Walder from Gartner reported, “Some IPS/IDS/Next-Generation firewalls
(NGFW) vendors are no better at handling evasions today than they were when they
released their original products” (Walder, 2010).
A common denominator of any malware delivery system is the human element.
Quoting from the book Information Security Management Handbook, Sixth Edition, “It
is well recognized that the greatest information security danger to any organization is not
a particular process, technology, or equipment, rather it is the people who work within
the ‘system’ that hide the inherent danger” (Tipton, Krause, 2007, Ch. 43). An educated
workforce is also critical to combating malware.
With the sophisticated approach used by modern attackers to inject malware into an
organization, it is almost impossible to prevent systems from being compromised. A
process has to be in place to carry out incident response when malware is detected. This
process has to be timely in order to quickly contain any infections that have occurred.
The efficiency of modern malware at gathering proprietary information and transmitting it
back via encrypted channels is too alarming to ignore. A compromised system has to be
detected and removed from the network as soon as possible, then eradicated and recovered
following best-practice incident response procedures. In 2005, NIST introduced Special
Publication 800-83, ‘Guide to Malware Incident Prevention and Handling’. This publication
provides recommendations for improving an organization’s malware incident prevention
measures. It also gives extensive recommendations for enhancing an organization’s
existing incident response capability so that it is better prepared to handle malware
incidents (Mell, 2005).
With zero-day and APT attacks being the primary challenges businesses face today,
GIAC Enterprises needs to follow this process for automating, and thus reducing, the
risk of data loss through malware infections:
1) Implement basic and necessary malware protection. This includes both
perimeter and endpoint solutions for Intrusion Prevention Systems (IPS) as well
as antivirus/antimalware protection. Even though these typical signature-based
solutions are increasingly less effective, they will still prevent many infections
from occurring. Host-based IPS (HIPS) can and should be implemented as
another layer of protection. This can prevent known malware from infecting
systems;
2) Train and educate users in the art of recognizing social engineering tactics.
Conduct simulated but realistic scenarios, such as sending a targeted spear
phishing email with a payload that reports successful installation back to IT
management;
3) Configure laptops, workstations, and servers so that they will not auto-run
content from USB, CD/DVD, FireWire, or other externally connectable sources;
4) Deploy network access control tools to verify security and patch-level
compliance before granting access to the network;
5) Implement a malware incident response process that quickly detects, contains,
eradicates, and recovers malware-infected hosts; and
6) Considering that the above recommendations might mitigate 80% of the risk to
GIAC Enterprises, the remaining 20% is where the real challenge lies. With this
in mind, advanced technology is needed, such as virtual inspection of executable
malware and inspection engines that monitor malware infections in real time and
identify and block communication from compromised systems to attackers’ command
and control servers.
Recognizing the importance of the GIAC Enterprises cookie sayings, a technology
needs to be recommended to compensate for the deficiencies just mentioned. In
particular, how can one detect and prevent zero-day attacks? Is there a way to monitor
both inbound and outbound traffic to detect command and control sessions? One
commercial example of such technology is FireEye, which recently shared its five key
principles for designing an effective network-based defense. The five key principles
on which GIAC Enterprises will focus are (FireEye, p. 5):
1) Dynamic defenses to stop targeted, zero-day attacks;
2) Real-time protection to block data exfiltration attempts;
3) Integrated inbound and outbound filtering across protocols;
4) Accurate, low false positive rates; and
5) Global intelligence on advanced threats to protect the local network.
FireEye has developed next-generation protection against stealth malware to
prevent data loss and intellectual property theft. A diagram depicting this technology is
included below (FireEye, pp. 6-8):
Another example of a commercial sensor solution is Damballa Failsafe (Damballa
Failsafe, 2011). It fulfills GIAC Enterprises’ goal of monitoring malware infections in
real time by monitoring DNS, egress, and proxy traffic, and it utilizes multi-dimensional
deep-packet inspection engines to correlate suspicious behaviors in order to rapidly
identify and isolate a breach by blocking the communication from compromised endpoints
to criminal C&C servers. The following diagram depicts this approach:
This section helps to automate sub-controls 5.1, 5.2, 5.3, 5.5, 5.6, 5.7, 5.8, and 5.9
(CAG, 2011, pp. 26-27).
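The outbound monitoring this section calls for (watching egress and proxy traffic for communication from compromised endpoints to C&C servers), as an added example that is not code from the paper, FireEye or Damballa. The proxy log lines, the intelligence list, the allowlist and the beaconing thresholds are constructed; a real deployment would feed the same logic from the proxy and DNS logs.

```python
"""Spotting malware callbacks in egress proxy logs.

Added example, not code from the paper or from FireEye or Damballa. It is an
offline miniature of the outbound monitoring this section calls for: parse
proxy log lines, then flag an internal host as likely compromised when it
contacts a destination on a threat intelligence list, or when it beacons, that
is, reconnects to one destination at a near-constant interval. The log lines,
the intelligence list, the allowlist and the thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

LOG_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
                    r"(?P<src>\S+) (?P<dst>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$")

KNOWN_C2 = {"update-check.example.invalid"}   # constructed intelligence feed
ALLOWLIST = {"updates.example.org"}           # constructed, known periodic traffic

# Constructed proxy log: timestamp, source host, destination, status, bytes.
PROXY_LOG = """\
2012-02-14 09:00:01 10.1.1.25 www.example.com 200 5120
2012-02-14 09:00:05 10.1.1.40 cdn.example.net 200 81000
2012-02-14 09:00:09 10.1.1.40 cdn.example.net 200 2200
2012-02-14 09:03:40 10.1.1.40 cdn.example.net 200 640
2012-02-14 09:05:02 10.1.1.25 ping.example.invalid 200 320
2012-02-14 09:10:01 10.1.1.25 ping.example.invalid 200 318
2012-02-14 09:12:30 10.1.1.60 update-check.example.invalid 200 900
2012-02-14 09:15:03 10.1.1.25 ping.example.invalid 200 321
2012-02-14 09:20:00 10.1.1.25 ping.example.invalid 200 319
2012-02-14 09:25:02 10.1.1.25 ping.example.invalid 200 320
2012-02-14 09:31:12 10.1.1.40 cdn.example.net 200 410000
2012-02-14 09:00:00 10.1.1.70 updates.example.org 200 48
2012-02-14 09:10:00 10.1.1.70 updates.example.org 200 48
2012-02-14 09:20:00 10.1.1.70 updates.example.org 200 48
2012-02-14 09:30:00 10.1.1.70 updates.example.org 200 48
"""


def parse_log(text):
    """Parse lines into events; malformed lines are skipped, not trusted."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           "src": m["src"], "dst": m["dst"], "bytes": int(m["bytes"])})
    return events


def beacon_interval(timestamps, min_hits=4, max_cv=0.1):
    """Return the mean gap in seconds if the contacts look like beaconing
    (at least min_hits contacts whose gaps have a coefficient of variation
    no greater than max_cv), otherwise None."""
    if len(timestamps) < min_hits:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0 or pstdev(gaps) / avg > max_cv:
        return None
    return round(avg)


def detect(events):
    """Map each suspicious source host to the reasons it was flagged."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e["ts"])
    alerts = defaultdict(list)
    for (src, dst), stamps in by_pair.items():
        if dst in KNOWN_C2:
            alerts[src].append(("known_c2", dst))
        if dst in ALLOWLIST:
            continue   # expected periodic traffic, e.g. a sanctioned update service
        interval = beacon_interval(stamps)
        if interval is not None:
            alerts[src].append(("beaconing", dst, interval))
    return dict(alerts)
```

Destinations that beacon legitimately (update checkers, monitoring agents) are the main source of false positives here, which is why the allowlist is applied before the interval test.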
7. Recommended Risk-based Action Plan
Clearly APTs pose significant risks to GIAC Enterprises and other organizations.
This has led the Chief Legal Officer (CLO) and Chief Information Officer (CIO) of
GIAC Enterprises to express concern, since the organization has a responsibility to do
what is reasonable and prudent to protect its stakeholders. Therefore, a special team has
been assigned the task of analyzing requirements and surveying available security
standards and guidelines such as ISO, NIST, the 20 Critical Controls, and the Australian
DSD 35 mitigating strategies. Appropriate research has also been conducted, and the
relationship between the various frameworks has been mapped out. In addition,
automation approaches have been developed for the controls the assigned team considers
most pressing. One of the results of this research is a risk-based action plan for GIAC
Enterprises to follow. The objective of this plan is to give tailored security guidance.
The recommended plan is based on the action plan laid out at the end of the 20 Critical
Controls – Consensus Audit Guidelines (CAG, 2011, p. 69), augmented with steps the team
believes are essential for the organization’s specific requirements. Implementing all 20
Critical Controls to the “advanced controls” level can take multiple years. To mitigate
risk quickly, the team believes that once the “Quick Wins” are implemented for the 20
Critical Controls, the focus should be on implementing controls 4, 5, 15, and 17 right
away.
Action Plan:
1) Conduct a gap assessment to compare the organization’s current security stance to
the detailed recommendations of the critical controls;
2) Implement the “quick win” critical controls to address the gaps identified by the
assessment over the next one or two quarters;
3) Implement critical controls numbers 4 and 5. Leverage the suggested automation
approaches included in this research. Reaching the “advanced controls” level is
preferred, but not necessary;
4) Implement critical controls numbers 15 and 17. Leverage the suggested
automation approaches included in this research. Reaching the “advanced
controls” level is preferred, but not necessary;
5) Assign security personnel to analyze and understand how the remaining critical
controls (those beyond the quick wins and controls 4, 5, 15, and 17) can be deployed;
6) For the remaining controls, devise detailed plans to implement the "visibility and
attribution" and "hardened configuration and improved information security
hygiene" tiers over the next year; and
7) Plan for the deployment of the "advanced controls" over the longer term, giving
priority to controls 4, 5, 15, and 17.
8. References
Alperovitch, D. et al (2011, August 2). Revealed: Operation Shady Rat. Retrieved from
http://blogs.mcafee.com/mcafee-labs/revealed-operation-shady-rat
Andress, J. (2011). Advanced Persistent Threat. ISSA Journal, 2011(June), 18-24.
Retrieved from https://www.issa.org/images/upload/files/AndressAdvanced%20Persistent%20Threat.pdf
Baseline Standard of Due Care for Cybersecurity (2009, February 23). U.S. Federal
Cybersecurity Experts Name Top 20 Controls. Retrieved December 22, 2011,
from http://www.gilligangroupinc.com/headlines/2009/feb-23related/20090223-cag-press-release-pdf.html
Binde, B. et al (2011, May 22). Assessing outbound traffic to uncover advanced
persistent threat. Retrieved from http://www.sans.edu/student-files/projects/JWPBinde-McRee-OConnor.pdf
Bitpipe.com (2011, September 22). Advanced Persistent Threat: Are You the Next
Target? [White paper sponsored by Imperva]. Retrieved December 14, 2011,
from
http://www.bitpipe.com/detail/RES/1316630992_836.html?asrc=RSS_BP_TERM
Command Five Pty Ltd. (2011, September 01). SK Hack by an Advanced Persistent
Threat. Retrieved from
http://www.commandfive.com/papers/C5_APT_SKHack.pdf
Consensus Audit Guidelines (CAG) Version 3.1 (2011, October 03). Twenty Critical
Security Controls for Effective Cyber Defense: Consensus Audit Guidelines
(CAG). Retrieved December 23, 2011 from http://www.sans.org/critical-securitycontrols/cag3_1.pdf
Continuity Central – The international business continuity information portal. (2012,
January, 13). Twenty critical controls for effective cyber defense (U.K. Centre
for the Protection of National Infrastructure). Website retrieved January 14, 2012,
from http://continuitycentral.com/news06099.html
Coviello, A. (2011, March 18). Open Letter to RSA Customers. Retrieved December 22,
2011, from RSA.com: http://www.rsa.com/node.aspx?id=3872
Damballa. (2011). Advanced Malware. Retrieved January 2, 2012, from
http://www.damballa.com/cyber-threats/advanced_malware.php
Damballa Failsafe. (2011). Damballa Failsafe 5.0 Demo. Retrieved January 2, 2012,
from http://www.damballa.com/solutions/damballa-failsafedemo.php?mkt_tok=3RkMMJWWfF9wsRokuKzPZKXonjHpfsX66OUkXaeg38431UFwdcjKPmjr1YEIT9QhcOuuEwcWGog8xA1VGOGZcIE%3D
darkReading.com (2011, December 13). Tenable Network Security Offers Unique
Integration With Top Patch Management Solutions. Retrieved December 27,
2011, from
http://www.darkreding.com/taxonomy/index/printarticle/id/232300437
Dausin, M. (2010, September 16). Top Cyber Security Risks 2010. Retrieved from
http://dvlabs.tippingpoint.com/blog/2010/09/16/top-syber-security-risks-2010.
E-Government Act of 2002. (2002, December 17). Public Law 107-347. Retrieved
December 21, 2011, from website: http://frwebgate.access.gpo.gov/cgibin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ347.107.pdf
FIPS PUB 200. (2006, March 09). Federal Information Processing Standards 200 –
Announcing the Standard for Minimum Security Requirements for Federal
Information and Information Systems. Website retrieved December 21, 2011,
from http://csrc.nist.gov/publications/fips/fips200/FIPS-200-finalmarch.pdf
FireEye. (n.d.) 5 Design Principles for Advanced Malware Protection [White paper].
Retrieved December 27, 2011, from
http://docs.media.bitpipe.com/io_10x/io_100086/item_407114/FireEye_5DesignPrinciples_wp.pdf
FISMA Implementation Project. (2009, June 12). FISMA Implementation Project.
Website retrieved December 21, 2011, from
http://www.nist.gov/itl/csd/sma/fisma.cfm
Guido, D. (2011, April 20) The Exploit Intelligence Project. Website retrieved January
28, 2012, from http://www.isecpartners.com/presentations/the-exploitintelligence-project.html
Gula, R., & Fennelly, C. (2011, November 16). Real-Time Auditing for SANS
Consensus Audit Guidelines – Leveraging Asset-Based Configuration and
Vulnerability Analysis with Real-Time Event Management. Retrieved December
28, 2011 from
http://www.tenable.com/sites/drupal.dmz.tenablesecurity.com/files/uploads/documents/whitepapers/tenable_SANS-CAG_compliance.pdf
InfoSecurity (2011, June 23). The Hype, and the Reality, Behind Advanced Persistent
Threats. Website retrieved December 27, 2011, from http://www.infosecuritymagazine.com/view/18897/the-hype-and-the-reality-behind-advanced-persistentthreats/
Jackson, W. (2011, October, 03). NIST offers a how-to for must-do continuous
monitoring. Website retrieved January 5, 2012, from
http://gcn.com/Articles/2011/10/03/NIST-continuous-monitoringsecurity.aspx?Page=1
Kruse, P. (2011, September 27). This is how windows get infected by malware. Website
retrieved January 28, 2012, from http://www.csis.dk.en.csis/news/3321.
Lau, H. (2011, August 04). The Truth Behind the Shady Rat [Web log message].
Retrieved from http://www.symantec.com/connect/blogs/truth-behind-shady-rat
McClure, S. et al. (2010, March 03). Protecting Your Critical Assets: Lessons Learned
from “Operation Aurora” [White paper]. Retrieved December 22, 2011, from
McAfee.com: http://www.mcafee.com/us/resources/white-papers/wp-protectingcritical-assets.pdf
Mell, P. et al. (2005, November 23). Special Publication 800-83 - Guide to Malware
Incident Prevention and Handling. Website retrieved January 30, 2012, from
http://csrc.nist.gov/publications/nistpubs/800-83/SP800-83.pdf
Parizo, E. (2012, January, 27). Time to ban dangerous apps? Exploring third-party app
security. Website retrieved January 27, 2012, from
http://searchsecurity.techtarget.com/opinion/Time-to-ban-dangerous-appsExploring-third-party-app-security?asrc=EM_NLN_16192387&track=NL105&ad=860220&
RSA Data Loss Prevention (DLP) Suite (2011, December 20). Retrieved from
http://www.rsa.com/node.aspx?id=3426
RSA Data Loss Prevention (DLP) Policy Workflow Manager (PWM) (2011, December
23). Retrieved from
http://www.rsa.com/products/DLP/ds/11436_DLPPWM_DS_0611.pdf
RSA Data Loss Prevention (DLP) Risk Remediation Manager (RRM) (2011, December
24). Retrieved from
http://www.rsa.com/products/DLP/ds/11435_DLPRRM_DS_0611.pdf
SANS Press Release. (2011, October 24). Australian Defence Signals Directorate wins
U.S. National Cybersecurity Innovation Award – Identifying and Implementing
the Four Key Controls That Stop the Spread of Targeted Cyber Intrusions.
Retrieved January 13, 2012, from http://www.sans.org/press/australian-defencesignals-directorate-national-cybersecurity-award.php
Shook, S. et al. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”.
Retrieved from http://www.mcafee.com/in/resources/white-papers/wp-globalenergy-cyberattacks-night-dragon.pdf
Smith, M. (2011, February 27). NIST SP 800-53 Rev. 4 already in the works. Retrieved
December 22, 2011, from http://netlocksmith.blogspot.com/2011/02/nistsp-800-53-rev-4-already-in-works.html
Sophos. (2011). Security threat report 2011 [White paper]. Retrieved from
http://www.sophos.com/medialibrary/Gated Assets/white
papers/sophossecuritythreatreport2011wpna.pdf
SP 800-137. (2011, September). NIST Special Publication 800-137 – Information
Security Continuous Monitoring (ISCM) for Federal Information Systems and
Organizations. Website retrieved January 5, 2012, from
http://csrc.nist.gov/publications/nistpubs/800-137/SP800-137-Final.pdf
SP 800-53 Revision 3. (2010, May 01). NIST Special Publication 800-53 Revision 3 –
Recommended Security Controls for Federal Information Systems and
Organizations. Website retrieved December 21, 2011, from
http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3final_updated-errata_05-01-2010.pdf.
Tipton, H. & Krause, M. (2007). Information security management handbook, sixth
edition. [Books24x7 version] Available from
http://common.books24x7.com/toc.aspx?bookid=26438
Walder, B. (2010, November 29). Advanced Evasion Technologies: Weapon of Mass
Destruction or Absolute Dud? Retrieved December 29, 2011 from
http://www.stonesoft.com/export/download/partner_mat/advanced_evasion_techniques__209087.pdf
9. APPENDIX
Appendix A: FIPS PUB 200 - Specifications for Minimum
Security Requirements
Each entry gives the FIPS PUB 200 specification (with its SP 800-53 family identifier) followed by its description.

Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.

Awareness and Training (AT): Organizations must: (i) ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems; and (ii) ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.

Audit and Accountability (AU): Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.

Certification, Accreditation, and Security Assessments (CA): Organizations must: (i) periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems; (iii) authorize the operation of organizational information systems and any associated information system connections; and (iv) monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.

Configuration Management (CM): Organizations must: (i) establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enforce security configuration settings for information technology products employed in organizational information systems.

Contingency Planning (CP): Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.

Identification and Authentication (IA): Organizations must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

Incident Response (IR): Organizations must: (i) establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and (ii) track, document, and report incidents to appropriate organizational officials and/or authorities.

Maintenance (MA): Organizations must: (i) perform periodic and timely maintenance on organizational information systems; and (ii) provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.

Media Protection (MP): Organizations must: (i) protect information system media, both paper and digital; (ii) limit access to information on information system media to authorized users; and (iii) sanitize or destroy information system media before disposal or release for reuse.

Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems.

Planning (PL): Organizations must develop, document, periodically update, and implement security plans for organizational information systems that describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information systems.

Personnel Security (PS): Organizations must: (i) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures.

Risk Assessment (RA): Organizations must periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information.

System and Services Acquisition (SA): Organizations must: (i) allocate sufficient resources to adequately protect organizational information systems; (ii) employ system development life cycle processes that incorporate information security considerations; (iii) employ software usage and installation restrictions; and (iv) ensure that third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from the organization.

System and Communications Protection (SC): Organizations must: (i) monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems; and (ii) employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.

System and Information Integrity (SI): Organizations must: (i) identify, report, and correct information and information system flaws in a timely manner; (ii) provide protection from malicious code at appropriate locations within organizational information systems; and (iii) monitor information system security alerts and advisories and take appropriate actions in response.
Appendix B: Mapping between the 20 Critical Security Controls
and National Institute of Standards and Technology Special
Publication 800-53, Revision 3, Priority 1 Items
Each Critical Control is followed by its SP 800-53 Revision 3 Priority 1 references (letters denote control paragraphs, numbers denote control enhancements).

Critical Control 1: Inventory of Authorized and Unauthorized Devices
  References: CM-8 (a, c, d, 2, 3, 4), PM-5, PM-6

Critical Control 2: Inventory of Authorized and Unauthorized Software
  References: CM-1, CM-2 (2, 4, 5), CM-3, CM-5 (2, 7), CM-7 (1, 2), CM-8 (1, 2, 3, 4, 6), CM-9, PM-6, SA-6, SA-7

Critical Control 3: Secure Configurations for Hardware and Software
  References: CM-1, CM-2 (1, 2), CM-3 (b, c, d, e, 2, 3), CM-5 (2), CM-6 (1, 2, 4), CM-7 (1), SA-1 (a), SA-4 (5), SI-7 (3), PM-6

Critical Control 4: Continuous Vulnerability Assessment and Remediation
  References: RA-3 (a, b, c, d), RA-5 (a, b, 1, 2, 5, 6)

Critical Control 5: Malware Defenses
  References: SC-18, SC-26, SI-3 (a, b, 1, 2, 5, 6)

Critical Control 6: Application Software Security
  References: CM-7, RA-5 (a, 1), SA-3, SA-4 (3), SA-8, SI-3, SI-10

Critical Control 7: Wireless Device Control
  References: AC-17, AC-18 (1, 2, 3, 4), SC-9 (1), SC-24, SI-4 (14, 15)

Critical Control 8: Data Recovery Capability
  References: CP-9 (a, b, d, 1, 3), CP-10 (6)

Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps
  References: AT-1, AT-2 (1), AT-3 (1)

Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  References: AC-4 (7, 10, 11, 16), CM-1, CM-2 (1), CM-3 (2), CM-5 (1, 2, 5), CM-6 (4), CM-7 (1, 3), IA-2 (1, 6), IA-5, IA-8, RA-5, SC-7 (2, 4, 5, 6, 8, 11, 13, 14, 18), SC-9

Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services
  References: CM-6 (a, b, d, 2, 3), CM-7 (1), SC-7 (4, 5, 11, 12)

Critical Control 12: Controlled Use of Administrative Privileges
  References: AC-6 (2, 5), AC-17 (3), AC-19, AU-2 (4)

Critical Control 13: Boundary Defense
  References: AC-17 (1), AC-20, CA-3, IA-2 (1, 2), IA-8, RA-5, SC-7 (1, 2, 3, 8, 10, 11, 14), SC-18, SI-4 (c, 1, 4, 5, 11), PM-7

Critical Control 14: Maintenance, Monitoring, and Analysis of Security Audit Logs
  References: AC-17 (1), AC-19, AU-2 (4), AU-3 (1, 2), AU-4, AU-5, AU-6 (a, 1, 5), AU-8, AU-9 (1, 2), AU-12 (2), SI-4 (8)

Critical Control 15: Controlled Access Based on the Need to Know
  References: AC-1, AC-2 (b, c), AC-3 (4), AC-4, AC-6, MP-3, RA-2 (a)

Critical Control 16: Account Monitoring and Control
  References: AC-2 (e, f, g, h, j, 2, 3, 4, 5), AC-3

Critical Control 17: Data Loss Prevention
  References: AC-4, MP-2 (2), MP-4 (1), SC-7 (6, 10), SC-9, SC-13, SC-28 (1), SI-4 (4, 11), PM-7

Critical Control 18: Incident Response Capability
  References: IR-1, IR-2 (1), IR-4, IR-5, IR-6 (a), IR-8

Critical Control 19: Secure Network Engineering
  References: IR-4 (2), SA-8, SC-7 (1, 13), SC-20, SC-21, SC-22, PM-7

Critical Control 20: Penetration Tests and Red Team Exercises
  References: CA-2 (1, 2), CA-7 (1, 2), RA-3, RA-5 (4, 9), SA-12 (7)
Appendix C: Mapping between the 20 Critical Security Controls
and the Australian Government Defence Signals
Directorate’s 35 Mitigation Strategies
Each entry gives the DSD effectiveness ranking, the mitigation strategy, and the matching Top 20 Critical Control sub-controls.

1. Patch applications (e.g., PDF viewer, Flash Player, Microsoft Office and Java). Patch or mitigate within two days for high-risk vulnerabilities. Use the latest version of applications.
   Matching Critical Controls: 4.3

2. Patch operating system vulnerabilities. Patch or mitigate within two days for high-risk vulnerabilities. Use the latest operating system version.
   Matching Critical Controls: 4.3

3. Minimize the number of users with domain or local administrative privileges. Such users should use a separate unprivileged account for e-mail and web browsing.
   Matching Critical Controls: 19.1, 19.6

4. Application white listing to help prevent malicious software and other unapproved programs from running (e.g., by using Microsoft Software Restriction Policies or AppLocker).
   Matching Critical Controls: 2.4

5. Host-based intrusion detection/prevention system to identify anomalous behavior such as process injection, keystroke logging, driver loading, and call hooking.
   Matching Critical Controls: 8.1, 8.6

6. White-listed email content filtering allowing only attachment types required for business functionality. Preferably convert/sanitize PDF and Microsoft Office attachments.
   Matching Critical Controls: 8.5

7. Block spoofed e-mails using sender policy framework checking of incoming e-mails, and a "hard fail" SPF record to help prevent spoofing of your organization's domain.
   Matching Critical Controls: 12.5

8. User education (e.g., Internet threats and spear phishing socially engineered emails). Avoid weak pass phrases, pass phrase re-use, exposing e-mail addresses, unapproved USB devices.
   Matching Critical Controls: 19.1, 17.1, 17.2, 17.3, 17.4, 17.5

9. Web content filtering of incoming and outgoing traffic, using signatures, reputation ratings, and other heuristics, and white listing allowed types of web content.
   Matching Critical Controls: 12.1, 12.2, 12.3

10. Web domain white listing for all domains, since this approach is more proactive and thorough than black listing a tiny percentage of malicious domains.
   Matching Critical Controls: 12.1, 12.7

11. Web domain white listing for HTTPS/SSL domains, since this approach is more proactive and thorough than black listing a tiny percentage of malicious domains.
   Matching Critical Controls: 12.1, 12.7

12. Workstation inspection of Microsoft Office files for abnormalities (e.g., using the Microsoft Office File Validation feature).
   Matching Critical Controls: 8.1, 8.6

13. Application-based workstation firewall, configured to deny traffic by default, to protect against malicious or otherwise unauthorized incoming network traffic.
   Matching Critical Controls: 3.3, 8.1, 5.1

14. Application-based workstation firewall, configured to deny traffic by default, that white lists which applications are allowed to generate outgoing network traffic.
   Matching Critical Controls: 3.3, 8.1, 8.8, 5.1

15. Network segmentation and segregation into security zones to protect sensitive information and critical services such as user authentication and user directory information.
   Matching Critical Controls: 10.8, 12.6, 20.4, 11.1, 11.5

16. Multi-factor authentication, especially implemented for when the user is about to perform a privileged action, or access a database or other sensitive information repository.
   Matching Critical Controls: 10.6, 19.11

17. Randomized local administrator pass phrases that are unique and complex for all computers. Use domain group privileges instead of local administrator accounts.
   Matching Critical Controls: 19.1, 19.7

18. Enforce a strong pass phrase policy covering complexity and length, and avoiding both pass phrase re-use and the use of dictionary words.
   Matching Critical Controls: 19.1, 19.8, 13.7

19. Border gateway using an IPv6-capable firewall to prevent computers from directly accessing the Internet except via a split DNS server, an e-mail server, or an authenticated web proxy.
   Matching Critical Controls: 10.5, 12.7, 11.3

20. Data execution prevention using hardware and software mechanisms for all software applications that support DEP.
   Matching Critical Controls: 3.3

21. Anti-virus software with up-to-date signatures, reputation ratings, and other heuristic detection capabilities. Use gateway and desktop anti-virus software from different vendors.
   Matching Critical Controls: 8.1, 8.2, 8.5, 8.6

22. Nonpersistent, virtualized trusted operating environment with limited access to network file shares, for risky activities such as reading e-mail and web browsing.
   Matching Critical Controls: 2.6

23. Centralized and time-synchronized logging of allowed and blocked network activity, with regular log analysis, storing logs for at least 18 months.
   Matching Critical Controls: 7.1, 7.3, 7.5, 7.6, 7.7

24. Centralized and time-synchronized logging of successful and failed computer events, with regular log analysis, storing logs for at least 18 months.
   Matching Critical Controls: 7.1, 7.4, 7.5, 7.6

25. Standard operating environment with unrequired operating system functionality disabled (e.g., IPv6, autorun and Remote Desktop). Harden file and registry permissions.
   Matching Critical Controls: 3.1, 3.2, 3.3, 8.3

26. Workstation application security configuration hardening (e.g., disable unrequired features in PDF viewers, Microsoft Office applications, and web browsers).
   Matching Critical Controls: 3.1, 3.2, 3.3

27. Restrict access to NetBIOS services running on workstations and on servers where possible.
   Matching Critical Controls: 20.3, 20.4

28. Server application security configuration hardening (e.g., databases, web applications, customer relationship management, and other data storage systems).
   Matching Critical Controls: 3.1, 3.2, 3.3

29. Removable and portable media control as part of a data loss prevention strategy, including storage, handling, white listing allowed USB devices, encryption, and destruction.
   Matching Critical Controls: 8.3, 8.4, 9.7, 9.8, 9.10

30. TLS encryption between e-mail servers to help prevent legitimate e-mails from being intercepted and used for social engineering. Perform content scanning after email traffic is decrypted.
   Matching Critical Controls: 20.4

31. Disable LanMan password support and cached credentials on workstations and servers to make it harder for adversaries to crack password hashes.
   Matching Critical Controls: 3.1, 3.2, 3.3, 19.5

32. Block attempts to access websites by their IP address instead of by their domain name.
   Matching Critical Controls: 12.1, 12.7

33. Network-based intrusion detection/prevention system using signatures and heuristics to identify anomalous traffic both internally and crossing network perimeter boundaries.
   Matching Critical Controls: 12.2, 12.3

34. Gateway black listing to block access to known malicious domains and IP addresses, including dynamic and other domains provided free to anonymous Internet users.
   Matching Critical Controls: 12.1

35. Full network traffic capture to perform post-incident analysis of successful intrusions, storing network traffic for at least the previous seven days.
   Matching Critical Controls: 12.4
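As an added example (my own code, not part of the paper), the following Python script automates the crosswalk the two appendices describe in data: it parses the SP 800-53 reference notation used in Appendix B, joins a DSD strategy to its Critical Control sub-controls and on to the SP 800-53 controls, and reports which of the team's priority controls (4, 5, 15 and 17) the DSD top-four strategies leave untouched. Only the appendix rows the example needs are transcribed. The join assumes, without checking, that Appendices B and C number the Critical Controls the same way; the paper does not state which Consensus Audit Guidelines version the DSD mapping used, so treat that as an assumption to verify before relying on the output.

```python
"""Crosswalk: DSD mitigation strategy -> Critical Controls -> SP 800-53 Rev. 3.

Added example, not code from the paper. The two mapping dictionaries are
transcribed from Appendix C (DSD strategy -> CSC sub-controls) and Appendix B
(CSC -> SP 800-53 references); only the rows this example needs are included.
"""
import re
from collections import defaultdict

# Appendix C rows for the DSD top-four strategies (rank -> CSC sub-controls).
DSD_TO_CSC = {
    1: ["4.3"],            # patch applications
    2: ["4.3"],            # patch operating systems
    3: ["19.1", "19.6"],   # minimize administrative privileges
    4: ["2.4"],            # application white listing
}

# Appendix B rows, as the paper writes them: letters are control
# paragraphs, digits are control enhancements. Control 5 is included to
# show a priority control the top-four strategies never reach.
CSC_TO_SP80053 = {
    2: "CM-1, CM-2 (2, 4, 5), CM-3, CM-5 (2, 7), CM-7 (1, 2), "
       "CM-8 (1, 2, 3, 4, 6), CM-9, PM-6, SA-6, SA-7",
    4: "RA-3 (a, b, c, d), RA-5 (a, b, 1, 2, 5, 6)",
    5: "SC-18, SC-26, SI-3 (a, b, 1, 2, 5, 6)",
    19: "IR-4 (2), SA-8, SC-7 (1, 13), SC-20, SC-21, SC-22, PM-7",
}

# One reference: a control ID such as "CM-8", optionally followed by a
# parenthesised, comma-separated list of paragraphs and enhancements.
REF_RE = re.compile(r"([A-Z]{2}-\d+)(?:\s*\(([^)]*)\))?")


def parse_refs(text):
    """Turn 'CM-8 (a, c, 2), PM-5' into {'CM-8': ['a', 'c', '2'], 'PM-5': []}."""
    refs = {}
    for control, items in REF_RE.findall(text):
        parts = [p.strip() for p in items.split(",") if p.strip()]
        refs.setdefault(control, []).extend(parts)
    return refs


def csc_controls(strategies, dsd_map=DSD_TO_CSC):
    """Set of Critical Control numbers touched by the given DSD strategy ranks."""
    return {int(sub.split(".")[0]) for rank in strategies for sub in dsd_map[rank]}


def crosswalk(strategies, dsd_map=DSD_TO_CSC, csc_map=CSC_TO_SP80053):
    """Map each SP 800-53 control reached from the strategies to the CSC
    sub-controls that lead to it. Assumption (not verified here): both
    appendices use the same Critical Control numbering."""
    reached = defaultdict(set)
    for rank in strategies:
        for sub in dsd_map[rank]:
            control = int(sub.split(".")[0])
            for sp_control in parse_refs(csc_map[control]):
                reached[sp_control].add(sub)
    return dict(reached)


def uncovered(priority_controls, strategies, dsd_map=DSD_TO_CSC):
    """Priority Critical Controls that none of the given strategies touch."""
    return sorted(set(priority_controls) - csc_controls(strategies, dsd_map))


if __name__ == "__main__":
    top_four = [1, 2, 3, 4]
    for sp_control, subs in sorted(crosswalk(top_four).items()):
        print(f"{sp_control:6} <- CSC {', '.join(sorted(subs))}")
    # The paper's priority controls are 4, 5, 15 and 17 (section 7).
    print("priority controls not reached by the DSD top four:",
          uncovered([4, 5, 15, 17], top_four))
```

Run stand-alone, the script lists RA-3 and RA-5 under sub-control 4.3 and the CM family under 2.4, and reports controls 5, 15 and 17 as unreached by the DSD top four, which is consistent with the paper's decision to treat 15 and 17 separately. Extending the two dictionaries to the full appendices turns this into the complete three-way crosswalk.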