New 'Critical Controls' framework out

The Center for Internet Security released version 6.0 of their ubiquitous Critical Security Controls framework Thursday, giving enterprises another reference on how to properly stand up a cybersecurity program that can mitigate and defend against attacks.

The security nonprofit reworked this version to better reflect the latest technologies and threats it is seeing across enterprises, and to lay them out in a manner that people outside IT operations can understand and validate.

Jane Holl Lute, the organization’s CEO, said during a SANS Institute event Friday the guide reflects that the population as a whole is “really just waking up to the challenges in cybersecurity.”

“When you don’t come out of this world, but come to this world, it is a withering experience to even try [to] master the vocabulary and master the questions that you have,” she said.

Version 6.0 has been modified to put greater emphasis on safeguarding personally identifiable information, the theft of which has been the goal of the vast majority of high-profile cyberattacks in the past few years. The first few chapters cover the cornerstones of good cyber hygiene: inventory and secure configuration of devices and software; continuous vulnerability assessment; and controlled use of administrative privileges. A section on email and Web browser protections was also added to this latest version.

“The idea was to try and build consensus for what do auditors look for,” said Tony Sager, the organization’s senior vice president and chief evangelist. “If we can bring consistency to that, you can cause a lot of positive change at large scale.”

There are also appendices that deal with how privacy plans and the National Institute of Standards and Technology’s own cybersecurity framework can be worked into enterprise IT systems.

“Why should every company that wants to present their work in the NIST framework figure that out on their own? Let’s figure it out as a group,” Sager said.

Chris Butera of the Department of Homeland Security’s Computer Emergency Readiness Team reinforced the broader points of the CIS guide, laying out what enterprises should treat as basic practice: minimize administrative privileges, whitelist applications, patch both applications and systems, and segment networks.

He also stressed increasing visibility into the enterprise’s environment in order to track attackers’ movements in the event of a breach. Butera told the crowd Friday that he has too often seen IT shops take systems offline and block IP addresses, only to realize the adversary had been inside long enough to get around those tactics.

“If the adversaries have been there for a significant amount of time, they’re already somewhere else where you can’t see them,” Butera said.

Sager, who spent three decades working at the National Security Agency, said guides like this help move cybersecurity out of “the wizardry stage” and into a common language that every facet of an enterprise can understand.

“We are taking what we know as technologists and putting [it] in the context of risk and business management,” he said. “We learn from other folks’ failure. The hope is we learn enough to change behaviors.”

He also stressed that the framework was not constructed to expose gaps, but to enlighten people outside of the technology sector on what needs to be done if enterprises are to take cybersecurity seriously.

“The controls are not produced by a room full of nameless bureaucrats off in a nameless corner,” Sager said. “One of the great things I can say with a straight face is the business of technology and security is full of great people and good will.”

Download the full framework on the Center for Internet Security’s website.