Extending the 20 critical security controls to gap assessments and security maturity modeling. Specifically, the controls are decomposed into Base Practices from a Process perspective. Implementation approaches are viewed from a Robustness perspective.

1. Extending the 20 Critical Security Controls to
Gap Assessments & Security Maturity Modeling
ShmooCon Fire Talks
Hyatt Regency Washington
400 New Jersey Avenue, NW
Washington, DC 20001
February 16, 2013
John M. Willis, pINFOSEC
2020 Pennsylvania Ave NW #400
Washington DC 20006
John.Willis@pINFOSEC.com
LinkedIn.com/in/johnmwillis
(202) 670-7179

2. Extending the 20 Critical Security Controls to
Gap Assessment & Security Maturity Modeling
Purpose:
Using the 20 Critical Security Controls, create Base
Practice Statements against which security engineering
and operations processes may be assessed for capability
and maturity.
Provide model framework to base Gap Assessments upon.
Facilitate focus of Remediation Planning.
Poll for interest in creating the model.
Call for volunteers to create the model.
2

3. 20 Critical Security Controls
Attack-focused controls created by a consortium of
government agencies, major corporations, and many
others. Formerly known as the Consensus Audit
Guidelines, a complete copy of the controls may be found
on SANS Institute web site. Currently, the Consortium for
Cybersecurity Action is the organization engaged in
various projects pertaining to the controls.
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on
Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Device Control
8. Data Recovery Capability
3

4. 20 Critical Controls (cont'd)
9. Security Skills Assessment and Appropriate
Training to Fill Gaps
10. Secure Configurations for Network Devices
such as Firewalls, Routers, and Switches
11. Limitation and Control of Network
Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of
Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Loss Prevention
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
4

5. Each control has a short title, and a
sentence describing the control
For example:
http://www.sans.org/critical-security-controls/control.php?id=1
“Critical Control 1: Inventory of Authorized and
Unauthorized Devices
“The processes and tools used to
track/control/prevent/correct network access by
devices (computers, network
components, printers, anything with an IP
address) based on an asset inventory of which
devices are allowed to connect to the network.”
Implementation information follows…
5

6. Proposed Decomposed Base Practice
Version of Critical Control 1
BP.01.01 – Manage inventory of authorized devices
(computers, network
components, printers, anything with IP addresses)
BP.01.02 – Limit network access to authorized
devices
All text under the Critical Control section, including
details from the referenced NIST SP 800-53
sections, should be taken into consideration when
crafting the Base Practice language.
6

7. Process Capability Maturity Levels
0 – No – No Process Exists
1 – Exists – Process Exists
2 – Defined – Defined Process of some sort Exists
3 – Practiced – Vetted Process is now a routine Practice
4 – Reviewed – The Process is formally Reviewed on a
Specified Periodic Basis
5 – Continuous – The Process is reviewed periodically
and is subjected to Continuous Improvement
7

8. Example of Tailoring Assessment
Category Description Maturity
Level
Asset Management List servers by type/function and
2
location.
Device How to know device is authorized
Authentication before admitting to network?
Validate device certificate? 1
Otherwise, scan for unauthorized
devices every 12 hours?
Network Admission Control every switch port via NAC
(user ports controlled, audited.
0
Non-user ports verified and
audited).
Utilize network scanning tools to
identify unauthorized wireless 1
devices.
8

9. Another Approach
One approach is to assign maturity levels to the
categories (Implementation Levels) listed under
"How to Implement, Automate, and Measure the
Effectiveness of this Control”:
• Quick Wins
• Visibility/Attribution
• Configuration/Hygiene
• Advanced
The information in these categories is
informative & through-provoking, but does not
define an assessment framework.
9

10. Proposed Model
The proposed model focuses on process capability maturity
using Base Practices restated from the Critical Controls.
Based on all such Base Practices, a formal or informal Gap
Assessment can be created and saved as a baseline.
For example:
• BP.01.01 – Manage Device Inventory, Maturity Level 2
• BP.01.02 – Limit Network Access, Maturity Level 1
Remediation planning is then focused on getting the
organization to the point where the Base Practices are least
Practiced, etc.
10

11. Extension of Proposed Model
In addition to process capability, consider including
measures for Robustness Levels.
Focus on security architecture and engineering
rigor, to include the following (for example):
• Visibility/Attribution
• Configuration/Hygiene
• Automation
• Breadth & Depth of coverage
• Integrity
• Resilience
• Ability to provide/consume situational awareness
data
• Common Criteria Evaluation Assurance Level-like
criteria
• and/or whatever makes sense
11

12. Poll for Interest / Call for Action
Does this approach make sense? Would anyone
use it? Who wants to help create such a Model, in
conjunction with the Consortium for Cybersecurity
Action?
Three key components:
1. Create the Base Practice Statements for each
Critical Control
2. Define Robustness Levels, and assessment
method
3. Create Tailoring Guidelines
12

13. Credits & Legal
• Thanks to Tony Sager, Consortium for Cybersecurity
Action for his input and encouragement to promote
this Proposed Model
• Copyrights, Registration and Service Marks, etc., if
any, are property of their respective owners
• The current version of the 20 Critical Controls may
be found at http://www.sans.org/critical-security-
controls/, and is licensed under the Creative
Commons License
(http://creativecommons.org/licenses/by-nd/3.0/)
13

14. Contact Information
John M. Willis
pINFOSEC.com
2020 Pennsylvania Ave NW #400
Washington DC 20006
John.Willis@pINFOSEC.com
LinkedIn.com/in/johnmwillis
(202) 670-7179
14