Back in the late 1990’s, I was fortunate to be part of a team of cyber security experts who were asked to develop a list of the Top 10 Internet Security Threats. “On February 15, 2000, thirty Internet experts met with President Clinton to identify actions needed to defeat the wave of distributed denial of service attacks and to keep the Internet safe for continued growth.

“One of the resulting initiatives was a project to develop a community-wide consensus list of the most often exploited vulnerabilities. Forty two people from all parts of the Internet community worked together to reach consensus on the top priority threats.”

The document produced by this group listed 10 Internet Threats that were responsible for over 70% of the successful Internet attacks of the late 1990s.

Fast forward to 2008:

“Surprisingly, the clear consensus of the consortium was that there were only 20 Critical Controls that addressed the most prevalent attacks found in government and industry. This then became the focus for an initial draft document. The draft of the 20 Critical Controls was circulated in early 2009 to several hundred IT and security organizations for further review and comment. Over 50 organizations commented on the draft. They overwhelmingly endorsed the concept of a focused set of controls and the selection of the 20 Critical Controls. These commenters also provided valuable “fine tuning” to the control descriptions.” (

In a similar vein, the 20 Critical Controls followed the same path as the Top 10 Internet threats document. They provide a blueprint of actionable items that are components of overall operational security architecture. These actionable items help you detect and respond to 60-70% of the attacks seen today.

Organizations have tried to align their security architectures with various international standards (ISO 27001/2, NIST 800-53, Australian Top 35, etc.). Failure to distinguish between “compliance” and “assurance” usually results in security failures with repercussions aimed at upper security management. So, where do we start?

The goals of the Critical Security Controls:

  • Those with knowledge of threats & attacks help the groups defending systems as a part of a community risk assessment model to secure systems.
  • Defenses should focus on addressing the most common and damaging attack activities occurring today and those anticipated in the near future. Today’s defensive mechanisms should be based on actual attacks. Defenses must be based on tactics that can stop these attacks.
  • The Enterprise security architecture must be implemented in a consistent manner across the enterprise. If they are not implemented consistently across the enterprise, then the organization is opening the door for risk.
  • Defenses should be automated where possible and periodically or continuously measured using automated measurement techniques where feasible. “Trust but verify” is a must-do goal. Higher backbone speeds allow a tremendous amount of information to potentially be exfiltrated. Automated defenses can mitigate this data transfer but they must be tested and verified frequently.

The 20 Critical Controls are a set of technical controls that can help defend systems. There are other models that focus on process and operational tactics; this is not one of them.

Root cause problems must be fixed in order to ensure the prevention or timely detection of attacks. We are not simply attempting to address surface issues with these controls. We are trying to get to the heart of the issue. More money or more personnel are not always the solution to this problem. There may be other underlying causes that need to be addressed before we start to see success.

Metrics should be established that facilitate common ground for measuring the effectiveness of security measures, providing a common language to communicate about risk.” (James Tarala, Eric Cole)

The 20 Critical Controls are designed to help organizations protect their information systems. These controls are only useful if we take the time to implement and follow them.

I highly recommend doing a gap analysis to measure how your organization’s security architecture maps to the 20 Critical Controls. Asking the following questions helps you determine where the gaps are:

  • Where does your organization have deficiencies?
  • What are the most important next steps for your organization?
  • What evaluation plan will you follow in light of these controls?

Compliance with Established Security Architecture Standards

The Critical Security Controls focuses first on prioritizing security functions that are effective against the latest Advanced Targeted Threats, with a strong emphasis on “What Works” – security controls where products, processes, architectures and services are in use that have demonstrated real world effectiveness.

Standardization and automation is another top priority. The actions defined by the Controls are a subset of the Priority 1 controls defined by the National Institute of Standards and Technology (NIST) SP 800-53.

The Controls focus on a smaller number of actionable controls. Since the Controls were derived from the most common attack patterns and were vetted across a very broad community of government and industry, they serve as the basis for immediate high-value action. is an excellent site created by James Tarala. He developed an spreadsheet showing how the 20 Critical Controls map to the well-known international standards:

  • NIST 800-53 rev 4
  • NIST Core Framework
  • DHS CDM Program
  • ISO 27002-2013, 27002-2005
  • Australian Top 35
  • NSA Top 10
  • GHCQ 10 Steps
  • UK Cyber Essentials
  • UK ICO Protecting Data
  • PCI DSS 3.0
  • FFIEC Examination Handbook
  • COBIT 5
  • NERC CIP v3, v4, v5
  • CSA (Cloud Security Alliance) CCM v3
  • FY15 FISMA Metrics
  • ITIL 2011 KPIs

I think you’ll agree with me when I say the 20 Critical Controls would satisfy any auditor’s question about compliance with well-known standards. You can download the Critical Security Control Master Standards Mapping (v.5b) spreadsheet along with some other valuable spreadsheets at: auditscripts.

Controls 1-5

In this section and subsequent posts, we’ll review the 20 Critical Controls.

Remember, our focus is ASSURANCE not compliance!

Control 1. Inventory of authorized and unauthorized devices

Reduce the ability of attackers to find and exploit unauthorized and unprotected systems: Use active monitoring and configuration management to maintain an up-to-date inventory.

There’s a commercial that has the slogan “You can’t hack what you can’t see”. (Don’t get me started on this). I would prefer modifying the slogan to be “you can’t defend a) what you don’t know you have b) where it’s located in your network c) who is responsible for maintaining that asset. This isn’t a trivial task because most nets have a lot of ways to connect to their nets. For example, here are some possible connection points:

  • Wired, static IP addresses
  • Wired, DHCP assigned addresses
  • Wired VPN
  • Wireless, wireless DHCP, wireless VPN

Devices that connect to your network include mainframes, servers, desktops, laptops, and mobile devices, the “Internet of Things.”

You need to determine all of the possible ways a machine can connect to your network. Here are some possible sources of information to help you determine where your assets are:

  • Network management group – The network management group in your organization usually has some sort of database that lists the physical locations of wired hosts. This information is usually kept for diagnostic purposes to help technicians locate a device that is having connection problems.
  • Network scanner – the IT Security office, systems group or network management group may run daily scans of your organization’s network listing the number of servers by type. This list of IP addresses used in conjunction with the database mentioned in the previous bullet item gives an “inventory” of systems connected to your network.
  • Organization’s Property Inventory group – Every organization has a group that is responsible for maintaining physical inventories of IT equipment. While the information may be outdated, it’s a starting point for building a reasonable IT asset inventory.

Control 2. Inventory of authorized and unauthorized software

Identify vulnerable or malicious software to mitigate or root out attacks: Devise a list of authorized software for each type of system, and deploy tools to track software installed (including type, version, and patches).

With the exception of educational institutions and Internet Service Providers (ISP), most organizations can compile a list of authorized software installed on company IT assets. Individual software purchasing groups are another source of this information along with system administrators’ software inventory lists.

Control 3. Secure configurations for hardware and software on laptops, workstations, and servers

Prevent attackers from exploiting services and settings that allow easy access through networks and browsers: Build a secure image that is used for all new systems deployed to the enterprise.

Configuration checklists for different classes of systems are one of those common sense things that most system administrators do as part of their regular job functions. Specific images aka ISO masters, Gold Disks, or Deep Freeze builds are examples of how you would comply with this control. I’ve seen checklists that include the “authorized ports” that should be open on specific classes of machines. This is a good feature but it does require a lot of work to determine exactly what ports a software product uses.

You can use the Center for Internet Security (CIS) benchmarks and scoring tools to set a verifiable “security” score for the different types of assets in your organization. For example, you would build a base system image then use the appropriate CIS benchmark to harden this system image.

Control 4. Continuous Vulnerability Assessment and Remediation

Proactively identify and repair software vulnerabilities reported by security researchers or vendors: Regularly run automated vulnerability scanning tools against all systems and quickly remediate any vulnerabilities.

This control seems pretty obvious to me for a number of reasons. First, running vulnerability scans against your systems helps you verify your secure configurations created in Control 3.  Second, a vulnerability scan provides a log “signature” on the target system that can help you determine the type of vulnerability scanner being used against your system. Third, this control helps you identify assets in your network (Control 1).

Control 5. Malware Defenses

Block malicious code from tampering with system settings or contents, capturing sensitive data, or spreading.

There are tons of classes of malware out there. From my perspective, the most dangerous classes of malware are the info stealer, downloader and keylogger classes. Info stealer malware searches the victim computer for any personally identifiable information (PII) such as social security number (SSN), bank/credit/debit account numbers, driver’s license numbers, and passport numbers. It compiles a list of files containing PII and prepares to upload them to a drop box system or CnC controller. Downloader malware makes the victim a temporary drop site for other malware or stolen data. Keylogger malware installs keylogging software on the victim machine to capture authentication information.

So, you should install appropriate malware defenses such as malware detection engines (FireEye, Damballa, etc.) or other host based software on critical assets or assets that may store PII or critical company intellectual property. Once installed, you need to set up a log analysis infrastructure using big data techniques to quickly provide your analysts with the information needed to respond to the malware attack. You should use this control to help you detect any exfiltration of sensitive data such as PII or intellectual property.


In this part, I’ve given you an introduction to the 20 critical controls, the motivation behind them and how they can help you comply with the various international security architecture standards. I’ve described briefly the first 5 controls and where you can get some information on how to implement them. In the next three parts, I’ll go over the remaining 15 controls. As always, I welcome any comments you may have.

The official home of the Critical Security Controls is the Council on Cybersecurity. The CEO of this effort is Jane Lute, the former Deputy Secretary of the US Department of Homeland Security. This not for profit group’s stated mission is:

“The Council on CyberSecurity is an independent, global organization committed to an open and secure Internet. We contribute to this vision by mobilizing a broad community of stakeholders who are willing to bring their knowledge, experience, and commitment to a common goal: to identify, validate, promote, and sustain the adoption of cybersecurity best practice – by people, with technology, and through policy – to create a world in which best practice becomes common practice.”

The Critical Security Controls is simply one of many cybersecurity projects managed by this council. The Critical Security Controls themselves are managed by Tony Sager, formerly of the US National Security Agency, and a board of advisors and volunteers. This is the group that manages the actual documentation and updates to the controls themselves.

Leave a Reply