In my last article, I talked about using the 20 Critical Controls as a practical security strategy.  I showed how the controls map to a wide variety of international and national standards.  I also mentioned a great www site,, where you can download 3 excellent spreadsheets to help you measure your progress in the controls implementation.

I’ve said a border based security strategy (“keep them from coming in”) was a recipe for failure. I do believe the data breaches of the past couple of years support my assertion.  A risk-based approach to security is the most effective strategy for any security program.  It is also the most difficult strategy to implement. An effective cyber defense strategy has four parts:

  1. Continuous monitoring ensures current security measures are functioning correctly.
  2. Automation allows the organization to obtain continuous measurements of the status of the defense systems.
  3. Metrics are an important component of any cyber security strategy. The underlying principle of “if you didn’t write it down, it didn’t happen “uses metrics to measure the effectiveness of installed security measures.
  4. Offense informs defense. This may seem counterintuitive but you need to know how to attack the system or network in order to be able to defend it.

Part 1 of this series describes the first 5 of the 20 Critical Controls. In this article, we’ll take a look at the next 5 controls.

Controls 6 – 10

Control six deals with application software security. It doesn’t matter whether the applications are developed locally or by a vendor. Obviously, we have more control over in-house development. It’s important that such software systems build security into their design from the beginning.  We want to neutralize any vulnerability in web-based or other application software.  Application software vulnerabilities give hackers a vector into an organization’s systems.  Software vulnerabilities allow hackers to complete 7 of the 8 steps in the Mandiant Attack Life Cycle:

1.Initial recon

2.Initial compromise

3.Establish foothold

4.Escalate privileges

5.Internal recon

6.Move laterally

7.Maintain presence

This control attempts to provide proactive methods of either preventing such software from being installed on any of your system or mitigating vulnerabilities created by these flaws.

The end-user is made aware of any of these vulnerabilities and may be required to purchase additional controls to address those long abilities. This control ties in with a risk based security strategy.  How? An informed user is the best asset one can have in institutional cyber security architecture.

If the software package is a sole source for a critical business function, it’s going to get purchased/developed and used regardless of security problems.  So, the ISO shouldn’t prevent the acquisition (remember – business need trumps security in today’s climate) BUT must recommend additional controls to address software weaknesses.  Software security questionnaires are one way to determine the security posture of vendor and application software.  Such a questionnaire is available at our VirginiaTech site.

The purpose of the questionnaire is to inform the purchaser of any software security issues with a vendor software package.  One of my favorite sayings is “trust but verify.” The security questionnaire is an example of the “trust” part of the saying.

Running vulnerability scanners, pen test tools against your software applications are the “verify” part of the saying.  I’m a firm believer of running scanners against our own infrastructure. We might as well find out what a potential attacker can find out about us.

Control seven deals with wireless device controls. Wireless networks changed location of the border from defined access paths to the individual device itself. Since it’s relatively straightforward to connect to an internal host via wireless techniques, it is critical that this control addresses how systems connect to the wireless network, how users are identified and where the wireless system is located.

Security engineers sometimes forget wireless networks eventually connect to the wired network. Control 1 (Inventory of Hardware Connected to Your Network) plays an important role in control 6’s implementation.

The challenge with this control is not WHO gets connected to the wireless network. NAC solutions address the authorization and authentication aspects of connection. The challenge is determining WHERE the wireless device is currently located. Wireless by its nature implies mobility and it’s critical that the organization be able to locate a wireless device. Data logging and retention are the only ways one can determine location of wireless devices. How long does your organization retain wireless access point (AP), authentication, DHCP, NAT, and other logs?

Control eight is called data recovery capability and it deals with the methods and strategies used to recover data in the event of an accident or deliberate attack. Things like network backup services organized backups, cloud storage, off-site storage are examples of data recovery capabilities. Proper data recovery techniques mitigate the effects of cryptoware attacks and other ransomware attacks.

I said over the years that poorly trained end-user and system administrators are the biggest threats to any organizations cyber security pot. Control nine investigates what type of security skills assessment and appropriate security training are available to the university community. Examples range from homegrown security presentations, seminars, printed materials to vendor supplied training systems be they online or in house.

Control 10 is similar to control three but it deals with secure configurations for network devices such as routers firewalls switches whereas control three deals with end-user systems. This is one of the most critical controls to have in place because the items in this control protect the network infrastructure. If you lose the network infrastructure to a hacker control, the game is over. Network segmentation, firewall configuration, router configuration, and basic network architecture are examples of components that need to be examined in order to successfully this implement control.


In this article, we’ve reviewed Critical Controls 6-10. Controls 6 and 7 are particularly important but they are two of the most difficult ones to implement.  Control 6 is needs to be inserted into your company’s purchasing process.  Control 7 helps defenders determine the location of a wireless device. This is important in determining whether you have 1 infected device that is moving around your network or multiple infections.

A good backup process is key to the recovery step of incident response. There’s a reason why professional teams and the military practice constantly. The goal is to do things efficiently and training is one of the most important steps in developing your staff.

We’ll talk some more in part 3 of this series.

Leave a Reply