The threats that organizations face change continually, but almost all successful attacks exploit a core set of security weaknesses. The Center for Internet Security regularly updates its Critical Security Controls, a prioritized list of 20 security controls that, when implemented well, have proved effective in blocking most advanced targeted threats and in supporting faster detection and resolution of those that do get through initial defenses.
A subset of the highest-priority controls within the CIS Controls provides "quick wins," with immediate risk reduction against advanced targeted threats. For example, almost all forms of attack rely on privilege escalation at the point where malware needing administrative privileges is installed. Phishing, which continues to be the most common front end for damaging attacks, is used to obtain user credentials from which to start the escalation, and the compromise that follows a successful phish succeeds because of poor hygiene in application and privilege management: unapproved software is allowed to run, and ordinary users hold administrative rights.
The latest update of the controls, Version 6.0, recognized this common weakness and elevated the priority of these areas. For example, "Controlled Use of Administrative Privileges" moved up from control number 12 to control number 5, and "Controlled Access Based on the Need to Know" moved up slightly, from number 15 to number 14. "Inventory of Authorized and Unauthorized Software" remained control number 2, directly behind the inventory of authorized and unauthorized devices, while "Secure Configurations for Hardware and Software" remained the third-most critical control.
Other efforts at defining security controls have placed similar emphasis on application and privilege management. For example, "Control Administrative Privileges" is second on the National Security Agency's Information Assurance Top Ten Mitigation Strategies, and application whitelisting, operating system patching, application patching and the restriction of administrative privileges together make up the Australian Signals Directorate's Top 4 Strategies to Mitigate Cyber Intrusions.
The security benefits of application control and privilege management are well known; they are often considered to be Security 101. Nonetheless, the majority of breach reports have determined that attacks succeeded because controls and processes in these areas were either missing or ineffective.
The biggest barrier to enabling application control and privilege management has been fear of self-inflicted wounds: business disruption or a surge in help desk calls as legitimate software and business-critical access are blocked. But products and techniques have improved over the past few years, and today there are many success stories showing what works in enabling application control and privilege management with minimal or no interference to business operations.
This whitepaper will describe the recent update to Version 6.0 of the CIS Critical Controls, with a focus on application control and privilege management as high-payback, quick wins—when done right.