Critical Controls for Effective Cyber Defense Table of Contents Introduction: Critical Controls for Effective Cyber Defense
3
The Goal ........................................................................................................................................3 The Methodology ...........................................................................................................................3 Why The Controls Work..................................................................................................................3 How to Apply the Controls..............................................................................................................4 Prioritizing the Controls ..................................................................................................................4 Contributors...................................................................................................................................5 The Critical Controls Document.......................................................................................................5 Moving Ahead ................................................................................................................................5 Description of Controls
6
Critical Control 1: Inventory of Authorized and Unauthorized Devices .............................................6 Critical Control 2: Inventory of Authorized and Unauthorized Software .........................................12 Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers .......................................................................................................... 166 Critical Control 4: Continuous Vulnerability Assessment and Remediation ................................... 221 Critical Control 5: Malware Defenses ............................................................................................27 Critical Control 6: Application Software Security ...........................................................................31 Critical Control 7: Wireless Device Control ....................................................................................35 Critical Control 8: Data Recovery Capability ..................................................................................39 Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps ........................ 41 Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches ......................................................................................................................................44 Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services ..................... 48 Critical Control 12: Controlled Use of Administrative Privileges .....................................................51 Critical Control 13: Boundary Defense...........................................................................................55 Critical Control 14: Maintenance, Monitoring, and Analysis of Audit Logs ......................................60 Critical Control 15: Controlled Access Based on the Need to Know .................................................64 Critical Control 16: Account Monitoring and Control .....................................................................67 Critical Control 17: Data Loss Prevention .......................................................................................71 Critical Control 18: Incident Response and Management ...............................................................75 Critical Control 19: Secure Network Engineering............................................................................78 Critical Control 20: Penetration Tests and Red Team Exercises .......................................................80
1