
SANS & CIS Top 20 Critical Controls and the Future


SANS Institute

From Wikipedia, the free encyclopedia


The SANS Institute (officially the Escal Institute of Advanced Technologies) is a private U.S. for-profit company founded in 1989 that specializes in information security and cybersecurity training. Topics available for training include cyber and network defenses, penetration testing, incident response, digital forensics, and audit. The information security courses are developed through a consensus process involving administrators, security managers, and information security professionals. The courses cover security fundamentals and technical aspects of information security. The Institute has been recognized for its training programs and certification programs. SANS stands for SysAdmin, Audit, Network and Security.






Center for Internet Security

From Wikipedia, the free encyclopedia


The Center for Internet Security (CIS) is a not-for-profit organization founded in October 2000, whose mission is to "enhance the cyber security readiness and response of public and private sector entities, with a commitment to excellence through collaboration."

CSC 1: Inventory of Authorized and Unauthorized Devices

CSC 2: Inventory of Authorized and Unauthorized Software

CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

CSC 4: Continuous Vulnerability Assessment and Remediation

CSC 5: Controlled Use of Administrative Privileges

CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs

CSC 7: Email and Web Browser Protections

CSC 8: Malware Defenses

CSC 9: Limitation and Control of Network Ports, Protocols, and Services

CSC 10: Data Recovery Capability

CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

CSC 12: Boundary Defense

CSC 13: Data Protection

CSC 14: Controlled Access Based on the Need to Know

CSC 15: Wireless Access Control

CSC 16: Account Monitoring and Control

CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps

CSC 18: Application Software Security

CSC 19: Incident Response and Management

CSC 20: Penetration Tests and Red Team Exercises

Current Top 20 list (2017)

How the Top 20 critical controls have changed over time, and can they cope with the future and AI (artificial intelligence)?

In 2001, SANS, jointly with the FBI, announced a minimum set of fixes that people should apply to deal with the threats causing the majority of incidents at the time, and the Top 20 list was born.


The changes were very basic indeed; it would have taken the average admin no more than an hour to apply them, and a more advanced admin could have scripted them in seconds. It really makes you wonder what the vendors (especially Microsoft) were thinking when the default was to allow null sessions (anonymous remote connections to the IPC$ share that let an unauthenticated attacker enumerate accounts, shares and policy, acknowledged as one of the worst vulnerabilities of the era), with only a recommendation to disable them after you install the OS.
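As an added example (not part of the original post), here is the kind of "script in seconds" the paragraph refers to: a PowerShell audit of the registry values that govern anonymous (null session) SMB access on a Windows host, with a -Fix switch (this script's own parameter) to apply the hardened values. The registry paths and value names are the documented LSA and LanmanServer settings; the hardened values are the ones the corresponding Windows Security Options policies enforce (for example "Network access: Do not allow anonymous enumeration of SAM accounts and shares").

```powershell
# Added example (not from the original post): audit and optionally harden the
# registry settings that govern anonymous ("null session") SMB access on a
# Windows host. Paths and value names are the documented LSA / LanmanServer
# settings; the -Fix switch is this script's own parameter.
[CmdletBinding()]
param(
    [switch]$Fix   # apply the hardened values instead of only reporting
)

$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Each entry: registry path, value name, hardened value, and what it controls.
$settings = @(
    @{ Path = $lsa;    Name = 'RestrictAnonymous';         Want = 1
       Why  = 'Do not allow anonymous enumeration of SAM accounts and shares' },
    @{ Path = $lsa;    Name = 'RestrictAnonymousSAM';      Want = 1
       Why  = 'Do not allow anonymous enumeration of SAM accounts' },
    @{ Path = $lsa;    Name = 'EveryoneIncludesAnonymous'; Want = 0
       Why  = 'Anonymous logon does not receive Everyone group permissions' },
    @{ Path = $lanman; Name = 'RestrictNullSessAccess';    Want = 1
       Why  = 'Null sessions get no share or pipe access beyond the NullSession* lists' }
)

$findings = foreach ($s in $settings) {
    # Get-ItemProperty fails quietly if the value is absent; absent means "vendor default".
    $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).$($s.Name)
    $state = if ($null -eq $current) { 'NOT SET' }
             elseif ($current -eq $s.Want) { 'OK' }
             else { 'WEAK' }
    if ($Fix -and $state -ne 'OK') {
        # Requires an elevated shell; -Force creates the DWORD or overwrites it.
        New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Want -PropertyType DWord -Force | Out-Null
        $state = 'FIXED'
    }
    [pscustomobject]@{
        Setting = $s.Name; Current = $current; Wanted = $s.Want; State = $state; Control = $s.Why
    }
}

$findings | Format-Table -AutoSize

# With RestrictNullSessAccess=1, these two lists are the only shares and named pipes
# a null session may still reach; every entry here should have a written justification.
foreach ($list in 'NullSessionShares', 'NullSessionPipes') {
    $entries = (Get-ItemProperty -Path $lanman -Name $list -ErrorAction SilentlyContinue).$list
    '{0}: {1}' -f $list, $(if ($entries) { $entries -join ', ' } else { '<empty>' })
}
```

Run it without -Fix first to see the current state; a clean host reports OK on all four rows and empty NullSession lists. Note that a domain Group Policy object will overwrite these values at the next refresh, so the durable fix belongs in the policy rather than on individual machines.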


Four years later, in 2005, it was clear that minor operating-system changes were not cutting it; public-facing services such as web servers and the networking kit had to be secured too. This was not new at all, but many had absolutely no idea it was necessary, and why should they? The Top 20 list never mentioned it.


Amazingly, CIS already had really good configuration guidance by then for all sorts of technologies and applications, but admins were either unaware of it, thought it a waste of time to apply, or were perhaps getting poor security advice.


No sooner had the 2005 guidance been published than the nature and variety of attacks and exploits really took off. All sorts of applications and services were now being exploited, and the 2006 guidance had to respond. There was now a lot more for admins to do, easily doubling the number of configurations to be applied.


Fast forward two years to 2008 and it was clear that simply asking admins to apply hundreds of configuration settings was fruitless if they had lost sight of what hardware and software they had deployed, had not kept patch levels up, and so on. The updated Top 20 was now a list of control categories with tasks admins needed to perform beyond specific configuration changes; in fact, configuration changes became a single line item with an instruction to go and secure your configurations.


Admins now faced the prospect of performing all sorts of activities: running scanning tools, monitoring, logging, conducting penetration tests, applying secure design principles and much more. At this point we are as close to an ISMS (information security management system) as you are going to get, which is ironic if you think back to 2001: the whole reason the list was created was the recognition that many organisations could not do everything, in short, could not implement an ISMS.


Since 2008 the Top 20 has had only minor adjustments, and governments have produced smaller lists such as the UK's Cyber Essentials, which its advocates believe will stop 75% of the problems. The next few years will feel like 2001 to 2006 did: technologies like artificial intelligence could make life very difficult and affect many things. All we hear about is how clever AI will be at detecting and defeating hackers, but these things are not one-way; they can and will be used to defeat defences and evade detection too.


One of the attacks organised crime could use AI for is spear phishing. AI would be able to create campaigns, write in a language and tone that is very convincing, and use open sources and social media to build online relationships, personal and business-to-business alike. Does this mean our new checklist needs to include restrictions on social media to prevent such harvesting?


Testing security defences will be a big winner for crime: AI could perform discovery, scans, social engineering, vulnerability assessment and research, determine the attack vectors most likely to succeed and construct a plan. The beauty of AI is that, unlike a human, the machine won't stop, get bored or tired, or misinterpret results; like James Cameron's Terminator, it will not give up and cannot be reasoned with. That means we need a way to slow it down and prevent it from discovering our weaknesses.


Alex Rice, co-founder of security company HackerOne, told the Guardian: "Anything that can be used to defensively find vulnerabilities can be used by criminals – they all end up becoming a double-edged sword."


Perhaps the future checklist needs not only guidance on social media to limit what an AI can learn; designers and architects now need to consider the attack surface they are creating and take measures to prevent robo-hackers from learning too much. Security engineering was dropped from the list; does it need to come back, with principles for designing solutions that defend against AI?


These robo-hackers of the future could potentially use quantum computing, but that is a whole new level of checklist. When you listen to advisors such as the UK Cyber Essentials advocates, they say their lists prevent some 75% of attacks, with the remainder described as indefensible; AI may well force those percentages down, not just easily but very soon too.


Perhaps the days of infosec teams complaining they can't get infrastructure and application diagrams from IT teams are coming to an end; in future, IT may well demand that security teams create and maintain 'threat landscape maps'!


Exciting times ahead.



August 2017