CRITICAL SECURITY CONTROLS HANDBOOK
Critical Security Controls
1. Inventory of Authorized and Unauthorized Devices
Detailed Explanation:
Maintaining an inventory of devices ensures only trusted devices are allowed to
connect to the network. Unauthorized devices, such as personal devices or
rogue hardware, pose risks to the organization’s security.
Key Aspects:
Identification: Each device is tracked by unique identifiers (MAC
addresses, serial numbers).
Authorized Devices: Devices approved by the organization (company-issued
laptops, phones).
Unauthorized Devices: Personal devices (BYOD) or devices outside the
organization's control.
Control Mechanisms: Network Access Control (NAC) systems can
block unauthorized devices.
Example:
An organization uses a NAC system like Cisco ISE to prevent personal devices
from accessing the corporate network by scanning MAC addresses before
granting network access.
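
Added example (not part of the original handbook): reconciling MAC addresses seen on the network against the authorized inventory. The inventory, asset tags and observed addresses are constructed sample data, and the function names are illustrative; the script also marks locally administered addresses, which clients often randomize and which therefore do not identify a piece of hardware.

```python
import re

# Constructed sample inventory: normalized MAC -> asset tag (hypothetical values).
AUTHORIZED = {
    "00:1a:2b:3c:4d:5e": "LAPTOP-0001",
    "00:1a:2b:3c:4d:5f": "PHONE-0002",
}

# Constructed observations, e.g. exported from a switch or DHCP server,
# in the mixed notations that different tools emit.
OBSERVED = ["00-1A-2B-3C-4D-5E", "001a.2b3c.4d5f", "DE:AD:BE:EF:00:01",
            "00:11:22:33:44:55", "not-a-mac"]


def normalize_mac(raw):
    """Return a lowercase colon-separated MAC, or None if raw is not a MAC."""
    digits = re.sub(r"[.:\-]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True if the locally-administered bit (0x02 of the first octet) is set."""
    return bool(int(mac[:2], 16) & 0x02)


def reconcile(observed, authorized):
    """Classify each observed address as authorized, unauthorized or invalid."""
    report = {"authorized": [], "unauthorized": [], "invalid": []}
    for raw in observed:
        mac = normalize_mac(raw)
        if mac is None:
            report["invalid"].append(raw)
        elif mac in authorized:
            report["authorized"].append((mac, authorized[mac]))
        else:
            # Second field: True when the address is locally administered.
            report["unauthorized"].append((mac, is_locally_administered(mac)))
    return report


if __name__ == "__main__":
    for category, entries in reconcile(OBSERVED, AUTHORIZED).items():
        print(category, entries)
```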
2. Inventory of Authorized and Unauthorized Software
Detailed Explanation:
Inventorying software ensures that only authorized, secure, and licensed
applications are used, avoiding the risk posed by unauthorized or outdated
software.
Key Aspects:
Authorized Software: Tools approved for use, e.g., Microsoft Office,
enterprise resource planning (ERP) systems.
Unauthorized Software: Unlicensed, outdated, or risky software (e.g.,
unapproved torrent clients).
Software Inventory Management: Tools like SCCM or Lansweeper can
help keep track of all installed software.
Example:
Using SCCM, an organization automatically detects any unauthorized software,
such as a rogue file-sharing application, and removes it from the network,
ensuring compliance with security standards.
3. Secure Configuration for Hardware and Software
Detailed Explanation:
Secure configuration is the process of setting up systems, devices, and software
to ensure they are protected against attacks. It involves applying security best
practices, like disabling unnecessary features and changing default settings.
Key Aspects:
System Hardening: Removing unnecessary services and ports, applying
security patches.
Changing Default Settings: Admin credentials and configurations must
be modified to secure the system.
Security Patches: Regular updates to prevent exploitation of known
vulnerabilities.
Example:
On a server, an admin disables unused services and their ports (FTP, Telnet),
applies security patches, and sets strong passwords so that no unauthorized
access occurs.
4. Continuous Vulnerability Assessment and Remediation
Detailed Explanation:
Vulnerability management is an ongoing process of detecting, classifying,
prioritizing, and fixing vulnerabilities in systems and networks. Regular
assessments help minimize attack surfaces.
Key Aspects:
Scanning: Tools like Nessus scan for vulnerabilities in software and
systems.
Prioritization: Critical vulnerabilities are patched first, based on risk.
Remediation: Patches, updates, and reconfigurations mitigate
vulnerabilities.
Continuous Monitoring: Vulnerabilities are constantly monitored, and
scans are automated.
Example:
An organization uses Qualys for automated vulnerability scanning. It detects an
outdated version of Apache and prioritizes its update based on the risk it poses
to the organization.
5. Controlled Use of Administration Privileges
Detailed Explanation:
Limiting administrative privileges is crucial for preventing unauthorized access
and misuse of critical systems. Only authorized personnel should have elevated
access.
Key Aspects:
Least Privilege Principle: Administrators only receive access needed to
perform their job.
Role-Based Access Control (RBAC): Different roles have different
access levels.
Audit Logging: Tracking and logging all admin activities for auditing
and forensic purposes.
Example:
Using CyberArk, the organization controls and monitors admin access to critical
systems, ensuring that any unusual activities or unauthorized use of privileged
accounts are flagged and investigated.
6. Maintenance, Monitoring, and Analysis of Audit Logs
Detailed Explanation:
Audit logs record key actions and events that occur in systems and networks,
helping detect suspicious activities. Continuous monitoring of these logs is
critical for identifying breaches early.
Key Aspects:
Log Collection: Logs are collected from servers, applications, and
network devices.
Real-time Monitoring: Automated systems (e.g., SIEM tools) analyze
logs to detect anomalies.
Alerting: Administrators are notified if suspicious activity is detected,
such as login attempts outside normal hours.
Example:
Splunk analyzes logs from firewalls, servers, and applications in real time,
sending alerts if there are signs of a brute-force attack on the login system.
7. Email and Web Browser Protection
Detailed Explanation:
Email and web browsers are primary attack vectors for phishing, malware, and
other threats. Implementing protection measures for both is vital to prevent data
breaches.
Key Aspects:
Anti-Phishing: Email filters block malicious emails and attachments.
Web Filtering: Blocking access to known malicious or phishing
websites.
Browser Security: Ensure browsers are updated and configured to block
potentially harmful scripts.
Example:
The organization uses Mimecast for email security, which filters out phishing
emails, and Webroot to block malicious websites, providing an additional layer
of defense for employees accessing the internet.
8. Malware Defense
Detailed Explanation:
Malware defense involves multiple strategies to prevent, detect, and remove
malicious software, such as viruses, worms, and ransomware.
Key Aspects:
Antivirus and Anti-malware Software: Endpoint protection solutions
(e.g., CrowdStrike) detect and prevent malware.
Behavioral Analysis: Identifies malware based on suspicious behaviors,
even if the signature is unknown.
Endpoint Detection and Response (EDR): Monitors endpoint activities
and can contain threats.
Example:
CrowdStrike provides endpoint protection by using machine learning to identify
malware patterns, even if they have never been encountered before, and
quarantines suspicious files for further analysis.
9. Limitation and Control of Network Ports
Detailed Explanation:
Controlling and limiting network ports ensures that only necessary services are
available, reducing the number of potential entry points for an attacker.
Key Aspects:
Port Management: Only open ports that are required for business
operations.
Firewall Rules: Use firewalls to block unnecessary ports and limit access
to specific IP addresses.
Segmentation: Divide networks into segments to isolate critical systems.
Example:
In a network firewall, only ports 80 (HTTP) and 443 (HTTPS) are open for web
servers, while other ports like 23 (Telnet) and 21 (FTP) are closed to prevent
unauthorized access.
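
Added example (not part of the original handbook): checking a host's listening TCP sockets against the port allowlist from the example above. The input is a constructed sample in the column layout of `ss -tln`; the function names and the split into network-reachable and loopback-only listeners are assumptions of this sketch.

```python
import ipaddress

ALLOWED_PORTS = {80, 443}  # web-server policy from the example above

# Constructed sample in the column layout of `ss -tln` (header row removed).
SS_OUTPUT = """\
LISTEN 0 511  0.0.0.0:80       0.0.0.0:*
LISTEN 0 511  0.0.0.0:443      0.0.0.0:*
LISTEN 0 32   0.0.0.0:21       0.0.0.0:*
LISTEN 0 128  [::]:23          [::]:*
LISTEN 0 4096 127.0.0.1:5432   0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
"""


def parse_listeners(text):
    """Yield (address, port) for each LISTEN row."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            yield addr.strip("[]"), int(port)


def is_loopback(addr):
    """True when the socket is bound to a loopback address only."""
    try:
        return ipaddress.ip_address(addr.split("%")[0]).is_loopback
    except ValueError:  # "*" means all addresses
        return False


def audit_ports(text, allowed=ALLOWED_PORTS):
    """Split non-allowlisted listeners into network-reachable and local-only."""
    report = {"violations": [], "local_only": []}
    for addr, port in parse_listeners(text):
        if port in allowed:
            continue
        key = "local_only" if is_loopback(addr) else "violations"
        report[key].append((port, addr))
    return {k: sorted(v) for k, v in report.items()}


if __name__ == "__main__":
    print(audit_ports(SS_OUTPUT))
```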
10. Data Recovery Capability
Detailed Explanation:
Data recovery ensures that organizations can restore data in the event of a
system failure, natural disaster, or cyberattack, such as ransomware.
Key Aspects:
Backup Solutions: Regular, encrypted backups should be taken, either
onsite or in the cloud.
Backup Testing: Backup systems should be regularly tested to ensure
they can be restored quickly.
Disaster Recovery (DR): A DR plan must be in place for major
incidents.
Example:
Using Veeam Backup & Replication, an organization ensures that daily backups
of its critical systems are stored in both on-site storage and the cloud, ensuring
recovery in case of a disaster.
11. Secure Configuration for Network Devices
Detailed Explanation:
Configuring network devices securely is critical to avoid exploitation through
known vulnerabilities. Network devices like routers, switches, and firewalls
must be securely configured to protect network traffic.
Key Aspects:
Disabling Unnecessary Services: Turn off unused ports and services.
Strong Passwords: Set strong and unique passwords for device logins.
Firmware Updates: Regularly update device firmware to patch
vulnerabilities.
Example:
An organization configures its routers to disable Telnet and ensure that SSH is
the only remote access method. Additionally, the routers’ firmware is regularly
updated to patch vulnerabilities.
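
Added example (not part of the original handbook): auditing a router configuration for remote-access lines that permit anything other than SSH. The configuration fragment is a constructed, IOS-style sample; the function name and the rule that every vty block must state `transport input ssh` explicitly are assumptions of this sketch.

```python
# Constructed IOS-style configuration fragment (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-example
!
line con 0
 exec-timeout 5 0
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 login local
!
"""


def audit_vty_transport(config):
    """Return (block, reason) for each vty block that is not SSH-only."""
    findings, current, transport = [], None, None

    def close_block():
        # Evaluate the vty block that just ended, if there was one.
        if current is None:
            return
        if transport is None:
            findings.append((current, "no explicit 'transport input'"))
        elif transport != ["ssh"]:
            findings.append((current, "permits: " + " ".join(transport)))

    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level statement ends the block
            close_block()
            current, transport = None, None
            if line.startswith("line vty"):
                current = line.strip()
        elif current and line.strip().startswith("transport input"):
            transport = line.split()[2:]
    close_block()  # the file may end inside a vty block
    return findings


if __name__ == "__main__":
    for block, reason in audit_vty_transport(SAMPLE_CONFIG):
        print(f"{block}: {reason}")
```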
12. Boundary Defense
Detailed Explanation:
Boundary defense involves protecting the perimeter of an organization's
network, including both physical and digital defenses, to prevent unauthorized
access.
Key Aspects:
Firewalls: Protect the network by filtering incoming and outgoing traffic
based on predefined security rules.
Intrusion Detection Systems (IDS)/Intrusion Prevention Systems
(IPS): Monitor and block malicious traffic.
Segmentation: Dividing networks into smaller zones to limit lateral
movement of attackers.
Example:
A company uses a firewall to restrict incoming traffic to authorized IP addresses
and deploys an IDS to monitor suspicious activity in real time, blocking any
potential intrusions.
13. Data Protection
Detailed Explanation:
Data protection ensures the confidentiality, integrity, and availability of data,
including encryption and access controls to prevent unauthorized data access or
breaches.
Key Aspects:
Encryption: Encrypt data both at rest and in transit to ensure it’s
unreadable to unauthorized users.
Access Control: Enforce strict access controls to limit who can view,
modify, or delete data.
Data Masking: Mask sensitive data when displayed to unauthorized
users.
Example:
An organization encrypts sensitive customer data both in storage (using
AES-256) and during transmission (using TLS) to ensure that even if the data is
intercepted, it cannot be read.
14. Controlled Access Based on the Need to Know
Detailed Explanation:
Access to sensitive information should be granted based on necessity. This
limits exposure and reduces the risk of unauthorized access to critical systems
or data.
Key Aspects:
Need-to-Know Policy: Employees and users are granted access only to
the data required for their specific role.
RBAC: Role-Based Access Control can be used to implement this policy
efficiently.
Data Classification: Different levels of access based on data
classification (public, confidential, restricted).
Example:
A finance employee can access financial reports, but not marketing data,
because they only need access to the financial data for their role.
15. Wireless Access Control
Detailed Explanation:
Wireless networks must be secured to prevent unauthorized devices from
connecting and accessing the internal network. This includes using strong
encryption and authentication methods.
Key Aspects:
Encryption: Use WPA3 encryption to secure Wi-Fi communications.
SSID Broadcasting: Disable SSID broadcasting to hide the network
from unauthorized users.
MAC Filtering: Only allow authorized devices to connect by using MAC
address filtering.
Example:
The organization enables WPA3 on its Wi-Fi network and uses MAC filtering
to ensure only approved devices can connect.
16. Account Monitoring and Control
Detailed Explanation:
Account monitoring involves tracking and auditing user accounts to detect
unauthorized access or suspicious activity.
Key Aspects:
Login Attempts: Monitor failed login attempts to detect potential brute
force attacks.
Account Lockout Policies: Implement lockout policies after a defined
number of failed login attempts.
Audit Trails: Keep detailed logs of user activities for forensic analysis.
Example:
An organization uses an SIEM solution like Splunk to monitor login attempts
and sends alerts if multiple failed attempts are detected, potentially indicating a
brute-force attack.
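
Added example (not part of the original handbook), covering the log alerting in control 6 and the failed-login monitoring in this control: a sliding-window detector over sshd-style authentication log lines. The log lines are constructed and use documentation IP ranges; the threshold, the window and the function names are assumed policy values, not settings from any product named here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                    # failures from one source (assumed policy)
WINDOW = timedelta(seconds=60)   # ...within this time span (assumed policy)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")


def build_sample():
    """Constructed log: six failures in 50 s from one source, then a success."""
    base = datetime.fromisoformat("2024-01-10T03:12:00+00:00")
    stamp = lambda s: (base + timedelta(seconds=s)).isoformat()
    lines = [f"{stamp(10 * i)} web01 sshd[900]: Failed password for root "
             "from 203.0.113.5 port 40000 ssh2" for i in range(6)]
    lines.append(f"{stamp(70)} web01 sshd[900]: Accepted password for root "
                 "from 203.0.113.5 port 40001 ssh2")
    lines.append(f"{stamp(75)} web01 sshd[901]: Failed password for invalid "
                 "user test from 198.51.100.7 port 40002 ssh2")
    return lines


SAMPLE_LOG = build_sample()


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {source: {"first_alert": datetime, "success_after": bool}}."""
    recent = defaultdict(deque)  # source -> timestamps of recent failures
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src = datetime.fromisoformat(m["ts"]), m["src"]
        if m["result"] == "Accepted":
            if src in alerts:    # a login succeeded after the failure burst
                alerts[src]["success_after"] = True
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = {"first_alert": ts, "success_after": False}
    return alerts
```

A source flagged with `success_after` set deserves priority triage, since a login succeeded after the burst of failures.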
17. Security Skills Assessment and Appropriate Training to Fill Gaps
Detailed Explanation:
Security skills assessment helps organizations identify gaps in the skills of their
security personnel, ensuring they are properly trained to handle current and
future threats.
Key Aspects:
Training Needs Assessment: Regular assessments identify areas where
employees or security teams lack knowledge.
Continuous Education: Provide ongoing security training to keep skills
up-to-date with emerging threats.
Simulated Attacks: Conduct red team exercises to assess readiness and
response.
Example:
The organization conducts regular phishing simulations to test employees’
ability to recognize phishing emails and offers additional training for those who
fail.
18. Application Software Security
Detailed Explanation:
Securing application software involves identifying and addressing
vulnerabilities in both the code and deployment environment.
Key Aspects:
Secure Coding Practices: Use secure coding guidelines to avoid
vulnerabilities like SQL injection or cross-site scripting.
Application Security Testing: Tools like static and dynamic analysis can
identify vulnerabilities during development and deployment.
Patch Management: Regularly update applications to fix known
vulnerabilities.
Example:
A development team uses tools like OWASP ZAP to test for security
vulnerabilities in their web applications before deployment, ensuring they are
free of common vulnerabilities.
19. Incident Response and Management
Detailed Explanation:
Incident response involves preparing for, detecting, and managing security
incidents, such as data breaches or cyberattacks.
Key Aspects:
Incident Response Plan (IRP): A well-defined plan for responding to
different types of incidents.
Detection: Use monitoring tools to detect incidents in real time.
Containment, Eradication, and Recovery: Effective containment,
removal of threats, and recovery of systems and data.
Example:
The organization has an incident response plan under which, if a ransomware
attack is detected, systems are immediately isolated, the malware is eradicated,
and recovery from backups is initiated.
20. Penetration Tests and Red Team Exercises
Detailed Explanation:
Penetration testing (pen testing) involves simulating real-world attacks to
identify weaknesses before attackers can exploit them. Red team exercises are
similar, but they test the organization’s overall security posture.
Key Aspects:
Penetration Testing: Ethical hackers simulate attacks on systems to find
vulnerabilities.
Red Team Exercises: A full-scope, multi-layered test of an
organization’s defenses, from physical security to digital assets.
Reporting and Remediation: After tests, vulnerabilities are reported and
remediated before real attackers can exploit them.
Example:
A red team conducts a full-scale attack on an organization, simulating tactics
used by advanced persistent threats (APTs), and provides a report with
remediation steps to improve security.