3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4. Secure Configurations of Network Devices Such as Firewalls and Routers
5. Boundary Defense
6. Maintenance and Analysis of Complete Security Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based On Need to Know
10. Continuous Vulnerability Testing and Remediation
11. Dormant Account Monitoring and Control
12. Anti-Malware Defenses
13. Limitation and Control of Ports, Protocols and Services
14. Wireless Device Control
15. Data Leakage Protection
Additional Critical Controls (not directly supported by automated measurement and validation):
16. Secure Network Engineering
17. Red Team Exercises
18. Incident Response Capability
19. Data Recovery Capability
20. Security Skills Assessment and Training to Fill Gaps
In the pages that follow, each of these controls is described more fully. Each description covers how attackers exploit the absence of the control, how to implement the control, and how to measure whether the control has been properly implemented, along with suggestions on how standardized measurements can be applied. As pilot implementations are completed and agencies gain experience with automation, we expect the document to be expanded into a detailed audit guide that agency CIOs can use to ensure they are doing the right things for effective cyber defense, and that Inspectors General (IGs) can use to verify the CIOs’ tests.
Insider Threats vs. Outsider Threats