SANS Security East 2011: Implementing and Auditing the Twenty Critical Security Controls

Thursday, January 20, 2011 – Monday, January 24, 2011

In the last couple of years it has become obvious that in the world of information security, the offense is outperforming the defense. Even though budgets increase and management pays more attention to the risks of data loss and system penetration, data is still being lost and systems are still being penetrated. Over and over people are asking, “What can we practically do to protect our information?” The answer has come in the form of 20 information assurance controls known as the Consensus Audit Guidelines (CAG), located at http://www.sans.org/critical-security-controls/guidelines.php.

This course has been written to help those setting/implementing/deploying a strategy for information assurance in their agency or organization by enabling them to better understand these guidelines. Specifically the course has been designed in the spirit of the offense teaching the defense to help security practitioners understand not only what to do to stop a threat, but why the threat exists and how later to audit to ensure that the organization is indeed in compliance with their standards. Walking away from this course students should better understand how to create a strategy for successfully defending their data, implement controls to prevent their data from being compromised, and audit their systems to ensure compliance with the standard. And in SANS style, this course will not only provide a framework for better understanding, but will give you a hands-on approach to learning these objectives to ensure that what you learn today, you’ll be able to put into practice in your organization tomorrow.

This course helps you master specific, proven techniques and tools needed to implement and audit the Top Twenty Most Critical Security Controls. These Top 20 Security Controls, listed below, are rapidly becoming accepted as the highest priority list of what must be done and proven before anything else at nearly all serious and sensitive organizations. These controls were selected and defined by the US military and other government and private organizations (including NSA, DHS, GAO, and many others) who are the most respected experts on how attacks actually work and what can be done to stop them. They defined these controls as their consensus for the best way to block the known attacks and the best way to help find and mitigate damage from the attacks that get through. For security professionals, the course enables you to see how to put the controls in place in your existing network though effective and widespread use of cost-effective automation. For auditors, CIOs, and risk officers the course is the best way to understand how you will measure whether the Top 20 controls are effectively implemented. It closely reflects the Top 20 Critical Security Controls found at http://www.sans.org/critical-security-controls/guidelines.php.

The Top 20 are listed below.

• Inventory of Authorized and Unauthorized Devices
• Inventory of Authorized and Unauthorized Software
• Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
• Secure Configurations of Network Devices, Such as Firewalls, Routers, and Switches
• Boundary Defense
• Maintenance and Analysis of Security Audit Logs
• Application Software Security
• Controlled Use of Administrative Privileges
• Controlled Access Based On Need to Know
• Continuous Vulnerability Assessment and Remediation
• Account Monitoring and Control
• Malware Defenses
• Limitation and Control of Network Ports, Protocols, and Services
• Wireless Device Control
• Data Loss Prevention
• Additional Critical Controls (not directly supported by automated measurement and validation):
• Secure Network Engineering
• Penetration Tests and Red Team Exercises
• Incident Response Capability
• Data Recovery Capability
• Security Skills Assessment and Training to Fill Gaps