24 June 2014 ISACA CSX Cybersecurity Webinar

20 Critical Controls for Cyber Defense


Attendee Questions & Answers

On 24 June 2014, Dr. Vilius Benetis, CISA, CRISC, cyber-security solutions architect,
presented a 60-minute webinar on 20 Critical Controls for Cyber Defense. It will be
available on archive until June 2015; please visit
http://www.isaca.org/cyber/Pages/Archived-CyberWebinars.aspx to access.
Vilius has been able to respond to many of the questions that were asked by
attendees. Below is a recap:
Q: The controls detail pre-incident activity; where do I get information about an attack in progress, and how to get back to a good state?
A: CC18 is about incident response; however, it is very brief. So I would suggest looking at NIST SP 800-61, Rev. 2, for overall capability building. And for practical guidance - what to do - if you already have CC in place, you have plenty of information to analyse, especially if you have capable HIDS and forensic on-host monitoring/recording capability. Finally, if the attack is advanced, you might need to put a new image on the system. There is quite some activity guidance in the ISACA CSX publications/books I have presented - www.isaca.org/cyber

Q: Can the 20 critical controls be used to assist in compliance management? If yes, how, in relation to COBIT 5?
A: CCs provide technical capabilities and measurements to help prove compliance. Most probably, if compliance is about information security, the CCs will be relevant for that.

Q: Is there a mapping of these top 20 controls to NIST SP 800-53 rev 4?
A: Yes, http://www.counciloncybersecurity.org/criticalcontrols/tools/ has a mapping; however, only for critical controls 4.1, not updated to v5 yet, but the essence is the same.

Q: Critical controls only deal with technical controls.
A: They are designed to deal with technical aspects - practically what to do. In such a way they assist any management framework.

Q: I have a question: what is the best way to protect cyber security at the workplace? We do have the firewall and all the security systems; however, users are still accessing websites which are not allowed.
A: Most probably you should get a Secure Web Gateway function; if you google for them and also include the word "Gartner", you would get an analysis document of what such a function does, and what kind of vendors are players in the market.

Q: You mentioned that the NIST Cyber security framework doesn't attend to all controls; how much of the cybersecurity controls does it cover?
A: There is no direct overlap mapping; there is association mapping in the NIST framework itself, please have a look at the tables there.

Q: Here is the document for the mapping of 20 critical security controls to the NIST Framework: http://systemexperts.com/media/pdf/SystemExperts-SANS201.pdf (Page 3 onwards)
A: Yes, this is a good document, just be aware that it is almost 3 years old. I would suggest checking from time to time for an updated list of tools at http://www.counciloncybersecurity.org/criticalcontrols/tools/

Q: Do you have any opinion on the use of VPNs to secure cyber activity?
A: VPNs provide a layer of encapsulation for your traffic; however, you should appropriately set the authentication, authorization and encryption in VPNs - which covers quite a lot of things to do.

Q: Can the controls also be used as a general best practice for IS?
A: Yes.

Q: What in your personal view would you consider to be the premier framework for cybersecurity? You did not give preference to any.
A: Each framework is designed with a particular need, target. Thus there is no single one "best". CCs are the most practical guidance on technical aspects, to my knowledge.

Q: When will the cybersecurity fundamentals course be available globally apart from the conferences, and where will they be offered?
A: Please contact ISACA HQ directly for this.

Q: Is there a likelihood that those who create malware enjoy reading this information since it is open?
A: Sure, but they know this information anyway.

Q: Is there any material on the 20 CC for CD in combination with data protection/privacy legislation?
A: Not that I am aware of a direct mapping. There is a good analysis of German/French privacy laws and cybersecurity equipment, done jointly by EMC/RSA and KPMG: http://www.kpmg.de/bescheinigungen/RequestReportLaw.aspx?37823

Q: What is your contact email?
A: vb@nrd.no

Q: It is suggested that one should study the three books that you can download to pass the soon-to-be-released cyber exam?
A: For sure they would help, but not sufficient. Certification information will be communicated to members according to the ISACA HQ plan.

Q: How important is Risk Management to Cyber Security Defense, and what can be done from the Risk perspective towards Cybersecurity defense?
A: Risk Management identifies what are the unmitigated threats to your assets/business. If those are related to cybersecurity, CCs will definitely assist towards mitigating them.

Q: The list of 20 critical security controls seems to come from the SANS Institute, but they were not mentioned. Is this an oversight?
A: As I have briefly mentioned, critical controls were moved from SANS to the Council On Cybersecurity, in order to better manage them (the Council is not for profit).

Q: What was the source of the CSC questions?
A: http://www.counciloncybersecurity.org/criticalcontrols

Q: How can the controls framework contribute to an audit of Cybersecurity?
A: Via measurement of metrics.

Q: Any more details on the certification yet?
A: No, please follow ISACA.org information.

Q: In your opinion, what are the most reliable vulnerability testing tools?
A: Depends on what you are testing; I suggest using several and cross-checking them, which always helps. I would like to avoid endorsing any of the tools/vendors.

Q: For the automation metrics, reviewing reports daily falls into the same pitfall as reviewing logs etc. How can we build logic into these automated reports? What tools (e.g. Splunk etc.) exist to provide a better view of these reports? Where can we go to look for some of these tools for logic building?
A: Reports should be targeted for exception (= deviation from baseline) reporting, and should be sent in short form daily by email. In that case you could easily review them as your daily routine.

Q: BYOD question, since the future is to allow any device to be connected to the enterprise network: how can we allow any device to access enterprise data safely?
A: You need to apply many techniques, and it depends on the data you are trying to protect and from whom.

Q: Do you have any KRIs defined for monitoring risk?
A: This talk was not focused on risk, thus I would not go this route here, sorry.

Q: The speaker is talking about control 8, but my presentation view is of control 5?
A: The example was about malware defenses, #5.

Q: I have probably missed something, but looking on the Council on Cyber Security website, I cannot find the document Vilius is referring to. Is it possible to provide a URL to the document?
A: It is attached as well to the presentation, under additional materials.

Q: Most of the 20 controls seem to be present in COBIT 5 process DSS05 - Manage Security Services. COBIT 5 also provides process goals which provide good measurement of the effectiveness of this process, and IT goals that this process supports. This can be used very effectively.
A: Sure.

Q: Does compliance not drive assurance?
A: To a particular extent, sure. In reality compliance often is achieved via certification audits, and ends up being point-in-time assurance/compliance. Thus even PCI-DSS compliant organizations are often found non-compliant when the breach was occurring (according to a VISA spokesman).

Q: Does CC on #6 mean Council of Cybersecurity?
A: No, it means "Critical Control".

Q: Does the consulting function of audit (as opposed to assurance) help to achieve compliance?
A: Yes, it might be so. In reality it depends.

Q: I think you mean: "bake in" the security controls, as versus installation AFTER deployment (?)
A: "Bake in" in the sense of "integrated into operations", "make it seamless".

Q: I am not a practitioner, but I want to build a career in cybersecurity/Information Security. Do you have any other webinars for beginners?
A: The BrightTALK information security channel could be a good place to start, even though it is quite loaded with vendor marketing: https://www.brighttalk.com/channel/288 . Additionally, please have a look at courses freely available online. ISACA offers cutting-edge thought leadership, research and advice on the current and emerging threat environment and how you can be better prepared to counter it. You can access them here: http://www.isaca.org/cyber/Pages/CyberWebinars.aspx
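The answer on automation metrics recommends exception-only reporting, that is, listing only the metrics that deviate from their baseline, in a short daily message. The following is an added illustration of that idea, not code from the webinar or from the presenter; the metric names, history and today's values are constructed, and the baseline band (mean plus two standard deviations, with a floor of one) is an assumed choice.

```python
from statistics import mean, pstdev

# Constructed history: metric -> the previous seven daily measurements.
HISTORY = {
    "unauthorized_devices_detected": [0, 1, 0, 0, 1, 0, 0],
    "hosts_missing_critical_patches": [12, 11, 13, 12, 10, 12, 11],
    "admin_accounts_without_mfa": [2, 2, 2, 2, 2, 2, 2],
    "malware_alerts_unresolved_24h": [1, 0, 2, 1, 1, 0, 1],
}

# Constructed measurements for today, to be compared against the baseline.
TODAY = {
    "unauthorized_devices_detected": 6,
    "hosts_missing_critical_patches": 12,
    "admin_accounts_without_mfa": 5,
    "malware_alerts_unresolved_24h": 1,
}


def baseline(values, k=2.0, floor=1.0):
    """Return (expected, tolerance): the mean and k standard deviations,
    with a floor so a metric that never moved still tolerates a tiny change."""
    return mean(values), max(k * pstdev(values), floor)


def exceptions(history, today, k=2.0, floor=1.0):
    """Return only the metrics outside their baseline band, plus any metric
    that produced no measurement today (a silent collector is itself an exception)."""
    out = []
    for name, values in history.items():
        expected, tol = baseline(values, k, floor)
        value = today.get(name)
        if value is None:
            out.append((name, None, expected, "no measurement received"))
        elif abs(value - expected) > tol:
            out.append((name, value, expected, f"outside {expected:.1f} +/- {tol:.1f}"))
    return out


def short_report(history, today):
    """Format the exception list as the short daily e-mail body."""
    found = exceptions(history, today)
    if not found:
        return "No exceptions to baseline today."
    lines = [f"{len(found)} exception(s) to baseline:"]
    for name, value, _expected, why in found:
        lines.append(f"- {name}: {'MISSING' if value is None else value} ({why})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(short_report(HISTORY, TODAY))
```

With the constructed data, only the unauthorized-device count and the MFA-less admin accounts appear in the report; the patch and malware metrics stay within their bands and are not listed.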
