
20 Critical Security Controls

How CA Technologies can help federal agencies automate compliance processes

Philip Kenney


Table of Contents

Executive Summary
Section 1: Meeting FISMA and NIST requirements
Section 2: How CA Technologies supports the 20 CSCs
Section 3: Technologies for automating the 20 CSCs
Section 4: Conclusions: A practical platform for implementing the 20 CSCs
Section 5: About the Author

Executive Summary

Challenge

In 2008, the Center for Strategic and International Studies (CSIS) created a diverse consortium of information security experts from both public and private sectors to identify key security controls that agencies should implement. The resulting document, 20 Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, identified a core set of measures that federal agencies should employ to reduce risk and conform to FISMA requirements. By focusing on these measures as a subset of the comprehensive NIST guidelines, security administrators can implement an evolving approach to comprehensive security by instituting what the document calls “quick wins.”

While the document sets forth activities that CISOs, CIOs and IGs can adopt as their top, shared priorities, many agencies lack critical components of the security infrastructure required to carry them out. Many of the controls require process support or automation to be truly effective. Even with a majority of these individual measures in place, compliance will still be elusive if agencies cannot achieve overall management visibility and control.

Opportunity

The “20 Critical Security Controls” document designates areas where agencies can quickly improve their security postures and sustain those enhancements over time. Given the scope, scale and complexity of the typical agency enterprise, it is certain that neither of those things can be accomplished solely with manual methods and processes.

But by automating controls—and by managing and documenting control performance—agencies can achieve the ultimate goal of FISMA and NIST 800-53, which is to provide improved security. In addition, agencies will be better able to meet their own goals of regulatory compliance.

Benefits

CA Technologies gives federal agencies a practical and affordable way to enable implementation of many of the 20 Critical Security Controls (CSCs) by combining security automation with service assurance and automation management technology. Security Management solutions from CA Technologies deliver security automation that can help build policy enforcement into processes, improve quality of compliance and reduce burdens on administrators. Service Assurance and Service Automation solutions from CA Technologies provide agencies with centralized visibility into and additional control over their 20 Critical Security Control efforts.

CA Technologies is uniquely qualified to support agencies with an overall solution for 20 CSC management and compliance. CA Technologies gives agencies an efficient, cost-effective way to enable and manage compliance—by building on what they already own.


Section 1: Meeting FISMA and NIST requirements

The National Institute of Standards and Technology (NIST) has produced excellent security guidelines that provide a comprehensive set of security controls in NIST Special Publication 800-53, revision 3. By contrast, the CSIS-authored document, “Twenty Critical Security Controls for Effective Cyber Defense,” identifies a subset of security control activities that CISOs, CIOs and IGs can focus on as their foremost priorities for cyber security. This subset is based on attacks occurring recently and those anticipated in the near future.

A “Head Start” for compliance with NIST 800-53

The 20 Critical Security Controls (20 CSCs) principally address technical areas. However, they do map directly to a critical subset of the Priority Code 1 controls identified in NIST Special Publication 800-53. They are intended to give agencies a sound head start in achieving overall NIST 800-53 compliance. The intent is to help agencies ensure that they have assessed and implemented an appropriate set of management and technical controls to address their specific risk areas.

Within the guidance of 800-53, the 20 CSCs can be viewed as requirements for establishing consensus priorities when assessing potential security risks to the confidentiality, integrity and availability of systems and information within the agency’s enterprise environment. Once a consensus on priorities has been reached by the CIO and CISO, it is recommended that the 20 CSCs be the foundation for implementing management and technical controls within an agency.

Both management and technical controls are required

Both the 20 CSCs and NIST Special Publication 800-53 make it clear that controls must address two aspects: overall management and specific implementation. Agencies must not only put controls in place, they must also be able to monitor those controls and document their performance. Failure in either aspect constitutes non-compliance.

In addition to the requirements of the 20 CSCs and NIST 800-53, agencies must accommodate another practical consideration: the architecture and elements of the security infrastructure they already own. Agencies are unlikely to pursue any approach to implementing the 20 CSCs that does not use their existing systems as a foundation. This means that almost every implementation of the 20 CSCs will take place in a multi-vendor, heterogeneous environment.


Finding the right balance

It is perhaps easiest to visualize the implementation of the 20 CSCs in three core dimensions:

• Specific technical controls are those that address individual devices and functions such as cataloging authorized devices, securing configurations, managing access, etc.

• Management, visibility and control includes capabilities that enable administrators to track, analyze, manage and document data, alerts and other outputs from technical controls.

• Existing technologies are the systems and software agencies already own. These must serve as a foundation for new implementations.

The appropriate balance between dimensions will vary for each agency, depending on the maturity of their security infrastructures, their resources and the particular risks they face.

Figure A. Three core dimensions in a heterogeneous environment


Section 2: How CA Technologies supports the 20 CSCs

CA Technologies combines security automation with service assurance and automation management to help streamline agency implementations of the 20 CSCs.

As an industry-leading provider of enterprise IT management software, CA Technologies is uniquely positioned to support any agency aiming to meet the requirements for securing its environment. CA Technologies has been providing management and security solutions to industry and government for over thirty years.

Based on our experience in providing management and security solutions in large, heterogeneous environments all over the globe, we have developed the following solutions map for implementing the 20 CSCs:

Solutions map (✓ = applies). Column meanings: "Management" = CA Technologies supports management of the control through a unified, central view across the IT environment; "Automatable" = the control can be automated; "Automation" = CA Technologies supports that automation.

 #   Control                                                                               Management  Automatable  Automation
 1   Inventory of authorized and unauthorized devices                                          ✓           ✓            ✓
 2   Inventory of authorized and unauthorized software                                         ✓           ✓            ✓
 3   Secure configurations for hardware and software on laptops, workstations and servers     ✓           ✓            ✓
 4   Continuous vulnerability assessment and remediation                                       ✓           ✓            ✓
 5   Malware defenses                                                                          ✓
 6   Application software security                                                             ✓           ✓
 7   Wireless device control                                                                   ✓           ✓            ✓
 8   Data recovery capability                                                                  ✓
 9   Security skills assessment and training                                                   ✓
10   Secure configurations for network devices such as firewalls, routers and switches         ✓           ✓            ✓
11   Limitation and control of network ports, protocols, and services                          ✓           ✓            ✓
12   Controlled use of administrative privileges                                               ✓           ✓            ✓
13   Boundary defense                                                                          ✓           ✓
14   Maintenance, monitoring and analysis of security audit logs                               ✓           ✓            ✓
15   Controlled access based on need to know                                                   ✓           ✓            ✓
16   Account monitoring and control                                                            ✓           ✓            ✓
17   Data loss prevention                                                                      ✓           ✓            ✓
18   Incident response capability                                                              ✓
19   Secure network engineering                                                                ✓
20   Penetration tests and red team exercise                                                   ✓

Section 3: Technologies for automating the 20 CSCs

CA Technologies combines security automation with service assurance and automation management to help streamline agency implementations of the 20 CSCs.

The 20 Critical Security Controls document categorizes tasks into six basic areas:

1. Identifying what assets agencies have

3. Controlling access according to roles and responsibilities

4. Keeping configurations, versions and patches up-to-date

5. Managing security data to improve compliance and support audits

6. Ensuring availability by identifying and pre-empting threats

Multiply those few tasks by the number of assets in inventory and the number of stakeholders using them and the result is a lot of work for compliance administrators.

In addition to identifying the 20 controls, this document provides guidance on how organizations can further improve their controls. The document lists four different categories of increased security that organizations can strive towards. These four categories are:

1. Quick wins: These are identified in the 20 CSC document as “QWs”. Implementing a QW does not completely mitigate a given threat, but as the name implies, it does identify where security can be rapidly improved.

2. Improved visibility and attribution: These are identified in the 20 CSC document as “Vis/Attrib” and are focused on improving existing processes and increasing awareness and visibility against given security threat vectors.

3. Hardened configuration and improved information security hygiene: These are identified in the 20 CSC document as “Config/Hygiene”. This area deals with methods to improve security operations and end-user behavior to reduce vulnerabilities.

4. Advanced: These are identified in the 20 CSC document as “Advanced” and should only be considered after an organization has addressed the preceding three categories.

CA Technologies directly supports 12 of the 15 CSCs that can be automated with security solutions for asset management/configuration, identity management, security information management and threat management:

CSC #1: Inventory of authorized and unauthorized devices

CA CSC Solution: CA Client Automation

CA Client Automation helps provide the level of enforcement and reporting required for detecting and cataloging authorized and unauthorized devices. It can automatically detect systems across heterogeneous platforms and operating systems, and then use both agent and agent-less methods to capture detailed hardware inventory and usage levels for each asset.

CA Client Automation contains advanced discovery tools, which can provide continuous monitoring of the network, detection of new devices and application of policy to the newly discovered devices. Collected asset data can be assessed against policies to determine if enforcement or remediation is


CSC #2: Inventory of authorized and unauthorized software

CA CSC Solution: CA Client Automation

CA Client Automation helps provide the level of enforcement and reporting to detect and catalog application usage. It can automatically detect systems across heterogeneous platforms and operating systems, then capture detailed inventory information, including:

• All operating system software
• All user applications and software
• Release, versions and patch levels
• Usage histories and levels

Asset data can be assessed against policies to enable enforcement and remediation where necessary. Unauthorized software can be remediated by patching it to the appropriate levels or removing it completely.
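The reconciliation that CSC #1 and CSC #2 describe (discovered devices and software compared with an authorized baseline, with an enforcement or remediation decision for each gap) can be illustrated in a few dozen lines. The following Python is an added example written for this page; it is not CA Client Automation code, and the MAC addresses, hostnames, product names and approved versions are constructed sample data.

```python
"""Added example (not CA Technologies code): reconcile a discovered inventory of
devices and installed software against an authorized baseline, then propose a
remediation for every gap. Every record below is constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed baseline. Devices are keyed by MAC address; software by product
# name with the minimum approved version.
AUTHORIZED_DEVICES: Dict[str, str] = {
    "00:11:22:33:44:55": "ws-fin-01",
    "00:11:22:33:44:66": "srv-db-01",
}
AUTHORIZED_SOFTWARE: Dict[str, Tuple[int, ...]] = {
    "openssh": (8, 4),
    "office-suite": (16, 0),
}


@dataclass
class Asset:
    """One discovered system: identity plus its installed software."""
    mac: str
    hostname: str
    software: Dict[str, str]  # product name -> installed version string


@dataclass
class Finding:
    asset: str
    kind: str    # unauthorized-device | unauthorized-software | outdated-software
    detail: str
    action: str  # proposed remediation


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.2.1' into (8, 2, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def assess(assets: List[Asset]) -> List[Finding]:
    """Compare each discovered asset with the baseline (CSC #1 and #2)."""
    findings: List[Finding] = []
    for asset in assets:
        if asset.mac not in AUTHORIZED_DEVICES:
            findings.append(Finding(asset.hostname, "unauthorized-device",
                                    asset.mac, "quarantine network port and alert"))
            continue  # an unknown device's software claims are not worth assessing
        for name, version in asset.software.items():
            if name not in AUTHORIZED_SOFTWARE:
                findings.append(Finding(asset.hostname, "unauthorized-software",
                                        name, "remove package"))
            elif parse_version(version) < AUTHORIZED_SOFTWARE[name]:
                findings.append(Finding(asset.hostname, "outdated-software",
                                        f"{name} {version}", "patch to approved level"))
    return findings


def sample_assets() -> List[Asset]:
    """Constructed discovery results: two known systems and one unknown device."""
    return [
        Asset("00:11:22:33:44:55", "ws-fin-01",
              {"openssh": "8.2", "office-suite": "16.1"}),
        Asset("00:11:22:33:44:66", "srv-db-01",
              {"openssh": "9.0", "p2p-client": "1.0"}),
        Asset("00:aa:bb:cc:dd:ee", "unknown-device", {"openssh": "7.9"}),
    ]


if __name__ == "__main__":
    for f in assess(sample_assets()):
        print(f"{f.asset:15} {f.kind:22} {f.detail:20} -> {f.action}")
```

Two design points matter in practice: versions are compared as integer tuples so that 8.10 correctly ranks above 8.4, and an unknown device is reported once and skipped rather than having its self-reported software trusted, since nothing about an unauthorized device has been verified.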

CSC #3: Secure configurations for hardware & software on laptops, workstations, & servers

CA CSC Solution: CA Client Automation, CA Configuration Automation, CA ControlMinder™

CA Client Automation collects and manages detailed hardware and software information for a heterogeneous set of platforms and operating systems.

The Federal Desktop Core Configuration (FDCC) Scanner within CA Client Automation provides the capability to continuously scan managed systems for compliance with various mandated FDCC security configurations. Where necessary, automated remediation steps may be provisioned to help eliminate vulnerabilities and bring variant systems into compliance. This scanning can be augmented to include agency-specific controls and to meet agency-specific requirements.

CA Configuration Automation uses compliance rules to check that server and application configurations adhere to compliance policies. Built-in rules are used to facilitate compliance with industry standards such as PCI and DISA STIG.

In addition to scanning for configuration compliance, the operating systems can be made resistant to unauthorized changes. CA ControlMinder is a privileged user management solution that creates an environment where fine-grained system hardening settings on servers can be configured, deployed and enforced. It helps protect that environment by hardening servers according to policies and preventing unauthorized persons from changing settings. CA ControlMinder works by hardening the underlying OS, applying policies that have been pre-defined by an organization to enforce segregation of duties, and enforcing a policy of least privilege. It enables management visibility and control over the environment by automatically generating reports and alerts when a policy violation occurs or has been prevented. CA ControlMinder can also provide log files to be centrally collected by CA User Activity Reporting Module. See CSC #6 for additional information.


CSC #4: Continuous vulnerability assessment and remediation

CA CSC Solution: CA Client Automation, CA Spectrum®, CA Configuration Automation

As noted above, CA Client Automation collects and manages detailed hardware and software information for a heterogeneous set of platforms and operating systems. CA Client Automation will scan workstations and servers on a scheduled basis, on demand, or in response to an event, for example a security log entry. CA Spectrum will similarly scan network devices on a schedule, on demand, or in response to an event.

The Federal Desktop Core Configuration (FDCC) Scanner within CA Client Automation provides the capability to continuously scan managed systems for compliance with various mandated FDCC security configurations. Where necessary, automated remediation steps may be provisioned to help eliminate vulnerabilities and bring variant systems into compliance.

CA Client Automation includes remediation capability, being able to patch systems and apply configuration settings. This remediation can be initiated manually, or automatic detection of non-compliance can trigger automated remediation.

CA Configuration Automation uses compliance rules to check that server and application configurations adhere to compliance policies. Built-in rules are used to facilitate compliance with industry standards such as PCI and DISA STIG.

CSC #7: Wireless Device Control

CA CSC Solution: CA Spectrum, CA Client Automation

CA Spectrum helps meet the requirements of this security control. CA Spectrum modules provide wireless device control, MIB and trap support, descriptive device type identification, OneClick views, technology support and standard capabilities for specific devices and firmware. Examples of device-family management modules include Catalyst, PIX Firewall, Wireless LAN Controller and AiroNet.

CA Client Automation can be installed on supported wireless devices to help provide protection at the level of workstations as described under Control #3 and others.

CSC #10: Secure configurations for network devices such as firewalls, routers, and switches

CA CSC Solution: CA Spectrum

CA Spectrum helps provide the secure configurations (SSH v2 support and communication mode), enforcement and reporting required by this control. It identifies and monitors the configurations of device families and single devices including routers, hubs and switches. Each device can be configured to provide specific services.


Details on how devices operate and how they are customized can be included in each configuration. The CA Spectrum Network Configuration Manager component increases uptime, eliminates network issues and lowers costs by enabling administrators to:

• Create policies for configurations and verify that devices are compliant
• Prevent or detect performance problems by verifying configurations
• Manage configurations for devices modeled in Spectrum/OneClick
• Capture configurations and store them in the Spectrum database
• Load/merge configurations to devices of the same family type
• Set up a schedule of automatic captures and policies
• Maintain a history of network device configurations
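The configuration management cycle described under CSC #3, CSC #4 and CSC #10 (capture a device configuration, verify it against compliance rules, keep a history and compare captures to find drift) is shown below as an added Python example written for this page; it is not CA Spectrum or CA Configuration Automation code. The "key value" configuration format, the hostnames, addresses and the rule set are constructed for the example and are not any vendor's syntax.

```python
"""Added example (not CA Technologies code): capture a network device
configuration, check it against compliance rules, and diff it against the
previous capture to detect drift (CSC #3, #4 and #10). The configuration format
and the rules are constructed for this example and are not any vendor's syntax."""
from typing import Dict, List, Tuple

# Constructed "key ... value" configuration captures; one line per setting.
CAPTURE_PREVIOUS = """\
hostname edge-rtr-01
ssh version 2
telnet enabled no
http-server enabled no
snmp community CHANGEME-NOT-REAL
logging host 10.0.0.20
"""

CAPTURE_CURRENT = """\
hostname edge-rtr-01
ssh version 2
telnet enabled yes
http-server enabled no
snmp community CHANGEME-NOT-REAL
logging host 10.0.0.20
ntp server 10.0.0.21
"""

# Each rule: (setting key, required value, severity). Constructed to resemble
# the kind of hardening checks the page describes (SSH v2 only, no cleartext
# management, logs delivered to the central collector).
RULES: List[Tuple[str, str, str]] = [
    ("ssh version", "2", "high"),
    ("telnet enabled", "no", "high"),
    ("http-server enabled", "no", "medium"),
    ("logging host", "10.0.0.20", "medium"),
]


def parse_capture(text: str) -> Dict[str, str]:
    """Parse 'key ... value' lines into a dict; the last token is the value."""
    config: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):  # skip blanks and comment lines
            continue
        key, _, value = line.rpartition(" ")
        config[key] = value
    return config


def check_compliance(config: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (key, expected, actual, severity) for every rule the config violates."""
    violations = []
    for key, expected, severity in RULES:
        actual = config.get(key, "<missing>")
        if actual != expected:
            violations.append((key, expected, actual, severity))
    return violations


def diff_captures(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Drift report: key -> (old value, new value); an absent value is ''."""
    changes: Dict[str, Tuple[str, str]] = {}
    for key in sorted(set(old) | set(new)):
        if old.get(key, "") != new.get(key, ""):
            changes[key] = (old.get(key, ""), new.get(key, ""))
    return changes


if __name__ == "__main__":
    prev, cur = parse_capture(CAPTURE_PREVIOUS), parse_capture(CAPTURE_CURRENT)
    print("violations:", check_compliance(cur))
    print("drift since last capture:", diff_captures(prev, cur))
```

Running the two functions side by side is the point: the compliance check says what is wrong against policy (telnet re-enabled), while the drift report says what changed since the last known-good capture, including changes such as the added NTP server that break no rule but still deserve a look.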

CSC #11: Limitation and control of network ports, protocols and services

CA CSC Solution: CA ControlMinder, CA Client Automation

As noted under Control #3, CA ControlMinder helps protect sensitive data and critical applications that reside on the protected host by strictly controlling access to system resources. CA ControlMinder can lock down ports and provide host-based intrusion detection.

CA Client Automation can be used, as described under Control #3, to scan open ports and active services and to apply policy to the results. This can include alerting appropriate personnel up to closure of unauthorized ports and termination of disallowed services.

CSC #12: Controlled use of administrative privileges

CA CSC Solution: CA ControlMinder

CA ControlMinder is a security enforcement tool that manages user privileges, including administrative privileges and superusers. Misuse of administrative privileges is the number one method attackers use to compromise enterprise security. CA ControlMinder protects server resources by controlling user, superuser and administrator privileges. It constrains levels of access solely to authorized uses.

With the Privileged User Password Management (PUPM) component, administrative passwords are obtained as they are needed, and available for use only while checked out to an authorized user. As soon as a user checks in the password it is changed on the target system. Additionally, CA ControlMinder allows agencies to create and enforce password quality including password composition, minimum and maximum length, repetition and dictionary review. CA ControlMinder helps ensure that any time users change their password they must comply with agency policies and guidelines.


CA ControlMinder also aids in eliminating privilege creep through delegation of access rights to designated systems operators. It allows administrators to precisely match users with the privileges they need, thereby helping to eliminate any reason to grant excessive rights.

CA ControlMinder includes protected logs that capture administrative actions; these can be forwarded to CA User Activity Reporting Module for central collection and review. This provides an additional level of protection and review since actions by administrators will be collected and audited as standard operating procedures.
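The two mechanisms the CSC #12 passage describes (a privileged password that is checked out only to an entitled user and rotated on the target as soon as it is checked in, and a password quality policy covering composition, length, repetition and dictionary review) are modelled below in an added Python example written for this page. It is not CA ControlMinder or PUPM code: the account names, entitlements, the 24-character generated secret format and the three-word dictionary are constructed, and a real implementation would change the credential on the target system rather than in memory.

```python
"""Added example (not CA Technologies code): a minimal model of privileged
password check-out/check-in with rotation on check-in, plus a password quality
policy, as CSC #12 describes. Accounts, users and the word list are constructed."""
import secrets
import string
from typing import Dict, List, Set, Tuple


class PrivilegedPasswordVault:
    """Holds one secret per privileged account; only one user may hold it at a time."""

    def __init__(self, authorized: Dict[str, Set[str]]):
        self._authorized = authorized                       # account -> entitled users
        self._secrets: Dict[str, str] = {a: self._generate() for a in authorized}
        self._checked_out: Dict[str, str] = {}              # account -> current holder
        self.audit: List[Tuple[str, str, str]] = []         # (event, user, account)

    @staticmethod
    def _generate() -> str:
        alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
        return "".join(secrets.choice(alphabet) for _ in range(24))

    def checkout(self, user: str, account: str) -> str:
        if user not in self._authorized.get(account, set()):
            self.audit.append(("checkout-denied", user, account))
            raise PermissionError(f"{user} is not entitled to {account}")
        holder = self._checked_out.get(account)
        if holder is not None and holder != user:
            self.audit.append(("checkout-blocked", user, account))
            raise RuntimeError(f"{account} is checked out to {holder}")
        self._checked_out[account] = user
        self.audit.append(("checkout", user, account))
        return self._secrets[account]

    def checkin(self, user: str, account: str) -> None:
        if self._checked_out.get(account) != user:
            raise RuntimeError(f"{user} does not hold {account}")
        del self._checked_out[account]
        self._secrets[account] = self._generate()   # rotate: the old value is now useless
        self.audit.append(("checkin-rotated", user, account))


WEAK_WORDS = {"password", "admin", "welcome"}  # constructed dictionary for the review step


def check_password_policy(pw: str, min_len: int = 12, max_len: int = 32) -> List[str]:
    """Return the policy rules a candidate password breaks (empty list = compliant)."""
    problems = []
    if not min_len <= len(pw) <= max_len:
        problems.append("length")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    if not all(classes):
        problems.append("composition")
    if any(pw[i] == pw[i + 1] == pw[i + 2] for i in range(len(pw) - 2)):
        problems.append("repetition")
    if any(word in pw.lower() for word in WEAK_WORDS):
        problems.append("dictionary")
    return problems


if __name__ == "__main__":
    vault = PrivilegedPasswordVault({"root@srv-db-01": {"alice"}})
    first = vault.checkout("alice", "root@srv-db-01")
    vault.checkin("alice", "root@srv-db-01")
    second = vault.checkout("alice", "root@srv-db-01")
    print("rotated on check-in:", first != second)
    print("audit trail:", vault.audit)
    print("policy problems:", check_password_policy("Password123!"))
```

Every decision, including denials, lands in the audit list; that is the trail the page says should be forwarded to central collection so that administrator actions are reviewed as standard procedure rather than on request.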

CSC #14: Maintenance, monitoring and analysis of security audit logs

CA CSC Solution: CA User Activity Reporting Module

CA User Activity Reporting Module (CA UARM) is a log collection, review, reporting and archiving solution that supports this control requirement. CA UARM collects logs from virtually any source: operating systems, network devices, syslogs and applications. Collected logs can then be reviewed either by using built-in queries that map to the most significant regulatory requirements (HIPAA, FISMA, DoD, etc.), or with user-defined queries. Administrators can define action alerts that will be automatically generated when queries meet certain criteria.

CA UARM also centralizes log management. Geographically separated office logs can be collected locally and then reviewed and reported at a central location—without moving large volumes of data. Federalized queries can be processed so a review for a specific log event can be created in one location and then used to check all other CA UARM managed sites.

CA UARM includes 350+ different reports for many different regulatory requirements as well as extensive ad hoc reporting capabilities. It also supports long-term management with archiving capabilities that keep logs either online or near-online as required.
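The CSC #14 workflow (collect logs from several hosts, run saved queries over them, and raise an action alert when a query's criteria are met) is shown below as an added Python example written for this page; it is not CA UARM code. The syslog lines, hostnames, addresses, the admin list and the thresholds are constructed, and the NIST 800-53 control identifiers attached to each query are illustrative labels chosen for the example, not a vendor's requirement mapping.

```python
"""Added example (not CA Technologies code): collect syslog-style lines from
several hosts, run saved queries over them and raise action alerts when a query's
criteria are met (CSC #14). Log lines, hosts and thresholds are constructed; the
requirement tags are illustrative labels, not a vendor's mapping."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

# Constructed log lines in classic syslog layout (no year in the timestamp).
SAMPLE_LOGS = """\
Jan 10 10:00:01 host1 sshd[1201]: Failed password for alice from 10.0.0.5 port 5555 ssh2
Jan 10 10:00:04 host1 sshd[1202]: Failed password for alice from 10.0.0.5 port 5556 ssh2
Jan 10 10:00:09 host1 sshd[1203]: Failed password for alice from 10.0.0.5 port 5557 ssh2
Jan 10 10:00:15 host1 sshd[1204]: Accepted password for alice from 10.0.0.5 port 5558 ssh2
Jan 10 10:01:00 host2 sudo: bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/id
Jan 10 10:02:00 host2 useradd[2200]: new user: name=svc-backup, UID=1005, GID=1005, home=/home/svc-backup, shell=/bin/bash
Jan 10 11:00:00 host3 sshd[3100]: Failed password for carol from 10.0.0.9 port 6000 ssh2
"""

ADMINS = {"alice"}  # constructed: the only user entitled to sudo


class Event(NamedTuple):
    ts: datetime
    host: str
    program: str
    message: str


class Alert(NamedTuple):
    query: str
    requirement: str
    detail: str


LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([\w-]+)(?:\[\d+\])?: (.*)$")
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")
SUDO_RE = re.compile(r"^(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")
USERADD_RE = re.compile(r"new user: name=([^,]+)")


def parse_logs(text: str, year: int = 2012) -> List[Event]:
    """Normalise raw lines into events; syslog omits the year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a collector would count unparsable lines rather than drop them
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append(Event(ts, m.group(2), m.group(3), m.group(4)))
    return events


def query_failed_logins(events: List[Event], threshold: int = 3,
                        window: timedelta = timedelta(minutes=5)) -> List[Alert]:
    """Alert when one user from one source fails `threshold` times inside `window`."""
    buckets: Dict[Tuple[str, str, str], List[datetime]] = defaultdict(list)
    for e in events:
        m = FAILED_RE.search(e.message)
        if m:
            buckets[(m.group(1), m.group(2), e.host)].append(e.ts)
    alerts = []
    for (user, src, host), times in buckets.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append(Alert("failed-logins", "NIST 800-53 AC-7",
                                    f"{threshold}+ failures for {user} from {src} on {host}"))
                break  # one alert per (user, source, host) is enough
    return alerts


def query_unexpected_sudo(events: List[Event]) -> List[Alert]:
    """Alert on privilege escalation by anyone outside the admin set."""
    alerts = []
    for e in events:
        m = SUDO_RE.match(e.message) if e.program == "sudo" else None
        if m and m.group(1) not in ADMINS:
            alerts.append(Alert("sudo-by-non-admin", "NIST 800-53 AC-6",
                                f"{m.group(1)} ran {m.group(3)} as {m.group(2)} on {e.host}"))
    return alerts


def query_account_created(events: List[Event]) -> List[Alert]:
    """Every account creation is reportable for review."""
    return [Alert("account-created", "NIST 800-53 AC-2", f"{m.group(1)} on {e.host}")
            for e in events for m in [USERADD_RE.search(e.message)] if m]


def run_queries(text: str) -> List[Alert]:
    events = parse_logs(text)
    return (query_failed_logins(events) + query_unexpected_sudo(events)
            + query_account_created(events))


if __name__ == "__main__":
    for a in run_queries(SAMPLE_LOGS):
        print(f"[{a.requirement}] {a.query}: {a.detail}")
```

Note how the queries are written once against normalised events rather than against raw text: that separation is what lets the same saved query be executed at every collection site, which is the "federated query" idea the passage describes.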

CSC #15: Controlled access based on need to know

CA CSC Solution: CA ControlMinder

CA ControlMinder helps enforce controlled access based on a need-to-know basis by enabling administrators to associate access rules with specific systems. Users are granted access to sensitive or classified information only if they meet a pre-defined set of criteria. Any type of resource can be associated with access rules that incorporate just about any type of policy-driven qualifications. CA ControlMinder manages access to all these types of resources:

• Files and folders
• Processes
• Network connections
• Terminals
• User-defined resources

Because access and protections are governed by a combination of policy, procedure and enforcement, CA ControlMinder can help protect data and files, entire systems or processes and even registry entries from unauthorized access or changes. User activity is captured in audit logs and can be centralized with CA User Activity Reporting Module.
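To make the CSC #15 description concrete (access rules bound to a system, applied to the resource classes listed above, granting access only when the user meets the rule's criteria, with every decision logged), here is an added Python example written for this page. It is not CA ControlMinder code; the users, the clearance scale, the terminal names and the rules are constructed, and evaluation is deny-by-default, which is the assumption the example makes about how such rules should behave.

```python
"""Added example (not CA Technologies code): deny-by-default access rules bound
to a system, evaluated against a requesting user's attributes for the resource
classes the page lists. Users, rules, clearance scale and requests are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

RESOURCE_CLASSES = {"file", "process", "network", "terminal", "custom"}


@dataclass
class User:
    name: str
    roles: Set[str]
    clearance: int    # constructed scale: 0 = none ... 3 = highest
    terminal: str     # where the session originates


@dataclass
class Rule:
    resource_class: str
    resource: str                       # exact name, or a prefix ending in '*'
    actions: Set[str]
    condition: Callable[[User], bool]   # the pre-defined criteria the user must meet
    description: str

    def matches(self, rclass: str, resource: str, action: str) -> bool:
        if rclass != self.resource_class or action not in self.actions:
            return False
        if self.resource.endswith("*"):
            return resource.startswith(self.resource[:-1])
        return resource == self.resource


class AccessPolicy:
    """Rules attached to one system; anything no rule grants is denied."""

    def __init__(self, system: str, rules: List[Rule]):
        for r in rules:
            if r.resource_class not in RESOURCE_CLASSES:
                raise ValueError(f"unknown resource class {r.resource_class}")
        self.system, self.rules = system, rules
        self.audit: List[Tuple[str, str, str, str, str]] = []

    def check(self, user: User, rclass: str, resource: str, action: str) -> Tuple[bool, str]:
        decision, reason = False, "no rule grants access (default deny)"
        for r in self.rules:
            if r.matches(rclass, resource, action) and r.condition(user):
                decision, reason = True, r.description
                break
        self.audit.append((self.system, user.name, f"{rclass}:{resource}", action,
                           "ALLOW" if decision else "DENY"))
        return decision, reason


def sample_policy() -> AccessPolicy:
    """Constructed rules for a hypothetical server 'srv-files-01'."""
    return AccessPolicy("srv-files-01", [
        Rule("file", "/classified/*", {"read"},
             lambda u: u.clearance >= 2 and "analyst" in u.roles,
             "cleared analysts may read classified files"),
        Rule("process", "backup-agent", {"start", "stop"},
             lambda u: "operator" in u.roles and u.terminal.startswith("console"),
             "operators may control the backup agent from a console"),
        Rule("network", "tcp/22", {"connect"},
             lambda u: "admin" in u.roles,
             "only admins may open SSH sessions"),
        Rule("terminal", "tty*", {"login"},
             lambda u: u.clearance >= 1,
             "any cleared user may log in on a local tty"),
    ])


ALICE = User("alice", {"analyst"}, 3, "vpn-07")
BOB = User("bob", {"operator"}, 1, "console-1")

if __name__ == "__main__":
    policy = sample_policy()
    print(policy.check(ALICE, "file", "/classified/report.txt", "read"))
    print(policy.check(BOB, "file", "/classified/report.txt", "read"))
    print(policy.check(BOB, "process", "backup-agent", "start"))
    print(policy.audit)
```

The audit tuple records the system, user, resource, action and decision for every check, including denials, which is what makes the centralised review the passage mentions possible: a burst of DENY entries against one resource is itself a signal worth a query.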

CSC #16: Account monitoring and control

CA CSC Solution: CA IdentityMinder™, CA GovernanceMinder™, CA User Activity Reporting Module

CA Technologies is uniquely positioned to support this control because it provides a full complement of components that manage a user’s identity life cycle. From the creation of the original user account, through managing that account’s access throughout its lifecycle and enforcing least privilege rules and access rights, to collecting the complete audit trail of associated user activity, CA Technologies offers a robust security solution for account monitoring and control.

CA IdentityMinder, CA GovernanceMinder and CA User Activity Reporting Module work together to provide agencies with an integrated identity management platform that helps automate the creation, modification and deletion of user identities and govern access to enterprise resources. CA IdentityMinder goes beyond traditional provisioning systems by providing a unified solution that enables the management of highly diverse and growing user populations on a wide range of enterprise systems, from mainframes to web applications.

Key features of CA IdentityMinder include:

• Automated provisioning & de-provisioning of user accounts and access permissions
• Centralized audit & reporting of user entitlements
• Delegated user administration
• Integrated workflow
• Password management
• Registration services
• User self-service
• Supports periodic review of user access and creates attestation reports

CA GovernanceMinder provides advanced pattern recognition technology and analytical tools that serve as a flexible foundation on which to establish cross-system identity security policies and automate processes required to meet compliance audits. These include entitlements certification and enforcement of consistent identity compliance policies, continually validating that users, roles and resources have appropriately associated entitlements, which helps meet compliance objectives and security requirements.

As noted under Control #14, CA User Activity Reporting Module can collect logs from a wide variety of sources, including operating systems, network devices, syslogs and applications.

CSC #17: Data loss prevention

CA CSC Solution: CA DataMinder™

CA DataMinder monitors a wide breadth of data activities and provides a spectrum of response actions so that the appropriate balance between continuity and enforcement can be achieved throughout an organization.

It provides a scalable, accurate and cost-effective way to protect and control data-in-motion on the network and in messaging systems, data-in-use at endpoints and data-at-rest on servers and in repositories. CA DataMinder capabilities include:

• Broad protection coverage
• Built-in and user-defined policies
• Automated enforcement actions
• Secure review for sensitive data

Section 4: Conclusions

A practical platform for implementing the 20 CSCs

The 20 Critical Security Controls document embodies a “quick-wins” strategy designed to help agencies accelerate compliance with NIST Special Publication 800-53. Both the 20 Critical Security Controls document and 800-53 indicate that compliance must consist of both overall management and implementation of controls.

Of the 15 CSCs that are technology-based, 12 can be automated with CA Technologies solutions. All 20 controls can be monitored and managed through the combined capabilities of the referenced tools from CA Technologies.

Of course, technology alone cannot secure an IT environment. This requires a combination of sound governance, consistent management and the persistent evaluation of results. Security solutions from CA Technologies give agencies a practical platform for doing all three of these things.

The 20 CSCs are a means to an end: maintaining a secure IT environment. CA Technologies helps agencies facilitate that means—with proven solutions that streamline the process of managing


Copyright © 2012 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. CA assumes no responsibility for the accuracy or completeness of the information. To the extent permitted by applicable law, CA provides this document “as is” without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or noninfringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill, or lost data, even if CA is expressly advised in advance of the possibility of such damages.

CA does not provide legal advice. Neither this document nor any CA software product referenced herein shall serve as a substitute for your compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, policy, standard,

For more information on this topic and other areas of IT, please contact your CA Technologies account team or the CA Technologies Federal Sales Hotline at 866-836-5234.

Section 5: About the Author

Philip Kenney is a Director of Security Management Solutions for CA Technologies Inc. In his role, Mr. Kenney works with DoD and civilian agencies to ensure that CA Technologies security products are meeting their needs. He coordinates with product management teams to represent the requirements of federal customers as CA Technologies security solutions are developed. Additionally, he manages a team of technical consultants who help government customers understand and realize the full value of Security Management solutions from CA Technologies.

Mr. Kenney has over 25 years of IT experience in operational, management and consulting roles spanning a wide range of platforms in both government and business organizations. He focuses on a results-oriented approach to ensure technology outcomes are aligned with business needs.

Connect with CA Technologies at ca.com

Agility Made Possible: The CA Technologies Advantage

CA Technologies (NASDAQ: CA) provides IT management solutions that help customers manage and secure complex IT environments to support agile business services. Organizations leverage CA Technologies software and SaaS solutions to accelerate innovation, transform infrastructure and secure data and identities, from the data center to the cloud. CA Technologies is committed to ensuring our customers achieve their desired outcomes and expected business value through the use of our technology. To learn more about our customer success programs, visit ca.com/customer-success. For more information about CA Technologies go to ca.com.
