Introduction to the CIS Top 20 Critical Security Controls
9 hours 54 minutes
Hey, everyone, welcome back to the course. So in the last video, we just talked about the course introduction. So we talked about things like the prerequisites for this particular course,
as well as my background as your instructor.
And in this video, we're gonna take a brief introduction to the CIS Top 20 Critical Security Controls.
So the learning objectives for this particular video: we're gonna talk about what the CIS controls are, and also what the overall purpose of them is.
So what are they? Well, basically, they're actions that we can take in an organization, and the whole overarching goal is to provide defense in depth. So when we talk about defense in depth, we're not going to be blocking everybody. We're not going to be preventing 100% of breaches. None of that's actually possible.
But what we are trying to do is put various layers in place to make it more difficult and more frustrating
for an attacker or group of Attackers to actually get whatever data were trying to protect.
So a good analogy to use is the old-school castles, right? So they would have the moat around them, so that body of water around them. A lot of times they would also have, like, an open field around them so they could see the enemy coming. They'd have the stone walls, they'd have guards on the walls. So again,
all these things wouldn't prevent some massive army from getting into the castle. But what it would do is deter, or
help the defenders a little more than if they just had, like, a wall, for example.
Another good analogy that's a little more nowadays is your home, right? You might have a fence. You might have a security system. Maybe you've got some dogs.
All that stuff is great. It's not going to stop somebody that's really determined to get in and steal your big-screen TV. But it will deter most people, and the whole goal there for us is to deter them. So they, you know, go down the road to the neighbors or something, right?
So the CIS controls, there's 20 of them, and we're gonna talk through those throughout this course. We'll take a high-level overview of them in this particular video as well.
So here's the 1st 5 here. We're talking about hardware assets, so your physical things.
Software assets, right? So our code that we're trying to protect. So we need to get an inventory and then go ahead and maintain control of all those things. So a lot of organizations actually don't know everything that's on their network. So one of the first things you need to do when you go into a new organization is to try to determine everything that's touching that network.
Continuous vulnerability management is important because, yes, we might patch things today. But there's always someone trying to break stuff. There's always some issue that's discovered, so we need to have some kind of program in place to help curb that.
Controlling admin privileges, pretty self-explanatory, right? We don't want everybody to be an administrator going in and breaking stuff and deleting stuff, etcetera.
And then just making sure everything's securely configured, right? So that's where we talk about hardening of things. So again, this course is really intended for everyone. It's a more high-level course, but we will take some deeper dives into particular areas.
Next five we have. We're talking about maintenance, right, and monitoring, and we're really focused on the audit logs, because what's the point of auditing things if we're never going to improve things or change things, right? So we need to make sure we're doing that properly.
Our browser protection. One of the easiest ways to get into someone's stuff is through the browser or via email, right? Having them click a nefarious link.
We need to talk about malware defenses as well, because if we look at these days, and I'm filming this in 2020, we're looking at more targeted ransomware attacks. So you need to focus your organization on better malware defenses.
And a lot of that boils down to, in addition to technology controls, it also boils down to the human element, right? If you train your employees not to click that link, then you can really reduce your attack surface.
Also, that's controlling the ports, right? So if we notice that certain ports are open that we didn't open, that we don't think any service should be running on, we can go ahead and take care of that. And then just making sure we've got a plan for data recovery, etcetera. Again, we're gonna be covering these a little more in depth in each particular module of the course.
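Two of the controls above, knowing everything that's touching the network (hardware and software inventory) and spotting ports that are open when no service should be listening there, come down to the same defender's task: compare what you actually observe against what you have authorized. The script below is an added example written for this page, not course material or any CIS tooling; the asset inventory, the per-role port allowlist and the discovery snapshot are all constructed sample data, and the function names `reconcile` and `summarize` are my own.

```python
"""Reconcile a network discovery snapshot against an authorized asset
inventory and a per-role listening-port allowlist.

Added example, not part of the course. All data below is constructed;
in practice the inventory would come from a CMDB or asset-management
tool and the snapshot from a network scan or NAC/DHCP logs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    mac: str
    hostname: str
    role: str  # e.g. "workstation", "web-server", "db-server"


# Authorized hardware inventory, keyed by MAC (constructed sample).
AUTHORIZED = {
    "aa:bb:cc:00:00:01": Asset("aa:bb:cc:00:00:01", "ws-101", "workstation"),
    "aa:bb:cc:00:00:02": Asset("aa:bb:cc:00:00:02", "web-1", "web-server"),
    "aa:bb:cc:00:00:03": Asset("aa:bb:cc:00:00:03", "db-1", "db-server"),
}

# Ports each role is expected to listen on (constructed policy).
# A workstation should not be offering any service to the network.
PORT_ALLOWLIST = {
    "workstation": set(),
    "web-server": {80, 443},
    "db-server": {5432},
}

# Discovery snapshot: what was actually seen on the wire (constructed).
# Each entry is (mac, ip, set of open ports observed).
DISCOVERED = [
    ("aa:bb:cc:00:00:01", "10.0.0.11", {445}),       # workstation with a file share open
    ("aa:bb:cc:00:00:02", "10.0.0.20", {80, 443}),   # web server, as expected
    ("de:ad:be:ef:00:99", "10.0.0.77", {22, 8080}),  # device not in the inventory at all
]
# db-1 (aa:bb:cc:00:00:03) did not respond: authorized but not seen.


def reconcile(authorized, allowlist, discovered):
    """Return a report with three lists:
    unknown         - devices seen on the network but not in the inventory
    missing         - inventoried devices that were not seen
    port_violations - known devices listening on ports outside their role
    """
    seen = set()
    report = {"unknown": [], "missing": [], "port_violations": []}
    for mac, ip, ports in discovered:
        seen.add(mac)
        asset = authorized.get(mac)
        if asset is None:
            report["unknown"].append((mac, ip, sorted(ports)))
            continue
        unexpected = ports - allowlist.get(asset.role, set())
        if unexpected:
            report["port_violations"].append((asset.hostname, ip, sorted(unexpected)))
    for mac, asset in authorized.items():
        if mac not in seen:
            report["missing"].append((asset.hostname, mac))
    return report


def summarize(report):
    """Render the report as one finding per line, for a ticket or a dashboard."""
    lines = []
    for mac, ip, ports in report["unknown"]:
        lines.append(f"UNKNOWN   {mac} at {ip} listening on {ports}")
    for hostname, mac in report["missing"]:
        lines.append(f"MISSING   {hostname} ({mac}) not seen on the network")
    for hostname, ip, ports in report["port_violations"]:
        lines.append(f"PORTS     {hostname} at {ip} has unexpected open ports {ports}")
    return lines


if __name__ == "__main__":
    for line in summarize(reconcile(AUTHORIZED, PORT_ALLOWLIST, DISCOVERED)):
        print(line)
```

Each of the three finding types maps to a different follow-up: an unknown device is an inventory gap (or something that should not be there), a missing device may be powered off or may have been replaced without updating the inventory, and a port violation is a service that was either never hardened away or was started later. Running this on a schedule and diffing the output over time is the "maintain control" part of the control, not just the one-time inventory.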
Secure configuration again for our network devices.
This is a cool, uh, router, by the way. I thought this was a cool image, so I wanted to throw it in the course. Anyways, I digress. So, boundary defense, pretty self-explanatory there. Again, our data protection. We also need a plan, a backup plan, for data in case something happens.
More or less access control again. Additional access based on need to know, etcetera, etcetera. Just going back to access control, right? All that kind of loops in to the IAM category.
Monitoring and control, application software security. So again, just making sure that our code, or the code that we're using, is hardened against some common, like, OWASP Top 10 vulnerabilities, right? And then, of course, performing pen tests and red team exercises to make sure that our defenses are actually adequate
to defend against the most common types of attackers.
So what's the overall purpose of these CIS controls compared to, like, other frameworks out there? Right? Well, number one, we're gonna talk about how they map to other things, like NIST CSF, throughout this course. But
these are gonna be very specific and actionable. So rather than, here's a bunch of theory, and here's a bunch of things that people with PhDs thought of in the university,
these controls are actually developed from the real world, right? Real attacks. And so the whole goal with these is taking a small amount of action and getting the most payoff out of it. Right? So we take a little action and we get a huge benefit.
And again, these are based on real life. These were actually developed by real practitioners in the industry, both on the offensive and defensive side of the house.
So in this video we just talked about what the CIS security controls are, and also the overarching purpose. And in the next module, we're gonna jump right into our first CIS control.