Overview of Control 1

00:00

Hey, everyone, welcome back to the core. So in the last video, we took a look at an introduction to the C. I s critical security controls.

00:07

In this video, we're to take a look at control number one.

00:13

So our goals here are to talk about first the implementation group. So we need to understand which types of companies thes controls apply to. And then we're gonna talk about control one as well. It's a sub controls that are under that. And then in the next video were to be going through the sub controls and mapping those to the NIST cybersecurity framework.

00:32

So our implementation groups, we've got three of them,

00:35

and basically, group number one is gonna be your smaller types of businesses, right? So the small mom, mom and pop shops of small to medium sized businesses. Usually they've got some kind of limited I d department. So they might just have, like, one employee that has tech support for them. But they don't normally have Like a dedicated cyber security team.

00:53

They're really focused on business operations because if they have to shut down for any period of time, it could actually mean that their business is done for

01:02

and they usually dealing with less sensitive data. So this might be like myself. I have an online company, and I use 1/3 party for payment processing. So I don't store sensitive data, so this would be I would my particular organization would fit into group number one.

01:19

Group two is gonna be that medium to enterprise level. So they've usually got a dedicated team, a team that also might They may have a general security type person, or they might Their i t t might be handling the security, but they don't have a dedicated, uh,

01:34

cyber security team. Right? So they don't have like, a sock. They don't have pen testers. Usually

01:40

they've got more your your jack of all trades, right? Or you're Jane of all trades.

01:44

They are handling some sensitive data, and the real focus here for them, besides business operations, is around public confidence. So if there's a data breach that could affect this company and shut them down.

01:57

And finally, group number three is your bigger enterprise, right? So they've usually got security experts on staff, so that might be a sock or pen testers, cybersecurity engineers, etcetera etcetera. They're really focused around regulatory and compliance issues, and they're really focused on the CIA. Try it. Right

02:14

and thes. These particular organizations are usually the target of attacks that we've seen that a lot of s amis are being attacked just because they're much easier targets.

02:24

So what is control number one? This is where we're talking about the inventory in control of our hardware assets. Right. So when we talk about that and most organizations don't know fully everything that's touching their network, especially now that we have the b Y o d right to bring your own device,

02:39

you may not know everything that's on your network, but we want to get is much view as possible of the hardware assets that are touching our network.

02:49

We also want to make sure we address any type of administrative account. So we don't want to link up those accounts where they could be accessed by someone joining the guest network, for example.

02:59

So let's just jump through the various sub controls real quick. Some control, 1.1 talking about utilizing active discovery tools.

03:06

This affects groups two and three, primarily

03:08

so. Usually your smaller companies are going to be using these types of tools. Some control. 1.2 passive active Discovery tool. You see Group three there where it's a more dedicated thing.

03:19

Some control 1.3 we're talking about using D A C P Logging toe update our asset inventory

03:28

some control. One point for maintaining a detailed asset inventory again. The whole purpose here is to understand what's actually on our network and what do we don't actually need to defend?

03:38

Maintaining the asset inventory information some control 1.5

03:43

addressing unauthorized assets. So make sure that we ensure unauthorized assets are either removed from our network or re quarantine them.

03:53

And we also update our inventory to make sure that yes, it is unauthorized asset or no, it's not. Or Hey, we've removed this and now it shouldn't be showing as something we have

04:03

some control. 1.7 Deploying port level axes control. So following 802.1 x standards to control what devices can actually authenticate toe our network, right.

04:15

And then just utilizing client certificates to authenticate thes hardware assets.

04:21

So in this video, what has talked about the various CS implementation groups again? Remember There are three of those, and they cover the whole breath from the small mom of pop shops, all the way up to the large enterprises like her, Amazon or Google.