1、 ETSI TR 103 305 V1.1.1 (2015-05) CYBER; Critical Security Controls for Effective Cyber Defence TECHNICAL REPORT ETSI ETSI TR 103 305 V1.1.1 (2015-05) 2 Reference DTR/CYBER-003 Keywords Cyber Security, Cyber-defence, information assurance ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex -
2、FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards-search The present document may be
3、 made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print
4、, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of thi
5、s and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or uti
6、lized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to
7、reproduction in all media. European Telecommunications Standards Institute 2015. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Marks of ETSI registered for the benefit of its Members and o
8、f the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI TR 103 305 V1.1.1 (2015-05) 3 Contents Intellectual Property Rights 4g3Foreword . 4g3Modal verbs terminology 4g3Executive summary 4g3Introduction 5g31 Scope 6g32 References
9、 6g32.1 Normative references . 6g32.2 Informative references 6g33 Definitions and abbreviations . 7g33.1 Definitions 7g33.2 Abbreviations . 7g34 Critical Security Controls . 8g34.0 Structure of the Critical Security Controls Document 8g34.1 CSC 1: Inventory of Authorized and Unauthorized Devices 9g3
10、4.2 CSC 2: Inventory of Authorized and Unauthorized Software 12g34.3 CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers . 15g34.4 CSC 4: Continuous Vulnerability Assessment and Remediation . 20g34.5 CSC 5: Malware Defences . 23g34.6 CSC 6: Ap
11、plication Software Security . 26g34.7 CSC 7: Wireless Access Control 29g34.8 CSC 8: Data Recovery Capability 32g34.9 CSC 9: Security Skills Assessment and Appropriate Training to Fill Gaps . 34g34.10 CSC 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches 36g34.11
12、CSC 11: Limitation and Control of Network Ports, Protocols, and Services . 39g34.12 CSC 12: Controlled Use of Administrative Privileges . 41g34.13 CSC 13: Boundary Defence . 45g34.14 CSC 14: Maintenance, Monitoring, and Analysis of Audit Logs . 49g34.15 CSC 15: Controlled Access Based on the Need to
13、 Know 52g34.16 CSC 16: Account Monitoring and Control . 54g34.17 CSC 17: Data Protection 57g34.18 CSC 18: Incident Response and Management . 60g34.19 CSC 19: Secure Network Engineering . 62g34.20 CSC 20: Penetration Tests and Red Team Exercises . 64g3Annex A: Attack Types 67g3History 68g3ETSI ETSI T
14、R 103 305 V1.1.1 (2015-05) 4 Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 00
15、0 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/ipr.etsi.org). Pursuant to the ETSI IPR Policy, no investiga
16、tion, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Technical Report (TR
17、) has been produced by ETSI Technical Committee Cyber Security (CYBER). Modal verbs terminology In the present document “shall“, “shall not“, “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules
18、(Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. Executive summary The present document captures and describes the top twenty Enterprise industry level cybersecurity best practices that provide enhanced c
19、yber security, developed and maintained by the Council on CyberSecurity as an independent, expert, global non-profit organization. The Council provides ongoing development, support, adoption, and use of the Critical Controls i.5. See (www.counciloncybersecurity.org). The Critical Security Controls r
20、eflect the combined knowledge of actual attacks and effective defences of experts from every part of the cyber security ecosystem. This ensures that the Controls are an effective and specific set of technical measures available to detect, prevent, respond, and mitigate damage from the most common to
21、 the most advanced of those attacks. The Controls are not limited to blocking the initial compromise of systems, but also address detecting already-compromised machines and preventing or disrupting attackers follow-on actions. The defences identified through these Controls deal with reducing the ini
22、tial attack surface by hardening device configurations, identifying compromised machines to address long-term threats inside an organizations network, disrupting attackers command-and-control of 5 implanted malicious code, and establishing an adaptive, continuous defence and response capability that
23、 can be maintained and improved. The five critical tenets of an effective cyber defence system as reflected in the Critical Security Controls are: Offense informs defence: Use knowledge of actual attacks that have compromised systems to provide the foundation to continually learn from these events t
24、o build effective, practical defences. Include only those controls that can be shown to stop known real-world attacks. Prioritization: Invest first in Controls that will provide the greatest risk reduction and protection against the most dangerous threat actors, and that can be feasibly implemented
25、in your computing environment. Metrics: Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quick
26、ly. Continuous diagnostics and mitigation: Carry out continuous measurement to test and validate the effectiveness of current security measures, and to help drive the priority of next steps. Automation: Automate defences so that organizations can achieve reliable, scalable, and continuous measuremen
27、ts of their adherence to the Controls and related metrics. ETSI ETSI TR 103 305 V1.1.1 (2015-05) 5 Introduction The evolution of cyber defence is increasingly challenging. Massive data losses, theft of intellectual property, credit card breaches, identity theft, threats to privacy, denial of service
28、 - these have become endemic. Access exists to an extraordinary array of security tools and technology, security standards, training and classes, certifications, vulnerability databases, guidance, best practices, catalogues of security controls, and countless security checklists, benchmarks, and rec
29、ommendations. But all of this technology, information, and oversight have become a veritable “Fog of More“: competing options, priorities, opinions, and claims. The threats have evolved, the actors have become smarter, and users have become more mobile. Data is now distributed across multiple locati
30、ons, many of which are not within our organizations infrastructure anymore. With more reliance on cloud computing data centres, the data and even applications are becoming more distributed. In a complex, interconnected world, no enterprise can think of its security as a standalone problem, and colle
31、ctive action is nearly impossible. Focus is needed to establish priority of action, collective support, and keeping knowledge and technology current in the face of rapidly evolving problems and an apparently infinite number of possible solutions. The most critical areas need to be addressed and the
32、first steps taken toward maturing risk management programs. This includes a roadmap of fundamentals, and guidance to measure and improve the implementation defensive steps that have the greatest value. These issues led to, and drive, the Critical Security Controls. The value is determined by knowled
33、ge and data - the ability to prevent, alert, and respond to the attacks that are plaguing enterprises today. The Critical Security Controls and Other Risk Management Approaches The Critical Security Controls are not a replacement for comprehensive mandatory compliance or regulatory schemes. The Cont
34、rols instead prioritize and focus on a smaller number of actionable controls with high-payoff. Although lacking the formality of traditional Risk Management Frameworks, the Critical Security Controls process constitutes a “foundational risk assessment“ - one that can be used by an individual enterpr
35、ise as a starting point for immediate, high-value action, is demonstrably consistent with formal risk management frameworks, and provides a basis for common action across diverse communities (e.g. that might be subject to different regulatory or compliance requirements). The Critical Security Contro
36、ls also proactively align with and leverage ongoing work in security standards and best practices. Examples include: the Security Content Automation Program (SCAP) and Special Publication 800-53 i.1 (Recommended Security Controls for Federal Information Systems and Organizations) sponsored by the Na
37、tional Institute of Standards and Technology (NIST); the Australian Signals Directorates “Top 35 Strategies to Mitigate Targeted Cyber Intrusions“; and the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27002:2013 i.4 Information technology - Sec
38、urity techniques - Code of practice for information security controls. References and mappings to these can be found at www.counciloncybersecurity.org. Initiating Implementation Some of the Critical Security Controls, in particular CSC 1 through CSC 5, are foundational, and should be considered as t
39、he actions to be taken. This is the approach taken by, for example, the DHS Continuous Diagnostic and Mitigation (CDM) Program. For a highly focused and direct starting point, five especially useful actions have the most immediate impact on preventing attacks. These actions are specially noted in th
40、e Controls listings, and consist of: 1) application whitelisting (found in CSC 2); 2) use of standard, secure system configurations (found in CSC 3); 3) patch application software within 48 hours (found in CSC 4); 4) patch system software within 48 hours (found in CSC 4); and 5) reduced number of us
41、ers with administrative privileges (found in CSC 3 and CSC 12). ETSI ETSI TR 103 305 V1.1.1 (2015-05) 6 1 Scope The present document describes a specific set of technical measures available to detect, prevent, respond, and mitigate damage from the most common to the most advanced of cyber attacks. T
42、he measures reflect the combined knowledge of actual attacks and effective defences. The present document is technically equivalent and compatible with the 5.1 version of the “The Critical Security Controls for Effective Cyber Defence,“ 10 July 2014, which can be found at the website http:/www.counc
43、iloncybersecurity.org/critical-controls/. 2 References 2.1 Normative references References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest
44、 version of the reference document (including any amendments) applies. Referenced documents which are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/Reference. NOTE: While any hyperlinks included in this clause were valid at the time of publicatio
45、n, ETSI cannot guarantee their long term validity. The following referenced documents are necessary for the application of the present document. Not applicable. 2.2 Informative references References are either specific (identified by date of publication and/or edition number or version number) or no
46、n-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the reference document (including any amendments) applies. NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their lon
47、g term validity. The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area. i.1 NIST Special Publication 800-53: “Security and Privacy Controls for Federal Information Systems and Organizations“.
48、 i.2 NIST Special Publication 800-57: “Recommendation for Key Management - Part 1: General“. i.3 NIST Special Publication 800-132: “Recommendation for Password-Based Key Derivation - Part 1: Storage Applications“. i.4 ISO/IEC 27002:2013: “Information technology - Security techniques - Code of practi
49、ce for information security controls“. i.5 Council on Cybersecurity: “The Critical Security Controls for Effective Cyber Defence“. ETSI ETSI TR 103 305 V1.1.1 (2015-05) 7 3 Definitions and abbreviations 3.1 Definitions For the purposes of the present document, the following terms and definitions apply: Critical Security Control (CSC): specified capabilities that reflect the combined knowledge of actual attacks and effective defences of experts that are maintained by the Council on Cybersecurity and found at the website http:/www.counciloncyb
