Achieving Endpoint Protection Through The SANS Institute's 20 Critical .

Transcription

Achieving Endpoint Protection through the SANS Institute’s 20 Critical Security Controls

Abstract

Today’s technology provides a wealth of opportunity. For example, by adopting bring your own device (BYOD) policies, you can enable your employees to work from anywhere, anytime, increasing their productivity. And the ever-growing volumes of data you collect present opportunities for data mining and business intelligence.

But these market trends also represent security risks, especially given that attacks are increasing in both number and sophistication. Therefore, protecting your environment is a balancing act. Be too lax on security and you incur too much risk. But apply too much security and your users can’t do their jobs. It can seem like an impossible task, especially with limited IT staff and budget.

But it’s not. This paper details how you can protect your environment, from endpoint to perimeter, by understanding the critical security controls needed in today’s complex IT environments and choosing tools that make it easy to implement those controls.

Introduction

Protecting your environment today is a complex, multifaceted task. Accurately knowing what devices are connecting to your network and what software is on those devices lays the foundation for security, and it also plays a critical role in effective asset management and system backup and recovery.

Once you know what’s accessing your network, you need to effectively manage the configurations of your endpoints (desktops, laptops, tablets, mobile devices, servers and more), and automatically and continually scan your network for new assets and vulnerabilities.

You also have to address the security of applications, making sure that they’re patched and up to date — especially critical security software such as antivirus applications. And you need tight controls over administrative privileges, since end users continue to be catalysts for security breaches.

Finally, you need to accomplish all of this in a balanced approach that protects your environment without getting in the way of your day-to-day operations.

This paper explores the market trends complicating endpoint security today, explains the 20 Critical Security Controls defined by the SANS Institute for achieving endpoint security, and details how two solutions from Dell cover 16 of the 20 controls — giving you broad coverage of security best practices quickly and easily.

Market trends increasing pressure on endpoint security

Protecting your environment today is harder than ever. Several market trends in particular are increasing pressure on endpoint security: expanding compliance regulations, evolving user behavior, ever more frequent and sophisticated threats, and limited IT staff and budgets (see Figure 1).

Compliance pressures

You have an increasing variety of regulations, from software licenses to regulatory mandates like SOX, PCI and HIPAA with which to comply — so many, in fact, that 75 percent of organizations say they lack resources to meet compliance regulations, according to Ponemon Institute.

Evolving user behavior

IT infrastructures are already complex, often including distributed locations and multiple operating systems. Trends in user behavior are adding to that infrastructure complexity — and introducing new security concerns. In particular, the scope of devices that are potential catalysts of security breaches is swelling, as previously passive objects become more intelligent and more of them communicate wirelessly with the advent of the Internet of Things (IoT).
Forrester reports that 200 million employees already bring their own devices to work, and Infinite Research notes that 96.38 million enterprise tablets are expected to ship worldwide in 2016. Gartner predicts that the installed base of “things,” excluding PCs, tablets and smartphones, will grow to 26 billion units in 2020. More connected devices means more catalyst for security breaches.

Enterprises want to take advantage of the benefits of these changes in user behavior, while also protecting their networks, data and users.

Figure 1. Market trends are increasing pressure on endpoint security
  Evolving user behavior: 200 million employees bring their own device to work.[1] 26 billion new devices will be connected to the internet by 2020.[2]
  Compliance pressures: 75% of organizations lack resources to meet compliance regulations. 73% say increasing audit burden is their biggest challenge.[3]
  Limited IT staff and budgets: Average growth of IT budgets was 2.1% in 2014.[4]
  Growing threats: In just one month, 280 million malicious programs, 134 million Web-borne infections, and 24 million malicious URLs are detected.[5]

[1] “Mobile Is The New Face Of Engagement,” Forrester Research, February 2012.
[2] “Forecast: The Internet of Things, Worldwide, 2013,” Gartner.
[3] “2013 State of the Endpoint,” Ponemon Institute, December 2012.
[4] “Forecast Alert: IT Spending, Worldwide, 2Q14 Update,” Gartner.
[5] Kaspersky Threat Report, April 2012.

Growing threats

Meanwhile, threats continue to grow in both number and sophistication. For example, 280 million malicious programs, 134 million web-borne infections and 24 million malicious URLs were detected — all in just one month.[5] Moreover, the complexity and range of those threats has morphed from “simple” viruses and worms to full-fledged cyber-terrorism and other attacks using sophisticated tactics such as SQL injection (see Figure 2).

Figure 2. The expanding complexity and reach of threats (timeline: 1980, 1990, 2000, 2014)

Limited IT staff and budget

Finally, despite these growing pressures on endpoint protection, IT staff and budgets grow marginally or not at all (see Figure 3), making it difficult to keep your environment protected. For instance, StatCounter found that more than 16 percent of PCs worldwide still have Windows XP installed even though Microsoft’s support has already ended — a clear security and compliance risk. Part of the problem is that day-to-day IT operations costs are so high: an IDC white paper sponsored by Dell found that the average deployment cost per PC is 615, and WIPRO pegged the annual cost of supporting a laptop at 969 (assuming a five-year refresh rate). Such costs can quickly erode whatever budgets IT organizations have.

Figure 3. IT departments today must do more with less.
  72% of IT budget spent on maintenance [1]
  212 billion devices by 2020 [2]
  546 annual IT labor cost of PCs after deployment [3]
  2.1% average growth of IT budgets in 2014 [4]

[1] “How to balance maintenance and IT innovation,” Computerworld, Oct. 21, 2013.
[2] “Rethinking IT Asset Management in the Age of the Internet of Things,” IDC, March 2014.
[3] “Desktop Total Cost of Ownership: 2013 Update,” Gartner.
[4] “Worldwide IT Spending Forecast, 2Q14 Update,” Gartner.
[5] Kaspersky Threat Report, April 2012.

Protecting your environment has never been more important

Understanding the importance of mastering these challenges and protecting your environment requires only glancing at the headlines. Organizations are breached every day, by attacks on their networks and also in other ways, such as theft of laptops containing confidential data (see Figure 4). As a result, organizations lose not only valuable intellectual property but also the customer trust that is the foundation of any business.

Figure 4. Protecting your environment has never been more important.
  Headlines: AP twitter feed hacked. Massive attack: LivingSocial loses 50M passwords. Colossal malware attacks strike Staples corporate systems. Lost, unencrypted USB thumb drive impacts 50K Medicaid providers.
  46% of lost laptops contain confidential data.[1]
  49,246 average value of a lost laptop. 80% is due to data breaches.[1]
  194 average cost per compromised record.[2]
  1 out of 10 laptops are lost or stolen over the lifetime of the device.[1]
  45% of organizations do not enforce employees’ use of private clouds.[3]
  80,000 new malware variants created every day.[4]
  37% of data breach cases involved malicious attacks.[2]
  222 average cost per compromised record due to malicious attacks.[2]

[1] “The Billion Dollar Lost Laptop Problem,” Ponemon Institute, Sponsored by Intel, October 2010.
[2] “2011 Cost of Data Breach Study,” Ponemon Institute, Sponsored by Symantec, March 2012.
[3] “2013 State of the Endpoint,” Ponemon Institute, December 2012.
[4] Panda Labs Q1 2012 Internet Threat Report.

Endpoint protection through the SANS 20 Critical Security Controls

How, then, can organizations best protect their IT environments? In 2008, the National Security Agency (NSA) asked the same question, and began assessing which controls have the greatest impact in improving risk posture against real-world threats. In concert with a global consortium of agencies and experts from private industry, the SANS Institute created a list of 20 actionable controls with high payoff.

Since these controls were derived from the most common attack patterns and vetted across a broad international community of governments and industries, with very strong consensus on the resulting set of controls, they serve as the basis for immediate high-value action. They provide your organization with a framework or checklist, whether you’re just starting your security program or have a more mature model in place.

The 20 Critical Security Controls, as detailed in “The Critical Security Controls for Effective Cyber Defense, Version 5.0,” are:

1. Inventory of authorized and unauthorized devices
2. Inventory of authorized and unauthorized software
3. Secure configurations for hardware and software
4. Continuous vulnerability assessment and remediation
5. Malware defenses
6. Application software security
7. Wireless access control
8. Data recovery capability
9. Security skills assessment and appropriate training to fill gaps
10. Secure configurations for network devices: firewalls, routers and switches
11. Limitation and control of network ports, protocols and services
12. Controlled use of administrative privileges
13. Boundary defense
14. Maintenance, monitoring, and analysis of audit logs
15. Controlled access based on the need to know
16. Account monitoring and control
17. Data protection
18. Incident response and management
19. Secure network engineering
20. Penetration tests and red team exercises

These Critical Security Controls provide a framework or checklist of sorts to all organizations no matter what stage of your security program you’re in, whether you’re just starting out or have a more mature model in place. If executed in a systematic, automated and streamlined way, these 20 Critical Security Controls not only lay the foundation for a comprehensive security program, but also alleviate the day-to-day IT tasks that bog down many organizations today.

The problem is that establishing, maturing and balancing all 20 Critical Security Controls can be a daunting task. So, how can you easily put into place this long list of Critical Security Controls? The best way to prevent being overwhelmed is to break down the Critical Security Controls into related areas:

First look at these controls from an operational security or endpoint security lens. In our view those would be Critical Security Controls 1–4, 6, 12 and 18.

Next you’ll want to break down the Critical Security Controls by network access. In our view those would be Critical Security Controls 5–7, 10, 11, 13–16 and 19.

Then you’ll want to look at it from a data protection and backup lens, essentially Critical Security Controls 8 and 17.

Finally, consider them from a security assessment, performance and training angle; we see these as Critical Security Controls 9, 18 and 20.

By breaking up the Critical Security Controls this way, you will create the needed synergies between networking groups, security groups and endpoint management groups.

An action plan for implementing the Critical Security Controls

Dell offers the right mix of software and tools to address all 20 Critical Security Controls in your organization, helping you quickly and easily develop, maintain and manage an end-to-end security plan that doesn’t require teams or create silos within your organization (see Figure 5).

Figure 5. Dell offers the right mix of software and tools to address all 20 Critical Security Controls. (Panels: Dell Endpoint Systems Management, Dell SonicWALL, Dell AppAssure, Dell SecureWorks, Dell Data Protection.)

Even better, you can address 16 of the 20 controls with just two solutions: Dell Endpoint Systems Management (ESM) offerings and Dell SonicWALL next-generation firewalls. These two solutions alone will give you broad coverage of security best practices quickly and easily — without requiring complex and costly security solutions.
Let’s explore how they enable you to implement this wide range of controls.

Dell Endpoint Systems Management solutions

Dell ESM solutions comprise a combination of the following:

Dell KACE K1000 Management and K2000 Deployment Appliances (K1000 and K2000) are easy to use, comprehensive and affordable, so they fulfill the systems management needs of organizations of all sizes, from systems deployment to ongoing inventory and management of virtually any network connected device.

Dell Desktop Authority Management Suite extends the systems management capabilities of the KACE appliances with granular user environment customization so you can offer each user the workspace that makes him or her most productive.

Dell Enterprise Mobility Management Suite (EMM) is a flexible, comprehensive mobile enablement solution that securely manages endpoints (including smartphones, tablets, laptops and desktops) and provides secure access to corporate resources, user self-service, and real-time reporting and alerts.

Addressing the Critical Security Controls

Dell ESM solutions address endpoint protection needs from issue detection to assessment and remediation, and offer a number of services to protect endpoint integrity (see Figure 6). They address seven of the Critical Security Controls, as listed below, but more importantly, by addressing the first four foundational controls, they lay the basis for a comprehensive security risk program.

1. Inventory of authorized and unauthorized devices
2. Inventory of authorized and unauthorized software
3. Secure configurations for hardware and software
4. Continuous vulnerability assessment and remediation
6. Application software security
12. Controlled use of administrative privileges
18. Incident response and management

Figure 6. Dell endpoint systems management solutions address many critical security controls. (Panels: Detect threats & vulnerabilities, Assess current state, Remediate security gaps, Protect endpoint integrity.)

Critical Controls #1 and #2: Inventory of authorized and unauthorized devices and inventory of authorized and unauthorized software

Device discovery and inventory — Many organizations cannot say with a high level of confidence that they have a clear view of everything accessing their network, and that lack of visibility leaves them vulnerable to security attacks. The K1000 provides comprehensive IT asset management through unified discovery, inventory, asset management and reporting for virtually the entire enterprise infrastructure, regardless of platform. By using a variety of protocols to discover all network-connected devices (ICMP-based ping, Telnet, SSH2, SNMP and Socket tests), the K1000 can interrogate the network. If you are unable to authenticate against an endpoint, you can use NMAP to determine the probable operating system residing on a specified IP address. Scanning protocols can be combined and automated to provide fast and reliable identification of all devices, versions of workstations, servers, printers, network devices and any other SNMP-enabled device. Detailed configuration information is captured for desktops, notebooks, servers, printers, and networking equipment such as routers and switches. The full device discovery offered by the K1000 will enable you to capture information about virtually every network-connected device — rogue or legitimate.

Software discovery and inventory — Keeping track of software licenses and usage has become exponentially harder due to the proliferation of versions, inconsistent naming and tracking mechanisms, and increasingly complex license structures. With more than 110 million software entries, the K1000’s application catalog contains important information, including application version and name variations, normalized publisher names and categorization of the applications themselves. The application catalog is updated daily and can be downloaded as frequently as needed. It also automatically maps minor versions up to the parent package, thereby enabling tracking of licensing and usage across major versions. The K1000 is able to discern whether an application has been installed in standalone mode or as part of a greater software suite, so you can accurately discover, track and manage software assets across Windows, Mac and Linux operating systems.

Critical Control #3: Secure configurations for hardware and software

Configuration management and enforcement — The K1000 provides fine-grained control over configuration policies so you can easily set up ongoing, automated enforcement as new systems, scripts and software packages are made available. Dynamic policy groupings enable policies to keep the constantly changing content and target systems updated automatically — without administrator involvement.

Configuration correction — With the K1000, you can create and enforce reliable endpoint configurations, as well as maintain a complete audit trail of configuration changes to satisfy regulatory compliance requirements.

Software blacklisting — With the K1000, you can easily blacklist software applications to prevent the execution of undesirable programs known to contain security threats or vulnerabilities, or to prevent the installation of those deemed inappropriate, and enforce secure software configurations on all endpoint devices.

Patch deployment — The huge number of patches released every month can make identifying, prioritizing and tracking patches a challenge. The K1000 offers intuitive search capabilities and views that enable you to quickly filter through large numbers of patches and easily track patch deployment status. In addition, the K1000 provides one of the largest patch repositories and offers WSUS content parity. Plus, it supports Mac patch management, as well as a wide range of third-party applications from vendors such as Microsoft, Apple, Adobe, Symantec and Mozilla, so you can keep the software on all your systems up to date and secure.

Critical Control #4: Continuous vulnerability assessment and remediation

SCAP scanning — An integrated SCAP scanner within the K1000 provides easy-to-use, automated scan scheduling and detailed reporting so you can manage common endpoint configurations and confirm organizational compliance against requirements.

OVAL scanning — The K1000 supports OVAL-based vulnerability scanning of all managed Windows systems. This includes setting the testing schedule and reporting the results. More than 1700 pre-defined tests are included, and new tests are added as they are published.

Patch compliance — The K1000 also provides summary data on patch management and deployment progress, so you can quickly determine which patches have rolled out successfully and which systems are in compliance, and identify and remediate any systems where patching has failed.

Critical Control #6: Application software security

Software deployment and configuration enforcement — The K1000 makes it easy to ensure that key software (such as anti-virus software) is deployed, patched and maintained in accordance with your requirements. The K1000 enforces anti-virus settings, allowing control of settings for McAfee and Symantec Antivirus packages and verifying that the software is installed with the configuration specified.

Critical Control #12: Controlled use of administrative privileges

PC lockdown — The K1000 provides an optimal PC lockdown solution by enabling IT teams to assign flexible user privileges that maintain both security and user productivity. With the self-service software portal, your organization can publish approved software titles, license keys, files and scripts that users can access to install applications or configure their systems, whether or not they have local admin rights. You can also blacklist unauthorized or malicious software to prevent it from executing. The integrated service desk seamlessly merges with the system management console so administrators can view employee requests regarding privileges and address them from a single location.

Management of user privileges — With Desktop Authority Management Suite, you can grant users permission to install software, make desktop changes and install ActiveX controls that you deem secure — without granting them local admin rights that would allow them to install unapproved software, copy data to flash drives or incur other risks.

Critical Control #18: Incident response and management

Service desk — The K1000 service desk provides an easy-to-use, comprehensive appliance-based alternative to traditional IT helpdesk software management packages. It is fully integrated with the K1000’s asset and configuration management capabilities and offers advanced functionality to help automate repetitive management tasks and provide incident management as user or system problems arise.

Figure 7. The Dell KACE K1000 Management Appliance addresses endpoint security needs from issue detection to assessment and remediation. (Panels: Detect, Assess, Remediate, Protect.)

Dell SonicWALL next-generation firewalls

The Dell SonicWALL family of firewalls tightly integrates intrusion prevention, malware protection, and application intelligence and control with real-time visualization. Dell SonicWALL firewalls provide organizations of any size with a deeper level of network security because they are designed using a scalable multi-core hardware architecture and a patented, single-pass, low-latency, Reassembly-Free Deep Packet Inspection (RFDPI) engine that scans all traffic regardless of port or protocol.

Dell SonicWALL NGFWs address 10 additional critical security controls:

5. Malware defenses
6. Application software security
7. Wireless access control
10. Secure configurations for network devices: firewalls, routers and switches
11. Limitation and control of network ports, protocols and services
13. Boundary defense
14. Maintenance, monitoring, and analysis of audit logs
15. Controlled access based on the need to know
16. Account monitoring and control
19. Secure network engineering

Critical Control #5: Malware defenses

Regular malware signature updates — Before you can react to new malware, you need to see it. With more than one million sensors and broad collaboration within Dell and throughout the security community, we can identify cyber-attacks before they get to your network. Dell SonicWALL firewalls receive timely updates on malware signatures to protect you from emerging threats.

Cloud assist — A single firewall cannot maintain a catalog of all the malware signatures that might be used to compromise your network. By maintaining a continuous, expanding signature database of 16 million malware signatures in the cloud, Dell SonicWALL firewalls leverage cloud technology to deliver a higher level of security.

Critical Control #6: Application software security

Application intelligence and control — Dell SonicWALL firewalls enable you to see and manage all the traffic going through your network in real time. You can create rules to prioritize important traffic, throttle less important traffic and block unwanted yet legitimate traffic — all with just three clicks. This traffic management not only protects your network but also makes it more efficient.

Critical Control #7: Wireless access control

Integrated wireless controller — The NSA and TZ models have integrated wireless controllers that allow you to create wireless connectivity with SonicPoint access points. For small installations that need some wireless, the TZ line of products offers the option of built-in wireless antennas.

Wireless protection — The Dell SonicWALL Clean Wireless solution goes beyond mere secure wireless solutions by making wireless networks as secure as wired networks. The Dell SonicWALL firewall delivers dual protection by first inspecting traffic and identifying unauthorized intrusions, then encrypting the traffic. With the Enforced Anti-Virus option, the firewall can require any wireless user to have the most current anti-virus profiles prior to allowing access to the network.

Critical Control #10: Secure configurations for network devices, firewalls, routers and switches

One-touch configuration — With a single click, you can apply Dell SonicWALL best practices to more than sixty configuration settings. Think of it as a quick tune-up for your firewall settings. Authorized administrators can easily review rules via the management console.

Passwords — The first step in the easy-to-use firewall setup wizard requires the administrator to change the default access password. Passwords can be configured such that administrators and users are using secure passwords. You can also require passwords be changed after a specified number of days, lock out an account after incorrect attempts at login, and enforce password complexity and length.

Critical Control #11: Limitation and control of network ports, protocols and services

Full scanning — Unlike many competitors’ solutions, the Dell SonicWALL firewall scans every byte of every packet on all ports regardless of file size.

RFDPI engine — The patented Reassembly-Free Deep Packet Engine enables simultaneous, multi-threat and application scanning and analysis at extremely high speeds to protect the network from internal and external attacks with a single-pass, latency-free approach.

SSL decryption and inspection — It is estimated that nearly one third of all traffic is encrypted with SSL. To provide truly deep packet security, organizations need the ability to inspect all traffic on any port, whether or not the traffic is encrypted. Dell SonicWALL firewalls transparently decrypt SSL traffic, scan for and remove any threats, and re-encrypt traffic before sending it to the destination.

Critical Control #14: Maintenance, monitoring and analysis of audit logs

Critical Control #15: Controlled access based on the need to know

Granular control over external site access — All Dell SonicWALL firewalls provide the ability to block access to questionable sites by using the content filtering capabilities. Sites can be added to the content filtering list (blacklisting) or removed from the filter (whitelisting).

Detection and blocking of intrusion attempts — The first line of a strong defense is the ability to block intrusions. Today, the best cybercriminals are often at the top of their class at evading detection. Dell SonicWALL uses sophisticated anti-evasion technology to block intrusion attempts.

Zones — Access to all applications can be controlled with physical interfaces. Security zones are bound to each physical interface where it acts as a conduit for inbound and outbound traffic. Rules and policies can be set within and across zones to restrict access to applications and websites.

RADIUS — D
