Today, I will be going over Control 20 from version 7 of the CIS top 20 Critical Security Controls – Penetration Tests and Red Team Exercises. I will go through the eight requirements and offer my thoughts on what I’ve found.

Key Takeaways from Control 20

  1. Rely on the previous Controls. Much of what happens in Control 20 builds on the earlier Controls. Understanding your attack surface from Controls 1 and 2 helps you scope sections 1 through 3. Control 3 defines your vulnerability management tool set, which can be leveraged across most of the sections in this Control. In turn, the findings from your red team exercises will help mature your coverage in every previous Control.
  2. Where’s the remediation? Section 7 states that results should be compared over time; however, there is no guidance on handing those results to the Blue Team so they can close the gaps the penetration tests uncovered.

Requirement Listing for Control 20

  1. Establish a Penetration Testing Program

    • Description: Establish a program for penetration tests that includes a full scope of blended attacks such as wireless, client-based, and web application attacks.
    • Notes: This is now the starting point for anyone looking to begin penetration testing against their assets. If you’re just getting started, don’t try to tackle the full blend of attacks at once. Begin with an area where you already have expertise and/or with a critical finding from a vulnerability scan. Over time, you can work up to having the full blend of attacks in your arsenal.
  2. Conduct Regular External and Internal Penetration Tests

    • Description: Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
    • Notes: This section remains relatively intact from the previous (Read more...)