That first “quick win” has several controls in it, some of which are subservient to the original.

1. Deploy an automated asset inventory discovery tool
1.1 Use the automated asset inventory tool to build a preliminary asset inventory of systems connected to the network.
1.2 Use active tools as appropriate to continuously scan the network to identify hosts based on analyzing their traffic.
1.3 Use passive tools as appropriate to continuously scan the network to identify hosts based on analyzing their traffic.

The reason that this quick win has to be split into several controls is simple – each task shown here can be independently tested and answered “yes we’ve done it”, “no we haven’t done it”, “this doesn’t apply.” You can’t do that when the “control” is written as a compound/complex sentence. One of the best things to do is think about going to court and having to answer yes/no/na to a question without telling a lie. Could you answer yes/no/na to the quick win as originally stated if you did part of it, didn’t do another part, and the rest wasn’t applicable? You couldn’t.

So that’s why we have to break each of these compound/complex paragraphs into the “perform *an* action on this person or asset” format.

Here is the actual first control under Critical Control 1: Inventory of Authorized and Unauthorized Devices:

1. Quick wins: Deploy an automated asset inventory discovery tool and use it to build a preliminary asset inventory of systems connected to the enterprise network. Both active tools that scan through network address ranges and passive tools that identify hosts based on analyzing their traffic should be employed.

The author is correct in that the “controls” as stated aren’t controls. They aren’t even full sentences.

Take, for instance, “control 1″ which states “Inventory of Authorized and Unauthorized Devices”. If it were written “establish and maintain blah blah blah”, you’d have a control.

Because to control is to take action (or subvert an action from taking place, or mitigation against an action from taking place) on something or someone. The prepositional phrase stated is without action. Therefore, it isn’t a control.

The easiest way to tell if something is or is not a control is to ask it as a question. It would be absurd to ask “did you Inventory of Authorized and Unauthorized Devices?” You “could* ask if the person created, established, maintains, destroys, or any other action relating to the topic.

If someone were to teach the people at SANS a lesson in English, they might re-write those controls this way:

Critical Control 1: Establish and Maintain an Inventory of Authorized and Unauthorized Devices.
Critical Control 2: Establish and Maintain an Inventory of Authorized and Unauthorized Software.
Critical Control 3: Implement Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers.
Critical Control 4: Implement Secure Configurations for Network Devices such as Firewalls, Routers, and Switches.
Critical Control 5: Initiate and maintain a Boundary Defense program.
Critical Control 6: Establish, maintain, monitor, and analyze Security Audit Logs.
Critical Control 7: Establish and Maintain an Application Software Security program.
Critical Control 8: Control the Use of Administrative Privileges.
Critical Control 9: Establish and Maintain Access Based on the Need to Know.
Critical Control 10: Perform Continuous Vulnerability Assessment and Remediation.
Critical Control 11: Establish and Maintain Account Monitoring and Control program.
Critical Control 12: Establish and Maintain a Malware Defenses program.
Critical Control 13: Limit and control the use of Network Ports, Protocols, and Services.
Critical Control 14: Establish and Maintain Wireless Device Controls
Critical Control 15: Establish and Maintain a Data Loss Prevention program.
Critical Control 16: Follow Secure Network Engineering practices.
Critical Control 17: Perform Penetration Tests and Red Team Exercises.
Critical Control 18: Establish and Maintain an Incident Response Capability.
Critical Control 19: Establish and Maintain an Data Recovery Capability.
Critical Control 20: Perform Security Skills Assessments and Appropriate Training to Fill Gaps.

1) While your comment is not incorrect, it should advocate controls that are more granular than the app level. How about whitelisting end user behaviors? Everything can boil down to an executable.

2) The reason you don’t see any IPS achieve this is that it requires kernel level enforcement on any node where the controls are required. (Hint: Scalable MLS)

3) Yes its dumb. Got to get away from patch and prey to models that prevent threats from exploiting vulns, then you get protection where one can’t patch and against zero days.

4) Definitely lame. Many breakers would fail at building.

5) Educating users has generally proven to be poor value with limited effectiveness. Put those users on inherently secure high assurance systems and see how much education they need. People push education because they are selling it or its all they have to go on.

6) Early adoption for the sake of early adoption is plain dumb. Don’t bother to do anything unless conceptually it makes much more sense than the status quo, otherwise it is only incremental change.

As far as minor dumbs, a few new threats are inevitable until the end goal is reached. If we had networks full of inherently secure systems, how many problems do you think would just go away?

My2cs.

Id also add – user education.
Cyber criminals use the full range of the attack-vector spectrum, majorly –
social engineering. On that sense, like any citizen living on a country that is constantly threatened by terrorists,
your citizens must know whom to trust and what kind of threat to look for (a bag left on a bench in a train station…).
obviously, they must not know about the other great measure you mentioned in your article, as it may
lower their level of trust (“nothing to worry about with this download, im already protected…”).

–Oren

Finally, it would be a lot easier to simply admit the mistake, apologize for it, and move on.