The CIS Critical Security Controls for Effective Cyber Defense, Version 6.1

The Center for Internet Security Critical Security Controls for Effective Cyber Defense
Version 6.1, August 31, 2016

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode). To further clarify the Creative Commons license related to the CIS Critical Security Controls content, you are authorized to copy and redistribute the content as a framework for use by you, within your organization and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you remix, transform or build upon the CIS Critical Security Controls, you may not distribute the modified materials. Users of the CIS Critical Security Controls framework are also required to refer to (http://www.cisecurity.org/critical-controls.cfm) when referring to the CIS Critical Security Controls in order to ensure that users are employing the most up to date guidance. Commercial use of the CIS Critical Security Controls is subject to the prior approval of The Center for Internet Security.

The CIS Critical Security Controls for Effective Cyber Defense
Introduction (page 1)
CSC 1: Inventory of Authorized and Unauthorized Devices (page 6)
CSC 2: Inventory of Authorized and Unauthorized Software (page 10)
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers (page 13)
CSC 4: Continuous Vulnerability Assessment and Remediation (page 17)
CSC 5: Controlled Use of Administrative Privileges (page 21)
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs (page 24)
CSC 7: Email and Web Browser Protections (page 27)
CSC 8: Malware Defenses (page 31)
CSC 9: Limitation and Control of Network Ports, Protocols, and Services (page 34)
CSC 10: Data Recovery Capability (page 36)
CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches (page 38)
CSC 12: Boundary Defense (page 41)
CSC 13: Data Protection (page 46)
CSC 14: Controlled Access Based on the Need to Know (page 50)
CSC 15: Wireless Access Control (page 53)
CSC 16: Account Monitoring and Control (page 56)
CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps (page 59)
CSC 18: Application Software Security (page 63)
CSC 19: Incident Response and Management (page 66)
CSC 20: Penetration Tests and Red Team Exercises (page 69)
Appendix A: Evolving an Attack Model for the CIS Critical Security Controls (page 73)
Appendix B: Attack Types (page 76)
Appendix C: The NIST Framework for Improving Critical Infrastructure Cybersecurity (page 78)
Appendix D: The National Cyber Hygiene Campaign (page 80)
Appendix E: Critical Governance Controls and the CIS Critical Security Controls (page 81)
Appendix F: Toward a Privacy Impact Assessment (PIA) for the CIS Critical Security Controls (page 85)
Appendix G: Categorization for the CIS Critical Security Controls (page 91)
Introduction

We are at a fascinating point in the evolution of what we now call cyber defense. Massive data losses, theft of intellectual property, credit card breaches, identity theft, threats to our privacy, denial of service: these have become a way of life for all of us in cyberspace.

Ironically, as defenders we have access to an extraordinary array of security tools and technology, security standards, training and classes, certifications, vulnerability databases, guidance, best practices, catalogs of security controls, and countless security checklists, benchmarks, and recommendations. To help us understand the threat, we've seen the emergence of threat information feeds, reports, tools, alert services, standards, and threat sharing frameworks. To top it all off, we are surrounded by security requirements, risk management frameworks, compliance regimes, regulatory mandates, and so forth. There is no shortage of information available to security practitioners on what they should do to secure their infrastructure.

But all of this technology, information, and oversight has become a veritable "Fog of More": competing options, priorities, opinions, and claims that can paralyze or distract an enterprise from vital action. Business complexity is growing, dependencies are expanding, users are becoming more mobile, and the threats are evolving. New technology brings us great benefits, but it also means that our data and applications are now distributed across multiple locations, many of which are not within our organization's infrastructure. In this complex, interconnected world, no enterprise can think of its security as a standalone problem.

So how can we as a community (the community-at-large, as well as within industries, sectors, partnerships, and coalitions) band together to establish priority of action, support each other, and keep our knowledge and technology current in the face of a rapidly evolving problem and an apparently infinite number of possible solutions? What are the most critical areas we need to address, and how should an enterprise take the first step to mature its risk management program? Rather than chase every new exceptional threat and neglect the fundamentals, how can we get on track with a roadmap of fundamentals, and guidance to measure and improve? Which defensive steps have the greatest value?

These are the kinds of issues that led to and now drive the CIS Critical Security Controls. They started as a grass-roots activity to cut through the "Fog of More" and focus on the most fundamental and valuable actions that every enterprise should take. And value here is determined by knowledge and data: the ability to prevent, alert, and respond to the attacks that are plaguing enterprises today.

Led by the Center for Internet Security (CIS), the CIS Critical Security Controls ("the Controls") have been matured by an international community of individuals and institutions that:
• share insight into attacks and attackers, identify root causes, and translate that into classes of defensive action;
• document stories of adoption and share tools to solve problems;
• track the evolution of threats, the capabilities of adversaries, and current vectors of intrusions;
• map the Controls to regulatory and compliance frameworks and bring collective priority and focus to them;
• share tools, working aids, and translations; and
• identify common problems (like initial assessment and implementation roadmaps) and solve them as a community instead of alone.

These activities ensure that the Controls are not just another list of good things to do, but a prioritized, highly focused set of actions that have a community support network to make them implementable, usable, scalable, and compliant with all industry or government security requirements.
Why the CIS Critical Security Controls Work: Methodology and Contributors

The CIS Critical Security Controls are informed by actual attacks and effective defenses and reflect the combined knowledge of experts from every part of the ecosystem (companies, governments, individuals); with every role (threat responders and analysts, technologists, vulnerability-finders, tool makers, solution providers, defenders, users, policy-makers, auditors, etc.); and within many sectors (government, power, defense, finance, transportation, academia, consulting, security, IT) who have banded together to create, adopt, and support the Controls. Top experts from organizations pooled their extensive first-hand knowledge from defending against actual cyber-attacks to evolve the consensus list of Controls, representing the best defensive techniques to prevent or track them. This ensures that the Controls are the most effective and specific set of technical measures available to detect, prevent, respond, and mitigate damage from the most common to the most advanced of those attacks.

The Controls are not limited to blocking the initial compromise of systems, but also address detecting already-compromised machines and preventing or disrupting attackers' follow-on actions. The defenses identified through these Controls deal with reducing the initial attack surface by hardening device configurations, identifying compromised machines to address long-term threats inside an organization's network, disrupting attackers' command-and-control of implanted malicious code, and establishing an adaptive, continuous defense and response capability that can be maintained and improved.

The five critical tenets of an effective cyber defense system as reflected in the CIS Critical Security Controls are:

Offense informs defense: Use knowledge of actual attacks that have compromised systems to provide the foundation to continually learn from these events to build effective, practical defenses. Include only those controls that can be shown to stop known real-world attacks.

Prioritization: Invest first in Controls that will provide the greatest risk reduction and protection against the most dangerous threat actors and that can be feasibly implemented in your computing environment.

Metrics: Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quickly.

Continuous diagnostics and mitigation: Carry out continuous measurement to test and validate the effectiveness of current security measures and to help drive the priority of next steps.

Automation: Automate defenses so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to the Controls and related metrics.

The Center for Internet Security, Inc. (CIS) is a 501(c)(3) nonprofit organization whose mission is to identify, develop, validate, promote, and sustain best practices in cybersecurity; deliver world-class cybersecurity solutions to prevent and rapidly respond to cyber incidents; and build and lead communities to enable an environment of trust in cyberspace. For additional information, go to <http://www.cisecurity.org/>
How to Get Started

The CIS Critical Security Controls are a relatively small number of prioritized, well-vetted, and supported security actions that organizations can take to assess and improve their current security state. They also change the discussion from "what should my enterprise do" to "what should we ALL be doing" to improve security across a broad scale.

But this is not a one-size-fits-all solution, in either content or priority. You must still understand what is critical to your business, data, systems, networks, and infrastructures, and you must consider the adversary actions that could impact your ability to be successful in the business or operations. Even a relatively small number of Controls cannot be executed all at once, so you will need to develop a plan for assessment, implementation, and process management.

Controls CSC 1 through CSC 5 are essential to success and should be considered among the very first things to be done. We refer to these as "Foundational Cyber Hygiene" – the basic things that you must do to create a strong foundation for your defense. This is the approach taken by, for example, the DHS Continuous Diagnostics and Mitigation (CDM) Program, one of the partners in the CIS Critical Security Controls. A similar approach is recommended by our partners in the Australian Signals Directorate (ASD) with their "Top Four Strategies to Mitigate Targeted Intrusions" [1], a well-regarded and demonstrably effective set of cyber-defense actions that map very closely into the CIS Critical Security Controls. This also closely corresponds to the message of US-CERT (the United States Computer Emergency Readiness Team).

For a plain-language, accessible, and low-cost approach to these ideas, consider the Center for Internet Security's "National Cyber Hygiene Campaign" (Appendix D and www.cisecurity.org).

This Version of the CIS Critical Security Controls

The Controls were developed based on specific knowledge of the threat environment as well as the current technologies in the marketplace upon which our communications and data rely. One of the key benefits of the Controls is that they are not static; they are updated regularly and are tailored to address the security issues of the day. This version of the Controls reflects deliberation and consideration to ensure that every control and sub-control is accurate, essential, concise and relevant.

Changes from Version 5.1 to Version 6.0 include the following:

• Re-ordering so that "Controlled Use of Administrative Privileges" is higher in priority (it moved from Control #12 to Control #5)
• Deletion of Control #19 "Secure Network Engineering"
• New Control #7 "Email and Web Browser Protections"
• New categorization scheme based on "families" of Controls and removal of the "quick win" categories.
• Each sub-Control is grouped into one of three Families:
  o System
  o Network
  o Application
• New appendices on the NIST Cybersecurity Framework, the National Cyber Hygiene Campaign and security governance.

Changes from Version 6.0 to Version 6.1 include the following:

• Each sub-Control is identified as either "Foundational" or "Advanced" as an aid to prioritization and planning. This replaces the original scheme found in Version 5 but dropped in Version 6.0. See Appendix G for a detailed explanation.
• Correction of a few minor typos or formatting errors.
• No change was made to the wording or ordering of any Control or sub-Control.

[1] http://www.asd.gov.au/infosec/top-mitigations/top-4-strategies-explained.htm

In addition to technical content, the Controls have a new home and new name. In 2015, the Center for Internet Security integrated with the Council on Cybersecurity, so they are now referred to as the "CIS Critical Security Controls."
Other Resources

The true power of the Controls is not about creating the best list of things to do; it's about harnessing the experience of a community of individuals and enterprises that make security improvements through prioritization, sharing ideas, and collective action.

To support this, the Center for Internet Security acts as a catalyst and clearinghouse to help us all learn from each other. Please contact the Center for Internet Security for the following kinds of working aids and other support materials:

• Mappings from the Controls to a very wide variety of formal Risk Management Frameworks (like FISMA, ISO, etc.).
• Use Cases of enterprise adoption.
• Pointers to vendor white papers and other materials that support the Controls.
• Documentation on alignment with the NIST Cybersecurity Framework.

Structure of the CIS Critical Security Controls Document

The presentation of each Control in this document includes the following elements:

• A description of the importance of the Control (Why Is This Control Critical) in blocking or identifying presence of attacks and an explanation of how attackers actively exploit the absence of this control.
• A chart of the specific actions ("sub-controls") that organizations are taking to implement, automate, and measure effectiveness of this control.
• Procedures and Tools that enable implementation and automation.
• Sample Entity Relationship Diagrams that show components of implementation.

In addition to this document, we strongly recommend "A Measurement Companion to the CIS Critical Security Controls", available from the Center for Internet Security.

Acknowledgements

The Center for Internet Security would like to thank the many security experts who volunteered their time and talent to support the Controls effort. Many of the individuals who worked on this version continue to lend their expertise year after year. We are extremely grateful for their time and expertise. Special recognition also goes to The SANS Institute, a major contributor to the effort.
CSC 1: Inventory of Authorized and Unauthorized Devices

Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.

Why Is This Control Critical?

Attackers, who can be located anywhere in the world, are continuously scanning the address space of target organizations, waiting for new and unprotected systems to be attached to the network. Attackers also look for devices (especially laptops) which come and go off of the enterprise's network, and so get out of sync with patches or security updates. Attacks can take advantage of new hardware that is installed on the network one evening but not configured and patched with appropriate security updates until the following day. Even devices that are not visible from the Internet can be used by attackers who have already gained internal access and are hunting for internal jump points or victims. Additional systems that connect to the enterprise's network (e.g., demonstration systems, temporary test systems, guest networks) should also be managed carefully and/or isolated in order to prevent adversarial access from affecting the security of enterprise operations.

As new technology continues to come out, BYOD (bring your own device), where employees bring personal devices into work and connect them to the enterprise network, is becoming very common. These devices could already be compromised and be used to infect internal resources.

Managed control of all devices also plays a critical role in planning and executing system backup and recovery.
CSC 1: Inventory of Authorized and Unauthorized Devices (sub-controls)

Each sub-control is listed with its Family and its category (Foundational or Advanced); where the source table's Advanced column carries additional guidance, it follows the description as an "Advanced:" line.

1.1 (System; Foundational)
Deploy an automated asset inventory discovery tool and use it to build a preliminary inventory of systems connected to an organization's public and private network(s). Both active tools that scan through IPv4 or IPv6 network address ranges and passive tools that identify hosts based on analyzing their traffic should be employed.
Advanced: Use a mix of active and passive tools, and apply as part of a continuous monitoring program.

1.2 (System; Foundational)
If the organization is dynamically assigning addresses using DHCP, then deploy dynamic host configuration protocol (DHCP) server logging, and use this information to improve the asset inventory and help detect unknown systems.

1.3 (System; Foundational)
Ensure that all equipment acquisitions automatically update the inventory system as new, approved devices are connected to the network.

1.4 (System; Foundational)
Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device. The inventory should include every system that has an Internet protocol (IP) address on the network, including but not limited to desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, Voice-over-IP telephones, multi-homed addresses, virtual addresses, etc. The asset inventory created must also include data on whether the device is a portable and/or personal device. Devices such as mobile phones, tablets, laptops, and other portable electronic devices that store or process data must be identified, regardless of whether they are attached to the organization's network.

1.5 (System; Foundational)
Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network. The 802.1x must be tied into the inventory data to determine authorized versus unauthorized systems.
Advanced: Authentication mechanisms are closely coupled to management of hardware inventory.

1.6 (System; Advanced)
Use client certificates to validate and authenticate systems prior to connecting to the private network.
CSC 1 Procedures and Tools

This Control requires both technical and procedural actions, united in a process that accounts for and manages the inventory of hardware and all associated information throughout its lifecycle. It links to business governance by establishing information/asset owners who are responsible for each component of a business process that includes information, software, and hardware. Organizations can use large-scale, comprehensive enterprise products to maintain IT asset inventories. Others use more modest tools to gather the data by sweeping the network, and manage the results separately in a database.

Maintaining a current and accurate view of IT assets is an ongoing and dynamic process. Organizations can actively scan on a regular basis, sending a variety of different packet types to identify devices connected to the network. Before such scanning can take place, organizations should verify that they have adequate bandwidth for such periodic scans by consulting load history and capacities for their networks. In conducting inventory scans, scanning tools could send traditional ping packets (ICMP Echo Request) looking for ping responses to identify a system at a given IP address. Because some systems block inbound ping packets, in addition to traditional pings, scanners can also identify devices on the network using transmission control protocol (TCP) synchronize (SYN) or acknowledge (ACK) packets. Once they have identified IP addresses of devices on the network, some scanners provide robust fingerprinting features to determine the operating system type of the discovered machine.

In addition to active scanning tools that sweep the network, other asset identification tools passively listen on network interfaces for devices to announce their presence by sending traffic. Such passive tools can be connected to switch span ports at critical places in the network to view all data flowing through such switches, maximizing the chance of identifying systems communicating through those switches.

Many organizations also pull information from network assets such as switches and routers regarding the machines connected to the network. Using securely authenticated and encrypted network management protocols, tools can retrieve MAC addresses and other information from network devices that can be reconciled with the organization's asset inventory of servers, workstations, laptops, and other devices. Once MAC addresses are confirmed, switches should implement 802.1x and NAC to only allow authorized systems that are properly configured to connect to the network. Note that a MAC address is trivially spoofed: reconciling MAC addresses is a bookkeeping aid for finding unknown devices, not a means of authenticating them, which is why sub-controls 1.5 and 1.6 call for 802.1x and client certificates.

Wireless devices (and wired laptops) may periodically join a network and then disappear, making the inventory of currently available systems very dynamic. Likewise, virtual machines can be difficult to track in asset inventories when they are shut down or paused. Additionally, remote machines accessing the network using virtual private network (VPN) technology may appear on the network for a time, and then be disconnected from it. Whether physical or virtual, each machine using an IP address should be included in an organization's asset inventory.
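As an added example (not part of the CIS document), the reconciliation these paragraphs describe, in Python: DHCP server log lines (sub-control 1.2) and the addresses that answered an active sweep (1.1) are matched against an inventory holding the 1.4 fields, and the gaps are reported as unknown devices, inventoried hardware that has moved address, and non-portable assets that were not seen at all. The inventory, the dhcpd-style log format, the MAC addresses and the scan result are all constructed for the example.

```python
"""Reconcile what the network shows against the authorized hardware inventory
(CSC 1.1, 1.2, 1.4). Added example; inventory, DHCP log and scan results are constructed."""
import re

# Constructed inventory carrying the CSC 1.4 fields (address, name, purpose, owner, department, portable).
AUTHORIZED_INVENTORY = [
    {"ip": "10.0.1.10", "mac": "00:11:22:33:44:01", "name": "web01", "purpose": "web server", "owner": "ops", "department": "IT", "portable": False},
    {"ip": "10.0.1.11", "mac": "00:11:22:33:44:02", "name": "db01", "purpose": "database", "owner": "ops", "department": "IT", "portable": False},
    {"ip": "10.0.1.12", "mac": "00:11:22:33:44:04", "name": "prn01", "purpose": "printer", "owner": "facilities", "department": "Ops", "portable": False},
    {"ip": "10.0.1.50", "mac": "00:11:22:33:44:03", "name": "lt-alice", "purpose": "laptop", "owner": "alice", "department": "Finance", "portable": True},
]

# Constructed DHCP server log in ISC dhcpd style (the line format is an assumption of this example).
DHCP_LOG = """\
Aug 31 08:01:12 dhcp dhcpd: DHCPACK on 10.0.1.51 to 00:11:22:33:44:03 (lt-alice) via eth0
Aug 31 08:05:44 dhcp dhcpd: DHCPACK on 10.0.1.77 to aa:bb:cc:dd:ee:ff (android-9f2c) via eth0
Aug 31 08:09:03 dhcp dhcpd: DHCPACK on 10.0.1.10 to 00:11:22:33:44:01 via eth0
"""

# Constructed result of an active sweep: addresses that answered ICMP echo or TCP SYN/ACK probes.
ACTIVE_SCAN_HOSTS = {"10.0.1.10", "10.0.1.11", "10.0.1.51", "10.0.1.77", "10.0.1.99"}

LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>[0-9A-Fa-f:]{17})(?: \((?P<host>[^)]*)\))?"
)


def ip_key(ip):
    """Sort key so 10.0.1.9 sorts before 10.0.1.10."""
    return tuple(int(part) for part in ip.split("."))


def parse_dhcp_leases(log_text):
    """Return {ip: (mac, hostname-or-None)} from DHCPACK lines; a later lease for the same IP wins."""
    leases = {}
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            leases[m["ip"]] = (m["mac"].lower(), m["host"])
    return leases


def reconcile(inventory, leases, scanned_ips):
    """Compare observed devices with the inventory.

    unknown:         seen on the wire, with no inventory record by MAC (when DHCP gave one) or by IP
    address_changed: inventoried hardware (matched by MAC) now answering at a different IP
    not_seen:        non-portable inventory entries that neither the scan nor DHCP observed

    A MAC is trivially spoofed, so a match here is a bookkeeping aid, not authentication;
    that is what 802.1x and client certificates (1.5, 1.6) are for.
    """
    by_ip = {a["ip"]: a for a in inventory}
    by_mac = {a["mac"].lower(): a for a in inventory}
    findings = {"unknown": [], "address_changed": [], "not_seen": []}
    seen_assets = set()
    for ip in sorted(set(scanned_ips) | set(leases), key=ip_key):
        mac, host = leases.get(ip, (None, None))
        # Prefer the MAC when DHCP reported one: an unknown MAC squatting on an
        # inventoried address must not pass as that asset.
        asset = by_mac.get(mac) if mac else by_ip.get(ip)
        if asset is None:
            findings["unknown"].append({"ip": ip, "mac": mac, "hostname": host})
            continue
        seen_assets.add(asset["name"])
        if asset["ip"] != ip:
            findings["address_changed"].append(
                {"name": asset["name"], "inventory_ip": asset["ip"], "observed_ip": ip})
    for a in inventory:
        # A laptop being absent is normal; a server or printer being absent is worth a look.
        if a["name"] not in seen_assets and not a["portable"]:
            findings["not_seen"].append(a["name"])
    return findings


def run():
    """Reconcile the constructed data; returns the findings dict."""
    return reconcile(AUTHORIZED_INVENTORY, parse_dhcp_leases(DHCP_LOG), ACTIVE_SCAN_HOSTS)


if __name__ == "__main__":
    for kind, items in run().items():
        print(kind, items)
```

On the constructed data the unknowns are the Android device at 10.0.1.77 (DHCP gave a MAC that the inventory has never seen) and 10.0.1.99 (answered the sweep but never took a lease, so only the IP is known); the laptop is recognised by MAC at its new address, and the printer is the one non-portable asset that did not respond.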
CSC 1 System Entity Relationship Diagram (figure; components shown): Asset Inventory Database; Public Key Infrastructure (PKI); Computing Systems; Network Level Authentication (NLA); Passive Device Discovery; Active Device Discovery; Alerting/Reporting Analytics System.
CSC 2: Inventory of Authorized and Unauthorized Software

Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

Why Is This Control Critical?

Attackers continuously scan target organizations looking for vulnerable versions of software that can be remotely exploited. Some attackers also distribute hostile web pages, document files, media files, and other content via their own web pages or otherwise trustworthy third-party sites. When unsuspecting victims access this content with a vulnerable browser or other client-side program, attackers compromise their machines, often installing backdoor programs and bots that give the attacker long-term control of the system. Some sophisticated attackers may use zero-day exploits, which take advantage of previously unknown vulnerabilities for which no patch has yet been released by the software vendor. Without proper knowledge or control of the software deployed in an organization, defenders cannot properly secure their assets.

Poorly controlled machines are more likely to be either running software that is unneeded for business purposes (introducing potential security flaws), or running malware introduced by an attacker after a system is compromised. Once a single machine has been exploited, attackers often use it as a staging point for collecting sensitive information from the compromised system and from other systems connected to it. In addition, compromised machines are used as a launching point for movement throughout the network and partnering networks. In this way, attackers may quickly turn one compromised machine into many. Organizations that do not have complete software inventories are unable to find systems running vulnerable or malicious software to mitigate problems or root out attackers.

Managed control of all software also plays a critical role in planning and executing system backup and recovery.
CSC 2: Inventory of Authorized and Unauthorized Software (sub-controls)

2.1 (System; Foundational)
Devise a list of authorized software and version that is required in the enterprise for each type of system, including servers, workstations, and laptops of various kinds and uses. This list should be monitored by file integrity checking tools to validate that the authorized software has not been modified.
Advanced: File integrity is verified as part of a continuous monitoring program.

2.2 (System; Foundational)
Deploy application whitelisting that allows systems to run software only if it is included on the whitelist and prevents execution of all other software on the system. The whitelist may be very extensive (as is available from commercial whitelist vendors), so that users are not inconvenienced when using common software. Or, for some special-purpose systems (which require only a small number of programs to achieve their needed business functionality), the whitelist may be quite narrow.
Advanced: Whitelist application libraries (such as DLLs) in addition to executable binaries (such as EXEs and MSIs).

2.3 (System; Foundational)
Deploy software inventory tools throughout the organization covering each of the operating system types in use, including servers, workstations, and laptops. The software inventory system should track the version of the underlying operating system as well as the applications installed on it. The software inventory systems must be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
Advanced: Hardware and software inventory management are closely coupled, and managed centrally.

2.4 (System; Advanced)
Virtual machines and/or air-gapped systems should be used to isolate and run applications that are required for business operations but, based on higher risk, should not be installed within a networked environment.
CSC 2 Procedures and Tools

Whitelisting can be implemented using a combination of commercial whitelisting tools, policies or application execution tools that come with anti-virus suites and with Windows. Commercial software and asset inventory tools are widely available and in use in many enterprises today. The best of these tools provide an inventory check of hundreds of common applications used in enterprises, pulling information about the patch level of each installed program to ensure that it is the latest version and leveraging standardized application names, such as those found in the Common Platform Enumeration (CPE) specification.

Features that implement whitelists are included in many modern endpoint security suites. Moreover, commercial solutions are increasingly bundling together anti-virus, anti-spyware, personal firewall, and host-based intrusion detection systems (IDS) and intrusion prevention systems (IPS), along with application white and blacklisting. In particular, most endpoint security solutions can look at the name, file system location, and/or cryptographic hash of a given executable to determine whether the application should be allowed to run on the protected machine. The most effective of these tools offer custom whitelists based on executable path, hash, or regular expression matching. Some even include a graylist function that allows administrators to define rules for execution of specific programs only by certain users and at certain times of day. Of these rule types, only a hash rule cannot be satisfied by renaming a binary or copying it into a trusted location; path and pattern rules are only as strong as the write permissions on the directories they trust, so they belong on directories ordinary users cannot modify.
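The decision order a whitelisting engine applies, as an added example in Python rather than any vendor's product: a hash pin is checked first, then a graylist entry with user and time-of-day conditions, then trusted paths and a pattern rule that covers plugin DLLs (the Advanced column of 2.2), with deny as the default. The file paths, file contents and policy are constructed for the example; a tampered copy of the pinned binary is included to show why the hash rule, not the path, is what protects it.

```python
"""Application whitelisting decision logic (CSC 2.2): hash pins, a graylist with
per-user / time-of-day conditions, trusted paths and a pattern rule, default deny.
Added example; policy, paths and file contents are constructed, not real software."""
import hashlib
import re
from datetime import time


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executables: path -> file bytes.
FILES = {
    "C:\\Program Files\\Vendor\\app.exe": b"vendor app build 4.2",
    "C:\\Program Files\\Vendor\\plugin_7.dll": b"vendor plugin",
    "C:\\Windows\\System32\\notepad.exe": b"notepad",
    "C:\\Users\\bob\\Downloads\\invoice.exe": b"definitely not an invoice",
    "C:\\Tools\\admin\\psexec.exe": b"remote exec tool",
}

POLICY = {
    # Strongest rule: a specific build pinned by hash. Survives renaming and relocation
    # and fails closed if the binary is modified.
    "hash_allow": {sha256_hex(FILES["C:\\Program Files\\Vendor\\app.exe"])},
    # Trusted directories (prefix match). Only defensible where ordinary users cannot write.
    "path_allow": ["C:\\Windows\\System32\\"],
    # Pattern rule for a family of files: vendor plugin DLLs (libraries, not only EXEs/MSIs).
    "regex_allow": [re.compile(r"^C:\\Program Files\\Vendor\\plugin_\d+\.dll$", re.IGNORECASE)],
    # Graylist: allowed only for named users inside a time window.
    "graylist": [
        {"path": "C:\\Tools\\admin\\psexec.exe", "users": {"admin-jane"},
         "hours": (time(8, 0), time(18, 0))},
    ],
}


def decide(path: str, content: bytes, user: str, now: time, policy=POLICY):
    """Return (verdict, reason). Anything not matched by a rule is denied."""
    if sha256_hex(content) in policy["hash_allow"]:
        return "ALLOW", "hash"
    for rule in policy["graylist"]:
        if rule["path"].lower() == path.lower():
            start, end = rule["hours"]
            if user in rule["users"] and start <= now <= end:
                return "ALLOW", "graylist"
            return "DENY", "graylist conditions not met"
    if any(path.lower().startswith(prefix.lower()) for prefix in policy["path_allow"]):
        return "ALLOW", "path"
    if any(pattern.match(path) for pattern in policy["regex_allow"]):
        return "ALLOW", "pattern"
    return "DENY", "not whitelisted"


def demo():
    """Run the policy over the constructed files and a few user/time combinations."""
    t = time(10, 0)
    app = "C:\\Program Files\\Vendor\\app.exe"
    psexec = "C:\\Tools\\admin\\psexec.exe"
    return {
        "vendor app": decide(app, FILES[app], "bob", t),
        # Same trusted path, but the bytes changed: the hash no longer matches and nothing else allows it.
        "tampered vendor app": decide(app, b"vendor app build 4.2 + implant", "bob", t),
        "plugin dll": decide("C:\\Program Files\\Vendor\\plugin_7.dll", FILES["C:\\Program Files\\Vendor\\plugin_7.dll"], "bob", t),
        "notepad": decide("C:\\Windows\\System32\\notepad.exe", FILES["C:\\Windows\\System32\\notepad.exe"], "bob", t),
        "download": decide("C:\\Users\\bob\\Downloads\\invoice.exe", FILES["C:\\Users\\bob\\Downloads\\invoice.exe"], "bob", t),
        "psexec by admin in hours": decide(psexec, FILES[psexec], "admin-jane", t),
        "psexec by bob": decide(psexec, FILES[psexec], "bob", t),
        "psexec after hours": decide(psexec, FILES[psexec], "admin-jane", time(22, 0)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} {verdict}")
```

The graylist check deliberately runs before the path rules so that a graylisted tool sitting in a trusted directory cannot be promoted to an unconditional allow by the path rule.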
CSC 2 System Entity Relationship Diagram (figure; components shown): Asset Inventory Database; Computing Systems; Software Inventory Tool; Software Whitelisting; OS Virtualization System; Alerting/Reporting Analytics System.
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

Why Is This Control Critical?

As delivered by manufacturers and resellers, the default configurations for operating systems and applications are normally geared to ease-of-deployment and ease-of-use – not security. Basic controls, open services and ports, default accounts or passwords, older (vulnerable) protocols, pre-installation of unneeded software; all can be exploitable in their default state.

Developing configuration settings with good security properties is a complex task beyond the ability of individual users, requiring analysis of potentially hundreds or thousands of options in order to make good choices (the Procedures and Tools section below provides resources for secure configurations). Even if a strong initial configuration is developed and installed, it must be continually managed to avoid security "decay" as software is updated or patched, new security vulnerabilities are reported, and configurations are "tweaked" to allow the installation of new software or support new operational requirements. If not, attackers will find opportunities to exploit both network-accessible services and client software.
CSC 3: Secure Configurations for Hardware and Software (sub-controls)

3.1 (System; Foundational)
Establish standard secure configurations of operating systems and software applications. Standardized images should represent hardened versions of the underlying operating system and the applications installed on the system. These images should be validated and refreshed on a regular basis to update their security configuration in light of recent vulnerabilities and attack vectors.

3.2 (System; Foundational)
Follow strict configuration management, building a secure image that is used to build all new systems that are deployed in the enterprise. Any existing system that becomes compromised should be re-imaged with the secure build. Regular updates or exceptions to this image should be integrated into the organization's change management processes. Images should be created for workstations, servers, and other system types used by the organization.

3.3 (System; Foundational)
Store the master images on securely configured servers, validated with integrity checking tools capable of continuous inspection, and change management to ensure that only authorized changes to the images are possible. Alternatively, these master images can be stored in offline machines, air-gapped from the production network, with images copied via secure media to move them between the image storage servers and the production network.
Advanced: File integrity of master images is verified as part of a continuous monitoring program.

3.4 (System; Foundational)
Perform all remote administration of servers, workstations, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL, TLS or IPSEC.

3.5 (System; Foundational)
Use file integrity checking tools to ensure that critical system files (including sensitive system and application executables, libraries, and configurations) have not been altered. The reporting system should: have the ability to account for routine and expected changes; highlight and alert on unusual or unexpected alterations; show the history of configuration changes over time and identify who made the change (including the original logged-in account in the event of a user ID switch, such as with the su or sudo command). These integrity checks should identify suspicious system alterations such as: owner and permissions changes to files or directories; the use of alternate data streams which could be used to hide malicious activities; and the introduction of extra files into key system areas (which could indicate malicious payloads left by attackers or additional files inappropriately added during batch distribution processes).
Advanced: File integrity of critical system files is verified as part of a continuous monitoring program.

3.6 (System; Advanced)
Implement and test an automated configuration monitoring system that verifies all remotely testable secure configuration elements, and alerts when unauthorized changes occur. This includes detecting new listening ports, new administrative users, changes to group and local policy objects (where applicable), and new services running on a system. Whenever possible use tools compliant with the Security Content Automation Protocol (SCAP) in order to streamline reporting and integration.

3.7 (System; Foundational)
Deploy system configuration management tools, such as Active Directory Group Policy Objects for Microsoft Windows systems or Puppet for UNIX systems, that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals. They should be capable of triggering redeployment of configuration settings on a scheduled, manual, or event-driven basis.
CSC 3 Procedures and Tools

Rather than start from scratch developing a security baseline for each software system, organizations should start from publicly developed, vetted, and supported security benchmarks, security guides, or checklists. Excellent resources include:

• The Center for Internet Security Benchmarks Program (www.cisecurity.org)
• The NIST National Checklist Program (checklists.nist.gov)

Organizations should augment or adjust these baselines to satisfy local policies and requirements, but deviations and rationale should be documented to facilitate later reviews or audits.

For a complex enterprise, the establishment of a single security baseline configuration (for example, a single installation image for all workstations across the entire enterprise) is sometimes not practical or deemed unacceptable. It is likely that you will need to support different standardized images, based on the proper hardening to address risks and needed functionality of the intended deployment (for example, a web server in the DMZ vs. an email or other application server in the internal network). The number of variations should be kept to a minimum in order to better understand and manage the security properties of each, but organizations then must be prepared to manage multiple baselines.

Commercial and/or free configuration management tools can then be employed to measure the settings of operating systems and applications of managed machines to look for deviations from the standard image configurations. Typical configuration management tools use some combination of an agent installed on each managed system, or agentless inspection of systems by remotely logging into each managed machine using administrator credentials. Additionally, a hybrid approach is sometimes used whereby a remote session is initiated, a temporary or dynamic agent is deployed on the target system for the scan, and then the agent is removed. Whichever model is used, the credentials the scanning system holds are administrator credentials on every managed machine and need the same protection as any other privileged account (see the dedicated-account requirement in CSC 4.3 and CSC 5).
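An added example (not from the CIS document) of the integrity check that sub-control 3.5 and the deviation scanning above describe: a baseline of content hashes and ownership/permission bits is taken over a directory tree, a later snapshot is diffed against it, and changes approved through change management are reported separately from the ones that should alert. The directory tree, file contents and the change ticket number are constructed; the permission check relies on POSIX mode bits, so the setuid case behaves as shown on Linux and other Unix systems.

```python
"""File integrity checking against a baseline (CSC 3.5): content hashes plus
ownership/permission bits, with expected changes supplied by change management.
Added example, not from the CIS document; paths, contents and ticket IDs are constructed."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Record sha256, permission bits, uid and gid for every regular file under root."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            snap[p.relative_to(root).as_posix()] = {
                "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "gid": st.st_gid,
            }
    return snap


def diff_snapshots(baseline: dict, current: dict, expected: dict) -> list:
    """Classify every difference between two snapshots.

    `expected` maps path -> change ticket for alterations approved through change
    management; those are still recorded (history), but carry a ticket so they do not alert.
    """
    events = []
    for path in sorted(set(baseline) | set(current)):
        b, c = baseline.get(path), current.get(path)
        if b is None:
            kind = "added"               # extra file in a key system area (possible dropped payload)
        elif c is None:
            kind = "removed"
        elif b["sha256"] != c["sha256"]:
            kind = "content_changed"
        elif (b["mode"], b["uid"], b["gid"]) != (c["mode"], c["uid"], c["gid"]):
            kind = "attributes_changed"  # owner/permission change, e.g. a new setuid bit
        else:
            continue
        events.append({"path": path, "change": kind, "ticket": expected.get(path)})
    return events


def alerts(events: list) -> list:
    """Only changes without an approved ticket should page someone."""
    return [e for e in events if e["ticket"] is None]


def demo() -> list:
    """Build a tiny system tree, baseline it, make three changes (one approved), and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc/ssh").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc/ssh/sshd_config").write_text("PermitRootLogin no\n")
        (root / "bin/ls").write_bytes(b"\x7fELF ls")
        os.chmod(root / "bin/ls", 0o755)
        baseline = snapshot(root)

        # 1) approved change, ticket (constructed) from the change-management process
        (root / "etc/ssh/sshd_config").write_text("PermitRootLogin no\nMaxAuthTries 3\n")
        # 2) unexpected: a setuid bit appears on a system binary, content untouched
        os.chmod(root / "bin/ls", 0o4755)
        # 3) unexpected: a new file dropped into a system directory
        (root / "bin/.cache").write_bytes(b"payload")

        expected = {"etc/ssh/sshd_config": "CHG-2016-0831"}
        return diff_snapshots(baseline, snapshot(root), expected)


if __name__ == "__main__":
    for e in demo():
        print(e)
```

Hashing alone would miss the second change: the bytes of bin/ls are identical before and after, and only the mode comparison catches the new setuid bit, which is exactly the "owner and permissions changes" case 3.5 lists.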
CSC 3 System Entity Relationship Diagram (figure; components shown): Computing Systems; File Integrity Assessment (FIA); System Images & Baselines; SCAP Configuration Scanner; Configuration Enforcement System; Alerting/Reporting Analytics System.
CSC 4: Continuous Vulnerability Assessment and Remediation

Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.

Why Is This Control Critical?

Cyber defenders must operate in a constant stream of new information: software updates, patches, security advisories, threat bulletins, etc. Understanding and managing vulnerabilities has become a continuous activity, requiring significant time, attention, and resources.

Attackers have access to the same information and can take advantage of gaps between the appearance of new knowledge and remediation. For example, when researchers report new vulnerabilities, a race starts among all parties, including: attackers (to "weaponize", deploy an attack, exploit); vendors (to develop, deploy patches or signatures and updates), and defenders (to assess risk, regression-test patches, install).

Organizations that do not scan for vulnerabilities and proactively address discovered flaws face a significant likelihood of having their computer systems compromised. Defenders face particular challenges in scaling remediation across an entire enterprise, and prioritizing actions with conflicting priorities, and sometimes-uncertain side effects.
CSC 4: Continuous Vulnerability Assessment and Remediation
Family | CSC | Control Description | Foundational | Advanced
System | 4.1 | Run automated vulnerability scanning tools against all systems on the network on a weekly or more frequent basis and deliver prioritized lists of the most critical vulnerabilities to each responsible system administrator along with risk scores that compare the effectiveness of system administrators and departments in reducing risk. Use a SCAP-validated vulnerability scanner that looks for both code-based vulnerabilities (such as those described by Common Vulnerabilities and Exposures entries) and configuration-based vulnerabilities (as enumerated by the Common Configuration Enumeration Project). | Y | Vulnerability risk scoring is centrally measured and managed, and integrated into action planning.
System | 4.2 | Correlate event logs with information from vulnerability scans to fulfill two goals. First, personnel should verify that the activity of the regular vulnerability scanning tools is itself logged. Second, personnel should be able to correlate attack detection events with prior vulnerability scanning results to determine whether the given exploit was used against a target known to be vulnerable. | Y |
System | 4.3 | Perform vulnerability scanning in authenticated mode either with agents running locally on each end system to analyze the security configuration or with remote scanners that are given administrative rights on the system being tested. Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses. Ensure that only authorized employees have access to the vulnerability management user interface and that roles are applied to each user. | Y |
System | 4.4 | Subscribe to vulnerability intelligence services in order to stay aware of emerging exposures, and use the information gained from this subscription to update the organization’s vulnerability scanning activities on at least a monthly basis. Alternatively, ensure that the vulnerability scanning tools you use are regularly updated with all relevant important security vulnerabilities. | Y |
System | 4.5 | Deploy automated patch management tools and software update tools for operating system and software/applications on all systems for which such tools are available and safe. Patches should be applied to all systems, even systems that are properly air gapped. | Y |
System | 4.6 | Monitor logs associated with any scanning activity and associated administrator accounts to ensure that this activity is limited to the timeframes of legitimate scans. | Y |
System | 4.7 | Compare the results from back-to-back vulnerability scans to verify that vulnerabilities were addressed, either by patching, implementing a compensating control, or documenting and accepting a reasonable business risk. Such acceptance of business risks for existing vulnerabilities should be periodically reviewed to determine if newer compensating controls or subsequent patches can address vulnerabilities that were previously accepted, or if conditions have changed, increasing the risk. | Y |
System | 4.8 | Establish a process to risk-rate vulnerabilities based on the exploitability and potential impact of the vulnerability, and segmented by appropriate groups of assets (example, DMZ servers, internal network servers, desktops, laptops). Apply patches for the riskiest vulnerabilities first. A phased rollout can be used to minimize the impact to the organization. Establish expected patching timelines based on the risk rating level. | Y |
CSC 4 Procedures and Tools
A large number of vulnerability scanning tools are available to evaluate the security configuration of systems. Some enterprises have also found commercial services using remotely managed scanning appliances to be effective. To help standardize the definitions of discovered vulnerabilities in multiple departments of an organization or even across organizations, it is preferable to use vulnerability scanning tools that measure security flaws and map them to vulnerabilities and issues categorized using one or more of the following industry-recognized vulnerability, configuration, and platform classification schemes and languages: CVE, CCE, OVAL, CPE, CVSS, and/or XCCDF.
Advanced vulnerability scanning tools can be configured with user credentials to log in to scanned systems and perform more comprehensive scans than can be achieved without login credentials. The frequency of scanning activities, however, should increase as the diversity of an organization’s systems increases to account for the varying patch cycles of each vendor.
In addition to the scanning tools that check for vulnerabilities and misconfigurations across the network, various free and commercial tools can evaluate security settings and configurations of local machines on which they are installed. Such tools can provide fine-grained insight into unauthorized changes in configuration or the inadvertent introduction of security weaknesses by administrators.
Effective organizations link their vulnerability scanners with problem-ticketing systems that automatically monitor and report progress on fixing problems, and that make unmitigated critical vulnerabilities visible to higher levels of management to ensure the problems are solved.
The most effective vulnerability scanning tools compare the results of the current scan with previous scans to determine how the vulnerabilities in the environment have changed over time. Security personnel use these features to conduct vulnerability trending from month to month.
As vulnerabilities related to unpatched systems are discovered by scanning tools, security personnel should determine and document the amount of time that elapses between the public release of a patch for the system and the occurrence of the vulnerability scan. If this time window exceeds the organization’s benchmarks for deployment of the given patch’s criticality level, security personnel should note the delay and determine if a deviation was formally documented for the system and its patch. If not, the security team should work with management to improve the patching process.
Additionally, some automated patching tools may not detect or install certain patches due to an error by the vendor or administrator. Because of this, all patch checks should reconcile system patches with a list of patches each vendor has announced on its website.
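The patch-window measurement described above, as an added example that is not part of the CIS document: for each unpatched finding, the days between the vendor's patch release and the scan are compared with a per-criticality benchmark, and overdue findings are split by whether a deviation was formally documented. Benchmark values, patch identifiers and dates are constructed sample data.

```python
"""Added example (not the CIS document's code): measure, for each unpatched
finding reported by a scan, the time elapsed between the vendor's patch
release and the scan, compare it to the organization's benchmark for that
criticality, and flag overdue findings with no documented deviation.
All findings, dates and benchmark values are constructed sample data."""
from dataclasses import dataclass
from datetime import date

# Constructed benchmark: maximum days allowed between patch release and
# deployment, by criticality level.
PATCH_BENCHMARK_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    host: str
    patch_id: str            # vendor advisory / patch identifier (placeholder)
    criticality: str         # key into PATCH_BENCHMARK_DAYS
    patch_released: date     # public release date of the patch
    scan_date: date          # date of the scan that still reported it unpatched


@dataclass(frozen=True)
class Overdue:
    host: str
    patch_id: str
    days_elapsed: int
    benchmark_days: int
    deviation_documented: bool


def days_elapsed(f: Finding) -> int:
    """Release-to-scan window in days; a scan before the release is a data error."""
    if f.scan_date < f.patch_released:
        raise ValueError(f"{f.patch_id}: scan predates patch release")
    return (f.scan_date - f.patch_released).days


def overdue_findings(findings, documented_deviations) -> list:
    """Findings whose release-to-scan window exceeds the benchmark for their
    criticality.  documented_deviations is a set of (host, patch_id) pairs
    with a formally approved deviation on file."""
    result = []
    for f in findings:
        limit = PATCH_BENCHMARK_DAYS[f.criticality]
        elapsed = days_elapsed(f)
        if elapsed > limit:
            result.append(Overdue(f.host, f.patch_id, elapsed, limit,
                                  (f.host, f.patch_id) in documented_deviations))
    return result


def needs_process_review(findings, documented_deviations) -> list:
    """Overdue findings with no deviation record: the cases the procedure
    says should go to management to improve the patching process."""
    return [o for o in overdue_findings(findings, documented_deviations)
            if not o.deviation_documented]


# Constructed sample scan findings and deviation register.
SAMPLE_FINDINGS = [
    Finding("db01", "VENDOR-2016-001", "critical", date(2016, 8, 1), date(2016, 8, 15)),
    Finding("web02", "VENDOR-2016-002", "high", date(2016, 7, 1), date(2016, 8, 15)),
    Finding("ws17", "VENDOR-2016-003", "medium", date(2016, 7, 20), date(2016, 8, 15)),
]
SAMPLE_DEVIATIONS = {("web02", "VENDOR-2016-002")}

if __name__ == "__main__":
    for o in overdue_findings(SAMPLE_FINDINGS, SAMPLE_DEVIATIONS):
        state = "documented deviation" if o.deviation_documented else "NO deviation on file"
        print(f"{o.host} {o.patch_id}: {o.days_elapsed}d > {o.benchmark_days}d ({state})")
```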
CSC 4 System Entity Relationship Diagram [figure; entities shown: Computing Systems, SCAP Vulnerability Scanner, Patch Management, Alerting/Reporting Analytics System]
CSC 5: Controlled Use of Administrative Privileges
The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
Why Is This Control Critical?
The misuse of administrative privileges is a primary method for attackers to spread inside a target enterprise. Two very common attacker techniques take advantage of uncontrolled administrative privileges. In the first, a workstation user running as a privileged user is fooled into opening a malicious email attachment, downloading and opening a file from a malicious website, or simply surfing to a website hosting attacker content that can automatically exploit browsers. The file or exploit contains executable code that runs on the victim’s machine either automatically or by tricking the user into executing the attacker’s content. If the victim user’s account has administrative privileges, the attacker can take over the victim’s machine completely and install keystroke loggers, sniffers, and remote control software to find administrative passwords and other sensitive data. Similar attacks occur with email. An administrator inadvertently opens an email that contains an infected attachment and this is used to obtain a pivot point within the network that is used to attack other systems.
The second common technique used by attackers is elevation of privileges by guessing or cracking a password for an administrative user to gain access to a target machine. If administrative privileges are loosely and widely distributed, or identical to passwords used on less critical systems, the attacker has a much easier time gaining full control of systems, because there are many more accounts that can act as avenues for the attacker to compromise administrative privileges.
CSC 5: Controlled Use of Administrative Privileges
Family | CSC | Control Description | Foundational | Advanced
System | 5.1 | Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. | Y |
System | 5.2 | Use automated tools to inventory all administrative accounts and validate that each person with administrative privileges on desktops, laptops, and servers is authorized by a senior executive. | Y |
System | 5.3 | Before deploying any new devices in a networked environment, change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems to have values consistent with administration-level accounts. | Y |
System | 5.4 | Configure systems to issue a log entry and alert when an account is added to or removed from a domain administrators’ group, or when a new local administrator account is added on a system. | Y |
System | 5.5 | Configure systems to issue a log entry and alert on any unsuccessful login to an administrative account. | Y |
System | 5.6 | Use multi-factor authentication for all administrative access, including domain administrative access. Multi-factor authentication can include a variety of techniques, to include the use of smart cards, certificates, One Time Password (OTP) tokens, biometrics, or other similar authentication methods. | Y |
System | 5.7 | Where multi-factor authentication is not supported, user accounts shall be required to use long passwords on the system (longer than 14 characters). | Y |
System | 5.8 | Administrators should be required to access a system using a fully logged and non-administrative account. Then, once logged on to the machine without administrative privileges, the administrator should transition to administrative privileges using tools such as Sudo on Linux/UNIX, RunAs on Windows, and other similar facilities for other types of systems. | Y |
System | 5.9 | Administrators shall use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be isolated from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet. | Y |
CSC 5 Procedures and Tools
Built-in operating system features can extract lists of accounts with super-user privileges, both locally on individual systems and on overall domain controllers. To verify that users with high-privileged accounts do not use such accounts for day-to-day web surfing and email reading, security personnel should periodically gather a list of running processes to determine whether any browsers or email readers are running with high privileges. Such information gathering can be scripted, with short shell scripts searching for a dozen or more different browsers, email readers, and document editing programs running with high privileges on machines. Some legitimate system administration activity may require the execution of such programs over the short term, but long-term or frequent use of such programs with administrative privileges could indicate that an administrator is not adhering to this control.
To enforce the requirement for strong passwords, built-in operating system features for minimum password length can be configured to prevent users from choosing short passwords. To enforce password complexity (requiring passwords to be a string of pseudo-random characters), built-in operating system settings or third-party password complexity enforcement tools can be applied.
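The scripted process check described in the procedures above, as an added example that is not part of the CIS document: it parses a process listing and reports browsers, email readers and document editors running under high-privilege accounts. The listing, the account names and the program list are constructed; a real deployment would take the privileged-account set from the inventory required by control 5.2.

```python
"""Added example (not from the CIS Controls document): parse the output of
`ps -eo user,pid,args` (or an equivalent listing) and flag browsers, email
readers and document editors running under super-user or other
high-privilege accounts.  The listing, account names and program list
are constructed sample data."""

# Interactive programs that should not normally run with admin privileges.
INTERACTIVE_PROGRAMS = {
    "firefox", "chrome", "chromium", "safari", "opera", "msedge",
    "thunderbird", "outlook", "evolution", "mutt", "kmail",
    "soffice.bin", "libreoffice", "winword", "excel", "acroread",
}

# Accounts treated as high-privilege for this check (constructed; an
# organization would take this from its inventory of admin accounts).
PRIVILEGED_ACCOUNTS = {"root", "sysadmin1"}


def parse_ps(text: str) -> list:
    """Parse `ps -eo user,pid,args` style output into (user, pid, args) rows.
    The first line is the column header and is skipped."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) != 3 or not parts[1].isdigit():
            continue                      # malformed line: skip, do not guess
        rows.append((parts[0], int(parts[1]), parts[2].strip()))
    return rows


def program_name(args: str) -> str:
    """Basename of the executable, lower-cased, so that
    '/usr/lib/firefox/firefox -P work' and 'Firefox' compare alike."""
    return args.split()[0].rsplit("/", 1)[-1].lower()


def privileged_interactive(rows, privileged=PRIVILEGED_ACCOUNTS,
                           programs=INTERACTIVE_PROGRAMS) -> list:
    """Return (user, pid, args) for interactive programs running privileged."""
    return [(user, pid, args) for user, pid, args in rows
            if user in privileged and program_name(args) in programs]


# Constructed sample listing.
SAMPLE_PS = """USER       PID COMMAND
root         1 /sbin/init
root       842 /usr/sbin/sshd -D
sysadmin1 2231 /usr/lib/firefox/firefox -P work
root      2290 thunderbird
jdoe      2410 firefox
root      2512 vim /etc/ssh/sshd_config
"""

if __name__ == "__main__":
    for user, pid, args in privileged_interactive(parse_ps(SAMPLE_PS)):
        print(f"WARNING: {args} (pid {pid}) running as {user}")
```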
CSC 5 System Entity Relationship Diagram [figure; entities shown: Computing Systems, Authentication System, Identity & Access Management System, Workforce Members, Alerting/Reporting Analytics System, Dedicated Administration Systems]
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.
Why Is This Control Critical?
Deficiencies in security logging and analysis allow attackers to hide their location, malicious software, and activities on victim machines. Even if the victims know that their systems have been compromised, without protected and complete logging records they are blind to the details of the attack and to subsequent actions taken by the attackers. Without solid audit logs, an attack may go unnoticed indefinitely and the particular damages done may be irreversible.
Sometimes logging records are the only evidence of a successful attack. Many organizations keep audit records for compliance purposes, but attackers rely on the fact that such organizations rarely look at the audit logs, so they do not know that their systems have been compromised. Because of poor or nonexistent log analysis processes, attackers sometimes control victim machines for months or years without anyone in the target organization knowing, even though the evidence of the attack has been recorded in unexamined log files.
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
Family | CSC | Control Description | Foundational | Advanced
System | 6.1 | Include at least two synchronized time sources from which all servers and network equipment retrieve time information on a regular basis so that timestamps in logs are consistent. | Y |
System | 6.2 | Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format. | Y |
System | 6.3 | Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. | Y |
System | 6.4 | Have security personnel and/or system administrators run biweekly reports that identify anomalies in logs. They should then actively review the anomalies, documenting their findings. | Y |
System | 6.5 | Configure network boundary devices, including firewalls, network-based IPS, and inbound and outbound proxies, to verbosely log all traffic (both allowed and blocked) arriving at the device. | Y |
System | 6.6 | Deploy a SIEM (Security Information and Event Management) or log analytic tools for log aggregation and consolidation from multiple machines and for log correlation and analysis. Using the SIEM tool, system administrators and security personnel should devise profiles of common events from given systems so that they can tune detection to focus on unusual activity, avoid false positives, more rapidly identify anomalies, and prevent overwhelming analysts with insignificant alerts. | Y |
CSC 6 Procedures and Tools
Most free and commercial operating systems, network services, and firewall technologies offer logging capabilities. Such logging should be activated, with logs sent to centralized logging servers. Firewalls, proxies, and remote access systems (VPN, dial-up, etc.) should all be configured for verbose logging, storing all the information available for logging in the event a follow-up investigation is required. Furthermore, operating systems, especially those of servers, should be configured to create access control logs when a user attempts to access resources without the appropriate privileges. To evaluate whether such logging is in place, an organization should periodically scan through its logs and compare them with the asset inventory assembled as part of Critical Control 1 in order to ensure that each managed item actively connected to the network is periodically generating logs.
Analytical programs such as SIM/SEM solutions for reviewing logs can provide value, but the capabilities employed to analyze audit logs are quite extensive, even including, importantly, just a cursory examination by a person. Actual correlation tools can make audit logs far more useful for subsequent manual inspection. Such tools can be quite helpful in identifying subtle attacks. However, these tools are neither a panacea nor a replacement for skilled information security personnel and system administrators. Even with automated log analysis tools, human expertise and intuition are often required to identify and understand attacks.
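The inventory-versus-logs comparison described above, as an added example that is not part of the CIS document: the hosts seen in a central syslog collection are matched against the Control 1 inventory, and managed hosts that have been silent beyond a chosen interval are reported, along with sources logging that are not in the inventory. The log lines, inventory, reference time and interval are constructed; RFC 3164 lines carry no year, so the example assumes the collector's current year.

```python
"""Added example (not from the CIS Controls document): compare the hosts
seen in a central syslog collection against the asset inventory from
Control 1 and report managed hosts that have not logged within the
expected interval.  Log lines, inventory and window are constructed."""
from datetime import datetime, timedelta
import re

# RFC 3164 style header: "Aug 31 10:15:02 hostname tag[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) ")


def parse_syslog(lines, year: int) -> dict:
    """Return host -> most recent timestamp seen.  3164 lines carry no year,
    so the caller supplies it (an assumption of this example)."""
    latest = {}
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue                          # not a recognisable syslog header
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        host = m.group("host").lower()
        if host not in latest or ts > latest[host]:
            latest[host] = ts
    return latest


def silent_hosts(inventory, latest, now, max_silence) -> list:
    """Managed hosts with no log at all, or none within max_silence."""
    silent = []
    for host in sorted(h.lower() for h in inventory):
        seen = latest.get(host)
        if seen is None or now - seen > max_silence:
            silent.append(host)
    return silent


def unknown_sources(inventory, latest) -> list:
    """Hosts logging to the collector but absent from the inventory: under
    Control 1 these are candidates for investigation."""
    known = {h.lower() for h in inventory}
    return sorted(h for h in latest if h not in known)


# Constructed sample data.
SAMPLE_LOGS = [
    "Aug 31 08:02:11 web01 sshd[1012]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2",
    "Aug 31 09:40:57 fw-edge kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=23",
    "Aug 29 23:59:01 db01 CRON[884]: (root) CMD (run-parts /etc/cron.daily)",
    "Aug 31 10:15:02 lab-box sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls",
    "this line is not syslog formatted",
]
SAMPLE_INVENTORY = ["web01", "fw-edge", "db01", "app02"]
SAMPLE_NOW = datetime(2016, 8, 31, 12, 0, 0)


def coverage_report(lines=SAMPLE_LOGS, inventory=SAMPLE_INVENTORY,
                    now=SAMPLE_NOW, max_silence=timedelta(hours=24)) -> dict:
    """Silent managed hosts and unknown log sources for the given window."""
    latest = parse_syslog(lines, now.year)
    return {"silent": silent_hosts(inventory, latest, now, max_silence),
            "unknown": unknown_sources(inventory, latest)}


if __name__ == "__main__":
    print(coverage_report())
```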
CSC 6 System Entity Relationship Diagram [figure; entities shown: Computing Systems, Network Time Protocol (NTP) System, Alerting/Reporting Analytics System]
CSC 7: Email and Web Browser Protections
Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.
Why Is This Control Critical?
Web browsers and email clients are very common points of entry and attack because of their high technical complexity and flexibility, and their direct interaction with users and with the other systems and websites. Content can be crafted to entice or spoof users into taking actions that greatly increase risk and allow introduction of malicious code, loss of valuable data, and other attacks.
CSC 7: Email and Web Browser Protections
Family | CSC | Control Description | Foundational | Advanced
System | 7.1 | Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers provided by the vendor in order to take advantage of the latest security functions and fixes. | Y |
System | 7.2 | Uninstall or disable any unnecessary or unauthorized browser or email client plugins or add-on applications. Each plugin shall utilize application/URL whitelisting and only allow the use of the application for pre-approved domains. | Y |
System | 7.3 | Limit the use of unnecessary scripting languages in all web browsers and email clients. This includes the use of languages such as ActiveX and JavaScript on systems where it is unnecessary to support such capabilities. | Y |
System | 7.4 | Log all URL requests from each of the organization's systems, whether onsite or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems. | Y | Include mobile devices.
System | 7.5 | Deploy two separate browser configurations to each system. One configuration should disable the use of all plugins, unnecessary scripting languages, and generally be configured with limited functionality and be used for general web browsing. The other configuration shall allow for more browser functionality but should only be used to access specific websites that require the use of such functionality. | Y |
System | 7.6 | The organization shall maintain and enforce network based URL filters that limit a system's ability to connect to websites not approved by the organization. The organization shall subscribe to URL categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not. | Y |
System | 7.7 | To lower the chance of spoofed email messages, implement the Sender Policy Framework (SPF) by deploying SPF records in DNS and enabling receiver-side verification in mail servers. | Y |
System | 7.8 | Scan and block all email attachments entering the organization's email gateway if they contain malicious code or file types that are unnecessary for the organization's business. This scanning should be done before the email is placed in the user's inbox. This includes email content filtering and web content filtering. | Y |
CSC 7 Procedures and Tools
Web Browser
Most web browsers today have basic security features, but it is not adequate to rely on one aspect of security. A web server is made up of layers that provide multiple avenues of attack. The foundation of any web browser is the operating system and the secret to ensuring that it remains secure is simple: keep it updated with the latest security patches. Ensure that your patches are up-to-date and installed properly, as any server running old patches will become a victim.
Update any software components that run on a web server. Anything that is non-essential, such as DNS servers and remote administration tools like VNC or Remote Desktop, should be disabled or removed. If remote administration tools are essential, however, then avoid using default passwords or anything that can be easily guessed. This is not only applicable for remote access tools, but user accounts, switches and routers as well.
A flexible firewall is one of the strongest forms of defense against security breaches. When a web server is targeted the attack will attempt to upload hacking tools or malware immediately, so as to take advantage of the security breach before it is fixed. Without a good anti-virus package, a breach in security can go unnoticed for a significant amount of time.
Cyber criminals can exploit cookies in malicious ways. Changing your browser settings to block third party cookies will help reduce this risk. The autocomplete or autofill feature saves keystrokes by storing information you recently typed. However, autocomplete for login information poses a big risk if your laptop is lost or stolen. And restricting add-ons to an absolute minimum will reduce the attack surface. Add-ons can harbor malware and increase the possibilities for attacking your browser. Configure your browsers to prevent them from installing add-ons without a prompt.
Most popular browsers employ a database of phishing and/or malware sites to protect against the most common threats. Make sure that you and your users enable content filters. And turn on the popup blockers. Popups are not only annoying, they also can host embedded malware directly or lure users into clicking on something using social engineering tricks. Be sure that your selected browser has popup blocking enabled.
Email
Email represents one of the most interactive ways humans work with computers; encouraging the right behavior is just as important as the technical settings.
Passwords containing common words or phrases are easy to crack. Ensure complex passwords are created; a combination of letters, numbers and special characters is complex enough. Passwords should be changed on a regular basis, every 45-60 days.
Implementing two-factor authentication is another way to ensure the user is authentic, reducing the attack surface. Using a spam-filtering tool reduces the number of malicious emails that come into your network. Initiating a Sender Policy Framework to verify that the domain an email is coming from is authentic helps reduce Spam and Phishing activities. Installing an encryption tool to secure email and communications adds another layer of user and network based security.
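The receiver-side SPF verification of control 7.7 and the paragraph above, as an added example that is not part of the CIS document: the sending IP is evaluated against the domain's published policy, walking `ip4`, `ip6`, `include`, `mx` and `all` terms with their qualifiers. DNS is replaced by a constructed in-memory table (placeholder domains under reserved names) so the code runs offline; it is a minimal checker, not a full RFC 7208 implementation.

```python
"""Added example (not from the CIS Controls document): a minimal
receiver-side SPF check that evaluates a sending IP against a domain's
published policy.  DNS is replaced by a constructed in-memory table of
TXT records and MX addresses so the code runs offline; supported terms are
ip4, ip6, include, mx and all, each with an optional qualifier."""
import ipaddress

# Constructed DNS: domain -> SPF TXT record (placeholder names only).
FAKE_DNS = {
    "example.org": "v=spf1 ip4:203.0.113.0/24 include:mail-provider.example -all",
    "mail-provider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "mxonly.example": "v=spf1 mx ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}
# Constructed MX resolution: domain -> addresses of its mail exchangers.
FAKE_MX = {"mxonly.example": ["192.0.2.25"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, sender_ip: str, dns=FAKE_DNS, mx=FAKE_MX,
              depth: int = 0) -> str:
    """Return pass / fail / softfail / neutral / none / permerror for the
    sending IP under the domain's policy.  Terms are evaluated in order;
    the first matching term's qualifier is the result."""
    if depth > 10:                            # RFC 7208 bounds recursive lookups
        return "permerror"
    record = dns.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"                         # domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")  # ip6 values keep their own colons
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:                              # a v4 address never lies in a v6 net
                matched = ip in ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"            # malformed network in the record
        elif name == "include":
            inner = check_spf(value, sender_ip, dns, mx, depth + 1)
            if inner == "permerror":
                return "permerror"
            matched = inner == "pass"         # include matches only on pass
        elif name == "mx":
            target = value or domain
            matched = any(ip == ipaddress.ip_address(a) for a in mx.get(target, []))
        elif name == "all":
            matched = True
        else:
            return "permerror"                # mechanism not supported here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                          # nothing matched and no "all" term


if __name__ == "__main__":
    for ip in ("203.0.113.45", "198.51.100.10", "192.0.2.1"):
        print(ip, "->", check_spf("example.org", ip))
```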
CSC 7 System Entity Relationship Diagram [figure; entities shown: Network Devices, Alerting/Reporting Analytics System, Configuration Enforcement System, URL/Email Filtering Proxy System]
CSC 8: Malware Defenses
Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.
Why Is This Control Critical?
Malicious software is an integral and dangerous aspect of Internet threats, and can be designed to attack your systems, devices, or your data. It can be fast-moving, fast-changing, and enter through any number of points like end-user devices, email attachments, web pages, cloud services, user actions, and removable media. Modern malware can be designed to avoid defenses, or to attack or disable them.
Malware defenses must be able to operate in this dynamic environment through large-scale automation, rapid updating, and integration with processes like Incident Response. They must also be deployed at multiple possible points-of-attack to detect, stop the movement of, or control the execution of malicious software. Enterprise endpoint security suites provide administrative features to verify that all defenses are active and current on every managed system.
CSC 8: Malware Defenses
Family | CSC | Control Description | Foundational | Advanced
System | 8.1 | Employ automated tools to continuously monitor workstations, servers, and mobile devices with anti-virus, anti-spyware, personal firewalls, and host-based IPS functionality. All malware detection events should be sent to enterprise anti-malware administration tools and event log servers. | Y |
System | 8.2 | Employ anti-malware software that offers a centralized infrastructure that compiles information on file reputations or have administrators manually push updates to all machines. After applying an update, automated systems should verify that each system has received its signature update. | Y |
System | 8.3 | Limit use of external devices to those with an approved, documented business need. Monitor for use and attempted use of external devices. Configure laptops, workstations, and servers so that they will not auto-run content from removable media, like USB tokens (i.e., “thumb drives”), USB hard drives, CDs/DVDs, FireWire devices, external serial advanced technology attachment devices, and mounted network shares. Configure systems so that they automatically conduct an anti-malware scan of removable media when inserted. | Y | Actively monitor the use of external devices (in addition to logging).
System | 8.4 | Enable anti-exploitation features such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), virtualization/containerization, etc. For increased protection, deploy capabilities such as Enhanced Mitigation Experience Toolkit (EMET) that can be configured to apply these protections to a broader set of applications and executables. | Y |
System | 8.5 | Use network-based anti-malware tools to identify executables in all network traffic and use techniques other than signature-based detection to identify and filter out malicious content before it arrives at the endpoint. | Y |
System | 8.6 | Enable domain name system (DNS) query logging to detect hostname lookup for known malicious C2 domains. | Y |
CSC 8 Procedures and Tools
To ensure anti-virus signatures are up to date, organizations use automation. They use the built-in administrative features of enterprise endpoint security suites to verify that anti-virus, anti-spyware, and host-based IDS features are active on every managed system. They run automated assessments daily and review the results to find and mitigate systems that have deactivated such protections, as well as systems that do not have the latest malware definitions.
Some enterprises deploy free or commercial honeypot and “tarpit” tools to identify attackers in their environment. Security personnel should continuously monitor these tools to determine whether traffic is directed to them and account logins are attempted. When they identify such events, these personnel should gather the source address from which this traffic originates and other details associated with the attack for follow-on investigation.
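The DNS query-log review of control 8.6 in the table above, as an added example that is not part of the CIS document: resolver log lines are matched against a list of known-malicious C2 domains, matching the listed name and any subdomain of it while respecting label boundaries, and the internal clients that performed the lookups are summarised for follow-on investigation. The log format, client addresses and blocklist entries are constructed placeholders (reserved `.example` names), not real indicators.

```python
"""Added example (not from the CIS Controls document): run a DNS query log
against a list of known-malicious C2 domains, matching both the listed
domain and any subdomain of it, and summarise which internal hosts looked
them up.  Log lines, hosts and the blocklist are constructed; blocklist
entries are placeholders under the reserved .example TLD."""
import re
from collections import defaultdict

# Constructed placeholder blocklist (would come from threat intelligence).
C2_BLOCKLIST = {"c2-placeholder.example", "beacon-placeholder.example"}

# Constructed resolver log format: "<iso-ts> client <ip> query: <name> <type>"
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>[\d.]+) query: (?P<name>\S+) (?P<qtype>[A-Z]+)$")


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot of an absolute DNS name."""
    return name.lower().rstrip(".")


def blocklist_match(name: str, blocklist=C2_BLOCKLIST):
    """Return the blocklist entry the name falls under, or None.
    'x.c2-placeholder.example' matches 'c2-placeholder.example';
    'notc2-placeholder.example' does not (label boundary is enforced)."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def scan_dns_log(lines, blocklist=C2_BLOCKLIST) -> dict:
    """Map client IP -> sorted list of (timestamp, queried name, matched entry)."""
    hits = defaultdict(list)
    for line in lines:
        m = QUERY_RE.match(line)
        if not m:
            continue                      # unrecognised line: skip, do not guess
        entry = blocklist_match(m.group("name"), blocklist)
        if entry:
            hits[m.group("client")].append(
                (m.group("ts"), normalize(m.group("name")), entry))
    return {client: sorted(v) for client, v in hits.items()}


# Constructed sample log.
SAMPLE_DNS_LOG = [
    "2016-08-31T10:00:01Z client 10.0.5.12 query: www.example.org. A",
    "2016-08-31T10:00:04Z client 10.0.5.12 query: Upd.C2-Placeholder.EXAMPLE. A",
    "2016-08-31T10:00:09Z client 10.0.7.3 query: notc2-placeholder.example. A",
    "2016-08-31T10:01:15Z client 10.0.5.12 query: beacon-placeholder.example. TXT",
    "malformed line",
]

if __name__ == "__main__":
    for client, lookups in scan_dns_log(SAMPLE_DNS_LOG).items():
        for ts, name, entry in lookups:
            print(f"{ts} {client} looked up {name} (listed: {entry})")
```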
CSC 8 System Entity Relationship Diagram [figure; entities shown: Computing Systems, Network Malware Detection, End Point Protection Software/EMET, Alerting/Reporting Analytics System]
CSC 9: Limitation and Control of Network Ports, Protocols, and Services
Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize windows of vulnerability available to attackers.
Why Is This Control Critical?
Attackers search for remotely accessible network services that are vulnerable to exploitation. Common examples include poorly configured web servers, mail servers, file and print services, and domain name system (DNS) servers installed by default on a variety of different device types, often without a business need for the given service. Many software packages automatically install services and turn them on as part of the installation of the main software package without informing a user or administrator that the services have been enabled. Attackers scan for such issues and attempt to exploit these services, often attempting default user IDs and passwords or widely available exploitation code.
CSC 9: Limitation and Control of Network Ports
Family | CSC | Control Description | Foundational | Advanced
System | 9.1 | Ensure that only ports, protocols, and services with validated business needs are running on each system. | Y |
System | 9.2 | Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed. | Y |
System | 9.3 | Perform automated port scans on a regular basis against all key servers and compare to a known effective baseline. If a change that is not listed on the organization’s approved baseline is discovered, an alert should be generated and reviewed. | Y |
System | 9.4 | Verify any server that is visible from the Internet or an untrusted network, and if it is not required for business purposes, move it to an internal VLAN and give it a private address. | Y |
System | 9.5 | Operate critical services on separate physical or logical host machines, such as DNS, file, mail, web, and database servers. | Y |
System | 9.6 | Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized services or traffic should be blocked and an alert generated. | Y |
CSC 9 Procedures and Tools
Port scanning tools are used to determine which services are listening on the network for a range of target systems. In addition to determining which ports are open, effective port scanners can be configured to identify the version of the protocol and service listening on each discovered open port. This list of services and their versions is compared against an inventory of services required by the organization for each server and workstation in an asset management system. Recently added features in these port scanners are being used to determine the changes in services offered by scanned machines on the network since the previous scan, helping security personnel identify differences over time.
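The two comparisons described above (control 9.3 and this paragraph), as an added example that is not part of the CIS document: a scan's discovered services are checked against the approved per-host baseline, and against the previous scan to surface new, removed and version-changed services. Hosts, ports and fingerprinted versions are constructed sample data.

```python
"""Added example (not from the CIS Controls document): compare a port
scan's discovered services against the approved baseline for each host and
against the previous scan, reporting unapproved services, approved services
that went missing, and version changes.  All scan results and the baseline
are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str      # "tcp" / "udp"
    name: str       # service name as identified by the scanner
    version: str    # version string as fingerprinted by the scanner


# Approved baseline: (host, port, proto) -> service name.  Versions are not
# part of the baseline; version drift is reported separately.
APPROVED = {
    ("web01", 22, "tcp"): "ssh",
    ("web01", 443, "tcp"): "https",
    ("dns01", 53, "udp"): "domain",
    ("dns01", 53, "tcp"): "domain",
}


def key(s: Service) -> tuple:
    return (s.host, s.port, s.proto)


def compare_to_baseline(scan, approved=APPROVED) -> dict:
    """Services open now that are not on the approved baseline (alert and
    review), and approved services the scan did not see (possible outage
    or filtering between scanner and host)."""
    seen = {key(s): s for s in scan}
    return {"unapproved": sorted(k for k in seen if k not in approved),
            "missing": sorted(k for k in approved if k not in seen)}


def compare_to_previous(previous, current) -> dict:
    """Change since the last scan: new, removed, and version-changed services."""
    prev = {key(s): s for s in previous}
    cur = {key(s): s for s in current}
    changed = sorted((k, prev[k].version, cur[k].version)
                     for k in cur.keys() & prev.keys()
                     if prev[k].version != cur[k].version)
    return {"new": sorted(k for k in cur if k not in prev),
            "removed": sorted(k for k in prev if k not in cur),
            "version_changed": changed}


# Constructed sample scans (version strings are illustrative only).
PREVIOUS_SCAN = [
    Service("web01", 22, "tcp", "ssh", "OpenSSH 7.2"),
    Service("web01", 443, "tcp", "https", "nginx 1.10"),
    Service("dns01", 53, "udp", "domain", "BIND 9.10"),
    Service("dns01", 53, "tcp", "domain", "BIND 9.10"),
]
CURRENT_SCAN = [
    Service("web01", 22, "tcp", "ssh", "OpenSSH 7.3"),
    Service("web01", 443, "tcp", "https", "nginx 1.10"),
    Service("web01", 8080, "tcp", "http-proxy", "Jetty 9"),     # not in baseline
    Service("dns01", 53, "udp", "domain", "BIND 9.10"),          # tcp/53 gone
]

if __name__ == "__main__":
    print(compare_to_baseline(CURRENT_SCAN))
    print(compare_to_previous(PREVIOUS_SCAN, CURRENT_SCAN))
```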
CSC 9 System Entity Relationship Diagram [figure; entities shown: Computing Systems, SCAP Vulnerability Scanner, Host/Application Firewall Systems, Alerting/Reporting Analytics System]
CSC 10: Data Recovery Capability
The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.
Why Is This Control Critical?
When attackers compromise machines, they often make significant changes to configurations and software. Sometimes attackers also make subtle alterations of data stored on compromised machines, potentially jeopardizing organizational effectiveness with polluted information. When the attackers are discovered, it can be extremely difficult for organizations without a trustworthy data recovery capability to remove all aspects of the attacker’s presence on the machine.
CSC 10: Data Recovery Capability
Family | CSC | Control Description | Foundational | Advanced
System | 10.1 | Ensure that each system is automatically backed up on at least a weekly basis, and more often for systems storing sensitive information. To help ensure the ability to rapidly restore a system from backup, the operating system, application software, and data on a machine should each be included in the overall backup procedure. These three components of a system do not have to be included in the same backup file or use the same backup software. There should be multiple backups over time, so that in the event of malware infection, restoration can be from a version that is believed to predate the original infection. All backup policies should be compliant with any regulatory or official requirements. | Y |
System | 10.2 | Test data on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working. | Y |
System | 10.3 | Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services. | Y |
System | 10.4 | Ensure that key systems have at least one backup destination that is not continuously addressable through operating system calls. This will mitigate the risk of attacks like CryptoLocker which seek to encrypt or damage data on all addressable data shares, including backup destinations. | Y |
CSC 10 Procedures and Tools
Once per quarter (or whenever new backup equipment is purchased), a testing team should evaluate a random sample of system backups by attempting to restore them on a test bed environment. The restored systems should be verified to ensure that the operating system, application, and data from the backup are all intact and functional.
In the event of malware infection, restoration procedures should use a version of the backup that is believed to predate the original infection.
CSC 10 System Entity Relationship Diagram [figure; entities shown: Computing Systems, Data Backup System, Offsite/Offline Backups, Alerting/Reporting Analytics System]
CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
Why Is This Control Critical?
As delivered from manufacturers and resellers, the default configurations for network infrastructure devices are geared for ease-of-deployment and ease-of-use – not security. Open services and ports, default accounts (including service accounts) or passwords, support for older (vulnerable) protocols, pre-installation of unneeded software; all can be exploitable in their default state.
Attackers take advantage of network devices becoming less securely configured over time as users demand exceptions for specific business needs. Sometimes the exceptions are deployed and then left undone when they are no longer applicable to the business needs. In some cases, the security risk of the exception is neither properly analyzed nor measured against the associated business need and can change over time. Attackers search for vulnerable default settings, electronic holes in firewalls, routers, and switches and use those to penetrate defenses. They exploit flaws in these devices to gain access to networks, redirect traffic on a network, and intercept information while in transmission. Through such actions, the attacker gains access to sensitive data, alters important information, or even uses a compromised machine to pose as another trusted system on the network.
CSC 11: Secure Configurations for Network Devices
Family | CSC | Control Description | Foundational | Advanced
Network | 11.1 | Compare firewall, router, and switch configuration against standard secure configurations defined for each type of network device in use in the organization. The security configuration of such devices should be documented, reviewed, and approved by an organization change control board. Any deviations from the standard configuration or updates to the standard configuration should be documented and approved in a change control system. | Y |
Network | 11.2 | All new configuration rules beyond a baseline-hardened configuration that allow traffic to flow through network security devices, such as firewalls and network-based IPS, should be documented and recorded in a configuration management system, with a specific business reason for each change, a specific individual’s name responsible for that business need, and an expected duration of the need. | Y |
Network | 11.3 | Use automated tools to verify standard device configurations and detect changes. All alterations to such files should be logged and automatically reported to security personnel. | Y |
Network | 11.4 | Manage network devices using two-factor authentication and encrypted sessions. | Y |
Network | 11.5 | Install the latest stable version of any security-related updates on all network devices. | Y |
Network | 11.6 | Network engineers shall use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be isolated from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet. | Y |
Network | 11.7 | Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices. | Y |
CSC 11 Procedures and Tools
Some organizations use commercial tools that evaluate the rule set of network filtering devices to determine whether they are consistent or in conflict, providing an automated sanity check of network filters and searching for errors in rule sets or access control lists (ACLs) that may allow unintended services through the device. Such tools should be run each time significant changes are made to firewall rule sets, router ACLs, or other filtering technologies.
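As an added illustration of the two checks described above (rule-set consistency, and the 11.3 baseline-versus-running comparison), not part of the CIS document: a small Python script that audits a constructed ACL for rules shadowed by earlier rules and reports drift from an approved baseline. The simplified ACL syntax, the `Rule` class, and all sample rules and configuration lines are constructed for the example.

```python
"""Rule-set sanity check and configuration drift report (CSC 11.1 / 11.3 style).
Constructed example: the ACL syntax, sample rules and baseline text are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str        # "permit" or "deny"
    proto: str         # "tcp", "udp" or "ip" (ip = any protocol)
    src: IPv4Network
    dst: IPv4Network
    dport: tuple       # inclusive destination port range; (0, 65535) = any


def parse_rule(line: str) -> Rule:
    """Parse one line of the constructed syntax:
    '<seq> <permit|deny> <proto> <src-cidr> <dst-cidr> <port|lo-hi|any>'."""
    seq, action, proto, src, dst, port = line.split()
    if port == "any":
        rng = (0, 65535)
    elif "-" in port:
        lo, hi = port.split("-")
        rng = (int(lo), int(hi))
    else:
        rng = (int(port), int(port))
    return Rule(int(seq), action, proto, ip_network(src), ip_network(dst), rng)


def load_rules(text: str) -> list:
    """Load rules in order, ignoring blank lines and '#' comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.append(parse_rule(line))
    return rules


def covers(general: Rule, specific: Rule) -> bool:
    """True if every packet matched by `specific` is also matched by `general`."""
    proto_ok = general.proto == "ip" or general.proto == specific.proto
    ports_ok = general.dport[0] <= specific.dport[0] and specific.dport[1] <= general.dport[1]
    return (proto_ok and ports_ok
            and specific.src.subnet_of(general.src)
            and specific.dst.subnet_of(general.dst))


def audit(rules: list) -> list:
    """First-match semantics: a rule fully covered by an earlier rule can never fire.
    Same action -> redundant; opposite action -> conflicting (the later intent is dead)."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "conflicting"
                findings.append(f"rule {later.seq} is {kind}: shadowed by rule {earlier.seq}")
                break
    return findings


def config_drift(baseline: str, running: str) -> dict:
    """Line-set comparison of a running configuration against the approved baseline."""
    base, run = set(baseline.splitlines()), set(running.splitlines())
    return {"added": sorted(run - base), "removed": sorted(base - run)}


# Constructed ACL: rules 30 and 40 are the defects the audit should surface.
SAMPLE_ACL = """
10 permit tcp 10.0.0.0/8   192.0.2.10/32   443
20 deny   ip  10.0.0.0/8   192.0.2.0/24    any
30 permit tcp 10.1.0.0/16  192.0.2.10/32   443   # covered by rule 10 (same action)
40 permit tcp 10.2.0.0/16  192.0.2.20/32   22    # covered by rule 20, which denies
50 permit udp 10.0.0.0/8   198.51.100.5/32 53    # reachable
"""

# Constructed device configuration fragments (not from any real device).
APPROVED_BASELINE = "hostname edge-fw-1\nno ip http server\nntp server 10.0.0.5\n"
RUNNING_CONFIG = ("hostname edge-fw-1\nip http server\nntp server 10.0.0.5\n"
                  "snmp-server community public RO\n")

if __name__ == "__main__":
    for finding in audit(load_rules(SAMPLE_ACL)):
        print(finding)
    print(config_drift(APPROVED_BASELINE, RUNNING_CONFIG))
```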
CSC 11 System Entity Relationship Diagram (diagram not reproduced; entities shown: Network Device Management System, Network Devices, Alerting/Reporting Analytics System, Dedicated Administration Systems, Authentication System)
CSC 12: Boundary Defense
Detect/prevent/correct the flow of information transferring across networks of different trust levels with a focus on security-damaging data.
Why Is This Control Critical?
Attackers focus on exploiting systems that they can reach across the Internet, including not only DMZ systems but also workstation and laptop computers that pull content from the Internet through network boundaries. Threats such as organized crime groups and nation-states use configuration and architectural weaknesses found on perimeter systems, network devices, and Internet-accessing client machines to gain initial access into an organization. Then, with a base of operations on these machines, attackers often pivot to get deeper inside the boundary to steal or change information or to set up a persistent presence for later attacks against internal hosts. Additionally, many attacks occur between business partner networks, sometimes referred to as extranets, as attackers hop from one organization's network to another, exploiting vulnerable systems on extranet perimeters.
To control the flow of traffic through network borders and police content by looking for attacks and evidence of compromised machines, boundary defenses should be multi-layered, relying on firewalls, proxies, DMZ perimeter networks, and network-based IPS and IDS. It is also critical to filter both inbound and outbound traffic.
It should be noted that boundary lines between internal and external networks are diminishing as a result of increased interconnectivity within and between organizations as well as the rapid rise in deployment of wireless technologies. These blurring lines sometimes allow attackers to gain access inside networks while bypassing boundary systems. However, even with this blurring of boundaries, effective security deployments still rely on carefully configured boundary defenses that separate networks with different threat levels, sets of users, and levels of control. And despite the blurring of internal and external networks, effective multi-layered defenses of perimeter networks help lower the number of successful attacks, allowing security personnel to focus on attackers who have devised methods to bypass boundary restrictions.
CSC 12: Boundary Defense
Family | CSC | Control Description | Foundational / Advanced
Network | 12.1 | Deny communications with (or limit data flow to) known malicious IP addresses (blacklists), or limit access only to trusted sites (whitelists). Tests can be periodically carried out by sending packets from bogon source IP addresses (non-routable or otherwise unused IP addresses) into the network to verify that they are not transmitted through network perimeters. Lists of bogon addresses are publicly available on the Internet from various sources, and indicate a series of IP addresses that should not be used for legitimate traffic traversing the Internet. | Y
Network | 12.2 | On DMZ networks, configure monitoring systems (which may be built in to the IDS sensors or deployed as a separate technology) to record at least packet header information, and preferably full packet header and payloads of the traffic destined for or passing through the network border. This traffic should be sent to a properly configured Security Information Event Management (SIEM) or log analytics system so that events can be correlated from all devices on the network. | Y
Network | 12.3 | Deploy network-based IDS sensors on Internet and extranet DMZ systems and networks that look for unusual attack mechanisms and detect compromise of these systems. These network-based IDS sensors may detect attacks through the use of signatures, network behavior analysis, or other mechanisms to analyze traffic. | Y
Network | 12.4 | Network-based IPS devices should be deployed to complement IDS by blocking known bad signatures or the behavior of potential attacks. As attacks become automated, methods such as IDS typically delay the amount of time it takes for someone to react to an attack. A properly configured network-based IPS can provide automation to block bad traffic. When evaluating network-based IPS products, include those using techniques other than signature-based detection (such as virtual machine or sandbox-based approaches) for consideration. | Y
Network | 12.5 | Design and implement network perimeters so that all outgoing network traffic to the Internet must pass through at least one application layer filtering proxy server. The proxy should support decrypting network traffic, logging individual TCP sessions, blocking specific URLs, domain names, and IP addresses to implement a blacklist, and applying whitelists of allowed sites that can be accessed through the proxy while blocking all other sites. Organizations should force outbound traffic to the Internet through an authenticated proxy server on the enterprise perimeter. | Y
Network | 12.6 | Require all remote login access (including VPN, dial-up, and other forms of access that allow login to internal systems) to use two-factor authentication. | Y
Network | 12.7 | All enterprise devices remotely logging into the internal network should be managed by the enterprise, with remote control of their configuration, installed software, and patch levels. For third-party devices (e.g., subcontractors/vendors), publish minimum security standards for access to the enterprise network and perform a security scan before allowing access. | Y
Network | 12.8 | Periodically scan for back-channel connections to the Internet that bypass the DMZ, including unauthorized VPN connections and dual-homed hosts connected to the enterprise network and to other networks via wireless, dial-up modems, or other mechanisms. | Y
Network | 12.9 | Deploy NetFlow collection and analysis to DMZ network flows to detect anomalous activity. | Y
Network | 12.10 | To help identify covert channels exfiltrating data through a firewall, configure the built-in firewall session tracking mechanisms included in many commercial firewalls to identify TCP sessions that last an unusually long time for the given organization and firewall device, alerting personnel about the source and destination addresses associated with these long sessions. | Y
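As an added example for 12.1 and 12.10 (not part of the CIS document), a Python screen over a constructed firewall session-table export: it flags inbound sessions whose source is a bogon address, and outbound TCP sessions whose duration is unusual relative to the organization's own traffic, which is how "unusually long for the given organization" can be made concrete. The CSV layout, the `Session` class, the bogon subset and the threshold policy are assumptions; RFC 5737 documentation ranges are left out of the bogon list so they can stand in for public hosts in the sample.

```python
"""Perimeter session screening: bogon sources (CSC 12.1) and long-lived TCP sessions
(CSC 12.10). Constructed example; record format and thresholds are assumptions."""
import csv
from dataclasses import dataclass
from datetime import datetime
from io import StringIO
from ipaddress import ip_address, ip_network
from statistics import median

# Subset of special-use ranges that should never appear as an inbound source at the border.
# Documentation ranges (192.0.2/24, 198.51.100/24, 203.0.113/24) are deliberately omitted
# here so they can serve as placeholder "public" addresses in the sample data.
BOGON_NETS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4")]


@dataclass
class Session:
    start: datetime
    end: datetime
    direction: str   # "in" = initiated from the Internet, "out" = initiated inside
    src: str
    dst: str
    dport: int
    proto: str

    @property
    def seconds(self) -> float:
        return (self.end - self.start).total_seconds()


def parse_sessions(text: str) -> list:
    """Parse the constructed CSV export: start,end,dir,src,dst,dport,proto."""
    return [Session(datetime.fromisoformat(r["start"]), datetime.fromisoformat(r["end"]),
                    r["dir"], r["src"], r["dst"], int(r["dport"]), r["proto"])
            for r in csv.DictReader(StringIO(text))]


def bogon_sources(sessions: list) -> list:
    """Inbound sessions whose source address lies in a bogon range (12.1)."""
    return [s for s in sessions if s.direction == "in"
            and any(ip_address(s.src) in net for net in BOGON_NETS)]


def long_sessions(sessions: list, floor_seconds: int = 3600, factor: int = 10) -> list:
    """TCP sessions longer than both an absolute floor and `factor` times the median
    TCP session length seen on this device, so the bar adapts to the organization (12.10)."""
    tcp = [s for s in sessions if s.proto == "tcp"]
    if not tcp:
        return []
    threshold = max(floor_seconds, factor * median(s.seconds for s in tcp))
    return [s for s in tcp if s.seconds > threshold]


# Constructed session export. 198.51.100.10 plays a DMZ server; 10.x hosts are internal.
SAMPLE_SESSIONS = """\
start,end,dir,src,dst,dport,proto
2016-08-01T09:00:00,2016-08-01T09:00:04,out,10.1.5.20,203.0.113.7,443,tcp
2016-08-01T09:00:10,2016-08-01T09:00:15,out,10.1.5.21,203.0.113.9,443,tcp
2016-08-01T09:01:00,2016-08-01T09:03:00,in,203.0.113.7,198.51.100.10,443,tcp
2016-08-01T09:02:00,2016-08-01T09:02:30,out,10.1.5.22,203.0.113.12,80,tcp
2016-08-01T09:02:05,2016-08-01T09:02:14,in,192.168.77.5,198.51.100.10,22,tcp
2016-08-01T09:00:00,2016-08-02T03:00:00,out,10.20.30.40,192.0.2.50,443,tcp
2016-08-01T09:05:00,2016-08-01T09:05:01,out,10.1.5.23,203.0.113.53,53,udp
"""

if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_SESSIONS)
    for s in bogon_sources(sessions):
        print(f"bogon source at border: {s.src} -> {s.dst}:{s.dport}")
    for s in long_sessions(sessions):
        print(f"long TCP session ({s.seconds / 3600:.1f} h): {s.src} -> {s.dst}:{s.dport}")
```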
CSC 12 Procedures and Tools
The boundary defenses included in this control build on Critical Control 10. The additional recommendations here focus on improving the overall architecture and implementation of both Internet and internal network boundary points. Internal network segmentation is central to this control because once inside a network, many intruders attempt to target the most sensitive machines. Usually, internal network protection is not set up to defend against an internal attacker. Setting up even a basic level of security segmentation across the network and protecting each segment with a proxy and a firewall will greatly reduce an intruder's access to the other parts of the network.
One element of this control can be implemented using free or commercial IDS and sniffers to look for attacks from external sources directed at DMZ and internal systems, as well as attacks originating from internal systems against the DMZ or Internet. Security personnel should regularly test these sensors by launching vulnerability-scanning tools against them to verify that the scanner traffic triggers an appropriate alert. The captured packets of the IDS sensors should be reviewed using an automated script each day to ensure that log volumes are within expected parameters and that the logs are formatted properly and have not been corrupted.
Additionally, packet sniffers should be deployed on DMZs to look for Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. By sampling traffic regularly, such as over a three-hour period once a week, information security personnel can search for HTTP traffic that is neither sourced by nor destined for a DMZ proxy, implying that the requirement for proxy use is being bypassed.
To identify back-channel connections that bypass approved DMZs, network security personnel can establish an Internet-accessible system to use as a receiver for testing outbound access. This system is configured with a free or commercial packet sniffer. Then, security personnel can connect a sending test system to various points on the organization's internal network, sending easily identifiable traffic to the sniffing receiver on the Internet. These packets can be generated using free or commercial tools with a payload that contains a custom file used for the test. When the packets arrive at the receiver system, the source address of the packets should be verified against acceptable DMZ addresses allowed for the organization. If source addresses are discovered that are not included in legitimate, registered DMZs, more detail can be gathered by using a traceroute tool to determine the path that packets take from the sender to the receiver system.
CSC 12 System Entity Relationship Diagram (diagram not reproduced; entities shown: Network Devices, Network Monitoring Systems (IDS & IPS), Authentication System, Configuration Enforcement System, Network Device Management System, Application Firewall/Proxy System, Alerting/Reporting Analytics System)
CSC 13: Data Protection
The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.
Why Is This Control Critical?
Data resides in many places. Protection of that data is best achieved through the application of a combination of encryption, integrity protection and data loss prevention techniques. As organizations continue their move towards cloud computing and mobile access, it is important that proper care be taken to limit and report on data exfiltration while also mitigating the effects of data compromise.
The adoption of data encryption, both in transit and at rest, provides mitigation against data compromise. This is true if proper care has been taken in the processes and technologies associated with the encryption operations. An example of this is the management of cryptographic keys used by the various algorithms that protect data. The process for generation, use and destruction of keys should be based on proven processes as defined in standards such as NIST SP 800-57.
Care should also be taken to ensure that products used within an enterprise implement well known and vetted cryptographic algorithms, as identified by NIST. Re-evaluation of the algorithms and key sizes used within the enterprise on an annual basis is also recommended to ensure that organizations are not falling behind in the strength of protection applied to their data.
For organizations that are moving data to the cloud, it is important to understand the security controls applied to data in the cloud multi-tenant environment, and determine the best course of action for application of encryption controls and security of keys. When possible, keys should be stored within secure containers such as Hardware Security Modules (HSMs).
Encrypting data provides a level of assurance that even if data is compromised, it is impractical to access the plaintext without significant resources; however, controls should also be put in place to mitigate the threat of data exfiltration in the first place. Many attacks occurred across the network, while others involved physical theft of laptops and other equipment holding sensitive information. Yet, in most cases, the victims were not aware that the sensitive data were leaving their systems because they were not monitoring data outflows. The movement of data across network boundaries both electronically and physically must be carefully scrutinized to minimize its exposure to attackers.
The loss of control over protected or sensitive data by organizations is a serious threat to business operations and a potential threat to national security. While some data are leaked or lost as a result of theft or espionage, the vast majority of these problems result from poorly understood data practices, a lack of effective policy architectures, and user error. Data loss can even occur as a result of legitimate activities such as e-Discovery during litigation, particularly when records retention practices are ineffective or nonexistent.
Data loss prevention (DLP) refers to a comprehensive approach covering people, processes, and systems that identify, monitor, and protect data in use (e.g., endpoint actions), data in motion (e.g., network actions), and data at rest (e.g., data storage) through deep content inspection and with a centralized management framework. Over the last several years, there has been a noticeable shift in attention and investment from securing the network to securing systems within the network, and to securing the data itself. DLP controls are based on policy, and include classifying sensitive data, discovering that data across an enterprise, enforcing controls, and reporting and auditing to ensure policy compliance.
CSC 13: Data Protection
Family | CSC | Control Description | Foundational / Advanced
Network | 13.1 | Perform an assessment of data to identify sensitive information that requires the application of encryption and integrity controls. | Y
Network | 13.2 | Deploy approved hard drive encryption software to mobile devices and systems that hold sensitive data. | Y
Network | 13.3 | Deploy an automated tool on network perimeters that monitors for sensitive information (e.g., personally identifiable information), keywords, and other document characteristics to discover unauthorized attempts to exfiltrate data across network boundaries and block such transfers while alerting information security personnel. | Y
Network | 13.4 | Conduct periodic scans of server machines using automated tools to determine whether sensitive data (e.g., personally identifiable information, health, credit card, or classified information) is present on the system in clear text. These tools, which search for patterns that indicate the presence of sensitive information, can help identify if a business or technical process is leaving behind or otherwise leaking sensitive information. | Y
Network | 13.5 | If there is no business need for supporting such devices, configure systems so that they will not write data to USB tokens or USB hard drives. If such devices are required, enterprise software should be used that can configure systems to allow only specific USB devices (based on serial number or other unique property) to be accessed, and that can automatically encrypt all data placed on such devices. An inventory of all authorized devices must be maintained. | Y
Network | 13.6 | Use network-based DLP solutions to monitor and control the flow of data within the network. Any anomalies that exceed the normal traffic patterns should be noted and appropriate action taken to address them. | Y
Network | 13.7 | Monitor all traffic leaving the organization and detect any unauthorized use of encryption. Attackers often use an encrypted channel to bypass network security devices. Therefore it is essential that organizations be able to detect rogue connections, terminate the connection, and remediate the infected system. | Y
Network | 13.8 | Block access to known file transfer and email exfiltration websites. | Y
Network | 13.9 | Use host-based data loss prevention (DLP) to enforce ACLs even when data is copied off a server. In most organizations, access to the data is controlled by ACLs that are implemented on the server. Once the data have been copied to a desktop system, the ACLs are no longer enforced and the users can send the data to whomever they want. | Y
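As an added example of the pattern search that 13.4 describes (not part of the CIS document), a Python scanner for clear-text payment card and SSN-shaped values in constructed file contents. Rather than reporting every 16-digit run, candidate card numbers are confirmed with the Luhn check so that sequential identifiers do not produce false positives, and the report carries only masked values so the scan output does not itself become a copy of the sensitive data. File paths, contents and the `Finding` class are constructed for the example.

```python
"""Clear-text sensitive data scan (CSC 13.4 style) over constructed file contents.
Constructed example; paths, contents and the report format are assumptions."""
import re
from dataclasses import dataclass

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(\d(?:[ -]?\d){12,18})(?!\d)")
# US SSN shape: AAA-GG-SSSS, with structurally impossible values rejected below.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    masked: str   # the report never carries the full value


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: doubles every second digit from the right, folding >9 to one digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str, keep: int = 4) -> str:
    return "*" * (len(digits) - keep) + digits[-keep:]


def scan_text(path: str, text: str) -> list:
    """Return findings for one file, line by line, in order of appearance."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(1))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append(Finding(path, n, "payment-card", mask(digits)))
        for m in SSN_RE.finditer(line):
            area, group, serial = m.groups()
            plausible = (area not in ("000", "666") and not area.startswith("9")
                         and group != "00" and serial != "0000")
            if plausible:
                findings.append(Finding(path, n, "ssn", "***-**-" + serial))
    return findings


def scan_files(files: dict) -> list:
    """Scan a mapping of path -> text content (in practice, files read from the server)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed contents. The card numbers are the widely published test numbers
# 4111 1111 1111 1111 and 5555 5555 5555 4444; the SSN value is made up.
SAMPLE_FILES = {
    "exports/customers.csv": (
        "id,name,card,ssn\n"
        "1,A. Example,4111 1111 1111 1111,123-45-6789\n"
        "2,B. Example,5555-5555-5555-4444,\n"),
    "docs/readme.txt": (
        "Order reference 1234567890123456 is not a card number (fails Luhn).\n"
        "Build 2016.08.31, helpdesk 555-0100\n"),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line} {f.kind} {f.masked}")
```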
CSC 13 Procedures and Tools
Commercial tools are available to support enterprise management of encryption and key management within an enterprise and include the ability to support implementation of encryption controls within cloud and mobile environments.
Definition of lifecycle processes and roles and responsibilities associated with key management should be undertaken by each organization.
Commercial DLP solutions are available to look for exfiltration attempts and detect other suspicious activities associated with a protected network holding sensitive information. Organizations deploying such tools should carefully inspect their logs and follow up on any discovered attempts, even those that are successfully blocked, to transmit sensitive information out of the organization without authorization.
CSC 13 Entity Relationship Diagram (diagram not reproduced; entities shown: Network & Host Based DLP, Encryption Systems, Network Devices, End Point Protection/Removable Media Control, Alerting/Reporting Analytics System, Computing Systems)
CSC 14: Controlled Access Based on the Need to Know
The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.
Why Is This Control Critical?
Some organizations do not carefully identify and separate their most sensitive and critical assets from less sensitive, publicly accessible information on their internal networks. In many environments, internal users have access to all or most of the critical assets. Sensitive assets may also include systems that provide management and control of physical systems (e.g., SCADA). Once attackers have penetrated such a network, they can easily find and exfiltrate important information, cause physical damage, or disrupt operations with little resistance. For example, in several high-profile breaches over the past two years, attackers were able to gain access to sensitive data stored on the same servers with the same level of access as far less important data. There are also examples of using access to the corporate network to gain access to, then control over, physical assets and cause damage.
CSC 14: Controlled Access Based on the Need to Know
Family | CSC | Control Description | Foundational / Advanced
Application | 14.1 | Segment the network based on the label or classification level of the information stored on the servers. Locate all sensitive information on separated VLANs with firewall filtering to ensure that only authorized individuals are able to communicate with systems necessary to fulfill their specific responsibilities. | Y
Application | 14.2 | All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. | Y
Application | 14.3 | All network switches will enable Private Virtual Local Area Networks (VLANs) for segmented workstation networks to limit the ability of devices on a network to directly communicate with other devices on the subnet and limit an attacker's ability to laterally move to compromise neighboring systems. | Y
Application | 14.4 | All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities. | Y
Application | 14.5 | Sensitive information stored on systems shall be encrypted at rest and require a secondary authentication mechanism, not integrated into the operating system, in order to access the information. | Y
Application | 14.6 | Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. | Y
Application | 14.7 | Archived data sets or systems not regularly accessed by the organization shall be removed from the organization's network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed. | Y
CSC 14 Procedures and Tools
It is important that an organization understand what its sensitive information is, where it resides, and who needs access to it. To derive sensitivity levels, organizations need to put together a list of the key types of data and the overall importance to the organization. This analysis would be used to create an overall data classification scheme for the organization. At a base level, a data classification scheme is broken down into two levels: public (unclassified) and private (classified). Once the private information has been identified, it can then be further subdivided based on the impact it would have to the organization if it were compromised.
Once the sensitivity of the data has been identified, the data need to be traced back to business applications and the physical servers that house those applications. The network then needs to be segmented so that systems of the same sensitivity level are on the same network and segmented from systems with different trust levels. If possible, firewalls need to control access to each segment. If data are flowing over a network with a lower trust level, encryption should be used.
Job requirements should be created for each user group to determine what information the group needs access to in order to perform its jobs. Based on the requirements, access should only be given to the segments or servers that are needed for each job function. Detailed logging should be turned on for all servers in order to track access and examine situations where someone is accessing data that they should not be accessing.
CSC 14 System Entity Relationship Diagram (diagram not reproduced; entities shown: Host Based Data Loss Prevention (DLP), Encryption Systems, Network Devices, Alerting/Reporting Analytics System, Network Device Management System)
CSC 15: Wireless Access Control
The processes and tools used to track/control/prevent/correct the security use of wireless local area networks (LANs), access points, and wireless client systems.
Why Is This Control Critical?
Major thefts of data have been initiated by attackers who have gained wireless access to organizations from outside the physical building, bypassing organizations' security perimeters by connecting wirelessly to access points inside the organization. Wireless clients accompanying traveling officials are infected on a regular basis through remote exploitation during air travel or in cyber cafes. Such exploited systems are then used as back doors when they are reconnected to the network of a target organization. Still other organizations have reported the discovery of unauthorized wireless access points on their networks, planted and sometimes hidden for unrestricted access to an internal network. Because they do not require direct physical connections, wireless devices are a convenient vector for attackers to maintain long-term access into a target environment.
CSC 15: Wireless Access Control
Family | CSC | Control Description | Foundational / Advanced
Network | 15.1 | Ensure that each wireless device connected to the network matches an authorized configuration and security profile, with a documented owner of the connection and a defined business need. Organizations should deny access to those wireless devices that do not have such a configuration and profile. | Y
Network | 15.2 | Configure network vulnerability scanning tools to detect wireless access points connected to the wired network. Identified devices should be reconciled against a list of authorized wireless access points. Unauthorized (i.e., rogue) access points should be deactivated. | Y
Network | 15.3 | Use wireless intrusion detection systems (WIDS) to identify rogue wireless devices and detect attack attempts and successful compromises. In addition to WIDS, all wireless traffic should be monitored by WIDS as traffic passes into the wired network. | Y
Network | 15.4 | Where a specific business need for wireless access has been identified, configure wireless access on client machines to allow access only to authorized wireless networks. For devices that do not have an essential wireless business purpose, disable wireless access in the hardware configuration (basic input/output system or extensible firmware interface). | Y
Network | 15.5 | Ensure that all wireless traffic leverages at least Advanced Encryption Standard (AES) encryption used with at least Wi-Fi Protected Access 2 (WPA2) protection. | Y
Network | 15.6 | Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), which provide credential protection and mutual authentication. | Y
Network | 15.7 | Disable peer-to-peer wireless network capabilities on wireless clients. | Y
Network | 15.8 | Disable wireless peripheral access of devices (such as Bluetooth), unless such access is required for a documented business need. | Y
Network | 15.9 | Create separate virtual local area networks (VLANs) for BYOD systems or other untrusted devices. Internet access from this VLAN should go through at least the same border as corporate traffic. Enterprise access from this VLAN should be treated as untrusted and filtered and audited accordingly. | Y
CSC 15 Procedures and Tools
Effective organizations run commercial wireless scanning, detection, and discovery tools as well as commercial wireless intrusion detection systems.
Additionally, the security team should periodically capture wireless traffic from within the borders of a facility and use free and commercial analysis tools to determine whether the wireless traffic was transmitted using weaker protocols or encryption than the organization mandates. When devices relying on weak wireless security settings are identified, they should be found within the organization's asset inventory and either reconfigured more securely or denied access to the organization network.
Additionally, the security team should employ remote management tools on the wired network to pull information about the wireless capabilities and devices connected to managed systems.
CSC 15 System Entity Relationship Diagram (diagram not reproduced; entities shown: Computing Systems, SCAP Vulnerability Scanner, Configuration Enforcement System, Wireless Intrusion Detection System (WIDS), Public Key Infrastructure (PKI), Network Access Control (NAC), Alerting/Reporting Analytics System, Network Devices, Network Device Management System)
CSC 16: Account Monitoring and Control
Actively manage the life cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them.
Why Is This Control Critical?
Attackers frequently discover and exploit legitimate but inactive user accounts to impersonate legitimate users, thereby making discovery of attacker behavior difficult for network watchers. Accounts of contractors and employees who have been terminated and accounts formerly set up for Red Team testing (but not deleted afterwards) have often been misused in this way. Additionally, some malicious insiders or former employees have accessed accounts left behind in a system long after contract expiration, maintaining their access to an organization's computing system and sensitive data for unauthorized and sometimes malicious purposes.
CSC 16: Account Monitoring and Control
Family | CSC | Control Description | Foundational / Advanced
Application | 16.1 | Review all system accounts and disable any account that cannot be associated with a business process and owner. | Y
Application | 16.2 | Ensure that all accounts have an expiration date that is monitored and enforced. | Y
Application | 16.3 | Establish and follow a process for revoking system access by disabling accounts immediately upon termination of an employee or contractor. Disabling instead of deleting accounts allows preservation of audit trails. | Y
Application | 16.4 | Regularly monitor the use of all accounts, automatically logging off users after a standard period of inactivity. | Y
Application | 16.5 | Configure screen locks on systems to limit access to unattended workstations. | Y
Application | 16.6 | Monitor account usage to determine dormant accounts, notifying the user or user's manager. Disable such accounts if not needed, or document and monitor exceptions (e.g., vendor maintenance accounts needed for system recovery or continuity operations). Require that managers match active employees and contractors with each account belonging to their managed staff. Security or system administrators should then disable accounts that are not assigned to valid workforce members. | Y
Application | 16.7 | Use and configure account lockouts such that after a set number of failed login attempts the account is locked for a standard period of time. | Y
Application | 16.8 | Monitor attempts to access deactivated accounts through audit logging. | Y
Application | 16.9 | Configure access for all accounts through a centralized point of authentication, for example Active Directory or LDAP. Configure network and security devices for centralized authentication as well. | Y
Application | 16.10 | Profile each user's typical account usage by determining normal time-of-day access and access duration. Reports should be generated that indicate users who have logged in during unusual hours or have exceeded their normal login duration. This includes flagging the use of the user's credentials from a computer other than computers on which the user generally works. | Y
Application | 16.11 | Require multi-factor authentication for all user accounts that have access to sensitive data or systems. Multi-factor authentication can be achieved using smart cards, certificates, One Time Password (OTP) tokens, or biometrics. | Y
Application | 16.12 | Where multi-factor authentication is not supported, user accounts shall be required to use long passwords on the system (longer than 14 characters). | Y
Application | 16.13 | Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. | Y
Application | 16.14 | Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. Audit all access to password files in the system. | Y
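As an added example for 16.6 and 16.10 (not part of the CIS document), a Python script that builds a per-user profile of normal login hours and hosts from a constructed baseline log, then flags later logins at unusual hours, from unfamiliar computers, or by accounts with no history, and lists accounts dormant for more than a set number of days. The log format, account names, hosts and the 90-day dormancy window are assumptions.

```python
"""Account-usage profiling (CSC 16.10) and dormant-account detection (CSC 16.6).
Constructed example; the log format, users, hosts and thresholds are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> LOGIN user=<name> host=<host> result=<success|failure>"
LINE_RE = re.compile(r"^(\S+) LOGIN user=(\S+) host=(\S+) result=(\S+)$")


@dataclass(frozen=True)
class Login:
    when: datetime
    user: str
    host: str
    ok: bool


def parse_log(text: str) -> list:
    logins = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            when, user, host, result = m.groups()
            logins.append(Login(datetime.fromisoformat(when), user, host, result == "success"))
    return logins


def build_profiles(baseline: list) -> dict:
    """Per user: the hours of day and the hosts seen in successful baseline logins."""
    profiles = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for l in baseline:
        if l.ok:
            profiles[l.user]["hours"].add(l.when.hour)
            profiles[l.user]["hosts"].add(l.host)
    return dict(profiles)


def hour_gap(a: int, b: int) -> int:
    d = abs(a - b)
    return min(d, 24 - d)   # circular distance, so 23:00 and 00:00 are one hour apart


def flag_anomalies(profiles: dict, logins: list, hour_slack: int = 1) -> list:
    """(login, reason) pairs for successful logins at an hour more than `hour_slack`
    from every baseline hour, from a host not in the user's profile, or with no profile."""
    findings = []
    for l in logins:
        if not l.ok:
            continue
        p = profiles.get(l.user)
        if p is None:
            findings.append((l, "no baseline for user"))
            continue
        if all(hour_gap(l.when.hour, h) > hour_slack for h in p["hours"]):
            findings.append((l, "unusual hour"))
        if l.host not in p["hosts"]:
            findings.append((l, "unfamiliar host"))
    return findings


def dormant_accounts(accounts: list, logins: list, as_of: datetime, days: int = 90) -> list:
    """Accounts with no successful login in the last `days` before `as_of`."""
    last = {}
    for l in logins:
        if l.ok:
            last[l.user] = max(last.get(l.user, l.when), l.when)
    cutoff = as_of - timedelta(days=days)
    return sorted(a for a in accounts if a not in last or last[a] < cutoff)


# Constructed baseline period (profile source) and evaluation period (to be checked).
BASELINE_LOG = """
2016-07-04T08:15:00 LOGIN user=alice host=WS-ALICE result=success
2016-07-04T17:40:00 LOGIN user=alice host=WS-ALICE result=success
2016-07-05T09:02:00 LOGIN user=alice host=WS-ALICE result=success
2016-07-05T09:10:00 LOGIN user=alice host=WS-ALICE result=failure
2016-07-04T09:30:00 LOGIN user=bob host=WS-BOB result=success
2016-07-05T10:05:00 LOGIN user=bob host=WS-BOB result=success
2016-04-01T02:00:00 LOGIN user=svc_backup host=SRV-BACKUP result=success
"""
EVAL_LOG = """
2016-08-20T03:12:00 LOGIN user=alice host=WS-ALICE result=success
2016-08-20T09:05:00 LOGIN user=alice host=SRV-FILE01 result=success
2016-08-20T10:00:00 LOGIN user=bob host=WS-BOB result=success
2016-08-20T11:00:00 LOGIN user=svc_redteam host=WS-BOB result=success
2016-08-20T23:00:00 LOGIN user=bob host=WS-BOB result=failure
"""
ACCOUNTS = ["alice", "bob", "carol", "svc_backup", "svc_redteam"]   # constructed directory export

if __name__ == "__main__":
    base, recent = parse_log(BASELINE_LOG), parse_log(EVAL_LOG)
    for login, reason in flag_anomalies(build_profiles(base), recent):
        print(f"{login.when.isoformat()} {login.user}@{login.host}: {reason}")
    print("dormant:", dormant_accounts(ACCOUNTS, base + recent, datetime(2016, 9, 1)))
```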
CSC 16 Procedures and Tools
Although most operating systems include capabilities for logging information about account usage, these features are sometimes disabled by default. Even when such features are present and active, they often do not provide fine-grained detail about access to the system by default. Security personnel can configure systems to record more detailed information about account access, and use home-grown scripts or third-party log analysis tools to analyze this information and profile user access of various systems.
Accounts must also be tracked very closely. Any account that is dormant must be disabled and eventually removed from the system. All active accounts must be traced back to authorized users of the system, and it must be ensured that their passwords are robust and changed on a regular basis. Users must also be logged out of the system after a period of no activity to minimize the possibility of an attacker using their system to extract information from the organization.
CSC 16 System Entity Relationship Diagram (diagram not reproduced; entities shown: Computing Systems, Authentication System, Identity & Access Management System, Workforce Members, Configuration Enforcement System, Alerting/Reporting Analytics System)
CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.
Why Is This Control Critical?
It is tempting to think of cyber defense primarily as a technical challenge, but the actions of people also play a critical part in the success or failure of an enterprise. People fulfill important functions at every stage of system design, implementation, operation, use, and oversight. Examples include: system developers and programmers (who may not understand the opportunity to resolve root cause vulnerabilities early in the system life cycle); IT operations professionals (who may not recognize the security implications of IT artifacts and logs); end users (who may be susceptible to social engineering schemes such as phishing); security analysts (who struggle to keep up with an explosion of new information); and executives and system owners (who struggle to quantify the role that cybersecurity plays in overall operational/mission risk, and have no reasonable way to make relevant investment decisions).
Attackers are very conscious of these issues and use them to plan their exploitations by, for example: carefully crafting phishing messages that look like routine and expected traffic to an unwary user; exploiting the gaps or seams between policy and technology (e.g., policies that have no technical enforcement); working within the time window of patching or log review; using nominally non-security-critical systems as jump points or bots.
No cyber defense approach can effectively address cyber risk without a means to address this fundamental vulnerability. Conversely, empowering people with good cyber defense habits can significantly increase readiness.
CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
Family | CSC | Control Description | Foundational / Advanced
Application | 17.1 | Perform gap analysis to see which skills employees need to implement the other Controls, and which behaviors employees are not adhering to, using this information to build a baseline training and awareness roadmap for all employees. | Y
Application | 17.2 | Deliver training to fill the skills gap. If possible, use more senior staff to deliver the training. A second option is to have outside teachers provide training onsite so the examples used will be directly relevant. If you have small numbers of people to train, use training conferences or online training to fill the gaps. | Y
Application | 17.3 | Implement a security awareness program that (1) focuses on the methods commonly used in intrusions that can be blocked through individual action, (2) is delivered in short online modules convenient for employees, (3) is updated frequently (at least annually) to represent the latest attack techniques, (4) is mandated for completion by all employees at least annually, (5) is reliably monitored for employee completion, and (6) includes the senior leadership team's personal messaging, involvement in training, and accountability through performance metrics. | Y
Application | 17.4 | Validate and improve awareness levels through periodic tests to see whether employees will click on a link from suspicious email or provide sensitive information on the telephone without following appropriate procedures for authenticating a caller; targeted training should be provided to those who fall victim to the exercise. | Y
Application | 17.5 | Use security skills assessments for each of the mission-critical roles to identify skills gaps. Use hands-on, real-world examples to measure mastery. If you do not have such assessments, use one of the available online competitions that simulate real-world scenarios for each of the identified jobs in order to measure mastery of skills. | Y
CSC 17 Procedures and Tools

An effective enterprise-wide training program should take a holistic approach and consider policy and technology at the same time as the training of people. For example, policies should be designed with technical measurement and enforcement when possible, reinforced by training to fill gaps; technical controls can be implemented to bound and minimize the opportunity for people to make mistakes, so that training can focus on the things that cannot be managed technically.

To be effective in both cost and outcome, security training should be prioritized, focused, specific, and measurable. A key way to prioritize training is to focus first on those jobs and roles that are critical to the mission or business outcome of the enterprise. One way to identify these mission-critical jobs is to reference the work of the 2012 Task Force on CyberSkills established by the Secretary of Homeland Security: 1) System and Network Penetration Testers, 2) Application Penetration Testers, 3) Security Monitoring and Event Analysts, 4) Incident Responders In-Depth, 5) Counter-Intelligence/Insider Threat Analysts, 6) Risk Assessment Engineers, 7) Secure Coders and Code Reviewers, 8) Security Engineers/Architecture and Design, 9) Security Engineers/Operations, and 10) Advanced Forensics Analysts. A comprehensive taxonomy of cybersecurity roles is available through the National Cybersecurity Workforce Framework, developed by the National Institute of Standards and Technology (NIST), which maps to roles commonly found in enterprises and government organizations.

General awareness training for all users also plays an important role. But even this training should be tailored to functional roles, focused on specific actions that put the organization at risk, and measured in order to drive remediation.

The key to upgrading skills is measurement through assessments that show both the employee and the employer where knowledge is sufficient and where there are gaps. Once the gaps have been identified, those employees who have the requisite skills and knowledge can be called upon to mentor employees who need to improve their skills. In addition, the organization can develop training plans to fill the gaps and maintain employee readiness.

A full treatment of this topic is beyond the scope of the Critical Security Controls. However, the Cybersecurity Workforce Handbook published by the Center for Internet Security (www.cisecurity.org) provides foundational steps to take in optimizing the workforce for enterprise security.
CSC 17 System Entity Relationship Diagram
[Figure: entities shown are User Assessments, Education Plans/Training Programs, Workforce Members, and Alerting/Reporting Analytics System.]
CSC 18: Application Software Security

Manage the security lifecycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.

Why Is This Control Critical?

Attacks often take advantage of vulnerabilities found in web-based and other application software. Vulnerabilities can be present for many reasons, including coding mistakes, logic errors, incomplete requirements, and failure to test for unusual or unexpected conditions. Examples of specific errors include: the failure to check the size of user input; failure to filter out unneeded but potentially malicious character sequences from input streams; failure to initialize and clear variables; and poor memory management allowing flaws in one part of the software to affect unrelated (and more security critical) portions. There is a flood of public and private information about such vulnerabilities available to attackers and defenders alike, as well as a robust marketplace for tools and techniques to allow "weaponization" of vulnerabilities into exploits. Attackers can inject specific exploits, including buffer overflows, SQL injection attacks, cross-site scripting, cross-site request forgery, and click-jacking of code to gain control over vulnerable machines. In one attack, more than 1 million web servers were exploited and turned into infection engines for visitors to those sites using SQL injection. During that attack, trusted websites from state governments and other organizations compromised by attackers were used to infect hundreds of thousands of browsers that accessed those websites. Many more web and non-web application vulnerabilities are discovered on a regular basis.
CSC 18: Application Software Security

Family | CSC | Control Description | Foundational/Advanced
Application | 18.1 | For all acquired application software, check that the version you are using is still supported by the vendor. If not, update to the most current version and install all relevant patches and vendor security recommendations. | Y
Application | 18.2 | Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks, including but not limited to cross-site scripting, SQL injection, command injection, and directory traversal attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed. | Y (Note: dealing with encrypted/tunneled traffic requires more planning and resources.)
Application | 18.3 | For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. | Y
Application | 18.4 | Test in-house-developed and third-party-procured web applications for common security weaknesses using automated remote web application scanners prior to deployment, whenever updates are made to the application, and on a regular recurring basis. In particular, input validation and output encoding routines of application software should be reviewed and tested. | Y
Application | 18.5 | Do not display system error messages to end-users (output sanitization). | Y
Application | 18.6 | Maintain separate environments for production and nonproduction systems. Developers should not typically have unmonitored access to production environments. | Y
Application | 18.7 | For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested. | Y
Application | 18.8 | Ensure that all software development personnel receive training in writing secure code for their specific development environment. | Y
Application | 18.9 | For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment. | Y
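The following Python sketch is an added example for sub-controls 18.3, 18.4 and 18.5; it is not part of the CIS document. It shows explicit size, type, range and format checks on every input field of a web form, output encoding applied at the point of rendering rather than at the point of input, and an error path that logs the system error server-side and returns only a generic message with a reference id to the user. The form fields, the FieldSpec limits, and the create_account handler are assumptions made for illustration.

```python
"""Input validation, output encoding and error sanitisation for an
in-house web handler (CSC 18.3 to 18.5).  Illustrative code written for
this page, not from the CIS Controls; field names, limits and the
create_account handler are assumptions."""
import html
import logging
import re
import uuid
from dataclasses import dataclass
from typing import Any, Optional, Tuple

log = logging.getLogger("app")


class ValidationError(ValueError):
    """A field failed an explicit check.  The message names the field and
    the rule only, so it is safe to show to the user."""


@dataclass(frozen=True)
class FieldSpec:
    name: str
    type_: type                      # int or str after parsing
    max_len: int                     # size limit on the raw input
    pattern: Optional[str] = None    # acceptable format (str fields)
    min_val: Optional[int] = None    # acceptable range (int fields)
    max_val: Optional[int] = None


def validate_field(spec: FieldSpec, raw: Any) -> Any:
    """Check size, then data type, then range or format, and reject on the
    first failure instead of trying to 'clean' the input."""
    if raw is None:
        raise ValidationError(f"{spec.name}: missing")
    text = str(raw)
    if len(text) > spec.max_len:          # size check runs first, so the
        raise ValidationError(            # regex never sees oversized input
            f"{spec.name}: too long (max {spec.max_len})")
    if spec.type_ is int:
        if not re.fullmatch(r"-?\d+", text):
            raise ValidationError(f"{spec.name}: not an integer")
        value = int(text)
        if spec.min_val is not None and value < spec.min_val:
            raise ValidationError(f"{spec.name}: below minimum {spec.min_val}")
        if spec.max_val is not None and value > spec.max_val:
            raise ValidationError(f"{spec.name}: above maximum {spec.max_val}")
        return value
    if spec.pattern is not None and not re.fullmatch(spec.pattern, text):
        raise ValidationError(f"{spec.name}: invalid format")
    return text


# Constructed specs for a hypothetical account-creation form.  display_name
# deliberately allows any printable character: markup is handled by output
# encoding, not by the input filter.
SPECS = [
    FieldSpec("username", str, max_len=32, pattern=r"[A-Za-z0-9_]{3,32}"),
    FieldSpec("display_name", str, max_len=64, pattern=r"[^\x00-\x1f\x7f]{1,64}"),
    FieldSpec("age", int, max_len=3, min_val=13, max_val=120),
]


def validate_form(form: dict) -> dict:
    """Validate every expected field; fields the form does not define are
    rejected outright rather than silently ignored."""
    unexpected = set(form) - {s.name for s in SPECS}
    if unexpected:
        raise ValidationError(f"unexpected fields: {sorted(unexpected)}")
    return {s.name: validate_field(s, form.get(s.name)) for s in SPECS}


def render_greeting(display_name: str) -> str:
    """Output encoding at the point of rendering, even for data that passed
    validation, so that a later relaxation of the input rules cannot
    reintroduce cross-site scripting."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


def handle_create_account(form: dict) -> Tuple[int, str]:
    """Return (HTTP status, HTML body).  Validation failures are reported to
    the user; any other exception is logged under a reference id and the
    user sees only that id (CSC 18.5: no system error messages to end users)."""
    try:
        clean = validate_form(form)
        return 200, render_greeting(clean["display_name"])
    except ValidationError as err:
        return 400, f"<p>Invalid input: {html.escape(str(err))}</p>"
    except Exception:  # deliberate catch-all at the trust boundary
        ref = uuid.uuid4().hex[:12]
        log.exception("unhandled error in create_account ref=%s", ref)
        return 500, f"<p>An internal error occurred (reference {ref}).</p>"


if __name__ == "__main__":
    # Constructed requests: one valid, one over-range, one smuggling markup.
    for req in ({"username": "alice", "display_name": "Alice", "age": "30"},
                {"username": "alice", "display_name": "Alice", "age": "999"},
                {"username": "bob", "display_name": "<script>x</script>", "age": "40"}):
        print(handle_create_account(req))
```

Two points of design are worth noting for reviewers applying 18.4. The size check runs before any regular expression, so an oversized request cannot drive a pathological regex, and the handler escapes display_name at output time even though it was validated, so the two layers fail independently. The 500 branch is the one that is most often missed in review: the exception, stack trace and any database error text go to the log, and only the reference id goes back to the client.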
CSC 18 Procedures and Tools

The security of applications (in-house developed or acquired) is a complex activity requiring a complete program encompassing enterprise-wide policy, technology, and the role of people. These are often broadly defined or required by formal Risk Management Frameworks and processes.

A comprehensive treatment of this topic is beyond the scope of the Critical Security Controls. However, the actions in CSC 18 provide specific, high-priority steps that can improve Application Software Security. In addition, we recommend use of the many excellent comprehensive resources dedicated to this topic. Examples include: the DHS "Build Security In" Program <buildsecurityin.us-cert.gov>, and The Open Web Application Security Project (OWASP) <www.owasp.org>.
CSC 18 System Entity Relationship Diagram
[Figure: entities shown are Code Review/Vulnerability Scanner, Patch Management System, Web Application Firewall (WAF), Web Application Server, and Alerting/Reporting Analytics System.]
CSC 19: Incident Response and Management

Protect the organization's information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker's presence, and restoring the integrity of the network and systems.

Why Is This Control Critical?

Cyber incidents are now just part of our way of life. Even large, well-funded, and technically sophisticated enterprises struggle to keep up with the frequency and complexity of attacks. The question of a successful cyber-attack against an enterprise is not "if" but "when."

When an incident occurs, it is too late to develop the right procedures, reporting, data collection, management responsibility, legal protocols, and communications strategy that will allow the enterprise to successfully understand, manage, and recover. Without an incident response plan, an organization may not discover an attack in the first place, or, if the attack is detected, the organization may not follow good procedures to contain damage, eradicate the attacker's presence, and recover in a secure fashion. Thus, the attacker may have a far greater impact, causing more damage, infecting more systems, and possibly exfiltrating more sensitive data than would otherwise be possible were an effective incident response plan in place.
CSC 19: Incident Response and Management

Family | CSC | Control Description | Foundational/Advanced
Application | 19.1 | Ensure that there are written incident response procedures that include a definition of personnel roles for handling incidents. The procedures should define the phases of incident handling. | Y
Application | 19.2 | Assign job titles and duties for handling computer and network incidents to specific individuals. | Y
Application | 19.3 | Define management personnel who will support the incident handling process by acting in key decision-making roles. | Y
Application | 19.4 | Devise organization-wide standards for the time required for system administrators and other personnel to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification. This reporting should also include notifying the appropriate Computer Emergency Response Team in accordance with all legal or regulatory requirements for involving that organization in computer incidents. | Y
Application | 19.5 | Assemble and maintain information on third-party contact information to be used to report a security incident (e.g., maintain an email address of security@organization.com or have a web page http://organization.com/security). | Y
Application | 19.6 | Publish information for all personnel, including employees and contractors, regarding reporting computer anomalies and incidents to the incident handling team. Such information should be included in routine employee awareness activities. | Y
Application | 19.7 | Conduct periodic incident scenario sessions for personnel associated with the incident handling team to ensure that they understand current threats and risks, as well as their responsibilities in supporting the incident handling team. | Y
CSC 19 Procedures and Tools

After defining detailed incident response procedures, the incident response team should engage in periodic scenario-based training, working through a series of attack scenarios fine-tuned to the threats and vulnerabilities the organization faces. These scenarios help ensure that team members understand their role on the incident response team and also help prepare them to handle incidents.

A full treatment of this topic is beyond the scope of the Critical Security Controls. However, the actions in CSC 19 provide specific, high-priority steps that can improve enterprise security, and should be a part of any comprehensive incident response plan.
CSC 19 System Entity Relationship Diagram
[Figure: entities shown are Incident Management Documentation, Workforce Members, Third Party Authorities, and Alerting/Reporting Analytics System.]
CSC 20: Penetration Tests and Red Team Exercises

Test the overall strength of an organization's defenses (the technology, the processes, and the people) by simulating the objectives and actions of an attacker.

Why Is This Control Critical?

Attackers often exploit the gap between good defensive designs and intentions and implementation or maintenance. Examples include: the time window between announcement of a vulnerability, the availability of a vendor patch, and actual installation on every machine; well-intentioned policies which have no enforcement mechanism (especially those intended to restrict risky human actions); failure to apply good configurations and other practices to the entire enterprise, or to machines that come in and out of the network; and failure to understand the interaction among multiple defensive tools, or with normal system operations that have security implications.

In addition, successful defense requires a comprehensive program of technical defenses, good policy and governance, and appropriate action by people. In a complex environment where technology is constantly evolving, and new attacker tradecraft appears regularly, organizations should periodically test their defenses to identify gaps and to assess their readiness.

Penetration testing starts from the identification and assessment of vulnerabilities that can be identified in the enterprise. It complements this by designing and executing tests that demonstrate specifically how an adversary can either subvert the organization's security goals (e.g., the protection of specific Intellectual Property) or achieve specific adversarial objectives (e.g., establishment of a covert Command and Control infrastructure). The result provides deeper insight, through demonstration, into the business risks of various vulnerabilities.

Red Team exercises take a comprehensive approach to the full spectrum of organization policies, processes, and defenses in order to improve organizational readiness, improve training for defensive practitioners, and inspect current performance levels. Independent Red Teams can provide valuable and objective insights about the existence of vulnerabilities and the efficacy of defenses and mitigating controls already in place and even of those planned for future implementation.
CSC 20: Penetration Tests and Red Team Exercises

Family | CSC | Control Description | Foundational/Advanced
Application | 20.1 | Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully. Penetration testing should occur from outside the network perimeter (i.e., the Internet or wireless frequencies around an organization) as well as from within its boundaries (i.e., on the internal network) to simulate both outsider and insider attacks. | Y
Application | 20.2 | Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over. | Y
Application | 20.3 | Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively. | Y
Application | 20.4 | Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation. | Y
Application | 20.5 | Plan clear goals of the penetration test itself with blended attacks in mind, identifying the goal machine or target asset. Many APT-style attacks deploy multiple vectors, often social engineering combined with web or network exploitation. Red Team manual or automated testing that captures pivoted and multi-vector attacks offers a more realistic assessment of security posture and risk to critical assets. | Y
Application | 20.6 | Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts. | Y
Application | 20.7 | Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time. | Y
Application | 20.8 | Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems. | Y
CSC 20 Procedures and Tools

Penetration testing and Red Teaming only provide significant value when basic defensive measures have already been put into place, and when they are performed as part of a comprehensive, ongoing program of security management and improvement. These are often specified and required by formal Risk Management Frameworks and processes.

Each organization should define a clear scope and rules of engagement for penetration testing and Red Team analyses. The scope of such projects should include, at a minimum, systems with the organization's highest value information and production processing functionality. Other lower-value systems may also be tested to see if they can be used as pivot points to compromise higher-value targets. The rules of engagement for penetration tests and Red Team analyses should describe, at a minimum, times of day for testing, duration of tests, and the overall test approach.

A full treatment of this topic is beyond the scope of the CIS Critical Security Controls. However, the actions in CSC 20 provide specific, high-priority steps that can improve enterprise security, and should be a part of any comprehensive penetration testing and Red Team program.
CSC 20 Entity Relationship Diagram
[Figure: entities shown are Penetration Testers, Computing Systems, Penetration Testing Systems, and Alerting/Reporting Analytics System.]
Appendix A: Evolving an Attack Model for the CIS Critical Security Controls

Background

Since their inception, the CIS Critical Security Controls ("the Controls") have had a basic tenet of "Offense Informs Defense". That is, knowledge of actual attacks that have compromised systems (the Bad Guys' "offense") is the key factor to inform and determine the value of defensive actions. You may not be able to afford to do everything you want or need to do, and so cyber defense must be driven by prioritization: what should I do first to get the most value from my defensive resources? We believe that value is best determined by the attacker: what are they doing to us now, and what are the most useful, scalable actions we can take to stop them?

The Controls reflect the knowledge of actual attacks and effective defenses gathered from experts from every part of the ecosystem across many sectors. To do this, a team reviewed and analyzed attack data from many of the leading vendor threat reports to ensure the Controls adequately aligned with the most prevalent threats. We call this process a "Community Attack Model" for the CIS Critical Security Controls: the gathering of relevant real-life information about attacks and putting them into context so they can be easily and reliably mapped to defensive action. "Community" refers to the breadth of the participants and information sources, and also to the shared labor that operates this process. But we also emphasize that these are the threats that the entire Community faces: the documented, specific successes of the Attackers. Any one specific category of attack might not have hit you today, but it could just as easily do so tomorrow.
A Community Approach to Understanding Attacks and Threats

The Community Attack Model began by validating and enriching mapping from a well-documented and authoritative source of "real life" data: the Verizon Data Breach Investigations Report (2013, 2014, 2015). After the Verizon team did their primary analysis, a volunteer panel formed by the Center for Internet Security worked with them to map the most important categories of attacks seen in the prior year's data directly into the Controls (at a sub-Control level), and this map became a key part of the Verizon DBIR Recommendations. More recently, we completed similar mappings using annual reports, working with the Symantec Internet Security Threat Report 2015 and the HP Cyber Risk Report 2015. This approach allows readers of these data-driven annual reports to easily and consistently map into the Controls.

A couple of key points to note about this workflow:

• The mapping is from the vendor's category or summary level of attacks, not from data about every individual attack.
• The data is created by the vendor's business model (e.g., incident response, managed security, anti-malware sensors, threat intelligence), and so each represents an incomplete but well-documented sampling of the ecosystem.
• The categories used by the vendors are typically in narrative form, and not presented in any standard form or taxonomy. Recommendations are also typically in narrative form, not tied to any specific defensive framework. Therefore, mapping from any one vendor's report to the Controls requires some discussion and analytic judgment.

The use of this attack information and the selection of appropriate defensive action can be seen as part of a broader "Foundational Risk Assessment" of understanding vulnerabilities, the threats, and the resulting consequences: one that can be used by an individual enterprise as a starting point for immediate, high-value action, and can also provide a basis for common action across an entire community.
Building an Operational Attack Model

As the community around the Controls has grown in size and diversity, and as the environment has grown more complex, we must evolve this Model to be more scalable, repeatable, adaptable to different communities, and more consistent with formal security frameworks, all without disrupting the spirit of cooperation and common good that has brought us this far.

Whether you approach this problem as an individual enterprise or as a community of enterprises, you must create and operate an ongoing, repeatable process to find relevant new information about Attackers, assess the implications for your environment, make key decisions, and then take action. Doing so will help determine your best investments both tactically and strategically.

[Figure: Community Attack Model workflow]
Attackers → Solutions, services vendors:
• collect, analyze attack data
• summarize by classes, categories; prioritize
• make recommendations, publish report
→ Center for Internet Security:
• for each report, map from classes of problems into the CSCs (sub-Controls)
• publish each mapping
• refresh Controls as needed

A useful model will have a number of essential attributes.

• It should be driven by data from authoritative, publicly available sources, but also be able to make use of specialized (e.g., uniquely applicable to a sector) or restricted (e.g., encumbered by classification or agreement) knowledge.
• It should have a well-defined process to translate from attacks to action (controls) in a way that supports prioritization and is consistent with formal Risk Management Frameworks.
• It should have an on-going "refresh" cycle that allows validation of prior defensive choices, as well as assessment of new information.
• It should be low cost, and preferably shared cost across a community.
• It should be openly demonstrable to others and negotiable (since your risk is always shared with others).

So the evolution of the CIS Critical Security Controls will follow the above guidelines to continually enrich and refresh the Controls. It will expand the number and variety of threat reports, develop a standard categorization or taxonomy of attacks to map to other frameworks, and will take advantage of existing avenues for information sharing, such as using the Multi-State Information Sharing and Analysis Center (MS-ISAC).
Appendix B: Attack Types

Historically, the following Attack Types were the primary ones considered when developing the Critical Security Controls. The types were also mapped back into the Controls as part of the discussion to ensure good coverage by the Controls. This approach has been phased out in favor of the CIS Community Attack Model.

Attack Summary

• Attackers continually scan for new, unprotected systems, including test or experimental systems, and exploit such systems to gain control of them.
• Attackers distribute hostile content on Internet-accessible (and sometimes internal) websites that exploit unpatched and improperly secured client software running on victim machines.
• Attackers continually scan for vulnerable software and exploit it to gain control of target machines.
• Attackers use currently infected or compromised machines to identify and exploit other vulnerable machines across an internal network.
• Attackers exploit weak default configurations of systems that are more geared to ease of use than security.
• Attackers exploit new vulnerabilities on systems that lack critical patches in organizations that do not know that they are vulnerable because they lack continuous vulnerability assessments and effective remediation.
• Attackers compromise target organizations that do not exercise their defenses to determine and continually improve their effectiveness.
• Attackers use malicious code to gain and maintain control of target machines, capture sensitive data, and then spread it to other systems, sometimes wielding code that disables or dodges signature-based anti-virus tools.
• Attackers scan for remotely accessible services on target systems that are often unneeded for business activities, but provide an avenue of attack and compromise of the organization.
• Attackers exploit weak application software, particularly web applications, through attack vectors such as SQL injection, cross-site scripting, and similar tools.
• Attackers exploit wireless access points to gain entry into a target organization's internal network, and exploit wireless client systems to steal sensitive information.
• Attackers exploit users and system administrators via social engineering scams that work because of a lack of security skills and awareness.
• Attackers exploit and infiltrate through network devices whose security configuration has been weakened over time by granting, for specific short-term business needs, supposedly temporary exceptions that are never removed.
• Attackers trick a user with an administrator-level account into opening a phishing-style email with an attachment or surfing to the attacker's content on an Internet website, allowing the attacker's malicious code or exploit to run on the victim machine with full administrator privileges.
• Attackers exploit boundary systems on Internet-accessible DMZ networks, and then pivot to gain deeper access on internal networks.
• Attackers exploit poorly designed network architectures by locating unneeded or unprotected connections, weak filtering, or a lack of separation of important systems or business functions.
• Attackers operate undetected for extended periods of time on compromised systems because of a lack of logging and log review.
• Attackers gain access to sensitive documents in an organization that does not properly identify and protect sensitive information or separate it from non-sensitive information.
• Attackers compromise inactive user accounts left behind by temporary workers, contractors, and former employees, including accounts left behind by the attackers themselves who are former employees.
• Attackers escalate their privileges on victim machines by launching password guessing, password cracking, or privilege escalation exploits to gain administrator control of systems, which is then used to propagate to other victim machines across an enterprise.
• Attackers gain access to internal enterprise systems and gather and exfiltrate sensitive information without detection by the victim organization.
• Attackers compromise systems and alter important data, potentially jeopardizing organizational effectiveness via polluted information.
• Attackers operate undiscovered in organizations without effective incident-response capabilities, and when the attackers are discovered, the organizations often cannot properly contain the attack, eradicate the attacker's presence, or recover to a secure production state.
Appendix C: The NIST Framework for Improving Critical Infrastructure Cybersecurity

Since its release in February 2014, the NIST Framework for Improving Critical Infrastructure Cybersecurity has become a major part of the national conversation about cybersecurity for the critical infrastructure (and beyond), and we believe it represents an important step towards large-scale and specific improvements in security for the United States and internationally. The Center for Internet Security was an active participant in the development of the Framework, and the CIS Critical Security Controls are called out as one of the "Informative References" that can be used to drive specific implementation. The Framework is true to its name, "a set of principles, ideas, etc. that you use when you are forming your decisions and judgments" (from the Macmillan Dictionary), and it provides a way to organize, conduct, and drive the conversation about security goals and improvements, for individual enterprises and across communities of enterprises. But it does not include any specific risk management process, or specify any priority of action. Those "decisions and judgments" are left to the adopter to manage for their specific situation and context.

We believe that for the vast majority of enterprises, the best approach to solving these problems is to tackle them as a community, not enterprise-by-enterprise. This is the essence of the CIS non-profit community model, and is embodied in projects like the CIS Critical Security Controls, the CIS Security Configuration Benchmarks, and the National Cyber Hygiene Campaign. We need to band together to identify key actions, create information, share tools, and remove barriers so that we can all succeed.

In that spirit the Center for Internet Security will continue to support the evolution of the Framework, and also help our community leverage the content, processes, and priorities of the CIS Critical Security Controls as an action mechanism in alignment with the NIST Cybersecurity Framework.

Below is an example of the working aids that CIS maintains to help our community leverage the Framework. This chart shows the mapping from the Critical Security Controls (Version 6.0) into the most relevant NIST CSF (Version 1.0) Core Functions and Categories.
Cybersecurity Framework (CSF) Core

CIS Critical Security Controls (V6.0) | Identify | Protect | Detect | Respond | Recover
CSC 1: Inventory of Authorized and Unauthorized Devices | AM | | | |
CSC 2: Inventory of Authorized and Unauthorized Software | AM | | | |
CSC 3: Secure Configuration of End User Devices | | IP | | |
CSC 4: Continuous Vulnerability Assessment and Remediation | RA | | CM | MI |
CSC 5: Controlled Use of Administrative Privileges | | AC | | |
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs | | | AE | AN |
CSC 7: Email and Web Browser Protections | | PT | | |
CSC 8: Malware Defense | | PT | CM | |
CSC 9: Limitation and Control of Network Ports, Protocols, and Services | | IP | | |
CSC 10: Data Recovery Capability | | | | | RP
CSC 11: Secure Configuration of Network Devices | | IP | | |
CSC 12: Boundary Defense | | | DP | |
CSC 13: Data Protection | | DS | | |
CSC 14: Controlled Access Based on Need to Know | | AC | | |
CSC 15: Wireless Access Control | | AC | | |
CSC 16: Account Monitoring and Control | | AC | CM | |
CSC 17: Security Skills Assessment and Appropriate Training | | AT | | |
CSC 18: Application Software Security | | IP | | |
CSC 19: Incident Response and Management | | | AE | RP |
CSC 20: Penetration Tests and Red Team Exercises | | | | IM | IM

The two-letter codes are the CSF 1.0 Core Category identifiers: AM Asset Management and RA Risk Assessment (Identify); AC Access Control, AT Awareness and Training, DS Data Security, IP Information Protection Processes and Procedures, and PT Protective Technology (Protect); AE Anomalies and Events, CM Security Continuous Monitoring, and DP Detection Processes (Detect); RP Response Planning, AN Analysis, MI Mitigation, and IM Improvements (Respond); RP Recovery Planning and IM Improvements (Recover).
Appendix D: The National Cyber Hygiene Campaign

The National Campaign for Cyber Hygiene was developed to provide a plain-language, accessible, and low-cost foundation for implementation of the CIS Critical Security Controls. Although the Controls already simplify the daunting challenges of cyber defense by creating community priorities and action, many enterprises are starting from a very basic level of security.

The Campaign starts with a few basic questions that every corporate and government leader ought to be able to answer.

• Do we know what is connected to our systems and networks? (CSC 1)
• Do we know what software is running (or trying to run) on our systems and networks? (CSC 2)
• Are we continuously managing our systems using "known good" configurations? (CSC 3)
• Are we continuously looking for and managing "known bad" software? (CSC 4)
• Do we limit and track the people who have the administrative privileges to change, bypass, or over-ride our security settings? (CSC 5)

These questions, and the actions required to answer them, are represented in "plain language" by the Top 5 Priorities of the Campaign: "Count, Configure, Control, Patch, Repeat". To support the Campaign, volunteers have created documentation and "toolkits" to guide implementation.

Although the language is simple and catchy, behind the scenes each of these questions is associated with a primary Control that provides an action plan. The Campaign is also designed to be in alignment with the first 5 of the CIS Critical Security Controls, the Australian Signals Directorate's (ASD) "Top Four Strategies to Mitigate Targeted Intrusions", and the DHS Continuous Diagnostic and Mitigation (CDM) Program. This provides a strong and defendable basis for the Campaign Priorities, a growth path for maturity beyond these basic actions, and the benefits of a large community of experts, users, and vendors.

The National Campaign for Cyber Hygiene has been jointly adopted by the Center for Internet Security (home of the Multi-State Information Sharing and Analysis Center) and the National Governors Association Homeland Security Advisory Council (GHSAC) as a foundational cybersecurity program across many State, Local, Tribal, and Territorial governments and offers toolkits and resources for any public or private organization.

For more information, go to www.cisecurity.org.
Appendix E: Critical Governance Controls and the CIS Critical Security Controls

Cybersecurity governance is a key responsibility of the board of directors and senior executives, and it must be an integral part of overall enterprise governance. Because of its dynamic nature, cybersecurity governance must also be aligned with an operational cybersecurity framework.

To exercise effective governance, executives must have a clear understanding of what to expect from their information security program. They need to know how to direct the implementation, evaluate their own status with regard to existing security programs, and determine the strategy and objectives of an effective security program.

How the CIS Critical Security Controls Can Help

The Controls are actionable, automated activities that detect and prevent attacks against your network and most important data. They support enterprise security governance programs by bridging the gap from an executive view of business risk to a technical view of specific actions and operational controls to manage those risks. Key executive concerns about information security risks can be translated into specific programs for security improvement, and also into day-to-day security tasks for front-line personnel. This allows better alignment top-to-bottom of corporate risk management. Also, since the Controls are created and supported by a large independent community of practitioners and vendors, they provide a specific, supported, and open baseline for measurement and negotiation about security improvement, one that is demonstrably in alignment with essentially all formal regulatory, governance, and oversight frameworks.

From Governance to the CIS Critical Security Controls

To help improve your company's ability to manage information risks, here are some sample steps to help you align corporate governance concerns with the implementation of security controls. These examples identify the primary, but not the only, CIS Critical Security Controls which should be implemented.

Governance Item #1: Identify your most important information assets and the impact on your business or mission if they were to be compromised.

Information is the lifeblood of every modern enterprise, and the movement, storage, and control of that information is inextricably bound to the use of Information Technology. Therefore the following CIS Critical Security Controls are the primary means to track and control the system components that manage the flow, presentation, and use of information.

CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
Governance Item #2: Manage the known cyber vulnerabilities of your information and make sure the necessary security policies are in place to manage the risk.
At a minimum, you should be able to identify and manage the large volume of known flaws and vulnerabilities found in Information Technology and processes. The following CIS Critical Security Controls are the primary means to establish a baseline of responsible practices that can be measured, managed, and reported.
CSC 3: Secure Configurations of Hardware and Software
CSC 4: Continuous Vulnerability Assessment and Remediation
Governance Item #3: Clearly identify the key threats to your information and assess the weaknesses in your defense.
Threats to your information, systems, and processes evolve constantly. The following CIS Critical Security Controls are the primary means to establish a baseline of responsible practices that can be measured, managed, and reported.
CSC 8: Malware Defenses
CSC 20: Penetration Tests and Red Team Exercises
Governance Item #4: Confirm and control who has access to the most important information.
Ensuring that the right people have access to corporate data and ensuring privileges are managed accurately can reduce the impact of unauthorized access, both from internal threats and external. The following CIS Critical Security Controls are the primary means to establish a baseline of responsible practices to identify needs and manage access.
CSC 5: Controlled Use of Administrative Privileges
CSC 14: Controlled Access Based on the Need to Know
A fundamental goal of information security is to reduce adverse impacts on the organization to an acceptable level of risk. Therefore, a crucial metric comprises the adverse impacts of information security incidents experienced by the company. An effective security program will show a trend of impact reduction. Quantitative measures can include trend analysis of impacts over time.
Developing an Overall Governance Strategy
While the CIS Critical Security Controls provide an effective way to plan, prioritize, and implement primarily technical controls for cyber defense, they are best used as part of a holistic information governance program – one that also addresses policies, standards, and guidelines that support technical implementations. For example, conducting an inventory of devices on your network is an important technical best practice, but an organization must also define and publish policies and processes that clearly communicate to employees the purpose of these controls, what is expected of them and the role they play in protecting the company’s interests.
The following topics provide a useful framework for developing your overall governance strategy. Based on our experience, these are prioritized based on their impact in building and supporting an effective information assurance program.
Executive Sponsorship: Develop information assurance charters with roles and responsibilities, steering committees, and board of director briefings to establish support and leadership from executives.
Information Assurance Program Management: Define management and resource allocation controls, such as budgeting, and prioritization to govern information assurance programs under executive sponsorship.
Information Assurance Policies and Standards Management: Define and document policies and standards to provide detailed guidance regarding how security controls will be completed to promote consistency in defense.
Data Classification: Identify, prioritize and label data assets, including analog or physical assets.
Risk Management: Identify thoughtful and purposeful defense strategies based on priority decisions on how best to defend valuable data assets.
Compliance and Legal Management: Address compliance requirements based on the regulatory and contractual requirements placed on your organization.
Security Awareness and Education: Establish education plans for all workforce members to ensure that they have the necessary skills to protect information assets as a part of their responsibilities.
Audit and Assessment Management: Conduct audits and assessments to ensure that information assurance efforts are consistent with the standards you have defined and to assist in your efforts to manage risk.
Personnel and Human Resources Management: Specify personnel and human resources controls to manage the way people interact with data assets. People, as well as technology controls, are critical for the defense of information assets.
Budgets and Resource Management: Allocate appropriate resources in order to be effective at defense. Information assurance architectures are vital for defense, but without budgets and resources, such plans will never be effective.
Physical Security: Protect the equipment, buildings, and locations where data assets are stored to provide a foundation for the logical security of data assets.
Incident Response Management: Specify the planned management of how you will respond in the face of potentially adverse events. This acts as a component of business continuity and disaster management.
Business Continuity and Disaster Recovery Management: Specify resiliency controls to help mitigate potential losses due to potential disruptions to business operations.
Procurement and Vendor Management: Partner with business associates in defending their data assets. The Controls define how an organization aligns with third parties and vendors to protect their data assets.
Change and Configuration Management: Assess, accept or deny, and log changes to systems, especially configuration changes, in a systematic formal manner in order to defend the organization’s information assets.
Organizations are encouraged (and many are required) to implement these governance controls in parallel with the technical controls defined elsewhere in this document. Both technical and governance related controls should be considered equally important pillars in the architecture of an organization’s defense.
Appendix F: Toward A Privacy Impact Assessment (PIA) for the CIS Critical Security Controls
Introduction
An effective posture of enterprise cybersecurity need not, and, indeed, should not compromise individual privacy. Many laws, regulations, guidelines, and recommendations exist to safeguard privacy, and enterprises will, in many cases, adapt their existing policies on privacy as they apply the Controls.
At a minimum, use of the Controls should conform to the general principles embodied in the Fair Information Practice principles (FIPs)[2] and in Privacy by Design.[3] All enterprises that apply the Controls should undertake – and make available to stakeholders – privacy impact assessments of relevant systems to ensure that appropriate protections are in place as the Controls are implemented. Every enterprise should also regularly review these assessments as material changes to its cybersecurity posture are adopted. The aim is to assess and mitigate the major potential privacy risks associated with implementing specific Controls as well as evaluate the overall impact of the Controls on individual privacy.
To assist enterprises in efforts to conduct a privacy impact assessment when implementing the Controls and to contribute to the establishment of a more general reference standard for privacy and the Controls, CIS will convene technical and privacy experts to review each Control and offer recommendations for best practice.
The following framework will help guide this effort and provide a possible outline for a Privacy Impact Assessment.
Privacy Impact Assessment of the CIS Critical Security Controls
I. Overview
Outline the purpose of each Control and provide justification for any actual or potential intersection with privacy-sensitive information.
• Where possible, identify how technologies, procedures, and data flows are used to implement the Control. Provide a brief description of how the Control generally collects and stores information. Identify the type of data collected by the Control and the kinds of information that can be derived from this data. In discussing how the Control might collect and use PII, include a typical transaction that details the life cycle of that PII from collection to disposal.
• Describe the measures necessary to protect privacy data and mitigate any risks of unauthorized access or inadvertent disclosure of the data. The aim here is not to list every possible risk to privacy, but rather, to provide a holistic view of the risks to privacy that could arise from implementation of the Control.
• Describe any potential ad-hoc or routine information sharing that will result from the implementation of the Control both within the enterprise and with external sharing partners. Also describe how such external sharing is compatible with the original collection of the information, and what agreements would need to be in place to support this sharing.
[2] See http://www.dhs.gov/publication/fair-information-practice-principles-fipps, and http://www.nist.gov/nstic/NSTIC-FIPPs.pdf.
[3] See https://www.privacybydesign.ca. The approach discussed in this Annex draws heavily on public sector approaches in the United States, but can be adapted for any jurisdiction.
II. Authorities
Identify the legal authorities or enterprise policies that would permit or, conversely, limit or prohibit the collection or use of information by the Control.
• List the statutory and regulatory authorities that would govern operation of the Control, including the authorities to collect the information identified above. Explain how the statutory and regulatory authorities permit or would limit collection and use of the information or govern geographic storage requirements. If the Control would conceivably collect Personally Identifiable Information (PII), also identify the specific statutory authority that would permit such collection.
• Would the responsible office of an enterprise be able to rely on authorities of another parent organization, subsidiary, partner or agency?
• Might the information collected by the Control be received from a foreign user, organization or government? If so, does any international agreement, contract, privacy policy or memorandum of understanding exist to support or otherwise govern this collection?
III. Characterizing Control-Related Information
Identify the type of data the Control collects, uses, disseminates, or maintains.
• For each Control, identify both the categories of technology sources, logs, or individuals from whom information would be collected, and, for each category, list any potential PII that might be gathered, used, or stored to support the Control.
o Relevant information here includes (but is not limited to): name; date of birth; mailing address; telephone numbers; social security number; e-mail address; mother’s maiden name; medical records locators; bank account numbers; health plan beneficiaries; any other account numbers; certificates or other license numbers; vehicle identifiers, including license plates; marriage records; civil or criminal history information; medical records; device identifiers and serial numbers; education records; biometric identifiers; photographic facial images; or any other unique identifying number or characteristic.
• If the output of the Control, or system on which it operates, creates new information from data collected (for example, a scoring, analysis, or report), might this new information have privacy implications? If so, perform the same above analysis on the newly created information.
• If the Control uses information from commercial sources or publicly available data to enrich other data collected, explain how this information might be used.
o Commercial data includes information from data aggregators (such as LexisNexis, threat feeds, or malware databases), or from social networking sources where the information was originally collected by a private organization.
o Publicly available data includes information obtained from the internet, news feeds, or from state or local public records, such as court records where the records are received directly from the state or local agency, rather than from a commercial data aggregator.
o Identify scenarios in which this enriched data might derive data that could have privacy implications. If so, perform the same above analysis on the newly created information.
• Identify and discuss the privacy risks for Control information and explain how they are mitigated. Specific risks may be inherent in the sources or methods of collection.
• Consider the following Fair Information Practice principles (FIPs):
o Principle of Purpose Specification: Explain how the collection of PII by the Control links to the cybersecurity needs of the enterprise.
o Principle of Minimization: Is the PII data directly relevant and necessary to accomplish the specific purposes of the Control?
o Principle of Individual Participation: Does the Control, to the extent possible and practical, collect PII directly from individuals?
IV. Uses of Control-Related Information
Describe the Control’s use of PII or privacy protected data. Describe how and why the Control uses this data.
• List likely uses of the information collected or maintained, both internal and external to the enterprise. Explain how and why different data elements will be used. If Social Security numbers are collected for any reason, for example, describe why such collection is necessary and how such information would be used. Describe types of procedures and protections to be in place to ensure that information is handled appropriately, and policies that need to be in place to provide user notification.
• Does the Control make use of technology to conduct electronic searches, queries, or analyses in a database to discover or locate a predictive pattern or an anomaly? If so, describe what results would be achieved and if there would be possibility of privacy implications.
• Some Controls require the processing of large amounts of information in response to user inquiry or programmed functions. The Controls may help identify data that were previously not identifiable and may generate the need for additional research by analysts or other employees. Some Controls are designed to perform complex analytical tasks resulting in other types of data, matching, relational analysis, scoring, reporting, or pattern analysis.
• Discuss the results generated by the uses described above, including link analysis, scoring, or other analyses. These results may be generated electronically by the information system, or manually through review by an analyst. Would these results potentially have privacy implications?
• Are there other offices or departments within or connected to the enterprise that would receive any data generated? Would there be privacy implications to their use or collection of this data?
• Consider the following FIPs:
o Principle of Transparency: Are the PIA and related policies clear about the uses of information generated by the Control?
o Principle of Use Limitation: Is the use of information contained in the system relevant to the mission of the Control?
V. Security
Complete a security plan for the information system(s) supporting the Control.
• Is there appropriate guidance when implementing the Control to ensure that appropriate physical, personnel, IT, and other safeguards are in place to protect privacy protected data flowing to and generated from the Control?
• Consider the following Fair Information Practice principle:
o Principle of Security: Is the security appropriate and proportionate to the protected data?
VI. Notice
Identify if any notice to individuals must be put in place regarding implementation of the Control, PII collected, the right to consent to uses of information, and the right to decline to provide information (if practicable).
• Define how the enterprise might require notice to individuals prior to the collection of information.
• Enterprises often provide written or oral notice to employees, customers, shareholders, and other stakeholders before they collect information from individuals. In the U.S. government, that notice may include a posted privacy policy, a Privacy Act statement, a Privacy Impact Assessment, or a Statement of Records Notice (SORN) published in the U.S. Federal Register. For private companies collecting information from consumers, publicly available privacy policies are used. Describe what notice might be relevant to individuals whose information might be collected by the Control.
• If notice might not, or cannot be provided, define if one is required or how it can be mitigated. For certain law enforcement operations, notice may not be appropriate – enterprises would then explain how providing direct notice to the individual at the time of collection would undermine a law enforcement mission.
• Discuss how the notice provided corresponds to the purpose of the Control and the declared uses. Discuss how the notice given for the initial collection is consistent with the stated use(s) of the information. Describe how implementation of the Control mitigates the risks associated with potentially insufficient notice and opportunity to decline or consent.
• Consider the following FIPs:
o Principle of Transparency: Will this Control allow sufficient notice to be provided to individuals?
o Principle of Use Limitation: Is the information used only for the purpose for which notice was provided either directly to individuals or through a public notice? What procedures can be put in place to ensure that information is used only for the purpose articulated in the notice?
o Principle of Individual Participation: Will the enterprise be required to provide notice to individuals regarding redress, including access and correction, including other purposes of notice such as types of information and controls over security, retention, disposal, etc.?
VII. Data Retention
Will there be a requirement to develop a records retention policy, subject to approval by the appropriate enterprise authorities (e.g., management, Board), to govern information gathered and generated by the Control?
• Consider the following FIPs below to assist in providing a response:
o Principle of Minimization: Does the Control have the capacity to use only the information necessary for declared purposes? Would the Control be able to manage PII retained only for as long as necessary and relevant to fulfill the specified purposes?
o Principle of Data Quality and Integrity: Does the PIA describe policies and procedures required by an organization for how PII is purged once it is determined to be no longer relevant and necessary?
VIII. Information Sharing
Describe the scope of the information sharing within and external to the enterprise that could be required to support the Control. External sharing encompasses sharing with other businesses, vendors, private sector groups, or federal, state, local, tribal, and territorial government, as well as with governments or official agencies of other countries.
• For state or local government agencies, or private sector organizations, list the general types that might be applicable for the Control, rather than the specific names.
• Describe any agreements that might be required for an organization to conduct information sharing as part of normal enterprise operations.
• Discuss the privacy risks associated with the sharing of information outside of the enterprise. How can those risks be mitigated?
• Discuss how the sharing of information is compatible with the stated purpose and use of the original collection for the Control.
IX. Redress
Enterprises should have in place procedures for individuals to seek redress if they believe their PII may have been improperly or inadvertently disclosed or misused through implementation of the Controls. These procedures may include allowing them to file complaints about what data is collected or how it’s used.
• Consider the following issue that falls under the FIP principle of Individual Participation:
o Can a mechanism be applied by which an individual can prevent PII obtained for one purpose from being used for other purposes without the individual’s knowledge?
X. Auditing and Accountability
Describe what technical and policy based safeguards and security measures might be needed to support the Control. Include an examination of technical and policy safeguards, such as information sharing protocols, special access restrictions, and other controls.
• Discuss whether the Control allows for self-audits, permits third party audits, or allows real time or forensic reviews by appropriate oversight agencies.
• Do the IT systems supporting the Control have automated tools to indicate when information is possibly being misused?
• Describe what requirements for privacy training should be provided to users either generally or specifically relevant to the Control, including information handling procedures and sensitivity of information. Discuss how individuals who have access to PII collected or generated by the Control should be trained to appropriately handle that information.
• Discuss the types of processes and procedures necessary to review and approve information sharing agreements, new uses of Control information, and new access to Control information by other parties.
Appendix G: Categorization for the CIS Critical Security Controls
Introduction
When we created Version 6 of the CIS Controls, one of the notable changes was deletion of the “categories” for each sub-Control (Quick Win, Visibility and Attribution, Improved Security Configuration and Hygiene, and Advanced). These had proved to be problematic for several reasons, and a number of people found them to be more inconsistent than useful.
But other adopters told us they missed the categories and found them helpful in prioritizing their Controls implementation plans, especially in presenting those plans to management, so we went back to take another look at them. In addition, people asked for more help in identifying sub-controls that were truly “advanced” and would require substantial investment of time and resources.
This document presents a simpler categorization scheme for each sub-control, along with some explanatory information to separate actions that we consider “Foundational” from those that are “Advanced”.
Description
In Version 5 of the CIS Controls, each sub-control was identified in one of the following categories:
• Quick wins that provide significant risk reduction without major financial, procedural, architectural, or technical changes to an environment, or that provide such substantial and immediate risk reduction against very common attacks that most security-aware organizations prioritize these key controls.
• Visibility and attribution measures to improve the process, architecture, and technical capabilities of organizations to monitor their networks and computer systems to detect attack attempts, locate points of entry, identify already-compromised machines, interrupt infiltrated attackers’ activities, and gain information about the sources of an attack.
• Improved information security configuration and hygiene to reduce the number and magnitude of security vulnerabilities and improve the operations of networked computer systems, with a focus on protecting against poor security practices by system administrators and end-users that could give an attacker an advantage.
• Advanced sub-controls that use new technologies or procedures that provide maximum security but are harder to deploy or more expensive or require more highly skilled staff than commoditized security solutions.
For Version 6.1, we made this simpler and moved to a 2-category system. As a starting point, we worked from the original Version 5 categories since most of the sub-controls carried over in some form.
• Foundational: These provide essential improvements to the process, architecture, and technical capabilities of organizations to monitor their networks and computer systems to detect attack attempts, locate points of entry, identify already-compromised machines, interrupt infiltrated attackers’ activities, and gain information about the sources of an attack. They reduce the number and magnitude of security vulnerabilities and improve the operations of networked computer systems, with a focus on protecting against poor security practices by system administrators and end-users that could give an attacker an advantage.
• Advanced: These are sub-controls that use new technologies or procedures for maximum security, but are harder to deploy or more expensive or require more highly skilled staff than commoditized security solutions.
However, a number of adopters noted that some of the individual sub-controls contain wording, phrases, or an interpretation that did not fall neatly into either category. So for each of those, we identified a primary category (Foundational or Advanced, shown as “Y” in one column of the charts); and then we added text to clarify and separate out the other aspect of the sub-control.
For example, we might identify a given sub-control as Foundational, but those seeking to build upon the sub-control for an Advanced security program now have some guidance. This is not a particularly elegant solution, but we wanted to provide useful guidance without a significant rewrite of the sub-controls. Enterprises adopting the Controls do something like this anyway – interpret each of the sub-controls in the context of their specific situation, technical base, and risk management – in order to create a roadmap of phased implementation.