The CIS Critical Security Controls for Effective Cyber Defense

TheCISCriticalSecurityControlsfor

EffectiveCyberDefenseVersion6.1

i

TheCenterforInternetSecurityCriticalSecurityControlsforEffectiveCyberDefense

Version6.1August31,2016

ThisworkislicensedunderaCreativeCommonsAttribution-NonCommercial-NoDerivatives4.0InternationalPublicLicense(thelinkcanbefoundathttps://creativecommons.org/licenses/by-nc-nd/4.0/legalcodeTofurtherclarifytheCreativeCommonslicenserelatedtotheCISCriticalSecurityControlscontent,youareauthorizedtocopyandredistributethecontentasaframeworkforusebyyou,withinyourorganizationandoutsideofyourorganizationfornon-commercialpurposesonly,providedthat(i)appropriatecreditisgiventoCIS,and(ii)alinktothelicenseisprovided.Additionally,ifyouremix,transformorbuildupontheCISCriticalSecurityControls,youmaynotdistributethemodifiedmaterials.UsersoftheCISCriticalSecurityControlsframeworkarealsorequiredtoreferto(http://www.cisecurity.org/critical-controls.cfm)whenreferringtotheCISCriticalSecurityControlsinordertoensurethatusersareemployingthemostuptodateguidance.CommercialuseoftheCISCriticalSecurityControlsissubjecttothepriorapprovalofTheCenterforInternetSecurity.

ii

TheCISCriticalSecurityControlsforEffectiveCyberDefense

Introduction 1

CSC1:InventoryofAuthorizedandUnauthorizedDevices 6

CSC2:InventoryofAuthorizedandUnauthorizedSoftware 10

CSC3:SecureConfigurationsforHardwareandSoftwareonMobileDevices,Laptops,Workstations,andServers 13

CSC4:ContinuousVulnerabilityAssessmentandRemediation 17

CSC5:ControlledUseofAdministrativePrivileges 21

CSC6:Maintenance,Monitoring,andAnalysisofAuditLogs 24

CSC7:EmailandWebBrowserProtections 27

CSC8:MalwareDefenses 31

CSC9:LimitationandControlofNetworkPorts,Protocols,andServices 34

CSC10:DataRecoveryCapability 36

CSC11:SecureConfigurationsforNetworkDevicessuchasFirewalls,Routers,andSwitches 38

CSC12:BoundaryDefense 41

CSC13:DataProtection 46

CSC14:ControlledAccessBasedontheNeedtoKnow 50

CSC15:WirelessAccessControl 53

CSC16:AccountMonitoringandControl 56

CSC17:SecuritySkillsAssessmentandAppropriateTrainingtoFillGaps 59

CSC18:ApplicationSoftwareSecurity 63

CSC19:IncidentResponseandManagement 66

CSC20:PenetrationTestsandRedTeamExercises 69

AppendixA:EvolvingAnAttackModelfortheCISCriticalSecurityControls. 73

iii

AppendixB:AttackTypes 76

AppendixC:TheNISTFrameworkforImprovingCriticalInfrastructureCybersecurity 78

AppendixD:TheNationalCyberHygieneCampaign 80

AppendixE:CriticalGovernanceControlsandtheCISCriticalSecurityControls 81

AppendixF:TowardAPrivacyImpactAssessment(PIA)fortheCISCriticalSecurityControls 85

AppendixG:CategorizationfortheCISCriticalSecurityControls 91

1

Introduction

Weareatafascinatingpointintheevolutionofwhatwenowcallcyberdefense.Massivedatalosses,theftofintellectualproperty,creditcardbreaches,identitytheft,threatstoourprivacy,denialofservice–thesehavebecomeawayoflifeforallofusincyberspace.

Ironically,asdefenderswehaveaccesstoanextraordinaryarrayofsecuritytoolsandtechnology,securitystandards,trainingandclasses,certifications,vulnerabilitydatabases,guidance,bestpractices,catalogsofsecuritycontrols,andcountlesssecuritychecklists,benchmarks,andrecommendations.Tohelpusunderstandthethreat,we’veseentheemergenceofthreatinformationfeeds,reports,tools,alertservices,standards,andthreatsharingframeworks.Totopitalloff,wearesurroundedbysecurityrequirements,riskmanagementframeworks,complianceregimes,regulatorymandates,andsoforth.Thereisnoshortageofinformationavailabletosecuritypractitionersonwhattheyshoulddotosecuretheirinfrastructure.

Butallofthistechnology,information,andoversighthasbecomeaveritable“FogofMore”:competingoptions,priorities,opinions,andclaimsthatcanparalyzeordistractanenterprisefromvitalaction.Businesscomplexityisgrowing,dependenciesareexpanding,usersarebecomingmoremobile,andthethreatsareevolving.Newtechnologybringsusgreatbenefits,butitalsomeansthatourdataandapplicationsarenowdistributedacrossmultiplelocations,manyofwhicharenotwithinourorganization’sinfrastructure.Inthiscomplex,interconnectedworld,noenterprisecanthinkofitssecurityasastandaloneproblem.

Sohowcanweasacommunity–thecommunity-at-large,aswellaswithinindustries,sectors,partnerships,andcoalitions–bandtogethertoestablishpriorityofaction,supporteachother,andkeepourknowledgeandtechnologycurrentinthefaceofarapidlyevolvingproblemandanapparentlyinfinitenumberofpossiblesolutions?Whatarethemostcriticalareasweneedtoaddressandhowshouldanenterprisetakethefirststeptomaturetheirriskmanagementprogram?Ratherthanchaseeverynewexceptionalthreatandneglectthefundamentals,howcanwegetontrackwitharoadmapoffundamentals,andguidancetomeasureandimprove? Whichdefensivestepshavethegreatestvalue?

ThesearethekindsofissuesthatledtoandnowdrivetheCISCriticalSecurityControls.Theystartedasagrass-rootsactivitytocutthroughthe“FogofMore”andfocusonthemostfundamentalandvaluableactionsthateveryenterpriseshouldtake.Andvaluehereisdeterminedbyknowledgeanddata–theabilitytoprevent,alert,andrespondtotheattacksthatareplaguingenterprisestoday.

LedbytheCenterforInternetSecurity(CIS),theCISCriticalSecurityControls(“theControls”)havebeenmaturedbyaninternationalcommunityofindividualsandinstitutionsthat:

2

• shareinsightintoattacksandattackers,identifyrootcauses,andtranslatethatintoclassesofdefensiveaction;

• documentstoriesofadoptionandsharetoolstosolveproblems;• tracktheevolutionofthreats,thecapabilitiesofadversaries,andcurrentvectorsof

intrusions;• maptheControlstoregulatoryandcomplianceframeworksandbringcollective

priorityandfocustothem;• sharetools,workingaids,andtranslations;and• identifycommonproblems(likeinitialassessmentandimplementationroadmaps)

andsolvethemasacommunityinsteadofalone.

TheseactivitiesensurethattheControlsarenotjustanotherlistofgoodthingstodo,butaprioritized,highlyfocusedsetofactionsthathaveacommunitysupportnetworktomakethemimplementable,usable,scalable,andcompliantwithallindustryorgovernmentsecurityrequirements.

WhytheCISCriticalSecurityControlsWork:MethodologyandContributors

TheCISCriticalSecurityControlsareinformedbyactualattacksandeffectivedefensesandreflectthecombinedknowledgeofexpertsfromeverypartoftheecosystem(companies,governments,individuals);witheveryrole(threatrespondersandanalysts,technologists,vulnerability-finders,toolmakers,solutionproviders,defenders,users,policy-makers,auditors,etc.);andwithinmanysectors(government,power,defense,finance,transportation,academia,consulting,security,IT)whohavebandedtogethertocreate,adopt,andsupporttheControls.Topexpertsfromorganizationspooledtheirextensivefirst-handknowledgefromdefendingagainstactualcyber-attackstoevolvetheconsensuslistofControls,representingthebestdefensivetechniquestopreventortrackthem.ThisensuresthattheControlsarethemosteffectiveandspecificsetoftechnicalmeasuresavailabletodetect,prevent,respond,andmitigatedamagefromthemostcommontothemostadvancedofthoseattacks.

TheControlsarenotlimitedtoblockingtheinitialcompromiseofsystems,butalsoaddressdetectingalready-compromisedmachinesandpreventingordisruptingattackers’follow-onactions.ThedefensesidentifiedthroughtheseControlsdealwithreducingtheinitialattacksurfacebyhardeningdeviceconfigurations,identifyingcompromisedmachinestoaddresslong-termthreatsinsideanorganization’snetwork,disruptingattackers’command-and-controlofimplantedmaliciouscode,andestablishinganadaptive,continuousdefenseandresponsecapabilitythatcanbemaintainedandimproved.

ThefivecriticaltenetsofaneffectivecyberdefensesystemasreflectedintheCISCriticalSecurityControlsare:

TheCenterforInternetSecurity,Inc.(CIS)isa501c3nonprofitorganizationwhosemissionistoidentify,develop,validate,promote,andsustainbestpracticesincybersecurity;deliverworld-classcybersecuritysolutionstopreventandrapidlyrespondtocyberincidents;andbuildandleadcommunitiestoenableanenvironmentoftrustincyberspace.

Foradditionalinformation,goto<http://www.cisecurity.org/>

3

Offenseinformsdefense:Useknowledgeofactualattacksthathavecompromisedsystemstoprovidethefoundationtocontinuallylearnfromtheseeventstobuildeffective,practicaldefenses.Includeonlythosecontrolsthatcanbeshowntostopknownreal-worldattacks.Prioritization:InvestfirstinControlsthatwillprovidethegreatestriskreductionandprotectionagainstthemostdangerousthreatactorsandthatcanbefeasiblyimplementedinyourcomputingenvironment.Metrics:Establishcommonmetricstoprovideasharedlanguageforexecutives,ITspecialists,auditors,andsecurityofficialstomeasuretheeffectivenessofsecuritymeasureswithinanorganizationsothatrequiredadjustmentscanbeidentifiedandimplementedquickly.Continuousdiagnosticsandmitigation:Carryoutcontinuousmeasurementtotestandvalidatetheeffectivenessofcurrentsecuritymeasuresandtohelpdrivethepriorityofnextsteps.Automation:Automatedefensessothatorganizationscanachievereliable,scalable,andcontinuousmeasurementsoftheiradherencetotheControlsandrelatedmetrics.

HowtoGetStarted

TheCISCriticalSecurityControlsarearelativelysmallnumberofprioritized,well-vetted,andsupportedsecurityactionsthatorganizationscantaketoassessandimprovetheircurrentsecuritystate.Theyalsochangethediscussionfrom“whatshouldmyenterprisedo”to“whatshouldweALLbedoing”toimprovesecurityacrossabroadscale.

Butthisisnotaone-size-fits-allsolution,ineithercontentorpriority.Youmuststillunderstandwhatiscriticaltoyourbusiness,data,systems,networks,andinfrastructures,andyoumustconsidertheadversaryactionsthatcouldimpactyourabilitytobesuccessfulinthebusinessoroperations.EvenarelativelysmallnumberofControlscannotbeexecutedallatonce,soyouwillneedtodevelopaplanforassessment,implementation,andprocessmanagement.

ControlsCSC1throughCSC5areessentialtosuccessandshouldbeconsideredamongtheveryfirstthingstobedone.Werefertotheseas“FoundationalCyberHygiene”–thebasicthingsthatyoumustdotocreateastrongfoundationforyourdefense.Thisistheapproachtakenby,forexample,theDHSContinuousDiagnosticandMitigation(CDM)Program,oneofthepartnersintheCISCriticalSecurityControls.AsimilarapproachisrecommendedbyourpartnersintheAustralianSignalsDirectorate(ASD)withtheir“TopFourStrategiesto

4

MitigateTargetedIntrusions”1–awell-regardedanddemonstrablyeffectivesetofcyber-defenseactionsthatmapverycloselyintotheCISCriticalSecurityControls.ThisalsocloselycorrespondstothemessageoftheUSCERT(ComputerEmergencyReadinessTeam).

Foraplain-language,accessible,andlow-costapproachtotheseideas,considertheCenterforInternetSecurity’s“NationalCyberHygieneCampaign”.(AppendixDandwww.cisecurity.org)

ThisVersionoftheCISCriticalSecurityControls

TheControlsweredevelopedbasedonspecificknowledgeofthethreatenvironmentaswellasthecurrenttechnologiesinthemarketplaceuponwhichourcommunicationsanddatarely.OneofthekeybenefitsoftheControlsisthattheyarenotstatic;theyareupdatedregularlyandaretailoredtoaddressthesecurityissuesoftheday.ThisversionoftheControlsreflectsdeliberationandconsiderationtoensurethateverycontrolandsub-controlisaccurate,essential,conciseandrelevant.

Changesfromversion5.1toVersion6.0includethefollowing:

• Re-orderingsothat“ControlledUseofAdministrativePrivileges”ishigherinpriority(itmovedfromControl#12toControls#5)

• DeletionofControl#19“SecureNetworkEngineering”• NewControl#7“EmailandWebBrowserProtections”• Newcategorizationschemebasedon“families”ofControlsandremovalofthe

“quickwin”categories.• Eachsub-ControlisgroupedintooneofthreeFamilies:

o Systemo Networko Application

• NewappendicesontheNISTCybersecurityFramework,theNationalHygieneCampaignforCyberHygieneandsecuritygovernance.

ChangesfromVersion6.0toVersion6.1includethefollowing:

• Eachsub-Controlisidentifiedaseither“Foundational”or“Advanced”asanaidtoprioritizationandplanning.ThisreplacestheoriginalschemefoundinVersion5butdroppedinVersion6.0.SeeAppendixGforadetailedexplanation.

• Correctionofafewminortyposorformattingerrors.• NochangewasmadetothewordingororderingofanyControlorsub-Control.

1http://www.asd.gov.au/infosec/top-mitigations/top-4-strategies-explained.htm

5

Inadditiontotechnicalcontent,theControlshaveanewhomeandnewname.In2015,theCenterforInternetSecurityintegratedwiththeCouncilonCybersecurity,sotheyarenowreferredtoasthe“CISCriticalSecurityControls.”

OtherResources

ThetruepoweroftheControlsisnotaboutcreatingthebestlistofthingstodo,it’saboutharnessingtheexperienceofacommunityofindividualsandenterprisesthatmakesecurityimprovementsthroughprioritization,sharingideas,andcollectiveaction.

Tosupportthis,theCenterforInternetSecurityactsasacatalystandclearinghousetohelpusalllearnfromeachother.PleasecontacttheCenterforInternetSecurityforthefollowingkindsofworkingaidsandothersupportmaterials:

• MappingsfromtheControlstoaverywidevarietyforformalRiskManagementFrameworks(likeFISMA,ISO,etc.).

• UseCasesofenterpriseadoption• PointerstovendorwhitepapersandothermaterialsthatsupporttheControls.• DocumentationonalignmentwiththeNISTCybersecurityFramework.

StructureoftheCISCriticalSecurityControlsDocument

ThepresentationofeachControlinthisdocumentincludesthefollowingelements:

• AdescriptionoftheimportanceoftheControl(WhyisThisControlCritical)inblockingoridentifyingpresenceofattacksandanexplanationofhowattackersactivelyexploittheabsenceofthiscontrol.

• Achartofthespecificactions(“sub-controls”)thatorganizationsaretakingtoimplement,automate,andmeasureeffectivenessofthiscontrol.

• ProceduresandToolsthatenableimplementationandautomation.• SampleEntityRelationshipDiagramsthatshowcomponentsofimplementation.

Inadditiontothisdocument,westronglyrecommend“AMeasurementCompaniontotheCISCriticalSecurityControls”,availablefromtheCenterforInternetSecurity.

Acknowledgements

TheCenterforInternetSecuritywouldliketothankthemanysecurityexpertswhovolunteeredtheirtimeandtalenttosupporttheControlseffort.Manyoftheindividualswhoworkedonthisversioncontinuetolendtheirexpertiseyearafteryear.Weareextremelygratefulfortheirtimeandexpertise.SpecialrecognitionalsogoestoTheSANSInstitute,amajorcontributortotheeffort.

6

CSC1:InventoryofAuthorizedandUnauthorizedDevices

Activelymanage(inventory,track,andcorrect)allhardwaredevicesonthenetworksothatonlyauthorizeddevicesaregivenaccess,andunauthorizedandunmanageddevicesarefoundandpreventedfromgainingaccess.

WhyIsThisControlCritical?

Attackers,whocanbelocatedanywhereintheworld,arecontinuouslyscanningtheaddressspaceoftargetorganizations,waitingfornewandunprotectedsystemstobeattachedtothenetwork.Attackersalsolookfordevices(especiallylaptops)whichcomeandgooffoftheenterprise’snetwork,andsogetoutofsynchwithpatchesorsecurityupdates.Attackscantakeadvantageofnewhardwarethatisinstalledonthenetworkoneeveningbutnotconfiguredandpatchedwithappropriatesecurityupdatesuntilthefollowingday.EvendevicesthatarenotvisiblefromtheInternetcanbeusedbyattackerswhohavealreadygainedinternalaccessandarehuntingforinternaljumppointsorvictims.Additionalsystemsthatconnecttotheenterprise’snetwork(e.g.,demonstrationsystems,temporarytestsystems,guestnetworks)shouldalsobemanagedcarefullyand/orisolatedinordertopreventadversarialaccessfromaffectingthesecurityofenterpriseoperations.

Asnewtechnologycontinuestocomeout,BYOD(bringyourowndevice)—whereemployeesbringpersonaldevicesintoworkandconnectthemtotheenterprisenetwork—isbecomingverycommon.Thesedevicescouldalreadybecompromisedandbeusedtoinfectinternalresources.

Managedcontrolofalldevicesalsoplaysacriticalroleinplanningandexecutingsystembackupandrecovery.

CSC1:InventoryofAuthorizedandUnauthorizedDevicesFamily CSC ControlDescription Foun-

dationalAdvanced

System 1.1 Deployanautomatedassetinventorydiscoverytoolanduseittobuildapreliminaryinventoryofsystemsconnectedtoanorganization’spublicandprivatenetwork(s).BothactivetoolsthatscanthroughIPv4orIPv6networkaddressrangesandpassivetoolsthatidentifyhostsbasedonanalyzingtheirtrafficshouldbeemployed.

Y

Useamixofactiveand

passivetools,andapplyaspartofacontinuousmonitoringprogram.

System 1.2 IftheorganizationisdynamicallyassigningaddressesusingDHCP,thendeploydynamichostconfigurationprotocol(DHCP)serverlogging,andusethisinformationtoimprovetheassetinventoryandhelpdetectunknownsystems.

Y

7

Family CSC ControlDescription Foun-dational

Advanced

System 1.3 Ensurethatallequipmentacquisitionsautomaticallyupdatetheinventorysystemasnew,approveddevicesareconnectedtothenetwork.

Y

System 1.4 Maintainanassetinventoryofallsystemsconnectedtothenetworkandthenetworkdevicesthemselves,recordingatleastthenetworkaddresses,machinename(s),purposeofeachsystem,anassetownerresponsibleforeachdevice,andthedepartmentassociatedwitheachdevice.TheinventoryshouldincludeeverysystemthathasanInternetprotocol(IP)addressonthenetwork,includingbutnotlimitedtodesktops,laptops,servers,networkequipment(routers,switches,firewalls,etc.),printers,storageareanetworks,VoiceOver-IPtelephones,multi-homedaddresses,virtualaddresses,etc.Theassetinventorycreatedmustalsoincludedataonwhetherthedeviceisaportableand/orpersonaldevice.Devicessuchasmobilephones,tablets,laptops,andotherportableelectronicdevicesthatstoreorprocessdatamustbeidentified,regardlessofwhethertheyareattachedtotheorganization’snetwork.

Y

System 1.5 Deploynetworklevelauthenticationvia802.1xtolimitandcontrolwhichdevicescanbeconnectedtothenetwork.The802.1xmustbetiedintotheinventorydatatodetermineauthorizedversusunauthorizedsystems. Y

Authenticationmechanismsarecloselycoupledto

managementofhardwareinventory

System 1.6 Useclientcertificatestovalidateandauthenticatesystemspriortoconnectingtotheprivatenetwork.

Y

CSC1ProceduresandTools

ThisControlrequiresbothtechnicalandproceduralactions,unitedinaprocessthataccountsforandmanagestheinventoryofhardwareandallassociatedinformationthroughoutitslifecycle.Itlinkstobusinessgovernancebyestablishinginformation/assetownerswhoareresponsibleforeachcomponentofabusinessprocessthatincludesinformation,software,andhardware.Organizationscanuselarge-scale,comprehensiveenterpriseproductstomaintainITassetinventories.Othersusemoremodesttoolstogatherthedatabysweepingthenetwork,andmanagetheresultsseparatelyinadatabase.

MaintainingacurrentandaccurateviewofITassetsisanongoinganddynamicprocess.Organizationscanactivelyscanonaregularbasis,sendingavarietyofdifferentpackettypestoidentifydevicesconnectedtothenetwork.Beforesuchscanningcantakeplace,organizationsshouldverifythattheyhaveadequatebandwidthforsuchperiodicscansby

8

consultingloadhistoryandcapacitiesfortheirnetworks.Inconductinginventoryscans,scanningtoolscouldsendtraditionalpingpackets(ICMPEchoRequest)lookingforpingresponsestoidentifyasystematagivenIPaddress.Becausesomesystemsblockinboundpingpackets,inadditiontotraditionalpings,scannerscanalsoidentifydevicesonthenetworkusingtransmissioncontrolprotocol(TCP)synchronize(SYN)oracknowledge(ACK)packets.OncetheyhaveidentifiedIPaddressesofdevicesonthenetwork,somescannersproviderobustfingerprintingfeaturestodeterminetheoperatingsystemtypeofthediscoveredmachine.

Inadditiontoactivescanningtoolsthatsweepthenetwork,otherassetidentificationtoolspassivelylistenonnetworkinterfacesfordevicestoannouncetheirpresencebysendingtraffic.Suchpassivetoolscanbeconnectedtoswitchspanportsatcriticalplacesinthenetworktoviewalldataflowingthroughsuchswitches,maximizingthechanceofidentifyingsystemscommunicatingthroughthoseswitches.

Manyorganizationsalsopullinformationfromnetworkassetssuchasswitchesandroutersregardingthemachinesconnectedtothenetwork.Usingsecurelyauthenticatedandencryptednetworkmanagementprotocols,toolscanretrieveMACaddressesandotherinformationfromnetworkdevicesthatcanbereconciledwiththeorganization’sassetinventoryofservers,workstations,laptops,andotherdevices.OnceMACaddressesareconfirmed,switchesshouldimplement802.1xandNACtoonlyallowauthorizedsystemsthatareproperlyconfiguredtoconnecttothenetwork.

Wirelessdevices(andwiredlaptops)mayperiodicallyjoinanetworkandthendisappear,makingtheinventoryofcurrentlyavailablesystemsverydynamic.Likewise,virtualmachinescanbedifficulttotrackinassetinventorieswhentheyareshutdownorpaused.Additionally,remotemachinesaccessingthenetworkusingvirtualprivatenetwork(VPN)technologymayappearonthenetworkforatime,andthenbedisconnectedfromit.Whetherphysicalorvirtual,eachmachineusinganIPaddressshouldbeincludedinanorganization’sassetinventory.

9

CSC1SystemEntityRelationshipDiagram

AssetInventoryDatabase

PublicKeyInfrastructure(PKI)

ComputingSystems

NetworkLevelAuthentication(NLA)

PassiveDeviceDiscovery

ActiveDeviceDiscovery

Alerting/ReportingAnalyticsSystem

10

CSC2:InventoryofAuthorizedandUnauthorizedSoftware

Activelymanage(inventory,track,andcorrect)allsoftwareonthenetworksothatonlyauthorizedsoftwareisinstalledandcanexecute,andthatunauthorizedandunmanagedsoftwareisfoundandpreventedfrominstallationorexecution.


Attackerscontinuouslyscantargetorganizationslookingforvulnerableversionsofsoftwarethatcanberemotelyexploited.Someattackersalsodistributehostilewebpages,documentfiles,mediafiles,andothercontentviatheirownwebpagesorotherwisetrustworthythird-partysites.Whenunsuspectingvictimsaccessthiscontentwithavulnerablebrowserorotherclient-sideprogram,attackerscompromisetheirmachines,ofteninstallingbackdoorprogramsandbotsthatgivetheattackerlong-termcontrolofthesystem.Somesophisticatedattackersmayusezero-dayexploits,whichtakeadvantageofpreviouslyunknownvulnerabilitiesforwhichnopatchhasyetbeenreleasedbythesoftwarevendor.Withoutproperknowledgeorcontrolofthesoftwaredeployedinanorganization,defenderscannotproperlysecuretheirassets.

Poorlycontrolledmachinesaremorelikelytobeeitherrunningsoftwarethatisunneededforbusinesspurposes(introducingpotentialsecurityflaws),orrunningmalwareintroducedbyanattackerafterasystemiscompromised.Onceasinglemachinehasbeenexploited,attackersoftenuseitasastagingpointforcollectingsensitiveinformationfromthecompromisedsystemandfromothersystemsconnectedtoit.Inaddition,compromisedmachinesareusedasalaunchingpointformovementthroughoutthenetworkandpartneringnetworks.Inthisway,attackersmayquicklyturnonecompromisedmachineintomany.Organizationsthatdonothavecompletesoftwareinventoriesareunabletofindsystemsrunningvulnerableormalicioussoftwaretomitigateproblemsorrootoutattackers.

Managedcontrolofallsoftwarealsoplaysacriticalroleinplanningandexecutingsystembackupandrecovery.

CSC2:InventoryofAuthorizedandUnauthorizedSoftwareFamily CSC ControlDescription Foun-

dationalAdvanced

System 2.1 Devisealistofauthorizedsoftwareandversionthatisrequiredintheenterpriseforeachtypeofsystem,includingservers,workstations,andlaptopsofvariouskindsanduses.Thislistshouldbemonitoredbyfileintegritycheckingtoolstovalidatethattheauthorizedsoftwarehasnotbeenmodified.

Y

Fileintegrityisverifiedaspartofacontinuousmonitoringprogram.

11


Advanced

System 2.2 Deployapplicationwhitelistingthatallowssystemstorunsoftwareonlyifitisincludedonthewhitelistandpreventsexecutionofallothersoftwareonthesystem.Thewhitelistmaybeveryextensive(asisavailablefromcommercialwhitelistvendors),sothatusersarenotinconveniencedwhenusingcommonsoftware.Or,forsomespecial-purposesystems(whichrequireonlyasmallnumberofprogramstoachievetheirneededbusinessfunctionality),thewhitelistmaybequitenarrow.

Y

Whitelistapplicationlibraries(suchasDLLs)inadditiontoexecutablebinaries(suchasEXEsandMSIs.

System 2.3 Deploysoftwareinventorytoolsthroughouttheorganizationcoveringeachoftheoperatingsystemtypesinuse,includingservers,workstations,andlaptops.Thesoftwareinventorysystemshouldtracktheversionoftheunderlyingoperatingsystemaswellastheapplicationsinstalledonit.Thesoftwareinventorysystemsmustbetiedintothehardwareassetinventorysoalldevicesandassociatedsoftwarearetrackedfromasinglelocation.

Y

Hardwareandsoftwareinventory

managementarecloselycoupled,andmanagedcentrally.

System 2.4 Virtualmachinesand/orair-gappedsystemsshouldbeusedtoisolateandrunapplicationsthatarerequiredforbusinessoperationsbutbasedonhigherriskshouldnotbeinstalledwithinanetworkedenvironment.

Y


Whitelistingcanbeimplementedusingacombinationofcommercialwhitelistingtools,policiesorapplicationexecutiontoolsthatcomewithanti-virussuitesandwithWindows.Commercialsoftwareandassetinventorytoolsarewidelyavailableandinuseinmanyenterprisestoday.Thebestofthesetoolsprovideaninventorycheckofhundredsofcommonapplicationsusedinenterprises,pullinginformationaboutthepatchlevelofeachinstalledprogramtoensurethatitisthelatestversionandleveragingstandardizedapplicationnames,suchasthosefoundinthecommonplatformenumerationspecification.

Featuresthatimplementwhitelistsareincludedinmanymodernendpointsecuritysuites.Moreover,commercialsolutionsareincreasinglybundlingtogetheranti-virus,anti-spyware,personalfirewall,andhost-basedintrusiondetectionsystems(IDS)andintrusionpreventionsystems(IPS),alongwithapplicationwhiteandblacklisting.Inparticular,mostendpointsecuritysolutionscanlookatthename,filesystemlocation,and/orcryptographichashofagivenexecutabletodeterminewhethertheapplicationshouldbeallowedtorunontheprotectedmachine.Themosteffectiveofthesetoolsoffercustomwhitelistsbasedonexecutablepath,hash,orregularexpressionmatching.Someeven

12

includeagraylistfunctionthatallowsadministratorstodefinerulesforexecutionofspecificprogramsonlybycertainusersandatcertaintimesofday.


AssetInventoryDatabase

ComputingSystems

SoftwareInventoryTool

SoftwareWhitelisting

OSVirtualizationSystem


13

CSC3:SecureConfigurationsforHardwareandSoftwareonMobileDevices,Laptops,Workstations,andServers

Establish,implement,andactivelymanage(track,reporton,correct)thesecurityconfigurationoflaptops,servers,andworkstationsusingarigorousconfigurationmanagementandchangecontrolprocessinordertopreventattackersfromexploitingvulnerableservicesandsettings.


Asdeliveredbymanufacturersandresellers,thedefaultconfigurationsforoperatingsystemsandapplicationsarenormallygearedtoease-of-deploymentandease-of-use–notsecurity.Basiccontrols,openservicesandports,defaultaccountsorpasswords,older(vulnerable)protocols,pre-installationofunneededsoftware;allcanbeexploitableintheirdefaultstate.

Developingconfigurationsettingswithgoodsecuritypropertiesisacomplextaskbeyondtheabilityofindividualusers,requiringanalysisofpotentiallyhundredsorthousandsofoptionsinordertomakegoodchoices(theProceduresandToolsectionbelowprovidesresourcesforsecureconfigurations).Evenifastronginitialconfigurationisdevelopedandinstalled,itmustbecontinuallymanagedtoavoidsecurity“decay”assoftwareisupdatedorpatched,newsecurityvulnerabilitiesarereported,andconfigurationsare“tweaked”toallowtheinstallationofnewsoftwareorsupportnewoperationalrequirements.Ifnot,attackerswillfindopportunitiestoexploitbothnetwork-accessibleservicesandclientsoftware.

CSC3:SecureConfigurationsforHardwareandSoftwareFamily CSC ControlDescription Foun-

dationalAdvanced

System 3.1 Establishstandardsecureconfigurationsofoperatingsystemsandsoftwareapplications.Standardizedimagesshouldrepresenthardenedversionsoftheunderlyingoperatingsystemandtheapplicationsinstalledonthesystem.Theseimagesshouldbevalidatedandrefreshedonaregularbasistoupdatetheirsecurityconfigurationinlightofrecentvulnerabilitiesandattackvectors.

Y

System 3.2 Followstrictconfigurationmanagement,buildingasecureimagethatisusedtobuildallnewsystemsthataredeployedintheenterprise.Anyexistingsystemthatbecomescompromisedshouldbere-imagedwiththesecurebuild.Regularupdatesorexceptionstothisimageshouldbeintegratedintotheorganization’schangemanagementprocesses.Imagesshouldbecreatedforworkstations,servers,andothersystemtypesusedbytheorganization.

Y

14


Advanced

System 3.3 Storethemasterimagesonsecurelyconfiguredservers,validatedwithintegritycheckingtoolscapableofcontinuousinspection,andchangemanagementtoensurethatonlyauthorizedchangestotheimagesarepossible.Alternatively,thesemasterimagescanbestoredinofflinemachines,air-gappedfromtheproductionnetwork,withimagescopiedviasecuremediatomovethembetweentheimagestorageserversandtheproductionnetwork.

Y

Fileintegrityofmasterimagesareverifiedas

partofacontinuousmonitoringprogram.

System 3.4 Performallremoteadministrationofservers,workstation,networkdevices,andsimilarequipmentoversecurechannels.Protocolssuchastelnet,VNC,RDP,orothersthatdonotactivelysupportstrongencryptionshouldonlybeusediftheyareperformedoverasecondaryencryptionchannel,suchasSSL,TLSorIPSEC.

Y

System 3.5 Usefileintegritycheckingtoolstoensurethatcriticalsystemfiles(includingsensitivesystemandapplicationexecutables,libraries,andconfigurations)havenotbeenaltered.Thereportingsystemshould:havetheabilitytoaccountforroutineandexpectedchanges;highlightandalertonunusualorunexpectedalterations;showthehistoryofconfigurationchangesovertimeandidentifywhomadethechange(includingtheoriginallogged-inaccountintheeventofauserIDswitch,suchaswiththesuorsudocommand).Theseintegritychecksshouldidentifysuspicioussystemalterationssuchas:ownerandpermissionschangestofilesordirectories;theuseofalternatedatastreamswhichcouldbeusedtohidemaliciousactivities;andtheintroductionofextrafilesintokeysystemareas(whichcouldindicatemaliciouspayloadsleftbyattackersoradditionalfilesinappropriatelyaddedduringbatchdistributionprocesses).

Y

Fileintegrityofcriticalsystemfilesareverifiedaspartofacontinuousmonitoringprogram.

System 3.6 Implementandtestanautomatedconfigurationmonitoringsystemthatverifiesallremotelytestablesecureconfigurationelements,andalertswhenunauthorizedchangesoccur.Thisincludesdetectingnewlisteningports,newadministrativeusers,changestogroupandlocalpolicyobjects(whereapplicable),andnewservicesrunningonasystem.WheneverpossibleusetoolscompliantwiththeSecurityContentAutomationProtocol(SCAP)inordertostreamlinereportingandintegration.

Y

15


Advanced

System 3.7 Deploysystemconfigurationmanagementtools,suchasActiveDirectoryGroupPolicyObjectsforMicrosoftWindowssystemsorPuppetforUNIXsystemsthatwillautomaticallyenforceandredeployconfigurationsettingstosystemsatregularlyscheduledintervals.Theyshouldbecapableoftriggeringredeploymentofconfigurationsettingsonascheduled,manual,orevent-drivenbasis.

Y


Ratherthanstartfromscratchdevelopingasecuritybaselineforeachsoftwaresystem,organizationsshouldstartfrompubliclydeveloped,vetted,andsupportedsecuritybenchmarks,securityguides,orchecklists.Excellentresourcesinclude:

• TheCenterforInternetSecurityBenchmarksProgram(www.cisecurity.org)• TheNISTNationalChecklistProgram(checklists.nist.gov)

Organizationsshouldaugmentoradjustthesebaselinestosatisfylocalpoliciesandrequirements,butdeviationsandrationaleshouldbedocumentedtofacilitatelaterreviewsoraudits.

Foracomplexenterprise,theestablishmentofasinglesecuritybaselineconfiguration(forexample,asingleinstallationimageforallworkstationsacrosstheentireenterprise)issometimesnotpracticalordeemedunacceptable.Itislikelythatyouwillneedtosupportdifferentstandardizedimages,basedontheproperhardeningtoaddressrisksandneededfunctionalityoftheintendeddeployment(example,awebserverintheDMZvs.anemailorotherapplicationserverintheinternalnetwork).Thenumberofvariationsshouldbekepttoaminimuminordertobetterunderstandandmanagethesecuritypropertiesofeach,butorganizationsthenmustbepreparedtomanagemultiplebaselines.

Commercialand/orfreeconfigurationmanagementtoolscanthenbeemployedtomeasurethesettingsofoperatingsystemsandapplicationsofmanagedmachinestolookfordeviationsfromthestandardimageconfigurations.Typicalconfigurationmanagementtoolsusesomecombinationofanagentinstalledoneachmanagedsystem,oragentlessinspectionofsystemsbyremotelyloggingintoeachmanagedmachineusingadministratorcredentials.Additionally,ahybridapproachissometimesusedwherebyaremotesessionisinitiated,atemporaryordynamicagentisdeployedonthetargetsystemforthescan,andthentheagentisremoved.

16


ComputingSystems

FileIntegrityAssessment(FIA)

SystemImages&Baselines

SCAPConfigurationScanner

ConfigurationEnforcementSystem


17

CSC4:ContinuousVulnerabilityAssessmentandRemediation

Continuouslyacquire,assess,andtakeactiononnewinformationinordertoidentifyvulnerabilities,remediate,andminimizethewindowofopportunityforattackers.


Cyberdefendersmustoperateinaconstantstreamofnewinformation:softwareupdates,patches,securityadvisories,threatbulletins,etc.Understandingandmanagingvulnerabilitieshasbecomeacontinuousactivity,requiringsignificanttime,attention,andresources.

Attackershaveaccesstothesameinformationandcantakeadvantageofgapsbetweentheappearanceofnewknowledgeandremediation.Forexample,whenresearchersreportnewvulnerabilities,aracestartsamongallparties,including:attackers(to“weaponize”,deployanattack,exploit);vendors(todevelop,deploypatchesorsignaturesandupdates),anddefenders(toassessrisk,regression-testpatches,install).

Organizationsthatdonotscanforvulnerabilitiesandproactivelyaddressdiscoveredflawsfaceasignificantlikelihoodofhavingtheircomputersystemscompromised.Defendersfaceparticularchallengesinscalingremediationacrossanentireenterprise,andprioritizingactionswithconflictingpriorities,andsometimes-uncertainsideeffects.

CSC4:ContinuousVulnerabilityAssessmentandRemediationFamily CSC ControlDescription Foun-

dationalAdvanced

System 4.1 Runautomatedvulnerabilityscanningtoolsagainstallsystemsonthenetworkonaweeklyormorefrequentbasisanddeliverprioritizedlistsofthemostcriticalvulnerabilitiestoeachresponsiblesystemadministratoralongwithriskscoresthatcomparetheeffectivenessofsystemadministratorsanddepartmentsinreducingrisk.UseaSCAP-validatedvulnerabilityscannerthatlooksforbothcode-basedvulnerabilities(suchasthosedescribedbyCommonVulnerabilitiesandExposuresentries)andconfiguration-basedvulnerabilities(asenumeratedbytheCommonConfigurationEnumerationProject).

Y

Vulnerabilityriskscoringiscentrally

measuredandmanaged,andintegratedintoactionplanning.

System 4.2 Correlateeventlogswithinformationfromvulnerabilityscanstofulfilltwogoals.First,personnelshouldverifythattheactivityoftheregularvulnerabilityscanningtoolsisitselflogged.Second,personnelshouldbeabletocorrelateattackdetectioneventswithpriorvulnerabilityscanningresultstodeterminewhetherthegivenexploitwasusedagainstatargetknowntobevulnerable.

Y

18


Advanced

System 4.3 Performvulnerabilityscanninginauthenticatedmodeeitherwithagentsrunninglocallyoneachendsystemtoanalyzethesecurityconfigurationorwithremotescannersthataregivenadministrativerightsonthesystembeingtested.Useadedicatedaccountforauthenticatedvulnerabilityscans,whichshouldnotbeusedforanyotheradministrativeactivitiesandshouldbetiedtospecificmachinesatspecificIPaddresses.Ensurethatonlyauthorizedemployeeshaveaccesstothevulnerabilitymanagementuserinterfaceandthatrolesareappliedtoeachuser.

Y

System 4.4 Subscribetovulnerabilityintelligenceservicesinordertostayawareofemergingexposures,andusetheinformationgainedfromthissubscriptiontoupdatetheorganization’svulnerabilityscanningactivitiesonatleastamonthlybasis.Alternatively,ensurethatthevulnerabilityscanningtoolsyouuseareregularlyupdatedwithallrelevantimportantsecurityvulnerabilities.

Y

System 4.5 Deployautomatedpatchmanagementtoolsandsoftwareupdatetoolsforoperatingsystemandsoftware/applicationsonallsystemsforwhichsuchtoolsareavailableandsafe.Patchesshouldbeappliedtoallsystems,evensystemsthatareproperlyairgapped.

Y

System 4.6 Monitorlogsassociatedwithanyscanningactivityandassociatedadministratoraccountstoensurethatthisactivityislimitedtothetimeframesoflegitimatescans.

Y

System 4.7 Comparetheresultsfromback-to-backvulnerabilityscanstoverifythatvulnerabilitieswereaddressed,eitherbypatching,implementingacompensatingcontrol,ordocumentingandacceptingareasonablebusinessrisk.Suchacceptanceofbusinessrisksforexistingvulnerabilitiesshouldbeperiodicallyreviewedtodetermineifnewercompensatingcontrolsorsubsequentpatchescanaddressvulnerabilitiesthatwerepreviouslyaccepted,orifconditionshavechanged,increasingtherisk.

Y

System 4.8 Establishaprocesstorisk-ratevulnerabilitiesbasedontheexploitabilityandpotentialimpactofthevulnerability,andsegmentedbyappropriategroupsofassets(example,DMZservers,internalnetworkservers,desktops,laptops).Applypatchesfortheriskiestvulnerabilitiesfirst.Aphasedrolloutcanbeusedtominimizetheimpacttotheorganization.Establishexpectedpatchingtimelinesbasedontheriskratinglevel.

Y

19


Alargenumberofvulnerabilityscanningtoolsareavailabletoevaluatethesecurityconfigurationofsystems.Someenterpriseshavealsofoundcommercialservicesusingremotelymanagedscanningappliancestobeeffective.Tohelpstandardizethedefinitionsofdiscoveredvulnerabilitiesinmultipledepartmentsofanorganizationorevenacrossorganizations,itispreferabletousevulnerabilityscanningtoolsthatmeasuresecurityflawsandmapthemtovulnerabilitiesandissuescategorizedusingoneormoreofthefollowingindustry-recognizedvulnerability,configuration,andplatformclassificationschemesandlanguages:CVE,CCE,OVAL,CPE,CVSS,and/orXCCDF.

Advancedvulnerabilityscanningtoolscanbeconfiguredwithusercredentialstologintoscannedsystemsandperformmorecomprehensivescansthancanbeachievedwithoutlogincredentials.Thefrequencyofscanningactivities,however,shouldincreaseasthediversityofanorganization’ssystemsincreasestoaccountforthevaryingpatchcyclesofeachvendor.

Inadditiontothescanningtoolsthatcheckforvulnerabilitiesandmisconfigurationsacrossthenetwork,variousfreeandcommercialtoolscanevaluatesecuritysettingsandconfigurationsoflocalmachinesonwhichtheyareinstalled.Suchtoolscanprovidefine-grainedinsightintounauthorizedchangesinconfigurationortheinadvertentintroductionofsecurityweaknessesbyadministrators.

Effectiveorganizationslinktheirvulnerabilityscannerswithproblem-ticketingsystemsthatautomaticallymonitorandreportprogressonfixingproblems,andthatmakeunmitigatedcriticalvulnerabilitiesvisibletohigherlevelsofmanagementtoensuretheproblemsaresolved.

Themosteffectivevulnerabilityscanningtoolscomparetheresultsofthecurrentscanwithpreviousscanstodeterminehowthevulnerabilitiesintheenvironmenthavechangedovertime.Securitypersonnelusethesefeaturestoconductvulnerabilitytrendingfrommonthtomonth.

Asvulnerabilitiesrelatedtounpatchedsystemsarediscoveredbyscanningtools,securitypersonnelshoulddetermineanddocumenttheamountoftimethatelapsesbetweenthepublicreleaseofapatchforthesystemandtheoccurrenceofthevulnerabilityscan.Ifthistimewindowexceedstheorganization’sbenchmarksfordeploymentofthegivenpatch’scriticalitylevel,securitypersonnelshouldnotethedelayanddetermineifadeviationwasformallydocumentedforthesystemanditspatch.Ifnot,thesecurityteamshouldworkwithmanagementtoimprovethepatchingprocess.

Additionally,someautomatedpatchingtoolsmaynotdetectorinstallcertainpatchesduetoanerrorbythevendororadministrator.Becauseofthis,allpatchchecksshouldreconcilesystempatcheswithalistofpatcheseachvendorhasannouncedonitswebsite.

20


ComputingSystems

SCAPVulnerabilityScanner

PatchManagement


21

CSC5:ControlledUseofAdministrativePrivileges

Theprocessesandtoolsusedtotrack/control/prevent/correcttheuse,assignment,andconfigurationofadministrativeprivilegesoncomputers,networks,andapplications.


Themisuseofadministrativeprivilegesisaprimarymethodforattackerstospreadinsideatargetenterprise.Twoverycommonattackertechniquestakeadvantageofuncontrolledadministrativeprivileges.Inthefirst,aworkstationuserrunningasaprivilegeduser,isfooledintoopeningamaliciousemailattachment,downloadingandopeningafilefromamaliciouswebsite,orsimplysurfingtoawebsitehostingattackercontentthatcanautomaticallyexploitbrowsers.Thefileorexploitcontainsexecutablecodethatrunsonthevictim’smachineeitherautomaticallyorbytrickingtheuserintoexecutingtheattacker’scontent.Ifthevictimuser’saccounthasadministrativeprivileges,theattackercantakeoverthevictim’smachinecompletelyandinstallkeystrokeloggers,sniffers,andremotecontrolsoftwaretofindadministrativepasswordsandothersensitivedata.Similarattacksoccurwithemail.Anadministratorinadvertentlyopensanemailthatcontainsaninfectedattachmentandthisisusedtoobtainapivotpointwithinthenetworkthatisusedtoattackothersystems.

Thesecondcommontechniqueusedbyattackersiselevationofprivilegesbyguessingorcrackingapasswordforanadministrativeusertogainaccesstoatargetmachine.Ifadministrativeprivilegesarelooselyandwidelydistributed,oridenticaltopasswordsusedonlesscriticalsystems,theattackerhasamucheasiertimegainingfullcontrolofsystems,becausetherearemanymoreaccountsthatcanactasavenuesfortheattackertocompromiseadministrativeprivileges.

CSC5:ControlledUseofAdministrativePrivilegesFamily CSC ControlDescription Foun-

dationalAdvanced

System 5.1 Minimizeadministrativeprivilegesandonlyuseadministrativeaccountswhentheyarerequired.Implementfocusedauditingontheuseofadministrativeprivilegedfunctionsandmonitorforanomalousbehavior.

Y

System 5.2 Useautomatedtoolstoinventoryalladministrativeaccountsandvalidatethateachpersonwithadministrativeprivilegesondesktops,laptops,andserversisauthorizedbyaseniorexecutive.

Y

System 5.3 Beforedeployinganynewdevicesinanetworkedenvironment,changealldefaultpasswordsforapplications,operatingsystems,routers,firewalls,wirelessaccesspoints,andothersystemstohavevaluesconsistentwithadministration-levelaccounts.

Y

22


Advanced

System 5.4 Configuresystemstoissuealogentryandalertwhenanaccountisaddedtoorremovedfromadomainadministrators’group,orwhenanewlocaladministratoraccountisaddedonasystem.

Y

System 5.5 Configuresystemstoissuealogentryandalertonanyunsuccessfullogintoanadministrativeaccount. Y

System 5.6 Usemulti-factorauthenticationforalladministrativeaccess,includingdomainadministrativeaccess.Multi-factorauthenticationcanincludeavarietyoftechniques,toincludetheuseofsmartcards,certificates,OneTimePassword(OTP)tokens,biometrics,orothersimilarauthenticationmethods.

Y

System 5.7 Wheremulti-factorauthenticationisnotsupported,useraccountsshallberequiredtouselongpasswordsonthesystem(longerthan14characters).

Y

System 5.8 Administratorsshouldberequiredtoaccessasystemusingafullyloggedandnon-administrativeaccount.Then,onceloggedontothemachinewithoutadministrativeprivileges,theadministratorshouldtransitiontoadministrativeprivilegesusingtoolssuchasSudoonLinux/UNIX,RunAsonWindows,andothersimilarfacilitiesforothertypesofsystems.

Y

System 5.9 Administratorsshalluseadedicatedmachineforalladministrativetasksortasksrequiringelevatedaccess.Thismachineshallbeisolatedfromtheorganization'sprimarynetworkandnotbeallowedInternetaccess.Thismachineshallnotbeusedforreadingemail,composingdocuments,orsurfingtheInternet.

Y


Built-inoperatingsystemfeaturescanextractlistsofaccountswithsuper-userprivileges,bothlocallyonindividualsystemsandonoveralldomaincontrollers.Toverifythatuserswithhigh-privilegedaccountsdonotusesuchaccountsforday-to-daywebsurfingandemailreading,securitypersonnelshouldperiodicallygatheralistofrunningprocessestodeterminewhetheranybrowsersoremailreadersarerunningwithhighprivileges.Suchinformationgatheringcanbescripted,withshortshellscriptssearchingforadozenormoredifferentbrowsers,emailreaders,anddocumenteditingprogramsrunningwithhighprivilegesonmachines.Somelegitimatesystemadministrationactivitymayrequiretheexecutionofsuchprogramsovertheshortterm,butlong-termorfrequentuseofsuchprogramswithadministrativeprivilegescouldindicatethatanadministratorisnotadheringtothiscontrol.

23

Toenforcetherequirementforstrongpasswords,built-inoperatingsystemfeaturesforminimumpasswordlengthcanbeconfiguredtopreventusersfromchoosingshortpasswords.Toenforcepasswordcomplexity(requiringpasswordstobeastringofpseudo-randomcharacters),built-inoperatingsystemsettingsorthird-partypasswordcomplexityenforcementtoolscanbeapplied.


ComputingSystems

AuthenticationSystem

Identity&AccessManagementSystem Workforce

Members


DedicatedAdministrationSystems

24

CSC6:Maintenance,Monitoring,andAnalysisofAuditLogs

Collect,manage,andanalyzeauditlogsofeventsthatcouldhelpdetect,understand,orrecoverfromanattack.


Deficienciesinsecurityloggingandanalysisallowattackerstohidetheirlocation,malicioussoftware,andactivitiesonvictimmachines.Evenifthevictimsknowthattheirsystemshavebeencompromised,withoutprotectedandcompleteloggingrecordstheyareblindtothedetailsoftheattackandtosubsequentactionstakenbytheattackers.Withoutsolidauditlogs,anattackmaygounnoticedindefinitelyandtheparticulardamagesdonemaybeirreversible.

Sometimesloggingrecordsaretheonlyevidenceofasuccessfulattack.Manyorganizationskeepauditrecordsforcompliancepurposes,butattackersrelyonthefactthatsuchorganizationsrarelylookattheauditlogs,sotheydonotknowthattheirsystemshavebeencompromised.Becauseofpoorornonexistentloganalysisprocesses,attackerssometimescontrolvictimmachinesformonthsoryearswithoutanyoneinthetargetorganizationknowing,eventhoughtheevidenceoftheattackhasbeenrecordedinunexaminedlogfiles.

CSC6:Maintenance,Monitoring,andAnalysisofAuditLogsFamily CSC ControlDescription Foun-

dationalAdvanced

System 6.1 Includeatleasttwosynchronizedtimesourcesfromwhichallserversandnetworkequipmentretrievetimeinformationonaregularbasissothattimestampsinlogsareconsistent.

Y

System 6.2 Validateauditlogsettingsforeachhardwaredeviceandthesoftwareinstalledonit,ensuringthatlogsincludeadate,timestamp,sourceaddresses,destinationaddresses,andvariousotherusefulelementsofeachpacketand/ortransaction.SystemsshouldrecordlogsinastandardizedformatsuchassyslogentriesorthoseoutlinedbytheCommonEventExpressioninitiative.Ifsystemscannotgeneratelogsinastandardizedformat,lognormalizationtoolscanbedeployedtoconvertlogsintosuchaformat.

Y

System 6.3 Ensurethatallsystemsthatstorelogshaveadequatestoragespaceforthelogsgeneratedonaregularbasis,sothatlogfileswillnotfillupbetweenlogrotationintervals.Thelogsmustbearchivedanddigitallysignedonaperiodicbasis.

Y

System 6.4 Havesecuritypersonneland/orsystemadministratorsrunbiweeklyreportsthatidentifyanomaliesinlogs.Theyshouldthenactivelyreviewtheanomalies,documentingtheirfindings.

Y

25


Advanced

System 6.5 Configurenetworkboundarydevices,includingfirewalls,network-basedIPS,andinboundandoutboundproxies,toverboselylogalltraffic(bothallowedandblocked)arrivingatthedevice.

Y

System 6.6 DeployaSIEM(SecurityInformationandEventManagement)orloganalytictoolsforlogaggregationandconsolidationfrommultiplemachinesandforlogcorrelationandanalysis.UsingtheSIEMtool,systemadministratorsandsecuritypersonnelshoulddeviseprofilesofcommoneventsfromgivensystemssothattheycantunedetectiontofocusonunusualactivity,avoidfalsepositives,morerapidlyidentifyanomalies,andpreventoverwhelminganalystswithinsignificantalerts.

Y


Mostfreeandcommercialoperatingsystems,networkservices,andfirewalltechnologiesofferloggingcapabilities.Suchloggingshouldbeactivated,withlogssenttocentralizedloggingservers.Firewalls,proxies,andremoteaccesssystems(VPN,dial-up,etc.)shouldallbeconfiguredforverboselogging,storingalltheinformationavailableforloggingintheeventafollow-upinvestigationisrequired.Furthermore,operatingsystems,especiallythoseofservers,shouldbeconfiguredtocreateaccesscontrollogswhenauserattemptstoaccessresourceswithouttheappropriateprivileges.Toevaluatewhethersuchloggingisinplace,anorganizationshouldperiodicallyscanthroughitslogsandcomparethemwiththeassetinventoryassembledaspartofCriticalControl1inordertoensurethateachmanageditemactivelyconnectedtothenetworkisperiodicallygeneratinglogs.

AnalyticalprogramssuchasSIM/SEMsolutionsforreviewinglogscanprovidevalue,butthecapabilitiesemployedtoanalyzeauditlogsarequiteextensive,evenincluding,importantly,justacursoryexaminationbyaperson.Actualcorrelationtoolscanmakeauditlogsfarmoreusefulforsubsequentmanualinspection.Suchtoolscanbequitehelpfulinidentifyingsubtleattacks.However,thesetoolsareneitherapanaceanorareplacementforskilledinformationsecuritypersonnelandsystemadministrators.Evenwithautomatedloganalysistools,humanexpertiseandintuitionareoftenrequiredtoidentifyandunderstandattacks.

26


ComputingSystems

NetworkTimeProtocol(NTP)System


27

CSC7:EmailandWebBrowserProtections

Minimizetheattacksurfaceandtheopportunitiesforattackerstomanipulatehumanbehaviorthoughtheirinteractionwithwebbrowsersandemailsystems.


Webbrowsersandemailclientsareverycommonpointsofentryandattackbecauseoftheirhightechnicalcomplexityandflexibility,andtheirdirectinteractionwithusersandwiththeothersystemsandwebsites.Contentcanbecraftedtoenticeorspoofusersintotakingactionsthatgreatlyincreaseriskandallowintroductionofmaliciouscode,lossofvaluabledata,andotherattacks.

CSC7:EmailandWebBrowserProtectionsFamily CSC ControlDescription Foun-

dationalAdvanced

System 7.1 Ensurethatonlyfullysupportedwebbrowsersandemailclientsareallowedtoexecuteintheorganization,ideallyonlyusingthelatestversionofthebrowsersprovidedbythevendorinordertotakeadvantageofthelatestsecurityfunctionsandfixes.

Y

System 7.2 Uninstallordisableanyunnecessaryorunauthorizedbrowseroremailclientpluginsoradd-onapplications.Eachpluginshallutilizeapplication/URLwhitelistingandonlyallowtheuseoftheapplicationforpre-approveddomains.

Y

System 7.3 Limittheuseofunnecessaryscriptinglanguagesinallwebbrowsersandemailclients.ThisincludestheuseoflanguagessuchasActiveXandJavaScriptonsystemswhereitisunnecessarytosupportsuchcapabilities.

Y

System 7.4 LogallURLrequestsfromeachoftheorganization'ssystems,whetheronsiteoramobiledevice,inordertoidentifypotentiallymaliciousactivityandassistincidenthandlerswithidentifyingpotentiallycompromisedsystems.

Y Includemobiledevices.

System 7.5 Deploytwoseparatebrowserconfigurationstoeachsystem.Oneconfigurationshoulddisabletheuseofallplugins,unnecessaryscriptinglanguages,andgenerallybeconfiguredwithlimitedfunctionalityandbeusedforgeneralwebbrowsing.Theotherconfigurationshallallowformorebrowserfunctionalitybutshouldonlybeusedtoaccessspecificwebsitesthatrequiretheuseofsuchfunctionality.

Y

28


Advanced

System 7.6 TheorganizationshallmaintainandenforcenetworkbasedURLfiltersthatlimitasystem'sabilitytoconnecttowebsitesnotapprovedbytheorganization.TheorganizationshallsubscribetoURLcategorizationservicestoensurethattheyareup-to-datewiththemostrecentwebsitecategorydefinitionsavailable.Uncategorizedsitesshallbeblockedbydefault.Thisfilteringshallbeenforcedforeachoftheorganization'ssystems,whethertheyarephysicallyatanorganization'sfacilitiesornot.

Y

System 7.7 Tolowerthechanceofspoofedemailmessages,implementtheSenderPolicyFramework(SPF)bydeployingSPFrecordsinDNSandenablingreceiver-sideverificationinmailservers.

Y

System 7.8 Scanandblockallemailattachmentsenteringtheorganization'semailgatewayiftheycontainmaliciouscodeorfiletypesthatareunnecessaryfortheorganization'sbusiness.Thisscanningshouldbedonebeforetheemailisplacedintheuser'sinbox.Thisincludesemailcontentfilteringandwebcontentfiltering.

Y


WebBrowser

Mostwebbrowserstodayhavebasicsecurityfeatures,butitisnotadequatetorelyononeaspectofsecurity.Awebserverismadeupoflayersthatprovidemultipleavenuesofattack.Thefoundationofanywebbrowseristheoperatingsystemandthesecrettoensuringthatitremainssecureissimple:keepitupdatedwiththelatestsecuritypatches.Ensurethatyourpatchesareup-to-dateandinstalledproperly,asanyserverrunningoldpatcheswillbecomeavictim.

Updateanysoftwarecomponentsthatrunonawebserver.Anythingthatisnon-essential,suchasDNSserversandremoteadministrationtoolslikeVNCorRemoteDesktop,shouldbedisabledorremoved.Ifremoteadministrationtoolsareessential,however,thenavoidusingdefaultpasswordsoranythingthatcanbeeasilyguessed.Thisisnotonlyapplicableforremoteaccesstools,butuseraccounts,switchesandroutersaswell.

Aflexiblefirewallisoneofthestrongestformsofdefenseagainstsecuritybreaches.Whenawebserveristargetedtheattackwillattempttouploadhackingtoolsormalwareimmediately,soastotakeadvantageofthesecuritybreachbeforeitisfixed.Withoutagoodanti-viruspackage,abreachinsecuritycangounnoticedforasignificantamountoftime.

29

Cybercriminalscanexploitcookiesinmaliciousways.Changingyourbrowsersettingstoblockthirdpartycookieswillhelpreducethisrisk.Theautocompleteorautofillfeaturesaveskeystrokesbystoringinformationyourecentlytyped.However,autocompleteforlogininformationposesabigriskifyourlaptopislostorstolen.Andrestrictingadd-onstoanabsoluteminimumwillreducetheattacksurface.Add-onscanharbormalwareandincreasethepossibilitiesforattackingyourbrowser.Configureyourbrowserstopreventthemfrominstallingadd-onswithoutaprompt.

Mostpopularbrowsersemployadatabaseofphishingand/ormalwaresitestoprotectagainstthemostcommonthreats.Makesurethatyouandyourusersenablecontentfilters.Andturnonthepopupblockers.Popupsarenotonlyannoying,theyalsocanhostembeddedmalwaredirectlyorlureusersintoclickingonsomethingusingsocialengineeringtricks.Besurethatyourselectedbrowserhaspopupblockingenabled

EmailEmailrepresentsonethemostinteractivewayshumansworkwithcomputers,encouragingtherightbehaviorisjustasimportantasthetechnicalsettings.

Passwordscontainingcommonwordsorphrasesareeasytocrack.Ensurecomplexpasswordsarecreated;acombinationofletters,numbersandspecialcharactersiscomplexenough.Passwordsshouldbechangedonaregularbasis,every45-60days.

Implementingtwo-factorauthenticationisanotherwaytoensuretheuserisauthentic,reducingtheattacksurface.Usingaspam-filteringtoolreducesthenumberofmaliciousemailsthatcomeintoyournetwork.InitiatingaSenderPolicyFrameworktoverifythatthedomainanemailiscomingfromisauthentic,helpsreduceSpamandPhishingactivities.Installinganencryptiontooltosecureemailandcommunicationsaddsanotherlayerofuserandnetworkedbasedsecurity.

30


NetworkDevices

Alerting/ReportingAnalyticsSystem ConfigurationEnforcementSystem

URL/EmailFilteringProxySystem

31

CSC8:MalwareDefenses

Controltheinstallation,spread,andexecutionofmaliciouscodeatmultiplepointsintheenterprise,whileoptimizingtheuseofautomationtoenablerapidupdatingofdefense,datagathering,andcorrectiveaction.


MalicioussoftwareisanintegralanddangerousaspectofInternetthreats,andcanbedesignedtoattackyoursystems,devices,oryourdata.Itcanbefast-moving,fast-changing,andenterthroughanynumberofpointslikeend-userdevices,emailattachments,webpages,cloudservices,useractions,andremovablemedia.Modernmalwarecanbedesignedtoavoiddefenses,ortoattackordisablethem.

Malwaredefensesmustbeabletooperateinthisdynamicenvironmentthroughlarge-scaleautomation,rapidupdating,andintegrationwithprocesseslikeIncidentResponse.Theymustalsobedeployedatmultiplepossiblepoints-of-attacktodetect,stopthemovementof,orcontroltheexecutionofmalicioussoftware.Enterpriseendpointsecuritysuitesprovideadministrativefeaturestoverifythatalldefensesareactiveandcurrentoneverymanagedsystem.

CSC8:MalwareDefensesFamily CSC ControlDescription Foun-

dationalAdvanced

System 8.1 Employautomatedtoolstocontinuouslymonitorworkstations,servers,andmobiledeviceswithanti-virus,anti-spyware,personalfirewalls,andhost-basedIPSfunctionality.Allmalwaredetectioneventsshouldbesenttoenterpriseanti-malwareadministrationtoolsandeventlogservers.

Y

System 8.2 Employanti-malwaresoftwarethatoffersacentralizedinfrastructurethatcompilesinformationonfilereputationsorhaveadministratorsmanuallypushupdatestoallmachines.Afterapplyinganupdate,automatedsystemsshouldverifythateachsystemhasreceiveditssignatureupdate.

Y

System 8.3 Limituseofexternaldevicestothosewithanapproved,documentedbusinessneed.Monitorforuseandattempteduseofexternaldevices.Configurelaptops,workstations,andserverssothattheywillnotauto-runcontentfromremovablemedia,likeUSBtokens(i.e.,“thumbdrives”),USBharddrives,CDs/DVDs,FireWiredevices,externalserialadvancedtechnologyattachmentdevices,andmountednetworkshares.Configuresystemssothattheyautomaticallyconductananti-malwarescanofremovablemediawheninserted.

Y

Activelymonitortheuseof

externaldevices(inadditionto

logging).

32


Advanced

System 8.4 Enableanti-exploitationfeaturessuchasDataExecutionPrevention(DEP),AddressSpaceLayoutRandomization(ASLR),virtualization/containerization,etc.Forincreasedprotection,deploycapabilitiessuchasEnhancedMitigationExperienceToolkit(EMET)thatcanbeconfiguredtoapplytheseprotectionstoabroadersetofapplicationsandexecutables.

Y

System 8.5 Usenetwork-basedanti-malwaretoolstoidentifyexecutablesinallnetworktrafficandusetechniquesotherthansignature-baseddetectiontoidentifyandfilteroutmaliciouscontentbeforeitarrivesattheendpoint.

Y

System 8.6 Enabledomainnamesystem(DNS)queryloggingtodetecthostnamelookupforknownmaliciousC2domains. Y


Toensureanti-virussignaturesareuptodate,organizationsuseautomation.Theyusethebuilt-inadministrativefeaturesofenterpriseendpointsecuritysuitestoverifythatanti-virus,anti-spyware,andhost-basedIDSfeaturesareactiveoneverymanagedsystem.Theyrunautomatedassessmentsdailyandreviewtheresultstofindandmitigatesystemsthathavedeactivatedsuchprotections,aswellassystemsthatdonothavethelatestmalwaredefinitions.

Someenterprisesdeployfreeorcommercialhoneypotand“tarpit”toolstoidentifyattackersintheirenvironment.Securitypersonnelshouldcontinuouslymonitorthesetoolstodeterminewhethertrafficisdirectedtothemandaccountloginsareattempted.Whentheyidentifysuchevents,thesepersonnelshouldgatherthesourceaddressfromwhichthistrafficoriginatesandotherdetailsassociatedwiththeattackforfollow-oninvestigation.

33


ComputingSystems

NetworkMalwareDetection

EndPointProtectionSoftware/EMET


34

CSC9:LimitationandControlofNetworkPorts,Protocols,andServices

Manage(track/control/correct)theongoingoperationaluseofports,protocols,andservicesonnetworkeddevicesinordertominimizewindowsofvulnerabilityavailabletoattackers.


Attackerssearchforremotelyaccessiblenetworkservicesthatarevulnerabletoexploitation.Commonexamplesincludepoorlyconfiguredwebservers,mailservers,fileandprintservices,anddomainnamesystem(DNS)serversinstalledbydefaultonavarietyofdifferentdevicetypes,oftenwithoutabusinessneedforthegivenservice.Manysoftwarepackagesautomaticallyinstallservicesandturnthemonaspartoftheinstallationofthemainsoftwarepackagewithoutinformingauseroradministratorthattheserviceshavebeenenabled.Attackersscanforsuchissuesandattempttoexploittheseservices,oftenattemptingdefaultuserIDsandpasswordsorwidelyavailableexploitationcode.

CSC9:LimitationandControlofNetworkPortsFamily CSC ControlDescription Foun-

dationalAdvanced

System 9.1 Ensurethatonlyports,protocols,andserviceswithvalidatedbusinessneedsarerunningoneachsystem. Y

System 9.2 Applyhost-basedfirewallsorportfilteringtoolsonendsystems,withadefault-denyrulethatdropsalltrafficexceptthoseservicesandportsthatareexplicitlyallowed.

Y

System 9.3 Performautomatedportscansonaregularbasisagainstallkeyserversandcomparetoaknowneffectivebaseline.Ifachangethatisnotlistedontheorganization’sapprovedbaselineisdiscovered,analertshouldbegeneratedandreviewed.

Y

System 9.4 VerifyanyserverthatisvisiblefromtheInternetoranuntrustednetwork,andifitisnotrequiredforbusinesspurposes,moveittoaninternalVLANandgiveitaprivateaddress.

Y

System 9.5 Operatecriticalservicesonseparatephysicalorlogicalhostmachines,suchasDNS,file,mail,web,anddatabaseservers. Y

System 9.6 Placeapplicationfirewallsinfrontofanycriticalserverstoverifyandvalidatethetrafficgoingtotheserver.Anyunauthorizedservicesortrafficshouldbeblockedandanalertgenerated.

Y

35


Portscanningtoolsareusedtodeterminewhichservicesarelisteningonthenetworkforarangeoftargetsystems.Inadditiontodeterminingwhichportsareopen,effectiveportscannerscanbeconfiguredtoidentifytheversionoftheprotocolandservicelisteningoneachdiscoveredopenport.Thislistofservicesandtheirversionsarecomparedagainstaninventoryofservicesrequiredbytheorganizationforeachserverandworkstationinanassetmanagementsystem.Recentlyaddedfeaturesintheseportscannersarebeingusedtodeterminethechangesinservicesofferedbyscannedmachinesonthenetworksincethepreviousscan,helpingsecuritypersonnelidentifydifferencesovertime.


ComputingSystems


Host/ApplicationFirewallSystems


36

CSC10:DataRecoveryCapability

Theprocessesandtoolsusedtoproperlybackupcriticalinformationwithaprovenmethodologyfortimelyrecoveryofit.


Whenattackerscompromisemachines,theyoftenmakesignificantchangestoconfigurationsandsoftware.Sometimesattackersalsomakesubtlealterationsofdatastoredoncompromisedmachines,potentiallyjeopardizingorganizationaleffectivenesswithpollutedinformation.Whentheattackersarediscovered,itcanbeextremelydifficultfororganizationswithoutatrustworthydatarecoverycapabilitytoremoveallaspectsoftheattacker’spresenceonthemachine.

CSC10:DataRecoveryCapabilityFamily CSC ControlDescription Foun-

dationalAdvanced

System 10.1 Ensurethateachsystemisautomaticallybackeduponatleastaweeklybasis,andmoreoftenforsystemsstoringsensitiveinformation.Tohelpensuretheabilitytorapidlyrestoreasystemfrombackup,theoperatingsystem,applicationsoftware,anddataonamachineshouldeachbeincludedintheoverallbackupprocedure.Thesethreecomponentsofasystemdonothavetobeincludedinthesamebackupfileorusethesamebackupsoftware.Thereshouldbemultiplebackupsovertime,sothatintheeventofmalwareinfection,restorationcanbefromaversionthatisbelievedtopredatetheoriginalinfection.Allbackuppoliciesshouldbecompliantwithanyregulatoryorofficialrequirements.

Y

System 10.2 Testdataonbackupmediaonaregularbasisbyperformingadatarestorationprocesstoensurethatthebackupisproperlyworking.

Y

System 10.3 Ensurethatbackupsareproperlyprotectedviaphysicalsecurityorencryptionwhentheyarestored,aswellaswhentheyaremovedacrossthenetwork.Thisincludesremotebackupsandcloudservices.

Y

System 10.4 Ensurethatkeysystemshaveatleastonebackupdestinationthatisnotcontinuouslyaddressablethroughoperatingsystemcalls.ThiswillmitigatetheriskofattackslikeCryptoLockerwhichseektoencryptordamagedataonalladdressabledatashares,includingbackupdestinations.

Y

37


Onceperquarter(orwhenevernewbackupequipmentispurchased),atestingteamshouldevaluatearandomsampleofsystembackupsbyattemptingtorestorethemonatestbedenvironment.Therestoredsystemsshouldbeverifiedtoensurethattheoperatingsystem,application,anddatafromthebackupareallintactandfunctional.

Intheeventofmalwareinfection,restorationproceduresshoulduseaversionofthebackupthatisbelievedtopredatetheoriginalinfection.


ComputingSystems

DataBackupSystem

Offsite/OfflineBackups


38

CSC11:SecureConfigurationsforNetworkDevicessuchasFirewalls,Routers,andSwitches

Establish,implement,andactivelymanage(track,reporton,correct)thesecurityconfigurationofnetworkinfrastructuredevicesusingarigorousconfigurationmanagementandchangecontrolprocessinordertopreventattackersfromexploitingvulnerableservicesandsettings.


Asdeliveredfrommanufacturersandresellers,thedefaultconfigurationsfornetworkinfrastructuredevicesaregearedforease-of-deploymentandease-of-use–notsecurity.Openservicesandports,defaultaccounts(includingserviceaccounts)orpasswords,supportforolder(vulnerable)protocols,pre-installationofunneededsoftware;allcanbeexploitableintheirdefaultstate.

Attackerstakeadvantageofnetworkdevicesbecominglesssecurelyconfiguredovertimeasusersdemandexceptionsforspecificbusinessneeds.Sometimestheexceptionsaredeployedandthenleftundonewhentheyarenolongerapplicabletothebusinessneeds.Insomecases,thesecurityriskoftheexceptionisneitherproperlyanalyzednormeasuredagainsttheassociatedbusinessneedandcanchangeovertime.Attackerssearchforvulnerabledefaultsettings,electronicholesinfirewalls,routers,andswitchesandusethosetopenetratedefenses.Theyexploitflawsinthesedevicestogainaccesstonetworks,redirecttrafficonanetwork,andinterceptinformationwhileintransmission.Throughsuchactions,theattackergainsaccesstosensitivedata,altersimportantinformation,orevenusesacompromisedmachinetoposeasanothertrustedsystemonthenetwork.

CSC11:SecureConfigurationsforNetworkDevicesFamily CSC ControlDescription Foun-

dationalAdvanced

Network 11.1 Comparefirewall,router,andswitchconfigurationagainststandardsecureconfigurationsdefinedforeachtypeofnetworkdeviceinuseintheorganization.Thesecurityconfigurationofsuchdevicesshouldbedocumented,reviewed,andapprovedbyanorganizationchangecontrolboard.Anydeviationsfromthestandardconfigurationorupdatestothestandardconfigurationshouldbedocumentedandapprovedinachangecontrolsystem.

Y

39


Advanced

Network 11.2 Allnewconfigurationrulesbeyondabaseline-hardenedconfigurationthatallowtraffictoflowthroughnetworksecuritydevices,suchasfirewallsandnetwork-basedIPS,shouldbedocumentedandrecordedinaconfigurationmanagementsystem,withaspecificbusinessreasonforeachchange,aspecificindividual’snameresponsibleforthatbusinessneed,andanexpecteddurationoftheneed.

Y

Network 11.3 Useautomatedtoolstoverifystandarddeviceconfigurationsanddetectchanges.Allalterationstosuchfilesshouldbeloggedandautomaticallyreportedtosecuritypersonnel.

Y

Network 11.4 Managenetworkdevicesusingtwo-factorauthenticationandencryptedsessions. Y

Network 11.5 Installthelateststableversionofanysecurity-relatedupdatesonallnetworkdevices. Y

Network 11.6 Networkengineersshalluseadedicatedmachineforalladministrativetasksortasksrequiringelevatedaccess.Thismachineshallbeisolatedfromtheorganization'sprimarynetworkandnotbeallowedInternetaccess.Thismachineshallnotbeusedforreadingemail,composingdocuments,orsurfingtheInternet.

Y

Network 11.7 Managethenetworkinfrastructureacrossnetworkconnectionsthatareseparatedfromthebusinessuseofthatnetwork,relyingonseparateVLANsor,preferably,onentirelydifferentphysicalconnectivityformanagementsessionsfornetworkdevices.

Y


Someorganizationsusecommercialtoolsthatevaluatetherulesetofnetworkfilteringdevicestodeterminewhethertheyareconsistentorinconflict,providinganautomatedsanitycheckofnetworkfiltersandsearchforerrorsinrulesetsoraccesscontrolslists(ACLs)thatmayallowunintendedservicesthroughthedevice.Suchtoolsshouldberuneachtimesignificantchangesaremadetofirewallrulesets,routerACLs,orotherfilteringtechnologies.

40


NetworkDeviceManagementSystem

NetworkDevices


DedicatedAdministrationSystems


41

CSC12:BoundaryDefense

Detect/prevent/correcttheflowofinformationtransferringnetworksofdifferenttrustlevelswithafocusonsecurity-damagingdata.


AttackersfocusonexploitingsystemsthattheycanreachacrosstheInternet,includingnotonlyDMZsystemsbutalsoworkstationandlaptopcomputersthatpullcontentfromtheInternetthroughnetworkboundaries.Threatssuchasorganizedcrimegroupsandnation-statesuseconfigurationandarchitecturalweaknessesfoundonperimetersystems,networkdevices,andInternet-accessingclientmachinestogaininitialaccessintoanorganization.Then,withabaseofoperationsonthesemachines,attackersoftenpivottogetdeeperinsidetheboundarytostealorchangeinformationortosetupapersistentpresenceforlaterattacksagainstinternalhosts.Additionally,manyattacksoccurbetweenbusinesspartnernetworks,sometimesreferredtoasextranets,asattackershopfromoneorganization’snetworktoanother,exploitingvulnerablesystemsonextranetperimeters.

Tocontroltheflowoftrafficthroughnetworkbordersandpolicecontentbylookingforattacksandevidenceofcompromisedmachines,boundarydefensesshouldbemulti-layered,relyingonfirewalls,proxies,DMZperimeternetworks,andnetwork-basedIPSandIDS.Itisalsocriticaltofilterbothinboundandoutboundtraffic.

Itshouldbenotedthatboundarylinesbetweeninternalandexternalnetworksarediminishingasaresultofincreasedinterconnectivitywithinandbetweenorganizationsaswellastherapidriseindeploymentofwirelesstechnologies.Theseblurringlinessometimesallowattackerstogainaccessinsidenetworkswhilebypassingboundarysystems.However,evenwiththisblurringofboundaries,effectivesecuritydeploymentsstillrelyoncarefullyconfiguredboundarydefensesthatseparatenetworkswithdifferentthreatlevels,setsofusers,andlevelsofcontrol.Anddespitetheblurringofinternalandexternalnetworks,effectivemulti-layereddefensesofperimeternetworkshelplowerthenumberofsuccessfulattacks,allowingsecuritypersonneltofocusonattackerswhohavedevisedmethodstobypassboundaryrestrictions.

42

CSC12:BoundaryDefenseFamily CSC ControlDescription Foun-

dationalAdvanced

Network 12.1 Denycommunicationswith(orlimitdataflowto)knownmaliciousIPaddresses(blacklists),orlimitaccessonlytotrustedsites(whitelists).TestscanbeperiodicallycarriedoutbysendingpacketsfrombogonsourceIPaddresses(non-routableorotherwiseunusedIPaddresses)intothenetworktoverifythattheyarenottransmittedthroughnetworkperimeters.ListsofbogonaddressesarepubliclyavailableontheInternetfromvarioussources,andindicateaseriesofIPaddressesthatshouldnotbeusedforlegitimatetraffictraversingtheInternet.

Y

Network 12.2 OnDMZnetworks,configuremonitoringsystems(whichmaybebuiltintotheIDSsensorsordeployedasaseparatetechnology)torecordatleastpacketheaderinformation,andpreferablyfullpacketheaderandpayloadsofthetrafficdestinedfororpassingthroughthenetworkborder.ThistrafficshouldbesenttoaproperlyconfiguredSecurityInformationEventManagement(SIEM)orloganalyticssystemsothateventscanbecorrelatedfromalldevicesonthenetwork.

Y

Network 12.3 Deploynetwork-basedIDSsensorsonInternetandextranetDMZsystemsandnetworksthatlookforunusualattackmechanismsanddetectcompromiseofthesesystems.Thesenetwork-basedIDSsensorsmaydetectattacksthroughtheuseofsignatures,networkbehavioranalysis,orothermechanismstoanalyzetraffic.

Y

Network 12.4 Network-basedIPSdevicesshouldbedeployedtocomplementIDSbyblockingknownbadsignaturesorthebehaviorofpotentialattacks.Asattacksbecomeautomated,methodssuchasIDStypicallydelaytheamountoftimeittakesforsomeonetoreacttoanattack.Aproperlyconfigurednetwork-basedIPScanprovideautomationtoblockbadtraffic.Whenevaluatingnetwork-basedIPSproducts,includethoseusingtechniquesotherthansignature-baseddetection(suchasvirtualmachineorsandbox-basedapproaches)forconsideration.

Y

43


Advanced

Network 12.5 DesignandimplementnetworkperimeterssothatalloutgoingnetworktraffictotheInternetmustpassthroughatleastoneapplicationlayerfilteringproxyserver.Theproxyshouldsupportdecryptingnetworktraffic,loggingindividualTCPsessions,blockingspecificURLs,domainnames,andIPaddressestoimplementablacklist,andapplyingwhitelistsofallowedsitesthatcanbeaccessedthroughtheproxywhileblockingallothersites.OrganizationsshouldforceoutboundtraffictotheInternetthroughanauthenticatedproxyserverontheenterpriseperimeter.

Y

Network 12.6 Requireallremoteloginaccess(includingVPN,dial-up,andotherformsofaccessthatallowlogintointernalsystems)tousetwo-factorauthentication.

Y

Network 12.7 Allenterprisedevicesremotelyloggingintotheinternalnetworkshouldbemanagedbytheenterprise,withremotecontroloftheirconfiguration,installedsoftware,andpatchlevels.Forthird-partydevices(e.g.,subcontractors/vendors),publishminimumsecuritystandardsforaccesstotheenterprisenetworkandperformasecurityscanbeforeallowingaccess.

Y

Network 12.8 Periodicallyscanforback-channelconnectionstotheInternetthatbypasstheDMZ,includingunauthorizedVPNconnectionsanddual-homedhostsconnectedtotheenterprisenetworkandtoothernetworksviawireless,dial-upmodems,orothermechanisms.

Y

Network 12.9 DeployNetFlowcollectionandanalysistoDMZnetworkflowstodetectanomalousactivity. Y

Network 12.10

Tohelpidentifycovertchannelsexfiltratingdatathroughafirewall,configurethebuilt-infirewallsessiontrackingmechanismsincludedinmanycommercialfirewallstoidentifyTCPsessionsthatlastanunusuallylongtimeforthegivenorganizationandfirewalldevice,alertingpersonnelaboutthesourceanddestinationaddressesassociatedwiththeselongsessions.

Y


TheboundarydefensesincludedinthiscontrolbuildonCriticalControl10.TheadditionalrecommendationsherefocusonimprovingtheoverallarchitectureandimplementationofbothInternetandinternalnetworkboundarypoints.Internalnetworksegmentationiscentraltothiscontrolbecauseonceinsideanetwork,manyintrudersattempttotargetthemostsensitivemachines.Usually,internalnetworkprotectionisnotsetuptodefendagainstaninternalattacker.Settingupevenabasiclevelofsecuritysegmentationacross

44

thenetworkandprotectingeachsegmentwithaproxyandafirewallwillgreatlyreduceanintruder’saccesstotheotherpartsofthenetwork.

OneelementofthiscontrolcanbeimplementedusingfreeorcommercialIDSandsnifferstolookforattacksfromexternalsourcesdirectedatDMZandinternalsystems,aswellasattacksoriginatingfrominternalsystemsagainsttheDMZorInternet.Securitypersonnelshouldregularlytestthesesensorsbylaunchingvulnerability-scanningtoolsagainstthemtoverifythatthescannertraffictriggersanappropriatealert.ThecapturedpacketsoftheIDSsensorsshouldbereviewedusinganautomatedscripteachdaytoensurethatlogvolumesarewithinexpectedparametersandthatthelogsareformattedproperlyandhavenotbeencorrupted.

Additionally,packetsniffersshouldbedeployedonDMZstolookforHypertextTransferProtocol(HTTP)trafficthatbypassesHTTPproxies.Bysamplingtrafficregularly,suchasoverathree-hourperiodonceaweek,informationsecuritypersonnelcansearchforHTTPtrafficthatisneithersourcedbynordestinedforaDMZproxy,implyingthattherequirementforproxyuseisbeingbypassed.

Toidentifyback-channelconnectionsthatbypassapprovedDMZs,networksecuritypersonnelcanestablishanInternet-accessiblesystemtouseasareceiverfortestingoutboundaccess.Thissystemisconfiguredwithafreeorcommercialpacketsniffer.Then,securitypersonnelcanconnectasendingtestsystemtovariouspointsontheorganization’sinternalnetwork,sendingeasilyidentifiabletraffictothesniffingreceiverontheInternet.Thesepacketscanbegeneratedusingfreeorcommercialtoolswithapayloadthatcontainsacustomfileusedforthetest.Whenthepacketsarriveatthereceiversystem,thesourceaddressofthepacketsshouldbeverifiedagainstacceptableDMZaddressesallowedfortheorganization.Ifsourceaddressesarediscoveredthatarenotincludedinlegitimate,registeredDMZs,moredetailcanbegatheredbyusingatraceroutetooltodeterminethepaththatpacketstakefromthesendertothereceiversystem.

45


NetworkDevices

NetworkMonitoringSystems(IDS&IPS)




ApplicationFirewall/ProxySystem


46

CSC13:DataProtection

Theprocessesandtoolsusedtopreventdataexfiltration,mitigatetheeffectsofexfiltrateddata,andensuretheprivacyandintegrityofsensitiveinformation.


Dataresidesinmanyplaces.Protectionofthatdataisbestachievedthroughtheapplicationofacombinationofencryption,integrityprotectionanddatalosspreventiontechniques.Asorganizationscontinuetheirmovetowardscloudcomputingandmobileaccess,itisimportantthatpropercarebetakentolimitandreportondataexfiltrationwhilealsomitigatingtheeffectsofdatacompromise.

Theadoptionofdataencryption,bothintransitandatrest,providesmitigationagainstdatacompromise.Thisistrueifpropercarehasbeentakenintheprocessesandtechnologiesassociatedwiththeencryptionoperations.Anexampleofthisisthemanagementofcryptographickeysusedbythevariousalgorithmsthatprotectdata.Theprocessforgeneration,useanddestructionofkeysshouldbebasedonprovenprocessesasdefinedinstandardssuchasNISTSP800-57.

Careshouldalsobetakentoensurethatproductsusedwithinanenterpriseimplementwellknownandvettedcryptographicalgorithms,asidentifiedbyNIST.Re-evaluationofthealgorithmsandkeysizesusedwithintheenterpriseonanannualbasisisalsorecommendedtoensurethatorganizationsarenotfallingbehindinthestrengthofprotectionappliedtotheirdata.

Fororganizationsthataremovingdatatothecloud,itisimportanttounderstandthesecuritycontrolsappliedtodatainthecloudmulti-tenantenvironment,anddeterminethebestcourseofactionforapplicationofencryptioncontrolsandsecurityofkeys.Whenpossible,keysshouldbestoredwithinsecurecontainerssuchasHardwareSecurityModules(HSMs).

Encryptingdataprovidesalevelofassurancethatevenifdataiscompromised,itisimpracticaltoaccesstheplaintextwithoutsignificantresources,howevercontrolsshouldalsobeputinplacetomitigatethethreatofdataexfiltrationinthefirstplace.Manyattacksoccurredacrossthenetwork,whileothersinvolvedphysicaltheftoflaptopsandotherequipmentholdingsensitiveinformation.Yet,inmostcases,thevictimswerenotawarethatthesensitivedatawereleavingtheirsystemsbecausetheywerenotmonitoringdataoutflows.Themovementofdataacrossnetworkboundariesbothelectronicallyandphysicallymustbecarefullyscrutinizedtominimizeitsexposuretoattackers.

Thelossofcontroloverprotectedorsensitivedatabyorganizationsisaseriousthreattobusinessoperationsandapotentialthreattonationalsecurity.Whilesomedataareleakedorlostasaresultoftheftorespionage,thevastmajorityoftheseproblemsresultfrompoorlyunderstooddatapractices,alackofeffectivepolicyarchitectures,andusererror.

47

Datalosscanevenoccurasaresultoflegitimateactivitiessuchase-Discoveryduringlitigation,particularlywhenrecordsretentionpracticesareineffectiveornonexistent.

Datalossprevention(DLP)referstoacomprehensiveapproachcoveringpeople,processes,andsystemsthatidentify,monitor,andprotectdatainuse(e.g.,endpointactions),datainmotion(e.g.,networkactions),anddataatrest(e.g.,datastorage)throughdeepcontentinspectionandwithacentralizedmanagementframework.Overthelastseveralyears,therehasbeenanoticeableshiftinattentionandinvestmentfromsecuringthenetworktosecuringsystemswithinthenetwork,andtosecuringthedataitself.DLPcontrolsarebasedonpolicy,andincludeclassifyingsensitivedata,discoveringthatdataacrossanenterprise,enforcingcontrols,andreportingandauditingtoensurepolicycompliance.

CSC13:DataProtectionFamily CSC ControlDescription Foun-

dationalAdvanced

Network 13.1 Performanassessmentofdatatoidentifysensitiveinformationthatrequirestheapplicationofencryptionandintegritycontrols.

Y

Network 13.2 Deployapprovedharddriveencryptionsoftwaretomobiledevicesandsystemsthatholdsensitivedata. Y

Network 13.3 Deployanautomatedtoolonnetworkperimetersthatmonitorsforsensitiveinformation(e.g.,personallyidentifiableinformation),keywords,andotherdocumentcharacteristicstodiscoverunauthorizedattemptstoexfiltratedataacrossnetworkboundariesandblocksuchtransferswhilealertinginformationsecuritypersonnel.

Y

Network 13.4 Conductperiodicscansofservermachinesusingautomatedtoolstodeterminewhethersensitivedata(e.g.,personallyidentifiableinformation,health,creditcard,orclassifiedinformation)ispresentonthesystemincleartext.Thesetools,whichsearchforpatternsthatindicatethepresenceofsensitiveinformation,canhelpidentifyifabusinessortechnicalprocessisleavingbehindorotherwiseleakingsensitiveinformation.

Y

Network 13.5 Ifthereisnobusinessneedforsupportingsuchdevices,configuresystemssothattheywillnotwritedatatoUSBtokensorUSBharddrives.Ifsuchdevicesarerequired,enterprisesoftwareshouldbeusedthatcanconfiguresystemstoallowonlyspecificUSBdevices(basedonserialnumberorotheruniqueproperty)tobeaccessed,andthatcanautomaticallyencryptalldataplacedonsuchdevices.Aninventoryofallauthorizeddevicesmustbemaintained.

Y

48


Advanced

Network 13.6 Usenetwork-basedDLPsolutionstomonitorandcontroltheflowofdatawithinthenetwork.Anyanomaliesthatexceedthenormaltrafficpatternsshouldbenotedandappropriateactiontakentoaddressthem.

Y

Network 13.7 Monitoralltrafficleavingtheorganizationanddetectanyunauthorizeduseofencryption.Attackersoftenuseanencryptedchanneltobypassnetworksecuritydevices.Thereforeitisessentialthatorganizationsbeabletodetectrogueconnections,terminatetheconnection,andremediatetheinfectedsystem.

Y

Network 13.8 Blockaccesstoknownfiletransferandemailexfiltrationwebsites. Y

Network 13.9 Usehost-baseddatalossprevention(DLP)toenforceACLsevenwhendataiscopiedoffaserver.Inmostorganizations,accesstothedataiscontrolledbyACLsthatareimplementedontheserver.Oncethedatahavebeencopiedtoadesktopsystem,theACLsarenolongerenforcedandtheuserscansendthedatatowhomevertheywant.

Y


Commercialtoolsareavailabletosupportenterprisemanagementofencryptionandkeymanagementwithinanenterpriseandincludetheabilitytosupportimplementationofencryptioncontrolswithincloudandmobileenvironments.

Definitionoflifecycleprocessesandrolesandresponsibilitiesassociatedwithkeymanagementshouldbeundertakenbyeachorganization.

CommercialDLPsolutionsareavailabletolookforexfiltrationattemptsanddetectothersuspiciousactivitiesassociatedwithaprotectednetworkholdingsensitiveinformation.Organizationsdeployingsuchtoolsshouldcarefullyinspecttheirlogsandfollowuponanydiscoveredattempts,eventhosethataresuccessfullyblocked,totransmitsensitiveinformationoutoftheorganizationwithoutauthorization.

49

CSC13EntityRelationshipDiagram

Network&HostBasedDLP

EncryptionSystems NetworkDevices

EndPointProtection/RemovableMedia

Control


ComputingSystems

50

CSC14:ControlledAccessBasedontheNeedtoKnow

Theprocessesandtoolsusedtotrack/control/prevent/correctsecureaccesstocriticalassets(e.g.,information,resources,systems)accordingtotheformaldeterminationofwhichpersons,computers,andapplicationshaveaneedandrighttoaccessthesecriticalassetsbasedonanapprovedclassification.


Someorganizationsdonotcarefullyidentifyandseparatetheirmostsensitiveandcriticalassetsfromlesssensitive,publiclyaccessibleinformationontheirinternalnetworks.Inmanyenvironments,internalusershaveaccesstoallormostofthecriticalassets.Sensitiveassetsmayalsoincludesystemsthatprovidemanagementandcontrolofphysicalsystems(e.g.,SCADA).Onceattackershavepenetratedsuchanetwork,theycaneasilyfindandexfiltrateimportantinformation,causephysicaldamage,ordisruptoperationswithlittleresistance.Forexample,inseveralhigh-profilebreachesoverthepasttwoyears,attackerswereabletogainaccesstosensitivedatastoredonthesameserverswiththesamelevelofaccessasfarlessimportantdata.Therearealsoexamplesofusingaccesstothecorporatenetworktogainaccessto,thencontrolover,physicalassetsandcausedamage.

CSC14:ControlledAccessBasedontheNeedtoKnowFamily CSC ControlDescription Foun-

dationalAdvanced

Application 14.1 Segmentthenetworkbasedonthelabelorclassificationleveloftheinformationstoredontheservers.LocateallsensitiveinformationonseparatedVLANSwithfirewallfilteringtoensurethatonlyauthorizedindividualsareonlyabletocommunicatewithsystemsnecessarytofulfilltheirspecificresponsibilities.

Y

Application 14.2 Allcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.

Y

Application 14.3 AllnetworkswitcheswillenablePrivateVirtualLocalAreaNetworks(VLANs)forsegmentedworkstationnetworkstolimittheabilityofdevicesonanetworktodirectlycommunicatewithotherdevicesonthesubnetandlimitanattackersabilitytolaterallymovetocompromiseneighboringsystems.

Y

51


Advanced

Application 14.4 Allinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

Y

Application 14.5 Sensitiveinformationstoredonsystemsshallbeencryptedatrestandrequireasecondaryauthenticationmechanism,notintegratedintotheoperatingsystem,inordertoaccesstheinformation.

Y

Application 14.6 Enforcedetailedauditloggingforaccesstononpublicdataandspecialauthenticationforsensitivedata. Y

Application 14.7 Archiveddatasetsorsystemsnotregularlyaccessedbytheorganizationshallberemovedfromtheorganization'snetwork.Thesesystemsshallonlybeusedasstandalonesystems(disconnectedfromthenetwork)bythebusinessunitneedingtooccasionallyusethesystemorcompletelyvirtualizedandpoweredoffuntilneeded.

Y


Itisimportantthatanorganizationunderstandwhatitssensitiveinformationis,whereitresides,andwhoneedsaccesstoit.Toderivesensitivitylevels,organizationsneedtoputtogetheralistofthekeytypesofdataandtheoverallimportancetotheorganization.Thisanalysiswouldbeusedtocreateanoveralldataclassificationschemefortheorganization.Atabaselevel,adataclassificationschemeisbrokendownintotwolevels:public(unclassified)andprivate(classified).Oncetheprivateinformationhasbeenidentified,itcanthenbefurthersubdividedbasedontheimpactitwouldhavetotheorganizationifitwerecompromised.

Oncethesensitivityofthedatahasbeenidentified,thedataneedtobetracedbacktobusinessapplicationsandthephysicalserversthathousethoseapplications.Thenetworkthenneedstobesegmentedsothatsystemsofthesamesensitivitylevelareonthesamenetworkandsegmentedfromsystemswithdifferenttrustlevels.Ifpossible,firewallsneedtocontrolaccesstoeachsegment.Ifdataareflowingoveranetworkwithalowertrustlevel,encryptionshouldbeused.

Jobrequirementsshouldbecreatedforeachusergrouptodeterminewhatinformationthegroupneedsaccesstoinordertoperformitsjobs.Basedontherequirements,accessshouldonlybegiventothesegmentsorserversthatareneededforeachjobfunction.

52

Detailedloggingshouldbeturnedonforallserversinordertotrackaccessandexaminesituationswheresomeoneisaccessingdatathattheyshouldnotbeaccessing.


HostBasedDataLossPrevention(DLP)

EncryptionSystems

NetworkDevices



53

CSC15:WirelessAccessControl

Theprocessesandtoolsusedtotrack/control/prevent/correctthesecurityuseofwirelesslocalareanetworks(LANS),accesspoints,andwirelessclientsystems.


Majortheftsofdatahavebeeninitiatedbyattackerswhohavegainedwirelessaccesstoorganizationsfromoutsidethephysicalbuilding,bypassingorganizations’securityperimetersbyconnectingwirelesslytoaccesspointsinsidetheorganization.Wirelessclientsaccompanyingtravelingofficialsareinfectedonaregularbasisthroughremoteexploitationduringairtravelorincybercafes.Suchexploitedsystemsarethenusedasbackdoorswhentheyarereconnectedtothenetworkofatargetorganization.Stillotherorganizationshavereportedthediscoveryofunauthorizedwirelessaccesspointsontheirnetworks,plantedandsometimeshiddenforunrestrictedaccesstoaninternalnetwork.Becausetheydonotrequiredirectphysicalconnections,wirelessdevicesareaconvenientvectorforattackerstomaintainlong-termaccessintoatargetenvironment.

CSC15:WirelessAccessControlFamily CSC ControlDescription Foun-

dationalAdvanced

Network 15.1 Ensurethateachwirelessdeviceconnectedtothenetworkmatchesanauthorizedconfigurationandsecurityprofile,withadocumentedowneroftheconnectionandadefinedbusinessneed.Organizationsshoulddenyaccesstothosewirelessdevicesthatdonothavesuchaconfigurationandprofile.

Y

Network 15.2 Configurenetworkvulnerabilityscanningtoolstodetectwirelessaccesspointsconnectedtothewirednetwork.Identifieddevicesshouldbereconciledagainstalistofauthorizedwirelessaccesspoints.Unauthorized(i.e.,rogue)accesspointsshouldbedeactivated.

Y

Network 15.3 Usewirelessintrusiondetectionsystems(WIDS)toidentifyroguewirelessdevicesanddetectattackattemptsandsuccessfulcompromises.InadditiontoWIDS,allwirelesstrafficshouldbemonitoredbyWIDSastrafficpassesintothewirednetwork.

Y

Network 15.4 Whereaspecificbusinessneedforwirelessaccesshasbeenidentified,configurewirelessaccessonclientmachinestoallowaccessonlytoauthorizedwirelessnetworks.Fordevicesthatdonothaveanessentialwirelessbusinesspurpose,disablewirelessaccessinthehardwareconfiguration(basicinput/outputsystemorextensiblefirmwareinterface).

Y

54


Advanced

Network 15.5 EnsurethatallwirelesstrafficleveragesatleastAdvancedEncryptionStandard(AES)encryptionusedwithatleastWi-FiProtectedAccess2(WPA2)protection.

Y

Network 15.6 EnsurethatwirelessnetworksuseauthenticationprotocolssuchasExtensibleAuthenticationProtocol-TransportLayerSecurity(EAP/TLS),whichprovidecredentialprotectionandmutualauthentication.

Y

Network 15.7 Disablepeer-to-peerwirelessnetworkcapabilitiesonwirelessclients. Y

Network 15.8 Disablewirelessperipheralaccessofdevices(suchasBluetooth),unlesssuchaccessisrequiredforadocumentedbusinessneed.

Y

Network 15.9 Createseparatevirtuallocalareanetworks(VLANs)forBYODsystemsorotheruntrusteddevices.InternetaccessfromthisVLANshouldgothroughatleastthesameborderascorporatetraffic.EnterpriseaccessfromthisVLANshouldbetreatedasuntrustedandfilteredandauditedaccordingly.

Y


Effectiveorganizationsruncommercialwirelessscanning,detection,anddiscoverytoolsaswellascommercialwirelessintrusiondetectionsystems.

Additionally,thesecurityteamshouldperiodicallycapturewirelesstrafficfromwithinthebordersofafacilityandusefreeandcommercialanalysistoolstodeterminewhetherthewirelesstrafficwastransmittedusingweakerprotocolsorencryptionthantheorganizationmandates.Whendevicesrelyingonweakwirelesssecuritysettingsareidentified,theyshouldbefoundwithintheorganization’sassetinventoryandeitherreconfiguredmoresecurelyordeniedaccesstotheorganizationnetwork.

Additionally,thesecurityteamshouldemployremotemanagementtoolsonthewirednetworktopullinformationaboutthewirelesscapabilitiesanddevicesconnectedtomanagedsystems.

55


ComputingSystems



WirelessIntrusionDetectionSystem(WIDS)

PublicKeyInfrastructure(PKI)

NetworkAccessControl(NAC)Alerting/ReportingAnalyticsSystem

NetworkDevices


56

CSC16:AccountMonitoringandControl

Activelymanagethelifecycleofsystemandapplicationaccounts–theircreation,use,dormancy,deletion–inordertominimizeopportunitiesforattackerstoleveragethem.


Attackersfrequentlydiscoverandexploitlegitimatebutinactiveuseraccountstoimpersonatelegitimateusers,therebymakingdiscoveryofattackerbehaviordifficultfornetworkwatchers.AccountsofcontractorsandemployeeswhohavebeenterminatedandaccountsformerlysetupforRedTeamtesting(butnotdeletedafterwards)haveoftenbeenmisusedinthisway.Additionally,somemaliciousinsidersorformeremployeeshaveaccessedaccountsleftbehindinasystemlongaftercontractexpiration,maintainingtheiraccesstoanorganization’scomputingsystemandsensitivedataforunauthorizedandsometimesmaliciouspurposes.

CSC16:AccountMonitoringandControlFamily CSC ControlDescription Foun-

dationalAdvanced

Application 16.1 Reviewallsystemaccountsanddisableanyaccountthatcannotbeassociatedwithabusinessprocessandowner. Y

Application 16.2 Ensurethatallaccountshaveanexpirationdatethatismonitoredandenforced. Y

Application 16.3 Establishandfollowaprocessforrevokingsystemaccessbydisablingaccountsimmediatelyuponterminationofanemployeeorcontractor.Disablinginsteadofdeletingaccountsallowspreservationofaudittrails.

Y

Application 16.4 Regularlymonitortheuseofallaccounts,automaticallyloggingoffusersafterastandardperiodofinactivity. Y

Application 16.5 Configurescreenlocksonsystemstolimitaccesstounattendedworkstations. Y

Application 16.6 Monitoraccountusagetodeterminedormantaccounts,notifyingtheuseroruser’smanager.Disablesuchaccountsifnotneeded,ordocumentandmonitorexceptions(e.g.,vendormaintenanceaccountsneededforsystemrecoveryorcontinuityoperations).Requirethatmanagersmatchactiveemployeesandcontractorswitheachaccountbelongingtotheirmanagedstaff.Securityorsystemadministratorsshouldthendisableaccountsthatarenotassignedtovalidworkforcemembers.

Y

57


Advanced

Application 16.7 Useandconfigureaccountlockoutssuchthatafterasetnumberoffailedloginattemptstheaccountislockedforastandardperiodoftime.

Y

Application 16.8 Monitorattemptstoaccessdeactivatedaccountsthroughauditlogging. Y

Application 16.9 Configureaccessforallaccountsthroughacentralizedpointofauthentication,forexampleActiveDirectoryorLDAP.Configurenetworkandsecuritydevicesforcentralizedauthenticationaswell.

Y

Application 16.10 Profileeachuser’stypicalaccountusagebydeterminingnormaltime-of-dayaccessandaccessduration.Reportsshouldbegeneratedthatindicateuserswhohaveloggedinduringunusualhoursorhaveexceededtheirnormalloginduration.Thisincludesflaggingtheuseoftheuser’scredentialsfromacomputerotherthancomputersonwhichtheusergenerallyworks.

Y

Application 16.11 Requiremulti-factorauthenticationforalluseraccountsthathaveaccesstosensitivedataorsystems.Multi-factorauthenticationcanbeachievedusingsmartcards,certificates,OneTimePassword(OTP)tokens,orbiometrics.

Y

Application 16.12 Wheremulti-factorauthenticationisnotsupported,useraccountsshallberequiredtouselongpasswordsonthesystem(longerthan14characters).

Y

Application 16.13 Ensurethatallaccountusernamesandauthenticationcredentialsaretransmittedacrossnetworksusingencryptedchannels.

Y

Application 16.14 Verifythatallauthenticationfilesareencryptedorhashedandthatthesefilescannotbeaccessedwithoutrootoradministratorprivileges.Auditallaccesstopasswordfilesinthesystem.

Y

CSCProceduresandTools

Althoughmostoperatingsystemsincludecapabilitiesforlogginginformationaboutaccountusage,thesefeaturesaresometimesdisabledbydefault.Evenwhensuchfeaturesarepresentandactive,theyoftendonotprovidefine-graineddetailaboutaccesstothesystembydefault.Securitypersonnelcanconfiguresystemstorecordmoredetailedinformationaboutaccountaccess,andusehome-grownscriptsorthird-partyloganalysistoolstoanalyzethisinformationandprofileuseraccessofvarioussystems.

58

Accountsmustalsobetrackedveryclosely.Anyaccountthatisdormantmustbedisabledandeventuallyremovedfromthesystem.Allactiveaccountsmustbetracedbacktoauthorizedusersofthesystem,anditmustbeensuredthattheirpasswordsarerobustandchangedonaregularbasis.Usersmustalsobeloggedoutofthesystemafteraperiodofnoactivitytominimizethepossibilityofanattackerusingtheirsystemtoextractinformationfromtheorganization.


ComputingSystems


Identity&AccessManagementSystem Workforce

Members



59

CSC17:SecuritySkillsAssessmentandAppropriateTrainingtoFillGaps

Forallfunctionalrolesintheorganization(prioritizingthosemission-criticaltothebusinessanditssecurity),identifythespecificknowledge,skills,andabilitiesneededtosupportdefenseoftheenterprise;developandexecuteanintegratedplantoassess,identifygaps,andremediatethroughpolicy,organizationalplanning,training,andawarenessprograms.


Itistemptingtothinkofcyberdefenseprimarilyasatechnicalchallenge,buttheactionsofpeoplealsoplayacriticalpartinthesuccessorfailureofanenterprise.Peoplefulfillimportantfunctionsateverystageofsystemdesign,implementation,operation,use,andoversight.Examplesinclude:systemdevelopersandprogrammers(whomaynotunderstandtheopportunitytoresolverootcausevulnerabilitiesearlyinthesystemlifecycle);IToperationsprofessionals(whomaynotrecognizethesecurityimplicationsofITartifactsandlogs);endusers(whomaybesusceptibletosocialengineeringschemessuchasphishing);securityanalysts(whostruggletokeepupwithanexplosionofnewinformation);andexecutivesandsystemowners(whostruggletoquantifytherolethatcybersecurityplaysinoveralloperational/missionrisk,andhavenoreasonablewaytomakerelevantinvestmentdecisions).

Attackersareveryconsciousoftheseissuesandusethemtoplantheirexploitationsby,forexample:carefullycraftingphishingmessagesthatlooklikeroutineandexpectedtraffictoanunwaryuser;exploitingthegapsorseamsbetweenpolicyandtechnology(e.g.,policiesthathavenotechnicalenforcement);workingwithinthetimewindowofpatchingorlogreview;usingnominallynon-security-criticalsystemsasjumppointsorbots.

Nocyberdefenseapproachcaneffectivelyaddresscyberriskwithoutameanstoaddressthisfundamentalvulnerability.Conversely,empoweringpeoplewithgoodcyberdefensehabitscansignificantlyincreasereadiness.

CSC17:SecuritySkillsAssessmentandAppropriateTrainingtoFillGapsFamily CSC ControlDescription Foun-

dationalAdvanced

Application 17.1 PerformgapanalysistoseewhichskillsemployeesneedtoimplementtheotherControls,andwhichbehaviorsemployeesarenotadheringto,usingthisinformationtobuildabaselinetrainingandawarenessroadmapforallemployees.

Y

60


Advanced

Application 17.2 Delivertrainingtofilltheskillsgap.Ifpossible,usemoreseniorstafftodeliverthetraining.Asecondoptionistohaveoutsideteachersprovidetrainingonsitesotheexamplesusedwillbedirectlyrelevant.Ifyouhavesmallnumbersofpeopletotrain,usetrainingconferencesoronlinetrainingtofillthegaps.

Y

Application 17.3Implementasecurityawarenessprogramthat(1)focusesonthemethodscommonlyusedinintrusionsthatcanbeblockedthroughindividualaction,(2)isdeliveredinshortonlinemodulesconvenientforemployees(3)isupdatedfrequently(atleastannually)torepresentthelatestattacktechniques,(4)ismandatedforcompletionbyallemployeesatleastannually,(5)isreliablymonitoredforemployeecompletion,and6)includestheseniorleadershipteam’spersonalmessaging,involvementintraining,andaccountabilitythroughperformancemetrics.

Y

Application 17.4 Validateandimproveawarenesslevelsthroughperiodicteststoseewhetheremployeeswillclickonalinkfromsuspiciousemailorprovidesensitiveinformationonthetelephonewithoutfollowingappropriateproceduresforauthenticatingacaller;targetedtrainingshouldbeprovidedtothosewhofallvictimtotheexercise.

Y

Application 17.5 Usesecurityskillsassessmentsforeachofthemission-criticalrolestoidentifyskillsgaps.Usehands-on,real-worldexamplestomeasuremastery.Ifyoudonothavesuchassessments,useoneoftheavailableonlinecompetitionsthatsimulatereal-worldscenariosforeachoftheidentifiedjobsinordertomeasuremasteryofskillsmastery.

Y


Aneffectiveenterprise-widetrainingprogramshouldtakeaholisticapproachandconsiderpolicyandtechnologyatthesametimeasthetrainingofpeople.Forexample,policiesshouldbedesignedwithtechnicalmeasurementandenforcementwhenpossible,reinforcedbytrainingtofillgaps,technicalcontrolscanbeimplementedtoboundandminimizetheopportunityforpeopletomakemistakes,andsofocusthetrainingonthingsthatcannotbemanagedtechnically.

Tobeeffectiveinbothcostandoutcome,securitytrainingshouldbeprioritized,focused,specific,andmeasurable.Akeywaytoprioritizetrainingistofocusfirstonthosejobsand

61

rolesthatarecriticaltothemissionorbusinessoutcomeoftheenterprise.Onewaytoidentifythesemission-criticaljobsistoreferencetheworkofthe2012TaskForceonCyberSkillsestablishedbytheSecretaryofHomelandSecurity:1)SystemandNetworkPenetrationTesters,2)ApplicationPenetrationTesters,3)SecurityMonitoringandEventAnalysts,4)IncidentRespondersIn-Depth,5)Counter-Intelligence/InsiderThreatAnalysts,6)RiskAssessmentEngineers,7)SecureCodersandCodeReviewers,8)SecurityEngineers/ArchitectureandDesign,9)SecurityEngineers/Operations,and10)AdvancedForensicsAnalysts.AcomprehensivetaxonomyofcybersecurityrolesisavailablethroughtheNationalCybersecurityWorkforceFramework,developedbytheNationalInstituteofStandardsandTechnology(NIST),whichmapstorolescommonlyfoundinenterprisesandgovernmentorganizations.

Generalawarenesstrainingforallusersalsoplaysanimportantrole.Buteventhistrainingshouldbetailoredtofunctionalrolesandfocusedonspecificactionsthatputtheorganizationatrisk,andmeasuredinordertodriveremediation.

Thekeytoupgradingskillsismeasurementthroughassessmentsthatshowboththeemployeeandtheemployerwhereknowledgeissufficientandwheretherearegaps.Oncethegapshavebeenidentified,thoseemployeeswhohavetherequisiteskillsandknowledgecanbecalledupontomentoremployeeswhoneedtoimprovetheirskills.Inaddition,theorganizationcandeveloptrainingplanstofillthegapsandmaintainemployeereadiness.

AfulltreatmentofthistopicisbeyondthescopeoftheCriticalSecurityControls.However,theCybersecurityWorkforceHandbookpublishedbytheCenterforInternetSecurity(www.cisecurity.org)providesfoundationalstepstotakeinoptimizingtheworkforceforenterprisesecurity.

62


UserAssessments

EducationPlans/TrainingPrograms

WorkforceMembers


63

CSC18:ApplicationSoftwareSecurity

Managethesecuritylifecycleofallin-housedevelopedandacquiredsoftwareinordertoprevent,detect,andcorrectsecurityweaknesses.


Attacksoftentakeadvantageofvulnerabilitiesfoundinweb-basedandotherapplicationsoftware.Vulnerabilitiescanbepresentformanyreasons,includingcodingmistakes,logicerrors,incompleterequirements,andfailuretotestforunusualorunexpectedconditions.Examplesofspecificerrorsinclude:thefailuretocheckthesizeofuserinput;failuretofilteroutunneededbutpotentiallymaliciouscharactersequencesfrominputstreams;failuretoinitializeandclearvariables;andpoormemorymanagementallowingflawsinonepartofthesoftwaretoaffectunrelated(andmoresecuritycritical)portions.Thereisafloodofpublicandprivateinformationaboutsuchvulnerabilitiesavailabletoattackersanddefendersalike,aswellasarobustmarketplacefortoolsandtechniquestoallow“weaponization”ofvulnerabilitiesintoexploits.Attackerscaninjectspecificexploits,includingbufferoverflows,SQLinjectionattacks,cross-sitescripting,cross-siterequestforgery,andclick-jackingofcodetogaincontrolovervulnerablemachines.Inoneattack,morethan1millionwebserverswereexploitedandturnedintoinfectionenginesforvisitorstothosesitesusingSQLinjection.Duringthatattack,trustedwebsitesfromstategovernmentsandotherorganizationscompromisedbyattackerswereusedtoinfecthundredsofthousandsofbrowsersthataccessedthosewebsites.Manymorewebandnon-webapplicationvulnerabilitiesarediscoveredonaregularbasis.

CSC18:ApplicationSoftwareSecurityFamily CSC ControlDescription Foun-

dationalAdvanced

Application 18.1 Forallacquiredapplicationsoftware,checkthattheversionyouareusingisstillsupportedbythevendor.Ifnot,updatetothemostcurrentversionandinstallallrelevantpatchesandvendorsecurityrecommendations.

Y

Application 18.2 Protectwebapplicationsbydeployingwebapplicationfirewalls(WAFs)thatinspectalltrafficflowingtothewebapplicationforcommonwebapplicationattacks,includingbutnotlimitedtocross-sitescripting,SQLinjection,commandinjection,anddirectorytraversalattacks.Forapplicationsthatarenotweb-based,specificapplicationfirewallsshouldbedeployedifsuchtoolsareavailableforthegivenapplicationtype.Ifthetrafficisencrypted,thedeviceshouldeithersitbehindtheencryptionorbecapableofdecryptingthetrafficpriortoanalysis.Ifneitheroptionisappropriate,ahost-basedwebapplicationfirewallshouldbedeployed.

Y

Dealingwithencrypted/tunne

ledtrafficrequiresmoreplanningandresources.

64


Advanced

Application 18.3 Forin-housedevelopedsoftware,ensurethatexpliciterrorcheckingisperformedanddocumentedforallinput,includingforsize,datatype,andacceptablerangesorformats.

Y

Application 18.4 Testin-house-developedandthird-party-procuredwebapplicationsforcommonsecurityweaknessesusingautomatedremotewebapplicationscannerspriortodeployment,wheneverupdatesaremadetotheapplication,andonaregularrecurringbasis.Inparticular,inputvalidationandoutputencodingroutinesofapplicationsoftwareshouldbereviewedandtested.

Y

Application 18.5 Donotdisplaysystemerrormessagestoend-users(outputsanitization). Y

Application 18.6 Maintainseparateenvironmentsforproductionandnonproductionsystems.Developersshouldnottypicallyhaveunmonitoredaccesstoproductionenvironments.

Y

Application 18.7 Forapplicationsthatrelyonadatabase,usestandardhardeningconfigurationtemplates.Allsystemsthatarepartofcriticalbusinessprocessesshouldalsobetested.

Y

Application 18.8 Ensurethatallsoftwaredevelopmentpersonnelreceivetraininginwritingsecurecodefortheirspecificdevelopmentenvironment.

Y

Application 18.9 Forin-housedevelopedapplications,ensurethatdevelopmentartifacts(sampledataandscripts;unusedlibraries,components,debugcode;ortools)arenotincludedinthedeployedsoftware,oraccessibleintheproductionenvironment.

Y


Thesecurityofapplications(in-housedevelopedoracquired)isacomplexactivityrequiringacompleteprogramencompassingenterprise-widepolicy,technology,andtheroleofpeople.TheseareoftenbroadlydefinedorrequiredbyformalRiskManagementFrameworksandprocesses.

AcomprehensivetreatmentofthistopicisbeyondthescopeoftheCriticalSecurityControls.However,theactionsinCSC6providespecific,high-prioritystepsthatcanimproveApplicationSoftwareSecurity.Inaddition,werecommenduseofthemanyexcellentcomprehensiveresourcesdedicatedtothistopic.Examplesinclude:theDHS“BuildSecurityIn”Program<buildsecurityin.us-cert.gov>,andTheOpenWebApplicationSecurityProject(OWASP)<www.owasp.org>.

65


CodeReview/

VulnerabilityScanner

PatchManagementSystem

WebApplicationFirewall(WAF)

WebApplicationServer


66

CSC19:IncidentResponseandManagement

Protecttheorganization’sinformation,aswellasitsreputation,bydevelopingandimplementinganincidentresponseinfrastructure(e.g.,plans,definedroles,training,communications,managementoversight)forquicklydiscoveringanattackandtheneffectivelycontainingthedamage,eradicatingtheattacker’spresence,andrestoringtheintegrityofthenetworkandsystems.


Cyberincidentsarenowjustpartofourwayoflife.Evenlarge,well-funded,andtechnicallysophisticatedenterprisesstruggletokeepupwiththefrequencyandcomplexityofattacks.Thequestionofasuccessfulcyber-attackagainstanenterpriseisnot“if”but“when.”

Whenanincidentoccurs,itistoolatetodeveloptherightprocedures,reporting,datacollection,managementresponsibility,legalprotocols,andcommunicationsstrategythatwillallowtheenterprisetosuccessfullyunderstand,manage,andrecover.Withoutanincidentresponseplan,anorganizationmaynotdiscoveranattackinthefirstplace,or,iftheattackisdetected,theorganizationmaynotfollowgoodprocedurestocontaindamage,eradicatetheattacker’spresence,andrecoverinasecurefashion.Thus,theattackermayhaveafargreaterimpact,causingmoredamage,infectingmoresystems,andpossiblyexfiltratemoresensitivedatathanwouldotherwisebepossiblewereaneffectiveincidentresponseplaninplace.

CSC19:IncidentResponseandManagementFamily CSC ControlDescription Foun-

dationalAdvanced

Application 19.1 Ensurethattherearewrittenincidentresponseproceduresthatincludeadefinitionofpersonnelrolesforhandlingincidents.Theproceduresshoulddefinethephasesofincidenthandling.

Y

Application 19.2 Assignjobtitlesanddutiesforhandlingcomputerandnetworkincidentstospecificindividuals. Y

Application 19.3 Definemanagementpersonnelwhowillsupporttheincidenthandlingprocessbyactinginkeydecision-makingroles.

Y

Application 19.4 Deviseorganization-widestandardsforthetimerequiredforsystemadministratorsandotherpersonneltoreportanomalouseventstotheincidenthandlingteam,themechanismsforsuchreporting,andthekindofinformationthatshouldbeincludedintheincidentnotification.ThisreportingshouldalsoincludenotifyingtheappropriateCommunityEmergencyResponseTeaminaccordancewithalllegalorregulatoryrequirementsforinvolvingthatorganizationincomputerincidents.

Y

67


Advanced

Application 19.5 Assembleandmaintaininformationonthird-partycontactinformationtobeusedtoreportasecurityincident(e.g.,maintainanemailaddressofsecurity@organization.comorhaveawebpagehttp://organization.com/security).

Y

Application 19.6 Publishinformationforallpersonnel,includingemployeesandcontractors,regardingreportingcomputeranomaliesandincidentstotheincidenthandlingteam.Suchinformationshouldbeincludedinroutineemployeeawarenessactivities.

Y

Application 19.7 Conductperiodicincidentscenariosessionsforpersonnelassociatedwiththeincidenthandlingteamtoensurethattheyunderstandcurrentthreatsandrisks,aswellastheirresponsibilitiesinsupportingtheincidenthandlingteam.

Y


Afterdefiningdetailedincidentresponseprocedures,theincidentresponseteamshouldengageinperiodicscenario-basedtraining,workingthroughaseriesofattackscenariosfine-tunedtothethreatsandvulnerabilitiestheorganizationfaces.Thesescenarioshelpensurethatteammembersunderstandtheirroleontheincidentresponseteamandalsohelppreparethemtohandleincidents.

AfulltreatmentofthistopicisbeyondthescopeoftheCriticalSecurityControls.However,theactionsinCSC18providespecific,high-prioritystepsthatcanimproveenterprisesecurity,andshouldbeapartofanycomprehensiveincidentandresponseplan.

68


IncidentManagementDocumentation

WorkforceMembers

ThirdPartyAuthorities


69

CSC20:PenetrationTestsandRedTeamExercises

Testtheoverallstrengthofanorganization’sdefenses(thetechnology,theprocesses,andthepeople)bysimulatingtheobjectivesandactionsofanattacker.


Attackersoftenexploitthegapbetweengooddefensivedesignsandintentionsandimplementationormaintenance.Examplesinclude:thetimewindowbetweenannouncementofavulnerability,theavailabilityofavendorpatch,andactualinstallationoneverymachine;well-intentionedpolicieswhichhavenoenforcementmechanism(especiallythoseintendedtorestrictriskyhumanactions);failuretoapplygoodconfigurationsandotherpracticestotheentireenterprise,ortomachinesthatcomein-and-outofthenetwork;andfailuretounderstandtheinteractionamongmultipledefensivetools,orwithnormalsystemoperationsthathavesecurityimplications.

Inaddition,successfuldefenserequiresacomprehensiveprogramoftechnicaldefenses,goodpolicyandgovernance,andappropriateactionbypeople.Inacomplexenvironmentwheretechnologyisconstantlyevolving,andnewattackertradecraftappearsregularly,organizationsshouldperiodicallytesttheirdefensestoidentifygapsandtoassesstheirreadiness.

Penetrationtestingstartsfromtheidentificationandassessmentofvulnerabilitiesthatcanbeidentifiedintheenterprise.Itcomplementsthisbydesigningandexecutingteststhatdemonstratespecificallyhowanadversarycaneithersubverttheorganization’ssecuritygoals(e.g.,theprotectionofspecificIntellectualProperty)orachievespecificadversarialobjectives(e.g.,establishmentofacovertCommandandControlinfrastructure).Theresultprovidesdeeperinsight,throughdemonstration,intothebusinessrisksofvariousvulnerabilities.

RedTeamexercisestakeacomprehensiveapproachatthefullspectrumoforganizationpolicies,processes,anddefensesinordertoimproveorganizationalreadiness,improvetrainingfordefensivepractitioners,andinspectcurrentperformancelevels.IndependentRedTeamscanprovidevaluableandobjectiveinsightsabouttheexistenceofvulnerabilitiesandtheefficacyofdefensesandmitigatingcontrolsalreadyinplaceandevenofthoseplannedforfutureimplementation.

70

CSC20:PenetrationTestsandRedTeamExercisesFamily CSC ControlDescription Foun-

dationalAdvanced

Application 20.1 Conductregularexternalandinternalpenetrationteststoidentifyvulnerabilitiesandattackvectorsthatcanbeusedtoexploitenterprisesystemssuccessfully.Penetrationtestingshouldoccurfromoutsidethenetworkperimeter(i.e.,theInternetorwirelessfrequenciesaroundanorganization)aswellasfromwithinitsboundaries(i.e.,ontheinternalnetwork)tosimulatebothoutsiderandinsiderattacks.

Y

Application 20.2 Anyuserorsystemaccountsusedtoperformpenetrationtestingshouldbecontrolledandmonitoredtomakesuretheyareonlybeingusedforlegitimatepurposes,andareremovedorrestoredtonormalfunctionaftertestingisover.

Y

Application 20.3 PerformperiodicRedTeamexercisestotestorganizationalreadinesstoidentifyandstopattacksortorespondquicklyandeffectively.

Y

Application 20.4 Includetestsforthepresenceofunprotectedsysteminformationandartifactsthatwouldbeusefultoattackers,includingnetworkdiagrams,configurationfiles,olderpenetrationtestreports,emailsordocumentscontainingpasswordsorotherinformationcriticaltosystemoperation.

Y

Application 20.5 Plancleargoalsofthepenetrationtestitselfwithblendedattacksinmind,identifyingthegoalmachineortargetasset.ManyAPT-styleattacksdeploymultiplevectors—oftensocialengineeringcombinedwithwebornetworkexploitation.RedTeammanualorautomatedtestingthatcapturespivotedandmulti-vectorattacksoffersamorerealisticassessmentofsecuritypostureandrisktocriticalassets.

Y

Application 20.6 Usevulnerabilityscanningandpenetrationtestingtoolsinconcert.Theresultsofvulnerabilityscanningassessmentsshouldbeusedasastartingpointtoguideandfocuspenetrationtestingefforts.

Y

Application 20.7 Whereverpossible,ensurethatRedTeamsresultsaredocumentedusingopen,machine-readablestandards(e.g.,SCAP).DeviseascoringmethodfordeterminingtheresultsofRedTeamexercisessothatresultscanbecomparedovertime.

Y

71


Advanced

Application 20.8 CreateatestbedthatmimicsaproductionenvironmentforspecificpenetrationtestsandRedTeamattacksagainstelementsthatarenottypicallytestedinproduction,suchasattacksagainstsupervisorycontrolanddataacquisitionandothercontrolsystems.

Y


PenetrationtestingandRedTeamingonlyprovidesignificantvaluewhenbasicdefensivemeasureshavealreadybeenputintoplace,andwhentheyareperformedaspartofacomprehensive,ongoingprogramofsecuritymanagementandimprovement.TheseareoftenspecifiedandrequiredbyformalRiskManagementFrameworksandprocesses.

EachorganizationshoulddefineaclearscopeandrulesofengagementforpenetrationtestingandRedTeamanalyses.Thescopeofsuchprojectsshouldinclude,ataminimum,systemswiththeorganization’shighestvalueinformationandproductionprocessingfunctionality.Otherlower-valuesystemsmayalsobetestedtoseeiftheycanbeusedaspivotpointstocompromisehigher-valuetargets.TherulesofengagementforpenetrationtestsandRedTeamanalysesshoulddescribe,ataminimum,timesofdayfortesting,durationoftests,andtheoveralltestapproach.

AfulltreatmentofthistopicisbeyondthescopeoftheCISCriticalSecurityControls.However,theactionsinCSC20providespecific,high-prioritystepsthatcanimproveenterprisesecurity,andshouldbeapartofanycomprehensivepenetrationtestingandRedTeamprogram.

72

CSC20EntityRelationshipDiagram

PenetrationTesters

ComputingSystems

PenetrationTestingSystems


73

AppendixA:EvolvingAnAttackModelfortheCISCriticalSecurityControls.

Background

Sincetheirinception,theCISCriticalSecurityControls(“theControls”)havehadabasictenetof“OffenseInformsDefense”.Thatis,knowledgeofactualattacksthathavecompromisedsystems(theBadGuys’“offense”)isthekeyfactortoinformanddeterminethevalueofdefensiveactions.Youmaynotbeabletoaffordtodoeverythingyouwantorneedtodoandsocyberdefensemustbedrivenbyprioritization–whatshouldIdofirsttogetthemostvaluefrommydefensiveresources?Webelievethatvalueisbestdeterminedbytheattacker–whataretheydoingtousnow,andwhatarethemostuseful,scalableactionswecantaketostopthem?

TheControlsreflectandknowledgeofactualattacksandeffectivedefensesgatheredfromexpertsfromeverypartoftheecosystemacrossmanysectors.Todothis,ateamreviewedandanalyzedattackdatafrommanyoftheleadingvendorthreatreportstoensuretheControlsadequatelyalignedwiththemostprevalentthreats.Wecallthisprocessa“CommunityAttackModel”fortheCISCriticalSecurityControls–thegatheringofrelevantreal-lifeinformationaboutattacksandputtingthemintocontextsotheycanbeeasilyandreliablymappedtodefensiveaction.“Community”referstothebreadthoftheparticipantsandinformationsources,andalsotothesharedlaborthatoperatesthisprocess.ButwealsoemphasizethatthesearethethreatsthattheentireCommunityfaces–thedocumented,specificsuccessesoftheAttackers.Anyonespecificcategoryofattackmightnothavehityoutoday,butitcouldjustaseasilydosotomorrow.

ACommunityApproachtoUnderstandingAttacksandThreats

TheCommunityAttackModelbeganbyvalidatingandenrichingmappingfromawell-documentedandauthoritativesourceof“reallife”data–theVerizonDataBreachInvestigationsReport(2013,2014,2015).AftertheVerizonteamdidtheirprimaryanalysis,avolunteerpanelformedbytheCenterforInternetSecurityworkedwiththemtomapthemostimportantcategoriesofattacksseenintheprioryear’sdatadirectlyintheControls(atasub-Control)level,andthismapbecameakeypartoftheVerizonDBIRRecommendations.Morerecently,wecompletedsimilarmappingsusingannualreportsworkingwithSymantecInternetSecurityReport2015andHPCyberRiskReport2015.Thisapproachallowsreadersofthesedata-drivenannualreportstoeasilyandconsistentlymapintotheControls.

Acoupleofkeypointstonoteaboutthisworkflow.

• Themappingisfromthevendor’scategoryorsummarylevelofattacks–notfromdataabouteveryindividualattack.

74

• Thedataiscreatedbythevendor’sbusinessmodel(e.g.,incidentresponse,managedsecurity,anti-malwaresensors,threatintelligence),andsoeachrepresentsanincompletebutwell-documentedsamplingoftheecosystem.

• Thecategoriesusedbythevendorsaretypicallyinnarrativeform,andnotpresentedinanystandardformortaxonomy.Recommendationsarealsotypicallyinnarrativeform,nottiedtoanyspecificdefensiveframework.Therefore,mappingfromanyonevendor’sreporttotheControlsrequiressomediscussionandanalyticjudgment.

Theuseofthisattackinformationandtheselectionofappropriatedefensiveactioncanbeseenaspartofabroader“FoundationalRiskAssessment”ofunderstandingvulnerabilities,thethreatsandtheresultingconsequences–onethatcanbeusedbyanindividualenterpriseasastartingpointforimmediate,high-valueaction,andcanalsoprovideabasisforcommonactionacrossanentirecommunity.

BuildingAnOperationalAttackModel

AsthecommunityaroundtheControlshasgrowninsizeanddiversity,andastheenvironmenthasgrownmorecomplex,wemustevolvethisModeltobemorescalable,repeatable,adaptabletodifferentcommunities,andmoreconsistentwithformalsecurityframeworks–allwithoutdisruptingthespiritofcooperationandcommongoodthathasbroughtusthisfar.

Whetheryouapproachthisproblemasanindividualenterpriseorasacommunityofenterprises,youmustcreateandoperateanongoing,repeatableprocesstofindrelevantnewinformationaboutAttackers,assesstheimplicationsforyourenvironment,makekeydecisions,andthentakeaction.Doingsowillhelpdetermineyourbestinvestmentsbothtacticallyandstrategically.

Attackers Solutions,servicesvendors

•collect,analyzeattackdata

•summarizebyclasses,categories;prioritize

•makerecommendations,publishreport

CenterforInternetSecurity

•foreachreport,mapfromclassesofproblemsintotheCSCs(sub-Controls)

•publisheachmapping

•refreshControlsasneeded

75

Ausefulmodelwillhaveanumberofessentialattributes.

• Itshouldbedrivenbydatafromauthoritative,publiclyavailablesources,butalsobeabletomakeuseofspecialized(e.g.,uniquelyapplicabletoasector)orrestricted(e.g.,encumberedbyclassificationoragreement)knowledge.

• Itshouldhaveawell-definedprocesstotranslatefromattackstoaction(controls)inawaythatsupportsprioritizationandisconsistentwithformalRiskManagementFrameworks.

• Itshouldhaveanon-going“refresh”cyclethatallowsvalidationofpriordefensivechoices,aswellasassessmentofnewinformation.

• Itshouldbelowcost,andpreferablysharedcostacrossacommunity.• Itshouldbeopenlydemonstrabletoothersandnegotiable(sinceyourriskisalways

sharedwithothers).

SotheevolutionoftheCISCriticalSecurityControlswillfollowtheaboveguidelinestocontinuallyenrichandrefreshtheControls.Itwillexpandthenumberandvarietyofthreatreports,developastandardcategorizationortaxonomyofattackstomaptootherframeworksandwilltakeadvantageofexistingavenuesforinformationsharing,suchasusingtheMulti-StateInformationSharingandAnalysisCenter(MS-ISAC).

76

AppendixB:AttackTypes

Historically,thefollowingAttackTypesweretheprimaryonesconsideredwhendevelopingtheCriticalSecurityControls.ThetypeswerealsomappedbackintotheControlsaspartofthediscussiontoensuregoodcoveragebytheControls.ThisapproachhasbeenphasedoutinfavoroftheCISCommunityAttackModel.

AttackSummaryAttackerscontinuallyscanfornew,unprotectedsystems,includingtestorexperimentalsystems,andexploitsuchsystemstogaincontrolofthem.AttackersdistributehostilecontentonInternet-accessible(andsometimesinternal)websitesthatexploitunpatchedandimproperlysecuredclientsoftwarerunningonvictimmachines.Attackerscontinuallyscanforvulnerablesoftwareandexploitittogaincontroloftargetmachines.Attackersusecurrentlyinfectedorcompromisedmachinestoidentifyandexploitothervulnerablemachinesacrossaninternalnetwork.Attackersexploitweakdefaultconfigurationsofsystemsthataremoregearedtoeaseofusethansecurity.Attackersexploitnewvulnerabilitiesonsystemsthatlackcriticalpatchesinorganizationsthatdonotknowthattheyarevulnerablebecausetheylackcontinuousvulnerabilityassessmentsandeffectiveremediation.Attackerscompromisetargetorganizationsthatdonotexercisetheirdefensestodetermineandcontinuallyimprovetheireffectiveness.Attackersusemaliciouscodetogainandmaintaincontroloftargetmachines,capturesensitivedata,andthenspreadittoothersystems,sometimeswieldingcodethatdisablesordodgessignature-basedanti-virustools.Attackersscanforremotelyaccessibleservicesontargetsystemsthatareoftenunneededforbusinessactivities,butprovideanavenueofattackandcompromiseoftheorganization.Attackersexploitweakapplicationsoftware,particularlywebapplications,throughattackvectorssuchasSQLinjection,cross-sitescripting,andsimilartools.Attackersexploitwirelessaccesspointstogainentryintoatargetorganization’sinternalnetwork,andexploitwirelessclientsystemstostealsensitiveinformation.Attackersexploitusersandsystemadministratorsviasocialengineeringscamsthatworkbecauseofalackofsecurityskillsandawareness.Attackersexploitandinfiltratethroughnetworkdeviceswhosesecurityconfigurationhasbeenweakenedovertimebygranting,forspecificshort-termbusinessneeds,supposedlytemporaryexceptionsthatareneverremoved.

77

Attackerstrickauserwithanadministrator-levelaccountintoopeningaphishing-styleemailwithanattachmentorsurfingtotheattacker’scontentonanInternetwebsite,allowingtheattacker’smaliciouscodeorexploittorunonthevictimmachinewithfulladministratorprivileges.AttackersexploitboundarysystemsonInternet-accessibleDMZnetworks,andthenpivottogaindeeperaccessoninternalnetworks.Attackersexploitpoorlydesignednetworkarchitecturesbylocatingunneededorunprotectedconnections,weakfiltering,oralackofseparationofimportantsystemsorbusinessfunctions.

Attackersoperateundetectedforextendedperiodsoftimeoncompromisedsystemsbecauseofalackofloggingandlogreview.

Attackersgainaccesstosensitivedocumentsinanorganizationthatdoesnotproperlyidentifyandprotectsensitiveinformationorseparateitfromnon-sensitiveinformation.Attackerscompromiseinactiveuseraccountsleftbehindbytemporaryworkers,contractors,andformeremployees,includingaccountsleftbehindbytheattackersthemselveswhoareformeremployees.Attackersescalatetheirprivilegesonvictimmachinesbylaunchingpasswordguessing,passwordcracking,orprivilegeescalationexploitstogainadministratorcontrolofsystems,whichisthenusedtopropagatetoothervictimmachinesacrossanenterprise.Attackersgainaccesstointernalenterprisesystemsandgatherandexfiltratesensitiveinformationwithoutdetectionbythevictimorganization.Attackerscompromisesystemsandalterimportantdata,potentiallyjeopardizingorganizationaleffectivenessviapollutedinformation.Attackersoperateundiscoveredinorganizationswithouteffectiveincident-responsecapabilities,andwhentheattackersarediscovered,theorganizationsoftencannotproperlycontaintheattack,eradicatetheattacker’spresence,orrecovertoasecureproductionstate.

78

AppendixC:TheNISTFrameworkforImprovingCriticalInfrastructureCybersecurity

SinceitsreleaseinFebruary2014,TheNISTFrameworkforImprovingCriticalInfrastructureCybersecurityhasbecomeamajorpartofthenationalconversationaboutcybersecurityforthecriticalinfrastructure(andbeyond),andwebelieveitrepresentsanimportantsteptowardslarge-scaleandspecificimprovementsinsecurityfortheUnitedStatesandinternationally.TheCenterforInternetSecuritywasanactiveparticipantinthedevelopmentoftheFramework,andtheCISCriticalSecurityControlsarecalledoutasoneofthe“InformativeReferences”thatcanbeusedtodrivespecificimplementation.TheFrameworkistruetoitsname–“asetofprinciples,ideas,etc.thatyouusewhenyouareformingyourdecisionsandjudgments”(fromtheMacMillanDictionary)–anditprovidesawaytoorganize,conduct,anddrivetheconversationaboutsecuritygoalsandimprovements,forindividualenterprisesandacrosscommunitiesofenterprises.Butitdoesnotincludeanyspecificriskmanagementprocess,orspecifyanypriorityofaction.Those“decisionsandjudgments”arelefttotheadoptertomanagefortheirspecificsituationandcontext.

Webelievethatforthevastmajorityofenterprises,thebestapproachtosolvingtheseproblemsistotacklethemasacommunity–notenterprise-by-enterprise.ThisistheessenceoftheCISnon-profitcommunitymodel,andisembodiedinprojectsliketheCISCriticalSecurityControls,theCISSecurityConfigurationBenchmarks,andtheNationalCyberHygieneCampaign.Weneedtobandtogethertoidentifykeyactions,createinformation,sharetools,andremovebarrierssothatwecanallsucceed.

InthatspirittheCenterforInternetSecuritywillcontinuetosupporttheevolutionoftheFramework,andalsohelpourcommunityleveragethecontent,processes,andprioritiesoftheCISCriticalSecurityControlsasanactionmechanisminalignmentwiththeNISTCybersecurityFramework.

BelowisanexampleoftheworkingaidsthatCISmaintainstohelpourcommunityleveragetheFramework.ThischartshowsthemappingfromtheCriticalSecurityControls(Version6.0)intothemostrelevantNISTCSF(Version1.0)CoreFunctionsandCategories.

CybersecurityFramework(CSF)CoreCISCriticalSecurityControls(V6.0) Identify Protect Detect Respond RecoverCSC1:InventoryofAuthorizedandUnauthorizedDevices AM

CSC2:InventoryofAuthorizedandUnauthorizedSoftware AM

79

CybersecurityFramework(CSF)CoreCISCriticalSecurityControls(V6.0) Identify Protect Detect Respond RecoverCSC3:SecureConfigurationofEnduserdevices IP

CSC4:ContinuousVulnerabilityAssessmentandRemediation RA CM MI

CSC5:ControlledUseofAdministrativePrivileges AC

CSC6:Maintenance,Monitoring,andAnalysisofAuditLogs AE AN

CSC7:EmailandWebBrowserProtections PT

CSC8:MalwareDefense PT CM

CSC9:LimitationandControlofNetworkPorts,Protocols,andService

IP

CSC10:DataRecoveryCapability RP

CSC11:SecureConfigurationofNetworkDevices IP

CSC12:BoundaryDefense DP

CSC13:DataProtection DS

CSC14:ControlledAccessBasedonNeedtoKnow AC

CSC15:WirelessAccessControl AC

CSC16:AccountMonitoringandControl AC CM

CSC17:SecuritySkillsAssessmentandAppropriateTraining

AT

CSC18:ApplicationSoftwareSecurity IP

CSC19:IncidentResponseandManagement AE RP

CSC20:PenetrationTestsandRedTeamExercises IM IM

80

AppendixD:TheNationalCyberHygieneCampaign

TheNationalCampaignforCyberHygienewasdevelopedtoprovideaplain-language,accessible,andlow-costfoundationforimplementationoftheCISCriticalSecurityControls.AlthoughtheControlsalreadysimplifythedauntingchallengesofcyberdefensebycreatingcommunityprioritiesandaction,manyenterprisesarestartingfromaverybasiclevelofsecurity.

TheCampaignstartswithafewbasicquestionsthateverycorporateandgovernmentleaderoughttobeabletoanswer.

• Doweknowwhatisconnectedtooursystemsandnetworks?(CSC1)• Doweknowwhatsoftwareisrunning(ortryingtorun)onoursystemsand

networks?(CSC2)• Arewecontinuouslymanagingoursystemsusing“knowngood”configurations?

(CSC3)• Arewecontinuouslylookingforandmanaging“knownbad”software?(CSC4)• Dowelimitandtrackthepeoplewhohavetheadministrativeprivilegestochange,

bypass,orover-rideoursecuritysettings?(CSC5)

Thesequestions,andtheactionsrequiredtoanswerthem,arerepresentedin“plainlanguage”bytheTop5PrioritiesoftheCampaign:“Count,Configure,ControlPatch,Repeat”.TosupporttheCampaign,volunteershavecreateddocumentationand“toolkits”toguideimplementation.

Althoughthelanguageissimpleandcatchy,behindthesceneseachofthesequestionsisassociatedwithaprimaryControlthatprovidesanactionplan.TheCampaignisalsodesignedtobeinalignmentwiththefirst5oftheCISCriticalSecurityControls,theAustralianSignalsDirectorate’s(ASD)“TopFourStrategiestoMitigateTargetedIntrusions,andtheDHSContinuousDiagnosticandMitigation(CDM)Program.ThisprovidesastronganddefendablebasisfortheCampaignPriorities,agrowthpathformaturitybeyondthesebasicactions,andthebenefitsofalargecommunityofexperts,users,andvendors.

TheNationalCampaignforCyberHygienehasbeenjointlyadoptedbytheCenterforInternetSecurity(homeoftheMulti-StateInformationSharingandAnalysisCenter)andtheNationalGovernor’sAssociationHomelandSecurityAdvisoryCouncil(GHSAC)asafoundationalcybersecurityprogramacrossmanyState,Local,Tribal,andTerritorialgovernmentsandofferstoolkitsandresourcesforanypublicorprivateorganization.

Formoreinformation,gotowww.cisecurity.org.

81

AppendixE:CriticalGovernanceControlsandtheCISCriticalSecurityControls

Cybersecuritygovernanceisakeyresponsibilityoftheboardofdirectorsandseniorexecutives,anditmustbeanintegralpartofoverallenterprisegovernance.Becauseofitsdynamicnature,cybersecuritygovernancemustalsobealignedwithanoperationalcybersecurityframework.

Toexerciseeffectivegovernance,executivesmusthaveaclearunderstandingofwhattoexpectfromtheirinformationsecurityprogram.Theyneedtoknowhowtodirecttheimplementation,evaluatetheirownstatuswithregardtoexistingsecurityprograms,anddeterminethestrategyandobjectivesofaneffectivesecurityprogram.

HowtheCISCriticalSecurityControlsCanHelp

TheControlsareactionable,automatedactivitiesthatdetectandpreventattacksagainstyournetworkandmostimportantdata.Theysupportenterprisesecuritygovernanceprogramsbybridgingthegapfromanexecutiveviewofbusinessrisktoatechnicalviewofspecificactionsandoperationalcontrolstomanagethoserisks.Keyexecutiveconcernsaboutinformationsecurityriskscanbetranslatedintospecificprogramsforsecurityimprovement,andalsointoday-to-daysecuritytasksforfront-linepersonnel.Thisallowsbetteralignmenttop-to-bottomofcorporateriskmanagement.Also,sincetheControlsarecreatedandsupportedbyalargeindependentcommunityofpractitionersandvendors,theyprovideaspecific,supported,andopenbaselineformeasurementandnegotiationaboutsecurityimprovement–onethatisdemonstrablyinalignmentwithessentiallyallformalregulatory,governance,andoversightframeworks.FromGovernancetotheCISCriticalSecurityControlsTohelpimproveyourcompany'sabilitytomanageinformationrisks,herearesomesamplestepstohelpyoualigncorporategovernanceconcernswiththeimplementationofsecuritycontrols.Theseexamplesidentifytheprimary,butnottheonly,CISCriticalSecurityControlswhichshouldbeimplemented.Governanceitem#1:Identifyyourmostimportantinformationassetsandtheimpactonyourbusinessormissioniftheyweretobecompromised.

Informationisthelifebloodofeverymodernenterprise,andthemovement,storage,andcontrolofthatinformationisinextricablyboundtotheuseofInformationTechnology.ThereforethefollowingCISCriticalSecurityControlsaretheprimarymeanstotrackandcontrolthesystemcomponentsthatmanagetheflow,presentation,anduseofinformation.

CSC1—InventoryofAuthorizedandUnauthorizedDevices

CSC2—InventoryofAuthorizedandUnauthorizedandSoftware

82

GovernanceItem#2:Managetheknowncybervulnerabilitiesofyourinformationandmakesurethenecessarysecuritypoliciesareinplacetomanagetherisk.

Ataminimum,youshouldbeabletoidentifyandmanagethelargevolumeofknownflawsandvulnerabilitiesfoundinInformationTechnologyandprocesses.ThefollowingCISCriticalSecurityControlsaretheprimarymeanstoestablishabaselineofresponsiblepracticesthatcanbemeasured,managed,andreported.

CSC3:SecureConfigurationsofHardwareandSoftware

CSC4:ContinuousVulnerabilityAssessmentandRemediation

GovernanceItem#3:Clearlyidentifythekeythreatstoyourinformationandassesstheweaknessesinyourdefense.

Threatstoyourinformation,systems,andprocessesevolveconstantly.ThefollowingCISCriticalSecurityControlsaretheprimarymeanstoestablishabaselineofresponsiblepracticesthatcanbemeasured,managed,andreported.

CSC8:MalwareDefenses

CSC20:PenetrationTestsandRedTeamExercises

GovernanceItem#4:Confirmandcontrolwhohasaccesstothemostimportantinformation.

Ensuringthattherightpeoplehaveaccesstocorporatedataandensuringprivilegesaremanagedaccuratelycanreducetheimpactofunauthorizedaccess,bothfrominternalthreatsandexternal.ThefollowingCISCriticalSecurityControlsaretheprimarymeanstoestablishabaselineofresponsiblepracticestoidentifyneedsandmanageaccess.

CSC5:ControlledUseofAdministrativePrivileges

CSC14:ControlledAccessBasedontheNeedtoKnow

Afundamentalgoalofinformationsecurityistoreduceadverseimpactsontheorganizationtoanacceptablelevelofrisk.Therefore,acrucialmetriccomprisestheadverseimpactsofinformationsecurityincidentsexperiencedbythecompany.Aneffectivesecurityprogramwillshowatrendofimpactreduction.Quantitativemeasurescanincludetrendanalysisofimpactsovertime.

83

DevelopinganOverallGovernanceStrategy

WhiletheCISCriticalSecurityControlsprovideaneffectivewaytoplan,prioritize,andimplementprimarilytechnicalcontrolsforcyberdefense,theyarebestusedaspartofaholisticinformationgovernanceprogram–onethatalsoaddressespolicies,standards,andguidelinesthatsupporttechnicalimplementations.Forexample,conductinganinventoryofdevicesonyournetworkisanimportanttechnicalbestpractice,butanorganizationmustalsodefineandpublishpoliciesandprocessesthatclearlycommunicatetoemployeesthepurposeofthesecontrols,whatisexpectedofthemandtheroletheyplayinprotectingthecompany’sinterests.

Thefollowingtopicsprovideausefulframeworkfordevelopingyouroverallgovernancestrategy.Basedonourexperience,theseareprioritizedbasedontheirimpactinbuildingandsupportinganeffectiveinformationassuranceprogram.

ExecutiveSponsorship:Developinformationassurancecharterswithrolesandresponsibilities,steeringcommittees,andboardofdirectorbriefingstoestablishsupportandleadershipfromexecutives.

InformationAssuranceProgramManagement:Definemanagementandresourceallocationcontrols,suchasbudgeting,andprioritizationtogoverninformationassuranceprogramsunderexecutivesponsorship.

InformationAssurancePoliciesandStandardsManagement:Defineanddocumentpoliciesandstandardstoprovidedetailedguidanceregardinghowsecuritycontrolswillbecompletedtopromoteconsistencyindefense.

DataClassification:Identify,prioritizeandlabeldataassets,includinganalogorphysicalassets.

RiskManagement:Identifythoughtfulandpurposefuldefensestrategiesbasedonprioritydecisionsonhowbesttodefendvaluabledataassets.

ComplianceandLegalManagement:Addresscompliancerequirementsbasedontheregulatoryandcontractualrequirementsplacedonyourorganization.

SecurityAwarenessandEducation:Establisheducationplansforallworkforcememberstoensurethattheyhavethenecessaryskillstoprotectinformationassetsasapartoftheirresponsibilities.

AuditandAssessmentManagement:Conductauditsandassessmentstoensurethatinformationassuranceeffortsareconsistentwiththestandardsyouhavedefinedandtoassistinyoureffortstomanagerisk.

84

PersonnelandHumanResourcesManagement:Specifypersonnelandhumanresourcescontrolstomanagethewaypeopleinteractwithdataassets.People,aswellastechnologycontrols,arecriticalforthedefenseofinformationassets.

BudgetsandResourceManagement:Allocateappropriateresourcesinordertobeeffectiveatdefense.Informationassurancearchitecturesarevitalfordefense,butwithoutbudgetsandresources,suchplanswillneverbeeffective.

PhysicalSecurity:Protecttheequipment,buildings,andlocationswheredataassetsarestoredtoprovideafoundationforthelogicalsecurityofdataassets.

IncidentResponseManagement:Specifytheplannedmanagementofhowyouwillrespondinthefaceofpotentiallyadverseevents.Thisactsasacomponentofbusinesscontinuityanddisastermanagement.

BusinessContinuityandDisasterRecoveryManagement:Specifyresiliencycontrolstohelpmitigatepotentiallossesduetopotentialdisruptionstobusinessoperations.

ProcurementandVendorManagement:Partnerwithbusinessassociatesindefendingtheirdataassets.TheControlsdefinehowanorganizationalignswiththirdpartiesandvendorstoprotecttheirdataassets.

ChangeandConfigurationManagement:Assess,acceptordeny,andlogchangestosystems,especiallyconfigurationchangesinasystematicformalmannerinordertodefendtheorganization’sinformationassets.

Organizationsareencouraged(andmanyarerequired)toimplementthesegovernancecontrolsinparallelwiththetechnicalcontrolsdefinedelsewhereinthisdocument.Bothtechnicalandgovernancerelatedcontrolsshouldbeconsideredequallyimportantpillarsinthearchitectureofanorganization’sdefense.

85

AppendixF:TowardAPrivacyImpactAssessment(PIA)fortheCISCriticalSecurityControls

Introduction

Aneffectivepostureofenterprisecybersecurityneednot,and,indeed,shouldnotcompromiseindividualprivacy.Manylaws,regulations,guidelines,andrecommendationsexisttosafeguardprivacy,andenterpriseswill,inmanycases,adapttheirexistingpoliciesonprivacyastheyapplytheControls.

Ataminimum,useoftheControlsshouldconformtothegeneralprinciplesembodiedintheFairInformationPracticeprinciples(FIPs)2andinPrivacybyDesign.3AllenterprisesthatapplytheControlsshouldundertake–andmakeavailabletostakeholders–privacyimpactassessmentsofrelevantsystemstoensurethatappropriateprotectionsareinplaceastheControlsareimplemented.Everyenterpriseshouldalsoregularlyreviewtheseassessmentsasmaterialchangestoitscybersecuritypostureareadopted.TheaimistoassessandmitigatethemajorpotentialprivacyrisksassociatedwithimplementingspecificControlsaswellasevaluatetheoverallimpactoftheControlsonindividualprivacy.

ToassistenterprisesineffortstoconductaprivacyimpactassessmentwhenimplementingtheControlsandtocontributetotheestablishmentofamoregeneralreferencestandardforprivacyandtheControls,CISwillconvenetechnicalandprivacyexpertstorevieweachControlandofferrecommendationsforbestpractice.

ThefollowingframeworkwillhelpguidethiseffortandprovideapossibleoutlineforaPrivacyImpactAssessment.

PrivacyImpactAssessmentoftheCISCriticalSecurityControls

I.Overview

OutlinethepurposeofeachControlandprovidejustificationforanyactualorpotentialintersectionwithprivacy-sensitiveinformation.

• Wherepossible,identifyhowtechnologies,procedures,anddataflowsareusedtoimplementtheControl.ProvideabriefdescriptionofhowtheControlgenerally

2Seehttp://www.dhs.gov/publication/fair-information-practice-principles-fipps,andhttp://www.nist.gov/nstic/NSTIC-FIPPs.pdf.

3Seehttps://www.privacybydesign.ca.TheapproachdiscussedinthisAnnexdrawsheavilyonpublicsectorapproachesintheUnitedStates,butcanbeadaptedforanyjurisdiction.

86

collectsandstoresinformation.IdentifythetypeofdatacollectedbytheControlandthekindsofinformationthatcanbederivedfromthisdata.IndiscussinghowtheControlmightcollectandusePII,includeatypicaltransactionthatdetailsthelifecycleofthatPIIfromcollectiontodisposal.

• Describethemeasuresnecessarytoprotectprivacydataandmitigateanyrisksofunauthorizedaccessorinadvertentdisclosureofthedata.Theaimhereisnottolisteverypossiblerisktoprivacy,butrather,toprovideaholisticviewoftheriskstoprivacythatcouldarisefromimplementationoftheControl.

• Describeanypotentialad-hocorroutineinformationsharingthatwillresultfromtheimplementationoftheControlbothwithintheenterpriseandwithexternalsharingpartners.Alsodescribehowsuchexternalsharingiscompatiblewiththeoriginalcollectionoftheinformation,andwhatagreementswouldneedtobeinplacetosupportthissharing.

II.Authorities

Identifythelegalauthoritiesorenterprisepoliciesthatwouldpermitor,conversely,limitorprohibitthecollectionoruseofinformationbytheControl.

• ListthestatutoryandregulatoryauthoritiesthatwouldgovernoperationoftheControl,includingtheauthoritiestocollecttheinformationidentifiedabove.Explainhowthestatutoryandregulatoryauthoritiespermitorwouldlimitcollectionanduseoftheinformationorgoverngeographicstoragerequirements.IftheControlwouldconceivablycollectPersonallyIdentifiableInformation(PII),alsoidentifythespecificstatutoryauthoritythatwouldpermitsuchcollection.

• Wouldtheresponsibleofficeofanenterprisebeabletorelyonauthoritiesofanotherparentorganization,subsidiary,partneroragency?

• MighttheinformationcollectedbytheControlbereceivedfromaforeignuser,organizationorgovernment?Ifso,doanyinternationalagreement,contract,privacypolicyormemorandumofunderstandingexisttosupportorotherwisegovernthiscollection?

III.CharacterizingControl-RelatedInformation

IdentifythetypeofdatatheControlcollects,uses,disseminates,ormaintains.

• ForeachControl,identifyboththecategoriesoftechnologysources,logs,orindividualsfromwhominformationwouldbecollected,and,foreachcategory,listanypotentialPII,thatmightbegathered,used,orstoredtosupporttheControl.

o Relevantinformationhereincludes(butisnotlimitedto):name;dateofbirth;mailingaddress;telephonenumbers;socialsecuritynumber;e-mailaddress;mother’smaidenname;medicalrecordslocators;bankaccountnumbers;healthplanbeneficiaries;anyotheraccountnumbers;certificatesorotherlicensenumbers;vehicleidentifiers,includinglicenseplates;

87

marriagerecords;civilorcriminalhistoryinformation;medicalrecords;deviceidentifiersandserialnumbers;educationrecords;biometricidentifiers;photographicfacialimages;oranyotheruniqueidentifyingnumberorcharacteristic.

• IftheoutputoftheControl,orsystemonwhichitoperates,createsnewinformationfromdatacollected(forexample,ascoring,analysis,orreport),thismightthisnewinformationhaveprivacyimplications?Ifso,performthesameaboveanalysisonthenewlycreatedinformation.

• IftheControlusesinformationfromcommercialsourcesorpubliclyavailabledatatoenrichotherdatacollected,explainhowthisinformationmightbeused.

o Commercialdataincludesinformationfromdataaggregators(suchasLexisNexis,threatfeeds,ormalwaredatabases),orfromsocialnetworkingsourceswheretheinformationwasoriginallycollectedbyaprivateorganization.

o Publiclyavailabledataincludesinformationobtainedfromtheinternet,newsfeeds,orfromstateorlocalpublicrecords,suchascourtrecordswheretherecordsarereceiveddirectlyfromthestateorlocalagency,ratherthanfromacommercialdataaggregator.

o Identifyscenarioswiththisenricheddatamightderivedatathatcouldhaveprivacyimplications.Ifso,performthesameaboveanalysisonthenewlycreatedinformation.

• IdentifyanddiscusstheprivacyrisksforControlinformationandexplainhowtheyaremitigated.Specificrisksmaybeinherentinthesourcesormethodsofcollection.

• ConsiderthefollowingFairInformationPracticeprinciples(FIPs):o PrincipleofPurposeSpecification:ExplainhowthecollectionofPIIbythe

Controllinkstothecybersecurityneedsoftheenterprise.o PrincipleofMinimization:IsthePIIdatadirectlyrelevantandnecessaryto

accomplishthespecificpurposesoftheControl?o PrincipleofIndividualParticipation:DoestheControl,totheextentpossible

andpractical,collectPIIdirectlyfromindividuals?

IV.UsesofControl-RelatedInformation

DescribetheControl’suseofPIIorprivacyprotecteddata.DescribehowandwhytheControlusesthisdata.

• Listlikelyusesoftheinformationcollectedormaintained,bothinternalandexternaltotheenterprise.Explainhowandwhydifferentdataelementswillbeused.IfSocialSecuritynumbersarecollectedforanyreason,forexample,describewhysuchcollectionisnecessaryandhowsuchinformationwouldbeused.Describetypesofproceduresandprotectionstobeinplacetoensurethatinformationishandledappropriately,andpoliciesthatneedtobeinplacetoprovideusernotification.

• DoestheControlmakeuseoftechnologytoconductelectronicsearches,queries,oranalysesinadatabasetodiscoverorlocateapredictivepatternorananomaly?If

88

so,describewhatresultswouldbeachievedandiftherewouldbepossibilityofprivacyimplications.

• SomeControlsrequiretheprocessingoflargeamountsofinformationinresponsetouserinquiryorprogrammedfunctions.TheControlsmayhelpidentifydatathatwerepreviouslynotidentifiableandmaygeneratetheneedforadditionalresearchbyanalystsorotheremployees.SomeControlsaredesignedtoperformcomplexanalyticaltasksresultinginothertypesofdata,matching,relationalanalysis,scoring,reporting,orpatternanalysis.

• Discusstheresultsgeneratedbytheusesdescribedabove,includinglinkanalysis,scoring,orotheranalyses.Theseresultsmaybegeneratedelectronicallybytheinformationsystem,ormanuallythroughreviewbyananalyst.Wouldtheseresultspotentiallyhaveprivacyimplications?

• Arethereotherofficesordepartmentswithinorconnectedtotheenterprisethatwouldreceiveanydatagenerated?Wouldtherebeprivacyimplicationstotheiruseorcollectionofthisdata?

• ConsiderthefollowingFIPs:o PrincipleofTransparency:IsthePIAandrelatedpoliciesclearabouttheuses

ofinformationgeneratedbytheControl?o PrincipleofUseLimitation:Istheuseofinformationcontainedinthesystem

relevanttothemissionoftheControl?

V.Security

Completeasecurityplanfortheinformationsystem(s)supportingtheControl.

• IsthereappropriateguidancewhenimplementingtheControltoensurethatappropriatephysical,personnel,IT,andothersafeguardsareinplacetoprotectprivacyprotecteddataflowingtoandgeneratedfromtheControl?

• ConsiderthefollowingFairInformationPracticeprinciple:o PrincipleofSecurity:Isthesecurityappropriateandproportionatetothe

protecteddata?

VI.Notice

IdentifyifanynoticetoindividualsmustbeputinplaceregardingimplementationoftheControl,PIIcollected,therighttoconsenttousesofinformation,andtherighttodeclinetoprovideinformation(ifpracticable).

• Definehowtheenterprisemightrequirenoticetoindividualspriortothecollectionofinformation.

• Enterprisesoftenprovidewrittenororalnoticetoemployees,customers,shareholders,andotherstakeholdersbeforetheycollectinformationfromindividuals.IntheU.S.government,thatnoticemayincludeapostedprivacypolicy,aPrivacyActstatement,aPrivacyImpactAssessment,oraStatementofRecords

89

Notice(SORN)publishedintheU.S.FederalRegister.Forprivatecompanies,collectinginformationfromconsumers,publiclyavailableprivacypoliciesareused.DescribewhatnoticemightberelevanttoindividualswhoseinformationmightbecollectedbytheControl.

• Ifnoticemightnot,orcannotbeprovided,defineifoneisrequiredorhowitcanbemitigated.Forcertainlawenforcementoperations,noticemaynotbeappropriate–enterpriseswouldthenexplainhowprovidingdirectnoticetotheindividualatthetimeofcollectionwouldunderminealawenforcementmission.

• DiscusshowthenoticeprovidedcorrespondstothepurposeoftheControlandthedeclareduses.Discusshowthenoticegivenfortheinitialcollectionisconsistentwiththestateduse(s)oftheinformation.DescribehowimplementationoftheControlmitigatestherisksassociatedwithpotentiallyinsufficientnoticeandopportunitytodeclineorconsent.

• ConsiderthefollowingFIPs:o PrincipleofTransparency:WillthisControlallowsufficientnoticetobe

providedtoindividuals?o PrincipleofUseLimitation:Istheinformationusedonlyforthepurposefor

whichnoticewasprovidedeitherdirectlytoindividualsorthroughapublicnotice?Whatprocedurescanbeputinplacetoensurethatinformationisusedonlyforthepurposearticulatedinthenotice?

o PrincipleofIndividualParticipation:Willtheenterpriseberequiredtoprovidenoticetoindividualsregardingredress,includingaccessandcorrection,includingotherpurposesofnoticesuchastypesofinformationandcontrolsoversecurity,retention,disposal,etc.?

VII.DataRetention

Willtherebearequirementtodeveloparecordsretentionpolicy,subjecttoapprovalbytheappropriateenterpriseauthorities(e.g.,management,Board),togoverninformationgatheredandgeneratedbytheControl?

• ConsiderthefollowingFIPsbelowtoassistinprovidingaresponse:o PrincipleofMinimization:DoestheControlhavethecapacitytouseonlythe

informationnecessaryfordeclaredpurposes?WouldtheControlbeabletomanagePIIretainedonlyforaslongasnecessaryandrelevanttofulfillthespecifiedpurposes?

o PrincipleofDataQualityandIntegrity:DoesthePIAdescribepoliciesandproceduresrequiredbyanorganizationforhowPIIispurgedonceitisdeterminedtobenolongerrelevantandnecessary?

VIII.InformationSharing

DescribethescopeoftheinformationsharingwithinandexternaltotheenterprisethatcouldberequiredtosupporttheControl.Externalsharingencompassessharingwithother

90

businesses,vendors,privatesectorgroups,orfederal,state,local,tribal,andterritorialgovernment,aswellaswithgovernmentsorofficialagenciesofothercountries.

• Forstateorlocalgovernmentagencies,orprivatesectororganizationslistthegeneraltypesthatmightbeapplicablefortheControl,ratherthanthespecificnames.

• Describeanyagreementsthatmightberequiredforanorganizationtoconductinformationsharingaspartofnormalenterpriseoperations.

• Discusstheprivacyrisksassociatedwiththesharingofinformationoutsideoftheenterprise.Howcanthoserisksbemitigated?

• DiscusshowthesharingofinformationiscompatiblewiththestatedpurposeanduseoftheoriginalcollectionfortheControl.

IX.Redress

EnterprisesshouldhaveinplaceproceduresforindividualstoseekredressiftheybelievetheirPIImayhavebeenimproperlyorinadvertentlydisclosedormisusedthroughimplementationoftheControls.Theseproceduresmayincludeallowingthemtofilecomplaintsaboutwhatdataiscollectedorhowit’sused.

• ConsiderthefollowingissuethatfallsundertheFIPprincipleofIndividualParticipation:

o CanamechanismbeappliedbywhichanindividualcanpreventPIIobtainedforonepurposefrombeingusedforotherpurposeswithouttheindividual’sknowledge?

X.AuditingandAccountability

DescribewhattechnicalandpolicybasedsafeguardsandsecuritymeasuresmightbeneededtosupporttheControl.Includeanexaminationoftechnicalandpolicysafeguards,suchasinformationsharingprotocols,specialaccessrestrictions,andothercontrols.

• DiscusswhethertheControlallowsforself-audits,permitsthirdpartyaudits,orallowsrealtimeorforensicreviewsbyappropriateoversightagencies.

• DotheITsystemssupportingtheControlhaveautomatedtoolstoindicatewheninformationispossiblybeingmisused?

• DescribewhatrequirementsforprivacytrainingshouldbeprovidedtouserseithergenerallyorspecificallyrelevanttotheControl,includinginformationhandlingproceduresandsensitivityofinformation.DiscusshowindividualswhohaveaccesstoPIIcollectedorgeneratedbytheControlshouldbetrainedtoappropriatelyhandlethatinformation.

• Discussthetypesofprocessesandproceduresnecessarytoreviewandapproveinformationsharingagreements,newusesofControlinformation,andnewaccesstoControlinformationbyotherparties.

91

AppendixG:CategorizationfortheCISCriticalSecurityControls

Introduction

WhenwecreatedVersion6oftheCISControls,oneofthenotablechangeswasdeletionofthe“categories”foreachsub-Control(QuickWin,VisibilityandAttribution,ImprovedSecurityConfigurationandHygiene,andAdvanced).Thesehadprovedtobeproblematicforseveralreasons,andanumberofpeoplefoundthemtobemoreinconsistentthanuseful.

ButotheradopterstoldustheymissedthecategoriesandfoundthemhelpfulinprioritizingtheirControlsimplementationplans,especiallyinpresentingthoseplanstomanagement,sowewentbacktotakeanotherlookatthem.Inaddition,peopleaskedformorehelpinidentifyingsub-controlsthatweretruly“advanced”andwouldrequiresubstantialinvestmentoftimeandresources.

Thisdocumentpresentsasimplercategorizationschemeforeachsub-control,alongwithsomeexplanatoryinformationtoseparateactionsthatweconsider“Foundational”fromthosethatare“Advanced”.

Description

InVersion5oftheCISControls,eachsub-categorywasidentifiedinoneofthefollowingcategories:

• Quickwinsthatprovidesignificantriskreductionwithoutmajorfinancial,procedural,architectural,ortechnicalchangestoanenvironment,orthatprovidesuchsubstantialandimmediateriskreductionagainstverycommonattacksthatmostsecurity-awareorganizationsprioritizethesekeycontrols.

• Visibilityandattributionmeasurestoimprovetheprocess,architecture,andtechnicalcapabilitiesoforganizationstomonitortheirnetworksandcomputersystemstodetectattackattempts,locatepointsofentry,identifyalready-compromisedmachines,interruptinfiltratedattackers’activities,andgaininformationaboutthesourcesofanattack.

• Improvedinformationsecurityconfigurationandhygienetoreducethenumberandmagnitudeofsecurityvulnerabilitiesandimprovetheoperationsofnetworkedcomputersystems,withafocusonprotectingagainstpoorsecuritypracticesbysystemadministratorsandend-usersthatcouldgiveanattackeranadvantage.

• Advancedsub-controlsthatusenewtechnologiesorproceduresthatprovidemaximumsecuritybutarehardertodeployormoreexpensiveorrequiremorehighlyskilledstaffthancommoditizedsecuritysolutions.

92

ForVersion6.1,wemadethissimplerandmovedtoa2-categorysystem.Asastartingpoint,weworkedfromtheoriginalVersion5categoriessincemostofthesub-controlscarriedoverinsomeform.

• Foundational:Theseprovideessentialimprovementstotheprocess,architecture,andtechnicalcapabilitiesoforganizationstomonitortheirnetworksandcomputersystemstodetectattackattempts,locatepointsofentry,identifyalready-compromisedmachines,interruptinfiltratedattackers’activities,andgaininformationaboutthesourcesofanattack.Theyreducethenumberandmagnitudeofsecurityvulnerabilitiesandimprovetheoperationsofnetworkedcomputersystems,withafocusonprotectingagainstpoorsecuritypracticesbysystemadministratorsandend-usersthatcouldgiveanattackeranadvantage.

• Advanced:Thesearesub-controlsthatusenewtechnologiesorproceduresformaximumsecurity,butarehardertodeployormoreexpensiveorrequiremorehighlyskilledstaffthancommoditizedsecuritysolutions.

Howeveranumberofadoptersnotedthatsomeoftheindividualsub-controlscontainwording,phrases,oraninterpretationthatdidnotfallneatlyintoeithercategory.Soforeachofthose,weidentifiedaprimarycategory(FoundationalorAdvanced,shownas“Y”inonecolumnofthecharts);andthenweaddedtexttoclarifyandseparateouttheotheraspectofthesub-control.

Forexample,wemightidentifyagivensub-controlasFoundational,butthoseseekingtobuilduponthesub-controlforanAdvancedsecurityprogramnowhavesomeguidance.Thisisnotaparticularlyelegantsolution,butwewantedtoprovideusefulguidancewithoutasignificantrewriteofthesub-controls.EnterprisesadoptingtheControlsdosomethinglikethisanyway–interpreteachofthesub-controlsinthecontextoftheirspecificsituation,technicalbase,andriskmanagement–inordertocreatearoadmapofphasedimplementation.

Documents

The CIS Critical Security Controls for Effective Cyber Defense