CIS Control 1: Inventory and Control of Enterprise Assets
Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise.
WHY IS THIS CIS CONTROL CRITICAL?
Enterprises cannot defend what they do not know they have. Managed control of all enterprise assets also plays a critical role in security monitoring, incident response, system backup, and recovery. Enterprises should know what data is critical to them, and proper asset management will help identify those enterprise assets that hold or manage this critical data, so that appropriate security controls can be applied.
External attackers are continuously scanning the internet address space of target enterprises, premise-based or in the cloud, identifying possibly unprotected assets attached to an enterprise’s network. Attackers can take advantage of new assets that are installed, yet not securely configured and patched. Internally, unidentified assets can also have weak security configurations that can make them vulnerable to web- or email-based malware; and, adversaries can leverage weak security configurations for traversing the network, once they are inside.
Additional assets that connect to the enterprise’s network (e.g., demonstration systems, temporary test systems, guest networks) should be identified and/or isolated in order to prevent adversarial access from affecting the security of enterprise operations.
Large, complex, dynamic enterprises understandably struggle with the challenge of managing intricate, fast-changing environments. However, attackers have shown the ability, patience, and willingness to “inventory and control” our enterprise assets at very large scale in order to support their opportunities.
Another challenge is that portable end-user devices will periodically join a network and then disappear, making the inventory of currently available assets very dynamic. Likewise, cloud environments and virtual machines can be difficult to track in asset inventories when they are shut down or paused.
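The reconciliation that Control 1 asks for, written out as an added example (this is not code from the page, from CIS, or from Alert Logic). It compares an authoritative inventory against what discovery actually observed and handles the dynamic-device problem described above: a laptop that has been off the network for a week is not flagged, while a "fixed" server or a paused VM that has not been seen for days is. The inventory, the discovery timestamps, the asset names, and the grace periods are all constructed sample values.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the page): the authoritative inventory,
# keyed by asset name, with whether the asset is expected to come and go.
INVENTORY = {
    "web-01":   {"owner": "platform", "type": "server", "mobile": False},
    "db-01":    {"owner": "platform", "type": "server", "mobile": False},
    "lt-alice": {"owner": "alice",    "type": "laptop", "mobile": True},
    "vm-test7": {"owner": "qa",       "type": "vm",     "mobile": False},
}

# Constructed discovery results (DHCP leases, scan output, cloud listings):
# asset name -> timestamp it was last seen.
OBSERVED = {
    "web-01":   "2024-06-10T09:00:00",
    "db-01":    "2024-06-10T09:05:00",
    "lt-alice": "2024-05-30T17:00:00",  # laptop, off the network for 11 days
    "vm-test7": "2024-04-01T12:00:00",  # VM paused for over two months
    "pi-kiosk": "2024-06-10T08:30:00",  # on the network, never inventoried
}

NOW = datetime.fromisoformat("2024-06-10T10:00:00")
# Portable devices are expected to disappear for a while; fixed assets are not.
GRACE = {"mobile": timedelta(days=30), "fixed": timedelta(days=3)}


def reconcile(inventory, observed, now=NOW, grace=GRACE):
    """Compare inventory with discovery and bucket every asset as:
    unknown  - seen on the network but absent from the inventory
    stale    - inventoried but not seen within its grace period
    ok       - inventoried and seen recently enough
    """
    unknown = sorted(name for name in observed if name not in inventory)
    stale, ok = [], []
    for name, meta in inventory.items():
        window = grace["mobile"] if meta["mobile"] else grace["fixed"]
        seen = observed.get(name)
        last_seen = datetime.fromisoformat(seen) if seen else None
        if last_seen is None or now - last_seen > window:
            stale.append(name)
        else:
            ok.append(name)
    return {"unknown": unknown, "stale": sorted(stale), "ok": sorted(ok)}


if __name__ == "__main__":
    for bucket, names in reconcile(INVENTORY, OBSERVED).items():
        print(f"{bucket:8}{', '.join(names) or '-'}")
```

The "unknown" bucket is the one the page warns about: an asset nobody configured or patched because nobody knew it existed. The "stale" bucket is the paused-VM case; a stale entry should prompt a check, not an automatic deletion from the inventory, because the asset may come back.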
Jack Danahy, SVP, Strategy and Security, Alert Logic, on “Opportunities in the Cloud” (transcript):
“Control number three in the CSC is really about vulnerability. But there’s actually an even earlier control, which is related, which talks about the inventory and control of hardware and software assets. Those are two of the first CIS Controls that you’d want to take a look at, because oftentimes what happens is that vulnerability management ends up being focused only on what people think about: those critical servers, those critical systems, or the exec’s laptops, or a specific set of instances inside the cloud that I care about.
But in reality, the systems which are much more likely to be out of date and ignored, neglected and likely to be breached tend to be something else. They tend to be those systems which are not necessarily as tightly related to the critical core, highly visible company function. So, one of the first things for you to consider as you’re thinking about these controls and about vulnerability management is that the first thing you want to do is understand everything that’s out there.”
Download the Full Report
Working on security proactively enables you to operate from a position of strength and avoid potential business harm. LEARN MORE about aligning with the CIS Controls best practices in your organization in this informative ebook.
CIS Control 2: Inventory and Control of Software Assets
Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
WHY IS THIS CIS CONTROL CRITICAL?
A complete software inventory is a critical foundation for preventing attacks. Attackers continuously scan target enterprises looking for vulnerable versions of software that can be remotely exploited. For example, if a user opens a malicious website or attachment with a vulnerable browser, an attacker can often install backdoor programs and bots that give the attacker long-term control of the system. Attackers can also use this access to move laterally through the network. One of the key defenses against these attacks is updating and patching software. However, without a complete inventory of software assets, an enterprise cannot determine if they have vulnerable software, or if there are potential licensing violations.
Even if a patch is not yet available, a complete software inventory list allows an enterprise to guard against known attacks until the patch is released. Some sophisticated attackers use “zero-day exploits,” which take advantage of previously unknown vulnerabilities that have yet to have a patch released from the software vendor. Depending on the severity of the exploit, an enterprise can implement temporary mitigation measures to guard against attacks until the patch is released.
Management of software assets is also important to identify unnecessary security risks. An enterprise should review its software inventory to identify any enterprise assets running software that is not needed for business purposes. For example, an enterprise asset may come installed with default software that creates a potential security risk and provides no benefit to the enterprise. It is critical to inventory, understand, assess, and manage all software connected to an enterprise’s infrastructure.
CIS Control 3: Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
WHY IS THIS CIS CONTROL CRITICAL?
Data is no longer only contained within an enterprise’s border; it is in the cloud, on portable end-user devices where users work from home, and is often shared with partners or online services that might have it anywhere in the world. In addition to sensitive data an enterprise holds related to finances, intellectual property, and customer data, there also might be numerous international regulations for protection of personal data. Data privacy has become increasingly important, and enterprises are learning that privacy is about the appropriate use and management of data, not just encryption. Data must be appropriately managed through its entire life cycle. These privacy rules can be complicated for multi-national enterprises of any size; however, there are fundamentals that can apply to all.
Once attackers have penetrated an enterprise’s infrastructure, one of their first tasks is to find and exfiltrate data. Enterprises might not be aware that sensitive data is leaving their environment because they are not monitoring data outflows.
While many attacks occur on the network, others involve physical theft of portable end-user devices, or attacks on service providers or other partners holding sensitive data. Other sensitive enterprise assets may also include non-computing devices that provide management and control of physical systems, such as Supervisory Control and Data Acquisition (SCADA) systems.
The enterprise’s loss of control over protected or sensitive data is a serious and often reportable business impact. While some data is compromised or lost as a result of theft or espionage, the vast majority of losses are the result of poorly understood data management rules and user error. The adoption of data encryption, both in transit and at rest, can provide mitigation against data compromise, and, even more important, it is a regulatory requirement for most controlled data.
CIS Control 4: Secure Configuration of Enterprise Assets and Software
Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).
WHY IS THIS CIS CONTROL CRITICAL?
As delivered from manufacturers and resellers, the default configurations for enterprise assets and software are normally geared towards ease-of-deployment and ease-of-use rather than security. Basic controls, open services and ports, default accounts or passwords, pre-configured Domain Name System (DNS) settings, older (vulnerable) protocols, and pre-installation of unnecessary software can all be exploitable if left in their default state. Further, these security configuration updates need to be managed and maintained over the life cycle of enterprise assets and software. Configuration updates need to be tracked and approved through a configuration management workflow process to maintain a record that can be reviewed for compliance, leveraged for incident response, and used to support audits. This CIS Control is important for on-premises devices, as well as remote devices, network devices, and cloud environments.
Service providers play a key role in modern infrastructures, especially for smaller enterprises. Their services often are not set up by default in the most secure configuration, to give customers the flexibility to apply their own security policies. Therefore, the presence of default accounts or passwords, excessive access, or unnecessary services is common in default configurations. These could introduce weaknesses that are the responsibility of the enterprise using the software, rather than of the service provider. This extends to ongoing management and updates, as some Platform as a Service (PaaS) offerings only extend to the operating system, so patching and updating hosted applications is the responsibility of the enterprise.
Even after a strong initial configuration is developed and applied, it must be continually managed to avoid degrading security as software is updated or patched, new security vulnerabilities are reported, and configurations are “tweaked,” to allow the installation of new software or to support new operational requirements.
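The "continually managed" part of Control 4 is usually implemented as a drift check: a baseline of required settings is compared against the live configuration on a schedule, so a value that was "tweaked" to get some software working is caught before the next audit. The following is an added example, not code from the page or from CIS; it checks an sshd_config-style file against a small baseline that I constructed for the demonstration (it is not a CIS Benchmark). It mirrors two sshd_config parsing rules that matter for drift detection: keywords are case-insensitive, and when a keyword is repeated the first value wins, so an admin who appends the fix at the bottom of the file has not actually fixed anything.

```python
# Constructed baseline (not a CIS Benchmark): sshd_config keywords and the
# hardened value each must carry. Any key not set explicitly counts as drift,
# because the vendor default then applies and that default is not under our control.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}


def parse_config(text):
    """Parse 'Keyword value' lines. Mirrors sshd_config's rules: lines starting
    with '#' are comments, keywords are case-insensitive, and for a repeated
    keyword the first value wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def check_drift(text, baseline=BASELINE):
    """Return (keyword, found, expected) for each baseline keyword that is
    unset or set to something other than the hardened value."""
    settings = parse_config(text)
    drift = []
    for key, expected in baseline.items():
        found = settings.get(key.lower())
        if found is None or found.lower() != expected.lower():
            shown = found if found is not None else "<unset: vendor default applies>"
            drift.append((key, shown, expected))
    return drift


# Constructed sshd_config fragment in the "as delivered, then tweaked" state.
SAMPLE_CONFIG = """\
# generated during initial provisioning
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
# an admin appended the fix later, but the first value still wins
PermitRootLogin no
"""

if __name__ == "__main__":
    for key, found, expected in check_drift(SAMPLE_CONFIG):
        print(f"{key}: found {found}, baseline requires {expected}")
```

Treating an unset keyword as drift, rather than assuming the default is acceptable, is the deliberate choice here: the page's point is that vendor defaults are chosen for ease of use, so the baseline should state every value it relies on.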
Jessica Bartley, Director IT Security & Business Intelligence, on “Opportunities in the Cloud” (transcript):
“One of the things that I would say about this control is, in our environment, we have placed significant focus in this area, and this has been one of the most important areas, not just for understanding what’s occurring in the environment for forensics purposes, to be able to track or hunt something down, but also to garner more real-time alerting on situations that aren’t occurring in the environment.
If I would say from a technology perspective, one of the key areas, and I’ll talk about another one next, but this is one of the key areas where we have gotten tremendous benefit out of investing in some technology or assistance in this area.
And a key thing that I want to point out, for small and mid-sized or emerging-enterprise organizations, there are, as Jack mentioned, various different solutions available. Oftentimes, when people look at a control like this, they think, wow, this is too big. It’s difficult to do. I don’t even want to look at it. I don’t know that I could manage a tool like this. They often think about an all-out SIEM type solution. And what I would say is, start with at least the basics here.
We oftentimes go into organizations that do not even have logging configured on their systems, for the system to directly capture the log. And while that is not the end state that we like to see companies get to, we like to see them get to that centralized point where the logs are being sent off of that system. At least having logging on that system turned on, and we oftentimes even see that it’s not turned on, can at least help. The challenge with that, that companies quickly run into, is the fact that the logs build in size quickly and can overwhelm, or they have to purge the logs after a short period of time.
And that’s where centralizing comes into play. But this by far can be one of the biggest areas where an organization can get insight into what’s going on in its environment, by implementing this type of logging.”
CIS Control 5: Account Management
Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.
WHY IS THIS CIS CONTROL CRITICAL?
It is easier for an external or internal threat actor to gain unauthorized access to enterprise assets or data by using valid user credentials than by “hacking” the environment. There are many ways to covertly obtain access to user accounts, including weak passwords, accounts still valid after a user leaves the enterprise, dormant or lingering test accounts, shared accounts whose passwords have not been changed in months or years, service accounts embedded in applications or scripts, a user having the same password as one they use for an online account that has been compromised (in a public password dump), social engineering a user into giving up their password, or using malware to capture passwords or tokens in memory or over the network.
Administrative, or highly privileged, accounts are a particular target, because they allow attackers to add other accounts, or make changes to assets that could make them more vulnerable to other attacks. Service accounts are also sensitive, as they are often shared among teams, internal and external to the enterprise, and sometimes not known about, only to be revealed in standard account management audits.
Finally, account logging and monitoring is a critical component of security operations. While account logging and monitoring are covered in CIS Control 8 (Audit Log Management), it is important in the development of a comprehensive Identity and Access Management (IAM) program.
CIS Control 6: Access Control Management
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
WHY IS THIS CIS CONTROL CRITICAL?
Where CIS Control 5 deals specifically with account management, CIS Control 6 focuses on managing what access these accounts have, ensuring users only have access to the data or enterprise assets appropriate for their role, and ensuring that there is strong authentication for critical or sensitive enterprise data or functions. Accounts should only have the minimal authorization needed for the role. Developing consistent access rights for each role and assigning roles to users is a best practice. Developing a program for complete provision and de-provisioning access is also important. Centralizing this function is ideal.
There are some user activities that pose greater risk to an enterprise, either because they are performed from untrusted networks or because they are administrator functions that allow the ability to add, change, or remove other accounts, or make configuration changes to operating systems or applications that make them less secure. This also reinforces the importance of using multi-factor authentication (MFA) and Privileged Access Management (PAM) tools.
Some users have access to enterprise assets or data they do not need for their role; this might be due to an immature process that gives all users all access, or lingering access as users change roles within the enterprise over time. Local administrator privileges on users’ laptops are also an issue, as any malicious code installed or downloaded by the user has greater impact on an enterprise asset when it runs as administrator. User, administrator, and service account access should be based on enterprise role and need.
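The account problems listed under Control 5 (leavers still enabled, dormant and never-used accounts, service credentials that have not been rotated) and the access problem under Control 6 (group membership beyond what the role needs) are all found by the same kind of review: join a directory export against an HR leavers feed and a role baseline. The following is an added example serving both controls; it is not code from the page or from CIS. The directory export, the leavers list, the role-to-group baseline, and the 90- and 180-day thresholds are constructed for the demonstration.

```python
from datetime import datetime, timedelta

NOW = datetime.fromisoformat("2024-06-10T00:00:00")
DORMANT_AFTER = timedelta(days=90)          # constructed policy thresholds
SERVICE_CRED_MAX_AGE = timedelta(days=180)

# Constructed directory export; dates are ISO strings, None = never.
ACCOUNTS = [
    {"name": "alice",      "kind": "user",    "role": "developer",
     "last_login": "2024-06-09", "pw_set": "2024-03-01", "groups": {"dev", "vpn"}},
    {"name": "bob",        "kind": "user",    "role": "developer",
     "last_login": "2024-06-08", "pw_set": "2024-05-01", "groups": {"dev", "vpn", "domain-admins"}},
    {"name": "carol",      "kind": "user",    "role": "finance",
     "last_login": "2024-01-15", "pw_set": "2023-12-01", "groups": {"finance"}},
    {"name": "svc-backup", "kind": "service", "role": "backup",
     "last_login": "2024-06-10", "pw_set": "2021-07-01", "groups": {"backup-ops"}},
    {"name": "test-qa2",   "kind": "user",    "role": "qa",
     "last_login": None,         "pw_set": "2023-02-01", "groups": {"qa"}},
]
DEPARTED = {"carol"}                      # constructed HR leavers feed
ROLE_GROUPS = {                           # constructed role baseline (Control 6)
    "developer": {"dev", "vpn"},
    "finance":   {"finance", "vpn"},
    "backup":    {"backup-ops"},
    "qa":        {"qa"},
}


def review_accounts(accounts, departed=DEPARTED, role_groups=ROLE_GROUPS, now=NOW):
    """Return (account, issue) pairs for the account and access problems the
    page lists: leavers still enabled, dormant or never-used accounts, stale
    service credentials, and group membership beyond the role baseline."""
    def age(iso):
        return None if iso is None else now - datetime.fromisoformat(iso)

    findings = []
    for a in accounts:
        name = a["name"]
        if name in departed:
            findings.append((name, "still enabled after departure"))
        login_age = age(a["last_login"])
        if login_age is None:
            findings.append((name, "never logged in"))
        elif login_age > DORMANT_AFTER:
            findings.append((name, f"dormant for {login_age.days} days"))
        if a["kind"] == "service" and age(a["pw_set"]) > SERVICE_CRED_MAX_AGE:
            findings.append((name, f"service credential unchanged for {age(a['pw_set']).days} days"))
        excess = a["groups"] - role_groups.get(a["role"], set())
        if excess:
            findings.append((name, "groups beyond role baseline: " + ", ".join(sorted(excess))))
    return findings


if __name__ == "__main__":
    for name, issue in review_accounts(ACCOUNTS):
        print(f"{name:12}{issue}")
```

The role baseline is the piece most teams lack; once it exists, "excess" membership (bob's domain-admins here) becomes a mechanical diff rather than a judgement call made during a yearly access review.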
CIS Control 7: Continuous Vulnerability Management
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.
WHY IS THIS CIS CONTROL CRITICAL?
Cyber defenders are constantly being challenged by attackers who are looking for vulnerabilities within their infrastructure to exploit and gain access. Defenders must have timely threat information available to them about software updates, patches, security advisories, threat bulletins, etc., and they should regularly review their environment to identify these vulnerabilities before the attackers do. Understanding and managing vulnerabilities is a continuous activity, requiring focus of time, attention, and resources.
Attackers have access to the same information and can often take advantage of vulnerabilities more quickly than an enterprise can remediate. While there is a gap in time from a vulnerability being known to when it is patched, defenders can prioritize which vulnerabilities are most impactful to the enterprise, or likely to be exploited first due to ease of use. For example, when researchers or the community report new vulnerabilities, vendors have to develop and deploy patches, indicators of compromise (IOCs), and updates. Defenders need to assess the risk of the new vulnerability to the enterprise, regression-test patches, and install the patch.
There is never perfection in this process. Attackers might be using an exploit for a vulnerability that is not known within the security community; an exploit developed for such a vulnerability is referred to as a “zero-day” exploit. Once the vulnerability is known in the community, the process mentioned above starts. Therefore, defenders must keep in mind that an exploit might already exist when the vulnerability is widely socialized. Sometimes vulnerabilities might be known within a closed community (e.g., the vendor is still developing a fix) for weeks, months, or years before they are disclosed publicly. Defenders have to be aware that there might always be vulnerabilities they cannot remediate, and therefore need to use other controls to mitigate.
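The prioritisation step the text describes (which findings are most impactful, or likely to be exploited first) is where a raw severity score is not enough on its own. The following is an added example, not code from the page or from CIS, of a small scoring and planning routine: it weights a base severity by whether a public exploit exists, whether the asset is internet-facing, and whether the asset is critical, assigns a remediation window, and routes findings with no patch available to a compensating control instead. The findings, the multipliers, and the 7/30/90-day bands are constructed policy values for the demonstration, not CIS guidance.

```python
# Constructed findings, shaped like a vulnerability scanner export.
FINDINGS = [
    {"id": "F1", "asset": "web-01", "cvss": 7.5, "exploit_public": True,
     "internet_facing": True,  "critical_asset": True,  "patch_available": True},
    {"id": "F2", "asset": "db-01",  "cvss": 9.8, "exploit_public": False,
     "internet_facing": False, "critical_asset": True,  "patch_available": True},
    {"id": "F3", "asset": "lt-dev", "cvss": 5.3, "exploit_public": False,
     "internet_facing": False, "critical_asset": False, "patch_available": True},
    {"id": "F4", "asset": "vpn-gw", "cvss": 8.1, "exploit_public": True,
     "internet_facing": True,  "critical_asset": True,  "patch_available": False},
]


def score(f):
    """Weighted priority: base severity, multiplied for the factors the page
    says matter beyond the raw number (known exploit, exposure, asset value).
    The multipliers are constructed for this example."""
    s = f["cvss"]
    if f["exploit_public"]:
        s *= 1.5
    if f["internet_facing"]:
        s *= 1.3
    if f["critical_asset"]:
        s *= 1.2
    return round(s, 2)


def sla_days(s):
    """Remediation window by priority band (constructed policy)."""
    return 7 if s >= 15 else 30 if s >= 8 else 90


def plan(findings):
    """Order findings by priority and attach the window and the next action.
    A finding with no vendor patch is not dropped: it gets a compensating
    control and stays on the list until a patch ships."""
    out = []
    for f in sorted(findings, key=score, reverse=True):
        s = score(f)
        if f["patch_available"]:
            action = "regression-test and install patch"
        else:
            action = "no patch yet: apply compensating control, track for patch"
        out.append((f["id"], s, sla_days(s), action))
    return out


if __name__ == "__main__":
    for fid, s, days, action in plan(FINDINGS):
        print(f"{fid} score={s:<6} due in {days:>2}d  {action}")
```

Note how F4 (CVSS 8.1) outranks F2 (CVSS 9.8): an exploited, internet-facing flaw on a critical asset is the one an attacker reaches first, which is the page's point about prioritising by likelihood as well as severity.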
CIS Control 8: Audit Log Management
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
WHY IS THIS CIS CONTROL CRITICAL?
Log collection and analysis is critical for an enterprise’s ability to detect malicious activity quickly. Sometimes audit records are the only evidence of a successful attack. Attackers know that many enterprises keep audit logs for compliance purposes, but rarely analyze them. Attackers use this knowledge to hide their location, malicious software, and activities on victim machines. Due to poor or nonexistent log analysis processes, attackers sometimes control victim machines for months or years without anyone in the target enterprise knowing.
There are two types of logs that are generally treated and often configured independently: system logs and audit logs. System logs typically provide system-level events that show various system process start/end times, crashes, etc. These are native to systems, and take less configuration to turn on. Audit logs typically include user-level events—when a user logged in, accessed a file, etc.—and take more planning and effort to set up.
Logging records are also critical for incident response. After an attack has been detected, log analysis can help enterprises understand the extent of an attack. Complete logging records can show, for example, when and how the attack occurred, what information was accessed, and if data was exfiltrated. Retention of logs is also critical in case a follow-up investigation is required or if an attack remained undetected for a long period of time.
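Collecting logs only pays off once something reads them, so here is an added example (not code from the page or from CIS) of the kind of review the text calls for, run over audit-log lines of the user-level sort it describes. It parses constructed sshd-style authentication records and raises three alerts: repeated failures from one source within a short window, a success from a source that had just been failing, and a successful login by an account that is not in the known-user list. The log lines, the known-user set, and the thresholds are all constructed; the source addresses are from documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth log excerpt in the usual syslog/sshd layout.
LOG = """\
Jun 10 09:00:01 web-01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Jun 10 09:00:03 web-01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Jun 10 09:00:05 web-01 sshd[2203]: Failed password for root from 203.0.113.5 port 51002 ssh2
Jun 10 09:00:09 web-01 sshd[2205]: Failed password for alice from 203.0.113.5 port 51004 ssh2
Jun 10 09:00:12 web-01 sshd[2207]: Accepted password for alice from 203.0.113.5 port 51006 ssh2
Jun 10 09:15:40 web-01 sshd[2300]: Accepted publickey for bob from 198.51.100.7 port 40022 ssh2
Jun 10 09:20:02 web-01 sshd[2310]: Accepted publickey for deploy from 198.51.100.9 port 40100 ssh2
"""
KNOWN_USERS = {"alice", "bob"}   # constructed: accounts the inventory says exist

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(log, year=2024):
    """Turn matching lines into events. Syslog omits the year, so it is supplied."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "user": m["user"], "ip": m["ip"],
                       "ok": m["result"] == "Accepted"})
    return events


def analyse(events, threshold=3, window_s=60, known=KNOWN_USERS):
    """Return (alert_type, subject, timestamp) tuples, one per detection."""
    alerts = []
    failures = defaultdict(list)          # source ip -> failure timestamps
    for e in events:
        ip = e["ip"]
        if not e["ok"]:
            failures[ip].append(e["ts"])
            recent = [t for t in failures[ip] if (e["ts"] - t).total_seconds() <= window_s]
            if len(recent) == threshold:  # fire once, when the threshold is crossed
                alerts.append(("brute_force", ip, e["ts"]))
            continue
        last_fail = failures[ip][-1] if failures[ip] else None
        if last_fail and (e["ts"] - last_fail).total_seconds() <= window_s:
            alerts.append(("success_after_failures", f"{e['user']}@{ip}", e["ts"]))
        if e["user"] not in known:
            alerts.append(("unknown_account", e["user"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, subject, ts in analyse(parse(LOG)):
        print(f"{ts:%H:%M:%S} {kind:24}{subject}")
```

The third alert is the link back to Control 5: an "Accepted" line for a user nobody inventoried is exactly the kind of record that sits in a compliance archive for months unless something compares it against the account list.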
CIS Control 9: Email and Web Browser Protections
Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.
WHY IS THIS CIS CONTROL CRITICAL?
Web browsers and email clients are very common points of entry for attackers because of their direct interaction with users inside an enterprise. Content can be crafted to entice or spoof users into disclosing credentials, providing sensitive data, or providing an open channel to allow attackers to gain access, thus increasing risk to the enterprise. Since email and web are the main means that users interact with external and untrusted users and environments, these are prime targets for both malicious code and social engineering. Additionally, as enterprises move to web-based email, or mobile email access, users no longer use traditional full-featured email clients, which provide embedded security controls like connection encryption, strong authentication, and phishing reporting buttons.
CIS Control 16: Application Software Security
Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.
WHY IS THIS CIS CONTROL CRITICAL?
Applications provide a human-friendly interface to allow users to access and manage data in a way that is aligned to business functions. They also minimize the need for users to deal directly with complex (and potentially error-prone) system functions, like logging into a database to insert or modify files. Enterprises use applications to manage their most sensitive data and control access to system resources. Therefore, an attacker can use the application itself to compromise the data, instead of an elaborate network and system hacking sequence that attempts to bypass network security controls and sensors. This is why protecting user credentials (specifically application credentials) defined in CIS Control 6 is so important.
When attackers lack credentials, application flaws are the attack vector of choice. However, today’s applications are developed, operated, and maintained in a highly complex, diverse, and dynamic environment. Applications run on multiple platforms: web, mobile, cloud, etc., with application architectures that are more complex than legacy client-server or database-web server structures. Development life cycles have become shorter, transitioning from months or years in long waterfall methodologies, to DevOps cycles with frequent code updates. Also, applications are rarely created from scratch, and are often “assembled” from a complex mix of development frameworks, libraries, existing code, and new code. There are also modern and evolving data protection regulations dealing with user privacy, which may require compliance with regional or sector-specific data protection requirements. These factors make traditional approaches to security, like control (of processes, code sources, run-time environment, etc.), inspection, and testing, much more challenging. Also, the risk that an application vulnerability introduces might not be understood, except in a specific operational setting or context.
Application vulnerabilities can be present for many reasons: insecure design, insecure infrastructure, coding mistakes, weak authentication, and failure to test for unusual or unexpected conditions. Attackers can exploit specific vulnerabilities, including buffer overflows, exposure to Structured Query Language (SQL) injection, cross-site scripting, cross-site request forgery, and click-jacking of code to gain access to sensitive data, or take control over vulnerable assets within the infrastructure as a launching point for further attacks.
CIS Control 10: Malware Defenses
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
WHY IS THIS CIS CONTROL CRITICAL?
Malicious software (sometimes categorized as viruses or Trojans) is an integral and dangerous aspect of internet threats. It can have many purposes, from capturing credentials and stealing data to identifying other targets within the network and encrypting or destroying data. Malware is ever-evolving and adaptive, as modern variants leverage machine learning techniques. Malware enters an enterprise through vulnerabilities within the enterprise on end-user devices, email attachments, webpages, cloud services, mobile devices, and removable media.
Malware often relies on insecure end-user behavior, such as clicking links, opening attachments, installing software or profiles, or inserting Universal Serial Bus (USB) flash drives. Modern malware is designed to avoid, deceive, or disable defenses.
Malware defenses must be able to operate in this dynamic environment through automation, timely and rapid updating, and integration with other processes like vulnerability management and incident response. They must be deployed at all possible entry points and enterprise assets to detect, prevent spread, or control the execution of malicious software or code.
CIS Control 11: Data Recovery
Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.
WHY IS THIS CIS CONTROL CRITICAL?
In the cybersecurity triad—Confidentiality, Integrity, and Availability (CIA)—the availability of data is, in some cases, more critical than its confidentiality. Enterprises need many types of data to make business decisions, and when that data is not available or is untrusted, then it could impact the enterprise. An easy example is weather information to a transportation enterprise.
When attackers compromise assets, they make changes to configurations, add accounts, and often add software or scripts. These changes are not always easy to identify, as attackers might have corrupted or replaced trusted applications with malicious versions, or the changes might hide behind standard-looking account names. Configuration changes can include adding or changing registry entries, opening ports, turning off security services, deleting logs, or other malicious actions that make a system insecure. These actions do not have to be malicious; human error can cause each of these as well. Therefore, it is important to have recent backups or mirrors available to recover enterprise assets and data back to a known trusted state.
There has been an exponential rise in ransomware over the last few years. It is not a new threat, though it has become more commercialized and organized as a reliable method for attackers to make money. If an attacker encrypts an enterprise’s data and demands ransom for its restoration, having a recent backup to recover to a known, trusted state can be helpful. However, as ransomware has evolved, it has also become an extortion technique, where data is exfiltrated before being encrypted, and the attacker asks for payment to restore the enterprise’s data, as well as to keep it from being sold or publicized. In this case, restoration would only solve the issue of restoring systems to a trusted state and continuing operations. Leveraging the guidance within the CIS Controls will help reduce the risk of ransomware through improved cyber hygiene, as attackers usually use older or basic exploits on insecure systems.
CIS Control 12: Network Infrastructure Management
Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points.
WHY IS THIS CIS CONTROL CRITICAL?
Secure network infrastructure is an essential defense against attacks. This includes an appropriate security architecture, addressing vulnerabilities that are oftentimes introduced with default settings, monitoring for changes, and reassessment of current configurations. Network infrastructure includes devices such as physical and virtualized gateways, firewalls, wireless access points, routers, and switches.
Default configurations for network devices are geared for ease-of-deployment and ease-of-use—not security. Potential default vulnerabilities include open services and ports, default accounts and passwords (including service accounts), support for older vulnerable protocols, and pre-installation of unneeded software. Attackers search for vulnerable default settings, gaps or inconsistencies in firewall rule sets, routers, and switches and use those holes to penetrate defenses. They exploit flaws in these devices to gain access to networks, redirect traffic on a network, and intercept data while in transmission.
Network security is a constantly changing environment that necessitates regular re-evaluation of architecture diagrams, configurations, access controls, and allowed traffic flows. Attackers take advantage of network device configurations becoming less secure over time as users demand exceptions for specific business needs. Sometimes the exceptions are deployed, but not removed when they are no longer applicable to the business’s needs. In some cases, the security risk of an exception is neither properly analyzed nor measured against the associated business need and can change over time.
Inventory and
Control Chart
close x
close x
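The configuration drift described for CIS Control 12 (default settings left in place, and firewall exceptions that outlive their business justification) is something a defender can check for mechanically. The following Python script is an added example, not CIS or OneNeck code: it audits a constructed IOS-style configuration fragment for the default-setting classes the text names and flags rule exceptions in a constructed register whose ticket or expiry is missing or has passed. The configuration lines, the exception records, the check patterns, and the audit date are all assumptions made for the illustration.

```python
"""
Baseline audit for network device configuration drift.

Added example (not CIS or vendor code). The config text, the exception
register and the audit date are constructed for illustration. The checks
encode the risk classes named in the text: default SNMP community strings,
a legacy management protocol (telnet), an unneeded service, unencrypted
local passwords, and firewall exceptions with no or an expired justification.
"""
from datetime import date
import re

# Constructed IOS-style configuration fragment (not from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
no service password-encryption
ip http server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed exception register: rule, change ticket, owner and expiry.
SAMPLE_EXCEPTIONS = [
    {"rule": "permit tcp any host 10.0.5.20 eq 3389", "ticket": "CHG-0412",
     "owner": "finance-apps", "expires": date(2023, 3, 31)},
    {"rule": "permit tcp 10.0.9.0/24 host 10.0.5.30 eq 22", "ticket": "CHG-0501",
     "owner": "platform", "expires": date(2030, 1, 1)},
    {"rule": "permit ip any any", "ticket": None,
     "owner": None, "expires": None},
]

# Constructed "today" so the example is reproducible.
AUDIT_DATE = date(2024, 1, 15)

# Each check: (finding id, regex applied per config line, rationale).
DEFAULT_SETTING_CHECKS = [
    ("snmp-default-community",
     re.compile(r"^snmp-server community (public|private)\b"),
     "default SNMP community string"),
    ("legacy-mgmt-protocol",
     re.compile(r"^\s*transport input .*\btelnet\b"),
     "telnet permitted for management access"),
    ("unneeded-service",
     re.compile(r"^ip http server$"),
     "plaintext HTTP management server enabled"),
    ("plaintext-passwords",
     re.compile(r"^no service password-encryption$"),
     "local passwords stored unencrypted"),
]


def audit_config(config_text):
    """Return findings as (finding_id, line_no, config_line, rationale)."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        for finding_id, pattern, why in DEFAULT_SETTING_CHECKS:
            if pattern.search(line):
                findings.append((finding_id, line_no, line.strip(), why))
    return findings


def audit_exceptions(exceptions, today):
    """Flag exceptions that were never justified or whose expiry has passed."""
    findings = []
    for exc in exceptions:
        if exc["expires"] is None or exc["ticket"] is None:
            findings.append(("exception-unjustified", exc["rule"],
                             "no ticket or expiry recorded"))
        elif exc["expires"] < today:
            overdue = (today - exc["expires"]).days
            findings.append(("exception-expired", exc["rule"],
                             f"expired {overdue} days ago ({exc['ticket']})"))
    return findings


def run_audit(config_text=SAMPLE_CONFIG, exceptions=SAMPLE_EXCEPTIONS,
              today=AUDIT_DATE):
    """Combine both audits into one list for reporting."""
    return audit_config(config_text) + audit_exceptions(exceptions, today)


if __name__ == "__main__":
    for finding in run_audit():
        print(*finding, sep=" | ")
```

Run as a script it prints one line per finding; in practice the checks would be driven from an approved baseline and the register from the change-management system, so that a rule without a ticket or past its expiry is reported rather than silently carried forward.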
Download the Full Report
Working on security proactively enables you to operate from a position of strength and avoid potential business harm. LEARN MORE about aligning with the CIS Controls best practices in your organization in this informative ebook.
DOWNLOAD NOW
CIS Control 13: Network Monitoring and Defense
Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.
WHY IS THIS CIS CONTROL CRITICAL?
We cannot rely on network defenses to be perfect. Adversaries continue to evolve and mature as they share, or sell, information among their community on exploits and bypasses to security controls. Even if security tools work “as advertised,” it takes an understanding of the enterprise risk posture to configure, tune, and log them to be effective. Often, misconfigurations due to human error or lack of knowledge of tool capabilities give enterprises a false sense of security.
Security tools can only be effective if they support a process of continuous monitoring that allows staff to be alerted to security incidents and respond to them quickly. Enterprises that adopt a purely technology-driven approach will also experience more false positives, due to their over-reliance on alerts from tools. Identifying and responding to these threats requires visibility into all threat vectors of the infrastructure and leveraging humans in the process of detection, analysis, and response. It is critical for large or heavily targeted enterprises to have a security operations capability to prevent, detect, and quickly respond to cyber threats before they can impact the enterprise. This process will generate activity reports and metrics that will help enhance security policies and support regulatory compliance for many enterprises.
As we have seen many times in the press, enterprises have been compromised for weeks, months, or years before discovery. The primary benefit of having comprehensive situational awareness is to increase the speed of detection and response. This is critical for responding quickly when malware is discovered, credentials are stolen, or sensitive data is compromised, in order to reduce the impact to the enterprise.
Through good situational awareness (i.e., security operations), enterprises will identify and catalog the Tactics, Techniques, and Procedures (TTPs) of attackers, including their Indicators of Compromise (IOCs), which will help the enterprise become more proactive in identifying future threats or incidents. Recovery can be achieved faster when the response team has access to complete information about the environment and enterprise structure to develop efficient response strategies.
CIS Control 14: Security Awareness and Skills Training
Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.
WHY IS THIS CIS CONTROL CRITICAL?
The actions of people play a critical part in the success or failure of an enterprise’s security program. It is easier for an attacker to entice a user to click a link or open an email attachment to install malware in order to get into an enterprise, than to find a network exploit to do it directly.
Users themselves, both intentionally and unintentionally, can cause incidents as a result of mishandling sensitive data, sending an email with sensitive data to the wrong recipient, losing a portable end-user device, using weak passwords, or using the same password they use on public sites.
No security program can effectively address cyber risk without a means to address this fundamental human vulnerability. Users at every level of the enterprise have different risks. For example: executives manage more sensitive data; system administrators have the ability to control access to systems and applications; and users in finance, human resources, and contracts all have access to different types of sensitive data that can make them targets.
The training should be updated regularly. This will increase the culture of security and discourage risky workarounds.
CIS Control 17: Incident Response Management
Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.
WHY IS THIS CIS CONTROL CRITICAL?
A comprehensive cybersecurity program includes protection, detection, response, and recovery capabilities. Often, the final two get overlooked in immature enterprises, or the response technique for compromised systems is just to re-image them to their original state and move on. The primary goal of incident response is to identify threats on the enterprise, respond to them before they can spread, and remediate them before they can cause harm. Without understanding the full scope of an incident, how it happened, and what can be done to prevent it from happening again, defenders will just be in a perpetual “whack-a-mole” pattern.
We cannot expect our protections to be effective 100% of the time. When an incident occurs, if an enterprise does not have a documented plan—even with good people—it is almost impossible to know the right investigative procedures, reporting, data collection, management responsibility, legal protocols, and communications strategy that will allow the enterprise to successfully understand, manage, and recover.
Along with detection, containment, and eradication, communication to stakeholders is key. If we are to reduce the probability of material impact due to a cyber event, the enterprise’s leadership must know what the potential impact could be, so that they can help prioritize remediation or restoration decisions that best support the enterprise. These business decisions could be based on regulatory compliance, disclosure rules, service-level agreements with partners or customers, revenue, or mission impacts.
Dwell time, from when an attack happens to when it is identified, can be days, weeks, or months. The longer the attacker is in the enterprise’s infrastructure, the more embedded they become, and the more ways they will develop to maintain persistent access for when they are eventually discovered. With the rise of ransomware, which is a stable moneymaker for attackers, this dwell time is critical, especially with modern tactics of stealing data before encrypting it for ransom.
CIS Control 15: Service Provider Management
Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.
WHY IS THIS CIS CONTROL CRITICAL?
In our modern, connected world, enterprises rely on vendors and partners to help manage their data, or rely on third-party infrastructure for core applications or functions.
There have been numerous examples where third-party breaches have significantly impacted an enterprise; for example, as early as the late 2000s, payment cards were compromised after attackers infiltrated smaller third-party vendors in the retail industry. More recent examples include ransomware attacks that impact an enterprise indirectly, due to one of its service providers being locked down, causing disruption to business. Or worse, if the provider is directly connected, a ransomware attack could encrypt data on the main enterprise.
Most data security and privacy regulations require that their protections extend to third-party service providers, such as with Health Insurance Portability and Accountability Act (HIPAA) Business Associate agreements in healthcare, Federal Financial Institutions Examination Council (FFIEC) requirements for the financial industry, and the United Kingdom (U.K.) Cyber Essentials. Third-party trust is a core Governance, Risk, and Compliance (GRC) function, as risks that are not managed within the enterprise are transferred to entities outside the enterprise.
While reviewing the security of third parties has been a task performed for decades, there is no universal standard for assessing security; and many service providers are being audited by their customers multiple times a month, causing impacts to their own productivity. This is because every enterprise has a different “checklist” or set of standards to grade the service provider. There are only a few industry standards, such as in finance, with the Shared Assessments program, or in higher education, with the Higher Education Community Vendor Assessment Toolkit (HECVAT). Insurance companies selling cybersecurity policies also have their own measurements.
CIS Control 18: Penetration Testing
Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.
WHY IS THIS CIS CONTROL CRITICAL?
A successful defensive posture requires a comprehensive program of effective policies and governance and strong technical defenses, combined with appropriate action from people. However, it is rarely perfect. In a complex environment where technology is constantly evolving and new attacker tradecraft appears regularly, enterprises should periodically test their controls to identify gaps and to assess their resiliency. This test may be from an external network, internal network, application, system, or device perspective. It may include social engineering of users, or physical access control bypasses. Often, penetration tests are performed for specific purposes:
• As a “dramatic” demonstration of an attack, usually to convince decision-makers of their enterprise’s weaknesses
• As a means to test the correct operation of enterprise defenses (“verification”)
• To test that the enterprise has built the right defenses in the first place (“validation”)
Independent penetration testing can provide valuable and objective insights about the existence of vulnerabilities in enterprise assets and humans, and the efficacy of defenses and mitigating controls to protect against adverse impacts to the enterprise. They are part of a comprehensive, ongoing program of security management and improvement. They can also reveal process weaknesses, such as incomplete or inconsistent configuration management, or end-user training.
Penetration testing differs from vulnerability testing, described in CIS Control 7. Vulnerability testing just checks for the presence of known, insecure enterprise assets, and stops there. Penetration testing goes further to exploit those weaknesses to see how far an attacker could get, and what business process or data might be impacted through exploitation of that vulnerability. This is an important detail, and often penetration testing and vulnerability testing are incorrectly used interchangeably. Vulnerability testing is exclusively automated scanning, sometimes with manual validation of false positives, whereas penetration testing requires more human involvement and analysis, sometimes supported through the use of custom tools or scripts. However, vulnerability testing is often a starting point for a penetration test.
Another common term is “Red Team” exercises. These are similar to penetration tests in that vulnerabilities are exploited; however, the difference is the focus. Red Teams simulate specific attacker TTPs to evaluate how an enterprise’s environment would withstand an attack from a specific adversary, or category of adversaries.
Jessica Bartley, Director IT Security & Business Intelligence
Opportunities in the Cloud (audio transcript)
“Historically, a lot of the antivirus solutions worked purely based on signatures. And I think if you’ve read much in security news over the last chunk of years, antivirus type systems have switched over to what we often talk about as being next generation antivirus. And these types of tools are often able to detect and alert on different behaviors that are occurring in the environment that may be outside the norm. And they’re shifting, these tools have shifted from just being able to alert on a specific signature of a specific piece of malware, which was a never-ending battle to try to keep up with, to actually doing more in the way of monitoring and alerting on abnormal scenarios in the environment to be able to tell you that something different occurred. And then if it were something that a typical profile of an attacker was spotted, to be able to alert and identify on that.
But even if you are not able to step into a full next-gen AV type tool, a key thing that I would recommend, and as we’ve seen in the ransomware example that I gave, many organizations have at least a very basic or have more of the basic antivirus tool, and those are still good products. They’re not up to the level of what those next generation products are or the advanced malware products are, but they’re still products that can give some insight into what’s going on. And in the ransomware example that I gave, the standard AV product had alerted and had tried to contain and remove that piece of malware multiple times.
The act of having somebody in your organization, or something that you partner with, that can keep an eye and have eyes on those tools to ensure that action is actually taken that’s appropriate when something is detected. And that’s often the situation where we still see organizations kind of fall down. Again, it’s putting in the tool, or a lot of them will even pay to put in Next Gen or the advanced malware protection type tool, and then they forget the part about the monitoring, and they forget the part of keeping the eyes on the screen. And then ultimately, it’s rendering that investment of limited value.
And the good thing about some of the more advanced tools today as well is that they can not only detect, but they also have modules where you can actually block and prevent an action from occurring. And ultimately, you can configure them that if it detects something that appears to be a malicious action in the environment, it can actually isolate that system or prevent that action from continuing in the environment. And again, this is a scenario where there’s a lot that can be done if you’ve just got the standard AV tool, as long as you’re keeping eyes on monitoring it.”
Katie McCullough, Chief Information Security Officer
Opportunities in the Cloud (audio transcript)
“When we talk about data recovery, certainly data recovery plays a role in any kind of IT system. It is not a special security. This is where we have a win where we can really collaborate with the rest of the IT team, because everybody wants their backups. Again, most of the sub controls associated with us are just good hygiene around your backups. Making sure everything is backed up, that it’s accessible, and that you’re testing those backups.
The challenges we see with things like ransomware is if you’ve let any of the indicators of compromise sit in your environment for months or years, you’ve just jeopardized your data that you’ve backed up. So, you’ve got to be aware of that and be prepared for that. Again, there’s other controls if you’re restoring, if you do have other things in place that once you’ve identified that there’s ransomware, you can still stop potentially some of that data from being retriggered if it’s restored. But ultimately, you want to make sure your data is encrypted.”
Jack Danahy, SVP, Strategy and Security, Alert Logic
Opportunities in the Cloud (audio transcript)
“Things are very different now than they were 10 or even 20 years ago when some of us started out in this industry. Firewalls and strongly protected perimeters provided us a means through which we could identify inside from outside, and a lot of the security technologies that exist today are still sort of predicated on that inside and outside. And originally, when this control arose, the discussion was how do I manage things at that boundary so I can have more control over what comes into my network and what stays on the outside, with the implicit understanding being that security on the inside is going to be different than security on the outside. And I’m going to try to keep more than that out.
And one of the things that’s happened over the last number of years, even before the advent of the cloud providers taking over so much of people’s infrastructure, was that the perimeter began to dissolve – we talk about it as the rapid de-perimeterization. But the idea is that the logical perimeter now exists between me and the app on you.
I’m sure that all of you have organizations that you deal with, whether partners or customers, where they’re reaching much more deeply inside what would have ordinarily been your internal structures. You want to think about boundary defense in the context of the way in which you’re sharing data and you’re trying to provide access to the data, to your partners into your company. And so, number one, if things are too wide open, it’s obviously the easiest for me as an organization; they should say, “Hey everybody, come get what you need.” But that clearly is a problem because it allows people on the outside to get unauthorized access, and misconfigured buckets and highly privileged users get access to things that they really shouldn’t have. It just opens up an enormously wide and pretty porous threat surface.
The second thing is, if I have relatively porous external protections, it provides access to a lot of internal systems which may not have necessarily been developed or be maintained with the same rigor as the patch management will happen from an organization like Microsoft, who are going to have a patch strategy and do a good job trying to make sure that I understand what should be patched. Very few internally developed proprietary applications, small spreads for the post, are going to have that same control and that same rigor. And by not understanding that boundary, by not limiting either logically or from the network perspective access, I’m going to be exposing a lot of weaknesses. And we saw some of this recently. Number one, try to create a logical boundary between the different kinds of network uses that we’ll see. Katie did a great job describing it earlier. How do I do a good job of breaking this thing down so that I make sure that the networks contain only the things that are necessary?”
Katie McCullough, Chief Information Security Officer
Opportunities in the Cloud (audio transcript)
“This is the final “uh-oh” control. But in some ways, it’s the control I love best because it has the tool that I love the best, which is a checklist. Something that you can create on your own, right? Most of us have some kind of incident, whether it’s due to availability of systems or whatever, have an incident plan, but it’s just like the age-old discussion where you want to work that muscle plenty of times before you actually have to use it, because you don’t want to be creating it in the moment.
So, I highly encourage, it does not have to be detailed, but just walk through from the moment of what it’s going to look like when you detect something, whether it’s through alerting or an admin being on a server and seeing something odd. What are they doing to report that? When you have an end user report something, who is that information going to so that they can best assess it? And then once you’ve assessed something, what is your communication plan?
All organizations have multiple layers. What are you doing to involve your leadership team? What are you doing to involve legal? A lot of situations we get involved in have regulated data, and you’re going to want your legal team involved because there are special protocols you’re going to want to follow to help limit any kind of damage or concern in those situations. Does HR have to be involved? And then a big one for us is our customers. What is going to be your customer communication? Be prepared for that. Don’t wait till the last minute to understand how that’s all going to play out.
So, think through your communication and notification. Put it in a checklist so you’re just running through that checklist. At OneNeck in TDS, we go through a yearly crisis communication plan where we pull all of our leadership into a room, and we go through an exercise of, here’s the scenario, what are we doing? And we walk through it. We spend nearly half a day walking through it. We get all sorts of after-action feedback, so it’s an incredibly important part to get it documented and then tested on a regular basis. Make sure it includes things like your communication and notification. Make sure it includes things like what data is going to be critical to collect and understand in those situations. Again, we’ve got a full checklist, from what logs are we looking at? What users were on the systems? Were there any immediate changes in privileges? Were there any anomalies in the event logs? What services are active on a server that appears to be compromised? Don’t leave questions about what data you’re going to ask your system administrators and network administrators to gather.
It can be a quick checklist. This is the data we want. Here’s where we want it sent. Here’s who we need to notify. And then always know who you can engage with if things get bad. Don’t be worrying about contracts and statements of work at the last minute. Kind of understand which of your vendors are available to help with that, because sometimes these can get out of control. If you potentially get in a situation where you’re having to restore from scratch, you’re going to need some extra help, and you don’t want to delay that, if you’ve got vendors at the ready to do that. And what I encourage our customers to do is please involve us in your testing and your security incident plan, so that we can understand the roles that they’re expecting us to play, and that they’re going to take on.
Again, we’ve got a checklist that we run down. It’s not 10 pages. It’s a couple pages, and it’s always edited for different customers on what activities they’re going to look for us to do with things like data recovery and analysis in those types of activities versus what they’re going to do. And a lot of times that comes down to certainly the communication protocols that they’re going to handle. I can’t encourage you enough, have a plan, especially be prepared with any kind of communications you’re going to have to do.
Make sure you’ve identified the key administrative tasks that you’re going to ask your teams to perform. Know who, in terms of your vendors, potentially needs to be involved in it, either as a result of an activity or to help resolve the activity. And practice it at least yearly, even if it’s just an hour to get a few key folks in a room. I guarantee you, you’re going to uncover things, and it’s a very worthwhile exercise.”