S1 M3 - Center for Internet Security Critical Security Controls: Part 1
Control 06 Protocols should be put in place for Granting Access and Revoking access based on Job Duties, Roles, and Responsibilities.
- Access control models, such as Role-Based Access Control (RBAC) or Policy-Based Access Control (PBAC), can be utilized
- For Accounts with Administrator access or Remote access, Additional Controls such as Multifactor Authentication (MFA) and Privileged Account MGT (PAM) can be used as an additional security layer
Control 02: Inventory and Control of Software Assets - Software within scope
- Operating systems
- Programming software & Libraries
- Business Applications
- Drivers
- Open-source software
- Application Programming Interfaces (APIs)
- some forms of Firmware
Control 01: Companies should also consider the Potential for External devices to connect to a company's network through other means (e.g. a guest network), even if those are segregated from the core network
- Other scenarios in which External Devices connect to a company's core network: Temporary access granted to Auditors, and Permanent Access given to Managed Service Providers (MSPs) to manage a company's IT operations
Control 01: Inventory and Control of Enterprise Assets
- actively track & manage All IT Assets connected to a company's IT Infrastructure, whether Physically, Virtually, or within a Cloud environment
- allows companies to Know the Totality of IT assets that should be Monitored and Protected
- Using an IT inventory list will allow organizations to Track Various Data Points for company assets
CIS Controls Overview
- controls are Task-focused & organized by activities
- 18 CIS Controls, updated to reflect shifts in the Cybersecurity Ecosystem to Cloud computing, Remote work, and Virtualization
- Each Control has recommendations prescribed to achieve the control objective (Recommendations = Safeguards)
Control 01: Having a Comprehensive View of Company Assets will also give Visibility into how data Flows throughout an organization
- knowing Which Devices contain Sensitive information can help IT managers Prioritize the Security and Maintenance of those devices
- Example: servers & laptops known to store employee records should be closely monitored for needed updates, cyber threats, and other irregularities so that Unauthorized access is Prevented.
Control 02: Inventory and Control of Software Assets
- provides Recommendations for orgs to Track & Actively manage All Software Apps so that only Authorized Software is Installed on company devices
- Guidance on finding Unmanaged and Unauthorized Software already Installed, in order to remove or remediate it
Control 01: One Challenge organizations face is Portable End-user devices that Periodically connect to a company's network and then disappear
This makes it Difficult for an org to have a Holistic view of its Inventory when devices are Off, Paused, or Otherwise Disconnected from the corporate network
Control 09: Email and Web Browser Protections
provides recommendations on how to detect and protect against cybercrime attempted through email or the internet, channels that directly engage employees
Note: Email clients and Web browsers give attackers direct access to users, which makes users vulnerable to Social Engineering tactics and the delivery of malicious payloads.
Enterprise log management process (Event Logs)
should address the Entire Life Cycle of Audit Logs beginning with log collection and ending with log disposal
Control 05: Account Management - Administrator accounts
- should be Restricted to specific use cases
- End-users requiring administrator privileges should have Separate Accounts to run administrative actions, to Lower the Risk of a user's account being compromised
Audit logs may be captured from a Variety of Connection Methods
whether directly to a comp's network via a Hard-wired connection, Wirelessly, or using a VPN
Control 04: Secure Configuration of Enterprise Assets and Software - Security Hardening & Security Tools
Security Hardening can be incorporated by adjusting Target Security Configurations so that they are continuously "hardened" against new forms of attack. Improvements:
- Removing any Unused or Unnecessary software
- Closing network ports that are openly exposed to the Internet
- Changing default passwords
- Turning off non-essential services
Security Tools (firewalls, intrusion detection/prevention systems, data loss prevention systems, and mobile device-management software) can be used to Secure Networks and End-user Devices
- orgs with multiple types of Environments or Data Classification levels may have several security Baselines
- once target configuration levels are implemented, they should be Continuously Monitored for Deviations & necessary Updates
SSO
Single Sign-On: a common and convenient form of authentication that lets users use a single login to securely authenticate across multiple apps; it can be enhanced using multifactor authentication (MFA)
Control 06: A Comprehensive Solution, ideally Centralized, for Provisioning and De-provisioning (aka "hiring & firing") employee access should be in place
Sophisticated methods allow all access to all applications across the org to be Cut Off Synchronously within minutes of initiating such a change in the system.
Control 07: Continuous Vulnerability Management - Organizations must remain Proactive in
- scanning
- monitoring
- managing vulnerabilities, to reduce the window of opportunity for attackers to capitalize on them
- As new vulnerabilities are discovered, they should be assessed for their Likelihood of Exploitation and Impact if exploited, in order to rank & prioritize them
- Preferable to use Vulnerability Scanning tools that map vulnerabilities to industry-recognized publications such as Common Vulnerabilities & Exposures (CVE), Common Configuration Enumeration (CCE), Open Vulnerability and Assessment Language (OVAL)...
Control 02: Inventory and Control of Software Assets - Maintaining a software inventory list keeps the company Informed on:
- whether the Most Current Software Patches are Installed
- whether Apps reaching End-of-life support are Renewed or Transitioned out
- whether any Additional Safeguards needed are in place to Compensate for Software-related Risks
List of controls within Control 03: Data Protection
3.1 Establish and Maintain a Data Classification Scheme - Asset type: Data - Security Function: Govern - Implementation group(s): IG1, IG2, IG3
3.2 Establish & Maintain a Data Inventory - Asset type: Data - Security Function: Identify - Implementation group(s): IG1, IG2, IG3
3.3 Configure Data Access Control Lists - Asset type: Data - Security Function: Protect - Implementation group(s): IG1, IG2, IG3
3.4 Enforce Data Retention - Asset type: Data - Security Function: Protect - Implementation group(s): IG1, IG2, IG3
3.5 Securely Dispose of Data - Asset type: Data - Security Function: Protect - Implementation group(s): IG1, IG2, IG3
3.6 Encrypt Data on End-User Devices - Asset type: Data - Security Function: Protect - Implementation group(s): IG1, IG2, IG3
3.7 Establish and Maintain a Data Classification Scheme - Asset type: Data - Security Function: Identify - Implementation group(s): IG2, IG3
3.8 Document Data Flows - Asset type: Data - Security Function: Identify - Implementation group(s): IG2, IG3
3.9 Encrypt Data on Removable Media - Asset type: Data - Security Function: Identify - Implementation group(s): IG2, IG3
3.10 Encrypt Sensitive Data in Transit - Asset type: Data - Security Function: Protect - Implementation group(s): IG2, IG3
3.11 Encrypt Sensitive Data at Rest - Asset type: Data - Security Function: Protect - Implementation group(s): IG2, IG3
3.12 Segment Data Processing and Storage based on Sensitivity - Asset type: Data - Security Function: Protect - Implementation group(s): IG2, IG3
3.13 Deploy a Data Loss Prevention Solution - Asset type: Data - Security Function: Protect - Implementation group(s): IG3
3.14 Log Sensitive Data Access - Asset type: Data - Security Function: Detect - Implementation group(s): IG3
List of controls within Control 04: Secure Configuration of Enterprise Assets and Software
4.1 Establish & Maintain a Secure Configuration Process - Asset Type: Documentation - Security Function: Govern - Implementation Group(s): IG1, IG2, IG3
4.2 Establish & Maintain a Secure Configuration Process for Network Infrastructure - Asset Type: Documentation - Security Function: Govern - Implementation Group(s): IG1, IG2, IG3
4.3 Configure Automatic Session Locking on Enterprise Assets - Asset Type: Devices - Security Function: Protect - Implementation Group(s): IG1, IG2, IG3
4.4 Implement & Manage a Firewall on Servers - Asset Type: Devices - Security Function: Protect - Implementation Group(s): IG1, IG2, IG3
4.5 Implement & Manage a Firewall on End-User Devices - Asset Type: Devices - Security Function: Protect - Implementation Group(s): IG1, IG2, IG3
4.6 Securely Manage Enterprise Assets & Software - Asset Type: Devices - Security Function: Protect - Implementation Group(s): IG1, IG2, IG3
4.7 Manage Default Accounts on Enterprise Assets and Software - Asset Type: Users - Security Function: Protect - Implementation Group(s): IG1, IG2, IG3
4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software - Asset Type: Devices - Security Function: Protect - Implementation Group(s): IG2, IG3
4.9 Configure Trusted DNS Servers on Enterprise Assets - Asset Type: Devices - Security Function: Protect - Implementation Group(s): IG2, IG3
4.10 Enforce Automatic Device Lockout on Portable End-user Devices - Asset Type: Devices - Security Function: Protect - Implementation Group(s): IG2, IG3
4.11 Enforce Remote Wipe Capability on Portable End-user Devices - Asset Type: Data - Security Function: Protect - Implementation Group(s): IG2, IG3
4.12 Separate Enterprise Workspaces on Mobile End-user Devices - Asset Type: Data - Security Function: Protect - Implementation Group(s): IG3
List of controls within Control 05: Account Management
5.1 Establish & Maintain an Inventory of Accounts - Asset type: Users - Security Function: Identify - Implementation Group(s): IG1, IG2, IG3
5.2 Use Unique Passwords - Asset type: Users - Security Function: Protect - Implementation Group(s): IG1, IG2, IG3
5.3 Disable Dormant Accounts - Asset type: Users - Security Function: Protect - Implementation Group(s): IG1, IG2, IG3
5.4 Restrict Administrator Privileges to Dedicated Administrator Accounts - Asset type: Users - Security Function: Protect - Implementation Group(s): IG1, IG2, IG3
5.5 Establish and Maintain an Inventory of Service Accounts - Asset type: Users - Security Function: Identify - Implementation Group(s): IG2, IG3
5.6 Centralize Account Management - Asset type: Users - Security Function: Govern - Implementation Group(s): IG2, IG3
List of controls within Control 06: Access Control Management
6.1 Establish an Access Granting Process
6.2 Establish an Access Revoking Process
6.3 Require MFA for Externally Exposed Apps
6.4 Require MFA for Remote Network Access
6.5 Require MFA for Administrative Access
6.6 Establish & Maintain an Inventory of Authentication & Authorization Systems
6.7 Centralize Access Control
6.8 Define & Maintain Role-Based Access Control
List of controls within Control 07: Continuous Vulnerability Management
7.1 Establish & Maintain a Vulnerability MGT Process
7.2 Establish & Maintain a Remediation Process
7.3 Perform Automated Operating System Patch MGT
7.4 Perform Automated Application Patch MGT
7.5 Perform Automated Vulnerability Scans of Internal Enterprise Assets
7.6 Perform Automated Vulnerability Scans of Externally Exposed Enterprise Assets
7.7 Remediate Detected Vulnerabilities
List of controls within Control 08: Audit Log MGT
8.1 Establish & Maintain an Audit Log MGT Process
8.2 Collect Audit Logs
8.3 Ensure Adequate Audit Log Storage
8.4 Standardize Time Synchronization
8.5 Collect Detailed Audit Logs
8.6 Collect DNS Query Audit Logs
8.7 Collect URL Request Audit Logs
8.8 Collect Command-Line Audit Logs
8.9 Centralize Audit Logs
8.10 Retain Audit Logs
8.11 Conduct Audit Log Reviews
8.12 Collect Service Provider Logs
List of controls within Control 09: Email and Web Browser Protections
9.1 Ensure Use of Only Fully Supported Browsers and Email Clients - Asset type: Software - Sec Function: Protect - IG: IG1 to IG3
9.2 Use DNS Filtering Services - Asset type: Device - Sec Function: Protect - IG: IG1 to IG3
9.3 Maintain and Enforce Network-Based URL Filters - Asset type: Network - Sec Function: Protect - IG: IG2, IG3
9.4 Restrict Unnecessary or Unauthorized Browser and Email Client Extensions - Asset type: Software - Sec Function: Protect - IG: IG2, IG3
9.5 Implement Domain-based Message Authentication, Reporting and Conformance (DMARC) - Asset type: Network - Sec Function: Protect - IG: IG2, IG3
9.6 Block Unnecessary File Types - Asset type: Network - Sec Function: Protect - IG: IG2, IG3
9.7 Deploy and Maintain Email Server Anti-Malware Protections - Asset type: Network - Sec Function: Protect - IG: IG3
Zero-day exploit
An exploit that takes advantage of a software vulnerability that hasn't yet become public, and is known only to the hacker who discovered it. Zero-day exploits are particularly dangerous because the vulnerability is exploited before the software developer has the opportunity to provide a solution for it.
Design Principles
CIS Controls were designed with the following Principles [the 3 C's]:
- Context: Enhancement to the Scope and Practical Applicability of Safeguards through Incorporation of Examples & explanations
- Coexistence: Alignment with evolving industry Standards and Frameworks, including NIST's CSF 2.0 framework
- Consistency: Disruption to Control Users is Minimized, limiting the Impact on Implementation groups
CIS
Center for Internet Security Controls: a recommended Set of Actions & Best Practices that can be Adopted and Implemented by organizations to Strengthen their Cybersecurity Defenses.
- first developed in 2008 by an International Consortium and have evolved since
- currently supported by the SANS Institute (SysAdmin, Audit, Network, and Security), which i. provides training, ii. administers certifications, iii. performs research
- Each iteration of control updates involves subject-matter experts (SMEs) across industries, entity types (government v. public companies), and job roles (from Operators to Policy Makers)
According to the Center for Internet Security (CIS), which of the following controls underscores the criticality of regular review of the cyberenvironment to identify weaknesses in order to help deter attackers?
Continuous vulnerability management
The Center for Internet Security (CIS) Controls are a recommended set of actions, processes, and best practices that can be adopted and implemented by organizations to strengthen their cybersecurity defenses. This continuous vulnerability management control assists organizations in continuously identifying and tracking vulnerabilities within their infrastructure so that an organization can remediate and eliminate weak points or opportunities for bad actors.
Which CIS Control best describes the recommendation to actively manage all enterprise assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise?
Control 01: Inventory and Control of Enterprise Assets (keywords: "totality of assets that need to be monitored and protected within the enterprise")
Which CIS Control best describes the development processes and technical controls needed to identify, classify, securely handle, retain, and dispose of data?
Control 03: Data Protection
Which CIS Control best describes use of processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software?
Control 05: Account Management
Which CIS Control best describes using processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software?
Control 06: Access Control Management
Which CIS Control best describes the development of a plan to assess and track vulnerabilities on all enterprise assets periodically within the enterprise's infrastructure to reduce the opportunity of attacks while monitoring industry sources for new threat information?
Control 07: Continuous Vulnerability Management
Under CIS Critical Security Controls Version 8, Control 07 is best described as follows: Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise's infrastructure, in order to remediate and minimize the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.
List of Safeguards within Control 01
1.1 Establish & Maintain Detailed Asset Inventory - Asset Type: Devices - Security Function: Identify - Implementation Group(s): IG1, IG2, IG3
1.2 Address Unauthorized Assets - Asset Type: Devices - Security Function: Respond - Implementation Group(s): IG1, IG2, IG3
1.3 Utilize an Active Discovery Tool - Asset Type: Devices - Security Function: Detect - Implementation Group(s): IG2, IG3
1.4 Use DHCP Logging to Update company Inventory -- Helps detect which devices are Active on the network - Asset Type: Devices - Security Function: Identify - Implementation Group(s): IG2, IG3
1.5 Use a Passive Asset Discovery Tool -- Identifies devices connected to a company's network - Asset Type: Devices - Security Function: Detect - Implementation Group(s): IG3
List of Safeguards within Control 02: Inventory and Control of Software Assets
2.1 Establish and Maintain a Software Inventory - Asset type: Software - Security Function: Identify - Implementation group(s): IG1, IG2, IG3
2.2 Ensure Authorized Software is Currently Supported - Asset type: Software - Security Function: Identify - Implementation group(s): IG1, IG2, IG3
2.3 Address Unauthorized Software - Asset type: Software - Security Function: Respond - Implementation group(s): IG1, IG2, IG3
2.4 Utilize Automated Software Inventory Tools - Asset type: Software - Security Function: Detect - Implementation group(s): IG2, IG3
2.5 Allowlist Authorized Software, to Ensure only authorized software can be accessed or executed - Asset type: Software - Security Function: Protect - Implementation group(s): IG2, IG3
2.6 Allowlist Authorized Libraries, to Ensure only Specific files can be loaded into a system process - Asset type: Software - Security Function: Protect - Implementation group(s): IG2, IG3
2.7 Allowlist Authorized Scripts, to ensure only authorized Scripts or Lines of code can be executed - Asset type: Software - Security Function: Protect - Implementation group(s): IG3
Control 07: Continuous Vulnerability Management
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise's infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.
Control 03: Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
Control 08: Audit Log Management
Establish an Enterprise Log MGT Process so the org can be Alerted to and Recover from an Attack in real time, or near real time, using log collection and analytic features
- 2 log Categories, which are frequently configured Independently:
1. System logs: provide a List of Events such as Start and End times, Points of Restoration, and System Crashes
2. Audit logs: tied to a Specific User, recording when a person Logs In or Out, Accesses a File, or Opens an app.
Organizations should be notified when
Failed user attempts are made to connect to resources without the appropriate privileges.
Control 05: Account Management
Outlines Best Practices for companies to manage Credentials & Authorization for user accounts, privileged user accounts and service accounts for company Hardware & Software.
- Accounts must be Inventoried & Tracked so that appropriate controls may be applied
i. Centralized acct mgt tools & services can be utilized for Consolidated acct mgt across the org
ii. orgs should Develop and Communicate an Acceptable Use policy and acct safety Guidelines
iii. Credentials should be treated as Highly sensitive information, & formal training should be provided to Educate users on acct safety best practices and the org's acct security policies
iv. these should include PW requirements, Controls for Inactivity, and acct Lockout Policies
3 Implementation Groups
The Implementation of the CIS Controls can be tailored to an organization's size by using 1 of 3 IGs: IG1, IG2, IG3. These are Self-Assessed categories that Identify a Sub-set of the CIS Controls which are Critical for companies to Adopt, given their Size.
It is recommended that Policies and Tools be put in place to enforce URL filtering, Block certain file types, and Restrict options such as the ability for users to install add-ons.
URL blocking can be done through Domain Name System (DNS) Filtering, which effectively Blocks users from accessing domains on a Blacklist.
Event Logs
critical to Incident Response & Facilitate Processes for Legal matters:
- eDiscovery
- Accountability for Auditing
- Lessons learned for process improvement
- Data Retention for Compliance Requirements
Control 04: Secure Configuration of Enterprise Assets and Software
establish & maintain Secure Baseline Configurations for their Enterprise Assets, including
- servers
- network devices
- mobile and portable end-user devices
- non-computing assets such as Internet of Things (IoT) devices
- operating systems
- other corporately managed hardware or software
Note: default configurations may present Vulnerabilities that can be Exploited, allowing Unauthorized users to Gain Access to an org's Core Network
- publicly available security standards (CIS Benchmarks Program or NIST National Checklist Program Repository) can be used by organizations as a Starting point for asset reconfiguration
Control 06: Access Control Management
expands on Account Management (Control 05) by Specifying the Type of Access that user accounts should have
- Ideally: Org users should Only have the necessary Privileges required for their Job role
- Org should follow the Principles of "Least Privilege" and "Need-to-Know" role assignment. These methodologies assist with the goal that users only have access to Systems, Services, and data needed to perform their job duties.
- Accounts that do Not follow these principles pose a Security Risk to the org by allowing Unauthorized access.
IG1
for Small or Med-sized organizations that have Limited Cybersec Defense mechanisms in place in terms of Personnel or IT assets. Main focus is to keep the company Operational because:
- their Cybersec expertise is Limited;
- data being used is Not sensitive (Not collecting PII or PHI);
- the company cannot sustain Long periods of Downtime
Note: IG1 is similar to the concept of NIST CSF Tier 1 (Partial) and Tier 2 (Risk-Informed)
think: "Small business construction company that builds houses"
IG2
includes IG1; for companies that have IT staff who Support Multiple Departments with Various Risk Profiles
- organizations typically have Sensitive Client Data and can Tolerate Short Interruptions in Service
- 1 of the Biggest Concerns for these entities is Loss of Trust in the event of a Data Breach
Note: similar to NIST CSF Tier 3 (Repeatable)
Example: think "midsize construction company that builds roads for government agencies and larger clients"
IG3
includes IG1 and IG2
- have Security Experts in All Domains within Cybersec, like Penetration testing, Risk MGT, and Application Sec
- Data Assets under MGT at these companies include those that are Sensitive and likely Subject to Compliance with Standards or Regulatory Oversight.
- Attacks on these orgs can cause Significant Damage to the company and to Public welfare.
Note: similar to NIST CSF Tier 4 (Adaptive)
Example: think "large construction company that builds dams and water treatment plants for government or very large clients"
