S1 M4 - Center for Internet Security Critical Security Controls


Anti-malware solutions should be

- Automated
- Centrally managed
- Maintained
- Deployed to all potential entry points

Specific Types of Vulnerabilities mentioned in the CIS Control document for Control 16 include:

- Buffer overflows: writing past the end of a fixed-size buffer corrupts adjacent memory and can let an attacker execute code
- Cross-site Scripting (XSS): injecting script into a web page so that it runs in other users' browsers, letting the attacker hijack their sessions or act on their behalf
- SQL injection: untrusted input changes the structure of a SQL query, allowing an attacker to extract or corrupt data
- Race conditions: two components act on the same shared data at once and the outcome depends on which one gets there first, which can defeat a security check (e.g., check-then-use)
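As an added illustration that is not part of the CIS document, the following Python shows two of these vulnerability classes next to their hardened forms: a SQL lookup built by string concatenation versus a parameterized query, and an HTML fragment that reflects input raw versus one that encodes it. The user table and the attacker payloads are constructed for the example.

```python
"""Vulnerable vs hardened handling of untrusted input (added example).

The in-memory SQLite table and the attacker inputs below are constructed for
illustration; they are not taken from the CIS Controls document.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small in-memory user table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "admin", "s3cr3t-a"), ("bob", "user", "s3cr3t-b")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """Concatenates input into the query text, so input is parsed as SQL."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """Parameterized query: the driver binds input as data, never as SQL."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def render_vulnerable(display_name: str) -> str:
    """Reflects input into HTML unescaped: a classic XSS sink."""
    return "<p>Welcome, " + display_name + "</p>"


def render_hardened(display_name: str) -> str:
    """Output encoding appropriate for an HTML text node."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


# Constructed attacker inputs.
SQLI_PAYLOAD = "' OR '1'='1"                 # closes the string and adds a true clause
XSS_PAYLOAD = "<script>alert(1)</script>"    # script that would run in a victim's browser


def demo() -> dict:
    """Run both payloads through the vulnerable and hardened code paths."""
    conn = make_db()
    return {
        # Concatenation turns the payload into "... WHERE username = '' OR '1'='1'"
        # and returns every row; the bound parameter matches no user at all.
        "sqli_vulnerable_rows": len(lookup_vulnerable(conn, SQLI_PAYLOAD)),
        "sqli_hardened_rows": len(lookup_hardened(conn, SQLI_PAYLOAD)),
        "xss_vulnerable": render_vulnerable(XSS_PAYLOAD),
        "xss_hardened": render_hardened(XSS_PAYLOAD),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Notice that the hardened SQL path does not sanitize or reject the payload; it simply never lets the input reach the query parser, which is why parameterization is the recommended fix rather than input filtering.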

The incident response process should include

- Designation of a key contact;
- Establishment of an incident response team; and
- Development of communication plans for notifying impacted business units, stakeholders, and regulatory agencies.
Note: It is also important to periodically carry out exercises to test the incident response process, to ascertain its effectiveness and identify opportunities for improvement.

Network architecture documentation and diagrams should be kept up to date so that they accurately reflect the organization's network topology and layout.

- Documentation should include critical vendor contact information to increase the likelihood that system upgrades or patches are implemented in a timely manner
- Companies should monitor for end-of-life network components so they can upgrade before the end date or establish mitigating controls

To detect and respond to DoS and ransomware attacks, organizations should establish

- Event logging
- Alerting mechanisms, which can be implemented through tools such as Security Information and Event Management (SIEM) systems that centralize logs and assist in their analysis
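The kind of alerting rule a SIEM would run over centralized logs, as an added example that is not from the CIS document: a sliding-window threshold detector applied to constructed web-server and file-activity events. One rule flags a source that floods the server with requests (a DoS indicator); the other flags a host that renames many files to a new extension within a minute (a common ransomware indicator). The log format, hostnames, thresholds and extension are all assumptions made for the example.

```python
"""Threshold-based alerting over centralized event logs (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in an assumed "<ISO time> <source> <event_type> <detail>"
# layout. These are made up for the example; they are not real telemetry.
LOG_LINES = [
    "2024-05-01T10:00:00 10.0.0.5 http GET /login",
    "2024-05-01T10:00:01 10.0.0.5 http GET /login",
    "2024-05-01T10:00:01 10.0.0.9 http GET /index.html",
    "2024-05-01T10:00:02 10.0.0.5 http GET /login",
    "2024-05-01T10:00:02 10.0.0.5 http GET /login",
    "2024-05-01T10:00:03 10.0.0.5 http GET /login",
    "2024-05-01T10:00:04 10.0.0.5 http GET /login",
    "2024-05-01T10:00:30 10.0.0.9 http GET /about",
    "2024-05-01T10:01:00 ws01 file_rename C:\\Users\\a\\q1.xlsx -> C:\\Users\\a\\q1.xlsx.locked",
    "2024-05-01T10:01:05 ws01 file_rename C:\\Users\\a\\q2.xlsx -> C:\\Users\\a\\q2.xlsx.locked",
    "2024-05-01T10:01:07 ws02 file_rename C:\\Users\\b\\draft.txt -> C:\\Users\\b\\draft.docx",
    "2024-05-01T10:01:09 ws01 file_rename C:\\Users\\a\\q3.xlsx -> C:\\Users\\a\\q3.xlsx.locked",
    "2024-05-01T10:01:12 ws01 file_rename C:\\Users\\a\\q4.xlsx -> C:\\Users\\a\\q4.xlsx.locked",
]


def parse_line(line: str) -> tuple[datetime, str, str, str]:
    """Split one log line into (timestamp, source, event_type, detail)."""
    ts, source, etype, detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), source, etype, detail


def sliding_window_alerts(events, event_type, threshold, window, key_fn, rule_name):
    """Raise one alert per key when >= `threshold` matching events fall inside `window`.

    key_fn(source, detail) returns the grouping key, or None to ignore the event.
    """
    recent = defaultdict(deque)   # key -> timestamps still inside the window
    alerted = set()               # keys already reported, to avoid alert storms
    alerts = []
    for ts, source, etype, detail in events:
        if etype != event_type:
            continue
        key = key_fn(source, detail)
        if key is None:
            continue
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:   # drop events that aged out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"rule": rule_name, "key": key,
                           "time": ts.isoformat(), "count": len(q)})
    return alerts


def run_rules(lines: list[str]) -> list[dict]:
    """Parse, order and evaluate the constructed log against both rules."""
    events = sorted(parse_line(line) for line in lines)
    alerts = []
    # DoS indicator: 5+ requests from one source within 10 seconds (assumed threshold).
    alerts += sliding_window_alerts(
        events, "http", 5, timedelta(seconds=10),
        lambda src, detail: src, "dos_request_flood")
    # Ransomware indicator: 3+ renames to the ".locked" suffix on one host within 60 s.
    alerts += sliding_window_alerts(
        events, "file_rename", 3, timedelta(seconds=60),
        lambda src, detail: src if detail.lower().endswith(".locked") else None,
        "ransomware_rename_burst")
    return alerts


if __name__ == "__main__":
    for alert in run_rules(LOG_LINES):
        print(alert)
```

The two rules share one detector because the security-relevant logic is identical: group, count within a window, fire once. What differs per threat is only the event type, the grouping key and the threshold, which is exactly the part that has to be tuned to each network (see Control 13 below).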

Control 14: Security Awareness and Skills Training

- Guides organizations in establishing a security awareness and training program to reduce cybersecurity risk
- Aims to influence employee behavior so that staff are conscious of the tactics attackers use to gain unauthorized access
- Uninformed employees pose one of the greatest risks to the security of an organization, and the risk can originate externally and internally:
  i. Social engineering techniques targeting the enterprise workforce can lead to significant business disruption, financial losses, and loss of reputation
  ii. Human error, negligence, and misuse of organizational assets can also introduce security issues

what can also cause data to become Unusable or Unavailable?

- Human error - Misconfigurations - Natural factors (power outages, flooding, etc.)

IT managers must consider whether best practices and safeguards, such as secure design standards and secure code reviews, are being followed, and whether security testing tools are integrated into the Software Development Life Cycle (SDLC).

- It is recommended to introduce application security as early in the SDLC as possible, because making code changes becomes more complex as development progresses.
- Processes should also be in place to inventory third-party software components, tools, and applications. Suggested activities include:
  i. ensuring the software is up to date;
  ii. reviewing configuration settings; and
  iii. putting compensating controls in place for attack mitigation.

Traffic flow monitoring, Alerting, and Detection Safeguards can also be implemented with tools such as:

- Network Intrusion Prevention Systems (NIPS) - Next-generation Firewalls (NGFW); - Data Loss Prevention (DLP) systems; and - Endpoint Detection and Response (EDR) systems

Risks can be introduced by third-party service providers that do not hold themselves to the same security standards as the organizations they serve.

- Part of the reason for this disparity in organizational standards is that only a few industry standards are available in the public domain.
- Examples of such standards: the Shared Assessments program for the finance industry; the Higher Education Community Vendor Assessment Toolkit (HECVAT) for higher education.

Control 10: Malware Defenses

- Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
- Endpoint assets and devices can be leveraged as both entry points and targets for malware
  i. Malware can cause substantial damage to an organization by stealing intellectual property or login credentials, destroying data, encrypting data for ransom, or executing other nefarious activities
  ii. Malware frequently relies on insecure end-user behavior such as clicking links, opening attachments, installing software, or inserting USB flash drives to infiltrate the organization

Control 15 (cont.) It is recommended that companies establish service provider management processes to oversee the entire service provider life cycle.

- Service providers should be assessed, and their performance and standards catalogued from Initial Engagement through Decommissioning for Adherence to Security Standards, Protocols, and Best Practices. - System & Organization Controls (SOC) audit reports can be used to assess the risks of doing business with service providers.

One common blind spot modern organizations have is the Lack of Visibility into Software-as-a-Service platforms.

- These platforms can be hosted anywhere across the globe, and their software development and review processes usually do not involve their clients.
- Companies using SaaS services should inquire about such practices and consider obtaining SOC reports for assurance as to whether the providers operate according to the terms of their service-level agreements.

Training should Not be reduced to an annual occurrence but should be more Frequent and include messages that resonate with Users, such as:

- the impact of recent data breaches at well-known comps; - the rise of phishing scams during tax season; or - information on phony gift rewards sent via email

Penetration testing generally begins with a discovery or observation of an org's environment, followed by scanning to locate vulnerabilities that can be used to gain access.

- Those vulnerabilities then become targets, and the team of testers exploits them to demonstrate how an attacker could bypass controls
- The results are then studied, and the company revises its controls accordingly
- This process can, and should, be performed at least annually for large organizations with significant cybersecurity risk

Organizations must Continuously Identify and Remediate Insecure Default network configuration settings, Misconfigured Network settings, Insecure Protocol usage, and Outdated network Software.

- Commercial tools can help fulfill this requirement by evaluating a company's network configuration against a set of rules and reporting where the two conflict.
- Sanity checks should be run every time a significant change is made to firewalls, access control lists, or other filtering mechanisms.
Note: A sanity check is a quick, basic verification that the change behaves as intended (required traffic still flows, forbidden traffic is still blocked); it does not prove that the hardware or software is free of all defects.
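What such a rule-set check looks like in practice, as an added example that is not from the CIS document or any vendor's product: a small checker that evaluates a firewall/ACL rule set against three policy rules (no permit-any-to-any, no cleartext management protocol exposed to any source, no rule fully shadowed by an earlier one). The rule representation and the sample rules are constructed and vendor-neutral; a real deployment would parse the device's own syntax into this shape first.

```python
"""Policy sanity check for a firewall/ACL rule set (added example)."""
import ipaddress

# Cleartext management protocols that policy forbids exposing to untrusted sources
# (assumed policy for this example).
CLEARTEXT_MGMT_PORTS = {21: "ftp", 23: "telnet", 69: "tftp"}
ANY_NET = ipaddress.ip_network("0.0.0.0/0")

# Constructed rule set, evaluated top to bottom, first match wins (assumed semantics).
# dport None means "any port"; proto "any" means any IP protocol.
RULES = [
    {"action": "permit", "proto": "tcp", "src": "10.0.0.0/8",    "dst": "10.1.1.10/32", "dport": 22},
    {"action": "permit", "proto": "tcp", "src": "0.0.0.0/0",     "dst": "10.1.1.0/24",  "dport": 23},
    {"action": "deny",   "proto": "tcp", "src": "10.2.0.0/16",   "dst": "10.1.1.10/32", "dport": 22},
    {"action": "permit", "proto": "any", "src": "0.0.0.0/0",     "dst": "0.0.0.0/0",    "dport": None},
]


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def _covers(outer: dict, inner: dict) -> bool:
    """True when `outer` matches every packet `inner` matches (superset in every field)."""
    return (outer["proto"] in ("any", inner["proto"])
            and _net(inner["src"]).subnet_of(_net(outer["src"]))
            and _net(inner["dst"]).subnet_of(_net(outer["dst"]))
            and outer["dport"] in (None, inner["dport"]))


def sanity_check(rules: list[dict]) -> list[dict]:
    """Return one finding per policy conflict, tagged with the offending rule index."""
    findings = []
    for i, rule in enumerate(rules):
        src_any = _net(rule["src"]) == ANY_NET
        dst_any = _net(rule["dst"]) == ANY_NET
        if (rule["action"] == "permit" and rule["proto"] == "any"
                and rule["dport"] is None and src_any and dst_any):
            findings.append({"rule": i, "code": "permit_any_any",
                             "msg": f"rule {i} permits all traffic from anywhere to anywhere"})
        if rule["action"] == "permit" and rule["dport"] in CLEARTEXT_MGMT_PORTS and src_any:
            proto_name = CLEARTEXT_MGMT_PORTS[rule["dport"]]
            findings.append({"rule": i, "code": "cleartext_protocol_exposed",
                             "msg": f"rule {i} exposes {proto_name} (port {rule['dport']}) to any source"})
        # Shadowing: an earlier rule already decides every packet this rule would match,
        # so this rule never fires. With a different action the intended deny/permit is lost.
        for j in range(i):
            if _covers(rules[j], rule):
                kind = "unreachable" if rules[j]["action"] != rule["action"] else "redundant"
                findings.append({"rule": i, "code": "shadowed_rule",
                                 "msg": f"rule {i} is {kind}: fully covered by earlier rule {j}"})
                break
    return findings


if __name__ == "__main__":
    for finding in sanity_check(RULES):
        print(finding["code"], "-", finding["msg"])
```

Run against the constructed set, the checker reports the telnet exposure in rule 1, the unreachable deny in rule 2 (rule 0 already permits that traffic), and the catch-all permit in rule 3. Running the same check before and after every significant change is the automated form of the sanity check described above.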

list of controls within Control 10: Malware Defenses

10.1 Deploy & Maintain Anti-Malware Software - Asset type: Devices - Sec function: Detect - IG: 1,2,3
10.2 Configure Automatic Anti-Malware Signature Updates - Asset type: Devices - Sec function: Protect - IG: 1,2,3
10.3 Disable Autorun & Autoplay for Removable Media - Asset type: Devices - Sec function: Protect - IG: 1,2,3
10.4 Configure Automatic Anti-Malware Scanning of Removable Media - Asset type: Devices - Sec function: Detect - IG: 2,3
10.5 Enable Anti-Exploitation Features - Asset type: Devices - Sec function: Protect - IG: 2,3
10.6 Centrally Manage Anti-Malware Software - Asset type: Devices - Sec function: Protect - IG: 2,3
10.7 Use Behavior-based Anti-Malware Software - Asset type: Devices - Sec function: Detect - IG: 2,3

List of controls within Control 11: Data Recovery

11.1 Establish & Maintain a Data Recovery Process - Asset type: Documentation - Sec function: Govern - IG: 1,2,3
11.2 Perform Automated Backups - Asset type: Data - Sec function: Recover - IG: 1,2,3
11.3 Protect Recovery Data - Asset type: Data - Sec function: Protect - IG: 1,2,3
11.4 Establish & Maintain an Isolated Instance of Recovery Data - Asset type: Data - Sec function: Recover - IG: 1,2,3
11.5 Test Data Recovery - Asset type: Data - Sec function: Recover - IG: 2,3

List of Controls within Control 12: Network Infrastructure Management

12.1 Ensure Network Infrastructure is Up-to-Date - Asset type: Network - Sec function: Protect - IG: 1,2,3
12.2 Establish & Maintain a Secure Network Architecture - Asset type: Network - Sec function: Protect - IG: 2,3
12.3 Securely Manage Network Infrastructure - Asset type: Network - Sec function: Protect - IG: 2,3
12.4 Establish & Maintain Architecture Diagram(s) - Asset type: Documentation - Sec function: Govern - IG: 2,3
12.5 Centralize Network Authentication, Authorization, and Auditing (AAA) - Asset type: Network - Sec function: Protect - IG: 2,3
12.6 Use of Secure Network Management & Communication Protocols - Asset type: Network - Sec function: Protect - IG: 2,3
12.7 Ensure Remote Devices Utilize a VPN and Are Connecting to an Enterprise's AAA Infrastructure - Asset type: Devices - Sec function: Protect - IG: 2,3
12.8 Establish & Maintain Dedicated Computing Resources for All Administrative Work - Asset type: Devices - Sec function: Protect - IG: 3

List of controls within Control 13: Network Monitoring and Defense

13.1 Centralize Security Event Alerting
13.2 Deploy a Host-Based Intrusion Detection Solution
13.3 Deploy a Network Intrusion Detection Solution
13.4 Perform Traffic Filtering Between Network Segments
13.5 Manage Access Controls for Remote Assets
13.6 Collect Network Traffic Flow Logs
13.7 Deploy a Host-Based Intrusion Prevention Solution
13.8 Deploy a Network Intrusion Prevention Solution
13.9 Deploy Port-Level Access Control
13.10 Perform Application Layer Filtering
13.11 Tune Security Event Alerting Thresholds

List of controls within Control 14: Security Awareness and Skills Training

14.1 Establish & Maintain a Security Awareness Program - Asset type: Documentation - Sec function: Govern - IG: 1,2,3
14.2 Train Workforce Members to Recognize Social Engineering Attacks - Asset type: Users - Sec function: Protect - IG: 1,2,3
14.3 Train Workforce Members on Authentication Best Practices - Asset type: Users - Sec function: Protect - IG: 1,2,3
14.4 Train Workforce on Data Handling Best Practices - Asset type: Users - Sec function: Protect - IG: 1,2,3
14.5 Train Workforce Members on Causes of Unintentional Data Exposure - Asset type: Users - Sec function: Protect - IG: 1,2,3
14.6 Train Workforce Members on Recognizing and Reporting Security Incidents - Asset type: Users - Sec function: Protect - IG: 1,2,3
14.7 Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates - Asset type: Users - Sec function: Protect - IG: 1,2,3
14.8 Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data over Insecure Networks - Asset type: Users - Sec function: Protect - IG: 1,2,3
14.9 Conduct Role-Specific Security Awareness and Skills Training - Asset type: Users - Sec function: Protect - IG: 2,3

List of controls within Control 15: Service Provider Management

15.1 Establish & Maintain an Inventory of Service Providers - Asset type: Users - Sec function: Identify - IG: 1,2,3
15.2 Establish & Maintain a Service Provider Management Policy - Asset type: Documentation - Sec function: Govern - IG: 2,3
15.3 Classify Service Providers - Asset type: Users - Sec function: Govern - IG: 2,3
15.4 Ensure Service Provider Contracts Include Security Requirements - Asset type: Documentation - Sec function: Govern - IG: 2,3
15.5 Assess Service Providers - Asset type: Users - Sec function: Govern - IG: 3
15.6 Monitor Service Providers - Asset type: Data - Sec function: Govern - IG: 3
15.7 Securely Decommission Service Providers - Asset type: Data - Sec function: Protect - IG: 3

List of controls within Control 16: Application Software Security

16.1 Establish & Maintain a Secure Application Development Process
16.2 Establish & Maintain a Process to Accept and Address Software Vulnerabilities
16.3 Perform Root Cause Analysis on Security Vulnerabilities
16.4 Establish & Maintain an Inventory of Third-Party Software Components
16.5 Use Up-to-Date and Trusted Third-Party Software Components
16.6 Establish & Maintain a Severity Rating System and Process for Application Vulnerabilities
16.7 Use Standard Hardening Configuration Templates for Application Infrastructure
16.8 Separate Production and Non-Production Systems
16.9 Train Developers in Application Security Concepts and Secure Coding
16.10 Apply Secure Design Principles in Application Architectures
16.11 Leverage Vetted Modules or Services for Application Security Components
16.12 Implement Code-Level Security Checks
16.13 Conduct Application Penetration Testing
16.14 Conduct Threat Modeling

List of controls within Control 17: Incident Response MGT

17.1 Designate Personnel to Manage Incident Handling
17.2 Establish & Maintain Contact Information for Reporting Security Incidents
17.3 Establish & Maintain an Enterprise Process for Reporting Incidents
17.4 Establish & Maintain an Incident Response Process
17.5 Assign Key Roles & Responsibilities
17.6 Define Mechanisms for Communicating During Incident Response
17.7 Conduct Routine Incident Response Exercises
17.8 Conduct Post-Incident Reviews
17.9 Establish & Maintain Security Incident Thresholds

List of controls within Control 18: Penetration Testing

18.1 Establish & Maintain a Penetration Testing Program - Asset type: Documentation - Sec function: Govern - IG: 2,3
18.2 Perform Periodic External Penetration Tests - Asset type: Network - Sec function: Detect - IG: 2,3
18.3 Remediate Penetration Test Findings - Asset type: Network - Sec function: Protect - IG: 2,3
18.4 Validate Security Measures - Asset type: Network - Sec function: Protect - IG: 2,3
18.5 Perform Periodic Internal Penetration Tests - Asset type: Network - Sec function: Detect - IG: 2,3

Denial of Service (DoS) and Ransomware

2 common ways networks can be attacked include - Denial of Service attacks - Ransomware

Center for Internet Security (CIS) Controls [recap]

A recommended set of actions, processes, and best practices that help an organization strengthen its cybersecurity defenses - 18 Controls - 153 subcategories called Safeguards

Instead of being created from scratch, many new Applications are

Aggregations of these various sources, making it Critical to Understand the Facets of each to Thwart Bad Actors.

Organizational data is a Critical resource for

Conducting business and can be Targeted by Ransomware attacks that Encrypt data and leave Criminals demanding ransom for its restoration

Which CIS Control best describes the recommendation to establish, implement, and actively manage network devices to prevent attackers from exploiting vulnerable network services and access points?

Control 12: Network Infrastructure Management

Which of the following CIS Controls most likely includes controls such as securely managing the network, ensuring the network components are up-to-date, and establishing and maintaining a secure network architecture?

Control 12: Network Infrastructure Management

Which CIS Control best describes the establishment of a program to develop and maintain policies, plans, procedures, defined roles, training, and communication to prepare, detect, and quickly react to an attack?

Control 17: Incident Response Management

Which CIS Control best describes the test of resiliency and effectiveness of enterprise assets through identifying and exploiting weaknesses in controls and simulating the objectives and actions of an individual attacking the enterprise?

Control 18: Penetration Testing

Control 15: Service Provider Management

Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise's critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.

Control 13: Network Monitoring and Defense (Overview)

Establish processes for monitoring and defending a company's network infrastructure against internal and external security threats.
- Network monitoring and defense products may be highly capable when purchased, but some degree of tuning specific to the company's own network is still required.
- There is also the possibility of human error, or of new attack schemes that were not common when the network was first built.
Note: Continuous monitoring is critical to keep up with an evolving cybersecurity landscape.

Control 12: Network Infrastructure Management

Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points.

In certain cases, laws & regulations may require notification of data breaches and impose fines for noncompliance, which makes it imperative to have programs in place to detect, contain, and eliminate threats.

Examples: - Health Insurance Portability and Accountability Act (HIPAA) - General Data Protection Regulation (GDPR)

Living off the land (LotL)

Exploitation techniques that use the standard system tools and packages already present on a host to carry out an intrusion: attackers turn the organization's own tooling against it to reduce the chance of being caught.
- Because these existing tools and applications are trusted and typically already have access to a wide variety of company applications, they give the perpetrator a quick window into the company's systems.

Control 18: Penetration Testing

Helps organizations test the sophistication of their cybersecurity defense system in place by simulating actual attacks in an effort to find and exploit weaknesses

Which of the following best describes the overview of CIS Control 16: Application Software Security?

Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.

Penetration testing in Control 18 differs from vulnerability testing in Control 7 in that

Penetration testing seeks to go Beyond identifying weaknesses. - It attempts to exploit those weak points and see what additional damage could be done once that first point of failure is reached.

Control 17: Incident Response Management

Provides the recommendations necessary to establish an incident response management program to detect, respond, and prepare for potential cybersecurity attacks. When security incidents occur, their impact can be widespread throughout the org.

Control 14 (cont.) Training

Regular training is one of the best ways to establish security awareness, educating staff on:
- Recognizing unusual behavior;
- Social engineering tactics;
- Best practices for handling organizational assets and data; and
- The risks involved in using insecure networks and devices.
- Staff should also understand the organization's processes for reporting incidents, issues, and concerns.

Software Development Life Cycles have shortened and become more complex because

Software Apps are often Mix of Various Sources of Existing code, Libraries, and New code.

Control 13: Network Monitoring and Defense

Under CIS Critical Security Controls Version 8, Control 13 is best described as follows: Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise's network infrastructure and user base.

Malware can come in many forms such as

Viruses, worms, spyware, adware, keyloggers, and ransomware

Software Vulnerabilities may exist for various reasons like

a Flawed Design, Poor Infrastructure, Coding Errors, Poor Authentication Protocols, and the Failure to Test for Software Anomalies.

Automating the Backup process, Utilizing Off-site storage in a Different geographical location, and using Encryption are

all recommended practices.
- These functions should be tested at least once per quarter to confirm that the procedures and technology in place will actually work
- It is recommended to restore files into a test-bed environment, so the recovery is verified without touching production
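The restore test described above, as an added example that is not from the CIS document: the script backs up a small constructed directory tree into a compressed archive, records a SHA-256 manifest and an HMAC over the archive so that altered recovery data is detectable, then restores into a separate test-bed directory and compares every file against the manifest. It also shows the check failing after one byte of the archive is flipped. The key, file contents and directory names are constructed; the HMAC provides tamper evidence only, so encrypting the archive at rest (which the page recommends) is a separate step not shown here.

```python
"""Backup with integrity manifest and test-bed restore verification (added example)."""
import hashlib
import hmac
import tarfile
import tempfile
from pathlib import Path


def _sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _hash_tree(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): _sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path, key: bytes) -> dict:
    """Archive `src` and return a manifest of per-file hashes plus an HMAC over the archive.

    The HMAC (keyed with a secret the backup system holds) makes tampering with stored
    recovery data detectable. It is an integrity control, not encryption.
    """
    manifest = {"files": _hash_tree(src)}
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    manifest["archive_hmac"] = hmac.new(key, archive.read_bytes(), "sha256").hexdigest()
    return manifest


def verify_restore(archive: Path, manifest: dict, key: bytes, testbed: Path) -> tuple[bool, list[str]]:
    """Restore into an isolated test-bed directory and compare against the manifest."""
    actual = hmac.new(key, archive.read_bytes(), "sha256").hexdigest()
    if not hmac.compare_digest(actual, manifest["archive_hmac"]):
        return False, ["archive HMAC mismatch: recovery data altered or wrong key"]
    testbed.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        # Use the safe extraction filter where this Python version provides it.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(testbed, **kwargs)
    restored = _hash_tree(testbed)
    problems = []
    for rel, digest in manifest["files"].items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content mismatch: {rel}")
    problems += [f"unexpected file in restore: {rel}"
                 for rel in sorted(restored.keys() - manifest["files"].keys())]
    return not problems, problems


def demo() -> dict:
    """Back up a constructed tree, verify a clean restore, then verify a tampered archive."""
    key = b"constructed-demo-key-not-for-production"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")  # constructed
        (src / "readme.txt").write_text("constructed sample data\n")        # constructed
        archive = root / "backup.tar.gz"
        manifest = create_backup(src, archive, key)
        clean_ok, clean_problems = verify_restore(archive, manifest, key, root / "testbed1")
        # Simulate corrupted or tampered recovery data: flip one byte of the archive.
        data = bytearray(archive.read_bytes())
        data[-1] ^= 0xFF
        archive.write_bytes(data)
        tampered_ok, tampered_problems = verify_restore(archive, manifest, key, root / "testbed2")
    return {"file_count": len(manifest["files"]),
            "clean_ok": clean_ok, "clean_problems": clean_problems,
            "tampered_ok": tampered_ok, "tampered_problems": tampered_problems}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The manifest itself must be stored separately from the archive (and protected), otherwise whoever alters the archive can rewrite the hashes to match; that separation is what Safeguard 11.4's isolated instance of recovery data provides.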

Network Infrastructure includes

both physical and virtual devices such as firewalls, gateways, routers, switches, and wireless access points

Control 16: Application Software Security

establishes Safeguards that Manage the entire Life Cycle of Software that is acquired, hosted, or developed in-house to Detect, Deter, and Resolve cybersecurity Weaknesses Before they are Exploited

Control 11: Data Recovery

establishes data backup, testing, and restoration processes that allow organizations to effectively recover company assets to a pre-incident state

"Red Team"

exercises focus on specific tactics, techniques, and procedures (TTPs) to see how an organization fares against particular types of attackers. Each industry is exposed to a different mix of cybersecurity risks, with some bearing more risk simply due to the nature of the business. Example: health care companies and financial institutions hold Social Security numbers, banking information, credit card numbers, and other personal information that can be used to defraud their customers.

DoS attacks

involve a perpetrator overwhelming a company's network by flooding it with illegitimate requests so that it is effectively rendered useless.

Ransomware attacks are

situations in which an Attacker or Group of attackers: - Gain Access to a comp's system; - Block Employees from Accessing it; - Demand Payment to Regain Access; and - Threaten to Either Keep all systems blocked or Publish Sensitive Data to the Public (or Dark web) if the comp doesn't comply.

Hackers use

stolen credentials, PowerShell, FTP, the Windows Management Instrumentation (WMI) interface, and other built-in tools.

Data Value, Sensitivity, Classification & Retention requirements all factor into

the Mechanisms and Cadence that will be used for Backup & Storage methods

Some larger organizations may consider implementing a Bug Bounty program in which employees are paid for finding Flaws in company-produced or company-used Software.

these programs create camaraderie, healthy competition, and are effective ways to find software vulnerabilities.

Penetration Testing

typically performed as a Dramatic demonstration of an attack, as a way to Verify whether a comp's defenses work, and to make sure the comp has the Right Defenses in place.

