The CIS Critical Security Controls for Effective Cyber Defense, Version 6.1

The Center for Internet Security
Critical Security Controls for Effective Cyber Defense, Version 6.1
August 31, 2016

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode).

To further clarify the Creative Commons license related to the CIS Critical Security Controls content, you are authorized to copy and redistribute the content as a framework for use by you, within your organization and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you remix, transform or build upon the CIS Critical Security Controls, you may not distribute the modified materials. Users of the CIS Critical Security Controls framework are also required to refer to (http://www.cisecurity.org/critical-controls.cfm) when referring to the CIS Critical Security Controls in order to ensure that users are employing the most up to date guidance. Commercial use of the CIS Critical Security Controls is subject to the prior approval of The Center for Internet Security.
Contents

Introduction
CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5: Controlled Use of Administrative Privileges
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
CSC 7: Email and Web Browser Protections
CSC 8: Malware Defenses
CSC 9: Limitation and Control of Network Ports, Protocols, and Services
CSC 10: Data Recovery Capability
CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
CSC 12: Boundary Defense
CSC 13: Data Protection
CSC 14: Controlled Access Based on the Need to Know
CSC 15: Wireless Access Control
CSC 16: Account Monitoring and Control
CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 18: Application Software Security
CSC 19: Incident Response and Management
CSC 20: Penetration Tests and Red Team Exercises
Appendix A: Evolving An Attack Model for the CIS Critical Security Controls
Appendix B: Attack Types
Appendix C: The NIST Framework for Improving Critical Infrastructure Cybersecurity
Appendix D: The National Cyber Hygiene Campaign
Appendix E: Critical Governance Controls and the CIS Critical Security Controls
Appendix F: Toward A Privacy Impact Assessment (PIA) for the CIS Critical Security Controls
Appendix G: Categorization for the CIS Critical Security Controls

Introduction

We are at a fascinating point in the evolution of what we now call cyber defense. Massive data losses, theft of intellectual property, credit card breaches, identity theft, threats to our privacy, denial of service – these have become a way of life for all of us in cyberspace.
Ironically, as defenders we have access to an extraordinary array of security tools and technology, security standards, training and classes, certifications, vulnerability databases, guidance, best practices, catalogs of security controls, and countless security checklists, benchmarks, and recommendations. To help us understand the threat, we've seen the emergence of threat information feeds, reports, tools, alert services, standards, and threat sharing frameworks. To top it all off, we are surrounded by security requirements, risk management frameworks, compliance regimes, regulatory mandates, and so forth. There is no shortage of information available to security practitioners on what they should do to secure their infrastructure.

But all of this technology, information, and oversight has become a veritable "Fog of More": competing options, priorities, opinions, and claims that can paralyze or distract an enterprise from vital action. Business complexity is growing, dependencies are expanding, users are becoming more mobile, and the threats are evolving. New technology brings us great benefits, but it also means that our data and applications are now distributed across multiple locations, many of which are not within our organization's infrastructure. In this complex, interconnected world, no enterprise can think of its security as a standalone problem.

So how can we as a community – the community-at-large, as well as within industries, sectors, partnerships, and coalitions – band together to establish priority of action, support each other, and keep our knowledge and technology current in the face of a rapidly evolving problem and an apparently infinite number of possible solutions? What are the most critical areas we need to address and how should an enterprise take the first step to mature their risk management program? Rather than chase every new exceptional threat and neglect the fundamentals, how can we get on track with a roadmap of fundamentals, and guidance to measure and improve? Which defensive steps have the greatest value?

These are the kinds of issues that led to and now drive the CIS Critical Security Controls.
They started as a grass-roots activity to cut through the "Fog of More" and focus on the most fundamental and valuable actions that every enterprise should take. And value here is determined by knowledge and data – the ability to prevent, alert, and respond to the attacks that are plaguing enterprises today.

Led by the Center for Internet Security (CIS), the CIS Critical Security Controls ("the Controls") have been matured by an international community of individuals and institutions that:

• share insight into attacks and attackers, identify root causes, and translate that into classes of defensive action;
• document stories of adoption and share tools to solve problems;
• track the evolution of threats, the capabilities of adversaries, and current vectors of intrusions;
• map the Controls to regulatory and compliance frameworks and bring collective priority and focus to them;
• share tools, working aids, and translations; and
• identify common problems (like initial assessment and implementation roadmaps) and solve them as a community instead of alone.

These activities ensure that the Controls are not just another list of good things to do, but a prioritized, highly focused set of actions that have a community support network to make them implementable, usable, scalable, and compliant with all industry or government security requirements.

Why the CIS Critical Security Controls Work: Methodology and Contributors

[Sidebar] The Center for Internet Security, Inc. (CIS) is a 501c3 nonprofit organization whose mission is to identify, develop, validate, promote, and sustain best practices in cyber security; deliver world-class cyber security solutions to prevent and rapidly respond to cyber incidents; and build and lead communities to enable an environment of trust in cyberspace. For additional information, go to <http://www.cisecurity.org/>.

The CIS Critical Security Controls are informed by actual attacks and effective defenses and reflect the combined knowledge of experts from every part of the ecosystem (companies, governments, individuals); with every role (threat responders and analysts, technologists, vulnerability-finders, tool makers, solution providers, defenders, users, policy-makers, auditors, etc.); and within many sectors (government, power, defense, finance, transportation, academia, consulting, security, IT) who have banded together to create, adopt, and support the Controls. Top experts from organizations pooled their extensive first-hand knowledge from defending against actual cyber-attacks to evolve the consensus list of Controls, representing the best defensive techniques to prevent or track them. This ensures that the Controls are the most effective and specific set of technical measures available to detect, prevent, respond, and mitigate damage from the most common to the most advanced of those attacks.

The Controls are not limited to blocking the initial compromise of systems, but also address detecting already-compromised machines and preventing or disrupting attackers' follow-on actions. The defenses identified through these Controls deal with reducing the initial attack surface by hardening device configurations, identifying compromised machines to address long-term threats inside an organization's network, disrupting attackers' command-and-control of implanted malicious code, and establishing an adaptive, continuous defense and response capability that can be maintained and improved.

The five critical tenets of an effective cyber defense system as reflected in the CIS Critical Security Controls are:

Offense informs defense: Use knowledge of actual attacks that have compromised systems to provide the foundation to continually learn from these events to build effective, practical defenses. Include only those controls that can be shown to stop known real-world attacks.

Prioritization: Invest first in Controls that will provide the greatest risk reduction and protection against the most dangerous threat actors and that can be feasibly implemented in your computing environment.
Metrics: Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quickly.

Continuous diagnostics and mitigation: Carry out continuous measurement to test and validate the effectiveness of current security measures and to help drive the priority of next steps.

Automation: Automate defenses so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to the Controls and related metrics.

How to Get Started

The CIS Critical Security Controls are a relatively small number of prioritized, well-vetted, and supported security actions that organizations can take to assess and improve their current security state. They also change the discussion from "what should my enterprise do" to "what should we ALL be doing" to improve security across a broad scale.

But this is not a one-size-fits-all solution, in either content or priority. You must still understand what is critical to your business, data, systems, networks, and infrastructures, and you must consider the adversary actions that could impact your ability to be successful in the business or operations. Even a relatively small number of Controls cannot be executed all at once, so you will need to develop a plan for assessment, implementation, and process management.

Controls CSC 1 through CSC 5 are essential to success and should be considered among the very first things to be done. We refer to these as "Foundational Cyber Hygiene" – the basic things that you must do to create a strong foundation for your defense. This is the approach taken by, for example, the DHS Continuous Diagnostics and Mitigation (CDM) Program, one of the partners in the CIS Critical Security Controls. A similar approach is recommended by our partners in the Australian Signals Directorate (ASD) with their "Top Four Strategies to Mitigate Targeted Intrusions"[1] – a well-regarded and demonstrably effective set of cyber defense actions that map very closely into the CIS Critical Security Controls. This also closely corresponds to the message of US-CERT (the United States Computer Emergency Readiness Team).
For a plain-language, accessible, and low-cost approach to these ideas, consider the Center for Internet Security's "National Cyber Hygiene Campaign" (Appendix D and www.cisecurity.org).

This Version of the CIS Critical Security Controls

The Controls were developed based on specific knowledge of the threat environment as well as the current technologies in the marketplace upon which our communications and data rely. One of the key benefits of the Controls is that they are not static; they are updated regularly and are tailored to address the security issues of the day. This version of the Controls reflects deliberation and consideration to ensure that every control and sub-control is accurate, essential, concise and relevant.

Changes from Version 5.1 to Version 6.0 include the following:

• Re-ordering so that "Controlled Use of Administrative Privileges" is higher in priority (it moved from Control #12 to Control #5)
• Deletion of Control #19 "Secure Network Engineering"
• New Control #7 "Email and Web Browser Protections"
• New categorization scheme based on "families" of Controls and removal of the "quick win" categories.
• Each sub-Control is grouped into one of three Families:
  o System
  o Network
  o Application
• New appendices on the NIST Cybersecurity Framework, the National Cyber Hygiene Campaign and security governance.

Changes from Version 6.0 to Version 6.1 include the following:

• Each sub-Control is identified as either "Foundational" or "Advanced" as an aid to prioritization and planning. This replaces the original scheme found in Version 5 but dropped in Version 6.0. See Appendix G for a detailed explanation.
• Correction of a few minor typos or formatting errors.
• No change was made to the wording or ordering of any Control or sub-Control.
[1] http://www.asd.gov.au/infosec/top-mitigations/top-4-strategies-explained.htm

In addition to technical content, the Controls have a new home and new name. In 2015, the Center for Internet Security integrated with the Council on Cybersecurity, so they are now referred to as the "CIS Critical Security Controls."

Other Resources

The true power of the Controls is not about creating the best list of things to do, it's about harnessing the experience of a community of individuals and enterprises that make security improvements through prioritization, sharing ideas, and collective action.

To support this, the Center for Internet Security acts as a catalyst and clearinghouse to help us all learn from each other. Please contact the Center for Internet Security for the following kinds of working aids and other support materials:

• Mappings from the Controls to a very wide variety of formal Risk Management Frameworks (like FISMA, ISO, etc.).
• Use Cases of enterprise adoption.
• Pointers to vendor white papers and other materials that support the Controls.
• Documentation on alignment with the NIST Cybersecurity Framework.

Structure of the CIS Critical Security Controls Document

The presentation of each Control in this document includes the following elements:

• A description of the importance of the Control (Why Is This Control Critical?) in blocking or identifying presence of attacks and an explanation of how attackers actively exploit the absence of this control.
• A chart of the specific actions ("sub-controls") that organizations are taking to implement, automate, and measure effectiveness of this control.
• Procedures and Tools that enable implementation and automation.
• Sample Entity Relationship Diagrams that show components of implementation.

In addition to this document, we strongly recommend "A Measurement Companion to the CIS Critical Security Controls", available from the Center for Internet Security.
Acknowledgements

The Center for Internet Security would like to thank the many security experts who volunteered their time and talent to support the Controls effort. Many of the individuals who worked on this version continue to lend their expertise year after year. We are extremely grateful for their time and expertise. Special recognition also goes to The SANS Institute, a major contributor to the effort.

CSC 1: Inventory of Authorized and Unauthorized Devices

Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.

Why Is This Control Critical?

Attackers, who can be located anywhere in the world, are continuously scanning the address space of target organizations, waiting for new and unprotected systems to be attached to the network. Attackers also look for devices (especially laptops) which come and go off of the enterprise's network, and so get out of sync with patches or security updates. Attacks can take advantage of new hardware that is installed on the network one evening but not configured and patched with appropriate security updates until the following day. Even devices that are not visible from the Internet can be used by attackers who have already gained internal access and are hunting for internal jump points or victims. Additional systems that connect to the enterprise's network (e.g., demonstration systems, temporary test systems, guest networks) should also be managed carefully and/or isolated in order to prevent adversarial access from affecting the security of enterprise operations.

As new technology continues to come out, BYOD (bring your own device), where employees bring personal devices into work and connect them to the enterprise network, is becoming very common. These devices could already be compromised and be used to infect internal resources.

Managed control of all devices also plays a critical role in planning and executing system backup and recovery.
CSC 1: Inventory of Authorized and Unauthorized Devices

Each sub-control below lists its Family and whether it is Foundational or Advanced. Where the original chart carries text in the Advanced column, that text is given as an "Advanced:" note describing the more mature form of the sub-control.

Sub-control 1.1 (Family: System; Foundational)
Deploy an automated asset inventory discovery tool and use it to build a preliminary inventory of systems connected to an organization's public and private network(s). Both active tools that scan through IPv4 or IPv6 network address ranges and passive tools that identify hosts based on analyzing their traffic should be employed.
Advanced: Use a mix of active and passive tools, and apply as part of a continuous monitoring program.

Sub-control 1.2 (Family: System; Foundational)
If the organization is dynamically assigning addresses using DHCP, then deploy dynamic host configuration protocol (DHCP) server logging, and use this information to improve the asset inventory and help detect unknown systems.

Sub-control 1.3 (Family: System; Foundational)
Ensure that all equipment acquisitions automatically update the inventory system as new, approved devices are connected to the network.

Sub-control 1.4 (Family: System; Foundational)
Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device. The inventory should include every system that has an Internet protocol (IP) address on the network, including but not limited to desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, Voice-over-IP telephones, multi-homed addresses, virtual addresses, etc. The asset inventory created must also include data on whether the device is a portable and/or personal device. Devices such as mobile phones, tablets, laptops, and other portable electronic devices that store or process data must be identified, regardless of whether they are attached to the organization's network.

Sub-control 1.5 (Family: System; Advanced)
Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network. The 802.1x must be tied into the inventory data to determine authorized versus unauthorized systems.
Advanced: Authentication mechanisms are closely coupled to management of hardware inventory.

Sub-control 1.6 (Family: System; Advanced)
Use client certificates to validate and authenticate systems prior to connecting to the private network.

CSC 1 Procedures and Tools

This Control requires both technical and procedural actions, united in a process that accounts for and manages the inventory of hardware and all associated information throughout its life cycle. It links to business governance by establishing information/asset owners who are responsible for each component of a business process that includes information, software, and hardware. Organizations can use large-scale, comprehensive enterprise products to maintain IT asset inventories. Others use more modest tools to gather the data by sweeping the network, and manage the results separately in a database.

Maintaining a current and accurate view of IT assets is an ongoing and dynamic process. Organizations can actively scan on a regular basis, sending a variety of different packet types to identify devices connected to the network. Before such scanning can take place, organizations should verify that they have adequate bandwidth for such periodic scans by consulting load history and capacities for their networks. In conducting inventory scans, scanning tools could send traditional ping packets (ICMP Echo Request) looking for ping responses to identify a system at a given IP address. Because some systems block inbound ping packets, in addition to traditional pings, scanners can also identify devices on the network using transmission control protocol (TCP) synchronize (SYN) or acknowledge (ACK) packets. Once they have identified IP addresses of devices on the network, some scanners provide robust fingerprinting features to determine the operating system type of the discovered machine.

In addition to active scanning tools that sweep the network, other asset identification tools passively listen on network interfaces for devices to announce their presence by sending traffic. Such passive tools can be connected to switch span ports at critical places in the network to view all data flowing through such switches, maximizing the chance of identifying systems communicating through those switches.
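The procedures above (and sub-control 1.2) come down to one recurring operation: take whatever the active, passive and DHCP sources observed, and reconcile it against the authorized inventory so that unknown devices surface and inventoried devices that never appear are flagged as stale. The following is an added example written for this page, not CIS code or any vendor's product. The DHCP lines are constructed and follow the ISC dhcpd syslog form "DHCPACK on <ip> to <mac> (<hostname>) via <interface>" (an assumed format); the passive observations stand in for what a span-port listener or a switch's MAC table would return; the inventory records carry the sub-control 1.4 fields.

```python
"""Reconcile device discovery data against the hardware inventory.

Added example for CSC 1 (not CIS code). All inputs below are constructed:
the DHCP log uses the ISC dhcpd syslog line format (assumed), the passive
observations are (ip, mac) pairs, and the inventory is keyed by MAC.
"""
import re

# Constructed DHCP server log: one inventoried laptop takes two leases, one
# unknown phone obtains a lease, and a DHCPDISCOVER line must be ignored.
DHCP_LOG = """\
Aug 31 08:01:12 dhcp1 dhcpd: DHCPDISCOVER from 00:50:56:a1:b2:c3 via eth0
Aug 31 08:01:12 dhcp1 dhcpd: DHCPACK on 10.20.1.15 to 00:50:56:a1:b2:c3 (fin-ws-017) via eth0
Aug 31 08:03:40 dhcp1 dhcpd: DHCPACK on 10.20.1.16 to 3c:22:fb:11:22:33 (android-9f2) via eth0
Aug 31 17:22:09 dhcp1 dhcpd: DHCPACK on 10.20.1.40 to 00:50:56:a1:b2:c3 (fin-ws-017) via eth0
"""

# Constructed passive observations: a statically addressed device that never
# touches DHCP only shows up here.
PASSIVE_OBS = [("10.20.1.15", "00:50:56:A1:B2:C3"), ("10.20.1.250", "b8:27:eb:44:55:66")]

# Constructed authorized inventory with the sub-control 1.4 attributes.
INVENTORY = {
    "00:50:56:a1:b2:c3": {"name": "fin-ws-017", "owner": "j.doe", "dept": "Finance", "portable": True},
    "00:50:56:de:ad:01": {"name": "fin-prn-002", "owner": "facilities", "dept": "Finance", "portable": False},
}

DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})(?: \((?P<host>[^)]*)\))?")


def parse_dhcp_acks(log_text):
    """Return [(ip, mac, hostname_or_None)] for every DHCPACK line; other lines are skipped."""
    acks = []
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            acks.append((m["ip"], m["mac"].lower(), m["host"]))
    return acks


def _record(seen, mac):
    return seen.setdefault(mac, {"ips": set(), "sources": set(), "hosts": set()})


def reconcile(inventory, dhcp_log, passive_obs):
    """Merge all observations by MAC, then split them by inventory membership.

    Returns {"authorized": {mac: obs}, "unknown": {mac: obs}, "unseen": [mac]}
    where "unseen" lists inventoried MACs with no observation at all.
    """
    seen = {}
    for ip, mac, host in parse_dhcp_acks(dhcp_log):
        rec = _record(seen, mac)
        rec["ips"].add(ip)
        rec["sources"].add("dhcp")
        if host:
            rec["hosts"].add(host)
    for ip, mac in passive_obs:
        rec = _record(seen, mac.lower())  # normalise case before comparing
        rec["ips"].add(ip)
        rec["sources"].add("passive")
    authorized = {m: r for m, r in seen.items() if m in inventory}
    unknown = {m: r for m, r in seen.items() if m not in inventory}
    unseen = sorted(m for m in inventory if m not in seen)
    return {"authorized": authorized, "unknown": unknown, "unseen": unseen}


def findings(report, inventory):
    """Lines for the alerting/reporting system: unknown devices first, then stale entries."""
    lines = []
    for mac, rec in sorted(report["unknown"].items()):
        lines.append(f"UNKNOWN DEVICE {mac} ips={sorted(rec['ips'])} "
                     f"hosts={sorted(rec['hosts'])} via={sorted(rec['sources'])}")
    for mac in report["unseen"]:
        lines.append(f"NOT SEEN {mac} ({inventory[mac]['name']}, owner {inventory[mac]['owner']})")
    return lines


if __name__ == "__main__":
    for line in findings(reconcile(INVENTORY, DHCP_LOG, PASSIVE_OBS), INVENTORY):
        print(line)
```

Because the MAC address is the join key, the result identifies devices but does not authenticate them; a MAC is trivially spoofed, which is why sub-controls 1.5 and 1.6 add 802.1x and client certificates on top of the inventory rather than relying on it alone.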
Many organizations also pull information from network assets such as switches and routers regarding the machines connected to the network. Using securely authenticated and encrypted network management protocols, tools can retrieve MAC addresses and other information from network devices that can be reconciled with the organization's asset inventory of servers, workstations, laptops, and other devices. Once MAC addresses are confirmed, switches should implement 802.1x and NAC to only allow authorized systems that are properly configured to connect to the network. Note that a MAC address identifies a device but does not authenticate it: it is trivially spoofed, so MAC reconciliation finds unknown devices, while 802.1x and client certificates (sub-controls 1.5 and 1.6) are what actually keep unauthorized ones off the network.

Wireless devices (and wired laptops) may periodically join a network and then disappear, making the inventory of currently available systems very dynamic. Likewise, virtual machines can be difficult to track in asset inventories when they are shut down or paused. Additionally, remote machines accessing the network using virtual private network (VPN) technology may appear on the network for a time, and then be disconnected from it. Whether physical or virtual, each machine using an IP address should be included in an organization's asset inventory.

CSC 1 System Entity Relationship Diagram
[Diagram components: Network Level Authentication (NLA); Public Key Infrastructure (PKI); Asset Inventory Database; Alerting/Reporting Analytics System; Active Device Discovery; Passive Device Discovery; Computing Systems]

CSC 2: Inventory of Authorized and Unauthorized Software

Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

Why Is This Control Critical?
Attackers continuously scan target organizations looking for vulnerable versions of software that can be remotely exploited. Some attackers also distribute hostile web pages, document files, media files, and other content via their own web pages or otherwise trustworthy third-party sites. When unsuspecting victims access this content with a vulnerable browser or other client-side program, attackers compromise their machines, often installing backdoor programs and bots that give the attacker long-term control of the system. Some sophisticated attackers may use zero-day exploits, which take advantage of previously unknown vulnerabilities for which no patch has yet been released by the software vendor. Without proper knowledge or control of the software deployed in an organization, defenders cannot properly secure their assets.

Poorly controlled machines are more likely to be either running software that is unneeded for business purposes (introducing potential security flaws), or running malware introduced by an attacker after a system is compromised. Once a single machine has been exploited, attackers often use it as a staging point for collecting sensitive information from the compromised system and from other systems connected to it. In addition, compromised machines are used as a launching point for movement throughout the network and partnering networks. In this way, attackers may quickly turn one compromised machine into many. Organizations that do not have complete software inventories are unable to find systems running vulnerable or malicious software to mitigate problems or root out attackers.

Managed control of all software also plays a critical role in planning and executing system backup and recovery.

CSC 2: Inventory of Authorized and Unauthorized Software

Sub-control 2.1 (Family: System; Foundational)
Devise a list of authorized software and version that is required in the enterprise for each type of system, including servers, workstations, and laptops of various kinds and uses. This list should be monitored by file integrity checking tools to validate that the authorized software has not been modified.
Advanced: File integrity is verified as part of a continuous monitoring program.
Sub-control 2.2 (Family: System; Foundational)
Deploy application whitelisting that allows systems to run software only if it is included on the whitelist and prevents execution of all other software on the system. The whitelist may be very extensive (as is available from commercial whitelist vendors), so that users are not inconvenienced when using common software. Or, for some special-purpose systems (which require only a small number of programs to achieve their needed business functionality), the whitelist may be quite narrow.
Advanced: Whitelist application libraries (such as DLLs) in addition to executable binaries (such as EXEs and MSIs).

Sub-control 2.3 (Family: System; Foundational)
Deploy software inventory tools throughout the organization covering each of the operating system types in use, including servers, workstations, and laptops. The software inventory system should track the version of the underlying operating system as well as the applications installed on it. The software inventory systems must be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
Advanced: Hardware and software inventory management are closely coupled, and managed centrally.

Sub-control 2.4 (Family: System; Advanced)
Virtual machines and/or air-gapped systems should be used to isolate and run applications that are required for business operations but based on higher risk should not be installed within a networked environment.

CSC 2 Procedures and Tools

Whitelisting can be implemented using a combination of commercial whitelisting tools, policies or application execution tools that come with anti-virus suites and with Windows. Commercial software and asset inventory tools are widely available and in use in many enterprises today. The best of these tools provide an inventory check of hundreds of common applications used in enterprises, pulling information about the patch level of each installed program to ensure that it is the latest version and leveraging standardized application names, such as those found in the Common Platform Enumeration (CPE) specification. Features that implement whitelists are included in many modern endpoint security suites.
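Sub-control 2.2 and this section describe whitelists that decide by cryptographic hash, exact path, or a pattern on the path, optionally with a graylist that allows a program only for certain users at certain hours. The following added example (written for this page, not CIS code and not any endpoint product's logic) implements that decision order and shows why the rule types differ in strength: a renamed copy of malware fails the hash rule, and a path rule is refused when the directory is writable by other users. The file tree, rule values and users are constructed for the demonstration.

```python
"""Application allowlist decision engine (added example for CSC 2.2; not CIS code).

Rule precedence: SHA-256 hash, exact path, path regular expression, graylist.
Path and regex rules are only honoured when the containing directory is not
writable by group/others (POSIX check; assumed safe on other platforms).
The directory layout, hashes and graylist window below are constructed.
"""
import hashlib
import os
import re
import tempfile
from datetime import datetime


def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def _norm(path):
    # Canonical, case-folded absolute path so "../" or case tricks cannot dodge a rule.
    return os.path.normcase(os.path.realpath(path)).lower()


def _dir_writable_by_others(path):
    if os.name != "posix":
        return False  # assumption: handled by ACL checks elsewhere on non-POSIX hosts
    return bool(os.stat(os.path.dirname(path)).st_mode & 0o022)


class Allowlist:
    def __init__(self, hashes=(), paths=(), patterns=(), graylist=()):
        self.hashes = set(hashes)
        self.paths = {_norm(p) for p in paths}
        self.patterns = [re.compile(p) for p in patterns]
        # graylist entries: (path regex, {allowed users}, (start_hour, end_hour))
        self.graylist = [(re.compile(p), set(u), w) for p, u, w in graylist]

    def decide(self, exe, user, now):
        """Return ("allow", reason) or ("deny", reason) for one execution request."""
        norm = _norm(exe)
        if sha256_file(exe) in self.hashes:
            return "allow", "hash"
        if norm in self.paths and not _dir_writable_by_others(norm):
            return "allow", "path"
        for pat in self.patterns:
            if pat.search(norm) and not _dir_writable_by_others(norm):
                return "allow", f"pattern:{pat.pattern}"
        for pat, users, (start, end) in self.graylist:
            if pat.search(norm) and user in users and start <= now.hour < end:
                return "allow", "graylist"
        return "deny", "not on whitelist"


def demo():
    """Build a constructed file tree and evaluate seven execution requests."""
    root = tempfile.mkdtemp()

    def put(rel, data):
        p = os.path.join(root, *rel.split("/"))
        d = os.path.dirname(p)
        os.makedirs(d, exist_ok=True)
        if os.name == "posix":
            os.chmod(d, 0o755)  # rule directories must not be writable by others
        with open(p, "wb") as f:
            f.write(data)
        return p

    approved = put("apps/approved.exe", b"approved build 1.2.3")
    helper = put("tools/helper.bin", b"helper")
    vendor = put("vendor/app.exe", b"vendor app")
    backup = put("ops/backup.exe", b"backup tool")
    dropper = put("downloads/dropper.exe", b"not approved")
    renamed = put("downloads/approved.exe", b"not approved")  # malware renamed to an approved name

    wl = Allowlist(
        hashes=[sha256_file(approved)],
        paths=[helper],
        patterns=[r"[\\/]vendor[\\/]app\.exe$"],
        graylist=[(r"[\\/]ops[\\/]backup\.exe$", {"ops"}, (1, 5))],
    )
    night = datetime(2016, 8, 31, 2, 0)
    day = datetime(2016, 8, 31, 14, 0)
    return {
        "approved": wl.decide(approved, "alice", day),
        "helper": wl.decide(helper, "alice", day),
        "vendor": wl.decide(vendor, "alice", day),
        "backup_ops_night": wl.decide(backup, "ops", night),
        "backup_ops_day": wl.decide(backup, "ops", day),
        "dropper": wl.decide(dropper, "alice", day),
        "renamed": wl.decide(renamed, "alice", day),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} {verdict}")
```

The ordering matters: a hash rule identifies one exact build and survives renaming or relocation but must be re-issued for every patch, whereas path and pattern rules survive patching but are only as strong as the permissions on the directory they name.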
Moreover, commercial solutions are increasingly bundling together anti-virus, anti-spyware, personal firewall, and host-based intrusion detection systems (IDS) and intrusion prevention systems (IPS), along with application white and blacklisting. In particular, most endpoint security solutions can look at the name, file system location, and/or cryptographic hash of a given executable to determine whether the application should be allowed to run on the protected machine. The most effective of these tools offer custom whitelists based on executable path, hash, or regular expression matching. Some even include a graylist function that allows administrators to define rules for execution of specific programs only by certain users and at certain times of day. Of these identifiers, a cryptographic hash is the strongest but must be updated with every patch; a path or pattern rule is only as strong as the permissions on the directory it names, so allowed locations must not be writable by ordinary users; and a bare file name match is defeated simply by renaming a binary.

CSC 2 System Entity Relationship Diagram
[Diagram components: Asset Inventory Database; Software Whitelisting; Alerting/Reporting Analytics System; OS Virtualization System; Software Inventory Tool; Computing Systems]

CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

Why Is This Control Critical?

As delivered by manufacturers and resellers, the default configurations for operating systems and applications are normally geared to ease-of-deployment and ease-of-use – not security. Basic controls, open services and ports, default accounts or passwords, older (vulnerable) protocols, pre-installation of unneeded software; all can be exploitable in their default state.
Developing configuration settings with good security properties is a complex task beyond the ability of individual users, requiring analysis of potentially hundreds or thousands of options in order to make good choices (the Procedures and Tools section below provides resources for secure configurations). Even if a strong initial configuration is developed and installed, it must be continually managed to avoid security "decay" as software is updated or patched, new security vulnerabilities are reported, and configurations are "tweaked" to allow the installation of new software or support new operational requirements. If not, attackers will find opportunities to exploit both network-accessible services and client software.

CSC 3: Secure Configurations for Hardware and Software

Sub-control 3.1 (Family: System; Foundational)
Establish standard secure configurations of operating systems and software applications. Standardized images should represent hardened versions of the underlying operating system and the applications installed on the system. These images should be validated and refreshed on a regular basis to update their security configuration in light of recent vulnerabilities and attack vectors.

Sub-control 3.2 (Family: System; Foundational)
Follow strict configuration management, building a secure image that is used to build all new systems that are deployed in the enterprise. Any existing system that becomes compromised should be re-imaged with the secure build. Regular updates or exceptions to this image should be integrated into the organization's change management processes. Images should be created for workstations, servers, and other system types used by the organization.

Sub-control 3.3 (Family: System; Foundational)
Store the master images on securely configured servers, validated with integrity checking tools capable of continuous inspection, and change management to ensure that only authorized changes to the images are possible. Alternatively, these master images can be stored in offline machines, air-gapped from the production network, with images copied via secure media to move them between the image storage servers and the production network.
Advanced: File integrity of master images is verified as part of a continuous monitoring program.

Sub-control 3.4 (Family: System; Foundational)
Perform all remote administration of servers, workstations, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL, TLS or IPSEC.

Sub-control 3.5 (Family: System; Foundational)
Use file integrity checking tools to ensure that critical system files (including sensitive system and application executables, libraries, and configurations) have not been altered. The reporting system should: have the ability to account for routine and expected changes; highlight and alert on unusual or unexpected alterations; show the history of configuration changes over time and identify who made the change (including the original logged-in account in the event of a user ID switch, such as with the su or sudo command). These integrity checks should identify suspicious system alterations such as: owner and permissions changes to files or directories; the use of alternate data streams which could be used to hide malicious activities; and the introduction of extra files into key system areas (which could indicate malicious payloads left by attackers or additional files inappropriately added during batch distribution processes).
Advanced: File integrity of critical system files is verified as part of a continuous monitoring program.

Sub-control 3.6 (Family: System; Advanced)
Implement and test an automated configuration monitoring system that verifies all remotely testable secure configuration elements, and alerts when unauthorized changes occur. This includes detecting new listening ports, new administrative users, changes to group and local policy objects (where applicable), and new services running on a system. Whenever possible use tools compliant with the Security Content Automation Protocol (SCAP) in order to streamline reporting and integration.

Sub-control 3.7 (Family: System; Foundational)
Deploy system configuration management tools, such as Active Directory Group Policy Objects for Microsoft Windows systems or Puppet for UNIX systems, that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals. They should be capable of triggering redeployment of configuration settings on a scheduled, manual, or event-driven basis.

CSC 3 Procedures and Tools

Rather than start from scratch developing a security baseline for each software system, organizations should start from publicly developed, vetted, and supported security benchmarks, security guides, or checklists. Excellent resources include:

• The Center for Internet Security Benchmarks Program (www.cisecurity.org)
• The NIST National Checklist Program (checklists.nist.gov)

Organizations should augment or adjust these baselines to satisfy local policies and requirements, but deviations and rationale should be documented to facilitate later reviews or audits.

For a complex enterprise, the establishment of a single security baseline configuration (for example, a single installation image for all workstations across the entire enterprise) is sometimes not practical or deemed unacceptable. It is likely that you will need to support different standardized images, based on the proper hardening to address risks and needed functionality of the intended deployment (example, a web server in the DMZ vs. an email or other application server in the internal network). The number of variations should be kept to a minimum in order to better understand and manage the security properties of each, but organizations then must be prepared to manage multiple baselines.
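Sub-control 3.5 asks for an integrity checker that distinguishes routine changes from unexpected ones and reports content changes, owner and permission changes, and extra files dropped into key system areas. The following added example (written for this page; not CIS code and not the logic of any FIM product) takes a baseline snapshot of a directory tree, takes a second one after simulated tampering, and produces findings of exactly those kinds. The tree is constructed in a temporary directory standing in for a directory such as /etc; the severities and the list of routine files are assumptions.

```python
"""File integrity baseline/compare for a key system area (added example for CSC 3.5; not CIS code).

The directory tree, the tampering applied to it and the severity labels are
constructed for the demonstration.
"""
import hashlib
import os
import stat
import tempfile


def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def snapshot(root):
    """Map each regular file (relative POSIX-style path) to its hash, permission bits and owner."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files would need their own handling
            rel = os.path.relpath(p, root).replace(os.sep, "/")
            snap[rel] = {"sha256": sha256_file(p), "mode": stat.S_IMODE(st.st_mode),
                         "uid": st.st_uid, "gid": st.st_gid}
    return snap


def compare(baseline, current, routine=frozenset()):
    """Return [(severity, path, description)].

    Paths listed in `routine` (expected to change, e.g. a managed banner file)
    are still recorded but at severity "info" so they do not raise an alert.
    """
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        b, c = baseline.get(rel), current.get(rel)
        sev = "info" if rel in routine else None
        if b is None:
            findings.append((sev or "high", rel, "new file in monitored area"))
        elif c is None:
            findings.append((sev or "high", rel, "file removed"))
        else:
            if b["sha256"] != c["sha256"]:
                findings.append((sev or "high", rel, "content changed"))
            if b["mode"] != c["mode"]:
                desc = f"mode {oct(b['mode'])} -> {oct(c['mode'])}"
                if c["mode"] & 0o002:
                    desc += " (world-writable)"
                findings.append((sev or "medium", rel, desc))
            if (b["uid"], b["gid"]) != (c["uid"], c["gid"]):
                findings.append((sev or "medium", rel, "owner changed"))
    return findings


def alerts(findings):
    """Everything that is not a routine (info) change."""
    return [f for f in findings if f[0] != "info"]


def demo():
    """Baseline a constructed tree, tamper with it, and compare."""
    root = tempfile.mkdtemp()

    def put(rel, data, mode=0o644):
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
        os.chmod(p, mode)
        return p

    put("ssh/sshd_config", b"PermitRootLogin no\n", 0o600)
    put("cron.d/backup", b"0 2 * * * root /usr/local/bin/backup\n")
    put("motd", b"welcome\n")
    baseline = snapshot(root)

    # Simulated tampering: a weakened setting, a loosened permission, an extra
    # file in a key area, plus one routine change to the banner.
    put("ssh/sshd_config", b"PermitRootLogin yes\n", 0o600)
    os.chmod(os.path.join(root, "cron.d", "backup"), 0o666)
    put("cron.d/.persist", b"* * * * * root /tmp/.x\n")
    put("motd", b"patch window tonight\n")
    return compare(baseline, snapshot(root), routine={"motd"})


if __name__ == "__main__":
    for sev, path, desc in demo():
        print(f"{sev:6s} {path:20s} {desc}")
```

A production tool would also record who made each change (the original logged-in account, as sub-control 3.5 requires), which needs audit-log correlation rather than a file snapshot; the snapshot diff is the detection half of that requirement.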
Commercial and/or free configuration management tools can then be employed to measure the settings of operating systems and applications of managed machines to look for deviations from the standard image configurations. Typical configuration management tools use some combination of an agent installed on each managed system, or agentless inspection of systems by remotely logging into each managed machine using administrator credentials. Additionally, a hybrid approach is sometimes used whereby a remote session is initiated, a temporary or dynamic agent is deployed on the target system for the scan, and then the agent is removed. Note that agentless and hybrid scanning mean the scanning system holds administrative credentials for every host it inspects; that account should be dedicated to scanning, restricted to the scanner's addresses and time windows, and its use logged, as CSC 4 (sub-controls 4.3 and 4.6) requires for vulnerability scanners.

CSC 3 System Entity Relationship Diagram
[Diagram components: File Integrity Assessment (FIA); System Images & Baselines; Alerting/Reporting Analytics System; Configuration Enforcement System; SCAP Configuration Scanner; Computing Systems]

CSC 4: Continuous Vulnerability Assessment and Remediation

Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.

Why Is This Control Critical?

Cyber defenders must operate in a constant stream of new information: software updates, patches, security advisories, threat bulletins, etc. Understanding and managing vulnerabilities has become a continuous activity, requiring significant time, attention, and resources.

Attackers have access to the same information and can take advantage of gaps between the appearance of new knowledge and remediation. For example, when researchers report new vulnerabilities, a race starts among all parties, including: attackers (to "weaponize", deploy an attack, exploit); vendors (to develop, deploy patches or signatures and updates), and defenders (to assess risk, regression-test patches, install).

Organizations that do not scan for vulnerabilities and proactively address discovered flaws face a significant likelihood of having their computer systems compromised. Defenders face particular challenges in scaling remediation across an entire enterprise, prioritizing actions with conflicting priorities, and dealing with sometimes-uncertain side effects.
CSC 4: Continuous Vulnerability Assessment and Remediation

System 4.1: Run automated vulnerability scanning tools against all systems on the network on a weekly or more frequent basis and deliver prioritized lists of the most critical vulnerabilities to each responsible system administrator along with risk scores that compare the effectiveness of system administrators and departments in reducing risk. Use a SCAP-validated vulnerability scanner that looks for both code-based vulnerabilities (such as those described by Common Vulnerabilities and Exposures entries) and configuration-based vulnerabilities (as enumerated by the Common Configuration Enumeration Project).
Advanced: Vulnerability risk scoring is centrally measured and managed, and integrated into action planning.

System 4.2: Correlate event logs with information from vulnerability scans to fulfill two goals. First, personnel should verify that the activity of the regular vulnerability scanning tools is itself logged. Second, personnel should be able to correlate attack detection events with prior vulnerability scanning results to determine whether the given exploit was used against a target known to be vulnerable.

System 4.3: Perform vulnerability scanning in authenticated mode either with agents running locally on each end system to analyze the security configuration or with remote scanners that are given administrative rights on the system being tested. Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses. Ensure that only authorized employees have access to the vulnerability management user interface and that roles are applied to each user.

System 4.4: Subscribe to vulnerability intelligence services in order to stay aware of emerging exposures, and use the information gained from this subscription to update the organization's vulnerability scanning activities on at least a monthly basis. Alternatively, ensure that the vulnerability scanning tools you use are regularly updated with all relevant important security vulnerabilities.
System 4.5: Deploy automated patch management tools and software update tools for operating system and software/applications on all systems for which such tools are available and safe. Patches should be applied to all systems, even systems that are properly air gapped.

System 4.6: Monitor logs associated with any scanning activity and associated administrator accounts to ensure that this activity is limited to the timeframes of legitimate scans.

System 4.7: Compare the results from back-to-back vulnerability scans to verify that vulnerabilities were addressed, either by patching, implementing a compensating control, or documenting and accepting a reasonable business risk. Such acceptance of business risks for existing vulnerabilities should be periodically reviewed to determine if newer compensating controls or subsequent patches can address vulnerabilities that were previously accepted, or if conditions have changed, increasing the risk.

System 4.8: Establish a process to risk-rate vulnerabilities based on the exploitability and potential impact of the vulnerability, and segmented by appropriate groups of assets (example, DMZ servers, internal network servers, desktops, laptops). Apply patches for the riskiest vulnerabilities first. A phased rollout can be used to minimize the impact to the organization. Establish expected patching timelines based on the risk rating level.

CSC 4 Procedures and Tools

A large number of vulnerability scanning tools are available to evaluate the security configuration of systems. Some enterprises have also found commercial services using remotely managed scanning appliances to be effective. To help standardize the definitions of discovered vulnerabilities in multiple departments of an organization or even across organizations, it is preferable to use vulnerability scanning tools that measure security flaws and map them to vulnerabilities and issues categorized using one or more of the following industry-recognized vulnerability, configuration, and platform classification schemes and languages: CVE, CCE, OVAL, CPE, CVSS, and/or XCCDF.
Advanced vulnerability scanning tools can be configured with user credentials to log in to scanned systems and perform more comprehensive scans than can be achieved without login credentials. The frequency of scanning activities, however, should increase as the diversity of an organization's systems increases to account for the varying patch cycles of each vendor.

In addition to the scanning tools that check for vulnerabilities and misconfigurations across the network, various free and commercial tools can evaluate security settings and configurations of local machines on which they are installed. Such tools can provide fine-grained insight into unauthorized changes in configuration or the inadvertent introduction of security weaknesses by administrators.

Effective organizations link their vulnerability scanners with problem-ticketing systems that automatically monitor and report progress on fixing problems, and that make unmitigated critical vulnerabilities visible to higher levels of management to ensure the problems are solved.

The most effective vulnerability scanning tools compare the results of the current scan with previous scans to determine how the vulnerabilities in the environment have changed over time. Security personnel use these features to conduct vulnerability trending from month to month.

As vulnerabilities related to unpatched systems are discovered by scanning tools, security personnel should determine and document the amount of time that elapses between the public release of a patch for the system and the occurrence of the vulnerability scan. If this time window exceeds the organization's benchmarks for deployment of the given patch's criticality level, security personnel should note the delay and determine if a deviation was formally documented for the system and its patch. If not, the security team should work with management to improve the patching process.

Additionally, some automated patching tools may not detect or install certain patches due to an error by the vendor or administrator. Because of this, all patch checks should reconcile system patches with a list of patches each vendor has announced on its website.
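The scan-to-scan comparison of sub-control 4.7, the asset-group risk rating of 4.8, and the patch-age check described in the procedures above, as an added example that is not code from the CIS document; the benchmarks, asset-group weights, host names and CVE identifiers are constructed sample data.

```python
"""Scan-to-scan comparison and patch-age check, written here as an added
example for sub-controls 4.7 and 4.8 and the CSC 4 procedures; it is not
code from the CIS document. Benchmarks, asset-group weights, hosts and
CVE identifiers are constructed sample data."""
from datetime import date

# Constructed benchmarks: maximum days between a patch's public release and
# its deployment, by risk rating (each organization sets its own).
PATCH_BENCHMARK_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed multipliers so the same CVSS score rates higher on more exposed
# asset groups (sub-control 4.8: segment ratings by groups of assets).
ASSET_GROUP_WEIGHT = {"dmz-server": 1.5, "internal-server": 1.2,
                      "desktop": 1.0, "laptop": 1.0}

RATING_ORDER = ["critical", "high", "medium", "low"]


def risk_rating(cvss, asset_group):
    """Rate one finding from its CVSS base score and the asset group it sits in."""
    score = min(10.0, cvss * ASSET_GROUP_WEIGHT.get(asset_group, 1.0))
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def diff_scans(previous, current):
    """Compare back-to-back scans (sub-control 4.7).

    Each scan is a list of finding dicts with 'host' and 'cve' keys. Returns
    the (host, cve) pairs that were remediated, are new, or persist.
    """
    prev_keys = {(f["host"], f["cve"]) for f in previous}
    cur_keys = {(f["host"], f["cve"]) for f in current}
    return {
        "remediated": sorted(prev_keys - cur_keys),
        "new": sorted(cur_keys - prev_keys),
        "persisting": sorted(prev_keys & cur_keys),
    }


def patch_delays(findings, scan_date, accepted_risks=frozenset()):
    """Measure patch age against the benchmark for each finding's rating.

    A finding older than its benchmark is 'overdue' unless a documented risk
    acceptance exists for that (host, cve) pair, in which case it is listed
    under 'accepted' so the acceptance can be periodically re-reviewed.
    """
    report = {"overdue": [], "accepted": [], "within_benchmark": []}
    for f in findings:
        rating = risk_rating(f["cvss"], f["group"])
        age = (scan_date - f["patch_released"]).days
        entry = {"host": f["host"], "cve": f["cve"], "rating": rating,
                 "patch_age_days": age, "benchmark_days": PATCH_BENCHMARK_DAYS[rating]}
        if age <= PATCH_BENCHMARK_DAYS[rating]:
            report["within_benchmark"].append(entry)
        elif (f["host"], f["cve"]) in accepted_risks:
            report["accepted"].append(entry)
        else:
            report["overdue"].append(entry)
    return report


def remediation_order(findings):
    """Order findings riskiest-first (sub-control 4.8) for a phased rollout."""
    return sorted(findings, key=lambda f: (
        RATING_ORDER.index(risk_rating(f["cvss"], f["group"])), -f["cvss"]))


# Constructed sample scans; CVE-0000-000N are placeholders, not real identifiers.
PREVIOUS_SCAN = [
    {"host": "web01", "group": "dmz-server", "cve": "CVE-0000-0001",
     "cvss": 9.8, "patch_released": date(2016, 6, 1)},
    {"host": "web01", "group": "dmz-server", "cve": "CVE-0000-0002",
     "cvss": 5.3, "patch_released": date(2016, 7, 15)},
    {"host": "pc-17", "group": "desktop", "cve": "CVE-0000-0003",
     "cvss": 7.5, "patch_released": date(2016, 7, 1)},
]
CURRENT_SCAN = [
    PREVIOUS_SCAN[1],  # still present: not yet patched
    PREVIOUS_SCAN[2],  # still present: risk formally accepted (see below)
    {"host": "pc-17", "group": "desktop", "cve": "CVE-0000-0004",
     "cvss": 4.0, "patch_released": date(2016, 8, 20)},
]
SCAN_DATE = date(2016, 8, 31)
ACCEPTED_RISKS = frozenset({("pc-17", "CVE-0000-0003")})

if __name__ == "__main__":
    print(diff_scans(PREVIOUS_SCAN, CURRENT_SCAN))
    print(patch_delays(CURRENT_SCAN, SCAN_DATE, ACCEPTED_RISKS))
    print([f["cve"] for f in remediation_order(CURRENT_SCAN)])
```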
CSC 4 System Entity Relationship Diagram (components): Alerting/Reporting Analytics System; Patch Management; SCAP Vulnerability Scanner; Computing Systems.

CSC 5: Controlled Use of Administrative Privileges

The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.

Why Is This Control Critical?

The misuse of administrative privileges is a primary method for attackers to spread inside a target enterprise. Two very common attacker techniques take advantage of uncontrolled administrative privileges. In the first, a workstation user running as a privileged user is fooled into opening a malicious email attachment, downloading and opening a file from a malicious website, or simply surfing to a website hosting attacker content that can automatically exploit browsers. The file or exploit contains executable code that runs on the victim's machine either automatically or by tricking the user into executing the attacker's content. If the victim user's account has administrative privileges, the attacker can take over the victim's machine completely and install keystroke loggers, sniffers, and remote control software to find administrative passwords and other sensitive data. Similar attacks occur with email. An administrator inadvertently opens an email that contains an infected attachment and this is used to obtain a pivot point within the network that is used to attack other systems.

The second common technique used by attackers is elevation of privileges by guessing or cracking a password for an administrative user to gain access to a target machine. If administrative privileges are loosely and widely distributed, or identical to passwords used on less critical systems, the attacker has a much easier time gaining full control of systems, because there are many more accounts that can act as avenues for the attacker to compromise administrative privileges.

CSC 5: Controlled Use of Administrative Privileges

System 5.1: Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
System 5.2: Use automated tools to inventory all administrative accounts and validate that each person with administrative privileges on desktops, laptops, and servers is authorized by a senior executive.

System 5.3: Before deploying any new devices in a networked environment, change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems to have values consistent with administration-level accounts.

System 5.4: Configure systems to issue a log entry and alert when an account is added to or removed from a domain administrators' group, or when a new local administrator account is added on a system.

System 5.5: Configure systems to issue a log entry and alert on any unsuccessful login to an administrative account.

System 5.6: Use multi-factor authentication for all administrative access, including domain administrative access. Multi-factor authentication can include a variety of techniques, to include the use of smart cards, certificates, One Time Password (OTP) tokens, biometrics, or other similar authentication methods.

System 5.7: Where multi-factor authentication is not supported, user accounts shall be required to use long passwords on the system (longer than 14 characters).

System 5.8: Administrators should be required to access a system using a fully logged and non-administrative account. Then, once logged on to the machine without administrative privileges, the administrator should transition to administrative privileges using tools such as Sudo on Linux/UNIX, RunAs on Windows, and other similar facilities for other types of systems.

System 5.9: Administrators shall use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be isolated from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
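The scripted check that CSC 5 Procedures and Tools describes (browsers, email readers and editors found running under privileged accounts, with repeated use distinguished from short-term administrative need), as an added example that is not code from the CIS document; the process listings, program list and account names are constructed sample data.

```python
"""Privileged-process check, written here as an added example of the scripted
check described under CSC 5 Procedures and Tools; it is not code from the
CIS document. The process listings, program list and account names are
constructed sample data."""
import re

# User-facing programs that should not normally run with administrative
# privileges; constructed list (a dozen or more in practice).
USER_FACING_PROGRAMS = {
    "firefox", "chrome", "chromium", "safari", "iexplore", "msedge",
    "thunderbird", "outlook", "evolution", "mutt",
    "soffice.bin", "winword", "excel", "acroread",
}

# Accounts treated as high-privileged on the sampled hosts; constructed.
PRIVILEGED_ACCOUNTS = frozenset({"root", "administrator"})

# Assumed listing format: one process per line, "USER PID COMMAND", as
# produced by e.g. `ps -eo user,pid,comm`; a header line is skipped.
PS_LINE = re.compile(r"^\s*(?P<user>\S+)\s+(?P<pid>\d+)\s+(?P<comm>\S+)\s*$")


def parse_ps(listing):
    """Return (user, pid, program) tuples; program is the basename, lowercased."""
    rows = []
    for line in listing.splitlines():
        m = PS_LINE.match(line)
        if m:
            program = m["comm"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            rows.append((m["user"].lower(), int(m["pid"]), program))
    return rows


def privileged_user_programs(listing, privileged=PRIVILEGED_ACCOUNTS):
    """Browsers, mail readers or editors found running under a privileged account."""
    return [(u, p, c) for u, p, c in parse_ps(listing)
            if c in USER_FACING_PROGRAMS and u in privileged]


def repeat_offenders(listings, min_samples):
    """Count, over listings gathered on different days, how often each
    (user, program) pair appeared privileged. Short-term use may be legitimate
    administration; pairs seen in at least min_samples listings are flagged."""
    seen_in = {}
    for listing in listings:
        for user, program in {(u, c) for u, _, c in privileged_user_programs(listing)}:
            seen_in[(user, program)] = seen_in.get((user, program), 0) + 1
    return sorted(k for k, n in seen_in.items() if n >= min_samples)


# Constructed listings from three daily samples of one host.
SAMPLE_DAY1 = """\
USER       PID COMMAND
root         1 systemd
alice     2301 firefox
root      2410 firefox
root      2455 thunderbird
bob       2500 soffice.bin
"""
SAMPLE_DAY2 = """\
USER       PID COMMAND
root         1 systemd
root      2510 firefox
alice     2600 thunderbird
"""
SAMPLE_DAY3 = """\
USER       PID COMMAND
root         1 systemd
root      2610 /usr/lib/firefox/firefox
root      2700 vim
"""

if __name__ == "__main__":
    for day, listing in enumerate((SAMPLE_DAY1, SAMPLE_DAY2, SAMPLE_DAY3), 1):
        print(day, privileged_user_programs(listing))
    print(repeat_offenders([SAMPLE_DAY1, SAMPLE_DAY2, SAMPLE_DAY3], min_samples=2))
```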
CSC 5 Procedures and Tools

Built-in operating system features can extract lists of accounts with super-user privileges, both locally on individual systems and on overall domain controllers. To verify that users with high-privileged accounts do not use such accounts for day-to-day web surfing and email reading, security personnel should periodically gather a list of running processes to determine whether any browsers or email readers are running with high privileges. Such information gathering can be scripted, with short shell scripts searching for a dozen or more different browsers, email readers, and document editing programs running with high privileges on machines. Some legitimate system administration activity may require the execution of such programs over the short term, but long-term or frequent use of such programs with administrative privileges could indicate that an administrator is not adhering to this control.

To enforce the requirement for strong passwords, built-in operating system features for minimum password length can be configured to prevent users from choosing short passwords. To enforce password complexity (requiring passwords to be a string of pseudo-random characters), built-in operating system settings or third-party password complexity enforcement tools can be applied.

CSC 5 System Entity Relationship Diagram (components): Identity & Access Management System; Alerting/Reporting Analytics System; Authentication System; Dedicated Administration Systems; Workforce Members; Computing Systems.

CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs

Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.

Why Is This Control Critical?

Deficiencies in security logging and analysis allow attackers to hide their location, malicious software, and activities on victim machines. Even if the victims know that their systems have been compromised, without protected and complete logging records they are blind to the details of the attack and to subsequent actions taken by the attackers. Without solid audit logs, an attack may go unnoticed indefinitely and the particular damages done may be irreversible.
Sometimes logging records are the only evidence of a successful attack. Many organizations keep audit records for compliance purposes, but attackers rely on the fact that such organizations rarely look at the audit logs, so they do not know that their systems have been compromised. Because of poor or nonexistent log analysis processes, attackers sometimes control victim machines for months or years without anyone in the target organization knowing, even though the evidence of the attack has been recorded in unexamined log files.

CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs

System 6.1: Include at least two synchronized time sources from which all servers and network equipment retrieve time information on a regular basis so that timestamps in logs are consistent.

System 6.2: Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.

System 6.3: Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis.

System 6.4: Have security personnel and/or system administrators run biweekly reports that identify anomalies in logs. They should then actively review the anomalies, documenting their findings.

System 6.5: Configure network boundary devices, including firewalls, network-based IPS, and inbound and outbound proxies, to verbosely log all traffic (both allowed and blocked) arriving at the device.
System 6.6: Deploy a SIEM (Security Information and Event Management) or log analytic tools for log aggregation and consolidation from multiple machines and for log correlation and analysis. Using the SIEM tool, system administrators and security personnel should devise profiles of common events from given systems so that they can tune detection to focus on unusual activity, avoid false positives, more rapidly identify anomalies, and prevent overwhelming analysts with insignificant alerts.

CSC 6 Procedures and Tools

Most free and commercial operating systems, network services, and firewall technologies offer logging capabilities. Such logging should be activated, with logs sent to centralized logging servers. Firewalls, proxies, and remote access systems (VPN, dial-up, etc.) should all be configured for verbose logging, storing all the information available for logging in the event a follow-up investigation is required. Furthermore, operating systems, especially those of servers, should be configured to create access control logs when a user attempts to access resources without the appropriate privileges. To evaluate whether such logging is in place, an organization should periodically scan through its logs and compare them with the asset inventory assembled as part of Critical Control 1 in order to ensure that each managed item actively connected to the network is periodically generating logs.

Analytical programs such as SIM/SEM solutions for reviewing logs can provide value, but the capabilities employed to analyze audit logs are quite extensive, even including, importantly, just a cursory examination by a person. Actual correlation tools can make audit logs far more useful for subsequent manual inspection. Such tools can be quite helpful in identifying subtle attacks. However, these tools are neither a panacea nor a replacement for skilled information security personnel and system administrators. Even with automated log analysis tools, human expertise and intuition are often required to identify and understand attacks.
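The comparison of the central log store against the asset inventory described in the paragraph above (which active assets are silent or stale, and which log sources are not in the inventory at all), as an added example that is not code from the CIS document; the inventory, syslog excerpt and silence threshold are constructed sample data.

```python
"""Log-coverage check against the asset inventory, written here as an added
example of the comparison described under CSC 6 Procedures and Tools; it is
not code from the CIS document. The inventory, syslog lines and thresholds
are constructed sample data."""
import re
from datetime import datetime, timedelta

# Assumed BSD-syslog style line: "Mon DD HH:MM:SS hostname program: message"
# (no year in the timestamp, so the year is supplied by the caller).
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$")


def last_seen_by_host(syslog_text, year):
    """Map each logging host to the timestamp of its most recent line."""
    last = {}
    for line in syslog_text.splitlines():
        m = SYSLOG_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        host = m["host"].lower()
        if host not in last or ts > last[host]:
            last[host] = ts
    return last


def log_coverage(inventory, syslog_text, now, year, max_silence):
    """Compare the central log store with the asset inventory (CSC 1).

    inventory maps hostname -> True if the asset is active on the network.
    Returns active assets that never logged ('silent'), that last logged
    longer ago than max_silence ('stale'), that are fine ('ok'), and log
    sources that are not in the inventory at all ('unknown').
    """
    last = last_seen_by_host(syslog_text, year)
    result = {"silent": [], "stale": [], "ok": []}
    for host, active in sorted(inventory.items()):
        if not active:
            continue  # decommissioned assets are not expected to log
        if host not in last:
            result["silent"].append(host)
        elif now - last[host] > max_silence:
            result["stale"].append(host)
        else:
            result["ok"].append(host)
    result["unknown"] = sorted(h for h in last if h not in inventory)
    return result


# Constructed inventory and log excerpt (addresses from documentation ranges).
INVENTORY = {"web01": True, "db01": True, "mail01": True,
             "fw-edge-1": True, "printer-lobby": False}
SAMPLE_SYSLOG = """\
Aug 29 23:12:07 db01 kernel: [12345.678] usb 1-1: new high-speed USB device
Aug 31 09:58:41 web01 sshd[1203]: Accepted publickey for deploy from 10.0.5.9 port 52210 ssh2
Aug 31 09:59:10 web01 sudo: deploy : TTY=pts/0 ; COMMAND=/usr/bin/systemctl restart nginx
Aug 31 10:01:55 fw-edge-1 firewall: DENY TCP 198.51.100.7:44321 -> 203.0.113.10:23
Aug 31 10:03:17 lab-switch-9 switchd: port 7 link up
this line is not syslog and is ignored
"""
NOW = datetime(2016, 8, 31, 10, 5, 0)
MAX_SILENCE = timedelta(hours=24)

if __name__ == "__main__":
    print(log_coverage(INVENTORY, SAMPLE_SYSLOG, NOW, 2016, MAX_SILENCE))
```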
CSC 6 System Entity Relationship Diagram (components): Network Time Protocol (NTP) System; Alerting/Reporting Analytics System; Computing Systems.

CSC 7: Email and Web Browser Protections

Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.

Why Is This Control Critical?

Web browsers and email clients are very common points of entry and attack because of their high technical complexity and flexibility, and their direct interaction with users and with the other systems and websites. Content can be crafted to entice or spoof users into taking actions that greatly increase risk and allow introduction of malicious code, loss of valuable data, and other attacks.

CSC 7: Email and Web Browser Protections

System 7.1: Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers provided by the vendor in order to take advantage of the latest security functions and fixes.

System 7.2: Uninstall or disable any unnecessary or unauthorized browser or email client plugins or add-on applications. Each plugin shall utilize application/URL whitelisting and only allow the use of the application for pre-approved domains.

System 7.3: Limit the use of unnecessary scripting languages in all web browsers and email clients. This includes the use of languages such as ActiveX and JavaScript on systems where it is unnecessary to support such capabilities.

System 7.4: Log all URL requests from each of the organization's systems, whether onsite or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.
Advanced: Include mobile devices.

System 7.5: Deploy two separate browser configurations to each system. One configuration should disable the use of all plugins, unnecessary scripting languages, and generally be configured with limited functionality and be used for general web browsing. The other configuration shall allow for more browser functionality but should only be used to access specific websites that require the use of such functionality.
System 7.6: The organization shall maintain and enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. The organization shall subscribe to URL categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.

System 7.7: To lower the chance of spoofed email messages, implement the Sender Policy Framework (SPF) by deploying SPF records in DNS and enabling receiver-side verification in mail servers.

System 7.8: Scan and block all email attachments entering the organization's email gateway if they contain malicious code or file types that are unnecessary for the organization's business. This scanning should be done before the email is placed in the user's inbox. This includes email content filtering and web content filtering.

CSC 7 Procedures and Tools

Web Browser

Most web browsers today have basic security features, but it is not adequate to rely on one aspect of security. A web server is made up of layers that provide multiple avenues of attack. The foundation of any web browser is the operating system and the secret to ensuring that it remains secure is simple: keep it updated with the latest security patches. Ensure that your patches are up-to-date and installed properly, as any server running old patches will become a victim.

Update any software components that run on a web server. Anything that is non-essential, such as DNS servers and remote administration tools like VNC or Remote Desktop, should be disabled or removed. If remote administration tools are essential, however, then avoid using default passwords or anything that can be easily guessed. This is not only applicable for remote access tools, but user accounts, switches and routers as well.
A flexible firewall is one of the strongest forms of defense against security breaches. When a web server is targeted the attack will attempt to upload hacking tools or malware immediately, so as to take advantage of the security breach before it is fixed. Without a good anti-virus package, a breach in security can go unnoticed for a significant amount of time.

Cybercriminals can exploit cookies in malicious ways. Changing your browser settings to block third party cookies will help reduce this risk. The autocomplete or autofill feature saves keystrokes by storing information you recently typed. However, autocomplete for login information poses a big risk if your laptop is lost or stolen. And restricting add-ons to an absolute minimum will reduce the attack surface. Add-ons can harbor malware and increase the possibilities for attacking your browser. Configure your browsers to prevent them from installing add-ons without a prompt.

Most popular browsers employ a database of phishing and/or malware sites to protect against the most common threats. Make sure that you and your users enable content filters. And turn on the popup blockers. Popups are not only annoying, they also can host embedded malware directly or lure users into clicking on something using social engineering tricks. Be sure that your selected browser has popup blocking enabled.

Email

Email represents one of the most interactive ways humans work with computers; encouraging the right behavior is just as important as the technical settings.

Passwords containing common words or phrases are easy to crack. Ensure complex passwords are created; a combination of letters, numbers and special characters is complex enough. Passwords should be changed on a regular basis, every 45-60 days.

Implementing two-factor authentication is another way to ensure the user is authentic, reducing the attack surface. Using a spam-filtering tool reduces the number of malicious emails that come into your network. Initiating a Sender Policy Framework to verify that the domain an email is coming from is authentic helps reduce spam and phishing activities. Installing an encryption tool to secure email and communications adds another layer of user and network-based security.
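The receiver-side SPF verification that sub-control 7.7 and the Email paragraph call for, as an added example that is not code from the CIS document; it implements only the common SPF mechanisms (ip4, ip6, a, mx, include, all) with the standard lookup limit, and the DNS records, domains and addresses are constructed sample data in place of real DNS queries.

```python
"""Receiver-side SPF check, written here as an added example for sub-control
7.7 and the Email paragraph; it is not code from the CIS document and it
implements only the common SPF mechanisms (ip4, ip6, a, mx, include, all).
The DNS records and addresses are constructed sample data."""
import ipaddress

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # SPF limits lookup-causing mechanisms per check

# Constructed stand-in for DNS; a real receiver would query TXT, A and MX.
DNS = {
    "example.com": {
        "txt": "v=spf1 mx ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
        "mx": ["mail.example.com"],
    },
    "mail.example.com": {"a": ["198.51.100.25"]},
    "_spf.mailhost.example": {"txt": "v=spf1 ip4:192.0.2.0/25 ip6:2001:db8::/32 ~all"},
    "nospf.example": {},
}


def check_spf(sender_ip, domain, dns=DNS, _lookups=None):
    """Evaluate the envelope-sender domain's SPF record for sender_ip.

    Returns one of pass, fail, softfail, neutral, none or permerror.
    """
    record = dns.get(domain, {}).get("txt", "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    lookups = _lookups if _lookups is not None else [0]
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # ip_network membership is False when the address family differs
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            target = arg or domain
            if name == "a":
                matched = str(ip) in dns.get(target, {}).get("a", [])
            elif name == "mx":
                matched = any(str(ip) in dns.get(h, {}).get("a", [])
                              for h in dns.get(target, {}).get("mx", []))
            else:
                inner = check_spf(sender_ip, target, dns, lookups)
                if inner == "none":
                    return "permerror"  # included domain has no SPF record
                matched = inner == "pass"
        else:
            return "permerror"  # mechanism not supported by this example
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # record exhausted without a match


def receiver_action(spf_result):
    """Constructed gateway policy: what the mail server does with the message."""
    return {"fail": "reject", "softfail": "quarantine",
            "permerror": "quarantine"}.get(spf_result, "accept")


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.25", "192.0.2.9", "192.0.2.200"):
        result = check_spf(ip, "example.com")
        print(ip, result, receiver_action(result))
```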
CSC 7 System Entity Relationship Diagram (components): Alerting/Reporting Analytics System; Configuration Enforcement System; URL/Email Filtering Proxy System; Network Devices.

CSC 8: Malware Defenses

Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.

Why Is This Control Critical?

Malicious software is an integral and dangerous aspect of Internet threats, and can be designed to attack your systems, devices, or your data. It can be fast-moving, fast-changing, and enter through any number of points like end-user devices, email attachments, web pages, cloud services, user actions, and removable media. Modern malware can be designed to avoid defenses, or to attack or disable them.

Malware defenses must be able to operate in this dynamic environment through large-scale automation, rapid updating, and integration with processes like Incident Response. They must also be deployed at multiple possible points-of-attack to detect, stop the movement of, or control the execution of malicious software. Enterprise endpoint security suites provide administrative features to verify that all defenses are active and current on every managed system.

CSC 8: Malware Defenses

System 8.1: Employ automated tools to continuously monitor workstations, servers, and mobile devices with anti-virus, anti-spyware, personal firewalls, and host-based IPS functionality. All malware detection events should be sent to enterprise anti-malware administration tools and event log servers.

System 8.2: Employ anti-malware software that offers a centralized infrastructure that compiles information on file reputations or have administrators manually push updates to all machines. After applying an update, automated systems should verify that each system has received its signature update.

System 8.3: Limit use of external devices to those with an approved, documented business need. Monitor for use and attempted use of external devices. Configure laptops, workstations, and servers so that they will not auto-run content from removable media, like USB tokens (i.e., "thumb drives"), USB hard drives, CDs/DVDs, FireWire devices, external serial advanced technology attachment devices, and mounted network shares. Configure systems so that they automatically conduct an anti-malware scan of removable media when inserted.
Advanced: Actively monitor the use of external devices (in addition to logging).

System 8.4: Enable anti-exploitation features such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), virtualization/containerization, etc. For increased protection, deploy capabilities such as Enhanced Mitigation Experience Toolkit (EMET) that can be configured to apply these protections to a broader set of applications and executables.

System 8.5: Use network-based anti-malware tools to identify executables in all network traffic and use techniques other than signature-based detection to identify and filter out malicious content before it arrives at the endpoint.

System 8.6: Enable domain name system (DNS) query logging to detect hostname lookup for known malicious C2 domains.

CSC 8 Procedures and Tools

To ensure anti-virus signatures are up to date, organizations use automation. They use the built-in administrative features of enterprise endpoint security suites to verify that anti-virus, anti-spyware, and host-based IDS features are active on every managed system. They run automated assessments daily and review the results to find and mitigate systems that have deactivated such protections, as well as systems that do not have the latest malware definitions.

Some enterprises deploy free or commercial honeypot and "tarpit" tools to identify attackers in their environment. Security personnel should continuously monitor these tools to determine whether traffic is directed to them and account logins are attempted. When they identify such events, these personnel should gather the source address from which this traffic originates and other details associated with the attack for follow-on investigation.
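The DNS query-log review that sub-control 8.6 calls for (matching queried names against a list of known C2 domains, including their subdomains, and grouping hits by client for triage), as an added example that is not code from the CIS document; the log format is modelled on BIND-style query logs, and the log lines, client addresses and listed domains are constructed sample data.

```python
"""DNS query-log check against a C2 domain list, written here as an added
example for sub-control 8.6; it is not code from the CIS document. The log
format is modelled on BIND-style query logs and the log lines, client
addresses and listed domains are constructed sample data."""
import re

# Assumed line shape: "... client <ip>#<port>: query: <qname> IN <type> ..."
QUERY_LINE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def normalize(qname):
    """Lowercase and strip the trailing dot of a fully qualified name."""
    return qname.rstrip(".").lower()


def is_listed(qname, blocklist):
    """True if qname equals a listed domain or is a subdomain of one.

    Label-wise matching avoids the substring mistake in which
    'notbad-c2.example' would match a listing of 'bad-c2.example'.
    """
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def c2_lookups(log_text, blocklist):
    """Map each client address to the listed names it queried, for triage."""
    hits = {}
    for line in log_text.splitlines():
        m = QUERY_LINE.search(line)
        if m and is_listed(m["qname"], blocklist):
            hits.setdefault(m["client"], set()).add(normalize(m["qname"]))
    return {client: sorted(names) for client, names in sorted(hits.items())}


# Constructed threat-intelligence list (reserved .example/.test names).
BLOCKLIST = frozenset({"bad-c2.example", "evil.test"})

# Constructed query-log excerpt.
SAMPLE_QUERY_LOG = """\
31-Aug-2016 10:12:03.118 client 10.0.7.21#53122: query: www.example.org IN A + (10.0.0.53)
31-Aug-2016 10:12:04.401 client 10.0.7.21#53130: query: cdn.bad-c2.example IN A + (10.0.0.53)
31-Aug-2016 10:12:05.007 client 10.0.7.42#61002: query: notbad-c2.example IN A + (10.0.0.53)
31-Aug-2016 10:12:06.550 client 10.0.7.42#61010: query: BAD-C2.EXAMPLE. IN TXT + (10.0.0.53)
31-Aug-2016 10:12:07.221 client 10.0.9.5#50001: query: evil.test IN A + (10.0.0.53)
31-Aug-2016 10:12:08.009 client 10.0.9.5#50002: query: evil.test IN AAAA + (10.0.0.53)
"""

if __name__ == "__main__":
    for client, names in c2_lookups(SAMPLE_QUERY_LOG, BLOCKLIST).items():
        print(client, names)
```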
CSC 8 System Entity Relationship Diagram (components): Alerting/Reporting Analytics System; End Point Protection Software/EMET; Network Malware Detection; Computing Systems.

CSC 9: Limitation and Control of Network Ports, Protocols, and Services

Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize windows of vulnerability available to attackers.

Why Is This Control Critical?

Attackers search for remotely accessible network services that are vulnerable to exploitation. Common examples include poorly configured web servers, mail servers, file and print services, and domain name system (DNS) servers installed by default on a variety of different device types, often without a business need for the given service. Many software packages automatically install services and turn them on as part of the installation of the main software package without informing a user or administrator that the services have been enabled. Attackers scan for such issues and attempt to exploit these services, often attempting default user IDs and passwords or widely available exploitation code.

CSC 9: Limitation and Control of Network Ports

System 9.1: Ensure that only ports, protocols, and services with validated business needs are running on each system.

System 9.2: Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.

System 9.3: Perform automated port scans on a regular basis against all key servers and compare to a known effective baseline. If a change that is not listed on the organization's approved baseline is discovered, an alert should be generated and reviewed.

System 9.4: Verify any server that is visible from the Internet or an untrusted network, and if it is not required for business purposes, move it to an internal VLAN and give it a private address.

System 9.5: Operate critical services on separate physical or logical host machines, such as DNS, file, mail, web, and database servers.
System 9.6: Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized services or traffic should be blocked and an alert generated.

CSC 9 Procedures and Tools

Port scanning tools are used to determine which services are listening on the network for a range of target systems. In addition to determining which ports are open, effective port scanners can be configured to identify the version of the protocol and service listening on each discovered open port. This list of services and their versions is compared against an inventory of services required by the organization for each server and workstation in an asset management system. Recently added features in these port scanners are being used to determine the changes in services offered by scanned machines on the network since the previous scan, helping security personnel identify differences over time.

CSC 9 System Entity Relationship Diagram (components): Alerting/Reporting Analytics System; Host/Application Firewall Systems; SCAP Vulnerability Scanner; Computing Systems.

CSC 10: Data Recovery Capability

The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.

Why Is This Control Critical?

When attackers compromise machines, they often make significant changes to configurations and software. Sometimes attackers also make subtle alterations of data stored on compromised machines, potentially jeopardizing organizational effectiveness with polluted information. When the attackers are discovered, it can be extremely difficult for organizations without a trustworthy data recovery capability to remove all aspects of the attacker's presence on the machine.

CSC 10: Data Recovery Capability

System 10.1: Ensure that each system is automatically backed up on at least a weekly basis, and more often for systems storing sensitive information. To help ensure the ability to rapidly restore a system from backup, the operating system, application software, and data on a machine should each be included in the overall backup procedure. These three components of a system do not have to be included in the same backup file or use the same backup software. There should be multiple backups over time, so that in the event of malware infection, restoration can be from a version that is believed to predate the original infection. All backup policies should be compliant with any regulatory or official requirements.

System 10.2: Test data on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.

System 10.3: Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.

System 10.4: Ensure that key systems have at least one backup destination that is not continuously addressable through operating system calls. This will mitigate the risk of attacks like CryptoLocker which seek to encrypt or damage data on all addressable data shares, including backup destinations.

CSC 10 Procedures and Tools

Once per quarter (or whenever new backup equipment is purchased), a testing team should evaluate a random sample of system backups by attempting to restore them on a test bed environment. The restored systems should be verified to ensure that the operating system, application, and data from the backup are all intact and functional.

In the event of malware infection, restoration procedures should use a version of the backup that is believed to predate the original infection.

CSC 10 System Entity Relationship Diagram (components): Alerting/Reporting Analytics System; Data Backup System; Offsite/Offline Backups; Computing Systems.

CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

Why Is This Control Critical?

As delivered from manufacturers and resellers, the default configurations for network infrastructure devices are geared for ease-of-deployment and ease-of-use – not security.
Openservicesandports,defaultaccounts(includingserviceaccounts)orpasswords, supportforolder(vulnerable)protocols,pre-installationofunneededsoftware;allcanbe exploitableintheirdefaultstate. Attackerstakeadvantageofnetworkdevicesbecominglesssecurelyconfiguredovertime asusersdemandexceptionsforspecificbusinessneeds.Sometimestheexceptionsare deployedandthenleftundonewhentheyarenolongerapplicabletothebusinessneeds.In somecases,thesecurityriskoftheexceptionisneitherproperlyanalyzednormeasured againsttheassociatedbusinessneedandcanchangeovertime.Attackerssearchfor vulnerabledefaultsettings,electronicholesinfirewalls,routers,andswitchesanduse thosetopenetratedefenses.Theyexploitflawsinthesedevicestogainaccesstonetworks, redirecttrafficonanetwork,andinterceptinformationwhileintransmission.Through suchactions,theattackergainsaccesstosensitivedata,altersimportantinformation,or evenusesacompromisedmachinetoposeasanothertrustedsystemonthenetwork. CSC11:SecureConfigurationsforNetworkDevices Family CSC ControlDescription Network 11.1 Comparefirewall,router,andswitchconfigurationagainst standardsecureconfigurationsdefinedforeachtypeof networkdeviceinuseintheorganization.Thesecurity configurationofsuchdevicesshouldbedocumented, reviewed,andapprovedbyanorganizationchangecontrol board.Anydeviationsfromthestandardconfigurationor updatestothestandardconfigurationshouldbedocumented andapprovedinachangecontrolsystem. 38 Foun- dational Advanced Y Family CSC ControlDescription Foun- dational Advanced Y Network 11.3 Useautomatedtoolstoverifystandarddeviceconfigurations anddetectchanges.Allalterationstosuchfilesshouldbe loggedandautomaticallyreportedtosecuritypersonnel. Y Network 11.4 Managenetworkdevicesusingtwo-factorauthenticationand encryptedsessions. Y Network 11.5 Installthelateststableversionofanysecurity-related updatesonallnetworkdevices. 
CSC 11.2 (Network): All new configuration rules beyond a baseline-hardened configuration that allow traffic to flow through network security devices, such as firewalls and network-based IPS, should be documented and recorded in a configuration management system, with a specific business reason for each change, a specific individual's name responsible for that business need, and an expected duration of the need.

CSC 11.6 (Network): Network engineers shall use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be isolated from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.

CSC 11.7 (Network): Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.

CSC 11 Procedures and Tools

Some organizations use commercial tools that evaluate the rule set of network filtering devices to determine whether the rules are consistent or in conflict, providing an automated sanity check of network filters and searching for errors in rule sets or access control lists (ACLs) that may allow unintended services through the device. Such tools should be run each time significant changes are made to firewall rule sets, router ACLs, or other filtering technologies.

CSC 11 System Entity Relationship Diagram (components: Alerting/Reporting Analytics System; Network Device Management System; Authentication System; Dedicated Administration Systems; Network Devices)

CSC 12: Boundary Defense

Detect/prevent/correct the flow of information transferring networks of different trust levels with a focus on security-damaging data.

Why Is This Control Critical?
Attackers focus on exploiting systems that they can reach across the Internet, including not only DMZ systems but also workstation and laptop computers that pull content from the Internet through network boundaries. Threats such as organized crime groups and nation-states use configuration and architectural weaknesses found on perimeter systems, network devices, and Internet-accessing client machines to gain initial access into an organization. Then, with a base of operations on these machines, attackers often pivot to get deeper inside the boundary to steal or change information or to set up a persistent presence for later attacks against internal hosts. Additionally, many attacks occur between business partner networks, sometimes referred to as extranets, as attackers hop from one organization's network to another, exploiting vulnerable systems on extranet perimeters.

To control the flow of traffic through network borders and police content by looking for attacks and evidence of compromised machines, boundary defenses should be multi-layered, relying on firewalls, proxies, DMZ perimeter networks, and network-based IPS and IDS. It is also critical to filter both inbound and outbound traffic.

It should be noted that boundary lines between internal and external networks are diminishing as a result of increased interconnectivity within and between organizations as well as the rapid rise in deployment of wireless technologies. These blurring lines sometimes allow attackers to gain access inside networks while bypassing boundary systems. However, even with this blurring of boundaries, effective security deployments still rely on carefully configured boundary defenses that separate networks with different threat levels, sets of users, and levels of control. And despite the blurring of internal and external networks, effective multi-layered defenses of perimeter networks help lower the number of successful attacks, allowing security personnel to focus on attackers who have devised methods to bypass boundary restrictions.
CSC 12: Boundary Defense

CSC 12.1 (Network): Deny communications with (or limit data flow to) known malicious IP addresses (blacklists), or limit access only to trusted sites (whitelists). Tests can be periodically carried out by sending packets from bogon source IP addresses (non-routable or otherwise unused IP addresses) into the network to verify that they are not transmitted through network perimeters. Lists of bogon addresses are publicly available on the Internet from various sources, and indicate a series of IP addresses that should not be used for legitimate traffic traversing the Internet.

CSC 12.2 (Network): On DMZ networks, configure monitoring systems (which may be built into the IDS sensors or deployed as a separate technology) to record at least packet header information, and preferably full packet header and payloads of the traffic destined for or passing through the network border. This traffic should be sent to a properly configured Security Information Event Management (SIEM) or log analytics system so that events can be correlated from all devices on the network.

CSC 12.3 (Network): Deploy network-based IDS sensors on Internet and extranet DMZ systems and networks that look for unusual attack mechanisms and detect compromise of these systems. These network-based IDS sensors may detect attacks through the use of signatures, network behavior analysis, or other mechanisms to analyze traffic.

CSC 12.4 (Network): Network-based IPS devices should be deployed to complement IDS by blocking known bad signatures or the behavior of potential attacks. As attacks become automated, detection-only methods such as IDS leave a window between the attack and a human response. A properly configured network-based IPS can provide automation to block bad traffic. When evaluating network-based IPS products, include for consideration those using techniques other than signature-based detection (such as virtual machine or sandbox-based approaches).
CSC 12.5 (Network): Design and implement network perimeters so that all outgoing network traffic to the Internet must pass through at least one application layer filtering proxy server. The proxy should support decrypting network traffic, logging individual TCP sessions, blocking specific URLs, domain names, and IP addresses to implement a blacklist, and applying whitelists of allowed sites that can be accessed through the proxy while blocking all other sites. Organizations should force outbound traffic to the Internet through an authenticated proxy server on the enterprise perimeter.

CSC 12.6 (Network): Require all remote login access (including VPN, dial-up, and other forms of access that allow login to internal systems) to use two-factor authentication.

CSC 12.7 (Network): All enterprise devices remotely logging into the internal network should be managed by the enterprise, with remote control of their configuration, installed software, and patch levels. For third-party devices (e.g., subcontractors/vendors), publish minimum security standards for access to the enterprise network and perform a security scan before allowing access.

CSC 12.8 (Network): Periodically scan for back-channel connections to the Internet that bypass the DMZ, including unauthorized VPN connections and dual-homed hosts connected to the enterprise network and to other networks via wireless, dial-up modems, or other mechanisms.

CSC 12.9 (Network): Deploy NetFlow collection and analysis to DMZ network flows to detect anomalous activity.

CSC 12.10 (Network): To help identify covert channels exfiltrating data through a firewall, configure the built-in firewall session tracking mechanisms included in many commercial firewalls to identify TCP sessions that last an unusually long time for the given organization and firewall device, alerting personnel about the source and destination addresses associated with these long sessions.
CSC 12 Procedures and Tools

The boundary defenses included in this control build on CSC 11 (Secure Configurations for Network Devices). The additional recommendations here focus on improving the overall architecture and implementation of both Internet and internal network boundary points. Internal network segmentation is central to this control because once inside a network, many intruders attempt to target the most sensitive machines. Usually, internal network protection is not set up to defend against an internal attacker. Setting up even a basic level of security segmentation across the network and protecting each segment with a proxy and a firewall will greatly reduce an intruder's access to the other parts of the network.

One element of this control can be implemented using free or commercial IDS and sniffers to look for attacks from external sources directed at DMZ and internal systems, as well as attacks originating from internal systems against the DMZ or Internet. Security personnel should regularly test these sensors by launching vulnerability-scanning tools against them to verify that the scanner traffic triggers an appropriate alert. The captured packets of the IDS sensors should be reviewed using an automated script each day to ensure that log volumes are within expected parameters and that the logs are formatted properly and have not been corrupted.

Additionally, packet sniffers should be deployed on DMZs to look for Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. By sampling traffic regularly, such as over a three-hour period once a week, information security personnel can search for HTTP traffic that is neither sourced by nor destined for a DMZ proxy, implying that the requirement for proxy use is being bypassed.
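The bogon test in CSC 12.1, the long-session check in CSC 12.10, and the proxy-bypass sampling described above can all be run over the session export that most firewalls already produce. The following Python script is an added example written for this edition; it is not part of the CIS text and not a vendor tool. The internal address space (10.0.0.0/8), the proxy address (10.0.0.10), the four-hour session threshold and the five session records are all constructed for the demonstration, and the bogon list is the static set of special-use prefixes rather than a live feed.

```python
"""CSC 12 boundary flow checks over constructed firewall session records (added example).

Checks: inbound sessions from bogon source addresses (12.1), TCP sessions that
last unusually long and may be covert channels (12.10), and web traffic from
internal clients that reaches the Internet without touching the DMZ proxy
(the proxy-bypass sampling described in Procedures and Tools).
"""
import ipaddress
from collections import namedtuple
from datetime import datetime

Session = namedtuple("Session", "start end src dst dport proto")

# Special-use prefixes from RFC 6890 and related RFCs. This static list covers
# only the well-known ranges; a production check should also load the current
# unallocated-space bogon list from a public feed, as the control recommends.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]

# Assumed (hypothetical) site layout: one internal /8 and a single DMZ web proxy.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
PROXY_IPS = {ipaddress.ip_address("10.0.0.10")}

# Constructed session export: start,end,src,dst,dport,proto; "#" comments are stripped.
SAMPLE_SESSIONS = """
2016-08-01T08:00:00,2016-08-01T08:00:12,10.1.5.20,10.0.0.10,80,tcp      # client -> proxy
2016-08-01T08:00:00,2016-08-01T08:00:13,10.0.0.10,203.0.113.50,80,tcp   # proxy -> Internet
2016-08-01T08:05:00,2016-08-01T08:05:03,10.1.5.21,203.0.113.50,80,tcp   # client -> Internet, no proxy
2016-08-01T02:00:00,2016-08-01T14:30:00,10.1.7.9,198.51.100.7,443,tcp   # 12.5 hour session
2016-08-01T09:00:00,2016-08-01T09:00:01,192.0.2.55,10.0.0.10,80,tcp     # inbound from bogon source
"""


def parse_sessions(text):
    sessions = []
    for raw in text.strip().splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        start, end, src, dst, dport, proto = (f.strip() for f in line.split(","))
        sessions.append(Session(datetime.fromisoformat(start), datetime.fromisoformat(end),
                                ipaddress.ip_address(src), ipaddress.ip_address(dst),
                                int(dport), proto.lower()))
    return sessions


def _in_any(ip, nets):
    return any(ip in net for net in nets)


def is_bogon(ip):
    """True if the address falls in a special-use / non-routable prefix."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    return _in_any(ip, BOGONS)


def bogon_sources(sessions, internal_nets):
    """12.1 test: inbound sessions (external source, internal destination) whose
    source address should never appear on the Internet side of the perimeter."""
    return [s for s in sessions
            if not _in_any(s.src, internal_nets) and _in_any(s.dst, internal_nets)
            and is_bogon(s.src)]


def long_sessions(sessions, threshold_seconds):
    """12.10: TCP sessions whose lifetime exceeds the site's normal maximum."""
    return [s for s in sessions
            if s.proto == "tcp" and (s.end - s.start).total_seconds() > threshold_seconds]


def proxy_bypass(sessions, proxy_ips, internal_nets):
    """Procedures: HTTP from an internal client to the Internet that is neither
    sourced by nor destined for a DMZ proxy, i.e. the proxy requirement is bypassed."""
    return [s for s in sessions
            if s.proto == "tcp" and s.dport == 80
            and s.src not in proxy_ips and s.dst not in proxy_ips
            and _in_any(s.src, internal_nets) and not _in_any(s.dst, internal_nets)]


def analyze(text, proxy_ips, internal_nets, long_threshold_seconds=4 * 3600):
    sessions = parse_sessions(text)
    return {
        "bogon_source": bogon_sources(sessions, internal_nets),
        "long_session": long_sessions(sessions, long_threshold_seconds),
        "proxy_bypass": proxy_bypass(sessions, proxy_ips, internal_nets),
    }


if __name__ == "__main__":
    for check, hits in analyze(SAMPLE_SESSIONS, PROXY_IPS, INTERNAL_NETS).items():
        for s in hits:
            print(f"{check}: {s.src} -> {s.dst}:{s.dport}/{s.proto} {s.start} .. {s.end}")
```

The bypass check follows the text and looks at port 80 only; where policy also routes HTTPS through the proxy, add 443 to the port test. The session threshold should be derived from the organization's own distribution of session lifetimes, as 12.10 says, rather than taken from this example.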
To identify back-channel connections that bypass approved DMZs, network security personnel can establish an Internet-accessible system to use as a receiver for testing outbound access. This system is configured with a free or commercial packet sniffer. Then, security personnel can connect a sending test system to various points on the organization's internal network, sending easily identifiable traffic to the sniffing receiver on the Internet. These packets can be generated using free or commercial tools with a payload that contains a custom file used for the test. When the packets arrive at the receiver system, the source address of the packets should be verified against acceptable DMZ addresses allowed for the organization. If source addresses are discovered that are not included in legitimate, registered DMZs, more detail can be gathered by using a traceroute tool to determine the path that packets take from the sender to the receiver system.

CSC 12 System Entity Relationship Diagram (components: Network Monitoring Systems (IDS & IPS); Network Device Management System; Alerting/Reporting Analytics System; Authentication System; Application Firewall/Proxy System; Configuration Enforcement System; Network Devices)

CSC 13: Data Protection

The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.

Why Is This Control Critical?

Data resides in many places. Protection of that data is best achieved through the application of a combination of encryption, integrity protection and data loss prevention techniques. As organizations continue their move towards cloud computing and mobile access, it is important that proper care be taken to limit and report on data exfiltration while also mitigating the effects of data compromise.
The adoption of data encryption, both in transit and at rest, provides mitigation against data compromise. This holds only if proper care has been taken in the processes and technologies associated with the encryption operations. An example of this is the management of cryptographic keys used by the various algorithms that protect data. The process for generation, use and destruction of keys should be based on proven processes as defined in standards such as NIST SP 800-57.

Care should also be taken to ensure that products used within an enterprise implement well known and vetted cryptographic algorithms, as identified by NIST. Re-evaluation of the algorithms and key sizes used within the enterprise on an annual basis is also recommended to ensure that organizations are not falling behind in the strength of protection applied to their data.

For organizations that are moving data to the cloud, it is important to understand the security controls applied to data in the cloud multi-tenant environment, and determine the best course of action for application of encryption controls and security of keys. When possible, keys should be stored within secure containers such as Hardware Security Modules (HSMs).

Encrypting data provides a level of assurance that even if data is compromised, it is impractical to access the plaintext without significant resources; however, controls should also be put in place to mitigate the threat of data exfiltration in the first place. Many attacks occur across the network, while others involve physical theft of laptops and other equipment holding sensitive information. Yet, in most cases, the victims are not aware that the sensitive data are leaving their systems because they are not monitoring data outflows. The movement of data across network boundaries both electronically and physically must be carefully scrutinized to minimize its exposure to attackers.

The loss of control over protected or sensitive data by organizations is a serious threat to business operations and a potential threat to national security. While some data are leaked or lost as a result of theft or espionage, the vast majority of these problems result from poorly understood data practices, a lack of effective policy architectures, and user error.
Data loss can even occur as a result of legitimate activities such as e-Discovery during litigation, particularly when records retention practices are ineffective or nonexistent.

Data loss prevention (DLP) refers to a comprehensive approach covering people, processes, and systems that identify, monitor, and protect data in use (e.g., endpoint actions), data in motion (e.g., network actions), and data at rest (e.g., data storage) through deep content inspection and with a centralized management framework. Over the last several years, there has been a noticeable shift in attention and investment from securing the network to securing systems within the network, and to securing the data itself. DLP controls are based on policy, and include classifying sensitive data, discovering that data across an enterprise, enforcing controls, and reporting and auditing to ensure policy compliance.

CSC 13: Data Protection

CSC 13.1 (Network): Perform an assessment of data to identify sensitive information that requires the application of encryption and integrity controls.

CSC 13.2 (Network): Deploy approved hard drive encryption software to mobile devices and systems that hold sensitive data.

CSC 13.3 (Network): Deploy an automated tool on network perimeters that monitors for sensitive information (e.g., personally identifiable information), keywords, and other document characteristics to discover unauthorized attempts to exfiltrate data across network boundaries and block such transfers while alerting information security personnel.

CSC 13.4 (Network): Conduct periodic scans of server machines using automated tools to determine whether sensitive data (e.g., personally identifiable information, health, credit card, or classified information) is present on the system in clear text. These tools, which search for patterns that indicate the presence of sensitive information, can help identify if a business or technical process is leaving behind or otherwise leaking sensitive information.
CSC 13.5 (Network): If there is no business need for supporting USB storage devices, configure systems so that they will not write data to USB tokens or USB hard drives. If such devices are required, enterprise software should be used that can configure systems to allow only specific USB devices (based on serial number or other unique property) to be accessed, and that can automatically encrypt all data placed on such devices. An inventory of all authorized devices must be maintained.

CSC 13.6 (Network): Use network-based DLP solutions to monitor and control the flow of data within the network. Any anomalies that exceed the normal traffic patterns should be noted and appropriate action taken to address them.

CSC 13.7 (Network): Monitor all traffic leaving the organization and detect any unauthorized use of encryption. Attackers often use an encrypted channel to bypass network security devices. Therefore it is essential that organizations be able to detect rogue connections, terminate the connection, and remediate the infected system.

CSC 13.8 (Network): Block access to known file transfer and email exfiltration websites.

CSC 13.9 (Network): Use host-based data loss prevention (DLP) to enforce ACLs even when data is copied off a server. In most organizations, access to the data is controlled by ACLs that are implemented on the server. Once the data have been copied to a desktop system, the ACLs are no longer enforced and the users can send the data to whomever they want.

CSC 13 Procedures and Tools

Commercial tools are available to support enterprise management of encryption and key management within an enterprise and include the ability to support implementation of encryption controls within cloud and mobile environments.

Definition of life cycle processes and roles and responsibilities associated with key management should be undertaken by each organization.

Commercial DLP solutions are available to look for exfiltration attempts and detect other suspicious activities associated with a protected network holding sensitive information.
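The cleartext scans called for in CSC 13.4, and the content inspection that network DLP performs for 13.3, come down to pattern matching with enough validation to keep the false-positive rate workable. The following Python scanner is an added example for this edition, not code from CIS or from any DLP product: it finds payment card numbers by pattern plus Luhn check digit, finds US Social Security Numbers by structure, and reports only masked values. The sample text, the file name and the regular expressions are constructed for the demonstration.

```python
"""CSC 13.4 cleartext sensitive-data scan over constructed file content (added example).

Finds payment card numbers (13 to 19 digits with optional spaces or dashes,
confirmed with the Luhn check digit so ordinary numeric IDs are not reported)
and US Social Security Numbers (structural rules exclude never-issued values).
Findings carry a masked value so the scan report is not itself a new cleartext copy.
"""
import re

PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")

# Constructed sample: one false-positive candidate (an order number), two numbers
# from the public Visa/Mastercard test ranges, one valid-shaped SSN and one
# structurally invalid SSN.
SAMPLE_TEXT = """\
customer_id=48213 order=1234567890123456 status=shipped
card=4111 1111 1111 1111 exp=09/19 name=J. Doe
backup note: mc 5500-0000-0000-0004 charged
ssn 123-45-6789 on file; placeholder 000-12-3456 rejected
build 2016-08-31 version 6.1.0
"""


def luhn_ok(digits):
    """Luhn check digit validation (ISO/IEC 7812), used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(line):
    """Candidate card numbers in a line that pass the Luhn check.
    Note: 15-digit IMEIs also pass Luhn; a production scanner adds issuer-prefix checks."""
    hits = []
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(line):
    """SSN-shaped values, dropping areas 000/666/9xx, group 00 and serial 0000."""
    hits = []
    for m in SSN_RE.finditer(line):
        area, group, serial = m.groups()
        if area in ("000", "666") or area.startswith("9") or group == "00" or serial == "0000":
            continue
        hits.append(f"{area}-{group}-{serial}")
    return hits


def mask(value):
    """Keep only the last four characters so the finding can be triaged safely."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(text, source="<memory>"):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pan in find_pans(line):
            findings.append({"type": "PAN", "source": source, "line": lineno, "value": mask(pan)})
        for ssn in find_ssns(line):
            findings.append({"type": "SSN", "source": source, "line": lineno, "value": mask(ssn)})
    return findings


def scan_file(path):
    """Scan one file on disk; undecodable bytes are skipped rather than aborting the scan."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return scan_text(fh.read(), source=path)


if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEXT, source="sample.txt"):
        print(f"{f['source']}:{f['line']} {f['type']} {f['value']}")
```

The order number on the first line is sixteen digits long and is not reported because it fails the Luhn check; that single check removes most numeric identifiers from the results. The same find_pans and find_ssns functions can sit behind a perimeter inspection point for 13.3, where blocking rather than reporting is the action.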
Organizations deploying such tools should carefully inspect their logs and follow up on any discovered attempts, even those that are successfully blocked, to transmit sensitive information out of the organization without authorization.

CSC 13 System Entity Relationship Diagram (components: End Point Protection/Removable Media Control; Alerting/Reporting Analytics System; Network & Host Based DLP; Encryption Systems; Computing Systems; Network Devices)

CSC 14: Controlled Access Based on the Need to Know

The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.

Why Is This Control Critical?

Some organizations do not carefully identify and separate their most sensitive and critical assets from less sensitive, publicly accessible information on their internal networks. In many environments, internal users have access to all or most of the critical assets. Sensitive assets may also include systems that provide management and control of physical systems (e.g., SCADA). Once attackers have penetrated such a network, they can easily find and exfiltrate important information, cause physical damage, or disrupt operations with little resistance. For example, in several high-profile breaches over the past two years, attackers were able to gain access to sensitive data stored on the same servers with the same level of access as far less important data. There are also examples of using access to the corporate network to gain access to, then control over, physical assets and cause damage.

CSC 14: Controlled Access Based on the Need to Know

CSC 14.1 (Application): Segment the network based on the label or classification level of the information stored on the servers. Locate all sensitive information on separated VLANs with firewall filtering to ensure that only authorized individuals are able to communicate with systems necessary to fulfill their specific responsibilities.
CSC 14.2 (Application): All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.

CSC 14.3 (Application): All network switches will enable Private Virtual Local Area Networks (Private VLANs) for segmented workstation networks to limit the ability of devices on a network to directly communicate with other devices on the subnet and limit an attacker's ability to move laterally to compromise neighboring systems.

CSC 14.4 (Application): All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.

CSC 14.5 (Application): Sensitive information stored on systems shall be encrypted at rest and require a secondary authentication mechanism, not integrated into the operating system, in order to access the information.

CSC 14.6 (Application): Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data.

CSC 14.7 (Application): Archived data sets or systems not regularly accessed by the organization shall be removed from the organization's network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system, or completely virtualized and powered off until needed.

CSC 14 Procedures and Tools

It is important that an organization understand what its sensitive information is, where it resides, and who needs access to it. To derive sensitivity levels, organizations need to put together a list of the key types of data and the overall importance to the organization. This analysis would be used to create an overall data classification scheme for the organization.
At a base level, a data classification scheme is broken down into two levels: public (unclassified) and private (classified). Once the private information has been identified, it can then be further subdivided based on the impact it would have to the organization if it were compromised.

Once the sensitivity of the data has been identified, the data need to be traced back to business applications and the physical servers that house those applications. The network then needs to be segmented so that systems of the same sensitivity level are on the same network and segmented from systems with different trust levels. If possible, firewalls need to control access to each segment. If data are flowing over a network with a lower trust level, encryption should be used.

Job requirements should be created for each user group to determine what information the group needs access to in order to perform its jobs. Based on the requirements, access should only be given to the segments or servers that are needed for each job function. Detailed logging should be turned on for all servers in order to track access and examine situations where someone is accessing data that they should not be accessing.

CSC 14 System Entity Relationship Diagram (components: Network Device Management System; Alerting/Reporting Analytics System; Encryption Systems; Host Based Data Loss Prevention (DLP); Network Devices)

CSC 15: Wireless Access Control

The processes and tools used to track/control/prevent/correct the secure use of wireless local area networks (LANs), access points, and wireless client systems.

Why Is This Control Critical?
Major thefts of data have been initiated by attackers who have gained wireless access to organizations from outside the physical building, bypassing organizations' security perimeters by connecting wirelessly to access points inside the organization. Wireless clients accompanying traveling officials are infected on a regular basis through remote exploitation during air travel or in cyber cafes. Such exploited systems are then used as backdoors when they are reconnected to the network of a target organization. Still other organizations have reported the discovery of unauthorized wireless access points on their networks, planted and sometimes hidden for unrestricted access to an internal network. Because they do not require direct physical connections, wireless devices are a convenient vector for attackers to maintain long-term access into a target environment.

CSC 15: Wireless Access Control

CSC 15.1 (Network): Ensure that each wireless device connected to the network matches an authorized configuration and security profile, with a documented owner of the connection and a defined business need. Organizations should deny access to those wireless devices that do not have such a configuration and profile.

CSC 15.2 (Network): Configure network vulnerability scanning tools to detect wireless access points connected to the wired network. Identified devices should be reconciled against a list of authorized wireless access points. Unauthorized (i.e., rogue) access points should be deactivated.

CSC 15.3 (Network): Use wireless intrusion detection systems (WIDS) to identify rogue wireless devices and detect attack attempts and successful compromises. In addition to WIDS, all wireless traffic should be monitored as it passes into the wired network.

CSC 15.4 (Network): Where a specific business need for wireless access has been identified, configure wireless access on client machines to allow access only to authorized wireless networks. For devices that do not have an essential wireless business purpose, disable wireless access in the hardware configuration (basic input/output system or extensible firmware interface).
CSC 15.5 (Network): Ensure that all wireless traffic leverages at least Advanced Encryption Standard (AES) encryption used with at least Wi-Fi Protected Access 2 (WPA2) protection.

CSC 15.6 (Network): Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), which provide credential protection and mutual authentication.

CSC 15.7 (Network): Disable peer-to-peer wireless network capabilities on wireless clients.

CSC 15.8 (Network): Disable wireless peripheral access of devices (such as Bluetooth), unless such access is required for a documented business need.

CSC 15.9 (Network): Create separate virtual local area networks (VLANs) for BYOD systems or other untrusted devices. Internet access from this VLAN should go through at least the same border as corporate traffic. Enterprise access from this VLAN should be treated as untrusted and filtered and audited accordingly.

CSC 15 Procedures and Tools

Effective organizations run commercial wireless scanning, detection, and disc
overy tools as well as commercial wireless intrusion detection systems.

Additionally, the security team should periodically capture wireless traffic from within the borders of a facility and use free and commercial analysis tools to determine whether the wireless traffic was transmitted using weaker protocols or encryption than the organization mandates. When devices relying on weak wireless security settings are identified, they should be found within the organization's asset inventory and either reconfigured more securely or denied access to the organization network.

Additionally, the security team should employ remote management tools on the wired network to pull information about the wireless capabilities and devices connected to managed systems.
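The capture review described above comes down to reading the security parameters each access point advertises in its beacon and probe-response frames, and comparing them with what CSC 15.5 (AES/CCMP under WPA2 or later, no TKIP or WEP) and CSC 15.6 (EAP/802.1X key management rather than a pre-shared key) require. The following Python parser is an added example for this edition, not code from CIS or from any WIDS vendor: it decodes the IEEE 802.11 RSN information element and reports policy issues per network. The three beacons are constructed byte strings, not real captures; in practice the tagged-parameter bytes would come from a capture tool.

```python
"""CSC 15.5 / 15.6 check of captured beacon information elements (added example).

Parses the RSN information element (IEEE 802.11, element ID 48) and reports
networks whose cipher suites are not AES-based (WEP/TKIP) or whose key
management is not EAP/802.1X (e.g. WPA2-PSK), plus networks that advertise
only the legacy vendor-specific WPA element.
"""
import struct

RSN_ID = 0x30                        # Robust Security Network element (WPA2/WPA3 parameters)
VENDOR_ID = 0xDD                     # vendor-specific element
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"   # Microsoft OUI, type 1: legacy WPA (pre-802.11i) element
RSNA_OUI = b"\x00\x0f\xac"           # IEEE 802.11 suite selector OUI

CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
           8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
        5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
AES_CIPHERS = {"CCMP-128", "CCMP-256", "GCMP-128", "GCMP-256"}
EAP_AKMS = {"802.1X", "FT-802.1X", "802.1X-SHA256"}


def parse_ies(blob):
    """Split a tagged-parameter blob into (element_id, payload) pairs."""
    ies, off = [], 0
    while off + 2 <= len(blob):
        eid, length = blob[off], blob[off + 1]
        payload = blob[off + 2:off + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated information element")
        ies.append((eid, payload))
        off += 2 + length
    return ies


def _suite(selector, table):
    if len(selector) != 4 or selector[:3] != RSNA_OUI:
        return "vendor:" + selector.hex()
    return table.get(selector[3], f"unknown-{selector[3]}")


def parse_rsn(payload):
    """Decode version, group cipher, pairwise cipher list and AKM list of an RSN element."""
    version, = struct.unpack_from("<H", payload, 0)
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    info = {"group": _suite(payload[2:6], CIPHERS), "pairwise": [], "akm": []}
    off = 6
    for key, table in (("pairwise", CIPHERS), ("akm", AKMS)):
        if off + 2 > len(payload):
            break                       # the counts are optional trailing fields
        count, = struct.unpack_from("<H", payload, off)
        off += 2
        for _ in range(count):
            info[key].append(_suite(payload[off:off + 4], table))
            off += 4
    return info


def assess(ie_blob):
    """Return SSID, decoded RSN data and the list of policy issues for one beacon."""
    ies = parse_ies(ie_blob)
    ssid = next((p.decode("utf-8", "replace") for eid, p in ies if eid == 0), "")
    rsn = next((p for eid, p in ies if eid == RSN_ID), None)
    wpa1 = any(eid == VENDOR_ID and p.startswith(WPA_OUI_TYPE) for eid, p in ies)
    issues = []
    if rsn is None:
        issues.append("legacy WPA element only (TKIP era)" if wpa1
                      else "no RSN element: open, WEP or WPA1 network")
        return {"ssid": ssid, "rsn": None, "issues": issues, "compliant": False}
    info = parse_rsn(rsn)
    for cipher in [info["group"]] + info["pairwise"]:
        msg = f"non-AES cipher {cipher}"
        if cipher not in AES_CIPHERS and msg not in issues:
            issues.append(msg)
    if not info["akm"] or any(a not in EAP_AKMS for a in info["akm"]):
        issues.append("AKM not EAP/802.1X: " + ",".join(info["akm"]))
    if wpa1:
        issues.append("legacy WPA element also advertised (mixed mode)")
    return {"ssid": ssid, "rsn": info, "issues": issues, "compliant": not issues}


# Constructed beacons for the demonstration (not real captures).
def _ie(eid, payload):
    return bytes([eid, len(payload)]) + payload


def _rsn_ie(group, pairwise, akms):
    body = struct.pack("<H", 1) + RSNA_OUI + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(RSNA_OUI + bytes([t]) for t in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(RSNA_OUI + bytes([t]) for t in akms)
    return _ie(RSN_ID, body + struct.pack("<H", 0))   # RSN capabilities = 0


SAMPLE_BEACONS = [
    _ie(0, b"corp-secure") + _rsn_ie(4, [4], [1]),      # WPA2-Enterprise, CCMP only
    _ie(0, b"corp-legacy") + _rsn_ie(2, [4, 2], [2]),   # WPA2-PSK, mixed CCMP/TKIP, TKIP group
    _ie(0, b"printer-net") + _ie(VENDOR_ID, WPA_OUI_TYPE + struct.pack("<H", 1)
                                 + b"\x00\x50\xf2\x02" + struct.pack("<H", 1) + b"\x00\x50\xf2\x02"
                                 + struct.pack("<H", 1) + b"\x00\x50\xf2\x02"),  # WPA1, TKIP, PSK
]

if __name__ == "__main__":
    for beacon in SAMPLE_BEACONS:
        r = assess(beacon)
        print(f"{r['ssid']:<12} compliant={r['compliant']} issues={r['issues']}")
```

A beacon tells you what the access point offers, not which suite a given client negotiated; the capture review in the text should therefore also look at the 4-way handshake of real associations, where the client's chosen pairwise cipher and AKM appear in the RSN element it sends.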
CSC 15 System Entity Relationship Diagram (components: Configuration Enforcement System; Computing Systems; Public Key Infrastructure (PKI); Network Device Management System; Network Access Control (NAC); Alerting/Reporting Analytics System; Wireless Intrusion Detection System (WIDS); SCAP Vulnerability Scanner; Network Devices)

CSC 16: Account Monitoring and Control

Actively manage the life cycle of system and application accounts (their creation, use, dormancy, deletion) in order to minimize opportunities for attackers to leverage them.

Why Is This Control Critical?

Attackers frequently discover and exploit legitimate but inactive user accounts to impersonate legitimate users, thereby making discovery of attacker behavior difficult for network watchers. Accounts of contractors and employees who have been terminated and accounts formerly set up for Red Team testing (but not deleted afterwards) have often been misused in this way. Additionally, some malicious insiders or former employees have accessed accounts left behind in a system long after contract expiration, maintaining their access to an organization's computing system and sensitive data for unauthorized and sometimes malicious purposes.

CSC 16: Account Monitoring and Control

CSC 16.1 (Application): Review all system accounts and disable any account that cannot be associated with a business process and owner.

CSC 16.2 (Application): Ensure that all accounts have an expiration date that is monitored and enforced.

CSC 16.3 (Application): Establish and follow a process for revoking system access by disabling accounts immediately upon termination of an employee or contractor. Disabling instead of deleting accounts allows preservation of audit trails.

CSC 16.4 (Application): Regularly monitor the use of all accounts, automatically logging off users after a standard period of inactivity.

CSC 16.5 (Application): Configure screen locks on systems to limit access to unattended workstations.
CSC 16.6 (Application): Monitor account usage to determine dormant accounts, notifying the user or user's manager. Disable such accounts if not needed, or document and monitor exceptions (e.g., vendor maintenance accounts needed for system recovery or continuity operations). Require that managers match active employees and contractors with each account belonging to their managed staff. Security or system administrators should then disable accounts that are not assigned to valid workforce members.

CSC 16.7 (Application): Use and configure account lockouts such that after a set number of failed login attempts the account is locked for a standard period of time.

CSC 16.8 (Application): Monitor attempts to access deactivated accounts through audit logging.

CSC 16.9 (Application): Configure access for all accounts through a centralized point of authentication, for example Active Directory or LDAP. Configure network and security devices for centralized authentication as well.

CSC 16.10 (Application): Profile each user's typical account usage by determining normal time-of-day access and access duration. Reports should be generated that indicate users who have logged in during unusual hours or have exceeded their normal login duration. This includes flagging the use of the user's credentials from a computer other than computers on which the user generally works.

CSC 16.11 (Application): Require multi-factor authentication for all user accounts that have access to sensitive data or systems. Multi-factor authentication can be achieved using smart cards, certificates, One Time Password (OTP) tokens, or biometrics.

CSC 16.12 (Application): Where multi-factor authentication is not supported, user accounts shall be required to use long passwords on the system (longer than 14 characters).

CSC 16.13 (Application): Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.

CSC 16.14 (Application): Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. Audit all access to password files in the system.
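The dormant-account check in 16.6, the deactivated-account monitoring in 16.8 and the time-of-day and source-host profiling in 16.10 can all be driven from ordinary authentication logs joined with an account export from the directory. The following Python script is an added example for this edition, not code from CIS or from any identity product; the account list, the log line format, the 45-day dormancy threshold and every event are constructed for the demonstration, and a real deployment would read the same two inputs from the directory and the SIEM. Login duration (also in 16.10) is not covered because these records carry no logout events.

```python
"""CSC 16 account-usage review over constructed authentication logs (added example).

Implements three checks from the control: per-user time-of-day and source-host
profiling to flag unusual logins (16.10), dormant active accounts (16.6), and
attempts to use deactivated accounts (16.8).
"""
import re
from datetime import datetime, timedelta

EVENT_RE = re.compile(r"^(\S+) user=(\S+) host=(\S+) result=(success|failure)$")

# Constructed directory export: account -> status (hypothetical names).
ACCOUNTS = {"alice": "active", "bob": "active", "svc_backup": "active",
            "carol": "disabled", "dave": "active"}
AS_OF = datetime(2016, 8, 5)

# Constructed baseline month used to learn each account's normal pattern.
BASELINE_LOG = """
2016-07-05T08:02:10 user=alice host=WS-ALICE result=success
2016-07-06T08:15:33 user=alice host=WS-ALICE result=success
2016-07-07T16:48:01 user=alice host=WS-ALICE result=success
2016-07-05T09:10:00 user=bob host=WS-BOB result=success
2016-07-06T17:55:12 user=bob host=WS-BOB result=success
2016-07-12T02:00:05 user=svc_backup host=SRV-BACKUP01 result=success
"""

# Constructed review window to be checked against the baseline.
REVIEW_LOG = """
2016-08-02T03:12:44 user=alice host=WS-ALICE result=success
2016-08-02T10:05:09 user=alice host=SRV-FILE01 result=success
2016-08-03T11:00:27 user=bob host=WS-BOB result=success
2016-08-03T22:40:51 user=carol host=VPN-GW result=failure
2016-08-04T02:00:03 user=svc_backup host=SRV-BACKUP01 result=success
"""


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable auth event: {line!r}")
        ts, user, host, result = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "ok": result == "success"})
    return events


def build_profiles(baseline):
    """Per account: hours of day and hosts seen in successful baseline logins."""
    profiles = {}
    for e in baseline:
        if e["ok"]:
            p = profiles.setdefault(e["user"], {"hours": set(), "hosts": set()})
            p["hours"].add(e["ts"].hour)
            p["hosts"].add(e["host"])
    return profiles


def flag_unusual_logins(review, profiles):
    """16.10: successful logins outside the account's usual hour band or from a new host."""
    flags = []
    for e in review:
        if not e["ok"]:
            continue
        p = profiles.get(e["user"])
        if p is None:
            flags.append((e, "no baseline for this account"))
            continue
        lo, hi = min(p["hours"]), max(p["hours"])
        if not lo <= e["ts"].hour <= hi:
            flags.append((e, f"login at {e['ts'].hour:02d}:xx outside usual {lo:02d}-{hi:02d}"))
        if e["host"] not in p["hosts"]:
            flags.append((e, f"login from unusual host {e['host']}"))
    return flags


def dormant_accounts(accounts, events, as_of, max_idle_days=45):
    """16.6: active accounts with no successful login within max_idle_days (or ever)."""
    last = {}
    for e in events:
        if e["ok"]:
            last[e["user"]] = max(last.get(e["user"], e["ts"]), e["ts"])
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(u for u, status in accounts.items()
                  if status == "active" and (u not in last or last[u] < cutoff))


def disabled_account_attempts(accounts, events):
    """16.8: any authentication event, successful or not, against a deactivated account."""
    return [e for e in events if accounts.get(e["user"]) == "disabled"]


if __name__ == "__main__":
    baseline, review = parse_events(BASELINE_LOG), parse_events(REVIEW_LOG)
    for e, why in flag_unusual_logins(review, build_profiles(baseline)):
        print(f"UNUSUAL  {e['ts']} {e['user']}@{e['host']}: {why}")
    for u in dormant_accounts(ACCOUNTS, baseline + review, AS_OF):
        print(f"DORMANT  {u}")
    for e in disabled_account_attempts(ACCOUNTS, review):
        print(f"DISABLED {e['ts']} {e['user']}@{e['host']} result={'ok' if e['ok'] else 'fail'}")
```

The service account's 02:00 logins are not flagged because its own baseline is nocturnal; the profile is built per account, so the same hour is unusual for one user and routine for another. A successful login against a disabled account is the more serious finding from disabled_account_attempts, since it means the disable step in 16.3 did not take effect on that system.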
CSC 16 Procedures and Tools

Although most operating systems include capabilities for logging information about account usage, these features are sometimes disabled by default. Even when such features are present and active, they often do not provide fine-grained detail about access to the system by default. Security personnel can configure systems to record more detailed information about account access, and use home-grown scripts or third-party log analysis tools to analyze this information and profile user access of various systems.

Accounts must also be tracked very closely. Any account that is dormant must be disabled and eventually removed from the system. All active accounts must be traced back to authorized users of the system, and it must be ensured that their passwords are robust and changed on a regular basis. Users must also be logged out of the system after a period of no activity to minimize the possibility of an attacker using their system to extract information from the organization.

CSC 16 System Entity Relationship Diagram (components: Identity & Access Management System; Alerting/Reporting Analytics System; Authentication System; Configuration Enforcement System; Workforce Members; Computing Systems)

CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps

For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.

Why Is This Control Critical?
It is tempting to think of cyber defense primarily as a technical challenge, but the actions of people also play a critical part in the success or failure of an enterprise. People fulfill important functions at every stage of system design, implementation, operation, use, and oversight. Examples include: system developers and programmers (who may not understand the opportunity to resolve root cause vulnerabilities early in the system life cycle); IT operations professionals (who may not recognize the security implications of IT artifacts and logs); end users (who may be susceptible to social engineering schemes such as phishing); security analysts (who struggle to keep up with an explosion of new information); and executives and system owners (who struggle to quantify the role that cybersecurity plays in overall operational/mission risk, and have no reasonable way to make relevant investment decisions).

Attackers are very conscious of these issues and use them to plan their exploitations by, for example: carefully crafting phishing messages that look like routine and expected traffic to an unwary user; exploiting the gaps or seams between policy and technology (e.g., policies that have no technical enforcement); working within the time window of patching or log review; using nominally non-security-critical systems as jump points or bots.

No cyber defense approach can effectively address cyber risk without a means to address this fundamental vulnerability. Conversely, empowering people with good cyber defense habits can significantly increase readiness.

CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps

CSC 17.1 (Application): Perform gap analysis to see which skills employees need to implement the other Controls, and which behaviors employees are not adhering to, using this information to build a baseline training and awareness roadmap for all employees.
CSC 17.2 (Application): Deliver training to fill the skills gap. If possible, use more senior staff to deliver the training. A second option is to have outside teachers provide training on site so the examples used will be directly relevant. If you have small numbers of people to train, use training conferences or online training to fill the gaps.

CSC 17.3 (Application): Implement a security awareness program that (1) focuses on the methods commonly used in intrusions that can be blocked through individual action, (2) is delivered in short online modules convenient for employees, (3) is updated frequently (at least annually) to represent the latest attack techniques, (4) is mandated for completion by all employees at least annually, (5) is reliably monitored for employee completion, and (6) includes the senior leadership team's personal messaging, involvement in training, and accountability through performance metrics.

CSC 17.4 (Application): Validate and improve awareness levels through periodic tests to see whether employees will click on a link from suspicious email or provide sensitive information on the telephone without following appropriate procedures for authenticating a caller; targeted training should be provided to those who fall victim to the exercise.

CSC 17.5 (Application): Use security skills assessments for each of the mission-critical roles to identify skills gaps. Use hands-on, real-world examples to measure mastery. If you do not have such assessments, use one of the available online competitions that simulate real-world scenarios for each of the identified jobs in order to measure mastery of skills.

CSC 17 Procedures and Tools

An effective enterprise-wide training program should take a holistic approach and consider policy and technology at the same time as the training of people. For example, policies should be designed with technical measurement and enforcement when possible, reinforced by training to fill gaps; technical controls can be implemented to bound and minimize the opportunity for people to make mistakes, so that training can focus on the things that cannot be managed technically.
To be effective in both cost and outcome, security training should be prioritized, focused, specific, and measurable. A key way to prioritize training is to focus first on those jobs and roles that are critical to the mission or business outcome of the enterprise. One way to identify these mission-critical jobs is to reference the work of the 2012 Task Force on Cyber Skills established by the Secretary of Homeland Security: 1) System and Network Penetration Testers, 2) Application Penetration Testers, 3) Security Monitoring and Event Analysts, 4) Incident Responders In-Depth, 5) Counter-Intelligence/Insider Threat Analysts, 6) Risk Assessment Engineers, 7) Secure Coders and Code Reviewers, 8) Security Engineers/Architecture and Design, 9) Security Engineers/Operations, and 10) Advanced Forensics Analysts. A comprehensive taxonomy of cybersecurity roles is available through the National Cybersecurity Workforce Framework, developed by the National Institute of Standards and Technology (NIST), which maps to roles commonly found in enterprises and government organizations.

General awareness training for all users also plays an important role. But even this training should be tailored to functional roles and focused on specific actions that put the organization at risk, and measured in order to drive remediation.

The key to upgrading skills is measurement through assessments that show both the employee and the employer where knowledge is sufficient and where there are gaps. Once the gaps have been identified, those employees who have the requisite skills and knowledge can be called upon to mentor employees who need to improve their skills. In addition, the organization can develop training plans to fill the gaps and maintain employee readiness.

A full treatment of this topic is beyond the scope of the Critical Security Controls. However, the Cybersecurity Workforce Handbook published by the Center for Internet Security (www.cisecurity.org) provides foundational steps to take in optimizing the workforce for enterprise security.
CSC 17 System Entity Relationship Diagram (figure): Alerting/Reporting Analytics System; User Assessments; Education Plans/Training Programs; Workforce Members.

CSC 18: Application Software Security

Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.

Why Is This Control Critical?

Attacks often take advantage of vulnerabilities found in web-based and other application software. Vulnerabilities can be present for many reasons, including coding mistakes, logic errors, incomplete requirements, and failure to test for unusual or unexpected conditions. Examples of specific errors include: the failure to check the size of user input; failure to filter out unneeded but potentially malicious character sequences from input streams; failure to initialize and clear variables; and poor memory management allowing flaws in one part of the software to affect unrelated (and more security critical) portions. There is a flood of public and private information about such vulnerabilities available to attackers and defenders alike, as well as a robust marketplace for tools and techniques to allow "weaponization" of vulnerabilities into exploits. Attackers can inject specific exploits, including buffer overflows, SQL injection attacks, cross-site scripting, cross-site request forgery, and click-jacking of code to gain control over vulnerable machines. In one attack, more than 1 million web servers were exploited and turned into infection engines for visitors to those sites using SQL injection. During that attack, trusted websites from state governments and other organizations compromised by attackers were used to infect hundreds of thousands of browsers that accessed those websites. Many more web and non-web application vulnerabilities are discovered on a regular basis.

CSC 18: Application Software Security

Family | CSC | Control Description
Application | 18.1 | For all acquired application software, check that the version you are using is still supported by the vendor. If not, update to the most current version and install all relevant patches and vendor security recommendations.
Application | 18.2 | Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks, including but not limited to cross-site scripting, SQL injection, command injection, and directory traversal attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed. (Note: Dealing with encrypted/tunneled traffic requires more planning and resources.)
Application | 18.3 | For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
Application | 18.4 | Test in-house-developed and third-party-procured web applications for common security weaknesses using automated remote web application scanners prior to deployment, whenever updates are made to the application, and on a regular recurring basis. In particular, input validation and output encoding routines of application software should be reviewed and tested.
Application | 18.5 | Do not display system error messages to end-users (output sanitization).
Application | 18.6 | Maintain separate environments for production and nonproduction systems. Developers should not typically have unmonitored access to production environments.
Application | 18.7 | For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
Application | 18.8 | Ensure that all software development personnel receive training in writing secure code for their specific development environment.
Application | 18.9 | For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment.

CSC 18 Procedures and Tools

The security of applications (in-house developed or acquired) is a complex activity requiring a complete program encompassing enterprise-wide policy, technology, and the role of people. These are often broadly defined or required by formal Risk Management Frameworks and processes.

A comprehensive treatment of this topic is beyond the scope of the Critical Security Controls. However, the actions in CSC 6 provide specific, high-priority steps that can improve Application Software Security. In addition, we recommend use of the many excellent comprehensive resources dedicated to this topic. Examples include: the DHS "Build Security In" Program <buildsecurityin.us-cert.gov>, and The Open Web Application Security Project (OWASP) <www.owasp.org>.

CSC 18 System Entity Relationship Diagram (figure): Alerting/Reporting Analytics System; Patch Management System; Code Review/Vulnerability Scanner; Web Application Server; Web Application Firewall (WAF).

CSC 19: Incident Response and Management

Protect the organization's information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker's presence, and restoring the integrity of the network and systems.

Why Is This Control Critical?

Cyber incidents are now just part of our way of life. Even large, well-funded, and technically sophisticated enterprises struggle to keep up with the frequency and complexity of attacks.
The question of a successful cyber-attack against an enterprise is not "if" but "when." When an incident occurs, it is too late to develop the right procedures, reporting, data collection, management responsibility, legal protocols, and communications strategy that will allow the enterprise to successfully understand, manage, and recover. Without an incident response plan, an organization may not discover an attack in the first place, or, if the attack is detected, the organization may not follow good procedures to contain damage, eradicate the attacker's presence, and recover in a secure fashion. Thus, the attacker may have a far greater impact, causing more damage, infecting more systems, and possibly exfiltrating more sensitive data than would otherwise be possible were an effective incident response plan in place.

CSC 19: Incident Response and Management

Family | CSC | Control Description
Application | 19.1 | Ensure that there are written incident response procedures that include a definition of personnel roles for handling incidents. The procedures should define the phases of incident handling.
Application | 19.2 | Assign job titles and duties for handling computer and network incidents to specific individuals.
Application | 19.3 | Define management personnel who will support the incident handling process by acting in key decision-making roles.
Application | 19.4 | Devise organization-wide standards for the time required for system administrators and other personnel to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification. This reporting should also include notifying the appropriate Community Emergency Response Team in accordance with all legal or regulatory requirements for involving that organization in computer incidents.
Application | 19.5 | Assemble and maintain information on third-party contact information to be used to report a security incident (e.g., [email protected] or have a web page http://organization.com/security).
Application | 19.6 | Publish information for all personnel, including employees and contractors, regarding reporting computer anomalies and incidents to the incident handling team. Such information should be included in routine employee awareness activities.
Application | 19.7 | Conduct periodic incident scenario sessions for personnel associated with the incident handling team to ensure that they understand current threats and risks, as well as their responsibilities in supporting the incident handling team.

CSC 19 Procedures and Tools

After defining detailed incident response procedures, the incident response team should engage in periodic scenario-based training, working through a series of attack scenarios fine-tuned to the threats and vulnerabilities the organization faces. These scenarios help ensure that team members understand their role on the incident response team and also help prepare them to handle incidents.

A full treatment of this topic is beyond the scope of the Critical Security Controls. However, the actions in CSC 18 provide specific, high-priority steps that can improve enterprise security, and should be a part of any comprehensive incident and response plan.

CSC 19 System Entity Relationship Diagram (figure): Alerting/Reporting Analytics System; Third Party Authorities; Incident Management Documentation; Workforce Members.

CSC 20: Penetration Tests and Red Team Exercises

Test the overall strength of an organization's defenses (the technology, the processes, and the people) by simulating the objectives and actions of an attacker.

Why Is This Control Critical?

Attackers often exploit the gap between good defensive designs and intentions and implementation or maintenance. Examples include: the time window between announcement of a vulnerability, the availability of a vendor patch, and actual installation on every machine; well-intentioned policies which have no enforcement mechanism (especially those intended to restrict risky human actions); failure to apply good configurations and other practices to the entire enterprise, or to machines that come in-and-out of the network; and failure to understand the interaction among multiple defensive tools, or with normal system operations that have security implications.
In addition, successful defense requires a comprehensive program of technical defenses, good policy and governance, and appropriate action by people. In a complex environment where technology is constantly evolving, and new attacker tradecraft appears regularly, organizations should periodically test their defenses to identify gaps and to assess their readiness.

Penetration testing starts from the identification and assessment of vulnerabilities that can be identified in the enterprise. It complements this by designing and executing tests that demonstrate specifically how an adversary can either subvert the organization's security goals (e.g., the protection of specific Intellectual Property) or achieve specific adversarial objectives (e.g., establishment of a covert Command and Control infrastructure). The result provides deeper insight, through demonstration, into the business risks of various vulnerabilities.

Red Team exercises take a comprehensive approach at the full spectrum of organization policies, processes, and defenses in order to improve organizational readiness, improve training for defensive practitioners, and inspect current performance levels. Independent Red Teams can provide valuable and objective insights about the existence of vulnerabilities and the efficacy of defenses and mitigating controls already in place and even of those planned for future implementation.

CSC 20: Penetration Tests and Red Team Exercises

Family | CSC | Control Description
Application | 20.1 | Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully. Penetration testing should occur from outside the network perimeter (i.e., the Internet or wireless frequencies around an organization) as well as from within its boundaries (i.e., on the internal network) to simulate both outsider and insider attacks.
Application | 20.2 | Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.
Application | 20.3 | Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Application | 20.4 | Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails or documents containing passwords or other information critical to system operation.
Application | 20.5 | Plan clear goals of the penetration test itself with blended attacks in mind, identifying the goal machine or target asset. Many APT-style attacks deploy multiple vectors, often social engineering combined with web or network exploitation. Red Team manual or automated testing that captures pivoted and multi-vector attacks offers a more realistic assessment of security posture and risk to critical assets.
Application | 20.6 | Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Application | 20.7 | Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Application | 20.8 | Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.

CSC 20 Procedures and Tools

Penetration testing and Red Teaming only provide significant value when basic defensive measures have already been put into place, and when they are performed as part of a comprehensive, ongoing program of security management and improvement. These are often specified and required by formal Risk Management Frameworks and processes.
Each organization should define a clear scope and rules of engagement for penetration testing and Red Team analyses. The scope of such projects should include, at a minimum, systems with the organization's highest value information and production processing functionality. Other lower-value systems may also be tested to see if they can be used as pivot points to compromise higher-value targets. The rules of engagement for penetration tests and Red Team analyses should describe, at a minimum, times of day for testing, duration of tests, and the overall test approach.

A full treatment of this topic is beyond the scope of the CIS Critical Security Controls. However, the actions in CSC 20 provide specific, high-priority steps that can improve enterprise security, and should be a part of any comprehensive penetration testing and Red Team program.

CSC 20 Entity Relationship Diagram (figure): Alerting/Reporting Analytics System; Penetration Testers; Penetration Testing Systems; Computing Systems.

Appendix A: Evolving An Attack Model for the CIS Critical Security Controls

Background

Since their inception, the CIS Critical Security Controls ("the Controls") have had a basic tenet of "Offense Informs Defense". That is, knowledge of actual attacks that have compromised systems (the Bad Guys' "offense") is the key factor to inform and determine the value of defensive actions. You may not be able to afford to do everything you want or need to do, and so cyber defense must be driven by prioritization – what should I do first to get the most value from my defensive resources? We believe that value is best determined by the attacker – what are they doing to us now, and what are the most useful, scalable actions we can take to stop them?
The Controls reflect knowledge of actual attacks and effective defenses gathered from experts from every part of the ecosystem across many sectors. To do this, a team reviewed and analyzed attack data from many of the leading vendor threat reports to ensure the Controls adequately aligned with the most prevalent threats. We call this process a "Community Attack Model" for the CIS Critical Security Controls – the gathering of relevant real-life information about attacks and putting them into context so they can be easily and reliably mapped to defensive action. "Community" refers to the breadth of the participants and information sources, and also to the shared labor that operates this process. But we also emphasize that these are the threats that the entire Community faces – the documented, specific successes of the Attackers. Any one specific category of attack might not have hit you today, but it could just as easily do so tomorrow.

A Community Approach to Understanding Attacks and Threats

The Community Attack Model began by validating and enriching mapping from a well-documented and authoritative source of "real life" data – the Verizon Data Breach Investigations Report (2013, 2014, 2015). After the Verizon team did their primary analysis, a volunteer panel formed by the Center for Internet Security worked with them to map the most important categories of attacks seen in the prior year's data directly in the Controls (at a sub-Control level), and this map became a key part of the Verizon DBIR Recommendations. More recently, we completed similar mappings using annual reports, working with the Symantec Internet Security Report 2015 and the HP Cyber Risk Report 2015. This approach allows readers of these data-driven annual reports to easily and consistently map into the Controls.

A couple of key points to note about this workflow.

• The mapping is from the vendor's category or summary level of attacks – not from data about every individual attack.
• The data is created by the vendor's business model (e.g., incident response, managed security, anti-malware sensors, threat intelligence), and so each represents an incomplete but well-documented sampling of the ecosystem.
• The categories used by the vendors are typically in narrative form, and not presented in any standard form or taxonomy. Recommendations are also typically in narrative form, not tied to any specific defensive framework. Therefore, mapping from any one vendor's report to the Controls requires some discussion and analytic judgment.

Community Attack Model workflow (figure): Attackers; Solutions, services vendors (collect, analyze attack data; summarize by classes, categories; prioritize; make recommendations, publish report); Center for Internet Security (for each report, map from classes of problems into the CSCs (sub-Controls); publish each mapping; refresh Controls as needed).

The use of this attack information and the selection of appropriate defensive action can be seen as part of a broader "Foundational Risk Assessment" of understanding vulnerabilities, the threats and the resulting consequences – one that can be used by an individual enterprise as a starting point for immediate, high-value action, and can also provide a basis for common action across an entire community.

Building An Operational Attack Model

As the community around the Controls has grown in size and diversity, and as the environment has grown more complex, we must evolve this Model to be more scalable, repeatable, adaptable to different communities, and more consistent with formal security frameworks – all without disrupting the spirit of cooperation and common good that has brought us this far.

Whether you approach this problem as an individual enterprise or as a community of enterprises, you must create and operate an ongoing, repeatable process to find relevant new information about Attackers, assess the implications for your environment, make key decisions, and then take action. Doing so will help determine your best investments both tactically and strategically.

A useful model will have a number of essential attributes.

• It should be driven by data from authoritative, publicly available sources, but also be able to make use of specialized (e.g., uniquely applicable to a sector) or restricted (e.g., encumbered by classification or agreement) knowledge.
• It should have a well-defined process to translate from attacks to action (controls) in a way that supports prioritization and is consistent with formal Risk Management Frameworks.
• It should have an on-going "refresh" cycle that allows validation of prior defensive choices, as well as assessment of new information.
• It should be low cost, and preferably shared cost across a community.
• It should be openly demonstrable to others and negotiable (since your risk is always shared with others).

So the evolution of the CIS Critical Security Controls will follow the above guidelines to continually enrich and refresh the Controls. It will expand the number and variety of threat reports, develop a standard categorization or taxonomy of attacks to map to other frameworks, and will take advantage of existing avenues for information sharing, such as using the Multi-State Information Sharing and Analysis Center (MS-ISAC).

Appendix B: Attack Types

Historically, the following Attack Types were the primary ones considered when developing the Critical Security Controls. The types were also mapped back into the Controls as part of the discussion to ensure good coverage by the Controls. This approach has been phased out in favor of the CIS Community Attack Model.

Attack Summary

• Attackers continually scan for new, unprotected systems, including test or experimental systems, and exploit such systems to gain control of them.
• Attackers distribute hostile content on Internet-accessible (and sometimes internal) websites that exploit unpatched and improperly secured client software running on victim machines.
• Attackers continually scan for vulnerable software and exploit it to gain control of target machines.
• Attackers use currently infected or compromised machines to identify and exploit other vulnerable machines across an internal network.
• Attackers exploit weak default configurations of systems that are more geared to ease of use than security.
• Attackers exploit new vulnerabilities on systems that lack critical patches in organizations that do not know that they are vulnerable because they lack continuous vulnerability assessments and effective remediation.
• Attackers compromise target organizations that do not exercise their defenses to determine and continually improve their effectiveness.
• Attackers use malicious code to gain and maintain control of target machines, capture sensitive data, and then spread it to other systems, sometimes wielding code that disables or dodges signature-based anti-virus tools.
• Attackers scan for remotely accessible services on target systems that are often unneeded for business activities, but provide an avenue of attack and compromise of the organization.
• Attackers exploit weak application software, particularly web applications, through attack vectors such as SQL injection, cross-site scripting, and similar tools.
• Attackers exploit wireless access points to gain entry into a target organization's internal network, and exploit wireless client systems to steal sensitive information.
• Attackers exploit users and system administrators via social engineering scams that work because of a lack of security skills and awareness.
• Attackers exploit and infiltrate through network devices whose security configuration has been weakened over time by granting, for specific short-term business needs, supposedly temporary exceptions that are never removed.
• Attackers trick a user with an administrator-level account into opening a phishing-style email with an attachment or surfing to the attacker's content on an Internet website, allowing the attacker's malicious code or exploit to run on the victim machine with full administrator privileges.
• Attackers exploit boundary systems on Internet-accessible DMZ networks, and then pivot to gain deeper access on internal networks.
• Attackers exploit poorly designed network architectures by locating unneeded or unprotected connections, weak filtering, or a lack of separation of important systems or business functions.
• Attackers operate undetected for extended periods of time on compromised systems because of a lack of logging and log review.
• Attackers gain access to sensitive documents in an organization that does not properly identify and protect sensitive information or separate it from non-sensitive information.
• Attackers compromise inactive user accounts left behind by temporary workers, contractors, and former employees, including accounts left behind by the attackers themselves who are former employees.
• Attackers escalate their privileges on victim machines by launching password guessing, password cracking, or privilege escalation exploits to gain administrator control of systems, which is then used to propagate to other victim machines across an enterprise.
• Attackers gain access to internal enterprise systems and gather and exfiltrate sensitive information without detection by the victim organization.
• Attackers compromise systems and alter important data, potentially jeopardizing organizational effectiveness via polluted information.
• Attackers operate undiscovered in organizations without effective incident-response capabilities, and when the attackers are discovered, the organizations often cannot properly contain the attack, eradicate the attacker's presence, or recover to a secure production state.

Appendix C: The NIST Framework for Improving Critical Infrastructure Cybersecurity

Since its release in February 2014, The NIST Framework for Improving Critical Infrastructure Cybersecurity has become a major part of the national conversation about cybersecurity for the critical infrastructure (and beyond), and we believe it represents an important step towards large-scale and specific improvements in security for the United States and internationally. The Center for Internet Security was an active participant in the development of the Framework, and the CIS Critical Security Controls are called out as one of the "Informative References" that can be used to drive specific implementation.

The Framework is true to its name – "a set of principles, ideas, etc. that you use when you are forming your decisions and judgments" (from the MacMillan Dictionary) – and it provides a way to organize, conduct, and drive the conversation about security goals and improvements, for individual enterprises and across communities of enterprises. But it does not include any specific risk management process, or specify any priority of action. Those "decisions and judgments" are left to the adopter to manage for their specific situation and context.
We believe that for the vast majority of enterprises, the best approach to solving these problems is to tackle them as a community – not enterprise-by-enterprise. This is the essence of the CIS non-profit community model, and is embodied in projects like the CIS Critical Security Controls, the CIS Security Configuration Benchmarks, and the National Cyber Hygiene Campaign. We need to band together to identify key actions, create information, share tools, and remove barriers so that we can all succeed.

In that spirit the Center for Internet Security will continue to support the evolution of the Framework, and also help our community leverage the content, processes, and priorities of the CIS Critical Security Controls as an action mechanism in alignment with the NIST Cybersecurity Framework.

Below is an example of the working aids that CIS maintains to help our community leverage the Framework. This chart shows the mapping from the Critical Security Controls (Version 6.0) into the most relevant NIST CSF (Version 1.0) Core Functions and Categories. The CSF Core Functions are Identify, Protect, Detect, Respond, and Recover; the chart lists the two-letter CSF Category abbreviations for each Control.

CIS Critical Security Controls (V6.0) | Cybersecurity Framework (CSF) Core Categories
CSC 1: Inventory of Authorized and Unauthorized Devices | AM
CSC 2: Inventory of Authorized and Unauthorized Software | AM
CSC 3: Secure Configuration of End user devices | IP
CSC 4: Continuous Vulnerability Assessment and Remediation | RA, CM, MI
CSC 5: Controlled Use of Administrative Privileges | AC
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs | AE, AN
CSC 7: Email and Web Browser Protections | PT
CSC 8: Malware Defense | PT, CM
CSC 9: Limitation and Control of Network Ports, Protocols, and Service | IP
CSC 10: Data Recovery Capability | RP
CSC 11: Secure Configuration of Network Devices | IP
CSC 12: Boundary Defense | DP
CSC 13: Data Protection | DS
CSC 14: Controlled Access Based on Need to Know | AC
CSC 15: Wireless Access Control | AC
CSC 16: Account Monitoring and Control | AC, CM
CSC 17: Security Skills Assessment and Appropriate Training | AT
CSC 18: Application Software Security | IP
CSC 19: Incident Response and Management, and CSC 20: Penetration Tests and Red Team Exercises (the extracted layout does not preserve which of these two rows each entry belongs to) | AE, RP, IM, IM
Appendix D: The National Cyber Hygiene Campaign

The National Campaign for Cyber Hygiene was developed to provide a plain-language, accessible, and low-cost foundation for implementation of the CIS Critical Security Controls. Although the Controls already simplify the daunting challenges of cyber defense by creating community priorities and action, many enterprises are starting from a very basic level of security.

The Campaign starts with a few basic questions that every corporate and government leader ought to be able to answer.

• Do we know what is connected to our systems and networks? (CSC 1)
• Do we know what software is running (or trying to run) on our systems and networks? (CSC 2)
• Are we continuously managing our systems using "known good" configurations? (CSC 3)
• Are we continuously looking for and managing "known bad" software? (CSC 4)
• Do we limit and track the people who have the administrative privileges to change, bypass, or over-ride our security settings? (CSC 5)

These questions, and the actions required to answer them, are represented in "plain language" by the Top 5 Priorities of the Campaign: "Count, Configure, Control, Patch, Repeat". To support the Campaign, volunteers have created documentation and "toolkits" to guide implementation.

Although the language is simple and catchy, behind the scenes each of these questions is associated with a primary Control that provides an action plan. The Campaign is also designed to be in alignment with the first 5 of the CIS Critical Security Controls, the Australian Signals Directorate's (ASD) "Top Four Strategies to Mitigate Targeted Intrusions", and the DHS Continuous Diagnostic and Mitigation (CDM) Program. This provides a strong and defendable basis for the Campaign Priorities, a growth path for maturity beyond these basic actions, and the benefits of a large community of experts, users, and vendors.
The National Campaign for Cyber Hygiene has been jointly adopted by the Center for Internet Security (home of the Multi-State Information Sharing and Analysis Center) and the National Governor's Association Homeland Security Advisory Council (GHSAC) as a foundational cybersecurity program across many State, Local, Tribal, and Territorial governments and offers toolkits and resources for any public or private organization. For more information, go to www.cisecurity.org.

Appendix E: Critical Governance Controls and the CIS Critical Security Controls

Cybersecurity governance is a key responsibility of the board of directors and senior executives, and it must be an integral part of overall enterprise governance. Because of its dynamic nature, cybersecurity governance must also be aligned with an operational cybersecurity framework.

To exercise effective governance, executives must have a clear understanding of what to expect from their information security program. They need to know how to direct the implementation, evaluate their own status with regard to existing security programs, and determine the strategy and objectives of an effective security program.

How the CIS Critical Security Controls Can Help

The Controls are actionable, automated activities that detect and prevent attacks against your network and most important data. They support enterprise security governance programs by bridging the gap from an executive view of business risk to a technical view of specific actions and operational controls to manage those risks. Key executive concerns about information security risks can be translated into specific programs for security improvement, and also into day-to-day security tasks for front-line personnel. This allows better alignment top-to-bottom of corporate risk management. Also, since the Controls are created and supported by a large independent community of practitioners and vendors, they provide a specific, supported, and open baseline for measurement and negotiation about security improvement – one that is demonstrably in alignment with essentially all formal regulatory, governance, and oversight frameworks.
From Governance to the CIS Critical Security Controls

To help improve your company's ability to manage information risks, here are some sample steps to help you align corporate governance concerns with the implementation of security controls. These examples identify the primary, but not the only, CIS Critical Security Controls which should be implemented.

Governance Item #1: Identify your most important information assets and the impact on your business or mission if they were to be compromised.

Information is the lifeblood of every modern enterprise, and the movement, storage, and control of that information is inextricably bound to the use of Information Technology. Therefore the following CIS Critical Security Controls are the primary means to track and control the system components that manage the flow, presentation, and use of information.

CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software

Governance Item #2: Manage the known cyber vulnerabilities of your information and make sure the necessary security policies are in place to manage the risk.

At a minimum, you should be able to identify and manage the large volume of known flaws and vulnerabilities found in Information Technology and processes. The following CIS Critical Security Controls are the primary means to establish a baseline of responsible practices that can be measured, managed, and reported.

CSC 3: Secure Configurations of Hardware and Software
CSC 4: Continuous Vulnerability Assessment and Remediation

Governance Item #3: Clearly identify the key threats to your information and assess the weaknesses in your defense.

Threats to your information, systems, and processes evolve constantly. The following CIS Critical Security Controls are the primary means to establish a baseline of responsible practices that can be measured, managed, and reported.

CSC 8: Malware Defenses
CSC 20: Penetration Tests and Red Team Exercises

Governance Item #4: Confirm and control who has access to the most important information.
Ensuring that the right people have access to corporate data and ensuring privileges are managed accurately can reduce the impact of unauthorized access, both from internal and external threats. The following CIS Critical Security Controls are the primary means to establish a baseline of responsible practices to identify needs and manage access.

CSC 14: Controlled Access Based on the Need to Know
CSC 5: Controlled Use of Administrative Privileges

A fundamental goal of information security is to reduce adverse impacts on the organization to an acceptable level of risk. Therefore, a crucial metric comprises the adverse impacts of information security incidents experienced by the company. An effective security program will show a trend of impact reduction. Quantitative measures can include trend analysis of impacts over time.

Developing an Overall Governance Strategy

While the CIS Critical Security Controls provide an effective way to plan, prioritize, and implement primarily technical controls for cyber defense, they are best used as part of a holistic information governance program – one that also addresses policies, standards, and guidelines that support technical implementations. For example, conducting an inventory of devices on your network is an important technical best practice, but an organization must also define and publish policies and processes that clearly communicate to employees the purpose of these controls, what is expected of them, and the role they play in protecting the company's interests.

The following topics provide a useful framework for developing your overall governance strategy. Based on our experience, these are prioritized based on their impact in building and supporting an effective information assurance program.

Executive Sponsorship: Develop information assurance charters with roles and responsibilities, steering committees, and board of director briefings to establish support and leadership from executives.

Information Assurance Program Management: Define management and resource allocation controls, such as budgeting and prioritization, to govern information assurance programs under executive sponsorship.
Information Assurance Policies and Standards Management: Define and document policies and standards to provide detailed guidance regarding how security controls will be completed to promote consistency in defense.

Data Classification: Identify, prioritize and label data assets, including analog or physical assets.

Risk Management: Identify thoughtful and purposeful defense strategies based on priority decisions on how best to defend valuable data assets.

Compliance and Legal Management: Address compliance requirements based on the regulatory and contractual requirements placed on your organization.

Security Awareness and Education: Establish education plans for all workforce members to ensure that they have the necessary skills to protect information assets as a part of their responsibilities.

Audit and Assessment Management: Conduct audits and assessments to ensure that information assurance efforts are consistent with the standards you have defined and to assist in your efforts to manage risk.

Personnel and Human Resources Management: Specify personnel and human resources controls to manage the way people interact with data assets. People, as well as technology controls, are critical for the defense of information assets.

Budgets and Resource Management: Allocate appropriate resources in order to be effective at defense. Information assurance architectures are vital for defense, but without budgets and resources, such plans will never be effective.

Physical Security: Protect the equipment, buildings, and locations where data assets are stored to provide a foundation for the logical security of data assets.

Incident Response Management: Specify the planned management of how you will respond in the face of potentially adverse events. This acts as a component of business continuity and disaster management.

Business Continuity and Disaster Recovery Management: Specify resiliency controls to help mitigate potential losses due to potential disruptions to business operations.

Procurement and Vendor Management: Partner with business associates in defending their data assets. The Controls define how an organization aligns with third parties and vendors to protect their data assets.
Change and Configuration Management: Assess, accept or deny, and log changes to systems, especially configuration changes, in a systematic, formal manner in order to defend the organization's information assets.

Organizations are encouraged (and many are required) to implement these governance controls in parallel with the technical controls defined elsewhere in this document. Both technical and governance-related controls should be considered equally important pillars in the architecture of an organization's defense.

Appendix F: Toward A Privacy Impact Assessment (PIA) for the CIS Critical Security Controls

Introduction

An effective posture of enterprise cybersecurity need not, and, indeed, should not compromise individual privacy. Many laws, regulations, guidelines, and recommendations exist to safeguard privacy, and enterprises will, in many cases, adapt their existing policies on privacy as they apply the Controls.

At a minimum, use of the Controls should conform to the general principles embodied in the Fair Information Practice principles (FIPs) [2] and in Privacy by Design. [3] All enterprises that apply the Controls should undertake – and make available to stakeholders – privacy impact assessments of relevant systems to ensure that appropriate protections are in place as the Controls are implemented. Every enterprise should also regularly review these assessments as material changes to its cybersecurity posture are adopted. The aim is to assess and mitigate the major potential privacy risks associated with implementing specific Controls as well as evaluate the overall impact of the Controls on individual privacy.

To assist enterprises in efforts to conduct a privacy impact assessment when implementing the Controls and to contribute to the establishment of a more general reference standard for privacy and the Controls, CIS will convene technical and privacy experts to review each Control and offer recommendations for best practice.

The following framework will help guide this effort and provide a possible outline for a Privacy Impact Assessment.

Privacy Impact Assessment of the CIS Critical Security Controls

I. Overview

Outline the purpose of each Control and provide justification for any actual or potential intersection with privacy-sensitive information.
• Where possible, identify how technologies, procedures, and data flows are used to implement the Control. Provide a brief description of how the Control generally collects and stores information. Identify the type of data collected by the Control and the kinds of information that can be derived from this data. In discussing how the Control might collect and use PII, include a typical transaction that details the lifecycle of that PII from collection to disposal.
• Describe the measures necessary to protect privacy data and mitigate any risks of unauthorized access or inadvertent disclosure of the data. The aim here is not to list every possible risk to privacy, but rather, to provide a holistic view of the risks to privacy that could arise from implementation of the Control.
• Describe any potential ad-hoc or routine information sharing that will result from the implementation of the Control, both within the enterprise and with external sharing partners. Also describe how such external sharing is compatible with the original collection of the information, and what agreements would need to be in place to support this sharing.

II. Authorities

Identify the legal authorities or enterprise policies that would permit or, conversely, limit or prohibit the collection or use of information by the Control.

• List the statutory and regulatory authorities that would govern operation of the Control, including the authorities to collect the information identified above.
• Explain how the statutory and regulatory authorities permit or would limit collection and use of the information or govern geographic storage requirements. If the Control would conceivably collect Personally Identifiable Information (PII), also identify the specific statutory authority that would permit such collection.
• Would the responsible office of an enterprise be able to rely on authorities of another parent organization, subsidiary, partner or agency?

[2] See http://www.dhs.gov/publication/fair-information-practice-principles-fipps, and http://www.nist.gov/nstic/NSTIC-FIPPs.pdf.
[3] See https://www.privacybydesign.ca. The approach discussed in this Annex draws heavily on public sector approaches in the United States, but can be adapted for any jurisdiction.
• Might the information collected by the Control be received from a foreign user, organization or government? If so, does any international agreement, contract, privacy policy or memorandum of understanding exist to support or otherwise govern this collection?

III. Characterizing Control-Related Information

Identify the type of data the Control collects, uses, disseminates, or maintains.

• For each Control, identify both the categories of technology sources, logs, or individuals from whom information would be collected, and, for each category, list any potential PII that might be gathered, used, or stored to support the Control.
  o Relevant information here includes (but is not limited to): name; date of birth; mailing address; telephone numbers; social security number; e-mail address; mother's maiden name; medical records locators; bank account numbers; health plan beneficiaries; any other account numbers; certificates or other license numbers; vehicle identifiers, including license plates; marriage records; civil or criminal history information; medical records; device identifiers and serial numbers; education records; biometric identifiers; photographic facial images; or any other unique identifying number or characteristic.
• If the output of the Control, or the system on which it operates, creates new information from data collected (for example, a scoring, analysis, or report), might this new information have privacy implications? If so, perform the same analysis as above on the newly created information.
• If the Control uses information from commercial sources or publicly available data to enrich other data collected, explain how this information might be used.
  o Commercial data includes information from data aggregators (such as LexisNexis, threat feeds, or malware databases), or from social networking sources where the information was originally collected by a private organization.
  o Publicly available data includes information obtained from the internet, news feeds, or from state or local public records, such as court records where the records are received directly from the state or local agency, rather than from a commercial data aggregator.
  o Identify scenarios where this enriched data might derive data that could have privacy implications. If so, perform the same analysis as above on the newly created information.
• Identify and discuss the privacy risks for Control information and explain how they are mitigated. Specific risks may be inherent in the sources or methods of collection. Consider the following Fair Information Practice principles (FIPs):
  o Principle of Purpose Specification: Explain how the collection of PII by the Control links to the cybersecurity needs of the enterprise.
  o Principle of Minimization: Is the PII data directly relevant and necessary to accomplish the specific purposes of the Control?
  o Principle of Individual Participation: Does the Control, to the extent possible and practical, collect PII directly from individuals?

IV. Uses of Control-Related Information

Describe the Control's use of PII or privacy-protected data. Describe how and why the Control uses this data.

• List likely uses of the information collected or maintained, both internal and external to the enterprise. Explain how and why different data elements will be used. If Social Security numbers are collected for any reason, for example, describe why such collection is necessary and how such information would be used. Describe the types of procedures and protections to be in place to ensure that information is handled appropriately, and the policies that need to be in place to provide user notification.
• Does the Control make use of technology to conduct electronic searches, queries, or analyses in a database to discover or locate a predictive pattern or an anomaly? If so, describe what results would be achieved and whether there would be a possibility of privacy implications.
• Some Controls require the processing of large amounts of information in response to user inquiry or programmed functions. The Controls may help identify data that were previously not identifiable and may generate the need for additional research by analysts or other employees. Some Controls are designed to perform complex analytical tasks resulting in other types of data, matching, relational analysis, scoring, reporting, or pattern analysis.
• Discuss the results generated by the uses described above, including link analysis, scoring, or other analyses. These results may be generated electronically by the information system, or manually through review by an analyst. Would these results potentially have privacy implications?
• Are there other offices or departments within or connected to the enterprise that would receive any data generated? Would there be privacy implications to their use or collection of this data?
• Consider the following FIPs:
  o Principle of Transparency: Are the PIA and related policies clear about the uses of information generated by the Control?
  o Principle of Use Limitation: Is the use of information contained in the system relevant to the mission of the Control?

V. Security

Complete a security plan for the information system(s) supporting the Control.

• Is there appropriate guidance when implementing the Control to ensure that appropriate physical, personnel, IT, and other safeguards are in place to protect privacy-protected data flowing to and generated from the Control?
• Consider the following Fair Information Practice principle:
  o Principle of Security: Is the security appropriate and proportionate to the protected data?

VI. Notice

Identify whether any notice to individuals must be put in place regarding implementation of the Control, PII collected, the right to consent to uses of information, and the right to decline to provide information (if practicable).

• Define how the enterprise might require notice to individuals prior to the collection of information.
• Enterprises often provide written or oral notice to employees, customers, shareholders, and other stakeholders before they collect information from individuals. In the U.S. government, that notice may include a posted privacy policy, a Privacy Act statement, a Privacy Impact Assessment, or a Statement of Records Notice (SORN) published in the U.S. Federal Register. For private companies collecting information from consumers, publicly available privacy policies are used.
• Describe what notice might be relevant to individuals whose information might be collected by the Control.
• If notice might not, or cannot, be provided, define whether one is required or how its absence can be mitigated. For certain law enforcement operations, notice may not be appropriate – enterprises would then explain how providing direct notice to the individual at the time of collection would undermine a law enforcement mission.
• Discuss how the notice provided corresponds to the purpose of the Control and the declared uses. Discuss how the notice given for the initial collection is consistent with the stated use(s) of the information. Describe how implementation of the Control mitigates the risks associated with potentially insufficient notice and opportunity to decline or consent.
• Consider the following FIPs:
  o Principle of Transparency: Will this Control allow sufficient notice to be provided to individuals?
  o Principle of Use Limitation: Is the information used only for the purpose for which notice was provided, either directly to individuals or through a public notice? What procedures can be put in place to ensure that information is used only for the purpose articulated in the notice?
  o Principle of Individual Participation: Will the enterprise be required to provide notice to individuals regarding redress, including access and correction, including other purposes of notice such as types of information and controls over security, retention, disposal, etc.?

VII. Data Retention

Will there be a requirement to develop a records retention policy, subject to approval by the appropriate enterprise authorities (e.g., management, Board), to govern information gathered and generated by the Control?

• Consider the following FIPs to assist in providing a response:
  o Principle of Minimization: Does the Control have the capacity to use only the information necessary for declared purposes? Would the Control be able to manage PII retained only for as long as necessary and relevant to fulfill the specified purposes?
  o Principle of Data Quality and Integrity: Does the PIA describe policies and procedures required by an organization for how PII is purged once it is determined to be no longer relevant and necessary?
VIII. Information Sharing

Describe the scope of the information sharing within and external to the enterprise that could be required to support the Control. External sharing encompasses sharing with other businesses, vendors, private sector groups, or federal, state, local, tribal, and territorial government, as well as with governments or official agencies of other countries.

• For state or local government agencies, or private sector organizations, list the general types that might be applicable for the Control, rather than the specific names.
• Describe any agreements that might be required for an organization to conduct information sharing as part of normal enterprise operations.
• Discuss the privacy risks associated with the sharing of information outside of the enterprise. How can those risks be mitigated?
• Discuss how the sharing of information is compatible with the stated purpose and use of the original collection for the Control.

IX. Redress

Enterprises should have in place procedures for individuals to seek redress if they believe their PII may have been improperly or inadvertently disclosed or misused through implementation of the Controls. These procedures may include allowing them to file complaints about what data is collected or how it is used.

• Consider the following issue that falls under the FIP principle of Individual Participation:
  o Can a mechanism be applied by which an individual can prevent PII obtained for one purpose from being used for other purposes without the individual's knowledge?

X. Auditing and Accountability

Describe what technical and policy-based safeguards and security measures might be needed to support the Control. Include an examination of technical and policy safeguards, such as information sharing protocols, special access restrictions, and other controls.

• Discuss whether the Control allows for self-audits, permits third-party audits, or allows real-time or forensic reviews by appropriate oversight agencies.
• Do the IT systems supporting the Control have automated tools to indicate when information is possibly being misused?
• Describe what requirements for privacy training should be provided to users, either generally or specifically relevant to the Control, including information handling procedures and sensitivity of information. Discuss how individuals who have access to PII collected or generated by the Control should be trained to appropriately handle that information.
• Discuss the types of processes and procedures necessary to review and approve information sharing agreements, new uses of Control information, and new access to Control information by other parties.

Appendix G: Categorization for the CIS Critical Security Controls

Introduction

When we created Version 6 of the CIS Controls, one of the notable changes was deletion of the "categories" for each sub-Control (Quick Win, Visibility and Attribution, Improved Security Configuration and Hygiene, and Advanced). These had proved to be problematic for several reasons, and a number of people found them to be more inconsistent than useful.

But other adopters told us they missed the categories and found them helpful in prioritizing their Controls implementation plans, especially in presenting those plans to management, so we went back to take another look at them. In addition, people asked for more help in identifying sub-controls that were truly "advanced" and would require substantial investment of time and resources.

This document presents a simpler categorization scheme for each sub-control, along with some explanatory information to separate actions that we consider "Foundational" from those that are "Advanced".

Description

In Version 5 of the CIS Controls, each sub-control was identified in one of the following categories:

• Quick wins that provide significant risk reduction without major financial, procedural, architectural, or technical changes to an environment, or that provide such substantial and immediate risk reduction against very common attacks that most security-aware organizations prioritize these key controls.
• Visibility and attribution measures to improve the process, architecture, and technical capabilities of organizations to monitor their networks and computer systems to detect attack attempts, locate points of entry, identify already-compromised machines, interrupt infiltrated attackers' activities, and gain information about the sources of an attack.
• Improved information security configuration and hygiene to reduce the number and magnitude of security vulnerabilities and improve the operations of networked computer systems, with a focus on protecting against poor security practices by system administrators and end-users that could give an attacker an advantage.
• Advanced sub-controls that use new technologies or procedures that provide maximum security but are harder to deploy or more expensive or require more highly skilled staff than commoditized security solutions.

For Version 6.1, we made this simpler and moved to a 2-category system. As a starting point, we worked from the original Version 5 categories since most of the sub-controls carried over in some form.

• Foundational: These provide essential improvements to the process, architecture, and technical capabilities of organizations to monitor their networks and computer systems to detect attack attempts, locate points of entry, identify already-compromised machines, interrupt infiltrated attackers' activities, and gain information about the sources of an attack. They reduce the number and magnitude of security vulnerabilities and improve the operations of networked computer systems, with a focus on protecting against poor security practices by system administrators and end-users that could give an attacker an advantage.
• Advanced: These are sub-controls that use new technologies or procedures for maximum security, but are harder to deploy or more expensive or require more highly skilled staff than commoditized security solutions.
However, a number of adopters noted that some of the individual sub-controls contain wording, phrases, or an interpretation that did not fall neatly into either category. So for each of those, we identified a primary category (Foundational or Advanced, shown as "Y" in one column of the charts), and then we added text to clarify and separate out the other aspect of the sub-control.

For example, we might identify a given sub-control as Foundational, but those seeking to build upon the sub-control for an Advanced security program now have some guidance. This is not a particularly elegant solution, but we wanted to provide useful guidance without a significant rewrite of the sub-controls. Enterprises adopting the Controls do something like this anyway – interpret each of the sub-controls in the context of their specific situation, technical base, and risk management – in order to create a roadmap of phased implementation.