Question

CIS CONTROL #1 Inventory of Authorized and Unauthorized Devices: Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.

The theme of the control is fairly simple: you should be able to see what is on your network, know which systems belong to whom, and use this information to prevent unauthorized users from connecting to the network. High maturity organizations often address the automation and management sections of this control.

In short, you must create a network device inventory. All devices on your network need to be identified, authorized, have their software patched if it is not up to date, or deleted from the network if the device is unauthorized. This process needs to happen for all devices already on the network, and for every device that attaches itself to the network in the future. This monitoring must be done for virtual devices too.

How to implement it:

There are numerous effective ways to implement the Inventory of Authorized and Unauthorized Devices control. Many of them will also significantly improve the implementation of other controls relating to network access, asset configuration, and system management. Successful implementations often focus on bridging existing system inventory or configuration management services and device-based network access control. The inventory management portion is usually based on software or endpoint management services such as SCCM, while access control can leverage existing network technology to limit device access to networks.

Robust implementation of DHCP logging and management will effectively address sections 1.1, 1.2, and 1.4 of Critical Control #1. Deploying DHCP logging and using the outputs to establish awareness of what is currently connected to the network is an extremely good first step to full implementation. Tracking DHCP activity has an additional impact on the IT support and management side of the organization, as well; it serves as a sort of early warning system for network misconfiguration and management issues. For organizations with a SIEM solution or centralized audit repository, ingested DHCP logs can allow correlation with other security and network events. Correlating the logs against additional system information from tools like SCCM or event monitoring services can also assist with inventory tracking and automated inventory management, which has added benefits on the financial and operations management side of the shop, as well.

CIS Control #2. It reads as follows:

Inventory of Authorized and Unauthorized Software: Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

Software Security Risks: On almost every computer in your facility, there are hundreds if not thousands of software programs that may or may not be necessary to the business interests of your company. The fact that these programs exist on the hard drive may not be a problem in itself, unless storage space is a problem, or unless they pose a security risk that could damage your entire operation. Every computer connected to the network, and every piece of software on it, if compromised with malware, ransomware, viruses, or any other kind of malicious programming, becomes an attack vector to your entire system.

The theme of the control is fairly simple: you should be able to see what software is on your systems, who installed it, and what it does. You should be able to use this information to prevent unauthorized software from being installed on endpoints.

Software isn't perfect. Much of it is vulnerable to compromise. Hackers and attackers use black-hat targeting techniques to find ways of infiltrating your network to gain access and information. The authors of the software know this and regularly publish patches and updates to help you maintain the security of their products. But if you don't know about all of the software running on your computers, and what version of the software is in use, how will you know what patches and updates to apply? This confusion is the complicated issue that our engineers address daily in support of Critical Security Control #2.

How to implement it:

Many of the methods used to implement the inventory of authorized and unauthorized software will also significantly improve the implementation of other controls relating to network access, asset configuration, and system management (Controls 1, 6, 10, 14, 15, 17 and 19). Specifically, Local Administrator access and install rights should not be granted for most users. This limitation also assists with other critical controls that deal with access and authentication. Limiting who can install software also limits who can click OK on installations that include malware, adware and other unwanted code. The added bonus to successful removal of admin rights is the lowering of the shadow IT footprint in most organizations, contributing to better internal communication and security awareness.

Once installation rights have been limited, any whitelisting or blacklisting processes should be done in stages, typically starting with a list of unauthorized applications (a blacklist), and finishing with a list of authorized applications that make up the whitelist. This can be rolled out as an authorized software policy first, and followed up with scanning, removal and then central inventory control. Successful implementations of software inventory control often focus on bridging system configuration management services and software blacklisting and whitelisting. The inventory management portion is usually based on a software inventory tool or endpoint management services such as SCCM, Footprints, or GPO and local policy controls on Windows.

Beyond administrator and installation rights limiting, and blacklisting, some form of integrity checking and management should be set up. This is possible using only OS-based tools in most cases, and Microsoft includes integrity management tools in Windows 10. Typically, OS-level integrity management tools rely on limiting installation based on a list of trusted actors (installers, sources, etc.). In more comprehensive cases, such as some endpoint protection services, there are heuristic and behavior-based tools that monitor critical application libraries and paths for change. Since integrity management is intrinsically tied to malware prevention and data protection, implementing this section of the control actually assists with Controls 8, 9 and 14: Browser and e-mail configuration, Malware Defenses and Data Protection.

CIS Control #3

Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers: Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

All The Other Things

Everything above talks about the first sub-control, which is the secure config itself. There are several more things this control covers, such as:

Follow strict configuration management processes for all changes to your secure builds.

Create master images (gold images) that are secure, and store those in a safe and secure location so they can't be altered

Perform remote administration only over secure channels, and use a separate administration network if possible.

Use file integrity checking tools or application whitelisting tools to ensure your images are not being altered without authorization.

Verify your testable configurations and automate this as much as possible: run your vulnerability scanner against your gold image on a regular frequency and use SCAP to streamline reporting and integration.

Deploy configuration management tools (SCCM, Puppet/Chef, Casper) to enforce your secure configurations once they are deployed.

As you can see, there's quite a bit to getting your systems and applications secured, as well as having processes to support the ongoing care and feeding of your secure configs. This is a foundational control, so it's important to get right and keep going with continual improvement. Putting the required time and effort into this will yield you a lot of return, simply because your exposure will have shrunk significantly, and allow you to focus on the more advanced security measures without worrying about some PowerShell script kiddie popping your box because of insecure telnet. Oh, by the way, you should probably disable telnet.

CIS Control #4: Continuous Vulnerability Assessment and Remediation

Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.

That's a mouthful. But an important mouthful. Put another way, we must always be on guard to lessen the likelihood of an attack. You have to strengthen what's weak and see to it that your enemy has little to no chance to enter your system. To do this, you need a constant flow of new, up-to-date security information specifically addressing your systems' access and endpoints. You must shrink your vulnerabilities, making the target smaller.

Shrink the Attack Surface: We use Digital Defense's Frontline to decrease your attack surface. Frontline is a vulnerability management solution with supplementary services that scan, analyze, and score the potential attack vectors on your network.

It's not enough, however, to simply scan and spew mountains of unintelligible systems data in the form of tabular reports. The analysis and scoring must produce intelligent reporting that can be both acted upon and briefed to executives. The process itself needs to be automatable. You must be able to test your defenses. You must also maintain your standards of compliance. These are not options; they are crucial must-haves.

Scanning: Powered by DDI NIRV, Frontline uses the industry's best scanning engine. What is different with Frontline is the accuracy, the point-in-time accuracy, that Frontline software delivers. Cutting through the network noise, Frontline finds the new attack techniques, critical flaws, and zero-day vulnerabilities that other engines miss.

Analysis: What you require from Frontline's analysis is actionable intelligence. And that is what you get. With other programs, it is not only possible but quite common to generate mountains of vulnerability assessment data, only to be lost in the weeds and not know what to do with the almost incomprehensible and often misleading results. With Frontline you always get the answer to the question: Which assets are at risk, and what should I do about their vulnerabilities?

Risk Scoring: The entire scanning and analysis process boils down to this question: What is my organization's security posture? Frontline's risk scoring gives you that answer clearly. You get a dynamically updated Host Security Scorecard which visually provides the information you want in a direct and easy-to-understand manner. You can brief executives with this informative display. And you can act on real-time information as it changes. You are in control.

Automated Workflow: A seamless workflow, from identification to remediation, is the goal of effective vulnerability management. Frontline integrates into SIEMs such as IBM QRadar, ZenDesk and ServiceNow, as well as other security workflow management platforms. This process is not a mere matter of passive data uploads. Features include:

Per vulnerability remediation solution/recommendations with associated CVE and vendor patch links

Seamless management of host and vulnerability findings

Comprehensive description and solutions for vulnerability remediation

Industry standard REST API with JSON output

Filterable export from Frontline VM based on criteria

Scheduled data push/pull to destination platform(s)

To best understand how to integrate each section of this control into your security program, we're going to break them up into the logical groupings I described in the previous section (scanning, logs, new threats and exposures, risk rating, and remediation).

A large part of vulnerability assessment and remediation has to do with scanning, as proven by the fact that two sections directly pertain to scanning and two others indirectly reference it by discussing monitoring scanning logs and correlating logs to ongoing scans. The frequency of scanning will largely depend on how mature your organization is from a security standpoint and how easily it can adopt a comprehensive vulnerability management program. Section 4.1 specifically states that vulnerability scanning should occur weekly, but we know that that is not always possible due to various circumstances. This may mean monthly for organizations without a well-defined vulnerability management process or weekly for those that are better established. Either way, when performing these scans it is important to have both an internal and external scan perspective. This means that scans on machines that are internally-facing only should have authenticated scans performed on them and outward-facing devices should have both authenticated and unauthenticated scans performed.

Another point to remember about performing authenticated scans is that the administrative account being used for scans should not be tied to any particular user. Since these credentials will have administrative access to all devices being scanned, we want to decrease the risk of them getting compromised. This is also why it is important to ensure all of your scanning activities are being logged, monitored, and stored.

Depending on the type of scan you are running, your vulnerability scanner should be generating at least some attack detection events. It is important that your security team is able to (1) see that these events are being generated and (2) can match them to scan logs in order to determine whether the exploit was used against a target known to be vulnerable instead of being part of an actual attack. Additionally, scan logs and alerts should be generated and stored to track when and where the administrative credentials were being used. This way, we can determine that the credentials are only being used during scans on devices for which the use of those credentials has been approved.

CIS Control #5: Controlled Use of Administrative Privileges

The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.

Getting to 100% Risk Mitigation: Implementing these five controls reduces your risk of cyberattack by 85%, but the job isn't done with just these five steps. Implementing the full suite of 20 CIS Security Controls reduces your risk by 94%. This process is a concerted effort best done with a dedicated NCSi team, and not with an ad-hoc, piecemeal approach, which can leave security holes in your network. NCSi supports your organization throughout the entire process, adding value to your implementation and bringing your risk mitigation ever closer to 100%.

State-of-the-art tools, highly skilled engineers, international industry-wide standards, and a business philosophy that puts your organization's security at the heart of everything we do make NCSi a natural partner for implementing both short- and long-term security strategies and endpoint management. Follow our articles on the CIS Security Tools and Controls to learn more about how your organization can harden its systems against attacks, malware, and ransomware.

How to implement it:

There's a lot of different ways to implement restrictions on admin privilege. You are first going to have to deal with the political issues of why to do this.

Review the two readings included in the "CIS Controls". Research one of the main areas of control you believe to be the one of the most difficult areas to implement security controls and why. Please support your conclusions with alternative research.
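The DHCP-logging approach to Control #1 (sections 1.1, 1.2, 1.4 above) comes down to reconciling what the DHCP server actually handed leases to against the authorized-device inventory. This added example (not from the question or from any vendor named in it) parses constructed ISC dhcpd-style syslog lines, keeps only completed DHCPACK leases, and reports both unknown devices on the wire and inventory entries that never appeared; the log lines, MACs and inventory are all constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed ISC dhcpd-style syslog lines for illustration (not real captured data).
SAMPLE_DHCP_LOG = """\
Mar  3 08:01:12 dhcp1 dhcpd: DHCPACK on 10.10.4.21 to 00:11:22:33:44:55 (ws-finance-07) via eth0
Mar  3 08:02:40 dhcp1 dhcpd: DHCPACK on 10.10.4.22 to 00:11:22:33:44:56 (ws-finance-08) via eth0
Mar  3 08:05:03 dhcp1 dhcpd: DHCPDISCOVER from d4:3b:04:aa:bb:cc via eth0
Mar  3 08:05:04 dhcp1 dhcpd: DHCPACK on 10.10.4.99 to d4:3b:04:aa:bb:cc (android-9f2e) via eth0
Mar  3 08:07:55 dhcp1 dhcpd: DHCPACK on 10.10.4.23 to 00:11:22:33:44:57 via eth0
"""

# Constructed authorized-device inventory keyed by MAC, as an endpoint
# management tool (SCCM, a CMDB) might export it.
AUTHORIZED: Dict[str, str] = {
    "00:11:22:33:44:55": "ws-finance-07",
    "00:11:22:33:44:56": "ws-finance-08",
    "00:11:22:33:44:60": "ws-finance-12",  # in inventory, never seen on the wire
}

# Only DHCPACK means a lease was actually handed out; DISCOVER/OFFER/REQUEST are noise here.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


@dataclass
class Lease:
    ip: str
    mac: str
    hostname: Optional[str]  # clients are not required to send a hostname
    iface: str


def parse_acks(log_text: str) -> List[Lease]:
    """Extract completed leases from raw syslog text; MACs are normalized to lowercase."""
    leases = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            leases.append(Lease(m["ip"], m["mac"].lower(), m["host"] or None, m["iface"]))
    return leases


def reconcile(leases: List[Lease], authorized: Dict[str, str]) -> Tuple[Dict[str, Lease], List[str]]:
    """Return (unauthorized, stale): devices on the wire that are not in the inventory,
    and inventory entries that never took a lease (offline, decommissioned, or static IP)."""
    seen = {lease.mac: lease for lease in leases}  # last lease per MAC wins
    unauthorized = {mac: lease for mac, lease in seen.items() if mac not in authorized}
    stale = sorted(mac for mac in authorized if mac not in seen)
    return unauthorized, stale
```

Feeding a SIEM the `unauthorized` set is the "found" half of the control; the `stale` list is the cheap inventory-hygiene signal the text mentions as a side benefit.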
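Control #4's point about authenticated scans (above: the scan account's credentials must only be used during scans, from the scanner, against approved devices) is straightforward to check once logon events land in a central log store. This added example (not from the question or any named vendor) audits constructed, SIEM-normalized logon lines for a hypothetical `svc-vulnscan` account against a constructed policy of approved scanner source addresses, scan windows and target networks; the account name, addresses and windows are all assumptions.

```python
import ipaddress
from datetime import datetime, time
from typing import Dict, List, Tuple

# Constructed policy (assumption): the scanner's service account, the only hosts it may
# log in from, and the approved windows (weekday, start, end, target network).
SCAN_ACCOUNT = "svc-vulnscan"
SCANNER_SOURCES = {ipaddress.ip_address("10.10.0.5")}
APPROVED_WINDOWS = [
    (5, time(2, 0), time(6, 0), ipaddress.ip_network("10.10.4.0/24")),  # Saturday 02:00-06:00
]

# Constructed, simplified successful-logon events, as a SIEM might normalize
# Windows 4624 or Linux sshd records. 2024-03-02 is a Saturday, 2024-03-04 a Monday.
SAMPLE_AUTH_LOG = """\
2024-03-02T02:15:00 host=10.10.4.21 user=svc-vulnscan src=10.10.0.5
2024-03-02T02:16:30 host=10.10.4.22 user=svc-vulnscan src=10.10.0.5
2024-03-02T02:17:02 host=10.10.9.8 user=svc-vulnscan src=10.10.0.5
2024-03-04T14:03:11 host=10.10.4.21 user=svc-vulnscan src=10.10.7.77
2024-03-02T03:00:00 host=10.10.4.23 user=jdoe src=10.10.7.50
"""


def parse_event(line: str) -> Dict[str, str]:
    """Split 'ISO-timestamp key=value ...' into a dict; the timestamp is kept under 'ts'."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = ts
    return event


def check_event(event: Dict[str, str]) -> List[str]:
    """Return every policy violation for one logon of the scan account (empty list if clean)."""
    ts = datetime.fromisoformat(event["ts"])
    host = ipaddress.ip_address(event["host"])
    src = ipaddress.ip_address(event["src"])
    reasons = []
    if src not in SCANNER_SOURCES:
        reasons.append("source is not an approved scanner")
    if not any(ts.weekday() == wd and start <= ts.time() < end for wd, start, end, _ in APPROVED_WINDOWS):
        reasons.append("outside approved scan window")
    if not any(host in net for _, _, _, net in APPROVED_WINDOWS):
        reasons.append("target not in approved scan scope")
    return reasons


def audit_scan_account(log_text: str, account: str = SCAN_ACCOUNT) -> List[Tuple[str, str, List[str]]]:
    """Walk the log and report (timestamp, host, reasons) for each misuse of the scan account."""
    findings = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event["user"] != account:
            continue  # other accounts are out of scope for this check
        reasons = check_event(event)
        if reasons:
            findings.append((event["ts"], event["host"], reasons))
    return findings
```

A logon from a non-scanner source outside any window is the case the text worries about: the scan credentials being used by something other than the scanner.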
