CIS 20 CSCs:  Flying Below the Radar
Aerial Reconnaissance

Introduction

If you take a traditional approach to the implementation of the Center for Internet Security's top 20 Critical Security Controls (CIS 20 CSCs) you could really be missing a trick.

CIS 20 CSCs

By looking at your business from the perspective of an attacker, even the application of the Basic CIS CSCs can make a significant difference to reducing your risks:

CIS Basic controls

An attacker's perspective

There have been numerous studies and models (Cyber Kill Chain, Cognitive Attack Loop, MITRE ATT&CK, etc.) that clearly demonstrate the attackers' Tactics, Techniques & Procedures (TTPs) that might be used against an organisation.

In addition, we can appreciate that these attackers are opportunists that are driven by the following 3 things:

  1. Inquisitiveness. They want to know what is within your organisation.
  2. Challenge. Anyone that has seen a professional penetration tester in action will appreciate the 'buzz' that they get from being able to find chinks in their target's armour.
  3. Reward. Whether your attacker is a state-sponsored threat actor, an organised criminal group or the 'script kiddie', they all seek a reward - be that political, monetary or kudos (aka Bragging Rights).

Consequently, being opportunists, they start by carrying out reconnaissance to identify the foothold from which they can begin unpicking your defences.

Changing your perspective

Knowing that your attackers start with reconnaissance, wouldn't it make sense for the security industry to change from the reactive (traditional) approach and to proactively apply the attackers' TTPs against your own business first?

1. Inventory & Control of Hardware Assets.

"Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access".

  • Have you looked at your assets, from the internet, to see what assets are publicly visible?
  • Do these public-facing assets interface with sensitive data?
  • Do these public-facing assets provide a connection into your business?
  • Do you carry out asset/data discovery scans?

2. Inventory and Control of Software Assets

"Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution".

  • Have you 'locked down' the use of software on your public-facing assets, to prevent an attacker from being able to install malicious software?
  • Do you know what software/scripts are permitted?
  • Can you easily detect unauthorised software/scripts?

3. Continuous Vulnerability Management

"Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers".

  • Do you prioritize your public-facing assets, to ensure that any vulnerabilities are identified and remediated against, in a timely manner?
  • Is your vulnerability management effectively reducing the attack surface and opportunities for the cyber attacker?

4. Controlled Use of Administrative Privileges

"The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications".

  • The more convenient it is for your 'Super Users', the more convenient it will be for your attacker.
  • Do you strictly limit the use of 'Super User' (Administrative) accounts to only those that are explicitly approved and required, for legitimate business reasons?
  • The greater the number of 'Power Keys' that you have in circulation, the greater the risk of compromise.
  • Are the issuing and use of the 'Power Keys' made subject to strict change control, approval and risk assessments?

5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

"Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings".

  • Have you 'locked down' your public-facing assets, to ensure that all the default settings have been changed and the assets securely configured, so that the only Services, Ports and Protocols (SPPs) enabled are the ones needed for the asset to carry out its role?
  • Do you ensure that any changes to these public-facing assets are subject to change control, approval and risk assessments?
  • Do you automate the periodic auditing of your public-facing assets, to ensure that the settings have not been altered, without undergoing the change management process? (For example, the use of Titania's Nipper & Paws can assist you with this process).
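The questions under controls 1 and 5 come down to one recurring check: does what the internet can see of each public-facing asset still match what was approved? The script below is an added example, not code from the article or from any vendor product it mentions. It keeps an approved baseline of the services each host may expose, parses a discovery-scan result (the host names, the scan output and its line format are all constructed for this example) and reports drift in the three forms that matter to the perimeter: services open but not approved, approved services that have disappeared, and hosts that are visible but absent from the inventory altogether.

```python
"""Baseline comparison for public-facing assets.

Added example, not from the original article or any vendor tool. It keeps an
approved baseline of which services (port/protocol) each public-facing host may
expose, parses a discovery-scan result (constructed sample text below; the line
format is hypothetical), and reports drift in three forms: services that are
open but not approved, approved services that have gone missing, and hosts that
are visible but absent from the inventory.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True, order=True)
class Service:
    port: int
    proto: str  # "tcp" or "udp"


# Approved baseline (constructed sample inventory, hypothetical host names).
BASELINE = {
    "web-01.example.test": {Service(443, "tcp")},
    "mail-01.example.test": {Service(25, "tcp"), Service(587, "tcp")},
    "vpn-01.example.test": {Service(443, "tcp"), Service(1194, "udp")},
}

# Constructed discovery-scan output in a simple "host port/proto state" format
# (the format itself is an assumption made for this example).
SCAN_OUTPUT = """\
web-01.example.test 443/tcp open
web-01.example.test 22/tcp open
mail-01.example.test 25/tcp open
mail-01.example.test 587/tcp closed
vpn-01.example.test 443/tcp open
vpn-01.example.test 1194/udp open
test-box.example.test 8080/tcp open
"""


def parse_scan(text):
    """Return {host: set(Service)} for every 'open' line; other states are ignored."""
    observed = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, port_proto, state = line.split()
        observed.setdefault(host, set())  # record the host even if nothing is open
        if state != "open":
            continue
        port, proto = port_proto.split("/")
        observed[host].add(Service(int(port), proto))
    return observed


@dataclass
class DriftReport:
    unapproved: dict = field(default_factory=dict)   # host -> services open but not approved
    missing: dict = field(default_factory=dict)      # host -> approved services not observed
    unknown_hosts: set = field(default_factory=set)  # visible hosts absent from the inventory

    def is_clean(self):
        return not (self.unapproved or self.missing or self.unknown_hosts)


def compare_to_baseline(baseline, observed):
    """Diff the observed exposure against the approved baseline."""
    report = DriftReport()
    for host, services in observed.items():
        if host not in baseline:
            report.unknown_hosts.add(host)
            continue
        extra = services - baseline[host]
        absent = baseline[host] - services
        if extra:
            report.unapproved[host] = extra
        if absent:
            report.missing[host] = absent
    # Baseline hosts that did not appear in the scan at all are also "missing".
    for host in baseline:
        if host not in observed:
            report.missing[host] = set(baseline[host])
    return report


def format_report(report):
    """Render the report as one finding per line, sorted for stable diffs."""
    lines = []
    for host, svcs in sorted(report.unapproved.items()):
        lines += [f"UNAPPROVED {host} {s.port}/{s.proto}" for s in sorted(svcs)]
    for host, svcs in sorted(report.missing.items()):
        lines += [f"MISSING    {host} {s.port}/{s.proto}" for s in sorted(svcs)]
    lines += [f"UNKNOWN    {host}" for host in sorted(report.unknown_hosts)]
    return lines or ["CLEAN: exposure matches baseline"]


if __name__ == "__main__":
    for line in format_report(compare_to_baseline(BASELINE, parse_scan(SCAN_OUTPUT))):
        print(line)
```

Run on the constructed sample it flags the unapproved SSH port on the web server, the submission port that has vanished from the mail server and the unknown test host; a run where the observed set equals the baseline reports clean. The "MISSING" case matters as much as the "UNAPPROVED" one, because a service that silently disappears from an approved host is a change that bypassed change control just as surely as a new one appearing.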

6. Maintenance, Monitoring and Analysis of Audit Logs

"Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack".

  • How quickly can you identify, analyse and respond to ABNORMAL activities?
  • Do you periodically check the audit logs of events, from your public-facing assets?
  • Are you able to quickly identify potential malicious activity occurring against your public-facing assets?
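To make the three questions under control 6 concrete, here is an added example (not code from the article) that reads the standard sshd authentication lines from a public-facing host and raises two kinds of alert: a burst of failed logins from one source inside a short window, and a successful login from a source that had just been failing. The second case is the one a plain failure count misses, and it is usually the more urgent of the two. The log sample, the host name and the thresholds are constructed for the example; the line format is the one sshd itself writes, with the syslog timestamp replaced by an ISO one for simplicity.

```python
"""Spotting abnormal authentication activity in sshd audit logs.

Added example, not from the original article. It parses standard sshd
authentication lines (the sample below is constructed and uses documentation
IP ranges) and raises two kinds of alert for a public-facing host: a burst of
failed logins from one source within a short window, and a successful login
from a source that had just been failing, which a plain failure count misses.
"""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample log from a hypothetical public-facing host "web-01".
SAMPLE_LOG = """\
2024-03-01T10:00:01 web-01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
2024-03-01T10:00:03 web-01 sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
2024-03-01T10:00:04 web-01 sshd[1203]: Failed password for root from 203.0.113.5 port 51238 ssh2
2024-03-01T10:00:06 web-01 sshd[1204]: Failed password for root from 203.0.113.5 port 51240 ssh2
2024-03-01T10:00:08 web-01 sshd[1205]: Failed password for deploy from 203.0.113.5 port 51242 ssh2
2024-03-01T10:00:09 web-01 sshd[1206]: Accepted publickey for deploy from 203.0.113.5 port 51244 ssh2
2024-03-01T10:05:00 web-01 sshd[1300]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
2024-03-01T11:00:00 web-01 sshd[1400]: Failed password for root from 198.51.100.9 port 40100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

Event = namedtuple("Event", "ts host result method user src")
Alert = namedtuple("Alert", "kind src user ts detail")


def parse_log(text):
    """Yield an Event for each sshd auth line; unrelated lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield Event(datetime.fromisoformat(m["ts"]), m["host"], m["result"],
                    m["method"], m["user"], m["src"])


def detect(events, threshold=5, window=timedelta(seconds=60)):
    """Return alerts in log order.

    `threshold` failures from one source within `window` are flagged once as
    BRUTE_FORCE; any accepted login from a source with a failure inside `window`
    is flagged as SUCCESS_AFTER_FAILURES.
    """
    recent_failures = defaultdict(list)  # src -> failure timestamps inside the window
    flagged = set()
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        # Keep only failures from this source that are still inside the window.
        hist = [t for t in recent_failures[e.src] if e.ts - t <= window]
        if e.result == "Failed":
            hist.append(e.ts)
            if len(hist) >= threshold and e.src not in flagged:
                flagged.add(e.src)
                alerts.append(Alert("BRUTE_FORCE", e.src, e.user, e.ts,
                                    f"{len(hist)} failures within {window.seconds}s"))
        elif hist:  # an accepted login shortly after failures from the same source
            alerts.append(Alert("SUCCESS_AFTER_FAILURES", e.src, e.user, e.ts,
                                f"accepted via {e.method} after {len(hist)} recent failures"))
        recent_failures[e.src] = hist
    return alerts


def analyse(text, **kw):
    """Convenience wrapper: parse then detect, passing thresholds through."""
    return detect(parse_log(text), **kw)


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(f"{a.ts.isoformat()} {a.kind} src={a.src} user={a.user} ({a.detail})")
```

On the constructed sample the source 203.0.113.5 trips the burst threshold on its fifth failure and is then flagged again when a key-based login for "deploy" is accepted from the same address seconds later; the routine login from 198.51.100.7 and the single failure from 198.51.100.9 produce nothing. Raising the threshold so the burst is no longer flagged still leaves the success-after-failures alert, which is the point of tracking the two separately.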

Recommendation

If you have not already done so, why not carry out a recon of your business and apply the Basic CIS CSCs to your public-facing assets, to get an idea of just how many opportunities you might be providing to your attackers and just how large your public-facing attack surface is?

Remember that, no matter what type of business you are, if you have a digital footprint it may be providing the opening that your attacker is looking for.

  • Do you understand the risks from your Digital Footprint?

Conclusion

You only need to look at a map of the internet to appreciate just how many opportunities may be presented to today's cyber criminals. It takes only one of these opportunities, which the attackers have the skills to exploit, for them to launch an attack.

Within most businesses, the use of mobile or remote working technologies (as well as the use of business information systems) has exploded over the last decade. However, the traditional approach to defending an organisation fails to address the need to prioritise the defensive efforts. As a result, it can often feel like you are attempting to keep the plates spinning on top of a growing line of poles.

Once you've mastered keeping the public-facing plates spinning, you can then look to prioritise those high-risk internal business assets.

Jim Seaman

Business Information Security Officer (BISO) | Cyber Security & Risk Consultant | PCI DSS Compliance Specialist | Author | Speaker | MSc, CISM, CRISC, CDPSE | 20+ Years in Security Risk Management
