The Critical Security Controls
for
Effective Cyber Defense
Version 5.0
Contents

Introduction ... 3
CSC 1: Inventory of Authorized and Unauthorized Devices ... 8
CSC 2: Inventory of Authorized and Unauthorized Software ... 14
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers ... 19
CSC 4: Continuous Vulnerability Assessment and Remediation ... 27
CSC 5: Malware Defenses ... 33
CSC 6: Application Software Security ... 38
CSC 7: Wireless Access Control ... 43
CSC 8: Data Recovery Capability ... 48
CSC 9: Security Skills Assessment and Appropriate Training to Fill Gaps ... 51
CSC 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches ... 54
CSC 11: Limitation and Control of Network Ports, Protocols, and Services ... 58
CSC 12: Controlled Use of Administrative Privileges ... 62
CSC 13: Boundary Defense ... 68
CSC 14: Maintenance, Monitoring, and Analysis of Audit Logs ... 75
CSC 15: Controlled Access Based on the Need to Know ... 80
CSC 16: Account Monitoring and Control ... 84
CSC 17: Data Protection ... 89
CSC 18: Incident Response and Management ... 95
CSC 19: Secure Network Engineering ... 98
CSC 20: Penetration Tests and Red Team Exercises ... 101
Appendix A: Attack Types ... 105


Introduction
We are at a fascinating point in the evolution of what we now call cyber defense. Massive data losses, theft of intellectual property, credit card breaches, identity theft, threats to our privacy, denial of service - these have become a way of life for all of us in cyberspace.
Ironically, as defenders we have access to an extraordinary array of security tools and technology, security standards, training and classes, certifications, vulnerability databases, guidance, best practices, catalogs of security controls, and countless security checklists, benchmarks, and recommendations. To help us understand the threat, we've seen the emergence of threat information feeds, reports, tools, alert services, standards, and threat sharing schemes. And to tie it all together, we are surrounded by security requirements, risk management frameworks, compliance regimes, regulatory mandates, and so forth. There is no shortage of information available to security practitioners on how they should secure their infrastructure.
But all of this technology, information, and oversight has become a veritable "Fog of More": competing options, priorities, opinions, and claims that can paralyze or distract an enterprise from vital action. The threats have evolved, the actors have become smarter, and our users have become more mobile. Our data is now distributed across multiple locations, many of which are not within our organization's infrastructure anymore. With more reliance on clouds, our data and even our applications are becoming more distributed. The organizational network is now just one of the locations for users to access applications and data. And since in our complex, interconnected world no enterprise can think of its security as a standalone problem, this situation makes collective action nearly impossible.
So how can we as a community - the community at large, as well as within industries, sectors, partnerships, and coalitions - band together to establish priority of action, support each other, and keep our knowledge and technology current in the face of a rapidly evolving problem and an apparently infinite number of possible solutions? What are the most critical areas we need to address, and how should an enterprise take the first step to maturing their risk management program? Rather than chase every new exceptional threat and neglect the fundamentals, how can we get on track with a roadmap of fundamentals, and guidance to measure and improve? Which defensive steps have the greatest value?
These are the kinds of issues that led to and now drive the Critical Security Controls. They started as a grass-roots activity to cut through the "Fog of More" and focus on the most fundamental and valuable actions that every enterprise should take. And value here is determined by knowledge and data - the ability to prevent, alert, and respond to the attacks that are plaguing enterprises today.

The Critical Security Controls have matured into an international community activity to create, adopt, and support the Critical Security Controls. As a community, these individuals and institutions:
• share insight into attacks and attackers, identify root causes, and translate that into classes of defensive action;
• document stories of adoption and the use of tools to solve problems;
• track the evolution of threats, the capabilities of adversaries, and current vectors of intrusions;
• map the Controls to regulatory and compliance frameworks and bring collective priority and focus to them;
• share tools, working aids, and translations; and
• identify common problems (like initial assessment, building implementation roadmaps) and solve them as a community instead of alone.
These activities ensure that the Critical Security Controls are not just another list of good things to do, but a prioritized, highly focused set of actions that have a community-wide support network to make them implementable, usable, scalable, and compliant with all industry or government security requirements.

Why the Critical Security Controls Work: Methodology and Contributors
The Critical Security Controls reflect the combined knowledge of actual attacks and effective defenses of experts that include: every part of the ecosystem (companies, governments, individuals); with every role (threat responders and analysts, technologists, vulnerability-finders, tool makers, solution providers, defenders, users, policy-makers, auditors, etc.); and within many sectors (government, power, defense, finance, transportation, academia, consulting, security, IT) who have banded together to create, adopt, and support the Controls. Top experts from all these organizations pool their extensive first-hand knowledge from defending against actual cyber-attacks and develop a consensus list of the best defensive techniques to prevent or track them. This ensures that the Critical Security Controls are the most effective and specific set of technical measures available to detect, prevent, respond, and mitigate damage from the most common to the most advanced of those attacks.
The Controls are not limited to blocking the initial compromise of systems, but also address detecting already-compromised machines and preventing or disrupting attackers' follow-on actions. The defenses identified through these Controls deal with reducing the initial attack surface by hardening device configurations, identifying compromised machines to address long-term threats inside an organization's network, disrupting attackers' command-and-control of implanted malicious code, and establishing an adaptive, continuous defense and response capability that can be maintained and improved.

The Council on CyberSecurity was established in 2013 as an independent, expert, not-for-profit organization with a global scope committed to the security of an open Internet. The Council is committed to the ongoing development, support, and adoption of the Critical Controls; to elevating the competencies of the cybersecurity workforce; and to the development of policies that lead to measurable improvements in our ability to operate safely, securely and reliably in cyberspace. For additional information, go to www.counciloncybersecurity.org
The five critical tenets of an effective cyber defense system as reflected in the Critical Security Controls are:
1. Offense informs defense: Use knowledge of actual attacks that have compromised systems to provide the foundation to continually learn from these events to build effective, practical defenses. Include only those controls that can be shown to stop known real-world attacks.
2. Prioritization: Invest first in Controls that will provide the greatest risk reduction and protection against the most dangerous threat actors, and that can be feasibly implemented in your computing environment.
3. Metrics: Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quickly.
4. Continuous diagnostics and mitigation: Carry out continuous measurement to test and validate the effectiveness of current security measures, and to help drive the priority of next steps.
5. Automation: Automate defenses so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to the Controls and related metrics.

The Critical Security Controls and Other Risk Management Approaches
The Critical Security Controls allow you to use the power of an incredible community to prioritize and focus your resources on the most valuable defensive actions - but they are not a replacement for comprehensive mandatory compliance or regulatory schemes. The Critical Security Controls instead prioritize and focus on a smaller number of actionable controls with high payoff, aiming for a "must do first" philosophy. In fact, the actions specified by the Critical Security Controls are demonstrably a subset of any of the comprehensive security catalogs or Control lists.
Although lacking the formality of traditional Risk Management Frameworks, it seems reasonable to refer to the Critical Security Controls process as a "foundational risk assessment" - one that can be used by an individual enterprise as a starting point for immediate, high-value action, is demonstrably consistent with formal risk management frameworks, and provides a basis for common action across diverse communities (e.g., that might be subject to different regulatory or compliance requirements).
The Critical Security Controls also proactively align with and leverage ongoing work in security standards and best practices. Examples include: the Security Content Automation Program (SCAP) and Special Publication 800-53 (Recommended Security Controls for Federal Information Systems and Organizations) sponsored by the National Institute of Standards and Technology (NIST); the Australian Signals Directorate's "Top 35 Strategies to Mitigate Targeted Cyber Intrusions"; and the International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) 27002:2013 Information technology - Security techniques - Code of practice for information security controls. References and mappings to these can be found at www.counciloncybersecurity.org
How to get started
The Critical Security Controls are a relatively small number of prioritized, well-vetted, and supported set of security actions that organizations can take to assess and improve their current security state. It also changes the discussion from "what should my enterprise do" to "what should we ALL be doing" to improve security across a broad scale.
But it is not a one-size-fits-all solution, in either content or priority. You must still understand what is critical to your business, data, systems, networks, and infrastructures, and you must consider the adversary actions that could impact your ability to be successful in the business or operations. And even a relatively small number of Controls cannot be executed all at once, so you will need to develop a plan for assessment, implementation, and process management.
Some of the Critical Security Controls, in particular CSC 1 through CSC 5, are foundational to success, and should be considered as the first things to be done. This is the approach taken by, for example, the DHS Continuous Diagnostic and Mitigation (CDM) Program, one of the partners in the Critical Security Controls.
For those wanting a highly focused and direct starting point, we have emphasized the "First Five Quick Wins": sub-controls that have the most immediate impact on preventing attacks. These actions are specially noted in the Controls listings, and consist of:
1. application whitelisting (found in CSC 2);
2. use of standard, secure system configurations (found in CSC 3);
3. patch application software within 48 hours (found in CSC 4);
4. patch system software within 48 hours (found in CSC 4); and
5. reduced number of users with administrative privileges (found in CSC 3 and CSC 12).
A similar approach is recommended by our partners in the Australian Signals Directorate (ASD) with their "Top Four Strategies to Mitigate Targeted Intrusions"[1] - a well-regarded and demonstrably effective set of cyber-defense actions that map very closely into the Critical Security Controls and the "First Five Quick Wins".
Another approach is to learn from other enterprises that are part of the Critical Security Controls community. Use Cases of adoption, samples of Initial Assessment methodologies, mappings to formal Risk Management Frameworks, pointers to assessment tools, and many other working aids are available from the Council on CyberSecurity (www.counciloncybersecurity.com).

[1] http://www.asd.gov.au/infosec/top-mitigations/top-4-strategies-explained.htm
Structure of the Critical Security Controls Document
The presentation of each Critical Security Control in this document includes:
• A description of the importance of the Control in blocking or identifying presence of attacks and an explanation of how attackers actively exploit the absence of this control.
• Listing of the specific actions that organizations are taking to implement, automate, and measure effectiveness of this control. The sub-controls are grouped into four categories:
o Quick wins that provide significant risk reduction without major financial, procedural, architectural, or technical changes to an environment, or that provide such substantial and immediate risk reduction against very common attacks that most security-aware organizations prioritize these key controls.
o Visibility and attribution measures to improve the process, architecture, and technical capabilities of organizations to monitor their networks and computer systems to detect attack attempts, locate points of entry, identify already-compromised machines, interrupt infiltrated attackers' activities, and gain information about the sources of an attack.
o Improved information security configuration and hygiene to reduce the number and magnitude of security vulnerabilities and improve the operations of networked computer systems, with a focus on protecting against poor security practices by system administrators and end-users that could give an attacker an advantage.
o Advanced sub-controls that use new technologies or procedures that provide maximum security but are harder to deploy or more expensive or require more highly skilled staff than commoditized security solutions.
• Procedures and tools that enable implementation and automation.
• Metrics and tests to assess implementation status and effectiveness.
• Sample entity relationship diagrams that show components of implementation.

CSC 1: Inventory of Authorized and Unauthorized Devices
Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.

Why Is This Control Critical?
Attackers, who can be located anywhere in the world, are continuously scanning the address space of target organizations, waiting for new and unprotected systems to be attached to the network. Attackers also look for devices (especially laptops) which come and go off of the enterprise's network, and so get out of synch with patches or security updates. Attacks can take advantage of new hardware that is installed on the network one evening but not configured and patched with appropriate security updates until the following day. Even devices that are not visible from the Internet can be used by attackers who have already gained internal access and are hunting for internal jump points or victims. Additional systems that connect to the enterprise's network (e.g., demonstration systems, temporary test systems, guest networks) should also be managed carefully and/or isolated in order to prevent adversarial access from affecting the security of enterprise operations.
As new technology continues to come out, BYOD (bring your own device), where employees bring personal devices into work and connect them to the network, is becoming very common. These devices could already be compromised and be used to infect internal resources.
Managed control of all devices also plays a critical role in planning and executing system backup and recovery.
How to Implement This Control
ID # / Description / Category

CSC 1-1 (Quick win): Deploy an automated asset inventory discovery tool and use it to build a preliminary asset inventory of systems connected to an organization's public and private network(s). Both active tools that scan through network address ranges and passive tools that identify hosts based on analyzing their traffic should be employed.

CSC 1-2 (Quick win): Deploy dynamic host configuration protocol (DHCP) server logging, and utilize a system to improve the asset inventory and help detect unknown systems through this DHCP information.

CSC 1-3 (Quick win): Ensure that all equipment acquisitions automatically update the inventory system as new, approved devices are connected to the network.

CSC 1-4 (Visibility/Attribution): Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device. The inventory should include every system that has an Internet protocol (IP) address on the network, including but not limited to desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, Voice Over-IP telephones, multi-homed addresses, virtual addresses, etc. The asset inventory created must also include data on whether the device is a portable and/or personal device. Devices such as mobile phones, tablets, laptops, and other portable electronic devices that store or process data must be identified, regardless of whether they are attached to the organization's network.

CSC 1-5 (Configuration/Hygiene): Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network. The 802.1x must be tied into the inventory data to determine authorized versus unauthorized systems.

CSC 1-6 (Configuration/Hygiene): Deploy network access control (NAC) to monitor authorized systems so if attacks occur, the impact can be remediated by moving the untrusted system to a virtual local area network that has minimal access.

CSC 1-7 (Advanced): Utilize client certificates to validate and authenticate systems prior to connecting to the private network.

CSC 1 Procedures and Tools
This Control requires both technical and procedural actions, united in a process that accounts for and manages the inventory of hardware and all associated information throughout its life-cycle. It links to the business by establishing information/asset owners who are responsible for each component of a business process that includes information, software, and hardware. Organizations can use large-scale, comprehensive enterprise products to maintain IT asset inventories. Others use more modest tools to gather the data by sweeping the network, and manage the results separately in a database.
Maintaining a current and accurate view of IT assets is an ongoing and dynamic process. Organizations can actively scan on a regular basis, sending a variety of different packet types to identify devices connected to the network. Before such scanning can take place, organizations should verify that they have adequate bandwidth for such periodic scans by consulting load history and capacities for their networks. In conducting inventory scans, scanning tools could send traditional ping packets (ICMP Echo Request) looking for ping responses to identify a system at a given IP address. Because some systems block inbound ping packets, in addition to traditional pings, scanners can also identify devices on the network using transmission control protocol (TCP) synchronize (SYN) or acknowledge (ACK) packets. Once they have identified IP addresses of devices on the network, some scanners provide robust fingerprinting features to determine the operating system type of the discovered machine.
In addition to active scanning tools that sweep the network, other asset identification tools passively listen on network interfaces looking for devices to announce their presence by sending traffic. Such passive tools can be connected to switch span ports at critical places in the network to view all data flowing through such switches, maximizing the chance of identifying systems communicating through those switches.
Many organizations also pull information from network assets such as switches and routers regarding the machines connected to the network. Using securely authenticated and encrypted network management protocols, tools can retrieve MAC addresses and other information from network devices that can be reconciled with the organization's asset inventory of servers, workstations, laptops, and other devices. Once MAC addresses are confirmed, switches should implement 802.1x and NAC to only allow authorized systems that are properly configured to connect to the network.
Wireless devices (and wired laptops) may periodically join a network and then disappear, making the inventory of currently available systems churn significantly. Likewise, virtual machines can be difficult to track in asset inventories when they are shut down or paused. Additionally, remote machines accessing the network using virtual private network (VPN) technology may appear on the network for a time, and then be disconnected from it. Whether physical or virtual, each machine using an IP address should be included in an organization's asset inventory.
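The DHCP-logging and inventory-reconciliation steps described above (CSC 1-2 and CSC 1-4), together with the first effectiveness metric (minutes to detect a new device), as an added Python example that is not part of the Controls document or of any vendor tool: it parses constructed dhcpd-style DHCPACK lines, matches each MAC address against a constructed inventory, and reports unknown devices with the time elapsed until the alert. The log format, the inventory fields, and every host name, address and MAC are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log. The line shape imitates ISC dhcpd syslog output; the
# hosts, MACs and addresses are invented for this example.
SAMPLE_DHCP_LOG = """\
Mar  4 08:02:11 dhcp1 dhcpd: DHCPACK on 10.0.1.23 to 00:11:22:33:44:55 (fin-ws-17) via eth0
Mar  4 08:05:40 dhcp1 dhcpd: DHCPACK on 10.0.1.88 to de:ad:be:ef:00:01 (android-9f3c) via eth0
Mar  4 08:07:02 dhcp1 dhcpd: DHCPACK on 10.0.2.10 to 00:11:22:33:44:66 via eth1
Mar  4 08:07:03 dhcp1 dhcpd: DHCPREQUEST for 10.0.2.10 from 00:11:22:33:44:66 via eth1
"""

# Constructed inventory keyed by MAC, carrying the fields CSC 1-4 asks for
# (name, purpose, owner, department, portable/personal flag).
INVENTORY = {
    "00:11:22:33:44:55": {"name": "fin-ws-17", "purpose": "workstation",
                          "owner": "J. Doe", "dept": "Finance", "portable": False},
    "00:11:22:33:44:66": {"name": "app-srv-02", "purpose": "application server",
                          "owner": "Platform team", "dept": "IT", "portable": False},
}

ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (?P<ip>[\d.]+) "
    r"to (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


@dataclass
class Lease:
    seen: datetime
    ip: str
    mac: str
    hostname: str
    iface: str


def parse_dhcp_acks(text, year=2014):
    """Return one Lease per DHCPACK line (syslog lines carry no year, so it is supplied)."""
    leases = []
    for line in text.splitlines():
        m = ACK_RE.match(line)
        if not m:  # DHCPREQUEST/DISCOVER etc. carry no confirmed address assignment
            continue
        seen = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        leases.append(Lease(seen, m["ip"], m["mac"].lower(), m["host"] or "", m["iface"]))
    return leases


def reconcile(leases, inventory, alert_time):
    """Split leases into known devices and alerts for devices absent from the inventory.

    Each alert records minutes from the lease to alert_time, which is the first
    CSC 1 effectiveness metric (time to detect a new device).
    """
    known, alerts = [], []
    for lease in leases:
        record = inventory.get(lease.mac)
        if record is not None:
            known.append({**record, "ip": lease.ip, "mac": lease.mac})
        else:
            minutes = (alert_time - lease.seen).total_seconds() / 60
            alerts.append({"ip": lease.ip, "mac": lease.mac, "hostname": lease.hostname,
                           "iface": lease.iface, "detect_minutes": minutes})
    return known, alerts


def within_test_window(alerts, max_minutes=24 * 60):
    """CSC 1 effectiveness test: every unknown device must be alerted on within 24 hours."""
    return all(a["detect_minutes"] <= max_minutes for a in alerts)


def run_sample(alert_time="2014-03-04 08:20:00"):
    """Run the pipeline over the constructed log; alert_time stands in for the alert system's clock."""
    leases = parse_dhcp_acks(SAMPLE_DHCP_LOG)
    known, alerts = reconcile(leases, INVENTORY,
                              datetime.strptime(alert_time, "%Y-%m-%d %H:%M:%S"))
    return leases, known, alerts


if __name__ == "__main__":
    _, known, alerts = run_sample()
    for k in known:
        print(f"known    {k['ip']:<12} {k['mac']} {k['name']} owner={k['owner']} dept={k['dept']}")
    for a in alerts:
        print(f"UNKNOWN  {a['ip']:<12} {a['mac']} host={a['hostname']!r} "
              f"via {a['iface']} detected after {a['detect_minutes']:.1f} min")
```

The unknown lease here is the personal (BYOD) device the text warns about; in production the reconciliation key would also be checked against 802.1x/NAC session data rather than DHCP alone.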
CSC 1 Effectiveness Metrics
In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:
1. How long does it take to detect new devices added to the organization's network (time in minutes)?
2. How long does it take the scanners to alert the organization's administrators that an unauthorized device is on the network (time in minutes)?
3. How long does it take to isolate/remove unauthorized devices from the organization's network (time in minutes)?
4. Are the scanners able to identify the location, department, and other critical details about the unauthorized system that is detected (yes or no)?

CSC 1 Automation Metrics
In order to automate the collection of relevant data from these systems, organizations should gather the following information with automated technical sensors:
1. How many unauthorized devices are presently on the organization's network (by business unit)?
2. How long, on average, does it take to remove unauthorized devices from the organization's network (by business unit)?
3. What is the percentage of systems on the organization's network that are not utilizing Network Access Control (NAC) to authenticate to the organization's network (by business unit)?
4. What is the percentage of systems on the organization's network that are not utilizing Network Access Control (NAC) with client certificates to authenticate to the organization's network (by business unit)?
CSC 1 Effectiveness Test
To evaluate the implementation of Control 1 on a periodic basis, the evaluation team will connect hardened test systems to at least 10 locations on the network, including a selection of subnets associated with demilitarized zones (DMZs), workstations, and servers. Two of the systems must be included in the asset inventory database, while the other systems are not. The evaluation team must then verify that the systems generate an alert or e-mail notice regarding the newly connected systems within 24 hours of the test machines being connected to the network. The evaluation team must verify that the system provides details of the location of all the test machines connected to the network. For those test machines included in the asset inventory, the team must also verify that the system provides information about the asset owner.
CSC 1 System Entity Relationship Diagram
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.

A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining hardware devices on the organization's network. These systems should be able to identify if new systems are introduced into the environment that have not been authorized by enterprise personnel. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.
Step 1: Active device scanner scans network systems
Step 2: Passive device scanner captures system information
Step 3: Active scanner reports to inventory database
Step 4: Passive scanner reports to inventory database
Step 5: Inventory database stored offline
Step 6: Inventory database initiates alert system
Step 7: Alert system notifies security defenders
Step 8: Security defenders monitor and secure inventory database
Step 9: Security defenders update secure inventory database
Step 10: Network access control continuously monitors network
Step 11: Network access control checks and provides updates to the asset inventory database.


CSC 2: Inventory of Authorized and Unauthorized Software
Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

Why Is This Control Critical?
Attackers continuously scan target organizations looking for vulnerable versions of software that can be remotely exploited. Some attackers also distribute hostile web pages, document files, media files, and other content via their own web pages or otherwise trustworthy third-party sites. When unsuspecting victims access this content with a vulnerable browser or other client-side program, attackers compromise their machines, often installing backdoor programs and bots that give the attacker long-term control of the system. Some sophisticated attackers may use zero-day exploits, which take advantage of previously unknown vulnerabilities for which no patch has yet been released by the software vendor. Without proper knowledge or control of the software deployed in an organization, defenders cannot properly secure their assets.
Poorly controlled machines are more likely to be either running software that is unneeded for business purposes, introducing potential security flaws, or running malware introduced by an attacker after a system is compromised. Once a single machine has been exploited, attackers often use it as a staging point for collecting sensitive information from the compromised system and from other systems connected to it. In addition, compromised machines are used as a launching point for movement throughout the network and partnering networks. In this way, attackers may quickly turn one compromised machine into many. Organizations that do not have complete software inventories are unable to find systems running vulnerable or malicious software to mitigate problems or root out attackers.
Managed control of all software also plays a critical role in planning and executing system backup and recovery.
How to Implement This Control
ID # / Description / Category

CSC 2-1 (Quick win, one of the "First Five"): Deploy application whitelisting technology that allows systems to run software only if it is included on the whitelist and prevents execution of all other software on the system. The whitelist may be very extensive (as is available from commercial whitelist vendors), so that users are not inconvenienced when using common software. Or, for some special-purpose systems (which require only a small number of programs to achieve their needed business functionality), the whitelist may be quite narrow. When protecting systems with customized software that may be seen as difficult to whitelist, use item 8 below (isolating the custom software in a virtual operating system that does not retain infections).

CSC 2-2 (Quick win): Devise a list of authorized software and version that is required in the enterprise for each type of system, including servers, workstations, and laptops of various kinds and uses. This list should be monitored by file integrity checking tools to validate that the authorized software has not been modified.

CSC 2-3 (Quick win): Perform regular scanning for unauthorized software and generate alerts when it is discovered on a system. A strict change-control process should also be implemented to control any changes or installation of software to any systems on the network. This includes alerting when unrecognized binaries (executable files, DLLs and other libraries, etc.) are found on a system, even inside of compressed archives. This includes checking for unrecognized or altered versions of software by comparing file hash values (attackers often utilize altered versions of known software to perpetrate attacks, and file hash comparisons will reveal the compromised software components).

CSC 2-4 (Visibility/Attribution): Deploy software inventory tools throughout the organization covering each of the operating system types in use, including servers, workstations, and laptops. The software inventory system should track the version of the underlying operating system as well as the applications installed on it. Furthermore, the tool should record not only the type of software installed on each system, but also its version number and patch level.

CSC 2-5 (Visibility/Attribution): The software inventory systems must be integrated with the hardware asset inventory so that all devices and associated software are tracked from a single location.

CSC 2-6 (Configuration/Hygiene): Dangerous file types (e.g., .exe, .zip, .msi) should be closely monitored and/or blocked.

CSC 2-7 (Advanced): Virtual machines and/or air-gapped systems should be used to isolate and run applications that are required for business operations but based on higher risk should not be installed within a networked environment.

CSC 2-8 (Advanced): Configure client workstations with non-persistent, virtualized operating environments that can be quickly and easily restored to a trusted snapshot on a periodic basis.

CSC 2-9 (Advanced): Deploy software that only provides signed software ID tags. A software identification tag is an XML file that is installed alongside software and uniquely identifies the software, providing data for software inventory and asset management.

CSC 2 Procedures and Tools
Whitelisting can be implemented using commercial whitelisting tools or application
execution control tools that come with anti-virus suites and with Windows. Commercial
software and asset inventory tools are widely available and in use in many enterprises
today. The best of these tools provide an inventory check of hundreds of common
applications used in enterprises, pulling information about the patch level of each
installed program to ensure that it is the latest version and leveraging standardized
application names, such as those found in the Common Platform Enumeration (CPE)
specification.
Features that implement whitelists of programs allowed to run are included in many
modern endpoint security suites. Moreover, commercial solutions are increasingly
bundling together anti-virus, anti-spyware, personal firewall, and host-based intrusion
detection systems (IDS) and intrusion prevention systems (IPS), along with application
white and black listing. In particular, most endpoint security solutions can look at the
name, file system location, and/or cryptographic hash of a given executable to
determine whether the application should be allowed to run on the protected machine.
Of these attributes, only the hash cannot be satisfied simply by renaming a binary or
dropping it into an approved directory; name- and path-based rules are convenient but
must be paired with restrictive write permissions on the approved paths, while
hash-based rules must be updated whenever approved software is patched.
The most effective of these tools offer custom whitelists based on executable path, hash,
or regular expression matching. Some even include a gray list function that allows
administrators to define rules for execution of specific programs only by certain users
and at certain times of day.
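The hash comparison that CSC 2-3 calls for, and the hash-based matching described above, as an added Python example (not code from this document or from any whitelisting product): it walks a directory, hashes every binary, looks inside .zip archives, and reports binaries that are either absent from the approved list or present under an approved name with a different hash. The allowlist, the extension set, the directory layout and the file contents are constructed for the demonstration; the "MZ" byte strings stand in for real executables.

```python
"""Hash-based check for unrecognized or altered binaries (CSC 2-3).

Added example; not code from the Critical Security Controls document.
The allowlist, extension set and the files built by run_demo() are constructed.
"""
import hashlib
import os
import tempfile
import zipfile
from typing import Dict, Iterator, Optional, Set, Tuple

# Extensions treated as binaries worth checking (constructed list).
BINARY_EXTENSIONS = {".exe", ".dll", ".so", ".msi", ".bin"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def iter_binaries(root: str) -> Iterator[Tuple[str, bytes]]:
    """Yield (display_path, content) for each binary under root. Members of
    .zip archives are yielded as 'archive.zip!member' so that a binary
    hidden inside an archive is examined like any other."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext == ".zip":
                with zipfile.ZipFile(path) as zf:
                    for member in zf.namelist():
                        if os.path.splitext(member)[1].lower() in BINARY_EXTENSIONS:
                            yield f"{path}!{member}", zf.read(member)
            elif ext in BINARY_EXTENSIONS:
                with open(path, "rb") as fh:
                    yield path, fh.read()


def classify(display_path: str, data: bytes,
             allowlist: Dict[str, Set[str]]) -> Optional[str]:
    """None if file name and hash are both approved; 'altered' if the name is
    approved but the hash is not (a modified copy of known software);
    'unrecognized' if the name is not on the list at all."""
    # The part after '!' is the archive member; basename gives the file name.
    name = os.path.basename(display_path.split("!")[-1]).lower()
    approved_hashes = allowlist.get(name)
    if approved_hashes is None:
        return "unrecognized"
    return None if sha256_hex(data) in approved_hashes else "altered"


def scan(root: str, allowlist: Dict[str, Set[str]]) -> Dict[str, str]:
    """Map each offending binary under root to its verdict."""
    findings = {}
    for display_path, data in iter_binaries(root):
        verdict = classify(display_path, data, allowlist)
        if verdict is not None:
            findings[display_path] = verdict
    return findings


def run_demo() -> Dict[str, str]:
    """Build a throwaway tree (approved binary, unknown binary, and an altered
    copy of the approved binary inside a zip) and scan it. Paths in the result
    are relative to the tree and use '/' separators."""
    approved = b"MZ approved build of tool.exe"     # stands in for a real PE file
    tampered = approved + b"\x90\x90"                 # same name, patched bytes
    allowlist = {"tool.exe": {sha256_hex(approved)}}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "tool.exe"), "wb") as fh:
            fh.write(approved)
        with open(os.path.join(root, "bin", "dropper.exe"), "wb") as fh:
            fh.write(b"MZ not on the list")
        with zipfile.ZipFile(os.path.join(root, "update.zip"), "w") as zf:
            zf.writestr("payload/tool.exe", tampered)
            zf.writestr("README.txt", "non-binary members are ignored")
        findings = scan(root, allowlist)
    # Strip the temporary prefix so the result is stable.
    return {p[len(root) + 1:].replace(os.sep, "/"): v for p, v in findings.items()}


if __name__ == "__main__":
    for path, verdict in sorted(run_demo().items()):
        print(f"{verdict:12s} {path}")
```

The approved copy of tool.exe produces no finding; the unknown dropper.exe is reported as unrecognized, and the patched copy of tool.exe inside update.zip is reported as altered even though its name is on the list, which is exactly the case a name- or path-only rule would miss.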
CSC 2 Effectiveness Metrics
In order to test the effectiveness of the automated implementation of this control,
organizations should measure the following:
1. How long does it take to detect new software installed on systems in the
organization (time in minutes).
2. How long does it take the scanners to alert the organization's administrators
that an unauthorized software application is on a system (time in minutes).
3. How long does it take to alert that a new software application has been
discovered (time in minutes).
4. Are the scanners able to identify the location, department, and other critical
details about the unauthorized software that is detected (yes or no).
CSC 2 Automation Metrics
In order to automate the collection of relevant data from these systems, organizations
should gather the following information with automated technical sensors:
1. How many unauthorized software applications are presently located on business
systems within the organization (by business unit).
2. How long, on average, does it take to remove unauthorized applications from
business systems within the organization (by business unit).
3. What is the percentage of the organization's business systems that are not
running software whitelisting software that blocks unauthorized software
applications (by business unit).
4. How many software applications have been recently blocked from executing by
the organization's software whitelisting software (by business unit).
CSC 2 Effectiveness Test
To evaluate the implementation of Control 2 on a periodic basis, the evaluation team
must move a benign software test program that is not included in the authorized
software list to 10 systems on the network. Two of the systems must be included in the
asset inventory database, while the other systems do not need to be included. The
evaluation team must then verify that the systems generate an alert or e-mail notice
regarding the new software within 24 hours. The team must also verify that the alert or
e-mail is received within one additional hour indicating that the software has been
blocked or quarantined. The evaluation team must verify that the system provides
details of the location of each machine with this new test software, including
information about the asset owner. The evaluation team must then verify that the
software is blocked by attempting to execute it and verifying that the software is not
allowed to run.
On systems where blocking is not allowed or blocking functionality is not available, the
team must verify that the execution of unauthorized software is detected and results in
a notification to alert the security team that unauthorized software is being used.
CSC 2 System Entity Relationship Diagram
Organizations will find that by diagramming the entities necessary to fully meet the
goals defined in this control, it will be easier to identify how to implement them, test the
controls, and identify where potential failures in the system might occur.
A control system is a device or set of devices to manage, command, direct, or regulate
the behavior of other devices or systems. In this case, we are examining software
installed on the organization's network systems. These systems should be able to
identify if new software is introduced to the environment that has not been authorized
by enterprise personnel. The following list of the steps in the above diagram shows how
the entities work together to meet the business goal defined in this control. The list also
delineates each of the process steps in order to help identify potential failure points in
the overall control.
Step 1: Active device scanner
Step 2: Active scanner reports to inventory database
Step 3: Inventory database compares to inventory baseline
Step 4: Inventory database initiates alerting system
Step 5: Alert system notifies security defenders
Step 6: Security defenders monitor and secure inventory database
Step 7: Security defenders update software inventory database
Step 8: Whitelisting tool continuously monitors all systems on the network
Step 9: Whitelisting checks and makes updates to the software inventory database.

CSC 3: Secure Configurations for Hardware and Software on Mobile
Devices, Laptops, Workstations, and Servers
Establish, implement, and actively manage (track, report on, correct) the
security configuration of laptops, servers, and workstations using a rigorous
configuration management and change control process in order to prevent
attackers from exploiting vulnerable services and settings.
Why Is This Control Critical?
As delivered by manufacturers and resellers, the default configurations for operating
systems and applications are normally geared to ease-of-deployment and ease-of-use,
not security. Basic controls, open services and ports, default accounts or passwords,
older (vulnerable) protocols, pre-installation of unneeded software; all can be
exploitable in their default state.
Developing configuration settings with good security properties is a complex task
beyond the ability of individual users, requiring analysis of potentially hundreds or
thousands of options in order to make good choices. Even if a strong initial
configuration is developed and installed, it must be continually managed to avoid
security "decay" as software is updated or patched, new security vulnerabilities are
reported, and configurations are "tweaked" to allow the installation of new software or
support new operational requirements. If not, attackers will find opportunities to
exploit both network-accessible services and client software.
How to Implement This Control
ID #  Description  [Category]

CSC 3-1 [Quick win (One of the "First Five")]
Establish and ensure the use of standard secure configurations of your operating
systems. Standardized images should represent hardened versions of the underlying
operating system and the applications installed on the system. Hardening typically
includes: removal of unnecessary accounts (including service accounts), disabling or
removal of unnecessary services, configuring non-executable stacks and heaps, applying
patches, closing open and unused network ports, implementing intrusion detection
systems and/or intrusion prevention systems, and use of host-based firewalls. These
images should be validated and refreshed on a regular basis to update their security
configuration in light of recent vulnerabilities and attack vectors.

CSC 3-2 [Quick win (One of the "First Five")]
Implement automated patching tools and processes for both applications and for
operating system software. When outdated systems can no longer be patched, update to
the latest version of application software. Remove outdated, older, and unused
software from the system.

CSC 3-3 [Quick win (One of the "First Five")]
Limit administrative privileges to very few users who have both the knowledge
necessary to administer the operating system and a business need to modify the
configuration of the underlying operating system. This will help prevent installation
of unauthorized software and other abuses of administrator privileges.

CSC 3-4 [Quick win]
Follow strict configuration management, building a secure image that is used to build
all new systems that are deployed in the enterprise. Any existing system that becomes
compromised should be re-imaged with the secure build. Regular updates or exceptions
to this image should be integrated into the organization's change management
processes. Images should be created for workstations, servers, and other system types
used by the organization.

CSC 3-5 [Quick win]
Store the master images on securely configured servers, validated with integrity
checking tools capable of continuous inspection, and change management to ensure
that only authorized changes to the images are possible. Alternatively, these master
images can be stored on offline machines, air-gapped from the production network,
with images copied via secure media to move them between the image storage servers
and the production network.

CSC 3-6 [Visibility/Attribution]
Negotiate contracts to buy systems configured securely out of the box using
standardized images, which should be devised to avoid extraneous software that would
increase their attack surface and susceptibility to vulnerabilities.

CSC 3-7 [Configuration/Hygiene]
Do all remote administration of servers, workstations, network devices, and similar
equipment over secure channels. Protocols such as telnet, VNC, and others that do not
actively support strong encryption (including RDP where it is not configured to require
TLS) should only be used if they are tunneled over a secondary encrypted channel, such
as SSL/TLS or IPsec.

CSC 3-8 [Configuration/Hygiene]
Utilize file integrity checking tools to ensure that critical system files (including
sensitive system and application executables, libraries, and configurations) have not
been altered. All alterations to such files should be automatically reported to security
personnel. The reporting system should have the ability to account for routine and
expected changes, highlighting unusual or unexpected alterations.
For investigative support, the reporting system should be able to show the history of
configuration changes over time and identify who made the change (including the
original logged-in account in the event of a user ID switch, such as with the su or
sudo command). These integrity checks should also identify suspicious system
alterations such as owner and permissions changes to files or directories; the use of
alternate data streams which could be used to hide malicious activities; as well as
detecting the introduction of extra files into key system areas (which could indicate
malicious payloads left by attackers or additional files inappropriately added during
batch distribution processes).

CSC 3-9 [Advanced]
Implement and test an automated configuration monitoring system that measures all
secure configuration elements that can be measured through remote testing using
features such as those included with tools compliant with the Security Content
Automation Protocol (SCAP), and alerts when unauthorized changes occur. This
includes detecting new listening ports, new administrative users, changes to group and
local policy objects (where applicable), and new services running on a system.

CSC 3-10 [Configuration/Hygiene]
Deploy system configuration management tools, such as Active Directory Group Policy
Objects for Microsoft Windows systems or Puppet for UNIX systems, that will
automatically enforce and redeploy configuration settings to systems at regularly
scheduled intervals. They should be capable of triggering redeployment of
configuration settings on a scheduled, manual, or event-driven basis.

CSC 3 Procedures and Tools
Rather than start from scratch developing a security baseline for each software system,
organizations should start from publicly developed, vetted, and supported security
benchmarks, security guides, or checklists. Excellent resources include:
The Center for Internet Security Benchmarks Program (www.cisecurity.org)
The NIST National Checklist Program (checklists.nist.gov)

Organizations should augment or adjust these baselines to satisfy local policies and
requirements, but deviations and rationale should be documented to facilitate later
reviews or audits.
For a complex enterprise, the establishment of a single security baseline configuration
(for example, a single installation image for all workstations across the entire
enterprise) is sometimes not practical or deemed unacceptable. It is likely that you will
need to support different standardized images, based on the proper hardening to
address risks and needed functionality of the intended deployment (for example, a web
server in the DMZ vs. an email or other application server in the internal network). The
number of variations should be kept to a minimum in order to better understand and
manage the security properties of each, but organizations then must be prepared to
manage multiple baselines.
Commercial and/or free configuration management tools can then be employed to
measure the settings of operating systems and applications of managed machines to
look for deviations from the standard image configurations. Typical configuration
management tools use some combination of: an agent installed on each managed
system, or agentless inspection of systems by remotely logging in to each managed
machine using administrator credentials. Additionally, a hybrid approach is sometimes
used whereby a remote session is initiated, a temporary or dynamic agent is deployed
on the target system for the scan, and then the agent is removed. Note that agentless
and hybrid inspection mean the scanning system holds administrator credentials for
every managed machine; that account should be dedicated to the scanner, restricted to
the scanner's addresses, and its use logged, just as CSC 4-3 and CSC 4-6 require for
authenticated vulnerability scans.
CSC 3 Effectiveness Metrics
In order to test the effectiveness of the automated implementation of this control,
organizations should measure the following:
1. How long does it take to detect configuration changes to a network system (time
in minutes).
2. How long does it take the scanners to alert the organization's administrators
that an unauthorized configuration change has occurred (time in minutes).
3. How long does it take to block/quarantine unauthorized changes on network
systems (time in minutes).
4. Are the scanners able to identify the location, department, and other critical
details about the systems where unauthorized changes occurred (yes or no).
5. Are the scanners able to trigger different notification workflows based on the
severity of the configuration variance detected (yes or no).
For all of the above, consider that system priority, service level commitments, system
role, and other factors may drive varying objectives for scan frequency and alert time
frames on different systems. Ensure that the rationale for these classifications is clear,
consistent, documented, and consistently applied. Verify that target detection and
notification results are aligned with service level commitments and policies for each
class of system.
CSC 3 Automation Metrics
In order to automate the collection of relevant data from these systems, the
organization should gather the following information with automated technical
sensors:
1. What is the percentage of business systems that are not currently configured
with a security configuration that matches the organization's approved
configuration standard (by business unit).
2. What is the percentage of business systems whose security configuration is not
enforced by the organization's technical configuration management applications
(by business unit).
3. What is the percentage of business systems that are not up to date with the latest
available operating system software security patches (by business unit).
4. What is the percentage of business systems that are not up to date with the latest
available business software application security patches (by business unit).
5. What is the percentage of business systems not protected by file integrity
assessment software applications (by business unit).
6. What is the percentage of unauthorized or undocumented changes with security
impact (by business unit).
CSC 3 Effectiveness Test
To evaluate the implementation of Control 3 on a periodic basis, an evaluation team
must move a benign test system that does not contain the official hardened image, but
that does contain additional services, ports, and configuration file changes, onto the
network. This must be performed on 10 different random segments using either real or
virtual systems. The evaluation team must then verify that the systems generate an
alert regarding the changes to the software within the target service window, or within
24 hours, whichever is less. It is important that the evaluation team verify that all
unauthorized changes have been detected. The team must also verify that the alert or
e-mail is received within one additional hour indicating that the software has been
blocked or quarantined. The evaluation team must verify that the system provides
details of the location of each machine with the unauthorized changes, including
information about the asset owner.
The evaluation team must also introduce undocumented out-of-band configuration
settings and binaries using real or virtual systems on 10 random segments. The test
should include making a non-persistent change, in which a change is introduced to the
primary program location (bin, Program Files, etc.), left in place for 30-60 minutes,
then reverted to the original configuration. Note the implication for monitoring
design: a change that exists for only 30-60 minutes can be caught only by a check that
runs more often than that, or by event-driven (real-time) file monitoring; a daily scan
will miss it entirely.
The evaluation team must verify that all configuration changes and binaries are
detected, and that there is a record of the non-persistent changes mentioned above.
The detection data should include the nature of the change made (addition, removal,
alteration, owner, permissions, contents, etc.), as well as the user account that made the
change.
The evaluation team must also verify that unauthorized software is blocked by
attempting to execute it and verifying that it is not allowed to run. On systems where
blocking is not allowed or blocking functionality is not available, the team must verify
that the execution of unauthorized software is detected and results in a notification to
alert the security team that unauthorized software is being used.
In addition to these tests, the following tests must be performed:
1. File integrity checking tools must be run on a regular basis. Any changes to
critical operating system, services, and configuration files must be checked on an
hourly basis. Any changes must be detected and either blocked or trigger an
alert that follows the above notification process.
2. Detection software must detect the disabling of system logging, as well as the
truncation, modification or deletion of log files. Note that growth of logs should
not trigger notifications, but suspicious changes associated with malicious
activities should; examples include deletion or truncation of logs, modification of
past log events, owner or permission changes, etc. Any inappropriate changes to
logs must trigger an alert that follows the above notification process.
3. System scanning tools that check for software version, patch levels, and
configuration files must be run on a daily basis. Any changes must be detected
and either blocked or trigger an alert that follows the above notification process.
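A baseline-and-compare integrity check of the kind CSC 3-8 and the tests above describe, as an added Python example (not code from this document or from any integrity-checking product). It records hash, size, permission bits and owner for every file, classifies each difference as an addition, removal, contents, permissions or owner change, and treats log files the way test 2 requires: append-only growth is not reported, while truncation or a rewrite of entries that were already there is. The directory tree, the file contents and the rule that anything under var/log/ or ending in .log is a log file are constructed for the demonstration; it assumes a POSIX filesystem so that chmod changes are visible, and an ownership change (which needs privileges the demo does not have) would be reported as "owner".

```python
"""Baseline-and-compare file integrity check with change classification (CSC 3-8).

Added example; not code from the Critical Security Controls document.
The tree built by run_demo(), its contents and the log-file rule are constructed.
Assumes a POSIX filesystem (permission bits are compared).
"""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List

Snapshot = Dict[str, dict]


def record(path: str) -> dict:
    """Hash, size, permission bits and owner of one regular file."""
    st = os.lstat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"sha256": digest, "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}


def snapshot(root: str) -> Snapshot:
    """Relative path -> record for every regular file under root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                snap[os.path.relpath(full, root).replace(os.sep, "/")] = record(full)
    return snap


def is_log(rel: str) -> bool:
    # Constructed rule; a real deployment would take this from its policy.
    return rel.startswith("var/log/") or rel.endswith(".log")


def prefix_sha256(path: str, length: int) -> str:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read(length)).hexdigest()


def compare(baseline: Snapshot, current: Snapshot, root: str) -> Dict[str, List[str]]:
    """Classify every difference between two snapshots of root. For log files,
    append-only growth is expected and not reported; truncation, or a change to
    bytes that were already there, is."""
    changes = {}
    for rel in sorted(set(baseline) | set(current)):
        before, after = baseline.get(rel), current.get(rel)
        if before is None:
            changes[rel] = ["added"]
            continue
        if after is None:
            changes[rel] = ["removed"]
            continue
        kinds = []
        if (before["uid"], before["gid"]) != (after["uid"], after["gid"]):
            kinds.append("owner")
        if before["mode"] != after["mode"]:
            kinds.append("permissions")
        if before["sha256"] != after["sha256"]:
            if not is_log(rel):
                kinds.append("contents")
            elif after["size"] < before["size"]:
                kinds.append("log-truncated")
            elif prefix_sha256(os.path.join(root, rel), before["size"]) != before["sha256"]:
                kinds.append("log-rewritten")   # earlier entries were modified
        if kinds:
            changes[rel] = kinds
    return changes


def write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def run_demo() -> Dict[str, List[str]]:
    """Take a baseline, make the kinds of change an attacker or a sloppy batch
    job might make, and return what the comparison reports."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "etc/ssh/sshd_config", b"PermitRootLogin no\n")
        write(root, "etc/motd", b"authorized use only\n")
        write(root, "bin/ls", b"\x7fELF pretend binary")
        write(root, "var/log/auth.log", b"login ok\n")
        write(root, "var/log/syslog", b"line1\nline2\nline3\n")
        write(root, "var/log/app.log", b"old event 1\nold event 2\n")
        baseline = snapshot(root)

        write(root, "etc/ssh/sshd_config", b"PermitRootLogin yes\n")   # contents
        os.remove(os.path.join(root, "etc/motd"))                       # removed
        os.chmod(os.path.join(root, "bin/ls"), 0o4755)                  # setuid added
        write(root, "usr/local/bin/backdoor", b"\x7fELF dropped")        # added
        with open(os.path.join(root, "var/log/auth.log"), "ab") as fh:
            fh.write(b"login ok\n")                                      # normal growth
        write(root, "var/log/syslog", b"")                               # truncated
        write(root, "var/log/app.log", b"new event 1\nold event 2\n")   # past entry edited
        return compare(baseline, snapshot(root), root)


if __name__ == "__main__":
    for path, kinds in run_demo().items():
        print(f"{path}: {', '.join(kinds)}")
```

auth.log, which only grew, does not appear in the output; syslog (shrunk) and app.log (same size, earlier entry changed) do, which is the distinction test 2 above asks for. Attribution of the change to a user account, which the test also requires, needs an audit source such as auditd or the Windows Security log rather than a file snapshot.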
CSC 3 System Entity Relationship Diagram
Organizations will find that by diagramming the entities necessary to fully meet the goals
defined in this control, it will be easier to identify how to implement them, test the controls,
and identify where potential failures in the system might occur. As with any configurations,
all changes must be approved and managed by a change control process.

A control system is a device or set of devices to manage, command, direct, or regulate the
behavior of other devices or systems. In this case, we are examining the devices, software,
and entities used to manage and implement consistent configuration settings to workstations,
laptops, and servers on the network. The following list of the steps in the above diagram
shows how the entities work together to meet the business goal defined in this control. The
list also delineates each of the process steps in order to help identify potential failure points
in the overall control.
Step 1: Secured system images applied to computer systems
Step 2: Secured system images stored in a secure manner
Step 3: Configuration management system validates and checks system images
Step 4: Configuration policy enforcement system actively scans production systems for
misconfigurations or deviations from baselines
Step 5: File integrity assessment systems monitor critical system binaries and data sets
Step 6: Whitelisting tool monitors systems configurations and software

Step 7: SCAP configuration scanner validates configurations
Step 8: File integrity assessment system sends deviations to alerting system
Step 9: Whitelisting tool sends deviations to alerting system
Step 10: SCAP configuration scanner sends deviations to alerting system
Step 11 and 12: Management reports document configuration status.


CSC 4: Continuous Vulnerability Assessment and Remediation
Continuously acquire, assess, and take action on new information in order to
identify vulnerabilities, remediate, and minimize the window of opportunity for
attackers.
Why Is This Control Critical?
Cyber defenders must operate in a constant stream of new information: software
updates, patches, security advisories, threat bulletins, etc. Understanding and managing
vulnerabilities has become a continuous activity, requiring significant time, attention,
and resources.
Attackers have access to the same information, and can take advantage of gaps between
the appearance of new knowledge and remediation. For example, when new
vulnerabilities are reported by researchers, a race starts among all parties, including:
attackers (to "weaponize", deploy an attack, exploit); vendors (to develop and deploy
patches or signatures and updates); and defenders (to assess risk, regression-test
patches, install).
Organizations that do not scan for vulnerabilities and proactively address discovered
flaws face a significant likelihood of having their computer systems compromised.
Defenders face particular challenges in scaling remediation across an entire enterprise,
and in prioritizing actions with conflicting priorities and sometimes-uncertain side
effects.
How to Implement This Control
ID #  Description  [Category]

CSC 4-1 [Quick win (Supports the "First Five")]
Run automated vulnerability scanning tools against all systems on the network on a
weekly or more frequent basis and deliver prioritized lists of the most critical
vulnerabilities to each responsible system administrator along with risk scores that
compare the effectiveness of system administrators and departments in reducing risk.
Use a SCAP-validated vulnerability scanner that looks for both code-based
vulnerabilities (such as those described by Common Vulnerabilities and Exposures
entries) and configuration-based vulnerabilities (as enumerated by the Common
Configuration Enumeration Project).

CSC 4-2 [Quick win]
Correlate event logs with information from vulnerability scans to fulfill two goals.
First, personnel should verify that the activity of the regular vulnerability scanning
tools themselves is logged. Second, personnel should be able to correlate attack
detection events with earlier vulnerability scanning results to determine whether the
given exploit was used against a target known to be vulnerable.

CSC 4-3 [Quick win]
Perform vulnerability scanning in authenticated mode either with agents running
locally on each end system to analyze the security configuration or with remote
scanners that are given administrative rights on the system being tested. Use a
dedicated account for authenticated vulnerability scans, which should not be used for
any other administrative activities and should be tied to specific machines at specific
IP addresses. Ensure that only authorized employees have access to the vulnerability
management user interface and that roles are applied to each user.

CSC 4-4 [Quick win]
Subscribe to vulnerability intelligence services in order to stay aware of emerging
exposures, and use the information gained from this subscription to update the
organization's vulnerability scanning activities on at least a monthly basis.
Alternatively, ensure that the vulnerability scanning tools you use are regularly
updated with all relevant important security vulnerabilities.

CSC 4-5 [Visibility/Attribution]
Deploy automated patch management tools and software update tools for operating
system and software/applications on all systems for which such tools are available and
safe. Patches should be applied to all systems, even systems that are properly air
gapped.

CSC 4-6 [Visibility/Attribution]
Carefully monitor logs associated with any scanning activity and associated
administrator accounts to ensure that all scanning activity and associated access via
the privileged account is limited to the timeframes of legitimate scans.

CSC 4-7 [Configuration/Hygiene]
Compare the results from back-to-back vulnerability scans to verify that vulnerabilities
were addressed either by patching, implementing a compensating control, or
documenting and accepting a reasonable business risk. Such acceptance of business
risks for existing vulnerabilities should be periodically reviewed to determine if newer
compensating controls or subsequent patches can address vulnerabilities that were
previously accepted, or if conditions have changed, increasing the risk.

CSC 4-8 [Configuration/Hygiene]
Measure the delay in patching new vulnerabilities and ensure that the delay is equal to
or less than the benchmarks set forth by the organization. Alternative countermeasures
should be considered if patches are not available.

CSC 4-9 [Configuration/Hygiene]
Evaluate critical patches in a test environment before pushing them into production on
enterprise systems. If such patches break critical business applications on test
machines, the organization must devise other mitigating controls that block
exploitation on systems where the patch cannot be deployed because of its impact on
business functionality.

CSC 4-10 [Configuration/Hygiene]
Establish a process to risk-rate vulnerabilities based on the exploitability and potential
impact of the vulnerability, and segmented by appropriate groups of assets (for
example, DMZ servers, internal network servers, desktops, laptops). Apply patches for
the riskiest vulnerabilities first. A phased rollout can be used to minimize the impact to
the organization. Establish expected patching timelines based on the risk rating level.

CSC 4 Procedures and Tools
A large number of vulnerability scanning tools are available to evaluate the security
configuration of systems. Some enterprises have also found commercial services using
remotely managed scanning appliances to be effective. To help standardize the
definitions of discovered vulnerabilities in multiple departments of an organization or
even across organizations, it is preferable to use vulnerability scanning tools that
measure security flaws and map them to vulnerabilities and issues categorized using
one or more of the following industry-recognized vulnerability, configuration, and
platform classification schemes and languages: CVE, CCE, OVAL, CPE, CVSS, and/or
XCCDF.
Advanced vulnerability scanning tools can be configured with user credentials to log in
to scanned systems and perform more comprehensive scans than can be achieved
without login credentials. The frequency of scanning activities, however, should
increase as the diversity of an organization's systems increases to account for the
varying patch cycles of each vendor.
In addition to the scanning tools that check for vulnerabilities and misconfigurations
across the network, various free and commercial tools can evaluate security settings
and configurations of local machines on which they are installed. Such tools can provide
fine-grained insight into unauthorized changes in configuration or the inadvertent
introduction of security weaknesses by administrators.
Effective organizations link their vulnerability scanners with problem-ticketing systems
that automatically monitor and report progress on fixing problems, and that make
unmitigated critical vulnerabilities visible to higher levels of management to ensure the
problems are solved.
The most effective vulnerability scanning tools compare the results of the current scan
with previous scans to determine how the vulnerabilities in the environment have
changed over time. Security personnel use these features to conduct vulnerability
trending from month to month.
As vulnerabilities related to unpatched systems are discovered by scanning tools,
security personnel should determine and document the amount of time that elapses
between the public release of a patch for the system and the occurrence of the
vulnerability scan. If this time window exceeds the organization's benchmarks for
deployment of the given patch's criticality level, security personnel should note the
delay and determine if a deviation was formally documented for the system and its
patch. If not, the security team should work with management to improve the patching
process.
Additionally, some automated patching tools may not detect or install certain patches
due to an error by the vendor or administrator. Because of this, all patch checks should
reconcile system patches with a list of patches each vendor has announced on its
website.
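The back-to-back comparison (CSC 4-7), the patch-delay benchmark (CSC 4-8) and the risk rating by exploitability, impact and asset group (CSC 4-10) that this section describes, as an added Python example (not code from this document or from any scanner). It diffs two scan result sets into remediated, new and persistent findings, rates each persistent finding, and reports whether it is formally accepted, lacks a vendor patch (so needs a compensating control), is overdue against the benchmark for its risk level, or is within it. The findings with their CVE-TEST placeholder identifiers, the asset-group weights, the thresholds and the benchmark days are all constructed; a real program would take the scanner's CVSS scores and the organization's own benchmarks.

```python
"""Scan-to-scan comparison, risk rating and patch-delay benchmarks (CSC 4-7, 4-8, 4-10).

Added example; not code from the Critical Security Controls document or any scanner.
Findings (CVE-TEST placeholders), asset-group weights, thresholds and benchmark days
are constructed; a real program would use the scanner's CVSS scores and the
organization's own benchmarks.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Finding:
    host: str
    asset_group: str                 # constructed groups: dmz, internal-server, desktop
    cve: str                         # placeholder identifier in this demo
    cvss: float                      # base score as reported by the scanner
    exploit_public: bool             # from the vulnerability intelligence feed (CSC 4-4)
    patch_released: Optional[date]   # None when the vendor has no patch


# Constructed policy: exposure weight per asset group, and maximum days from
# patch release to deployment per risk level (the organization's benchmark).
GROUP_WEIGHT = {"dmz": 1.5, "internal-server": 1.0, "desktop": 0.8}
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
LEVEL_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

Key = Tuple[str, str]


def key(f: Finding) -> Key:
    return (f.host, f.cve)


def risk_level(f: Finding) -> str:
    """Exploitability and impact, weighted by where the asset sits (CSC 4-10)."""
    score = f.cvss * GROUP_WEIGHT[f.asset_group] * (1.5 if f.exploit_public else 1.0)
    if score >= 12:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def diff_scans(previous: List[Finding], current: List[Finding]) -> Dict[str, List[Finding]]:
    """Back-to-back comparison (CSC 4-7): what closed, what appeared, what persists."""
    prev = {key(f): f for f in previous}
    cur = {key(f): f for f in current}
    return {
        "remediated": [prev[k] for k in sorted(prev.keys() - cur.keys())],
        "new": [cur[k] for k in sorted(cur.keys() - prev.keys())],
        "persistent": [cur[k] for k in sorted(prev.keys() & cur.keys())],
    }


def patch_delay_status(f: Finding, scan_date: date, accepted: Set[Key]) -> str:
    """'accepted' if the risk was formally accepted; 'no-patch' if the vendor has
    none (a compensating control is needed); 'overdue by N days' if the delay
    since patch release exceeds the benchmark for the risk level; else 'within-sla'."""
    if key(f) in accepted:
        return "accepted"
    if f.patch_released is None:
        return "no-patch"
    allowed = PATCH_SLA_DAYS[risk_level(f)]
    delay = (scan_date - f.patch_released).days
    return f"overdue by {delay - allowed} days" if delay > allowed else "within-sla"


def prioritized(findings: List[Finding]) -> List[Finding]:
    """Riskiest first: risk level, then CVSS, then a stable host/CVE order."""
    return sorted(findings, key=lambda f: (LEVEL_ORDER[risk_level(f)], -f.cvss, f.host, f.cve))


def run_demo() -> dict:
    """Two constructed weekly scans of the same estate, one week apart."""
    previous = [
        Finding("web01", "dmz", "CVE-TEST-0001", 9.8, True, date(2013, 10, 1)),
        Finding("web01", "dmz", "CVE-TEST-0002", 5.0, False, date(2013, 9, 15)),
        Finding("fs01", "internal-server", "CVE-TEST-0003", 7.5, False, date(2013, 10, 20)),
        Finding("pc-17", "desktop", "CVE-TEST-0004", 4.3, False, None),
        Finding("pc-17", "desktop", "CVE-TEST-0005", 6.5, False, date(2013, 7, 1)),
    ]
    current = [f for f in previous if f.cve != "CVE-TEST-0002"] + [
        Finding("db02", "internal-server", "CVE-TEST-0006", 8.1, True, date(2013, 11, 1)),
    ]
    accepted = {("pc-17", "CVE-TEST-0005")}      # documented, accepted business risk
    scan_date = date(2013, 11, 4)
    diff = diff_scans(previous, current)
    return {
        "diff": diff,
        "delays": {f.cve: patch_delay_status(f, scan_date, accepted) for f in diff["persistent"]},
        "priority": [f.cve for f in prioritized(current)],
    }


if __name__ == "__main__":
    result = run_demo()
    print("remediated:", [f.cve for f in result["diff"]["remediated"]])
    print("new:", [f.cve for f in result["diff"]["new"]])
    print("delays:", result["delays"])
    print("priority:", result["priority"])
```

The DMZ finding with a public exploit is rated critical and, 34 days after its patch shipped against a 7-day benchmark, shows as 27 days overdue, while the internal file server's medium finding is still inside its 90-day window; the desktop finding with no vendor patch is flagged for a compensating control rather than silently waiting. The accepted-risk entry is reported as such so that the periodic review CSC 4-7 asks for has a list to work from.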
CSC 4 Effectiveness Metrics
In order to test the effectiveness of the automated implementation of this control,
organizations should measure the following:
1. How long does it take vulnerability scanning systems, if they detect
unauthorized devices on the network, to generate an alert (time in minutes).
2. How long after a scan successfully completes does it take to generate an alert
indicating that it completed (time in minutes).
3. If a scan does not complete, how long does it take to generate an alert that the
scan failed to run (time in minutes).
4. How long does it take automated patch management tools to alert or send e-mail
to administrative personnel regarding the successful installation of new patches
(time in minutes).
For all of the above, consider that system priority, service level commitments, system
role, and other factors may drive varying objectives for scan frequency and alert time
frames on different systems. Ensure that the rationale for these classifications is clear,
consistent, documented, and consistently applied. Verify that target detection and
notification results are aligned with service level commitments and policies for each
class of system.
CSC 4 Automation Metrics
In order to automate the collection of relevant data from these systems, organizations should gather the following information with automated technical sensors:
1. What is the percentage of the organization's business systems that have not recently been scanned by the organization's approved, SCAP compliant, vulnerability management system (by business unit).
2. What is the average SCAP vulnerability score of each of the organization's business systems (by business unit).
3. What is the total SCAP vulnerability score of each of the organization's business systems (by business unit).
4. How long does it take, on average, to completely deploy operating system software updates to a business system (by business unit).
5. How long does it take, on average, to completely deploy application software updates to a business system (by business unit).
CSC 4 Effectiveness Test
To evaluate the implementation of Control 4 on a periodic basis, the evaluation team must verify that scanning tools have successfully completed their weekly or daily scans for the previous 30 cycles of scanning by reviewing archived alerts and reports to ensure that the scan was completed. If a scan could not be completed in that timeframe, the evaluation team must verify that an alert or e-mail was generated indicating that the scan did not finish.
CSC 4 System Entity Relationship Diagram
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.
A control system is a device or set of devices to manage, command, direct, or regulate the behavior of other devices or systems. In this case, the vulnerability scanners, management system, patch management systems, and configuration baselines all work together to address an organization's vulnerability management and remediation strategy. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.
Step 1: Vulnerability intelligence service provides inputs to vulnerability scanner
Step 2: Vulnerability scanners scan production systems
Step 3: Vulnerability scanners report detected vulnerabilities to a vulnerability management system (VMS)
Step 4: The VMS compares production systems to configuration baselines
Step 5: The VMS sends information to log management correlation system
Step 6: The VMS produces reports for management
Step 7: A patch management system applies software updates to production systems.
CSC 5: Malware Defenses
Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.
Why Is This Control Critical?
Malicious software is an integral and dangerous aspect of Internet threats, and can be designed to attack your systems, devices, or your data. It can be fast-moving, fast-changing, and enter through any number of points like end-user devices, e-mail attachments, web pages, cloud services, user actions, and removable media. Modern malware can be designed to avoid defenses, or to attack or disable them.
How to Implement This Control
Malware defenses must be able to operate in this dynamic environment through large-scale automation, rapid updating, and integration with processes like Incident Response. They must also be deployed at multiple possible points-of-attack to detect, stop the movement of, or control the execution of malicious software. Enterprise endpoint security suites provide administrative features to verify that all defenses are active and current on every managed system.
ID # Description Category
CSC 5-1 (Quick Win): Employ automated tools to continuously monitor workstations, servers, and mobile devices with anti-virus, anti-spyware, personal firewalls, and host-based IPS functionality. All malware detection events should be sent to enterprise anti-malware administration tools and event log servers.
CSC 5-2 (Quick Win): Employ anti-malware software that offers a remote, cloud-based centralized infrastructure that compiles information on file reputations, or have administrators manually push updates to all machines. After applying an update, automated systems should verify that each system has received its signature update.
CSC 5-3 (Quick Win): Configure laptops, workstations, and servers so that they will not auto-run content from removable media, like USB tokens (i.e., "thumb drives"), USB hard drives, CDs/DVDs, FireWire devices, external serial advanced technology attachment devices, and mounted network shares.
CSC 5-4 (Quick Win): Configure systems so that they automatically conduct an anti-malware scan of removable media when inserted.
CSC 5-5 (Quick Win): Scan and block all e-mail attachments entering the organization's e-mail gateway if they contain malicious code or file types that are unnecessary for the organization's business. This scanning should be done before the e-mail is placed in the user's inbox. This includes e-mail content filtering and web content filtering.
CSC 5-6 (Quick Win): Enable anti-exploitation features such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), virtualization/containerization, etc. For increased protection, deploy capabilities such as Enhanced Mitigation Experience Toolkit (EMET) that can be configured to apply these protections to a broader set of applications and executables.
CSC 5-7 (Quick Win): Limit use of external devices to those that have a business need. Monitor for use and attempted use of external devices.
CSC 5-8 (Visibility/Attribution): Ensure that automated monitoring tools use behavior-based anomaly detection to complement traditional signature-based detection.
CSC 5-9 (Visibility/Attribution): Use network-based anti-malware tools to identify executables in all network traffic and use techniques other than signature-based detection to identify and filter out malicious content before it arrives at the endpoint.
CSC 5-10 (Advanced): Implement an incident response process that allows the IT support organization to supply the security team with samples of malware running on corporate systems that do not appear to be recognized by the enterprise's anti-malware software. Samples should be provided to the security vendor for "out-of-band" signature creation and later deployed to the enterprise by system administrators.
CSC 5-11 (Advanced): Enable domain name system (DNS) query logging to detect hostname lookups for known malicious C2 domains.
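CSC 5-11 is only useful if something actually reads the query log. The following added example (Python, not code from the Critical Security Controls document) parses resolver query-log lines and matches the queried name against a list of known C2 domains on label boundaries, so that both "evil.example" and any subdomain of it are caught while a look-alike such as "notevil.example" is not, then counts which internal clients are responsible. The log layout is assumed to be BIND 9 style and the sample lines, client addresses and blocklist entries are constructed; replace BLOCKLIST with the organization's threat-intelligence feed.

```python
"""DNS query-log matching against known-malicious C2 domains (CSC 5-11).

Added example, not part of the Critical Security Controls document. Parses
BIND-style query log lines (layout assumed; sample lines constructed),
normalises the queried name, and matches it against a blocklist so that an
exact domain and every subdomain of it are caught, while look-alike names
such as "notevil.example" are not.
"""
import re
from collections import Counter
from typing import Optional

# Constructed blocklist of known C2 domains (reserved example TLDs).
BLOCKLIST = {"evil.example", "c2.test"}

# Assumed log layout, e.g.
# 15-Mar-2014 10:22:01.123 client 10.1.2.3#53211: query: www.corp.example IN A + (10.0.0.53)
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample log: one benign lookup, one look-alike, three C2 lookups.
SAMPLE_LOG = """\
15-Mar-2014 10:22:01.123 client 10.1.2.3#53211: query: www.corp.example IN A + (10.0.0.53)
15-Mar-2014 10:22:04.456 client 10.1.2.3#53212: query: beacon.evil.example. IN A + (10.0.0.53)
15-Mar-2014 10:22:09.789 client 10.1.2.9#40001: query: notevil.example IN A + (10.0.0.53)
15-Mar-2014 10:23:11.000 client 10.1.2.7#40002: query: C2.TEST IN TXT + (10.0.0.53)
15-Mar-2014 10:23:12.000 client 10.1.2.3#53213: query: a.b.evil.example IN AAAA + (10.0.0.53)
"""


def normalise(qname: str) -> str:
    """Lower-case and strip the trailing dot so 'Evil.Example.' == 'evil.example'."""
    return qname.rstrip(".").lower()


def blocked_parent(qname: str, blocklist: set) -> Optional[str]:
    """Return the blocklist entry that qname equals or is a subdomain of, else None.

    Matching walks label boundaries: 'notevil.example' must not match
    'evil.example', but 'a.b.evil.example' must.
    """
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def scan_log(text: str, blocklist: set) -> list:
    """One hit per log line whose query touches a blocklisted domain."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue  # not a query line, or a layout this parser does not know
        parent = blocked_parent(m["qname"], blocklist)
        if parent:
            hits.append({"ts": m["ts"], "src": m["src"],
                         "qname": normalise(m["qname"]), "matched": parent})
    return hits


def hosts_by_hit_count(hits: list) -> Counter:
    """Which internal clients are beaconing, and how often."""
    return Counter(h["src"] for h in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG, BLOCKLIST)
    for h in found:
        print(f"{h['ts']} {h['src']} looked up {h['qname']} (matches {h['matched']})")
    print("clients:", dict(hosts_by_hit_count(found)))
```

Two caveats a practitioner would want: the source address in a resolver log is the client that asked the recursive resolver, so if workstations sit behind a forwarding resolver you must correlate with that resolver's own log to reach the real host; and a lookup is evidence of intent, not of successful communication, so hits are leads for the incident response process of CSC 5-10 rather than confirmed infections.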

CSC 5 Procedures and Tools
To ensure anti-virus signatures are up to date, organizations use automation. They use the built-in administrative features of enterprise endpoint security suites to verify that anti-virus, anti-spyware, and host-based IDS features are active on every managed system. They run automated assessments daily and review the results to find and mitigate systems that have deactivated such protections, as well as systems that do not have the latest malware definitions.
Some enterprises deploy free or commercial honeypot and "tarpit" tools to identify attackers in their environment. Security personnel should continuously monitor these tools to determine whether traffic is directed to them and account logins are attempted. When they identify such events, these personnel should gather the source address from which this traffic originates and other details associated with the attack for follow-on investigation.
CSC 5 Effectiveness Metrics
In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:
1. How long does it take the system to identify any malicious software that is installed, attempted to be installed, executed, or attempted to be executed on a computer system (time in minutes).
2. How long does it take the system to send e-mail notification to a list of enterprise personnel via their centralized anti-malware console or event log system after malicious code has been identified (time in minutes).
3. Does the system have the ability to block installation, prevent execution, or quarantine malicious software (yes or no).
4. Does the system have the ability to identify the business unit in the organization where the malicious software was identified (yes or no).
5. How long does it take the organization to completely remove the malicious code from the system after it has been identified (time in minutes).
CSC 5 Automation Metrics
In order to automate the collection of relevant data from these systems, organizations should gather the following information with automated technical sensors:
1. How many instances of malicious code have been detected within a period of time by host based anti-malware systems (by business unit).
2. How many instances of malicious code that were detected within a period of time were automatically remediated by the organization's host based anti-malware systems (by business unit).
3. How many instances of malicious code have been detected within a period of time by network based anti-malware systems (by business unit).
4. How many instances of malicious code that were detected within a period of time were automatically remediated by the organization's network based anti-malware systems (by business unit).
5. Percentage of applications on a system that are not utilizing application sandboxing products (by business unit).
6. Percentage of systems with anti-malware systems deployed, enabled, and up-to-date (by business unit).

CSC 5 Effectiveness Test
To evaluate the implementation of Control 5 on a periodic basis, the evaluation team must move a benign software test program that appears to be malware (such as an EICAR file or benign hacker tools), but that is not included in the official authorized software list, to 10 systems on the network via a network share. The selection of these systems must be as random as possible and include a cross-section of the organization's systems and locations. The evaluation team must then verify that the systems generate an alert or e-mail notice regarding the benign malware within one hour. The team must also verify that the alert or e-mail indicating that the software has been blocked or quarantined is received within one hour. The evaluation team must verify that the system provides details of the location of each machine with this new test file, including information about the asset owner. The team must then verify that the file is blocked by attempting to execute or open it and verifying that it is not allowed to be accessed.
Once this test has been performed by transferring the files to organization systems via the network share, the same test must be repeated, but this time transferring the benign malware to 10 systems via e-mail instead. The organization must expect the same notification results as noted with the network share test.
CSC 5 System Entity Relationship Diagram
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.
A control system is a device or set of devices to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining anti-malware systems and threat vectors such as removable media. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.
Step 1: Anti-malware systems analyze production systems and removable media
Step 2: Removable media is analyzed when connected to production systems
Step 3: Email/web and network proxy devices analyze all incoming and outgoing traffic
Step 4: Network access control monitors all systems connected to the network
Step 5: Intrusion/network monitoring systems perform continuous monitoring looking for signs of malware.
CSC 6: Application Software Security
Manage the security lifecycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.
Why Is This Control Critical?
Attacks often take advantage of vulnerabilities found in web-based and other application software. Vulnerabilities can be present for many reasons, including coding mistakes, logic errors, incomplete requirements, and failure to test for unusual or unexpected conditions. Examples of specific errors include: the failure to check the size of user input; failure to filter out unneeded but potentially malicious character sequences from input streams; failure to initialize and clear variables; and poor memory management allowing flaws in one part of the software to affect unrelated (and more security critical) portions. There is a flood of public and private information about such vulnerabilities available to attackers and defenders alike, as well as a robust marketplace for tools and techniques to allow "weaponization" of vulnerabilities into exploits. Attackers can inject specific exploits, including buffer overflows, SQL injection attacks, cross-site scripting, cross-site request forgery, and click-jacking of code to gain control over vulnerable machines. In one attack, more than 1 million web servers were exploited and turned into infection engines for visitors to those sites using SQL injection. During that attack, trusted websites from state governments and other organizations compromised by attackers were used to infect hundreds of thousands of browsers that accessed those websites. Many more web and non-web application vulnerabilities are discovered on a regular basis.
How to Implement This Control
ID # Description Category
CSC 6-1 (NEW) (Quick Win): For all acquired application software, check that the version you are using is still supported by the vendor. If not, update to the most current version and install all relevant patches and vendor security recommendations.
CSC 6-2 (Quick Win): Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks, including but not limited to cross-site scripting, SQL injection, command injection, and directory traversal attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
CSC 6-3 (Visibility/Attribution): For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
CSC 6-4 (Visibility/Attribution): Test in-house-developed and third-party-procured web applications for common security weaknesses using automated remote web application scanners prior to deployment, whenever updates are made to the application, and on a regular recurring basis. Include tests for application behavior under denial-of-service or resource exhaustion attacks.
CSC 6-5 (Visibility/Attribution): Do not display system error messages to end-users (output sanitization).
CSC 6-6 (Visibility/Attribution): Maintain separate environments for production and nonproduction systems. Developers should not typically have unmonitored access to production environments.
CSC 6-7 (Configuration/Hygiene): Test in-house-developed web and other application software for coding errors and potential vulnerabilities prior to deployment using automated static code analysis software, as well as manual testing and inspection. In particular, input validation and output encoding routines of application software should be reviewed and tested.
CSC 6-8 (NEW) (Configuration/Hygiene): For acquired application software, examine the product security process of the vendor (history of vulnerabilities, customer notification, patching/remediation) as part of the overall enterprise risk management process.
CSC 6-9 (Configuration/Hygiene): For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.
CSC 6-10 (Configuration/Hygiene): Ensure that all software development personnel receive training in writing secure code for their specific development environment.
CSC 6-11 (Configuration/Hygiene): For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment.
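CSC 6-3 and CSC 6-5 are the two sub-controls developers can act on directly in code. The following added example (Python with sqlite3 standing in for any SQL database; not code from the Critical Security Controls document) places a lookup that splices untrusted input into the SQL text beside a hardened version that validates the input's type, size and range before it reaches the database, binds it as a parameter, and returns a generic message to the caller while the full exception goes to the application log. The table schema, rows, business limit and error strings are constructed assumptions.

```python
"""Input validation, parameterised queries and sanitised errors (CSC 6-3, 6-5).

Added example, not from the Critical Security Controls document. The first
lookup is deliberately vulnerable to SQL injection; the second validates the
input explicitly, binds it as a parameter, and never returns system error
text to the end user. Schema and rows are constructed.
"""
import logging
import sqlite3

log = logging.getLogger("orders")

MAX_ORDER_ID = 1_000_000  # assumed business limit on valid identifiers


def make_db() -> sqlite3.Connection:
    """In-memory database with a handful of constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE orders(id INTEGER PRIMARY KEY, customer TEXT, total REAL);
        INSERT INTO orders VALUES (1, 'alice', 10.0);
        INSERT INTO orders VALUES (2, 'bob', 25.5);
        INSERT INTO orders VALUES (3, 'carol', 99.0);
        """
    )
    return conn


def lookup_vulnerable(conn, order_id: str) -> list:
    """Deliberately flawed: the untrusted value is spliced into the SQL text,
    so "1 OR 1=1" turns the WHERE clause into a tautology and returns every row."""
    sql = f"SELECT customer, total FROM orders WHERE id = {order_id}"
    return conn.execute(sql).fetchall()


def validate_order_id(raw: str) -> int:
    """Explicit checks on size, data type and range (CSC 6-3)."""
    if not isinstance(raw, str) or len(raw) > 7:
        raise ValueError("order id too long")
    if not raw.isdigit():
        raise ValueError("order id must be decimal digits")
    value = int(raw)
    if not 1 <= value <= MAX_ORDER_ID:
        raise ValueError("order id out of range")
    return value


def lookup_hardened(conn, raw_order_id: str) -> dict:
    """Validated input, bound parameter, and no system error text to the user."""
    try:
        order_id = validate_order_id(raw_order_id)
        rows = conn.execute(
            "SELECT customer, total FROM orders WHERE id = ?", (order_id,)
        ).fetchall()
        return {"ok": True, "rows": rows}
    except ValueError:
        # Input failed validation: say only that, nothing about internals.
        return {"ok": False, "error": "invalid order id"}
    except sqlite3.Error:
        # CSC 6-5: the real exception goes to the operators' log, the user
        # gets a generic message that leaks neither schema nor driver details.
        log.exception("order lookup failed")
        return {"ok": False, "error": "request could not be processed"}


def demo() -> dict:
    """Run both lookups against the same payloads so the difference is visible."""
    conn = make_db()
    payload = "1 OR 1=1"  # classic injection string
    return {
        "vulnerable_rows": lookup_vulnerable(conn, payload),
        "hardened_injection": lookup_hardened(conn, payload),
        "hardened_valid": lookup_hardened(conn, "2"),
        "hardened_too_long": lookup_hardened(conn, "99999999"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Parameter binding alone would already stop the injection; the explicit validation in front of it is what CSC 6-3 asks for, and it also rejects oversized or out-of-range values before they cost a database round trip. Note that the hardened path still logs the full exception (with stack trace) for the security team, which is the behaviour the web-application scanners of CSC 6-4 will look for when they probe error handling.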

CSC 6 Procedures and Tools
The security of applications (in-house developed or acquired) is a complex activity requiring a complete program encompassing enterprise-wide policy, technology, and the role of people. These are often broadly defined or required by formal Risk Management Frameworks and processes.
A comprehensive treatment of this topic is beyond the scope of the Critical Security Controls. However, the actions in CSC 6 provide specific, high-priority steps that can improve Application Software Security. In addition, we recommend use of the many excellent comprehensive resources dedicated to this topic. Examples include: the DHS "Build Security In" Program < buildsecurityin.us-cert.gov >, and The Open Web Application Security Project (OWASP) < www.owasp.org >.
CSC 6 Effectiveness Metrics
In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:
1. Can the application system detect attacks and block them within 24 hours of being detected (yes or no).
2. Are all Internet facing applications scanned by web application vulnerability scanners at least weekly (yes or no).
3. How long does it take for alerts to be generated and sent to system administrators that a vulnerability scan has or has not completed (time in minutes).
4. Are all vulnerabilities detected by the scanning tools fixed or remediated within 15 days of detection (yes or no).
CSC 6 Automation Metrics
In order to automate the collection of relevant data from these systems, organizations should gather the following information with automated technical sensors:
1. What percentage of the organization's custom applications have not been recently scanned by an application security code scanner (by business unit).
2. What percentage of the organization's database systems have not been recently scanned by a database specific vulnerability scanner (by business unit).
3. What is the aggregate vulnerability rating for all application and database systems in the organization (by business unit).
CSC 6 Effectiveness Test
To evaluate the implementation of Control 6 on a monthly basis, an evaluation team must use a web application vulnerability scanner to test for each relevant type of flaw identified in the regularly updated list of the "25 Most Dangerous Programming Errors" by MITRE and the SANS Institute. The scanner must be configured to assess all of the organization's Internet-accessible web applications to identify such errors. The evaluation team must verify that the scan is detected within 24 hours and that an alert is generated.
In addition to the web application vulnerability scanner, the evaluation team must also run static code analysis tools and database configuration review tools against Internet-accessible applications to identify security flaws on a monthly basis.
The evaluation team must verify that all high-risk vulnerabilities identified by the automated vulnerability scanning tools or static code analysis tools have been remediated or addressed through a compensating control (such as a web application firewall) within 15 days of discovery.
The evaluation team must verify that application vulnerability scanning tools have successfully completed their regular scans for the previous 30 cycles of scanning by reviewing archived alerts and reports to ensure that the scan was completed. If a scan was not completed successfully, the system must alert or send e-mail to enterprise administrative personnel indicating what happened. If a scan could not be completed in that timeframe, the evaluation team must verify that an alert or e-mail was generated indicating that the scan did not finish.
CSC 6 System Entity Relationship Diagram
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.

A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining the process of monitoring applications and using tools that enforce a security style when developing applications.
The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.
Step 1: Web application firewalls protect connections to internal web applications
Step 2: Software applications securely connect to database systems
Step 3: Code analysis and vulnerability scanning tools scan application systems and database systems.
CSC 7: Wireless Access Control
The processes and tools used to track/control/prevent/correct the security use of wireless local area networks (LANS), access points, and wireless client systems.
Why Is This Control Critical?
Major thefts of data have been initiated by attackers who have gained wireless access to organizations from outside the physical building, bypassing organizations' security perimeters by connecting wirelessly to access points inside the organization. Wireless clients accompanying traveling officials are infected on a regular basis through remote exploitation during air travel or in cyber cafes. Such exploited systems are then used as back doors when they are reconnected to the network of a target organization. Still other organizations have reported the discovery of unauthorized wireless access points on their networks, planted and sometimes hidden for unrestricted access to an internal network. Because they do not require direct physical connections, wireless devices are a convenient vector for attackers to maintain long-term access into a target environment.
How to Implement This Control
ID # Description Category
CSC 7-1 (Quick Win): Ensure that each wireless device connected to the network matches an authorized configuration and security profile, with a documented owner of the connection and a defined business need. Organizations should deny access to those wireless devices that do not have such a configuration and profile.
CSC 7-2 (Quick Win): Configure network vulnerability scanning tools to detect wireless access points connected to the wired network. Identified devices should be reconciled against a list of authorized wireless access points. Unauthorized (i.e., rogue) access points should be deactivated.
CSC 7-3 (Visibility/Attribution): Use wireless intrusion detection systems (WIDS) to identify rogue wireless devices and detect attack attempts and successful compromises. In addition to WIDS, all wireless traffic should be monitored by the wired network's intrusion detection systems as it passes into the wired network.
CSC 7-4 (Configuration/Hygiene): Where a specific business need for wireless access has been identified, configure wireless access on client machines to allow access only to authorized wireless networks.
CSC 7-5 (Configuration/Hygiene): For devices that do not have an essential wireless business purpose, disable wireless access in the hardware configuration (basic input/output system or extensible firmware interface), with password protections to lower the possibility that the user will override such configurations.
CSC 7-6 (Configuration/Hygiene): Ensure that all wireless traffic leverages at least Advanced Encryption Standard (AES) encryption used with at least Wi-Fi Protected Access 2 (WPA2) protection.
CSC 7-7 (Configuration/Hygiene): Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), which provide credential protection and mutual authentication.
CSC 7-8 (Configuration/Hygiene): Disable peer-to-peer wireless network capabilities on wireless clients, unless such functionality meets a documented business need.
CSC 7-9 (Configuration/Hygiene): Disable wireless peripheral access of devices (such as Bluetooth), unless such access is required for a documented business need.
CSC 7-10 (Configuration/Hygiene): Create separate virtual local area networks (VLANs) for BYOD systems or other untrusted devices. Internet access from this VLAN should go through at least the same border as corporate traffic. Enterprise access from this VLAN should be treated as untrusted and filtered and audited accordingly.

CSC 7 Procedures and Tools
Effective organizations run commercial wireless scanning, detection, and discovery tools as well as commercial wireless intrusion detection systems.
Additionally, the security team should periodically capture wireless traffic from within the borders of a facility and use free and commercial analysis tools to determine whether the wireless traffic was transmitted using weaker protocols or encryption than the organization mandates. When devices relying on weak wireless security settings are identified, they should be found within the organization's asset inventory and either reconfigured more securely or denied access to the organization network.
Additionally, the security team should employ remote management tools on the wired network to pull information about the wireless capabilities and devices connected to managed systems.
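The capture-and-analyze procedure above, and the floors set by CSC 7-6 (AES with WPA2) and CSC 7-7 (EAP-based authentication), come down to reading one structure out of each beacon or probe response: the RSN information element (element ID 48), in which an access point advertises the cipher suites and the authentication and key management (AKM) suites it will accept. The following added example (Python, not code from the Critical Security Controls document) parses that element as laid out in IEEE 802.11 and reports every way a network falls short of the control's floor. The three sample elements are constructed byte strings; in practice the bytes come from whatever capture tool the team uses.

```python
"""Classify Wi-Fi security from the RSN information element (CSC 7-6, 7-7).

Added example, not part of the Critical Security Controls document. The RSN
IE (element ID 48) in beacons and probe responses carries the version, the
group cipher, the pairwise cipher list and the AKM list. This parser decodes
it per IEEE 802.11 and checks the result against the control's floor: AES
(CCMP/GCMP) only, and an 802.1X/EAP AKM rather than a pre-shared key.
Sample elements are constructed.
"""
import struct

CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
           8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
        5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 12: "802.1X-SuiteB-192"}
AES_CIPHERS = {"CCMP-128", "CCMP-256", "GCMP-128", "GCMP-256"}
EAP_AKMS = {"802.1X", "FT-802.1X", "802.1X-SHA256", "802.1X-SuiteB-192"}
OUI = b"\x00\x0f\xac"  # IEEE 802.11 suite selector OUI


def _suite(sel: bytes, table: dict) -> str:
    """Decode a 4-byte suite selector (3-byte OUI + 1-byte type)."""
    oui, typ = sel[:3], sel[3]
    if oui != OUI:
        return f"vendor:{oui.hex()}:{typ}"
    return table.get(typ, f"unknown:{typ}")


def parse_rsn(ie: bytes) -> dict:
    """Decode an RSN IE into version, group cipher, pairwise list and AKM list."""
    if len(ie) < 2 or ie[0] != 48:
        raise ValueError("not an RSN information element")
    body = ie[2:2 + ie[1]]
    version, = struct.unpack_from("<H", body, 0)
    group = _suite(body[2:6], CIPHERS)
    n_pair, = struct.unpack_from("<H", body, 6)
    off = 8
    pairwise = [_suite(body[off + 4 * i: off + 4 * i + 4], CIPHERS) for i in range(n_pair)]
    off += 4 * n_pair
    n_akm, = struct.unpack_from("<H", body, off)
    off += 2
    akms = [_suite(body[off + 4 * i: off + 4 * i + 4], AKMS) for i in range(n_akm)]
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akms}


def assess(ie: bytes) -> list:
    """Return policy violations against the CSC 7-6/7-7 floor; empty means compliant."""
    r = parse_rsn(ie)
    problems = []
    if r["version"] != 1:
        problems.append(f"unexpected RSN version {r['version']}")
    for c in [r["group"], *r["pairwise"]]:
        if c not in AES_CIPHERS:
            problems.append(f"non-AES cipher allowed: {c}")
    if not r["akm"] or any(a not in EAP_AKMS for a in r["akm"]):
        problems.append("AKM is not EAP-based: " + ", ".join(r["akm"]))
    return problems


def rsn_ie(group: int, pairwise: list, akms: list) -> bytes:
    """Build an RSN IE from suite type numbers (used here to construct samples)."""
    body = struct.pack("<H", 1) + OUI + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(OUI + bytes([p]) for p in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(OUI + bytes([a]) for a in akms)
    body += struct.pack("<H", 0)  # RSN capabilities field
    return bytes([48, len(body)]) + body


# Constructed samples. The first is written as raw hex the way a capture shows it.
IE_WPA2_ENTERPRISE = bytes.fromhex("30 14 0100 000fac04 0100 000fac04 0100 000fac01 0000")
IE_WPA2_PSK_MIXED = rsn_ie(2, [4, 2], [2])   # TKIP group, TKIP still allowed, PSK
IE_WPA2_PSK_AES = rsn_ie(4, [4], [2])        # AES only, but pre-shared key

if __name__ == "__main__":
    for name, ie in [("enterprise", IE_WPA2_ENTERPRISE), ("psk-mixed", IE_WPA2_PSK_MIXED),
                     ("psk-aes", IE_WPA2_PSK_AES)]:
        print(name, parse_rsn(ie), assess(ie) or "compliant")
```

Two points the parser cannot see on its own: a network with no RSN IE at all is either open or WPA (version 1), which advertises through a vendor-specific element (ID 221) instead, so the absence of element 48 is itself a finding against CSC 7-6; and the check treats SAE (WPA3-Personal) as non-compliant because the control as written asks for EAP-based authentication, so adjust EAP_AKMS if the organization's policy accepts it.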
CSC 7 Effectiveness Metrics
In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:
1. Are systems capable of identifying unauthorized wireless devices or configurations when they are within range of the organization's systems or connected to their networks (yes or no).
2. How long does it take to generate alerts about unauthorized wireless devices that are detected (time in minutes).
3. How long does it take for unauthorized wireless devices to be blocked from connecting or isolated from the network (time in minutes).
4. Are additional alerts generated every 24 hours after the initial alert until the system is isolated or removed from the network (yes or no).
5. Is the system able to identify the location, department, and other details of where authorized and unauthorized wireless devices are plugged into the network (yes or no).
CSC 7 Automation Metrics
In order to automate the collection of relevant data from these systems, organizations should gather the following information with automated technical sensors:
1. How many rogue wireless access points have been discovered recently in the organization (by business unit). This should include non-persistent, temporary and transient access points.
2. What is the average time that it takes to remove rogue access points from the organization's network (by business unit).
3. How many wireless access points or clients have been discovered using an unauthorized wireless configuration recently in the organization (by business unit).
CSC 7 Effectiveness Test
To evaluate the implementation of Control 7 on a periodic basis, the evaluation team must configure 10 unauthorized but hardened wireless clients and wireless access points and attempt to connect them to the organization's wireless networks. In the case of wireless access points, these access points must not be directly connected to the organization's trusted network. Instead, they must simply be configured to act as a wireless gateway without physically connecting to a wired network interface. In the case of scanning for wireless access points from a wired interface, the connected access point must have the wireless radio disabled for the duration of the test. These systems must be configured to test each of the following scenarios:
- A wireless client with an unauthorized service set identifier configured on it.
- A wireless client with improper encryption configured.
- A wireless client with improper authentication configured.
- A wireless access point with improper encryption configured.
- A wireless access point with improper authentication configured.
- A completely rogue wireless access point using an unauthorized configuration.
When any of the above-noted systems attempt to connect to the wireless network, an alert must be generated and enterprise staff must respond to the alerts to isolate the detected device or remove the device from the network.
CSC 7 System Entity Relationship Diagram
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.

A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining the configuration and management of wireless devices, wireless IDS/scanners, wireless device management systems, and vulnerability scanners. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.
Step 1: Hardened configurations applied to wireless devices
Step 2: Hardened configurations managed by a configuration management system
Step 3: Configuration management system manages the configurations on wireless devices
Step 4: Wireless IDS monitor usage of wireless communications
Step 5: Vulnerability scanners scan wireless devices for potential vulnerabilities
Step 6: Wireless clients utilize wireless infrastructure systems in a secure manner.
CSC 8: Data Recovery Capability
The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.
Why Is This Control Critical?
When attackers compromise machines, they often make significant changes to configurations and software. Sometimes attackers also make subtle alterations of data stored on compromised machines, potentially jeopardizing organizational effectiveness with polluted information. When the attackers are discovered, it can be extremely difficult for organizations without a trustworthy data recovery capability to remove all aspects of the attacker's presence on the machine.
How to Implement This Control
ID # | Category | Description
CSC 8-1 | Quick Win | Ensure that each system is automatically backed up on at least a weekly basis, and more often for systems storing sensitive information. To help ensure the ability to rapidly restore a system from backup, the operating system, application software, and data on a machine should each be included in the overall backup procedure. These three components of a system do not have to be included in the same backup file or use the same backup software. There should be multiple backups over time, so that in the event of malware infection, restoration can be from a version that is believed to predate the original infection. All backup policies should be compliant with any regulatory or official requirements.
CSC 8-2 | Quick Win | Test data on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.
CSC 8-3 | Configuration/Hygiene | Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.
CSC 8-4 (NEW) | (not stated) | Ensure that key systems have at least one backup destination that is not continuously addressable through operating system calls. This will mitigate the risk of attacks like CryptoLocker which seek to encrypt or damage data on all addressable data shares, including backup destinations.


CSC 8 Procedures and Tools
Once per quarter (or whenever new backup equipment is purchased), a testing team should evaluate a random sample of system backups by attempting to restore them on a test bed environment. The restored systems should be verified to ensure that the operating system, application, and data from the backup are all intact and functional. In the event of malware infection, restoration procedures should use a version of the backup which is believed to predate the original infection.
CSC 8 Effectiveness Metrics
Percentage of systems with current backups within their target frequency (targets can vary by system role, type, and criticality)
CSC 8 Automation Metrics
None
CSC 8 Effectiveness Test
The evaluation team should identify 3 systems in the environment and restore to a test system (physical or virtual) using the most recent backup. Verify that the system has been restored properly by comparing the restore results to the original system.
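As an added illustration (not code from the Critical Security Controls document) of the effectiveness metric and the restore test above, the following script computes the share of systems whose latest backup is within their role's target frequency and compares a file manifest of a restored system against the original; the inventory, the per-role targets and the manifests are constructed sample data.

```python
"""Added example, not part of the Critical Security Controls text: computes the
CSC 8 effectiveness metric (share of systems whose latest backup is within the
target frequency for their role) and performs the restore check from the CSC 8
effectiveness test by comparing a file manifest of the restored system against
the original. Inventory, role targets and manifests are constructed samples."""
from datetime import datetime, timedelta

# Constructed backup inventory: last successful backup per system, or None if
# no backup has ever completed.
BACKUP_INVENTORY = [
    {"system": "db01", "role": "database", "last_backup": "2014-03-11T02:00:00"},
    {"system": "fs01", "role": "fileserver", "last_backup": "2014-03-04T23:30:00"},
    {"system": "ws17", "role": "workstation", "last_backup": "2014-03-06T18:00:00"},
    {"system": "ws22", "role": "workstation", "last_backup": "2014-02-20T18:00:00"},
    {"system": "web01", "role": "webserver", "last_backup": None},
]

# Target backup frequency per role, in hours (assumed values). CSC 8-1 sets a
# floor of weekly, with more frequent backups for systems holding sensitive data.
ROLE_TARGET_HOURS = {
    "database": 24,
    "fileserver": 24,
    "webserver": 24 * 7,
    "workstation": 24 * 7,
}


def backup_currency(inventory, targets, now):
    """Return (percent_current, stale_systems).

    A system is current when its last backup is no older than the target for
    its role. A system with no backup at all is always stale, and a role with
    no target falls back to the weekly floor from CSC 8-1.
    """
    now_dt = datetime.fromisoformat(now)
    stale = []
    for entry in inventory:
        limit = timedelta(hours=targets.get(entry["role"], 24 * 7))
        if entry["last_backup"] is None:
            stale.append(entry["system"])
            continue
        age = now_dt - datetime.fromisoformat(entry["last_backup"])
        if age > limit:
            stale.append(entry["system"])
    if not inventory:
        return 0.0, stale
    percent = round(100.0 * (len(inventory) - len(stale)) / len(inventory), 1)
    return percent, sorted(stale)


def verify_restore(original, restored):
    """Compare {path: content_hash} manifests of the original system and the
    system restored from backup. Returns a dict of discrepancies; an empty
    dict means every file came back with identical content."""
    missing = sorted(set(original) - set(restored))
    extra = sorted(set(restored) - set(original))
    changed = sorted(p for p in original if p in restored
                     and original[p] != restored[p])
    report = {}
    if missing:
        report["missing"] = missing
    if extra:
        report["extra"] = extra
    if changed:
        report["changed"] = changed
    return report


# Constructed manifests; the hash values are placeholders, not real digests.
ORIGINAL_MANIFEST = {
    "/etc/passwd": "h-a1",
    "/etc/ssh/sshd_config": "h-b2",
    "/var/www/index.html": "h-c3",
}
RESTORED_MANIFEST = {
    "/etc/passwd": "h-a1",
    "/etc/ssh/sshd_config": "h-ZZ",  # came back from a different version
    "/var/www/index.html": "h-c3",
    "/tmp/restore.log": "h-d4",      # artifact of the restore process itself
}

if __name__ == "__main__":
    pct, stale = backup_currency(BACKUP_INVENTORY, ROLE_TARGET_HOURS, "2014-03-11T08:00:00")
    print(f"{pct}% of systems have current backups; stale: {stale}")
    print("restore discrepancies:", verify_restore(ORIGINAL_MANIFEST, RESTORED_MANIFEST))
```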
CSC 8 System Entity Relationship Diagram
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.

A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining an organization's capability to restore systems in the event that data need to be restored because of a data loss or breach of a system. While backups are certainly an important part of this process, the ability to restore data is the critical component. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.
Step 1: Production business systems backed up on a regular basis to authorized organizational backup systems
Step 2: Backups created are stored offline at secure storage facilities.

CSC 9: Security Skills Assessment and Appropriate Training to Fill Gaps
For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills, and abilities needed to support defense of the enterprise, develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.
Why Is This Control Critical?
It is tempting to think of cyber defense primarily as a technical challenge, but the actions of people also play a critical part in the success or failure of an enterprise. People fulfill important functions at every stage of system design, implementation, operation, use, and oversight. Examples include: the actions of end users (who can fall prey to social engineering schemes such as phishing); IT operations (who may not recognize the security implications of IT artifacts and logs); security analysts (who struggle to keep up with an explosion of new information); system developers and programmers (who don't understand the opportunity to resolve root cause vulnerabilities early in the system life-cycle); and executives and system owners (who struggle to quantify the role that cybersecurity plays in overall operational/mission risk, and have no reasonable way to make relevant investment decisions).
Attackers are very conscious of these issues and use them to plan their exploitations by, for example: carefully crafting phishing messages that look like routine and expected traffic to an unwary user; exploiting the gaps or seams between policy and technology (e.g., policies that have no technical enforcement); working within the time window of patching or log review; using nominally non-security-critical systems as jump points or bots.
No cyber defense approach can begin to address cyber risk without a means to address this fundamental vulnerability. Conversely, empowering people with good cyber defense habits can significantly increase readiness.
How to Implement This Control
ID # | Category | Description
CSC 9-1 | Quick Win | Perform gap analysis to see which skills employees need and which behaviors employees are not adhering to, using this information to build a baseline training and awareness roadmap for all employees.
CSC 9-2 | Quick Win | Deliver training to fill the skills gap. If possible, use more senior staff to deliver the training. A second option is to have outside teachers provide training onsite so the examples used will be directly relevant. If you have small numbers of people to train, use training conferences or online training to fill the gaps.
CSC 9-3 | Quick Win | Implement an online security awareness program that (1) focuses only on the methods commonly used in intrusions that can be blocked through individual action, (2) is delivered in short online modules convenient for employees, (3) is updated frequently (at least annually) to represent the latest attack techniques, (4) is mandated for completion by all employees at least annually, and (5) is reliably monitored for employee completion.
CSC 9-4 | Visibility/Attribution | Validate and improve awareness levels through periodic tests to see whether employees will click on a link from suspicious e-mail or provide sensitive information on the telephone without following appropriate procedures for authenticating a caller; targeted training should be provided to those who fall victim to the exercise.
CSC 9-5 | Configuration/Hygiene | Use security skills assessments for each of the mission-critical roles to identify skills gaps. Use hands-on, real-world examples to measure mastery. If you do not have such assessments, use one of the available online competitions that simulate real-world scenarios for each of the identified jobs in order to measure skills mastery.

CSC 9 Procedures and Tools
An effective enterprise-wide training program should take a holistic approach and consider policy and technology at the same time as the training of people. For example, policies should be designed with technical measurement and enforcement when possible, reinforced by training to fill gaps; technical controls can be implemented to bound and minimize the opportunity for people to make mistakes, and so focus the training on things that cannot be managed technically.
To be effective in both cost and outcome, security training should be prioritized, focused, and specific (for example, using a S.M.A.R.T. metrics program). A key way to prioritize training is to focus first on those jobs and roles that are critical to the mission or business outcome of the enterprise. One way to identify these mission-critical jobs is to reference the list prepared by the Council on CyberSecurity (which builds upon the work of the 2012 Task Force on Cyber Skills established by the Secretary of Homeland Security): 1) System and Network Penetration Testers, 2) Application Penetration Testers, 3) Security Monitoring and Event Analysts, 4) Incident Responders In-Depth, 5) Counter-Intelligence/Insider Threat Analysts, 6) Risk Assessment Engineers, 7) Secure Coders and Code Reviewers, 8) Security Engineers/Architecture and Design, 9) Security Engineers/Operations, and 10) Advanced Forensics Analysts. The Council has validated this list as consistent with the broader NIST National Initiative on Cybersecurity Education (NICE) framework, and with the needs of many enterprises in government and industry. Training for these mission critical roles should be supplemented with foundational security training for all users.
< www.counciloncybersecurity.org/practice-areas/people >.
General awareness training for all users also plays an important role. But even this training should be tailored to functional roles and focused on specific actions that put the organization at risk, and measured in order to drive remediation.
The key to upgrading skills is measurement through assessments that show both the employee and the employer where knowledge is sufficient and where there are gaps. Once the gaps have been identified, those employees who have the requisite skills and knowledge can be called upon to mentor employees who need to improve their skills. In addition, the organization can develop training plans to fill the gaps and maintain employee readiness.
A full treatment of this topic is beyond the scope of the Critical Security Controls. However, the actions in CSC 9 provide specific, high-priority steps that can improve enterprise security, and should be a part of any comprehensive security training program.
Control 9 Effectiveness Metrics
1. Participation rate for online training courses - percentage of staff completing security training (by business unit)
2. Average scores of online tests, compared to baseline (previous tests, industry data if available, etc.) by business unit
3. Average scores of periodic tests (e.g. click rates for test phishing emails) by business unit
4. Individual scores on skill assessment tests for individual mission critical roles by business unit
5. Retention (or job opening fill rate) of mission critical roles (org/unit metric)
CSC 9 Automation Metrics
None
CSC 9 Effectiveness Test
None

CSC 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
Why Is This Control Critical?
As delivered from manufacturers and resellers, the default configurations for network
infrastructure devices are geared for ease-of-deployment and ease-of-use - not security. Open
services and ports, default accounts (including service accounts) or passwords, support for
older (vulnerable) protocols, pre-installation of unneeded software; all can be exploitable in
their default state.
Attackers take advantage of network devices becoming less securely configured over time as
users demand exceptions for specific business needs. Sometimes the exceptions are deployed
and then left undone when they are no longer applicable to the business needs. In some cases,
the security risk of the exception is neither properly analyzed nor measured against the
associated business need and can change over time. Attackers search for vulnerable default
settings, electronic holes in firewalls, routers, and switches and use those to penetrate
defenses. They exploit flaws in these devices to gain access to networks, redirect traffic on a
network, and intercept information while in transmission. Through such actions, the attacker
gains access to sensitive data, alters important information, or even uses a compromised
machine to pose as another trusted system on the network.
How to Implement This Control
ID # | Category | Description
CSC 10-1 | Quick Win | Compare firewall, router, and switch configuration against standard secure configurations defined for each type of network device in use in the organization. The security configuration of such devices should be documented, reviewed, and approved by an organization change control board. Any deviations from the standard configuration or updates to the standard configuration should be documented and approved in a change control system.
CSC 10-2 | Configuration/Hygiene | All new configuration rules beyond a baseline-hardened configuration that allow traffic to flow through network security devices, such as firewalls and network-based IPS, should be documented and recorded in a configuration management system, with a specific business reason for each change, a specific individual's name responsible for that business need, and an expected duration of the need.
CSC 10-3 | Configuration/Hygiene | Use automated tools to verify standard device configurations and detect changes. All alterations to such files should be automatically reported to security personnel.
CSC 10-4 | Configuration/Hygiene | Manage network devices using two-factor authentication and encrypted sessions.
CSC 10-5 | Configuration/Hygiene | Install the latest stable version of any security-related updates.
CSC 10-6 | Advanced | Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.

CSC 10 Procedures and Tools
Some organizations use commercial tools that evaluate the rule set of network filtering devices to determine whether they are consistent or in conflict, providing an automated sanity check of network filters and searching for errors in rule sets or access control lists (ACLs) that may allow unintended services through the device. Such tools should be run each time significant changes are made to firewall rule sets, router ACLs, or other filtering technologies.
CSC 10 Effectiveness Metrics
In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:
1. How long does it take to detect configuration changes to a network system (time in minutes).
2. How long does it take the scanners to alert the organization's administrators that an unauthorized configuration change has occurred (time in minutes).
3. How long does it take to block/quarantine unauthorized changes on network systems (time in minutes).
4. Are the scanners able to identify the location, department, and other critical details about the systems where unauthorized changes occurred (yes or no).
CSC 10 Automation Metrics
In order to automate the collection of relevant data from these systems, organizations should gather the following information with automated technical sensors:
1. What is the percentage of network devices that are not currently configured with a security configuration that matches the organization's approved configuration standard (by business unit).
2. What is the percentage of network devices whose security configuration is not enforced by the organization's technical configuration management applications (by business unit).
3. What is the percentage of network devices that are not up to date with the latest available operating system software security patches (by business unit).
4. What is the percentage of network devices that do not require two-factor authentication to administer the device (by business unit).
CSC 10 Effectiveness Test
To evaluate the implementation of Control 10 on a periodic basis, an evaluation team must make a change to each type of network device plugged into the network. At a minimum, routers, switches, and firewalls need to be tested. If they exist, IPS, IDS, and other network devices must be included. Backups must be made prior to making any changes to critical network devices. It is critical that changes not impact or weaken the security of the device. Acceptable changes include but are not limited to making a comment or adding a duplicate entry in the configuration. The change must be performed twice for each critical device. The evaluation team must then verify that the systems generate an alert or e-mail notice regarding the changes to the device within 24 hours. It is important that the evaluation team verify that all unauthorized changes have been detected, the account making the changes has been recorded, and the changes have resulted in an alert or e-mail notification. The evaluation team must verify that the system provides details of the location of each device, including information about the asset owner. While the 24-hour timeframe represents the current metric to help organizations improve their state of security, in the future organizations should strive for even more rapid alerting and isolation, with notification about unauthorized configuration changes in network devices sent within two minutes.
If appropriate, an additional test must be performed on a daily basis to ensure that other protocols such as IPv6 are being filtered properly.
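The following is an added example (not code from the Critical Security Controls document) of the change detection that CSC 10-3 requires, run against the two "harmless" changes the effectiveness test prescribes, a comment and a duplicate entry; the device name, both configurations, the asset record, the account name and the timestamps are all constructed.

```python
"""Added example, not part of the Critical Security Controls text: a minimal
configuration-change detector of the kind CSC 10-3 calls for, exercised with
the two "harmless" changes the CSC 10 effectiveness test prescribes (a comment
and a duplicate entry). Device name, configurations, asset record and change
timestamps are all constructed samples."""
import difflib
from datetime import datetime

# Constructed approved (standard) configuration for one firewall.
APPROVED_CONFIG = """\
hostname edge-fw1
no ip http server
ip ssh version 2
line vty 0 4
 transport input ssh
 login local
access-list 101 permit tcp any host 192.0.2.10 eq 443
access-list 101 deny ip any any log
"""

# Constructed running configuration after the evaluation team's two changes.
# A detector that strips comments or collapses duplicate lines would miss both.
RUNNING_CONFIG = """\
hostname edge-fw1
! CSC 10 effectiveness test - change 1
no ip http server
ip ssh version 2
line vty 0 4
 transport input ssh
 login local
access-list 101 permit tcp any host 192.0.2.10 eq 443
access-list 101 permit tcp any host 192.0.2.10 eq 443
access-list 101 deny ip any any log
"""

# Constructed asset record, so the alert can carry the location and owner
# details the CSC 10 effectiveness test requires.
ASSET_INVENTORY = {
    "edge-fw1": {"location": "DC1 rack 4", "department": "Network Ops", "owner": "j.doe"},
}


def config_deviations(approved, running):
    """Line-level comparison of the running configuration against the approved
    one. Returns [(op, line)] with op '+' (added) or '-' (removed); duplicate
    and comment lines are reported like any other change."""
    a, b = approved.splitlines(), running.splitlines()
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    deviations = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("delete", "replace"):
            deviations.extend(("-", line) for line in a[i1:i2])
        if tag in ("insert", "replace"):
            deviations.extend(("+", line) for line in b[j1:j2])
    return deviations


def classify(op, line, approved):
    """Coarse severity: filtering that was loosened is 'high'; comments and
    duplicates of approved lines are 'info' but are still reported."""
    text = line.strip()
    if text.startswith("!"):
        return "info"
    if op == "+" and text in {ln.strip() for ln in approved.splitlines()}:
        return "info"
    if (op == "-" and " deny " in text) or (op == "+" and " permit " in text):
        return "high"
    return "medium"


def build_alert(device, approved, running, changed_by, changed_at, detected_at):
    """Assemble the alert a change-detection system should raise: what changed,
    which account changed it, asset details, and detection latency measured
    against the 24-hour target and the two-minute goal in the text."""
    deviations = config_deviations(approved, running)
    if not deviations:
        return None
    latency_min = (datetime.fromisoformat(detected_at)
                   - datetime.fromisoformat(changed_at)).total_seconds() / 60
    return {
        "device": device,
        "asset": ASSET_INVENTORY.get(device, {}),
        "account": changed_by,
        "changes": [(op, line, classify(op, line, approved)) for op, line in deviations],
        "latency_min": latency_min,
        "within_24h": latency_min <= 24 * 60,
        "within_2min": latency_min <= 2,
    }


if __name__ == "__main__":
    alert = build_alert("edge-fw1", APPROVED_CONFIG, RUNNING_CONFIG,
                        "eval-team", "2014-03-11T09:00:00", "2014-03-11T09:17:30")
    for op, line, sev in alert["changes"]:
        print(f"[{sev}] {op} {line}")
    print(f"changed by {alert['account']}, detected after {alert['latency_min']:.1f} min")
```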
Control 10 System Entity Relationship Diagram
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.

A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case we are examining the network devices, test lab network devices, configuration systems, and configuration management devices. The following list of the steps in the diagram above shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.
Step 1: Hardened device configurations applied to production devices
Step 2: Hardened device configuration stored in a secure configuration management system
Step 3: Management network system validates configurations on production network devices
Step 4: Patch management system applies tested software updates to production network devices
Step 5: Two-factor authentication system required for administrative access to production devices
Step 6: Proxy/firewall/network monitoring systems analyze all connections to production network devices.

CSC 11: Limitation and Control of Network Ports, Protocols, and Services
Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize windows of vulnerability available to attackers.
Why Is This Control Critical?
Attackers search for remotely accessible network services that are vulnerable to exploitation. Common examples include poorly configured web servers, mail servers, file and print services, and domain name system (DNS) servers installed by default on a variety of different device types, often without a business need for the given service. Many software packages automatically install services and turn them on as part of the installation of the main software package without informing a user or administrator that the services have been enabled. Attackers scan for such issues and attempt to exploit these services, often attempting default user IDs and passwords or widely available exploitation code.
How to Implement This Control
ID # | Category | Description
CSC 11-1 | Quick Win | Ensure that only ports, protocols, and services with validated business needs are running on each system.
CSC 11-2 | Quick Win | Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
CSC 11-3 | Quick Win | Perform automated port scans on a regular basis against all key servers and compare the results to a known effective baseline. If a change that is not listed on the organization's approved baseline is discovered, an alert should be generated and reviewed.
CSC 11-4 | Quick Win | Keep all services up to date and uninstall and remove any unnecessary components from the system.
CSC 11-5 | Visibility/Attribution | Verify any server that is visible from the Internet or an untrusted network, and if it is not required for business purposes, move it to an internal VLAN and give it a private address.
CSC 11-6 | Configuration/Hygiene | Operate critical services on separate physical or logical host machines, such as DNS, file, mail, web, and database servers.
CSC 11-7 | Advanced | Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized services or traffic should be blocked and an alert generated.
CSC 11 Procedures and Tools
Port scanning tools are used to determine which services are listening on the network for a range of target systems. In addition to determining which ports are open, effective port scanners can be configured to identify the version of the protocol and service listening on each discovered open port. This list of services and their versions is compared against an inventory of services required by the organization for each server and workstation in an asset management system. Recently added features in these port scanners are being used to determine the changes in services offered by scanned machines on the network since the previous scan, helping security personnel identify differences over time.
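As an added example (not code from the Critical Security Controls document) of the two comparisons just described, the script below parses scan results, flags listeners that are not in the approved baseline (CSC 11-3) and marks which of them are new since the previous scan; the scan lines are constructed sample input in the greppable one-line-per-host style many scanners can emit, and the baseline and asset records are constructed as well.

```python
"""Added example, not part of the Critical Security Controls text: compares the
listeners found by a port scan against the approved service baseline (CSC 11-3)
and against the previous scan, the two comparisons the Procedures and Tools
paragraph describes. Scan output, baseline and asset records are constructed."""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "host port proto service version")

# Constructed scan output (greppable style: one host per line, each port as
# port/state/protocol/owner/service/rpc-info/version/). Not real scan results.
CURRENT_SCAN = """\
Host: 10.1.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.2/, 443/open/tcp//https//nginx 1.4.6/
Host: 10.1.2.11 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.2/, 25/open/tcp//smtp//Postfix/, 3306/open/tcp//mysql//MySQL 5.5/
Host: 10.1.2.12 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.2/, 8080/open/tcp//http-proxy//?/, 139/filtered/tcp//netbios-ssn///
"""
PREVIOUS_SCAN = """\
Host: 10.1.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.2/, 443/open/tcp//https//nginx 1.4.6/
Host: 10.1.2.11 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.2/, 25/open/tcp//smtp//Postfix/
Host: 10.1.2.12 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.2/
"""

# Approved baseline: the (port, protocol) pairs each host is allowed to expose.
BASELINE = {
    "10.1.2.10": {(22, "tcp"), (443, "tcp")},
    "10.1.2.11": {(22, "tcp"), (25, "tcp")},
    "10.1.2.12": {(22, "tcp")},
}
# Constructed asset details (name / location / department) for alert context.
ASSETS = {
    "10.1.2.10": "web01 / DMZ / Web Team",
    "10.1.2.11": "mail01 / DMZ / Messaging",
    "10.1.2.12": "ws-lab-3 / Lab subnet / Engineering",
}

PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")
HOST_RE = re.compile(r"Host:\s+(\S+).*?Ports:\s*(.*)")


def parse_scan(text):
    """Extract open listeners from greppable-style scan lines; ports in any
    other state (closed, filtered) are ignored."""
    listeners = set()
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        host, ports = m.groups()
        for port, state, proto, service, version in PORT_RE.findall(ports):
            if state == "open":
                listeners.add(Listener(host, int(port), proto, service, version.strip()))
    return listeners


def compare_to_baseline(listeners, baseline):
    """Return (unauthorized, missing): open listeners absent from the baseline
    (a host not in the baseline at all has every listener flagged), and
    baseline entries no scan saw (a possible outage or scan gap)."""
    seen = {}
    for lst in listeners:
        seen.setdefault(lst.host, set()).add((lst.port, lst.proto))
    unauthorized = sorted(lst for lst in listeners
                          if (lst.port, lst.proto) not in baseline.get(lst.host, set()))
    missing = sorted((host, port, proto) for host, allowed in baseline.items()
                     for port, proto in allowed if (port, proto) not in seen.get(host, set()))
    return unauthorized, missing


def new_since(current, previous):
    """Listeners present now that the previous scan did not show."""
    before = {(lst.host, lst.port, lst.proto) for lst in previous}
    return sorted(lst for lst in current if (lst.host, lst.port, lst.proto) not in before)


def alerts(current_text, previous_text, baseline, assets):
    """One alert line per unauthorized listener, carrying the asset details the
    CSC 11 effectiveness metrics ask for and whether the listener is new."""
    current = parse_scan(current_text)
    fresh = {(lst.host, lst.port, lst.proto)
             for lst in new_since(current, parse_scan(previous_text))}
    unauthorized, _missing = compare_to_baseline(current, baseline)
    lines = []
    for lst in unauthorized:
        age = "new since last scan" if (lst.host, lst.port, lst.proto) in fresh else "seen before"
        lines.append(f"{lst.host}:{lst.port}/{lst.proto} {lst.service} ({lst.version}) "
                     f"not in baseline; {age}; asset: {assets.get(lst.host, 'unknown')}")
    return lines


if __name__ == "__main__":
    for line in alerts(CURRENT_SCAN, PREVIOUS_SCAN, BASELINE, ASSETS):
        print(line)
```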
CSC 11 Effectiveness Metrics
In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:
1. How long does it take systems to identify any new unauthorized listening network ports that are installed on network systems (time in minutes).
2. How long does it take for alerts to be generated about new services being installed (time in minutes).
3. Are alerts then sent every 24 hours until the listening network port has been disabled or it has been authorized by change management (yes or no).
4. Do alerts indicate the location, department, and other details about the system where authorized and unauthorized network ports are running (yes or no).
CSC 11 Automation Metrics
In order to automate the collection of relevant data from these systems, organizations should gather the following information with automated technical sensors:
1. What is the percentage of the organization's systems that are not currently running a host-based firewall (by business unit).
2. How many unauthorized services are currently running on the organization's business systems (by business unit).
3. How many deviations from approved service baselines have been discovered recently on the organization's business systems (by business unit).
CSC 11 Effectiveness Test
To evaluate the implementation of Control 11 on a periodic basis, the evaluation team must install hardened test services with network listeners on 10 locations on the network, including a selection of subnets associated with DMZs, workstations, and servers. The selection of these systems must be as random as possible and include a cross-section of the organization's systems and locations. The evaluation team must then verify that the systems generate an alert or e-mail notice regarding the newly installed services within 24 hours of the services being installed on the network. The team must verify that the system provides details of the location of all of the systems where test services have been installed.
CSC 11 System Entity Relationship Diagram
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.

A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining how active scanning systems gather information on network devices and evaluate that data against the authorized service baseline database. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.
Step 1: Active scanner analyzes production systems for unauthorized ports, protocols, and services
Step 2: System baselines regularly updated based on necessary/required services
Step 3: Active scanner validates which ports, protocols, and services are blocked or allowed by the application firewall
Step 4: Active scanner validates which ports, protocols, and services are accessible on business systems protected with host-based firewalls.

CSC 12: Controlled Use of Administrative Privileges
The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
Why Is This Control Critical?
The misuse of administrative privileges is a primary method for attackers to spread inside a target enterprise. Two very common attacker techniques take advantage of uncontrolled administrative privileges. In the first, a workstation user running as a privileged user is fooled into opening a malicious e-mail attachment, downloading and opening a file from a malicious website, or simply surfing to a website hosting attacker content that can automatically exploit browsers. The file or exploit contains executable code that runs on the victim's machine either automatically or by tricking the user into executing the attacker's content. If the victim user's account has administrative privileges, the attacker can take over the victim's machine completely and install keystroke loggers, sniffers, and remote control software to find administrative passwords and other sensitive data. Similar attacks occur with e-mail. An administrator inadvertently opens an e-mail that contains an infected attachment and this is used to obtain a pivot point within the network that is used to attack other systems.
The second common technique used by attackers is elevation of privileges by guessing or cracking a password for an administrative user to gain access to a target machine. If administrative privileges are loosely and widely distributed, or identical to passwords used on less critical systems, the attacker has a much easier time gaining full control of systems, because there are many more accounts that can act as avenues for the attacker to compromise administrative privileges.
How to Implement This Control
ID # | Category | Description
CSC 12-1 | Quick Win (One of the "First Five") | Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.
CSC 12-2 | Quick Win | Use automated tools to inventory all administrative accounts and validate that each person with administrative privileges on desktops, laptops, and servers is authorized by a senior executive.
CSC 12-3 | Quick Win | Configure all administrative passwords to be complex and contain letters, numbers, and special characters intermixed, and with no dictionary words present in the password. Pass phrases containing multiple dictionary words, along with special characters, are acceptable if they are of a reasonable length.
CSC 12-4 | Quick Win | Before deploying any new devices in a networked environment, change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems to have values consistent with administration-level accounts.
CSC 12-5 | Quick Win | Ensure that all service accounts have long and difficult-to-guess passwords that are changed on a periodic basis, as is done for traditional user and administrative passwords.
CSC 12-6 | Quick Win | Passwords should be hashed or encrypted in storage. Passwords that are hashed should be salted and follow guidance provided in NIST SP 800-132 or similar guidance. Files containing these encrypted or hashed passwords required for systems to authenticate users should be readable only with super-user privileges.
CSC 12-7 | Quick Win | Utilize access control lists to ensure that administrative accounts are used only for system administration activities, and not for reading e-mail, composing documents, or surfing the Internet. Web browsers and e-mail clients especially must be configured to never run as administrator.
CSC 12-8 | Quick Win | Through policy and user awareness, require that administrators establish unique, different passwords for their administrative and non-administrative accounts. Each person requiring administrative access should be given his/her own separate account. Users should only use the Windows "administrator" or UNIX "root" accounts in emergency situations. Domain administration accounts should be used when required for system administration instead of local administrative accounts.
CSC 12-9 | Quick Win | Configure operating systems so that passwords cannot be re-used within a timeframe of six months.
CSC 12-10 | Visibility/Attribution | Configure systems to issue a log entry and alert when an account is added to or removed from a domain administrators' group, or when a new local administrator account is added on a system.
CSC 12-11 (NEW) | Visibility/Attribution | Configure systems to issue a log entry and alert when unsuccessful login to an administrative account is attempted.
CSC 12-12 | Configuration/Hygiene | Use multifactor authentication for all administrative access, including domain administrative access. Multi-factor authentication can include a variety of techniques, to include the use of smart cards with certificates, One Time Password (OTP) tokens, and biometrics.
CSC 12-13 (NEW) | Configuration/Hygiene | When using certificates to enable multi-factor certificate-based authentication, ensure that the private keys are protected using strong passwords or are stored in trusted, secure hardware tokens.
CSC 12-14 | Configuration/Hygiene | Block access to a machine (either remotely or locally) for administrator-level accounts. Instead, administrators should be required to access a system using a fully logged and non-administrative account. Then, once logged on to the machine without administrative privileges, the administrator should transition to administrative privileges using tools such as Sudo on Linux/UNIX, RunAs on Windows, and other similar facilities for other types of systems. Users would use their own administrative accounts and enter a password each time that is different than their user account.

CSC 12 Procedures and Tools
Built-in operating system features can extract lists of accounts with super-user privileges, both locally on individual systems and on overall domain controllers. To verify that users with high-privileged accounts do not use such accounts for day-to-day web surfing and e-mail reading, security personnel should periodically gather a list of running processes to determine whether any browsers or e-mail readers are running with high privileges. Such information gathering can be scripted, with short shell scripts searching for a dozen or more different browsers, e-mail readers, and document editing programs running with high privileges on machines. Some legitimate system administration activity may require the execution of such programs over the short term, but long-term or frequent use of such programs with administrative privileges could indicate that an administrator is not adhering to this control.
To enforce the requirement for strong passwords, built-in operating system features for minimum password length can be configured to prevent users from choosing short passwords. To enforce password complexity (requiring passwords to be a string of pseudo-random characters), built-in operating system settings or third-party password complexity enforcement tools can be applied.
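The scripted sweep described above, together with the group-membership alerting of CSC 12-10, as an added example that is not part of the Critical Security Controls document. It runs over a constructed process listing in the shape of `ps -eo user,pid,comm` and over two constructed snapshots of an administrators' group; the watched program names, the privileged account set and the member names are assumptions made for the example.

```python
"""Added example for CSC 12 (not from the Critical Security Controls document).

Two checks over constructed sample data:
1. find browsers, mail readers and office programs that are running under a
   super-user account (the scripted check in CSC 12 Procedures and Tools);
2. compare two snapshots of an administrators' group and produce one alert
   per member added or removed (the alerting requirement of CSC 12-10).

The process listing, account names, group members and the watched program
names are all assumptions made for the example.
"""
from dataclasses import dataclass

# Desktop programs that should not normally run with high privileges (assumed list).
WATCHED_PROGRAMS = {
    "firefox", "chrome", "chromium", "iexplore.exe", "msedge.exe",
    "thunderbird", "evolution", "mutt", "outlook.exe",
    "soffice.bin", "winword.exe", "excel.exe", "acroread",
}

# Accounts treated as high-privileged on this host (assumed). In practice the
# set is extracted with the OS's own tools, e.g. the members of the wheel/sudo
# group or of the local Administrators group.
PRIVILEGED_USERS = {"root", "Administrator", "bkpsvc"}

# Constructed sample output in the shape of `ps -eo user,pid,comm`.
SAMPLE_PS = """\
USER       PID COMMAND
root         1 systemd
root      1523 sshd
alice     2201 firefox
root      2310 firefox
root      2455 thunderbird
bob       2600 soffice.bin
bkpsvc    2712 evolution
"""


@dataclass(frozen=True)
class Process:
    user: str
    pid: int
    command: str


def parse_ps(listing: str) -> list:
    """Parse a `ps -eo user,pid,comm` style listing (header row is skipped)."""
    procs = []
    for line in listing.strip().splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # malformed row: ignore rather than abort the sweep
        user, pid, comm = parts
        procs.append(Process(user, int(pid), comm.strip()))
    return procs


def privileged_desktop_apps(procs) -> list:
    """Watched programs whose owning account is in the privileged set."""
    return [p for p in procs
            if p.user in PRIVILEGED_USERS and p.command.lower() in WATCHED_PROGRAMS]


def admin_group_changes(before: set, after: set) -> list:
    """One alert line per membership change between two group snapshots."""
    alerts = [f"ALERT: {m} added to administrators group" for m in sorted(after - before)]
    alerts += [f"ALERT: {m} removed from administrators group" for m in sorted(before - after)]
    return alerts


if __name__ == "__main__":
    for p in privileged_desktop_apps(parse_ps(SAMPLE_PS)):
        print(f"WARNING: {p.command} (pid {p.pid}) running as {p.user}")
    # Constructed snapshots of a domain administrators' group taken an hour apart.
    for line in admin_group_changes({"alice", "bob"}, {"alice", "carol"}):
        print(line)
```

Run periodically, the first check flags `firefox`, `thunderbird` and `evolution` owned by privileged accounts while leaving the same programs owned by ordinary users alone; a single hit is not proof of a violation (the text allows short-term administrative use), so the useful signal is the same account and program recurring across sweeps. The second check is deliberately independent of any OS event format: it only needs a way to enumerate the group twice.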

Control 12 Effectiveness Metrics
In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:
1. Does the system report on log-in to administrative accounts.
2. Does the system report on the elevation to administrative access, to include traceability to the user account that performed the elevation.
3. Does the system provide an inventory of all administrative accounts.
4. Does the system report on the addition of new administrative accounts.
5. Does the system allow limitations to be placed on the use of administrative accounts, to include not allowing web browsers and email clients to run as administrator.
6. Does the system prevent administrative accounts from logging into machines, either locally or remotely, instead requiring elevation of privileges once logged in with a user account.
7. Does the system require strong passwords for all administrative accounts and does the system require update of administrator passwords on a regular basis.
8. Does the system audit all attempts to gain access to password files within the system.
9. Does the system comply with password policies detailed in the control (yes or no).
10. How long does it take for administrators to be notified about user accounts being added to super user groups (time in minutes).
11. Are additional alerts generated every 24 hours until the user account has been removed from or authorized to be a part of the super user group (yes or no).
CSC 12 Automation Metrics
In order to automate the collection of relevant data from these systems, organizations should gather the following information with automated technical sensors:
1. How many unauthorized elevated operating system accounts (local administrator/root) are currently configured on the organization's systems (by business unit).
2. How many unauthorized elevated application accounts are currently configured on the organization's systems (by business unit).
3. What percentage of the organization's elevated accounts do not currently adhere to the organization's password standard (by business unit).
4. What percentage of the organization's elevated accounts do not require two-factor authentication (by business unit).
5. How many attempts to upgrade an account to administrative privileges have been detected on the organization's systems recently (by business unit).
6. How many attempts to gain access to password files within the system have been detected on the organization's systems recently (by business unit).

Control 12 Effectiveness Test
To evaluate the implementation of Control 12 on a periodic basis, the evaluation team must attempt a variety of techniques to gain access and exploit administrative accounts within the system. Each of the following tests must be performed at least three times:
- Attempt to gain access to a cross section of devices within the system, using default administrative passwords.
- Attempt to log-in remotely to machines using administrative accounts directly. Verify that this is disallowed by policy.
- Attempt to log-in directly to a workstation or server with root or administrator accounts. Verify that this is disallowed by policy.
- Attempt to gain access to password files within the system using unauthorized accounts. Verify that access is disallowed and that attempts are logged and reported.
- Attempt to elevate to a privileged account on the system. Verify that the administrator password is required to perform the elevation and that the elevation is logged and reported by the system. Verify that traceability within the audit logs is provided to detail the user account that performed the elevation.
- Attempt to configure weak administrator passwords that are non-compliant with established policy. Verify that the system does not allow weak passwords to be used.
- Attempt to re-use an administrator password that was previously used for the account. Verify that the system requires unique new passwords during each update.

Each of these tests must be performed from multiple, widely distributed systems on the organization's network in order to test the effectiveness of administrator controls.
CSC 12 System Entity Relationship Diagram
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.

A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining the components of user account provisioning and user authentication. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.
Step 1: Production systems use proper authentication systems
Step 2: Standard and administrative user accounts use proper authentication systems
Step 3: Standard and administrative user accounts properly managed via group
memberships
Step 4: Administrative access to systems properly logged via log management systems
Step 5: Password assessment system validates the strength of the authentication systems.

[Diagram: the entities shown are Standard User Accounts, Administrative User Accounts, User Groups, Authentication Systems, Production Business Systems with ACLs, Log Management System / SIEM, and Password Assessment System; the numbered links 1 to 5 correspond to the steps listed above.]

CSC 13: Boundary Defense
Detect/prevent/correct the flow of information transferring networks of different trust levels with a focus on security-damaging data.
Why Is This Control Critical?
Attackers focus on exploiting systems that they can reach across the Internet, including not only DMZ systems but also workstation and laptop computers that pull content from the Internet through network boundaries. Threats such as organized crime groups and nation-states use configuration and architectural weaknesses found on perimeter systems, network devices, and Internet-accessing client machines to gain initial access into an organization. Then, with a base of operations on these machines, attackers often pivot to get deeper inside the boundary to steal or change information or to set up a persistent presence for later attacks against internal hosts. Additionally, many attacks occur between business partner networks, sometimes referred to as extranets, as attackers hop from one organization's network to another, exploiting vulnerable systems on extranet perimeters.
To control the flow of traffic through network borders and police content by looking for attacks and evidence of compromised machines, boundary defenses should be multi-layered, relying on firewalls, proxies, DMZ perimeter networks, and network-based IPS and IDS. It is also critical to filter both inbound and outbound traffic.
It should be noted that boundary lines between internal and external networks are diminishing as a result of increased interconnectivity within and between organizations as well as the rapid rise in deployment of wireless technologies. These blurring lines sometimes allow attackers to gain access inside networks while bypassing boundary systems. However, even with this blurring of boundaries, effective security deployments still rely on carefully configured boundary defenses that separate networks with different threat levels, sets of users, and levels of control. And despite the blurring of internal and external networks, effective multi-layered defenses of perimeter networks help lower the number of successful attacks, allowing security personnel to focus on attackers who have devised methods to bypass boundary restrictions.

How to Implement This Control
ID # (Category): Description

CSC 13-1 (Quick Win): Deny communications with (or limit data flow to) known malicious IP addresses (black lists), or limit access only to trusted sites (whitelists). Tests can be periodically carried out by sending packets from bogon source IP addresses (non-routable or otherwise unused IP addresses) into the network to verify that they are not transmitted through network perimeters. Lists of bogon addresses are publicly available on the Internet from various sources, and indicate a series of IP addresses that should not be used for legitimate traffic traversing the Internet.

CSC 13-2 (Quick Win): On DMZ networks, configure monitoring systems (which may be built in to the IDS sensors or deployed as a separate technology) to record at least packet header information, and preferably full packet header and payloads of the traffic destined for or passing through the network border. This traffic should be sent to a properly configured Security Information Event Management (SIEM) or log analytics system so that events can be correlated from all devices on the network.

CSC 13-3 (Visibility/Attribution): To lower the chance of spoofed e-mail messages, implement the Sender Policy Framework (SPF) by deploying SPF records in DNS and enabling receiver-side verification in mail servers.

CSC 13-4 (Visibility/Attribution): Deploy network-based IDS sensors on Internet and extranet DMZ systems and networks that look for unusual attack mechanisms and detect compromise of these systems. These network-based IDS sensors may detect attacks through the use of signatures, network behavior analysis, or other mechanisms to analyze traffic.

CSC 13-5 (Visibility/Attribution): Network-based IPS devices should be deployed to complement IDS by blocking known bad signature or behavior of attacks. As attacks become automated, methods such as IDS typically delay the amount of time it takes for someone to react to an attack. A properly configured network-based IPS can provide automation to block bad traffic. When evaluating network-based IPS products, include those using techniques other than signature-based detection (such as virtual machine or sandbox-based approaches) for consideration.

CSC 13-6 (Visibility/Attribution): Design and implement network perimeters so that all outgoing web, file transfer protocol (FTP), and secure shell traffic to the Internet must pass through at least one proxy on a DMZ network. The proxy should support logging individual TCP sessions; blocking specific URLs, domain names, and IP addresses to implement a black list; and applying whitelists of allowed sites that can be accessed through the proxy while blocking all other sites. Organizations should force outbound traffic to the Internet through an authenticated proxy server on the enterprise perimeter. Proxies can also be used to encrypt all traffic leaving an organization.

CSC 13-7 (Visibility/Attribution): Require all remote login access (including VPN, dial-up, and other forms of access that allow login to internal systems) to use two-factor authentication.

CSC 13-8 (Configuration/Hygiene): All enterprise devices remotely logging into the internal network should be managed by the enterprise, with remote control of their configuration, installed software, and patch levels. For third-party devices (e.g., subcontractors/vendors), publish minimum security standards for access to the enterprise network and perform a security scan before allowing access.

CSC 13-9 (Configuration/Hygiene): Periodically scan for back-channel connections to the Internet that bypass the DMZ, including unauthorized VPN connections and dual-homed hosts connected to the enterprise network and to other networks via wireless, dial-up modems, or other mechanisms.

CSC 13-10 (Configuration/Hygiene): To limit access by an insider, untrusted subcontractor/vendor, or malware spreading on an internal network, devise internal network segmentation schemes to limit traffic to only those services needed for business use across the organization's internal network.

CSC 13-12 (Advanced): To minimize the impact of an attacker pivoting between compromised systems, only allow DMZ systems to communicate with private network systems via application proxies or application-aware firewalls over approved channels.

CSC 13-13 (Advanced): To help identify covert channels exfiltrating data through a firewall, configure the built-in firewall session tracking mechanisms included in many commercial firewalls to identify TCP sessions that last an unusually long time for the given organization and firewall device, alerting personnel about the source and destination addresses associated with these long sessions.

CSC 13-14 (Configuration/Hygiene): Deploy NetFlow collection and analysis to DMZ network flows to detect anomalous activity.

CSC 13 Procedures and Tools
The boundary defenses included in this control build on Critical Control 10. The additional recommendations here focus on improving the overall architecture and implementation of both Internet and internal network boundary points. Internal network segmentation is central to this control because once inside a network, many intruders attempt to target the most sensitive machines. Usually, internal network protection is not set up to defend against an internal attacker. Setting up even a basic level of security segmentation across the network and protecting each segment with a proxy and a firewall will greatly reduce an intruder's access to the other parts of the network.
One element of this control can be implemented using free or commercial IDS and sniffers to look for attacks from external sources directed at DMZ and internal systems, as well as attacks originating from internal systems against the DMZ or Internet. Security personnel should regularly test these sensors by launching vulnerability-scanning tools against them to verify that the scanner traffic triggers an appropriate alert. The captured packets of the IDS sensors should be reviewed using an automated script each day to ensure that log volumes are within expected parameters and that the logs are formatted properly and have not been corrupted.
Additionally, packet sniffers should be deployed on DMZs to look for Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. By sampling traffic regularly, such as over a three-hour period once a week, information security personnel can search for HTTP traffic that is neither sourced by nor destined for a DMZ proxy, implying that the requirement for proxy use is being bypassed.
To identify back-channel connections that bypass approved DMZs, network security personnel can establish an Internet-accessible system to use as a receiver for testing outbound access. This system is configured with a free or commercial packet sniffer. Then, security personnel can connect a sending test system to various points on the organization's internal network, sending easily identifiable traffic to the sniffing receiver on the Internet. These packets can be generated using free or commercial tools with a payload that contains a custom file used for the test. When the packets arrive at the receiver system, the source address of the packets should be verified against acceptable DMZ addresses allowed for the organization. If source addresses are discovered that are not included in legitimate, registered DMZs, more detail can be gathered by using a traceroute tool to determine the path that packets take from the sender to the receiver system.
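The three analyses described in this control, the proxy-bypass search over sampled traffic, the long-session alerting of CSC 13-13 and the receiver-side source check for back channels, written out as an added example that is not part of the Critical Security Controls document. It works on constructed flow records (as a NetFlow collector or a sniffer summary would yield), and the address ranges, proxy address, port list and four-hour threshold are assumptions for the example; in practice they come from the organization's own network registration and from the "unusually long" baseline of its firewall.

```python
"""Added example for CSC 13 (not from the Critical Security Controls document).

Three checks over constructed flow records:
- HTTP/HTTPS flows to the Internet that neither originate from nor terminate
  at a DMZ proxy (the sampling check described in CSC 13 Procedures and Tools);
- boundary-crossing TCP sessions that last unusually long (CSC 13-13);
- source addresses seen at the Internet-side test receiver that are not inside
  the registered DMZ ranges (the back-channel check in Procedures and Tools).

All address ranges, the proxy address, the port list and the duration
threshold are assumptions; the flow records are constructed, not captured.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8")]        # assumed internal address space
DMZ_NETS = [ip_network("203.0.113.0/24")]         # assumed registered DMZ range
PROXY_ADDRS = {ip_address("203.0.113.10")}        # assumed DMZ web proxy
HTTP_PORTS = {80, 443, 8080}
LONG_SESSION_SECONDS = 4 * 3600                   # assumed organisational threshold


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    start: int    # session start, seconds (constructed)
    end: int      # session end, seconds (constructed)


def in_any(addr: str, nets) -> bool:
    a = ip_address(addr)
    return any(a in n for n in nets)


def is_internet(addr: str) -> bool:
    """Anything outside the internal and DMZ ranges counts as Internet here."""
    return not in_any(addr, INTERNAL_NETS) and not in_any(addr, DMZ_NETS)


def proxy_bypass(flows) -> list:
    """HTTP flows toward the Internet with no DMZ proxy at either end."""
    hits = []
    for f in flows:
        if f.dport not in HTTP_PORTS or not is_internet(f.dst):
            continue
        if ip_address(f.src) in PROXY_ADDRS or ip_address(f.dst) in PROXY_ADDRS:
            continue
        hits.append(f)
    return hits


def long_sessions(flows, threshold=LONG_SESSION_SECONDS) -> list:
    """Sessions with one end inside and one end on the Internet that exceed the threshold."""
    return [f for f in flows
            if f.end - f.start > threshold and is_internet(f.src) != is_internet(f.dst)]


def unregistered_sources(seen_sources) -> list:
    """Sources observed at the Internet receiver that are not in a registered DMZ."""
    return sorted(s for s in seen_sources if not in_any(s, DMZ_NETS))


# Constructed sample flows; 198.51.100.0/24 and 192.0.2.0/24 stand in for Internet hosts.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "203.0.113.10", 8080, 1000, 1060),            # client -> DMZ proxy: fine
    Flow("203.0.113.10", "198.51.100.20", 443, 1000, 1100),        # proxy -> Internet: fine
    Flow("10.1.2.7", "198.51.100.20", 443, 1000, 1050),            # client straight to Internet: bypass
    Flow("10.1.2.9", "198.51.100.44", 22, 5000, 5000 + 6 * 3600),  # six-hour SSH session out
    Flow("10.1.2.3", "10.1.5.5", 443, 0, 10 * 3600),               # long, but internal only
]
# Constructed source addresses as seen by the sniffer on the Internet receiver.
RECEIVER_SOURCES = ["203.0.113.10", "192.0.2.55", "203.0.113.33"]

if __name__ == "__main__":
    print("proxy bypass:", proxy_bypass(SAMPLE_FLOWS))
    print("long sessions:", long_sessions(SAMPLE_FLOWS))
    print("unregistered sources:", unregistered_sources(RECEIVER_SOURCES))
```

The long-session check deliberately ignores sessions that never cross the boundary, since the control is about channels through the firewall; the internal-only ten-hour flow in the sample is therefore not reported. A source address reported by `unregistered_sources` is the starting point for the traceroute step the text describes.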

CSC 13 Effectiveness Metrics
In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:
1. Are all unauthorized packets entering or leaving the network detected (yes or no).
2. Do all network connections to the Internet, business partners, or other third parties currently utilize inbound & outbound network filters, and Intrusion Detection Systems (IDS) (yes or no).
3. How long does it take before unauthorized network packets are alerted on when passing through perimeter systems (time in minutes).
4. How long does it take to apply configuration changes to block unauthorized traffic passing through perimeter systems (time in minutes).
CSC 13 Automation Metrics
In order to automate the collection of relevant data from these systems, organizations should gather the following information with automated technical sensors:
1. What percentage of the organization's remote access users are not required to use two-factor authentication to remotely access the organization's network (by business unit).
2. What percentage of remote business systems are not managed using the same security standards as internal network systems (by business unit).
3. What percentage of the organization's internal systems are not on dedicated virtual LANs (VLANs) that are segmented with access control lists (by business unit).
4. How many events of interest have been discovered recently on the organization's network through analysis of NetFlow configured on network devices (by business unit).
Control 13 Effectiveness Test
To evaluate the implementation of Control 13 on a periodic basis, an evaluation team must test boundary devices by sending packets from outside any trusted network to ensure that only authorized packets are allowed through the boundary. All other packets must be dropped. In addition, unauthorized packets must be sent from a trusted network to an untrusted network to make sure egress filtering is functioning properly. The evaluation team must then verify that the systems generate an alert or e-mail notice regarding the unauthorized packets within 24 hours. It is important that the evaluation team verify that all unauthorized packets have been detected. The evaluation team must also verify that the alert or e-mail indicating that the unauthorized traffic is now being blocked is received within one hour. The evaluation team must verify that the system provides details of the location of each machine with this new test software, including information about the asset owner. It is also important that the evaluation team test to ensure that the device fails in a state where it does not forward traffic when it crashes or becomes flooded.
CSC 13 System Entity Relationship Diagram
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.

A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case we are examining the network boundary devices and the supporting systems such as authentication servers, two-factor authentication systems, network monitoring systems, and network proxy devices. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.
Step 1: Hardened device configurations applied to production devices
Step 2: Two-factor authentication systems required for administrative access to production devices
Step 3: Production network devices send events to log management and correlation system
Step 4: Network monitoring system analyzes network traffic
Step 5: Network monitoring system sends events to log management and correlation system
Step 6: Outbound traffic passes through and is examined by network proxy devices
Step 7: Network systems scanned for potential weaknesses.

CSC 14: Maintenance, Monitoring, and Analysis of Audit Logs
Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.
Why Is This Control Critical?
Deficiencies in security logging and analysis allow attackers to hide their location, malicious software, and activities on victim machines. Even if the victims know that their systems have been compromised, without protected and complete logging records they are blind to the details of the attack and to subsequent actions taken by the attackers. Without solid audit logs, an attack may go unnoticed indefinitely and the particular damages done may be irreversible.
Sometimes logging records are the only evidence of a successful attack. Many organizations keep audit records for compliance purposes, but attackers rely on the fact that such organizations rarely look at the audit logs, so they do not know that their systems have been compromised. Because of poor or nonexistent log analysis processes, attackers sometimes control victim machines for months or years without anyone in the target organization knowing, even though the evidence of the attack has been recorded in unexamined log files.
How to Implement This Control
ID # (Category): Description

CSC 14-1 (Quick Win): Include at least two synchronized time sources (i.e., Network Time Protocol - NTP) from which all servers and network equipment retrieve time information on a regular basis so that timestamps in logs are consistent, and are set to UTC (Coordinated Universal Time).

CSC 14-2 (Quick Win): Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.

CSC 14-3 (Quick Win): Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis.

CSC 14-4 (Quick Win): Develop a log retention policy to make sure that the logs are kept for a sufficient period of time. Organizations are often compromised for several months without detection. The logs must be kept for a longer period of time than it takes an organization to detect an attack so they can accurately determine what occurred.

CSC 14-5 (Quick Win): Have security personnel and/or system administrators run biweekly reports that identify anomalies in logs. They should then actively review the anomalies, documenting their findings.

CSC 14-6 (Visibility/Attribution): Configure network boundary devices, including firewalls, network-based IPS, and inbound and outbound proxies, to verbosely log all traffic (both allowed and blocked) arriving at the device.

CSC 14-7 (Visibility/Attribution): For all servers, ensure that logs are written to write-only devices or to dedicated logging servers running on separate machines from the hosts generating the event logs, lowering the chance that an attacker can manipulate logs stored locally on compromised machines.

CSC 14-8 (Visibility/Attribution): Deploy a SIEM (Security Incident and Event Management) or log analytic tools for log aggregation and consolidation from multiple machines and for log correlation and analysis. Using the SIEM tool, system administrators and security personnel should devise profiles of common events from given systems so that they can tune detection to focus on unusual activity, avoid false positives, more rapidly identify anomalies, and prevent overwhelming analysts with insignificant alerts.

CSC 14-9 (Advanced): Monitor for service creation events and enable process tracking logs. On Windows systems, many attackers use PsExec functionality to spread from system to system. Creation of a service is an unusual event and should be monitored closely. Process tracking is valuable for incident handling.

CSC 14-10 (New) (Advanced): Ensure that the log collection system does not lose events during peak activity, and that the system detects and alerts if event loss occurs (such as when volume exceeds the capacity of a log collection system). This includes ensuring that the log collection system can accommodate intermittent or restricted-bandwidth connectivity through the use of handshaking flow control.

CSC 14 Procedures and Tools
Most free and commercial operating systems, network services, and firewall technologies offer logging capabilities. Such logging should be activated, with logs sent to centralized logging servers. Firewalls, proxies, and remote access systems (VPN, dial-up, etc.) should all be configured for verbose logging, storing all the information available for logging in the event a follow-up investigation is required. Furthermore, operating systems, especially those of servers, should be configured to create access control logs when a user attempts to access resources without the appropriate privileges. To evaluate whether such logging is in place, an organization should periodically scan through its logs and compare them with the asset inventory assembled as part of Critical Control 1 in order to ensure that each managed item actively connected to the network is periodically generating logs.
Analytical programs such as SIM/SEM solutions for reviewing logs can provide value, but the capabilities employed to analyze audit logs are quite extensive, even including, importantly, just a cursory examination by a person. Actual correlation tools can make audit logs far more useful for subsequent manual inspection. Such tools can be quite helpful in identifying subtle attacks. However, these tools are neither a panacea nor a replacement for skilled information security personnel and system administrators. Even with automated log analysis tools, human expertise and intuition are often required to identify and understand attacks.
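The inventory comparison described above, combined with the timestamp requirements of CSC 14-1 and the standardized-format requirement of CSC 14-2, as an added example that is not part of the Critical Security Controls document. It parses a handful of constructed log lines in RFC 5424 syslog shape, normalises every timestamp to UTC, and reports which inventoried assets are silent, which have never been heard from, which logging hosts are absent from the inventory, and which lines could not be normalised. The inventory, host names, log lines and 24-hour silence window are all constructed assumptions.

```python
"""Added example for CSC 14 (not from the Critical Security Controls document).

Checks that every managed asset in the inventory is still producing logs, with
all timestamps reconciled to UTC first (CSC 14-1, CSC 14-2, and the inventory
comparison in CSC 14 Procedures and Tools). Inventory, host names, log lines
and the silence threshold are constructed assumptions.
"""
from datetime import datetime, timedelta, timezone
import re

# RFC 5424 header: "<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ..."
RFC5424 = re.compile(r"^<\d{1,3}>1 (\S+) (\S+) ")

# Constructed inventory (what Critical Control 1 would supply) and clock.
INVENTORY = {"fw01", "web01", "db01", "app01", "switch01"}
NOW = datetime(2024, 3, 2, 12, 0, tzinfo=timezone.utc)

# Constructed sample lines; two of them are deliberately not normalised.
SAMPLE_LINES = [
    "<34>1 2024-03-02T11:55:00Z fw01 pf - - - pass in on em0 proto tcp",
    "<85>1 2024-03-02T13:30:00+02:00 web01 sshd 1201 - - Accepted publickey for deploy",
    "<13>1 2024-02-28T09:00:00Z db01 postgres 88 - - checkpoint complete",
    "<13>1 2024-03-02T11:00:00 app01 app 9 - - started",           # no UTC offset
    "Mar  2 11:59:00 legacy01 cron[44]: (root) CMD (run-parts)",   # BSD syslog shape
    "<13>1 2024-03-02T11:58:00Z rogue-host agent - - - heartbeat",
]


def parse_line(line: str):
    """Return (utc_timestamp, hostname), or None if the line cannot be normalised."""
    m = RFC5424.match(line)
    if not m:
        return None
    stamp, host = m.groups()
    if stamp == "-":                       # RFC 5424 NILVALUE: no timestamp at all
        return None
    try:
        ts = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    except ValueError:
        return None
    if ts.tzinfo is None:                  # no offset: cannot be reconciled with other sources
        return None
    return ts.astimezone(timezone.utc), host


def last_seen(lines):
    """Map hostname -> most recent UTC timestamp; also return lines that were rejected."""
    seen, rejected = {}, []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            rejected.append(line)
            continue
        ts, host = parsed
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen, rejected


def coverage_report(inventory, lines, now, max_silence=timedelta(hours=24)):
    """Inventoried assets that are silent or missing, plus unexpected loggers."""
    seen, rejected = last_seen(lines)
    silent = sorted(h for h, ts in seen.items() if h in inventory and now - ts > max_silence)
    missing = sorted(h for h in inventory if h not in seen)
    unknown = sorted(h for h in seen if h not in inventory)   # logging host the inventory lacks
    return {"silent": silent, "missing": missing, "unknown": unknown, "rejected": rejected}


if __name__ == "__main__":
    for key, value in coverage_report(INVENTORY, SAMPLE_LINES, NOW).items():
        print(f"{key}: {value}")
```

Note that `app01` ends up in `missing` even though it did emit a line: a timestamp without an offset is rejected rather than guessed at, which is exactly the failure CSC 14-1 is meant to remove. The `unknown` list is the reverse check, a host that logs but is not inventoried, which points back at a gap in Critical Control 1.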
CSC 14 Effectiveness Metrics
In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:
1. Does each system log appropriately to a central log management system (yes or no).
2. Does each log event generated include a date, timestamp, source address, destination address and other details about the packet (yes or no).
3. If a system fails to log properly, how long does it take for an alert about the failure to be sent (time in minutes).
4. If a system fails to log properly, how long does it take for enterprise personnel to receive the alert about the failure (time in minutes).
CSC 14 Automation Metrics
In order to automate the collection of relevant data from these systems, organizations should gather the following information with automated technical sensors:
1. What percentage of the organization's systems do not currently have comprehensive logging enabled in accordance with the organization's standard (by business unit).
2. What percentage of the organization's systems are not currently configured to centralize their logs to a central log management system (by business unit).
3. How many anomalies/events of interest have been discovered in the organization's logs recently (by business unit).
CSC 14 Effectiveness Test
To evaluate the implementation of Control 14 on a periodic basis, an evaluation team must review the security logs of various network devices, servers, and hosts. At a minimum the following devices must be tested: two routers, two firewalls, two switches, 10 servers, and 10 client systems. The testing team should use traffic-generating tools to send packets through the systems under analysis to verify that the traffic is logged. This analysis is done by creating controlled, benign events and determining if the information is properly recorded in the logs with key information, including a date, timestamp, source address, destination address, and other details about the packet. The evaluation team must verify that the system generates audit logs and, if not, an alert or e-mail notice regarding the failed logging must be sent within 24 hours. It is important that the team verify that all activity has been detected. The evaluation team must verify that the system provides details of the location of each machine, including information about the asset owner.
CSC 14 System Entity Relationship Diagram
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.

A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining audit logs, the central log database system, the central time system, and log analysts. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.
Step 1: Production systems generate logs and send them to a centrally managed log database system
Step 2: Production systems and log database system pull/synchronize time with central time management systems
Step 3: Logs analyzed by a log analysis system
Step 4: Log analysts examine data generated by log analysis system.


CSC 15: Controlled Access Based on the Need to Know
The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.
Why Is This Control Critical?
Some organizations do not carefully identify and separate their most sensitive and critical assets from less sensitive, publicly accessible information on their internal networks. In many environments, internal users have access to all or most of the critical assets. Sensitive assets may also include systems that provide management and control of physical systems (e.g., SCADA). Once attackers have penetrated such a network, they can easily find and exfiltrate important information, cause physical damage, or disrupt operations with little resistance. For example, in several high-profile breaches over the past two years, attackers were able to gain access to sensitive data stored on the same servers with the same level of access as far less important data. There are also examples of using access to the corporate network to gain access to, then control over, physical assets and cause damage.
How to Implement This Control
ID # (Category): Description

CSC 15-1 (Quick Win): Locate any sensitive information on separated VLANS with firewall filtering. All communication of sensitive information over less-trusted networks should be encrypted.

CSC 15-3 (Visibility/Attribution): Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data.

CSC 15-4 (Configuration/Hygiene): Segment the network based on the trust levels of the information stored on the servers. Whenever information flows over a network with a lower trust level, the information should be encrypted.

CSC 15-5 (Advanced): Use host-based data loss prevention (DLP) to enforce ACLs even when data is copied off a server. In most organizations, access to the data is controlled by ACLs that are implemented on the server. Once the data have been copied to a desktop system, the ACLs are no longer enforced and the users can send the data to whomever they want.


81
CSC 15 Procedures and Tools
It is important that an organization understand what its sensitive information is, where it resides, and who needs access to it. To derive sensitivity levels, organizations need to put together a list of the key types of data and the overall importance to the organization. This analysis would be used to create an overall data classification scheme for the organization. At a base level, a data classification scheme is broken down into two levels: public (unclassified) and private (classified). Once the private information has been identified, it can then be further subdivided based on the impact it would have to the organization if it were compromised.
Once the sensitivity of the data has been identified, the data need to be traced back to business applications and the physical servers that house those applications. The network then needs to be segmented so that systems of the same sensitivity level are on the same network and segmented from systems with different trust levels. If possible, firewalls need to control access to each segment. If data are flowing over a network with a lower trust level, encryption should be used.
Job requirements should be created for each user group to determine what information the group needs access to in order to perform its jobs. Based on the requirements, access should only be given to the segments or servers that are needed for each job function. Detailed logging should be turned on for all servers in order to track access and examine situations where someone is accessing data that they should not be accessing.
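The classification, segmentation and job-requirement steps above can be checked mechanically. The following is an added example (not code from the Critical Security Controls document) that models the scheme as data and audits constructed access log records against it; all data set, segment, group and user names are assumptions.

```python
"""Need-to-know access audit: an added example, not code from the CSC document.

It follows the CSC 15 procedure above: a data classification scheme, data sets
traced back to the servers and network segments that house them, job
requirements per user group, and detailed server access logs examined for
access outside a group's need-to-know or flowing unencrypted from a
lower-trust segment.  Every name, segment and log record is constructed.
"""
from dataclasses import dataclass

# Classification levels, ordered by impact to the organization if compromised.
PUBLIC, INTERNAL, CONFIDENTIAL, RESTRICTED = range(4)
LEVEL_NAMES = ["public", "internal", "confidential", "restricted"]

# Trust level of each network segment (constructed).
SEGMENT_TRUST = {"dmz": PUBLIC, "corp-vlan": INTERNAL,
                 "hr-vlan": RESTRICTED, "ot-vlan": RESTRICTED}


@dataclass(frozen=True)
class DataSet:
    name: str
    level: int
    server: str
    segment: str  # segment that houses the server


# Inventory of data sets traced back to servers and segments (constructed).
DATA_SETS = {d.name: d for d in [
    DataSet("marketing-site", PUBLIC, "web01", "dmz"),
    DataSet("customer-list", CONFIDENTIAL, "web01", "dmz"),  # misplaced on purpose
    DataSet("ticketing", INTERNAL, "svc01", "corp-vlan"),
    DataSet("hr-records", RESTRICTED, "hr-db01", "hr-vlan"),
    DataSet("plant-scada", RESTRICTED, "scada01", "ot-vlan"),
]}

# Job requirements: the data sets each user group needs to perform its job.
JOB_REQUIREMENTS = {
    "hr-staff": {"hr-records", "ticketing"},
    "helpdesk": {"ticketing"},
    "web-team": {"marketing-site", "ticketing"},
    "plant-ops": {"plant-scada", "ticketing"},
}


def misplaced_data_sets():
    """Data sets housed on a segment whose trust level is below their classification."""
    return sorted(d.name for d in DATA_SETS.values() if SEGMENT_TRUST[d.segment] < d.level)


def allowed_segments(group):
    """Segments a group may reach: only those housing data sets it needs."""
    return {DATA_SETS[n].segment for n in JOB_REQUIREMENTS.get(group, ())}


def audit_access(records):
    """Check access log records against the policy; return (user, data set, reason) findings.

    Each record carries user, group, dataset, src_segment (where the client sits)
    and encrypted (whether the session was protected in transit).
    """
    findings = []
    for r in records:
        ds = DATA_SETS.get(r["dataset"])
        if ds is None:
            findings.append((r["user"], r["dataset"], "access to unclassified data set"))
            continue
        if ds.name not in JOB_REQUIREMENTS.get(r["group"], ()):
            findings.append((r["user"], ds.name,
                             f"{LEVEL_NAMES[ds.level]} data outside need-to-know of {r['group']}"))
        # Data crossing from a lower-trust segment must be encrypted in transit.
        if SEGMENT_TRUST[r["src_segment"]] < ds.level and not r["encrypted"]:
            findings.append((r["user"], ds.name,
                             f"unencrypted access from lower-trust segment {r['src_segment']}"))
    return findings


# Constructed access log records, as exported from server audit logs.
SAMPLE_RECORDS = [
    {"user": "alice", "group": "hr-staff", "dataset": "hr-records", "src_segment": "hr-vlan", "encrypted": True},
    {"user": "bob", "group": "helpdesk", "dataset": "hr-records", "src_segment": "corp-vlan", "encrypted": True},
    {"user": "carol", "group": "web-team", "dataset": "ticketing", "src_segment": "corp-vlan", "encrypted": False},
    {"user": "dave", "group": "plant-ops", "dataset": "plant-scada", "src_segment": "corp-vlan", "encrypted": False},
    {"user": "erin", "group": "helpdesk", "dataset": "legacy-share", "src_segment": "corp-vlan", "encrypted": True},
]

if __name__ == "__main__":
    for name in misplaced_data_sets():
        print(f"MISPLACED: {name} sits on a segment below its classification")
    for user, ds, reason in audit_access(SAMPLE_RECORDS):
        print(f"REVIEW: {user} -> {ds}: {reason}")
```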
CSC 15 Effectiveness Metrics
In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:
1. Can the system detect all attempts by users to access files on local systems or network-accessible file shares without the appropriate privileges (yes or no).
2. How long does it take the system to generate an alert or e-mail for administrative personnel of a user inappropriately accessing the file shares (time in minutes).
CSC 15 Automation Metrics
In order to automate the collection of relevant data from these systems, organizations should gather the following information with automated technical sensors:
1. What percentage of the organization's data sets have not been classified in accordance with the organization's data classification standards (by business unit).
2. What percentage of sensitive data sets are not configured to require logging of access to the data set (by business unit).
3. What percentage of the organization's business systems are not utilizing host based Data Loss Prevention (DLP) software applications (by business unit).
CSC 15 Effectiveness Test
To evaluate the implementation of Control 15 on a periodic basis, the evaluation team must create two test accounts each on 10 representative systems in the enterprise: five server machines and five client systems. For each system evaluated, one account must have limited privileges, while the other must have privileges necessary to create files on the systems. The evaluation team must then verify that the non-privileged account is unable to access the files created for the other account on the system. The team must also verify that an alert or e-mail is generated based on the attempted unsuccessful access within 24 hours. Upon completion of the test, these accounts must be removed.
CSC 15 System Entity Relationship Diagram
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.

A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case, the data classification system and permission baseline is the blueprint for how authentication and access of data is controlled. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.
Step 1: An appropriate data classification system and permissions baseline applied to
production data systems
Step 2: Access appropriately logged to a log management system
Step 3: Proper access control applied to portable media/USB drives
Step 4: Active scanner validates, checks access, and checks data classification
Step 5: Host-based encryption and data-loss prevention validates and checks all access
requests.

CSC 16: Account Monitoring and Control
Actively manage the life-cycle of system and application accounts - their creation, use, dormancy, deletion - in order to minimize opportunities for attackers to leverage them.
Why Is This Control Critical?
Attackers frequently discover and exploit legitimate but inactive user accounts to impersonate legitimate users, thereby making discovery of attacker behavior difficult for network watchers. Accounts of contractors and employees who have been terminated and accounts formerly set up for Red Team testing (but not deleted afterwards) have often been misused in this way. Additionally, some malicious insiders or former employees have accessed accounts left behind in a system long after contract expiration, maintaining their access to an organization's computing system and sensitive data for unauthorized and sometimes malicious purposes.
How to Implement This Control
ID # [Category]  Description
CSC 16-1 [Quick Win]  Review all system accounts and disable any account that cannot be associated with a business process and owner.
CSC 16-2 [Quick Win]  Ensure that all accounts have an expiration date associated with the account.
CSC 16-3 [Quick Win]  Ensure that systems automatically create a report that includes a list of locked-out accounts, disabled accounts, accounts with passwords that exceed the maximum password age, and accounts with passwords that never expire. This list should be sent to the associated system administrator in a secure fashion.
CSC 16-4 [Quick Win]  Establish and follow a process for revoking system access by disabling accounts immediately upon termination of an employee or contractor. Disabling instead of deleting accounts allows preservation of audit trails.
CSC 16-5 [Quick Win]  Regularly monitor the use of all accounts, automatically logging off users after a standard period of inactivity.
CSC 16-6 (NEW) [Quick Win]  Configure screen locks on systems to limit access to unattended workstations.
CSC 16-7 [Quick Win]  Monitor account usage to determine dormant accounts, notifying the user or user's manager. Disable such accounts if not needed, or document and monitor exceptions (e.g., vendor maintenance accounts needed for system recovery or continuity operations).
CSC 16-8 [Quick Win]  Require that all non-administrator accounts have strong passwords that contain letters, numbers, and special characters, be changed at least every 90 days, have a minimal age of one day, and not be allowed to use the previous 15 passwords as a new password. These values can be adjusted based on the specific business needs of the organization.
CSC 16-9 [Quick Win]  Use and configure account lockouts such that after a set number of failed login attempts the account is locked for a standard period of time.
CSC 16-10 [Visibility/Attribution]  Require that managers match active employees and contractors with each account belonging to their managed staff. Security or system administrators should then disable accounts that are not assigned to active employees or contractors.
CSC 16-11 [Visibility/Attribution]  Monitor attempts to access deactivated accounts through audit logging.
CSC 16-12 (NEW) [Configuration/Hygiene]  Configure access for all accounts through a centralized point of authentication, for example Active Directory or LDAP. Configure network and security devices for centralized authentication as well.
CSC 16-13 [Configuration/Hygiene]  Profile each user's typical account usage by determining normal time-of-day access and access duration. Reports should be generated that indicate users who have logged in during unusual hours or have exceeded their normal login duration. This includes flagging the use of the user's credentials from a computer other than computers on which the user generally works.
CSC 16-14 (NEW) [Advanced]  Require multi-factor authentication for accounts that have access to sensitive data or systems. Multi-factor authentication can be achieved using Smart cards with certificates, One Time Password (OTP) tokens, or biometrics.
CSC 16-15 (NEW) [Advanced]  For authenticated access to web services within an enterprise, ensure that account usernames and passwords are passed over an encrypted channel and associated password hash files are stored securely if a centralized service is not employed.
CSC 16-16 (NEW) [Advanced]  Configure all systems to use encrypted channels for the transmission of passwords over a network.
CSC 16-17 (NEW) [Advanced]  Verify that all password files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. Audit all access to password files in the system.

CSC 16 Procedures and Tools
Although most operating systems include capabilities for logging information about account usage, these features are sometimes disabled by default. Even when such features are present and active, they often do not provide fine-grained detail about access to the system by default. Security personnel can configure systems to record more detailed information about account access, and use home-grown scripts or third-party log analysis tools to analyze this information and profile user access of various systems.
Accounts must also be tracked very closely. Any account that is dormant must be disabled and eventually removed from the system. All active accounts must be traced back to authorized users of the system, and it must be ensured that their passwords are robust and changed on a regular basis. Users must also be logged out of the system after a period of no activity to minimize the possibility of an attacker using their system to extract information from the organization.
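As an added example of the kind of home-grown review script the text refers to (not code from the Critical Security Controls document), the following builds the account report of CSC 16-3, finds dormant accounts (CSC 16-7) and profiles login hours, session duration and hosts as in CSC 16-13; the 45-day dormancy threshold, account names, hosts and login events are assumptions.

```python
"""Account monitoring report: an added example, not code from the CSC document.

From a constructed account inventory it builds the CSC 16-3 report (locked-out,
disabled, expired and never-expiring passwords) plus dormant accounts
(CSC 16-7), and from constructed login events it profiles each user's normal
hours, session length and workstations to flag anomalous logins (CSC 16-13).
"""
from datetime import datetime, timedelta

MAX_PASSWORD_AGE = timedelta(days=90)  # CSC 16-8 value
DORMANT_AFTER = timedelta(days=45)     # assumed site policy


def account_report(accounts, now):
    """Group accounts into the categories the CSC 16-3 report should list."""
    report = {"locked_out": [], "disabled": [], "password_never_expires": [],
              "password_expired": [], "dormant": []}
    for a in accounts:
        if a["locked"]:
            report["locked_out"].append(a["name"])
        if a["disabled"]:
            report["disabled"].append(a["name"])
            continue  # already revoked; not a dormancy candidate
        if a["pw_never_expires"]:
            report["password_never_expires"].append(a["name"])
        elif now - a["pw_set"] > MAX_PASSWORD_AGE:
            report["password_expired"].append(a["name"])
        if a["last_login"] is None or now - a["last_login"] > DORMANT_AFTER:
            report["dormant"].append(a["name"])
    return report


def build_profiles(events):
    """Per user: login hours seen, hosts used and longest session in the baseline window."""
    profiles = {}
    for e in events:
        p = profiles.setdefault(e["user"], {"hours": set(), "hosts": set(),
                                            "max_duration": timedelta(0)})
        p["hours"].add(e["start"].hour)
        p["hosts"].add(e["host"])
        p["max_duration"] = max(p["max_duration"], e["duration"])
    return profiles


def flag_logins(profiles, events):
    """Flag logins at unusual hours, longer than normal, or from an unusual host."""
    flags = []
    for e in events:
        p = profiles.get(e["user"])
        if p is None:
            flags.append((e["user"], "no usage profile for this account"))
            continue
        if e["start"].hour not in p["hours"]:
            flags.append((e["user"], f"login at unusual hour {e['start'].hour:02d}:00"))
        if e["duration"] > p["max_duration"]:
            flags.append((e["user"], "session exceeds normal login duration"))
        if e["host"] not in p["hosts"]:
            flags.append((e["user"], f"credentials used from unusual host {e['host']}"))
    return flags


# Constructed data: the review runs as of NOW; ages are given in days.
NOW = datetime(2013, 3, 1, 12, 0)
DAY = timedelta(days=1)


def _acct(name, last_login_age, pw_age, never=False, locked=False, disabled=False):
    return {"name": name, "pw_set": NOW - pw_age * DAY, "pw_never_expires": never,
            "last_login": None if last_login_age is None else NOW - last_login_age * DAY,
            "locked": locked, "disabled": disabled}


ACCOUNTS = [
    _acct("alice", 1, 30),
    _acct("bob", 60, 100),                          # stale password, dormant
    _acct("svc-backup", 2, 400, never=True),        # service account, never expires
    _acct("redteam-test", None, 200, locked=True),  # never used, left behind after a test
    _acct("mallory-contractor", 5, 10, disabled=True),
]


def _ev(user, when, host, hours):
    return {"user": user, "start": datetime.fromisoformat(when), "host": host,
            "duration": timedelta(hours=hours)}


BASELINE_EVENTS = [_ev("alice", "2013-02-04T09:00", "ws-alice", 8),
                   _ev("alice", "2013-02-05T10:00", "ws-alice", 9),
                   _ev("alice", "2013-02-06T08:00", "ws-alice", 8),
                   _ev("bob", "2013-02-04T09:00", "ws-bob", 8)]
RECENT_EVENTS = [_ev("alice", "2013-02-28T03:00", "ws-alice", 2),
                 _ev("alice", "2013-02-27T09:00", "hr-db01", 8),
                 _ev("bob", "2013-02-27T09:00", "ws-bob", 12),
                 _ev("eve", "2013-02-27T09:00", "ws-eve", 1)]

if __name__ == "__main__":
    for category, names in account_report(ACCOUNTS, NOW).items():
        print(f"{category}: {', '.join(names) or '-'}")
    for user, reason in flag_logins(build_profiles(BASELINE_EVENTS), RECENT_EVENTS):
        print(f"FLAG {user}: {reason}")
```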
Control 16 Effectiveness Metrics
In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:
1. Does the system audit and report on valid and invalid log-ins to user accounts.
2. Does the system audit and report on valid and invalid log-ins to network and security device user accounts.
3. Does the system lock users out after five (5) invalid attempts.
4. Do user account passwords expire at least every 90 days.
5. Does the system report on dormant accounts that have not been used for a configurable period of time.
6. How long does it take to send an alert or e-mail to administrative personnel that the comparison report has been created (time in minutes).
Control 16 Automation Metrics
In order to automate the monitoring and control of user accounts, organizations should gather the following information with automated technical sensors:
1. How many invalid attempts to access user accounts have been detected within a period of time.
2. How many accounts have been locked out within a period of time.
3. How many attempts to gain access to password files in the system have been detected within a period of time.
4. Perform authorized password cracking against password files and identify the number of administrator account passwords that are cracked during the attempt. Remediate any compromised passwords immediately.
5. Is an automated list of user accounts on the system created daily and compared to a baseline (yes or no).
6. How long does it take to send an alert or e-mail to administrative personnel that the comparison report has been created (time in minutes).
CSC 16 Effectiveness Test
To evaluate the implementation of Control 16 on a periodic basis, the evaluation team must attempt a variety of techniques to gain access to user accounts within the system. Each of the following tests must be performed at least three times:
1. Attempt to configure weak user account passwords that are non-compliant with established policy. Verify that the system does not allow weak passwords to be used.
2. Attempt to re-use a user account password that was previously used for the account. Verify that the system requires unique new passwords during each update.
3. Attempt to capture passwords by monitoring network traffic to server resources. Remediate any instances where passwords are transmitted in clear text.
4. Attempt to gain access to password files stored on the system. If successful, identify whether passwords are cryptographically secured.
Each of these tests must be performed from multiple, widely distributed systems on the organization's network in order to test the effectiveness of user account controls.
CSC 16 System Entity Relationship Diagram
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.

A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining user accounts and how they interact with the data systems and the log management systems. Another key component of these systems is the reports generated for management of user accounts.
The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. It also delineates each of the process steps in order to help identify potential failure points in the overall control.
Step 1: User accounts are properly managed on production systems
Step 2: User accounts are assigned proper permissions to production data sets
Step 3: User account access is logged to log management system
Step 4: Log management systems generate user account and access reports for management
Step 5: Account baseline information is sent to log management system
Step 6: Critical information is properly protected and encrypted for each user account.

CSC 17: Data Protection
The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.
Why Is This Control Critical?
Data resides in many places. Protection of that data is best achieved through the application of a combination of encryption, integrity protection and data loss prevention techniques. As organizations continue their move towards cloud computing and mobile access, it is important that proper care be taken to limit and report on data exfiltration while also mitigating the effects of data compromise.
The adoption of data encryption, both in transit and at rest, provides mitigation against data compromise. This is true if proper care has been taken in the processes and technologies associated with the encryption operations. An example of this is the management of cryptographic keys used by the various algorithms that protect data. The process for generation, use and destruction of keys should be based on proven processes as defined in standards such as NIST SP 800-57.
Care should also be taken to ensure that products used within an enterprise implement well known and vetted cryptographic algorithms, as identified by NIST. Re-evaluation of the algorithms and key sizes used within the enterprise on an annual basis is also recommended to ensure that organizations are not falling behind in the strength of protection applied to their data.
For organizations that are moving data to the cloud, it is important for organizations to understand the security controls applied to data in the cloud multi-tenant environment, and determine the best course of action for application of encryption controls and security of keys. When possible, keys should be stored within secure containers such as Hardware Security Modules (HSMs).
Encrypting data provides a level of assurance that even if data is compromised, it is impractical to access the plaintext without significant resources; however, controls should also be put in place to mitigate the threat of data exfiltration in the first place. Many attacks occurred across the network, while others involved physical theft of laptops and other equipment holding sensitive information. Yet, in most cases, the victims were not aware that the sensitive data were leaving their systems because they were not monitoring data outflows. The movement of data across network boundaries both electronically and physically must be carefully scrutinized to minimize its exposure to attackers.
The loss of control over protected or sensitive data by organizations is a serious threat to business operations and a potential threat to national security. While some data are leaked or lost as a result of theft or espionage, the vast majority of these problems result from poorly understood data practices, a lack of effective policy architectures, and user error. Data loss can even occur as a result of legitimate activities such as e-Discovery during litigation, particularly when records retention practices are ineffective or nonexistent.
Data loss prevention (DLP) refers to a comprehensive approach covering people, processes, and systems that identify, monitor, and protect data in use (e.g., endpoint actions), data in motion (e.g., network actions), and data at rest (e.g., data storage) through deep content inspection and with a centralized management framework. Over the last several years, there has been a noticeable shift in attention and investment from securing the network to securing systems within the network, and to securing the data itself. DLP controls are based on policy, and include classifying sensitive data, discovering that data across an enterprise, enforcing controls, and reporting and auditing to ensure policy compliance.
How to Implement This Control
ID # [Category]  Description
CSC 17-1 [Quick Win]  Deploy approved hard drive encryption software to mobile devices and systems that hold sensitive data.
CSC 17-2 (NEW) [Quick Win]  Verify that cryptographic devices and software are configured to use publicly-vetted algorithms.
CSC 17-3 (NEW) [Quick Win]  Perform an assessment of data to identify sensitive information that requires the application of encryption and integrity controls.
CSC 17-4 (NEW) [Quick Win]  Review cloud provider security practices for data protection.
CSC 17-5 [Visibility/Attribution]  Deploy an automated tool on network perimeters that monitors for certain sensitive information (i.e., personally identifiable information), keywords, and other document characteristics to discover unauthorized attempts to exfiltrate data across network boundaries and block such transfers while alerting information security personnel.
CSC 17-6 [Visibility/Attribution]  Conduct periodic scans of server machines using automated tools to determine whether sensitive data (i.e., personally identifiable information, health, credit card, and classified information) is present on the system in clear text. These tools, which search for patterns that indicate the presence of sensitive information, can help identify if a business or technical process is leaving behind or otherwise leaking sensitive information.
CSC 17-7 [Configuration/Hygiene]  Move data between networks using secure, authenticated, and encrypted mechanisms.
CSC 17-8 [Configuration/Hygiene]  If there is no business need for supporting such devices, configure systems so that they will not write data to USB tokens or USB hard drives. If such devices are required, enterprise software should be used that can configure systems to allow only specific USB devices (based on serial number or other unique property) to be accessed, and that can automatically encrypt all data placed on such devices. An inventory of all authorized devices must be maintained.
CSC 17-9 [Configuration/Hygiene]  Use network-based DLP solutions to monitor and control the flow of data within the network. Any anomalies that exceed the normal traffic patterns should be noted and appropriate action taken to address them.
CSC 17-10 (NEW) [Configuration/Hygiene]  Only allow approved Certificate Authorities (CAs) to issue certificates within the enterprise; review and verify each CA's Certificate Practices Statement (CPS) and Certificate Policy (CP).
CSC 17-11 (NEW) [Configuration/Hygiene]  Perform an annual review of algorithms and key lengths in use for protection of sensitive data.
CSC 17-12 [Advanced]  Monitor all traffic leaving the organization and detect any unauthorized use of encryption. Attackers often use an encrypted channel to bypass network security devices. Therefore it is essential that organizations be able to detect rogue connections, terminate the connection, and remediate the infected system.
CSC 17-13 [Advanced]  Block access to known file transfer and e-mail exfiltration websites.
CSC 17-14 (NEW) [Advanced]  Define roles and responsibilities related to management of encryption keys within the enterprise; define processes for the key lifecycle.
CSC 17-15 (NEW) [Advanced]  Where applicable, implement Hardware Security Modules (HSMs) for protection of private keys (e.g., for sub CAs) or Key Encryption Keys.

CSC 17 Procedures and Tools
Commercial tools are available to support enterprise management of encryption and key management within an enterprise and include the ability to support implementation of encryption controls within cloud and mobile environments. Definition of lifecycle processes and roles and responsibilities associated with key management should be undertaken by each organization.
Commercial DLP solutions are available to look for exfiltration attempts and detect other suspicious activities associated with a protected network holding sensitive information. Organizations deploying such tools should carefully inspect their logs and follow up on any discovered attempts, even those that are successfully blocked, to transmit sensitive information out of the organization without authorization.
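As an added example (not code from the Critical Security Controls document or from any commercial product) of the pattern-based clear-text scan in CSC 17-6, the following searches constructed file contents for Luhn-valid card numbers, US Social Security Number formats and business keywords and reports hits per file so a leaking process can be traced; the keywords, file paths and contents are assumptions.

```python
"""Clear-text sensitive data scanner: an added example, not code from the CSC document.

File contents are searched for card numbers (validated with the Luhn check so
random digit runs such as timestamps are not reported), US Social Security
Number formats and business-specific keywords, and each hit is reported per file
and pattern.  File paths, keywords and contents are constructed test data; the
card numbers are standard test numbers, not real accounts.
"""
import re

# 14 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")
# AAA-GG-SSSS with the never-issued area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
KEYWORDS = ("PROJECT FALCON", "PATIENT ID")  # assumed business keywords


def luhn_ok(number):
    """Luhn checksum over the digits of number; True for a syntactically valid card number."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text):
    """Return {pattern: count} for the sensitive patterns found in text."""
    hits = {}
    cards = [m.group(0) for m in CARD_RE.finditer(text) if luhn_ok(m.group(0))]
    if cards:
        hits["credit_card"] = len(cards)
    ssns = SSN_RE.findall(text)
    if ssns:
        hits["ssn"] = len(ssns)
    keyword_hits = sum(text.upper().count(k) for k in KEYWORDS)
    if keyword_hits:
        hits["keyword"] = keyword_hits
    return hits


def scan_files(files):
    """files maps path -> content; returns sorted (path, pattern, count) findings, clean files omitted."""
    findings = []
    for path, content in sorted(files.items()):
        for pattern, count in sorted(scan_text(content).items()):
            findings.append((path, pattern, count))
    return findings


# Constructed files: an export left behind by a web process, a note, and a clean log.
SAMPLE_FILES = {
    "/var/www/html/exports/customers.csv":
        "name,card\nJane Doe,4111 1111 1111 1111\nJohn Roe,5555 5555 5555 4444\n"
        "Test,1234 5678 9012 3456\n",  # fails Luhn: not reported
    "/home/app/notes.txt":
        "Meeting re Project Falcon; patient id 12345; contact 123-45-6789\n",
    "/var/log/app.log":
        "2013-03-01 request id 20130301120000 ok\n",  # 14 digits, fails Luhn
}

if __name__ == "__main__":
    for path, pattern, count in scan_files(SAMPLE_FILES):
        print(f"{path}: {count} x {pattern}")
```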
CSC 17 Effectiveness Metrics
In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:
1. Does the system identify and report on unauthorized data being exfiltrated, whether via network file transfers or removable media.
2. Does the system identify the attachment of unencrypted USB tokens and require encryption of tokens.
3. Does the system store cryptographic key material securely.
4. Does the system use only NIST approved encryption algorithms.
5. Within one hour of a data exfiltration event or attempt, enterprise administrative personnel must be alerted by the appropriate monitoring system.
6. Do alerts notifying of data exfiltration also note the system and location where the event or attempt occurred.
7. Are the systems able to identify the location, department, and other critical details about where the sensitive data originated from (yes or no).
8. How long does it take before a data leakage risk has been remediated from the time it was detected (time in minutes).
CSC 17 Automation Metrics
In order to automate the protection of data using cryptography and DLP functions, organizations should gather the following information with automated technical sensors:
1. How many unauthorized data exfiltration attempts have been detected within a period of time by DLP software.
2. How many plaintext instances of sensitive data have been detected within a period by automated scanning software.
3. How many attempts to access known file transfer and e-mail exfiltration websites have been detected within a period of time.
CSC 17 Effectiveness Test
To evaluate the implementation of Control 17 on a periodic basis, the evaluation team must attempt to move test data sets that trigger DLP systems but do not contain sensitive data outside of the trusted computing environment via both network file transfers and removable media. Each of the following tests must be performed at least three times:
1. Attempt to transfer large data sets across network boundaries from an internal system.
2. Attempt to transfer plaintext test data sets of personally identifiable information (that trigger DLP systems but do not contain sensitive data) across network boundaries from an internal system (using multiple keywords specific to the business).
3. Attempt to transfer encrypted test data sets across network boundaries from an internal system to identify if the exfiltration is reported.
4. Attempt to maintain a persistent network connection for at least 10 hours across network boundaries between an internal and external system, even though little data may be exchanged.
5. Attempt to maintain a network connection across network boundaries using an anomalous service port number between an internal and external system.
6. Insert a USB token into an organization system and attempt to transfer example test data to the USB device.

Each of these tests must be performed from multiple, widely distributed systems on the organization's network in order to test the effectiveness of the monitoring systems. Once each of these events has occurred, the time it takes for enterprise staff to respond to the event must be recorded.

CSC 17 Entity Relationship Diagram
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.

A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining the flow of information in and out of the organization in an attempt to limit potential data loss via network or removable media sources. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. It also delineates each of the process steps in order to help identify potential failure points in the overall control.
Step 1: Data encryption system ensures that appropriate hard disks are encrypted
Step 2: Sensitive network traffic encrypted
Step 3: Data connections monitored at the network's perimeter by monitoring systems
Step 4: Stored data scanned to identify where sensitive information is stored
Step 5: Offline media encrypted.

CSC 18: Incident Response and Management
Protect the organization's information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker's presence, and restoring the integrity of the network and systems.
Why Is This Control Critical?
Cyber incidents are now just part of our way of life. Even large, well-funded, and technically sophisticated enterprises struggle to keep up with the frequency and complexity of attacks. The question of a successful cyber-attack against an enterprise is not "if" but "when".
When an incident occurs, it is too late to develop the right procedures, reporting, data collection, management responsibility, legal protocols, and communications strategy that will allow the enterprise to successfully understand, manage, and recover. Without an incident response plan, an organization may not discover an attack in the first place, or, if the attack is detected, the organization may not follow good procedures to contain damage, eradicate the attacker's presence, and recover in a secure fashion. Thus, the attacker may have a far greater impact, causing more damage, infecting more systems, and possibly exfiltrating more sensitive data than would otherwise be possible were an effective incident response plan in place.
How to Implement This Control
ID # [Category]  Description
CSC 18-1 [Quick Win]  Ensure that there are written incident response procedures that include a definition of personnel roles for handling incidents. The procedures should define the phases of incident handling.
CSC 18-2 [Quick Win]  Assign job titles and duties for handling computer and network incidents to specific individuals.
CSC 18-3 [Quick Win]  Define management personnel who will support the incident handling process by acting in key decision-making roles.
CSC 18-4 [Quick Win]  Devise organization-wide standards for the time required for system administrators and other personnel to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification. This reporting should also include notifying the appropriate Community Emergency Response Team in accordance with all legal or regulatory requirements for involving that organization in computer incidents.
CSC 18-5 [Quick Win]  Assemble and maintain information on third-party contact information to be used to report a security incident (i.e., maintain an e-mail address of security@organization.com or have a web page http://organization.com/security).
CSC 18-6 [Quick Win]  Publish information for all personnel, including employees and contractors, regarding reporting computer anomalies and incidents to the incident handling team. Such information should be included in routine employee awareness activities.
CSC 18-7 [Configuration/Hygiene]  Conduct periodic incident scenario sessions for personnel associated with the incident handling team to ensure that they understand current threats and risks, as well as their responsibilities in supporting the incident handling team.

CSC 18 Procedures and Tools
After defining detailed incident response procedures, the incident response team should engage in periodic scenario-based training, working through a series of attack scenarios fine-tuned to the threats and vulnerabilities the organization faces. These scenarios help ensure that team members understand their role on the incident response team and also help prepare them to handle incidents.
A full treatment of this topic is beyond the scope of the Critical Security Controls. However, the actions in CSC 18 provide specific, high-priority steps that can improve enterprise security, and should be a part of any comprehensive incident and response plan.
CSC 18 Effectiveness Metrics
None
CSC 18 Automation Metrics
None
CSC 18 Effectiveness Test
None

Control 18 System Entity Relationship Diagram
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.

A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining the incident handling process and how prepared organizations are in the event that an incident occurs. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.
Step 1: Incident handling policies and procedures educate workforce members as to their
responsibilities during an incident
Step 2: Some workforce members designated as incident handlers
Step 3: Incident handling policies and procedures educate management as to their
responsibilities during an incident
Step 4: Incident handlers participate in incident handling scenario tests
Step 5: Incident handlers report incidents to management
Step 6: The organizations management reports incidents to outside law enforcement and the
appropriate computer emergency response team, if necessary.


CSC 19: Secure Network Engineering
Make security an inherent attribute of the enterprise by specifying, designing, and building-in features that allow high confidence systems operations while denying or minimizing opportunities for attackers.
Why Is This Control Critical?
System or security designers rarely get to start from scratch and build in all of the security features they might want. And even if they did, systems constantly evolve, new business imperatives appear, attackers develop new techniques, and new technologies emerge to complicate the security problem. In such an environment, attackers take advantage of missing security features, time gaps in deploying new defenses or moving information, and the "seams" between defensive controls. Defenders are quickly overwhelmed with new operational requirements, managing tools and changes, new information, and "fire-fighting".
How to Implement This Control
ID # | Description | Category
CSC 19-1 | Design the network using a minimum of a three-tier architecture (DMZ, middleware, and private network). Any system accessible from the Internet should be on the DMZ, but DMZ systems should never contain sensitive data. Any system with sensitive data should reside on the private network and never be directly accessible from the Internet. DMZ systems should communicate with private network systems through an application proxy residing on the middleware tier. | Quick Win
CSC 19-2 | To support rapid response and shunning of detected attacks, engineer the network architecture and its corresponding systems for rapid deployment of new access control lists, rules, signatures, blocks, blackholes, and other defensive measures. | Configuration/Hygiene
CSC 19-3 | Deploy domain name systems (DNS) in a hierarchical, structured fashion, with all internal network client machines configured to send requests to intranet DNS servers, not to DNS servers located on the Internet. These internal DNS servers should be configured to forward requests they cannot resolve to DNS servers located on a protected DMZ. These DMZ servers, in turn, should be the only DNS servers allowed to send requests to the Internet. | Visibility/Attribution
CSC 19-4 | Segment the enterprise network into multiple, separate trust zones to provide more granular control of system access and additional intranet boundary defenses. | Configuration/Hygiene
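The tiering rule in CSC 19-1, the resolver hierarchy in CSC 19-3 and the trust-zone separation in CSC 19-4 can be checked mechanically against the traffic a network actually carries. The Python script below is an added example, not part of the Critical Security Controls document: it encodes the design as an allow-list and reports every flow the design does not permit. The zone prefixes, the addresses of the internal resolver, the DMZ forwarder and the application proxy, and the flow records it evaluates are all constructed assumptions.

```python
"""Check observed network flows against the CSC 19 architecture.

Added example (not from the CIS document). CSC 19-1 (three tiers, private
tier reachable only through an application proxy on the middleware tier),
CSC 19-3 (clients -> internal resolvers -> DMZ forwarders -> Internet) and
CSC 19-4 (separate trust zones) are encoded as an allow-list; every flow
the design does not permit is reported. All addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Assumed trust zones, one prefix each; anything unmatched is "internet".
ZONES = [
    ("dmz", ipaddress.ip_network("203.0.113.0/24")),
    ("middleware", ipaddress.ip_network("10.1.0.0/24")),
    ("private", ipaddress.ip_network("10.2.0.0/16")),
]

# Assumed role holders inside those zones.
INTERNAL_DNS = {"10.2.0.53"}   # intranet resolvers (CSC 19-3)
DMZ_DNS = {"203.0.113.53"}     # the only hosts allowed to query Internet DNS
APP_PROXY = {"10.1.0.10"}      # middleware application proxy (CSC 19-1)

SERVICES = {53: "dns", 80: "http", 443: "https", 5432: "postgres"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES:
        if addr in net:
            return name
    return "internet"


def evaluate(flow: Flow) -> tuple:
    """Return (permitted, reason) for one flow under the CSC 19 design."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    svc = SERVICES.get(flow.dport, f"tcp/{flow.dport}")

    if svc == "dns":
        # CSC 19-3: strictly hierarchical resolution, no direct Internet DNS.
        if src_zone in ("private", "middleware") and flow.dst in INTERNAL_DNS:
            return True, "client -> internal resolver"
        if src_zone == "dmz" and flow.dst in DMZ_DNS:
            return True, "DMZ host -> DMZ resolver"
        if flow.src in INTERNAL_DNS and flow.dst in DMZ_DNS:
            return True, "internal resolver -> DMZ forwarder"
        if flow.src in DMZ_DNS and dst_zone == "internet":
            return True, "DMZ forwarder -> Internet"
        return False, "DNS outside the resolver hierarchy"

    # CSC 19-1: the Internet reaches only the DMZ; the DMZ reaches the
    # private tier only through the middleware proxy.
    if src_zone == "internet" and dst_zone == "dmz" and svc in ("http", "https"):
        return True, "Internet -> DMZ web service"
    if src_zone == "dmz" and flow.dst in APP_PROXY and svc == "https":
        return True, "DMZ -> application proxy"
    if src_zone == "middleware" and dst_zone == "private":
        return True, "middleware -> private tier"
    if src_zone == dst_zone and src_zone != "internet":
        return True, "intra-zone"
    if src_zone == "internet" and dst_zone == "private":
        return False, "Internet reaching the private tier directly"
    if src_zone == "dmz" and dst_zone == "private":
        return False, "DMZ bypassing the middleware proxy"
    return False, f"no rule permits {src_zone} -> {dst_zone} {svc}"


def audit(flows) -> list:
    """Return [(flow, reason)] for every flow the architecture forbids."""
    violations = []
    for f in flows:
        ok, why = evaluate(f)
        if not ok:
            violations.append((f, why))
    return violations


# Constructed flow records (not real traffic).
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "203.0.113.10", 443),   # Internet user -> DMZ web server
    Flow("203.0.113.10", "10.1.0.10", 443),      # DMZ web server -> app proxy
    Flow("10.1.0.10", "10.2.5.20", 5432),        # app proxy -> private database
    Flow("203.0.113.10", "10.2.5.20", 5432),     # DMZ straight to the database
    Flow("198.51.100.7", "10.2.5.20", 443),      # Internet straight to private tier
    Flow("10.2.7.31", "10.2.0.53", 53),          # client -> internal resolver
    Flow("10.2.0.53", "203.0.113.53", 53),       # internal resolver -> DMZ forwarder
    Flow("203.0.113.53", "198.51.100.53", 53),   # DMZ forwarder -> Internet
    Flow("10.2.7.31", "198.51.100.53", 53),      # client resolving on the Internet
]

if __name__ == "__main__":
    for flow, why in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {flow.src} -> {flow.dst}:{flow.dport}  {why}")
```

Run against exported flow or firewall logs instead of the constructed list, the same evaluate() function surfaces the two failure modes the control is meant to prevent: DMZ or Internet hosts reaching the private tier without passing the middleware proxy, and clients or servers resolving names against Internet DNS servers outside the resolver hierarchy.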

CSC 19 Procedures and Tools
To help ensure a consistent, defensible network, the architecture of each network should be based on a template that describes the network's overall layout and the services it provides. Organizations should prepare diagrams for each of their networks that show network components such as routers, firewalls, and switches, along with significant servers and groups of client machines.
Although the Critical Security Controls overall provide many specific, high-priority steps that will improve enterprise security, a comprehensive treatment of Secure Network Engineering is beyond the scope of this document. In CSC 19, we describe capabilities that should be built into any security architecture.
CSC 19 Effectiveness Metrics
None
CSC 19 Automation Metrics
None
CSC 19 Effectiveness Test
None
CSC 19 Entity Relationship Diagram
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.


A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining the network engineering process and evaluating the controls that work together in order to create a secure and robust network architecture. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.
Step 1: Network engineering policies and procedures dictate how network systems function to
include dynamic host configuration protocol (DHCP) servers
Step 2: DHCP servers provide IP addresses to systems on the network
Step 3: Network devices perform DNS lookups to internal DNS servers
Step 4: Internal DNS servers perform DNS lookups to external DNS servers
Step 5: Network engineering policies and procedures dictate how a central network management
system functions
Step 6: Central network management systems configure network devices.

CSC 20: Penetration Tests and Red Team Exercises
Test the overall strength of an organization's defenses (the technology, the processes, and the people) by simulating the objectives and actions of an attacker.
Why Is This Control Critical?
Attackers often exploit the gap between good defensive designs and intentions and implementation or maintenance. Examples include: the time window between announcement of a vulnerability, the availability of a vendor patch, and actual installation on every machine; well-intentioned policies which have no enforcement mechanism (especially those intended to restrict risky human actions); failure to apply good configurations and other practices to the entire enterprise, or to machines that come in and out of the network; and failure to understand the interaction among multiple defensive tools, or with normal system operations that have security implications.
In addition, successful defense requires a comprehensive program of technical defenses, good policy and governance, and appropriate action by people. In a complex environment where technology is constantly evolving, and new attacker tradecraft appears regularly, organizations should periodically test their defenses to identify gaps and to assess their readiness.
Penetration testing starts from the identification and assessment of vulnerabilities that can be identified in the enterprise. It complements this by designing and executing tests that demonstrate specifically how an adversary can either subvert the organization's security goals (e.g., the protection of specific Intellectual Property) or achieve specific adversarial objectives (e.g., establishment of a covert Command and Control infrastructure). The result provides deeper insight, through demonstration, into the business risks of various vulnerabilities.
Red Team exercises take a comprehensive approach to the full spectrum of organization policies, processes, and defenses in order to improve organizational readiness, improve training for defensive practitioners, and inspect current performance levels. Independent Red Teams can provide valuable and objective insights about the existence of vulnerabilities and the efficacy of defenses and mitigating controls already in place and even of those planned for future implementation.
How to Implement This Control
ID # | Description | Category
CSC 20-1 | Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully. Penetration testing should occur from outside the network perimeter (i.e., the Internet or wireless frequencies around an organization) as well as from within its boundaries (i.e., on the internal network) to simulate both outsider and insider attacks. | Quick Win
CSC 20-2 | Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over. | Quick Win
CSC 20-3 | Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively. | Visibility/Attribution
CSC 20-4 | Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, e-mails or documents containing passwords or other information critical to system operation. | Visibility/Attribution
CSC 20-5 | Plan clear goals of the penetration test itself with blended attacks in mind, identifying the goal machine or target asset. Many APT-style attacks deploy multiple vectors, often social engineering combined with web or network exploitation. Red Team manual or automated testing that captures pivoted and multi-vector attacks offers a more realistic assessment of security posture and risk to critical assets. | Visibility/Attribution
CSC 20-6 | Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts. | Configuration/Hygiene
CSC 20-7 | Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time. | Advanced
CSC 20-8 | Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems. | Advanced
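CSC 20-4 asks the test team to look for artifacts such as configuration files, notes and e-mails that carry passwords or other operationally critical information. The Python sweep below is an added example, not part of the Critical Security Controls document: it runs a few credential patterns over a constructed in-memory set of files (all paths, contents and patterns are assumptions), redacts the matched secret in the report, and skips values that only reference a vault or environment variable so that templated configurations are not reported as exposures.

```python
"""Sweep for unprotected artifacts that would help an attacker (CSC 20-4).

Added example, not part of the CIS document. A small set of patterns
covers three artifact classes the control names: documents or scripts
carrying passwords, configuration files with embedded credentials, and
private key material. Files, contents and patterns are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    excerpt: str   # matched text with the secret value redacted


# Each pattern's single capture group (if any) is the secret to redact.
PATTERNS = {
    "embedded-password": re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*(\S+)"),
    "connection-string": re.compile(r"(?i)[a-z]+://[^\s:/@]+:([^\s@]+)@"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Values that only reference a vault or environment variable are not exposures.
PLACEHOLDER = re.compile(r"^(?:\$\{[^}]*\}|%[^%]*%|<[^>]*>)$")


def scan_text(path: str, text: str) -> list:
    """Return a Finding for every credential-like hit in one file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                secret = m.group(1) if m.groups() else None
                if secret is not None and PLACEHOLDER.match(secret):
                    continue   # templated config; the secret lives elsewhere
                excerpt = m.group(0).replace(secret, "***", 1) if secret else m.group(0)
                findings.append(Finding(path, lineno, kind, excerpt))
    return findings


def sweep(files: dict) -> list:
    """files maps a path to its text; returns every Finding across them."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample share contents (not real data).
SAMPLE_FILES = {
    "shares/it/backup.sh": "#!/bin/sh\nexport DB_PASSWORD=S3cr3t!2014\npg_dump prod > /mnt/bk/prod.sql\n",
    "shares/it/app.properties": "db.url=jdbc:postgresql://db01/prod\ndb.password=${DB_PASSWORD}\n",
    "shares/dev/deploy_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...constructed...\n-----END RSA PRIVATE KEY-----\n",
    "shares/ops/notes.txt": "Reset the firewall admin pwd: Winter2013 and rotate quarterly.\n",
    "shares/ops/deploy.env": "QUEUE_URL=amqp://svc_deploy:Qu3ue-Pass@mq01.internal/\n",
}

if __name__ == "__main__":
    for f in sweep(SAMPLE_FILES):
        print(f"{f.path}:{f.line}  {f.kind}  {f.excerpt}")
```

Pointed at real file shares, mailbox exports or document repositories, the report gives the test team the location and class of each exposure without copying the secret itself into yet another document, and the placeholder rule keeps vault-backed configurations out of the findings.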

CSC 20 Procedures and Tools
Penetration testing and Red Teaming only provide significant value when basic defensive measures have already been put into place, and when they are performed as part of a comprehensive, ongoing program of security management and improvement. These are often specified and required by formal Risk Management Frameworks and processes.
Each organization should define a clear scope and rules of engagement for penetration testing and Red Team analyses. The scope of such projects should include, at a minimum, systems with the organization's highest value information and production processing functionality. Other lower-value systems may also be tested to see if they can be used as pivot points to compromise higher-value targets. The rules of engagement for penetration tests and Red Team analyses should describe, at a minimum, times of day for testing, duration of tests, and the overall test approach.
A full treatment of this topic is beyond the scope of the Critical Security Controls. However, the actions in CSC 20 provide specific, high-priority steps that can improve enterprise security, and should be a part of any comprehensive penetration testing and Red Team program.
CSC 20 Effectiveness Metrics
None
CSC 20 Automation Metrics
None
CSC 20 Effectiveness Test
None
CSC 20 Entity Relationship Diagram
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.


A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining red team and penetration exercises and how those efforts can be valuable to enterprise personnel when identifying which vulnerabilities are present in the organization. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.
Step 1: Penetration testers perform penetration tests of production systems
Step 2: Automated pen-testing tools perform penetration tests of production systems
Step 3: Automated pen-testing tools inform penetration tester of vulnerabilities discovered
Step 4: Penetration testers perform more extensive penetration tests of test lab systems
Step 5: Auditors evaluate and inspect the work performed by automated pen-testing tools
Step 6: Auditors evaluate and inspect the work performed by penetration testers
Step 7: Penetration testers generate reports and statistics about the vulnerabilities that have
been discovered.


Appendix A: Attack Types
The following Attack Types were the primary ones considered when developing the Critical Security Controls. Each is listed with the most relevant and direct Critical Security Controls (by number) to help block, detect, or manage this problem.
Attack Summary | Critical Security Control
Attackers continually scan for new, unprotected systems, including test or experimental systems, and exploit such systems to gain control of them. | 1
Attackers distribute hostile content on Internet-accessible (and sometimes internal) websites that exploit unpatched and improperly secured client software running on victim machines. | 2, 3
Attackers continually scan for vulnerable software and exploit it to gain control of target machines. | 2, 4
Attackers use currently infected or compromised machines to identify and exploit other vulnerable machines across an internal network. | 2, 10
Attackers exploit weak default configurations of systems that are more geared to ease of use than security. | 3, 10
Attackers exploit new vulnerabilities on systems that lack critical patches in organizations that do not know that they are vulnerable because they lack continuous vulnerability assessments and effective remediation. | 4, 5
Attackers compromise target organizations that do not exercise their defenses to determine and continually improve their effectiveness. | 4, 5, 11, 20
Attackers use malicious code to gain and maintain control of target machines, capture sensitive data, and then spread it to other systems, sometimes wielding code that disables or dodges signature-based anti-virus tools. | 5, 15, 17
Attackers scan for remotely accessible services on target systems that are often unneeded for business activities, but provide an avenue of attack and compromise of the organization. | 5, 10, 11
Attackers exploit weak application software, particularly web applications, through attack vectors such as SQL injection, cross-site scripting, and similar tools. | 6, 20
Attackers exploit wireless access points to gain entry into a target organization's internal network, and exploit wireless client systems to steal sensitive information. | 7
Attackers exploit users and system administrators via social engineering scams that work because of a lack of security skills and awareness. | 9, 12, 16
Attackers exploit and infiltrate through network devices whose security configuration has been weakened over time by granting, for specific short-term business needs, supposedly temporary exceptions that are never removed. | 10, 13
Attackers trick a user with an administrator-level account into opening a phishing-style e-mail with an attachment or surfing to the attacker's content on an Internet website, allowing the attacker's malicious code or exploit to run on the victim machine with full administrator privileges. | 9, 12
Attackers exploit boundary systems on Internet-accessible DMZ networks, and then pivot to gain deeper access on internal networks. | 13, 19
Attackers exploit poorly designed network architectures by locating unneeded or unprotected connections, weak filtering, or a lack of separation of important systems or business functions. | 13, 19
Attackers operate undetected for extended periods of time on compromised systems because of a lack of logging and log review. | 14
Attackers gain access to sensitive documents in an organization that does not properly identify and protect sensitive information or separate it from non-sensitive information. | 15, 17
Attackers compromise inactive user accounts left behind by temporary workers, contractors, and former employees, including accounts left behind by the attackers themselves who are former employees. | 16
Attackers escalate their privileges on victim machines by launching password guessing, password cracking, or privilege escalation exploits to gain administrator control of systems, which is then used to propagate to other victim machines across an enterprise. | 12, 16
Attackers gain access to internal enterprise systems and gather and exfiltrate sensitive information without detection by the victim organization. | 17
Attackers compromise systems and alter important data, potentially jeopardizing organizational effectiveness via polluted information. | 15, 17
Attackers operate undiscovered in organizations without effective incident-response capabilities, and when the attackers are discovered, the organizations often cannot properly contain the attack, eradicate the attacker's presence, or recover to a secure production state. | 18
