Introduction

We are at a fascinating point in the evolution of what we now call cyber defense. Massive data losses, theft of intellectual property, credit card breaches, identity theft, threats to our privacy, denial of service - these have become a way of life for all of us in cyberspace. Ironically, as defenders we have access to an extraordinary array of security tools and technology, security standards, training and classes, certifications, vulnerability databases, guidance, best practices, catalogs of security controls, and countless security checklists, benchmarks, and recommendations. To help us understand the threat, we've seen the emergence of threat information feeds, reports, tools, alert services, standards, and threat sharing schemes. And to tie it all together, we are surrounded by security requirements, risk management frameworks, compliance regimes, regulatory mandates, and so forth. There is no shortage of information available to security practitioners on how they should secure their infrastructure. But all of this technology, information, and oversight has become a veritable "Fog of More": competing options, priorities, opinions, and claims that can paralyze or distract an enterprise from vital action. The threats have evolved, the actors have become smarter, and our users have become more mobile. Our data is now distributed across multiple locations, many of which are not within our organization's infrastructure anymore. With more reliance on clouds, our data and even our applications are becoming more distributed. The organizational network is now just one of the locations from which users access applications and data. And since in our complex, interconnected world no enterprise can think of its security as a standalone problem, this situation makes collective action nearly impossible.

So how can we as a community - the community at large, as well as within industries, sectors, partnerships, and coalitions - band together to establish priority of action, support each other, and keep our knowledge and technology current in the face of a rapidly evolving problem and an apparently infinite number of possible solutions? What are the most critical areas we need to address, and how should an enterprise take the first step toward maturing its risk management program? Rather than chase every new exceptional threat and neglect the fundamentals, how can we get on track with a roadmap of fundamentals, and guidance to measure and improve? Which defensive steps have the greatest value? These are the kinds of issues that led to and now drive the Critical Security Controls. They started as a grass-roots activity to cut through the "Fog of More" and focus on the most fundamental and valuable actions that every enterprise should take. And value here is determined by knowledge and data - the ability to prevent, alert, and respond to the attacks that are plaguing enterprises today.
The Critical Security Controls have matured into an international community activity to create, adopt, and support the Controls. As a community, these individuals and institutions: share insight into attacks and attackers, identify root causes, and translate that into classes of defensive action; document stories of adoption and the use of tools to solve problems; track the evolution of threats, the capabilities of adversaries, and current vectors of intrusions; map the Controls to regulatory and compliance frameworks and bring collective priority and focus to them; share tools, working aids, and translations; and identify common problems (like initial assessment, building implementation roadmaps) and solve them as a community instead of alone. These activities ensure that the Critical Security Controls are not just another list of good things to do, but a prioritized, highly focused set of actions that have a community-wide support network to make them implementable, usable, scalable, and compliant with all industry or government security requirements.

Why the Critical Security Controls Work: Methodology and Contributors

The Critical Security Controls reflect the combined knowledge of actual attacks and effective defenses of experts that include: every part of the ecosystem (companies, governments, individuals); with every role (threat responders and analysts, technologists, vulnerability-finders, tool makers, solution providers, defenders, users, policy-makers, auditors, etc.); and within many sectors (government, power, defense, finance, transportation, academia, consulting, security, IT) who have banded together to create, adopt, and support the Controls. Top experts from all these organizations pool their extensive first-hand knowledge from defending against actual cyber-attacks and develop a consensus list of the best defensive techniques to prevent or track them.

This ensures that the Critical Security Controls are the most effective and specific set of technical measures available to detect, prevent, respond to, and mitigate damage from the most common to the most advanced of those attacks. The Controls are not limited to blocking the initial compromise of systems, but also address detecting already-compromised machines and preventing or disrupting attackers' follow-on actions. The defenses identified through these Controls deal with reducing the initial attack surface by hardening device configurations, identifying compromised machines to address long-term threats inside an organization's network, disrupting attackers' command-and-control of implanted malicious code, and establishing an adaptive, continuous defense and response capability that can be maintained and improved.

The Council on CyberSecurity was established in 2013 as an independent, expert, not-for-profit organization with a global scope committed to the security of an open Internet. The Council is committed to the ongoing development, support, and adoption of the Critical Controls; to elevating the competencies of the cybersecurity workforce; and to the development of policies that lead to measurable improvements in our ability to operate safely, securely and reliably in cyberspace. For additional information, go to www.counciloncybersecurity.org

The five critical tenets of an effective cyber defense system as reflected in the Critical Security Controls are:

1. Offense informs defense: Use knowledge of actual attacks that have compromised systems to provide the foundation to continually learn from these events to build effective, practical defenses. Include only those controls that can be shown to stop known real-world attacks.
2. Prioritization: Invest first in Controls that will provide the greatest risk reduction and protection against the most dangerous threat actors, and that can be feasibly implemented in your computing environment.
3. Metrics: Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quickly.
4. Continuous diagnostics and mitigation: Carry out continuous measurement to test and validate the effectiveness of current security measures, and to help drive the priority of next steps.
5. Automation: Automate defenses so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to the Controls and related metrics.

The Critical Security Controls and Other Risk Management Approaches

The Critical Security Controls allow you to use the power of an incredible community to prioritize and focus your resources on the most valuable defensive actions - but they are not a replacement for comprehensive mandatory compliance or regulatory schemes. The Critical Security Controls instead prioritize and focus on a smaller number of actionable controls with high payoff, aiming for a "must do first" philosophy.
In fact, the actions specified by the Critical Security Controls are demonstrably a subset of any of the comprehensive security catalogs or control lists. Although lacking the formality of traditional risk management frameworks, it seems reasonable to refer to the Critical Security Controls process as a "foundational risk assessment" - one that can be used by an individual enterprise as a starting point for immediate, high-value action, is demonstrably consistent with formal risk management frameworks, and provides a basis for common action across diverse communities (e.g., ones that might be subject to different regulatory or compliance requirements). The Critical Security Controls also proactively align with and leverage ongoing work in security standards and best practices. Examples include: the Security Content Automation Protocol (SCAP) and Special Publication 800-53 (Recommended Security Controls for Federal Information Systems and Organizations) sponsored by the National Institute of Standards and Technology (NIST); the Australian Signals Directorate's "Top 35 Strategies to Mitigate Targeted Cyber Intrusions"; and the International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) 27002:2013, Information technology - Security techniques - Code of practice for information security controls. References and mappings to these can be found at www.counciloncybersecurity.org

How to Get Started

The Critical Security Controls are a relatively small, prioritized, well-vetted, and supported set of security actions that organizations can take to assess and improve their current security state. They also change the discussion from "what should my enterprise do" to "what should we ALL be doing" to improve security across a broad scale. But they are not a one-size-fits-all solution, in either content or priority. You must still understand what is critical to your business, data, systems, networks, and infrastructures, and you must consider the adversary actions that could impact your ability to be successful in the business or operations. And even a relatively small number of Controls cannot be executed all at once, so you will need to develop a plan for assessment, implementation, and process management. Some of the Critical Security Controls, in particular CSC 1 through CSC 5, are foundational to success, and should be considered as the first things to be done. This is the approach taken by, for example, the DHS Continuous Diagnostics and Mitigation (CDM) Program, one of the partners in the Critical Security Controls. For those wanting a highly focused and direct starting point, we have emphasized the "First Five Quick Wins": sub-controls that have the most immediate impact on preventing attacks. These actions are specially noted in the Controls listings, and consist of:

1. application whitelisting (found in CSC 2);
2. use of standard, secure system configurations (found in CSC 3);
3. patch application software within 48 hours (found in CSC 4);
4. patch system software within 48 hours (found in CSC 4); and
5. reduced number of users with administrative privileges (found in CSC 3 and CSC 12).

A similar approach is recommended by our partners in the Australian Signals Directorate (ASD) with their "Top Four Strategies to Mitigate Targeted Intrusions" [1] - a well-regarded and demonstrably effective set of cyber-defense actions that map very closely onto the Critical Security Controls and the "First Five Quick Wins". Another approach is to learn from other enterprises that are part of the Critical Security Controls community. Use cases of adoption, samples of initial assessment methodologies, mappings to formal risk management frameworks, pointers to assessment tools, and many other working aids are available from the Council on CyberSecurity (www.counciloncybersecurity.com).

Structure of the Critical Security Controls Document

The presentation of each Critical Security Control in this document includes:

- A description of the importance of the Control in blocking or identifying the presence of attacks, and an explanation of how attackers actively exploit the absence of this control.
- A listing of the specific actions that organizations are taking to implement, automate, and measure the effectiveness of this control. The sub-controls are grouped into four categories:
  o Quick wins that provide significant risk reduction without major financial, procedural, architectural, or technical changes to an environment, or that provide such substantial and immediate risk reduction against very common attacks that most security-aware organizations prioritize these key controls.
  o Visibility and attribution measures to improve the process, architecture, and technical capabilities of organizations to monitor their networks and computer systems to detect attack attempts, locate points of entry, identify already-compromised machines, interrupt infiltrated attackers' activities, and gain information about the sources of an attack.
  o Improved information security configuration and hygiene to reduce the number and magnitude of security vulnerabilities and improve the operations of networked computer systems, with a focus on protecting against poor security practices by system administrators and end-users that could give an attacker an advantage.
  o Advanced sub-controls that use new technologies or procedures that provide maximum security but are harder to deploy, more expensive, or require more highly skilled staff than commoditized security solutions.
- Procedures and tools that enable implementation and automation.
- Metrics and tests to assess implementation status and effectiveness.
- Sample entity relationship diagrams that show components of implementation.
8 -.- /0 "#12#$&%3 &4 5($6&%*72' 8#' 9#8($6&%*72' :21*)2; Actlvely moooqe (loveototy, ttock, ooJ cottect) oll botJwote Jevlces oo tbe oetwotk so tbot ooly ootbotlzeJ Jevlces ote qlveo occess, ooJ ooootbotlzeJ ooJ oomoooqeJ Jevlces ote foooJ ooJ pteveoteJ ftom qololoq occess. !"# B1 8")1 '/0%(/, '()%)*+,C Attackeis, who can be locateu anywheie in the woilu, aie continuously scanning the auuiess space of taiget oiganizations, waiting foi new anu unpiotecteu systems to be attacheu to the netwoik. Attackeis also look foi uevices (especially laptops) which come anu go off of the enteipiise's netwoik, anu so get out of synch with patches oi secuiity upuates. Attacks can take auvantage of new haiuwaie that is installeu on the netwoik one evening but not configuieu anu patcheu with appiopiiate secuiity upuates until the following uay. Even uevices that aie not visible fiom the Inteinet can be useu by attackeis who have alieauy gaineu inteinal access anu aie hunting foi inteinal jump points oi victims. Auuitional systems that connect to the enteipiise's netwoik (e.g., uemonstiation systems, tempoiaiy test systems, guest netwoiks) shoulu also be manageu caiefully anuoi isolateu in oiuei to pievent auveisaiial access fiom affecting the secuiity of enteipiise opeiations. As new technology continues to come out, BY0B (biing youi own uevice) wheie employees biing peisonal uevices into woik anu connect them to the netwoik is becoming veiy common. These uevices coulu alieauy be compiomiseu anu be useu to infect inteinal iesouices. Nanageu contiol of all uevices also plays a ciitical iole in planning anu executing system backup anu iecoveiy. >/? %/ B;=,&;&0% 8")1 '/0%(/, ": \ :2;)%*G$*&# -8$2@&%3 CSC 1-1 Beploy an automateu asset inventoiy uiscoveiy tool anu use it to builu a pieliminaiy asset inventoiy of systems connecteu to an oiganization's public anu piivate netwoik(s). 
Both active tools that scan thiough netwoik auuiess ianges anu passive tools that iuentify hosts baseu on analyzing theii tiaffic shoulu be employeu. Quick win CSC 1-2 Beploy uynamic host configuiation piotocol (BBCP) seivei logging, anu utilize a system to impiove the asset inventoiy anu help uetect unknown systems thiough this BBCP infoimation. Quick win CSC 1-S Ensuie that all equipment acquisitions automatically upuate the inventoiy system as new, appioveu uevices aie connecteu Quick win
9 to the netwoik. CSC 1-4 Naintain an asset inventoiy of all systems connecteu to the netwoik anu the netwoik uevices themselves, iecoiuing at least the netwoik auuiesses, machine name(s), puipose of each system, an asset ownei iesponsible foi each uevice, anu the uepaitment associateu with each uevice. The inventoiy shoulu incluue eveiy system that has an Inteinet piotocol (IP) auuiess on the netwoik, incluuing but not limiteu to uesktops, laptops, seiveis, netwoik equipment (iouteis, switches, fiiewalls, etc.), piinteis, stoiage aiea netwoiks, voice 0vei-IP telephones, multi-homeu auuiesses, viitual auuiesses, etc. The asset inventoiy cieateu must also incluue uata on whethei the uevice is a poitable anuoi peisonal uevice. Bevices such as mobile phones, tablets, laptops, anu othei poitable electionic uevices that stoie oi piocess uata must be iuentifieu, iegaiuless of whethei they aie attacheu to the oiganization's netwoik. visibility Attiibution CSC 1-S Beploy netwoik level authentication via 8u2.1x to limit anu contiol which uevices can be connecteu to the netwoik. The 8u2.1x must be tieu into the inventoiy uata to ueteimine authoiizeu veisus unauthoiizeu systems. Configuiation Bygiene CSC 1-6 Beploy netwoik access contiol (NAC) to monitoi authoiizeu systems so if attacks occui, the impact can be iemeuiateu by moving the untiusteu system to a viitual local aiea netwoik that has minimal access. Configuiation Bygiene CSC 1-7 0tilize client ceitificates to valiuate anu authenticate systems piioi to connecting to the piivate netwoik. Auvanceu
CSC 1 Procedures and Tools

This Control requires both technical and procedural actions, united in a process that accounts for and manages the inventory of hardware and all associated information throughout its life-cycle. It links to the business by establishing information/asset owners who are responsible for each component of a business process that includes information, software, and hardware. Organizations can use large-scale, comprehensive enterprise products to maintain IT asset inventories. Others use more modest tools to gather the data by sweeping the network, and manage the results separately in a database. Maintaining a current and accurate view of IT assets is an ongoing and dynamic process. Organizations can actively scan on a regular basis, sending a variety of different packet types to identify devices connected to the network. Before such scanning can take place, organizations should verify that they have adequate bandwidth for such periodic scans by consulting load history and capacities for their networks. In conducting inventory scans, scanning tools could send traditional ping packets (ICMP Echo Request) looking for ping responses to identify a system at a given IP address. Because some systems block inbound ping packets, in addition to traditional pings, scanners can also identify devices on the network using transmission control protocol (TCP) synchronize (SYN) or acknowledge (ACK) packets. Once they have identified IP addresses of devices on the network, some scanners provide robust fingerprinting features to determine the operating system type of the discovered machine. In addition to active scanning tools that sweep the network, other asset identification tools passively listen on network interfaces looking for devices to announce their presence by sending traffic. Such passive tools can be connected to switch span ports at critical places in the network to view all data flowing through such switches, maximizing the chance of identifying systems communicating through those switches. Many organizations also pull information from network assets such as switches and routers regarding the machines connected to the network. Using securely authenticated and encrypted network management protocols, tools can retrieve MAC addresses and other information from network devices that can be reconciled with the organization's asset inventory of servers, workstations, laptops, and other devices. Once MAC addresses are confirmed, switches should implement 802.1X and NAC to only allow authorized systems that are properly configured to connect to the network. Note that a MAC address is trivially spoofable, so reconciling MACs against the inventory finds unmanaged devices but does not authenticate them; that is the role of 802.1X, and of client certificates in CSC 1-7. Wireless devices (and wired laptops) may periodically join a network and then disappear, making the inventory of currently available systems churn significantly. Likewise, virtual machines can be difficult to track in asset inventories when they are shut down or paused. Additionally, remote machines accessing the network using virtual private network (VPN) technology may appear on the network for a time, and then be disconnected from it. Whether physical or virtual, each machine using an IP address should be included in an organization's asset inventory.

CSC 1 Effectiveness Metrics

In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:

1. How long does it take to detect new devices added to the organization's network (time in minutes)?
2. How long does it take the scanners to alert the organization's administrators that an unauthorized device is on the network (time in minutes)?
3. How long does it take to isolate/remove unauthorized devices from the organization's network (time in minutes)?
4. Are the scanners able to identify the location, department, and other critical details about the unauthorized system that is detected (yes or no)?
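The reconciliation step the procedures above describe, as an added Python example (not code from the Critical Security Controls document or the Council on CyberSecurity): DHCP server log lines (CSC 1-2) and passive observations from a span port (CSC 1-1) are merged, MAC addresses are normalized, every device absent from the authorized inventory (CSC 1-4) is flagged, and the time since the device was first seen is reported in minutes, which is effectiveness metric 1. The DHCP log format, the inventory fields, the MAC addresses and the timestamps are all constructed for this example.

```python
"""Reconcile discovered hosts against an authorized hardware inventory (CSC 1).

Added example, not from the Council on CyberSecurity document. Merges two
evidence sources: DHCP server lease logs (CSC 1-2) and passive observations
(CSC 1-1), normalizes MAC addresses, flags devices missing from the
authorized inventory (CSC 1-4) and reports detection latency in minutes
(CSC 1 effectiveness metric 1). Log lines, MACs and names are constructed;
the ISC-dhcpd-style log format is an assumption.
"""
import re
from datetime import datetime

# Constructed authorized inventory keyed by MAC, with the CSC 1-4 fields.
AUTHORIZED = {
    "00:11:22:33:44:55": {"name": "ws-001", "owner": "j.doe", "dept": "finance"},
    "66:77:88:99:aa:bb": {"name": "srv-db-01", "owner": "dba-team", "dept": "it"},
}

# Constructed DHCP server log lines (format assumed for the example).
DHCP_LOG = """\
2024-03-01 09:00:12 dhcpd: DHCPACK on 10.0.1.20 to 00:11:22:33:44:55 (ws-001) via eth0
2024-03-01 09:03:40 dhcpd: DHCPACK on 10.0.1.77 to de:ad:be:ef:00:01 (android-9f2) via eth0
"""

# Constructed passive observations (timestamp, ip, mac) from a span port;
# note the vendor-style dashed MAC, which must be normalized before lookup.
ARP_SEEN = [
    ("2024-03-01 09:05:00", "10.0.1.77", "DE-AD-BE-EF-00-01"),
    ("2024-03-01 09:10:30", "10.0.2.5", "66:77:88:99:AA:BB"),
    ("2024-03-01 09:12:00", "10.0.2.9", "02:42:ac:11:00:02"),
]

DHCP_RE = re.compile(
    r"^(?P<ts>\S+ \S+) dhcpd: DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9a-fA-F:]{17})"
)


def norm_mac(mac: str) -> str:
    """Canonical lowercase colon form so 'DE-AD-BE-EF-00-01' == 'de:ad:be:ef:00:01'."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_dhcp(log: str):
    """Yield (timestamp, ip, mac) from DHCPACK lines; other lines are ignored."""
    for line in log.splitlines():
        m = DHCP_RE.match(line)
        if m:
            yield m["ts"], m["ip"], norm_mac(m["mac"])


def reconcile(observations, authorized, now: str):
    """Return one record per MAC: first sighting, status, owner data, latency."""
    first_seen = {}
    for ts, ip, mac in observations:
        mac = norm_mac(mac)
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if mac not in first_seen or t < first_seen[mac][0]:
            first_seen[mac] = (t, ip)
    now_t = datetime.strptime(now, "%Y-%m-%d %H:%M:%S")
    report = {}
    for mac, (t, ip) in first_seen.items():
        entry = authorized.get(mac)
        report[mac] = {
            "ip": ip,
            "first_seen": t.strftime("%Y-%m-%d %H:%M:%S"),
            "status": "authorized" if entry else "UNAUTHORIZED",
            "owner": entry["owner"] if entry else None,
            "dept": entry["dept"] if entry else None,
            # Minutes since first sighting: CSC 1 effectiveness metric 1.
            "detect_minutes": int((now_t - t).total_seconds() // 60),
        }
    return report


def unauthorized(report):
    """Sorted MACs that are on the wire but not in the inventory."""
    return sorted(mac for mac, r in report.items() if r["status"] == "UNAUTHORIZED")


if __name__ == "__main__":
    obs = list(parse_dhcp(DHCP_LOG)) + ARP_SEEN
    rep = reconcile(obs, AUTHORIZED, now="2024-03-01 09:15:00")
    for mac in unauthorized(rep):
        r = rep[mac]
        print(f"ALERT unauthorized device {mac} at {r['ip']} "
              f"first seen {r['first_seen']} ({r['detect_minutes']} min ago)")
```

The same device seen by DHCP and by the passive sensor collapses to one record keyed on its earliest sighting, so latency is measured from the first evidence rather than from whichever sensor reported last. Because a MAC address can be forged, this finds unmanaged devices; it does not prove a device is what it claims, which is what 802.1X with client certificates (CSC 1-5, CSC 1-7) provides.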
CSC 1 Automation Metrics

In order to automate the collection of relevant data from these systems, organizations should gather the following information with automated technical sensors:

1. How many unauthorized devices are presently on the organization's network (by business unit)?
2. How long, on average, does it take to remove unauthorized devices from the organization's network (by business unit)?
3. What is the percentage of systems on the organization's network that are not utilizing Network Access Control (NAC) to authenticate to the organization's network (by business unit)?
4. What is the percentage of systems on the organization's network that are not utilizing Network Access Control (NAC) with client certificates to authenticate to the organization's network (by business unit)?

CSC 1 Effectiveness Test

To evaluate the implementation of Control 1 on a periodic basis, the evaluation team will connect hardened test systems to at least 10 locations on the network, including a selection of subnets associated with demilitarized zones (DMZs), workstations, and servers. Two of the systems must be included in the asset inventory database, while the other systems are not. The evaluation team must then verify that the systems generate an alert or e-mail notice regarding the newly connected systems within 24 hours of the test machines being connected to the network. The evaluation team must verify that the system provides details of the location of all the test machines connected to the network. For those test machines included in the asset inventory, the team must also verify that the system provides information about the asset owner.

CSC 1 System Entity Relationship Diagram

Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.
[Figure: CSC 1 System Entity Relationship Diagram]
A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining hardware devices on the organization's network. These systems should be able to identify if new systems are introduced into the environment that have not been authorized by enterprise personnel. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.

Step 1: Active device scanner scans network systems
Step 2: Passive device scanner captures system information
Step 3: Active scanner reports to inventory database
Step 4: Passive scanner reports to inventory database
Step 5: Inventory database stored offline
Step 6: Inventory database initiates alert system
Step 7: Alert system notifies security defenders
Step 8: Security defenders monitor and secure inventory database
Step 9: Security defenders update secure inventory database
Step 10: Network access control continuously monitors network
Step 11: Network access control checks and provides updates to the asset inventory database
CSC 2: Inventory of Authorized and Unauthorized Software

Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

Why Is This Control Critical?

Attackers continuously scan target organizations looking for vulnerable versions of software that can be remotely exploited. Some attackers also distribute hostile web pages, document files, media files, and other content via their own web pages or otherwise trustworthy third-party sites. When unsuspecting victims access this content with a vulnerable browser or other client-side program, attackers compromise their machines, often installing backdoor programs and bots that give the attacker long-term control of the system. Some sophisticated attackers may use zero-day exploits, which take advantage of previously unknown vulnerabilities for which no patch has yet been released by the software vendor. Without proper knowledge or control of the software deployed in an organization, defenders cannot properly secure their assets. Poorly controlled machines are more likely to be either running software that is unneeded for business purposes, introducing potential security flaws, or running malware introduced by an attacker after a system is compromised. Once a single machine has been exploited, attackers often use it as a staging point for collecting sensitive information from the compromised system and from other systems connected to it. In addition, compromised machines are used as a launching point for movement throughout the network and partnering networks. In this way, attackers may quickly turn one compromised machine into many. Organizations that do not have complete software inventories are unable to find systems running vulnerable or malicious software to mitigate problems or root out attackers. Managed control of all software also plays a critical role in planning and executing system backup and recovery.

How to Implement This Control

ID # | Category | Description

CSC 2-1 | Quick win (One of the "First Five") | Deploy application whitelisting technology that allows systems to run software only if it is included on the whitelist and prevents execution of all other software on the system. The whitelist may be very extensive (as is available from commercial whitelist vendors), so that users are not inconvenienced when using common software. Or, for some special-purpose systems (which require only a small number of programs to achieve their needed business functionality), the whitelist may be quite narrow. When protecting systems with customized software that may be seen as difficult to whitelist, use CSC 2-8 below (isolating the custom software in a virtual operating system that does not retain infections).

CSC 2-2 | Quick win | Devise a list of authorized software and versions that is required in the enterprise for each type of system, including servers, workstations, and laptops of various kinds and uses. This list should be monitored by file integrity checking tools to validate that the authorized software has not been modified.

CSC 2-3 | Quick win | Perform regular scanning for unauthorized software and generate alerts when it is discovered on a system. A strict change-control process should also be implemented to control any changes or installation of software to any systems on the network. This includes alerting when unrecognized binaries (executable files, DLLs and other libraries, etc.) are found on a system, even inside of compressed archives. This includes checking for unrecognized or altered versions of software by comparing file hash values (attackers often utilize altered versions of known software to perpetrate attacks, and file hash comparisons will reveal the compromised software components).

CSC 2-4 | Visibility/Attribution | Deploy software inventory tools throughout the organization covering each of the operating system types in use, including servers, workstations, and laptops. The software inventory system should track the version of the underlying operating system as well as the applications installed on it. Furthermore, the tool should record not only the type of software installed on each system, but also its version number and patch level.

CSC 2-5 | Visibility/Attribution | The software inventory systems must be integrated with the hardware asset inventory so that all devices and associated software are tracked from a single location.

CSC 2-6 | Configuration/Hygiene | Dangerous file types (e.g., .exe, .zip, .msi) should be closely monitored and/or blocked.

CSC 2-7 | Advanced | Virtual machines and/or air-gapped systems should be used to isolate and run applications that are required for business operations but, based on higher risk, should not be installed within a networked environment.

CSC 2-8 | Advanced | Configure client workstations with non-persistent, virtualized operating environments that can be quickly and easily restored to a trusted snapshot on a periodic basis.

CSC 2-9 | Advanced | Deploy software that only provides signed software ID tags. A software identification tag is an XML file that is installed alongside software and uniquely identifies the software, providing data for software inventory and asset management.
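The hash comparison in CSC 2-3, as an added Python example rather than code from the document or from any inventory product: a scanner hashes every executable-looking file in a directory tree, including members of zip archives (the "even inside of compressed archives" case), and classifies each against an authorized-software manifest as authorized, ALTERED (an approved file name whose hash no longer matches) or UNRECOGNIZED (a hash the manifest has never seen). The manifest, the file names and contents, and the list of "executable" extensions are constructed for the demonstration.

```python
"""Find unrecognized or altered binaries, including inside zip archives (CSC 2-3).

Added example, not code from the Council on CyberSecurity document. Builds an
authorized-software manifest of SHA-256 hashes, walks a directory tree, hashes
every file that looks executable (and every such member of a .zip archive,
read in memory), and classifies each file. All names, contents and the
extension list are constructed for the example.
"""
import hashlib
import io
import os
import tempfile
import zipfile

EXEC_SUFFIXES = (".exe", ".dll", ".msi", ".so", ".bin")  # assumed policy list


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def looks_executable(name: str) -> bool:
    return name.lower().endswith(EXEC_SUFFIXES)


def build_manifest(entries):
    """entries: iterable of (file name, approved content) -> {name: sha256}."""
    return {name: sha256_bytes(content) for name, content in entries}


def iter_binaries(root):
    """Yield (logical_path, data) for executables on disk and inside zip archives.

    Archive members get a logical path of the form 'archive.zip!member'.
    """
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root)
            if looks_executable(fname):
                yield rel, data
            if fname.lower().endswith(".zip") and zipfile.is_zipfile(io.BytesIO(data)):
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        if looks_executable(member):
                            yield f"{rel}!{member}", zf.read(member)


def classify(root, manifest):
    """Return {logical_path: 'authorized' | 'ALTERED' | 'UNRECOGNIZED'}."""
    known_hashes = set(manifest.values())
    result = {}
    for lpath, data in iter_binaries(root):
        digest = sha256_bytes(data)
        base = os.path.basename(lpath.split("!")[-1])
        if digest in known_hashes:
            result[lpath] = "authorized"
        elif base in manifest:
            result[lpath] = "ALTERED"        # approved name, hash does not match
        else:
            result[lpath] = "UNRECOGNIZED"   # no approved file has this hash
    return result


def demo():
    """Create a constructed tree with one clean, one altered and one hidden binary."""
    manifest = build_manifest([("app.exe", b"APP-v1.0"), ("helper.dll", b"HELPER-v2")])
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "app.exe"), "wb") as f:
            f.write(b"APP-v1.0")                      # unchanged -> authorized
        with open(os.path.join(root, "bin", "helper.dll"), "wb") as f:
            f.write(b"HELPER-v2-TROJANIZED")          # same name, new hash -> ALTERED
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"not a binary")                  # not executable -> ignored
        with zipfile.ZipFile(os.path.join(root, "tools.zip"), "w") as zf:
            zf.writestr("dropper.exe", b"MZ-unknown")  # hidden in archive -> UNRECOGNIZED
            zf.writestr("readme.txt", b"ignored")
        return classify(root, manifest)


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:13} {path}")
```

Matching is done on the hash first and on the file name second, so a trojanized copy of an approved program is reported as altered rather than silently accepted because its name is on the list. A real deployment would replace the constructed manifest with hashes recorded at approval time (CSC 2-2) and feed the output to the alerting path measured by the CSC 2 effectiveness metrics.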
CSC 2 Procedures and Tools

Whitelisting can be implemented using commercial whitelisting tools or application execution tools that come with anti-virus suites and with Windows. Commercial software and asset inventory tools are widely available and in use in many enterprises today. The best of these tools provide an inventory check of hundreds of common applications used in enterprises, pulling information about the patch level of each installed program to ensure that it is the latest version and leveraging standardized application names, such as those found in the Common Platform Enumeration specification.

Features that implement whitelists of programs allowed to run are included in many modern endpoint security suites. Moreover, commercial solutions are increasingly bundling together anti-virus, anti-spyware, personal firewall, and host-based intrusion detection systems (IDS) and intrusion prevention systems (IPS), along with application white and black listing. In particular, most endpoint security solutions can look at the name, file system location, and/or cryptographic hash of a given executable to determine whether the application should be allowed to run on the protected machine. The most effective of these tools offer custom whitelists based on executable path, hash, or regular expression matching. Some even include a gray list function that allows administrators to define rules for execution of specific programs only by certain users and at certain times of day.

CSC 2 Effectiveness Metrics

In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:
1. How long does it take to detect new software installed on systems in the organization (time in minutes)?
2. How long does it take the scanners to alert the organization's administrators that an unauthorized software application is on a system (time in minutes)?
3. How long does it take to alert that a new software application has been discovered (time in minutes)?
4. Are the scanners able to identify the location, department, and other critical details about the unauthorized software that is detected (yes or no)?

CSC 2 Automation Metrics

In order to automate the collection of relevant data from these systems, organizations should gather the following information with automated technical sensors:
1. How many unauthorized software applications are presently located on business systems within the organization (by business unit)?
2. How long, on average, does it take to remove unauthorized applications from business systems within the organization (by business unit)?
3. What is the percentage of the organization's business systems that are not running software whitelisting software that blocks unauthorized software applications (by business unit)?
4. How many software applications have been recently blocked from executing by the organization's software whitelisting software (by business unit)?

CSC 2 Effectiveness Test

To evaluate the implementation of Control 2 on a periodic basis, the evaluation team must move a benign software test program that is not included in the authorized software list to 10 systems on the network. Two of the systems must be included in the asset inventory database, while the other systems do not need to be included. The evaluation team must then verify that the systems generate an alert or e-mail notice regarding the new software within 24 hours. The team must also verify that the alert or e-mail is received within one additional hour indicating that the software has been blocked or quarantined. The evaluation team must verify that the system provides details of the location of each machine with this new test software, including information about the asset owner. The evaluation team must then verify that the software is blocked by attempting to execute it and verifying that the software is not allowed to run. On systems where blocking is not allowed or blocking functionality is not available, the team must verify that the execution of unauthorized software is detected and results in a notification to alert the security team that unauthorized software is being used.

CSC 2 System Entity Relationship Diagram

Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.
A control system is a device or set of devices to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining software installed on the organization's network systems. These systems should be able to identify if new software is introduced to the environment that has not been authorized by enterprise personnel. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.
Step 1: Active device scanner
Step 2: Active scanner reports to inventory database
Step 3: Inventory database compares to inventory baseline
Step 4: Inventory database initiates alerting system
Step 5: Alert system notifies security defenders
Step 6: Security defenders monitor and secure inventory database
Step 7: Security defenders update software inventory database
Step 8: Whitelisting tool continuously monitors all systems on the network
Step 9: Whitelisting checks and makes updates to the software inventory database.
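As an added illustration of the decision logic described under CSC 2 Procedures and Tools (matching by cryptographic hash, exact path, or regular expression, plus a gray list that admits a program only for named users inside a time window), the following is example code, not code from the Critical Security Controls document or from any endpoint product. Every path, user account, rule value, timestamp and file body in it is constructed for the demonstration.

```python
"""Added example, not code from the Critical Security Controls document: an
application allowlist decision of the kind the CSC 2 Procedures and Tools text
describes (by cryptographic hash, exact path, or regular expression), plus a
gray list that admits a program only for named users inside a time window.
Every path, user, rule and file body here is constructed for the demo."""
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class GrayRule:
    pattern: re.Pattern   # programs the rule covers (matched against the path)
    users: frozenset      # accounts permitted to run them
    start: time           # daily window start (inclusive)
    end: time             # daily window end (exclusive)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def decide(path, content, user, when, hashes, paths, patterns, gray):
    """Return (verdict, reason); verdict is "ALLOW" or "BLOCK".

    Hash is checked first because it is the only criterion that survives a
    binary being replaced in place; path and pattern rules trust a location."""
    if sha256_hex(content) in hashes:
        return "ALLOW", "hash"
    if path in paths:
        return "ALLOW", "path"
    for pat in patterns:
        if pat.search(path):
            return "ALLOW", "pattern " + pat.pattern
    for rule in gray:
        if rule.pattern.search(path):
            stamp = when.strftime("%H:%M")
            if user in rule.users and rule.start <= when.time() < rule.end:
                return "ALLOW", "gray list (%s, %s)" % (user, stamp)
            return "BLOCK", "gray list denies %s at %s" % (user, stamp)
    return "BLOCK", "not on any list"


# --- constructed sample policy --------------------------------------------
TRUSTED_EDITOR = b"\x7fELF constructed trusted editor binary"
HASHES = {sha256_hex(TRUSTED_EDITOR)}
PATHS = {"/usr/bin/legacy-tool"}
PATTERNS = [re.compile(r"^/opt/corp/bin/[^/]+$")]
GRAY = [GrayRule(re.compile(r"^/opt/admin/backup$"), frozenset({"bob"}),
                 time(20, 0), time(23, 59))]


def run_demo():
    """Evaluate constructed execution events; returns [(path, verdict, reason)]."""
    t_day = datetime(2014, 3, 1, 10, 0)
    t_night = datetime(2014, 3, 1, 22, 30)
    events = [
        # trusted binary copied to an unusual location: hash still matches
        ("/home/alice/editor", TRUSTED_EDITOR, "alice", t_day),
        # lives under an approved directory pattern
        ("/opt/corp/bin/report", b"constructed report tool", "alice", t_day),
        # unknown download
        ("/home/alice/Downloads/game", b"constructed unknown binary", "alice", t_day),
        # gray-listed backup tool: bob in window, alice not a listed user
        ("/opt/admin/backup", b"constructed backup tool", "bob", t_night),
        ("/opt/admin/backup", b"constructed backup tool", "alice", t_night),
        # bob outside the window
        ("/opt/admin/backup", b"constructed backup tool", "bob", datetime(2014, 3, 1, 9, 0)),
        # a path rule admits whatever sits at that path, even replaced contents
        ("/usr/bin/legacy-tool", b"constructed REPLACED contents", "alice", t_day),
    ]
    return [(p,) + decide(p, c, u, t, HASHES, PATHS, PATTERNS, GRAY)
            for p, c, u, t in events]
```

The last event is the reason hash rules are evaluated first and preferred: a path or pattern rule allows whatever currently occupies that location, so a replaced binary passes, while a hash rule only admits the exact bytes that were approved.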
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

Why Is This Control Critical?

As delivered by manufacturers and resellers, the default configurations for operating systems and applications are normally geared to ease-of-deployment and ease-of-use, not security. Basic controls, open services and ports, default accounts or passwords, older (vulnerable) protocols, pre-installation of unneeded software: all can be exploitable in their default state. Developing configuration settings with good security properties is a complex task beyond the ability of individual users, requiring analysis of potentially hundreds or thousands of options in order to make good choices. Even if a strong initial configuration is developed and installed, it must be continually managed to avoid security "decay" as software is updated or patched, new security vulnerabilities are reported, and configurations are "tweaked" to allow the installation of new software or support new operational requirements. If not, attackers will find opportunities to exploit both network-accessible services and client software.

How to Implement This Control

ID # | Description | Category
CSC 3-1 | Establish and ensure the use of standard secure configurations of your operating systems. Standardized images should represent hardened versions of the underlying operating system and the applications installed on the system. Hardening typically includes: removal of unnecessary accounts (including service accounts), disabling or removal of unnecessary services, configuring non-executable stacks and heaps, applying patches, closing open and unused network ports, implementing intrusion detection systems and/or intrusion prevention systems, and use of host-based firewalls. These images should be validated and refreshed on a regular basis to update their security configuration in light of recent vulnerabilities and attack vectors. | Quick Win (One of the "First Five")
CSC 3-2 | Implement automated patching tools and processes for both applications and for operating system software. When outdated systems can no longer be patched, update to the latest version of application software. Remove outdated, older, and unused software from the system. | Quick Win (One of the "First Five")
CSC 3-3 | Limit administrative privileges to very few users who have both the knowledge necessary to administer the operating system and a business need to modify the configuration of the underlying operating system. This will help prevent installation of unauthorized software and other abuses of administrator privileges. | Quick Win (One of the "First Five")
CSC 3-4 | Follow strict configuration management, building a secure image that is used to build all new systems that are deployed in the enterprise. Any existing system that becomes compromised should be re-imaged with the secure build. Regular updates or exceptions to this image should be integrated into the organization's change management processes. Images should be created for workstations, servers, and other system types used by the organization. | Quick Win
CSC 3-5 | Store the master images on securely configured servers, validated with integrity checking tools capable of continuous inspection, and change management to ensure that only authorized changes to the images are possible. Alternatively, these master images can be stored in offline machines, air-gapped from the production network, with images copied via secure media to move them between the image storage servers and the production network. | Quick Win
CSC 3-6 | Negotiate contracts to buy systems configured securely out of the box using standardized images, which should be devised to avoid extraneous software that would increase their attack surface and susceptibility to vulnerabilities. | Visibility/Attribution
CSC 3-7 | Do all remote administration of servers, workstations, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL or IPSEC. | Configuration/Hygiene
CSC 3-8 | Utilize file integrity checking tools to ensure that critical system files (including sensitive system and application executables, libraries, and configurations) have not been altered. All alterations to such files should be automatically reported to security personnel. The reporting system should have the ability to account for routine and expected changes, highlighting unusual or unexpected alterations. For investigative support, the reporting system should be able to show the history of configuration changes over time and identify who made the change (including the original logged-in account in the event of a user ID switch, such as with the su or sudo command). These integrity checks should also identify suspicious system alterations such as owner and permissions changes to files or directories; the use of alternate data streams, which could be used to hide malicious activities; as well as detecting the introduction of extra files into key system areas (which could indicate malicious payloads left by attackers or additional files inappropriately added during batch distribution processes). | Configuration/Hygiene
CSC 3-9 | Implement and test an automated configuration monitoring system that measures all secure configuration elements that can be measured through remote testing using features such as those included with tools compliant with Security Content Automation Protocol (SCAP), and alerts when unauthorized changes occur. This includes detecting new listening ports, new administrative users, changes to group and local policy objects (where applicable), and new services running on a system. | Advanced
CSC 3-10 | Deploy system configuration management tools, such as Active Directory Group Policy Objects for Microsoft Windows systems or Puppet for UNIX systems, that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals. They should be capable of triggering redeployment of configuration settings on a scheduled, manual, or event-driven basis. | Configuration/Hygiene
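To make CSC 3-8 concrete, the following is an added example of a minimal file-integrity check; it is not code from the Critical Security Controls document or from any integrity-checking product. It records a baseline of content hash, permission bits and owner for every regular file below a root, reports additions, removals and content, permission or owner changes, and suppresses a content change only when it lands on a digest approved through change control (the "routine and expected changes" the control mentions). The directory tree, file contents and approved change are constructed in a temporary directory; nothing touches real system files.

```python
"""Added example, not code from the Critical Security Controls document: a
minimal file-integrity check of the kind CSC 3-8 calls for. The tree, file
contents and the "approved change" are constructed in a temporary directory."""
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    digest: str   # SHA-256 of the contents
    mode: int     # permission bits only (stat.S_IMODE)
    uid: int      # numeric owner


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> Record for every regular file below root."""
    records = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):   # skip symlinks, devices, etc.
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            records[rel] = Record(file_digest(full), stat.S_IMODE(st.st_mode), st.st_uid)
    return records


def compare(baseline, current, approved=None):
    """Return sorted [(rel_path, kind)] for every unexpected difference.

    approved maps rel_path -> the digest change control authorised; a content
    change that lands exactly on that digest is expected and not reported,
    while any other change to the same file still is."""
    approved = approved or {}
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            findings.append((rel, "added"))
        elif new is None:
            findings.append((rel, "removed"))
        else:
            if old.digest != new.digest and approved.get(rel) != new.digest:
                findings.append((rel, "contents"))
            if old.mode != new.mode:
                findings.append((rel, "permissions"))
            if old.uid != new.uid:
                findings.append((rel, "owner"))
    return findings


def write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def run_demo():
    """Build a constructed tree, take a baseline, make changes, diff them."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "etc/ssh/sshd_config", b"PermitRootLogin no\n")
        write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        write(root, "etc/motd", b"Authorised use only\n")
        write(root, "bin/login", b"constructed login binary")
        baseline = snapshot(root)

        # approved through change control: new sshd_config with a known digest
        new_sshd = b"PermitRootLogin no\nPasswordAuthentication no\n"
        approved = {"etc/ssh/sshd_config": hashlib.sha256(new_sshd).hexdigest()}
        write(root, "etc/ssh/sshd_config", new_sshd)
        # unexpected: setuid bit on a binary, an extra file in a key area,
        # a deleted file, and an edit nobody approved
        os.chmod(os.path.join(root, "bin/login"), 0o4755)
        write(root, "bin/.cache", b"constructed extra file in a key area")
        os.remove(os.path.join(root, "etc/hosts"))
        write(root, "etc/motd", b"Authorised use only\nedited without a ticket\n")

        return compare(baseline, snapshot(root), approved)
```

The approved-change map is keyed on the expected resulting digest rather than on the path alone, so a file that was supposed to change cannot be used as cover for an unrelated modification. Attribution of who made each change (the su/sudo case in the control) is not something a file hash can carry; that comes from the audit log, which this check does not read.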
CSC 3 Procedures and Tools

Rather than start from scratch developing a security baseline for each software system, organizations should start from publicly developed, vetted, and supported security benchmarks, security guides, or checklists. Excellent resources include:
The Center for Internet Security Benchmarks Program (www.cisecurity.org)
The NIST National Checklist Program (checklists.nist.gov)

Organizations should augment or adjust these baselines to satisfy local policies and requirements, but deviations and rationale should be documented to facilitate later reviews or audits. For a complex enterprise, the establishment of a single security baseline configuration (for example, a single installation image for all workstations across the entire enterprise) is sometimes not practical or deemed unacceptable. It is likely that you will need to support different standardized images, based on the proper hardening to address risks and needed functionality of the intended deployment (for example, a web server in the DMZ vs. an email or other application server in the internal network). The number of variations should be kept to a minimum in order to better understand and manage the security properties of each, but organizations then must be prepared to manage multiple baselines.

Commercial and/or free configuration management tools can then be employed to measure the settings of operating systems and applications of managed machines to look for deviations from the standard image configurations. Typical configuration management tools use some combination of an agent installed on each managed system, or agentless inspection of systems by remotely logging in to each managed machine using administrator credentials. Additionally, a hybrid approach is sometimes used whereby a remote session is initiated, a temporary or dynamic agent is deployed on the target system for the scan, and then the agent is removed.

CSC 3 Effectiveness Metrics

In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:
1. How long does it take to detect configuration changes to a network system (time in minutes)?
2. How long does it take the scanners to alert the organization's administrators that an unauthorized configuration change has occurred (time in minutes)?
3. How long does it take to block/quarantine unauthorized changes on network systems (time in minutes)?
4. Are the scanners able to identify the location, department, and other critical details about the systems where unauthorized changes occurred (yes or no)?
5. Are the scanners able to trigger different notification workflows based on the severity of the configuration variance detected?

For all of the above, consider that system priority, service level commitments, system role, and other factors may drive varying objectives for scan frequency and alert time frames on different systems. Ensure that the rationale for these classifications is clear, consistent, documented, and consistently applied. Verify that target detection and notification results are aligned with service level commitments and policies for each class of system.

CSC 3 Automation Metrics

In order to automate the collection of relevant data from these systems, the organization should gather the following information with automated technical sensors:
1. What is the percentage of business systems that are not currently configured with a security configuration that matches the organization's approved configuration standard (by business unit)?
2. What is the percentage of business systems whose security configuration is not enforced by the organization's technical configuration management applications (by business unit)?
3. What is the percentage of business systems that are not up to date with the latest available operating system software security patches (by business unit)?
4. What is the percentage of business systems that are not up to date with the latest available business software application security patches (by business unit)?
5. What is the percentage of business systems not protected by file integrity assessment software applications (by business unit)?
6. What is the percentage of unauthorized or undocumented changes with security impact (by business unit)?

CSC 3 Effectiveness Test

To evaluate the implementation of Control 3 on a periodic basis, an evaluation team must move a benign test system that does not contain the official hardened image, but that does contain additional services, ports, and configuration file changes, onto the network. This must be performed on 10 different random segments using either real or virtual systems. The evaluation team must then verify that the systems generate an alert regarding the changes to the software within the target service window, or within 24 hours, whichever is less. It is important that the evaluation team verify that all unauthorized changes have been detected. The team must also verify that the alert or e-mail is received within one additional hour indicating that the software has been blocked or quarantined. The evaluation team must verify that the system provides details of the location of each machine with the unauthorized changes, including information about the asset owner.

The evaluation team must also introduce undocumented out-of-band configuration settings and binaries using real or virtual systems on 10 random segments. The test should include making a non-persistent change, in which a change is introduced to the primary program location (bin, Program Files, etc.), left in place for 30-60 minutes, then reverted to the original configuration. The evaluation team must verify that all configuration changes and binaries are detected, and that there is a record of the non-persistent changes mentioned above. The detection data should include the nature of the change made (addition, removal, alteration, owner, permissions, contents, etc.), as well as the user account that made the change.

The evaluation team must also verify that unauthorized software is blocked by attempting to execute it and verifying that it is not allowed to run. On systems where blocking is not allowed or blocking functionality is not available, the team must verify that the execution of unauthorized software is detected and results in a notification to alert the security team that unauthorized software is being used.

In addition to these tests, the following tests must be performed:
1. File integrity checking tools must be run on a regular basis. Any changes to critical operating system, services, and configuration files must be checked on an hourly basis. Any changes must be detected and either blocked or trigger an alert that follows the above notification process.
2. Detection software must detect the disabling of system logging, as well as the truncation, modification, or deletion of log files. Note that growth of logs should not trigger notifications, but suspicious changes associated with malicious activities should; examples include deletion or truncation of logs, modification of past log events, owner or permission changes, etc. Any inappropriate changes to logs must trigger an alert that follows the above notification process.
3. System scanning tools that check for software version, patch levels, and configuration files must be run on a daily basis. Any changes must be detected and either blocked or trigger an alert that follows the above notification process.

CSC 3 System Entity Relationship Diagram

Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur. As with any configurations, all changes must be approved and managed by a change control process.
A control system is a device or set of devices to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining the devices, software, and entities used to manage and implement consistent configuration settings to workstations, laptops, and servers on the network. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.
Step 1: Secured system images applied to computer systems
Step 2: Secured system images stored in a secure manner
Step 3: Configuration management system validates and checks system images
Step 4: Configuration policy enforcement system actively scans production systems for misconfigurations or deviations from baselines
Step 5: File integrity assessment systems monitor critical system binaries and data sets
Step 6: Whitelisting tool monitors systems configurations and software
Step 7: SCAP configuration scanner validates configurations
Step 8: File integrity assessment system sends deviations to alerting system
Step 9: Whitelisting tool sends deviations to alerting system
Step 10: SCAP configuration scanner sends deviations to alerting system
Step 11 and 12: Management reports document configuration status.
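The second of the additional CSC 3 tests above asks detection software to tell normal log growth apart from truncation, modification of past events, deletion, and owner or permission changes. The following is an added example of one way to do that, not code from the Critical Security Controls document or from any product: a checkpoint stores a log's size and a hash of everything written up to that size, so an append leaves the hashed prefix intact while any rewrite of earlier bytes, or a shrink, does not. The log lines, file names and directory are constructed in a temporary location for the demonstration.

```python
"""Added example, not code from the Critical Security Controls document: a
log-file tamper check for the second additional CSC 3 test. The log lines and
directory are constructed in a temporary location."""
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Checkpoint:
    size: int
    prefix_digest: str   # SHA-256 of bytes [0, size)
    mode: int            # permission bits only
    uid: int             # numeric owner


def digest_prefix(path, length):
    """Hash the first `length` bytes of a file in chunks."""
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as fh:
        while remaining > 0:
            chunk = fh.read(min(65536, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def checkpoint(path):
    st = os.stat(path)
    return Checkpoint(st.st_size, digest_prefix(path, st.st_size),
                      stat.S_IMODE(st.st_mode), st.st_uid)


def check(path, cp):
    """Verdicts for one log against its checkpoint; an empty list means only
    append-only growth (or nothing at all) happened since the checkpoint."""
    if not os.path.exists(path):
        return ["deleted"]
    st = os.stat(path)
    verdicts = []
    if st.st_size < cp.size:
        verdicts.append("truncated")
    elif digest_prefix(path, cp.size) != cp.prefix_digest:
        verdicts.append("past events modified")
    if stat.S_IMODE(st.st_mode) != cp.mode:
        verdicts.append("permissions changed")
    if st.st_uid != cp.uid:
        verdicts.append("owner changed")
    return verdicts


# constructed log lines
LINES = [b"Mar  1 10:00:01 host sshd[101]: Accepted publickey for alice\n",
         b"Mar  1 10:05:12 host sudo: alice : COMMAND=/bin/systemctl restart app\n"]


def run_demo():
    """Returns {log name: verdict list} for five constructed scenarios."""
    with tempfile.TemporaryDirectory() as d:
        names = ["auth.log", "secure.log", "messages.log", "kern.log", "app.log"]
        cps = {}
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.writelines(LINES)
            cps[n] = checkpoint(os.path.join(d, n))
        # auth.log: normal append, must not alert
        with open(os.path.join(d, "auth.log"), "ab") as fh:
            fh.write(b"Mar  1 10:09:00 host sshd[102]: Accepted publickey for bob\n")
        # secure.log: emptied, hiding its history
        with open(os.path.join(d, "secure.log"), "wb"):
            pass
        # messages.log: a past event rewritten in place, size unchanged
        with open(os.path.join(d, "messages.log"), "r+b") as fh:
            fh.seek(LINES[0].index(b"alice"))
            fh.write(b"carol")
        # kern.log: removed outright; app.log: made world-writable
        os.remove(os.path.join(d, "kern.log"))
        os.chmod(os.path.join(d, "app.log"), 0o666)
        return {n: check(os.path.join(d, n), cps[n]) for n in names}
```

Because only the already-checkpointed prefix is hashed, the cost of each check is bounded by the log's size at the previous checkpoint rather than by its growth, and the ordinary case (growth with an intact prefix) produces no alert, as the test requires. Log rotation should be handled by taking a fresh checkpoint when the rotation is an expected event, otherwise it will surface as a truncation.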
CSC 4: Continuous Vulnerability Assessment and Remediation

Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.

Why Is This Control Critical?

Cyber defenders must operate in a constant stream of new information: software updates, patches, security advisories, threat bulletins, etc. Understanding and managing vulnerabilities has become a continuous activity, requiring significant time, attention, and resources. Attackers have access to the same information, and can take advantage of gaps between the appearance of new knowledge and remediation. For example, when new vulnerabilities are reported by researchers, a race starts among all parties, including: attackers (to "weaponize", deploy an attack, exploit); vendors (to develop, deploy patches or signatures and updates); and defenders (to assess risk, regression-test patches, install). Organizations that do not scan for vulnerabilities and proactively address discovered flaws face a significant likelihood of having their computer systems compromised. Defenders face particular challenges in scaling remediation across an entire enterprise, and prioritizing actions with conflicting priorities and sometimes-uncertain side effects.

How to Implement This Control

ID # | Description | Category
CSC 4-1 | Run automated vulnerability scanning tools against all systems on the network on a weekly or more frequent basis and deliver prioritized lists of the most critical vulnerabilities to each responsible system administrator along with risk scores that compare the effectiveness of system administrators and departments in reducing risk. Use a SCAP-validated vulnerability scanner that looks for both code-based vulnerabilities (such as those described by Common Vulnerabilities and Exposures entries) and configuration-based vulnerabilities (as enumerated by the Common Configuration Enumeration Project). | Quick Win ("First Five")
CSC 4-2 | Correlate event logs with information from vulnerability scans to fulfill two goals. First, personnel should verify that the activity of the regular vulnerability scanning tools themselves is logged. Second, personnel should be able to correlate attack detection events with earlier vulnerability scanning results to determine whether the given exploit was used against a target known to be vulnerable. | Quick Win
CSC 4-3 | Perform vulnerability scanning in authenticated mode either with agents running locally on each end system to analyze the security configuration or with remote scanners that are given administrative rights on the system being tested. Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses. Ensure that only authorized employees have access to the vulnerability management user interface and that roles are applied to each user. | Quick Win
CSC 4-4 | Subscribe to vulnerability intelligence services in order to stay aware of emerging exposures, and use the information gained from this subscription to update the organization's vulnerability scanning activities on at least a monthly basis. Alternatively, ensure that the vulnerability scanning tools you use are regularly updated with all relevant important security vulnerabilities. | Quick Win
CSC 4-5 | Deploy automated patch management tools and software update tools for operating system and software applications on all systems for which such tools are available and safe. Patches should be applied to all systems, even systems that are properly air gapped. | Visibility/Attribution
CSC 4-6 | Carefully monitor logs associated with any scanning activity and associated administrator accounts to ensure that all scanning activity and associated access via the privileged account is limited to the timeframes of legitimate scans. | Visibility/Attribution
CSC 4-7 | Compare the results from back-to-back vulnerability scans to verify that vulnerabilities were addressed either by patching, implementing a compensating control, or documenting and accepting a reasonable business risk. Such acceptance of business risks for existing vulnerabilities should be periodically reviewed to determine if newer compensating controls or subsequent patches can address vulnerabilities that were previously accepted, or if conditions have changed, increasing the risk. | Configuration/Hygiene
CSC 4-8 | Measure the delay in patching new vulnerabilities and ensure that the delay is equal to or less than the benchmarks set forth by the organization. Alternative countermeasures should be considered if patches are not available. | Configuration/Hygiene
CSC 4-9 | Evaluate critical patches in a test environment before pushing them into production on enterprise systems. If such patches break critical business applications on test machines, the organization must devise other mitigating controls that block exploitation on systems where the patch cannot be deployed because of its impact on business functionality. | Configuration/Hygiene
CSC 4-10 | Establish a process to risk-rate vulnerabilities based on the exploitability and potential impact of the vulnerability, and segmented by appropriate groups of assets (for example, DMZ servers, internal network servers, desktops, laptops). Apply patches for the riskiest vulnerabilities first. A phased rollout can be used to minimize the impact to the organization. Establish expected patching timelines based on the risk rating level. | Configuration/Hygiene
CSC 4 Procedures and Tools

A large number of vulnerability scanning tools are available to evaluate the security configuration of systems. Some enterprises have also found commercial services using remotely managed scanning appliances to be effective. To help standardize the definitions of discovered vulnerabilities in multiple departments of an organization or even across organizations, it is preferable to use vulnerability scanning tools that measure security flaws and map them to vulnerabilities and issues categorized using one or more of the following industry-recognized vulnerability, configuration, and platform classification schemes and languages: CVE, CCE, OVAL, CPE, CVSS, and/or XCCDF.

Advanced vulnerability scanning tools can be configured with user credentials to log in to scanned systems and perform more comprehensive scans than can be achieved without login credentials. The frequency of scanning activities, however, should increase as the diversity of an organization's systems increases to account for the varying patch cycles of each vendor.

In addition to the scanning tools that check for vulnerabilities and misconfigurations across the network, various free and commercial tools can evaluate security settings and configurations of local machines on which they are installed. Such tools can provide fine-grained insight into unauthorized changes in configuration or the inadvertent introduction of security weaknesses by administrators.

Effective organizations link their vulnerability scanners with problem-ticketing systems that automatically monitor and report progress on fixing problems, and that make unmitigated critical vulnerabilities visible to higher levels of management to ensure the problems are solved.

The most effective vulnerability scanning tools compare the results of the current scan with previous scans to determine how the vulnerabilities in the environment have changed over time. Security personnel use these features to conduct vulnerability trending from month to month. As vulnerabilities related to unpatched systems are discovered by scanning tools, security personnel should determine and document the amount of time that elapses between the public release of a patch for the system and the occurrence of the vulnerability scan. If this time window exceeds the organization's benchmarks for deployment of the given patch's criticality level, security personnel should note the delay and determine if a deviation was formally documented for the system and its patch. If not, the security team should work with management to improve the patching process.

Additionally, some automated patching tools may not detect or install certain patches due to an error by the vendor or administrator. Because of this, all patch checks should reconcile system patches with a list of patches each vendor has announced on its website.

CSC 4 Effectiveness Metrics

In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:
1. How long does it take vulnerability scanning systems, if they detect unauthorized devices on the network, to generate an alert (time in minutes)?
2. How long after a scan successfully completes does it take to generate an alert indicating that it completed (time in minutes)?
3. If a scan does not complete, how long does it take to generate an alert that the scan failed to run (time in minutes)?
4. How long does it take automated patch management tools to alert or send e-mail to administrative personnel regarding the successful installation of new patches (time in minutes)?

For all of the above, consider that system priority, service level commitments, system role, and other factors may drive varying objectives for scan frequency and alert time frames on different systems. Ensure that the rationale for these classifications is clear, consistent, documented, and consistently applied. Verify that target detection and notification results are aligned with service level commitments and policies for each class of system.

CSC 4 Automation Metrics

In order to automate the collection of relevant data from these systems, organizations should gather the following information with automated technical sensors:
1. What is the percentage of the organization's business systems that have not recently been scanned by the organization's approved, SCAP-compliant vulnerability management system (by business unit)?
2. What is the average SCAP vulnerability score of each of the organization's business systems (by business unit)?
3. What is the total SCAP vulnerability score of each of the organization's business systems (by business unit)?
4. How long does it take, on average, to completely deploy operating system software updates to a business system (by business unit)?
5. How long does it take, on average, to completely deploy application software updates to a business system (by business unit)?

CSC 4 Effectiveness Test

To evaluate the implementation of Control 4 on a periodic basis, the evaluation team must verify that scanning tools have successfully completed their weekly or daily scans for the previous 30 cycles of scanning by reviewing archived alerts and reports to ensure that the scan was completed. If a scan could not be completed in that timeframe, the evaluation team must verify that an alert or e-mail was generated indicating that the scan did not finish.

CSC 4 System Entity Relationship Diagram

Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.
A control system is a device or set of devices to manage, command, direct, or regulate the behavior of other devices or systems. In this case, the vulnerability scanners, management system, patch management systems, and configuration baselines all work together to address an organization's vulnerability management and remediation strategy. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.
Step 1: Vulnerability intelligence service provides inputs to vulnerability scanner
Step 2: Vulnerability scanners scan production systems
Step 3: Vulnerability scanners report detected vulnerabilities to a vulnerability management system (VMS)
Step 4: The VMS compares production systems to configuration baselines
Step 5: The VMS sends information to log management correlation system
Step 6: The VMS produces reports for management
Step 7: A patch management system applies software updates to production systems.
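CSC 4-7 (compare back-to-back scans), CSC 4-8 (measure patch delay against benchmarks) and CSC 4-10 (risk-rate and patch the riskiest first), together with the scan-comparison and patch-delay discussion under CSC 4 Procedures and Tools, describe one workflow. The following added example carries that workflow through in code; it is not code from the Critical Security Controls document or from any scanner. The two result sets, host names, vulnerability identifiers (placeholders, not CVE entries), benchmark values, dates and the risk acceptance are all constructed for the demonstration.

```python
"""Added example, not code from the Critical Security Controls document: the
scan comparison of CSC 4-7, the patch-delay benchmark of CSC 4-8 and the
risk-ordered patching of CSC 4-10 as one routine. All data is constructed;
the vulnerability identifiers are placeholders, not CVE entries."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed benchmarks: days allowed between a patch's release and its
# deployment, by risk rating, as an organization might set under CSC 4-10.
BENCHMARK_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str                     # placeholder identifier
    rating: str
    patch_released: Optional[date]   # None when the vendor has no patch yet


def compare_scans(previous, current):
    """Split findings into remediated, newly seen, and persisting (CSC 4-7)."""
    prev = {(f.host, f.vuln_id): f for f in previous}
    curr = {(f.host, f.vuln_id): f for f in current}
    remediated = sorted(prev.keys() - curr.keys())
    new = sorted(curr.keys() - prev.keys())
    persisting = [curr[k] for k in sorted(curr.keys() & prev.keys())]
    return remediated, new, persisting


def overdue(persisting, scan_date, accepted):
    """Persisting findings outside their benchmark, riskiest first (CSC 4-8,
    4-10). Documented risk acceptances are skipped; findings with no vendor
    patch come back with delay None so a compensating control is chosen."""
    out = []
    for f in persisting:
        if (f.host, f.vuln_id) in accepted:
            continue
        if f.patch_released is None:
            out.append((f, None))
            continue
        delay = (scan_date - f.patch_released).days
        if delay > BENCHMARK_DAYS[f.rating]:
            out.append((f, delay))
    out.sort(key=lambda item: (RANK[item[0].rating], item[0].host, item[0].vuln_id))
    return out


# --- constructed scan results, two weeks apart ----------------------------
PREVIOUS = [
    Finding("web-01", "VULN-A", "critical", date(2014, 2, 20)),
    Finding("web-01", "VULN-B", "high", date(2014, 1, 5)),
    Finding("db-01", "VULN-C", "medium", date(2014, 1, 10)),
    Finding("db-01", "VULN-D", "low", None),
    Finding("mail-01", "VULN-E", "high", date(2014, 3, 1)),
]
CURRENT = [
    Finding("web-01", "VULN-A", "critical", date(2014, 2, 20)),  # still open, 23 days
    Finding("db-01", "VULN-C", "medium", date(2014, 1, 10)),     # 64 days, inside 90
    Finding("db-01", "VULN-D", "low", None),                     # risk accepted below
    Finding("mail-01", "VULN-E", "high", date(2014, 3, 1)),      # 14 days, inside 30
    Finding("web-02", "VULN-F", "high", date(2014, 3, 10)),      # first seen this scan
]
ACCEPTED = {("db-01", "VULN-D")}   # documented business-risk acceptance (CSC 4-7)


def run_demo():
    """Compare the two constructed scans as of 2014-03-15 and list what is late."""
    remediated, new, persisting = compare_scans(PREVIOUS, CURRENT)
    late = overdue(persisting, date(2014, 3, 15), ACCEPTED)
    return {"remediated": remediated, "new": new,
            "persisting": len(persisting),
            "overdue": [(f.host, f.vuln_id, delay) for f, delay in late]}
```

The accepted-risk set is deliberately consulted on every run rather than removing the finding from the scan data, so the periodic review that CSC 4-7 asks for can be done by re-running the comparison with an emptied acceptance set. The patch-release date is the reference point for the delay, matching the Procedures and Tools text, which measures from the public release of the patch to the scan rather than from the first time the scanner noticed the vulnerability.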
CSC 5: Malware Defenses
Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.

Why Is This Control Critical?
Malicious software is an integral and dangerous aspect of Internet threats, and can be designed to attack your systems, devices, or your data. It can be fast-moving, fast-changing, and enter through any number of points like end-user devices, e-mail attachments, web pages, cloud services, user actions, and removable media. Modern malware can be designed to avoid defenses, or to attack or disable them.

How to Implement This Control
Malware defenses must be able to operate in this dynamic environment through large-scale automation, rapid updating, and integration with processes like Incident Response. They must also be deployed at multiple possible points-of-attack to detect, stop the movement of, or control the execution of malicious software. Enterprise endpoint security suites provide administrative features to verify that all defenses are active and current on every managed system.

ID # | Description | Category
CSC 5-1 | Employ automated tools to continuously monitor workstations, servers, and mobile devices with anti-virus, anti-spyware, personal firewalls, and host-based IPS functionality. All malware detection events should be sent to enterprise anti-malware administration tools and event log servers. | Quick Win
CSC 5-2 | Employ anti-malware software that offers a remote, cloud-based centralized infrastructure that compiles information on file reputations or have administrators manually push updates to all machines. After applying an update, automated systems should verify that each system has received its signature update. | Quick Win
CSC 5-3 | Configure laptops, workstations, and servers so that they will not auto-run content from removable media, like USB tokens (i.e., "thumb drives"), USB hard drives, CDs/DVDs, FireWire devices, external serial advanced technology attachment devices, and mounted network shares. | Quick Win
CSC 5-4 | Configure systems so that they automatically conduct an anti-malware scan of removable media when inserted. | Quick Win
CSC 5-5 | Scan and block all e-mail attachments entering the organization's e-mail gateway if they contain malicious code or file types that are unnecessary for the organization's business. This scanning should be done before the e-mail is placed in the user's inbox. This includes e-mail content filtering and web content filtering. | Quick Win
CSC 5-6 | Enable anti-exploitation features such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), virtualization/containerization, etc. For increased protection, deploy capabilities such as Enhanced Mitigation Experience Toolkit (EMET) that can be configured to apply these protections to a broader set of applications and executables. | Quick Win
CSC 5-7 | Limit use of external devices to those that have a business need. Monitor for use and attempted use of external devices. | Quick Win
CSC 5-8 | Ensure that automated monitoring tools use behavior-based anomaly detection to complement traditional signature-based detection. | Visibility/Attribution
CSC 5-9 | Use network-based anti-malware tools to identify executables in all network traffic and use techniques other than signature-based detection to identify and filter out malicious content before it arrives at the endpoint. | Visibility/Attribution
CSC 5-10 | Implement an incident response process that allows the IT support organization to supply the security team with samples of malware running on corporate systems that do not appear to be recognized by the enterprise's anti-malware software. Samples should be provided to the security vendor for "out-of-band" signature creation and later deployed to the enterprise by system administrators. | Advanced
CSC 5-11 | Enable domain name system (DNS) query logging to detect hostname lookup for known malicious C2 domains. | Advanced

CSC 5 Procedures and Tools
To ensure anti-virus signatures are up to date, organizations use automation. They use the built-in administrative features of enterprise endpoint security suites to verify that anti-virus, anti-spyware, and host-based IDS features are active on every managed system. They run automated assessments daily and review the results to find and mitigate systems that have deactivated such protections, as well as systems that do not have the latest malware definitions. Some enterprises deploy free or commercial honeypot and "tarpit" tools to identify attackers in their environment. Security personnel should continuously monitor these tools to determine whether traffic is directed to them and account logins are attempted. When they identify such events, these personnel should gather the source address from which this traffic originates and other details associated with the attack for follow-on investigation.

CSC 5 Effectiveness Metrics
In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:
1. How long does it take the system to identify any malicious software that is installed, attempted to be installed, executed, or attempted to be executed on a computer system (time in minutes)?
2. How long does it take the system to send e-mail notification to a list of enterprise personnel via their centralized anti-malware console or event log system after malicious code has been identified (time in minutes)?
3. Does the system have the ability to block installation, prevent execution, or quarantine malicious software (yes or no)?
4. Does the system have the ability to identify the business unit in the organization where the malicious software was identified (yes or no)?
5. How long does it take the organization to completely remove the malicious code from the system after it has been identified (time in minutes)?

CSC 5 Automation Metrics
In order to automate the collection of relevant data from these systems, organizations should gather the following information with automated technical sensors:
1. How many instances of malicious code have been detected within a period of time by host based anti-malware systems (by business unit)?
2. How many instances of malicious code that were detected within a period of time were automatically remediated by the organization's host based anti-malware systems (by business unit)?
3. How many instances of malicious code have been detected within a period of time by network based anti-malware systems (by business unit)?
4. How many instances of malicious code that were detected within a period of time were automatically remediated by the organization's network based anti-malware systems (by business unit)?
5. Percentage of applications on a system that are not utilizing application sandboxing products (by business unit).
6. Percentage of systems with anti-malware systems deployed, enabled, and up-to-date (by business unit).

CSC 5 Effectiveness Test
To evaluate the implementation of Control 5 on a periodic basis, the evaluation team must move a benign software test program that appears to be malware (such as an EICAR file or benign hacker tools), but that is not included in the official authorized software list, to 10 systems on the network via a network share. The selection of these systems must be as random as possible and include a cross-section of the organization's systems and locations. The evaluation team must then verify that the systems generate an alert or e-mail notice regarding the benign malware within one hour. The team must also verify that the alert or e-mail indicating that the software has been blocked or quarantined is received within one hour. The evaluation team must verify that the system provides details of the location of each machine with this new test file, including information about the asset owner. The team must then verify that the file is blocked by attempting to execute or open it and verifying that it is not allowed to be accessed. Once this test has been performed transferring the files to organization systems via removable media, the same test must be repeated, but this time transferring the benign malware to 10 systems via e-mail instead. The organization must expect the same notification results as noted with the removable media test.

CSC 5 System Entity Relationship Diagram
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.

A control system is a device or set of devices to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining anti-malware systems and threat vectors such as removable media. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.
Step 1: Anti-malware systems analyze production systems and removable media
Step 2: Removable media is analyzed when connected to production systems
Step 3: Email/web and network proxy devices analyze all incoming and outgoing traffic
Step 4: Network access control monitors all systems connected to the network
Step 5: Intrusion/network monitoring systems perform continuous monitoring looking for signs of malware.
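CSC 5-11 calls for DNS query logging to detect lookups of known malicious C2 domains. The following is an added example (not part of the Critical Security Controls document) of the detection logic run over a constructed sample log: the log format, hosts, IP addresses and blocklisted domains are all invented placeholders, and the matching is done label by label so that a lookalike name does not match a blocklisted parent domain.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample of DNS query-log lines, loosely modeled on a BIND-style
# query log. Every host, IP address and domain here is invented for this
# example; the "known C2" names are placeholders, not real indicators.
SAMPLE_QUERY_LOG = """\
12-Mar-2024 09:14:02.113 client 10.20.1.15#51234: query: www.example.com IN A + (10.20.1.1)
12-Mar-2024 09:14:05.870 client 10.20.1.15#51240: query: updates.c2-placeholder.invalid IN A + (10.20.1.1)
12-Mar-2024 09:15:11.004 client 10.20.2.77#49001: query: mail.example.com IN MX + (10.20.1.1)
12-Mar-2024 09:15:12.551 client 10.20.2.77#49002: query: C2-PLACEHOLDER.INVALID. IN TXT + (10.20.1.1)
12-Mar-2024 09:16:40.219 client 10.20.3.9#53311: query: notc2-placeholder.invalid IN A + (10.20.1.1)
12-Mar-2024 09:17:03.000 client 10.20.1.15#51250: query: beacon.evil-placeholder.test IN AAAA + (10.20.1.1)
this line is not a query entry and must be skipped
"""

# Blocklist of known malicious C2 domains (placeholders; in practice this comes
# from the organization's threat intelligence feed).
KNOWN_C2_DOMAINS: Set[str] = {"c2-placeholder.invalid", "evil-placeholder.test"}

QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


@dataclass(frozen=True)
class DnsAlert:
    timestamp: str
    client_ip: str
    qname: str
    qtype: str
    matched_domain: str


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so lookups compare consistently."""
    return name.rstrip(".").lower()


def match_blocklist(qname: str, blocklist: Set[str]) -> Optional[str]:
    """Return the blocklisted domain that qname equals or is a subdomain of.

    Matching is done label by label rather than by string suffix, so that
    "notc2-placeholder.invalid" does NOT match "c2-placeholder.invalid".
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def detect_c2_lookups(log_text: str, blocklist: Set[str] = KNOWN_C2_DOMAINS) -> List[DnsAlert]:
    """Parse query-log lines and return one alert per lookup of a blocklisted name."""
    alerts: List[DnsAlert] = []
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue  # malformed or unrelated line: skip rather than crash
        hit = match_blocklist(m["qname"], blocklist)
        if hit:
            alerts.append(DnsAlert(m["ts"], m["ip"], normalize(m["qname"]), m["qtype"], hit))
    return alerts


def alerts_by_client(alerts: List[DnsAlert]) -> Dict[str, int]:
    """Count alerts per source host; repeated lookups from one host suggest beaconing."""
    counts: Dict[str, int] = defaultdict(int)
    for a in alerts:
        counts[a.client_ip] += 1
    return dict(counts)


if __name__ == "__main__":
    found = detect_c2_lookups(SAMPLE_QUERY_LOG)
    for alert in found:
        print(alert)
    print(alerts_by_client(found))
```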
CSC 6: Application Software Security
Manage the security lifecycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.

Why Is This Control Critical?
Attacks often take advantage of vulnerabilities found in web-based and other application software. Vulnerabilities can be present for many reasons, including coding mistakes, logic errors, incomplete requirements, and failure to test for unusual or unexpected conditions. Examples of specific errors include: the failure to check the size of user input; failure to filter out unneeded but potentially malicious character sequences from input streams; failure to initialize and clear variables; and poor memory management allowing flaws in one part of the software to affect unrelated (and more security critical) portions. There is a flood of public and private information about such vulnerabilities available to attackers and defenders alike, as well as a robust marketplace for tools and techniques to allow "weaponization" of vulnerabilities into exploits. Attackers can inject specific exploits, including buffer overflows, SQL injection attacks, cross-site scripting, cross-site request forgery, and click-jacking of code to gain control over vulnerable machines. In one attack, more than 1 million web servers were exploited and turned into infection engines for visitors to those sites using SQL injection. During that attack, trusted websites from state governments and other organizations compromised by attackers were used to infect hundreds of thousands of browsers that accessed those websites. Many more web and non-web application vulnerabilities are discovered on a regular basis.

How to Implement This Control
ID # | Description | Category
CSC 6-1 | [NEW] For all acquired application software, check that the version you are using is still supported by the vendor. If not, update to the most current version and install all relevant patches and vendor security recommendations. | Quick Win
CSC 6-2 | Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks, including but not limited to cross-site scripting, SQL injection, command injection, and directory traversal attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed. | Quick Win
CSC 6-3 | For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. | Visibility/Attribution
CSC 6-4 | Test in-house-developed and third-party-procured web applications for common security weaknesses using automated remote web application scanners prior to deployment, whenever updates are made to the application, and on a regular recurring basis. Include tests for application behavior under denial-of-service or resource exhaustion attacks. | Visibility/Attribution
CSC 6-5 | Do not display system error messages to end-users (output sanitization). | Visibility/Attribution
CSC 6-6 | Maintain separate environments for production and nonproduction systems. Developers should not typically have unmonitored access to production environments. | Visibility/Attribution
CSC 6-7 | Test in-house-developed web and other application software for coding errors and potential vulnerabilities prior to deployment using automated static code analysis software, as well as manual testing and inspection. In particular, input validation and output encoding routines of application software should be reviewed and tested. | Configuration/Hygiene
CSC 6-8 | [NEW] For acquired application software, examine the product security process of the vendor (history of vulnerabilities, customer notification, patching/remediation) as part of the overall enterprise risk management process. | Configuration/Hygiene
CSC 6-9 | For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested. | Configuration/Hygiene
CSC 6-10 | Ensure that all software development personnel receive training in writing secure code for their specific development environment. | Configuration/Hygiene
CSC 6-11 | For in-house developed applications, ensure that development artifacts (sample data and scripts; unused libraries, components, debug code; or tools) are not included in the deployed software, or accessible in the production environment. | Configuration/Hygiene

CSC 6 Procedures and Tools
The security of applications (in-house developed or acquired) is a complex activity requiring a complete program encompassing enterprise-wide policy, technology, and the role of people. These are often broadly defined or required by formal Risk Management Frameworks and processes. A comprehensive treatment of this topic is beyond the scope of the Critical Security Controls. However, the actions in CSC 6 provide specific, high-priority steps that can improve Application Software Security. In addition, we recommend use of the many excellent comprehensive resources dedicated to this topic. Examples include: the DHS "Build Security In" Program < buildsecurityin.us-cert.gov >, and The Open Web Application Security Project (OWASP) < www.owasp.org >.

CSC 6 Effectiveness Metrics
In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:
1. Can the application system detect attacks & block them within 24 hours of being detected (yes or no)?
2. Are all Internet facing applications scanned by web application vulnerability scanners at least weekly (yes or no)?
3. How long does it take for alerts to be generated & sent to system administrators that a vulnerability scan has or has not completed (time in minutes)?
4. Are all vulnerabilities detected by the scanning tools fixed or remediated within 15 days of detection (yes or no)?

CSC 6 Automation Metrics
In order to automate the collection of relevant data from these systems, organizations should gather the following information with automated technical sensors:
1. What percentage of the organization's custom applications have not been recently scanned by an application security code scanner (by business unit)?
2. What percentage of the organization's database systems have not been recently scanned by a database specific vulnerability scanner (by business unit)?
3. What is the aggregate vulnerability rating for all application and database system in the organization (by business unit)?

CSC 6 Effectiveness Test
To evaluate the implementation of Control 6 on a monthly basis, an evaluation team must use a web application vulnerability scanner to test for each relevant type of flaw identified in the regularly updated list of the "25 Most Dangerous Programming Errors" by MITRE and the SANS Institute. The scanner must be configured to assess all of the organization's Internet-accessible web applications to identify such errors. The evaluation team must verify that the scan is detected within 24 hours and that an alert is generated.

In addition to the web application vulnerability scanner, the evaluation team must also run static code analysis tools and database configuration review tools against Internet-accessible applications to identify security flaws on a monthly basis. The evaluation team must verify that all high-risk vulnerabilities identified by the automated vulnerability scanning tools or static code analysis tools have been remediated or addressed through a compensating control (such as a web application firewall) within 15 days of discovery. The evaluation team must verify that application vulnerability scanning tools have successfully completed their regular scans for the previous 30 cycles of scanning by reviewing archived alerts and reports to ensure that the scan was completed. If a scan was not completed successfully, the system must alert or send e-mail to enterprise administrative personnel indicating what happened. If a scan could not be completed in that timeframe, the evaluation team must verify that an alert or e-mail was generated indicating that the scan did not finish.

CSC 6 System Entity Relationship Diagram
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.

A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining the process of monitoring applications and using tools that enforce a security style when developing applications. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.
Step 1: Web application firewalls protect connections to internal web applications
Step 2: Software applications securely connect to database systems
Step 3: Code analysis and vulnerability scanning tools scan application systems and database systems.
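CSC 6-3 (explicit, documented input checking), CSC 6-5 (no system error messages to end users) and the SQL injection risk named under "Why Is This Control Critical?" come together in a single request handler. The following is an added example, not code from the Critical Security Controls document: it shows the concatenated-query form beside the validated, parameterized form, using Python's standard-library sqlite3 against a constructed in-memory table (the `accounts` schema, usernames and the `handle_request` handler are invented for the example).

```python
import logging
import re
import sqlite3
from typing import List, Tuple

log = logging.getLogger("app-security-example")


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for a production system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, unit TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("alice", "finance", 120), ("bob", "ops", 40), ("carol", "finance", 75)],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """Vulnerable form: untrusted input is spliced into the statement text, so
    the input can change the query's logic instead of being treated as data."""
    sql = "SELECT username, unit FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


# CSC 6-3: the accepted format is written down once and enforced on every call.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


class ValidationError(ValueError):
    pass


def validate_username(value) -> str:
    """Explicit checks for data type, size and acceptable format (CSC 6-3)."""
    if not isinstance(value, str):
        raise ValidationError("username must be a string")
    if not 3 <= len(value) <= 32:
        raise ValidationError("username length must be 3..32")
    if not USERNAME_RE.match(value):
        raise ValidationError("username contains disallowed characters")
    return value


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """Hardened form: validate first, then bind the value as a parameter so the
    database driver never interprets it as SQL."""
    name = validate_username(username)
    return conn.execute(
        "SELECT username, unit FROM accounts WHERE username = ?", (name,)
    ).fetchall()


def handle_request(conn: sqlite3.Connection, username) -> Tuple[int, str]:
    """Return (status, body) the way a web handler would. CSC 6-5: the end user
    gets a generic message; the detail goes to the server log, not the response."""
    try:
        rows = lookup_safe(conn, username)
    except ValidationError as exc:
        log.warning("rejected input %r: %s", username, exc)
        return 400, "Invalid request."
    except sqlite3.Error as exc:
        log.error("database error for %r: %s", username, exc)
        return 500, "An internal error occurred."
    if not rows:
        return 404, "Not found."
    return 200, ", ".join(f"{user}:{unit}" for user, unit in rows)


if __name__ == "__main__":
    db = build_sample_db()
    print(handle_request(db, "alice"))
    print(handle_request(db, "x' OR '1'='1"))   # rejected before it reaches SQL
```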
CSC 7: Wireless Access Control
The processes and tools used to track/control/prevent/correct the security use of wireless local area networks (LANS), access points, and wireless client systems.

Why Is This Control Critical?
Major thefts of data have been initiated by attackers who have gained wireless access to organizations from outside the physical building, bypassing organizations' security perimeters by connecting wirelessly to access points inside the organization. Wireless clients accompanying traveling officials are infected on a regular basis through remote exploitation during air travel or in cyber cafes. Such exploited systems are then used as back doors when they are reconnected to the network of a target organization. Still other organizations have reported the discovery of unauthorized wireless access points on their networks, planted and sometimes hidden for unrestricted access to an internal network. Because they do not require direct physical connections, wireless devices are a convenient vector for attackers to maintain long-term access into a target environment.

How to Implement This Control
ID # | Description | Category
CSC 7-1 | Ensure that each wireless device connected to the network matches an authorized configuration and security profile, with a documented owner of the connection and a defined business need. Organizations should deny access to those wireless devices that do not have such a configuration and profile. | Quick Win
CSC 7-2 | Configure network vulnerability scanning tools to detect wireless access points connected to the wired network. Identified devices should be reconciled against a list of authorized wireless access points. Unauthorized (i.e., rogue) access points should be deactivated. | Quick Win
CSC 7-3 | Use wireless intrusion detection systems (WIDS) to identify rogue wireless devices and detect attack attempts and successful compromises. In addition to WIDS, all wireless traffic should be monitored by WIDS as traffic passes into the wired network. | Visibility/Attribution
CSC 7-4 | Where a specific business need for wireless access has been identified, configure wireless access on client machines to allow access only to authorized wireless networks. | Configuration/Hygiene
CSC 7-5 | For devices that do not have an essential wireless business purpose, disable wireless access in the hardware configuration (basic input/output system or extensible firmware interface), with password protections to lower the possibility that the user will override such configurations. | Configuration/Hygiene
CSC 7-6 | Ensure that all wireless traffic leverages at least Advanced Encryption Standard (AES) encryption used with at least Wi-Fi Protected Access 2 (WPA2) protection. | Configuration/Hygiene
CSC 7-7 | Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), which provide credential protection and mutual authentication. | Configuration/Hygiene
CSC 7-8 | Disable peer-to-peer wireless network capabilities on wireless clients, unless such functionality meets a documented business need. | Configuration/Hygiene
CSC 7-9 | Disable wireless peripheral access of devices (such as Bluetooth), unless such access is required for a documented business need. | Configuration/Hygiene
CSC 7-10 | Create separate virtual local area networks (VLANs) for BYOD systems or other untrusted devices. Internet access from this VLAN should go through at least the same border as corporate traffic. Enterprise access from this VLAN should be treated as untrusted and filtered and audited accordingly. | Configuration/Hygiene

CSC 7 Procedures and Tools
Effective organizations run commercial wireless scanning, detection, and discovery tools as well as commercial wireless intrusion detection systems. Additionally, the security team should periodically capture wireless traffic from within the borders of a facility and use free and commercial analysis tools to determine whether the wireless traffic was transmitted using weaker protocols or encryption than the organization mandates. When devices relying on weak wireless security settings are identified, they should be found within the organization's asset inventory and either reconfigured more securely or denied access to the organization network. Additionally, the security team should employ remote management tools on the wired network to pull information about the wireless capabilities and devices connected to managed systems.

CSC 7 Effectiveness Metrics
In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:
1. Are systems capable of identifying unauthorized wireless devices or configurations when they are within range of the organization's systems or connected to their networks (yes or no)?
2. How long does it take to generate alerts about unauthorized wireless devices that are detected (time in minutes)?
3. How long does it take for unauthorized wireless devices to be blocked from connecting or isolated from the network (time in minutes)?
4. Are additional alerts generated every 24 hours after the initial alert until the system is isolated or removed from the network (yes or no)?
5. Is the system able to identify the location, department, and other details of where authorized and unauthorized wireless devices are plugged into the network (yes or no)?

CSC 7 Automation Metrics
In order to automate the collection of relevant data from these systems, organizations should gather the following information with automated technical sensors:
1. How many rogue wireless access points have been discovered recently in the organization (by business unit)? This should include non-persistent, temporary and transient access points.
2. What is the average time that it takes to remove rogue access points from the organization's network (by business unit)?
3. How many wireless access points or clients have been discovered using an unauthorized wireless configuration recently in the organization (by business unit)?

CSC 7 Effectiveness Test
To evaluate the implementation of Control 7 on a periodic basis, the evaluation team must configure 10 unauthorized but hardened wireless clients and wireless access points to the organization's network and attempt to connect them to its wireless networks. In the case of wireless access points, these access points must not be directly connected to the organization's trusted network. Instead, they must simply be configured to act as a wireless gateway without physically connecting to a wired network interface. In the case of scanning for wireless access points from a wired interface, the connected access point must have the wireless radio disabled for the duration of the test. These systems must be configured to test each of the following scenarios:
A wireless client with an unauthorized service set identifier configured on it.
A wireless client with improper encryption configured.
A wireless client with improper authentication configured.
A wireless access point with improper encryption configured.
A wireless access point with improper authentication configured.
A completely rogue wireless access point using an unauthorized configuration.
When any of the above-noted systems attempt to connect to the wireless network, an alert must be generated and enterprise staff must respond to the alerts to isolate the detected device or remove the device from the network.

CSC 7 System Entity Relationship Diagram
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.

A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining the configuration and management of wireless devices, wireless IDS/scanners, wireless device management systems, and vulnerability scanners. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.
Step 1: Hardened configurations applied to wireless devices
Step 2: Hardened configurations managed by a configuration management system
Step 3: Configuration management system manages the configurations on wireless devices
Step 4: Wireless IDS monitor usage of wireless communications
Step 5: Vulnerability scanners scan wireless devices for potential vulnerabilities
Step 6: Wireless clients utilize wireless infrastructure systems in a secure manner.
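The reconciliation that CSC 7-1 and 7-2 describe, checked against the CSC 7-6 and 7-7 minimums, can be expressed as a small rule set that classifies each observed device into one of the six scenarios of the CSC 7 effectiveness test. The following is an added example (not from the Critical Security Controls document): the authorized profile, the BSSIDs, hostnames and SSIDs are all constructed for the example, and the observations are assumed to come from a wireless IDS or scanner export.

```python
from dataclasses import dataclass
from typing import Dict, List

# Authorized wireless profile (constructed). CSC 7-1 expects every wireless
# device to match it; the encryption and authentication minimums are CSC 7-6
# and CSC 7-7. BSSIDs use the locally-administered 02: prefix and are invented.
AUTHORIZED_SSIDS = {"CorpSecure"}
AUTHORIZED_AP_BSSIDS = {"02:00:5e:00:53:01", "02:00:5e:00:53:02", "02:00:5e:00:53:03"}
ALLOWED_ENCRYPTION = {"WPA2-AES", "WPA3-AES"}  # CSC 7-6: at least AES with WPA2
ALLOWED_AUTH = {"EAP-TLS"}                     # CSC 7-7: credential protection, mutual auth


@dataclass(frozen=True)
class WirelessObservation:
    kind: str         # "ap" or "client"
    identifier: str   # BSSID for an AP, hostname for a client
    ssid: str
    encryption: str
    auth: str


@dataclass(frozen=True)
class Finding:
    identifier: str
    kind: str
    scenario: str     # which CSC 7 effectiveness-test scenario this matches


def assess(obs: WirelessObservation) -> List[Finding]:
    """Compare one observed device against the authorized profile."""
    findings: List[Finding] = []
    if obs.kind == "ap" and obs.identifier not in AUTHORIZED_AP_BSSIDS:
        # CSC 7-2: an AP not on the authorized list is rogue whatever SSID it advertises
        findings.append(Finding(obs.identifier, obs.kind, "rogue access point"))
    elif obs.ssid not in AUTHORIZED_SSIDS:
        findings.append(Finding(obs.identifier, obs.kind, "unauthorized SSID"))
    if obs.encryption not in ALLOWED_ENCRYPTION:
        findings.append(Finding(obs.identifier, obs.kind, "improper encryption"))
    if obs.auth not in ALLOWED_AUTH:
        findings.append(Finding(obs.identifier, obs.kind, "improper authentication"))
    return findings


def reconcile(observations: List[WirelessObservation]) -> Dict[str, List[Finding]]:
    """Findings keyed by device identifier; compliant devices are omitted."""
    report: Dict[str, List[Finding]] = {}
    for obs in observations:
        found = assess(obs)
        if found:
            report[obs.identifier] = found
    return report


def scenario_counts(report: Dict[str, List[Finding]]) -> Dict[str, int]:
    """Totals that feed the CSC 7 automation metrics (rogue APs, unauthorized configs)."""
    counts: Dict[str, int] = {}
    for findings in report.values():
        for f in findings:
            counts[f.scenario] = counts.get(f.scenario, 0) + 1
    return counts


# Constructed observations: one compliant AP plus the six test scenarios.
SAMPLE_OBSERVATIONS = [
    WirelessObservation("ap", "02:00:5e:00:53:01", "CorpSecure", "WPA2-AES", "EAP-TLS"),
    WirelessObservation("client", "lt-0420", "FreeCoffeeWifi", "WPA2-AES", "EAP-TLS"),
    WirelessObservation("client", "lt-0421", "CorpSecure", "WEP", "EAP-TLS"),
    WirelessObservation("client", "lt-0422", "CorpSecure", "WPA2-AES", "PEAP-MSCHAPv2"),
    WirelessObservation("ap", "02:00:5e:00:53:02", "CorpSecure", "WPA-TKIP", "EAP-TLS"),
    WirelessObservation("ap", "02:00:5e:00:53:03", "CorpSecure", "WPA2-AES", "PSK"),
    WirelessObservation("ap", "02:00:5e:00:53:99", "Guest-Rogue", "OPEN", "NONE"),
]


if __name__ == "__main__":
    result = reconcile(SAMPLE_OBSERVATIONS)
    for device, findings in result.items():
        print(device, [f.scenario for f in findings])
    print(scenario_counts(result))
```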
CSC 8: Data Recovery Capability
The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.

Why Is This Control Critical?
When attackers compromise machines, they often make significant changes to configurations and software. Sometimes attackers also make subtle alterations of data stored on compromised machines, potentially jeopardizing organizational effectiveness with polluted information. When the attackers are discovered, it can be extremely difficult for organizations without a trustworthy data recovery capability to remove all aspects of the attacker's presence on the machine.

How to Implement This Control
ID # | Description | Category
CSC 8-1 | Ensure that each system is automatically backed up on at least a weekly basis, and more often for systems storing sensitive information. To help ensure the ability to rapidly restore a system from backup, the operating system, application software, and data on a machine should each be included in the overall backup procedure. These three components of a system do not have to be included in the same backup file or use the same backup software. There should be multiple backups over time, so that in the event of malware infection, restoration can be from a version that is believed to predate the original infection. All backup policies should be compliant with any regulatory or official requirements. | Quick Win
CSC 8-2 | Test data on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working. | Quick Win
CSC 8-3 | Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services. | Configuration/Hygiene
CSC 8-4 | [NEW] Ensure that key systems have at least one backup destination that is not continuously addressable through operating system calls. This will mitigate the risk of attacks like CryptoLocker which seek to encrypt or damage data on all addressable data shares, including backup destinations. |

CSC 8 Procedures and Tools
Once per quarter (or whenever new backup equipment is purchased), a testing team should evaluate a random sample of system backups by attempting to restore them on a test bed environment. The restored systems should be verified to ensure that the operating system, application, and data from the backup are all intact and functional. In the event of malware infection, restoration procedures should use a version of the backup which is believed to predate the original infection.

CSC 8 Effectiveness Metrics
Percentage of systems with current backups within their target frequency (targets can vary by system role, type, and criticality)

CSC 8 Automation Metrics
None

CSC 8 Effectiveness Test
The evaluation team should identify 5 systems in the environment and restore to a test system (physical or virtual) using the most recent backup. Verify that the system has been restored properly by comparing the restore results to the original system.

CSC 8 System Entity Relationship Diagram
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.

A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining an organization's capability to restore systems in the event that data need to be restored because of a data loss or breach of a system. While backups are certainly an important part of this process, the ability to restore data is the critical component. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.
Step 1: Production business systems backed up on a regular basis to authorized organizational backup systems
Step 2: Backups created are stored offline at secure storage facilities.
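The CSC 8 effectiveness metric (systems with a current backup within a role-dependent target frequency), the CSC 8-1 and procedures requirement to restore from a copy believed to predate an infection, and the CSC 8-4 offline-destination check can all be evaluated from a backup catalog export. The following is an added example, not code from the Critical Security Controls document; the inventory, role targets, catalog records and timestamps are constructed, and the catalog format is assumed rather than taken from any particular backup product.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Target backup frequency by system role (constructed values; the CSC 8
# effectiveness metric says targets vary by system role, type and criticality).
TARGET_FREQUENCY: Dict[str, timedelta] = {
    "sensitive-db": timedelta(days=1),  # CSC 8-1: more often for sensitive data
    "workstation": timedelta(days=7),   # CSC 8-1: at least weekly
    "web-server": timedelta(days=7),
}

# Constructed inventory: system name -> role.
INVENTORY: Dict[str, str] = {
    "db01": "sensitive-db",
    "db02": "sensitive-db",
    "ws-17": "workstation",
    "ws-22": "workstation",  # deliberately has no backups at all
    "web01": "web-server",
}


@dataclass(frozen=True)
class BackupRecord:
    system: str
    taken_at: datetime
    offline: bool           # CSC 8-4: stored where OS calls cannot reach it
    restore_verified: bool  # CSC 8-2: a test restore of this copy succeeded


# Constructed backup catalog, in the shape a backup system might export.
SAMPLE_CATALOG: List[BackupRecord] = [
    BackupRecord("db01", datetime(2024, 3, 11, 23, 0), offline=False, restore_verified=True),
    BackupRecord("db01", datetime(2024, 3, 12, 1, 0), offline=True, restore_verified=True),
    BackupRecord("db02", datetime(2024, 3, 10, 1, 0), offline=True, restore_verified=True),
    BackupRecord("ws-17", datetime(2024, 3, 8, 20, 0), offline=False, restore_verified=True),
    BackupRecord("web01", datetime(2024, 3, 1, 2, 0), offline=True, restore_verified=True),
    BackupRecord("web01", datetime(2024, 3, 9, 2, 0), offline=True, restore_verified=False),
    BackupRecord("web01", datetime(2024, 3, 11, 2, 0), offline=True, restore_verified=True),
]


def latest_backup(catalog: List[BackupRecord], system: str) -> Optional[BackupRecord]:
    mine = [b for b in catalog if b.system == system]
    return max(mine, key=lambda b: b.taken_at, default=None)


def backup_currency(inventory: Dict[str, str], catalog: List[BackupRecord],
                    now: datetime) -> Tuple[float, List[str]]:
    """CSC 8 effectiveness metric: percentage of systems whose latest backup lies
    within the target frequency for their role, plus the list of stale systems.
    A system with no backup at all counts as stale."""
    stale: List[str] = []
    for system in sorted(inventory):
        latest = latest_backup(catalog, system)
        target = TARGET_FREQUENCY[inventory[system]]
        if latest is None or now - latest.taken_at > target:
            stale.append(system)
    current = len(inventory) - len(stale)
    return round(100.0 * current / len(inventory), 1), stale


def pre_infection_restore_point(catalog: List[BackupRecord], system: str,
                                infection_time: datetime) -> Optional[BackupRecord]:
    """Most recent verified backup believed to predate the infection (CSC 8-1 and
    the CSC 8 procedures). Copies that never passed a test restore are skipped."""
    candidates = [
        b for b in catalog
        if b.system == system and b.restore_verified and b.taken_at < infection_time
    ]
    return max(candidates, key=lambda b: b.taken_at, default=None)


def systems_without_offline_copy(inventory: Dict[str, str],
                                 catalog: List[BackupRecord]) -> List[str]:
    """CSC 8-4 check: systems with no backup destination that is not continuously
    addressable through operating system calls."""
    have_offline = {b.system for b in catalog if b.offline}
    return [s for s in sorted(inventory) if s not in have_offline]


if __name__ == "__main__":
    now = datetime(2024, 3, 12, 12, 0)
    print(backup_currency(INVENTORY, SAMPLE_CATALOG, now))
    print(pre_infection_restore_point(SAMPLE_CATALOG, "web01", datetime(2024, 3, 10)))
    print(systems_without_offline_copy(INVENTORY, SAMPLE_CATALOG))
```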
CSC 9: Security Skills Assessment and Appropriate Training to Fill Gaps

For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.

Why Is This Control Critical?

It is tempting to think of cyber defense primarily as a technical challenge, but the actions of people also play a critical part in the success or failure of an enterprise. People fulfill important functions at every stage of system design, implementation, operation, use, and oversight. Examples include: the actions of end users (who can fall prey to social engineering schemes such as phishing); IT operations (who may not recognize the security implications of IT artifacts and logs); security analysts (who struggle to keep up with an explosion of new information); system developers and programmers (who don't understand the opportunity to resolve root-cause vulnerabilities early in the system life cycle); and executives and system owners (who struggle to quantify the role that cybersecurity plays in overall operational/mission risk, and have no reasonable way to make relevant investment decisions). Attackers are very conscious of these issues and use them to plan their exploitations by, for example: carefully crafting phishing messages that look like routine and expected traffic to an unwary user; exploiting the gaps or seams between policy and technology (e.g., policies that have no technical enforcement); working within the time window of patching or log review; and using nominally non-security-critical systems as jump points or bots. No cyber defense approach can begin to address cyber risk without a means to address this fundamental vulnerability.
Conversely, empowering people with good cyber defense habits can significantly increase readiness.

How to Implement This Control

CSC 9-1 (Quick Win): Perform a gap analysis to see which skills employees need and which behaviors employees are not adhering to, using this information to build a baseline training and awareness roadmap for all employees.

CSC 9-2 (Quick Win): Deliver training to fill the skills gap. If possible, use more senior staff to deliver the training. A second option is to have outside teachers provide training onsite so the examples used will be directly relevant. If you have small numbers of people to train, use training conferences or online training to fill the gaps.

CSC 9-3 (Quick Win): Implement an online security awareness program that (1) focuses only on the methods commonly used in intrusions that can be blocked through individual action, (2) is delivered in short online modules convenient for employees, (3) is updated frequently (at least annually) to represent the latest attack techniques, (4) is mandated for completion by all employees at least annually, and (5) is reliably monitored for employee completion.

CSC 9-4 (Visibility/Attribution): Validate and improve awareness levels through periodic tests to see whether employees will click on a link from a suspicious e-mail or provide sensitive information on the telephone without following appropriate procedures for authenticating a caller; targeted training should be provided to those who fall victim to the exercise.

CSC 9-5 (Configuration/Hygiene): Use security skills assessments for each of the mission-critical roles to identify skills gaps. Use hands-on, real-world examples to measure mastery. If you do not have such assessments, use one of the available online competitions that simulate real-world scenarios for each of the identified jobs in order to measure skills mastery.
CSC 9 Procedures and Tools

An effective enterprise-wide training program should take a holistic approach and consider policy and technology at the same time as the training of people. For example, policies should be designed with technical measurement and enforcement when possible, reinforced by training to fill gaps; technical controls can be implemented to bound and minimize the opportunity for people to make mistakes, and so focus the training on things that cannot be managed technically.

To be effective in both cost and outcome, security training should be prioritized, focused, and specific (for example, using a S.M.A.R.T. metrics program). A key way to prioritize training is to focus first on those jobs and roles that are critical to the mission or business outcome of the enterprise. One way to identify these mission-critical jobs is to reference the list prepared by the Council on CyberSecurity (which builds upon the work of the 2012 Task Force on Cyber Skills established by the Secretary of Homeland Security): 1) System and Network Penetration Testers, 2) Application Penetration Testers, 3) Security Monitoring and Event Analysts, 4) Incident Responders In-Depth, 5) Counter-Intelligence/Insider Threat Analysts, 6) Risk Assessment Engineers, 7) Secure Coders and Code Reviewers, 8) Security Engineers/Architecture and Design, 9) Security Engineers/Operations, and 10) Advanced Forensics Analysts. The Council has validated this list as consistent with the broader NIST National Initiative on Cybersecurity Education (NICE) framework, and with the needs of many enterprises in government and industry. Training for these mission-critical roles should be supplemented with foundational security training for all users. See < www.counciloncybersecurity.org/practice-areas/people >.

General awareness training for all users also plays an important role. But even this training should be tailored to functional roles, focused on specific actions that put the organization at risk, and measured in order to drive remediation. The key to upgrading skills is measurement through assessments that show both the employee and the employer where knowledge is sufficient and where there are gaps. Once the gaps have been identified, those employees who have the requisite skills and knowledge can be called upon to mentor employees who need to improve their skills. In addition, the organization can develop training plans to fill the gaps and maintain employee readiness.

A full treatment of this topic is beyond the scope of the Critical Security Controls. However, the actions in CSC 9 provide specific, high-priority steps that can improve enterprise security, and should be a part of any comprehensive security training program.

CSC 9 Effectiveness Metrics

1. Participation rate for online training courses: percentage of staff completing security training (by business unit)
2. Average scores of online tests, compared to baseline (previous tests, industry data if available, etc.), by business unit
3. Average scores of periodic tests (e.g., click rates for test phishing e-mails), by business unit
4. Individual scores on skill assessment tests for individual mission-critical roles, by business unit
5. Retention (or job opening fill rate) of mission-critical roles (org/unit metric)

CSC 9 Automation Metrics

None.

CSC 9 Effectiveness Test

None.
CSC 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

Why Is This Control Critical?

As delivered from manufacturers and resellers, the default configurations for network infrastructure devices are geared for ease of deployment and ease of use, not security. Open services and ports, default accounts (including service accounts) or passwords, support for older (vulnerable) protocols, and pre-installation of unneeded software can all be exploitable in their default state. Attackers take advantage of network devices becoming less securely configured over time as users demand exceptions for specific business needs. Sometimes the exceptions are deployed and then left in place when they are no longer applicable to the business needs. In some cases, the security risk of the exception is neither properly analyzed nor measured against the associated business need, and it can change over time. Attackers search for vulnerable default settings and electronic holes in firewalls, routers, and switches and use those to penetrate defenses. They exploit flaws in these devices to gain access to networks, redirect traffic on a network, and intercept information while in transmission. Through such actions, the attacker gains access to sensitive data, alters important information, or even uses a compromised machine to pose as another trusted system on the network.

How to Implement This Control

CSC 10-1 (Quick Win): Compare firewall, router, and switch configurations against the standard secure configurations defined for each type of network device in use in the organization. The security configuration of such devices should be documented, reviewed, and approved by an organizational change control board. Any deviations from the standard configuration or updates to the standard configuration should be documented and approved in a change control system.

CSC 10-2 (Configuration/Hygiene): All new configuration rules beyond a baseline-hardened configuration that allow traffic to flow through network security devices, such as firewalls and network-based IPS, should be documented and recorded in a configuration management system, with a specific business reason for each change, a specific individual's name responsible for that business need, and an expected duration of the need.

CSC 10-3 (Configuration/Hygiene): Use automated tools to verify standard device configurations and detect changes. All alterations to such files should be automatically reported to security personnel.

CSC 10-4 (Configuration/Hygiene): Manage network devices using two-factor authentication and encrypted sessions.

CSC 10-5 (Configuration/Hygiene): Install the latest stable version of any security-related updates.

CSC 10-6 (Advanced): Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions to network devices.
CSC 10 Procedures and Tools

Some organizations use commercial tools that evaluate the rule set of network filtering devices to determine whether the rules are consistent or in conflict, providing an automated sanity check of network filters and a search for errors in rule sets or access control lists (ACLs) that may allow unintended services through the device. Such tools should be run each time significant changes are made to firewall rule sets, router ACLs, or other filtering technologies.

CSC 10 Effectiveness Metrics

In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:

1. How long does it take to detect configuration changes to a network system (time in minutes)?
2. How long does it take the scanners to alert the organization's administrators that an unauthorized configuration change has occurred (time in minutes)?
3. How long does it take to block/quarantine unauthorized changes on network systems (time in minutes)?
4. Are the scanners able to identify the location, department, and other critical details about the systems where unauthorized changes occurred (yes or no)?

CSC 10 Automation Metrics

In order to automate the collection of relevant data from these systems, organizations should gather the following information with automated technical sensors:

1. What is the percentage of network devices that are not currently configured with a security configuration that matches the organization's approved configuration standard (by business unit)?
2. What is the percentage of network devices whose security configuration is not enforced by the organization's technical configuration management applications (by business unit)?
3. What is the percentage of network devices that are not up to date with the latest available operating system software security patches (by business unit)?
4. What is the percentage of network devices that do not require two-factor authentication to administer the device (by business unit)?

CSC 10 Effectiveness Test

To evaluate the implementation of Control 10 on a periodic basis, an evaluation team must make a change to each type of network device plugged into the network. At a minimum, routers, switches, and firewalls need to be tested. If they exist, IPS, IDS, and other network devices must be included. Backups must be made prior to making any changes to critical network devices. It is critical that changes not impact or weaken the security of the device. Acceptable changes include but are not limited to adding a comment or adding a duplicate entry in the configuration. The change must be performed twice for each critical device. The evaluation team must then verify that the systems generate an alert or e-mail notice regarding the changes to the device within 24 hours. It is important that the evaluation team verify that all unauthorized changes have been detected, the account making the changes has been recorded, and the changes have resulted in an alert or e-mail notification. The evaluation team must verify that the system provides details of the location of each device, including information about the asset owner.

While the 24-hour timeframe represents the current metric to help organizations improve their state of security, in the future organizations should strive for even more rapid alerting and isolation, with notification about unauthorized configuration changes in network devices sent within two minutes. If appropriate, an additional test must be performed on a daily basis to ensure that other protocols such as IPv6 are being filtered properly.

CSC 10 System Entity Relationship Diagram

Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.
A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case we are examining the network devices, test lab network devices, configuration systems, and configuration management devices. The following list of the steps in the diagram above shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.

Step 1: Hardened device configurations applied to production devices
Step 2: Hardened device configuration stored in a secure configuration management system
Step 3: Management network system validates configurations on production network devices
Step 4: Patch management system applies tested software updates to production network devices
Step 5: Two-factor authentication system required for administrative access to production devices
Step 6: Proxy/firewall/network monitoring systems analyze all connections to production network devices.
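The CSC 10 procedures and tools describe rule-set consistency checkers, and CSC 10-3 calls for automated detection of configuration changes. The following Python is an added example of both checks in miniature; it is not code from the Critical Security Controls document or from any commercial tool. `analyze_rules()` walks an ordered rule set and reports rules that an earlier rule fully covers (redundant if the actions agree, a conflict if they differ, since the later rule can never take effect either way), and `config_drift()` diffs a running configuration against the approved baseline. The `Rule` format, the sample rules, and the two configuration fragments are constructed.

```python
"""Sanity-check an ordered firewall rule set for shadowed and conflicting rules,
and detect drift between a stored baseline configuration and a running configuration.

Added example for the CSC 10 procedures and tools; not part of the Critical Security
Controls document. The rule tuple format and the sample rule set are assumptions.
"""
import difflib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "permit" or "deny"
    proto: str           # "tcp", "udp" or "any"
    src: str             # CIDR
    dst: str             # CIDR
    dport: tuple         # (low, high) inclusive; (0, 65535) means any port

    def covers(self, other):
        """True if every packet matched by `other` is also matched by this rule."""
        proto_ok = self.proto == "any" or self.proto == other.proto
        src_ok = ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
        dst_ok = ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
        port_ok = self.dport[0] <= other.dport[0] and other.dport[1] <= self.dport[1]
        return proto_ok and src_ok and dst_ok and port_ok


def analyze_rules(rules):
    """Walk the rules in match order and report the ones that can never take effect.

    shadowed:  a later rule fully covered by an earlier rule with the same action
               (redundant; safe to remove)
    conflicts: a later rule fully covered by an earlier rule with the opposite action
               (the later intent is unreachable; a frequent source of unintended
               permits or of outages)
    """
    shadowed, conflicts = [], []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                target = shadowed if earlier.action == later.action else conflicts
                target.append((later.name, earlier.name))
                break  # the first covering rule is the one that actually matches
    return {"shadowed": shadowed, "conflicts": conflicts}


def config_drift(baseline_text, running_text):
    """Lines added to or removed from the running config relative to the approved baseline."""
    diff = difflib.unified_diff(baseline_text.splitlines(), running_text.splitlines(),
                                lineterm="", n=0)
    body = [l for l in diff if not l.startswith(("---", "+++", "@@"))]
    return {
        "added": [l[1:] for l in body if l.startswith("+")],
        "removed": [l[1:] for l in body if l.startswith("-")],
    }


# Constructed sample rule set (not taken from any real device).
SAMPLE_RULES = [
    Rule("allow-web", "permit", "tcp", "0.0.0.0/0", "10.1.1.0/24", (80, 443)),
    Rule("allow-https-dup", "permit", "tcp", "203.0.113.0/24", "10.1.1.10/32", (443, 443)),
    Rule("deny-ssh-from-guest", "deny", "tcp", "10.9.0.0/16", "10.1.0.0/16", (22, 22)),
    Rule("allow-ssh-guest-admin", "permit", "tcp", "10.9.5.0/24", "10.1.0.5/32", (22, 22)),
    Rule("deny-all", "deny", "any", "0.0.0.0/0", "0.0.0.0/0", (0, 65535)),
]

# Constructed configuration fragments: the running device re-enabled an HTTP
# server and grew an SNMP community the baseline never had.
BASELINE_CONFIG = "hostname edge-fw1\nno ip http server\nntp server 10.0.0.5\n"
RUNNING_CONFIG = ("hostname edge-fw1\nip http server\nntp server 10.0.0.5\n"
                  "snmp-server community public RO\n")

if __name__ == "__main__":
    print(analyze_rules(SAMPLE_RULES))
    print(config_drift(BASELINE_CONFIG, RUNNING_CONFIG))
```

In the sample set, `allow-https-dup` is redundant with `allow-web`, while `allow-ssh-guest-admin` is a conflict: the broader `deny-ssh-from-guest` above it wins, so the intended exception never applies. The drift check is deliberately line-based so that it can run against any device whose configuration exports as text; every reported line should map to an approved change record per CSC 10-1 and 10-2.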
CSC 11: Limitation and Control of Network Ports, Protocols, and Services

Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize windows of vulnerability available to attackers.

Why Is This Control Critical?

Attackers search for remotely accessible network services that are vulnerable to exploitation. Common examples include poorly configured web servers, mail servers, file and print services, and domain name system (DNS) servers installed by default on a variety of different device types, often without a business need for the given service. Many software packages automatically install services and turn them on as part of the installation of the main software package without informing a user or administrator that the services have been enabled. Attackers scan for such issues and attempt to exploit these services, often trying default user IDs and passwords or widely available exploitation code.

How to Implement This Control

CSC 11-1 (Quick Win): Ensure that only ports, protocols, and services with validated business needs are running on each system.

CSC 11-2 (Quick Win): Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except the services and ports that are explicitly allowed.

CSC 11-3 (Quick Win): Perform automated port scans on a regular basis against all key servers and compare the results to a known effective baseline. If a change that is not listed on the organization's approved baseline is discovered, an alert should be generated and reviewed.

CSC 11-4 (Quick Win): Keep all services up to date and uninstall and remove any unnecessary components from the system.

CSC 11-5 (Visibility/Attribution): Verify any server that is visible from the Internet or an untrusted network, and if it is not required for business purposes, move it to an internal VLAN and give it a private address.

CSC 11-6 (Configuration/Hygiene): Operate critical services on separate physical or logical host machines, such as DNS, file, mail, web, and database servers.

CSC 11-7 (Advanced): Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized services or traffic should be blocked and an alert generated.

CSC 11 Procedures and Tools

Port scanning tools are used to determine which services are listening on the network for a range of target systems. In addition to determining which ports are open, effective port scanners can be configured to identify the version of the protocol and service listening on each discovered open port. This list of services and their versions is compared against an inventory of services required by the organization for each server and workstation in an asset management system. Recently added features in these port scanners are being used to determine the changes in services offered by scanned machines on the network since the previous scan, helping security personnel identify differences over time.

CSC 11 Effectiveness Metrics

In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:

1. How long does it take systems to identify any new unauthorized listening network ports that are installed on network systems (time in minutes)?
2. How long does it take for alerts to be generated about new services being installed (time in minutes)?
3. Are alerts then sent every 24 hours until the listening network port has been disabled or has been authorized by change management (yes or no)?
4. Do alerts indicate the location, department, and other details about the system where authorized and unauthorized network ports are running (yes or no)?

CSC 11 Automation Metrics

In order to automate the collection of relevant data from these systems, organizations should gather the following information with automated technical sensors:

1. What is the percentage of the organization's systems that are not currently running a host-based firewall (by business unit)?
2. How many unauthorized services are currently running on the organization's business systems (by business unit)?
3. How many deviations from approved service baselines have been discovered recently on the organization's business systems (by business unit)?
CSC 11 Effectiveness Test

To evaluate the implementation of Control 11 on a periodic basis, the evaluation team must install hardened test services with network listeners in 10 locations on the network, including a selection of subnets associated with DMZs, workstations, and servers. The selection of these systems must be as random as possible and include a cross-section of the organization's systems and locations. The evaluation team must then verify that the systems generate an alert or e-mail notice regarding the newly installed services within 24 hours of the services being installed on the network. The team must verify that the system provides details of the location of all of the systems where test services have been installed.

CSC 11 System Entity Relationship Diagram

Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.
A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining how active scanning systems gather information on network devices and evaluate that data against the authorized service baseline database. The following list of the steps in the diagram above shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.

Step 1: Active scanner analyzes production systems for unauthorized ports, protocols, and services
Step 2: System baselines regularly updated based on necessary/required services
Step 3: Active scanner validates which ports, protocols, and services are blocked or allowed by the application firewall
Step 4: Active scanner validates which ports, protocols, and services are accessible on business systems protected with host-based firewalls.
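The CSC 11 procedures describe comparing the services a port scanner finds against the approved inventory and against the previous scan. The following Python is an added example of that comparison; it is not code from the Critical Security Controls document or from any scanner. It parses a simplified one-line-per-open-port scan format, flags listeners with no validated business need (CSC 11-3), reports approved services that have disappeared, and lists what changed since the last scan. The line format, hosts, ports, and version strings are constructed; a real deployment would feed it parsed scanner output instead.

```python
"""Compare the listeners found by a port scan against the approved service baseline
and against the previous scan, as the CSC 11 procedures describe.

Added example; not part of the Critical Security Controls document. The scan record
format (one simplified line per open port) and all hosts, ports and versions below
are constructed.
"""
import re

# "<host> <proto>/<port> open <service> [<version text>]"
SCAN_LINE = re.compile(
    r"^(?P<host>\S+)\s+(?P<proto>tcp|udp)/(?P<port>\d+)\s+open\s+(?P<service>\S+)(?:\s+(?P<version>.+))?$"
)


def parse_scan(text):
    """Return {host: {(proto, port): (service, version)}} from scan output."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SCAN_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable scan line: {line!r}")
        host_entry = result.setdefault(m["host"], {})
        host_entry[(m["proto"], int(m["port"]))] = (m["service"], (m["version"] or "").strip())
    return result


def compare_to_baseline(scan, baseline):
    """Alerts for listeners not in the approved baseline, plus approved services that are missing.

    baseline: {host: {(proto, port), ...}} of listeners with a validated business need.
    A host absent from the baseline has no approved listeners, so everything on it alerts.
    """
    unauthorized, missing = [], []
    for host, listeners in scan.items():
        allowed = baseline.get(host, set())
        for key, (service, version) in sorted(listeners.items()):
            if key not in allowed:
                unauthorized.append((host, key[0], key[1], service, version))
    for host, allowed in baseline.items():
        for key in sorted(allowed):
            if key not in scan.get(host, {}):
                missing.append((host, key[0], key[1]))
    return {"unauthorized": unauthorized, "missing": missing}


def compare_to_previous(previous, current):
    """Listeners that appeared, disappeared, or changed service/version since the last scan."""
    changes = {"new": [], "gone": [], "changed": []}
    for host in sorted(set(previous) | set(current)):
        before, after = previous.get(host, {}), current.get(host, {})
        for key in sorted(set(before) | set(after)):
            if key not in before:
                changes["new"].append((host,) + key + after[key])
            elif key not in after:
                changes["gone"].append((host,) + key)
            elif before[key] != after[key]:
                changes["changed"].append((host,) + key + before[key] + after[key])
    return changes


# Constructed sample data: a web server gained a proxy listener and a new nginx
# build, and a database host started answering SNMP.
PREVIOUS_SCAN = """
10.1.1.10 tcp/22 open ssh OpenSSH 9.6
10.1.1.10 tcp/443 open https nginx 1.24.0
10.1.1.20 tcp/3306 open mysql MySQL 8.0.36
"""

CURRENT_SCAN = """
10.1.1.10 tcp/22 open ssh OpenSSH 9.6
10.1.1.10 tcp/443 open https nginx 1.26.1
10.1.1.10 tcp/8080 open http-proxy Squid 6.6
10.1.1.20 tcp/3306 open mysql MySQL 8.0.36
10.1.1.20 udp/161 open snmp net-snmp
"""

# Approved listeners per host; the baseline expects SSH on the database host too.
BASELINE = {
    "10.1.1.10": {("tcp", 22), ("tcp", 443)},
    "10.1.1.20": {("tcp", 3306), ("tcp", 22)},
}

if __name__ == "__main__":
    cur = parse_scan(CURRENT_SCAN)
    print(compare_to_baseline(cur, BASELINE))
    print(compare_to_previous(parse_scan(PREVIOUS_SCAN), cur))
```

The `missing` list is as useful as `unauthorized`: an approved service that stopped answering may mean a host-based firewall change, a dead service, or a host that was replaced without updating the baseline, each of which should produce a ticket rather than a silent baseline edit.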
CSC 12: Controlled Use of Administrative Privileges

The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.

Why Is This Control Critical?

The misuse of administrative privileges is a primary method for attackers to spread inside a target enterprise. Two very common attacker techniques take advantage of uncontrolled administrative privileges. In the first, a workstation user running as a privileged user is fooled into opening a malicious e-mail attachment, downloading and opening a file from a malicious website, or simply surfing to a website hosting attacker content that can automatically exploit browsers. The file or exploit contains executable code that runs on the victim's machine either automatically or by tricking the user into executing the attacker's content. If the victim user's account has administrative privileges, the attacker can take over the victim's machine completely and install keystroke loggers, sniffers, and remote control software to find administrative passwords and other sensitive data. Similar attacks occur with e-mail. An administrator inadvertently opens an e-mail that contains an infected attachment, and this is used to obtain a pivot point within the network from which to attack other systems. The second common technique used by attackers is elevation of privileges by guessing or cracking a password for an administrative user to gain access to a target machine. If administrative privileges are loosely and widely distributed, or administrative passwords are identical to passwords used on less critical systems, the attacker has a much easier time gaining full control of systems, because there are many more accounts that can act as avenues for the attacker to compromise administrative privileges.

How to Implement This Control

CSC 12-1 (Quick Win; one of the "First Five"): Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.

CSC 12-2 (Quick Win): Use automated tools to inventory all administrative accounts and validate that each person with administrative privileges on desktops, laptops, and servers is authorized by a senior executive.

CSC 12-3 (Quick Win): Configure all administrative passwords to be complex and contain letters, numbers, and special characters intermixed, with no dictionary words present in the password. Pass phrases containing multiple dictionary words, along with special characters, are acceptable if they are of a reasonable length.

CSC 12-4 (Quick Win): Before deploying any new devices in a networked environment, change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems to values consistent with administration-level accounts.

CSC 12-5 (Quick Win): Ensure that all service accounts have long and difficult-to-guess passwords that are changed on a periodic basis, as is done for traditional user and administrative passwords.

CSC 12-6 (Quick Win): Passwords should be hashed or encrypted in storage. Passwords that are hashed should be salted and follow the guidance provided in NIST SP 800-132 or similar guidance. Files containing these encrypted or hashed passwords, which systems require to authenticate users, should be readable only with super-user privileges.

CSC 12-7 (Quick Win): Utilize access control lists to ensure that administrative accounts are used only for system administration activities, and not for reading e-mail, composing documents, or surfing the Internet. Web browsers and e-mail clients especially must be configured to never run as administrator.

CSC 12-8 (Quick Win): Through policy and user awareness, require that administrators establish unique, different passwords for their administrative and non-administrative accounts. Each person requiring administrative access should be given his or her own separate account. Users should only use the Windows "administrator" or UNIX "root" accounts in emergency situations. Domain administration accounts should be used when required for system administration instead of local administrative accounts.

CSC 12-9 (Quick Win): Configure operating systems so that passwords cannot be re-used within a timeframe of six months.

CSC 12-10 (Visibility/Attribution): Configure systems to issue a log entry and alert when an account is added to or removed from a domain administrators' group, or when a new local administrator account is added on a system.

CSC 12-11 (Visibility/Attribution) [NEW]: Configure systems to issue a log entry and alert when an unsuccessful login to an administrative account is attempted.

CSC 12-12 (Configuration/Hygiene): Use multifactor authentication for all administrative access, including domain administrative access. Multi-factor authentication can include a variety of techniques, including the use of smart cards with certificates, One Time Password (OTP) tokens, and biometrics.

CSC 12-13 (Configuration/Hygiene) [NEW]: When using certificates to enable multi-factor certificate-based authentication, ensure that the private keys are protected using strong passwords or are stored in trusted, secure hardware tokens.

CSC 12-14 (Configuration/Hygiene): Block access to a machine (either remotely or locally) for administrator-level accounts. Instead, administrators should be required to access a system using a fully logged, non-administrative account. Then, once logged on to the machine without administrative privileges, the administrator should transition to administrative privileges using tools such as sudo on Linux/UNIX, RunAs on Windows, and similar facilities for other types of systems. Users would use their own administrative accounts and enter a password each time that is different from their user account password.
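CSC 12-6 requires stored passwords to be salted and hashed following NIST SP 800-132, which specifies PBKDF2. The following Python is an added example of that storage scheme; it is not code from the Critical Security Controls document. It uses a per-user random salt, stores the iteration count alongside the hash so the work factor can be raised later without a flag day, and verifies in constant time. The record format and the iteration count are choices made for this example, not values the page prescribes.

```python
"""Salted, iterated password hashing for stored credentials (CSC 12-6).

Added example; not part of the Critical Security Controls document. It uses
PBKDF2-HMAC-SHA256 from the standard library, the construction NIST SP 800-132
describes; the record format and iteration count are choices made here.
"""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed policy value; tune upward as hardware improves
SALT_BYTES = 16
DKLEN = 32


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_b64$hash_b64."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # unique per user, so equal passwords hash differently
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_b64, hash_b64 = record.split("$")
    except ValueError:
        return False   # malformed record: refuse rather than guess
    if scheme != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations),
                             dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(record, iterations=ITERATIONS):
    """True when a stored record uses fewer iterations than the current policy."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < iterations


def same_password_distinct_records(password):
    """Show that per-user salts make identical passwords unlinkable in storage."""
    a, b = hash_password(password), hash_password(password)
    return a != b and verify_password(password, a) and verify_password(password, b)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec),
          verify_password("Tr0ub4dor&3", rec))
```

Call `needs_rehash()` after every successful login and re-hash with the current policy when it returns true; that is how the iteration count is raised across a user population without forcing password resets. The file holding these records still needs the super-user-only permissions CSC 12-6 describes: salting and iteration slow offline cracking but do not make a leaked file harmless.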
CSC 12 Procedures and Tools

Built-in operating system features can extract lists of accounts with super-user privileges, both locally on individual systems and on domain controllers. To verify that users with high-privileged accounts do not use such accounts for day-to-day web surfing and e-mail reading, security personnel should periodically gather a list of running processes to determine whether any browsers or e-mail readers are running with high privileges. Such information gathering can be scripted, with short shell scripts searching for a dozen or more different browsers, e-mail readers, and document editing programs running with high privileges on machines. Some legitimate system administration activity may require the execution of such programs over the short term, but long-term or frequent use of such programs with administrative privileges could indicate that an administrator is not adhering to this control.

To enforce the requirement for strong passwords, built-in operating system features for minimum password length can be configured to prevent users from choosing short passwords. To enforce password complexity (requiring passwords to be a string of pseudo-random characters), built-in operating system settings or third-party password complexity enforcement tools can be applied.
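The procedures above describe scripting two checks: listing the accounts that hold super-user privileges, and finding browsers, mail readers, and document editors running with high privileges. The following Python is an added example of both on a Linux/UNIX host; it is not code from the Critical Security Controls document. `admin_members()` reads /etc/group-style text for the administrative groups, and `privileged_desktop_apps()` scans a `ps -eo user,pid,comm` listing for interactive programs owned by root. The program list, the group names, and both samples are constructed and should be tailored to the site.

```python
"""Two checks from the CSC 12 procedures: which interactive programs (browsers, mail
readers, document editors) are running with super-user privileges, and which
accounts hold super-user group membership.

Added example; not part of the Critical Security Controls document. The process
listing is in `ps -eo user,pid,comm` shape and the /etc/group content is constructed;
the program and group names are assumptions to tailor per site.
"""
import subprocess

# Interactive programs that should never run as an administrator (CSC 12-7).
DESKTOP_PROGRAMS = {
    "firefox", "firefox-bin", "chrome", "chromium", "chromium-browser", "brave",
    "thunderbird", "evolution", "mutt", "neomutt", "claws-mail",
    "libreoffice", "soffice.bin", "evince", "okular", "gedit",
}
PRIVILEGED_USERS = {"root"}
ADMIN_GROUPS = {"root", "wheel", "sudo", "admin", "adm"}


def parse_ps(text):
    """Parse `ps -eo user,pid,comm` output into (user, pid, comm) tuples, skipping the header."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3:
            rows.append((parts[0], int(parts[1]), parts[2].strip()))
    return rows


def privileged_desktop_apps(ps_rows, programs=DESKTOP_PROGRAMS, privileged=PRIVILEGED_USERS):
    """Processes whose command name is an interactive program and whose owner is privileged."""
    return [(user, pid, comm) for user, pid, comm in ps_rows
            if comm in programs and user in privileged]


def admin_members(group_text, admin_groups=ADMIN_GROUPS):
    """Map each super-user group present in /etc/group text to its explicit members."""
    members = {}
    for line in group_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, users = (line.split(":") + ["", "", ""])[:4]
        if name in admin_groups:
            members[name] = sorted(u for u in users.split(",") if u)
    return members


def live_ps_rows():
    """Collect a real listing on the current host (Linux/BSD ps syntax)."""
    out = subprocess.run(["ps", "-eo", "user,pid,comm"],
                         capture_output=True, text=True, check=True)
    return parse_ps(out.stdout)


# Constructed sample data (not captured from a real host).
SAMPLE_PS = """USER       PID COMMAND
root         1 systemd
root      2310 sshd
root      4172 firefox
alice     4201 firefox
root      4388 thunderbird
bob       5120 soffice.bin
root      6001 bash
"""

SAMPLE_GROUP = """root:x:0:
daemon:x:1:
wheel:x:10:alice,carol
sudo:x:27:alice,bob,svc-backup
users:x:100:alice,bob,carol
"""

if __name__ == "__main__":
    print(privileged_desktop_apps(parse_ps(SAMPLE_PS)))
    print(admin_members(SAMPLE_GROUP))
```

Run `privileged_desktop_apps(live_ps_rows())` from a scheduled job and forward non-empty results to the log management system; one hit may be an administrator opening release notes, but the same program appearing run after run is the pattern the procedures above call out. The group listing is only the explicit membership: users whose primary group in /etc/passwd is an administrative group, and accounts granted privilege through sudoers rules, need separate checks.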
CSC 12 Effectiveness Metrics

In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:

1. Does the system report on log-ins to administrative accounts?
2. Does the system report on elevation to administrative access, including traceability to the user account that performed the elevation?
3. Does the system provide an inventory of all administrative accounts?
4. Does the system report on the addition of new administrative accounts?
5. Does the system allow limitations to be placed on the use of administrative accounts, including not allowing web browsers and e-mail clients to run as administrator?
6. Does the system prevent administrative accounts from logging into machines, either locally or remotely, instead requiring elevation of privileges once logged in with a user account?
7. Does the system require strong passwords for all administrative accounts, and does the system require updates of administrator passwords on a regular basis?
8. Does the system audit all attempts to gain access to password files within the system?
9. Does the system comply with the password policies detailed in the control (yes or no)?
10. How long does it take for administrators to be notified about user accounts being added to super-user groups (time in minutes)?
11. Are additional alerts generated every 24 hours until the user account has been removed from, or authorized to be a part of, the super-user group (yes or no)?

CSC 12 Automation Metrics

In order to automate the collection of relevant data from these systems, organizations should gather the following information with automated technical sensors:

1. How many unauthorized elevated operating system accounts (local administrator/root) are currently configured on the organization's systems (by business unit)?
2. How many unauthorized elevated application accounts are currently configured on the organization's systems (by business unit)?
3. What percentage of the organization's elevated accounts do not currently adhere to the organization's password standard (by business unit)?
4. What percentage of the organization's elevated accounts do not require two-factor authentication (by business unit)?
5. How many attempts to upgrade an account to administrative privileges have been detected on the organization's systems recently (by business unit)?
6. How many attempts to gain access to password files within the system have been detected on the organization's systems recently (by business unit)?
Control 12 Effectiveness Test
To evaluate the implementation of Control 12 on a periodic basis, the evaluation team must attempt a variety of techniques to gain access to and exploit administrative accounts within the system. Each of the following tests must be performed at least three times:
- Attempt to gain access to a cross section of devices within the system using default administrative passwords.
- Attempt to log in remotely to machines using administrative accounts directly. Verify that this is disallowed by policy.
- Attempt to log in directly to a workstation or server with root or administrator accounts. Verify that this is disallowed by policy.
- Attempt to gain access to password files within the system using unauthorized accounts. Verify that access is disallowed and that attempts are logged and reported.
- Attempt to elevate to a privileged account on the system. Verify that the administrator password is required to perform the elevation and that the elevation is logged and reported by the system. Verify that traceability within the audit logs is provided to detail the user account that performed the elevation.
- Attempt to configure weak administrator passwords that are non-compliant with established policy. Verify that the system does not allow weak passwords to be used.
- Attempt to re-use an administrator password that was previously used for the account. Verify that the system requires unique new passwords during each update.
Each of these tests must be performed from multiple, widely distributed systems on the organization's network in order to test the effectiveness of administrator controls.

CSC 12 System Entity Relationship Diagram
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.
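The last two checks in the effectiveness test above (weak passwords refused, previously used passwords refused) are straightforward to build into a password-change path, and the following Python shows one way to do it. This is an added example, not code from the Controls document or from any product it names: the policy values (14-character minimum, three character classes, 24-entry history), the small blocklist and the function names are assumptions chosen for illustration. The history is kept as salted PBKDF2 digests so the reuse check never needs old administrator passwords in the clear.

```python
import hashlib
import os
from dataclasses import dataclass, field

# Policy values are assumptions for this example, not figures from the Controls document.
MIN_LENGTH = 14          # minimum length for an administrator password
MIN_CLASSES = 3          # of: lowercase, uppercase, digit, other
HISTORY_DEPTH = 24       # previous passwords that may not be reused
PBKDF2_ROUNDS = 100_000

# Constructed stand-in for a real breached/common-password blocklist.
WEAK_BLOCKLIST = {"password", "admin", "welcome", "changeme", "letmein"}


def policy_violations(password: str) -> list:
    """Return the rules a candidate password breaks; an empty list means it is compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    if sum(classes) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    # Strip the trailing digits/symbols people bolt onto a dictionary word ("Welcome1!").
    if password.lower().rstrip("0123456789!@#$%^&*.") in WEAK_BLOCKLIST:
        problems.append("matches a blocklisted password")
    return problems


@dataclass
class PasswordHistory:
    """Salted PBKDF2 digests of an account's previous passwords, newest first.
    Keeping digests rather than plaintext means the reuse check works without
    leaving old administrator passwords recoverable on the system."""
    entries: list = field(default_factory=list)   # [(salt, digest), ...]

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def was_used(self, password: str) -> bool:
        # Every entry has its own salt, so the candidate is hashed once per entry.
        return any(self._digest(password, salt) == digest for salt, digest in self.entries)

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.insert(0, (salt, self._digest(password, salt)))
        del self.entries[HISTORY_DEPTH:]


def change_password(history: PasswordHistory, new_password: str):
    """The two checks exercised by the effectiveness test: a weak password is refused,
    and a password used within the last HISTORY_DEPTH changes is refused.
    Returns (accepted, reasons); the reasons are what the change log should record."""
    reasons = policy_violations(new_password)
    if history.was_used(new_password):
        reasons.append(f"reused within the last {HISTORY_DEPTH} passwords")
    if reasons:
        return False, reasons
    history.record(new_password)
    return True, []
```

A rejected change returns every rule it broke rather than the first one, which is what the evaluation team wants to see in the system's own log when the test is repeated from several systems.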
A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining the components of user account provisioning and user authentication. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.
Step 1: Production systems use proper authentication systems
Step 2: Standard and administrative user accounts use proper authentication systems
Step 3: Standard and administrative user accounts properly managed via group memberships
Step 4: Administrative access to systems properly logged via log management systems
Step 5: Password assessment system validates the strength of the authentication systems.
[Diagram: CSC 12 System Entity Relationship Diagram. Entities: Standard User Accounts, Administrative User Accounts, User Groups, Authentication Systems, Production Business Systems with ACLs, Log Management System / SIEM, Password Assessment System. The numbered arrows in the diagram correspond to Steps 1-5 above.]
CSC 13: Boundary Defense
Detect/prevent/correct the flow of information transferring networks of different trust levels with a focus on security-damaging data.

Why Is This Control Critical?
Attackers focus on exploiting systems that they can reach across the Internet, including not only DMZ systems but also workstation and laptop computers that pull content from the Internet through network boundaries. Threats such as organized crime groups and nation-states use configuration and architectural weaknesses found on perimeter systems, network devices, and Internet-accessing client machines to gain initial access into an organization. Then, with a base of operations on these machines, attackers often pivot to get deeper inside the boundary to steal or change information or to set up a persistent presence for later attacks against internal hosts. Additionally, many attacks occur between business partner networks, sometimes referred to as extranets, as attackers hop from one organization's network to another, exploiting vulnerable systems on extranet perimeters.
To control the flow of traffic through network borders and police content by looking for attacks and evidence of compromised machines, boundary defenses should be multi-layered, relying on firewalls, proxies, DMZ perimeter networks, and network-based IPS and IDS. It is also critical to filter both inbound and outbound traffic.
It should be noted that boundary lines between internal and external networks are diminishing as a result of increased interconnectivity within and between organizations as well as the rapid rise in deployment of wireless technologies. These blurring lines sometimes allow attackers to gain access inside networks while bypassing boundary systems. However, even with this blurring of boundaries, effective security deployments still rely on carefully configured boundary defenses that separate networks with different threat levels, sets of users, and levels of control. And despite the blurring of internal and external networks, effective multi-layered defenses of perimeter networks help lower the number of successful attacks, allowing security personnel to focus on attackers who have devised methods to bypass boundary restrictions.
How to Implement This Control
ID # / Description / Category
CSC 13-1 [Quick Win] Deny communications with (or limit data flow to) known malicious IP addresses (black lists), or limit access only to trusted sites (whitelists). Tests can be periodically carried out by sending packets from bogon source IP addresses (non-routable or otherwise unused IP addresses) into the network to verify that they are not transmitted through network perimeters. Lists of bogon addresses are publicly available on the Internet from various sources, and indicate a series of IP addresses that should not be used for legitimate traffic traversing the Internet.
CSC 13-2 [Quick Win] On DMZ networks, configure monitoring systems (which may be built in to the IDS sensors or deployed as a separate technology) to record at least packet header information, and preferably full packet header and payloads of the traffic destined for or passing through the network border. This traffic should be sent to a properly configured Security Information and Event Management (SIEM) or log analytics system so that events can be correlated from all devices on the network.
CSC 13-3 [Quick Win] To lower the chance of spoofed e-mail messages, implement the Sender Policy Framework (SPF) by deploying SPF records in DNS and enabling receiver-side verification in mail servers.
CSC 13-4 [Visibility/Attribution] Deploy network-based IDS sensors on Internet and extranet DMZ systems and networks that look for unusual attack mechanisms and detect compromise of these systems. These network-based IDS sensors may detect attacks through the use of signatures, network behavior analysis, or other mechanisms to analyze traffic.
CSC 13-5 [Visibility/Attribution] Network-based IPS devices should be deployed to complement IDS by blocking known bad signatures or behavior of attacks. As attacks become automated, methods such as IDS typically delay the amount of time it takes for someone to react to an attack. A properly configured network-based IPS can provide automation to block bad traffic. When evaluating network-based IPS products, include those using techniques other than signature-based detection (such as virtual machine or sandbox-based approaches) for consideration.
CSC 13-6 [Visibility/Attribution] Design and implement network perimeters so that all outgoing web, file transfer protocol (FTP), and secure shell traffic to the Internet must pass through at least one proxy on a DMZ network. The proxy should support logging individual TCP sessions; blocking specific URLs, domain names, and IP addresses to implement a black list; and applying whitelists of allowed sites that can be accessed through the proxy while blocking all other sites. Organizations should force outbound traffic to the Internet through an authenticated proxy server on the enterprise perimeter. Proxies can also be used to encrypt all traffic leaving an organization.
CSC 13-7 [Visibility/Attribution] Require all remote login access (including VPN, dial-up, and other forms of access that allow login to internal systems) to use two-factor authentication.
CSC 13-8 [Visibility/Attribution] All enterprise devices remotely logging into the internal network should be managed by the enterprise, with remote control of their configuration, installed software, and patch levels. For third-party devices (e.g., subcontractors/vendors), publish minimum security standards for access to the enterprise network and perform a security scan before allowing access.
CSC 13-9 [Configuration/Hygiene] Periodically scan for back-channel connections to the Internet that bypass the DMZ, including unauthorized VPN connections and dual-homed hosts connected to the enterprise network and to other networks via wireless, dial-up modems, or other mechanisms.
CSC 13-10 [Configuration/Hygiene] To limit access by an insider, untrusted subcontractor/vendor, or malware spreading on an internal network, devise internal network segmentation schemes to limit traffic to only those services needed for business use across the organization's internal network.
CSC 13-12 [Configuration/Hygiene] To minimize the impact of an attacker pivoting between compromised systems, only allow DMZ systems to communicate with private network systems via application proxies or application-aware firewalls over approved channels.
CSC 13-13 [Advanced] To help identify covert channels exfiltrating data through a firewall, configure the built-in firewall session tracking mechanisms included in many commercial firewalls to identify TCP sessions that last an unusually long time for the given organization and firewall device, alerting personnel about the source and destination addresses associated with these long sessions.
CSC 13-14 [Advanced] Deploy NetFlow collection and analysis to DMZ network flows to detect anomalous activity.
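A receiver-side check for the bogon test in CSC 13-1, written in Python as an added example (it is not code from the Controls document): the evaluation team injects packets with bogon source addresses from outside the perimeter, captures on the inside, and anything captured whose source should have been dropped is a filtering failure. The bogon table is a static subset of the IANA special-purpose ranges; the organization's own allocation (assumed here to be 203.0.113.0/24, a documentation range) and the captured packets are constructed for the example.

```python
import ipaddress

# Bogon prefixes: address space that must never be the source of a packet arriving
# from the Internet (RFC 1918 private space and the IANA special-purpose registry,
# RFC 6890). Operational bogon lists also carry allocated-but-unrouted space that
# changes over time, which is why CSC 13-1 points at maintained public lists rather
# than a static table like this one.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

# The organization's own public allocation. Assumption for the example: the
# documentation range 203.0.113.0/24 (normally itself a bogon, left out of the table
# above so it can play this role without touching real address space).
INTERNAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def is_bogon(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_PREFIXES)


def classify_ingress_source(addr: str, internal=INTERNAL_PREFIXES) -> str:
    """Verdict for a source address seen on the outside interface of a border device.
    The spoofed-internal case is checked first: an Internet packet claiming one of our
    own addresses is exactly what ingress filtering exists to stop."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in internal):
        return "spoofed-internal"
    if is_bogon(addr):
        return "bogon"
    return "allow"


def audit_inside_capture(captured):
    """Receiver side of the CSC 13-1 test. `captured` holds packet headers recorded on
    the inside of the perimeter while test packets with bogon sources were injected
    from outside; every one whose source should have been dropped is a filter failure."""
    failures = []
    for pkt in captured:
        verdict = classify_ingress_source(pkt["src"])
        if verdict != "allow":
            failures.append((pkt, verdict))
    return failures


# Constructed inside-sensor capture for one test run (not real traffic). 11.22.33.44
# stands in for an arbitrary legitimate Internet source.
SAMPLE_CAPTURE = [
    {"src": "198.51.100.20", "dst": "203.0.113.10", "proto": "tcp", "dport": 443},  # TEST-NET-2 source got through
    {"src": "192.168.1.7",   "dst": "203.0.113.10", "proto": "udp", "dport": 53},   # RFC 1918 source got through
    {"src": "203.0.113.77",  "dst": "203.0.113.10", "proto": "tcp", "dport": 22},   # claims to be one of ours
    {"src": "11.22.33.44",   "dst": "203.0.113.10", "proto": "tcp", "dport": 443},  # legitimate
]
```

The same classifier expresses the filter the border device should enforce, so a non-empty result from `audit_inside_capture` is both the test verdict and the rule set to correct.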
CSC 13 Procedures and Tools
The boundary defenses included in this control build on Critical Control 10. The additional recommendations here focus on improving the overall architecture and implementation of both Internet and internal network boundary points. Internal network segmentation is central to this control because once inside a network, many intruders attempt to target the most sensitive machines. Usually, internal network protection is not set up to defend against an internal attacker. Setting up even a basic level of security segmentation across the network and protecting each segment with a proxy and a firewall will greatly reduce an intruder's access to the other parts of the network.
One element of this control can be implemented using free or commercial IDS and sniffers to look for attacks from external sources directed at DMZ and internal systems, as well as attacks originating from internal systems against the DMZ or Internet. Security personnel should regularly test these sensors by launching vulnerability-scanning tools against them to verify that the scanner traffic triggers an appropriate alert. The captured packets of the IDS sensors should be reviewed using an automated script each day to ensure that log volumes are within expected parameters and that the logs are formatted properly and have not been corrupted.
Additionally, packet sniffers should be deployed on DMZs to look for Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. By sampling traffic regularly, such as over a three-hour period once a week, information security personnel can search for HTTP traffic that is neither sourced by nor destined for a DMZ proxy, implying that the requirement for proxy use is being bypassed.
To identify back-channel connections that bypass approved DMZs, network security personnel can establish an Internet-accessible system to use as a receiver for testing outbound access. This system is configured with a free or commercial packet sniffer. Then, security personnel can connect a sending test system to various points on the organization's internal network, sending easily identifiable traffic to the sniffing receiver on the Internet. These packets can be generated using free or commercial tools with a payload that contains a custom file used for the test. When the packets arrive at the receiver system, the source address of the packets should be verified against acceptable DMZ addresses allowed for the organization. If source addresses are discovered that are not included in legitimate, registered DMZs, more detail can be gathered by using a traceroute tool to determine the path that packets take from the sender to the receiver system.
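Two of the checks above, the weekly search for HTTP traffic that never touches a DMZ proxy and the long-session alert from CSC 13-13, can run over the same NetFlow export called for in CSC 13-14. The Python below is an added example, not code from the Controls document; the internal address space, the proxy address, the web ports and the flow records are all constructed assumptions. The long-session threshold is derived from the organization's own traffic with a median/MAD statistic rather than a fixed number, which is one way to read "unusually long for the given organization".

```python
import ipaddress
import statistics
from dataclasses import dataclass
from datetime import datetime, timedelta

# Topology assumptions for the example (not from the Controls document): internal address
# space, the DMZ web proxy, and the ports treated as web traffic.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DMZ_PROXIES = {"10.200.0.5"}
WEB_PORTS = {80, 443, 8080}


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record: endpoints, destination port, first/last packet time, bytes."""
    src: str
    dst: str
    dport: int
    first: datetime
    last: datetime
    octets: int

    @property
    def duration(self) -> timedelta:
        return self.last - self.first


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in INTERNAL_NETS)


def proxy_bypass(flows):
    """Web flows from an internal host to the Internet that neither start at nor end on a
    DMZ proxy. Under a mandatory-proxy policy (CSC 13-6) these should not exist; each one is
    a host reaching the Internet around the proxy. Internal-to-internal web traffic is ignored."""
    return [f for f in flows
            if f.dport in WEB_PORTS
            and is_internal(f.src) and not is_internal(f.dst)
            and f.src not in DMZ_PROXIES and f.dst not in DMZ_PROXIES]


def long_sessions(flows, floor=timedelta(hours=1), k=3.0):
    """CSC 13-13: sessions unusually long for this organization. The threshold is
    median + k * 1.4826 * MAD of the observed durations; median/MAD are used instead of
    mean/stdev because the very sessions being hunted would otherwise inflate the
    threshold and hide themselves. `floor` stops a quiet network flagging ordinary sessions."""
    secs = [f.duration.total_seconds() for f in flows]
    if len(secs) >= 2:
        med = statistics.median(secs)
        mad = statistics.median(abs(s - med) for s in secs)
        threshold = max(floor, timedelta(seconds=med + k * 1.4826 * mad))
    else:
        threshold = floor
    return [f for f in flows if f.duration > threshold], threshold


def report(flows):
    """The alert list a weekly review of one export would produce."""
    flagged, threshold = long_sessions(flows)
    return {
        "proxy_bypass": [(f.src, f.dst, f.dport) for f in proxy_bypass(flows)],
        "long_sessions": [(f.src, f.dst, f.dport, int(f.duration.total_seconds())) for f in flagged],
        "long_session_threshold_s": int(threshold.total_seconds()),
    }


def _t(hms: str) -> datetime:
    return datetime.fromisoformat(f"2014-02-20T{hms}")


# Constructed flow records for one sampling window (not captured traffic); 11.22.33.x
# stand in for arbitrary Internet destinations.
SAMPLE_FLOWS = [
    Flow("10.1.1.20", "10.200.0.5", 8080, _t("09:00:00"), _t("09:00:45"), 40_000),    # client -> proxy, as intended
    Flow("10.200.0.5", "11.22.33.44", 443, _t("09:00:00"), _t("09:01:00"), 38_000),   # proxy -> Internet
    Flow("10.1.1.31", "11.22.33.45", 443, _t("09:05:00"), _t("09:06:15"), 12_000),    # goes around the proxy
    Flow("10.1.1.31", "10.1.9.9", 80, _t("09:07:00"), _t("09:07:10"), 2_000),         # intranet site, not a bypass
    Flow("10.1.1.45", "11.22.33.46", 443, _t("08:00:00"), _t("16:30:00"), 9_000_000), # 8.5 h session around the proxy
    Flow("10.1.2.8", "10.200.0.5", 8080, _t("09:10:00"), _t("09:12:00"), 25_000),
]
```

On the sample data the statistical threshold comes out well under the one-hour floor, so the floor is what fires; on a real export with thousands of flows the median/MAD term is what adapts the alert to the organization's traffic.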
CSC 13 Effectiveness Metrics
In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:
1. Are all unauthorized packets entering or leaving the network detected (yes or no)?
2. Do all network connections to the Internet, business partners, or other third parties currently utilize inbound and outbound network filters, and Intrusion Detection Systems (IDS) (yes or no)?
3. How long does it take before unauthorized network packets are alerted on when passing through perimeter systems (time in minutes)?
4. How long does it take to apply configuration changes to block unauthorized traffic passing through perimeter systems (time in minutes)?

CSC 13 Automation Metrics
In order to automate the collection of relevant data from these systems, organizations should gather the following information with automated technical sensors:
1. What percentage of the organization's remote access users are not required to use two-factor authentication to remotely access the organization's network (by business unit)?
2. What percentage of remote business systems are not managed using the same security standards as internal network systems (by business unit)?
3. What percentage of the organization's internal systems are not on dedicated virtual LANs (VLANs) that are segmented with access control lists (by business unit)?
4. How many events of interest have been discovered recently on the organization's network through analysis of NetFlow configured on network devices (by business unit)?

CSC 13 Effectiveness Test
To evaluate the implementation of Control 13 on a periodic basis, an evaluation team must test boundary devices by sending packets from outside any trusted network to ensure that only authorized packets are allowed through the boundary. All other packets must be dropped. In addition, unauthorized packets must be sent from a trusted network to an untrusted network to make sure egress filtering is functioning properly. The evaluation team must then verify that the systems generate an alert or e-mail notice regarding the unauthorized packets within 24 hours. It is important that the evaluation team verify that all unauthorized packets have been detected. The evaluation team must also verify that the alert or e-mail indicating that the unauthorized traffic is now being blocked is received within one hour. The evaluation team must verify that the system provides details of the location of each machine with this new test software, including information about the asset owner. It is also important that the evaluation team test to ensure that the device fails in a state where it does not forward traffic when it crashes or becomes flooded.

CSC 13 System Entity Relationship Diagram
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.
A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case we are examining the network boundary devices and the supporting systems such as authentication servers, two-factor authentication systems, network monitoring systems, and network proxy devices. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.
Step 1: Hardened device configurations applied to production devices
Step 2: Two-factor authentication systems required for administrative access to production devices
Step 3: Production network devices send events to log management and correlation system
Step 4: Network monitoring system analyzes network traffic
Step 5: Network monitoring system sends events to log management and correlation system
Step 6: Outbound traffic passes through and is examined by network proxy devices
Step 7: Network systems scanned for potential weaknesses.
CSC 14: Maintenance, Monitoring, and Analysis of Audit Logs
Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.

Why Is This Control Critical?
Deficiencies in security logging and analysis allow attackers to hide their location, malicious software, and activities on victim machines. Even if the victims know that their systems have been compromised, without protected and complete logging records they are blind to the details of the attack and to subsequent actions taken by the attackers. Without solid audit logs, an attack may go unnoticed indefinitely and the particular damages done may be irreversible.
Sometimes logging records are the only evidence of a successful attack. Many organizations keep audit records for compliance purposes, but attackers rely on the fact that such organizations rarely look at the audit logs, so they do not know that their systems have been compromised. Because of poor or nonexistent log analysis processes, attackers sometimes control victim machines for months or years without anyone in the target organization knowing, even though the evidence of the attack has been recorded in unexamined log files.

How to Implement This Control
ID # / Description / Category
CSC 14-1 [Quick Win] Include at least two synchronized time sources (i.e., Network Time Protocol - NTP) from which all servers and network equipment retrieve time information on a regular basis so that timestamps in logs are consistent, and are set to UTC (Coordinated Universal Time).
CSC 14-2 [Quick Win] Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
CSC 14-3 [Quick Win] Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis.
CSC 14-4 [Quick Win] Develop a log retention policy to make sure that the logs are kept for a sufficient period of time. Organizations are often compromised for several months without detection. The logs must be kept for a longer period of time than it takes an organization to detect an attack so they can accurately determine what occurred.
CSC 14-5 [Quick Win] Have security personnel and/or system administrators run biweekly reports that identify anomalies in logs. They should then actively review the anomalies, documenting their findings.
CSC 14-6 [Visibility/Attribution] Configure network boundary devices, including firewalls, network-based IPS, and inbound and outbound proxies, to verbosely log all traffic (both allowed and blocked) arriving at the device.
CSC 14-7 [Visibility/Attribution] For all servers, ensure that logs are written to write-only devices or to dedicated logging servers running on separate machines from the hosts generating the event logs, lowering the chance that an attacker can manipulate logs stored locally on compromised machines.
CSC 14-8 [Visibility/Attribution] Deploy a SIEM (Security Information and Event Management) or log analytic tools for log aggregation and consolidation from multiple machines and for log correlation and analysis. Using the SIEM tool, system administrators and security personnel should devise profiles of common events from given systems so that they can tune detection to focus on unusual activity, avoid false positives, more rapidly identify anomalies, and prevent overwhelming analysts with insignificant alerts.
CSC 14-9 [Advanced] Monitor for service creation events and enable process tracking logs. On Windows systems, many attackers use PsExec functionality to spread from system to system. Creation of a service is an unusual event and should be monitored closely. Process tracking is valuable for incident handling.
CSC 14-10 (NEW) [Advanced] Ensure that the log collection system does not lose events during peak activity, and that the system detects and alerts if event loss occurs (such as when volume exceeds the capacity of a log collection system). This includes ensuring that the log collection system can accommodate intermittent or restricted-bandwidth connectivity through the use of handshaking flow control.
CSC 14 Procedures and Tools
Most free and commercial operating systems, network services, and firewall technologies offer logging capabilities. Such logging should be activated, with logs sent to centralized logging servers. Firewalls, proxies, and remote access systems (VPN, dial-up, etc.) should all be configured for verbose logging, storing all the information available for logging in the event a follow-up investigation is required. Furthermore, operating systems, especially those of servers, should be configured to create access control logs when a user attempts to access resources without the appropriate privileges. To evaluate whether such logging is in place, an organization should periodically scan through its logs and compare them with the asset inventory assembled as part of Critical Control 1 in order to ensure that each managed item actively connected to the network is periodically generating logs.
Analytical programs such as SIM/SEM solutions for reviewing logs can provide value, but the capabilities employed to analyze audit logs are quite extensive, even including, importantly, just a cursory examination by a person. Actual correlation tools can make audit logs far more useful for subsequent manual inspection. Such tools can be quite helpful in identifying subtle attacks. However, these tools are neither a panacea nor a replacement for skilled information security personnel and system administrators. Even with automated log analysis tools, human expertise and intuition are often required to identify and understand attacks.

CSC 14 Effectiveness Metrics
In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:
1. Does each system log appropriately to a central log management system (yes or no)?
2. Does each log event generated include a date, timestamp, source address, destination address and other details about the packet (yes or no)?
3. If a system fails to log properly, how long does it take for an alert about the failure to be sent (time in minutes)?
4. If a system fails to log properly, how long does it take for enterprise personnel to receive the alert about the failure (time in minutes)?

CSC 14 Automation Metrics
In order to automate the collection of relevant data from these systems, organizations should gather the following information with automated technical sensors:
1. What percentage of the organization's systems do not currently have comprehensive logging enabled in accordance with the organization's standard (by business unit)?
2. What percentage of the organization's systems are not currently configured to centralize their logs to a central log management system (by business unit)?
3. How many anomalies/events of interest have been discovered in the organization's logs recently (by business unit)?

CSC 14 Effectiveness Test
To evaluate the implementation of Control 14 on a periodic basis, an evaluation team must review the security logs of various network devices, servers, and hosts. At a minimum the following devices must be tested: two routers, two firewalls, two switches, 10 servers, and 10 client systems. The testing team should use traffic-generating tools to send packets through the systems under analysis to verify that the traffic is logged. This analysis is done by creating controlled, benign events and determining if the information is properly recorded in the logs with key information, including a date, timestamp, source address, destination address, and other details about the packet. The evaluation team must verify that the system generates audit logs and, if not, an alert or e-mail notice regarding the failed logging must be sent within 24 hours. It is important that the team verify that all activity has been detected. The evaluation team must verify that the system provides details of the location of each machine, including information about the asset owner.
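Two of the checks in the Procedures and Tools section above, comparing the central log store against the Critical Control 1 asset inventory and monitoring service-creation events as CSC 14-9 asks, can be written over normalized events from the log database. The Python below is an added example, not the document's or any SIEM vendor's code; the inventory, the events, the expected-service list and the trusted directories are constructed assumptions. Windows Event ID 7045 (System log) and 4697 (Security log) are the "service was installed" events, and PSEXESVC is the default name of the service PsExec installs on the target.

```python
from datetime import datetime, timedelta, timezone

# Constructed inputs (not real logs): the CSC 1 asset inventory and one window of events
# from the central log store, already normalized into a common schema (CSC 14-2).
INVENTORY = ["dc01", "fs01", "web01", "hr-laptop-07", "sw-core-1"]

EVENTS = [
    {"host": "dc01", "time": "2014-02-20T09:00:12Z", "event_id": 4624, "msg": "logon"},
    {"host": "web01", "time": "2014-02-20T09:03:40Z", "event_id": None, "msg": "sshd: accepted publickey"},
    {"host": "fs01", "time": "2014-02-20T09:10:05Z", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"host": "fs01", "time": "2014-02-20T09:10:06Z", "event_id": 4688,
     "process": "C:\\Windows\\PSEXESVC.exe", "parent": "C:\\Windows\\System32\\services.exe"},
    {"host": "dc01", "time": "2014-02-20T11:30:00Z", "event_id": 7045,
     "service_name": "BackupAgent", "image_path": "C:\\Program Files\\Backup\\agent.exe"},
    {"host": "web01", "time": "2014-02-20T11:45:00Z", "event_id": 7045,
     "service_name": "svchelper", "image_path": "C:\\Users\\Public\\svchelper.exe"},
    {"host": "sw-core-1", "time": "2014-02-18T07:00:00Z", "event_id": None, "msg": "link up"},
]

NOW = datetime(2014, 2, 20, 12, 0, tzinfo=timezone.utc)   # end of the review window

# Profiling per CSC 14-8: service creations the organization expects (assumption).
EXPECTED_SERVICES = {"BackupAgent"}
SERVICE_INSTALLED_IDS = {7045, 4697}   # Windows System log / Security log "service was installed"
TRUSTED_IMAGE_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def silent_assets(inventory, events, now=NOW, window=timedelta(hours=24)):
    """Inventory hosts with no event inside `window`: a broken forwarding path, an asset
    that was retired without being removed from inventory, or a host an intruder has
    silenced. All three deserve a ticket."""
    cutoff = now - window
    seen = {e["host"] for e in events if _ts(e["time"]) >= cutoff}
    return sorted(h for h in inventory if h not in seen)


def service_creations(events, expected=EXPECTED_SERVICES):
    """CSC 14-9: every service-installed event is a finding unless the service is expected.
    PsExec's default service (PSEXESVC) rates high; an image outside the trusted program
    directories rates medium (PsExec run with a renamed service still drops its binary in
    %SystemRoot% via ADMIN$); anything else is queued for review."""
    findings = []
    for e in events:
        if e.get("event_id") not in SERVICE_INSTALLED_IDS or e.get("service_name") in expected:
            continue
        name, image = e.get("service_name", ""), e.get("image_path", "")
        resolved = image.lower().replace("%systemroot%", "c:\\windows")
        if "psexesvc" in (name + image).lower():
            severity = "high"
        elif not resolved.startswith(TRUSTED_IMAGE_DIRS):
            severity = "medium"
        else:
            severity = "review"
        findings.append({"host": e["host"], "time": e["time"], "service": name,
                         "image": image, "severity": severity})
    return findings


def daily_review(inventory=INVENTORY, events=EVENTS, now=NOW):
    """What the daily automated pass hands to the analyst."""
    return {"silent_assets": silent_assets(inventory, events, now),
            "service_creations": service_creations(events)}
```

The expected-service list is the tuning step CSC 14-8 describes: without it every legitimate agent install would reach the analyst, and the PsExec event would sit in the same queue.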
CSC 14 System Entity Relationship Diagram
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.
A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining audit logs, the central log database system, the central time system, and log analysts. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.
Step 1: Production systems generate logs and send them to a centrally managed log database system
Step 2: Production systems and log database system synchronize time with central time management systems
Step 3: Logs analyzed by a log analysis system
Step 4: Log analysts examine data generated by log analysis system.
CSC 15: Controlled Access Based on the Need to Know
The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.

Why Is This Control Critical?
Some organizations do not carefully identify and separate their most sensitive and critical assets from less sensitive, publicly accessible information on their internal networks. In many environments, internal users have access to all or most of the critical assets. Sensitive assets may also include systems that provide management and control of physical systems (e.g., SCADA). Once attackers have penetrated such a network, they can easily find and exfiltrate important information, cause physical damage, or disrupt operations with little resistance. For example, in several high-profile breaches over the past two years, attackers were able to gain access to sensitive data stored on the same servers with the same level of access as far less important data. There are also examples of using access to the corporate network to gain access to, then control over, physical assets and cause damage.

How to Implement This Control
ID # / Description / Category
CSC 15-1 [Quick Win] Locate any sensitive information on separated VLANs with firewall filtering. All communication of sensitive information over less-trusted networks should be encrypted.
CSC 15-3 [Visibility/Attribution] Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data.
CSC 15-4 [Configuration/Hygiene] Segment the network based on the trust levels of the information stored on the servers. Whenever information flows over a network with a lower trust level, the information should be encrypted.
CSC 15-5 [Advanced] Use host-based data loss prevention (DLP) to enforce ACLs even when data is copied off a server. In most organizations, access to the data is controlled by ACLs that are implemented on the server. Once the data have been copied to a desktop system, the ACLs are no longer enforced and the users can send the data to whomever they want.
CSC 15 Procedures and Tools
It is important that an organization understand what its sensitive information is, where it resides, and who needs access to it. To derive sensitivity levels, organizations need to put together a list of the key types of data and their overall importance to the organization. This analysis would be used to create an overall data classification scheme for the organization. At a base level, a data classification scheme is broken down into two levels: public (unclassified) and private (classified). Once the private information has been identified, it can then be further subdivided based on the impact it would have on the organization if it were compromised.
Once the sensitivity of the data has been identified, the data need to be traced back to business applications and the physical servers that house those applications. The network then needs to be segmented so that systems of the same sensitivity level are on the same network and segmented from systems with different trust levels. If possible, firewalls need to control access to each segment. If data are flowing over a network with a lower trust level, encryption should be used.
Job requirements should be created for each user group to determine what information the group needs access to in order to perform its jobs. Based on the requirements, access should only be given to the segments or servers that are needed for each job function. Detailed logging should be turned on for all servers in order to track access and examine situations where someone is accessing data that they should not be accessing.

CSC 15 Effectiveness Metrics
In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:
1. Can the system detect all attempts by users to access files on local systems or network-accessible file shares without the appropriate privileges (yes or no)?
2. How long does it take the system to generate an alert or e-mail for administrative personnel of a user inappropriately accessing the file shares (time in minutes)?

CSC 15 Automation Metrics
In order to automate the collection of relevant data from these systems, organizations should gather the following information with automated technical sensors:
1. What percentage of the organization's data sets have not been classified in accordance with the organization's data classification standards (by business unit)?
2. What percentage of sensitive data sets are not configured to require logging of access to the data set (by business unit)?
3. What percentage of the organization's business systems are not utilizing host-based Data Loss Prevention (DLP) software applications (by business unit)?

CSC 15 Effectiveness Test
To evaluate the implementation of Control 15 on a periodic basis, the evaluation team must create two test accounts each on 10 representative systems in the enterprise: five server machines and five client systems. For each system evaluated, one account must have limited privileges, while the other must have privileges necessary to create files on the systems. The evaluation team must then verify that the non-privileged account is unable to access the files created for the other account on the system. The team must also verify that an alert or e-mail is generated based on the attempted unsuccessful access within 24 hours. Upon completion of the test, these accounts must be removed.

CSC 15 System Entity Relationship Diagram
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.
A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case, the data classification system and permission baseline is the blueprint for how authentication and access to data is controlled. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.
Step 1: An appropriate data classification system and permissions baseline applied to production data systems
Step 2: Access appropriately logged to a log management system
Step 3: Proper access control applied to portable media/USB drives
Step 4: Active scanner validates, checks access, and checks data classification
Step 5: Host-based encryption and data-loss prevention validates and checks all access requests.
CSC 16: Account Monitoring and Control

Actively manage the life-cycle of system and application accounts - their creation, use, dormancy, deletion - in order to minimize opportunities for attackers to leverage them.

Why Is This Control Critical?

Attackers frequently discover and exploit legitimate but inactive user accounts to impersonate legitimate users, thereby making discovery of attacker behavior difficult for network watchers. Accounts of contractors and employees who have been terminated, and accounts formerly set up for Red Team testing (but not deleted afterwards), have often been misused in this way. Additionally, some malicious insiders or former employees have accessed accounts left behind in a system long after contract expiration, maintaining their access to an organization's computing systems and sensitive data for unauthorized and sometimes malicious purposes.

How to Implement This Control

Each sub-control is listed with its ID, description and category (Quick win, Visibility/Attribution, Configuration/Hygiene or Advanced); sub-controls added in this version are marked (New).

CSC 16-1 (Quick win): Review all system accounts and disable any account that cannot be associated with a business process and owner.
CSC 16-2 (Quick win): Ensure that all accounts have an expiration date associated with the account.
CSC 16-3 (Quick win): Ensure that systems automatically create a report that includes a list of locked-out accounts, disabled accounts, accounts with passwords that exceed the maximum password age, and accounts with passwords that never expire. This list should be sent to the associated system administrator in a secure fashion.
CSC 16-4 (Quick win): Establish and follow a process for revoking system access by disabling accounts immediately upon termination of an employee or contractor. Disabling instead of deleting accounts allows preservation of audit trails.
CSC 16-5 (Quick win): Regularly monitor the use of all accounts, automatically logging off users after a standard period of inactivity.
CSC 16-6 (New; Quick win): Configure screen locks on systems to limit access to unattended workstations.
CSC 16-7 (Quick win): Monitor account usage to determine dormant accounts, notifying the user or the user's manager. Disable such accounts if not needed, or document and monitor exceptions (e.g., vendor maintenance accounts needed for system recovery or continuity operations).
CSC 16-8 (Quick win): Require that all non-administrator accounts have strong passwords that contain letters, numbers, and special characters, be changed at least every 90 days, have a minimum age of one day, and not be allowed to reuse any of the previous 15 passwords. These values can be adjusted based on the specific business needs of the organization.
CSC 16-9 (Quick win): Use and configure account lockouts such that after a set number of failed login attempts the account is locked for a standard period of time.
CSC 16-10 (Visibility/Attribution): Require that managers match active employees and contractors with each account belonging to their managed staff. Security or system administrators should then disable accounts that are not assigned to active employees or contractors.
CSC 16-11 (Visibility/Attribution): Monitor attempts to access deactivated accounts through audit logging.
CSC 16-12 (New; Configuration/Hygiene): Configure access for all accounts through a centralized point of authentication, for example Active Directory or LDAP. Configure network and security devices for centralized authentication as well.
CSC 16-13 (Configuration/Hygiene): Profile each user's typical account usage by determining normal time-of-day access and access duration. Reports should be generated that indicate users who have logged in during unusual hours or have exceeded their normal login duration. This includes flagging the use of the user's credentials from a computer other than the computers on which the user generally works.
CSC 16-14 (New; Advanced): Require multi-factor authentication for accounts that have access to sensitive data or systems. Multi-factor authentication can be achieved using smart cards with certificates, One Time Password (OTP) tokens, or biometrics.
CSC 16-15 (New; Advanced): For authenticated access to web services within an enterprise, ensure that account usernames and passwords are passed over an encrypted channel, and that associated password hash files are stored securely if a centralized service is not employed.
CSC 16-16 (New; Advanced): Configure all systems to use encrypted channels for the transmission of passwords over a network.
CSC 16-17 (New; Advanced): Verify that all password files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. Audit all access to password files in the system.
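The report CSC 16-3 calls for, the dormant-account check of CSC 16-7 and the daily list-versus-baseline comparison in the automation metrics can all be driven from one account inventory export. The script below is an added example, not code from the Critical Security Controls document or from any particular product: the inventory rows, their field names, the 90-day dormancy window and the approved baseline list are constructed for illustration (in practice the rows would come from Get-ADUser, ldapsearch, /etc/shadow plus lastlog, or an IAM export).

```python
"""Account hygiene report (CSC 16-1, 16-2, 16-3, 16-7) and baseline comparison
(CSC 16 automation metric 5). Added example; the inventory is constructed."""
from datetime import datetime, timedelta

NOW = datetime(2013, 6, 1, 6, 0)          # assumed run time of the daily job
MAX_PASSWORD_AGE = timedelta(days=90)     # CSC 16-8
DORMANT_AFTER = timedelta(days=90)        # assumption: the page leaves the period configurable

# Constructed inventory rows; the field names are an assumption, not a real export format.
ACCOUNTS = [
    {"name": "alice", "owner": "alice@corp.example", "enabled": True, "locked": False,
     "last_logon": NOW - timedelta(days=1), "pwd_last_set": NOW - timedelta(days=30),
     "pwd_never_expires": False, "expires": None},
    {"name": "bob", "owner": "bob@corp.example", "enabled": True, "locked": True,
     "last_logon": NOW - timedelta(days=3), "pwd_last_set": NOW - timedelta(days=120),
     "pwd_never_expires": False, "expires": None},
    {"name": "svc-backup", "owner": "", "enabled": True, "locked": False,
     "last_logon": NOW - timedelta(days=200), "pwd_last_set": NOW - timedelta(days=400),
     "pwd_never_expires": True, "expires": None},
    {"name": "redteam-tmp", "owner": "redteam@corp.example", "enabled": True, "locked": False,
     "last_logon": NOW - timedelta(days=95), "pwd_last_set": NOW - timedelta(days=100),
     "pwd_never_expires": False, "expires": NOW - timedelta(days=60)},
    {"name": "carol", "owner": "carol@corp.example", "enabled": False, "locked": False,
     "last_logon": NOW - timedelta(days=10), "pwd_last_set": NOW - timedelta(days=10),
     "pwd_never_expires": False, "expires": None},
]

BASELINE = ["alice", "bob", "carol", "svc-backup"]   # yesterday's approved list (constructed)


def account_report(accounts, now=NOW, max_pw_age=MAX_PASSWORD_AGE, dormant_after=DORMANT_AFTER):
    """Bucket accounts the way CSC 16-3 and 16-7 ask for. A name may land in several buckets."""
    report = {key: [] for key in (
        "locked", "disabled", "password_expired", "password_never_expires",
        "dormant", "no_owner", "past_expiry_still_enabled")}
    for acct in accounts:
        name = acct["name"]
        if acct["locked"]:
            report["locked"].append(name)
        if not acct["enabled"]:
            report["disabled"].append(name)
            continue                      # the remaining checks matter only for live accounts
        if acct["pwd_never_expires"]:
            report["password_never_expires"].append(name)
        elif now - acct["pwd_last_set"] > max_pw_age:
            report["password_expired"].append(name)
        if acct["last_logon"] is None or now - acct["last_logon"] > dormant_after:
            report["dormant"].append(name)            # CSC 16-7
        if not acct["owner"]:
            report["no_owner"].append(name)           # CSC 16-1: no owner means disable
        if acct["expires"] is not None and acct["expires"] < now:
            report["past_expiry_still_enabled"].append(name)   # CSC 16-2 not being enforced
    return report


def baseline_diff(baseline, current):
    """Daily account list compared to the approved baseline (automation metric 5)."""
    before, after = set(baseline), set(current)
    return {"added": sorted(after - before), "removed": sorted(before - after)}


if __name__ == "__main__":
    for bucket, names in account_report(ACCOUNTS).items():
        print(f"{bucket:26} {', '.join(names) or '-'}")
    print(baseline_diff(BASELINE, [a["name"] for a in ACCOUNTS]))
```

The buckets locked, disabled, password_expired and password_never_expires are the CSC 16-3 report; dormant is CSC 16-7; no_owner is CSC 16-1; past_expiry_still_enabled shows where CSC 16-2 is not being enforced; the baseline diff is the daily comparison the automation metrics ask about, and here it surfaces the leftover Red Team account. Deliver the output over an authenticated channel to the owning administrator, as 16-3 requires: a list of weak spots in the account base is itself sensitive.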
CSC 16 Procedures and Tools

Although most operating systems include capabilities for logging information about account usage, these features are sometimes disabled by default. Even when such features are present and active, they often do not provide fine-grained detail about access to the system by default. Security personnel can configure systems to record more detailed information about account access, and use home-grown scripts or third-party log analysis tools to analyze this information and profile user access of various systems.

Accounts must also be tracked very closely. Any account that is dormant must be disabled and eventually removed from the system. All active accounts must be traced back to authorized users of the system, and it must be ensured that their passwords are robust and changed on a regular basis. Users must also be logged out of the system after a period of no activity to minimize the possibility of an attacker using their system to extract information from the organization.

CSC 16 Effectiveness Metrics

In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:

1. Does the system audit and report on valid and invalid log-ins to user accounts?
2. Does the system audit and report on valid and invalid log-ins to network and security device user accounts?
3. Does the system lock users out after five (5) invalid attempts?
4. Do user account passwords expire at least every 90 days?
5. Does the system report on dormant accounts that have not been used for a configurable period of time?
6. How long does it take to send an alert or e-mail to administrative personnel that the comparison report has been created (time in minutes)?

CSC 16 Automation Metrics

In order to automate the monitoring and control of user accounts, organizations should gather the following information with automated technical sensors:

1. How many invalid attempts to access user accounts have been detected within a period of time?
2. How many accounts have been locked out within a period of time?
3. How many attempts to gain access to password files in the system have been detected within a period of time?
4. Perform authorized password cracking against password files and identify the number of administrator account passwords that are cracked during the attempt. Remediate any compromised passwords immediately.
5. Is an automated list of user accounts on the system created daily and compared to a baseline (yes or no)?
6. How long does it take to send an alert or e-mail to administrative personnel that the comparison report has been created (time in minutes)?

CSC 16 Effectiveness Test

To evaluate the implementation of Control 16 on a periodic basis, the evaluation team must attempt a variety of techniques to gain access to user accounts within the system. Each of the following tests must be performed at least three times:

1. Attempt to configure weak user account passwords that are non-compliant with established policy. Verify that the system does not allow weak passwords to be used.
2. Attempt to re-use a user account password that was previously used for the account. Verify that the system requires unique new passwords during each update.
3. Attempt to capture passwords by monitoring network traffic to server resources. Remediate any instances where passwords are transmitted in clear text.
4. Attempt to gain access to password files stored on the system. If successful, identify whether the passwords are cryptographically secured.

Each of these tests must be performed from multiple, widely distributed systems on the organization's network in order to test the effectiveness of user account controls.

CSC 16 System Entity Relationship Diagram

Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.
A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining user accounts and how they interact with the data systems and the log management systems. Another key component of these systems is the reports generated for management of user accounts. The following list of the steps in the diagram shows how the entities work together to meet the business goal defined in this control. It also delineates each of the process steps in order to help identify potential failure points in the overall control.

Step 1: User accounts are properly managed on production systems
Step 2: User accounts are assigned proper permissions to production data sets
Step 3: User account access is logged to a log management system
Step 4: Log management systems generate user account and access reports for management
Step 5: Account baseline information is sent to the log management system
Step 6: Critical information is properly protected and encrypted for each user account.
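CSC 16-13 and the Procedures and Tools text above ask for home-grown profiling of when, and from where, each user normally logs in. The following is an added example, not code from the Critical Security Controls document: it builds that profile from sshd authentication messages and reviews a later day against it, while also counting failed logins per account for the first automation metric. The log lines are constructed, the year is assumed because syslog timestamps carry none, and the one-hour slack around observed login hours is an arbitrary choice. Login duration is not covered because these messages carry no session end.

```python
"""Login profiling for CSC 16-13 and failed-login counting for the CSC 16
automation metrics. Added example; the sshd log lines are constructed."""
import re
from collections import Counter
from datetime import datetime

YEAR = 2013   # assumed: syslog timestamps carry no year

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Normal activity used to build the profile (constructed).
BASELINE_LOG = """\
May 06 09:02:11 bastion sshd[4011]: Accepted publickey for alice from 10.1.20.15 port 50112 ssh2
May 06 17:40:03 bastion sshd[4102]: Accepted publickey for alice from 10.1.20.15 port 50310 ssh2
May 07 08:55:47 bastion sshd[4190]: Accepted publickey for alice from 10.1.20.15 port 50502 ssh2
May 07 10:12:30 bastion sshd[4201]: Accepted password for bob from 10.1.20.22 port 41002 ssh2
May 08 13:05:09 bastion sshd[4302]: Accepted password for bob from 10.1.20.22 port 41210 ssh2
"""

# The day under review (constructed): alice's key used at 03:21 from an Internet
# address, and a password-guessing run against bob and a non-existent account.
REVIEW_LOG = """\
May 20 09:14:02 bastion sshd[5120]: Accepted publickey for alice from 10.1.20.15 port 52001 ssh2
May 20 03:21:45 bastion sshd[5133]: Accepted publickey for alice from 203.0.113.9 port 33120 ssh2
May 20 11:02:10 bastion sshd[5140]: Accepted password for bob from 10.1.20.22 port 42010 ssh2
May 20 11:02:40 bastion sshd[5141]: Failed password for bob from 10.1.20.99 port 42011 ssh2
May 20 11:02:43 bastion sshd[5141]: Failed password for bob from 10.1.20.99 port 42011 ssh2
May 20 11:02:47 bastion sshd[5141]: Failed password for bob from 10.1.20.99 port 42011 ssh2
May 20 11:03:01 bastion sshd[5142]: Failed password for invalid user admin from 10.1.20.99 port 42012 ssh2
"""


def parse(log):
    """Turn sshd Accepted/Failed lines into event dicts; other lines are ignored."""
    events = []
    for line in log.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "user": m["user"], "src": m["src"],
                       "ok": m["result"] == "Accepted"})
    return events


def build_profile(events, hour_slack=1):
    """Per user: hours at which logins were seen (widened by hour_slack) and the source hosts."""
    profile = {}
    for e in events:
        if not e["ok"]:
            continue
        p = profile.setdefault(e["user"], {"hours": set(), "sources": set()})
        h = e["ts"].hour
        p["hours"].update((h + d) % 24 for d in range(-hour_slack, hour_slack + 1))
        p["sources"].add(e["src"])
    return profile


def review(events, profile):
    """Return (findings, failures): logins outside the profile, and failed logins per account."""
    findings, failures = [], Counter()
    for e in events:
        if not e["ok"]:
            failures[e["user"]] += 1          # automation metric 1; also feeds lockout (CSC 16-9)
            continue
        p = profile.get(e["user"])
        if p is None:
            findings.append((e["ts"], e["user"], "no baseline for this user"))
            continue
        reasons = []
        if e["ts"].hour not in p["hours"]:
            reasons.append(f"unusual hour {e['ts'].hour:02d}")
        if e["src"] not in p["sources"]:
            reasons.append(f"unusual source {e['src']}")
        if reasons:
            findings.append((e["ts"], e["user"], "; ".join(reasons)))
    return findings, failures


if __name__ == "__main__":
    prof = build_profile(parse(BASELINE_LOG))
    found, failed = review(parse(REVIEW_LOG), prof)
    for ts, user, why in found:
        print(f"{ts:%Y-%m-%d %H:%M} {user:8} {why}")
    print("failed logins:", dict(failed))
```

On the sample, alice's 09:14 login from her usual workstation is silent, her 03:21 login from 203.0.113.9 is reported for both an unusual hour and an unusual source, and the failure counter shows three guesses against bob plus one against a non-existent account from the same host. A real deployment would rebuild the profile over a sliding window of several weeks and treat "no baseline" as a finding in its own right.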
CSC 17: Data Protection

The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.

Why Is This Control Critical?

Data resides in many places. Protection of that data is best achieved through the application of a combination of encryption, integrity protection and data loss prevention techniques. As organizations continue their move towards cloud computing and mobile access, it is important that proper care be taken to limit and report on data exfiltration while also mitigating the effects of data compromise.

The adoption of data encryption, both in transit and at rest, provides mitigation against data compromise. This holds only if proper care has been taken in the processes and technologies associated with the encryption operations. An example is the management of the cryptographic keys used by the various algorithms that protect data. The process for generation, use and destruction of keys should be based on proven processes as defined in standards such as NIST SP 800-57. Care should also be taken to ensure that products used within an enterprise implement well-known and vetted cryptographic algorithms, as identified by NIST. Re-evaluation of the algorithms and key sizes used within the enterprise on an annual basis is also recommended, to ensure that organizations are not falling behind in the strength of protection applied to their data. For organizations that are moving data to the cloud, it is important to understand the security controls applied to data in the cloud multi-tenant environment, and to determine the best course of action for application of encryption controls and security of keys. When possible, keys should be stored within secure containers such as Hardware Security Modules (HSMs).

Encrypting data provides a level of assurance that even if data is compromised, it is impractical to access the plaintext without significant resources; however, controls should also be put in place to mitigate the threat of data exfiltration in the first place. Many attacks occur across the network, while others involve physical theft of laptops and other equipment holding sensitive information. Yet in most cases the victims were not aware that sensitive data was leaving their systems, because they were not monitoring data outflows. The movement of data across network boundaries, both electronically and physically, must be carefully scrutinized to minimize its exposure to attackers.

The loss of control over protected or sensitive data by organizations is a serious threat to business operations and a potential threat to national security. While some data is leaked or lost as a result of theft or espionage, the vast majority of these problems result from poorly understood data practices, a lack of effective policy architectures, and user error. Data loss can even occur as a result of legitimate activities such as e-Discovery during litigation, particularly when records retention practices are ineffective or nonexistent.

Data loss prevention (DLP) refers to a comprehensive approach covering people, processes, and systems that identify, monitor, and protect data in use (e.g., endpoint actions), data in motion (e.g., network actions), and data at rest (e.g., data storage) through deep content inspection and with a centralized management framework. Over the last several years, there has been a noticeable shift in attention and investment from securing the network to securing systems within the network, and to securing the data itself. DLP controls are based on policy, and include classifying sensitive data, discovering that data across an enterprise, enforcing controls, and reporting and auditing to ensure policy compliance.

How to Implement This Control

Each sub-control is listed with its ID, description and category; sub-controls added in this version are marked (New).

CSC 17-1 (Quick win): Deploy approved hard drive encryption software to mobile devices and systems that hold sensitive data.
CSC 17-2 (New; Quick win): Verify that cryptographic devices and software are configured to use publicly-vetted algorithms.
CSC 17-3 (New; Quick win): Perform an assessment of data to identify sensitive information that requires the application of encryption and integrity controls.
CSC 17-4 (New; Quick win): Review cloud provider security practices for data protection.
CSC 17-5 (Visibility/Attribution): Deploy an automated tool on network perimeters that monitors for certain sensitive information (e.g., personally identifiable information), keywords, and other document characteristics to discover unauthorized attempts to exfiltrate data across network boundaries, and block such transfers while alerting information security personnel.
CSC 17-6 (Visibility/Attribution): Conduct periodic scans of server machines using automated tools to determine whether sensitive data (e.g., personally identifiable information, health, credit card, and classified information) is present on the system in clear text. These tools, which search for patterns that indicate the presence of sensitive information, can help identify whether a business or technical process is leaving behind or otherwise leaking sensitive information.
CSC 17-7 (Configuration/Hygiene): Move data between networks using secure, authenticated, and encrypted mechanisms.
CSC 17-8 (Configuration/Hygiene): If there is no business need for supporting such devices, configure systems so that they will not write data to USB tokens or USB hard drives. If such devices are required, enterprise software should be used that can configure systems to allow only specific USB devices (based on serial number or other unique property) to be accessed, and that can automatically encrypt all data placed on such devices. An inventory of all authorized devices must be maintained.
CSC 17-9 (Configuration/Hygiene): Use network-based DLP solutions to monitor and control the flow of data within the network. Any anomalies that exceed the normal traffic patterns should be noted and appropriate action taken to address them.
CSC 17-10 (New; Configuration/Hygiene): Only allow approved Certificate Authorities (CAs) to issue certificates within the enterprise; review and verify each CA's Certificate Practices Statement (CPS) and Certificate Policy (CP).
CSC 17-11 (New; Configuration/Hygiene): Perform an annual review of the algorithms and key lengths in use for protection of sensitive data.
CSC 17-12 (Advanced): Monitor all traffic leaving the organization and detect any unauthorized use of encryption. Attackers often use an encrypted channel to bypass network security devices. Therefore it is essential that organizations be able to detect rogue connections, terminate the connection, and remediate the infected system.
CSC 17-13 (Advanced): Block access to known file transfer and e-mail exfiltration websites.
CSC 17-14 (New; Advanced): Define roles and responsibilities related to management of encryption keys within the enterprise; define processes for the key lifecycle.
CSC 17-15 (New; Advanced): Where applicable, implement Hardware Security Modules (HSMs) for protection of private keys (e.g., for sub-CAs) or Key Encryption Keys.
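CSC 17-5 and 17-6 rely on pattern matching to find sensitive data in clear text, and the CSC 17 effectiveness test later in this control calls for test data sets that trigger DLP without containing real sensitive data. The scanner here is an added example, not code from the Critical Security Controls document or from any DLP product: the sample document and the keyword list are constructed, the card-number pattern is confirmed with the Luhn check so that ticket and serial numbers are not reported, and synthetic_pan() (a name chosen here) builds a Luhn-valid test number from a prefix so the test team can move DLP-triggering data that is not cardholder data. 4111 1111 1111 1111 is a widely used published test number, not a real card.

```python
"""Clear-text sensitive data scanner for CSC 17-5 / 17-6, plus a helper for
building the DLP-triggering test data the CSC 17 effectiveness test asks for.
Added example; the sample document and keyword list are constructed."""
import re

# Business-specific keywords (CSC 17-5); constructed for this example.
KEYWORDS = ("Project Nightjar", "INTERNAL ONLY")

# 13-19 digits, optionally separated by single spaces or hyphens, not inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN in dashed form; excludes area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits):
    """True if the digit string passes the Luhn check (filters out most ticket/serial numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(payload):
    """Check digit that makes payload + digit Luhn-valid."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def synthetic_pan(prefix):
    """Luhn-valid test number from a prefix: triggers DLP without moving real cardholder data.
    Use a vendor's published test range for the prefix."""
    return prefix + luhn_check_digit(prefix)


def mask(digits):
    """Keep only the last four digits so the report itself is not a leak."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text, keywords=KEYWORDS):
    """Return findings (kind, masked value, offset) sorted by offset."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append({"kind": "PAN", "value": mask(digits), "pos": m.start()})
    for m in SSN_RE.finditer(text):
        findings.append({"kind": "SSN", "value": mask(m.group().replace("-", "")), "pos": m.start()})
    for kw in keywords:
        for m in re.finditer(re.escape(kw), text, re.IGNORECASE):
            findings.append({"kind": "KEYWORD", "value": kw, "pos": m.start()})
    return sorted(findings, key=lambda f: f["pos"])


# Constructed sample; 4111 1111 1111 1111 is a published test number, not a real card.
SAMPLE = """\
Internal memo on Project Nightjar pricing (draft).
Card on file for the demo account: 4111 1111 1111 1111, exp 12/15.
Ticket reference 1234 5678 9012 3456 is not a card number.
Contractor SSN on the onboarding form: 123-45-6789.
Build 20130520 passed on all 16 nodes.
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f['pos']:5d} {f['kind']:8s} {f['value']}")
    print("synthetic test PAN:", synthetic_pan("411111111111111"))
```

On the sample the scanner reports the keyword, the Luhn-valid card number and the SSN, and stays silent on the 16-digit ticket reference (Luhn fails) and the 8-digit build number (too short). Run it over file shares and server file systems for 17-6, and over outbound payloads at the perimeter for 17-5; the same masking rule should apply to whatever the tool writes to its own logs.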
CSC 17 Procedures and Tools

Commercial tools are available to support enterprise management of encryption and key management within an enterprise, and include the ability to support implementation of encryption controls within cloud and mobile environments. Definition of lifecycle processes and of the roles and responsibilities associated with key management should be undertaken by each organization.

Commercial DLP solutions are available to look for exfiltration attempts and detect other suspicious activities associated with a protected network holding sensitive information. Organizations deploying such tools should carefully inspect their logs and follow up on any discovered attempts to transmit sensitive information out of the organization without authorization, even those that are successfully blocked.

CSC 17 Effectiveness Metrics

In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:

1. Does the system identify and report on unauthorized data being exfiltrated, whether via network file transfers or removable media?
2. Does the system identify the attachment of unencrypted USB tokens and require encryption of tokens?
3. Does the system store cryptographic key material securely?
4. Does the system use only NIST-approved encryption algorithms?
5. Within one hour of a data exfiltration event or attempt, enterprise administrative personnel must be alerted by the appropriate monitoring system.
6. Do alerts notifying of data exfiltration also note the system and location where the event or attempt occurred?
7. Are the systems able to identify the location, department, and other critical details about where the sensitive data originated from (yes or no)?
8. How long does it take before a data leakage risk has been remediated from the time it was detected (time in minutes)?

CSC 17 Automation Metrics

In order to automate the protection of data using cryptography and DLP functions, organizations should gather the following information with automated technical sensors:

1. How many unauthorized data exfiltration attempts have been detected within a period of time by DLP software?
2. How many plaintext instances of sensitive data have been detected within a period of time by automated scanning software?
3. How many attempts to access known file transfer and e-mail exfiltration websites have been detected within a period of time?

CSC 17 Effectiveness Test

To evaluate the implementation of Control 17 on a periodic basis, the evaluation team must attempt to move test data sets that trigger DLP systems but do not contain sensitive data outside of the trusted computing environment, via both network file transfers and removable media. Each of the following tests must be performed at least three times:

- Attempt to transfer large data sets across network boundaries from an internal system.
- Attempt to transfer plaintext test data sets of personally identifiable information (that trigger DLP systems but do not contain sensitive data) across network boundaries from an internal system, using multiple keywords specific to the business.
- Attempt to transfer encrypted test data sets across network boundaries from an internal system, to identify whether the exfiltration is reported.
- Attempt to maintain a persistent network connection for at least 10 hours across network boundaries between an internal and an external system, even though little data may be exchanged.
- Attempt to maintain a network connection across network boundaries using an anomalous service port number between an internal and an external system.
- Insert a USB token into an organization system and attempt to transfer example test data to the USB device.

Each of these tests must be performed from multiple, widely distributed systems on the organization's network in order to test the effectiveness of the monitoring systems. Once each of these events has occurred, the time it takes for enterprise staff to respond to the event must be recorded.

CSC 17 System Entity Relationship Diagram

Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.

A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining the flow of information in and out of the organization in an attempt to limit potential data loss via network or removable media. The following list of the steps in the diagram shows how the entities work together to meet the business goal defined in this control. It also delineates each of the process steps in order to help identify potential failure points in the overall control.

Step 1: Data encryption system ensures that appropriate hard disks are encrypted
Step 2: Sensitive network traffic encrypted
Step 3: Data connections monitored at the network's perimeter by monitoring systems
Step 4: Stored data scanned to identify where sensitive information is stored
Step 5: Offline media encrypted.
CSC 18: Incident Response and Management

Protect the organization's information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker's presence, and restoring the integrity of the network and systems.

Why Is This Control Critical?

Cyber incidents are now just part of our way of life. Even large, well-funded, and technically sophisticated enterprises struggle to keep up with the frequency and complexity of attacks. The question of a successful cyber-attack against an enterprise is not "if" but "when".

When an incident occurs, it is too late to develop the right procedures, reporting, data collection, management responsibility, legal protocols, and communications strategy that will allow the enterprise to successfully understand, manage, and recover. Without an incident response plan, an organization may not discover an attack in the first place, or, if the attack is detected, the organization may not follow good procedures to contain damage, eradicate the attacker's presence, and recover in a secure fashion. Thus the attacker may have a far greater impact, causing more damage, infecting more systems, and possibly exfiltrating more sensitive data than would otherwise be possible were an effective incident response plan in place.

How to Implement This Control

Each sub-control is listed with its ID, description and category.

CSC 18-1 (Quick win): Ensure that there are written incident response procedures that include a definition of personnel roles for handling incidents. The procedures should define the phases of incident handling.
CSC 18-2 (Quick win): Assign job titles and duties for handling computer and network incidents to specific individuals.
CSC 18-3 (Quick win): Define management personnel who will support the incident handling process by acting in key decision-making roles.
CSC 18-4 (Quick win): Devise organization-wide standards for the time required for system administrators and other personnel to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification. This reporting should also include notifying the appropriate Community Emergency Response Team in accordance with all legal or regulatory requirements for involving that organization in computer incidents.
CSC 18-5 (Quick win): Assemble and maintain third-party contact information to be used to report a security incident (e.g., maintain an e-mail address such as security@organization.com or a web page such as http://organization.com/security).
CSC 18-6 (Quick win): Publish information for all personnel, including employees and contractors, regarding reporting computer anomalies and incidents to the incident handling team. Such information should be included in routine employee awareness activities.
CSC 18-7 (Configuration/Hygiene): Conduct periodic incident scenario sessions for personnel associated with the incident handling team to ensure that they understand current threats and risks, as well as their responsibilities in supporting the incident handling team.
CSC 18 Procedures and Tools

After defining detailed incident response procedures, the incident response team should engage in periodic scenario-based training, working through a series of attack scenarios fine-tuned to the threats and vulnerabilities the organization faces. These scenarios help ensure that team members understand their role on the incident response team and also help prepare them to handle incidents. A full treatment of this topic is beyond the scope of the Critical Security Controls. However, the actions in CSC 18 provide specific, high-priority steps that can improve enterprise security, and should be a part of any comprehensive incident response plan.

CSC 18 Effectiveness Metrics

None.

CSC 18 Automation Metrics

None.

CSC 18 Effectiveness Test

None.

CSC 18 System Entity Relationship Diagram

Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.

A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining the incident handling process and how prepared organizations are in the event that an incident occurs. The following list of the steps in the diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.

Step 1: Incident handling policies and procedures educate workforce members as to their responsibilities during an incident
Step 2: Some workforce members are designated as incident handlers
Step 3: Incident handling policies and procedures educate management as to their responsibilities during an incident
Step 4: Incident handlers participate in incident handling scenario tests
Step 5: Incident handlers report incidents to management
Step 6: The organization's management reports incidents to outside law enforcement and the appropriate computer emergency response team, if necessary.
CSC 19: Secure Network Engineering

Make security an inherent attribute of the enterprise by specifying, designing, and building in features that allow high-confidence system operations while denying or minimizing opportunities for attackers.

Why Is This Control Critical?

System or security designers rarely get to start from scratch and build in all of the security features they might want. And even if they did, systems constantly evolve, new business imperatives appear, attackers develop new techniques, and new technologies emerge to complicate the security problem. In such an environment, attackers take advantage of missing security features, time gaps in deploying new defenses or moving information, and the "seams" between defensive controls. Defenders are quickly overwhelmed with new operational requirements, managing tools and changes, new information, and "fire-fighting".

How to Implement This Control

Each sub-control is listed with its ID, description and category.

CSC 19-1 (Quick win): Design the network using a minimum of a three-tier architecture (DMZ, middleware, and private network). Any system accessible from the Internet should be on the DMZ, but DMZ systems should never contain sensitive data. Any system with sensitive data should reside on the private network and never be directly accessible from the Internet. DMZ systems should communicate with private network systems through an application proxy residing on the middleware tier.
CSC 19-2 (Configuration/Hygiene): To support rapid response and shunning of detected attacks, engineer the network architecture and its corresponding systems for rapid deployment of new access control lists, rules, signatures, blocks, blackholes, and other defensive measures.
CSC 19-3 (Visibility/Attribution): Deploy domain name systems (DNS) in a hierarchical, structured fashion, with all internal network client machines configured to send requests to intranet DNS servers, not to D
NS servers located on the Internet. These internal DNS servers should be configured to forward requests they cannot resolve to DNS servers located on a protected DMZ. These DMZ servers, in turn, should be the only DNS servers allowed to send requests to the Internet.
CSC 19-4 (Configuration/Hygiene): Segment the enterprise network into multiple, separate trust zones to provide more granular control of system access and additional intranet boundary defenses.
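The CSC 17 effectiveness test (a persistent connection of at least 10 hours, an anomalous service port, large data sets leaving the network) and CSC 19-3 (clients query only intranet DNS, intranet resolvers forward only to the DMZ resolvers, and only the DMZ resolvers talk to the Internet) can both be checked from the same flow records, so one added example serves both passages; it is not code from the Critical Security Controls document. The flow rows are constructed NetFlow-style records using documentation address ranges, and the address plan, the allowed egress ports and the 500 MB threshold are assumptions.

```python
"""Egress flow review for the CSC 17 effectiveness test (persistent sessions,
anomalous ports, large transfers) and for CSC 19-3 (DNS hierarchy). Added
example; the flow rows, address plan and thresholds are constructed."""
import csv
import io
import ipaddress

# Assumed address plan: 10/8 is the private network, 192.0.2.0/24 the DMZ,
# everything else the Internet (documentation ranges used for the sample).
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
DMZ = [ipaddress.ip_network("192.0.2.0/24")]
INTRANET_DNS = {ipaddress.ip_address("10.1.0.53")}   # resolvers clients must use (CSC 19-3)
DMZ_DNS = {ipaddress.ip_address("192.0.2.53")}       # the only resolvers allowed to query the Internet
ALLOWED_EGRESS_PORTS = {80, 443, 25}                  # assumed egress policy
LONG_SESSION_S = 10 * 3600                            # CSC 17 test: 10-hour persistent connection
LARGE_TRANSFER_BYTES = 500_000_000                    # assumed threshold for "large data sets"

# Constructed NetFlow-style export.
FLOWS_CSV = """\
start,duration_s,src,dst,proto,dport,bytes_out
2013-05-20T08:00:00,2,10.1.20.15,10.1.0.53,udp,53,140
2013-05-20T08:00:01,1,10.1.0.53,192.0.2.53,udp,53,140
2013-05-20T08:00:02,1,192.0.2.53,198.51.100.1,udp,53,140
2013-05-20T08:05:00,3,10.1.20.22,198.51.100.8,udp,53,120
2013-05-20T08:10:00,39600,10.1.20.22,203.0.113.9,tcp,443,2400000
2013-05-20T09:00:00,45,10.1.20.15,203.0.113.44,tcp,4444,51200
2013-05-20T09:30:00,600,10.1.30.7,203.0.113.80,tcp,443,900000000
2013-05-20T10:00:00,20,10.1.20.15,203.0.113.10,tcp,443,8000
"""


def in_any(addr, nets):
    return any(addr in net for net in nets)


def review_flows(csv_text):
    """Return (src, dst, dport, reason) for every flow that violates the policy above."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        dport, duration, out = int(row["dport"]), int(row["duration_s"]), int(row["bytes_out"])
        if not (in_any(src, INTERNAL) or in_any(src, DMZ)):
            continue                                    # inbound flow; not an egress question
        if dport == 53:                                 # CSC 19-3: enforce the resolver hierarchy
            if src in DMZ_DNS:
                continue
            if src in INTRANET_DNS:
                if dst not in DMZ_DNS:
                    findings.append((row["src"], row["dst"], dport,
                                     "intranet resolver not forwarding via DMZ resolver"))
            elif dst not in INTRANET_DNS:
                findings.append((row["src"], row["dst"], dport, "client bypasses intranet DNS"))
            continue
        if in_any(dst, INTERNAL) or in_any(dst, DMZ):
            continue                                    # east-west traffic; out of scope here
        if dport not in ALLOWED_EGRESS_PORTS:
            findings.append((row["src"], row["dst"], dport, f"egress on anomalous port {dport}"))
        if duration >= LONG_SESSION_S:
            findings.append((row["src"], row["dst"], dport,
                             f"persistent session of {duration // 3600} h"))
        if out >= LARGE_TRANSFER_BYTES:
            findings.append((row["src"], row["dst"], dport,
                             f"large outbound transfer of {out // 1_000_000} MB"))
    return findings


if __name__ == "__main__":
    for src, dst, dport, reason in review_flows(FLOWS_CSV):
        print(f"{src:>12} -> {dst:<14} :{dport:<5} {reason}")
```

The three DNS rows that follow the hierarchy (client to intranet resolver, intranet resolver to DMZ resolver, DMZ resolver to the Internet) produce nothing; the client that resolves directly against an Internet resolver, the 11-hour HTTPS session, the connection on port 4444 and the 900 MB upload each produce one finding. The same classification is what a perimeter sensor should raise as an alert, so that the response time the effectiveness test asks you to record can be measured.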
CSC 19 Procedures and Tools

To help ensure a consistent, defensible network, the architecture of each network should be based on a template that describes the network's overall layout and the services it provides. Organizations should prepare diagrams for each of their networks that show network components such as routers, firewalls, and switches, along with significant servers and groups of client machines.

Although the Critical Security Controls overall provide many specific, high-priority steps that will improve enterprise security, a comprehensive treatment of Secure Network Engineering is beyond the scope of this document. In CSC 19, we describe capabilities that should be built in to any security architecture.

CSC 19 Effectiveness Metrics

None.

CSC 19 Automation Metrics

None.

CSC 19 Effectiveness Test

None.

CSC 19 System Entity Relationship Diagram

Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.

A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining the network engineering process and evaluating the controls that work together in order to create a secure and robust network architecture. The following list of the steps in the diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.

Step 1: Network engineering policies and procedures dictate how network systems function, including dynamic host configuration protocol (DHCP) servers
Step 2: DHCP servers provide IP addresses to systems on the network
Step 3: Network devices perform DNS lookups against internal DNS servers
Step 4: Internal DNS servers perform DNS lookups against external DNS servers
Step 5: Network engineering policies and procedures dictate how a central network management system functions
Step 6: Central network management systems configure network devices.
CSC 20: Penetration Tests and Red Team Exercises

Test the overall strength of an organization's defenses (the technology, the processes, and the people) by simulating the objectives and actions of an attacker.

Why Is This Control Critical?

Attackers often exploit the gap between good defensive designs and intentions and their implementation or maintenance. Examples include: the time window between announcement of a vulnerability, the availability of a vendor patch, and actual installation on every machine; well-intentioned policies which have no enforcement mechanism (especially those intended to restrict risky human actions); failure to apply good configurations and other practices to the entire enterprise, or to machines that come in and out of the network; and failure to understand the interaction among multiple defensive tools, or with normal system operations that have security implications. In addition, successful defense requires a comprehensive program of technical defenses, good policy and governance, and appropriate action by people. In a complex environment where technology is constantly evolving, and new attacker tradecraft appears regularly, organizations should periodically test their defenses to identify gaps and to assess their readiness.

Penetration testing starts from the identification and assessment of vulnerabilities that can be identified in the enterprise. It complements this by designing and executing tests that demonstrate specifically how an adversary can either subvert the organization's security goals (e.g., the protection of specific Intellectual Property) or achieve specific adversarial objectives (e.g., establishment of a covert Command and Control infrastructure). The result provides deeper insight, through demonstration, into the business risks of various vulnerabilities.
Red Team exercises take a comprehensive approach at the full spectrum of organization policies, processes, and defenses in order to improve organizational readiness, improve training for defensive practitioners, and inspect current performance levels. Independent Red Teams can provide valuable and objective insights about the existence of vulnerabilities and the efficacy of defenses and mitigating controls already in place, and even of those planned for future implementation.

How to Implement This Control

ID # / Description / Category

CSC 20-1 (Quick Win): Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully. Penetration testing should occur from outside the network perimeter (i.e., the Internet or wireless frequencies around an organization) as well as from within its boundaries (i.e., on the internal network) to simulate both outsider and insider attacks.

CSC 20-2 (Quick Win): Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.

CSC 20-3 (Visibility/Attribution): Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.

CSC 20-4 (Visibility/Attribution): Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, e-mails or documents containing passwords or other information critical to system operation.

CSC 20-5 (Visibility/Attribution): Plan clear goals of the penetration test itself with blended attacks in mind, identifying the goal machine or target asset. Many APT-style attacks deploy multiple vectors, often social engineering combined with web or network exploitation. Red Team manual or automated testing that captures pivoted and multi-vector attacks offers a more realistic assessment of security posture and risk to critical assets.

CSC 20-6 (Configuration/Hygiene): Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.

CSC 20-7 (Advanced): Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.

CSC 20-8 (Advanced): Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition (SCADA) and other control systems.
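The artifact hunt in CSC 20-4 is easy to automate and worth running before every engagement, because an old diagram or a router backup on a shared drive hands the attacker a map. The following is an added example written for this page; it is not code from the Critical Security Controls document or from any tool it describes. The file share it scans is constructed sample data, and the rule names, regular expressions and placeholder heuristics are this example's own assumptions. It flags the artifact classes 20-4 names: network diagrams and older penetration test reports (by file name), device configuration backups with enable secrets, local user passwords and SNMP communities, private keys, database connection strings with embedded credentials, and documents containing cleartext passwords. Two details matter in practice and are handled here: templated placeholders such as `<your password here>` or `${VAULT_API_KEY}` are skipped so the report is not full of noise, and every secret is redacted in the evidence field so the findings report does not itself become the next artifact.

```python
"""Hunt a file share for artifacts useful to an attacker (CSC 20-4).

Added example written for this page; not code from the Critical Security
Controls document. SAMPLE_SHARE is constructed data, and the rule names,
regexes and placeholder heuristics are this example's own assumptions.
"""
import os
import re
from collections import namedtuple

Finding = namedtuple("Finding", "path category evidence")

# Artifact types recognisable from the file name alone.
NAME_RULES = [
    ("network_diagram",
     re.compile(r"(topolog|diagram|network[-_ ]?map).*\.(vsdx?|drawio|pdf|png)$", re.I)),
    ("old_pentest_report",
     re.compile(r"(pen(etration)?[-_ ]?test|red[-_ ]?team).*\.(pdf|docx?)$", re.I)),
    ("config_file",
     re.compile(r"(running-config|startup-config|\.(cfg|conf|ini))$", re.I)),
]

# Secrets recognisable from file content. Rules that capture the secret
# name it "value" so it can be redacted in the report.
CONTENT_RULES = [
    ("private_key",
     re.compile(r"-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("connection_string",
     re.compile(r"\b(mysql|postgres(ql)?|mssql|mongodb)://[^:/\s]+:(?P<value>[^@\s]+)@", re.I)),
    ("device_credential",   # Cisco-style: enable secret, local users, SNMP communities
     re.compile(r"^\s*(enable (secret|password)|username \S+ (secret|password)|snmp-server community)"
                r"\s+(\d\s+)?(?P<value>\S+)", re.I | re.M)),
    ("cleartext_password",  # "password = hunter2", "pwd: x", "VPN password: x"
     re.compile(r"\b(password|passwd|pwd)\s*[:=]\s*['\"]?(?P<value>[^'\"\r\n]+)", re.I)),
]

# Values that are templates rather than secrets; skipping them keeps the report honest.
PLACEHOLDER = re.compile(r"(\$\{.*\}|\{\{.*\}\}|<.*>|\*{3,}|x{4,}|redacted|changeme|todo)", re.I)

# Constructed sample share: {relative path: text content}. Binary files are empty here.
SAMPLE_SHARE = {
    "IT/Network/core-topology-2013.vsdx": "",
    "IT/Security/Acme-Penetration-Test-Report-2012.pdf": "",
    "IT/Network/backups/rtr-edge-01.running-config": (
        "hostname rtr-edge-01\n"
        "enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0\n"
        "username admin password 7 0822455D0A16\n"
        "snmp-server community public RO\n"),
    "Dev/app/.env": "DB_URL=postgres://app:S3cretPassw0rd@db.internal:5432/app\nAPI_KEY=${VAULT_API_KEY}\n",
    "Dev/app/config.sample.ini": "[db]\npassword = <your password here>\n",
    "HR/onboarding/Welcome.txt": "Your temporary VPN password: Welcome2013!\nPlease change it at first login.\n",
    "Ops/keys/deploy.key": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n-----END OPENSSH PRIVATE KEY-----\n",
    "Public/readme.txt": "Nothing to see here. The password policy requires 12 characters.\n",
}


def hunt_share(files):
    """Scan {relative_path: text} and return one Finding per artifact hit."""
    findings = []
    for path, content in files.items():
        name = os.path.basename(path)
        for category, rule in NAME_RULES:
            if rule.search(name):
                findings.append(Finding(path, category, name))
        for category, rule in CONTENT_RULES:
            for m in rule.finditer(content):
                value = m.groupdict().get("value")
                if value and PLACEHOLDER.fullmatch(value.strip()):
                    continue  # a template, not a secret
                # Redact the secret so the findings report is safe to circulate.
                evidence = m.group(0).replace(value, "***") if value else m.group(0)
                findings.append(Finding(path, category, evidence.strip()))
    return findings


def hunt_directory(root, max_bytes=2_000_000):
    """Read a real directory tree (first max_bytes of each file) and hunt it."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            try:
                with open(p, "r", encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(p, root)] = fh.read(max_bytes)
            except OSError:
                continue
    return hunt_share(files)


if __name__ == "__main__":
    for f in hunt_share(SAMPLE_SHARE):
        print(f"{f.category:20} {f.path}: {f.evidence}")
```

Run it against the constructed share and it reports ten findings across seven categories; the readme that merely mentions a password policy and the `.ini` sample with a placeholder produce no password hits, and no secret appears verbatim in the output. Point `hunt_directory` at a mounted share to use it for real; the name and content rules are a starting point to extend with the organization's own artifact types (ticketing exports, Visio templates, monitoring configs).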
CSC 20 Procedures and Tools

Penetration testing and Red Teaming only provide significant value when basic defensive measures have already been put into place, and when they are performed as part of a comprehensive, ongoing program of security management and improvement. These are often specified and required by formal Risk Management Frameworks and processes.

Each organization should define a clear scope and rules of engagement for penetration testing and Red Team analyses. The scope of such projects should include, at a minimum, systems with the organization's highest value information and production processing functionality. Other lower-value systems may also be tested to see if they can be used as pivot points to compromise higher-value targets. The rules of engagement for penetration tests and Red Team analyses should describe, at a minimum, times of day for testing, duration of tests, and the overall test approach.

A full treatment of this topic is beyond the scope of the Critical Security Controls. However, the actions in CSC 20 provide specific, high-priority steps that can improve enterprise security, and should be a part of any comprehensive penetration testing and Red Team program.

CSC 20 Effectiveness Metrics
None

CSC 20 Automation Metrics
None

CSC 20 Effectiveness Test
None

CSC 20 Entity Relationship Diagram

Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.
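Rules of engagement are only as good as the checks that enforce them. CSC 20-2 asks that the accounts used for testing be monitored for legitimate use and removed when testing is over, and the rules of engagement above fix the times of day and duration of the test; together they give a defender a concrete, auditable contract. The following is an added example written for this page, not code from the Critical Security Controls document. It assumes a hypothetical rules-of-engagement record (named accounts, a calendar window, nightly testing hours, approved source networks), a constructed sshd log excerpt, and a constructed post-engagement account snapshot; the violation names are this example's own. It reports any successful login by a test account outside the window, outside the agreed hours, or from an unapproved source, and any test account still enabled after the engagement ended.

```python
"""Audit penetration-test accounts against the rules of engagement (CSC 20-2).

Added example written for this page; not code from the Critical Security
Controls document. ROE, AUTH_LOG and ACCOUNTS_AFTER are constructed sample
data, and the violation names are this example's own assumptions.
"""
import re
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

UTC = timezone.utc

# Hypothetical rules of engagement: which accounts the testers use, the
# calendar window, the hours of the day testing is allowed, and the
# source networks the testers operate from.
ROE = {
    "accounts": {"pentest-ext", "pentest-int"},
    "window": (datetime(2014, 3, 3, 22, 0, tzinfo=UTC),
               datetime(2014, 3, 7, 6, 0, tzinfo=UTC)),
    "hours": (22, 6),  # testing allowed 22:00 to 06:00 UTC; wraps past midnight
    "sources": [ip_network("203.0.113.0/24"), ip_network("10.9.0.0/24")],
}

# Constructed sshd log excerpt (ISO timestamp, host, message).
AUTH_LOG = """\
2014-03-04T01:12:44Z bastion sshd[2211]: Accepted publickey for pentest-ext from 203.0.113.40 port 51022 ssh2
2014-03-04T02:00:00Z web01 sshd[333]: Accepted password for alice from 10.1.2.3 port 40001 ssh2
2014-03-04T02:05:00Z web01 sshd[334]: Failed password for pentest-int from 10.9.0.12 port 40200 ssh2
2014-03-04T03:40:02Z web01 sshd[301]: Accepted password for pentest-int from 10.9.0.12 port 40112 ssh2
2014-03-05T14:07:19Z web01 sshd[410]: Accepted password for pentest-int from 10.9.0.12 port 40500 ssh2
2014-03-06T02:33:08Z db01 sshd[99]: Accepted password for pentest-int from 192.168.77.5 port 3390 ssh2
2014-03-09T23:10:51Z web01 sshd[512]: Accepted password for pentest-ext from 203.0.113.40 port 51200 ssh2
""".splitlines()

# Constructed directory snapshot taken after the engagement closed.
ACCOUNTS_AFTER = {"pentest-ext": {"enabled": False}, "pentest-int": {"enabled": True}}

LOGIN = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \S+ "
                   r"for (?P<user>\S+) from (?P<ip>\S+) port")


def parse_login(line):
    """Return (timestamp, host, user, source ip) for a successful sshd login, else None."""
    m = LOGIN.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)
    return ts, m["host"], m["user"], ip_address(m["ip"])


def in_testing_hours(ts, hours):
    """True if ts falls in the [start, end) hour range, handling a range that wraps midnight."""
    start, end = hours
    if start <= end:
        return start <= ts.hour < end
    return ts.hour >= start or ts.hour < end


def audit_pentest_accounts(roe, log_lines, accounts_after):
    """Return (violation, account, detail) tuples for every breach of the rules of engagement."""
    violations = []
    first, last = roe["window"]
    for line in log_lines:
        rec = parse_login(line)
        if rec is None or rec[2] not in roe["accounts"]:
            continue  # failed attempt, unparsable line, or not a test account
        ts, host, user, src = rec
        if not first <= ts <= last:
            violations.append(("outside_window", user, f"{ts.isoformat()} on {host}"))
            continue  # outside the engagement entirely; hour and source checks are moot
        if not in_testing_hours(ts, roe["hours"]):
            violations.append(("outside_hours", user, f"{ts.isoformat()} on {host}"))
        if not any(src in net for net in roe["sources"]):
            violations.append(("unapproved_source", user, f"{src} -> {host}"))
    # Deprovisioning check: a test account missing from the snapshot counts as still enabled.
    for user in sorted(roe["accounts"]):
        if accounts_after.get(user, {}).get("enabled", True):
            violations.append(("not_deprovisioned", user, "still enabled after engagement end"))
    return violations


if __name__ == "__main__":
    for kind, user, detail in audit_pentest_accounts(ROE, AUTH_LOG, ACCOUNTS_AFTER):
        print(f"{kind:18} {user:12} {detail}")
```

On the constructed data this yields four violations: a daytime login by `pentest-int`, a login from an address outside the approved ranges, a `pentest-ext` login two days after the window closed, and `pentest-int` still enabled afterwards. The "outside window" case is the one worth alerting on in real time, since a test account logging in after the engagement is either a tester who forgot to stop or an attacker who found the account; the deprovisioning check is the one to run as the closing step of every engagement.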
A control system is a device or set of devices used to manage, command, direct, or regulate the behavior of other devices or systems. In this case, we are examining Red Team and penetration exercises and how those efforts can be valuable to enterprise personnel when identifying which vulnerabilities are present in the organization. The following list of the steps in the above diagram shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.

Step 1: Penetration testers perform penetration tests of production systems.
Step 2: Automated pen-testing tools perform penetration tests of production systems.
Step 3: Automated pen-testing tools inform penetration testers of vulnerabilities discovered.
Step 4: Penetration testers perform more extensive penetration tests of test lab systems.
Step 5: Auditors evaluate and inspect the work performed by automated pen-testing tools.
Step 6: Auditors evaluate and inspect the work performed by penetration testers.
Step 7: Penetration testers generate reports and statistics about the vulnerabilities that have been discovered.
Appendix A: Attack Types

The following Attack Types were the primary ones considered when developing the Critical Security Controls. Each is listed with the most relevant and direct Critical Security Controls (by number) to help block, detect, or manage this problem.

Attack Summary / Critical Security Control

Attackers continually scan for new, unprotected systems, including test or experimental systems, and exploit such systems to gain control of them. (CSC 1)

Attackers distribute hostile content on Internet-accessible (and sometimes internal) websites that exploit unpatched and improperly secured client software running on victim machines. (CSC 2, 3)

Attackers continually scan for vulnerable software and exploit it to gain control of target machines. (CSC 2, 4)

Attackers use currently infected or compromised machines to identify and exploit other vulnerable machines across an internal network. (CSC 2, 10)

Attackers exploit weak default configurations of systems that are more geared to ease of use than security. (CSC 3, 10)

Attackers exploit new vulnerabilities on systems that lack critical patches in organizations that do not know that they are vulnerable because they lack continuous vulnerability assessments and effective remediation. (CSC 4, 5)

Attackers compromise target organizations that do not exercise their defenses to determine and continually improve their effectiveness. (CSC 4, 5, 11, 20)

Attackers use malicious code to gain and maintain control of target machines, capture sensitive data, and then spread it to other systems, sometimes wielding code that disables or dodges signature-based anti-virus tools. (CSC 5, 15, 17)

Attackers scan for remotely accessible services on target systems that are often unneeded for business activities, but provide an avenue of attack and compromise of the organization. (CSC 5, 10, 11)

Attackers exploit weak application software, particularly web applications, through attack vectors such as SQL injection, cross-site scripting, and similar tools. (CSC 6, 20)

Attackers exploit wireless access points to gain entry into a target organization's internal network, and exploit wireless client systems to steal sensitive information. (CSC 7)

Attackers exploit users and system administrators via social engineering scams that work because of a lack of security skills and awareness. (CSC 9, 12, 16)

Attackers exploit and infiltrate through network devices whose security configuration has been weakened over time by granting, for specific short-term business needs, supposedly temporary exceptions that are never removed. (CSC 10, 13)

Attackers trick a user with an administrator-level account into opening a phishing-style e-mail with an attachment or surfing to the attacker's content on an Internet website, allowing the attacker's malicious code or exploit to run on the victim machine with full administrator privileges. (CSC 9, 12)

Attackers exploit boundary systems on Internet-accessible DMZ networks, and then pivot to gain deeper access on internal networks. (CSC 13, 19)

Attackers exploit poorly designed network architectures by locating unneeded or unprotected connections, weak filtering, or a lack of separation of important systems or business functions. (CSC 13, 19)

Attackers operate undetected for extended periods of time on compromised systems because of a lack of logging and log review. (CSC 14)

Attackers gain access to sensitive documents in an organization that does not properly identify and protect sensitive information or separate it from non-sensitive information. (CSC 15, 17)

Attackers compromise inactive user accounts left behind by temporary workers, contractors, and former employees, including accounts left behind by the attackers themselves who are former employees. (CSC 16)

Attackers escalate their privileges on victim machines by launching password guessing, password cracking, or privilege escalation exploits to gain administrator control of systems, which is then used to propagate to other victim machines across an enterprise. (CSC 12, 16)

Attackers gain access to internal enterprise systems and gather and exfiltrate sensitive information without detection by the victim organization. (CSC 17)

Attackers compromise systems and alter important data, potentially jeopardizing organizational effectiveness via polluted information. (CSC 15, 17)

Attackers operate undiscovered in organizations without effective incident-response capabilities, and when the attackers are discovered, the organizations often cannot properly contain the attack, eradicate the attacker's presence, or recover to a secure production state. (CSC 18)