Tech TV Series: COLLABORATE, INNOVATE, VALIDATE

CIS Top 20 #1: Inventory of Authorized and Unauthorized Devices

Lisa Niles – CISSP, Chief Solution Architect

Apr 19, 2020



CIS Top 20 Critical Security Controls

“Monitor, detect, analyze, protect, report, and respond against known vulnerabilities, known & unknown attacks, and exploitations” and “continuously test and evaluate information And the security controls and techniques to ensure that they are effectively implemented.”


• The control areas in the CIS CSC focus on various technical aspects of information security

• Primary goal of supporting organizations in prioritizing their efforts in defending against today’s most common and damaging attacks.

• Outside of the technical realm, a comprehensive security program should also take into account:

• Numerous additional areas of security, including overall policy, organizational structure, personnel issues (e.g., background checks, etc.), and physical security.

• To help maintain focus, the controls in this document do not deal with these important, but non-technical, aspects of information security.

• Organizations should build a comprehensive approach in these other aspects of security as well


• What is an IT security framework?

• An information security framework is a series of documented processes that are used to define policies and procedures around the implementation and ongoing management of information security controls in an enterprise environment.

• These frameworks are basically a "blueprint" for building an information security program to manage risk and reduce vulnerabilities. Information security teams can utilize these frameworks to define and prioritize the tasks required to build security into an organization.

• NIST Cybersecurity Framework, NIST guidelines, and the ISO 27000 series or regulations such as PCI DSS, HIPAA, NERC CIP, FISMA


Understanding the CIS Critical Security Controls

• In 2008, the Center for Internet Security’s Critical Security Controls (“CIS Controls”) were created

• A collaboration between representatives from the U.S. government and private sector security & research organizations.

• A set of practical defenses specifically targeted toward stopping cyber attacks

• The CIS Controls were crafted to answer the frequent question:

• “Where should I start when I want to improve my cyber defenses?”


• The CIS CSC Relationship to Other Federal Guidelines, Recommendations, and Requirements

• Once companies have addressed the 20 Critical Controls, it is recommended that NIST 800-53 guidelines be used to ensure that they have assessed and implemented an appropriate set of management controls

• The CIS controls are meant to reinforce and prioritize some of the most important elements of other frameworks, guidelines, standards, and requirements put forth in other US Government documentation, such as NIST Special Publication 800-53: Recommended Security Controls for Federal Information Systems, SCAP, FDCC, FISMA, and Department of Homeland Security Software Assurance documents.


Guiding principles used in devising these control areas and their associated sub controls include:

• Defenses should focus on addressing the most common and damaging attacks

• Enterprise environments must ensure consistent controls across an enterprise to effectively negate attacks.

• Defenses should be automated where possible, and periodically or continuously measured using automated measurement techniques where feasible.


• Getting Started: Ask and Answer Key Questions

• What am I trying to protect?

• Where are my gaps?

• What are my priorities?

• Where can I automate?

• How can my vendor partners help?


• General Guidance for Implementing the Controls:

• Carefully plan.

• Organizational structure for program’s success.

• Establish a “Governance, Risk, and Compliance (GRC)” program.

• Assigning program managers


• There are a few practical considerations an organization should make when embarking on this journey. Specifically, an organization should:

• Make a formal, top-level decision to make the CIS Controls part of the organization’s standard

• Senior management - support and accountability.

• Assign a program manager

• Who will be responsible for the long-term maintenance of cyber defenses.

• Start with a gap analysis

• Develop an implementation plan

• Document the long-term plan (3-5 years)

• Embed the definitions of CIS Controls into organization’s security policies

• Educate workforce on the organization’s security goals and enlist their help as a part of the long-term defense of the organization’s data.


• Successful implementation of the Controls will require many organizations to shift their mindset on security and how they approach IT operations and defense.

• No longer can employees be allowed to install software at random or travel with sensitive data in their pockets.

• It has been established that the cultural acceptance of changes needed to implement the technical controls is a necessary prerequisite for success.

• This is probably the most significant obstacle most organizations need to overcome.


• The Controls are not limited to blocking the initial compromise of systems

• Detecting already-compromised machines and preventing or disrupting attackers’ follow-on actions.

• Reducing the initial attack surface by hardening device configurations, identifying compromised machines to address long-term threats inside an organization’s network, disrupting attackers’ command-and-control of implanted malicious code, and establishing an adaptive, continuous defense


• The five critical tenets of an effective cyber defense system as reflected in the CIS Critical Security Controls are:

• Offense informs defense

• Prioritization

• Metrics

• Continuous diagnostics and mitigation

• Automation


• How to Get Started

• Step 1. Perform Initial Gap Assessment.

• Step 2. Develop an Implementation Roadmap

• Step 3. Implement the First Phase of Controls

• Step 4. Integrate Controls into Operations

• Step 5. Report and Manage Progress against the Implementation Roadmap


• Control #1

• Inventory of Authorized and Unauthorized Devices

• Key Principle Control:

• Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.


• The purpose of this Control is to help organizations define a baseline of what must be defended.

• Without an understanding of what devices and data are connected, they cannot be defended.


• Why is CIS Control 1 critical?

• Attackers are continuously scanning the address space of target organizations, waiting for new and unprotected systems to be attached to the network.

• Devices that are not visible from the Internet can be used by attackers who have already gained internal access and are hunting for internal jump points or victims.

• Looking for new or test systems


Critical Security Control #1: Inventory of Authorized and Unauthorized Devices

Family | Control | Control Description | Foundational / Advanced
System | 1.1 | Deploy an automated asset inventory discovery tool and use it to build a preliminary inventory of systems connected to an organization’s public and private network(s). Both active tools that scan through IPv4 or IPv6 network address ranges and passive tools that identify hosts based on analyzing their traffic should be employed. | Y; Use a mix of active and passive tools, and apply as part of a continuous monitoring program.
System | 1.2 | If the organization is dynamically assigning addresses using DHCP, then deploy dynamic host configuration protocol (DHCP) server logging, and use this information to improve the asset inventory and help detect unknown systems. | Y
System | 1.3 | Ensure that all equipment acquisitions automatically update the inventory system as new, approved devices are connected to the network. | Y
System | 1.4 | Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device. The inventory should include every system that has an Internet protocol (IP) address on the network, including but not limited to desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, Voice Over-IP telephones, multi-homed addresses, virtual addresses, etc. The asset inventory created must also include data on whether the device is a portable and/or personal device. Devices such as mobile phones, tablets, laptops, and other portable electronic devices that store or process data must be identified, regardless of whether they are attached to the organization’s network. | Y
System | 1.5 | Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network. The 802.1x must be tied into the inventory data to determine authorized versus unauthorized systems. | Y; Authentication mechanisms are closely coupled to management of hardware inventory
System | 1.6 | Use client certificates to validate and authenticate systems prior to connecting to the private network. | Y
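Added example (not part of the original slides): one way to apply sub-control 1.2, reconciling DHCP server log entries against the asset inventory fields listed in sub-control 1.4 to surface unknown systems. It assumes ISC dhcpd syslog lines; the log lines, MAC addresses, host names, owners and the reconcile() helper are all constructed for illustration.

```python
import re

# Constructed sample of ISC dhcpd syslog lines (illustrative, not real data).
SAMPLE_LOG = """\
Apr 19 08:01:12 dhcp01 dhcpd[812]: DHCPDISCOVER from 00:16:3e:aa:10:01 via eth0
Apr 19 08:01:13 dhcp01 dhcpd[812]: DHCPACK on 10.20.0.11 to 00:16:3e:aa:10:01 (FIN-LT-0042) via eth0
Apr 19 08:03:40 dhcp01 dhcpd[812]: DHCPACK on 10.20.0.57 to 00:16:3e:aa:10:02 via eth0
Apr 19 09:15:02 dhcp01 dhcpd[812]: DHCPACK on 10.20.0.98 to 0a:1b:2c:3d:4e:5f (raspberrypi) via eth0
Apr 19 09:47:31 dhcp01 dhcpd[812]: DHCPACK on 10.20.0.99 to 0a:1b:2c:3d:4e:5f (raspberrypi) via eth0
Apr 19 10:02:09 dhcp01 dhcpd[812]: DHCPACK on 10.20.0.120 to 00:16:3e:aa:10:03 (DESKTOP-7Q2L1) via eth0
"""

# Constructed inventory rows. MACs are deliberately written in the mixed
# formats that end up in spreadsheets and switch exports.
INVENTORY = [
    {"mac": "00-16-3E-AA-10-01", "name": "FIN-LT-0042", "owner": "j.doe", "department": "Finance"},
    {"mac": "0016.3eaa.1002", "name": "HR-PC-0007", "owner": "a.lee", "department": "HR"},
    {"mac": "00:16:3E:AA:10:03", "name": "ENG-SRV-0001", "owner": "ops", "department": "Engineering"},
    {"mac": "00:16:3e:aa:10:04", "name": "ENG-PRN-0003", "owner": "ops", "department": "Engineering"},
]

ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ dhcpd(?:\[\d+\])?: "
    r"DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9A-Fa-f:]{17})"
    r"(?: \((?P<host>[^)]*)\))? via \S+"
)


def normalize_mac(raw):
    """Return a MAC as lowercase colon-separated pairs, whatever the input style."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_acks(log_text):
    """Yield (timestamp, ip, mac, hostname-or-None) for each confirmed lease."""
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if m:
            yield m["ts"], m["ip"], normalize_mac(m["mac"]), m["host"]


def reconcile(log_text, inventory):
    """Compare leases handed out by the DHCP server with the asset inventory."""
    known = {normalize_mac(asset["mac"]): asset for asset in inventory}
    seen, unauthorized, mismatches = set(), {}, []
    for ts, ip, mac, host in parse_acks(log_text):
        seen.add(mac)
        asset = known.get(mac)
        if asset is None:
            # Not in the inventory: keep first-seen time and every lease it got.
            entry = unauthorized.setdefault(
                mac, {"first_seen": ts, "ips": [], "hostnames": set()})
            if ip not in entry["ips"]:
                entry["ips"].append(ip)
            if host:
                entry["hostnames"].add(host)
        elif host and host.lower() != asset["name"].lower():
            # Known MAC announcing an unexpected name: wrong record or a cloned MAC.
            mismatches.append((mac, asset["name"], host))
    # Inventoried devices that never requested a lease in this log window.
    not_seen = sorted(a["name"] for m, a in known.items() if m not in seen)
    return {"unauthorized": unauthorized, "name_mismatch": mismatches, "not_seen": not_seen}


if __name__ == "__main__":
    report = reconcile(SAMPLE_LOG, INVENTORY)
    for mac, info in report["unauthorized"].items():
        print("UNAUTHORIZED", mac, info["first_seen"], info["ips"], sorted(info["hostnames"]))
    for mac, expected, got in report["name_mismatch"]:
        print("NAME MISMATCH", mac, "inventory:", expected, "dhcp:", got)
    print("NOT SEEN", report["not_seen"])
```

DHCP logs only cover devices that request a lease, so statically addressed systems still need the active and passive discovery described in sub-control 1.1.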


• CSC 1 Procedures and Tools

• The Control requires both technical and procedural actions;

• It is critical for all devices to have an accurate and up-to-date inventory control system in place (Excel, database, manual or commercial automatic tool) with device details/owners

• Securely pull device details (MAC) from switches, routers, APs, DHCP, servers, and SPAN ports

• Scanning tools (active/passive) every 12 hours, ICMP sweep, fingerprinting

• Standard device naming conventions can help so unrecognized device names stand out

• Maturity progresses from manual to automated, monitored and measured

• Place a new device on the network monthly to test the effectiveness of tools/procedures


• CSC 1 Procedures and Tools

• Ensure that network inventory monitoring tools keep the asset inventory up to date on a real-time basis

• Look for deviations from the expected inventory of assets on the network, and alert security

• Secure the asset inventory database and ensure that asset information is encrypted.

• Limit access to these systems to authorized personnel only, and carefully log all such access.

• For additional security, a secure copy of the asset inventory may be kept in an off-line system.


• CSC 1 Procedures and Tools

• In addition to an inventory of hardware, organizations should develop an inventory of data/information assets and map critical information to the hardware assets

• A department and individual responsible for each data asset should be identified, recorded, and tracked.

• To evaluate the effectiveness of automated asset inventory tools, periodically attach several hardened computer systems not already included in asset inventories to the network and measure the delay before each device connection is disabled or the installers confronted.

• Advanced: The organization’s asset inventory should include removable media devices, including USB sticks, external hard drives, and other related information storage devices.


CSC 1.1 Requirement: Inventory of Authorized and Unauthorized devices

CSC 1.1 Procedure: Asset Inventory

The organization:

1. Departments will document and clearly define what authorized and unauthorized devices are in their respective areas.

2. Departments will update the Assets inventory reports and auditors of inventory devices.

3. Departments will spot check devices monthly to ensure that they are authorized.

Metrics:

1. The IT department will maintain a list of de-authorized devices.

2. The IT department will spot check each department every 6 months.


Sub-Control Description Control Security Technology Controls

1 | Inventory of Authorized and Unauthorized Devices | Active Device Discovery System | Tenable, Qualys, Infoblox NetMRI, ForeScout
2 | Inventory of Authorized and Unauthorized Devices | Passive Device Discovery System | Tenable, Qualys, Infoblox NetMRI, ForeScout
3 | Inventory of Authorized and Unauthorized Devices | Log Management System / SIEM | LogRhythm, Splunk
4 | Inventory of Authorized and Unauthorized Devices | Asset Inventory System | Tenable, Qualys, Infoblox NetMRI, ForeScout, Db, Excel
5 | Inventory of Authorized and Unauthorized Devices | Network Level Authentication (NLA) | Tenable, Qualys, Infoblox NetMRI, ForeScout, Juniper
6 | Inventory of Authorized and Unauthorized Devices | Public Key Infrastructure (PKI) | Microsoft


• Inventory of Authorized and Unauthorized Devices

1-1 - Deploy an automated asset inventory discovery tool

Free Tools

• Spiceworks - active scanning.

• AlienVault OSSIM - Inventorying

• Open-AudIT - An open source inventorying and auditing platform

• OpenNMS - Open Network Management System

• Windows DHCP Server Audit Event Tool - This tool can be used by Admins to view all the events generated by DHCP Server directly

• Linux DHCP Server Config and Logging - CentOS DHCP Server


• 1-5 - Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network. The 802.1x must be tied into the inventory data to determine authorized versus unauthorized systems.

Free Tools

• Windows NPS Server Role - Just beware that NAP is deprecated in Windows 10, so you will need a 3rd party NAP client.

• FreeRADIUS & 802.1x - How to setup 802.1x with FreeRADIUS.

• SANS guide to deploy 802.1x

• Group Policy for Wireless 802.1x - Group Policy for Wired 802.1x

• 802.1x standard on most switches

Enterprise tools

• Cisco ISE


• 1-6 - Deploy network access control (NAC) to monitor authorized systems so if attacks occur, the impact can be remediated by moving the untrusted system to a virtual local area network that has minimal access.

Free Tools

• PacketFence - Flagship of open source Network Access Control (NAC).

• OpenNAC - Open source network access control that provides secure access for LAN/WAN.

Commercial Tools

• Forescout - Offers health checks before authenticating supplicants to your network. For wired and wireless networks.

• Microsoft SCCM - NAC with health checks is but one small piece of the SCCM


# | CIS Critical Security Controls | Customer solution? | Budgeted 2018? | Reviewed solutions? | SynerComm Solutions
1 | Inventory of Authorized and Unauthorized Devices | | | | Tenable, Qualys, Infoblox, Forescout
2 | Inventory of Authorized and Unauthorized Software | | | | Tenable, Qualys, Infoblox, Carbonblack
3 | Secure Configuration of end-user devices | | | | Tenable, Rapid7
4 | Continuous Vulnerability & remediation | | | | Qualys, Tenable, Rapid7
5 | Controlled Use of Administrative privileges | | | | Centrify, CyberArk, BeyondTrust, Okta
6 | Maintenance, Monitoring and Analysis of Audit Logs | | | | SolarWinds, LogRhythm
7 | Email and Web Browser Protection | | | | Barracuda, Proofpoint, zScaler, Fireeye (Web - Palo, Checkpoint, Forcepoint)
8 | Malware Defense | | | | Bitdefender, carbonblack, PaloAlto TRAPS, Sophos, TrendMicro
9 | Limitation & Control of network Ports, protocols, and Service | | | | PaloAlto, Juniper, Checkpoint, Fortinet
10 | Data Recovery Capability | | | | Barracuda
11 | Secure Configuration of Network Devices | | | | SynerComm Config Assurance, A&A, Firemon, RedSeal, Tenable, Rapid7
12 | Boundary Defense | | | | PaloAlto, Juniper, Checkpoint, Fortinet
13 | Data Protection | | | | Rapid7, tenable, Imperva, Infoblox, PaloAlto
14 | Controlled Access Based on Need to Know | | | | Centrify, OKTA
15 | Wireless Access Control | | | | Aerohive with 802.1x & WIPS/FW
16 | Account Monitoring and Control | | | | Centrify, Beyond Trust, OKTA
17 | Security Skills Assessment and Appropriate Training | | | | A&A training
18 | Application Software Security | | | | Rapid7, Splunk
19 | Incident Response and Management | | | | Rapid7, redseal, A&A
20 | Penetration Tests and Red Team Exercises | | | | A&A


• Center for Internet Security (CIS): https://www.cisecurity.org/

• NIST Cyber Security Framework (CSF): http://www.nist.gov/cyberframework/

• CIS Critical Security Controls (CSC): https://www.cisecurity.org/critical-controls.cfm

• Auditscripts resources (provided by James Tarala, CSC Editor): https://www.auditscripts.com/free-resources/critical-security-controls/

• CSF planning spreadsheet: http://www.tenable.com/whitepapers/nist-csf-implementation-planning-tool


• CISsecurity.org JOIN!!


Thank you for Attending.

Hope you can join us for the Complete CIS Top 20 CSC
