Tech TV
Series
COLLABORATE, INNOVATE,
VALIDATE CIS Top 20
#1
Inventory of Authorized and
Unauthorized Devices
Lisa Niles – CISSP, Chief Solution Architect
1
TECHTVSERIES
COLLABORATE,INNOVATE,VALIDATE
CIS Top 20 Critical Security Controls
“Monitor, detect, analyze, protect, report, and respond against known vulnerabilities, known & unknown attacks, and exploitations” and “continuously test and evaluate information and the security controls and techniques to ensure that they are effectively implemented.”
• The control areas in the CIS CSC focus on various technical aspects of information security.
• Their primary goal is to support organizations in prioritizing their efforts in defending against today’s most common and damaging attacks.
• Outside of the technical realm, a comprehensive security program should also take into account:
  • Numerous additional areas of security, including overall policy, organizational structure, personnel issues (e.g., background checks), and physical security.
• To help maintain focus, the controls in this document do not deal with these important, but non-technical, aspects of information security.
• Organizations should build a comprehensive approach in these other aspects of security as well.
• What is an IT security framework?
  • An information security framework is a series of documented processes that are used to define policies and procedures around the implementation and ongoing management of information security controls in an enterprise environment.
  • These frameworks are basically a "blueprint" for building an information security program to manage risk and reduce vulnerabilities. Information security teams can utilize these frameworks to define and prioritize the tasks required to build security into an organization.
  • Examples: the NIST Cybersecurity Framework, NIST guidelines, and the ISO 27000 series, or regulations such as PCI DSS, HIPAA, NERC CIP, and FISMA.
Understanding the CIS Critical Security Controls
• In 2008, the Center for Internet Security’s Critical Security Controls (“CIS Controls”) were created.
  • A collaboration between representatives from the U.S. government and private sector security & research organizations.
  • A set of practical defenses specifically targeted toward stopping cyber attacks.
• The CIS Controls were crafted to answer the frequent question:
  • “Where should I start when I want to improve my cyber defenses?”
• The CIS CSC Relationship to Other Federal Guidelines, Recommendations, and Requirements
  • Once companies have addressed the 20 Critical Controls, it is recommended that the NIST 800-53 guidelines be used to ensure that they have assessed and implemented an appropriate set of management controls.
  • The CIS controls are meant to reinforce and prioritize some of the most important elements of other frameworks, guidelines, standards, and requirements put forth in other US Government documentation, such as NIST Special Publication 800-53: Recommended Security Controls for Federal Information Systems, SCAP, FDCC, FISMA, and Department of Homeland Security Software Assurance documents.
Guiding principles used in devising these control areas and their associated sub-controls include:
• Defenses should focus on addressing the most common and damaging attacks.
• Enterprise environments must ensure consistent controls across an enterprise to effectively negate attacks.
• Defenses should be automated where possible, and periodically or continuously measured using automated measurement techniques where feasible.
• Getting Started: Ask and Answer Key Questions
• What am I trying to protect?
• Where are my gaps?
• What are my priorities?
• Where can I automate?
• How can my vendor partners help?
• General Guidance for Implementing the Controls:
  • Carefully plan.
  • Build an organizational structure for the program’s success.
  • Establish a “Governance, Risk, and Compliance (GRC)” program.
  • Assign program managers.
• There are a few practical considerations an organization should make when embarking on this journey. Specifically, an organization should:
  • Make a formal, top-level decision to make the CIS Controls part of the organization’s standard.
    • Senior management provides support and accountability.
  • Assign a program manager.
    • This person will be responsible for the long-term maintenance of cyber defenses.
  • Start with a gap analysis.
  • Develop an implementation plan.
  • Document the long-term plan (3-5 years).
  • Embed the definitions of the CIS Controls into the organization’s security policies.
  • Educate the workforce on the organization’s security goals and enlist their help as a part of the long-term defense of the organization’s data.
• Successful implementation of the Controls will require many organizations to shift their mindset on security and how they approach IT operations and defense.
  • No longer can employees be allowed to install software at random or travel with sensitive data in their pockets.
• It has been established that the cultural acceptance of changes needed to implement the technical controls is a necessary prerequisite for success.
  • This is probably the most significant obstacle most organizations need to overcome.
• The Controls are not limited to blocking the initial compromise of systems.
  • Detecting already-compromised machines and preventing or disrupting attackers’ follow-on actions.
  • Reducing the initial attack surface by hardening device configurations, identifying compromised machines to address long-term threats inside an organization’s network, disrupting attackers’ command-and-control of implanted malicious code, and establishing an adaptive, continuous defense.
• The five critical tenets of an effective cyber defense system as reflected in the CIS Critical Security Controls are:
• Offense informs defense
• Prioritization
• Metrics
• Continuous diagnostics and mitigation
• Automation
• How to Get Started
  • Step 1. Perform Initial Gap Assessment.
  • Step 2. Develop an Implementation Roadmap.
  • Step 3. Implement the First Phase of Controls.
  • Step 4. Integrate Controls into Operations.
  • Step 5. Report and Manage Progress against the Implementation Roadmap.
• Control #1: Inventory of Authorized and Unauthorized Devices
  • Key Principle Control:
    • Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
• The purpose of this Control is to help organizations define a baseline of what must be defended.
• Without an understanding of what devices and data are connected, they cannot be defended.
• Why is CIS Control 1 critical?
  • Attackers are continuously scanning the address space of target organizations, waiting for new and unprotected systems to be attached to the network.
  • Devices that are not visible from the Internet can be used by attackers who have already gained internal access and are hunting for internal jump points or victims.
  • Looking for new or test systems.
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
(Columns of the original table: Family, Control, Control Description, Foundational, Advanced)

1.1 (Family: System; Foundational: Y)
    Deploy an automated asset inventory discovery tool and use it to build a preliminary inventory of systems connected to an organization’s public and private network(s). Both active tools that scan through IPv4 or IPv6 network address ranges and passive tools that identify hosts based on analyzing their traffic should be employed.
    Advanced: Use a mix of active and passive tools, and apply as part of a continuous monitoring program.

1.2 (Family: System; Foundational: Y)
    If the organization is dynamically assigning addresses using DHCP, then deploy dynamic host configuration protocol (DHCP) server logging, and use this information to improve the asset inventory and help detect unknown systems.

1.3 (Family: System; Foundational: Y)
    Ensure that all equipment acquisitions automatically update the inventory system as new, approved devices are connected to the network.

1.4 (Family: System; Foundational: Y)
    Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device. The inventory should include every system that has an Internet protocol (IP) address on the network, including but not limited to desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, Voice over IP telephones, multi-homed addresses, virtual addresses, etc. The asset inventory created must also include data on whether the device is a portable and/or personal device. Devices such as mobile phones, tablets, laptops, and other portable electronic devices that store or process data must be identified, regardless of whether they are attached to the organization’s network.

1.5 (Family: System; Foundational: Y)
    Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network. The 802.1x must be tied into the inventory data to determine authorized versus unauthorized systems.
    Advanced: Authentication mechanisms are closely coupled to management of hardware inventory.

1.6 (Family: System; Foundational: Y)
    Use client certificates to validate and authenticate systems prior to connecting to the private network.
• CSC 1 Procedures and Tools
  • The Control requires both technical and procedural actions.
  • It is critical for all devices to have an accurate and up-to-date inventory control system in place (Excel, database, manual or commercial automatic tool) with device details and owners.
  • Securely pull device details (MAC addresses) from switches, routers, access points, DHCP servers, servers, and SPAN ports.
  • Run scanning tools (active/passive) every 12 hours: ICMP sweep, fingerprinting.
  • Standard device naming conventions help, so that unrecognized device names stand out.
  • Maturity progresses from manual, to automated, to monitored and measured.
  • Place a new device on the network monthly to test the effectiveness of the tools and procedures.
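The procedure bullets above (pull MAC addresses from switches and DHCP, compare them against the inventory, make unrecognized names stand out) reduce to a small reconciliation job. The following Python is an added example written for this page, not SynerComm's or CIS's code: the inventory records, the dhcpd-style DHCPACK log lines, the Cisco-style MAC address table and the SITE-DEPT-ROLEnn naming convention are all constructed samples, and a real deployment would read the same inputs from the DHCP server log and the switches' management interfaces.

```python
import re

# Constructed authorized inventory with the CSC 1.4 fields, keyed by MAC address.
# Every value here is sample data for this example, not a real network.
AUTHORIZED_INVENTORY = {
    "00:11:22:33:44:01": {"name": "MKE-FIN-WS001", "ip": "10.10.5.21", "purpose": "finance workstation",
                          "owner": "j.doe", "department": "Finance", "portable": True},
    "00:11:22:33:44:02": {"name": "MKE-NET-SW01", "ip": "10.10.0.2", "purpose": "access switch",
                          "owner": "netops", "department": "IT", "portable": False},
    "00:11:22:33:44:03": {"name": "MKE-OPS-PRN01", "ip": "10.10.5.40", "purpose": "printer",
                          "owner": "facilities", "department": "Operations", "portable": False},
}

# Assumed naming standard SITE-DEPT-ROLEnn; a hostname that fails it stands out as unmanaged.
NAME_PATTERN = re.compile(r"^[A-Z]{3}-[A-Z]{2,4}-[A-Z]{2,3}\d{2,3}$")

# ISC dhcpd style lease acknowledgement (DISCOVER/OFFER/REQUEST lines carry no final address and are skipped).
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?"
)
# Cisco style 'show mac address-table' data row: VLAN, dotted MAC, type, port.
MAC_TABLE_RE = re.compile(
    r"^\s*\d+\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(?P<port>\S+)\s*$"
)

# Constructed sample inputs.
SAMPLE_DHCP_LOG = [
    "Mar  3 08:12:01 dhcp1 dhcpd: DHCPACK on 10.10.5.21 to 00:11:22:33:44:01 (MKE-FIN-WS001) via eth0",
    "Mar  3 08:12:44 dhcp1 dhcpd: DHCPACK on 10.10.5.77 to 0c:9d:92:aa:bb:cc (Johns-iPhone) via eth0",
    "Mar  3 08:13:10 dhcp1 dhcpd: DHCPDISCOVER from 0c:9d:92:aa:bb:cc via eth0",
    "Mar  3 08:15:22 dhcp1 dhcpd: DHCPACK on 10.10.5.90 to 00:11:22:33:44:03 (MKE-OPS-PRN01) via eth0",
]
SAMPLE_MAC_TABLE = [
    "Vlan    Mac Address       Type        Ports",
    "----    -----------       --------    -----",
    "  10    0011.2233.4401    DYNAMIC     Gi1/0/5",
    "  10    0c9d.92aa.bbcc    DYNAMIC     Gi1/0/12",
    "  10    d4ad.1234.5678    DYNAMIC     Gi1/0/19",   # static IP, never shows up in DHCP
]


def normalize_mac(raw: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff or aa-bb-cc-dd-ee-ff; return lower-case colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_dhcp_log(lines):
    """Return {mac: {'ip', 'hostname'}} from DHCPACK lines; later leases overwrite earlier ones."""
    leases = {}
    for line in lines:
        m = DHCPACK_RE.search(line)
        if m:
            leases[normalize_mac(m.group("mac"))] = {"ip": m.group("ip"), "hostname": m.group("host") or ""}
    return leases


def parse_mac_table(lines):
    """Return {mac: port} from a Cisco-style MAC address table dump; header rows do not match."""
    ports = {}
    for line in lines:
        m = MAC_TABLE_RE.match(line)
        if m:
            ports[normalize_mac(m.group("mac"))] = m.group("port")
    return ports


def reconcile(inventory, leases, ports):
    """Compare what the network actually shows against the authorized inventory."""
    observed = set(leases) | set(ports)
    report = {
        "unauthorized": {},                                   # seen on the wire, not in inventory
        "not_observed": sorted(set(inventory) - observed),    # in inventory, not seen (stale record or offline)
        "name_violations": {},                                # hostnames outside the naming standard
        "ip_mismatch": {},                                    # inventory says one address, DHCP handed out another
    }
    for mac in sorted(observed):
        lease = leases.get(mac, {})
        if mac not in inventory:
            report["unauthorized"][mac] = {"ip": lease.get("ip"), "hostname": lease.get("hostname"),
                                           "port": ports.get(mac)}
        elif lease and lease["ip"] != inventory[mac]["ip"]:
            report["ip_mismatch"][mac] = (inventory[mac]["ip"], lease["ip"])
    for mac, lease in leases.items():
        if lease["hostname"] and not NAME_PATTERN.match(lease["hostname"]):
            report["name_violations"][mac] = lease["hostname"]
    return report


def run_example():
    """Reconcile the constructed samples; each non-empty bucket is an alert for the security team."""
    return reconcile(AUTHORIZED_INVENTORY, parse_dhcp_log(SAMPLE_DHCP_LOG), parse_mac_table(SAMPLE_MAC_TABLE))


if __name__ == "__main__":
    import json
    print(json.dumps(run_example(), indent=2))
```

The two unauthorized hits come from different sources: the phone is only visible because it took a DHCP lease, while the statically addressed host on Gi1/0/19 is only visible in the switch table, which is why the control asks for both DHCP logging (1.2) and active/passive discovery (1.1) rather than either alone. The `not_observed` bucket is the reverse check: an inventory record nobody has seen for a while is a candidate for de-authorization.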
• CSC 1 Procedures and Tools
  • Ensure that network inventory monitoring tools keep the asset inventory up to date on a real-time basis.
  • Look for deviations from the expected inventory of assets on the network, and alert security.
  • Secure the asset inventory database and ensure the asset information is encrypted.
  • Limit access to these systems to authorized personnel only, and carefully log all such access.
  • For additional security, a secure copy of the asset inventory may be kept in an off-line system.
• CSC 1 Procedures and Tools
  • In addition to an inventory of hardware, organizations should develop an inventory of data/information assets and map critical information to the hardware assets.
  • A department and individual responsible for each data asset should be identified, recorded, and tracked.
  • To evaluate the effectiveness of automated asset inventory tools, periodically attach several hardened computer systems not already included in asset inventories to the network and measure the delay before each device connection is disabled or the installers confronted.
  • Advanced: The organization’s asset inventory should include removable media devices, including USB sticks, external hard drives, and other related information storage devices.
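The effectiveness test above (attach hardened systems that are not in the inventory, then measure how long it takes until each connection is disabled or the installer is confronted) only becomes a metric once the timestamps are collected and reduced. The Python below is an added example for this page, not SynerComm's or CIS's tooling: the event stream, host names and the 30-minute containment target are constructed sample values, and a real run would pull the same "connected / discovered / alerted / disabled" timestamps from the tester's notes, the discovery tool and the SIEM.

```python
from datetime import datetime

# Constructed event log from one rogue-device test: three hardened test hosts
# plugged in at 09:00, followed by whatever the tooling and the team did about them.
# Sample data for this example, not real telemetry.
TEST_EVENTS = [
    ("2018-02-05T09:00:00", "test-host-a", "connected"),   # tester plugs the device in
    ("2018-02-05T09:04:30", "test-host-a", "discovered"),  # discovery tool lists it
    ("2018-02-05T09:06:00", "test-host-a", "alerted"),     # security team notified
    ("2018-02-05T09:21:00", "test-host-a", "disabled"),    # port shut or quarantined
    ("2018-02-05T09:00:00", "test-host-b", "connected"),
    ("2018-02-05T10:30:00", "test-host-b", "discovered"),  # only found on the next scheduled scan
    ("2018-02-05T10:31:00", "test-host-b", "alerted"),     # alert raised, nobody acted
    ("2018-02-05T09:00:00", "test-host-c", "connected"),   # never noticed at all
]

# Either terminal outcome the slide names counts as containment.
CONTAINMENT_STATES = {"disabled", "confronted"}


def _ts(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")


def measure_delays(events):
    """Per test host: minutes from 'connected' to discovery, alert and containment (None if it never happened)."""
    by_host = {}
    for stamp, host, state in events:
        key = "contained" if state in CONTAINMENT_STATES else state
        seen = by_host.setdefault(host, {})
        when = _ts(stamp)
        if key not in seen or when < seen[key]:   # keep the earliest occurrence of each state
            seen[key] = when
    results = {}
    for host, states in by_host.items():
        start = states.get("connected")
        if start is None:
            continue   # no baseline timestamp, nothing to measure against
        results[host] = {}
        for label, state in (("time_to_discover_min", "discovered"),
                             ("time_to_alert_min", "alerted"),
                             ("time_to_contain_min", "contained")):
            t = states.get(state)
            results[host][label] = None if t is None else (t - start).total_seconds() / 60
    return results


def summarize(results, contain_sla_min=30):
    """Roll the per-host numbers up into the figures reported to the program manager."""
    contained = {h: r["time_to_contain_min"] for h, r in results.items()
                 if r["time_to_contain_min"] is not None}
    return {
        "hosts_tested": len(results),
        "hosts_discovered": sum(1 for r in results.values() if r["time_to_discover_min"] is not None),
        "hosts_contained": len(contained),
        "contained_within_sla": sum(1 for m in contained.values() if m <= contain_sla_min),
        "never_contained": sorted(h for h in results if h not in contained),   # each one is a gap to explain
        "worst_time_to_contain_min": max(contained.values()) if contained else None,
    }


if __name__ == "__main__":
    per_host = measure_delays(TEST_EVENTS)
    for host, r in sorted(per_host.items()):
        print(host, r)
    print(summarize(per_host))
```

Reporting `never_contained` separately from the averages matters: a mean time-to-contain computed only over the hosts that were caught hides the hosts that were not, and in this constructed run two of the three test devices are still on the network.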
CSC 1.1 Requirement: Inventory of Authorized and Unauthorized Devices
CSC 1.1 Procedure: Asset Inventory
The organization:
1. Departments will document and clearly define what authorized and unauthorized devices are in their respective areas.
2. Departments will update the asset inventory reports and auditors of inventory devices.
3. Departments will spot check devices monthly to ensure that they are authorized.
Metrics:
1. The IT department will maintain a list of de-authorized devices.
2. The IT department will spot check each department every 6 months.
Sub-Control | Description | Control | Security Technology Controls
1 | Inventory of Authorized and Unauthorized Devices | Active Device Discovery System | Tenable, Qualys, Infoblox NetMRI, ForeScout
2 | Inventory of Authorized and Unauthorized Devices | Passive Device Discovery System | Tenable, Qualys, Infoblox NetMRI, ForeScout
3 | Inventory of Authorized and Unauthorized Devices | Log Management System / SIEM | LogRhythm, Splunk
4 | Inventory of Authorized and Unauthorized Devices | Asset Inventory System | Tenable, Qualys, Infoblox NetMRI, ForeScout, database, Excel
5 | Inventory of Authorized and Unauthorized Devices | Network Level Authentication (NLA) | Tenable, Qualys, Infoblox NetMRI, ForeScout, Juniper
6 | Inventory of Authorized and Unauthorized Devices | Public Key Infrastructure (PKI) | Microsoft
• Inventory of Authorized and Unauthorized Devices
1-1 - Deploy an automated asset inventory discovery tool
Free Tools
• Spiceworks - active scanning.
• AlienVault OSSIM - inventorying.
• OpenAudIT - all open source inventorying and auditing platform.
• OpenNMS - Open Network Management System.
• Windows DHCP Server Audit Event Tool - this tool can be used by admins to view all the events generated by the DHCP Server directly.
• Linux DHCP Server config and logging - CentOS DHCP Server.
• 1-5 - Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network. The 802.1x must be tied into the inventory data to determine authorized versus unauthorized systems.
Free Tools
• Windows NPS Server Role - just beware that NAP is deprecated in Windows 10, so you will need a third-party NAP client.
• FreeRADIUS & 802.1x - how to set up 802.1x with FreeRADIUS.
• SANS guide to deploying 802.1x.
• Group Policy for Wireless 802.1x - Group Policy for Wired 802.1x.
• 802.1x is standard on most switches.
Enterprise tools
• Cisco ISE
• 1-6 - Deploy network access control (NAC) to monitor authorized systems so that if attacks occur, the impact can be remediated by moving the untrusted system to a virtual local area network that has minimal access.
Free Tools
• PacketFence - flagship of open source Network Access Control (NAC).
• OpenNAC - open source network access control that provides secure access for LAN/WAN.
Commercial Tools
• Forescout - offers health checks before authenticating supplicants to your network, for wired and wireless networks.
• Microsoft SCCM - NAC with health checks is but one small piece of SCCM.
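Sub-controls 1.5 and 1.6 together describe a decision the RADIUS/NAC server makes on every connection attempt: is this device in the inventory, does its client certificate match the inventory record, is it healthy, and which VLAN does it get. The Python below is an added example written for this page, not the code of any product named above (FreeRADIUS, NPS, ISE, PacketFence or Forescout): the inventory, the VLAN numbers and the RADIUS-like request dictionaries are constructed samples, and the posture result is assumed to come from a health-check agent that is out of scope here.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed hardware inventory keyed by MAC (sample data, not a real network).
# 'supplicant' records whether the device can do 802.1X itself; devices that cannot
# (printers, phones) are the only ones allowed in on MAC Authentication Bypass (MAB).
INVENTORY = {
    "00:11:22:33:44:01": {"name": "MKE-FIN-WS001", "type": "workstation", "supplicant": True,  "vlan": 10},
    "00:11:22:33:44:03": {"name": "MKE-OPS-PRN01", "type": "printer",     "supplicant": False, "vlan": 30},
    "00:11:22:33:44:05": {"name": "MKE-HR-WS007",  "type": "workstation", "supplicant": True,  "vlan": 10},
}
QUARANTINE_VLAN = 999    # minimal access: self-registration portal and help desk only (assumed number)
REMEDIATION_VLAN = 998   # patch and AV servers only, for known hosts that fail the health check (assumed)


@dataclass
class Decision:
    access: str            # "accept" or "reject", i.e. Access-Accept / Access-Reject
    vlan: Optional[int]    # VLAN the switch port is told to use; None on reject
    reason: str            # goes to the authentication log for CSC 1.4's audit trail


def cert_host(cn: str) -> str:
    """Strip the domain from a certificate CN such as 'MKE-FIN-WS001.corp.example'."""
    return cn.split(".")[0].upper()


def authorize(request: dict, today: date) -> Decision:
    """Decide what the RADIUS server returns for one authentication attempt.

    `request` is a constructed dict standing in for RADIUS attributes:
      mac, method ('EAP-TLS' or 'MAB'), and for EAP-TLS also
      cert_cn, cert_not_after (ISO date) and posture_ok (result of the health check).
    """
    mac = request["mac"].lower()
    record = INVENTORY.get(mac)
    if record is None:
        # Unknown hardware: land it on the quarantine VLAN so it is visible and can be dealt with,
        # rather than rejecting it outright and learning nothing.
        return Decision("accept", QUARANTINE_VLAN, "MAC not in inventory")

    if request["method"] == "EAP-TLS":
        if date.fromisoformat(request["cert_not_after"]) < today:
            return Decision("reject", None, "client certificate expired")
        presented = cert_host(request["cert_cn"])
        if presented != record["name"]:
            # A valid certificate, but issued to a different inventory entry than this MAC: untrusted.
            return Decision("accept", QUARANTINE_VLAN,
                            f"certificate for {presented} presented from {record['name']}")
        if not request.get("posture_ok", False):
            return Decision("accept", REMEDIATION_VLAN, "health check failed")
        return Decision("accept", record["vlan"], "authorized device, healthy")

    if request["method"] == "MAB":
        if record["supplicant"]:
            # A device the inventory says runs a supplicant should never fall back to MAB; treat as untrusted.
            return Decision("accept", QUARANTINE_VLAN, "MAB from a device that should use 802.1X")
        return Decision("accept", record["vlan"], f"inventoried {record['type']} on MAB")

    return Decision("reject", None, f"unsupported method {request['method']}")


if __name__ == "__main__":
    today = date(2018, 6, 1)   # constructed evaluation date
    for req in [
        {"mac": "00:11:22:33:44:01", "method": "EAP-TLS", "cert_cn": "MKE-FIN-WS001.corp.example",
         "cert_not_after": "2019-01-01", "posture_ok": True},
        {"mac": "00:11:22:33:44:03", "method": "MAB"},
        {"mac": "de:ad:be:ef:00:01", "method": "MAB"},
    ]:
        print(req["mac"], authorize(req, today))
```

The point of the `reason` field is that every decision, including the accepts, is logged: the inventory is what the authenticator trusts, so an authentication log that disagrees with the inventory (a certificate for one host arriving from another MAC, a workstation suddenly on MAB) is itself a deviation worth alerting on under the procedures slide earlier in the deck.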
CIS Critical Security Controls
(Worksheet columns: # | Control | Customer solution? | Budgeted 2018? | Reviewed solutions? | SynerComm Solutions. The three question columns are blank fields for the customer to fill in; only the control name and the SynerComm solutions column carry content.)
1 | Inventory of Authorized and Unauthorized Devices | Tenable, Qualys, Infoblox, Forescout
2 | Inventory of Authorized and Unauthorized Software | Tenable, Qualys, Infoblox, Carbon Black
3 | Secure Configuration of End-User Devices | Tenable, Rapid7
4 | Continuous Vulnerability Assessment & Remediation | Qualys, Tenable, Rapid7
5 | Controlled Use of Administrative Privileges | Centrify, CyberArk, BeyondTrust, Okta
6 | Maintenance, Monitoring and Analysis of Audit Logs | SolarWinds, LogRhythm
7 | Email and Web Browser Protection | Barracuda, Proofpoint, Zscaler, FireEye (Web: Palo Alto, Check Point, Forcepoint)
8 | Malware Defense | Bitdefender, Carbon Black, Palo Alto TRAPS, Sophos, Trend Micro
9 | Limitation & Control of Network Ports, Protocols, and Services | Palo Alto, Juniper, Check Point, Fortinet
10 | Data Recovery Capability | Barracuda
11 | Secure Configuration of Network Devices | SynerComm Config Assurance, A&A, FireMon, RedSeal, Tenable, Rapid7
12 | Boundary Defense | Palo Alto, Juniper, Check Point, Fortinet
13 | Data Protection | Rapid7, Tenable, Imperva, Infoblox, Palo Alto
14 | Controlled Access Based on Need to Know | Centrify, Okta
15 | Wireless Access Control | Aerohive with 802.1x & WIPS/FW
16 | Account Monitoring and Control | Centrify, BeyondTrust, Okta
17 | Security Skills Assessment and Appropriate Training | A&A training
18 | Application Software Security | Rapid7, Splunk
19 | Incident Response and Management | Rapid7, RedSeal, A&A
20 | Penetration Tests and Red Team Exercises | A&A
• Center for Internet Security (CIS): https://www.cisecurity.org/
• NIST Cyber Security Framework (CSF): http://www.nist.gov/cyberframework/
• CIS Critical Security Controls (CSC): https://www.cisecurity.org/critical-controls.cfm
• Auditscripts resources (provided by James Tarala, CSC Editor): https://www.auditscripts.com/free-resources/critical-security-controls/
• CSF planning spreadsheet: http://www.tenable.com/whitepapers/nist-csf-implementation-planning-tool
• CISsecurity.org JOIN!!
Thank you for Attending.
Hope you can join us for the Complete CIS Top 20 CSC

SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1

  • 1. Tech TV Series COLLABORATE, INNOVATE, VALIDATE CIS Top 20 #1 Inventory of Authorized and Unauthorized Devices Lisa Niles – CISSP, Chief Solution Architect 1
  • 2. TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls “Monitor, detect, analyze, protect, report, and respond against known vulnerabilities, known & unknown attacks, and exploitations” and “continuously test and evaluate information And the security controls and techniques to ensure that they are effectively implemented.” 2
  • 3. TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls • The control areas in the CIS CSC focus on various technical aspects of information security • Primary goal of supporting organizations in prioritizing their efforts in defending against today’s most common and damaging attacks. • Outside of the technical realm, a comprehensive security program should also take into account: • Numerous additional areas of security, including overall policy, organizational structure, personnel issues (e.g., background checks, etc.), and physical security. • To help maintain focus, the controls in this document do not deal with these important, but non-technical, aspects of information security. • Organizations should build a comprehensive approach in these other aspects of security as well 3
  • 4. TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE 4 CIS Top 20 Critical Security Controls • What is an IT security framework? • An information security framework is a series of documented processes that are used to define policies and procedures around the implementation and ongoing management of information security controls in an enterprise environment. • These frameworks are basically a "blueprint" for building an information security program to manage risk and reduce vulnerabilities. Information security teams can utilize these frameworks to define and prioritize the tasks required to build security into an organization. • NISTCybersecurity Framework, NIST guidelines, and the ISO 27000 series or regulations such as PCI DSS, HIPAA, NERC CIP, FISMA
  • 6. TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls Understanding the CIS Critical Security Controls • In 2008, the Center for Internet Security’s Critical Security Controls (“CIS Controls”) were created • A collaboration between representatives from the U.S. government and private sector security & research organizations. • A set of practical defenses specifically targeted toward stopping cyber attacks • The CIS Controls were crafted to answer the frequent question: • “Where should I start when I want to improve my cyber defenses?” 6
  • 7. TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls • The CIS CSC Relationship to Other Federal Guidelines, Recommendations, and Requirements • Once companies have addressed the 20 Critical Controls, it is recommended that NIST 800-53 guidelines be used to ensure that they have assessed and implemented an appropriate set of management controls • The CIS controls are meant to reinforce and prioritize some of the most important elements of other frameworks, guidelines, standards, and requirements put forth in other US Government documentation, such as NIST Special Publication 800-53: Recommended Security Controls for Federal Information Systems, SCAP, FDCC, FISMA, and Department of Homeland Security Software Assurance documents. 7
  • 8. TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls Guiding principles used in devising these control areas and their associated sub controls include: • Defenses should focus on addressing the most common and damaging attacks • Enterprise environments must ensure consistent controls across an enterprise to effectively negate attacks. • Defenses should be automated where possible, and periodically or continuously measured using automated measurement techniques where feasible. 8
  • 9. TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE •Getting Started: Ask and Answer Key Questions • What am I trying to protect? • Where are my gaps? • What are my priorities? • Where can I automate? • How can my vendor partners help? 9 CIS Top 20 Critical Security Controls
  • 10. TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls • General Guidance for Implementing the Controls: • Carefully plan. • Organizational structure for program’s success. • Establish a “Governance, Risk, and Compliance (GRC)” program. • Assigning program managers 10
  • 11. TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls • There are a few practical considerations an organization should make when embarking on this journey. Specifically, an organization should: • Make a formal, top-level decision to make the CIS Controls part of the organization’s standard • Senior management - support and accountability. • Assign a program manager • Who will be responsible for the long-term maintaining cyber defenses. • Start with a gap analysis • Develop an implementation plan • Document the long-term plan (3-5 years) • Embed the definitions of CIS Controls into organization’s security policies • Educate workforce on the organization’s security goals and enlist their help as a part of the long-term defense of the organization’s data. 11
  • 12. Successful implementation of the Controls will require many organizations to shift their mindset on security and how they approach IT operations and defense.
    • No longer can employees be allowed to install software at random or travel with sensitive data in their pockets.
    • It has been established that the cultural acceptance of changes needed to implement the technical controls is a necessary prerequisite for success.
    • This is probably the most significant obstacle most organizations need to overcome.
  • 13. The Controls are not limited to blocking the initial compromise of systems.
    • Detecting already-compromised machines and preventing or disrupting attackers’ follow-on actions.
    • Reducing the initial attack surface by hardening device configurations, identifying compromised machines to address long-term threats inside an organization’s network, disrupting attackers’ command-and-control of implanted malicious code, and establishing an adaptive, continuous defense.
  • 14. The five critical tenets of an effective cyber defense system as reflected in the CIS Critical Security Controls are:
    • Offense informs defense
    • Prioritization
    • Metrics
    • Continuous diagnostics and mitigation
    • Automation
  • 16. How to Get Started
    • Step 1. Perform Initial Gap Assessment.
    • Step 2. Develop an Implementation Roadmap.
    • Step 3. Implement the First Phase of Controls.
    • Step 4. Integrate Controls into Operations.
    • Step 5. Report and Manage Progress against the Implementation Roadmap.
  • 17. Control #1: Inventory of Authorized and Unauthorized Devices
    • Key Principle of the Control: Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
  • 18. The purpose of this Control is to help organizations define a baseline of what must be defended.
    • Without an understanding of what devices and data are connected, they cannot be defended.
  • 19. Why is CIS Control 1 critical?
    • Attackers are continuously scanning the address space of target organizations, waiting for new and unprotected systems to be attached to the network.
    • Devices that are not visible from the Internet can be used by attackers who have already gained internal access and are hunting for internal jump points or victims.
      • Looking for new or test systems.
  • 20. Critical Security Control #1: Inventory of Authorized and Unauthorized Devices (table columns: Family, Control, Control Description, Foundational, Advanced)
    • System 1.1: Deploy an automated asset inventory discovery tool and use it to build a preliminary inventory of systems connected to an organization’s public and private network(s). Both active tools that scan through IPv4 or IPv6 network address ranges and passive tools that identify hosts based on analyzing their traffic should be employed. [Y] Use a mix of active and passive tools, and apply as part of a continuous monitoring program.
    • System 1.2: If the organization is dynamically assigning addresses using DHCP, then deploy dynamic host configuration protocol (DHCP) server logging, and use this information to improve the asset inventory and help detect unknown systems. [Y]
    • System 1.3: Ensure that all equipment acquisitions automatically update the inventory system as new, approved devices are connected to the network. [Y]
    • System 1.4: Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device. The inventory should include every system that has an Internet protocol (IP) address on the network, including but not limited to desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, Voice-over-IP telephones, multi-homed addresses, virtual addresses, etc. The asset inventory created must also include data on whether the device is a portable and/or personal device. Devices such as mobile phones, tablets, laptops, and other portable electronic devices that store or process data must be identified, regardless of whether they are attached to the organization’s network. [Y]
    • System 1.5: Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network. The 802.1x must be tied into the inventory data to determine authorized versus unauthorized systems. [Y] Authentication mechanisms are closely coupled to management of hardware inventory.
    • System 1.6: Use client certificates to validate and authenticate systems prior to connecting to the private network. [Y]
  • 21. CSC 1 Procedures and Tools
    • The Control requires both technical and procedural actions.
    • It is critical for all devices to have an accurate and up-to-date inventory control system in place (Excel, database, manual or commercial automatic tool) with device details and owners.
    • Securely pull device details (MAC addresses) from switches, routers, APs, DHCP, servers, and SPAN ports.
    • Scanning tools (active/passive) every 12 hours: ICMP sweep, fingerprinting.
    • Standard device naming conventions can help so that unrecognized device names stand out.
    • Maturity progresses from manual to automated, monitored and measured.
    • Place a new device on the network monthly to test the effectiveness of tools and procedures.
  • 22. CSC 1 Procedures and Tools
    • Ensure that network inventory monitoring tools keep the asset inventory up to date on a real-time basis.
    • Look for deviations from the expected inventory of assets on the network, and alert security.
    • Secure the asset inventory database so that asset information is encrypted.
    • Limit access to these systems to authorized personnel only, and carefully log all such access.
    • For additional security, a secure copy of the asset inventory may be kept in an off-line system.
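The DHCP logging of sub-control 1.2, the naming-convention tip on slide 21 and the "look for deviations and alert" step on slide 22 can be combined into one small check. This is an added example, not code from the presentation or from any vendor listed; it assumes ISC dhcpd-style syslog lines and a hypothetical naming convention, and every log line and inventory entry below is constructed.

```python
import re

# Constructed sample DHCP server log (ISC dhcpd syslog format), not from the slides.
DHCP_LOG = """\
Jun 12 08:01:03 dhcp1 dhcpd: DHCPACK on 10.10.5.21 to 00:11:22:33:44:55 (ws-fin-0412) via eth0
Jun 12 08:02:17 dhcp1 dhcpd: DHCPACK on 10.10.5.22 to 00:11:22:33:44:66 (srv-web-01) via eth0
Jun 12 08:03:40 dhcp1 dhcpd: DHCPACK on 10.10.5.23 to de:ad:be:ef:00:01 (android-7f3c) via eth0
Jun 12 08:04:02 dhcp1 dhcpd: DHCPACK on 10.10.5.24 to 00:11:22:33:44:77 (mylaptop) via eth0
Jun 12 08:05:11 dhcp1 dhcpd: DHCPREQUEST for 10.10.5.21 from 00:11:22:33:44:55 via eth0
"""

# Constructed authorized inventory keyed by MAC (a subset of the CSC 1.4 fields).
INVENTORY = {
    "00:11:22:33:44:55": {"name": "ws-fin-0412", "owner": "finance"},
    "00:11:22:33:44:66": {"name": "srv-web-01", "owner": "web-ops"},
    "00:11:22:33:44:77": {"name": "ws-eng-0133", "owner": "engineering"},
}

# Assumed naming convention: ws|lt-<dept>-<4 digits> for endpoints, srv-<role>-<2 digits> for servers.
NAME_RE = re.compile(r"^(ws|lt)-[a-z]{2,5}-\d{4}$|^srv-[a-z0-9]+-\d{2}$")

# Only granted leases (DHCPACK) prove a device actually obtained an address.
ACK_RE = re.compile(r"DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9a-fA-F:]{17}) \((?P<host>[^)]*)\)")


def check_dhcp_log(log_text, inventory):
    """Return (mac, ip, hostname, reason) findings for every DHCPACK that deviates
    from the expected inventory: unknown MAC, hostname that disagrees with the
    inventory record, or hostname that breaks the naming convention."""
    findings = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue
        mac, ip, host = m["mac"].lower(), m["ip"], m["host"]
        asset = inventory.get(mac)
        if asset is None:
            findings.append((mac, ip, host, "unauthorized: MAC not in inventory"))
        elif host != asset["name"]:
            findings.append((mac, ip, host, "hostname mismatch: inventory says " + asset["name"]))
        if not NAME_RE.match(host):
            findings.append((mac, ip, host, "naming convention violated"))
    return findings


if __name__ == "__main__":
    for mac, ip, host, reason in check_dhcp_log(DHCP_LOG, INVENTORY):
        print(f"ALERT {ip} {mac} ({host}): {reason}")
```

In practice the inventory would be read from the asset database of slide 22 and the findings pushed to the SIEM listed on slide 27; the script reports the unknown Android device and the renamed engineering laptop, while the two inventoried hosts produce nothing.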
  • 23. CSC 1 Procedures and Tools
    • In addition to an inventory of hardware, organizations should develop an inventory of data/information assets that maps critical information to the hardware assets.
    • A department and individual responsible for each data asset should be identified, recorded, and tracked.
    • To evaluate the effectiveness of automated asset inventory tools, periodically attach several hardened computer systems not already included in asset inventories to the network and measure the delay before each device connection is disabled or the installers confronted.
    • Advanced: The organization’s asset inventory should include removable media devices, including USB sticks, external hard drives, and other related information storage devices.
  • 26. CSC 1.1 Requirement: Inventory of Authorized and Unauthorized Devices
    • CSC 1.1 Procedure: Asset Inventory. The organization:
      1. Departments will document and clearly define what authorized and unauthorized devices are in their respective areas.
      2. Departments will update the asset inventory reports and auditors of inventory devices.
      3. Departments will spot check devices monthly to ensure that they are authorized.
    • Metrics:
      1. The IT department will maintain a list of de-authorized devices.
      2. The IT department will spot check each department every 6 months.
  • 27. Control 1, Inventory of Authorized and Unauthorized Devices: sub-controls mapped to security technology (table columns: Sub-Control, Description, Control Security Technology, Controls)
    • 1: Active Device Discovery System (Tenable, Qualys, Infoblox NetMRI, ForeScout)
    • 2: Passive Device Discovery System (Tenable, Qualys, Infoblox NetMRI, ForeScout)
    • 3: Log Management System / SIEM (LogRhythm, Splunk)
    • 4: Asset Inventory System (Tenable, Qualys, Infoblox NetMRI, ForeScout, database, Excel)
    • 5: Network Level Authentication (NLA) (Tenable, Qualys, Infoblox NetMRI, ForeScout, Juniper)
    • 6: Public Key Infrastructure (PKI) (Microsoft)
  • 28. Inventory of Authorized and Unauthorized Devices, 1-1: Deploy an automated asset inventory discovery tool
    • Free Tools
      • Spiceworks - active scanning.
      • AlienVault OSSIM - inventorying.
      • OpenAudIT - all open source inventorying and auditing platform.
      • OpenNSM - Open Network Management System.
      • Windows DHCP Server Audit Event Tool - this tool can be used by admins to view all the events generated by the DHCP Server directly.
      • Linux DHCP Server Config and Logging - CentOS DHCP Server.
  • 29. 1-5: Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network. The 802.1x must be tied into the inventory data to determine authorized versus unauthorized systems.
    • Free Tools
      • Windows NPS Server Role - just beware that NAP is deprecated in Windows 10, so you will need a third-party NAP client.
      • FreeRADIUS & 802.1x - how to set up 802.1x with FreeRADIUS.
      • SANS guide to deploying 802.1x.
      • Group Policy for Wireless 802.1x; Group Policy for Wired 802.1x.
      • 802.1x standard on most switches.
    • Enterprise tools
      • Cisco ISE
  • 30. 1-6: Deploy network access control (NAC) to monitor authorized systems so that if attacks occur, the impact can be remediated by moving the untrusted system to a virtual local area network that has minimal access.
    • Free Tools
      • PacketFence - flagship of open source Network Access Control (NAC).
      • OpenNAC - open source Network Access Control that provides secure access for LAN/WAN.
    • Commercial Tools
      • Forescout - offers health checks before authenticating supplicants to your network, for wired and wireless networks.
      • Microsoft SCCM - NAC with health checks is but one small piece of SCCM.
  • 32. CIS Critical Security Controls worksheet (table columns: #, CIS Critical Security Control, Customer solution?, Budgeted 2018?, Reviewed solutions?, SynerComm Solutions; only the SynerComm Solutions column is filled in)
    • 1 Inventory of Authorized and Unauthorized Devices: Tenable, Qualys, Infoblox, Forescout
    • 2 Inventory of Authorized and Unauthorized Software: Tenable, Qualys, Infoblox, Carbon Black
    • 3 Secure Configuration of End-User Devices: Tenable, Rapid7
    • 4 Continuous Vulnerability Assessment & Remediation: Qualys, Tenable, Rapid7
    • 5 Controlled Use of Administrative Privileges: Centrify, CyberArk, BeyondTrust, Okta
    • 6 Maintenance, Monitoring and Analysis of Audit Logs: SolarWinds, LogRhythm
    • 7 Email and Web Browser Protection: Barracuda, Proofpoint, zScaler, FireEye (Web: Palo Alto, Checkpoint, Forcepoint)
    • 8 Malware Defense: Bitdefender, Carbon Black, Palo Alto TRAPS, Sophos, TrendMicro
    • 9 Limitation & Control of Network Ports, Protocols, and Services: Palo Alto, Juniper, Checkpoint, Fortinet
    • 10 Data Recovery Capability: Barracuda
    • 11 Secure Configuration of Network Devices: SynerComm Config Assurance, A&A, Firemon, RedSeal, Tenable, Rapid7
    • 12 Boundary Defense: Palo Alto, Juniper, Checkpoint, Fortinet
    • 13 Data Protection: Rapid7, Tenable, Imperva, Infoblox, Palo Alto
    • 14 Controlled Access Based on Need to Know: Centrify, Okta
    • 15 Wireless Access Control: Aerohive with 802.1x & WIPS/FW
    • 16 Account Monitoring and Control: Centrify, BeyondTrust, Okta
    • 17 Security Skills Assessment and Appropriate Training: A&A training
    • 18 Application Software Security: Rapid7, Splunk
    • 19 Incident Response and Management: Rapid7, RedSeal, A&A
    • 20 Penetration Tests and Red Team Exercises: A&A
  • 33. Resources
    • Center for Internet Security (CIS): https://www.cisecurity.org/
    • NIST Cyber Security Framework (CSF): http://www.nist.gov/cyberframework/
    • CIS Critical Security Controls (CSC): https://www.cisecurity.org/critical-controls.cfm
    • Auditscripts resources (provided by James Tarala, CSC Editor): https://www.auditscripts.com/free-resources/critical-security-controls/
    • CSF planning spreadsheet: http://www.tenable.com/whitepapers/nist-csf-implementation-planning-tool
  • 36. Thank you for attending. Hope you can join us for the complete CIS Top 20 CSC series.