by Dwayne Stewart
3:30 min read
The first two CIS Controls for Internet security address keeping an inventory of hardware and software. The third CIS Control deals with secure system configurations. Its central principle is that a strict process for change control and configuration management is necessary to prevent attackers from exploiting poorly set up hardware and software. The road inside should be a less navigable path for those coming from the outside.
The importance of configuration management
Accepting the default configuration in any installation rarely produces the most secure result. Defaults emphasize ease of deployment and use, and attackers know what to look for. A secure configuration turns off options which aren't necessary, changes names from the defaults, and limits access to what's necessary for usage.
It's especially important to turn off inherently insecure features. There's no good reason for modern systems to allow Telnet access or unencrypted FTP, nor should web servers provide directory listings to the browser.
Default accounts are a common vulnerability, even if they have custom passwords. Eliminating these accounts if they aren't needed, or renaming them if they are, reduces susceptibility to standard probes. Any and all "admin" accounts need to be rechristened.
Even devices that normally aren't considered computers need configuration management. A printer may directly accept print jobs via email, communicate by Bluetooth or run unused network services such as Telnet, FTP and SNMP. These services could provide an avenue of attack for a malicious user and they should be disabled if not used. Some services may be re-enabled after applying a firmware update or performing a hard reset, so continuous monitoring of these devices is important.
Establishing a standard, secure configuration of operating systems and applications provides consistency. This can be accomplished using installation scripts or directly installable system images. Containerized software is especially amenable to this approach.
The Center for Internet Security recommends creating standardized system images with hardened versions of the operating system and applications. This is an effective approach for multiple servers sharing the same tasks or as a baseline for desktop systems. Standard images need to be updated periodically as security patches are issued or new concerns arise. If a system becomes compromised, reinstalling the image is a quick way to get the software back to a known, good state.
Configuration management tools
Software automation tools are a huge help to configuration management. Manual deployments are time-consuming and error-prone. The larger a network is, the greater the value it gains from automating its configurations. Tools such as Puppet, PowerShell DSC and Windows Group Policy allow centralized automation of system configurations.
File integrity tools can check installed software using a digest or checksum to make sure it hasn't been altered. If there is an unexplained change, the software should be reinstalled and the machine checked for any other signs of a breach.
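The digest comparison described above, as an added example (not code from the original post or any particular file-integrity product): it snapshots the SHA-256 digest of every file under a directory, then classifies later differences as modified, added or removed. The demo tree and the "tampering" it performs are constructed in a temporary directory so the block runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, algorithm="sha256"):
    """Hex digest of a file, read in chunks so large binaries don't load into memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file (relative path) under root to its digest; this is the stored baseline."""
    root = Path(root)
    return {
        str(p.relative_to(root)): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_baseline(baseline, current):
    """Report unexplained changes: altered content, files that appeared, files that vanished."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo():
    """Constructed scenario: baseline a small install tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"original binary")
        (root / "app.conf").write_text("debug=false\n")
        baseline = build_baseline(root)

        # Simulated tampering: binary replaced, unexpected file dropped, config deleted.
        (root / "bin" / "app").write_bytes(b"replaced binary")
        (root / "dropper.sh").write_text("#!/bin/sh\n")
        (root / "app.conf").unlink()
        return compare_to_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In a real deployment the baseline would be written at image-build time and stored somewhere the monitored host cannot alter, since a baseline kept on the host is the first thing an intruder would refresh.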
Administrators should be able to run the tools from a single console through a secure channel. The less they need to visit machines in person, the more effective they'll be.
Being scanned is a fact of life. Internet-connected devices worldwide are continuously scanned for vulnerabilities by untold numbers of bots. Many of these vulnerabilities exist because of default or otherwise insecure configurations.
Many tools are available to scan software installations for weak points. Scanning master images periodically for vulnerabilities can call attention to the need for updates or tightened configurations.
Tools that follow the SCAP standard provide a consistent way of checking configurations against standard baselines. They will report any deviations; whether they are acceptable depends on company policy and the level of security needed. The report may include recommendations for fixing issues.
CIS benchmarks provide recommendations for secure configurations of various operating systems, applications and network devices. Many tools build their baselines on them.
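A minimal version of the baseline check that SCAP-style tools and benchmark-based scanners automate, written here as an added example (it is not code from the post, from CIS, or from any SCAP tool, and the baseline is a constructed one, not an actual CIS benchmark). It parses an sshd_config-style snapshot, compares it with required values, and also flags the earlier points in this post: inherently insecure services left enabled and default account names still present.

```python
import re

# Constructed baseline (an assumption for this example, not a real CIS benchmark).
BASELINE = {
    "sshd_config": {
        "PermitRootLogin": "no",
        "PasswordAuthentication": "no",
        "Protocol": "2",
    },
    "forbidden_services": {"telnet", "vsftpd", "snmpd"},
}

# Constructed host snapshot, shaped like what a discovery agent might report.
HOST_SNAPSHOT = {
    "sshd_config": """\
# sshd_config (constructed sample)
Port 22
Protocol 2
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
""",
    "enabled_services": ["sshd", "telnet", "cron"],
    "local_accounts": ["root", "admin", "svc-backup"],
}


def parse_kv_config(text):
    """Parse 'Key value' lines, skipping blanks and comments; first occurrence wins (sshd semantics)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        key = parts[0]
        value = parts[1] if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit(snapshot, baseline, default_accounts=("admin", "guest")):
    """Return (kind, item, detail) findings; an empty list means the host matches the baseline."""
    findings = []
    actual = parse_kv_config(snapshot["sshd_config"])
    for key, expected in baseline["sshd_config"].items():
        got = actual.get(key)
        if got is None:
            # A commented-out directive means the compiled-in default applies, not the baseline.
            findings.append(("missing", key, f"expected {expected}, not set"))
        elif got != expected:
            findings.append(("deviation", key, f"expected {expected}, found {got}"))
    for svc in sorted(set(snapshot["enabled_services"]) & baseline["forbidden_services"]):
        findings.append(("service", svc, "insecure service enabled; disable it"))
    for acct in snapshot["local_accounts"]:
        if acct.lower() in default_accounts:
            findings.append(("account", acct, "default account name present; remove or rename"))
    return findings


if __name__ == "__main__":
    for kind, item, detail in audit(HOST_SNAPSHOT, BASELINE):
        print(f"[{kind}] {item}: {detail}")
```

Whether a given deviation is acceptable is still a policy decision, as the post says; the checker only makes the deviation visible and repeatable across every host that reports a snapshot.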
Greater security and confidence
Using standard configurations, supported by automation tools and vulnerability scanning, provides a double benefit. It makes software more consistently secure while reducing the effort needed to configure it. Having the same settings in every installation reduces idiosyncratic software behavior, so there are fewer maintenance issues. This also aids in the deployment of patches across the network.
A fair amount of effort is needed up front to set up standard configurations, and ongoing work is necessary to keep them up to date. In the long run, though, they save effort as they improve security.
by Andrea Lee Taylor
Wondering how to go about implementing or integrating Control 2 with your current system setup? We're partners with Tenable and Ted Gary's blog post about this specific CIS is especially apt.
"Knowing and controlling your software is certainly a control that increases security – detecting and blocking malware and high-risk applications reduces your attack surface and can prevent incidents. However, the benefits of knowing and controlling your software extend beyond security. For example, identifying and updating unsupported software versions reduces IT support costs, and can even increase user productivity and license compliance." -- Ted Gary
Read the full post here.
by Marian Bodunrin
4:00 min read
The first of the CIS Controls for internet security is taking an inventory of authorized and unauthorized devices/hardware. The second CIS control is so similar it’s natural to wonder why it was granted its own control: an inventory of authorized and unauthorized software. The purpose and some of the methods are similar, but software is more fluid than hardware. Adding software is common, updates are necessary, and vulnerability reports can require reassessing existing software.
Unauthorized software, in this context, simply means software that hasn't been authorized, not necessarily forbidden software. Users may have leeway to install applications without explicit permission. However, a secure network needs to identify and assess the software which is installed on each machine, especially if it isn't pre-approved.
The potential complexity of implementing control 2, as well as control 1, pales in comparison to its importance to a responsive security program.
There are several risks in unauthorized software:
Methods of tracking software
Endpoint management is as useful in tracking software as it is in tracking hardware. A software agent on each machine reports installed software and versions. Inventories need to run frequently, since new software can be installed at any time. Automated asset discovery tools exist, allowing for more accurate data and less confusion and ambiguity.
Not all machines can have agents; for example, it's usually impractical to require them on personal mobile devices and home computers. Nor are the owners of those devices likely to agree to list all the software on them, or to be able to find it all even with their best efforts. Network managers can compensate for this gap by restricting access from these machines and monitoring their network activity.
A whitelist, covering software which is explicitly authorized and up to date, lets IT management focus on whatever other software is present. Some networks may allow only authorized software; others may consider it case by case, even blacklisting specific unauthorized applications. Servers should never have software which isn't there for an explicit reason, but desktop machines and mobile devices may need more flexibility.
If endpoint management isn't suitable for a network, the organization needs policies on installing software. Setting rules (e.g., "no games" or "no installation without specific permission") and requiring users to report any applications they install is much better than nothing. Periodic audits of machines, with the results merged into the inventory, will get people to take the policies seriously.
The list of authorized software and accepted versions needs to be kept up to date. If an important vulnerability report comes out and the publisher issues a patch, the previously acceptable version can become risky and unacceptable overnight.
This is where the inventory becomes your best asset and demonstrates its value most clearly. If it comprehensively lists the installations of software that needs updating, the IT department can push the update to all the affected machines. A quick response makes the attackers' window of opportunity as small as possible.
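The whitelist-and-version reconciliation described in the last few paragraphs, as an added example that is not code from the post or from any endpoint-management product: agent reports (constructed here) are checked against an authorized list with minimum acceptable versions, so that an install is flagged either as unauthorized or as below the version the inventory now requires, and the set of hosts that need a given patch pushed can be listed directly. Product names, versions and hostnames are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed authorized list: software name -> minimum acceptable version.
# In practice this is the organization's whitelist, updated when a patch comes out.
AUTHORIZED = {
    "openssl": "3.0.13",
    "firefox": "125.0",
    "7zip": "23.01",
}

# Constructed agent reports: hostname -> [(software, installed version), ...]
AGENT_REPORTS = {
    "ws-01": [("openssl", "3.0.13"), ("firefox", "124.0.1"), ("7zip", "23.01")],
    "ws-02": [("openssl", "1.1.1w"), ("firefox", "125.0"), ("teamviewer", "15.5")],
    "srv-db": [("openssl", "3.0.13")],
}


def parse_version(v):
    """Turn '1.1.1w' into [(1,''),(1,''),(1,'w')] so versions compare numerically, not as strings."""
    parts = []
    for token in re.split(r"[.\-]", v):
        m = re.match(r"(\d*)(.*)", token)
        num, rest = m.group(1), m.group(2)
        parts.append((int(num) if num else -1, rest))
    return parts


def reconcile(reports, authorized):
    """Per-host findings: ('unauthorized', name, ver) or ('outdated', name, ver)."""
    findings = defaultdict(list)
    for host, installed in reports.items():
        for name, version in installed:
            if name not in authorized:
                findings[host].append(("unauthorized", name, version))
            elif parse_version(version) < parse_version(authorized[name]):
                findings[host].append(("outdated", name, version))
    return dict(findings)  # hosts with no findings are simply absent


def hosts_needing_update(reports, authorized, name):
    """The push list for a patch: hosts where `name` sits below the authorized minimum."""
    return sorted(
        host
        for host, found in reconcile(reports, authorized).items()
        if any(kind == "outdated" and n == name for kind, n, _ in found)
    )


if __name__ == "__main__":
    for host, found in reconcile(AGENT_REPORTS, AUTHORIZED).items():
        for kind, name, version in found:
            print(f"{host}: {kind} {name} {version}")
    print("push openssl update to:", hosts_needing_update(AGENT_REPORTS, AUTHORIZED, "openssl"))
```

Raising the minimum version in AUTHORIZED after a vulnerability announcement is all it takes for the next run to turn a previously acceptable install into an "outdated" finding, which is exactly the overnight change the paragraph above describes.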
If software is no longer getting support, it will eventually become necessary to remove it from the authorized list. Identifying the situation as early as possible makes it easier to find alternatives before compatibility or security problems arise.
An organization that doesn't know what software is on its computers is open to unnecessary risks. Keeping track of software, by whatever means are best suited to the network's needs, is an essential part of a security strategy.
by Andrea Lee Taylor
3:00 min read
When an inventory of authorized and unauthorized devices seems daunting, a first step is a comprehensive approach to mapping what's there. There are tools that can fundamentally help. One of our partners, ForeScout, has found that "what is often lacking, though, is the clear direction as to what “improving security” actually entails". Following a well-known framework, the CIS Controls, provides this guidance. More from their blog.... https://www.forescout.com/company/blog/ot-network-security-starts-knowing/
by Dwayne Stewart
4:00 min read
The CIS Controls provide a clear and elegant, if not always simple, framework for a cybersecurity plan. From the Center for Internet Security, the top 5 in order of priority:
The device inventory
The first priority masks a simple assumption – that there is an explicit awareness of every device on a network. Without this fundamental information, it isn't even possible to track software, configurations, and access reliably. Compiling a full inventory may take some effort if starting from scratch, taking into consideration remote employees, mobile devices, and IoT devices. But there are several software tools and vendors in the IT asset management market that help expedite the inventory, making it much less onerous.
While the process takes a significant time commitment, it’s truly essential for being able to get the most out of your security efforts. Sometimes there are rogue devices that have gained access, usually through Wi-Fi. If there’s been a breach, an accurate inventory proves crucial for locating devices and enacting safeguards quickly.
Newer devices are generally more up to date and easier to keep secure, while older devices may have problems updating to the latest, most secure software. IT management needs to identify the devices that need special attention. At some point, they should be retired for security reasons; if this isn't possible, access to the network should be restricted.
The process needs to start with a scan of the network to identify as many devices as possible. The results should include anything with an IP address, including printers, VoIP phones, PoS devices, and other network-connected equipment. The first scan will most likely be incomplete, since some devices are intermittently connected, but it establishes a baseline.
The scan needs to obtain as much identifying information as possible. This includes the MAC address, device type, operating system, and version. Devices that can't be identified need additional scrutiny. The safest policy is to block access until they can be validated. If the network uses DHCP to assign IP addresses, DHCP server logging will help to track all devices.
A network that implements complete endpoint management, with a software agent in each authorized device, can take an inventory most easily. It may not be possible to install agents in all cases, but the better discovery software products can recognize many devices even without one. Where possible, they rely on queries with ICMP, HTTP, and other protocols. In addition, they can send and track malformed packets as different device models and operating systems respond to those in different ways. These techniques can identify nearly all machines that aren't intentionally disguised.
Going forward, it is then necessary to simply stay up to date. If the endpoint discovery software can recognize any new device when it joins the network, this will happen automatically. Otherwise, periodic rescanning of the network will pick up devices that were previously offline or have been added.
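The DHCP-log angle mentioned above, as an added example that is not code from the post or from any discovery product: it reads lease acknowledgements from a constructed log (the line shape is loosely modelled on ISC dhcpd syslog output), builds a MAC-keyed device list with the IP, hostname and a vendor guess from the MAC prefix, and reports any MAC that is not in the authorized inventory. The authorized list, the OUI-to-vendor table and every address in the log are made up for the example; a real tool would consult the IEEE OUI registry and the asset register.

```python
import re

# Constructed DHCP server log (shape loosely modelled on ISC dhcpd syslog lines).
DHCP_LOG = """\
Mar  3 08:01:12 dhcp1 dhcpd[812]: DHCPACK on 10.0.1.21 to 3c:52:82:00:aa:01 (ws-01) via eth0
Mar  3 08:02:40 dhcp1 dhcpd[812]: DHCPACK on 10.0.1.22 to 3c:52:82:00:aa:02 (ws-02) via eth0
Mar  3 08:05:03 dhcp1 dhcpd[812]: DHCPACK on 10.0.1.57 to 00:1e:c9:12:34:56 (NPI4C2A1B) via eth0
Mar  3 08:09:17 dhcp1 dhcpd[812]: DHCPACK on 10.0.1.88 to 5c:cf:7f:ab:cd:ef via eth0
Mar  3 08:11:00 dhcp1 dhcpd[812]: DHCPACK on 10.0.1.21 to 3c:52:82:00:aa:01 (ws-01) via eth0
"""

# Constructed authorized inventory keyed by MAC (stands in for the asset register).
AUTHORIZED = {
    "3c:52:82:00:aa:01": "ws-01, workstation, finance",
    "3c:52:82:00:aa:02": "ws-02, workstation, finance",
    "00:1e:c9:12:34:56": "printer, 2nd floor",
}

# Constructed OUI table; a real tool looks prefixes up in the IEEE registry.
OUI_VENDOR = {"3c:52:82": "Hewlett Packard", "00:1e:c9": "Dell", "5c:cf:7f": "Espressif"}

ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE,
)


def parse_dhcp_acks(log_text):
    """Map each MAC to its latest IP, the hostname it offered (if any) and how many leases it got."""
    devices = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue  # DHCPDISCOVER/OFFER/REQUEST lines and unrelated syslog noise are skipped
        mac = m.group("mac").lower()
        entry = devices.setdefault(mac, {"ip": None, "host": None, "acks": 0})
        entry["ip"] = m.group("ip")
        entry["host"] = m.group("host")
        entry["acks"] += 1
    return devices


def vendor_of(mac):
    """Vendor guess from the first three octets (the OUI)."""
    return OUI_VENDOR.get(mac[:8], "unknown")


def find_unknown_devices(log_text, authorized):
    """Devices that obtained a lease but are absent from the authorized inventory."""
    return [
        {"mac": mac, "ip": e["ip"], "host": e["host"], "vendor": vendor_of(mac)}
        for mac, e in parse_dhcp_acks(log_text).items()
        if mac not in authorized
    ]


if __name__ == "__main__":
    for dev in find_unknown_devices(DHCP_LOG, AUTHORIZED):
        print("unknown device:", dev)
```

A device with no hostname and an unexpected vendor prefix, like the last one in the sample log, is the kind of entry the post says needs additional scrutiny before it is allowed to stay on the network.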
Matching the physical devices
While the inventory process starts on the network, the devices it lists are physical objects. Devices on the premises have to be matched up with listed network devices. Personal devices need to be matched with their owners. This establishes who is responsible for a device, where it can be found if service is needed, and whether it has an appropriate level of physical protection.
The process of acquiring and adding a device should start with confirming that it conforms to the network's requirements, including the installation of software agents if required. New devices need to be set up securely before connecting them to the network; otherwise they constitute a window of vulnerability which malicious network probing can quickly find. Devices which are added to the network temporarily, or which aren't fully under the network management's control, such as mobile devices under a BYOD policy and home computers used for telecommuting, need to be treated with special care.
Checking and updating devices
Having an inventory lets the network administrator check whether each connected device meets the requirements for safely connecting to the network. This gets into control #3: configuration of hardware and software. Every device should be running a currently maintained and patched operating system. If any of them aren't, they should be updated, blocked, or at least restricted in their access to the network. Endpoint management software can keep all devices which have installed agents up to date. In other cases, the network needs enforced policies for updating all authorized devices.
How tightly an organization can control its inventory of devices will vary greatly from case to case. In all cases though, network management needs to make the best effort possible to enumerate the devices which are authorized to access the network, if only in order to identify and remediate unauthorized ones. Device inventory -- a security basic with a top priority; it makes everything that follows less complicated.
by Andrea Lee Taylor
3:35 min read
When the training of employees becomes your next step in securing the organization against human risk, where do you begin? We've chosen to partner with Wombat because of a storied history of helping with just that. Take a look at a few of the considerations from their blog.....
Security Awareness Training: Best Practices to Consider
by Gretel Egan | January 16, 2018
When it comes to security awareness training, each organization's program is likely to be, at least slightly, unique. In fact, we encourage organizations to put their own stamp on their cybersecurity education initiatives in order to reflect specific policies and elements of corporate culture. That said, we have identified several elements that are common threads among the most effective programs. These are the key components to consider as you plan your initiatives:
The most successful security awareness and training programs not only have top-down buy-in, they have top-down participation. This is simply because an all-in approach is the best — if not only — way to build an organization-wide culture of security in which good decision-making and application of cybersecurity best practices become daily pursuits for end users at all levels. When certain groups, locations, or individuals are excluded from a program, it is more difficult to encourage a mindset in which all employees feel equally invested in improving cyber hygiene.
C-level executives, board members, and managers absolutely should be communicated to early and often with regard to the vision and progress of your program. But end users should also be regarded as stakeholders — a factor that organizations tend to overlook (to their detriment).
It is critical that employees understand the value and purpose of cybersecurity education before they ever receive a training assignment. And as a security awareness and training program continues, end users should remain clear on what is happening and, more importantly, why it’s happening and how they fit in.
Baseline Vulnerability Measurements
The premise of this recommendation is simple: How can you know how far you’ve come if you don’t know where you started? Baseline assessment scores — related to phishing susceptibility and cybersecurity knowledge levels — allow you to mark your starting point and gauge progress. But it’s also a good idea to take note of other metrics — like rates of malware infections and successful phishing attacks from the wild — before you begin employee awareness training. You should see a reduction in employee-driven cybersecurity incidents over time, which is a good indicator of program success.
Regular, Ongoing Assessments and Training
To change mindsets and reduce the mistakes and risk associated with end-user behaviors, cybersecurity must become a regular pursuit. Occasional phishing tests and once- or twice-a-year training simply will not be enough to raise awareness and help your employees learn how to apply best practices. To develop new skills, end users must be given the benefit of regular cybersecurity education and the opportunity to learn over time.
Creating a Clear Link Between Assessments and Training
As is reflected in our Continuous Training Methodology, we make a clear distinction between assessments (like simulated phishing attacks and question-based evaluations) and training. These two types of activities work most successfully when used in conjunction with one another. A phishing test, for example, is an excellent way to motivate employees to complete follow-up training. However, it’s critical that these initiatives are clearly linked, with a small window of time between assessments and training. After all, if you send a phishing test in January and then send an anti-phishing training assignment in October, the logical connection between those two activities is lost.
We’ve regularly spoken about the need to reinforce key messages with end users. When you revisit topics on a regular basis and incorporate ongoing awareness activities, you help to keep cybersecurity best practices top-of-mind for employees. Without reinforcement, you are put in the position to regularly rebuild — rather than build upon — a cybersecurity foundation.
Consistent Tracking and Reporting
As is reflected in the Data-Information-Knowledge-Wisdom hierarchy, data is helpful, but wisdom should be your ultimate goal. As such, it’s important to choose security awareness and training tools that do more than churn out data for data’s sake. Seek instead tracking and reporting capabilities that give you access to value-add data that ultimately translates to actionable business intelligence.
We’ve seen a number of organizations generate great engagement and results by applying gamification techniques to their programs. We strongly believe in using rewards and positive reinforcement to raise end-user interest and participation; in fact, our reporting features, including our Training Leaderboard report, are designed to help organizations track successes at the individual and department levels and more easily apply gamification to their programs. We do recommend exploring this option if it's supported within your corporate culture because it can elevate the effectiveness of your program.