Data breaches are a common occurrence in the world we live in today. Whether it's personal data relating to an organization's customers or data describing the inner workings of an organization's infrastructure, when it falls into the wrong hands the consequences are disastrous.
It’s for that reason that organizations need to ensure that they have all of the necessary controls in place so that their data is safe and secure.
There is an ever-expanding list of compliance and security mandates that organizations can adhere to in order to enhance their security but the guidance that is provided within these is not always clear. This leaves organizations unsure of what it is that they need to have in place and how they can implement it, which is why the Center for Internet Security (CIS), the SANS Institute and a large number of other contributors developed and published the Center for Internet Security Critical Security Controls for Effective Cyber Defense.
Now more commonly known as the CIS Controls, it is a publication of best practice guidelines for computer security. It provides organizations with clear guidance on what actions need to be prioritized when they are looking to defend themselves against the most common cyber threats.
The CIS Controls are made up of 20 different controls/actions, split into 3 categories:
- Basic – (CIS Controls 1-6): Key controls which should be implemented in every organization for essential cyber defense readiness.
- Foundational – (CIS Controls 7-16): The next step up from basic – these technical best practices provide clear security benefits and are a smart move for any organization to implement.
- Organizational – (CIS Controls 17-20): These controls are different in character from 1-16; while they have many technical elements, CIS Controls 17-20 are focused mainly on the people and processes involved in cybersecurity.
In this blog we’ll be looking at the 6 Basic CIS Controls and how you can utilize NNT’s suite of security products to ensure that these are covered within your organization.
Any unauthorized hardware assets that make their way onto an organization's network could be seen as a potential threat. Even if the device belongs to somebody who works within the organization, any hardware that has not appeared on the inventory before:
- May not be configured in line with the organization's build standard
- May not be fully up to date with OS patching
- May not be fully up to date with Anti-Virus definitions
- May already be infected with a virus, Trojan or other malware
All of which leave the device out of compliance, insecure and a risk to the organization. Using some form of active or passive discovery tool will enable an organization to document what assets exist and identify when new assets are seen. Below we've outlined which NNT security products can help with this particular control.
If used in line with an internal process to monitor all live systems within an environment, both Change Tracker and Log Tracker could be used to document and show existing assets. Both pieces of software display key pieces of information about the systems being monitored and their active state (i.e. device online/device offline).
Using Change Tracker can also enable an organization to identify and baseline what ports are in use by a specific device and the processes and services that are running on it. Both inside and outside attackers will be on the lookout for any open ports that they can use to gain access to a system. Using this particular functionality will enable you to:
- Establish what ports are currently open and decide if they are required for a server's role/function
- Disable ports that are not required/necessary
- Identify when new ports are opened on a particular system (This is a key requirement when working with a compliance standard like NERC CIP)
Using NNT Vulnerability Tracker will enable an organization to run a ‘Discovery Scan’ against their entire IP range to see what devices are present. All devices that are detected as part of the scan can be added to the application as an ‘Asset’. These assets can then be used to create a target for scanning purposes in the future.
Any unauthorized software assets that make their way onto a device within an organization could be seen as a potential threat. Even if the device belongs to somebody who works within the organization, any software that has not appeared on the inventory before:
- May not be configured in line with the organization's build standard
- May not be fully up to date with patching
All of which leave the software and the device hosting it out of compliance, insecure and a risk to the organization. Both insider and outside attackers will look for software that has vulnerabilities that can be easily exploited. Below we've outlined which NNT security products can help with this particular control.
Using Change Tracker will enable an organization to scan a system for all installed software (names and version numbers) and OS updates. After the initial scan has taken place, the information that is collected forms a baseline which is used to detect and report when changes are made to the system i.e. when new software is installed or existing software is updated or uninstalled. By developing a secure baseline configuration you can easily detect when configuration drift occurs but it’s also worth bearing in mind that it’s a requirement for certain compliance standards like NERC CIP. More information about this particular functionality can be found here.
Using Vulnerability Tracker will also enable an organization to scan a system for all installed software. Once a scan is complete a user can quickly identify which known vulnerabilities affect the applications that are being used within the organization. Each vulnerability can then be remediated using one of the following:
Workaround: Information about a configuration or specific deployment scenario that can be used to avoid exposure to the vulnerability is available. There can be none, one or more workarounds available. This is usually the “first line of defense” against a new vulnerability before a mitigation or vendor fix has been issued or even discovered.
Mitigation: Information about a configuration or deployment scenario that helps to reduce the risk of the vulnerability is available but that does not resolve the vulnerability on the affected product. Mitigations may include using devices or access controls external to the affected product. Mitigations may or may not be issued by the original author of the affected product and they may or may not be officially sanctioned by the document producer.
Vendor Fix: Information is available about an official fix that is issued by the original author of the affected product. Unless otherwise noted, it is assumed that this fix fully resolves the vulnerability.
New vulnerabilities are being found all the time. In the last few years there has been an uptick in the number of vulnerabilities that have been identified, and there's no sign of it slowing down.
Reference: NIST National Vulnerability Database
It’s for that reason that organizations need to ensure that they proactively scan their systems for vulnerabilities and remediate the security flaws before they are exploited by an attacker and their data is compromised. The easiest way to achieve this is by running automated vulnerability scans against systems to identify the vulnerabilities in hardware and software configuration. Below we’ve outlined what NNT security products can help with this particular control.
The misuse of administrative privileges is one of the ways an attacker can move around and wreak havoc with an organization’s infrastructure. With elevated privileges an attacker can not only revert other security controls that have been put in place but they can also disable other protective measures like antivirus and firewall applications. Gaining access to a user account with administrative privileges could be achieved by:
- Carrying out brute force attacks
- Carrying out dictionary attacks
- Using different phishing techniques
- Simply guessing the password
It’s for these reasons that organizations need to ensure that they have tools in place to monitor how administrative privileges are assigned/used and to keep track of user activity within their organization. Below we’ve outlined what NNT security products can help with this particular control.
Using Change Tracker will enable an organization to scan a system for all existing user and security group information. This information can be obtained from both local machines and from Windows Active Directory. After the initial scan has taken place, the information that is collected forms a baseline which is used to detect and report when changes are made to the system, i.e. when new users/groups are created or existing users/groups are updated or deleted. This way of monitoring can be used to easily identify where and when a user has been added to a group with escalated privileges. The change can then be quickly reverted if the user was added to the group in error or if the change was identified as malicious.
The CIS Benchmarks that are included within the Change Tracker software will also provide organizations with guidance on secure system configuration, ensuring that their hardened build standard includes strong password and account lockout policies and permits only secure, encrypted channels for admin access.
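The scan-and-baseline approach described above for open ports, installed software and group membership can be demonstrated in a few lines. This is an added example, not NNT code: the Snapshot layout, the PRIVILEGED_GROUPS list and the two sample scans are assumed or constructed for illustration, and it flags a new listening port or an addition to an admin group as high severity.

```python
"""Baseline drift detection: an added example (not NNT code) of the scan-and-baseline
approach the post describes for ports, installed software and group membership.
Snapshot layout, PRIVILEGED_GROUPS and the two sample scans are assumed/constructed."""
from dataclasses import dataclass

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}  # assumed from the build standard

@dataclass
class Snapshot:
    """One scan of a host: listening TCP ports, software name -> version, group -> members."""
    host: str
    ports: set
    software: dict
    groups: dict

def diff_snapshots(base: Snapshot, cur: Snapshot) -> list:
    """Return each drift from the baseline as (severity, area, kind, item, detail)."""
    out = []
    for p in sorted(cur.ports - base.ports):  # a newly opened port is always worth review
        out.append(("high", "port", "added", str(p), ""))
    for p in sorted(base.ports - cur.ports):
        out.append(("info", "port", "removed", str(p), ""))
    for name in sorted(set(base.software) | set(cur.software)):
        old, new = base.software.get(name), cur.software.get(name)
        if old is None:
            out.append(("info", "software", "added", name, new))
        elif new is None:
            out.append(("info", "software", "removed", name, old))
        elif old != new:
            out.append(("info", "software", "changed", name, f"{old} -> {new}"))
    for grp in sorted(set(base.groups) | set(cur.groups)):
        old, new = base.groups.get(grp, set()), cur.groups.get(grp, set())
        sev = "high" if grp in PRIVILEGED_GROUPS else "info"  # escalation into an admin group
        for m in sorted(new - old):
            out.append((sev, "group", "added", grp, m))
        for m in sorted(old - new):
            out.append((sev, "group", "removed", grp, m))
    return out

# Constructed sample scans of one host: the baseline and a later rescan.
BASELINE = Snapshot("web01", {22, 443}, {"nginx": "1.18.0", "openssl": "1.1.1k"},
                    {"Administrators": {"admin"}, "Users": {"alice"}})
RESCAN = Snapshot("web01", {22, 443, 8080},
                  {"nginx": "1.18.0", "openssl": "1.1.1w", "FileZilla Server": "1.8.1"},
                  {"Administrators": {"admin", "alice"}, "Users": {"alice"}})

if __name__ == "__main__":
    for sev, area, kind, item, detail in diff_snapshots(BASELINE, RESCAN):
        print(f"[{sev}] {BASELINE.host} {area} {kind}: {item} {detail}".rstrip())
```

Run against real hosts, the snapshots would be built from the scanner's output and stored per device; the diff is the same.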
Default system configurations are developed by manufacturers for ease of development, not for security. Any well-known operating system or application can be easily exploited if left in its default state. It's for these reasons that organizations need to ensure that they develop and implement secure configuration build standards for all of their devices. Below we've outlined which NNT security products can help with this particular control.
Using Change Tracker will enable an organization to access and use the latest guidelines/benchmarks provided by the CIS. These are developed to ensure that both systems and applications are not left exposed to well-known vulnerabilities. As a CIS Certified Vendor, NNT can ingest the benchmarks that the CIS provide, and this allows our customers to evaluate their systems against the CIS's recommendations on an automated basis. The software makes it easy for a user to identify when the secure configuration of a system has been changed, leaving it in a vulnerable state. Using the clear remediation text, a user can ensure that the vulnerability is remediated and the system or application brought back in line with the organization's preferred build standard.
Organizations need to collect and analyze event logs in order to detect when both legitimate and malicious changes are made to a system. Even if an organization believes it has all of the correct security defenses in place, no one can guarantee that it will not be breached. If an organization discovered that it had been breached but had failed to collect and review the event logs generated by its devices, it would be left blind as to what changes had actually taken place and would therefore struggle to recover from the breach, as it wouldn't know where to start looking. It's for these reasons that organizations need to ensure that they have tools in place to report changes made to their systems in real time or on a frequent scheduled basis. Below we've outlined which NNT security products can help with this particular control.
Using Change Tracker will enable an organization to scan a system and keep track of changes made to the following areas:
- File Attributes (File Integrity Monitoring)
- File Contents
- Installed Software and Updates
- Registry keys and values
- Running Processes and Services
- Security and Audit Policy Settings
- Local and AD User Accounts/Groups
- Network Ports
After the initial scan has taken place, the information that is collected forms a baseline which is used to detect and report when changes are made to the system in either real time or on a scheduled basis. Change Tracker also provides context behind the change so that a user can quickly identify:
- Where the change occurred
- When the change occurred
- What change occurred
- Who made the change
The CIS Benchmarks that are included within the Change Tracker software will also provide organizations with guidance on what audit policy settings need to be configured on systems to ensure that all relevant security information is logged.
Once the necessary audit policies are configured, an organization can then utilize our Log Tracker application to collect detail-rich events including:
- On what system the event log was created
- From what system did the event log originate
- When the event log was created
- What caused the event log
- What user generated the event log
Using the functionality within Log Tracker, the user will be able to collect and store audit events generated by devices for future analysis. Any event can then be correlated/grouped together to help capture key security incidents. Attached to the correlation threads, the user can then specify thresholds for certain events so that when a certain number of them are seen, an alert is triggered. A triggered alert can then be used to create incident tickets which can be automatically assigned to the relevant user or team, and an email alert can be generated when a ticket is created so that the relevant user or team is immediately notified when a security incident occurs.
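The correlation-thread-with-threshold idea described above, as an added example that is not NNT code: events are grouped into threads by event ID and identifying fields, a sliding window counts them, and one alert (the input to a ticket) is raised when a thread reaches its threshold. The key=value log format, the use of Windows event IDs 4625 (failed logon) and 4728 (member added to a global security group) as rule triggers, and the threshold/window values are assumptions; the log lines are constructed.

```python
"""Threshold-based event correlation, as an added example (not NNT code) of the
alerting the post describes. The key=value log format, the event IDs used as rule
triggers and the threshold/window values are assumptions; the log lines are constructed."""
import shlex
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample events: a burst of failed logons, an isolated one, and a group addition.
SAMPLE_LOG = """\
2024-03-01T09:00:01 host=dc01 event=4625 user=svc_backup src=10.0.5.23
2024-03-01T09:00:04 host=dc01 event=4625 user=svc_backup src=10.0.5.23
2024-03-01T09:00:07 host=dc01 event=4625 user=svc_backup src=10.0.5.23
2024-03-01T09:00:09 host=dc01 event=4624 user=alice src=10.0.1.10
2024-03-01T09:00:11 host=dc01 event=4625 user=svc_backup src=10.0.5.23
2024-03-01T09:00:15 host=dc01 event=4625 user=svc_backup src=10.0.5.23
2024-03-01T09:30:00 host=dc01 event=4625 user=bob src=10.0.1.11
2024-03-01T09:31:00 host=dc01 event=4728 user=alice group="Domain Admins"
"""
# event id -> (threshold, window in seconds, fields that identify one correlation thread)
RULES = {
    "4625": (5, 60, ("user", "src")),   # repeated failed logons for one account from one source
    "4728": (1, 0, ("user", "group")),  # any single addition to a global security group
}

def parse_line(line: str) -> dict:
    """Split 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = shlex.split(line)
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def correlate(log_text: str) -> list:
    """Group matching events per thread; raise one alert when a window hits its threshold."""
    alerts, threads = [], defaultdict(deque)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["event"] not in RULES:
            continue
        threshold, window, fields = RULES[rec["event"]]
        key = tuple(rec.get(f, "") for f in fields)
        q = threads[(rec["event"], key)]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window:  # drop events outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"rule": rec["event"], "key": key, "count": len(q),
                           "first": q[0], "last": rec["ts"], "host": rec["host"]})
            q.clear()  # one burst -> one alert/ticket, not one per extra event
    return alerts
```

Each alert dict carries the who/where/when context needed to open and assign a ticket.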