Understanding the SANS/CIS 20 Critical Security Controls

(PART 1)

In today’s day and age it is nearly impossible to find an organization that does not face some kind of inherent cybersecurity risks. Whether it is through a zero-day attack against your firewall, or something as simple as receiving an email, the vast majority of businesses are exposed to cybersecurity risks. Over the years, many security control frameworks have been issued with the goal of providing guidance for protecting critical information.

By now, you may have heard of the guidance included in the “SANS/CIS 20 Critical Security Controls,” which is a prioritized list designed to assist companies in implementing stronger cybersecurity controls to protect themselves against real-world threats. Both International and U.S. experts met to develop this list based on sharing experiences from actual incidents to help keep it current and relevant against today’s global security threats.

Over the course of this 20 part series, I will take a deeper look into each of these critical controls and not only explain what they mean “in plain English,” but also how they will ultimately help to protect your organization in today’s operating environment.

The first several parts in our series cover the basics, which can be combined into the category of “How to better understand your environment.”

To design a secure network, it is critical that you have a complete understanding of your network environment. In the course of our network security testing performed for our clients, we inevitably identify devices and applications that might be unknown to management. Since they aren’t known, they typically are getting the basic controls in place, such as secure configurations, antivirus software, or patch management. Having a comprehensive list of devices (authorized and unauthorized), ensuring that each system is identified and configured to comply with company standards, and implementing mechanisms to monitor for new devices attempting to connect to your network, should be one of the first steps in securing a network.

Depending on the nature of your business, your network environment may change from day to day. You may have customers, vendors, regulators, auditors or contractors connecting devices to your network. Your employees may also be adding and removing personal devices or other types of unauthorized devices to and from your network environment. Detecting and, as needed, preventing such devices are critical.

For example, when testing a certain division of a company, we identified an unauthorized, unsecured wireless access point. The local management team wanted wireless access for their network, but did not want to go through the “headache” of going through the proper channels to get approval and implementation. As a result, the network had a significant security issue for nearly a year without IT management’s knowledge. Had the company had a process to detect new devices, IT management could have identified and removed the device from the network in a timely manner.

To implement and maintain a secure network, you should consider the following steps, as applicable to your environment:

Step 1: Implement an Automated Asset Inventory Discovery Tool.
An automated asset inventory discovery tool is software that can assist a company in creating a centralized, detailed listing of all network assets. From a security perspective, once you have created the detailed listing, you can establish a baseline for your environment by removing any devices that should not be running in your environment. Going forward, the tool will assist you with identifying new devices and ensuring that they are authorized for your environment. The tool will also assist you in reacting quickly if an unauthorized device is connected to your network.

Step 2: Logging and Monitoring Network Connections
If users can plug into your network and are automatically assigned a network IP address (using Dynamic Host Configuration Protocol (DHCP)), ensure that your DHCP server is enabled to log activity and that an individual is assigned responsibility for monitoring the logs. This will help to quickly identify any potential unauthorized or “rogue” devices that have been connected to your network. If you have a centralized log management system, you may also be able to configure real-time alerts. You will also want to make sure that unused network jacks, especially ones in public areas, are disabled.

Step 3: Equipment Acquisition
The help ensure that your asset inventory is kept up to date, you must have a formal equipment acquisition/change management process for adding and removing devices to your environment. The equipment acquisition/change management process must include documented procedures for the approval and installation of new network devices to the network. This process must include formal security requirements that the equipment must meet before it is implemented into your environment. You should also ensure that you have sufficient in house knowledge to support the security requirements specific to the equipment being acquired.

You should also have a formal process for removing (decommissioning) devices from the network that include removing any data from the devices as well as securely wiping or destroying the hard drives.

The process for acquiring and removing equipment from your network must also be formally documented and monitored by management. Any deviations from the process must be identified and remediated timely to reduce the risk to your network environment.

Step 4: Consider Network Access Authentication for Devices
Consider requiring authentication for network access (via 802.1x) to limit the physical devices that can connect to your network, especially if your network automatically provides access to new devices (i.e. utilizes DHCP). 802.1x works to authenticate an approved physical device in a similar process to that your network authenticates user accounts. In addition, to utilize the network authentication, your IT department should keep an inventory of all ports utilized and should consider manually disabling the ports that are not used. Ports should also be configured to prevent attacks such as spoofing by preventing duplicate MAC Addresses from being used during the authentication process.

Step 5: Consider Client Certificates
Consider using client certificates to validate and authenticate devices attempting to connect to your private network. While it can be a relatively complex and expensive option, certificate-based authentication is preferable to a solely password-based authentication process because it is based on certificates issued by a trusted party (a Certificate Authority (CA)). Also, certificate-based authentication provides integrity and confidentiality in addition to authentication. There should also be process in place to periodically check the status of the certificates to determine that they are up-to-date and are not expiring.

So what does this mean for you?

Cybersecurity risks will only continue to increase.

That being said, we all need to follow a formal framework to implement a layered security approach – meaning that if one precaution fails, there is another in place ready to back it up. The first step to a layered security approach is to truly understand your environment. Part of this is to understand the inventory of authorized and unauthorized devices in your network.

Next up is Part 2 of our 20 Part series where we will continue discussing how to better understand your environment by taking a look at authorized and unauthorized software running in our environment.