The CIS Critical Security Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks. They are developed, renewed, validated, and supported by a large volunteer community of security experts under the stewardship of the Center for Internet Security (www.cisecurity.org). Contributors, adopters, and supporters are found around the world and come from all types of roles, backgrounds, missions, and businesses. State and local governments, power distributors, transportation agencies, academic institutions, financial services, federal government, and defense contractors are among the hundreds of organizations that have adopted the Controls. They have all implemented the Controls to address the key question: “What needs to be done right now to protect my organization from advanced and targeted attacks?”
Effective Cyber Defense Using CIS Critical Security Controls
2. Fog of War
“Nebel des Krieges”
The unavoidable aspect of war wherein the intelligence gathered is always incomplete to a degree, thereby making any decisions concerning said war a bit... foggy.
8. Who am I?
• Vikas Singh Yadav
• Information Security Professional
• M Tech (Comp Science) – IIT Kharagpur
• Certifications - PMP, CISM, CCSK
• Member – ISACA, CCICI, PMI, CISO Platform
• Indian Army Officer
• Soldier and Leader - Op Vijay, Op Parakram
• Information Warrior
• Speaker, Writer, Blogger
9. Overview
• Are we doing enough?
• Why the CIS CSC?
• CIS 20 Controls
• Top 5 – Foundational Cyber Hygiene
• Benefits
• Action points
10. Are we not doing enough?
Audits, Firewall, UTM, Air Gap, DMZ, VLAN, Policies, DLP, Compliance, Anti-Malware, IDS / IPS, SIEM
13. Median time to discover incidents
Source: FireEye M-Trends Asia Pacific 2016
14. What are CIS Critical Security Controls?
“Technical Controls selected and prioritized by consensus agreement”
“Prioritized, well vetted and supported Security Actions that organizations can take to assess and improve their current security state”
16. CIS CSC Body of Knowledge
90-page PDF with pictures
18. Core Principles or Critical Tenets
Automation
Are we reducing human effort and error?
Continuous Diagnostics and Mitigation
Are the controls still in place and functional?
Metrics
Is what we are doing effective?
Prioritization
Are you investing in the Controls that provide the greatest risk reduction?
Offense informs Defense
Use knowledge of actual attacks
20. The Top 5 Controls
CSC 5: Controlled Use of Administrator Privileges
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 3: Secure Configurations for Hardware and Software
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 1: Inventory of Authorized and Unauthorized Devices
Prevents/stops 85-90% of attacks…
21. CIS Critical Security Controls
CSC 10: Data Recovery Capability
CSC 9: Limitation and Control of Network Ports, Protocols, and Services
CSC 8: Malware Defenses
CSC 7: Email and Web Browser Protections
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
22. CIS Critical Security Controls
CSC 15: Wireless Access Control
CSC 14: Controlled Access based on the Need to Know
CSC 13: Data Protection
CSC 12: Boundary Defense
CSC 11: Secure Configurations for Network Devices
23. CIS Critical Security Controls
CSC 20: Penetration Tests and Red Team Exercises
CSC 19: Incident Response and Management
CSC 18: Application Software Security
CSC 17: Security Skills Assessment and Training
CSC 16: Account Monitoring and Control
29. CSC 1
Inventory of Devices
Why? Unpatched systems, unchecked networks, BYOD
“If you can’t see it, you can’t protect it”
Identify all devices
Document the inventory
Keep the inventory current
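As an added example that is not part of the slides, the following Python reconciles a documented device inventory against DHCP-style lease lines observed on the network, covering the three CSC 1 steps above (identify, document, keep current). The MAC addresses, hostnames, dates and the lease-line format are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed documented inventory (CSC 1 "document"): MAC -> (owner, last seen)
AUTHORIZED = {
    "aa:bb:cc:00:00:01": ("file-server", date(2016, 11, 1)),
    "aa:bb:cc:00:00:02": ("hr-laptop", date(2016, 11, 2)),
    "aa:bb:cc:00:00:03": ("old-printer", date(2016, 6, 15)),
}

# Constructed DHCP-style lease lines observed on the network (CSC 1 "identify"):
# "<ip> <mac> <hostname> <YYYY-MM-DD>"
LEASES = """\
10.0.1.10 aa:bb:cc:00:00:01 fs01 2016-11-03
10.0.1.22 aa:bb:cc:00:00:02 hr-lt 2016-11-03
10.0.1.77 de:ad:be:ef:00:09 android-4f2 2016-11-03
"""


@dataclass
class Report:
    unauthorized: list  # seen on the network but absent from the inventory
    stale: list         # in the inventory but not seen for > max_age_days
    refreshed: dict     # inventory with last-seen dates brought up to date


def parse_leases(text):
    """Yield (mac, hostname, seen_date) from each non-empty lease line."""
    for line in text.splitlines():
        if line.strip():
            _ip, mac, host, seen = line.split()
            yield mac.lower(), host, date.fromisoformat(seen)


def reconcile(authorized, leases_text, today_iso, max_age_days=30):
    """Compare observed devices against the documented inventory (CSC 1)."""
    today = date.fromisoformat(today_iso)
    refreshed = dict(authorized)
    unauthorized = []
    for mac, host, seen in parse_leases(leases_text):
        if mac in refreshed:
            owner, last = refreshed[mac]
            refreshed[mac] = (owner, max(last, seen))  # keep inventory current
        else:
            unauthorized.append((mac, host))  # unknown device: investigate
    # Entries not seen recently are candidates for removal or follow-up
    stale = sorted(mac for mac, (_owner, last) in refreshed.items()
                   if (today - last).days > max_age_days)
    return Report(unauthorized, stale, refreshed)
```

Run against a real lease file or switch MAC table, the unauthorized list feeds the "identify" step and the stale list keeps the documented inventory honest.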
30. CSC 2
Inventory of Authorized and Unauthorized Software
Why? Attackers look for vulnerable software, malware installation, etc.
List of authorized software
Application whitelisting
Software inventory tools
Use of VMs and air-gapped networks
Vikas Singh Yadav 30
31. CSC 3
Secure Configurations for Hardware and Software
Why? Default configuration is designed for use, not security. Security “decay”.
Secure configuration for OS and software
Strict configuration management
File integrity checkers
Configuration management tools
32. CSC 4
Continuous Vulnerability Assessment & Remediation
Why? Attackers exploit vulnerable systems
“Vendors continue to produce security remediations; it does little good if they are not installed by the end user.”
Automated scanning tools
Automated patch management
Monitor event logs
33. CSC 5
Controlled Use of Administrator Privileges
Why? One of the primary means by which attackers spread through an enterprise.
Minimize admin privileges
Inventory admin accounts
Change default passwords
Use multi-factor authentication
34. Benefits of CIS Controls
• Risk based
• Simple
• Reality based
• Dynamic
• Affordable
35. Additional Benefits
Solid platform to build other standards on
Can be used to create a roadmap
A starting point for those who don’t know where to begin
36. Getting Started
Answer Key Questions
• What am I trying to protect?
• What are my gaps?
• What are my priorities?
• Where can I automate?
• How can my vendor partners help?
37. Implementation
• Depends on your Environment
• Areas which you are weak
• Gap Analysis
• Do the Foundational first
• Then tackle Advanced
38. Action Steps
• Read the CIS CSC version 6.1
• Do a Gap Assessment
• Read implementation articles
• Make a 1 / 3 / 6 / 12 month roadmap of what you want to accomplish in your organisation.
46. Vikas Singh Yadav
• Information Security professional with specialization in Telecom and Cloud Computing.
• 15+ years of experience in the field of Information Security, Cyber Audit, Incident Response, Technology Management, Project Management, Training & Development and Personnel Management.
• Leadership role in IT and Cyber Security for the last 6 years.
• B Tech (Telecom and IT), M Tech (Comp Science) – IIT Kharagpur
• Certifications - PMP, CISM, CCSK
• Member – ISACA, CCICI, PMI, CISO Platform
• Keen Photographer, Travel Enthusiast and Golfer.
47. REFERENCES
• The CIS Critical Controls for Effective Cyber Defence Version 6.0 - http://www.cisecurity.org/critical-controls
• SANS Critical Controls - http://www.sans.org/critical-security-controls
• NIST Cyber Security Framework (CSF) - http://www.nist.gov/cyberframework/
• UK Cyber Essentials Scheme - https://www.cyberstreetwise.com/cyberessentials/
• ISO 27001 - www.iso.org/iso/iso27001
• Open Vulnerability Assessment System (OpenVAS) - http://www.openvas.org
• Total Network Inventory - http://www.softinventive.com
• CIS Security Benchmark resources - https://benchmarks.cisecurity.org/downloads
• NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems - http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-128.pdf
Editor's Notes
The state of ignorance in which commanders frequently find themselves as regards the real strength and position, not only of their foes, but also of their friends.
Carl von Clausewitz, the great German, or to be more precise Prussian, military strategist, is believed to have coined the term Fog of War.
It describes a state in which military commanders find themselves when they are flooded with information which is both ambiguous and incomplete, thereby making decision making difficult but necessary.
Similarly, in security today we are confronted with a huge amount of information in terms of policies, procedures, standards and guidelines; the latest technologies (DLP, UTM, SIEM, anti-malware); multiple compliances (IT Act, ISO 27001, RBI Guidelines, GDPR). Add to that audits and the need to adhere to budgets and deadlines, and the whole situation can be described by the term Security Fog of More, coined by Tony Sager, technology evangelist of the Center for Internet Security, the non-profit organisation which presently oversees the development and progress of the CIS Critical Security Controls.
Over the next 15 to 20 mins I will talk of how to achieve Effective Cyber Defense using CIS CSC.
Now most of the time security professionals tend to be asking the question: are they doing enough?
- Technology
- Audit
- Compliance
The question is: are we winning?
Statistics speak otherwise.
We can dispute the findings as hype and biased,
but there is no denying the fact that breaches and incidents are happening.
Examples range from Yahoo internationally to Hitachi ATMs locally,
Stuxnet by nation states to lottery scams by Nigerians.
So the issue is what an organization can do in this regard.
In 2010 I was deep into implementing telecom networks and then computer science research during my M Tech at IIT Kharagpur.
After getting back to the mainstream I was given the task of driving information security across our organisation, with 30 locations all over India.
I did not have the time to see all these locations, we could not hire consultants, and I did not know the state of IT implementations in these departments.
My best bet would have been to install anti-virus at the endpoints, a firewall at the perimeter, and to encrypt the data.
But I decided to take a while and study the literature of information security, and I read a few articles and browsed a few books, including the 1000-page Shon Harris tome.
I needed a framework: ISO 27001 cost money, NIST was too long.
Then I stumbled on the Top 20 Security Controls, or the SANS Critical Security Controls as they were called at that point in time.
90-page PDF with a number of diagrams
Offense informs defense: Use knowledge of actual attacks that have compromised systems to provide the foundation to continually learn from these events to build effective, practical defenses. Include only those controls that can be shown to stop known real-world attacks.
Prioritization: Invest first in Controls that will provide the greatest risk reduction and protection against the most dangerous threat actors and that can be feasibly implemented in your computing environment.
Metrics: Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quickly.
Continuous diagnostics and mitigation: Carry out continuous measurement to test and validate the effectiveness of current security measures and to help drive the priority of next steps.
Automation: Automate defenses so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to the Controls and related metrics.
Do we know what is connected to our systems and networks?
Do we know what software is running (or trying to run) on our systems and networks?
Are we continuously managing our systems using “known good” configurations?
Are we continuously looking for and managing “known bad” software?
Do we limit and track the people who have administrative privileges?
Prevents/stops 85-90% of attacks…
These seem to meet my requirement as they were:
• What are we trying to protect? How much should we spend?
• Risk is a function of threat (offense), vulnerability (defense), probability, and consequence
• What can be controlled?