TECHTVSERIES
COLLABORATE, INNOVATE, VALIDATE
CIS Top 20 Critical Security Controls
“Monitor, detect, analyze, protect, report, and respond against known vulnerabilities, known & unknown attacks, and exploitations” and “continuously test and evaluate information and the security controls and techniques to ensure that they are effectively implemented.”
• The control areas in the CIS CSC focus on various technical aspects of information security.
• Their primary goal is to support organizations in prioritizing their efforts in defending against today’s most common and damaging attacks.
• Outside of the technical realm, a comprehensive security program should also take into account:
  • Numerous additional areas of security, including overall policy, organizational structure, personnel issues (e.g., background checks), and physical security.
• To help maintain focus, the controls in this document do not deal with these important, but non-technical, aspects of information security.
• Organizations should build a comprehensive approach to these other aspects of security as well.
• What is an IT security framework?
  • An information security framework is a series of documented processes that are used to define policies and procedures around the implementation and ongoing management of information security controls in an enterprise environment.
  • These frameworks are basically a "blueprint" for building an information security program to manage risk and reduce vulnerabilities. Information security teams can utilize these frameworks to define and prioritize the tasks required to build security into an organization.
  • Examples include the NIST Cybersecurity Framework, NIST guidelines, and the ISO 27000 series, or regulations such as PCI DSS, HIPAA, NERC CIP, and FISMA.
Understanding the CIS Critical Security Controls
• In 2008, the Center for Internet Security’s Critical Security Controls (“CIS Controls”) were created.
  • A collaboration between representatives from the U.S. government and private-sector security and research organizations.
  • A set of practical defenses specifically targeted toward stopping cyber attacks.
• The CIS Controls were crafted to answer the frequent question:
  • “Where should I start when I want to improve my cyber defenses?”
• The CIS CSC relationship to other federal guidelines, recommendations, and requirements:
  • Once companies have addressed the 20 Critical Controls, it is recommended that the NIST 800-53 guidelines be used to ensure that they have assessed and implemented an appropriate set of management controls.
  • The CIS Controls are meant to reinforce and prioritize some of the most important elements of other frameworks, guidelines, standards, and requirements put forth in other US Government documentation, such as NIST Special Publication 800-53: Recommended Security Controls for Federal Information Systems, SCAP, FDCC, FISMA, and Department of Homeland Security Software Assurance documents.
Guiding principles used in devising these control areas and their associated sub-controls include:
• Defenses should focus on addressing the most common and damaging attacks.
• Enterprise environments must ensure consistent controls across the enterprise to effectively negate attacks.
• Defenses should be automated where possible, and periodically or continuously measured using automated measurement techniques where feasible.
• Getting Started: Ask and Answer Key Questions
  • What am I trying to protect?
  • Where are my gaps?
  • What are my priorities?
  • Where can I automate?
  • How can my vendor partners help?
• General guidance for implementing the Controls:
  • Carefully plan.
  • Put an organizational structure in place for the program’s success.
  • Establish a “Governance, Risk, and Compliance (GRC)” program.
  • Assign program managers.
• There are a few practical considerations an organization should make when embarking on this journey. Specifically, an organization should:
  • Make a formal, top-level decision to make the CIS Controls part of the organization’s standard.
    • Senior management provides support and accountability.
  • Assign a program manager.
    • This person will be responsible for maintaining cyber defenses over the long term.
  • Start with a gap analysis.
  • Develop an implementation plan.
  • Document the long-term plan (3-5 years).
  • Embed the definitions of the CIS Controls into the organization’s security policies.
  • Educate the workforce on the organization’s security goals and enlist their help as part of the long-term defense of the organization’s data.
• Successful implementation of the Controls will require many organizations to shift their mindset on security and how they approach IT operations and defense.
  • No longer can employees be allowed to install software at random or travel with sensitive data in their pockets.
• It has been established that the cultural acceptance of changes needed to implement the technical controls is a necessary prerequisite for success.
  • This is probably the most significant obstacle most organizations need to overcome.
• The Controls are not limited to blocking the initial compromise of systems; they also address:
  • Detecting already-compromised machines and preventing or disrupting attackers’ follow-on actions.
  • Reducing the initial attack surface by hardening device configurations, identifying compromised machines to address long-term threats inside an organization’s network, disrupting attackers’ command-and-control of implanted malicious code, and establishing an adaptive, continuous defense.
• The five critical tenets of an effective cyber defense system as reflected in the CIS Critical Security Controls are:
  • Offense informs defense
  • Prioritization
  • Metrics
  • Continuous diagnostics and mitigation
  • Automation
• How to Get Started
  • Step 1. Perform Initial Gap Assessment.
  • Step 2. Develop an Implementation Roadmap.
  • Step 3. Implement the First Phase of Controls.
  • Step 4. Integrate Controls into Operations.
  • Step 5. Report and Manage Progress against the Implementation Roadmap.
• Control #1: Inventory of Authorized and Unauthorized Devices
  • Key principle of the Control: Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
• The purpose of this Control is to help organizations define a baseline of what must be defended.
• Without an understanding of what devices and data are connected, they cannot be defended.
• Why is CIS Control 1 critical?
  • Attackers are continuously scanning the address space of target organizations, waiting for new and unprotected systems to be attached to the network.
  • Devices that are not visible from the Internet can be used by attackers who have already gained internal access and are hunting for internal jump points or victims, such as new or test systems.
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices

Family: System | Control: 1.1 | Foundational: Y
  Description: Deploy an automated asset inventory discovery tool and use it to build a preliminary inventory of systems connected to an organization’s public and private network(s). Both active tools that scan through IPv4 or IPv6 network address ranges and passive tools that identify hosts based on analyzing their traffic should be employed.
  Advanced: Use a mix of active and passive tools, and apply as part of a continuous monitoring program.

Family: System | Control: 1.2 | Foundational: Y
  Description: If the organization is dynamically assigning addresses using DHCP, then deploy dynamic host configuration protocol (DHCP) server logging, and use this information to improve the asset inventory and help detect unknown systems.

Family: System | Control: 1.3 | Foundational: Y
  Description: Ensure that all equipment acquisitions automatically update the inventory system as new, approved devices are connected to the network.

Family: System | Control: 1.4 | Foundational: Y
  Description: Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device. The inventory should include every system that has an Internet protocol (IP) address on the network, including but not limited to desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, Voice-over-IP telephones, multi-homed addresses, virtual addresses, etc. The asset inventory created must also include data on whether the device is a portable and/or personal device. Devices such as mobile phones, tablets, laptops, and other portable electronic devices that store or process data must be identified, regardless of whether they are attached to the organization’s network.

Family: System | Control: 1.5 | Foundational: Y
  Description: Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network. The 802.1x must be tied into the inventory data to determine authorized versus unauthorized systems.
  Advanced: Authentication mechanisms are closely coupled to management of hardware inventory.

Family: System | Control: 1.6 | Foundational: Y
  Description: Use client certificates to validate and authenticate systems prior to connecting to the private network.
• CSC 1 Procedures and Tools
  • The Control requires both technical and procedural actions.
  • It is critical for all devices to be covered by an accurate and up-to-date inventory control system (Excel, database, manual, or commercial automatic tool) with device details and owners.
  • Securely pull device details (e.g., MAC addresses) from switches, routers, access points, DHCP servers, other servers, and SPAN ports.
  • Run scanning tools (active/passive) every 12 hours: ICMP sweeps, fingerprinting.
  • Standard device naming conventions can help so that unrecognized device names stand out.
  • Maturity progresses from manual to automated, then to monitored and measured.
  • Place a new device on the network monthly to test the effectiveness of the tools and procedures.
• CSC 1 Procedures and Tools
  • Ensure that network inventory monitoring tools keep the asset inventory up to date on a real-time basis, looking for deviations from the expected inventory of assets on the network and alerting security.
  • Secure the asset inventory database so that the asset information is encrypted.
  • Limit access to these systems to authorized personnel only, and carefully log all such access.
  • For additional security, a secure copy of the asset inventory may be kept in an off-line system.
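The DHCP-logging and deviation-alerting steps above (CSC 1.2 and the real-time monitoring bullet), as an added example that is not part of the original slides: it parses constructed dhcpd-style DHCPACK syslog lines, compares each lease's MAC against a constructed CSC 1.4-style inventory, and flags unknown devices and hostname mismatches for the security team. The log format, the inventory layout and every sample value are assumptions.

```python
import re
from collections import namedtuple

# Constructed sample lines in ISC dhcpd's syslog style (assumed format; not taken from the slides).
SAMPLE_DHCP_LOG = """\
Mar  3 08:01:12 dhcp1 dhcpd[812]: DHCPACK on 10.10.20.15 to 00:1a:2b:3c:4d:5e (fin-ws-042) via eth0
Mar  3 08:02:40 dhcp1 dhcpd[812]: DHCPDISCOVER from a4:5e:60:aa:bb:cc via eth0
Mar  3 08:02:41 dhcp1 dhcpd[812]: DHCPACK on 10.10.20.77 to a4:5e:60:aa:bb:cc (android-9f3) via eth0
Mar  3 08:05:03 dhcp1 dhcpd[812]: DHCPACK on 10.10.20.16 to 00:1a:2b:3c:4d:5f via eth0
Mar  3 08:07:30 dhcp1 dhcpd[812]: DHCPACK on 10.10.20.16 to 00:1A:2B:3C:4D:5F (fin-ws-043-old) via eth0
"""

# Constructed asset inventory keyed by MAC, carrying the CSC 1.4 fields (name, purpose, owner, department).
INVENTORY = {
    "00:1a:2b:3c:4d:5e": {"name": "fin-ws-042", "purpose": "workstation", "owner": "j.doe", "dept": "Finance"},
    "00:1a:2b:3c:4d:5f": {"name": "fin-ws-043", "purpose": "workstation", "owner": "a.roe", "dept": "Finance"},
}

# Only DHCPACK lines carry a confirmed lease: IP, MAC, optional hostname, and the serving interface.
DHCPACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd\[\d+\]: DHCPACK on (?P<ip>[\d.]+) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)$",
    re.IGNORECASE,
)

Lease = namedtuple("Lease", "ts ip mac host iface")

def parse_leases(log_text):
    """Return one Lease per DHCPACK line; DISCOVER/OFFER/REQUEST lines are ignored."""
    leases = []
    for line in log_text.splitlines():
        m = DHCPACK_RE.match(line)
        if m:
            leases.append(Lease(m["ts"], m["ip"], m["mac"].lower(), m["host"], m["iface"]))
    return leases

def find_deviations(leases, inventory):
    """Flag leases to MACs absent from the inventory, and known MACs presenting an unexpected hostname."""
    findings = []
    for lease in leases:
        asset = inventory.get(lease.mac)
        if asset is None:
            findings.append(("UNKNOWN_DEVICE", lease.mac, lease.ip, lease.host))
        elif lease.host and lease.host != asset["name"]:
            findings.append(("NAME_MISMATCH", lease.mac, lease.ip, f"{lease.host} != {asset['name']}"))
    return findings
```

Calling `find_deviations(parse_leases(SAMPLE_DHCP_LOG), INVENTORY)` on the sample yields one UNKNOWN_DEVICE finding for the Android client and one NAME_MISMATCH for fin-ws-043; in practice the inventory lookup would be backed by the asset database and the findings forwarded to the SIEM.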
• CSC 1 Procedures and Tools
  • In addition to an inventory of hardware, organizations should develop an inventory of data/information assets and map critical information to the hardware assets.
  • A department and individual responsible for each data asset should be identified, recorded, and tracked.
  • To evaluate the effectiveness of automated asset inventory tools, periodically attach several hardened computer systems not already included in asset inventories to the network and measure the delay before each device connection is disabled or the installers are confronted.
  • Advanced: The organization’s asset inventory should include removable media devices, including USB sticks, external hard drives, and other related information storage devices.
CSC 1.1 Requirement: Inventory of Authorized and Unauthorized Devices
CSC 1.1 Procedure: Asset Inventory
The organization:
1. Departments will document and clearly define what authorized and unauthorized devices are in their respective areas.
2. Departments will update the asset inventory reports and auditors of inventoried devices.
3. Departments will spot-check devices monthly to ensure that they are authorized.
Metrics:
1. The IT department will maintain a list of de-authorized devices.
2. The IT department will spot-check each department every 6 months.
Sub-controls of Control 1 (Inventory of Authorized and Unauthorized Devices), the security technology control each maps to, and example products:

1. Active Device Discovery System: Tenable, Qualys, Infoblox NetMRI, ForeScout
2. Passive Device Discovery System: Tenable, Qualys, Infoblox NetMRI, ForeScout
3. Log Management System / SIEM: LogRhythm, Splunk
4. Asset Inventory System: Tenable, Qualys, Infoblox NetMRI, ForeScout, Db, Excel
5. Network Level Authentication (NLA): Tenable, Qualys, Infoblox NetMRI, ForeScout, Juniper
6. Public Key Infrastructure (PKI): Microsoft
• Inventory of Authorized and Unauthorized Devices
1-1 - Deploy an automated asset inventory discovery tool
Free Tools
• Spiceworks - active scanning.
• AlienVault OSSIM - inventorying.
• Open-AudIT - all open source inventorying and auditing platform.
• OpenNMS - Open Network Management System.
• Windows DHCP Server Audit Event Tool - this tool can be used by admins to view all the events generated by the DHCP Server directly.
• Linux DHCP Server Config and Logging - CentOS DHCP Server.
• 1-5 - Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network. The 802.1x must be tied into the inventory data to determine authorized versus unauthorized systems.
Free Tools
• Windows NPS Server Role - just beware that NAP is deprecated in Windows 10, so you will need a third-party NAP client.
• FreeRADIUS & 802.1x - how to set up 802.1x with FreeRADIUS.
• SANS guide to deploying 802.1x
• Group Policy for Wireless 802.1x - Group Policy for Wired 802.1x
• 802.1x standard on most switches
Enterprise Tools
• Cisco ISE
• 1-6 - Deploy network access control (NAC) to monitor authorized systems so that if attacks occur, the impact can be remediated by moving the untrusted system to a virtual local area network that has minimal access.
Free Tools
• PacketFence - flagship of open source Network Access Control (NAC).
• OpenNAC - open source network access control that provides secure access for LAN/WAN.
Commercial Tools
• Forescout - offers health checks before authenticating supplicants to your network. For wired and wireless networks.
• Microsoft SCCM - NAC with health checks is but one small piece of SCCM.