(Draft 1.0) -- 20 Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance


  • 8/14/2019 (Draft 1.0) -- 20 Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance


Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance

Draft 1.0: February 23, 2009

NOTICE to readers of this draft document: Criticisms and suggestions are strongly encouraged. If you are actively engaged in cyber forensics, red teams, blue teams, technical incident response, vulnerability research, or cyber attack research or operations, please help make sure this document is as good as it can be. We also request support in identifying users who have implemented scalable methods for measuring compliance with these controls and producing sharable benchmarks and other types of baseline guidance that can be used to drive tool based assessment of as many of these controls as possible.

Send criticism/comments/suggestions to John Gilligan as well as to [email protected], 2009.

INTRODUCTION

Securing our Nation against cyber attacks has become one of the Nation's highest priorities. To achieve this objective, networks, systems, and the operations teams that support them must vigorously defend against external attacks. Furthermore, for those external attacks that are successful, defenses must be capable of thwarting, detecting, and responding to follow-on attacks on internal networks as attackers spread inside a compromised network.

A central tenet of the US Comprehensive National Cybersecurity Initiative (CNCI) is that offense must inform defense. In other words, knowledge of actual attacks that have compromised systems provides the essential foundation on which to construct effective defenses. The US Senate Homeland Security and Government Affairs Committee moved to make this same tenet central to the Federal Information Security Management Act in drafting FISMA 2008. That new proposed legislation calls upon Federal agencies to:

Establish security control testing protocols that ensure that the information infrastructure of the agency, including contractor information systems operating on behalf of the agency, are effectively protected against known vulnerabilities, attacks, and exploitations.

And to work together to make sure that testing is up to date and comparable, by agreeing on common metrics through:

Establishing a prioritized baseline of information security measures and controls that can be continuously monitored through automated mechanisms.

This consensus document is designed to begin the process of establishing that prioritized baseline of information security measures and controls. The consensus effort that has produced this document has identified twenty specific security controls that are viewed as essential for blocking known high priority attacks. Fifteen of these controls can be monitored, at least in part, automatically and continuously. The consensus effort has also identified a second set of five controls that are essential but that do not appear to be able to be monitored continuously or automatically with current technology and practices.

Additionally, the controls in this document are designed to support agencies and organizations that currently have various different levels of information security capabilities. To help organizations focus on achieving a sound baseline of security and then improve beyond that baseline, certain aspects of individual controls have been categorized as follows:

Quick Wins: These fundamental aspects of information security can help an organization rapidly improve its security stance generally without major process, organization, architecture, or technical changes to its environment. It should be noted, however, that a Quick Win does not necessarily mean that these controls provide protection against the most critical attacks. The intent of identifying Quick Win control areas is to highlight where security can be improved rapidly. These items are identified in this document with the label of QW.

Improved Visibility and Attribution: These controls focus on improving the process, architecture, and technical capabilities of organizations so that the organization can monitor their networks and computer systems, gaining better visibility into their IT operations. Attribution is associated with determining which computer systems, and potentially which users, are generating specific events. Such improved visibility and ability to determine attribution supports organizations in detecting attack attempts, locating the points of entry for successful attacks, identifying already compromised machines, interrupting infiltrated attackers' activities, and gaining information about the sources of an attack. These items are labeled as Vis/Attrib.

Hardened Configuration and Improved Information Security Hygiene: These aspects of various controls are designed to improve the information security stance of an organization by reducing the number and magnitude of potential security vulnerabilities as well as improving the operations of networked computer systems. Control guidelines in this category are formulated with the understanding that a well managed network is a much harder target for computer attackers to exploit. Throughout this document, these items are labeled as Config/Hygiene.

Advanced: These items are designed to further improve the security of an organization beyond the other three categories. Organizations handling particularly sensitive networks and information that are already following all of the other controls should focus on this category. Items in this category are simply called Advanced.

In general, organizations should examine all twenty control areas against their current status and develop an agency specific plan to implement the controls. Organizations with limited information security programs may want to address the Quick Wins aspects of the controls in order to make rapid progress and to build momentum within their information security


The National Institute of Standards and Technology (NIST) has produced excellent security guidelines that provide a very comprehensive set of security controls. This document by contrast seeks to identify that subset of security control activities that CISOs, CIOs and IGs can agree are their top, shared priority for cyber security. Once agreement is reached, these controls would be the basis for future audits and evaluations. While aimed at government organizations, the principles and measures addressed in this document are also highly applicable to commercial and academic enterprises and should be usable within the commercial marketplace.

What makes this document effective is that it reflects knowledge of actual attacks and defines controls that would have stopped those attacks from being successful. To construct the document, we have called upon the people who have first hand knowledge about how the attacks are being carried out:

1. Blue team members inside the Department of Defense who are often called in when military commanders find their systems have been compromised
2. US-CERT and other non-military incident response employees and consultants who are called upon by civilian agencies and companies to identify the most likely method by which the penetrations were accomplished
3. Military investigators who fight cyber crime
4. The FBI and other police organizations that investigate cyber crime
5. Cyber security experts at US Department of Energy laboratories and Federally Funded Research and Development Centers
6. DoD and private forensics experts who analyze computers that have been infected
7. Red team members in DoD tasked with finding ways of circumventing military cyber defenses
8. Civilian penetration testers who test civilian government and commercial systems to find how they can be penetrated
9. Federal CIOs and CISOs who have intimate knowledge of cyber attacks
10. The Government Accountability Office (GAO)

Consensus Audit Guideline Controls

Twenty critical security controls were agreed upon by knowledgeable individuals from the groups listed above. The list of controls includes fifteen that are able to be validated in an automated manner and five that must be validated manually.

Critical Controls Subject to Automated Measurement and Validation:

1: Inventory of Authorized and Unauthorized Hardware.
2: Inventory of Authorized and Unauthorized Software.
3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers.
4: Secure Configurations of Network Devices Such as Firewalls and Routers.


5: Boundary Defense
6: Maintenance and Analysis of Complete Security Audit Logs
7: Application Software Security
8: Controlled Use of Administrative Privileges
9: Controlled Access Based On Need to Know
10: Continuous Vulnerability Testing and Remediation
11: Dormant Account Monitoring and Control
12: Anti-Malware Defenses
13: Limitation and Control of Ports, Protocols and Services
14: Wireless Device Control
15: Data Leakage Protection

Additional Critical Controls (not directly supported by automated measurement and validation):

16. Secure Network Engineering
17. Red Team Exercises
18. Incident Response Capability
19. Data Recovery Capability
20. Security Skills Assessment and Training to Fill Gaps

In the pages that follow, each of these controls is described more fully. Descriptions include how attackers would exploit the lack of the control, how to implement the control, and how to measure if the control has been properly implemented, along with suggestions regarding how standardized measurements can be applied. As pilot implementations are complete and agencies get experience with automation, we expect the document to be expanded into a detailed audit guide that agency CIOs can use to ensure they are doing the right things for effective cyber defense and that IGs can use to verify the CIOs' tests.

Insider Threats vs. Outsider Threats

A quick review of the critical controls may lead some readers to think that they are heavily focused on outsider threats and may, therefore, not fully deal with insider attacks. In reality, the insider threat is well covered in these controls in two ways. First, specific controls such as network segmentation, control of administrative rights, enforcement of need to know, data leakage protection, and effective incident response all directly address the key ways that insider threats can be mitigated. Second, the insider and outsider threats are merging as outsiders are more and more easily penetrating the security perimeters and becoming insiders. All of the controls that limit unauthorized access within the organization work effectively to mitigate both insider and outsider threats. It is important to note that these controls are meant to deal with multiple kinds of computer attackers, including but not limited to malicious internal employees and contractors, independent individual external actors, organized crime groups, terrorists, and nation state actors, as well as mixes of these different threats.


Relationship to Other Federal Guidelines, Recommendations, and Requirements

These Consensus Audit Guidelines are meant to reinforce and prioritize some of the most important elements of the guidelines, standards, and requirements put forth in other US Government documentation, such as NIST Special Publication 800-53: Recommended Security Controls for Federal Information Systems, SCAP, FDCC, FISMA, and Department of Homeland Security Software Assurance documents. These guidelines do not conflict with such recommendations. In fact, the guidelines set forth herein are a proper subset of the recommendations of 800-53, designed so that organizations can focus on a specific set of actions associated with current threats and computer attacks they face every day. A draft of the mapping of individual guidelines in this document to specific recommendations of 800-53 is included in Appendix A.

Additionally, the Consensus Audit Guidelines are not intended to be comprehensive in addressing everything that a CIO or CISO must address in an effective security program. For example, in addition to implementing controls identified in this document, organizations must develop appropriate security policies, security architectures, and system security approvals. Furthermore, CIOs and CISOs must balance business needs and security risks, recognizing that there are sometimes trade-offs between them that must be carefully analyzed and measured.

Periodic and Continual Testing of Controls

Each control included in this document describes a series of tests that organizations can conduct on a periodic or, in some cases, continual basis to ensure that appropriate defenses are in place. One of the goals of the tests described in this document is to provide as much automation of testing as possible. By leveraging standardization efforts and repositories of content like SCAP, these automated test suites and scripts can be highly sharable between organizations, consistent to a large extent, and easily used by auditors for validation. However, at various phases of the tests, human testers are needed to set up tests or evaluate results in a fashion that cannot be automated. The testers associated with measuring such controls must be trusted individuals, as the test may require them to access sensitive systems or data in the course of their tests. Without appropriate authorization, background checks, and possibly clearance, such tests may be impossible. Such tests should also be supervised or reviewed by appropriate agency officials well versed in the parameters of lawful monitoring and analysis of information technology systems.

A Work in Progress

The consensus effort to define critical security controls is a work in progress. In fact, changing technology and changing attack patterns will necessitate future changes even after it has been adopted. In a sense, this will be a living document moving forward, but the controls described in this version are a solid start on the quest to make fundamental computer security hygiene a well understood, repeatable, measurable, scalable, and reliable process throughout the federal government.


DESCRIPTION OF CONTROLS

Critical Control 1: Inventory of authorized and unauthorized hardware.

How do attackers exploit the lack of this control?

Many criminal groups and nation states deploy systems that continuously scan address spaces of target organizations waiting for new, unprotected systems to be attached to the network. The attackers also look for laptops not up to date with patches because they are not frequently connected to the network. One common attack takes advantage of new hardware that is installed on the network one evening and not configured and patched with appropriate security updates (i.e., hardened) until the following day. Attackers from anywhere in the world may quickly find and exploit such systems that are Internet accessible. Furthermore, even for internal network systems, attackers who have already gained internal access may hunt for and compromise additional improperly secured internal computer systems. The attackers use the nighttime window to install backdoors on the systems that are still present after the systems are hardened and are used for exfiltration of sensitive data from compromised systems and from other systems connected to it.

Additionally, attackers frequently look for experimental or test systems that are briefly connected to the network but not included in the standard asset inventory of an organization. Such experimental systems tend not to have as thorough security hardening or defensive measures as other systems on the network. Although these test systems do not typically hold sensitive data, they offer an attacker an avenue into the organization, and a launching point for deeper penetration.

How can this control be implemented, automated, and its effectiveness measured?

An accurate and up to date inventory, controlled by active monitoring and configuration management, can reduce the chance of attackers finding unauthorized (those not previously approved for installation) and unprotected systems to exploit.

1. Vis/Attrib: Maintain an asset inventory of all computer systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, and an asset owner responsible for each device.

2. Vis/Attrib: Ensure that network inventory monitoring tools are operational and continuously monitoring, keeping the asset inventory up to date and looking for deviations from the expected inventory of assets on the network, and alerting the security operations center when deviations are discovered.
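The deviation check that items 1 and 2 above call for can be written as a comparison between the approved inventory (address, name, purpose, owner) and whatever a discovery scan currently sees. The following is an added example, not code from the CAG document or from any inventory product; the asset records, MAC and IP addresses and owners are constructed sample data, and the MAC address is assumed to be the stable identifier that links a scanned device to its inventory entry.

```python
"""Compare an authorized hardware inventory with a discovery scan and raise
alerts for devices that are unauthorized, changed, or missing.
Added example; all assets, addresses and owners are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    mac: str                    # stable identifier used to match devices (assumption)
    ip: str
    hostname: str
    purpose: str = "unknown"
    owner: str = "unassigned"   # asset owner responsible for the device


# Authorized inventory (constructed): what change control approved.
AUTHORIZED = {
    a.mac: a for a in (
        Asset("00:11:22:33:44:01", "10.0.1.10", "web01", "public web server", "ops-web"),
        Asset("00:11:22:33:44:02", "10.0.1.11", "db01", "database", "ops-db"),
        Asset("00:11:22:33:44:03", "10.0.1.1", "core-rtr", "core router", "netops"),
        Asset("00:11:22:33:44:04", "10.0.1.12", "bak01", "backup server", "ops-db"),
    )
}

# Result of a discovery scan (constructed): e.g. parsed ARP/DHCP data.
OBSERVED = [
    Asset("00:11:22:33:44:01", "10.0.1.10", "web01"),
    Asset("00:11:22:33:44:03", "10.0.1.1", "core-rtr"),
    Asset("00:11:22:33:44:99", "10.0.1.57", "test-vm"),   # never approved
    Asset("00:11:22:33:44:02", "10.0.1.22", "db01"),      # address changed
]


def compare_inventory(authorized, observed):
    """Return devices seen but not approved, approved but not seen, and
    approved devices whose address or name differs from the record."""
    seen = {a.mac: a for a in observed}
    unauthorized = [a for mac, a in seen.items() if mac not in authorized]
    missing = [a for mac, a in authorized.items() if mac not in seen]
    changed = [
        (authorized[mac], a) for mac, a in seen.items()
        if mac in authorized
        and (a.ip != authorized[mac].ip or a.hostname != authorized[mac].hostname)
    ]
    return {"unauthorized": unauthorized, "missing": missing, "changed": changed}


def alerts(result):
    """Format alerts for the security operations center; an unauthorized device
    is the highest priority because it has no owner and no hardening record."""
    lines = []
    for a in result["unauthorized"]:
        lines.append(f"HIGH unauthorized device {a.mac} at {a.ip} ({a.hostname}); no owner on record")
    for approved, seen in result["changed"]:
        lines.append(f"MEDIUM {approved.hostname} ({approved.mac}) owner {approved.owner}: "
                     f"ip {approved.ip} -> {seen.ip}")
    for a in result["missing"]:
        lines.append(f"LOW approved device {a.hostname} ({a.mac}) not seen; owner {a.owner}")
    return lines


if __name__ == "__main__":
    for line in alerts(compare_inventory(AUTHORIZED, OBSERVED)):
        print(line)
```

Run on a schedule, the same comparison gives the measurement item 2 asks for: the time between a device appearing on the wire and its alert reaching the SOC.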


How can this control be implemented, automated, and its effectiveness measured?

1. Vis/Attrib: Deploy software inventory tools throughout the organization covering each of the operating system types in use, including desktop, server, and network devices. The software inventory system should track the version of the underlying operating system as well as the applications installed on it. Furthermore, the tool should record not only the type of software installed on each system, but also its version number and patch level. The tool should also monitor for unauthorized software.

2. Vis/Attrib: Ensure software inventory monitoring tools are operational by periodically installing several software updates and new packages on hardened control machines in the network and measure the delay before the software inventory indicates the changes. Such updates should be chosen for the control machines so that they do not negatively impact production systems on the network. Also measure the organization's response activities to unauthorized software installed in the environment.

3. Config/Hygiene: A policy is also required to force all drivers to be digitally signed and the organization should configure systems to block the loading of drivers that are not signed by a trusted software vendor. Both Windows Vista and Windows XP include configuration options that can enforce driver signing across an organization. Strictly loading only signed drivers is a crucial step toward blocking intruders' control of systems via rootkits that modify the core of the operating system to wield control.

Procedures and tools for implementing and automating this control:

Commercial software and asset inventory tools are widely available and in use in many enterprises today. The best of these tools provide an inventory check of hundreds of common applications used in enterprises on Microsoft Windows and other machines, pulling information about the patch level of each installed program to ensure that it is the latest version and leveraging the standardized application names in CPE.

Features that implement white and black lists of programs allowed to run or blocked from executing are included in modern endpoint security suites. Moreover, commercial solutions are increasingly bundling together anti-virus, anti-spyware, personal firewall, and host-based Intrusion Detection Systems and Intrusion Prevention Systems (IDS and IPS). In particular, most endpoint security solutions can look at the name, file system location, and/or MD5 hash of a given executable to determine whether the application should be allowed to run on the protected machine. The most effective of these tools offer custom whitelists and blacklists based on executable path, hash, or regular expression matching. Some even include a graylist function that allows administrators to define rules for execution of specific programs only by certain users and at certain times of day and blacklists based on specific signatures.

Once software inventory and execution control products are deployed, they can be evaluated by attempting to run a blacklisted program or a program that is not on the whitelist. To test solutions that implement a blacklist, the organization can define a specific benign executable as not being allowed, such as a simple word processor contained in a single EXE file. They can then attempt to run the program and test whether execution is blocked, and whether an alert is generated. For whitelist solutions, the organization can attempt to run a similar benign executable not on the whitelist, again checking for blocked execution and alerts.
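To make the decision logic of the whitelist, blacklist and graylist features concrete, and to show what the evaluation just described checks, here is an added example of a policy evaluator and the two test cases the text recommends. It is not code from the CAG document or from any endpoint product; the policy format, the paths, the user names and the executable contents (hashed in place of real binaries) are constructed, and MD5 is used only because that is the hash the text mentions.

```python
"""Evaluate an application execution-control policy: blacklist by hash,
whitelist by exact path or regular expression, graylist rules limited to
certain users and hours. Added example; policy, paths, users and file
contents are constructed."""
import hashlib
import re
from datetime import time


def md5_of(data: bytes) -> str:
    # MD5 is what the text names; a current deployment would prefer SHA-256.
    return hashlib.md5(data).hexdigest()


# Constructed sample executables: the bytes stand in for real binaries.
KNOWN_GOOD = md5_of(b"corporate word processor build 1.2")
KNOWN_BAD = md5_of(b"benign single-EXE word processor used for the blacklist test")

POLICY = {
    "blacklist_hashes": {KNOWN_BAD},
    "whitelist_paths": {r"C:\Program Files\Office\winword.exe"},
    "whitelist_patterns": [re.compile(r"^C:\\Windows\\System32\\[A-Za-z0-9_]+\.exe$", re.I)],
    # graylist: (path pattern, users allowed, start hour, end hour)
    "graylist": [
        (re.compile(r"^C:\\Tools\\netdiag\.exe$", re.I), {"netops"}, time(8), time(18)),
    ],
}


def decide(path, content_hash, user, now: time, policy=POLICY):
    """Return (allowed, reason). Precedence: blacklist, then whitelist, then
    graylist, then default deny for any program the policy does not know."""
    if content_hash in policy["blacklist_hashes"]:
        return False, "blacklisted hash"
    if path in policy["whitelist_paths"]:
        return True, "whitelisted path"
    if any(p.match(path) for p in policy["whitelist_patterns"]):
        return True, "whitelisted pattern"
    for pattern, users, start, end in policy["graylist"]:
        if pattern.match(path):
            if user in users and start <= now < end:
                return True, "graylist rule satisfied"
            return False, "graylist rule: wrong user or outside hours"
    return False, "not on whitelist"


def evaluation_results():
    """The two checks the text recommends (a blacklisted benign program and a
    benign program absent from the whitelist) plus graylist edge cases."""
    return {
        "blacklist_test": decide(r"C:\Users\alice\wp.exe", KNOWN_BAD, "alice", time(10)),
        "whitelist_test": decide(r"C:\Users\alice\wp2.exe", KNOWN_GOOD, "alice", time(10)),
        "graylist_in_hours": decide(r"C:\Tools\netdiag.exe", "deadbeef", "netops", time(9)),
        "graylist_after_hours": decide(r"C:\Tools\netdiag.exe", "deadbeef", "netops", time(23)),
        "approved_office": decide(r"C:\Program Files\Office\winword.exe", KNOWN_GOOD, "alice", time(10)),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in evaluation_results().items():
        print(f"{name:22s} {'ALLOW' if allowed else 'BLOCK':5s} {reason}")
```

A real evaluation also confirms that each BLOCK decision produced an alert in the console, which the product, not this evaluator, is responsible for; a whitelist product that silently blocks satisfies only half of the check.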

Critical Control 3: Secure configurations for hardware and software on laptops, workstations, and servers.

How do attackers exploit the lack of this control?

On both the Internet and internal networks that attackers have already compromised, automated computer attack programs constantly search target networks looking for systems that were configured with vulnerable software installed the way that it was delivered from manufacturers and resellers, thereby being immediately vulnerable to exploitation. Attackers attempt to exploit both network accessible services and browsing client software using such techniques. The two possible defenses against these automated exploits are to ask every computer user to reconfigure systems to be more securely configured or to buy and install computer and network components with the secure configurations already implemented and to update these configurations on a regular basis. Despite a majority of agencies that still use the former approach, only the latter approach (i.e., updating configurations on a regular basis) is effective. Establishing and monitoring secure configurations provide the motivation to the agency to ensure systems are purchased with secure configurations baked in.

How can this control be implemented, automated, and its effectiveness measured?

1. QW: System images must have documented security settings, be approved by an agency change control board, and registered with a central image library for the agency or multiple agencies. Government agencies should negotiate contracts to buy systems configured securely out of the box using these images, which should be devised to avoid extraneous software that would increase their attack surface and susceptibility to vulnerabilities. These images should be validated and refreshed on a regular basis (such as every six months) to update their security configuration in light of recent vulnerabilities and attack vectors. The master images themselves must be stored on securely configured servers, with integrity checking tools and change management to ensure only authorized changes to the images are possible.

2. QW: Change factory default settings on hardware and software and implement network hardening procedures. This would typically include removal of unnecessary usernames and logins, as well as the disabling or removal of unnecessary services. Such hardening also involves, among other measures, applying patches, closing open and unused network ports, implementing intrusion detection systems and/or intrusion prevention systems, and firewalls.

3. QW: At least once per month, run assessment programs on a varying random sample of systems to measure the number that are and are not configured according to the secure configuration guidelines. Provide senior executives with charts showing the number of systems that match configuration guidelines versus those that do not match, illustrating the change of such numbers month by month for each organizational unit.

4. Vis/Attrib: Implement and test a vulnerability monitoring system to ensure it measures all secure configuration elements that can be measured through remote testing, using features such as those included with SCAP to gather configuration vulnerability information. Provide senior executives with charts showing the number of vulnerabilities identified, separated out for comparison based on organizational units.

Procedures and tools for implementing this control:

Organizations can implement this control using commercial and/or free vulnerability scanning tools that evaluate the security configuration of machines and software. Some have also found commercial services using remotely managed scanning appliances to be effective as well. To help standardize the definitions of discovered vulnerabilities in multiple departments of an agency or even across agencies, it is preferred to use vulnerability scanning tools that measure security flaws and map them to vulnerabilities and issues categorized using one or more of the following industry recognized vulnerability, configuration, and platform classification schemes and languages: CVE, CCE, OVAL, CPE, CVSS, and/or XCCDF. In addition, recent changes in licensing associated with popular free vulnerability scanners require users to pay for certain modules, blurring the line between free and commercial tools.

Advanced vulnerability scanning tools can be configured with user credentials to log in to scanned systems and perform more comprehensive scans than can be achieved without login credentials. For example, organizations can run scanners every week or every month without credentials for an initial inventory of potential vulnerabilities. Then, on a quarterly or semi-annual basis, the organization can run the same scanning tool with user credentials or a different scanning tool that supports scanning with user credentials to find additional vulnerabilities.

In addition to the scanning tools that check for vulnerabilities and misconfigurations across the network, various free and commercial tools can evaluate security settings and configurations of local machines on which they are installed. Such tools can provide fine grained insight into unauthorized changes in configuration or the introduction of security weaknesses inadvertently by administrators.

Effective organizations link their vulnerability scanners with problem ticketing systems that automatically monitor and report progress on fixing problems and that make visible unmitigated critical vulnerabilities to higher levels of management to ensure the problems are solved.
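Items 3 and 4 of this control describe a measurement procedure: sample systems at random each month, compare each one's settings to the secure configuration, and report matching versus non-matching counts per organizational unit with the month-over-month change. The following added example implements that procedure end to end; it is not code from the CAG document or from any scanner. The baseline settings, the hosts and their observed settings, and the organizational units are constructed, and the simple setting/value checks stand in for real SCAP/XCCDF content, whose evaluation a scanner would perform.

```python
"""Monthly secure-configuration compliance measurement over a random sample,
summarised per organizational unit. Added example; baseline, hosts and
units are constructed stand-ins for scanner (SCAP/XCCDF) results."""
import random
from collections import defaultdict

# Secure configuration baseline (constructed): setting -> required value.
BASELINE = {
    "password_min_length": 12,
    "guest_account_enabled": False,
    "autorun_enabled": False,
    "firewall_enabled": True,
    "telnet_service": "disabled",
}


def host(unit, **overrides):
    """Build a (unit, observed settings) record starting from the baseline."""
    settings = dict(BASELINE)
    settings.update(overrides)
    return (unit, settings)


# Observed settings per host (constructed), keyed by host name.
FLEET = {
    "hr-ws01": host("HR"),
    "hr-ws02": host("HR", password_min_length=8, telnet_service="enabled"),
    "fin-srv01": host("FIN"),
    "fin-srv02": host("FIN"),
}
del FLEET["fin-srv02"][1]["firewall_enabled"]   # setting could not be read


def findings(observed, baseline=BASELINE):
    """List (setting, expected, actual) for each deviation. A setting that
    could not be read is a deviation: compliance cannot be proven."""
    out = []
    for key, expected in baseline.items():
        actual = observed.get(key, "<missing>")
        if actual != expected:
            out.append((key, expected, actual))
    return out


def sample_hosts(fleet, fraction, seed=None):
    """Varying random sample: a different seed each month picks different hosts,
    so no system can stay out of the measurement indefinitely."""
    rng = random.Random(seed)
    names = sorted(fleet)
    k = max(1, round(len(names) * fraction))
    return rng.sample(names, k)


def assess(fleet, hosts, baseline=BASELINE):
    """Per organizational unit: systems matching the guidelines, systems not
    matching, and the total number of configuration findings."""
    report = defaultdict(lambda: {"compliant": 0, "noncompliant": 0, "findings": 0})
    for name in hosts:
        unit, settings = fleet[name]
        f = findings(settings, baseline)
        report[unit]["findings"] += len(f)
        report[unit]["compliant" if not f else "noncompliant"] += 1
    return dict(report)


def trend(previous, current):
    """Month-over-month change in compliant systems per unit, for the chart."""
    units = set(previous) | set(current)
    return {u: current.get(u, {}).get("compliant", 0)
               - previous.get(u, {}).get("compliant", 0) for u in units}


if __name__ == "__main__":
    this_month = assess(FLEET, sample_hosts(FLEET, 0.5, seed=200902))
    for unit, counts in sorted(this_month.items()):
        print(unit, counts)
```

Sampling is cheap, but the per-unit totals only become comparable month to month once the sample fraction is fixed; change the fraction and the chart needs a note.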

Critical Control 4: Secure configurations of network devices such as firewalls, routers, and switches.

How do attackers exploit the lack of this control?

Attackers take advantage of the fact that network devices may become less securely configured over time as users demand exceptions for specific and temporary business needs, the exceptions are deployed, and those exceptions are not undone when the business need is no longer applicable. Making matters worse, in some cases, the security risk of the exception is never properly analyzed, nor is this risk measured against the associated business need. Attackers search for electronic holes in firewalls, routers, and switches and use those to penetrate defenses. Attackers have exploited flaws in these network devices to redirect traffic on a network (to a malicious system masquerading as a trusted system), and to intercept and alter information while in transmission. Through such actions, the attacker gains access to sensitive data, alters important information, or even uses one compromised machine to pose as another trusted system on the network.

How can this control be implemented, automated, and its effectiveness measured?

1. QW: Compare firewall, router, and switch configuration against standard secure configurations defined for each type of network device in use in the organization. The security configuration of such devices should be documented, reviewed, and approved by an agency change control board.

2. QW: At network interconnection points, such as Internet gateways, inter-agency connections, and internal network segments with different security controls, implement ingress and egress filtering to allow only those ports and protocols with a documented business need, monitor traffic flows looking for attacks using intrusion detection technology, and log each connection for a period of at least 30 days.

3. QW: Network devices that filter unneeded services or block attacks (including firewalls, network-based Intrusion Prevention Systems, routers with access control lists, etc.) should be tested under laboratory conditions with each given organization's configuration to ensure that these devices fail in a closed/blocking fashion under significant loads with traffic including a mixture of legitimate allowed traffic for that configuration intermixed with attacks at line speeds.

4. Config/Hygiene: All new configuration rules beyond a baseline hardened configuration that allow traffic to flow through network security devices, such as firewalls and network-based IPSs, should be documented with a specific business reason for the change, a specific individual's name responsible for that business need, and an expected duration of the need. At least once per quarter, these rules should be reviewed to determine whether they are still required from a business perspective. Expired rules should be removed.

    5. Config/Hygiene:Periodicallyattempttopenetratenetworkdevicesbysimulatingattackers

    actions

    against

    such

    devices.

    Such

    testing

    should

    occur

    from

    outside

    the

    networkperimeter(i.e.,theInternetorwirelessfrequenciesaroundanagency)aswell

    fromwithinitsboundaries(i.e.,ontheinternalnetwork)tosimulatebothoutsiderand

    insiderattacks.

    6. Config/Hygiene:Networkinfrastructuredevicesshouldbemanagedusingtwofactorauthenticationandencryptedsessions.

    7. Advanced:Thenetworkinfrastructureshouldbemanagedacrossnetworkconnectionsthatareseparatedfromthebusinessuseofthatnetwork,relyingonseparateVLANsor

    preferablyrelyingonentirelydifferentphysicalconnectivityformanagementsessions

    fornetworkdevices.

Procedures and tools for implementing this control:

Port scanners and most vulnerability scanning tools can be used to attempt to launch packets through the device, measuring all TCP and UDP ports. This measures the effectiveness of the firewall's configuration. A sniffer can be set up on the other side of the firewall to determine which packets are allowed through the device. The results of the test can be matched against the list of services that are allowed both inbound and outbound (defined through policy that should represent documented business needs for each allowed service), thereby identifying misconfigured firewalls. Such measurement should be conducted at least every quarter, and also when significant changes are made to firewall rule sets and router access control lists.

More effective organizations use commercial tools that evaluate the rule set of firewalls and routers with access control lists to determine whether they are consistent or in conflict, providing an automated sanity check of network filters and searching for errors in rule sets or ACLs that may allow unintended services through the device. Such tools should be run each time significant changes are made to firewall rule sets or router access control lists.
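The quarterly rule review required by item 4, together with the rule-set sanity check described above, as an added example that is not part of the original document: it flags rules that lack a business reason, owner or expiry, rules past their approved duration, and rules an earlier rule shadows so they can never fire. The register format, field names and rules are constructed for illustration.

```python
"""Quarterly rule review for Critical Control 4: every rule added beyond the
hardened baseline must carry a business reason, a named owner and an expiry,
and rule sets should be sanity-checked for rules that can never fire.
Added example, not from the document; field names and rules are constructed."""
from datetime import date

REQUIRED_FIELDS = ("reason", "owner", "expires")
MATCH_FIELDS = ("proto", "src", "dst", "port")

# Constructed register of firewall rules, in the order the device evaluates them.
RULE_REGISTER = [
    {"id": "fw-101", "proto": "tcp", "src": "any", "dst": "dmz-web", "port": "443",
     "reason": "Public web portal", "owner": "J. Doe", "expires": "2009-12-31"},
    {"id": "fw-102", "proto": "tcp", "src": "partner-net", "dst": "internal-db", "port": "1433",
     "reason": "Quarterly data exchange", "owner": "A. Smith", "expires": "2009-01-15"},
    {"id": "fw-103", "proto": "udp", "src": "any", "dst": "internal-net", "port": "161",
     "reason": "", "owner": "", "expires": ""},
    {"id": "fw-104", "proto": "tcp", "src": "any", "dst": "dmz-mail", "port": "25",
     "reason": "Inbound mail", "owner": "M. Lee", "expires": "2009-06-30"},
    {"id": "fw-105", "proto": "tcp", "src": "partner-net", "dst": "dmz-web", "port": "443",
     "reason": "Partner portal access", "owner": "J. Doe", "expires": "2009-09-30"},
]


def review_rules(register, today):
    """Classify rules as 'ok', 'expired' or 'undocumented'.

    today may be a date or an ISO date string.  Undocumented rules lack one of
    the required justification fields; expired rules are past their approved
    duration.  Both categories must be removed or re-justified."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    result = {"ok": [], "expired": [], "undocumented": []}
    for rule in register:
        if any(not rule.get(f) for f in REQUIRED_FIELDS):
            result["undocumented"].append(rule["id"])
        elif date.fromisoformat(rule["expires"]) < today:
            result["expired"].append(rule["id"])
        else:
            result["ok"].append(rule["id"])
    return result


def covers(broad, narrow):
    """A rule field matches everything another field matches when it is the
    'any' wildcard or identical (only exact values and 'any' are modelled)."""
    return broad == "any" or broad == narrow


def shadowed_rules(register):
    """Return (rule_id, shadowed_by_id) for rules an earlier rule fully covers.

    Such a rule can never match a packet; it is either dead configuration or a
    sign that the earlier rule is broader than its documented business need."""
    found = []
    for i, later in enumerate(register):
        for earlier in register[:i]:
            if all(covers(earlier[f], later[f]) for f in MATCH_FIELDS):
                found.append((later["id"], earlier["id"]))
                break
    return found


def rules_to_remove(register, today):
    """Ids that must not stay in the running configuration after the review."""
    r = review_rules(register, today)
    return sorted(r["expired"] + r["undocumented"])


if __name__ == "__main__":
    review = review_rules(RULE_REGISTER, "2009-02-23")
    for status, ids in review.items():
        print(f"{status:12s}: {', '.join(ids) or '-'}")
    for rule_id, by in shadowed_rules(RULE_REGISTER):
        print(f"shadowed    : {rule_id} never matches, covered by {by}")
```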

Critical Control 5: Boundary Defense

How do attackers exploit the lack of this control?

Attackers target Internet-facing systems because they are accessible. They use weaknesses they find there as jumping-off points to get inside the boundary to steal or change information or to set up persistent presence for later attacks. Additionally, many attacks occur between business partner networks, sometimes referred to as extranets, as attackers hop from one organization's network to another, exploiting vulnerable systems on extranet perimeters.

Boundary defenses to stop these types of attack have multiple dimensions: all Internet and extranet traffic passes through managed, authenticated proxies, a DMZ is employed that is separated from internal systems either physically or through tightly monitored filtering, and securely configured firewalls and intrusion detection systems are deployed at each gateway.

How can this control be implemented, automated, and its effectiveness measured?

The boundary defenses included in this control build on the network element hardening described in Critical Control 4 above, with these additional recommendations focused on improving the overall architecture and implementation of both Internet and internal network boundary points. Internal network segmentation is central to this control because once inside a network, intruders target the most sensitive machines. Usually, internal network protections are not set up to defend against an internal attacker. Setting up even a basic level of security segmentation across the network and protecting each segment with a proxy and a firewall will greatly reduce the intruder's access to the other parts of the network.

Enhance network access controls in conjunction with authentication controls to deter propagation through the network from business unit to business unit. Add layers of network protection to critical services on the network, creating a layered access path using application authentication and network segmentation. Implement internal ACLs, internal proxies and firewalls to limit access to these areas. This will deter the intruders from gaining unauthorized access to these areas and could limit their activity altogether.

1. QW: Deploy IDS sensors on Internet and extranet DMZ systems and networks that look for unusual attack mechanisms and detect compromise of these systems. These sensors should be configured to record at least packet header information, and preferably full packet header and payloads of the traffic passing through the network border.

2. Vis/Attrib: Define a network architecture that clearly separates internal systems from DMZ systems and extranet systems. DMZ systems are machines that need to communicate with the internal network as well as the Internet, while extranet systems are systems whose primary communication is with other systems at a business partner.

3. Vis/Attrib: Design and implement network perimeters so that all outgoing web, ftp, and ssh traffic to the Internet must pass through at least one proxy on a DMZ network. The proxy should support logging individual TCP sessions; blocking specific URLs, domain names, and IP addresses; and being able to be configured with whitelists of allowed sites to be accessed through the proxy.

4. Vis/Attrib: Require all remote access (including VPN, dial-up, and other forms) to use two-factor authentication.

5. Config/Hygiene: Conduct periodic penetration tests against DMZs from the Internet to determine whether the attacks are detected and/or thwarted.

6. Config/Hygiene: Periodically scan for back-channel connections to the Internet that bypass the DMZ.

7. Config/Hygiene: To limit access by an insider or malware spreading on an internal network, organizations should devise internal network segmentation schemes to limit traffic to only those services needed for business use across the internal network.

8. Config/Hygiene: Organizations should develop plans for rapidly deploying filters on internal networks to help stop the spread of malware or an intruder.

9. Advanced: Force outbound traffic to the Internet through an authenticated proxy server on the enterprise perimeter. Most organizations already use domain authentication to traverse these routes, and could implement additional authentication through external proxy servers that require a daily password.

10. Advanced: To help identify covert channels exfiltrating data through a firewall, built-in firewall session tracking mechanisms included in many commercial firewalls should be configured to identify long-term TCP sessions that last over one hour, alerting personnel about the source and destination addresses associated with these long-term sessions.

11. Advanced: Require all authentication, both internal and external, to use two-factor authentication.

Procedures and tools for implementing this control:

One element of this control can be implemented using free or commercial intrusion detection systems (IDSs) and sniffers to look for attacks from external sources directed at DMZ and internal systems, as well as attacks originating from internal systems against the DMZ or Internet. Security personnel should regularly test these sensors by launching vulnerability scanning tools against them to verify that the scanner traffic triggers an appropriate alert. The captured packets of the IDS sensors should be reviewed using an automated script each day to ensure that log volumes are within expected parameters and that the logs are formatted properly and have not been corrupted.

Additionally, packet sniffers should be deployed on DMZs to look for HTTP traffic that bypasses HTTP proxies. By sampling traffic regularly, such as over a 3-hour period once per week, information security personnel search for HTTP traffic that is neither sourced by nor destined for a DMZ proxy, implying that the requirement for proxy use is being bypassed.

To identify back-channel connections that bypass approved DMZs, effective network security personnel establish an Internet-accessible system to use as a receiver for testing outbound access. This system is configured with a free or commercial packet sniffer. Then, security personnel connect a sending test system to various points on the organization's internal network, sending easily identifiable traffic to the sniffing receiver on the Internet. These packets can be generated using free or commercial tools with a payload that contains a custom file used for the test. When the packets arrive at the receiver system, the source address of the packets should be verified against acceptable DMZ addresses allowed for the organization. If source addresses are discovered that are not included in legitimate, registered DMZs, more detail can be gathered by using a traceroute tool to determine the path packets take from the sender to the receiver system.
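Two of the checks above run over session records, as an added example that is not part of the original document: web sessions from internal hosts that reach the outside without touching a DMZ proxy (items 3 and 9 and the weekly sniffer sampling), and TCP sessions lasting over one hour (item 10). The record format, the proxy and internal address ranges, and the sample sessions are constructed.

```python
"""Two boundary checks from Critical Control 5 over constructed session records:
outbound web traffic that bypasses the DMZ proxies (items 3 and 9, and the
weekly sniffer sampling) and TCP sessions longer than one hour (item 10).
Added example, not from the document; addresses and records are constructed."""
from ipaddress import ip_address, ip_network

# Constructed description of the environment.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
DMZ_PROXIES = {ip_address("192.0.2.10"), ip_address("192.0.2.11")}
WEB_PORTS = {80, 443}
LONG_SESSION_SECONDS = 3600

# Constructed session log as a firewall might export it:
# start  duration_seconds  proto  src  dst  dport
SAMPLE_SESSIONS = """\
2009-02-23T09:00:01 12   tcp 10.1.4.22  192.0.2.10   80
2009-02-23T09:00:05 3    tcp 192.0.2.10 198.51.100.7 80
2009-02-23T09:02:10 45   tcp 10.1.4.23  198.51.100.9 80
2009-02-23T09:05:00 5400 tcp 10.1.7.9   203.0.113.5  443
2009-02-23T09:06:00 3599 tcp 10.1.4.22  192.0.2.10   443
2009-02-23T10:00:00 7200 udp 10.1.8.3   203.0.113.40 53
"""


def parse_sessions(text):
    """Parse the whitespace-separated record format above."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, duration, proto, src, dst, dport = line.split()
        sessions.append({"start": start, "duration": int(duration), "proto": proto,
                         "src": ip_address(src), "dst": ip_address(dst),
                         "dport": int(dport)})
    return sessions


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def proxy_bypass(sessions):
    """Web sessions from an internal host straight to the outside, with neither
    end being a DMZ proxy: the proxy requirement is being bypassed."""
    hits = []
    for s in sessions:
        if s["proto"] != "tcp" or s["dport"] not in WEB_PORTS:
            continue
        if not is_internal(s["src"]) or is_internal(s["dst"]):
            continue
        if s["src"] in DMZ_PROXIES or s["dst"] in DMZ_PROXIES:
            continue
        hits.append((str(s["src"]), str(s["dst"]), s["dport"]))
    return hits


def long_tcp_sessions(sessions, threshold=LONG_SESSION_SECONDS):
    """TCP sessions lasting longer than the threshold (one hour by default),
    reported as (src, dst, seconds) so personnel can follow up on both ends."""
    return [(str(s["src"]), str(s["dst"]), s["duration"])
            for s in sessions
            if s["proto"] == "tcp" and s["duration"] > threshold]


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_SESSIONS)
    for src, dst, port in proxy_bypass(sessions):
        print(f"proxy bypass: {src} -> {dst}:{port}")
    for src, dst, secs in long_tcp_sessions(sessions):
        print(f"long session: {src} -> {dst} ({secs} s)")
```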

Critical Control 6: Maintenance, Monitoring and Analysis of Complete Audit Logs

How do attackers exploit the lack of this control?

Deficiencies in security logging and analysis allow attackers to hide their location, malicious software used for remote control, and activities on victim machines. Even if the victims know that their systems were compromised, without protected and complete logging records, the victim is blind to the details of the attack and to the subsequent actions taken by the attackers after they gained the initial foothold. Sometimes logging records are the only evidence of a successful attack. Many organizations keep audit records for compliance purposes but attackers rely on the fact that such organizations rarely look at the audit logs so they do not know that their systems have been compromised. Because of poor or nonexistent log analysis techniques, attackers sometimes control victim machines for months or years without anyone in the target organization knowing, even though the evidence of the attack has been recorded in unexamined log files.

How can this control be implemented, automated, and its effectiveness measured?

1. QW: Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include dates, timestamps, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression (CEE). If systems cannot generate logs in a standardized format, deploy log normalization tools to convert logs into a standardized format.

2. QW: Ensure that all systems which store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals.

3. QW: System administrators and security personnel should devise profiles of common events from given systems, so that they can tune detection of attacks by avoiding false positives, more rapidly identify anomalies, and avoid overwhelming analysts with alerts.

4. QW: All remote access to an internal network, whether through VPN, dial-up, or other mechanism, should be logged verbosely.

inventory assembled as part of Critical Control 1, to ensure that each managed item that is actively connected to the network is periodically generating logs.

Analytical programs for reviewing logs can be useful, but the capabilities employed to analyze audit logs are quite wide-ranging, including just a cursory examination by a human. Actual correlation tools can make the logs far more useful for subsequent manual inspection by people. The measurements above do not require correlation tools to be deployed, given their cost and complexity, but such tools can be quite helpful in identifying subtle attacks. Such tools are not a panacea, however, and are not a replacement for skilled information security personnel and system administrators. Even with automated log analysis tools, human expertise and intuition are required to identify and understand attacks.
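The daily automated review described for IDS captures under Critical Control 5 (log volume within expected parameters, entries well formed and not corrupted) and the content requirement of item 1 above (date, time, source and destination in every entry) share one check, shown here as an added example that is not part of the original document. The syslog lines and the expected daily volume are constructed.

```python
"""Daily sanity check on collected logs, as described for the IDS sensor
captures in Critical Control 5 and for audit log content in Critical Control 6,
item 1: every entry must parse, carry date, time, source and destination, and
the daily volume must stay within an expected range.  Added example, not from
the document; the syslog lines and expected volume are constructed."""
import re
from collections import Counter

# Constructed RFC 3164-style syslog lines from a firewall (one line is corrupted,
# one lacks the destination address).
SAMPLE_LOG = """\
Feb 23 09:00:01 fw1 kernel: ACCEPT SRC=10.1.4.22 DST=192.0.2.10 PROTO=TCP DPT=80
Feb 23 09:00:02 fw1 kernel: DROP SRC=203.0.113.9 DST=192.0.2.20 PROTO=TCP DPT=22
Feb 23 09:00:03 fw1 kernel: ACCEPT SRC=10.1.4.23 DST=192.0.2.10 PROTO=TCP DPT=443
Feb 23 09:00:04 fw1 kernel: ACCEPT SRC=10.1.4.23 PROTO=UDP DPT=53
Feb 24 09:00:01 fw1 kernel: ACCEPT SRC=10.1.4.22 DST=192.0.2.10 PROTO=TCP DPT=80
Feb 24 09:00:02 ####corrupted####
"""

HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$")
REQUIRED_FIELDS = ("SRC", "DST")


def parse_entry(line):
    """Return ts/host/fields for a well-formed syslog entry, else None
    (a truncated or corrupted line)."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", m.group("msg")))
    return {"ts": m.group("ts"), "host": m.group("host"), "fields": fields}


def check_log(text, expected_per_day, tolerance=0.5):
    """Summarise one log file for the daily review.

    expected_per_day is the baseline entry count per day; days whose count falls
    outside expected * (1 +/- tolerance) are reported so that a silent sensor or
    a flood is noticed.  Entries lacking SRC or DST are counted separately."""
    report = {"malformed": 0, "missing_fields": 0, "per_day": Counter(), "volume_alerts": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_entry(line)
        if entry is None:
            report["malformed"] += 1
            continue
        day = entry["ts"].rsplit(" ", 1)[0]   # e.g. "Feb 23"
        report["per_day"][day] += 1
        if any(f not in entry["fields"] for f in REQUIRED_FIELDS):
            report["missing_fields"] += 1
    low = expected_per_day * (1 - tolerance)
    high = expected_per_day * (1 + tolerance)
    report["volume_alerts"] = sorted(d for d, n in report["per_day"].items()
                                     if not low <= n <= high)
    report["per_day"] = dict(report["per_day"])
    return report


if __name__ == "__main__":
    for key, value in check_log(SAMPLE_LOG, expected_per_day=3).items():
        print(f"{key:15s}: {value}")
```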

Critical Control 7: Application Software Security

How do attackers exploit the lack of this control?

Attacks against vulnerabilities in applications have been a top priority for criminal organizations since 2005. In that year the attackers focused on exploiting vulnerabilities in ubiquitous products such as anti-virus tools and backup systems. These attacks continue with new vulnerabilities in security products and in backup tools being discovered and exploited each week. A second, massive wave of application attacks began surging in late 2006 when the criminals went after custom-developed web, server, and workstation applications. They found fertile territory. In one attack, more than 1 million web servers were exploited and turned into infection engines for visitors to those sites. Trusted organizations in state governments, the United Nations, and similarly respected organizations infected hundreds or thousands of PCs, turning them into zombies. Many more web and non-web application attacks are emerging. On average more than 70 new vulnerabilities are found every week in commercial applications and many more are waiting to be found (or have already been exploited without public recognition) in custom applications written by programmers for individual sites in government, commercial, and private enterprises.

How can this control be implemented, automated, and its effectiveness measured?

1. QW: Test web and other application code for source code errors prior to deployment using automated source code analysis software, if source code is available. In particular, input validation and output encoding routines of application software should be carefully reviewed and tested.

2. QW: Test web applications for common security weaknesses using web application scanners prior to deployment and then no less often than weekly as well as whenever updates are made to the application.

3. Config/Hygiene: Verify that security is embedded in the application development life cycle of all applications.

4. Config/Hygiene: Protect web applications by deploying web application firewalls that inspect all traffic flowing to the web application for common web application attacks, including but not limited to Cross-Site Scripting, SQL injection, command injection, and directory traversal attacks. For applications that are not web-based, deploy specific application firewalls if such tools are available for the given application type.

Procedures and tools for implementing this control:

Source code testing tools, web application security scanning tools, and object code testing tools have proven useful in securing application software, along with manual application security penetration testing by testers who have extensive programming knowledge as well as application penetration testing expertise. The Common Weakness Enumeration (CWE) is utilized by many such tools to identify the weaknesses that they find. Organizations can also use CWE to determine which types of weaknesses they are most interested in addressing and removing. A broad community effort to identify the Top 25 Most Dangerous Programming Errors is available as a minimum set of important issues to investigate and address. When evaluating the effectiveness of testing for these weaknesses, the Common Attack Pattern Enumeration and Classification (CAPEC) can be used to organize and record the breadth of the testing for the CWEs as well as a way for testers to think like attackers in their development of test cases.

Critical Control 8: Controlled Use of Administrative Privileges

How do attackers exploit the lack of this control?

Two very common attacker techniques take advantage of uncontrolled administrative privileges. In the first, a workstation user is fooled into opening a malicious email attachment, downloading and opening a file from a malicious website, or simply surfing to a website hosting attacker content that can automatically exploit browsers. The file or exploit contains executable code that runs on the victim's machine. If the victim's computer is running with administrative privileges, the attacker can take over the victim's machine completely and install keystroke loggers, sniffers, and remote control software to find administrator passwords and other sensitive data. The second common technique used by attackers is elevation of privileges after using a vulnerable service or a guessed password to gain access to a server. If administrative privileges are loosely and widely distributed, the attacker has a much easier time gaining full control of the servers, because there are many more accounts that can act as avenues for the attacker to compromise administrative privileges. One of the most common of these attacks involves the domain administration privileges in large Windows environments, giving the attacker significant control over large numbers of machines and access to the data they contain.

How can this control be implemented, automated, and its effectiveness measured?

1. QW: Inventory all administrative passwords and validate (through automation) that each person with administrative privileges is authorized by a senior executive and that his/her administrative password has at least 12 semi-random characters, consistent with the Federal Desktop Core Configuration (FDCC) standard. In testing this control, also ensure that no administrator username/passwords (domain or local) are reused among systems and applications. In addition to the 12 or more character password, all administrative access should utilize two-factor authentication.

2. QW: Passwords for all systems should be stored in a hashed or encrypted format. Furthermore, files containing these encrypted or hashed passwords required for systems to authenticate users should be readable only with superuser privileges.

3. QW: Ensure that administrator accounts are used only for system administration activities, and not for reading email, composing documents, or surfing the Internet.

4. QW: Audit passwords to ensure previously used passwords are not being authorized for reuse within a certain time frame (e.g., 6 months).

5. Vis/Attrib: Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior (e.g., system reconfigurations during night shift).

6. Config/Hygiene: Remote access directly to a machine should be blocked for administrator-level accounts. Instead, administrators should be required to access a system remotely using a fully logged and non-administrative account. Then, once logged into the machine without admin privileges, the administrator should transition to administrative privileges using tools such as sudo on Linux/UNIX, runas on Windows, and other similar facilities for other types of systems.

7. Config/Hygiene: Conduct targeted spear-phishing attacks against both administrative personnel and non-administrative users to measure the quality of their defense against social engineering and to test whether they are using administrator privileges while reading email or surfing the Internet.

8. Config/Hygiene: Ensure all domain administrator accounts are accessible only with two-factor authentication.

9. Advanced: Segregate admin accounts based on roles (in policy). For example, workstation admin accounts are the only admin accounts capable of logging into workstations, laptops, etc. Domain admin accounts are not allowed to log into workstations and are only allowed to log into servers. The benefit here is that the domain admin accounts (what the bad guys want) will not get cached on the workstations. This makes escalation to domain admin privilege much harder.

Procedures and tools for implementing this control:

Built-in operating system features can extract lists of accounts with superuser privileges, such as those in the administrators group on Windows machines and those with UID or GID 0 on Linux and Unix systems. In Active Directory environments, personnel can use Microsoft Group Policy to dump lists of such users from machines and domain controllers so that these accounts can be reconciled against an inventory of users with legitimate and approved needs for such access.

To verify that users with such high-privileged accounts do not use such accounts for day-to-day web surfing and email reading, security personnel periodically (often sampling weekly) can gather a list of running processes in an attempt to determine whether any browsers or email readers are running with high privileges. Such information gathering is often scripted, with short shell scripts running the ps command on Linux or the tasklist command on Windows, and analyzing its output for a dozen or more different browsers, email readers, and document editing programs. Some legitimate system administration activity may require the execution of such programs over the short term, but long-term or frequent use of such programs with administrative privileges could indicate that an administrator is not adhering to this control.

To enforce the requirement for password length (12 characters), built-in operating system features for minimum password length in Windows and Linux can be configured, which prevent users from choosing short passwords. To enforce password complexity (requiring passwords to be a string of pseudo-random characters), built-in Windows Group Policy configuration settings and Linux Pluggable Authentication Modules (PAM) can be employed.

Log analysis tools are used to look for logs indicating changes to system configuration that are not reconcilable with change management systems to identify alterations potentially made by an intruder.
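The weekly process-list sample described above, as an added example that is not part of the original document: it parses `ps -eo user,pid,comm` output, reports browsers, mail readers and document editors running as root, and then counts how often the same user/program pair recurs across samples, since the document treats repeated use rather than a single hit as the signal. The listings and the watch list are constructed; `tasklist /V` output on Windows can be fed through the same logic with a different column parser.

```python
"""Periodic sample of running processes to spot browsers, mail readers and
document editors executing under privileged accounts, the check Critical
Control 8 describes scripting around ps (Linux) or tasklist (Windows).
Added example, not from the document; the process listings are constructed
and the program watch list is an illustrative starting point."""

PRIVILEGED_USERS = {"root"}
WATCHED_PROGRAMS = {"firefox", "firefox-bin", "iceweasel", "chrome", "thunderbird",
                    "evolution", "mutt", "soffice.bin", "acroread"}

# Constructed output of `ps -eo user,pid,comm` taken on two different weeks.
WEEK1_PS = """\
USER       PID COMMAND
root         1 init
root      1224 sshd
alice     2310 firefox
root      2455 firefox
bob       2600 thunderbird
root      2701 soffice.bin
root      2800 vim
"""
WEEK2_PS = """\
USER       PID COMMAND
root         1 init
root      3102 firefox
carol     3210 evolution
root      3300 tar
"""


def parse_ps(text):
    """Parse ps output with user, pid and command columns (header skipped)."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3:
            user, pid, comm = parts
            rows.append((user, int(pid), comm))
    return rows


def privileged_user_apps(rows, privileged=PRIVILEGED_USERS, watched=WATCHED_PROGRAMS):
    """Watched programs running under a privileged account in one sample."""
    return [r for r in rows if r[0] in privileged and r[2] in watched]


def frequent_offenders(samples, min_hits=2, **kw):
    """(user, program) pairs seen privileged in at least min_hits samples.

    A single hit may be legitimate short-term admin work; the document treats
    repeated or long-term use as the sign that the control is not followed."""
    counts = {}
    for rows in samples:
        seen = {(u, c) for u, _, c in privileged_user_apps(rows, **kw)}
        for key in seen:
            counts[key] = counts.get(key, 0) + 1
    return sorted(k for k, n in counts.items() if n >= min_hits)


if __name__ == "__main__":
    for week, text in (("week 1", WEEK1_PS), ("week 2", WEEK2_PS)):
        for user, pid, comm in privileged_user_apps(parse_ps(text)):
            print(f"{week}: {comm} (pid {pid}) running as {user}")
    print("repeat offenders:", frequent_offenders([parse_ps(WEEK1_PS), parse_ps(WEEK2_PS)]))
```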

Critical Control 9: Controlled Access Based On Need to Know

How do attackers exploit the lack of this control?

Once an attacker has penetrated a sensitive network, if users have access to all or most of the information, the attacker's job of finding and exfiltrating important information is greatly facilitated.

How can this control be implemented, automated, and its effectiveness measured?

1. QW: Verify that vulnerability testing of networks, systems, and applications is run no less than weekly. Where feasible, vulnerability testing should occur on a daily basis.

2. Config/Hygiene: Ensure vulnerability testing is performed in authenticated mode (i.e., configuring the scanner with administrator credentials) at least quarterly, either with agents running locally on each end system to analyze the security configuration or with remote scanners that are given administrative rights on the system being tested, to overcome limitations of unauthenticated vulnerability testing.

3. Config/Hygiene: Compare the results from back-to-back vulnerability tests to verify that vulnerabilities were addressed either by patching, implementing a compensating control, or by documenting and accepting a reasonable business risk. Such acceptance of business risks for existing vulnerabilities should be periodically reviewed as well, to determine if newer compensating controls or subsequent patches can address vulnerabilities that were previously accepted, or if conditions have changed, increasing the risk.

4. Config/Hygiene: Chart the numbers of unmitigated, critical vulnerabilities for each department/division and share the reports with senior management to provide effective incentives for mitigation.

5. Config/Hygiene: Measure the delay in patching new vulnerabilities and ensure the delay is equal to or less than the benchmarks set forth by the organization, which should be no more than a week for critical patches unless a mitigating control that blocks exploitation is available.

6. Advanced: Deploy automated patch management tools for all systems for which such tools are available and safe.

Procedures and tools for implementing this control:

Organizations can use vulnerability scanning tools, such as the free and commercial tools described in Critical Control #3.

Effective vulnerability scanning tools compare the results of the current scan with previous scans to determine how the vulnerabilities in the environment have changed over time. Security personnel use these features to conduct vulnerability trending from month to month.

As vulnerabilities related to unpatched systems are discovered by scanning tools, security personnel should determine and document the amount of time that elapsed between the public release of a patch for the system and the occurrence of the vulnerability scan. If this time window exceeds the organization's benchmarks for deployment of the given patch's criticality level, security personnel should note the delay and determine if a deviation was formally documented for the system and its patch. If not, the security team should work with management to improve the patching process.
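The two measurements described above (the delta between back-to-back scans from item 3, and the patch-release-to-scan delay checked against a per-criticality benchmark from item 5, honouring documented deviations), as an added example that is not part of the original document. Hosts, the VULN-* identifiers, dates and benchmarks are constructed placeholders.

```python
"""Two measurements from the vulnerability testing items above: the delta
between back-to-back scans (item 3) and the delay between a patch's public
release and the scan that still found the hole, compared with the
organization's benchmark per criticality level (item 5).  Added example, not
from the document; hosts, vulnerability ids (VULN-*) and dates are constructed
placeholders."""
from datetime import date

# Constructed benchmarks: maximum days from patch release to deployment.
BENCHMARK_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Constructed scan results as sets of (host, vulnerability id).
PREVIOUS_SCAN = {"date": "2009-01-26",
                 "findings": {("srv1", "VULN-A"), ("srv1", "VULN-B"), ("ws7", "VULN-C")}}
CURRENT_SCAN = {"date": "2009-02-23",
                "findings": {("srv1", "VULN-A"), ("ws7", "VULN-C"), ("ws9", "VULN-D")}}

# Constructed criticality and patch release date per vulnerability id.
VULN_INFO = {
    "VULN-A": {"severity": "critical", "patch_released": "2009-01-20"},
    "VULN-B": {"severity": "high", "patch_released": "2009-01-10"},
    "VULN-C": {"severity": "medium", "patch_released": "2008-12-01"},
    "VULN-D": {"severity": "high", "patch_released": "2009-02-10"},
}
# Documented, accepted business risks as (host, vulnerability id).
ACCEPTED_RISKS = {("ws7", "VULN-C")}


def scan_delta(previous, current):
    """Which findings are new, which were fixed, and which persist."""
    prev, cur = previous["findings"], current["findings"]
    return {"new": sorted(cur - prev),
            "fixed": sorted(prev - cur),
            "persisting": sorted(prev & cur)}


def patch_delay_violations(scan, info=VULN_INFO, benchmarks=BENCHMARK_DAYS,
                           accepted=ACCEPTED_RISKS):
    """(host, vuln, delay_days, limit_days) for findings whose patch has been
    public longer than the benchmark allows and that carry no accepted deviation."""
    scan_date = date.fromisoformat(scan["date"])
    violations = []
    for host, vid in sorted(scan["findings"]):
        details = info.get(vid)
        if details is None:
            continue   # no patch known yet: nothing to measure against
        delay = (scan_date - date.fromisoformat(details["patch_released"])).days
        limit = benchmarks[details["severity"]]
        if delay > limit and (host, vid) not in accepted:
            violations.append((host, vid, delay, limit))
    return violations


if __name__ == "__main__":
    for kind, items in scan_delta(PREVIOUS_SCAN, CURRENT_SCAN).items():
        print(f"{kind:10s}: {items}")
    for host, vid, delay, limit in patch_delay_violations(CURRENT_SCAN):
        print(f"{host}: {vid} patch public for {delay} days, benchmark {limit}")
```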

Critical Control 11: Dormant Account Monitoring and Control

How do attackers exploit the lack of this control?

Attackers frequently discover and exploit legitimate but inactive user accounts to impersonate legitimate users, thereby making discovery of attacker behavior difficult for network watchers. Accounts of contractors and employees who have been terminated have often been misused in this way. Additionally, some malicious insiders or former employees have accessed accounts left behind in a system long after contract expiration, maintaining their access to an organization's computing system and sensitive data for unauthorized and sometimes malicious purposes.

How can this control be implemented, automated, and its effectiveness measured?

1. QW: Regularly monitor the use of all accounts, automatically logging off users after a standard period of inactivity.

2. QW: Monitor account usage to determine dormant accounts that have not been used for a given period, such as thirty days, notifying the user or user's manager of the dormancy. After a longer period, such as sixty days, the account should be disabled.

3. QW: Match active employees and contractors with all accounts and disable accounts that are not assigned to active employees or contractors.

4. Vis/Attrib: Monitor attempts to access deactivated accounts through audit logging.

5. Config/Hygiene: Profile each user's typical account usage by determining normal time-of-day access and access duration for each user. Generate daily reports that indicate users who have logged in during unusual hours or have exceeded their normal login duration by 150%.

Procedures and tools for implementing this control:

A test account should be created every month, with very limited privileges so that it cannot access anything except public files on a system. No user should log into this test account. Any login activity to this test account should be investigated immediately. Automated software should check to ensure that the system generates a notice about such a test account after thirty days of non-use. Furthermore, an automated script should verify that the account has been disabled sixty days after the account was first created, notifying security personnel if the account has not been automatically disabled. At the end of this test interval, the first test account should be deleted, with a new limited test account created for the next round of automated checking.
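The dormancy thresholds of item 2, the roster match of item 3, the usage profile of item 5 and the never-used monthly test account from the procedures above, as an added example that is not part of the original document. The roster, account records, login history and the canary account name are constructed.

```python
"""Dormant account checks from Critical Control 11: notify at thirty days idle,
disable at sixty, reconcile accounts against the active roster, and flag
logins at unusual hours or 150% over a user's normal session length.  Added
example, not from the document; roster, accounts and login history are
constructed."""
from datetime import date

ROSTER = {"alice", "bob", "carol"}   # active employees and contractors (from HR)

# Constructed account records. last_login None means never used; for such
# accounts idleness is measured from creation, which is what the monthly
# limited test account in the procedures relies on.
ACCOUNTS = [
    {"user": "alice", "kind": "person", "created": "2008-01-10", "last_login": "2009-02-20", "disabled": False},
    {"user": "bob", "kind": "person", "created": "2008-03-01", "last_login": "2009-01-05", "disabled": False},
    {"user": "carol", "kind": "person", "created": "2008-05-05", "last_login": "2008-11-30", "disabled": False},
    {"user": "dave", "kind": "person", "created": "2008-06-01", "last_login": "2009-02-22", "disabled": False},
    {"user": "canary-dec", "kind": "test", "created": "2008-12-10", "last_login": None, "disabled": False},
]

# Constructed login history per user as (login hour, session minutes), plus today's logins.
LOGIN_HISTORY = {
    "alice": [(8, 480), (9, 450), (8, 500), (9, 470)],
    "bob": [(7, 300), (8, 320), (8, 290)],
}
TODAY_LOGINS = [("alice", 2, 120), ("alice", 9, 460), ("bob", 8, 500)]


def days_idle(account, today):
    ref = account["last_login"] or account["created"]
    return (today - date.fromisoformat(ref)).days


def classify_dormant(accounts, today, notify_after=30, disable_after=60):
    """Split enabled accounts into those to notify about and those to disable."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    result = {"notify": [], "disable": []}
    for a in accounts:
        if a["disabled"]:
            continue
        idle = days_idle(a, today)
        if idle >= disable_after:
            result["disable"].append(a["user"])
        elif idle >= notify_after:
            result["notify"].append(a["user"])
    return result


def orphaned_accounts(accounts, roster):
    """Enabled person accounts with no matching active employee or contractor."""
    return sorted(a["user"] for a in accounts
                  if not a["disabled"] and a["kind"] == "person" and a["user"] not in roster)


def anomalous_logins(history, logins, factor=1.5):
    """Flag logins outside a user's usual hours or longer than factor x mean."""
    profiles = {u: (min(h for h, _ in rows), max(h for h, _ in rows),
                    sum(m for _, m in rows) / len(rows))
                for u, rows in history.items()}
    flagged = []
    for user, hour, minutes in logins:
        if user not in profiles:
            flagged.append((user, "no profile"))
            continue
        lo, hi, mean = profiles[user]
        if not lo <= hour <= hi:
            flagged.append((user, "unusual hour"))
        if minutes > factor * mean:
            flagged.append((user, "long session"))
    return flagged


if __name__ == "__main__":
    print("dormant:", classify_dormant(ACCOUNTS, "2009-02-23"))
    print("orphaned:", orphaned_accounts(ACCOUNTS, ROSTER))
    print("anomalous:", anomalous_logins(LOGIN_HISTORY, TODAY_LOGINS))
```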

Critical Control 12: Anti-Malware Defenses

How do attackers exploit the lack of this control?

Tens of thousands of viruses and other malicious code examples are circulating on the Internet either in email attachments or downloaded from websites or through other means of delivery. Some malicious code actually turns anti-malware features off, giving the attacker's malware unfettered access to the system.

How can this control be implemented, automated, and its effectiveness measured?

1. QW: Monitor workstations, servers, and mobile devices for active, up-to-date anti-malware protection with anti-virus, anti-spyware, and host-based Intrusion Prevention System functionality. Enterprise administrative features should be used to check daily the number of systems that do not have the latest anti-malware signatures, keeping the number of such systems small or eliminating them entirely through rapid and continuous updates. All malware detection events should be sent to enterprise anti-malware administration tools and event log servers.

2. QW: Employ software auto-update features and/or have administrators manually push updates to all machines on a regular basis. After applying an update, set up systems to automatically verify the update status of a machine.

3. QW: Configure laptops, workstations, and servers so that they will not auto-run content from USB tokens (i.e., thumb drives), USB hard drives, or CDs/DVDs.

4. QW: Configure systems so that they conduct an automated anti-malware scan of removable media when it is inserted.

5. Config/Hygiene: New updates to the malware signature base of each anti-malware tool should be tested in a non-production environment to verify that they do not negatively impact systems before they are pushed to production machines.

6. Config/Hygiene: To verify that anti-malware solutions are running, periodically introduce a benign, non-spreading test case, such as the EICAR anti-virus test file, onto a system in the environment to ensure that it is detected by the anti-malware system, and that the detection is reported to the enterprise management system.

7. Advanced: Deploy honeypots or tarpits as detection mechanisms that can also slow down an attacker's progress inside a network.

Procedures and tools for implementing this control:

Relying on policy and user action to keep anti-malware tools up to date has been widely discredited; it doesn't work. To ensure anti-virus signatures are up to date, effective organizations use automation. They use the built-in administrative features of enterprise end-point security suites to verify that anti-virus, anti-spyware, and host-based IDS features are active on every managed system. They run automated assessments daily and review the results, to find and mitigate systems that have deactivated such protections, as well as systems that do not have the latest malware definitions. For added security in depth, and for those systems that may fall outside the enterprise anti-malware coverage, they use network access control technology that tests machines for compliance with security policy before allowing them to connect to the network.

On a regular basis, such as monthly, effective organizations download and test the free EICAR file to verify that anti-virus protection is functioning on a sampling of protected workstations and servers. Anti-malware tools should detect this benign file, and security personnel verify that the detection event is noted in enterprise monitoring and alerting systems.

Organizations can use commercial software update products on Windows and various free Linux software update tools to deploy patches and up-to-date versions of software throughout an environment. To verify that such software is successfully deployed, the update tool itself is run to check the version installed on a sample of enterprise systems. Other organizations use a commercial version checking tool to ensure that updates have been applied to systems.

Advanced: Some enterprises deploy the free honeypot and tarpit tools to identify attackers in their environment, running this free software on low-cost hardware. Security personnel continuously monitor honeypots and tarpits to determine whether traffic is directed to them and account logins are attempted. When they identify such events, these personnel gather the source address from which this traffic originates for a follow-on investigation.

Critical Control 13: Limitation and Control of Ports, Protocols and Services

How do attackers exploit the lack of this control?

Attackers search for services that have been turned on and that can be exploited. Common examples are web servers, mail servers, file and print services, and DNS servers. Many software packages automatically install services and turn them on as part of the installation of the main software package without ever informing the user that the services have been enabled. Because the user does not know about the services, it is highly unlikely that the user will actively ensure the services are disabled if they are not being used or regularly patched if they are being used.

How can this control be implemented, automated, and its effectiveness measured?

1. QW: Network perimeters should implement both ingress and egress filtering, allowing only those services and protocols that have a defined, documented business need for the organization. A default-to-deny rule should be applied between firewalled networks, with only specific services allowed through.

2. Config/Hygiene: Host-based firewalls or port filtering tools should be applied on end systems, again with a default deny rule.

3. Config/Hygiene: Configuration and vulnerability testing tools should be tuned to compare services that are listening on each machine against a list of authorized services. The tools should be further tuned to identify changes over time on systems for both authorized and unauthorized services. Use government-approved scanning files to ensure minimum standards are met.

4. Config/Hygiene: Implement hardening recommendations from guidelines for underlying operating systems and installed applications, such as those found in mandatory STIG (Secure Technical Implementation Guides) requirements, NIST configuration guidelines, or Center for Internet Security hardening guides, if they exist for the given technology.

5. Config/Hygiene: Periodically, a secure version of an authorized service should be activated on a relatively unimportant system to verify that the change is flagged by the configuration and vulnerability testing tools in the environment.

Procedures and tools for implementing this control:

Port scanning tools are used to determine which services are listening on the network for a range of target systems. In addition to determining which ports are open, effective port scanners can be configured to identify the version of the protocol and service listening on each discovered open port. This list of services and their versions is compared against an inventory of services required by the organization for each server and workstation, in an asset management system, such as those described in Critical Control #1. Recently added features in these port scanners are being used to determine the changes in services offered by scanned machines on the network since the previous scan, helping security personnel identify differences over time.

To evaluate their scanning procedures, information security personnel often run a free network listening tool on a sample machine, configured simply to listen on a given TCP port associated with a common service, such as Secure Shell (TCP 22), HTTP (TCP 80), or SMB (TCP 445). Such tools are configured merely to listen and then respond when they see a connection request, without providing any useful function or service on the sampled machine, minimizing the exposure of this machine during the test. With this benign listener in place, the automated scanning functionality can be verified to ensure that it discovers the change with the new port listening in the environment.
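The two comparisons described above (scan results against the authorized-service inventory, and against the previous scan) as an added example; this is not code from the CAG draft, and the host names, ports and service banners are constructed.

```python
"""Added example, not from the CAG draft: the two comparisons Critical
Control 13 asks for, scan results against the authorized-service inventory
and against the previous scan. Host names, ports and banners are constructed."""
from dataclasses import dataclass

# Authorized listening ports per host (hypothetical asset-inventory export);
# a host missing from the inventory is treated as having no authorized services.
AUTHORIZED = {
    "web01": {80, 443},
    "mail01": {25, 587},
    "ws-042": set(),          # workstation: nothing should be listening
}

# Scan results as host -> {port: "service/version"} for the previous and current runs.
PREVIOUS_SCAN = {
    "web01": {80: "http/apache 2.2", 443: "https/apache 2.2"},
    "mail01": {25: "smtp/postfix 2.5", 587: "smtp/postfix 2.5"},
    "ws-042": {},
}
CURRENT_SCAN = {
    "web01": {80: "http/apache 2.2", 443: "https/apache 2.2", 22: "ssh/openssh 5.1"},
    "mail01": {25: "smtp/postfix 2.6"},
    "ws-042": {445: "smb/samba 3.0"},
}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    kind: str      # "unauthorized", "new", "removed" or "changed"
    detail: str


def compare_scans(authorized, previous, current):
    """Flag listeners outside the inventory and any change since the last scan."""
    findings = []
    for host, ports in current.items():
        allowed = authorized.get(host, set())
        prev = previous.get(host, {})
        for port, banner in ports.items():
            if port not in allowed:
                findings.append(Finding(host, port, "unauthorized", banner))
            if port not in prev:
                findings.append(Finding(host, port, "new", banner))
            elif prev[port] != banner:          # same port, different service/version
                findings.append(Finding(host, port, "changed", f"{prev[port]} -> {banner}"))
        for port in sorted(set(prev) - set(ports)):
            findings.append(Finding(host, port, "removed", prev[port]))
    # A host that answered last time but not now deserves a look as well.
    for host in sorted(set(previous) - set(current)):
        findings.append(Finding(host, 0, "removed", "host absent from current scan"))
    return findings


def ticket_lines(findings):
    """Render findings one per line, unauthorized listeners first."""
    order = {"unauthorized": 0, "new": 1, "changed": 2, "removed": 3}
    return [f"{f.kind:12} {f.host}:{f.port} {f.detail}"
            for f in sorted(findings, key=lambda f: (order[f.kind], f.host, f.port))]


if __name__ == "__main__":
    print("\n".join(ticket_lines(compare_scans(AUTHORIZED, PREVIOUS_SCAN, CURRENT_SCAN))))
```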

Critical Control 14: Wireless Device Control

How do attackers exploit the lack of this control?

One of the largest data thefts in history was initiated by an attacker sitting in a car in a parking lot and breaking through the organization's security perimeter by connecting wirelessly to an access point inside the organization. Other wireless devices accompanying travelling officials are being infected every day through remote exploitation during air travel or in a cyber café. Such exploited systems are then being used as back doors when they are reconnected to the network of a target organization. Still other organizations have reported the discovery of unauthorized wireless access points on their network, planted and sometimes hidden for unrestricted access to an internal network. Because they do not require direct physical connections, wireless devices are a convenient attack vector.

How can this control be implemented, automated, and its effectiveness measured?

1. QW: Ensure that each wireless device that is connected to the network matches an authorized configuration and security profile. Deny access to those wireless devices that do not.

2. QW: Ensure that all wireless access points are manageable using enterprise management tools. Access points designed for home use often lack such enterprise management capabilities, and should therefore not be used.

3. Vis/Attrib: Use wireless intrusion detection systems (WIDS) to identify rogue wireless devices and detect attack attempts and successful compromise. In addition to WIDS, all wireless traffic should be monitored by a wireline IDS as traffic passes into the wireline network.

4. Config/Hygiene: Configure wireless access on client machines to allow access only to authorized wireless networks. For devices that do not have an essential wireless business purpose, disable wireless access in the hardware configuration (BIOS or EFI), with password protections to lower the possibility that the user will override such configurations.

5. Config/Hygiene: Regularly scan for unauthorized or misconfigured wireless infrastructure devices, using techniques such as war driving to identify access points and clients accepting peer-to-peer connections. Such unauthorized or misconfigured devices should be removed from the network, or have their configurations altered so that they comply with the security requirements of the organization.

6. Config/Hygiene: Ensure all wireless traffic leverages at least AES encryption used with at least WPA2 protection.

7. Config/Hygiene: Ensure wireless networks use authentication protocols such as EAP/TLS or PEAP, which provide credential protection and mutual authentication.

8. Config/Hygiene: Ensure wireless clients use strong, multi-factor authentication credentials to mitigate the risk of unauthorized access from compromised credentials.

9. Config/Hygiene: Disable peer-to-peer wireless network capabilities on wireless clients, unless such functionality meets a documented business need.


10. Config/Hygiene: Disable Bluetooth wireless access of devices, unless such access is required for a documented business need.

11. Advanced: Configure all wireless clients used to access agency networks or handle organization data in a manner so that they cannot be used to connect to public wireless networks or any other networks beyond those specifically allowed by the agency.

Procedures and tools for implementing this control:

Effective organizations run commercial wireless scanning, detection, and discovery tools as well as commercial wireless intrusion detection systems. To evaluate the effectiveness of such tools, security personnel could periodically activate an isolated wireless access point, which has no physical or wireless connectivity to a production network, from within a building monitored by a WIDS device. The team should determine whether the alerting system is triggered by the test access point, and record the amount of time such detection required.

Additionally, the security team could periodically capture wireless traffic from within the borders of a facility and use free and commercial analysis tools to determine whether the wireless traffic was transmitted using weaker protocols or encryption than the organization mandates. When devices that are relying on weak wireless security settings are identified, they should be found within the organization's asset inventory and either reconfigured more securely or denied access to the agency network.
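The "weaker protocols or encryption than the organization mandates" check from the paragraph above, applied to items 6 and 7 of this control, as an added example that is not part of the CAG draft: it decodes the RSN information element an access point advertises in its beacon frames and reports any cipher weaker than AES (CCMP) or any key management other than 802.1X/EAP. The beacon fragments and SSIDs are constructed.

```python
"""Added example, not from the CAG draft: decode the RSN information element
(802.11 element ID 48) from captured beacon tagged parameters and check it
against Control 14 items 6 and 7: at least WPA2 with AES, and EAP (802.1X)
key management. The beacon fragments below are constructed for illustration."""
import struct

RSN_IE_ID = 48
IEEE_OUI = b"\x00\x0f\xac"
CIPHER = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 8: "GCMP-128"}
AKM = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 5: "802.1X-SHA256", 8: "SAE"}
AES_CIPHERS = {"CCMP-128", "GCMP-128"}
EAP_AKMS = {"802.1X", "FT-802.1X", "802.1X-SHA256"}


def parse_tagged_params(data: bytes) -> dict:
    """Split a beacon's tagged-parameter area (id, length, body) into {id: body}."""
    elems, i = {}, 0
    while i + 2 <= len(data):
        eid, length = data[i], data[i + 1]
        elems[eid] = data[i + 2:i + 2 + length]
        i += 2 + length
    return elems


def _suite(raw: bytes, table: dict) -> str:
    """Name a 4-byte suite selector (OUI + type); non-IEEE OUIs are vendor suites."""
    oui, kind = raw[:3], raw[3]
    return table.get(kind, f"unknown({kind})") if oui == IEEE_OUI else f"vendor({oui.hex()}:{kind})"


def parse_rsn(body: bytes) -> dict:
    """Decode version, group cipher, pairwise ciphers and AKM suites of an RSN IE."""
    version, = struct.unpack_from("<H", body, 0)
    group = _suite(body[2:6], CIPHER)
    n_pair, = struct.unpack_from("<H", body, 6)
    pos = 8
    pairwise = [_suite(body[pos + 4 * k:pos + 4 * k + 4], CIPHER) for k in range(n_pair)]
    pos += 4 * n_pair
    n_akm, = struct.unpack_from("<H", body, pos)
    pos += 2
    akms = [_suite(body[pos + 4 * k:pos + 4 * k + 4], AKM) for k in range(n_akm)]
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akms}


def check_policy(tagged: bytes) -> list:
    """Return the policy violations for one beacon (empty list means compliant)."""
    elems = parse_tagged_params(tagged)
    if RSN_IE_ID not in elems:      # no RSN element: open, WEP, or WPA1 (vendor IE) only
        return ["no RSN element: open, WEP, or WPA1-only network"]
    rsn = parse_rsn(elems[RSN_IE_ID])
    problems = []
    weak = sorted({c for c in rsn["pairwise"] + [rsn["group"]] if c not in AES_CIPHERS})
    if weak:
        problems.append("non-AES cipher allowed: " + ", ".join(weak))
    if not any(a in EAP_AKMS for a in rsn["akm"]):
        problems.append("no EAP/802.1X key management: " + ", ".join(rsn["akm"]))
    return problems


# Constructed beacon fragments: an SSID element followed by an RSN element.
def _ie(eid, body):
    return bytes([eid, len(body)]) + body

def _rsn(group, pairwise, akms):
    s = struct.pack("<H", 1) + IEEE_OUI + bytes([group])
    s += struct.pack("<H", len(pairwise)) + b"".join(IEEE_OUI + bytes([p]) for p in pairwise)
    s += struct.pack("<H", len(akms)) + b"".join(IEEE_OUI + bytes([a]) for a in akms)
    return s + b"\x00\x00"                      # RSN capabilities field

COMPLIANT_AP = _ie(0, b"corp-wifi") + _ie(RSN_IE_ID, _rsn(4, [4], [1]))   # CCMP + 802.1X
WEAK_AP = _ie(0, b"guest") + _ie(RSN_IE_ID, _rsn(2, [2, 4], [2]))        # TKIP allowed, PSK
OPEN_AP = _ie(0, b"free-wifi")                                           # no RSN at all

if __name__ == "__main__":
    for name, beacon in (("corp-wifi", COMPLIANT_AP), ("guest", WEAK_AP), ("free-wifi", OPEN_AP)):
        print(name, check_policy(beacon) or "compliant")
```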

Critical Control 15: Data Leakage Protection

How do attackers exploit the lack of this control?

Attackers have exfiltrated more than 20 terabytes of often sensitive data from Department of Defense and Defense Industrial Base (i.e., contractors doing business with the DoD) organizations. Yet, in most cases, the victims had no clue that huge amounts of sensitive data were leaving their site because they were not monitoring data outflows. The movement of data across network boundaries both electronically and physically must be carefully scrutinized to minimize its exposure to attackers.

How can this control be implemented, automated, and its effectiveness measured?

1. QW: Set up and enforce rules and policies regarding the use of social network sites, posting information on the commercial websites, and sharing account information, all of which could be useful for an attacker.

2. QW: Configure firewalls and proxies to enforce limits of file sizes that can be transferred. Allow large file transfers only after prior registration with security personnel.


3. QW: Deny communications with (or limit data flow to) known malicious IP addresses (blacklists) or limit access to trusted sites (whitelists). Periodically, test packets from bogon source IP addresses should be sent into the network to verify that they are not transmitted through network perimeters. Lists of bogon addresses (unroutable or otherwise unused IP addresses) are publicly available on the Internet from various sources, and indicate a series of IP addresses that should not be used for legitimate traffic traversing the Internet.

4. QW: Develop and implement a "Data Protection Strategy" that defines procedural and technical mechanisms for protecting data at rest, data in use, and data in transit. Specific computer systems and networks housing sensitive data should be inventoried. To the extent possible, applications and systems should be designed to store data on protected servers, rather than storing it on workstation or laptop machines.

5. Vis/Attrib: Network monitoring tools should analyze outbound traffic looking for a variety of anomalies, including large file transfers, long-time persistent connections, unusual protocols and ports in use, and possibly the presence of certain keywords in the data traversing the network perimeter. More sophisticated analyses of network traffic, such as transfer ratios at the workstation level, should be used once government-wide analysis uncovers effective parameters for such analyses. Furthermore, network monitoring tools must have the ability to do immediate network forensics to confirm the nature of the anomalies and to serve as a tuning mechanism to refine anomaly tools.

6. Config/Hygiene: Data should be moved between networks using secure, authenticated, encrypted mechanisms.

7. Config/Hygiene: Data stored on removable, easily transported storage media, such as USB tokens (i.e., thumb drives), USB portable hard drives, and CDs/DVDs, should be encrypted. Systems should be configured so that all data written to such media is automatically encrypted without user intervention.

8. Advanced: Deploy an automated tool on network perimeters that monitors for certain keywords and other document characteristics in an automated fashion to determine attempts to exfiltrate data in an unauthorized fashion across network boundaries and block such transfers while alerting information security personnel.

9. Advanced: Configure systems so that they will not write data to USB tokens or USB hard drives.

10. Advanced: Do not use account login names in users' email addresses.

Procedures and tools for implementing this control:

Periodically, such as once per quarter, information security personnel should run a script that purposely tries to trigger the data leak protection functionality deployed at network perimeters by sending innocuous data with characteristics (such as certain keywords, file size, or source address) to a test system located just outside the data leakage protection device and the firewall. These personnel should ensure that the attempted transfer was detected and an alert was generated, and should also investigate whether the transfer was successfully blocked.
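The outbound-traffic anomaly checks from item 5 (large transfers, long-lived connections, unusual ports, per-workstation transfer volume) and the bogon source-address check from item 3, run over constructed flow records, as an added example that is not the CAG draft's own tooling. The internal prefix, thresholds and allowed egress ports are assumptions, and documentation address ranges stand in for public addresses.

```python
"""Added example, not the CAG draft's own tooling: the outbound anomaly
checks of Critical Control 15 item 5 and the bogon source check of item 3,
applied to constructed flow records. Thresholds, the internal prefix and the
allowed egress ports are assumptions; 198.51.100.0/24 and 203.0.113.0/24
(documentation ranges) stand in for public addresses."""
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")        # assumed site prefix
# Deliberately short bogon list; a deployment loads a maintained feed instead.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "224.0.0.0/3")]
ALLOWED_OUT_PORTS = {25, 53, 80, 443}     # documented egress services
MAX_OUT_BYTES = 500 * 1024 * 1024         # per-flow size limit (item 2)
MAX_DURATION_S = 4 * 3600                 # "long-time persistent" threshold

# Constructed flow records: (src, dst, dst_port, bytes, duration_seconds)
FLOWS = [
    ("10.1.4.20", "203.0.113.10", 443, 120_000, 12),               # normal browsing
    ("10.1.4.20", "198.51.100.7", 443, 900 * 1024 * 1024, 2400),   # huge upload
    ("10.1.9.3", "198.51.100.9", 8443, 4_096, 5 * 3600),           # beacon-like
    ("10.1.9.3", "198.51.100.9", 6667, 2_048, 30),                 # odd port
    ("192.168.77.5", "10.1.4.20", 22, 512, 1),      # bogon source passed the perimeter
    ("203.0.113.55", "10.1.4.20", 443, 8_192, 3),                  # normal inbound
]


def is_bogon(ip) -> bool:
    """True if the address lies in a prefix that should never arrive from the Internet."""
    return any(ip in net for net in BOGONS)


def analyze(flows):
    """Return (kind, src, dst, value) alerts for every flow that breaks policy."""
    alerts = []
    for src, dst, dport, nbytes, dur in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in INTERNAL and d not in INTERNAL:                # outbound flow
            if nbytes > MAX_OUT_BYTES:
                alerts.append(("large_transfer", src, dst, nbytes))
            if dur > MAX_DURATION_S:
                alerts.append(("long_connection", src, dst, dur))
            if dport not in ALLOWED_OUT_PORTS:
                alerts.append(("unusual_port", src, dst, dport))
        elif d in INTERNAL and s not in INTERNAL and is_bogon(s):   # inbound from bogon space
            alerts.append(("bogon_source", src, dst, dport))
    return alerts


def outbound_bytes_by_host(flows):
    """Egress volume per workstation, the raw input for the transfer-ratio analysis in item 5."""
    totals = {}
    for src, dst, _dport, nbytes, _dur in flows:
        if ipaddress.ip_address(src) in INTERNAL and ipaddress.ip_address(dst) not in INTERNAL:
            totals[src] = totals.get(src, 0) + nbytes
    return totals


if __name__ == "__main__":
    for alert in analyze(FLOWS):
        print(*alert)
    print(outbound_bytes_by_host(FLOWS))
```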


The following paragraphs identify additional controls that are important but that cannot be automatically or continuously monitored. It should be noted that these controls overlap to a greater degree than the ones in the previous section.

Critical Control 16: Secure Network Engineering

Many controls in this document are effective but can be circumvented in networks that are badly designed. Therefore a robust secure network engineering process must be deployed to complement the detailed controls being measured in other sections of this document. Among the engineering/architectural standards to be used are:

1. Config/Hygiene: To support rapid response and shunning of detected attacks, the network architecture and the systems that make it up should be engineered for rapid deployment of new access control lists, rules, signatures, blocks, black holes and other defensive measures required by US-CERT.

2. Vis/Attrib: All access of websites on the Internet must occur through a perimeter that includes a firewall, IDS, web proxy, packet inspection, packet logging functionality and session reconstructor abilities.

3. Vis/Attrib: DNS should be deployed in a hierarchical, structured fashion, with all client machines sending requests to DNS servers inside a government-controlled network and not to DNS servers located on the Internet. These internal DNS servers should be configured to forward requests they cannot resolve to DNS servers located on a protected DMZ. These DMZ servers, in turn, should be the only DNS servers that are allowed to send requests to the Internet.

4. Config/Hygiene: Each organization should standardize the DHCP lease information and time assigned to systems, and verbosely log all information about DHCP leases distributed in the organization.

Critical Control 17: Red Team Exercises

How do attackers exploit the lack of this control?


rapidly restore a system from backup, make sure that the operating system, application software, and data on a machine are each included in the overall backup procedure. These three components of a system do not have to be included in the same backup file or using the same backup software. However, each must be backed up at least weekly.

2. Config/Hygiene: Ensure that backups are encrypted when they are stored locally, as well as when they are moved across the network.

3. Config/Hygiene: Backup media, such as hard drives and tapes, should be stored in physically secure, locked facilities.

Procedures and tools for implementing this control:

Once per quarter, a testing team should evaluate a random sample of system backups by attempting to restore them on a test bed environment. The restored systems should be verified to ensure that the operating system, application, and data from the backup are all intact and functional.

Critical Control 20: Security Skills Assessment and Appropriate Training To Fill Gaps

The skills of five groups of people are constantly being tested by attackers:

1. End users are fooled into opening attachments and loading software from untrusted sites, visiting websites where they are infected and more.

2. System administrators are also fooled like normal users but are also tested when unauthorized accounts are set up on their systems, when unauthorized equipment is attached, when large amounts of data are exfiltrated.

3. Security operators and analysts are tested with new and innovative attacks with sophisticated privilege escalation, with redirection and other attacks along with a continuous stream of more traditional attacks.

4. Application programmers are tested by criminals who find and exploit the vulnerabilities they leave in their code.

5. To a lesser degree system owners are tested when they are asked to invest in cybersecurity but are unaware of the devastating impact a compromise and data exfiltration or data alteration would have on their mission.

Any organization that hopes to be ready to find and respond to attacks effectively owes it to their employees and contractors to find the gaps in their knowledge and to provide exercises and training to fill those gaps. A solid security skills assessment program can provide actionable information to decision makers about where security awareness needs to be improved, and can also help determine proper allocation of limited resources to improve security practices.

How can this control be implemented and its effectiveness measured?


1. QW: Develop security awareness training for various personnel job descriptions. The training should include specific, incident-based scenarios showing the threats an organization faces.

2. Config/Hygiene: Devise periodic security awareness assessment quizzes, to be given to employees and contractors on at least an annual basis, determining whether they understand the information security policies and procedures for the organization, as well as their role in those procedures.

3. Config/Hygiene: Conduct periodic exercises to verify that employees and contractors are fulfilling their information security duties, by conducting tests to see whether employees will click on a link from suspicious email or provide sensitive information on the telephone without following appropriate procedures for authenticating a caller.

Procedures and tools for implementing this control:

The key to upgrading skills is measurement, not with certification examinations, but with assessments that show both the employee and the employer where knowledge is sufficient and where the gaps are. Once the gaps are identified, those employees who have the requisite skills and knowledge can be called upon to mentor the employees who need skills improvement, or the organization can develop training programs that directly fill the gaps and maintain employee readiness.

SUMMARY

This document has been developed through the collaboration of a diverse set of security experts. While there is no such thing as absolute protection, proper implementation of the security controls identified in this document will ensure that an organization is protecting against the most significant attacks. As attacks change, as additional controls or tools become available, or as the state of common security practice advances, this document will be updated to reflect what is viewed by the collaborating authors as the most important security controls to defend against cyber attacks.


Appendix A: Initial mapping between CAG 097 control set and draft NIST SP 800-53 Rev 1, 2/9/2009

This mapping relays the SP 800-53 Rev 3 controls which accomplish the requirements called out in the CAG 097 control set. Note that for the most part, where the CAG 097 control set called for a requirement not currently in the draft for SP 800-53 Rev 3, an enhancement was added to the NIST draft to cover that requirement. Also note that the NIST controls may impose additional requirements beyond those explicitly stated in CAG 097.

CAG 097 Control | Related NIST SP 800-53 Rev 3 Controls

Critical Control 1: Inventory of authorized and unauthorized hardware. | CM-1, CM-2, CM-3, CM-4, CM-5, CM-8, CM-9

Critical Control 2: Inventory of authorized and unauthorized software; enforcement of whitelists of authorized software. | CM-1, CM-2, CM-3, CM-5, CM-7, CM-8, CM-9, SA-7

Critical Control 3: Secure configurations for hardware and software for which such configurations are available. | CM-6, CM-7, CP-10, IA-5, SC-7

Critical Control 4: Secure configurations of network devices such as firewalls, routers, and switches. | AC-4, CM-6, CM-7, CP-10, IA-5, RA-5, SC-7 (Also related to assessment with SP 800-53A)

Critical Control 5: Boundary Defense | AC-17, RA-5, SC-7, SI-4 (Also related to assessment with SP 800-53A)

Critical Control 6: Maintenance, Monitoring and Analysis of Complete Audit Logs | AU-1, AU-2, AU-3, AU-4, AU-6, AU-7, AU-9, AU-11, AU-12, CM-3, CM-5, CM-6, SI-4 (Also related to assessment with SP 800-53A)

Critical Control 7: Application Software Security | AC-4, CM-4, CM-7, RA-5, SA-3, SA-4, SA-8, SA-11, SI-3

Critical Control 8: Controlled Use of Administrative Privileges | AC-6, AC-17, AT-2, AU-2

Critical Control 9: Controlled Access Based On Need to Know | AC-1, AC-2, AC-3, AC-6, AC-13 (Also related to assessment with SP 800-53A)

Critical Control 10: Continuous Vulnerability Testing and Remediation | CA-2, CA-6, CA-7, RA-5, SI-2

Critical Control 11: Dormant Account Monitoring and Control | AC-2, PS-4, PS-5

Critical Control 12: Anti-Malware Defenses | AC-3, AC-4, AC-6, AC-17, AC-19, AC-20, AT-2, AT-3, CM-5, MA-3, MA-4, MA-5, MP-2, MP-4, PE-3, PE-4, PL-4, PS-6, RA-5, SA-7, SA-12, SA-13, SC-3, SC-7, SC-11, SC-20, SC-21, SC-22, SC-23, SC-25, SC-26, SC-27, SC-29, SC-30, SC-31, SI-3, SI-8

Critical Control 13: Limitation and Control of Ports, Protocols and Services | AC-4, CM-6, CM-7, SC-7 (Also related to assessment with SP 800-53A)

Critical Control 14: Wireless Device Control | AC-17

Critical Control 15: Data Leakage Protection | AC-2, AC-4, PL-4, SC-7, SC-31, SI-4

Critical Control 16: Secure Network Engineering | AU-8, CA-2, CA-6, CM-7, SA-8, SC-7, SC-22

Critical Control 17: Red Team Exercises | CA-2, CA-6

Critical Control 18: Incident Response Capability | IR-1, IR-2, IR-3, IR-4, IR-5, IR-6, IR-7, SI-5

Critical Control 19: Disaster Recovery Capability (Control is TBD, still under development) | CP-1, CP-2, CP-3, CP-4, CP-6, CP-7, CP-8, CP-9, CP-10 (likely, based upon CAG 097 control title)

Critical Control 20: Security Skills Assessment and Appropriate Training To Fill Gaps | AT-2, AT-3, AT-4