Most security attacks are simple-minded. Reading through the news of recent security breaches, most of them could have been avoided. They can be traced to simple misconfigurations, such as an S3 bucket misconfigured for public access, or to a lack of basic security hygiene, such as out-of-date security patching. And yet so many of us don't seem to know or follow basic security hygiene. The security market is confusing, with hundreds of security vendors offering their products and dozens of compliance frameworks such as NIST, CIS, HIPAA and FedRAMP to choose from. It is often unclear where to begin and what to focus on first. It seems that enterprises may be focusing on defending against complex scenarios, such as sophisticated threat vectors and advanced persistent threats, while unwittingly skipping the common-sense first steps. We believe that by implementing just the top 5 Center for Internet Security (CIS) controls, enterprises can reduce their cyber risk by 85%, according to many studies done in the industry. Let us break this down further and see how we can get to an 85% risk reduction with just 5 steps.
Top 5 CIS Controls – What are they?
The Center for Internet Security has defined 20 controls and prioritized the top 5, which, if implemented correctly, will reduce security risk by 85%. These controls are pragmatic and prescriptive, and they can be readily automated with the security automation tools listed below.
Table 1. Center for Internet Security Top 5 Security Controls

| The Top 5 CIS Controls | Security Automation Tools and Practices |
|---|---|
| 1. Inventory of Authorized and Unauthorized Devices | BMC Discovery |
| 2. Inventory of Authorized and Unauthorized Software | BMC Discovery |
| 3. Secure Configurations for Hardware and Software (also see CIS 9 and CIS 11 for securing configurations of network infrastructure) | Assessment and remediation in cloud: SecOps Policy. Assessment and remediation in datacenter: BladeLogic Server and Network Automation |
| 4. Continuous Vulnerability Assessment and Remediation | Scanning: Qualys, Nessus, Rapid7. Vulnerability management: SecOps Response. Patching: BladeLogic, SCCM |
| 5. Controlled Use of Administrative Privileges | SecOps Policy |
The First Two
The first two CIS controls focus on inventory of authorized and unauthorized devices and software. We have all heard the management tenet "You cannot manage what you don't know"; in security, "You cannot secure what you don't know" applies equally. Complete visibility into all devices, computers, servers, network devices and databases, as well as all software and applications, is the first critical step for any enterprise. Without this complete inventory, the security scanning, patching, compliance and operations teams will not know about the missing devices or applications and will fail to scan or patch them, and that lack of visibility leads directly to security exposure. Enterprises should consider a) an automated discovery tool that discovers not just infrastructure, devices and machines but also applications and software, and b) correlation tools that map device data from multiple enterprise tools (scanning, patching, compliance and discovery) and alert you to the "blind spots". These blind spots represent potential security risk because they remain invisible and hence go unscanned or unpatched.
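The correlation described in b) comes down to comparing what each tool knows about. The following is an added example, not code from the original post or from any discovery, scanning or patching product it names; every hostname, package name and allowlist entry in it is constructed sample data.

```python
"""Cross-tool inventory correlation to surface blind spots (CIS controls 1 and 2).
Added example; not code from the original post or from any discovery, scanning
or patching product it names. Hostnames, software and allowlist are constructed."""
from typing import Dict, Iterable, List, Set


def normalize(host: str) -> str:
    # Tools disagree on case and on whether they report FQDNs,
    # so correlate on the lowercase short hostname.
    return host.strip().lower().split(".")[0]


def to_set(hosts: Iterable[str]) -> Set[str]:
    return {normalize(h) for h in hosts}


def find_blind_spots(discovery: Iterable[str], scanner: Iterable[str],
                     patching: Iterable[str]) -> Dict[str, List[str]]:
    """Devices discovery knows about that the scanner or patcher never touches,
    plus devices another tool sees that discovery missed entirely."""
    d, s, p = to_set(discovery), to_set(scanner), to_set(patching)
    return {
        "unscanned": sorted(d - s),
        "unpatched": sorted(d - p),
        "unknown_to_discovery": sorted((s | p) - d),
    }


def unauthorized_software(inventory: Dict[str, Iterable[str]],
                          allowlist: Iterable[str]) -> Dict[str, List[str]]:
    """Per host, installed packages that are not on the approved list (control 2)."""
    allowed = {a.lower() for a in allowlist}
    result = {}
    for host, packages in inventory.items():
        extra = sorted(pkg for pkg in packages if pkg.lower() not in allowed)
        if extra:
            result[normalize(host)] = extra
    return result


if __name__ == "__main__":
    # Constructed inventories as three different tools might report them.
    discovery = ["WEB-01.corp.example", "db-01", "app-02", "fw-edge-1"]
    scanner = ["web-01", "DB-01", "legacy-07"]
    patching = ["web-01", "app-02"]
    print(find_blind_spots(discovery, scanner, patching))
    print(unauthorized_software({"web-01": ["nginx", "ncat"]}, ["nginx", "openssh"]))
```

Each list in the result is a work item: unscanned and unpatched hosts need onboarding into those tools, and hosts unknown to discovery are the ones discovery itself is failing to see.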
CIS control #3 deals with "Secure Configurations for Hardware and Software". Security misconfigurations are common and very much preventable. A port on a machine or firewall left open, an operating system that is not hardened, an S3 bucket or files left open for public access, a MongoDB or Elasticsearch database left publicly accessible, default passwords that are never changed, or a misconfigured firewall letting unwanted traffic through: these are some of the common misconfigurations that have led to highly publicized breaches in both cloud and datacenter environments.
While CIS control #3 focuses on hardware and software, two related controls extend secure configuration to network devices and are important considerations. CIS control #11, "Secure Configurations for Network Devices", is the network counterpart of #3, and CIS control #9 is "Limitation and Control of Network Ports, Protocols and Services". Together these two secure the network infrastructure, including the open firewalls and ports discussed earlier.
Enterprises should consider a) tools to assess, harden and remediate operating systems in order to create "golden" images and Docker containers based on standards such as CIS, DISA and PCI, and b) tools that can assess, harden and remediate their cloud resources, covering everything from hardware and software to servers, storage and network. As companies move to the public cloud, it is even more important that cloud resources are hardened just as servers are in the datacenter. Cloud resources include S3 buckets, load balancers and security groups, whose security configurations can be checked against standards such as the CIS AWS Foundations benchmark. Once the assessment is complete, a well-established process must exist to remediate violations across the full stack and across multiple clouds.
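The S3 public-access case mentioned above is a good illustration of what a cloud assessment check actually evaluates. The following is an added example, not code from the original post or from SecOps Policy; it assumes inputs shaped like the AWS GetBucketPolicy and GetBucketAcl responses, constructs them inline, and makes no AWS calls.

```python
"""Flag S3 buckets exposed to everyone via bucket policy or ACL (CIS control 3).
Added example; not code from the original post or from SecOps Policy. Inputs mirror
the shape of AWS GetBucketPolicy/GetBucketAcl responses but are constructed here."""
import json
from typing import Dict, List, Tuple

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

def _is_wildcard_principal(principal) -> bool:
    # Both "Principal": "*" and "Principal": {"AWS": "*"} mean "anyone".
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy_json: str) -> List[str]:
    """Sids of Allow statements open to everyone with no Condition block.
    Statements that do carry a Condition are not flagged and need manual review."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    return [s.get("Sid", "<no Sid>") for s in statements
            if s.get("Effect") == "Allow"
            and _is_wildcard_principal(s.get("Principal"))
            and not s.get("Condition")]

def public_acl_grants(acl: Dict) -> List[Tuple[str, str]]:
    """(group, permission) pairs granted to AllUsers or AuthenticatedUsers."""
    grants = []
    for g in acl.get("Grants", []):
        uri = g.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS):
            grants.append((uri.rsplit("/", 1)[-1], g.get("Permission")))
    return grants

def assess_bucket(name: str, policy_json: str, acl: Dict) -> Dict:
    issues = [f"policy statement {sid} allows Principal * without a Condition"
              for sid in public_policy_statements(policy_json)]
    issues += [f"ACL grants {perm} to {group}" for group, perm in public_acl_grants(acl)]
    return {"bucket": name, "public": bool(issues), "issues": issues}

# Constructed sample: world-readable policy plus an AllUsers ACL grant.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
```

Remediation is the same in both cases: remove the public grant and keep the bucket private unless a documented business reason requires otherwise.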
CIS control #4 is "Continuous Vulnerability Assessment and Remediation". Vulnerabilities in servers are one of the surest ways of getting attacked: there are over 80,000 vulnerabilities (CVEs) catalogued by NIST, and a dozen or more are added every week. What is even more interesting is that 99% of the exploited vulnerabilities were compromised more than a year after the CVE was published. The attacker's window of opportunity should be minimized by fixing critical, high and highly exploitable vulnerabilities as soon as fixes are available, rather than waiting months or years. Enterprises should consider a) automated scanning tools that scan for vulnerabilities, b) vulnerability life-cycle management tools that prioritize findings and plan remediation SLAs to keep the window of opportunity small, and c) patching tools to execute remediations on servers and network devices across cloud and datacenters.
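The SLA planning in b) can be made concrete as a small prioritisation step over scanner output. The following is an added example, not code from the original post or from SecOps Response; the SLA days per severity, the findings and the CVE ids in it are constructed placeholders, not real identifiers or a vendor's policy.

```python
"""Prioritise scanner findings by remediation SLA (CIS control 4).
Added example; not code from the original post or from SecOps Response. The SLA
days per severity, the findings and the CVE ids are constructed placeholders."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Tuple, Union

# Assumed policy: days allowed between a fix becoming available and remediation.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

@dataclass
class Finding:
    host: str
    cve: str
    severity: str
    fix_available: date          # date the vendor patch was published
    exploit_known: bool = False  # public exploit code or active exploitation reported

def due_date(f: Finding) -> date:
    """A finding with a known exploit is treated as critical whatever its score,
    since the point of the control is to keep the attacker's window small."""
    severity = "critical" if f.exploit_known else f.severity.lower()
    return f.fix_available + timedelta(days=SLA_DAYS[severity])

def overdue(findings: Iterable[Finding],
            today: Union[date, str]) -> List[Tuple[str, str, int]]:
    """(host, cve, days past SLA) for every late finding, most overdue first."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    late = []
    for f in findings:
        days_late = (today - due_date(f)).days
        if days_late > 0:
            late.append((f.host, f.cve, days_late))
    return sorted(late, key=lambda t: t[2], reverse=True)

# Constructed findings; CVE ids are placeholders, not real identifiers.
SAMPLE = [
    Finding("web-01", "CVE-0000-0001", "critical", date(2017, 6, 1)),
    Finding("db-01", "CVE-0000-0002", "medium", date(2017, 3, 1), exploit_known=True),
    Finding("app-02", "CVE-0000-0003", "low", date(2017, 7, 1)),
    Finding("fw-edge-1", "CVE-0000-0004", "high", date(2017, 7, 1)),
]

if __name__ == "__main__":
    for host, cve, days in overdue(SAMPLE, "2017-07-23"):
        print(f"{host} {cve} is {days} days past its remediation SLA")
```

Note that the medium-rated finding on db-01 ends up at the top of the list: a public exploit, not the CVSS score alone, is what shrinks its SLA.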
Last but Not Least
The final control in the top 5, #5, deals with "Controlled Use of Administrative Privileges", defined as "processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications." Elevated access privileges, improperly configured identity and access management (IAM) permissions, weak administrative passwords without a complexity policy, no password rotation, no MFA and more can all lead to breaches and attacks. Enterprises should consider a) assessment and hardening tools to validate that all their systems, from operating systems and servers to applications and cloud, follow best practices for administrative privilege management, such as assessing the password policies for account logins, and b) continuous monitoring tools such as a SIEM to track activity related to administrative privilege usage and alert on suspicious activity. The CIS benchmarks for AWS and for servers have a number of rules related to this that most assessment and hardening tools, such as SecOps and BladeLogic, can easily address.
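The password-policy assessment in a) and the MFA point are the kind of rule an assessment tool evaluates. The following is an added example, not code from the original post or from SecOps or BladeLogic; the policy keys mirror the field names of the IAM GetAccountPasswordPolicy response, while the thresholds, sample policies and users are constructed assumptions rather than values quoted from a benchmark.

```python
"""Assess an account password policy and admin MFA coverage (CIS control 5).
Added example; not code from the original post or from SecOps/BladeLogic. Policy
keys mirror the field names of IAM GetAccountPasswordPolicy; the thresholds,
policies and users below are constructed assumptions, not quoted from a benchmark."""
from typing import Dict, Iterable, List

# Assumed minimums; check the current CIS AWS Foundations benchmark for its values.
REQUIRED = {
    "MinimumPasswordLength": ("min", 14),
    "RequireUppercaseCharacters": ("eq", True),
    "RequireLowercaseCharacters": ("eq", True),
    "RequireNumbers": ("eq", True),
    "RequireSymbols": ("eq", True),
    "MaxPasswordAge": ("max", 90),        # absent means passwords never expire
    "PasswordReusePrevention": ("min", 24),
}

def check_password_policy(policy: Dict) -> List[str]:
    """One human-readable failure per rule the policy does not meet."""
    failures = []
    for key, (kind, want) in REQUIRED.items():
        have = policy.get(key)
        if have is None:
            failures.append(f"{key} not set")
        elif kind == "eq" and have != want:
            failures.append(f"{key} is {have}, expected {want}")
        elif kind == "min" and have < want:
            failures.append(f"{key} is {have}, minimum {want}")
        elif kind == "max" and have > want:
            failures.append(f"{key} is {have}, maximum {want}")
    return failures

def admins_without_mfa(users: Iterable[Dict]) -> List[str]:
    """Accounts holding administrative privilege that have no MFA device enrolled."""
    return sorted(u["name"] for u in users if u.get("admin") and not u.get("mfa"))

# Constructed samples.
WEAK_POLICY = {"MinimumPasswordLength": 8, "RequireUppercaseCharacters": True,
               "RequireLowercaseCharacters": True, "RequireNumbers": False,
               "RequireSymbols": True, "PasswordReusePrevention": 5}
STRONG_POLICY = {"MinimumPasswordLength": 16, "RequireUppercaseCharacters": True,
                 "RequireLowercaseCharacters": True, "RequireNumbers": True,
                 "RequireSymbols": True, "MaxPasswordAge": 60,
                 "PasswordReusePrevention": 24}
SAMPLE_USERS = [{"name": "alice", "admin": True, "mfa": True},
                {"name": "deploy-bot", "admin": True, "mfa": False},
                {"name": "bob", "admin": False, "mfa": False}]
```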
The CIS Critical Security Controls are a prioritized and actionable set of cybersecurity best practices to prevent the most dangerous and common cyber attacks. Using just the top 5 can reduce your risk by 85%. As an example, a cloud assessment and remediation tool like SecOps Policy could very easily have detected the three high-profile breaches related to S3. The recent WannaCry attack could have been thwarted by proactively remediating vulnerabilities using SecOps Response. There are a number of security automation tools in the marketplace to help you achieve that 85%, and you should leverage them first. After you implement the top 5, move on to the remaining 15 and to more complex frameworks such as NIST and ISO, which add another 100-300 controls to further tighten the security of cloud apps and the datacenter.