8/14/2019 (Draft 1.0) -- 20 Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance
Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance
Draft 1.0: February 23, 2009
NOTICE to readers of this draft document: Criticisms and suggestions are strongly encouraged. If you are actively engaged in cyber forensics, red teams, blue teams, technical incident response, vulnerability research, or cyber attack research or operations, please help make sure this document is as good as it can be. We also request support in identifying users who have implemented scalable methods for measuring compliance with these controls and producing sharable benchmarks and other types of baseline guidance that can be used to drive tool-based assessment of as many of these controls as possible.
Send criticism/comments/suggestions to John Gilligan as well as to [email protected], 2009.
INTRODUCTION
Securing our Nation against cyber attacks has become one of the Nation's highest priorities. To achieve this objective, networks, systems, and the operations teams that support them must vigorously defend against external attacks. Furthermore, for those external attacks that are successful, defenses must be capable of thwarting, detecting, and responding to follow-on attacks on internal networks as attackers spread inside a compromised network.
A central tenet of the US Comprehensive National Cybersecurity Initiative (CNCI) is that offense must inform defense. In other words, knowledge of actual attacks that have compromised systems provides the essential foundation on which to construct effective defenses. The US Senate Homeland Security and Government Affairs Committee moved to make this same tenet central to the Federal Information Security Management Act in drafting FISMA 2008. That new proposed legislation calls upon Federal agencies to:
Establish security control testing protocols that ensure that the information infrastructure of the agency, including contractor information systems operating on behalf of the agency, are effectively protected against known vulnerabilities, attacks, and exploitations.
And to work together to make sure that testing is up to date and comparable, by agreeing on common metrics through:
Establishing a prioritized baseline of information security measures and controls that can be continuously monitored through automated mechanisms.
This consensus document is designed to begin the process of establishing that prioritized baseline of information security measures and controls. The consensus effort that has produced this document has identified twenty specific security controls that are viewed as essential for blocking known high-priority attacks. Fifteen of these controls can be monitored, at least in part, automatically and continuously. The consensus effort has also identified a second set of five controls that are essential but that do not appear to be able to be monitored continuously or automatically with current technology and practices.
Additionally, the controls in this document are designed to support agencies and organizations that currently have various different levels of information security capabilities. To help organizations focus on achieving a sound baseline of security and then improve beyond that baseline, certain aspects of individual controls have been categorized as follows:
Quick Wins: These fundamental aspects of information security can help an organization rapidly improve its security stance generally without major process, organization, architecture, or technical changes to its environment. It should be noted, however, that a Quick Win does not necessarily mean that these controls provide protection against the most critical attacks. The intent of identifying Quick Win control areas is to highlight where security can be improved rapidly. These items are identified in this document with the label of QW.
Improved Visibility and Attribution: These controls focus on improving the process, architecture, and technical capabilities of organizations so that the organization can monitor their networks and computer systems, gaining better visibility into their IT operations. Attribution is associated with determining which computer systems, and potentially which users, are generating specific events. Such improved visibility and ability to determine attribution supports organizations in detecting attack attempts, locating the points of entry for successful attacks, identifying already-compromised machines, interrupting infiltrated attackers' activities, and gaining information about the sources of an attack. These items are labeled as Vis/Attrib.
Hardened Configuration and Improved Information Security Hygiene: These aspects of various controls are designed to improve the information security stance of an organization by reducing the number and magnitude of potential security vulnerabilities as well as improving the operations of networked computer systems. Control guidelines in this category are formulated with the understanding that a well-managed network is a much harder target for computer attackers to exploit. Throughout this document, these items are labeled as Config/Hygiene.
Advanced: These items are designed to further improve the security of an organization beyond the other three categories. Organizations handling particularly sensitive networks and information that are already following all of the other controls should focus on this category. Items in this category are simply called Advanced.
In general, organizations should examine all twenty control areas against their current status and develop an agency-specific plan to implement the controls. Organizations with limited information security programs may want to address the Quick Wins aspects of the controls in order to make rapid progress and to build momentum within their information security
The National Institute of Standards and Technology (NIST) has produced excellent security guidelines that provide a very comprehensive set of security controls. This document by contrast seeks to identify that subset of security control activities that CISOs, CIOs and IGs can agree are their top, shared priority for cyber security. Once agreement is reached, these controls would be the basis for future audits and evaluations. While aimed at government organizations, the principles and measures addressed in this document are also highly applicable to commercial and academic enterprises and should be usable within the commercial marketplace.
What makes this document effective is that it reflects knowledge of actual attacks and defines controls that would have stopped those attacks from being successful. To construct the document, we have called upon the people who have first-hand knowledge about how the attacks are being carried out:
1. Blue team members inside the Department of Defense who are often called in when military commanders find their systems have been compromised
2. US-CERT and other non-military incident response employees and consultants who are called upon by civilian agencies and companies to identify the most likely method by which the penetrations were accomplished
3. Military investigators who fight cyber crime
4. The FBI and other police organizations that investigate cyber crime
5. Cyber security experts at US Department of Energy laboratories and Federally Funded Research and Development Centers
6. DoD and private forensics experts who analyze computers that have been infected
7. Red team members in DoD tasked with finding ways of circumventing military cyber defenses
8. Civilian penetration testers who test civilian government and commercial systems to find how they can be penetrated
9. Federal CIOs and CISOs who have intimate knowledge of cyber attacks
10. The Government Accountability Office (GAO)
Consensus Audit Guideline Controls
Twenty critical security controls were agreed upon by knowledgeable individuals from the groups listed above. The list of controls includes fifteen that are able to be validated in an automated manner and five that must be validated manually.
Critical Controls Subject to Automated Measurement and Validation:
1: Inventory of Authorized and Unauthorized Hardware.
2: Inventory of Authorized and Unauthorized Software.
3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers.
4: Secure Configurations of Network Devices Such as Firewalls and Routers.
5: Boundary Defense
6: Maintenance and Analysis of Complete Security Audit Logs
7: Application Software Security
8: Controlled Use of Administrative Privileges
9: Controlled Access Based On Need to Know
10: Continuous Vulnerability Testing and Remediation
11: Dormant Account Monitoring and Control
12: Anti-Malware Defenses
13: Limitation and Control of Ports, Protocols and Services
14: Wireless Device Control
15: Data Leakage Protection
Additional Critical Controls (not directly supported by automated measurement and validation):
16. Secure Network Engineering
17. Red Team Exercises
18. Incident Response Capability
19. Data Recovery Capability
20. Security Skills Assessment and Training to Fill Gaps
In the pages that follow, each of these controls is described more fully. Descriptions include how attackers would exploit the lack of the control, how to implement the control, and how to measure if the control has been properly implemented, along with suggestions regarding how standardized measurements can be applied. As pilot implementations are complete and agencies get experience with automation, we expect the document to be expanded into a detailed audit guide that agency CIOs can use to ensure they are doing the right things for effective cyber defense and that IGs can use to verify the CIOs' tests.
Insider Threats vs. Outsider Threats
A quick review of the critical controls may lead some readers to think that they are heavily focused on outsider threats and may, therefore, not fully deal with insider attacks. In reality, the insider threat is well covered in these controls in two ways. First, specific controls such as network segmentation, control of administrative rights, enforcement of need to know, data leakage protection, and effective incident response all directly address the key ways that insider threats can be mitigated. Second, the insider and outsider threats are merging as outsiders are more and more easily penetrating the security perimeters and becoming insiders. All of the controls that limit unauthorized access within the organization work effectively to mitigate both insider and outsider threats. It is important to note that these controls are meant to deal with multiple kinds of computer attackers, including but not limited to malicious internal employees and contractors, independent individual external actors, organized crime groups, terrorists, and nation-state actors, as well as mixes of these different threats.
Relationship to Other Federal Guidelines, Recommendations, and Requirements
These Consensus Audit Guidelines are meant to reinforce and prioritize some of the most important elements of the guidelines, standards, and requirements put forth in other US Government documentation, such as NIST Special Publication 800-53: Recommended Security Controls for Federal Information Systems, SCAP, FDCC, FISMA, and Department of Homeland Security Software Assurance documents. These guidelines do not conflict with such recommendations. In fact, the guidelines set forth herein are a proper subset of the recommendations of 800-53, designed so that organizations can focus on a specific set of actions associated with current threats and computer attacks they face every day. A draft of the mapping of individual guidelines in this document to specific recommendations of 800-53 is included in Appendix A.
Additionally, the Consensus Audit Guidelines are not intended to be comprehensive in addressing everything that a CIO or CISO must address in an effective security program. For example, in addition to implementing controls identified in this document, organizations must develop appropriate security policies, security architectures, and system security approvals. Furthermore, CIOs and CISOs must balance business needs and security risks, recognizing that there are sometimes trade-offs between them that must be carefully analyzed and measured.
Periodic and Continual Testing of Controls
Each control included in this document describes a series of tests that organizations can conduct on a periodic or, in some cases, continual basis to ensure that appropriate defenses are in place. One of the goals of the tests described in this document is to provide as much automation of testing as possible. By leveraging standardization efforts and repositories of content like SCAP, these automated test suites and scripts can be highly sharable between organizations, consistent to a large extent, and easily used by auditors for validation. However, at various phases of the tests, human testers are needed to set up tests or evaluate results in a fashion that cannot be automated. The testers associated with measuring such controls must be trusted individuals, as the test may require them to access sensitive systems or data in the course of their tests. Without appropriate authorization, background checks, and possibly clearance, such tests may be impossible. Such tests should also be supervised or reviewed by appropriate agency officials well versed in the parameters of lawful monitoring and analysis of information technology systems.
A Work in Progress
The consensus effort to define critical security controls is a work in progress. In fact, changing technology and changing attack patterns will necessitate future changes even after it has been adopted. In a sense, this will be a living document moving forward, but the controls described in this version are a solid start on the quest to make fundamental computer security hygiene a well-understood, repeatable, measurable, scalable, and reliable process throughout the federal government.
DESCRIPTION OF CONTROLS
Critical Control 1: Inventory of authorized and unauthorized hardware.
How do attackers exploit the lack of this control?
Many criminal groups and nation states deploy systems that continuously scan address spaces of target organizations waiting for new, unprotected systems to be attached to the network. The attackers also look for laptops not up to date with patches because they are not frequently connected to the network. One common attack takes advantage of new hardware that is installed on the network one evening and not configured and patched with appropriate security updates (i.e., hardened) until the following day. Attackers from anywhere in the world may quickly find and exploit such systems that are Internet-accessible. Furthermore, even for internal network systems, attackers who have already gained internal access may hunt for and compromise additional improperly secured internal computer systems. The attackers use the nighttime window to install backdoors on the systems that are still present after the systems are hardened and are used for exfiltration of sensitive data from compromised systems and from other systems connected to it.
Additionally, attackers frequently look for experimental or test systems that are briefly connected to the network but not included in the standard asset inventory of an organization. Such experimental systems tend not to have as thorough security hardening or defensive measures as other systems on the network. Although these test systems do not typically hold sensitive data, they offer an attacker an avenue into the organization, and a launching point for deeper penetration.
How can this control be implemented, automated, and its effectiveness measured?
An accurate and up-to-date inventory, controlled by active monitoring and configuration management, can reduce the chance of attackers finding unauthorized (those not previously approved for installation) and unprotected systems to exploit.
1. Vis/Attrib: Maintain an asset inventory of all computer systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, and an asset owner responsible for each device.
2. Vis/Attrib: Ensure that network inventory monitoring tools are operational and continuously monitoring, keeping the asset inventory up to date and looking for deviations from the expected inventory of assets on the network, and alerting the security operations center when deviations are discovered.
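The deviation check that items 1 and 2 above call for, written out as an added example (this code is not part of the Consensus Audit Guidelines and not any particular inventory product): an authorized inventory carrying the four required attributes is compared with a constructed discovery result, and every unauthorized, missing or misnamed device becomes an alert for the security operations center. The inventory records, the observed host list and the severity labels are all assumptions made for this illustration.

```python
"""Compare the authorized asset inventory with what is observed on the network
and produce alerts for deviations (Critical Control 1, items 1 and 2).

Added illustration, not from the guidelines document. The inventory records,
the observed-host list and the alert format are constructed for this example.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Asset:
    address: str      # network address, e.g. "10.1.2.3"
    hostname: str     # machine name(s)
    purpose: str      # purpose of the system
    owner: str        # asset owner responsible for the device


# Constructed authorized inventory: the "expected" set of devices.
AUTHORIZED = [
    Asset("10.1.2.10", "fs01", "file server", "ops-team"),
    Asset("10.1.2.11", "db01", "database", "dba-team"),
    Asset("10.1.2.20", "ws-alice", "workstation", "alice"),
    Asset("10.1.2.1", "core-sw1", "switch", "network-team"),
]

# Constructed discovery result (address -> hostname), e.g. from a sweep.
# ws-alice (a laptop) is off the network; 10.1.2.77 was never approved.
OBSERVED = {
    "10.1.2.10": "fs01",
    "10.1.2.11": "db01",
    "10.1.2.1": "core-sw1",
    "10.1.2.77": "test-box",
}


def incomplete_records(authorized):
    """Item 1: every record must carry address, name, purpose and owner."""
    return [a for a in authorized
            if not (a.address and a.hostname and a.purpose and a.owner)]


def find_deviations(authorized, observed):
    """Item 2: return sorted (severity, message) alerts for the SOC.

    - observed address not in the inventory  -> unauthorized device (high)
    - inventoried address not observed       -> missing device (medium)
    - observed hostname differs from record  -> hostname mismatch (medium)
    """
    by_addr = {a.address: a for a in authorized}
    alerts = []
    for addr, name in observed.items():
        ipaddress.ip_address(addr)  # reject malformed discovery input early
        rec = by_addr.get(addr)
        if rec is None:
            alerts.append(("high", f"unauthorized device {addr} ({name})"))
        elif rec.hostname != name:
            alerts.append(("medium", f"hostname mismatch at {addr}: "
                                     f"inventory={rec.hostname} observed={name}"))
    for addr, rec in by_addr.items():
        if addr not in observed:
            alerts.append(("medium", f"inventoried device {addr} "
                                     f"({rec.hostname}, owner {rec.owner}) not seen"))
    return sorted(alerts)


if __name__ == "__main__":
    for severity, message in find_deviations(AUTHORIZED, OBSERVED):
        print(f"[{severity}] {message}")
```

Run continuously, the same comparison against each new discovery sweep is what keeps the inventory current; the "not seen" alerts are what catches the infrequently connected laptops the attack narrative above describes.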
How can this control be implemented, automated, and its effectiveness measured?
1. Vis/Attrib: Deploy software inventory tools throughout the organization covering each of the operating system types in use, including desktop, server, and network devices. The software inventory system should track the version of the underlying operating system as well as the applications installed on it. Furthermore, the tool should record not only the type of software installed on each system, but also its version number and patch level. The tool should also monitor for unauthorized software.
2. Vis/Attrib: Ensure software inventory monitoring tools are operational by periodically installing several software updates and new packages on hardened control machines in the network and measure the delay before the software inventory indicates the changes. Such updates should be chosen for the control machines so that they do not negatively impact production systems on the network. Also measure the organization's response activities to unauthorized software installed in the environment.
3. Config/Hygiene: A policy is also required to force all drivers to be digitally signed and the organization should configure systems to block the loading of drivers that are not signed by a trusted software vendor. Both Windows Vista and Windows XP include configuration options that can enforce driver signing across an organization. Strictly loading only signed drivers is a crucial step toward blocking intruders' control of systems via rootkits that modify the core of the operating system to wield control.
Procedures and tools for implementing and automating this control:
Commercial software and asset inventory tools are widely available and in use in many enterprises today. The best of these tools provide an inventory check of hundreds of common applications used in enterprises on Microsoft Windows and other machines, pulling information about the patch level of each installed program to ensure that it is the latest version and leveraging the standardized application names in CPE.
Features that implement white and black lists of programs allowed to run or blocked from executing are included in modern endpoint security suites. Moreover, commercial solutions are increasingly bundling together anti-virus, anti-spyware, personal firewall, and host-based Intrusion Detection Systems and Intrusion Prevention Systems (IDS and IPS). In particular, most endpoint security solutions can look at the name, file system location, and/or MD5 hash of a given executable to determine whether the application should be allowed to run on the protected machine. The most effective of these tools offer custom whitelists and blacklists based on executable path, hash, or regular expression matching. Some even include a graylist function that allows administrators to define rules for execution of specific programs only by certain users and at certain times of day and blacklists based on specific signatures.
Once software inventory and execution control products are deployed, they can be evaluated by attempting to run a blacklisted program or a program that is not on the whitelist. To test solutions that implement a blacklist, the organization can define a specific benign executable as not being allowed, such as a simple word processor contained in a single EXE file. They can then attempt to run the program and test whether execution is blocked, and whether an alert is generated. For whitelist solutions, the organization can attempt to run a similar benign executable not on the whitelist, again checking for blocked execution and alerts.
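The decision logic behind the whitelist, blacklist and graylist features described above, together with the benign-test-program check, as an added example (not from the guidelines and not the code of any endpoint product): rules match an executable by path glob, content hash or regular expression; a blacklist match blocks, a whitelist match allows, a graylist match allows only for the listed users inside the listed time window, and anything unmatched falls to the product's default. The rule set, the byte strings standing in for executables, and the user and time values are assumptions constructed for this illustration; SHA-256 is used in place of the MD5 the text mentions because hash collisions in MD5 make it a weak identifier for allow/deny decisions.

```python
"""Execution-control decisions by path, hash or regex, with a graylist and the
benign-test-program evaluation the guideline describes (Critical Control 2).

Added illustration, not from the guidelines document or any vendor product.
Rules, file contents, users and times are constructed for this example.
"""
import hashlib
import re
from datetime import time


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed byte strings standing in for executables.
BENIGN_TEST_EXE = b"MZ-benign-word-processor"   # the test program from the text
APPROVED_EXE = b"MZ-approved-tool"

# Constructed rule set. Gray rules carry the users and time-of-day window
# within which execution of the matched program is permitted.
RULES = [
    {"kind": "black", "hash": sha256_of(BENIGN_TEST_EXE)},
    {"kind": "white", "hash": sha256_of(APPROVED_EXE)},
    {"kind": "white", "path": r"C:\Program Files\Corp\*"},
    {"kind": "gray", "regex": r".*\\admin-tools\\.*\.exe$",
     "users": {"admin1", "admin2"}, "window": (time(8, 0), time(18, 0))},
]


def _path_glob_match(pattern, path):
    # A simple '*' glob, case-insensitive like Windows paths.
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, path, re.IGNORECASE) is not None


def _rule_matches(rule, path, digest):
    if "hash" in rule:
        return rule["hash"] == digest
    if "path" in rule:
        return _path_glob_match(rule["path"], path)
    if "regex" in rule:
        return re.fullmatch(rule["regex"], path) is not None
    return False


def decide(path, content, user, now, rules=RULES, default_deny=True):
    """Return ('allow'|'block', reason). Precedence: blacklist, whitelist,
    graylist, then the default (deny for a whitelist product, allow for a
    blacklist-only product). 'now' may be a datetime.time or "HH:MM"."""
    if isinstance(now, str):
        now = time.fromisoformat(now)
    digest = sha256_of(content)
    matched = [r for r in rules if _rule_matches(r, path, digest)]
    if any(r["kind"] == "black" for r in matched):
        return "block", "blacklisted"
    if any(r["kind"] == "white" for r in matched):
        return "allow", "whitelisted"
    for r in matched:
        if r["kind"] == "gray":
            start, end = r["window"]
            if user in r["users"] and start <= now <= end:
                return "allow", "graylist rule satisfied"
            return "block", "graylist rule not satisfied"
    if default_deny:
        return "block", "not on whitelist"
    return "allow", "no rule matched"


def run_control_test(rules, default_deny):
    """The evaluation from the text: try to run the benign test program as an
    ordinary user and report whether it was blocked (an alert should follow)."""
    verdict, reason = decide(r"C:\Temp\wordproc.exe", BENIGN_TEST_EXE,
                             "alice", "10:00", rules, default_deny)
    return verdict == "block", reason


if __name__ == "__main__":
    print("blacklist product:", run_control_test(RULES, True))
    whitelist_only = [r for r in RULES if r["kind"] != "black"]
    print("whitelist product:", run_control_test(whitelist_only, True))
```

The last call in the usage section is the failure mode the text warns about: a product configured as blacklist-only (`default_deny=False`) with no blacklist entry for the test program reports the program as allowed, which is exactly what the periodic test should surface.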
Critical Control 3: Secure configurations for hardware and software on laptops, workstations, and servers.
How do attackers exploit the lack of this control?
On both the Internet and internal networks that attackers have already compromised, automated computer attack programs constantly search target networks looking for systems that were configured with vulnerable software installed the way that it was delivered from manufacturers and resellers, thereby being immediately vulnerable to exploitation. Attackers attempt to exploit both network-accessible services and browsing client software using such techniques. The two possible defenses against these automated exploits are to ask every computer user to reconfigure systems to be more securely configured or to buy and install computer and network components with the secure configurations already implemented and to update these configurations on a regular basis. Despite a majority of agencies that still use the former approach, only the latter approach (i.e., updating configurations on a regular basis) is effective. Establishing and monitoring secure configurations provide the motivation to the agency to ensure systems are purchased with secure configurations baked in.
How can this control be implemented, automated, and its effectiveness measured?
1. QW: System images must have documented security settings, be approved by an agency change control board, and registered with a central image library for the agency or multiple agencies. Government agencies should negotiate contracts to buy systems configured securely out of the box using these images, which should be devised to avoid extraneous software that would increase their attack surface and susceptibility to vulnerabilities. These images should be validated and refreshed on a regular basis (such as every six months) to update their security configuration in light of recent vulnerabilities and attack vectors. The master images themselves must be stored on securely configured servers, with integrity checking tools and change management to ensure only authorized changes to the images are possible.
2. QW: Change factory default settings on hardware and software and implement network hardening procedures. This would typically include removal of unnecessary usernames and logins, as well as the disabling or removal of unnecessary services. Such hardening also involves, among other measures, applying patches, closing open and unused network ports, implementing intrusion detection systems and/or intrusion prevention systems, and firewalls.
3. QW: At least once per month, run assessment programs on a varying random sample of systems to measure the number that are and are not configured according to the secure configuration guidelines. Provide senior executives with charts showing the number of systems that match configuration guidelines versus those that do not match, illustrating the change of such numbers month by month for each organizational unit.
4. Vis/Attrib: Implement and test a vulnerability monitoring system to ensure it measures all secure configuration elements that can be measured through remote testing, using features such as those included with SCAP to gather configuration vulnerability information. Provide senior executives with charts showing the number of vulnerabilities identified, separated out for comparison based on organizational units.
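The monthly measurement in item 3 above, as an added example that is not part of the guidelines: a varying random sample of systems is checked against a secure-configuration baseline, and the result is tallied per organizational unit as matching versus non-matching counts, one tally per month, which is the data behind the executive chart the text asks for. The baseline settings, the fleet records and the unit names are assumptions constructed for the illustration; in practice the observed settings would come from an SCAP/XCCDF-capable assessment tool rather than from an inline dictionary.

```python
"""Monthly secure-configuration measurement (Critical Control 3, item 3):
sample systems, check each against the baseline, and summarize matching vs
non-matching counts per organizational unit, month by month.

Added illustration, not from the guidelines document. Baseline, fleet and
unit names are constructed for this example.
"""
import random
from collections import defaultdict

# Constructed baseline: setting name -> required value.
BASELINE = {
    "password_min_length": 12,
    "guest_account_enabled": False,
    "firewall_enabled": True,
    "auto_update": True,
}

# Constructed fleet: each host has an org unit and its observed settings.
FLEET = [
    {"host": "ws-101", "unit": "finance", "settings": {**BASELINE}},
    {"host": "ws-102", "unit": "finance",
     "settings": {**BASELINE, "guest_account_enabled": True}},
    {"host": "ws-201", "unit": "hr", "settings": {**BASELINE}},
    {"host": "ws-202", "unit": "hr",
     "settings": {**BASELINE, "password_min_length": 8}},
    {"host": "srv-01", "unit": "ops", "settings": {**BASELINE}},
    {"host": "srv-02", "unit": "ops",
     "settings": {k: v for k, v in BASELINE.items() if k != "auto_update"}},
]


def check_host(settings, baseline=BASELINE):
    """Baseline items the host fails; a setting that is absent counts as failing."""
    return [k for k, want in baseline.items() if settings.get(k) != want]


def sample_hosts(fleet, fraction, seed):
    """A varying random sample: a different seed each month gives a different sample."""
    rng = random.Random(seed)
    n = max(1, round(len(fleet) * fraction))
    return rng.sample(fleet, n)


def measure(hosts, baseline=BASELINE):
    """Per-unit counts of matching and non-matching systems for one run."""
    tally = defaultdict(lambda: {"match": 0, "nomatch": 0})
    for h in hosts:
        key = "match" if not check_host(h["settings"], baseline) else "nomatch"
        tally[h["unit"]][key] += 1
    return dict(tally)


def monthly_trend(fleet, months, fraction=1.0):
    """Run the measurement once per month label, seeding the sample by month
    index, and return {month: {unit: {match, nomatch}}}."""
    return {m: measure(sample_hosts(fleet, fraction, seed=i))
            for i, m in enumerate(months)}


if __name__ == "__main__":
    for month, units in monthly_trend(FLEET, ["2009-01", "2009-02"], 0.5).items():
        print(month, units)
```

Reporting the failing items per host (the `check_host` list) alongside the counts is what turns the chart into a remediation queue; the count alone tells executives the trend, the item list tells the unit what to fix.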
Procedures and tools for implementing this control:
Organizations can implement this control using commercial and/or free vulnerability scanning tools that evaluate the security configuration of machines and software. Some have also found commercial services using remotely managed scanning appliances to be effective as well. To help standardize the definitions of discovered vulnerabilities in multiple departments of an agency or even across agencies, it is preferred to use vulnerability scanning tools that measure security flaws and map them to vulnerabilities and issues categorized using one or more of the following industry-recognized vulnerability, configuration, and platform classification schemes and languages: CVE, CCE, OVAL, CPE, CVSS, and/or XCCDF. In addition, recent changes in licensing associated with popular free vulnerability scanners require users to pay for certain modules, blurring the line between free and commercial tools.
Advanced vulnerability scanning tools can be configured with user credentials to log in to scanned systems and perform more comprehensive scans than can be achieved without login credentials. For example, organizations can run scanners every week or every month without credentials for an initial inventory of potential vulnerabilities. Then, on a quarterly or semi-annual basis, the organization can run the same scanning tool with user credentials or a different scanning tool that supports scanning with user credentials to find additional vulnerabilities.
In addition to the scanning tools that check for vulnerabilities and misconfigurations across the network, various free and commercial tools can evaluate security settings and configurations of local machines on which they are installed. Such tools can provide fine-grained insight into unauthorized changes in configuration or the introduction of security weaknesses inadvertently by administrators.
Effective organizations link their vulnerability scanners with problem ticketing systems that automatically monitor and report progress on fixing problems and that make visible unmitigated critical vulnerabilities to higher levels of management to ensure the problems are solved.
Critical Control 4: Secure configurations of network devices such as firewalls, routers, and switches.
How do attackers exploit the lack of this control?
Attackers take advantage of the fact that network devices may become less securely configured over time as users demand exceptions for specific and temporary business needs, the exceptions are deployed, and those exceptions are not undone when the business need is no longer applicable. Making matters worse, in some cases, the security risk of the exception is never properly analyzed, nor is this risk measured against the associated business need. Attackers search for electronic holes in firewalls, routers, and switches and use those to penetrate defenses. Attackers have exploited flaws in these network devices to redirect traffic on a network (to a malicious system masquerading as a trusted system), and to intercept and alter information while in transmission. Through such actions, the attacker gains access to sensitive data, alters important information, or even uses one compromised machine to pose as another trusted system on the network.
How can this control be implemented, automated, and its effectiveness measured?
1. QW: Compare firewall, router, and switch configuration against standard secure configurations defined for each type of network device in use in the organization. The security configuration of such devices should be documented, reviewed, and approved by an agency change control board.
2. QW: At network interconnection points, such as Internet gateways, inter-agency connections, and internal network segments with different security controls, implement ingress and egress filtering to allow only those ports and protocols with a documented business need, monitor traffic flows looking for attacks using intrusion detection technology, and log each connection for a period of at least 30 days.
3. QW: Network devices that filter unneeded services or block attacks (including firewalls, network-based Intrusion Prevention Systems, routers with access control lists, etc.) should be tested under laboratory conditions with each given organization's configuration to ensure that these devices fail in a closed/blocking fashion under significant loads with traffic including a mixture of legitimate allowed traffic for that configuration intermixed with attacks at line speeds.
4. Config/Hygiene: All new configuration rules beyond a baseline hardened configuration that allow traffic to flow through network security devices, such as firewalls and network-based IPSs, should be documented with a specific business reason for the change, a specific individual's name responsible for that business need, and an expected duration of the need. At least once per quarter, these rules should be reviewed to determine whether they are still required from a business perspective. Expired rules should be removed.
5. Config/Hygiene: Periodically attempt to penetrate network devices by simulating attackers' actions against such devices. Such testing should occur from outside the network perimeter (i.e., the Internet or wireless frequencies around an agency) as well as from within its boundaries (i.e., on the internal network) to simulate both outsider and insider attacks.
6. Config/Hygiene: Network infrastructure devices should be managed using two-factor authentication and encrypted sessions.
7. Advanced: The network infrastructure should be managed across network connections that are separated from the business use of that network, relying on separate VLANs or preferably relying on entirely different physical connectivity for management sessions for network devices.
Procedures and tools for implementing this control:
Port scanners and most vulnerability scanning tools can be used to attempt to launch packets through the device, measuring all TCP and UDP ports. This measures the effectiveness of the firewall's configuration. A sniffer can be set up on the other side of the firewall to determine which packets are allowed through the device. The results of the test can be matched against the list of services that are allowed both inbound and outbound (defined through policy that should represent documented business needs for each allowed service), thereby identifying misconfigured firewalls. Such measurement should be conducted at least every quarter, and also when significant changes are made to firewall rule sets and router access control lists.
More effective organizations use commercial tools that evaluate the rule set of firewalls and routers with access control lists to determine whether they are consistent or in conflict, providing an automated sanity check of network filters and searching for errors in rule sets or ACLs that may allow unintended services through the device. Such tools should be run each time significant changes are made to firewall rule sets or router access control lists.
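The quarterly review in item 4 above and the rule-set sanity check and scan-versus-policy comparison described in the procedures, as one added example (not from the guidelines and not any commercial rule-analysis tool): a first-match-wins rule list carrying owner and expiry metadata is checked for expired exceptions, for later rules that an earlier rule fully covers (redundant when the actions agree, a conflict when they differ), and the set of ports a sniffer saw passing the device is compared with the documented allowed-service list. The rule set, dates, ports and observed-traffic values are assumptions constructed for the illustration.

```python
"""Firewall rule-set review (Critical Control 4, item 4 and procedures):
expired exception rules, shadowed or conflicting rules, and observed traffic
that policy does not document.

Added illustration, not from the guidelines document or any vendor tool.
Rules, dates and observed ports are constructed for this example.
"""
from datetime import date

# Constructed rule set in evaluation order (first match wins). Ports are
# inclusive (low, high) ranges; expires=None marks a permanent baseline rule.
RULES = [
    {"id": 10, "action": "allow", "proto": "tcp", "ports": (443, 443),
     "owner": "baseline", "reason": "public web", "expires": None},
    {"id": 20, "action": "allow", "proto": "tcp", "ports": (8000, 8100),
     "owner": "j.doe", "reason": "vendor demo", "expires": date(2009, 3, 1)},
    {"id": 30, "action": "allow", "proto": "tcp", "ports": (8080, 8080),
     "owner": "a.smith", "reason": "proxy pilot", "expires": date(2009, 9, 30)},
    {"id": 40, "action": "deny", "proto": "tcp", "ports": (8080, 8080),
     "owner": "baseline", "reason": "block alt-http", "expires": None},
    {"id": 99, "action": "deny", "proto": "any", "ports": (0, 65535),
     "owner": "baseline", "reason": "default deny", "expires": None},
]


def _as_date(d):
    return date.fromisoformat(d) if isinstance(d, str) else d


def _covers(outer, inner):
    """True when every packet matching 'inner' also matches 'outer'."""
    proto_ok = outer["proto"] == "any" or outer["proto"] == inner["proto"]
    return (proto_ok and outer["ports"][0] <= inner["ports"][0]
            and outer["ports"][1] >= inner["ports"][1])


def expired_rules(rules, today):
    """Ids of exception rules whose documented need has lapsed."""
    today = _as_date(today)
    return [r["id"] for r in rules
            if r["expires"] is not None and r["expires"] < today]


def remove_expired(rules, today):
    expired = set(expired_rules(rules, today))
    return [r for r in rules if r["id"] not in expired]


def shadowed_rules(rules):
    """(shadowed_id, shadowing_id, 'redundant'|'conflict') for every rule an
    earlier rule fully covers; a 'conflict' means the operator's intent for
    that rule is never applied."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, later):
                kind = "redundant" if earlier["action"] == later["action"] else "conflict"
                found.append((later["id"], earlier["id"], kind))
                break
    return found


def effective_action(rules, proto, port):
    """What the device does with one packet under first-match semantics."""
    for r in rules:
        if r["proto"] in ("any", proto) and r["ports"][0] <= port <= r["ports"][1]:
            return r["action"]
    return "deny"


def unintended_services(observed_open, policy_allowed):
    """Ports a scan saw passing the device that the allowed-service policy
    does not document: the misconfigurations the quarterly test looks for."""
    return sorted(set(observed_open) - set(policy_allowed))


if __name__ == "__main__":
    today = date(2009, 6, 1)
    print("expired:", expired_rules(RULES, today))
    print("shadowed before cleanup:", shadowed_rules(RULES))
    print("shadowed after cleanup:", shadowed_rules(remove_expired(RULES, today)))
    # Constructed scan result versus constructed policy list.
    print("unintended:", unintended_services([443, 8080, 3389], [443, 8080]))
```

Note the second shadow check in the usage section: removing the expired vendor-demo rule exposes a new conflict between rules 30 and 40, so the sanity check has to be rerun after every cleanup, which is the "each time significant changes are made" cadence the text prescribes.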
Critical Control 5: Boundary Defense
How do attackers exploit the lack of this control?
Attackers target Internet-facing systems because they are accessible. They use weaknesses they find there as jumping-off points to get inside the boundary to steal or change information or to set up persistent presence for later attacks. Additionally, many attacks occur between business partner networks, sometimes referred to as extranets, as attackers hop from one organization's network to another, exploiting vulnerable systems on extranet perimeters.
Boundary defenses to stop these types of attack have multiple dimensions: all Internet and extranet traffic passes through managed, authenticated proxies, a DMZ is employed that is separated from internal systems either physically or through tightly monitored filtering, and securely configured firewalls and intrusion detection systems are deployed at each gateway.
How can this control be implemented, automated, and its effectiveness measured?
The boundary defenses included in this control build on the network element hardening described in Critical Control 4 above, with these additional recommendations focused on improving the overall architecture and implementation of both Internet and internal network boundary points. Internal network segmentation is central to this control because once inside a network, intruders target the most sensitive machines. Usually, internal network protections are not set up to defend against an internal attacker. Setting up even a basic level of security segmentation across the network and protecting each segment with a proxy and a firewall will greatly reduce the intruder's access to the other parts of the network.
Enhance network access controls in conjunction with authentication controls to deter propagation through the network from business unit to business unit. Add layers of network protection to critical services on the network, creating a layered access path using application authentication and network segmentation. Implement internal ACLs, internal proxies and firewalls to limit access to these areas. This will deter the intruders from gaining unauthorized access to these areas and could limit their activity altogether.
1. QW: Deploy IDS sensors on Internet and extranet DMZ systems and networks that look for unusual attack mechanisms and detect compromise of these systems. These sensors should be configured to record at least packet header information, and preferably full packet header and payloads of the traffic passing through the network border.
2. Vis/Attrib: Define a network architecture that clearly separates internal systems from DMZ systems and extranet systems. DMZ systems are machines that need to communicate with the internal network as well as the Internet, while extranet systems are systems whose primary communication is with other systems at a business partner.
3. Vis/Attrib: Design and implement network perimeters so that all outgoing web, ftp, and ssh traffic to the Internet must pass through at least one proxy on a DMZ network. The proxy should support logging individual TCP sessions; blocking specific URLs, domain names, and IP addresses; and being able to be configured with whitelists of allowed sites to be accessed through the proxy.
4. Vis/Attrib: Require all remote access (including VPN, dial-up, and other forms) to use two-factor authentication.
5. Config/Hygiene: Conduct periodic penetration tests against DMZs from the Internet to determine whether the attacks are detected and/or thwarted.
6. Config/Hygiene: Periodically scan for back-channel connections to the Internet that bypass the DMZ.
7. Config/Hygiene: To limit access by an insider or malware spreading on an internal network, organizations should devise internal network segmentation schemes to limit traffic to only those services needed for business use across the internal network.
8. Config/Hygiene: Organizations should develop plans for rapidly deploying filters on internal networks to help stop the spread of malware or an intruder.
9. Advanced: Force outbound traffic to the Internet through an authenticated proxy server on the enterprise perimeter. Most organizations already use domain authentication to traverse these routes, and could implement additional authentication through external proxy servers that require a daily password.
10. Advanced: To help identify covert channels exfiltrating data through a firewall, built-in firewall session tracking mechanisms included in many commercial firewalls should be configured to identify long-term TCP sessions that last over one hour, alerting personnel about the source and destination addresses associated with these long-term sessions.
11. Advanced: Require all authentication, both internal and external, to use two-factor authentication.
Procedures and tools for implementing this control:
One element of this control can be implemented using free or commercial intrusion detection systems (IDSs) and sniffers to look for attacks from external sources directed at DMZ and internal systems, as well as attacks originating from internal systems against the DMZ or Internet. Security personnel should regularly test these sensors by launching vulnerability scanning tools against them to verify that the scanner traffic triggers an appropriate alert. The captured packets of the IDS sensors should be reviewed using an automated script each day to ensure that log volumes are within expected parameters and that the logs are formatted properly and have not been corrupted.
Additionally, packet sniffers should be deployed on DMZs to look for HTTP traffic that bypasses HTTP proxies. By sampling traffic regularly, such as over a 3-hour period once per week, information security personnel search for HTTP traffic that is neither sourced by nor destined for a DMZ proxy, implying that the requirement for proxy use is being bypassed.
To identify back-channel connections that bypass approved DMZs, effective network security personnel establish an Internet-accessible system to use as a receiver for testing outbound access. This system is configured with a free or commercial packet sniffer. Then, security personnel connect a sending test system to various points on the organization's internal network, sending easily identifiable traffic to the sniffing receiver on the Internet. These packets can be generated using free or commercial tools with a payload that contains a custom file used for the test. When the packets arrive at the receiver system, the source address of the packets should be verified against acceptable DMZ addresses allowed for the organization. If source addresses are discovered that are not included in legitimate, registered DMZs, more detail can be gathered by using a traceroute tool to determine the path packets take from the sender to the receiver system.
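The three measurement procedures above (long-term TCP sessions from item 10, the DMZ sniffer check for HTTP that bypasses the proxy, and the back-channel source-address verification) expressed as a script, added here as an illustration and not part of the draft. The session records, proxy addresses and DMZ ranges are constructed sample values.

```python
"""Added example (not from the draft): three Critical Control 5 checks run
over constructed session records.

Each record is (proto, src, sport, dst, dport, duration_seconds), as a
firewall or sniffer might export it. Addresses, the proxy list and the DMZ
range are invented sample values."""
import ipaddress
from datetime import timedelta

# Constructed inventory: approved DMZ proxies and registered DMZ ranges.
DMZ_PROXIES = {"203.0.113.10", "203.0.113.11"}
REGISTERED_DMZ = [ipaddress.ip_network("203.0.113.0/24")]
LONG_SESSION = timedelta(hours=1)   # the draft's one-hour threshold

# Constructed session records (proto, src, sport, dst, dport, seconds).
SESSIONS = [
    ("tcp", "10.1.4.25", 51234, "203.0.113.10", 8080, 45),    # via proxy
    ("tcp", "203.0.113.10", 40001, "198.51.100.7", 80, 30),   # proxy to Internet
    ("tcp", "10.1.4.26", 51500, "198.51.100.9", 80, 20),      # bypasses proxy
    ("tcp", "10.2.7.3", 49000, "198.51.100.44", 443, 7200),   # two-hour session
    ("udp", "10.2.7.3", 53001, "198.51.100.1", 53, 0),
]

def long_tcp_sessions(sessions, threshold=LONG_SESSION):
    """Item 10: TCP sessions lasting longer than the threshold, reported as
    (src, dst) pairs so personnel can follow up on them."""
    return [(s[1], s[3]) for s in sessions
            if s[0] == "tcp" and timedelta(seconds=s[5]) > threshold]

def proxy_bypass(sessions, proxies=DMZ_PROXIES, http_ports=(80, 8080)):
    """DMZ sniffer check: HTTP traffic neither sourced by nor destined for a
    DMZ proxy implies the proxy requirement is being bypassed."""
    return [(s[1], s[3], s[4]) for s in sessions
            if s[0] == "tcp" and s[4] in http_ports
            and s[1] not in proxies and s[3] not in proxies]

def unregistered_sources(seen_sources, dmz_ranges=REGISTERED_DMZ):
    """Back-channel test: source addresses seen at the Internet receiver
    that fall outside the registered DMZ ranges warrant a traceroute."""
    return [src for src in seen_sources
            if not any(ipaddress.ip_address(src) in net for net in dmz_ranges)]

if __name__ == "__main__":
    print("long sessions:", long_tcp_sessions(SESSIONS))
    print("proxy bypass:", proxy_bypass(SESSIONS))
    # Constructed addresses as they might be observed at the receiver.
    print("unregistered:", unregistered_sources(["203.0.113.10", "192.0.2.77"]))
```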
Critical Control 6: Maintenance, Monitoring and Analysis of Complete Audit Logs
How do attackers exploit the lack of this control?
Deficiencies in security logging and analysis allow attackers to hide their location, malicious software used for remote control, and activities on victim machines. Even if the victims know that their systems were compromised, without protected and complete logging records, the victim is blind to the details of the attack and to the subsequent actions taken by the attackers after they gained the initial foothold. Sometimes logging records are the only evidence of a successful attack. Many organizations keep audit records for compliance purposes but attackers rely on the fact that such organizations rarely look at the audit logs so they do not know that their systems have been compromised. Because of poor or nonexistent log analysis techniques, attackers sometimes control victim machines for months or years without anyone in the target organization knowing, even though the evidence of the attack has been recorded in unexamined log files.
How can this control be implemented, automated, and its effectiveness measured?
1. QW: Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include dates, timestamps, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression (CEE). If systems cannot generate logs in a standardized format, deploy log normalization tools to convert logs into a standardized format.
2. QW: Ensure that all systems which store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals.
3. QW: System administrators and security personnel should devise profiles of common events from given systems, so that they can tune detection of attacks by avoiding false positives, more rapidly identify anomalies, and avoid overwhelming analysts with alerts.
4. QW: All remote access to an internal network, whether through VPN, dial-up, or other mechanism, should be logged verbosely.
inventory assembled as part of Critical Control 1, to ensure that each managed item that is actively connected to the network is periodically generating logs.
Analytical programs for reviewing logs can be useful, but the capabilities employed to analyze audit logs are quite wide ranging, including just a cursory examination by a human. Actual correlation tools can make the logs far more useful for subsequent manual inspection by people. The measurements above do not require that correlation tools be deployed, given their cost and complexity, but such tools can be quite helpful in identifying subtle attacks. Such tools are not a panacea, however, and are not a replacement for skilled information security personnel and system administrators. Even with automated log analysis tools, human expertise and intuition are required to identify and understand attacks.
Critical Control 7: Application Software Security
How do attackers exploit the lack of this control?
Attacks against vulnerabilities in applications have been a top priority for criminal organizations since 2005. In that year the attackers focused on exploiting vulnerabilities in ubiquitous products such as anti-virus tools and backup systems. These attacks continue with new vulnerabilities in security products and in backup tools being discovered and exploited each week. A second, massive wave of application attacks began surging in late 2006 when the criminals went after custom-developed web, server, and workstation applications. They found fertile territory. In one attack, more than 1 million web servers were exploited and turned into infection engines for visitors to those sites. Trusted organizations in state governments, the United Nations, and similarly respected organizations infected hundreds or thousands of PCs, turning them into zombies. Many more web and non-web application attacks are emerging. On average more than 70 new vulnerabilities are found every week in commercial applications and many more are waiting to be found (or have already been exploited without public recognition) in custom applications written by programmers for individual sites in government, commercial, and private enterprises.
How can this control be implemented, automated, and its effectiveness measured?
1. QW: Test web and other application code for source code errors prior to deployment using automated source code analysis software, if source code is available. In particular, input validation and output encoding routines of application software should be carefully reviewed and tested.
2. QW: Test web applications for common security weaknesses using web application scanners prior to deployment and then no less often than weekly as well as whenever updates are made to the application.
3. Config/Hygiene: Verify that security is embedded in the application development life cycle of all applications.
4. Config/Hygiene: Protect web applications by deploying web application firewalls that inspect all traffic flowing to the web application for common web application attacks, including but not limited to Cross-Site Scripting, SQL injection, command injection, and directory traversal attacks. For applications that are not web-based, deploy specific application firewalls if such tools are available for the given application type.
Procedures and tools for implementing this control:
Source code testing tools, web application security scanning tools, and object code testing tools have proven useful in securing application software, along with manual application security penetration testing by testers who have extensive programming knowledge as well as application penetration testing expertise. The Common Weakness Enumeration (CWE) is utilized by many such tools to identify the weaknesses that they find. Organizations can also use CWE to determine which types of weaknesses they are most interested in addressing and removing. A broad community effort to identify the Top 25 Most Dangerous Programming Errors is available as a minimum set of important issues to investigate and address. When evaluating the effectiveness of testing for these weaknesses, the Common Attack Pattern Enumeration and Classification (CAPEC) can be used to organize and record the breadth of the testing for the CWEs as well as a way for testers to think like attackers in their development of test cases.
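The kind of input validation and output encoding defect that item 1 asks reviewers to look for, shown as a weak lookup beside its hardened form. This is an added illustration, not code from the draft; it uses Python's bundled sqlite3 and html modules on a constructed in-memory table.

```python
"""Added example (not from the draft): a deliberately weak user lookup next
to a hardened one, plus output encoding for the rendered result. The users
table and its rows are invented sample data."""
import html
import re
import sqlite3

def make_db():
    """Constructed sample table of users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, display_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "Alice <Admin>"), ("bob", "Bob")])
    return conn

def find_user_weak(conn, username):
    """Weak form: the request value is pasted into the SQL text, so a value
    containing a quote changes the query instead of being looked up."""
    sql = "SELECT display_name FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

# Allow-list pattern for the input: lowercase word of at most 32 characters.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_.-]{0,31}$")

def find_user_hardened(conn, username):
    """Hardened form: validate the input against the allow-list pattern,
    then bind it as a parameter so the database never treats it as SQL."""
    if not USERNAME_RE.match(username):
        return []
    sql = "SELECT display_name FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

def render_greeting(display_name):
    """Output encoding: escape a stored value before placing it in HTML so a
    name such as 'Alice <Admin>' is shown as text, not parsed as markup."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"

if __name__ == "__main__":
    db = make_db()
    print(find_user_weak(db, "alice"), find_user_hardened(db, "alice"))
    print(render_greeting(find_user_hardened(db, "alice")[0]))
```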
Critical Control 8: Controlled Use of Administrative Privileges
How do attackers exploit the lack of this control?
Two very common attacker techniques take advantage of uncontrolled administrative privileges. In the first, a workstation user is fooled into opening a malicious email attachment, downloading and opening a file from a malicious web site, or simply surfing to a web site hosting attacker content that can automatically exploit browsers. The file or exploit contains executable code that runs on the victim's machine. If the victim's computer is running with administrative privileges, the attacker can take over the victim's machine completely and install keystroke loggers, sniffers, and remote control software to find administrator passwords and other sensitive data. The second common technique used by attackers is elevation of privileges after using a vulnerable service or a guessed password to gain access to a server. If administrative privileges are loosely and widely distributed, the attacker has a much easier time gaining full control of the servers, because there are many more accounts that can act as avenues for the attacker to compromise administrative privileges. One of the most common of these attacks involves the domain administration privileges in large Windows environments, giving the attacker significant control over large numbers of machines and access to the data they contain.
How can this control be implemented, automated, and its effectiveness measured?
1. QW: Inventory all administrative passwords and validate (through automation) that each person with administrative privileges is authorized by a senior executive and that his/her administrative password has at least 12 semi-random characters, consistent with the Federal Desktop Core Configuration (FDCC) standard. In testing this control, also ensure that no administrator username/passwords (domain or local) are reused among systems and applications. In addition to the 12 or more character password, all administrative access should utilize two-factor authentication.
2. QW: Passwords for all systems should be stored in a hashed or encrypted format. Furthermore, files containing these encrypted or hashed passwords required for systems to authenticate users should be readable only with superuser privileges.
3. QW: Ensure that administrator accounts are used only for system administration activities, and not for reading email, composing documents, or surfing the Internet.
4. QW: Audit passwords to ensure previously used passwords are not being authorized for reuse within a certain timeframe (e.g., 6 months).
5. Vis/Attrib: Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior (e.g., system reconfigurations during night shift).
6. Config/Hygiene: Remote access directly to a machine should be blocked for administrator-level accounts. Instead, administrators should be required to access a system remotely using a fully logged and non-administrative account. Then, once logged into the machine without admin privileges, the administrator should transition to administrative privileges using tools such as sudo on Linux/UNIX, runas on Windows, and other similar facilities for other types of systems.
7. Config/Hygiene: Conduct targeted spear phishing attacks against both administrative personnel and non-administrative users to measure the quality of their defense against social engineering and to test whether they are using administrator privileges while reading email or surfing the Internet.
8. Config/Hygiene: Ensure all domain administrator accounts are accessible only with two-factor authentication.
9. Advanced: Segregate admin accounts based on roles (in policy). For example, Workstation admin accounts are the only admin accounts capable of logging into workstations, laptops, etc. Domain admin accounts are not allowed to log into workstations and are only allowed to log into servers. The benefit here is that the domain admin accounts (what the bad guys want) will not get cached on the workstations. This makes escalating to domain admin privileges much harder.
Procedures and tools for implementing this control:
Built-in operating system features can extract lists of accounts with superuser privileges, such as those in the administrators group on Windows machines and those with UID or GID 0 on Linux and Unix systems. In Active Directory environments, personnel can use Microsoft Group Policy to dump lists of such users from machines and domain controllers so that these accounts can be reconciled against an inventory of users with legitimate and approved needs for such access.
To verify that users with such high-privileged accounts do not use such accounts for day-to-day web surfing and email reading, security personnel periodically (often sampling weekly) can gather a list of running processes in an attempt to determine whether any browsers or email readers are running with high privileges. Such information gathering is often scripted, with short shell scripts running the ps command on Linux or the tasklist command on Windows, and analyzing its output for a dozen or more different browsers, email readers, and document editing programs. Some legitimate system administration activity may require the execution of such programs over the short term, but long-term or frequent use of such programs with administrative privileges could indicate that an administrator is not adhering to this control.
To enforce the requirement for password length (12 characters), built-in operating system features for minimum password length in Windows and Linux can be configured, which prevent users from choosing short passwords. To enforce password complexity (requiring passwords to be a string of pseudo-random characters), built-in Windows Group Policy configuration settings and Linux Pluggable Authentication Modules (PAM) can be employed.
Log analysis tools are used to look for logs indicating changes to system configuration that are not reconcilable with change management systems to identify alterations potentially made by an intruder.
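The two Linux/Unix checks described above (superuser accounts reconciled against an approved inventory, and browsers or mail readers running with high privileges in the ps output) as a script, added here as an illustration and not part of the draft. The passwd records, the ps output and the approved inventory are constructed sample input; on a live system they would come from /etc/passwd and ps.

```python
"""Added example (not from the draft): Critical Control 8 checks over
constructed input instead of a live system. PASSWD_SAMPLE imitates
/etc/passwd lines and PS_SAMPLE imitates `ps -eo user,pid,comm` output;
both are invented, as is the approved superuser inventory."""

# Constructed inventory of accounts approved for superuser access.
APPROVED_SUPERUSERS = {"root"}

# Constructed /etc/passwd-style records: name:x:uid:gid:gecos:home:shell
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jdoe:x:1001:1001:Jane Doe:/home/jdoe:/bin/bash
backupop:x:0:1002:Backup Operator:/home/backupop:/bin/bash
"""

# Constructed `ps -eo user,pid,comm` output.
PS_SAMPLE = """\
USER       PID COMMAND
root         1 init
root       842 sshd
root      1210 firefox
jdoe      1305 firefox
root      1322 thunderbird
jdoe      1400 libreoffice
"""

# Browsers, mail readers and editors that should not run with admin rights.
USER_PROGRAMS = {"firefox", "chrome", "chromium", "iexplore", "safari",
                 "thunderbird", "evolution", "outlook", "mutt",
                 "libreoffice", "soffice", "winword", "excel"}

def superuser_accounts(passwd_text):
    """Accounts with UID 0 or GID 0, the Linux/Unix criterion in the draft."""
    found = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, uid, gid = line.split(":")[:4]
        if uid == "0" or gid == "0":
            found.append(name)
    return found

def unapproved_superusers(passwd_text, approved=APPROVED_SUPERUSERS):
    """Superuser accounts that are not in the approved inventory."""
    return [n for n in superuser_accounts(passwd_text) if n not in approved]

def privileged_user_programs(ps_text, privileged, programs=USER_PROGRAMS):
    """Processes from the user-program list running under a privileged
    account, as (user, pid, command) tuples; the ps header row is skipped."""
    hits = []
    for line in ps_text.splitlines()[1:]:
        user, pid, comm = line.split(None, 2)
        if user in privileged and comm.lower() in programs:
            hits.append((user, int(pid), comm))
    return hits

if __name__ == "__main__":
    admins = set(superuser_accounts(PASSWD_SAMPLE))
    print("unapproved superusers:", unapproved_superusers(PASSWD_SAMPLE))
    print("privileged user programs:", privileged_user_programs(PS_SAMPLE, admins))
```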
Critical Control 9: Controlled Access Based On Need to Know
How do attackers exploit the lack of this control?
Once an attacker has penetrated a sensitive network, if users have access to all or most of the information, the attacker's job of finding and exfiltrating important information is greatly facilitated.
How can this control be implemented, automated, and its effectiveness measured?
1. QW: Verify that vulnerability testing of networks, systems, and applications is run no less than weekly. Where feasible, vulnerability testing should occur on a daily basis.
2. Config/Hygiene: Ensure vulnerability testing is performed in authenticated mode (i.e., configuring the scanner with administrator credentials) at least quarterly, either with agents running locally on each end system to analyze the security configuration or with remote scanners that are given administrative rights on the system being tested, to overcome limitations of unauthenticated vulnerability testing.
3. Config/Hygiene: Compare the results from back-to-back vulnerability tests to verify that vulnerabilities were addressed either by patching, implementing a compensating control, or by documenting and accepting a reasonable business risk. Such acceptance of business risks for existing vulnerabilities should be periodically reviewed as well, to determine if newer compensating controls or subsequent patches can address vulnerabilities that were previously accepted, or if conditions have changed increasing the risk.
4. Config/Hygiene: Chart the numbers of unmitigated, critical vulnerabilities, for each department/division and share the reports with senior management to provide effective incentives for mitigation.
5. Config/Hygiene: Measure the delay in patching new vulnerabilities and ensure the delay is equal to or less than the benchmarks set forth by the organization, which should be no more than a week for critical patches unless a mitigating control that blocks exploitation is available.
6. Advanced: Deploy automated patch management tools for all systems for which such tools are available and safe.
Procedures and tools for implementing this control:
Organizations can use vulnerability scanning tools, such as the free and commercial tools described in Critical Control #3.
Effective vulnerability scanning tools compare the results of the current scan with previous scans to determine how the vulnerabilities in the environment have changed over time. Security personnel use these features to conduct vulnerability trending from month to month.
As vulnerabilities related to unpatched systems are discovered by scanning tools, security personnel should determine and document the amount of time that elapsed between the public release of a patch for the system and the occurrence of the vulnerability scan. If this time window exceeds the organization's benchmarks for deployment of the given patch's criticality level, security personnel should note the delay and determine if a deviation was formally documented for the system and its patch. If not, the security team should work with management to improve the patching process.
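The back-to-back scan comparison (item 3) and the patch-delay measurement against benchmarks with documented deviations (item 5 and the paragraph above) as a script, added here as an illustration and not part of the draft. The finding ids, hosts, dates and the non-critical benchmark values are constructed; the seven-day critical benchmark is the one the draft states.

```python
"""Added example (not from the draft): scan-to-scan comparison and patch
delay measurement on constructed scan records. Finding ids, hosts, dates
and the high/medium benchmarks are invented; the critical benchmark of
seven days is taken from the draft."""
from datetime import date

# Organization benchmarks in days, by patch criticality level.
BENCHMARK_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Each finding: (host, finding_id, criticality, patch_release_date).
PREVIOUS_SCAN = {
    ("web01", "VULN-A", "critical", date(2009, 1, 5)),
    ("web01", "VULN-B", "high", date(2009, 1, 10)),
    ("db02", "VULN-C", "medium", date(2008, 12, 1)),
}
CURRENT_SCAN = {
    ("web01", "VULN-B", "high", date(2009, 1, 10)),
    ("db02", "VULN-C", "medium", date(2008, 12, 1)),
    ("db02", "VULN-D", "critical", date(2009, 2, 1)),
}
# Formally documented deviations (host, finding_id) accepted by management.
DOCUMENTED_DEVIATIONS = {("db02", "VULN-C")}

def compare_scans(previous, current):
    """Item 3: findings addressed since the last scan, findings that persist,
    and findings that are new, each as sorted (host, finding_id) pairs."""
    return {
        "addressed": sorted(f[:2] for f in previous - current),
        "persisting": sorted(f[:2] for f in previous & current),
        "new": sorted(f[:2] for f in current - previous),
    }

def patch_delays(scan, scan_date, benchmarks=BENCHMARK_DAYS,
                 deviations=DOCUMENTED_DEVIATIONS):
    """Item 5: days elapsed between patch release and a scan that still sees
    the finding; returns findings past their benchmark that have no
    documented deviation, as (host, finding_id, criticality, delay_days)."""
    overdue = []
    for host, fid, crit, released in sorted(scan):
        delay = (scan_date - released).days
        if delay > benchmarks[crit] and (host, fid) not in deviations:
            overdue.append((host, fid, crit, delay))
    return overdue

if __name__ == "__main__":
    print(compare_scans(PREVIOUS_SCAN, CURRENT_SCAN))
    print(patch_delays(CURRENT_SCAN, date(2009, 2, 23)))
```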
Critical Control 11: Dormant Account Monitoring and Control
How do attackers exploit the lack of this control?
Attackers frequently discover and exploit legitimate but inactive user accounts to impersonate legitimate users, thereby making discovery of attacker behavior difficult for network watchers. Accounts of contractors and employees who have been terminated have often been misused in this way. Additionally, some malicious insiders or former employees have accessed accounts left behind in a system long after contract expiration, maintaining their access to an organization's computing system and sensitive data for unauthorized and sometimes malicious purposes.
How can this control be implemented, automated, and its effectiveness measured?
1. QW: Regularly monitor the use of all accounts, automatically logging off users after a standard period of inactivity.
2. QW: Monitor account usage to determine dormant accounts that have not been used for a given period, such as thirty days, notifying the user or user's manager of the dormancy. After a longer period, such as sixty days, the account should be disabled.
3. QW: Match active employees and contractors with all accounts and disable accounts that are not assigned to active employees or contractors.
4. Vis/Attrib: Monitor attempts to access deactivated accounts through audit logging.
5. Config/Hygiene: Profile each user's typical account usage by determining normal time of day access and access duration for each user. Generate daily reports that indicate users who have logged in during unusual hours or have exceeded their normal login duration by 150%.
Procedures and tools for implementing this control:
A test account should be created every month, with very limited privileges so that it cannot access anything except public files on a system. No user should log into this test account. Any login activity to this test account should be investigated immediately. Automated software should check to ensure that the system generates a notice about such a test account after thirty days of non-use. Furthermore, an automated script should verify that the account has been disabled sixty days after the account was first created, notifying security personnel if the account has not been automatically disabled. At the end of this test interval, the first test account should be deleted, with a new limited test account created for the next round of automated checking.
Critical Control 12: Anti-Malware Defenses
How do attackers exploit the lack of this control?
Tens of thousands of viruses and other malicious code examples are circulating on the Internet either in email attachments or downloaded from web sites or through other means of delivery. Some malicious code actually turns anti-malware features off, giving the attacker's malware unfettered access to the system.
How can this control be implemented, automated, and its effectiveness measured?
1. QW: Monitor workstations, servers, and mobile devices for active, up-to-date anti-malware protection with anti-virus, anti-spyware, and host-based Intrusion Prevention System functionality. Enterprise administrative features should be used to check daily the number of systems that do not have the latest anti-malware signatures, keeping the number of such systems small or eliminating them entirely through rapid and continuous updates. All malware detection events should be sent to enterprise anti-malware administration tools and event log servers.
2. QW: Employ software auto-update features and/or have administrators manually push updates to all machines on a regular basis. After applying an update, set up systems to automatically verify the update status of a machine.
3. QW: Configure laptops, workstations, and servers so that they will not auto-run content from USB tokens (i.e., thumb drives), USB hard drives, or CDs/DVDs.
4. QW: Configure systems so that they conduct an automated anti-malware scan of removable media when it is inserted.
5. Config/Hygiene: New updates to the malware signature base of each anti-malware tool should be tested in a non-production environment to verify that it does not negatively impact systems before it is pushed to production machines.
6. Config/Hygiene: To verify that anti-malware solutions are running, periodically introduce a benign, non-spreading test case, such as the EICAR anti-virus test file, onto a system in the environment to ensure that it is detected by the anti-malware system, and that the detection is reported to the enterprise management system.
7. Advanced: Deploy honeypots or tarpits as detection mechanisms that can also slow down an attacker's progress inside a network.
Procedures and tools for implementing this control:
Relying on policy and user action to keep anti-malware tools up to date has been widely discredited; it doesn't work. To ensure anti-virus signatures are up to date, effective organizations use automation. They use the built-in administrative features of enterprise end-point security suites to verify that anti-virus, anti-spyware, and host-based IDS features are active on every managed system. They run automated assessments daily and review the results, to find and mitigate systems that have deactivated such protections, as well as systems that do not have the latest malware definitions. For added security in depth, and for those systems that may fall outside the enterprise anti-malware coverage, they use network access control technology that tests machines for compliance with security policy before allowing them to connect to the network.
On a regular basis, such as monthly, effective organizations download and test the free EICAR file to verify that anti-virus protection is functioning on a sampling of protected workstations and servers. Anti-malware tools should detect this benign file, and security personnel verify that the detection event is noted in enterprise monitoring and alerting systems.
Organizations can use commercial software update products on Windows and various free Linux software update tools to deploy patches and up-to-date versions of software throughout an environment. To verify that such software is successfully deployed, the update tool itself is run to check the version installed on a sample of enterprise systems. Other organizations use a commercial version checking tool to ensure that updates have been applied to systems.
Advanced: Some enterprises deploy free honeypot and tarpit tools to identify attackers in their environment, running this free software on low-cost hardware. Security personnel continuously monitor honeypots and tarpits to determine whether traffic is directed to them and account logins are attempted. When they identify such events, these personnel gather the source address from which this traffic originates for a follow-on investigation.
Critical Control 13: Limitation and Control of Ports, Protocols and Services
How do attackers exploit the lack of this control?
Attackers search for services that have been turned on and that can be exploited. Common examples are web servers, mail servers, file and print services, and DNS servers. Many software packages automatically install services and turn them on as part of the installation of the main software package without ever informing the user that the services have been enabled. Because the user does not know about the services, it is highly unlikely that the user will actively ensure the services are disabled if they are not being used or regularly patched if they are being used.
How can this control be implemented, automated, and its effectiveness measured?
1. QW: Network perimeters should implement both ingress and egress filtering, allowing only those services and protocols that have a defined, documented business need for the organization. A default-to-deny rule should be applied between firewalled networks, with only specific services allowed through.
2. Config/Hygiene: Host-based firewalls or port filtering tools should be applied on end systems, again with a default deny rule.
3. Config/Hygiene: Configuration and vulnerability testing tools should be tuned to compare services that are listening on each machine against a list of authorized services. The tools should be further tuned to identify changes over time on systems for both authorized and unauthorized services. Use government-approved scanning files to ensure minimum standards are met.
4. Config/Hygiene: Implement hardening recommendations from guidelines for underlying operating systems and installed applications, such as those found in mandatory STIG (Secure Technical Implementation Guides) requirements, NIST configuration guidelines, or Center for Internet Security hardening guides, if they exist for the given technology.
5. Config/Hygiene: Periodically, a secure version of an authorized service should be activated on a relatively unimportant system to verify that the change is flagged by the configuration and vulnerability testing tools in the environment.
Procedures and tools for implementing this control:
Port scanning tools are used to determine which services are listening on the network for a range of target systems. In addition to determining which ports are open, effective port scanners can be configured to identify the version of the protocol and service listening on each discovered open port. This list of services and their versions is compared against an inventory of services required by the organization for each server and workstation, in an asset management system, such as those described in Critical Control #1. Recently added features in these port scanners are being used to determine the changes in services offered by scanned machines on the network since the previous scan, helping security personnel identify differences over time.
To evaluate their scanning procedures, information security personnel often run a free network listening tool on a sample machine, configured simply to listen on a given TCP port associated with a common service, such as Secure Shell (TCP 22), HTTP (TCP 80), or SMB (TCP 445). Such tools are configured merely to listen and then respond when they see a connection request, without providing any useful function or service on the sampled machine, minimizing the exposure of this machine during the test. With this benign listener in place, the automated scanning functionality can be verified to ensure that it discovers the change with the new port listening in the environment.
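The comparison of listening services against an authorized inventory (item 3) and the scan-to-scan change detection described above, including the benign listener test on a sample machine, as a script added here as an illustration and not part of the draft. The scan line format, hosts, ports and inventory are constructed sample values, not the output of any particular scanner.

```python
"""Added example (not from the draft): Critical Control 13 checks over
constructed scan output. The line format 'host port/proto state service'
and every host, port and inventory entry are invented sample values."""

# Constructed authorized-service inventory per host: {(port, proto), ...}
AUTHORIZED = {
    "web01": {(22, "tcp"), (80, "tcp"), (443, "tcp")},
    "file02": {(22, "tcp"), (445, "tcp")},
    "test09": {(22, "tcp")},   # sample machine used for the benign listener
}

PREVIOUS_SCAN_TEXT = """\
web01 22/tcp open ssh
web01 80/tcp open http
web01 443/tcp open https
file02 22/tcp open ssh
file02 445/tcp open microsoft-ds
test09 22/tcp open ssh
"""

# Second scan: an unauthorized database listener appeared on web01 and the
# benign test listener was started on test09 port 445.
CURRENT_SCAN_TEXT = """\
web01 22/tcp open ssh
web01 80/tcp open http
web01 443/tcp open https
web01 3306/tcp open mysql
file02 22/tcp open ssh
file02 445/tcp open microsoft-ds
test09 22/tcp open ssh
test09 445/tcp open unknown
"""

def parse_scan(text):
    """Parse scan lines into {host: {(port, proto): service}}, keeping only
    open ports; malformed lines are skipped rather than guessed at."""
    listeners = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "open" or "/" not in parts[1]:
            continue
        host, portproto, _, service = parts
        port, proto = portproto.split("/", 1)
        listeners.setdefault(host, {})[(int(port), proto)] = service
    return listeners

def unauthorized_listeners(scan, authorized=AUTHORIZED):
    """Item 3: listeners absent from the host's authorized inventory. A host
    missing from the inventory has no authorized services at all."""
    return sorted((host, port, proto, svc)
                  for host, ports in scan.items()
                  for (port, proto), svc in ports.items()
                  if (port, proto) not in authorized.get(host, set()))

def scan_changes(previous, current):
    """Listeners that appeared or disappeared since the previous scan; the
    benign test listener must show up under 'added' for the scan to pass."""
    added, removed = [], []
    for host in sorted(set(previous) | set(current)):
        before = set(previous.get(host, {}))
        after = set(current.get(host, {}))
        added += [(host, *p) for p in sorted(after - before)]
        removed += [(host, *p) for p in sorted(before - after)]
    return {"added": added, "removed": removed}

if __name__ == "__main__":
    prev, cur = parse_scan(PREVIOUS_SCAN_TEXT), parse_scan(CURRENT_SCAN_TEXT)
    print("unauthorized:", unauthorized_listeners(cur))
    print("changes:", scan_changes(prev, cur))
```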
Critical Control 14: Wireless Device Control
How do attackers exploit the lack of this control?
One of the largest data thefts in history was initiated by an attacker sitting in a car in a parking lot and breaking through the organization's security perimeter by connecting wirelessly to an access point inside the organization. Other wireless devices accompanying travelling officials are being infected every day through remote exploitation during air travel or in a cyber café. Such exploited systems are then being used as back doors when they are reconnected to the network of a target organization. Still other organizations have reported the discovery of unauthorized wireless access points on their network, planted and sometimes hidden for unrestricted access to an internal network. Because they do not require direct physical connections, wireless devices are a convenient attack vector.
How can this control be implemented, automated, and its effectiveness measured?
1. QW: Ensure that each wireless device that is connected to the network matches an authorized configuration and security profile. Deny access to those wireless devices that do not.
2. QW: Ensure that all wireless access points are manageable using enterprise management tools. Access points designed for home use often lack such enterprise management capabilities, and should therefore not be used.
3. Vis/Attrib: Use wireless intrusion detection systems (WIDS) to identify rogue wireless devices and detect attack attempts and successful compromise. In addition to WIDS, all wireless traffic should be monitored by a wireline IDS as traffic passes into the wireline network.
4. Config/Hygiene: Configure wireless access on client machines to allow access only to authorized wireless networks. For devices that do not have an essential wireless business purpose, disable wireless access in the hardware configuration (BIOS or EFI), with password protections to lower the possibility that the user will override such configurations.
5. Config/Hygiene: Regularly scan for unauthorized or misconfigured wireless infrastructure devices, using techniques such as war driving to identify access points and clients accepting peer-to-peer connections. Such unauthorized or misconfigured devices should be removed from the network, or have their configurations altered so that they comply with the security requirements of the organization.
6. Config/Hygiene: Ensure all wireless traffic leverages at least AES encryption used with at least WPA2 protection.
7. Config/Hygiene: Ensure wireless networks use authentication protocols such as EAP/TLS or PEAP, which provide credential protection and mutual authentication.
8. Config/Hygiene: Ensure wireless clients use strong, multi-factor authentication credentials to mitigate the risk of unauthorized access from compromised credentials.
9. Config/Hygiene: Disable peer-to-peer wireless network capabilities on wireless clients, unless such functionality meets a documented business need.
10. Config/Hygiene: Disable Bluetooth wireless access of devices, unless such access is required for a documented business need.
11. Advanced: Configure all wireless clients used to access agency networks or handle organization data in a manner so that they cannot be used to connect to public wireless networks or any other networks beyond those specifically allowed by the agency.
Procedures and tools for implementing this control:
Effective organizations run commercial wireless scanning, detection, and discovery tools as well as commercial wireless intrusion detection systems. To evaluate the effectiveness of such tools, security personnel could periodically activate an isolated wireless access point, which has no physical or wireless connectivity to a production network, from within a building monitored by a WIDS device. The team should determine whether the alerting system is triggered by the test access point, and record the amount of time such detection required.
Additionally,thesecurityteamcouldperiodicallycapturewirelesstrafficfromwithinthe
bordersofafacilityandusefreeandcommercialanalysistoolstodeterminewhetherthe
wirelesstrafficwastransmittedusingweakerprotocolsorencryptionthantheorganization
mandates. Whendevicesthatarerelyingonweakwirelesssecuritysettingsareidentified,they
shouldbefoundwithintheorganizationsassetinventoryandeitherreconfiguredmore
securelyordeniedaccesstotheagencynetwork.
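As an added example (not part of the original document), the following Python script applies the checks of items 6 and 7 and the asset-inventory cross-check described above to a constructed wireless survey, and measures how long the WIDS took to alert on the isolated test access point. The survey records, WIDS alert records, inventory, BSSIDs and timestamps are all constructed; a real run would read a scanner export and the WIDS alert log instead. WPA3 and GCMP, which postdate this document, are accepted as meeting the "at least WPA2" bar.

```python
"""Wireless baseline checks over a constructed survey, plus a WIDS detection-time
measurement for the isolated test access point. Added example, not part of the
original document; every record, address and threshold below is an assumption."""
from datetime import datetime

# Constructed survey records, shaped like a wireless scanner export:
# proto is the security protocol, cipher the pairwise cipher, auth the key
# management the beacon advertises (EAP = 802.1X, PSK = pre-shared key).
SURVEY = [
    {"bssid": "00:11:22:33:44:01", "ssid": "CORP-WLAN", "proto": "WPA2", "cipher": "CCMP", "auth": "EAP"},
    {"bssid": "00:11:22:33:44:02", "ssid": "CORP-WLAN", "proto": "WPA2", "cipher": "TKIP", "auth": "EAP"},
    {"bssid": "00:11:22:33:44:03", "ssid": "GUEST",     "proto": "WPA",  "cipher": "TKIP", "auth": "PSK"},
    {"bssid": "00:11:22:33:44:04", "ssid": "CORP-WLAN", "proto": "WPA2", "cipher": "CCMP", "auth": "PSK"},
    {"bssid": "de:ad:be:ef:00:01", "ssid": "linksys",   "proto": "OPEN", "cipher": "NONE", "auth": "NONE"},
]
# Constructed asset inventory: the BSSIDs the organization knows it owns.
INVENTORY = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03", "00:11:22:33:44:04"}

MIN_PROTOCOLS = {"WPA2", "WPA3"}   # "at least WPA2"
AES_CIPHERS = {"CCMP", "GCMP"}     # AES-based pairwise ciphers; TKIP and WEP fail
EAP_AUTH = {"EAP"}                 # 802.1X/EAP (EAP-TLS, PEAP); PSK fails


def assess_ap(rec, inventory=INVENTORY):
    """Return the list of policy violations for one observed access point."""
    findings = []
    if rec["bssid"].lower() not in inventory:
        findings.append("BSSID not in asset inventory: possible rogue access point")
    if rec["proto"] not in MIN_PROTOCOLS:
        findings.append(f"{rec['proto']} is weaker than the WPA2 minimum")
    if rec["cipher"] not in AES_CIPHERS:
        findings.append(f"cipher {rec['cipher']} is not AES")
    if rec["auth"] not in EAP_AUTH:
        findings.append(f"authentication {rec['auth']} is not EAP-based")
    return findings


def assess_survey(records, inventory=INVENTORY):
    """Map each non-compliant BSSID to its findings; compliant APs are omitted."""
    report = {}
    for rec in records:
        findings = assess_ap(rec, inventory)
        if findings:
            report[rec["bssid"]] = findings
    return report


# Constructed WIDS alert log for the detection-time test.
TEST_BSSID = "02:00:00:00:aa:01"
ACTIVATED_AT = datetime(2009, 2, 23, 10, 0, 0)
WIDS_ALERTS = [
    {"time": datetime(2009, 2, 23, 9, 58, 0), "bssid": TEST_BSSID, "msg": "stale alert from an earlier run"},
    {"time": datetime(2009, 2, 23, 10, 0, 30), "bssid": "de:ad:be:ef:00:01", "msg": "rogue AP"},
    {"time": datetime(2009, 2, 23, 10, 2, 15), "bssid": TEST_BSSID, "msg": "unknown AP detected"},
    {"time": datetime(2009, 2, 23, 10, 9, 0), "bssid": TEST_BSSID, "msg": "unknown AP detected"},
]


def wids_detection_delay(test_bssid, activated_at, alerts):
    """Seconds from switching on the isolated test AP to the first WIDS alert
    naming its BSSID at or after activation, or None if the WIDS never alerted."""
    hits = [a["time"] for a in alerts
            if a["bssid"].lower() == test_bssid.lower() and a["time"] >= activated_at]
    return (min(hits) - activated_at).total_seconds() if hits else None


if __name__ == "__main__":
    for bssid, findings in assess_survey(SURVEY).items():
        print(bssid, "->", "; ".join(findings))
    print("WIDS detection delay (s):", wids_detection_delay(TEST_BSSID, ACTIVATED_AT, WIDS_ALERTS))
```

The inventory check is deliberately separate from the protocol checks: an access point can advertise perfect settings and still be a rogue, and a known-good asset can be downgraded by a configuration change, so both questions are answered for every BSSID. Alerts earlier than the activation time are ignored so a stale alert from a previous run cannot masquerade as detection.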
Critical Control 15: Data Leakage Protection
How do attackers exploit the lack of this control?
Attackers have exfiltrated more than 20 terabytes of often-sensitive data from Department of Defense and Defense Industrial Base (i.e., contractors doing business with the DoD) organizations. Yet, in most cases, the victims had no clue that huge amounts of sensitive data were leaving their site because they were not monitoring data outflows. The movement of data across network boundaries, both electronically and physically, must be carefully scrutinized to minimize its exposure to attackers.
How can this control be implemented, automated, and its effectiveness measured?
1. QW: Set up and enforce rules and policies regarding the use of social network sites, posting information on commercial web sites, and sharing account information, all of which could be useful for an attacker.
2. QW: Configure firewalls and proxies to enforce limits on the file sizes that can be transferred. Allow large file transfers only after prior registration with security personnel.
3. QW: Deny communications with (or limit data flow to) known malicious IP addresses (blacklists) or limit access to trusted sites (whitelists). Periodically, test packets from bogon source IP addresses should be sent into the network to verify that they are not transmitted through network perimeters. Lists of bogon addresses (unroutable or otherwise unused IP addresses) are publicly available on the Internet from various sources, and indicate a series of IP addresses that should not be used for legitimate traffic traversing the Internet.
4. QW: Develop and implement a "Data Protection Strategy" that defines procedural and technical mechanisms for protecting data at rest, data in use, and data in transit. Specific computer systems and networks housing sensitive data should be inventoried. To the extent possible, applications and systems should be designed to store data on protected servers, rather than on workstation or laptop machines.
5. Vis/Attrib: Network monitoring tools should analyze outbound traffic looking for a variety of anomalies, including large file transfers, long-lived persistent connections, unusual protocols and ports in use, and possibly the presence of certain keywords in the data traversing the network perimeter. More sophisticated analyses of network traffic, such as transfer ratios at the workstation level, should be used once government-wide analysis uncovers effective parameters for such analyses. Furthermore, network monitoring tools must have the ability to do immediate network forensics to confirm the nature of the anomalies and to serve as a tuning mechanism to refine anomaly tools.
6. Config/Hygiene: Data should be moved between networks using secure, authenticated, encrypted mechanisms.
7. Config/Hygiene: Data stored on removable, easily transported storage media, such as USB tokens (i.e., thumb drives), USB portable hard drives, and CDs/DVDs, should be encrypted. Systems should be configured so that all data written to such media is automatically encrypted without user intervention.
8. Advanced: Deploy an automated tool on network perimeters that monitors for certain keywords and other document characteristics to detect attempts to exfiltrate data in an unauthorized fashion across network boundaries, and that blocks such transfers while alerting information security personnel.
9. Advanced: Configure systems so that they will not write data to USB tokens or USB hard drives.
10. Advanced: Do not use account login names in users' email addresses.
Procedures and tools for implementing this control:
Periodically, such as once per quarter, information security personnel should run a script that purposely tries to trigger the data leak protection functionality deployed at network perimeters by sending innocuous data with characteristics (such as certain keywords, file size, or source address) to a test system located just outside the data leakage protection device and the firewall. These personnel should ensure that the attempted transfer was detected and an alert was generated, and should also investigate whether the transfer was successfully blocked.
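As an added example, not from the original document, the following Python code models the perimeter checks of items 2, 3, 5 and 8 above (file-size limits with prior registration, bogon source filtering, keyword inspection, and alerting on unusual protocols) over constructed flow records, and then runs the quarterly self-test just described. The policy values, the bogon subset, all addresses and all flow records are assumptions; the content field stands for the text the inspecting device sees after any proxy decryption. The self-test reports detection and blocking separately, because the text asks for both to be checked.

```python
"""Perimeter data-leakage checks over constructed outbound and inbound flow
records, plus the quarterly self-test. Added example, not from the original
document; policy values, addresses and flows are assumptions."""
import ipaddress

# Bogon prefixes: reserved or unroutable space that must never appear as a
# source address on traffic entering from the Internet. A subset of the
# well-known reserved blocks; a production filter pulls a maintained list.
# The documentation ranges 198.51.100.0/24 and 203.0.113.0/24 are left out
# because the flows below use them as stand-ins for public addresses.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
)]

POLICY = {
    "max_bytes": 50 * 1024 * 1024,                    # larger transfers need prior registration
    "registered": {("10.1.5.20", "203.0.113.10")},    # (src, dst) pairs registered with security
    "keywords": ("PROPRIETARY", "FOUO", "NOFORN"),    # markings that must not cross the perimeter
    "expected_protocols": {"HTTPS", "SFTP", "SMTP"},  # anything else is an anomaly worth an alert
}


def is_bogon(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGONS)


def evaluate_flow(flow, policy=POLICY):
    """Return {'id', 'action': 'allow'|'block', 'alerts': [...]} for one flow."""
    alerts, block = [], False
    if flow["direction"] == "inbound" and is_bogon(flow["src"]):
        alerts.append(f"bogon source {flow['src']} reached the perimeter")
        block = True
    if flow["direction"] == "outbound":
        pair = (flow["src"], flow["dst"])
        if flow["bytes"] > policy["max_bytes"] and pair not in policy["registered"]:
            alerts.append(f"unregistered transfer of {flow['bytes']} bytes to {flow['dst']}")
            block = True
        hits = [k for k in policy["keywords"] if k.lower() in flow["content"].lower()]
        if hits:
            alerts.append(f"keyword(s) {hits} in outbound content")
            block = True
        if flow["proto"] not in policy["expected_protocols"]:
            alerts.append(f"unusual protocol {flow['proto']} on port {flow['port']}")
    return {"id": flow["id"], "action": "block" if block else "allow", "alerts": alerts}


# Constructed flow records, as a perimeter monitor might summarize them.
FLOWS = [
    {"id": 1, "direction": "outbound", "src": "10.1.5.20", "dst": "203.0.113.10",
     "proto": "HTTPS", "port": 443, "bytes": 12_000, "content": "weekly status report"},
    {"id": 2, "direction": "outbound", "src": "10.1.5.21", "dst": "203.0.113.10",
     "proto": "HTTPS", "port": 443, "bytes": 800_000_000, "content": "backup.tar"},
    {"id": 3, "direction": "outbound", "src": "10.1.5.22", "dst": "198.51.100.7",
     "proto": "HTTP", "port": 8080, "bytes": 4_096, "content": "design notes FOUO do not distribute"},
    {"id": 4, "direction": "inbound", "src": "192.168.77.1", "dst": "10.1.5.20",
     "proto": "TCP", "port": 22, "bytes": 60, "content": ""},
    {"id": 5, "direction": "outbound", "src": "10.1.5.20", "dst": "203.0.113.10",
     "proto": "HTTPS", "port": 443, "bytes": 200_000_000, "content": "registered dataset"},
]


def exfil_self_test(policy=POLICY, test_host="203.0.113.10"):
    """Quarterly check: innocuous traffic shaped like a leak, aimed at a test
    system just outside the perimeter. Reports per probe whether an alert was
    raised and whether the transfer was blocked, since those are separate questions."""
    probes = {
        "keyword": {"id": "t1", "direction": "outbound", "src": "10.1.5.99", "dst": test_host,
                    "proto": "HTTPS", "port": 443, "bytes": 512,
                    "content": "TEST ONLY " + policy["keywords"][0]},
        "oversize": {"id": "t2", "direction": "outbound", "src": "10.1.5.99", "dst": test_host,
                     "proto": "HTTPS", "port": 443, "bytes": policy["max_bytes"] + 1,
                     "content": "zeros"},
        "bogon_source": {"id": "t3", "direction": "inbound", "src": "10.200.200.200",
                         "dst": "10.1.5.99", "proto": "TCP", "port": 80, "bytes": 60, "content": ""},
    }
    results = {}
    for name, flow in probes.items():
        verdict = evaluate_flow(flow, policy)
        results[name] = {"alerted": bool(verdict["alerts"]), "blocked": verdict["action"] == "block"}
    return results


if __name__ == "__main__":
    for f in FLOWS:
        print(evaluate_flow(f))
    print(exfil_self_test())
```

Flow 5 shows why the registration list matters: the same oversize transfer that blocks flow 2 is allowed once the source and destination pair has been registered with security personnel. The unusual-protocol rule only alerts, matching the text's distinction between anomalies that need forensic follow-up and transfers that are blocked outright.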
The following paragraphs identify additional controls that are important but that cannot be automatically or continuously monitored. It should be noted that these controls overlap to a greater degree than the ones in the previous section.
Critical Control 16: Secure Network Engineering
Many controls in this document are effective but can be circumvented in networks that are badly designed. Therefore a robust secure network engineering process must be deployed to complement the detailed controls being measured in other sections of this document. Among the engineering/architectural standards to be used are:
1. Config/Hygiene: To support rapid response and shunning of detected attacks, the network architecture and the systems that make it up should be engineered for rapid deployment of new access control lists, rules, signatures, blocks, black holes and other defensive measures required by US-CERT.
2. Vis/Attrib: All access of web sites on the Internet must occur through a perimeter that includes a firewall, IDS, web proxy, packet inspection, packet logging functionality and session reconstruction capabilities.
3. Vis/Attrib: DNS should be deployed in a hierarchical, structured fashion, with all client machines sending requests to DNS servers inside a government-controlled network and not to DNS servers located on the Internet. These internal DNS servers should be configured to forward requests they cannot resolve to DNS servers located on a protected DMZ. These DMZ servers, in turn, should be the only DNS servers that are allowed to send requests to the Internet.
4. Config/Hygiene: Each organization should standardize the DHCP lease information and time assigned to systems, and verbosely log all information about DHCP leases distributed in the organization.
Critical Control 17: Red Team Exercises
How do attackers exploit the lack of this control?
rapidly restore a system from backup, make sure that the operating system, application software, and data on a machine are each included in the overall backup procedure. These three components of a system do not have to be included in the same backup file or using the same backup software. However, each must be backed up at least weekly.
2. Config/Hygiene: Ensure that backups are encrypted when they are stored locally, as well as when they are moved across the network.
3. Config/Hygiene: Backup media, such as hard drives and tapes, should be stored in physically secure, locked facilities.
Procedures and tools for implementing this control:
Once per quarter, a testing team should evaluate a random sample of system backups by attempting to restore them on a test bed environment. The restored systems should be verified to ensure that the operating system, application, and data from the backup are all intact and functional.
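As an added example (not part of the original document), the following Python script is the kind of check a testing team would run on the test bed: at backup time it records a SHA-256 manifest of the files that make up each of the three components the control names (operating system, application, data), and after a restore it verifies each component separately, so a report can say which component is intact and which is not. It also checks the manifest's age against the weekly requirement. The component layout, file paths and dates are assumptions, and demo() builds a throwaway source tree and a deliberately damaged restore in a temporary directory so the script runs offline.

```python
"""Per-component verification of a restored backup against a hash manifest.
Added example, not from the original document; the component layout, paths
and dates are assumptions."""
import hashlib
import shutil
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Assumed layout of the backed-up machine, grouped by the three components the
# control names. Paths are relative to the backup root.
COMPONENTS = {
    "os": ["etc/hosts", "etc/ssh/sshd_config"],
    "application": ["opt/app/bin/server", "opt/app/conf/app.ini"],
    "data": ["srv/data/records.csv", "srv/data/index.db"],
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, components=COMPONENTS, created=None):
    """Hash every file of every component at backup time."""
    root = Path(root)
    created = created or datetime.now()
    return {
        "created": created.isoformat(),
        "components": {
            name: {rel: sha256_file(root / rel) for rel in paths}
            for name, paths in components.items()
        },
    }


def verify_restore(root, manifest):
    """Compare a restored tree against the manifest, one verdict per component."""
    root = Path(root)
    report = {}
    for name, files in manifest["components"].items():
        missing, modified = [], []
        for rel, digest in files.items():
            p = root / rel
            if not p.is_file():
                missing.append(rel)
            elif sha256_file(p) != digest:
                modified.append(rel)
        report[name] = {"ok": not missing and not modified, "missing": missing, "modified": modified}
    return report


def is_stale(manifest, now, max_age_days=7):
    """The control requires each component to be backed up at least weekly."""
    created = datetime.fromisoformat(manifest["created"])
    return now - created > timedelta(days=max_age_days)


def demo():
    """Build a constructed source tree, record its manifest, then 'restore' a copy
    with one data file corrupted and one OS file missing, and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        src, restored = Path(tmp, "src"), Path(tmp, "restored")
        for rel in (r for paths in COMPONENTS.values() for r in paths):
            f = src / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(f"contents of {rel}\n".encode())
        manifest = build_manifest(src, created=datetime(2009, 2, 16))
        shutil.copytree(src, restored)
        (restored / "srv/data/records.csv").write_bytes(b"truncated")
        (restored / "etc/hosts").unlink()
        report = verify_restore(restored, manifest)
        fresh = is_stale(manifest, datetime(2009, 2, 23))
        stale = is_stale(manifest, datetime(2009, 2, 24))
        return report, fresh, stale


if __name__ == "__main__":
    report, fresh, stale = demo()
    for name, verdict in report.items():
        print(name, "OK" if verdict["ok"] else f"FAILED missing={verdict['missing']} modified={verdict['modified']}")
    print("stale after 7 days:", fresh, "stale after 8 days:", stale)
```

Hashing is a necessary but not sufficient check: a restored system can be bit-for-bit correct and still fail to boot or start its services, so this verification sits alongside, not instead of, the functional test of the restored machine that the text calls for.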
Critical Control 20: Security Skills Assessment and Appropriate Training To Fill Gaps
The skills of five groups of people are constantly being tested by attackers:
1. End users are fooled into opening attachments and loading software from untrusted sites, visiting web sites where they are infected, and more.
2. System administrators are fooled like normal users but are also tested when unauthorized accounts are set up on their systems, when unauthorized equipment is attached, and when large amounts of data are exfiltrated.
3. Security operators and analysts are tested with new and innovative attacks with sophisticated privilege escalation, with redirection and other attacks, along with a continuous stream of more traditional attacks.
4. Application programmers are tested by criminals who find and exploit the vulnerabilities they leave in their code.
5. To a lesser degree, system owners are tested when they are asked to invest in cyber security but are unaware of the devastating impact a compromise and data exfiltration or data alteration would have on their mission.
Any organization that hopes to be ready to find and respond to attacks effectively owes it to their employees and contractors to find the gaps in their knowledge and to provide exercises and training to fill those gaps. A solid security skills assessment program can provide actionable information to decision makers about where security awareness needs to be improved, and can also help determine proper allocation of limited resources to improve security practices.
How can this control be implemented and its effectiveness measured?
1. QW: Develop security awareness training for various personnel job descriptions. The training should include specific, incident-based scenarios showing the threats an organization faces.
2. Config/Hygiene: Devise periodic security awareness assessment quizzes, to be given to employees and contractors on at least an annual basis, determining whether they understand the information security policies and procedures for the organization, as well as their role in those procedures.
3. Config/Hygiene: Conduct periodic exercises to verify that employees and contractors are fulfilling their information security duties, by conducting tests to see whether employees will click on a link from suspicious email or provide sensitive information on the telephone without following appropriate procedures for authenticating a caller.
Procedures and tools for implementing this control:
The key to upgrading skills is measurement: not with certification examinations, but with assessments that show both the employee and the employer where knowledge is sufficient and where the gaps are. Once the gaps are identified, those employees who have the requisite skills and knowledge can be called upon to mentor the employees who need skills improvement, or the organization can develop training programs that directly fill the gaps and maintain employee readiness.
SUMMARY
This document has been developed through the collaboration of a diverse set of security experts. While there is no such thing as absolute protection, proper implementation of the security controls identified in this document will ensure that an organization is protecting against the most significant attacks. As attacks change, as additional controls or tools become available, or as the state of common security practice advances, this document will be updated to reflect what is viewed by the collaborating authors as the most important security controls to defend against cyber attacks.
Appendix A: Initial mapping between CAG 097 control set and draft NIST SP 800-53 Rev 3, 2/9/2009
This mapping relays the SP 800-53 Rev 3 controls which accomplish the requirements called out in the CAG 097 control set. Note that for the most part, where the CAG 097 control set called for a requirement not currently in the draft for SP 800-53 Rev 3, an enhancement was added to the NIST draft to cover that requirement. Also note that the NIST controls may impose additional requirements beyond those explicitly stated in CAG 097.
CAG 097 Control | Related NIST SP 800-53 Rev 3 Controls
Critical Control 1: Inventory of authorized and unauthorized hardware | CM-1, CM-2, CM-3, CM-4, CM-5, CM-8, CM-9
Critical Control 2: Inventory of authorized and unauthorized software; enforcement of whitelists of authorized software | CM-1, CM-2, CM-3, CM-5, CM-7, CM-8, CM-9, SA-7
Critical Control 3: Secure configurations for hardware and software for which such configurations are available | CM-6, CM-7, CP-10, IA-5, SC-7
Critical Control 4: Secure configurations of network devices such as firewalls, routers, and switches | AC-4, CM-6, CM-7, CP-10, IA-5, RA-5, SC-7 (also related to assessment with SP 800-53A)
Critical Control 5: Boundary Defense | AC-17, RA-5, SC-7, SI-4 (also related to assessment with SP 800-53A)
Critical Control 6: Maintenance, Monitoring and Analysis of Complete Audit Logs | AU-1, AU-2, AU-3, AU-4, AU-6, AU-7, AU-9, AU-11, AU-12, CM-3, CM-5, CM-6, SI-4 (also related to assessment with SP 800-53A)
Critical Control 7: Application Software Security | AC-4, CM-4, CM-7, RA-5, SA-3, SA-4, SA-8, SA-11, SI-3
Critical Control 8: Controlled Use of Administrative Privileges | AC-6, AC-17, AT-2, AU-2
Critical Control 9: Controlled Access Based On Need to Know | AC-1, AC-2, AC-3, AC-6, AC-13 (also related to assessment with SP 800-53A)
Critical Control 10: Continuous Vulnerability Testing and Remediation | CA-2, CA-6, CA-7, RA-5, SI-2
Critical Control 11: Dormant Account Monitoring and Control | AC-2, PS-4, PS-5
Critical Control 12: Anti-Malware Defenses | AC-3, AC-4, AC-6, AC-17, AC-19, AC-20, AT-2, AT-3, CM-5, MA-3, MA-4, MA-5, MP-2, MP-4, PE-3, PE-4, PL-4, PS-6, RA-5, SA-7, SA-12, SA-13, SC-3, SC-7, SC-11, SC-20, SC-21, SC-22, SC-23, SC-25, SC-26, SC-27, SC-29, SC-30, SC-31, SI-3, SI-8
Critical Control 13: Limitation and Control of Ports, Protocols and Services | AC-4, CM-6, CM-7, SC-7 (also related to assessment with SP 800-53A)
Critical Control 14: Wireless Device Control | AC-17
Critical Control 15: Data Leakage Protection | AC-2, AC-4, PL-4, SC-7, SC-31, SI-4
Critical Control 16: Secure Network Engineering | AU-8, CA-2, CA-6, CM-7, SA-8, SC-7, SC-22
Critical Control 17: Red Team Exercises | CA-2, CA-6
Critical Control 18: Incident Response Capability | IR-1, IR-2, IR-3, IR-4, IR-5, IR-6, IR-7, SI-5
Critical Control 19: Disaster Recovery Capability (control is TBD, still under development) | CP-1, CP-2, CP-3, CP-4, CP-6, CP-7, CP-8, CP-9, CP-10 (likely, based upon the CAG 097 control title)
Critical Control 20: Security Skills Assessment and Appropriate Training To Fill Gaps | AT-2, AT-3, AT-4