
The Practical Guide to
Critical Security Controls


Frameworks and Practicality

IT decision makers must prioritize their investments of time and money in order to meet the evolving needs of their constituencies. Failing to plan is planning to fail and the only way to strengthen a muscle is to use it (cat poster slogans apply nicely to data security).

Clichés aside, checklists and management models are useful tools for planning and guiding prioritization, even though such tools frequently appear either too cumbersome or too abstract. In order to improve your ability to defend against and respond to threats, you must be proactive and systematic, drawing from published best practices as well as from the needs of the business that you serve.

Critical Security Controls

We have written previously about security frameworks, including The Four Pillars of Endpoint Security. While we favor the brevity of the Four Pillars, it is relatively high-level and strategic.

One example of a more tactical IT security model is the CIS Critical Security Controls (originally published by SANS; the twenty controls below follow the version 6 numbering). These controls are publicized as taking "the best-in-class threat data and transforming it into actionable guidance." They are indeed useful, but can come across as another abstract, academic exercise. For practitioners, it is helpful to restate these security controls in plain language, with examples and references to real-world business needs.

1. Inventory of Authorized and Unauthorized Devices

Control is impossible without inventory. But knowing what is on the network, and defining what should be on the network, are separate problems. Regarding what should be, will you keep a whitelist of what's allowed to access your assets, or a blacklist of what's not? A whitelist is the stronger position: anything not on it is unknown by definition.

Regarding what actually is on the network, and what (and who) is accessing sensitive resources, it's rarely what should be. This fact, and the compliance gap it represents, can create a perverse incentive to ease up on security hardening so that the gap looks smaller. Don't give in to the pressure.
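The reconciliation step described above, as an added example that is not part of the original newsletter: observed devices (here, a constructed DHCP lease dump and a constructed ARP table in the style of `arp -an`) are compared against a constructed authorized inventory keyed by MAC address, reporting devices present but not authorized, and devices authorized but not seen. The field layouts are simplified assumptions, not any product's format.

```python
"""Reconcile observed network devices against an authorized inventory.

Added example, not from the original newsletter. The lease dump, ARP
table and authorized inventory are constructed sample data with
simplified layouts (assumptions for the example, not a product format).
Caveat: MAC addresses are trivially spoofed, so this is an inventory
check, not an authentication mechanism.
"""
import re
from dataclasses import dataclass

# Constructed authorized inventory: MAC -> (asset name, role).
AUTHORIZED = {
    "00:11:22:33:44:01": ("finance-ws-01", "workstation"),
    "00:11:22:33:44:02": ("fileserver-01", "server"),
    "00:11:22:33:44:03": ("printer-3f", "printer"),
}

# Constructed DHCP lease dump: mac, ip, client hostname.
DHCP_LEASES = """\
00:11:22:33:44:01 10.0.1.21 finance-ws-01
00:11:22:33:44:02 10.0.1.5  fileserver-01
aa:bb:cc:dd:ee:ff 10.0.1.99 android-8f3a2c
"""

# Constructed ARP table lines in the style of `arp -an`.
ARP_TABLE = """\
? (10.0.1.21) at 00:11:22:33:44:01 [ether] on eth0
? (10.0.1.5) at 00:11:22:33:44:02 [ether] on eth0
? (10.0.1.200) at de:ad:be:ef:00:01 [ether] on eth0
"""

ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.I)


@dataclass(frozen=True)
class Device:
    mac: str
    ip: str
    name: str  # empty when the source (ARP) carries no hostname


def parse_dhcp(text):
    """Parse 'mac ip hostname' lines into Device records."""
    devices = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            devices.append(Device(parts[0].lower(), parts[1], parts[2]))
    return devices


def parse_arp(text):
    """Parse `arp -an`-style lines into Device records (no hostname)."""
    devices = []
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            devices.append(Device(m["mac"].lower(), m["ip"], ""))
    return devices


def reconcile(observed, authorized):
    """Return (unknown, missing).

    unknown: observed devices whose MAC is not in the authorized inventory.
    missing: authorized MACs that were not observed by any source.
    The first observation of a MAC wins, so a DHCP record (with a hostname)
    is kept over a bare ARP record for the same device.
    """
    seen = {}
    for d in observed:
        seen.setdefault(d.mac, d)
    unknown = [d for mac, d in seen.items() if mac not in authorized]
    missing = [mac for mac in authorized if mac not in seen]
    return unknown, missing


def run_sample():
    """Run the reconciliation over the constructed data."""
    observed = parse_dhcp(DHCP_LEASES) + parse_arp(ARP_TABLE)
    return reconcile(observed, AUTHORIZED)


if __name__ == "__main__":
    unknown, missing = run_sample()
    for d in unknown:
        print(f"UNKNOWN  {d.mac} {d.ip} {d.name or '(no name)'}")
    for mac in missing:
        print(f"MISSING  {mac} {AUTHORIZED[mac][0]}")
```

Feed it more sources (switch MAC tables, 802.1X accounting, EDR check-ins) and the "missing" list becomes a useful signal of its own: an authorized server that has not been seen for a week may have been decommissioned without the inventory being updated.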

2. Inventory of Authorized and Unauthorized Software

Enterprise asset and purchasing managers have long struggled with the need to accurately count software licenses for end of year "true up". Inventory is just as critical for the IT organizations that consume technology as it is for the software companies that sell it.

For example, software patching is the number one low-hanging fruit when it comes to improving network defense. However, patching is impossible if you don't know what you're running, and a large share of the unpatched vulnerabilities that attackers actually exploit sit in third-party applications (browsers, plug-ins, document readers) rather than in the operating system.

Application inventory, not to mention application patching, is a difficult problem to solve in an automated way. But if attackers have a wide range of unpatched vulnerabilities to choose from when penetrating an organization, you'll be lucky to even learn about the penetration, let alone break out of the constant cycle of incident response.

3. Secure Configurations for Hardware and Software on Computers

The text in the original control references Mobile Devices, Laptops, Workstations, and Servers. However, even that list is deceptively terse. For example, Server scope must explicitly include the security configuration of every hosted virtual machine plus that of the physical host.

Regarding Mobile Devices, that category must include all hardware to which enterprise data is exposed. For example, a user might access corporate email via a shared kiosk in a public library. What assurances can be made about the integrity of an internet kiosk?

4. Continuous Vulnerability Assessment and Remediation

Network scanners such as Nessus and OpenVAS have been available for years and should be part of the regular assessment cycle of your network attack surface. Run them with credentials where you can: an unauthenticated scan sees only what the network exposes, while an authenticated scan sees the installed software and missing patches. Remember that the traditional corporate firewall is no longer an effective security boundary: data protection must be enforced at each resource.

5. Controlled Use of Administrative Privileges

Password reuse is a pervasive risk in our interconnected world, with implications ranging from consumer privacy on the internet to ease of attacker penetration into the digital crown jewels (M&A plans; recipe for Coca-Cola; etc.) on the corporate network.

Elevation of Privilege (EoP) is a class of attack that allows the bad guy to, for example, start with a compromised user account and end up with full sysadmin-level access. Common mistakes make this sort of EoP all too easy to accomplish:

  • Reusing local administrator, built-in, and service accounts with a static password that rarely changes. Such passwords are frequently written in scripts and on whiteboards and are known to people that are no longer employed by the organization.
  • Initiating administrative tasks from a computer that is also used for tasks such as reading email and surfing the internet.
  • Granting high-privileged account access to a large number of corporate users. A frequent cause of this is careless use of Active Directory security group membership assignments.
  • Allowing the use of static passwords at all for high-privilege accounts. This risk is difficult to mitigate, given that virtually every computer operating system defines an administrator or root account with a static password. Examine classes of computers to determine cases where that account can be disabled.
For more information about EoP, please see our recommendations on mitigating enterprise credential theft risk.
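The first and last bullets above (reused and static local administrator passwords) can be audited without ever handling the passwords themselves, because an unsalted NT hash is identical wherever the password is identical. The following is an added example, not code from the newsletter: it takes a constructed list of (host, account, NT hash, password-last-set) records of the kind an inventory agent could collect, groups hosts that share a hash, and flags passwords older than a chosen age. The first hash used is the publicly known NT hash of the string "password"; the rest are made up.

```python
"""Find reused and stale local administrator passwords across hosts.

Added example, not from the original newsletter. RECORDS is constructed
sample data; collecting real records requires privileged access to each
host's SAM, which is an assumption about your tooling. Because the NT
hash is unsalted (MD4 over the UTF-16LE password), equal hashes on two
hosts mean the same password on both.
"""
from collections import defaultdict
from datetime import date

# (host, account, nt_hash, last_set). 8846f7... is the well-known NT hash
# of "password"; the other hashes are made-up placeholders.
RECORDS = [
    ("ws-001", "Administrator", "8846f7eaee8fb117ad06bdd830b7586c", date(2013, 2, 1)),
    ("ws-002", "Administrator", "8846F7EAEE8FB117AD06BDD830B7586C", date(2013, 2, 1)),
    ("ws-003", "Administrator", "8846f7eaee8fb117ad06bdd830b7586c", date(2013, 2, 1)),
    ("srv-db-01", "Administrator", "a4f49c406510bdcab6824ee7c30fd852", date(2015, 9, 20)),
    ("srv-web-01", "svc_backup", "e19ccf75ee54e06b06a5907af13cef42", date(2012, 6, 15)),
]


def reused_hashes(records):
    """Map each NT hash that appears on more than one host to those hosts.

    Hashes are normalised to lower case so that case differences in how
    the collector rendered them do not hide a reuse.
    """
    by_hash = defaultdict(list)
    for host, _account, nt_hash, _last_set in records:
        by_hash[nt_hash.lower()].append(host)
    return {h: hosts for h, hosts in by_hash.items() if len(hosts) > 1}


def stale_passwords(records, today, max_age_days=90):
    """Return (host, account) pairs whose password is older than max_age_days."""
    return [
        (host, account)
        for host, account, _nt_hash, last_set in records
        if (today - last_set).days > max_age_days
    ]


def report(records, today, max_age_days=90):
    """Combine both checks into one findings dict for the sample."""
    return {
        "reused": reused_hashes(records),
        "stale": stale_passwords(records, today, max_age_days),
    }


if __name__ == "__main__":
    findings = report(RECORDS, date(2015, 12, 1))
    for nt_hash, hosts in findings["reused"].items():
        print(f"REUSED  {nt_hash} on {', '.join(hosts)}")
    for host, account in findings["stale"]:
        print(f"STALE   {host}\\{account}")
```

The interesting property is what a good state looks like: with per-host randomised local administrator passwords (Microsoft's LAPS does this for domain-joined Windows machines), `reused_hashes` returns an empty dict, and a single compromised workstation no longer yields a credential that works on every other workstation.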

6. Maintenance, Monitoring, and Analysis of Audit Logs

The signal to noise ratio of audit logs is very low. That the SIEM market is in transition is evidence of this, and there is considerable investment by the venture capital community in machine learning for network traffic and security log data. In the meantime, SIEM deployments are expensive to tune and require a great deal of tolerance for false positives — all the while risking the black eyes caused by false negatives.

This should not be construed as an excuse to skip this critical security control. An easy win, frequently overlooked by IT security, is to enable the logging of the most typical audit events (logon success and failure, privilege use, account and group changes) and to ensure that the logs are gathered centrally and retained for a period of time deemed suitable by governance. That way, when somebody does something bad, the audit trail is available for manual forensic analysis, and a simple query over it often finds what an untuned SIEM rule would have buried.
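One such query over retained logon events, as an added example that is not from the newsletter: a run of failed logons for one account from one source, followed shortly by a success, is the classic shape of a password-guessing attack that worked. The event IDs 4625 (logon failure) and 4624 (logon success) are the real Windows Security event IDs; the one-line text layout and the events themselves are constructed for the example.

```python
"""Sweep retained logon audit events for failed-then-successful logons.

Added example, not part of the original newsletter. SAMPLE_EVENTS is
constructed data in a simplified 'timestamp event_id account source'
layout (an assumption for the example); 4625 and 4624 are the real
Windows Security event IDs for logon failure and logon success.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = """\
2015-11-03T02:14:01 4625 jsmith 203.0.113.7
2015-11-03T02:14:03 4625 jsmith 203.0.113.7
2015-11-03T02:14:05 4625 jsmith 203.0.113.7
2015-11-03T02:14:06 4625 jsmith 203.0.113.7
2015-11-03T02:14:08 4625 jsmith 203.0.113.7
2015-11-03T02:14:11 4624 jsmith 203.0.113.7
2015-11-03T08:01:00 4625 adoe 10.0.1.21
2015-11-03T08:01:30 4624 adoe 10.0.1.21
"""

LOGON_FAILURE = 4625
LOGON_SUCCESS = 4624


def parse_events(text):
    """Parse the simplified event lines into (timestamp, id, account, source)."""
    events = []
    for line in text.splitlines():
        ts, eid, account, src = line.split()
        events.append((datetime.fromisoformat(ts), int(eid), account, src))
    return events


def suspicious_logons(events, threshold=5, window=timedelta(minutes=10)):
    """Return (account, source, failure_count, success_time) tuples.

    A hit is a success for (account, source) preceded by at least
    `threshold` failures for the same pair within `window`. Any success
    resets the failure history for that pair, so a user who mistypes once
    and then logs in is not reported.
    """
    failures = defaultdict(list)
    hits = []
    for ts, eid, account, src in sorted(events):
        key = (account, src)
        if eid == LOGON_FAILURE:
            failures[key].append(ts)
        elif eid == LOGON_SUCCESS:
            recent = [t for t in failures[key] if ts - t <= window]
            if len(recent) >= threshold:
                hits.append((account, src, len(recent), ts))
            failures[key].clear()
    return hits


def run_sample():
    return suspicious_logons(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for account, src, n, when in run_sample():
        print(f"{when.isoformat()} {account} from {src}: success after {n} failures")
```

The same loop keyed on source only (dropping the account from `key`) catches a password spray, where one source tries a few guesses against many accounts; the retained raw events are what make either question answerable after the fact.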

7. Email and Web Browser Protections

Browser plug-ins and extensions, such as ActiveX controls and Browser Helper Objects for Internet Explorer, are notorious vectors for malware infection. Java and Adobe Flash are two such plug-ins with less than stellar track records for security in the face of their considerable attack surface. And yet, given the pervasiveness of Java in enterprise IT, and of Flash on consumer internet websites, to attempt to block them outright is to fight a losing battle against usability.

Regarding email, research has shown that any typical group of users is practically guaranteed to fall victim to an email phishing campaign of reasonable sophistication. In other words, when an overseas hacking organization decides to attack you in this way, one of your users will open an infected attachment.

In both cases, the best defense is to enforce the use of patched software versions as soon as they are made available, and to block access to corporate data from any device that is running unpatched software.
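The inventory-to-patch link from control 2 and the "block unpatched devices" rule above come together in one check, shown here as an added example that is not from the newsletter. A constructed per-device software inventory is compared against a constructed table of minimum acceptable versions; the product names are real, but the version numbers are made up for the example and are not a patch advisory. The one subtlety worth seeing in code is version comparison: compared as strings, "1.8.0_9" sorts above "1.8.0_45", so versions are split into integer tuples first.

```python
"""Decide which devices are running software below a minimum patched version.

Added example, not from the original newsletter. INVENTORY and MINIMUM
are constructed; the version strings are assumed to be dotted/underscored
numeric components (e.g. '1.8.0_65', '19.0.0.245'), which is an
assumption about the inventory source, not a universal version grammar.
"""
import re

# Constructed minimum-acceptable versions per product (not an advisory).
MINIMUM = {
    "Java": "1.8.0_65",
    "Adobe Flash Player": "19.0.0.245",
    "Adobe Reader": "11.0.13",
}

# Constructed inventory: device -> {product: installed version}.
INVENTORY = {
    "ws-001": {"Java": "1.8.0_45", "Adobe Flash Player": "19.0.0.245"},
    "ws-002": {"Java": "1.8.0_65", "Adobe Reader": "11.0.13"},
    "ws-003": {"Adobe Reader": "11.0.9", "Adobe Flash Player": "18.0.0.232"},
}


def version_key(version):
    """Turn '1.8.0_45' into (1, 8, 0, 45) so comparison is numeric.

    Non-numeric fragments are dropped; tuples of different length compare
    component-wise, so (19, 0, 0) < (19, 0, 0, 245) as expected.
    """
    return tuple(int(p) for p in re.split(r"[._-]", version) if p.isdigit())


def unpatched(inventory, minimum):
    """Map device -> [(product, installed_version)] for anything below minimum.

    Products absent from `minimum` are ignored; products absent from a
    device are not reported (you cannot be unpatched on software you do
    not have, which is the inventory's job to get right).
    """
    findings = {}
    for device, software in inventory.items():
        below = [
            (product, installed)
            for product, installed in software.items()
            if product in minimum
            and version_key(installed) < version_key(minimum[product])
        ]
        if below:
            findings[device] = below
    return findings


def access_allowed(device, inventory, minimum):
    """Conditional-access decision: deny while anything is below minimum."""
    return device not in unpatched(inventory, minimum)


if __name__ == "__main__":
    for device, items in unpatched(INVENTORY, MINIMUM).items():
        detail = ", ".join(f"{p} {v}" for p, v in items)
        print(f"DENY  {device}: {detail}")
    for device in INVENTORY:
        if access_allowed(device, INVENTORY, MINIMUM):
            print(f"ALLOW {device}")
```

In practice the deny decision is enforced at the access point (VPN, mail, file shares) rather than computed in a script, but the logic is the same: the inventory says what is installed, the minimum table says what is acceptable, and a device fails closed on any shortfall.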

8. Malware Defenses

As with SIEM, traditional signature-based antivirus has largely been overcome by the sophistication of modern internet-based threat actors. In short, blacklisting doesn't work against focused attacks.

And yet, internet attack statistics tell two separate stories. While targeted attacks against large organizations favor the attacker, the majority of remote software exploits take advantage of known vulnerabilities for which a patch is available. Antivirus and patching still remove the bulk of the opportunistic attacks, which leaves your people and tooling free to concentrate on the targeted ones.

9. Limitation & Control of Network Ports, Protocols, and Services

At every network boundary between different levels of trust, firewalls need to be provided that deny by default and permit only the access required for a known business purpose. Each server that holds enterprise assets must have a host firewall enabled to perform the same sort of filtering operation, so that a compromised neighbor on the same segment gains nothing from proximity.

10. Data Recovery Capability

Business continuity is dependent on access to digital data. Critical data must be hidden from attackers and available to those with a need to know. For each mission-critical IT service, establish and test a Service Level Agreement encompassing redundancy, resilience, and recovery; a backup that has never been restored is an assumption, not a capability.

11. Secure Configurations for Network & other Hardware Devices

Anything more complicated than an unmanaged Ethernet switch is likely running the equivalent of a full operating system, with all of the attack surface and patching challenges that come with it.

The text of the SANS control references the configuration of Firewalls, Routers, and Switches. But note that all connected devices, including HVAC and physical access control hardware, are potential vectors.

12. Boundary Defense

For an earlier generation of IT folk, the internet/intranet perimeter was the primary control point. However, a huge volume and variety of data traverses that perimeter as HTTP traffic. Also, attacks such as phishing are highly effective and tend to bypass boundary defenses, including blacklist based content scanners. Most enterprises will find that a segmented internal network is required with access checks at each trust boundary.

13. Data Protection

Data needs to be protected both in transit and at rest. Encryption is one part of the solution, but it transfers the problem to controlling access to the key that decrypts the data. Nevertheless, there is a body of expertise and best practices for key management. The important step is to realize that encryption is not the solution; key management is.

14. Controlled Access Based on the Need to Know

The IT department won't understand the context of all business data well enough to manage access control with sufficient granularity. For example, it is not sufficient to know that a user wants access. Does the user need to know, given current job requirements? The only part of the organization that has both the knowledge and incentives to protect the data is the business unit that owns the data. Each business unit must have procedures in place for user onboarding, off-boarding, and data access management.

15. Wireless Access Control

This means more than WiFi; a variety of wireless transports are gaining prominence and there are many published vulnerabilities.

The first step is to be sure that all links have encryption enabled. The second step is to ensure that outdated encryption and authentication standards are blocked. If the enterprise offers network access to guest workers, or if some devices are not fully trusted, it may be necessary to create segregated networks for guest accounts. Note that a VLAN by itself is not an effective security boundary; it only becomes one when traffic between VLANs passes through a firewall that enforces the trust levels.

16. Account Monitoring and Control

This control refers primarily to the monitoring and lifecycle of network accounts. That's indeed important, and we've written about it above.

It's important to consider the human element, too. Before any user is given an enterprise account, there must be human resource evaluation as to the suitability of that person for the job function, and to the amount of responsibility entailed. The core competence model of the late 1990s notwithstanding, evaluation of suitability for a given job function is ultimately the responsibility of each business unit. As in the case of data access controls, above, each business unit must take ownership of the policies and procedures appropriate for the sensitivity and potential revenue impact of its data.

17. Security Skills Assessment & Appropriate Training to Fill Gaps

Every person that has access to sensitive data is a potential victim for social engineering, identity theft, and other targeted attacks. Ensure that people have the training needed to counter these risks.

18. Application Software Security

The BYOD trend means that users select the devices they use and the applications that run on those devices. Serving mobile devices means lots of internet-facing web applications. The number of attack points against enterprise data has exploded. However, IT security should rightly be asking whether the most sensitive business data should be exposed to all application and device classes.

19. Incident Response and Management

"Incident" has two meanings in an IT environment: catching the intrusion versus reacting to the intrusion. For the first meaning, provide tools and training to the staff that scans the network for intrusions. For the second meaning, assume breach, and ensure that you have designated responsibilities and procedures for incident response.

20. Penetration Tests and Red Team Exercises

For data that should be protected from release or modification for significant business reasons, it is advisable for someone skilled in the art of gaining access to test your defenses. Brief your staff in advance that (a) the intrusion will succeed, (b) they shouldn't take it personally, and (c) they should take it as a professional wake-up call.





Quote of the month

If you judge people, you have no time to love them.
- Mother Teresa -

Thank you for reading the JW Secure Informer

The JWSecure Informer is a bimonthly newsletter that can be sent directly to your inbox. Please add to your safe sender list. To subscribe, or contact Customer Care, use the links below.
This information has been organized and published by:
JW Secure, Inc.
1752 NW Market St. • Suite 227 • Seattle, WA 98107
© 2015 JW Secure, Inc. All Rights Reserved.