Control 1: A Framework for an Offense-informed Defense
As we discussed in our earlier blog post on the cybersecurity landscape and making sense of it, the banking industry has evolved and adapted its business in fundamental ways to mitigate the threats naturally encountered in day-to-day operations. This ranges from architectural changes to bank branches, to Know Your Customer (KYC) protocols, to electronic and information security controls. Very nearly no area of the banking business has been left unchanged by security threats over the years. We use this analogy because it is easy to understand. Once successful bank robbers were caught, agents of the Federal Bureau of Investigation and U.S. Secret Service persuaded them to help inform the defense of these critical institutions. They did this by learning how the robbers pulled off the heist and then passing those details on to the banking industry. Banks then adapted their defensive measures accordingly. Through a consistent and iterative approach, this method has led to the very successful detection, prevention, and hardening of banks of all sizes against a wide range of attacks. Modern cybersecurity often sounds like the early days of the banking industry: a sea of vendors, each with a product that is guaranteed* to stop a litany of attacks. Each year the claims are the same, and they often sound like an article that ran in the New York Times in 1862 advertising “Burglar-Proof Bank Safes”.
Does this sound like many modern cybersecurity product ads, comparing themselves to other ‘inferior’ products?
If we are to believe all of the marketing hyperbole, then the problem of modern-day hacking was solved a long time ago, as far back as 2012. The slide referenced here is an actual marketing slide from a major cybersecurity conference (the Black Hat Conference). It is but one example of a point-product vendor claiming that its product effectively “hack-proofs” a computer network and the systems therein.
I don’t believe that today any self-respecting or reasonably informed organization would post such a claim. The threats have become so numerous and complex that no single product can solve the entirety of the problem. Amongst the marketing-induced noise there remains a consistent methodology that is equally applicable in banking, financial services, manufacturing, and small business: the concept of an offense-informed defensive posture. The same way that banks have thwarted countless would-be robbers, so too can businesses safeguard their information systems.
Enter the 20 Critical Controls – 20 CSC
The 20 Critical Security Controls (20 CSC) were originally developed through the SANS Institute by a collaboration drawing on experience from academia, education, industry, government, and law enforcement. Building on the gold standard of technical security standards developed by the U.S. Government, the NIST SP 800 series, SANS combined government-derived information security guidance with real-life attacks on businesses of all sizes to inform appropriate defense. This effort formed the original list of 10, then 20, security controls. Over the years the list has evolved, but through these numerous revisions the concept hasn’t wavered: use offensive techniques and methods to better inform and equip detection and defense. Today, in an effort to make the 20 Critical Controls more actionable and objective, each control has been broken down into individual sub-controls. This structure delivers a smaller and more implementable set of security controls for businesses of all sizes and forms.
“The true power of the CIS Controls is not about creating the best list of things to do, it’s about harnessing the experience of a community of individuals and enterprises to make security improvements through the sharing of ideas, and collective action”
- Center for Internet Security, CIS Controls v.7 Introduction
The genius of the CIS Controls is that an entire community of thousands of individuals, representing all areas of business operations, contributes to form, refine, and update them. Through this effort, our collective defense can be informed by the combined experience of tens of thousands of representative attacks. The controls aren’t perfect, but they have been proven accurate and effective in over 92% of post-breach root cause analyses since 2015. Those are odds a business can act upon with a reasonable expectation of demonstrable value.
We’re going to start our journey through the controls with the first column: the ‘Basic’ controls. These are controls which every organization, regardless of size, that considers information (its own or its clients’, customers’, or partners’) an asset should adopt and meaningfully implement.
The organization of the sub-controls
Each sub-control is organized into vendor-agnostic (and largely technology-agnostic) security-functional categories. These categories communicate the intention behind each sub-control, i.e. why it exists. Each sub-control applies to one of: devices (computers, laptops, tablets, mobile phones, etc.), applications (software), users (humans or system accounts), the network (the plumbing and all devices therein), or data (information assets, at rest or in motion).
Critical Control #1
“Understanding what’s connected to your computer network.”
It seems like such a benign and obvious statement. Yet this practice, if properly implemented, can be one of the most effective at mitigating and hardening against an attack or data breach.
At its most basic level, this control dictates the establishment of different “zones of trust” throughout a computer network. It can be as simple as not permitting employees, clients, vendors, and/or guests to connect their own computer systems to the same network as the business computers. In more mature (and more defensive) implementation models, this control includes introducing technologies which require every device to first gain authorization from a central authority before being permitted onto the network. Taking effective action to both restrict and audit what is connected in each zone is informed by the sub-controls of Control 1.
Critical Control 1: Inventory and Control of Hardware Assets
| Sub-control | Applies to | Security Function (intention) | Sub-control Title | Description |
|---|---|---|---|---|
| 1.1 | Devices | Identify | Utilize an Active Discovery Tool | Utilize an active discovery tool to identify devices connected to the organization’s network and update the hardware asset inventory. |
| 1.2 | Devices | Identify | Utilize a Passive Asset Discovery Tool | Automatically detect and identify known (or unknown) devices using passive network communication monitoring. |
| 1.3 | Devices | Identify | Use DHCP Logging to Update Asset Inventory | Enable DHCP logging on all DHCP servers to record and validate DHCP requests against known devices. |
| 1.4 | Devices | Identify | Maintain Detailed Asset Inventory | Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization’s network or not. |
| 1.5 | Devices | Identify | Maintain Asset Inventory Information | Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the |
| 1.6 | Devices | Respond | Address Unauthorized Assets | Ensure that unauthorized assets are either removed from the network, quarantined, or the inventory is updated in a timely manner. |
| 1.7 | Devices | Protect | Deploy (Network) Port-Level Access Control | Utilize port-level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network. |
| 1.8 | Devices | Protect | Utilize Client Certificates to Authenticate Hardware Assets | Use client certificates to authenticate hardware assets connecting to the organization’s trusted network. |
Making application: Control 1
Control 1 requires that business network operators and administrators, at a minimum, use overlapping methods to (1) identify what is on their network(s), (2) understand what should be on those network(s), and (3) repeat these activities on a regular basis. As we progress from detection methods into response and ultimately prevention of unauthorized devices, Control 1 requires a central authority to permit (authorize) each and every device which connects to a business network. Furthermore, these devices must be authorized within the specific area (zone of trust) to which they are connecting. Sub-controls 1.7 and 1.8 provide overlapping coverage for this last protective measure.
Many small to mid-market organizations may look at this list and quickly become overwhelmed. We’ve seen it a thousand times, especially in smaller firms. The argument against deploying this type of control is often “we’re not large enough” or “we know everything on the network; it’s all in this one office”. Those environments are both the easiest to secure and the easiest to exploit. Meaningful adoption of Control 1 can range from a centrally documented list of every device (phone, laptop, computer, workstation, server, IP camera, etc.) which is permitted to connect to the network, followed by automated deviation analysis against that list (or persistent DHCP reservations in very small environments), up to something much more complicated.
For small single-site organizations, we recommend starting here:
- Enable DHCP logging.
  - Here’s how to accomplish this on Windows Servers.
- Collect the asset and technical details about each device on your network. Record this information centrally.
  - In small organizations, Belarc Advisor can provide this functionality.
  - Larger networks can utilize PowerShell or free/low-cost tools such as SysAid or Spiceworks to collect this information.
- Identify the zones of trust within your organization.
  - Do you have the right zones? Any zones? Define them and write down what differentiates each.
  - Ensure that physical and logical segmentation are in place between each zone.
  - No, that free “guest wifi” network provided by your ISP doesn’t cut it to keep visitors off of your network. Often those networks aren’t much more than an extension of your internal business network.
- Record the technical details of everything which must connect to each zone.
  - e.g. Employees’ and/or guests’ cell phones don’t need to connect to the internal wifi network.
- Use a log event monitoring tool, such as SolarWinds, Nagios, ManageEngine, etc., to send an alert when something new (a new MAC address) is issued a lease by your internal DHCP server(s).
- Perform automated scans of each network zone on a regular basis using a network scanning tool. Configure the tool to send an alert any time it sees something for the first time.
- Audit (really, actually audit) the list you collected in #2 at least quarterly. Make updating this list a required step in all technology acquisition and disposition activities.
Following these 5 steps will provide small organizations meaningful adoption of the key detection mechanisms specified by Control 1. Understanding what is and what should be on your network(s) is the first and most fundamental step in securing important business computer systems.
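As an added example (not code from the original post, nor a tool of Corporate Information Technologies), here is the deviation analysis that the DHCP-logging, asset-collection and alerting steps above describe: each DHCP lease event is compared against a central inventory that carries the fields from sub-control 1.5, and anything that is not an approved device is raised as an alert for handling under sub-control 1.6. The log lines and inventory are constructed, and the comma-separated layout is an assumption modelled on the Windows DHCP server audit log rather than a quote of one.

```python
import csv
import io
import re

# Constructed inventory keyed by MAC address, carrying the fields that
# sub-control 1.5 calls for plus whether the device is approved.
INVENTORY = {
    "00:11:22:33:44:55": {"name": "FIN-WS01", "owner": "J. Doe", "department": "Finance", "approved": True},
    "00:11:22:33:44:66": {"name": "LOBBY-CAM1", "owner": "Facilities", "department": "Facilities", "approved": True},
    "aa:bb:cc:dd:ee:01": {"name": "OLD-LAPTOP", "owner": "unassigned", "department": "IT", "approved": False},
}

# Constructed sample lines laid out like a Windows DHCP server audit log
# (ID,Date,Time,Description,IP,Host,MAC,...); assumed IDs: 10 = new lease, 11 = renewal.
SAMPLE_LOG = """\
10,06/01/20,08:15:22,Assign,10.0.10.50,FIN-WS01.corp.example,001122334455,
11,06/01/20,08:20:04,Renew,10.0.10.60,LOBBY-CAM1.corp.example,001122334466,
10,06/01/20,09:02:41,Assign,10.0.10.77,android-7f3a.corp.example,DEADBEEF0001,
10,06/01/20,09:10:09,Assign,10.0.10.81,OLD-LAPTOP.corp.example,AABBCCDDEE01,
"""

def normalize_mac(raw):
    """Turn '001122334455', '00-11-22-33-44-55' or '00:11:...' into 'aa:bb:cc:dd:ee:ff'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def classify_leases(log_text, inventory):
    """One verdict per lease event, compared against the inventory."""
    verdicts = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 7 or row[0] not in ("10", "11"):
            continue  # blank lines, header text and non-lease event IDs
        ip, host, mac = row[4], row[5].split(".")[0], normalize_mac(row[6])
        asset = inventory.get(mac)
        if asset is None:
            status = "unknown"         # sub-control 1.6: quarantine or add to inventory
        elif not asset["approved"]:
            status = "unapproved"      # inventoried, but never cleared to connect
        elif asset["name"].lower() != host.lower():
            status = "name-mismatch"   # known MAC presenting a different machine name
        else:
            status = "approved"
        verdicts.append({"mac": mac, "ip": ip, "host": host, "status": status})
    return verdicts

def alerts(log_text, inventory=INVENTORY):
    """Only the events that need a response: anything other than 'approved'."""
    return [v for v in classify_leases(log_text, inventory) if v["status"] != "approved"]
```

Run against the constructed log, the Android device (no inventory record) and the old laptop (inventoried but not approved) are the two events that need a response.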
Larger and more complex organizations also fall prey to the “not-us” trap. Commonly this manifests as: “The organization is too large”, “<insert department name here> does that for us”, “there are too many stakeholders”, and/or “that’s not in <insert department name here>’s charter or area of responsibility”. For larger organizations, or those which require an additional measure of deterrence and defense within Control 1, the use of standards-based network admission control technologies may be the best (and least expensive) way to meet this need. We pause to emphasize the use of standards-based network admission control technologies. Most commonly this means 802.1x, or “dot 1x”. Why do we emphasize this? Simply put, there are dozens of competing proprietary protocols and systems offering similar levels of functionality, and we recommend avoiding them because of the long-term cost of maintenance and ongoing compatibility. The benefits of utilizing 802.1x regularly outweigh the implementation costs. Most modern network equipment is 802.1x capable right out of the box. Additionally, most network systems which use Microsoft Windows or Linux as server platforms already have the capability to provide 802.1x port-based access control. Implementing such a system provides built-in detection, protection, and audit for each and every device which connects to the in-scope networks. Every device must first be registered and approved to access one or more network zones of trust. Unknown or unregistered devices, such as those used by visitors, can be automatically segregated and permitted to access only limited (often Internet-based) resources.
Critical Control 1 serves as the foundation on which many of the additional controls are built. It affords network administrators the ability to know and control which devices should be on their business computer networks. It also provides the means to detect and alert when a new or unknown device is introduced. Implementing Control 1 can be simply undertaken with free to low-cost software. The security benefits provided by Control 1 typically far outweigh the ongoing human cost of administering and responding to the systems required to meaningfully implement this control.
If you’re interested in diving deeper, we suggest beginning with quantifying risk in information systems. The seminal work of Andrew Baze in Risk Management using the Critical Controls provides an exceptional framework to understand this important topic.
Who is Corporate Information Technologies (CIT):
Corporate Information Technologies provides small to mid-market organizations with expert I.T. services including Critical Control centric Managed and Co-Managed technology services, information security policy creation & assessment, cybersecurity services, penetration tests, and comprehensive business continuity planning services. Corporate Information Technologies can help organizations maximize and optimize their technology systems while identifying and mitigating cybersecurity risks presented by those very systems.
Contact us to learn more and let us show you how good I.T. can be!