CIS Critical Security Controls: Technical Control Automation

Automating the Center for Internet Security’s 20 CSCs with Tenable SecurityCenter Continuous View™

June 21, 2016



Copyright © 2016. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc. SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners. 2

Table of Contents

Introduction ..... 3
What are the CIS Critical Security Controls? ..... 3
Tenable’s Solution ..... 4
    Account Monitoring and Control ..... 5
    Data Protection ..... 6
    Vulnerability Management ..... 7
    Secure Configuration ..... 8
    Hardware and Devices ..... 9
    Software and Applications ..... 9
    Logging and Monitoring ..... 9
    Foundational Cyber Hygiene ..... 10
About Tenable Network Security ..... 10
Appendix A: Tenable Solution for the CIS Critical Security Controls ..... 11


Introduction

This paper provides insight into how Tenable addresses the Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense (CSC) version 6.0. The CSCs are a recommended set of actions that provide specific and actionable protection against cyberattacks.

Specifically, this paper describes how Tenable SecurityCenter Continuous View™ (SecurityCenter CV™) can be leveraged to help meet the guidelines and practices outlined in the CSCs through automation of their technical controls. Organizations can use the CSCs to take a prioritized approach to selecting and deploying security controls. Because the CSCs are not intended to be a “one size fits all” approach, Tenable’s solution is scalable across all organizational sizes and can be adapted for specific use across multiple industries.

What are the CIS Critical Security Controls?

The CIS Critical Security Controls are 20 prioritized, vetted, and well-supported security actions to assess and improve cyber security. They were created, and are regularly reviewed and updated, by a collaboration of security experts from all types of organizations, roles, and sectors. The practical knowledge and contribution of these stakeholders to the CSCs ensure that control specifications will provide “the most effective and specific set of technical measures available to detect, prevent, respond, and mitigate damage from the most common to the most advanced of those attacks.”1 The CIS notes the controls’ five critical tenets for effective cyber defense:2

Offense informs defense: Use knowledge of actual attacks that have compromised systems to provide the foundation to continually learn from these events to build effective, practical defenses. Include only those controls that can be shown to stop known real-world attacks.

Prioritization: Invest first in Controls that will provide the greatest risk reduction and protection against the most dangerous threat actors and that can be feasibly implemented in your computing environment.

Metrics: Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quickly.

Continuous diagnostics and mitigation: Carry out continuous measurement to test and validate the effectiveness of current security measures and to help drive the priority of next steps.

Automation: Automate defenses so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to the Controls and related metrics.

A comprehensive summary of the requirements in all of the CSC controls and sub-controls is detailed in Appendix A with corresponding automation capabilities for technical controls provided by Tenable.

1 CIS Critical Security Controls, Version 6.0, p. 2.
2 Quoted from CIS Critical Security Controls, Version 6.0, p. 3.


Tenable’s Solution

SecurityCenter CV is a robust solution that addresses about 66% of the CSCs’ technical controls. SecurityCenter CV is also extremely powerful for communicating CSCs’ conformance results to many different internal and external stakeholders.

SecurityCenter CV is a comprehensive solution that utilizes active scanning, intelligent connectors, agent scanning, passive listening, and host data to provide continuous visibility and critical context, enabling decisive action. With advanced analytics, it gives you continuous assurance that your security program is working. Capabilities include:

Information on which assets are connected to the network and how they are communicating

Active monitoring of host activities and events, including who is accessing them and what is changing

Identification of previously unknown resources, changes in behavior, and new application usage

Near real-time metrics for continuous security and compliance

Correlation of real-time activity with the state-based vulnerability data

Security assurance using Tenable exclusive Assurance Report Cards™ (ARCs) that measure effectiveness of security investments

Highly customizable dashboards, reports, and workflows for rapid response

Communication of consolidated metrics

Trends across systems, services, and geographies

Controls team member permissions by role

Advanced analytics with actionable information and trending to prioritize events/alerts

The key features and functionality of SecurityCenter CV as they relate to automating the CSCs’ technical controls are described in the following sections.


Account Monitoring and Control

User account management, access control, and enforcement of least privilege are critical to effective information security practices. Without proper user account management, an organization may not know who has access to its assets, whether the old accounts of former employees are still active, and whether user passwords meet policy requirements. Without proper access control and enforcement of least privilege, users may inadvertently access information they should not access, change files, or install malware on the network. This increases the risk of network intrusion and compromise, insider activity, and data loss. Monitoring user access and least privilege, and taking appropriate action, are very important to protecting the organization.

Account Monitoring and Control is required by CSC 5 – Controlled Use of Administrative Privileges, and CSC 16 – Account Monitoring and Control. SecurityCenter CV addresses these controls via its Account Monitoring and Control dashboard. This dashboard provides components to assist an organization in identifying users, identifying users who have performed administrative actions, monitoring for account and credential vulnerabilities, and identifying any user access, password requirement, or least privilege compliance failures. The dashboard also provides components that allow an organization to monitor user access-related events and changes, such as first-time logons to a system, login failures due to expired passwords or disabled accounts, and privilege and group membership changes. Indicators for suspicious and anomalous user activity are also presented. Analysts can use this dashboard to easily drill down into the data presented and gain more detailed information.

[Figure: SecurityCenter Continuous View Dashboard for Account Monitoring and Control]
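The first-time-logon, stale-account and privilege-change indicators described above, as an added example (not Tenable's or SecurityCenter CV's code): a small stateful detector run over constructed audit events. The event field names, the `PRIVILEGED_GROUPS` set and the failure-reason strings are assumptions, not Tenable event formats.

```python
"""Added example (not Tenable's code): stateful account-monitoring detector.

Processes a constructed stream of authentication/audit events and raises the
kinds of indicators the Account Monitoring and Control section describes:
first-time logon of a user to a host, logon failures caused by expired
passwords or disabled accounts, and additions to privileged groups.
Event field names, PRIVILEGED_GROUPS and STALE_ACCOUNT_REASONS are assumptions.
"""
from dataclasses import dataclass, field

# Groups whose membership changes count as privilege changes (assumed list).
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "sudo", "wheel"}

# Failure reasons that point at stale or disabled accounts (assumed values).
STALE_ACCOUNT_REASONS = {"password_expired", "account_disabled"}


@dataclass
class Detector:
    # (user, host) pairs already observed; a pair seen before is not reported again.
    seen_logons: set = field(default_factory=set)

    def process(self, event: dict) -> list:
        """Return indicator strings for one event (empty list if nothing to report)."""
        kind = event.get("type")
        user = event.get("user", "?")
        host = event.get("host", "?")
        findings = []
        if kind == "logon_success":
            key = (user, host)
            if key not in self.seen_logons:
                self.seen_logons.add(key)
                findings.append(f"first_time_logon user={user} host={host}")
        elif kind == "logon_failure":
            reason = event.get("reason", "")
            if reason in STALE_ACCOUNT_REASONS:
                findings.append(
                    f"stale_account_failure user={user} host={host} reason={reason}")
        elif kind == "group_member_added":
            group = event.get("group", "")
            if group in PRIVILEGED_GROUPS:
                actor = event.get("actor", "?")
                findings.append(
                    f"privilege_change user={user} added_to={group} by={actor}")
        return findings


def run(events) -> list:
    """Feed every event through one Detector and collect all indicators in order."""
    det = Detector()
    out = []
    for e in events:
        out.extend(det.process(e))
    return out


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"type": "logon_success", "user": "alice", "host": "ws01"},
    {"type": "logon_success", "user": "alice", "host": "ws01"},      # repeat: silent
    {"type": "logon_success", "user": "alice", "host": "srv-db1"},   # new host: reported
    {"type": "logon_failure", "user": "bob", "host": "ws02", "reason": "password_expired"},
    {"type": "logon_failure", "user": "carol", "host": "ws02", "reason": "bad_password"},
    {"type": "group_member_added", "user": "dave", "group": "Domain Admins", "actor": "admin1"},
    {"type": "group_member_added", "user": "dave", "group": "Marketing", "actor": "admin1"},
]

if __name__ == "__main__":
    for line in run(SAMPLE_EVENTS):
        print(line)
```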


Data Protection

Data leakage can happen when organizations lose track of where sensitive data is stored, who has access to that data, and how sensitive data traverses the network. Financial information, payment card numbers, and personally identifiable information (PII) can be leaked both unintentionally and intentionally. Security incidents can increase the risk of identity theft, stolen account information, and exfiltration of sensitive internal data, which can be costly and damaging to an organization’s reputation and business. This dashboard can assist the organization in reducing data leakage, protecting sensitive data, and monitoring for related suspicious activity.

Data Protection is required by CSC 13 – Data Protection, and CSC 14 – Controlled Access Based on the Need to Know. SecurityCenter CV addresses these controls via its Data Protection dashboard.

The dashboard automatically collects and correlates input from several Tenable sensors. Passive listening analyzes data in motion and can detect sensitive data such as unencrypted credit card numbers and Social Security numbers traversing the network. These events, as well as events from Data Loss Prevention (DLP) systems, are forwarded to SecurityCenter CV. Active scans can identify vulnerabilities that could lead to data leakage. The dashboard presents all this information to assist the organization in detecting data exfiltration and securing sensitive data. Analysts can also use this dashboard to easily drill down and gain more detailed information.

[Figure: SecurityCenter Continuous View Dashboard for Data Protection]
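As an added illustration of the passive data-in-motion check described above (example code, not Tenable's), the following inspector scans a constructed plaintext payload for card numbers and Social Security numbers. The Luhn validation and the SSN range rules are the assumptions it uses to limit false positives; hits are reported masked so the detector itself does not re-leak the data.

```python
"""Added example (not Tenable's code): content inspector for unencrypted data in motion.

Scans a constructed plaintext payload for candidate payment card numbers and
US Social Security numbers. Card candidates must pass the Luhn checksum;
SSN candidates are dropped if they fall in ranges the SSA never issues.
Both rules are assumptions chosen to reduce false positives.
"""
import re

# 13 to 16 digits, optionally separated by spaces or dashes, not embedded in a longer run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,16}(?!\d)")
# AAA-GG-SSSS with the three groups captured for range checks.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values never issued: area 000, 666 or 9xx; group 00; serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def find_sensitive(text: str) -> list:
    """Return (kind, masked_value) tuples; only the last four digits are kept."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            hits.append(("ssn", "***-**-" + m.group(3)))
    return hits


# Constructed sample payload: an unencrypted form post as a passive sensor might see it.
# The card value is a well-known industry test number; the order id fails Luhn on purpose.
SAMPLE_PAYLOAD = (
    "POST /checkout HTTP/1.1\r\n\r\n"
    "name=J.+Doe&card=4111 1111 1111 1111&exp=12/27"
    "&ssn=123-45-6789&note=order+1234567890123"
)

if __name__ == "__main__":
    for kind, masked in find_sensitive(SAMPLE_PAYLOAD):
        print(kind, masked)
```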


Vulnerability Management

Vulnerable devices and applications on an organization's network pose a great risk. Vulnerabilities such as outdated software, susceptibility to buffer overflows, and risky enabled services are weaknesses in the network that could be exploited. Organizations that do not continuously look for vulnerabilities and proactively address discovered flaws are very likely to have their network compromised and their data stolen or destroyed.

Vulnerability Management is required by CSC 4 – Continuous Vulnerability Assessment and Remediation. SecurityCenter CV addresses this control via its Vulnerability Management dashboard. This dashboard provides a high-level overview of an organization's vulnerability management program and can assist the organization in identifying vulnerabilities, prioritizing remediations, and tracking remediation progress.

Analysts can also use this dashboard to easily drill down into the data presented by the dashboard components. This enables the analyst to gain more detailed information about the vulnerabilities found on the network, such as which vulnerabilities are the most dangerous. The analyst can also determine the root cause of vulnerabilities that are not patched within your corporate standard timeframes. This information might include on which hosts a vulnerability is found and what remediations would most benefit a particular group of machines. Knowing these details can enable better and more efficient vulnerability management, patching, and mitigation within the organization. This in turn will help the organization better protect itself from exploitation of network vulnerabilities, and from potential intrusions, attacks, and data loss.

[Figure: SecurityCenter Continuous View Dashboard for Vulnerability Management]
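The drill-down described above, as an added example that is not part of the original paper: given constructed scan findings, it flags those outside an assumed corporate remediation timeframe (`SLA_DAYS`, keyed by CVSS severity tier) and counts the overdue ones per host and per plugin so the root cause shows up. The severity cut-offs, SLA tiers, plugin names and dates are all constructed.

```python
"""Added example (not Tenable's code): remediation-timeframe tracking over findings.

Each finding carries a CVSS score, the host it was found on, the plugin that
reported it and the date it was first seen. Findings older than the assumed
SLA for their severity tier are returned with the number of days overdue, and
summarise() counts them per host and per plugin.
"""
from collections import Counter
from datetime import date

# Assumed corporate remediation timeframes in days, per severity tier.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def severity(cvss: float) -> str:
    """Map a CVSS base score to a severity tier (cut-offs are an assumption)."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def overdue_findings(findings, today: date) -> list:
    """Return the findings past their SLA, annotated with tier and days overdue."""
    out = []
    for f in findings:
        tier = severity(f["cvss"])
        age = (today - f["first_seen"]).days
        over = age - SLA_DAYS[tier]
        if over > 0:
            out.append({**f, "tier": tier, "days_overdue": over})
    return out


def summarise(overdue) -> tuple:
    """Count overdue findings per host and per plugin; the top entries are the root causes."""
    by_host = Counter(f["host"] for f in overdue)
    by_plugin = Counter(f["plugin"] for f in overdue)
    return by_host, by_plugin


# Constructed findings (hosts, plugin names, scores and dates are made up).
SAMPLE_FINDINGS = [
    {"host": "srv-web1", "plugin": "outdated-openssl", "cvss": 9.8, "first_seen": date(2016, 5, 1)},
    {"host": "srv-web2", "plugin": "outdated-openssl", "cvss": 9.8, "first_seen": date(2016, 6, 18)},
    {"host": "ws01", "plugin": "browser-plugin-eol", "cvss": 7.5, "first_seen": date(2016, 4, 1)},
    {"host": "ws01", "plugin": "smb-signing-disabled", "cvss": 5.0, "first_seen": date(2016, 1, 1)},
    {"host": "srv-db1", "plugin": "telnet-enabled", "cvss": 5.8, "first_seen": date(2016, 5, 20)},
]
TODAY = date(2016, 6, 21)   # constructed "now", matching the paper's date

if __name__ == "__main__":
    overdue = overdue_findings(SAMPLE_FINDINGS, TODAY)
    for f in overdue:
        print(f"{f['host']:10} {f['plugin']:22} {f['tier']:8} {f['days_overdue']:3}d overdue")
    hosts, plugins = summarise(overdue)
    print("worst hosts:", hosts.most_common(2))
    print("worst plugins:", plugins.most_common(2))
```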


Secure Configuration

Compliance and regulatory changes can be challenging for organizations to manage effectively. Not only do organizations have to keep systems updated with the latest patches, but systems also need to be hardened to reduce the attack surface. Default configurations for operating systems, applications, and devices tend to be geared for ease of use rather than security. If these systems are not locked down, attackers will find opportunities to exploit them. Hardening systems removes access to unnecessary services, software, and users, which helps to ensure the security of network systems.

Secure Configuration is required by CSC 3 – Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers, and CSC 11 – Secure Configurations for Network Devices. SecurityCenter CV addresses these controls via its Secure Configuration dashboard.

This dashboard reports the results of compliance scans across various compliance standards and network systems, in order to assist in the compliance and device hardening efforts of an organization. It can measure compliance using audit files that cover a wide range of major regulatory and other auditable standards, such as CIS benchmarks, HIPAA, NIST SP 800-53, PCI, STIGs, and more. Tenable provides over 450 audit files, available for download from the Tenable Support Portal, in categories such as operating systems, applications, databases, and network devices. Audit files can be customized if desired to match an organization’s security policy. For more information on using audit files, see the Nessus Compliance Checks paper.

The components on this dashboard present various views into the compliance scan results, providing an analyst with targeted information such as compliance results per standard, per device type, and per keyword. Analysts can easily drill down into the data presented by the dashboard components to gain more detailed information about the compliance checks. This might include the systems on which compliance failures were found, expected vs. actual policy values, and the specific sections of the various standards to which a compliance check relates. The organization can then use this information to apply hardening techniques and reduce the organization’s overall attack surface.

[Figure: SecurityCenter Continuous View Dashboard for Secure Configuration]


Hardware and Devices

As new technologies continue to advance, personal devices are increasingly found connected to enterprise networks. New or unknown devices on an organization's network can pose a great risk to the organization. Managing control of all network devices is critical to maintaining a secure environment.

This requirement for Hardware and Devices is in CSC 1 – Inventory of Authorized and Unauthorized Hosts, and CSC 9 – Limitation and Control of Network Ports, Protocols, and Services. SecurityCenter CV addresses these controls via its Devices and Ports dashboard.

Analysts can use this dashboard to easily drill down into the data presented by the dashboard components. Detailed information on devices and ports provides a starting point for determining which further steps are the most beneficial. This information can support more effective and efficient vulnerability management, patching, and remediation within the organization, in turn helping the organization better protect itself from exploitation of network vulnerabilities, potential intrusions, attacks, and data loss.

Software and Applications

Identifying when software is installed, changed, out of date, or contains malware is important in maintaining a secure environment. This information is required to assist in protecting organizations from unwanted or potentially dangerous applications, enabling better and more efficient vulnerability management, and identifying software and application vulnerabilities within the organization.

This functionality is required by CSC 2 – Inventory of Authorized and Unauthorized Devices, CSC 3 – Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers, CSC 7 – Email and Web Browser Protections, CSC 8 – Malware Defenses, and CSC 18 – Application Software Security. SecurityCenter CV addresses these controls via its Software and Applications dashboard.

This dashboard presents tables and indicators for events that identify when software is installed, changed, or removed. Unsupported applications, missing patches, browser checks, and malware checks are also identified. Software and application vulnerabilities present on a network can pose a risk to the organization. Evaluating and remediating software and application vulnerabilities is critical to maintaining a secure environment.

Analysts can use this dashboard to easily drill down into the data presented by the dashboard components. Detailed information on software and application vulnerabilities provides a starting point for determining which further steps are the most beneficial. This information can support more effective and efficient vulnerability management, patching, and remediation within the organization, in turn helping the organization better protect itself from exploitation of network vulnerabilities, potential intrusions, attacks, and data loss.

Logging and Monitoring

Monitoring of system logs is critical to reducing the potential for data compromise, as logs contain alerts, events, and historical data. This data provides details and information on logging and monitoring efforts, and can aid in improving vulnerability management and intrusion detection.

Logging and Monitoring is required by CSC 6 – Maintenance, Monitoring, and Analysis of Audit Logs, CSC 12 – Boundary Defense, and CSC 15 – Wireless Access Control. SecurityCenter CV addresses these controls via its Logging and Monitoring dashboard.


This dashboard presents tables and indicators for events that, if present on an organization's network, can pose risk to the organization. Analysts can also use this dashboard to easily drill down into the data, which provides detailed information on events including log sources, wireless events, bot-net activity, event spikes, and others. Each of the indicators on this dashboard provides a starting point for determining any further steps that are required to identify an incident or track unauthorized activity. Knowing the details of these events can enable better and more efficient vulnerability management practices within the organization. This information will help the organization prevent or minimize exploitation of network vulnerabilities, potential intrusions, attacks, and data loss.

Foundational Cyber Hygiene

Establishing a starting point can improve an organization's security posture to provide the greatest protection against threats and vulnerabilities, and is beneficial to every security program. New or unknown devices, software, applications, and vulnerabilities on an organization's network pose a great risk to the organization. Continuous monitoring for vulnerabilities, including new/unknown devices, and proactively addressing discovered flaws could reduce the risks of network compromise, data theft, or destruction. These activities are collectively known as “Foundational Cyber Hygiene.”

Foundational Cyber Hygiene is required by CSC 1 – Inventory of Authorized and Unauthorized Devices, CSC 2 – Inventory of Authorized and Unauthorized Software, CSC 3 – Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers, CSC 4 – Continuous Vulnerability Assessment and Remediation, and CSC 5 – Controlled Use of Administrative Privileges. SecurityCenter CV addresses these controls via its Foundational Cyber Hygiene dashboard.

To streamline management of these controls, Tenable aligns its dashboard with the Top 5 Priorities of the National Cyber Hygiene Campaign: “Count, Configure, Control, Patch, and Repeat.” The National Cyber Hygiene Campaign was developed as a foundation to assist in implementing the CIS Critical Security Controls. The campaign begins by asking five questions that align with the first five CSC categories: What is connected to the network? What software is running on the network? Are you managing your systems? Are you looking for known bad software? Do you track those with administrative privileges?

Analysts can use this dashboard to easily drill down into the data to determine which further steps can be the most beneficial in securing the network. Knowing these details can enable better and more efficient vulnerability management strategies within the organization. Subsequently the organization may be better protected from exploitation of network vulnerabilities, and from potential intrusions, attacks, and data loss.

“Appendix A” breaks down the CSCs by controls and sub-controls, and describes how SecurityCenter CV can automate the vast majority of the CSCs’ technical controls.

About Tenable Network Security

Tenable Network Security transforms security technology for the business needs of tomorrow through comprehensive solutions that provide continuous visibility and critical context, enabling decisive actions to protect your organization. Tenable eliminates blind spots, prioritizes threats, and reduces exposure and loss. With more than one million users and more than 20,000 enterprise customers worldwide, organizations trust Tenable for proven security innovation. Tenable's customers range from Fortune Global 500 companies, to the U.S. Department of Defense, to mid-sized and small businesses in all sectors, including finance, government, healthcare, higher education, retail, and energy. Transform security with Tenable, the creators of Nessus and leaders in continuous monitoring, by visiting tenable.com.


Appendix A: Tenable Solution for the CIS Critical Security Controls Note: Tenable SecurityCenter CV can help organizations automate about 66% of the CIS Critical Security Controls’ technical

controls. Specific categories of each Critical Control are listed in the table below, along with how SecurityCenter CV can be

matched to each item. The examples below are not all-inclusive, and in many cases, SecurityCenter CV can be used for more

in-depth coverage of a specific category.

Process Name How Tenable Can Help

CSC-1 Inventory of Authorized and Unauthorized Devices Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.

1.1 /

System

Deploy an automated asset inventory discovery tool

and build inventory of networked systems

Tenable presents a list of all assets discovered on

the network; list must be reviewed/filtered to

denote unauthorized assets.

1.2 /

System

Deploy dynamic host configuration protocol server

logging to improve asset inventory (if DHCP is used)

Tenable does this for MS DHCP servers only and

the MS server needs to have the Log Correlation

Engine client installed.

1.3 /

System

Automatically update asset inventory with addition

of new equipment

Partly an administrative control; n/a.

1.4 /

System

Maintain asset inventory of all networked systems

and devices

Tenable can partially fulfill 1.4.

1.5 /

System

Deploy network level authentication via 802.1x to

control network access

n/a

1.6 /

System

Use client certificates to validate and authenticate

systems for network access

n/a

CSC-2 Inventory of Authorized and Unauthorized Software Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

2.1 /

System

Devise list of authorized software and versions;

monitor for integrity

Tenable’s Software Enumeration capability can

build a list of currently deployed software that can

be reviewed to determine what is authorized.

2.2 /

System

Deploy whitelisting software to deny execution of

unauthorized software

Tenable’s dynamic assets lists can identify systems

containing an enumerated list of whitelisted or

blacklisted software. Tenable also supports

whitelist plugins to search authorized and

unauthorized software.

2.3 /

System

Deploy software inventory tools to centrally track

software & OSes on all networked devices

Tenable presents a list of software; list must be

reviewed/filtered to find unauthorized assets.

Tenable supports a few plugins that inventory

software via SSH, WMI, and for OS X.

Copyright © 2016. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc. SecurityCenter Continuous

View, Passive Vulnerability Scanner, and Log Correlation Engine are trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners. 12

2.4 /

System

Run higher risk applications on virtual machines

and/or air-gapped systems

Administrative control; n/a.

CSC-3 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers: Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

3.1 / System | Establish standard secure configurations of OSes and software applications | Tenable supplies a series of audit files based on the CIS Critical Security Controls OS and configuration standard.
3.2 / System | Follow strict configuration management to build a secure image on all new deployed systems | n/a
3.3 / System | Securely store master images to prevent unauthorized changes | Tenable can scan systems cloned from the master image, provided the cloned OS is running during the scan.
3.4 / System | Perform all remote administration over secure channels | Tenable partially fulfills 3.4 with passive monitoring, which can detect the use of unencrypted VNC and RDP protocols.
3.5 / System | Use file integrity checking tools to ensure that critical system files have not been altered | Tenable partially fulfills 3.5 by monitoring critical system files and application executables for change, and can identify suspicious changes by comparing the changed files to known malware.
3.6 / System | Implement and test automated configuration monitoring (preferably SCAP) to detect and alert unauthorized changes | Tenable can use regularly scheduled agent assessments to detect, log, and alert on these events.
3.7 / System | Deploy system configuration management tools to automatically enforce and redeploy configuration settings | Tenable can detect configuration change when new policies are applied.
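As an added illustration of what the file-integrity monitoring in 3.5 and the change detection in 3.6 amount to (this is not Tenable's code and calls no Tenable API): the script below takes a SHA-256 baseline of a directory tree, re-hashes it later, and reports files that were added, removed, or changed in content or permissions. The directory layout, file contents and the simulated tampering are all constructed in a temporary directory so the script runs offline; the file names are hypothetical.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file, streamed so large binaries are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative path -> {sha256, size, mode} for every regular file under root.
    Mode is recorded because a permission change (a setuid bit appearing, or a
    config file becoming world-writable) matters as much as a content change."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift between a stored baseline and a fresh one."""
    old, new = set(baseline), set(current)
    modified = sorted(
        f for f in old & new
        if baseline[f]["sha256"] != current[f]["sha256"]
        or baseline[f]["mode"] != current[f]["mode"]
    )
    return {"added": sorted(new - old), "removed": sorted(old - new), "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "sshd").write_bytes(b"\x7fELF original sshd")
        (root / "etc" / "sudoers").write_text("root ALL=(ALL) ALL\n")
        (root / "etc" / "sudoers").chmod(0o440)
        (root / "etc" / "motd").write_text("welcome\n")

        # In production this JSON would be written somewhere the monitored host
        # cannot modify (the scanner or agent server) and signed; a baseline the
        # attacker can rewrite proves nothing.
        stored = json.dumps(build_baseline(root), sort_keys=True)

        # Simulated unauthorised changes.
        (root / "bin" / "sshd").write_bytes(b"\x7fELF trojaned sshd")   # content replaced
        (root / "etc" / "sudoers").chmod(0o666)                          # permissions loosened
        (root / "etc" / "motd").unlink()                                  # file removed
        (root / "etc" / "ld.so.preload").write_text("/tmp/evil.so\n")    # file added

        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check deliberately compares permission bits as well as hashes; a product that only hashes content would miss the sudoers change above. Scheduling this from an agent on a fixed cadence, and alerting on a non-empty result, is the mechanism 3.6 asks for.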

CSC-4 Continuous Vulnerability Assessment and Remediation: Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.

4.1 / System | Run automated vulnerability scanning tools against all systems on the network on a weekly or more frequent basis; inform system administrators of most critical vulnerabilities | Tenable can run automated vulnerability scans against all systems on the network on a weekly or more frequent basis, even continuously for maximum security vigilance. Tenable dashboards, reports, and alerts inform system administrators of the most critical vulnerabilities and their relative threat to specific assets on your network.
4.2 / System | Correlate event logs with vulnerability scanning data | Tenable correlates event logs with vulnerability scanning data and provides reports using the SCAP framework and CVSS scores.


4.3 / System | Perform vulnerability scanning on each end system in authenticated mode with agents or remote scanners | Tenable can provide authenticated vulnerability scanning on all networked end systems using software agents or remote scanners.
4.4 / System | Subscribe to vulnerability intelligence services or ensure vulnerability scanning tools and data are regularly updated | SecurityCenter CV incorporates vulnerability intelligence from leading industry sources. The newest vulnerability intelligence is automatically provided to you with the current version of SecurityCenter CV. Updates occur automatically with our cloud-based solution and can be configured to occur automatically in local deployments.
4.5 / System | Deploy automated patch management tools and software update tools for OS and software; apply patches to all systems | Tenable integrates with leading patch management and software update tools via an API. The integrations allow Tenable to validate patching to assist with remediation and updates, and to detect, log, and alert on updates as they occur.
4.6 / System | Monitor logs associated with any scanning activity and associated administrator accounts to ensure legitimate scans | Scans by Tenable are governed by role-based access control, and alerts on scans by specific administrators can be configured as needed to ensure there is no abuse of privilege.
4.7 / System | Compare results from back-to-back vulnerability scans to verify remediation or compensating control | Tenable scan reports provide back-to-back comparisons of scans to verify the application of a patch, re-configuration, or other remedial action.
4.8 / System | Establish a process to risk-rate vulnerabilities based on exploitability and potential impact | Tenable assists in the classification process by assigning severity levels to vulnerabilities based on CVSS scores and the business value of particular network and other IT assets.
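The back-to-back comparison of 4.7 and the risk rating of 4.8 are simple enough to show end to end. The following is an added example, not Tenable's code or report format: it diffs two scan result sets keyed by host, port and check, and ranks the current findings by CVSS weighted with asset criticality and exploit availability. The hosts, check names, scores and criticality values are constructed for the example. It also handles the edge case that most often produces false "remediated" claims: a host that simply was not reached in the second scan.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    plugin: str            # scanner check that fired (hypothetical names below)
    cvss: float            # CVSS base score reported by the check
    exploit_available: bool


def key(f: Finding) -> tuple:
    """A finding is 'the same' across scans if host, port and check match."""
    return (f.host, f.port, f.plugin)


def diff_scans(previous: list, current: list, scanned_now: set) -> dict:
    """Back-to-back comparison (4.7). A finding that disappears only counts as
    remediated if its host was actually reached in the current scan; otherwise
    it is 'unverified' and must not be reported as fixed."""
    prev = {key(f): f for f in previous}
    cur = {key(f): f for f in current}
    remediated, unverified = [], []
    for k in sorted(prev.keys() - cur.keys()):
        (remediated if k[0] in scanned_now else unverified).append(k)
    return {
        "remediated": remediated,
        "unverified": unverified,
        "new": sorted(cur.keys() - prev.keys()),
        "persisting": sorted(prev.keys() & cur.keys()),
    }


def risk_score(f: Finding, criticality: dict) -> float:
    """Risk rating (4.8): CVSS base score weighted by the asset's business value
    (1 = low, 3 = crown jewels) and raised when a public exploit exists."""
    weight = criticality.get(f.host, 1)
    return round(f.cvss * weight * (1.5 if f.exploit_available else 1.0), 1)


def prioritise(findings: list, criticality: dict) -> list:
    """Findings ordered by descending risk score: the work queue for admins."""
    return sorted(findings, key=lambda f: (-risk_score(f, criticality), f.host, f.port))


# ---- constructed sample data (not real scan output) ----------------------
ASSET_CRITICALITY = {"db01": 3, "web01": 2, "fs02": 2, "kiosk07": 1}

PREVIOUS_SCAN = [
    Finding("web01", 443, "openssl_outdated", 7.5, True),
    Finding("web01", 22, "ssh_weak_mac", 2.6, False),
    Finding("db01", 1433, "mssql_missing_patch", 9.0, True),
    Finding("fs02", 445, "smb_signing_disabled", 5.3, False),
]
CURRENT_SCAN = [
    Finding("web01", 22, "ssh_weak_mac", 2.6, False),          # still there
    Finding("db01", 1433, "mssql_missing_patch", 9.0, True),   # still there
    Finding("kiosk07", 3389, "rdp_nla_disabled", 5.0, False),  # new this week
]
# fs02 was powered off during the current scan, so nothing was observed there.
HOSTS_SCANNED_NOW = {"web01", "db01", "kiosk07"}


if __name__ == "__main__":
    for label, items in diff_scans(PREVIOUS_SCAN, CURRENT_SCAN, HOSTS_SCANNED_NOW).items():
        print(f"{label:11s} {items}")
    for f in prioritise(CURRENT_SCAN, ASSET_CRITICALITY):
        print(f"{risk_score(f, ASSET_CRITICALITY):5.1f}  {f.host}:{f.port}  {f.plugin}")
```

The weighting scheme is the assumption here; what matters is that the rating combines the vulnerability's own score with the value of the asset it sits on, so a medium finding on a database server outranks a high finding on a kiosk.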

CSC-5 Controlled Use of Administrative Privileges: The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.

5.1 / System | Minimize administrative privileges and only use administrative accounts when required; audit them closely | Tenable continuously monitors and logs anomalous events on administrative accounts; it provides least privilege compliance checks and alerts when attempts are made to exceed privileges. Tenable's agent-based scans also fulfill this function.
5.2 / System | Use automated tools to inventory administrative accounts and privileges, and validate their authorization | Tenable continuously monitors administrative accounts and privileges, and logs and alerts on changes to privileges and group memberships on Microsoft Windows and Apple OS machines. This includes tracking use of root privilege.
5.3 / System | Before deployment of any new networked device, change all default passwords | n/a


5.4 / System | Configure systems to issue a log entry and alert when administrative assignments change | Tenable can audit systems to verify that 5.4 logging is enabled and log relevant events.
5.5 / System | Configure systems to issue a log entry and alert on any unsuccessful login to an administrative account | Tenable can audit systems to verify that 5.5 logging is enabled and log relevant events.
5.6 / System | Use multi-factor authentication for all administrative access | n/a
5.7 / System | Where multi-factor authentication is not supported, passwords for user accounts must be longer than 14 characters | Tenable can test for password length as defined by policy.
5.8 / System | Administrators should be required to access a system using a fully logged and non-administrative account, then use tools for administrative privileges | Tenable partially fulfills 5.8 by tracking sudo or RUNAS events.
5.9 / System | Administrators shall use a dedicated machine for all administrative tasks or tasks requiring elevated access | Administrative control; n/a.

CSC-6 Maintenance, Monitoring, and Analysis of Audit Logs: Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.

6.1 / System | Include at least two synchronized time sources to consistently timestamp logs for all network devices | Tenable can audit configurations for use of two time sources. It can also detect NTP servers and NTP server configurations.
6.2 / System | Validate audit log settings for each hardware device and software | Tenable can audit configurations for compliance.
6.3 / System | Ensure that all systems storing logs have adequate storage space; archive and sign logs periodically | Administrative control; n/a.
6.4 / System | Security personnel and/or system administrators should run biweekly reports on log anomalies, review and document findings | Tenable partially fulfills 6.4 by automatically running reports and sending them to security responders and/or system administrators.
6.5 / System | Configure network boundary devices to verbosely log all inbound traffic | Tenable partially fulfills 6.5 by auditing configurations for compliance.
6.6 / System | Deploy a SIEM or log analytic tools for log aggregation and consolidation from multiple machines, and for log correlation, analysis and more accurate reporting | Tenable reporting integrates data with APIs from SIEM and log analytic tools.

CSC-7 Email and Web Browser Protections: Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.

7.1 / System | Ensure that only fully supported web browsers and email clients are allowed to execute, ideally with most recent update | Tenable can identify unsupported browsers and clients and create an alert to trigger action by system administrators.


7.2 / System | Uninstall or disable any unnecessary or unauthorized browser or email client plugins or add-on applications | Tenable can detect browser plugins.
7.3 / System | Limit use of unnecessary scripting languages in all web browsers and email clients | n/a
7.4 / System | Log all URL requests from all local or remote devices to identify potentially malicious activity or compromised systems | Tenable can log the requests specified by 7.4.
7.5 / System | Deploy two separate browser configurations to each system, one to disable unnecessary functionality and the other to add authorized functionality | n/a
7.6 / System | Use URL filters and controls to limit a system's ability to connect to non-approved websites | Tenable partially fulfills 7.6 by normalizing bad-URL events from a content filter and creating related alerts.
7.7 / System | Minimize spoofed email by using the Sender Policy Framework (SPF) and DNS | n/a
7.8 / System | Scan and block all inbound email and attachments with malicious code or unnecessary file types | n/a

CSC-8 Malware Defenses: Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.

8.1 / System | Use automated tools to continuously monitor all devices with anti-virus, anti-spyware, and host-based IPS functionality, and alert when malware events are detected | Tenable can fulfill 8.1.
8.2 / System | Use centralized anti-malware software or manually push updates to all machines | n/a
8.3 / System | Monitor for and limit use of external devices without an approved, documented business need | Tenable can monitor attempted use of external devices and audit configurations to determine if they comply with policy.
8.4 / System | Enable anti-exploitation features and apply them broadly for more protection | n/a
8.5 / System | Use network-based anti-malware tools with advanced detection techniques to identify and filter out malicious content | Tenable partially fulfills 8.5 by identifying malicious content.
8.6 / System | Enable DNS query logging to detect hostname lookup for known malicious C2 domains | Tenable can fulfill 8.6.
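What 8.6 looks like once query logging is on: every lookup is checked against a list of known C2 domains, including their subdomains, and the clients that made the lookups are the hosts to triage. The script below is an added example, not Tenable's detection logic; the BIND-style log lines, the client addresses and the two "C2" domains (both under the reserved `.test` TLD) are constructed for the example. The one detail worth getting right is the domain match: it must walk label boundaries, because a naive suffix test would flag `notevil-c2.test` as a hit for `evil-c2.test`.

```python
import re
from collections import defaultdict

# Constructed BIND-style query log lines (not real traffic). The resolver at
# 10.0.0.53 logs every client query; 10.0.5.23 and 10.0.7.9 are workstations.
QUERY_LOG = """\
12-Mar-2016 10:01:02.123 queries: info: client 10.0.5.23#51234 (www.example.com): query: www.example.com IN A + (10.0.0.53)
12-Mar-2016 10:01:05.456 queries: info: client 10.0.5.23#51240 (update.evil-c2.test): query: update.evil-c2.test IN A + (10.0.0.53)
12-Mar-2016 10:01:07.789 queries: info: client 10.0.7.9#40001 (a1b2c3.beacon.badcorp.test): query: a1b2c3.beacon.badcorp.test IN TXT + (10.0.0.53)
12-Mar-2016 10:01:09.000 queries: info: client 10.0.5.23#51250 (notevil-c2.test): query: notevil-c2.test IN A + (10.0.0.53)
12-Mar-2016 10:01:11.500 queries: info: client 10.0.7.9#40002 (BADCORP.TEST.): query: BADCORP.TEST. IN MX + (10.0.0.53)
"""

# Constructed blocklist of C2 domains; in practice this comes from a threat
# intelligence feed and is refreshed on a schedule.
C2_DOMAINS = {"evil-c2.test", "badcorp.test"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*?client (?P<client>[\d.]+)#\d+ .*?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalise(name: str) -> str:
    """Lower-case and drop the trailing dot so 'BADCORP.TEST.' == 'badcorp.test'."""
    return name.lower().rstrip(".")


def matched_domain(qname: str, blocklist: set) -> "str | None":
    """Return the blocklisted domain that qname equals or is a subdomain of.
    Matching walks label boundaries, so 'notevil-c2.test' does NOT match
    'evil-c2.test' (a plain endswith() check would flag it)."""
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def find_c2_lookups(log_text: str, blocklist: set) -> list:
    """Parse the query log and return one alert per lookup of a C2 domain."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hit = matched_domain(m["qname"], blocklist)
        if hit:
            alerts.append({"ts": m["ts"], "client": m["client"],
                           "qname": normalise(m["qname"]), "qtype": m["qtype"], "matched": hit})
    return alerts


def lookups_by_client(alerts: list) -> dict:
    """Group alerts by source host: the list of machines to investigate."""
    grouped = defaultdict(list)
    for a in alerts:
        grouped[a["client"]].append(a["qname"])
    return dict(grouped)


if __name__ == "__main__":
    hits = find_c2_lookups(QUERY_LOG, C2_DOMAINS)
    for a in hits:
        print(f'{a["ts"]} {a["client"]} looked up {a["qname"]} ({a["qtype"]}) -> matches {a["matched"]}')
    print(lookups_by_client(hits))
```

Keep the query type in the alert: a TXT lookup of a random-looking subdomain, as in the third log line, is the classic shape of DNS-based beaconing and deserves a higher priority than an A record for the apex domain.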


CSC-9 Limitation and Control of Network Ports: Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize windows of vulnerability available to attackers.

9.1 / System | Ensure that only ports, protocols, and services with valid business needs are running on each system | Tenable can audit configurations for compliance and monitor actual port, protocol, and service usage.
9.2 / System | Apply host-based firewalls or port filtering tools on end systems to deny all unauthorized traffic | Tenable can audit configurations for compliance and collect NetFlow traffic.
9.3 / System | Perform automated port scans on a regular basis and alert when baseline configurations are changed | Tenable can fulfill 9.3.
9.4 / System | Verify the business requirement for any server visible from the internet or an untrusted network; if there is none, move it to an internal VLAN | Administrative and technical control. Tenable partially fulfills 9.4 by identifying these servers, and can identify such systems with plugins.
9.5 / System | Operate critical services on separate physical or logical hosts | Tenable can partially fulfill 9.5 by identifying critical services running on machines not matching a dynamic asset list. With the Tenable List of Services tool, you can use NetFlow and netstat to identify services.
9.6 / System | Place application firewalls in front of critical servers to block unauthorized traffic | Administrative and technical control; n/a.

CSC-10 Data Recovery Capability: The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.

10.1 / System | Back up each system at least weekly, and more often for systems storing sensitive information, following policies for compliance | Administrative and technical control; n/a.
10.2 / System | Test data on backup media by performing regular data restoration | Administrative control; n/a.
10.3 / System | Protect backup data in transmission or at rest with physical security or encryption | n/a
10.4 / System | Key systems must have at least one backup destination not continuously addressable via OS calls | Tenable can partially fulfill 10.4 by auditing configurations for compliance.

CSC-11 Secure Configurations for Network Devices: Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

11.1 / System | Compare configurations of network devices with standard configurations | Tenable can fulfill 11.1.
11.2 / System | All new configuration rules for network devices must conform to business reasons for each change | n/a


11.3 / System | Use automated tools to verify standard device configurations, and detect and alert changes | Tenable can fulfill 11.3.
11.4 / System | Manage network devices using two-factor authentication and encrypted sessions | Tenable can partially fulfill 11.4 by auditing configurations for compliance.
11.5 / System | Install the latest stable version of any security-related updates on all network devices | Tenable can partially fulfill 11.5 by auditing configurations for compliance.
11.6 / System | Network engineers shall use a dedicated machine for all administrative tasks or tasks requiring elevated access | Administrative control; n/a.
11.7 / System | Manage network infrastructure with connections separate from production links; use VLANs or separate physical networks | Administrative and technical control; n/a.

CSC-12 Boundary Defense: Detect/prevent/correct the flow of information transferring between networks of different trust levels with a focus on security-damaging data.

12.1 / Network | Deny communications with known malicious IPs or limit access only to trusted sites | Tenable can partially fulfill 12.1 by identifying these communications, logging, and alerting.
12.2 / Network | On DMZ networks, configure monitoring systems to record log data about traffic traversing the network border | Tenable partially fulfills 12.2 by passively monitoring and analyzing packet headers and the first x,000 bytes of payload.
12.3 / Network | Deploy network-based IDS sensors to detect unusual attack mechanisms and compromised systems | n/a
12.4 / Network | Deploy network-based IPS devices to block known bad signatures or the behavior of potential attacks | n/a
12.5 / Network | Design and implement network perimeters so all outbound traffic must pass through at least one application layer filtering proxy server | n/a
12.6 / Network | Require all remote login access to use two-factor authentication | Tenable can partially fulfill 12.6 by auditing configurations for compliance, logging, and alerting.
12.7 / Network | An organization must manage remote access of all enterprise devices, including remote control of configurations; and scan third party devices before allowing access | Tenable can partially fulfill 12.7 by providing intelligence connectors to MDM systems.
12.8 / Network | Periodically scan for back-channel connections that bypass the DMZ | Tenable fulfills 12.8.
12.9 / Network | Deploy NetFlow collection and analysis to DMZ network flows to detect anomalous activity | Tenable fulfills 12.9 by analyzing NetFlow data.


12.10 / Network | Use firewall session tracking to identify and alert on discovery of covert channels exfiltrating data | Tenable fulfills 12.10 by auditing configurations for compliance, including identifying unusually long sessions.

CSC-13 Data Protection: The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.

13.1 / Network | Assess data to identify sensitive information requiring encryption / integrity controls | Administrative control; n/a.
13.2 / Network | Deploy approved hard drive encryption software to mobile devices and systems with sensitive data | Tenable partially fulfills 13.2 by auditing configurations for compliance (with the exception of mobile devices).
13.3 / Network | Deploy automated tools on network perimeters monitoring sensitive information and unauthorized exfiltration, and alert / block activity | Tenable partially fulfills 13.3 by scanning for and identifying unencrypted sensitive data in transit. Tenable detects but does not block this traffic.
13.4 / Network | Use automated tools to periodically scan servers for sensitive data stored in clear text | Tenable can scan file systems for sensitive data. There are special audits for Windows and Unix; these scan the first 60k of each file.
13.5 / Network | Use controls protecting data on USB devices | n/a
13.6 / Network | Use network-based DLP solutions to monitor and control internal data flows | Tenable can partially fulfill 13.6 by detecting anomalies; it cannot control the data flows.
13.7 / Network | Monitor all traffic leaving the organization and detect any unauthorized use of encryption | Plugins used with Tenable can detect the use of encryption on random ports.
13.8 / Network | Block access to known file transfer and email exfiltration websites | n/a
13.9 / Network | Use host-based DLP to enforce ACLs even when data is copied off a server | n/a
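The cleartext-data scan of 13.4, including the "first 60k of each file" limit the page mentions, as an added example rather than Tenable's audit logic: it reads only the head of each file, skips files that look binary, looks for payment card numbers (validated with the Luhn checksum so that arbitrary digit runs are not reported), US SSNs, and cleartext credential assignments, and masks every value it reports so the findings report does not itself become a copy of the sensitive data. The file share, its contents and the 60k limit are constructed here; the card number is the widely used 4111 test number, and the SSN and password are placeholders. The last planted file shows the caveat of a head-only scan: data past the inspected prefix is simply not seen.

```python
import re
import tempfile
from pathlib import Path

HEAD_BYTES = 60 * 1024   # only the first 60k of each file is inspected, as in the audits above

# Candidate payment card number: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# US SSN in AAA-GG-SSSS form, excluding area numbers that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-\d{2}-\d{4}\b")
# Cleartext credential assignments in config files.
CRED_RE = re.compile(r"\b(password|passwd|pwd|secret)\s*[=:]\s*\S+", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; removes most false positives from long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list:
    """Return (kind, masked_value) findings for one file's text."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("pan", digits[:6] + "*" * (len(digits) - 10) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    for m in CRED_RE.finditer(text):
        findings.append(("credential", m.group(1).lower()))   # report the key, never the value
    return findings


def scan_file(path: Path, head: int = HEAD_BYTES) -> list:
    """Inspect only the first `head` bytes; skip files that look binary."""
    with path.open("rb") as f:
        data = f.read(head)
    if b"\x00" in data:
        return []
    return scan_text(data.decode("utf-8", errors="replace"))


def scan_tree(root: Path, head: int = HEAD_BYTES) -> dict:
    """Map relative path -> findings, for files that have any."""
    report = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            found = scan_file(p, head)
            if found:
                report[p.relative_to(root).as_posix()] = found
    return report


def demo() -> dict:
    """Constructed file share with planted test values."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "customers.txt").write_text(
            "card 4111 1111 1111 1111 exp 12/19\ncard 4111111111111112 (fails Luhn)\n")
        (root / "hr.csv").write_text("name,ssn\nJane Doe,123-45-6789\n")
        (root / "config.ini").write_text("db_user=app\npassword = s3cr3t!\n")
        (root / "dump.bin").write_bytes(b"\x00\x01" + b"4111111111111111")
        # The card number sits beyond the 60k head, so this scan will miss it:
        # the inspected-prefix limit is a coverage gap to be aware of.
        (root / "audit.log").write_text("x" * (HEAD_BYTES + 10) + "\n4111111111111111\n")
        return scan_tree(root)


if __name__ == "__main__":
    for path, found in demo().items():
        print(path, found)
```

Run this with an account that can read the share but not write to it, and send the report somewhere with the same access controls as the data it describes; even masked, a list of which files hold card numbers is useful to an attacker.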

CSC-14 Controlled Access Based on the Need to Know: The processes and tools used to track, control, prevent and correct secure access to critical assets based on approval of need and right to know.

14.1 / Application | Segment network based on classification of information on servers, including VLANs. Ensure access authorization is based on specific responsibilities. | n/a
14.2 / Application | Encrypt all sensitive information sent over less-trusted networks | n/a
14.3 / Application | All network switches will enable VLANs to limit access by unauthorized parties and limit lateral movement in a network | n/a


14.4 / Application | Use controls to protect sensitive information by limiting access only to authorized parties with a need-to-know | Tenable partially fulfills 14.4 by detecting changes to file permissions and related rights.
14.5 / Application | Encrypt sensitive information as it is stored on systems. For access, use secondary authentication not integrated into the operating system. | n/a
14.6 / Application | Enforce detailed audit logging to nonpublic data and special authentication for sensitive data | Tenable partially fulfills 14.6 by auditing configurations for compliance.
14.7 / Application | Archived data sets or systems not regularly accessed shall be removed from the organization's network | Administrative control; n/a.

CSC-15 Wireless Access Control: The processes and tools used to track/control/prevent the secure use of wireless local area networks (LANs), access points, and wireless client systems.

15.1 / Network | Wireless devices connected to the network must match an authorized configuration and security profile | Administrative and technical control; n/a.
15.2 / Network | Configure network vulnerability scanning tools to detect and deactivate unauthorized wireless access points | Administrative and technical control. Tenable partially fulfills 15.2 by detecting wireless access points.
15.3 / Network | Use wireless intrusion detection to detect rogue wireless devices and attacks | n/a
15.4 / Network | Configure wireless access on clients to allow access only to authorized networks; disable access by unauthorized clients | Tenable can audit configurations for compliance with custom audit files.
15.5 / Network | All wireless traffic must use at least AES encryption with at least WPA2 | Tenable partially fulfills 15.5 by auditing configurations for compliance; it also checks whether clients are configured to use the weaker WPA or WEP.
15.6 / Network | Wireless networks must use authentication protocols such as EAP/TLS | Tenable partially fulfills 15.6 by auditing configurations for compliance.
15.7 / Network | Disable peer-to-peer wireless network capabilities on clients | Tenable partially fulfills 15.7 by auditing configurations for compliance.
15.8 / Network | Disable wireless peripheral access of devices unless required for business need | Tenable partially fulfills 15.8 by auditing configurations for compliance.
15.9 / Network | Create separate VLANs for BYOD systems or other untrusted devices | n/a

CSC-16 Account Monitoring and Control: Actively manage the life cycle of system and application accounts (their creation, use, dormancy, deletion) in order to minimize opportunities for attackers to leverage them.

16.1 / Application | Review all system accounts and disable those unassociated with a business process and owner | Administrative control; n/a.


16.2 / Application | Ensure all accounts have an expiration date that is monitored and enforced | Tenable partially fulfills 16.2 by auditing configurations for compliance.
16.3 / Application | Establish and follow a process to revoke system access by disabling accounts immediately upon termination of an employee or contractor | Administrative control; n/a.
16.4 / Application | Regularly monitor use of all accounts; automatically log off users after standard period of inactivity | Tenable partially fulfills 16.4 by auditing configurations for compliance.
16.5 / Application | Configure screen locks on systems to limit access to unattended workstations | Tenable partially fulfills 16.5 by auditing configurations for compliance.
16.6 / Application | Monitor account usage to determine dormant accounts, notifying the user or user's manager | Tenable fulfills 16.6.
16.7 / Application | Use and configure account lockouts for set number of failed login attempts | Tenable audits configurations for compliance.
16.8 / Application | Monitor attempts to access deactivated accounts | Tenable tracks all access attempts by all user accounts, including deactivated accounts, and displays suspicious access activity.
16.9 / Application | Configure access for all accounts through a centralized point of authentication | Tenable fulfills 16.9 by auditing configurations for compliance.
16.10 / Application | Profile each user's typical account usage and flag for unusual variances | Tenable continuously monitors system and host access by all users and alerts administrators when detecting suspicious activity.
16.11 / Application | Require multi-factor authentication for all access to sensitive data or systems | n/a
16.12 / Application | Where multi-factor authentication is not supported, passwords must exceed 14 characters | n/a
16.13 / Application | All account usernames and authentication credentials must use encrypted network channels | n/a
16.14 / Application | Verify all authentication files are encrypted or hashed and cannot be accessed without root or administrator privileges; audit all access to password files in the system | Tenable fulfills 16.14.
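Three of the monitoring items above (16.6 dormant accounts, 16.7 lockout thresholds, 16.8 attempts against deactivated accounts) come down to the same input: authentication events joined with an account inventory. The script below is an added example of that logic over constructed OpenSSH-style auth log lines; it is not Tenable's code or log format. The host names, addresses, account list, deactivated-account list, the assumed log year and the "now" timestamp are all constructed. The lockout check uses a sliding window rather than a per-day count, so a burst of failures that straddles a reporting boundary is still caught.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed OpenSSH-style auth log lines (syslog has no year; assume 2016).
AUTH_LOG = """\
Jan 05 09:12:01 web01 sshd[1901]: Accepted password for carol from 10.0.5.40 port 50012 ssh2
Mar 19 17:45:09 web01 sshd[2100]: Accepted publickey for bob from 10.0.5.31 port 50988 ssh2
Mar 20 08:01:12 web01 sshd[2201]: Accepted publickey for alice from 10.0.5.23 port 51234 ssh2
Mar 20 08:02:40 web01 sshd[2210]: Failed password for bob from 10.0.9.8 port 40112 ssh2
Mar 20 08:02:45 web01 sshd[2211]: Failed password for bob from 10.0.9.8 port 40113 ssh2
Mar 20 08:02:50 web01 sshd[2212]: Failed password for bob from 10.0.9.8 port 40114 ssh2
Mar 20 08:02:55 web01 sshd[2213]: Failed password for bob from 10.0.9.8 port 40115 ssh2
Mar 20 08:03:01 web01 sshd[2214]: Failed password for bob from 10.0.9.8 port 40116 ssh2
Mar 20 08:03:07 web01 sshd[2215]: Failed password for bob from 10.0.9.8 port 40117 ssh2
Mar 20 08:10:30 web01 sshd[2230]: Failed password for alice from 10.0.5.23 port 51300 ssh2
Mar 20 08:10:41 web01 sshd[2231]: Accepted password for alice from 10.0.5.23 port 51301 ssh2
Mar 20 11:20:02 web01 sshd[2300]: Failed password for contractor1 from 10.0.9.77 port 43210 ssh2
Mar 20 11:20:30 web01 sshd[2301]: Failed password for invalid user admin from 10.0.9.77 port 43211 ssh2
"""

# Constructed account inventory for web01 and the accounts HR has deactivated.
ALL_ACCOUNTS = {"alice", "bob", "carol", "contractor1", "svc_backup"}
DISABLED_ACCOUNTS = {"contractor1"}
LOG_YEAR = 2016
NOW = datetime(2016, 3, 21, 0, 0, 0)

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_auth_log(text: str) -> list:
    """One event dict per sshd Accepted/Failed line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
            events.append({"ts": ts, "host": m["host"], "user": m["user"],
                           "ok": m["outcome"] == "Accepted", "src": m["src"]})
    return events


def dormant_accounts(events: list, accounts: set, now: datetime, max_idle_days: int = 30) -> list:
    """16.6: accounts with no successful login inside the window (or none at all)."""
    last_ok = {}
    for e in events:
        if e["ok"]:
            last_ok[e["user"]] = max(e["ts"], last_ok.get(e["user"], e["ts"]))
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(a for a in accounts if last_ok.get(a, datetime.min) < cutoff)


def lockout_candidates(events: list, threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> dict:
    """16.7: users with >= threshold failures inside any sliding window.
    Returns user -> time the threshold was first crossed."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["user"]].append(e["ts"])
    crossed = {}
    for user, times in failures.items():
        times.sort()
        for i in range(threshold - 1, len(times)):
            if times[i] - times[i - threshold + 1] <= window:
                crossed[user] = times[i]
                break
    return crossed


def disabled_account_attempts(events: list, disabled: set) -> list:
    """16.8: any attempt, successful or not, against a deactivated account."""
    return [(e["ts"], e["user"], e["src"], e["ok"]) for e in events if e["user"] in disabled]


if __name__ == "__main__":
    evts = parse_auth_log(AUTH_LOG)
    print("dormant:", dormant_accounts(evts, ALL_ACCOUNTS, NOW))
    print("lockout:", lockout_candidates(evts))
    print("disabled-account attempts:", disabled_account_attempts(evts, DISABLED_ACCOUNTS))
```

Note that the deactivated contractor account shows up in the dormant list as well as in the 16.8 list; that is the expected overlap, and a successful login against a deactivated account (the `ok` flag being true in the 16.8 output) is the case that warrants an immediate page rather than a biweekly report.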

CSC-17 Security Skills Assessment and Appropriate Training to Fill Gaps: For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.

17.1 / Application | Perform gap analysis to spot missing needs for employee training | Administrative control; n/a.
17.2 / Application | Deliver training to fill skills gap | Administrative control; n/a.


17.3 / Application | Implement a security awareness program | Administrative control; n/a.
17.4 / Application | Validate and improve awareness levels through periodic employee tests and targeted training | Administrative control; n/a.
17.5 / Application | Use security skills assessments for each of the mission critical roles to identify skills gaps | Administrative control; n/a.

CSC-18 Application Software Security: Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.

18.1 / Application | Verify software to be current; update and patch if needed | Administrative control; n/a.
18.2 / Application | Protect web applications with web application firewalls | n/a
18.3 / Application | For in-house developed software, test and document for explicit error checking for all input | n/a
18.4 / Application | Test in-house-developed and third-party-procured web applications with automated remote web application scanners | n/a
18.5 / Application | Do not display system error messages to end-users | n/a
18.6 / Application | Maintain separate environments for production and non-production systems | n/a
18.7 / Application | For applications relying on a database, use standard hardening configuration templates | Tenable fulfills 18.7.
18.8 / Application | All software developers must be trained in writing secure code for their specific environments | Administrative control; n/a.
18.9 / Application | For in-house developed applications, all development artifacts must be excluded from deployed software and be inaccessible in the production environment | Administrative control; n/a.

CSC-19 Incident Response and Management: Protect the organization's information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then containing the damage, eradicating the attacker's presence, and restoring the integrity of the network and systems.

19.1 / Application | Provide written incident response procedures and define personnel roles for handling incidents | Administrative control; n/a.
19.2 / Application | Assign job titles and duties for handling computer and network incidents to specific individuals | Administrative control; n/a.


19.3 / Application | Define management personnel who will be deciders in the incident handling process | Administrative control; n/a.
19.4 / Application | Devise standards for the time required by system administrators and others to report anomalous events to the response team | Administrative control; n/a.
19.5 / Application | Assemble and maintain information for everyone in the organization about incidents and responses | Administrative control; n/a.
19.6 / Application | Publish information for everyone in the organization about incidents and responses | Administrative control; n/a.
19.7 / Application | Conduct periodic incident scenario training sessions with team responders | Administrative control; n/a.

CSC-20 Penetration Tests and Red Team Exercises: Test the overall strength of an organization's defenses (the technology, the processes, and the people) by simulating the objectives and actions of an attacker.

20.1 / Application | Conduct regular external and internal penetration tests to assess vulnerabilities and attack vectors | n/a
20.2 / Application | Users and system accounts used to perform penetration testing should be controlled and monitored for legitimate use | Administrative control; n/a.
20.3 / Application | Perform periodic Red Team exercises to test organizational readiness for attack response | Administrative control; n/a.
20.4 / Application | Include tests for the presence of unprotected system information and artifacts useful to attackers | Administrative control; n/a.
20.5 / Application | Plan clear goals of the penetration test with blended attacks in mind on specific target assets | Administrative control; n/a.
20.6 / Application | Use vulnerability management and penetration testing tools in concert | Tenable partially fulfills 20.6 with vulnerability scanning.
20.7 / Application | When possible, document Red Team results with open, machine-readable standards and scoring | Administrative and technical control; n/a.
20.8 / Application | Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks on extraordinary assets such as a SCADA system | Administrative control; n/a.