CIS Critical Security Controls

In the earlier post, we discussed CIS Security Benchmarks and how it can be useful to public or private organizations. In this post, we will explore some of the CIS Critical Security Controls.

The CIS Critical Security Controls, also known as CIS Controls, are a concise, prioritized set of cyber practices created to stop today’s most pervasive and dangerous cyber attacks. The CIS controls are developed, refined and validated by a community of leading experts around the world. Though it’s widely considered that by applying top 5 CIS controls, an organization should be able to reduce 85 percents of risk related to cyberattack, we will review all 20 CIS controls here for clarity sake.

  1. CSC # 1: Inventory of Authorized and Unauthorized Device
  2. CSC # 2: Inventory of Authorized and Unauthorized Software
  3. CSC # 3: Secure Configurations for Hardware and Software
  4. CSC # 4: Continuous Vulnerability Assessment and Remediation
  5. CSC # 5: Controlled Use of Administrative Privileges
  6. CSC # 6: Maintenance, Monitoring, and Analysis of Audit Logs
  7. CSC # 7: Email and Web Browser Protections
  8. CSC # 8: Malware Defenses
  9. CSC # 9: Limitation and Control of Network Ports
  10. CSC # 10: Data Recovery Capability
  11. CSC # 11: Secure Configurations for Network Devices
  12. CSC # 12: Boundary Defense
  13. CSC # 13: Data Protection
  14. CSC # 14: Controlled Access Based on the Need to Know
  15. CSC # 15: Wireless Access Control
  16. CSC # 16: Account Monitoring and Control
  17. CSC # 17: Security Skills Assessment and Appropriate Training to Fill Gaps
  18. CSC # 18: Application Software Security
  19. CSC # 19: Incident Response and Management
  20. CSC # 20: Penetration Tests and Red Team Exercises

Each of these controls has its own sub-control, which has it’s own threshold metrics (from Low Risk, Medium Risk, or High Risk). For example, our first control states that we should have an inventory of authorized and unauthorized devices. First sub-control requires us to deploy an “automated” asset inventory discovery tool and as a part of that our metric should be How many “Unauthorized” Devices present in our network at a given time. If that number is somewhere between 0-1%, that’s considered Low Risk. If that number is between 1-4%, it’s medium risk while anything above 4% is considered High Risk – and appropriate actions should be taken to mitigate such risks!

Amazon Web Services (AWS) Risk and Compliance

This is a summary of AWS’s Risk and Compliance White Paper
AWS publishes SOC1 report – formerly known as Statement on Auditing Standards (SAS) 70, Service Organization report, widely recognized auditing standard developed by AICPA (American Institute of Certified Public Accountants). 
SOC 1 audit is an in-depth audit of design and operating effectiveness of AWS’s defined control objectives and control activities. 
Type II – refers that each of the controls described in reports are not only evaluated for adequacy of design, but are also tested for operating effectiveness by the external auditor. 
With ISO 27001 certification AWS is complying with a broad, comprehensive security standard and follows best practices in maintaining a secure environment. 
With PCI Data Security Standards (PCI DSS), AWS is complying with set of controls important to companies that handle credit card information. 
With AWS’s compliance with FISMA standards, AWS complies with wide range of specific control requirements by US government agencies. 
Risk Management:
AWS management has developed a strategic business plan which includes risk identification and the implementation of controls to mitigate and manage risks. Based on my understanding, AWS management re-evaluate those plans at least twice a year. 
Also, AWS compliance team have adopted various Information Security and Compliance framework – including but not limited to COBIT, ISO 27001/27002, AICPA Trust Service Principles, NIST 800-53 and PCI DSS v3.1. 
Additionally, AWS regularly scan all their Internet facing services for possible vulnerabilities and notified parties involved in remediation. External Pen Test (VA test) are also performed by reputed independent companies and repots are shared with AWS management. 
Reports/Certifications:
FedRAMP: AWS is Federal Risk and Authorization Management Program (FedRAMPsm) compliant Cloud Service Provider. 
FIPS 140-2: The Federal Information Processing Standard (FIPS) Publication 140-2 is a US government security standard that specifies the security requirements for cryptographic modules protecting sensitive information. AWS is operating their GovCloud (US) with FIPS 140-2 validated hardware. 
FISMA and DIACAP:
To allow US government agencies to comply with FISMA (Federal Information Security Management Act), AWS infrastructure has been evaluated by independent assessors for a variety of government systems as part of their system owner’s approval process.
Many agencies have successfully achieved security authorization for systems hosted in AWS in accordance with Risk Management Framework (RMF) process defined in NIST 800-37 and DoD Information Assurance Certification and Accreditation Process (DIACAP).
HIPPA:
Leveraging secure AWS environment to process, maintain and store protected health information, AWS is enabling entities to work in AWS cloud who need to comply with US Health Insurance Portability and Accountability Act (HIPPA). 
ISO 9001:
AWS has achieved ISO 9001 certification to directly support customers who develop, migrate and operate their quality-controlled IT systems in AWS cloud. This allows customers to utilize AWS’s compliance report as evidence of their ISO 9001 programs for industry specific quality programs such as ISO/TS 16949 in auto sector, ISO 13485 in medical devices, GxP in life science, AS9100 in aerospace industry. 
ISO 27001:
AWS has achieved ISO 27001 certification of their Information Security Management Systems (ISMS) covering AWS infrastructure, data centers, and multiple cloud services. 
ITAR:
AWS GovCloud (US) supports US International Traffic in Arms Regulations (ITAR) compliance. Companies subject to ITAR export regulations must control unintended exports by restricting access to protected data to US persons and restricting physical location of that data to US. AWS GovCloud provides such facilities and comply to the required compliance requirements. 
PCI DSS Level 1:
AWS is level 1 compliant under PCI DSS (Payment Card Industry Data Security Standards). Based on February 2013 guidelines by PCI Security Standards Council, AWS incorporated those guidelines in AWS PCI Compliance Package for customers. AWS PCI Compliance package include AWS PCI Attestation of Compliance (AoC), which shows that AWS has been successfully validated against standard applicable to a Level 1 Service Provider under PCI DSS Version 3.1.
SOC1/SOC2/SOC3:
AWS publishes Service Organization Controls 1 (SOC 1), Type II report. Audit of this report is done in accordance with AICPA: AT 801 (formerly SSAE 16) and International Standards for Assurance Engagements No. 3402 (ISAE 3402). 
This dual report intended to meet a broad range of financial auditing requirement of US and international bodies. 
In addition to SOC 1, AWS also publishes SOC 2, Type II report – that expands the evaluation of controls to the criteria set forth by the AICPA Trust Service Principles. These principle defines leading practice controls relevant to security, availability, processing integrity, confidentiality, and privacy applicable to service organization such as AWS. 
SOC 3 report is publicly-available summary of AWS SOC 2 report. The report includes the external auditor’s opinion of the operation of controls based on (AICPA’s Security Trust Principle included in SOC 2 report), the assertion from AWS management regarding effectiveness of controls, and overview of AWS infrastructure and Services.

Risk Management Models

There are various Risk Management Models around, some of them discussed here:

General Risk Management Model: 

This five step general risk management model can be used in virtually any risk management process:

Step 1: Asset Identification

Identify and classify the assets, systems, and processes that need protection because they are vulnerable to threats. 

Step 2: Threat Assessment

After identifying assets, you identify both the threats and the vulnerabilities associated with each assets and the likelihood of their occurrence. All things have vulnerabilities; one of the key is to examine exploitable vulnerabilities. To list: CWE (from mitre.org), SANS Top 25 list, OWASP Top 10 list.. 

Step 3: Impact Determination and Quantification:

An impact is the loss created when a threat is realized and exploits a vulnerability. Tangible impact results in financial loss or physical damage. An intangible impact, such as impact on the reputation of a company, assigning a financial value can be difficult. 

Step 4: Control Design and Evaluation:

Determine the controls (also called countermeasure or safeguards) to put in place to mitigate risks. List of software control can be found in NIST SP 800-53
Step 5: Residual Risk Management:
A risk that remains after implementing controls is termed as residual risk. Multiple controls can be applied to achieve better defense posture through defense in depth.

Software Engineering Institute Model:

1. Identify:

Examine the system, enumerating potential risks.

2. Analyze:

Convert the risk data gathered into information that can be used to make decisions. Evaluate the impact, probability, and timeframe of the risk. Classify and prioritize each of the risks.

3. Plan: 

Review and evaluate the risks and decide what actions to take to mitigate them. Implement the plan.

4. Track:

Monitor the risks and the mitigation plans. Review periodically to measure progress and identify new risks.

5. Control:

Make corrections for deviations from risk mitigation plans. Changes in business procedures may require adjustments in plans or actions, as do faulty plans and risks that become problems.

Security Models

Security Models are used to understand the systems and processes developed to enforce security principles. There are three key elements which plays role in model implementation:

  • People
  • Processes
  • Technology

Various models discussed here are:

Access Control Models: 

There are various different access control models provide different aspect of protection but Access Control List (ACL) is the most commonly used. ACL is a list that contains the subject that has access right to a particular object. An ACL will identify not only the subject, but also the specific access that subject has for the object.

Other models discussed below: Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role-based Access Control (RBAC), Rule-based Access Control (RBA)

Bell-LaPadula Confidentiality Model:

Bell-LaPadula security model is combination of mandatory and discretionary access control mechanism.

First Principle, known as – Simple Security Rule – that no subject can read information from an object with a security classification higher than that possessed by the subject itself. This is also refferred as “no-read-up” rule.

So arrange the access level in hierarchal form, with defined higher and lower level of access.

Bell-LaPadula was designed to preserve “confidentiality” – focused on read and write access.

Reading material higher than subject’s level is a form of unauthorized access.

Courtesy: rutgures.edu

Second Principle, known as *-property (star property) – states that subject can write an object only if it’s security classification is less than or equal to the object’s security classification.

Also known as “No-Write-Down” principle.

This prevents the dissemination of information users that do not have appropriate level of access.

Usage example – to prevent data leakage, publishing bank balance – to a public page..

Take-Grant Model:

  • Built upon Graph Theory
  • Distinct Advantage: Definitively Determine Rights – Unique Rights (take and grant)
courtesy: http://clinuxpro.com/wp-content/uploads/2013/10/Take-Grant-Model.png
  • Value lies in ability to analyze an implementation is complete or might be capable to leak information.

My CSSLP Notes

While I am studying for CSSLP, I am keeping notes about it here. This notes may have references from various CSSLP books.

Confidentiality: Confidentiality is the concept of preventing the disclosure of information to unauthorized parties. In layman terms, keeping secret secret is confidentiality.

Integrity: Integrity is similar to confidentiality, except rather than protecting the data from unauthorized access, integrity refers to protecting data from unauthorized alteration.

Availability: Access to systems by authorized personnel can be expressed as the system’s availability.

Authentication: Authentication is the process of determining the identity of a user. Three general methods are used in authentication. In order to verify your identity, you can provide:

  • Something you know
  • Something you have
  • Something about you (something that you are)

Authorization: Authorization is the process of applying access control rules to a user process, determining whether or not a particular user process can access an object. Three elements are used in discussion of authorization:

  • A requester (sometimes referred to as the subject)
  • The object
  • The type or level of access to be granted.

Accounting (Auditing): Accounting is means of measuring activity. With IT systems, this can be done by logging crucial elements of activity as they occur. With respect to Data Elements, accounting is needed when activity is determined to be crucial to the degree that it may be audited at a later date and time.

*** A key element in audit logs is the employment of a monitoring, detection, and response process. Without mechanism or processes to “trigger” alerts or notifications to admins based on particular logged events, the value of logging is diminished or isolated to a post-incident resource instead of contributing to an alerting or incident prevention resource.

Non-repudiation: Non-repudiation is the concept of preventing a subject from denying a previous action with an object in a system. When authentication, authorization and auditing are properly configured, the ability to prevent repudiation by a specific subject with respect to an action and an object is ensured.

System Tenets:

Session Management: Session management refers to the design and implementation of controls to ensure that communication channels are secured from unauthorized access and disruption of a communication.