Security would be so much easier if there were a formula everyone could follow: a simple, straightforward set of processes you could put in place and guarantee that you and your systems will be protected. The world, unfortunately, does not work this way. Security is the most dynamic, subjective subject matter in the world. What works for some won't work for others and doesn't apply to the rest. The challenge is how to keep it all together and stay sane day to day.
The industry and government have attempted to bring some order to the chaos through sets of regulations and frameworks that give the best roadmaps to secure practices. One of the leading and most widely accepted approaches comes from the Center for Internet Security (CIS) through the Critical Security Controls (CSC). Industry security experts got together, took cues from NIST, ISO and other frameworks, and brought them together into the 20 key controls that make up the CSC.
Through this series I will break down all 20, show examples, offer approaches to meeting these controls and provide insight into how hackers and cyber-criminals could exploit gaps in each control to their advantage. As a security consultant I see a wide variety of security professionals, teams and companies of all shapes and sizes. I use the CSC as the foundation for security projects, policy improvements and assessments. Everyone, no matter the size or maturity, can always improve their security posture.
CSC 1: Inventory of Authorized and Unauthorized Devices
Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
There is a reason the CSC lists this control first. Knowledge is power, and you cannot maintain a security program unless you know EVERYTHING in your environment. Yes, EVERYTHING: servers, laptops, wireless devices, phones, printers, networking components and so on. If it's inside and plugged into the network, you need to know about it, track it and manage it.
The second part of this control is maintaining a set of policies, procedures and technical controls to categorize and authorize every device. Once you find a device you need to show that it is allowed to be there. When unauthorized devices are detected you need to have plans in place to isolate, disable and remove them. This is one of the most difficult, yet most important, controls there is.
The first step is to create an inventory. It will be tedious and time consuming, and depending on the availability of scanning tools you may not be able to collect everything in an automated way. Everyone needs to start somewhere, and as progress is made the inventory becomes easier to complete. However, your environment changes daily, so an inventory isn't meant to be a one-and-done activity. There should be processes and technologies in place to review and monitor the environment, alert on newly detected devices and validate that every device detected is authorized to be there.
Once you get your lists going, there needs to be an authorization process to ensure that the right people are the ones allowing devices to connect to the network and access resources. If the IT organization is disorganized there may be an aspect of your company known as Shadow IT. Shadow IT is a sub-IT group within an organization that operates independently from corporate standards; it procures systems and software without a central check-and-balance system in place to verify that those systems are compliant and meet a standard of business process and security requirements. Until Shadow IT is brought under control you will not be able to fully meet this CSC control.
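The inventory-then-authorize procedure above boils down to one recurring check: take what the network actually shows you, compare it against the list of devices someone has approved, and flag anything that does not match. The script below is an added example written for this post, not code from the original article or from CIS. The inventory CSV, the ARP-style observations, the hostnames and the MAC addresses are all constructed sample data; in practice the inventory would come from a CMDB export and the observations from an ARP, DHCP or NAC feed. The same reconciliation works for wireless BSSIDs against a list of approved access points.

```python
"""Reconcile observed network devices against an authorized device inventory.

Added example (not the post's own code). All data below is constructed.
"""
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass

# Constructed sample inventory: the output of the authorization process.
AUTHORIZED_INVENTORY_CSV = """\
mac,hostname,owner,device_type,status
00:1A:2B:3C:4D:5E,fileserver01,Infrastructure,server,approved
00:1A:2B:3C:4D:5F,printer-2f,Facilities,printer,approved
AA:BB:CC:00:11:22,laptop-jdoe,J. Doe,laptop,approved
AA:BB:CC:00:11:33,laptop-old,A. Smith,laptop,retired
"""

# Constructed sample observations in the style of an ARP table dump.
# MACs deliberately use colon, dash and Cisco dotted formats so the
# normalization step is exercised; a real feed mixes these too.
OBSERVED_ARP = """\
10.0.1.10    00-1a-2b-3c-4d-5e   fileserver01
10.0.1.25    aa:bb:cc:00:11:22   laptop-jdoe
10.0.1.77    aabb.cc00.1133      ?
10.0.1.99    DE:AD:BE:EF:00:01   ?
"""

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(raw: str) -> str:
    """Return the canonical AA:BB:CC:DD:EE:FF form of any common MAC notation."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Finding:
    mac: str
    ip: str
    verdict: str  # "authorized", "unauthorized" or "retired-device-active"
    note: str


def load_inventory(csv_text: str) -> dict[str, dict]:
    """Index the approved-device list by normalized MAC."""
    return {normalize_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(csv_text))}


def parse_arp(text: str) -> list[tuple[str, str]]:
    """Extract (ip, normalized_mac) pairs from whitespace-separated ARP lines."""
    pairs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            pairs.append((parts[0], normalize_mac(parts[1])))
    return pairs


def reconcile(inventory: dict[str, dict], observations: list[tuple[str, str]]) -> dict:
    """Classify every observed device and list approved devices that were not seen.

    Unknown MACs are unauthorized. A known MAC whose inventory status is not
    'approved' (e.g. retired) is a separate finding: the list says it should be
    gone, yet it is talking on the network. Approved devices that never appear
    are reported as missing so the inventory itself gets validated.
    """
    findings: list[Finding] = []
    seen: set[str] = set()
    for ip, mac in observations:
        seen.add(mac)
        row = inventory.get(mac)
        if row is None:
            findings.append(Finding(mac, ip, "unauthorized", "not in inventory; isolate and investigate"))
        elif row["status"] != "approved":
            findings.append(Finding(mac, ip, "retired-device-active", f"{row['hostname']} is marked {row['status']}"))
        else:
            findings.append(Finding(mac, ip, "authorized", row["hostname"]))
    missing = sorted(m for m, r in inventory.items() if r["status"] == "approved" and m not in seen)
    return {"findings": findings, "missing": missing}


if __name__ == "__main__":
    result = reconcile(load_inventory(AUTHORIZED_INVENTORY_CSV), parse_arp(OBSERVED_ARP))
    for f in result["findings"]:
        print(f"{f.verdict:<22} {f.ip:<12} {f.mac}  {f.note}")
    for mac in result["missing"]:
        print(f"{'missing':<22} {'-':<12} {mac}  approved but not observed")
```

Run on the constructed data it reports the laptop with an unknown MAC as unauthorized, the retired laptop as still active, and the printer as approved but unseen. Feeding it a daily ARP or DHCP export and alerting on anything other than "authorized" is the monitoring loop the control asks for; the "missing" list is how you catch inventory rot.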
How It Could Be Exploited
Not all attacks are deliberate. All it takes is someone bringing in a personal laptop and hopping on the network to access the Internet, and malware spreads around the network. Preventing unauthorized devices from connecting to the corporate network through certificates, authentication or some other technical verification as part of a Network Access Control (NAC) process will help slow this down. The control still states that you should have a list of all authorized and unauthorized devices in your environment.
I had one employee bring in a stronger wireless access point to boost coverage, but the signal could be picked up outside the building on the street, exposing the network to outside access more easily than before. We had detection systems and even a Wi-Fi radar to pick up the broadcasts and remove the device, and the employee was immediately terminated on the spot. That's where you want to get to.
The first control is simple on paper. Make a list of all your devices. Simple. Easy, right? When you sit back and start to think about every single device the company and employees use, and whether you allow BYOD, peripherals, mobile devices and now Internet-enabled devices (IoT), the effort involved becomes clear.
CSC 1 is listed first of the 20 for a reason: if it is not addressed, the other 19 become exponentially more difficult.
End of Line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming and system administration through senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.