Today, I will be going over Control 1 from version 7 of the top 20 CIS Controls – Inventory and Control of Hardware Assets. I will go through the eight requirements and offer my thoughts on what I’ve found.
Key Takeaways for Control 1
- Start small. This is going to be a control that will need to be continually revisited as you mature the security operations of the organization. Many of these requirements can be done with free tools and managed with simple spreadsheet software. As the organization grows and more controls are implemented, these become more complex and integrate tightly with other requirements throughout the entire suite of CIS security controls.
- Ask for guidance from vendors. Many of these requirements are core capabilities of vendors you already have in your environment. Bring up integrations with various other tools to unlock the full potential of the dollars you already spent.
- Use standardized data formats. Unfortunately, standardized data formats such as SCAP are only called out in other controls. As you begin scanning and gathering data, use the common data formats that more complex tools consume so you don’t lose valuable data when deploying new tools.
Requirement Listing for Control 1
1. Utilize an Active Discovery Tool
Description: Utilize an active discovery tool to identify devices connected to the organization’s network and update the hardware asset inventory.
Notes: By active discovery, they mean scanning the network to find devices, for example with a ping sweep. A quick win is using Nmap to do just that. However, once you get down to Control 3, you can use your vulnerability scanning tools to discover devices for you.
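To show what the "quick win" looks like end to end, here is an added example (not code from the original post) that takes the XML output of an Nmap ping sweep (`nmap -sn -oX`) and turns each responsive host into an inventory row with the fields Control 1 later asks for. The sample XML is constructed and trimmed to the elements the parser reads; the hosts, addresses and vendor strings are made up. Owner, department and approval cannot be learned from a scan, so they are left blank for a person or the asset database to fill in.

```python
"""Parse an Nmap ping sweep (XML output, `nmap -sn -oX`) into hardware inventory rows."""
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -sn -oX - 10.0.0.0/28` might produce on a LAN
# when run with privileges (ARP replies carry MAC addresses). Trimmed to the
# elements this parser reads; the hosts, addresses and vendor names are made up.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sn -oX - 10.0.0.0/28" start="1546336800">
  <host><status state="up" reason="arp-response"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac" vendor="ExampleNet"/>
    <hostnames><hostname name="gw.corp.example" type="PTR"/></hostnames>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="10.0.0.7" addrtype="ipv4"/>
    <address addr="AA:BB:CC:DD:EE:01" addrtype="mac" vendor="ExampleCo"/>
    <hostnames><hostname name="ws07.corp.example" type="PTR"/></hostnames>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <address addr="AA:BB:CC:DD:EE:02" addrtype="mac"/>
    <hostnames/>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="10.0.0.10" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Column set mirrors the metadata Control 1 asks the inventory to hold.
INVENTORY_FIELDS = ["network_address", "hardware_address", "machine_name",
                    "asset_owner", "department", "approved", "source"]


def parse_nmap_xml(xml_text):
    """Return one inventory-shaped dict per host that Nmap reports as up."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # a ping sweep only tells us about responsive hosts
        ip = mac = ""
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr").lower()  # normalise case so MACs compare cleanly
        name_el = host.find("hostnames/hostname")
        name = name_el.get("name") if name_el is not None else ""
        # Owner, department and approval are not discoverable by a scan;
        # they stay blank for a human (or the asset database) to fill in.
        rows.append({
            "network_address": ip,
            "hardware_address": mac,
            "machine_name": name,
            "asset_owner": "",
            "department": "",
            "approved": "",
            "source": "active:nmap",
        })
    return rows


def to_csv(rows):
    """Render rows as CSV, the spreadsheet-friendly form that suits a small organization."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=INVENTORY_FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(parse_nmap_xml(SAMPLE_NMAP_XML)))
```

The `source` column is there so that, once passive discovery is added, you can tell which feed a row came from; hosts that answer a ping sweep but never take a DHCP lease are a useful pointer to statically addressed devices.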
2. Use a Passive Asset Discovery Tool
Description: Utilize a passive discovery tool to identify devices connected to the organization’s network and automatically update the organization’s hardware asset inventory.
Notes: Passive discovery means scanning the network traffic logs for new devices. Scan firewall, DNS, DHCP and web logs for new devices. Any time something new is found, it should be automatically scanned with your vulnerability tool as outlined in Control 3.
3. Use DHCP Logging to Update Asset Inventory
Description: Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization’s hardware asset inventory.
Notes: I consider this to just be part of the previous control. It’s surprising this one is called out specifically because it can be easily bypassed by using static IP addresses.
4. Maintain Detailed Asset Inventory
Description: Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory should include all hardware assets whether connected to the organization’s network or not.
Notes: This is a byproduct of implementing the first three recommendations. Anytime you find something from a scan, it has to go somewhere. This is where it will go. For smaller organizations, a spreadsheet is just fine. Larger organizations will need to integrate into an asset management database.
5. Maintain Asset Inventory Information
Description: Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner and department for each asset and whether the hardware asset has been approved to connect to the network.
Notes: I don’t really see much difference between this and the previous requirement besides this one stating the types of metadata to collect. Any piece of telemetry you can gather about the asset should be added into the asset inventory database.
6. Address Unauthorized Assets
Description: Ensure that unauthorized assets are removed from the network, quarantined or that the inventory is updated in a timely manner.
Notes: Once a baseline is established, new devices should rarely appear on the network, especially if a change management process has been put in place. Detecting a new device does not necessarily mean a malicious actor has gained access to the internal network. It may be employees plugging personal computers into the network, computers that may be littered with viruses.
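Requirements 2, 3, 5 and 6 fit together naturally, so here is one added example (not code from the original post) covering all four: it reads DHCP server log lines, collapses them into one record per hardware address, and checks each against an inventory that carries the approval flag from requirement 5, labelling anything not approved for follow-up. The log lines follow the ISC dhcpd syslog format and are constructed, as is the inventory; the MACs, hostnames and owners are made up. Keying the inventory by hardware address rather than IP is what lets the record survive a lease renewal with a different address.

```python
"""Passive discovery from DHCP server logs, reconciled against the hardware inventory."""
import re

# Constructed sample log lines in the ISC dhcpd syslog format; hosts and MACs are made up.
SAMPLE_DHCP_LOG = """\
Jan  2 08:15:01 dhcp1 dhcpd[1234]: DHCPACK on 10.0.0.7 to aa:bb:cc:dd:ee:01 (ws07) via eth0
Jan  2 08:16:44 dhcp1 dhcpd[1234]: DHCPACK on 10.0.0.23 to de:ad:be:ef:00:01 (johns-macbook) via eth0
Jan  2 08:17:02 dhcp1 dhcpd[1234]: DHCPDISCOVER from de:ad:be:ef:00:02 via eth0
Jan  2 08:17:03 dhcp1 dhcpd[1234]: DHCPACK on 10.0.0.31 to de:ad:be:ef:00:02 via eth0
Jan  2 08:20:00 dhcp1 dhcpd[1234]: DHCPACK on 10.0.0.7 to aa:bb:cc:dd:ee:01 (ws07) via eth0
"""

# Constructed inventory keyed by hardware address (the field that survives IP changes),
# holding the metadata requirement 5 asks for, including whether the asset is approved.
INVENTORY = {
    "aa:bb:cc:dd:ee:01": {"machine_name": "ws07", "asset_owner": "A. Example",
                          "department": "Finance", "approved": True},
    "de:ad:be:ef:00:01": {"machine_name": "johns-macbook", "asset_owner": "J. Example",
                          "department": "Sales", "approved": False},
}

# Only DHCPACK proves a lease was actually handed out; DISCOVER/OFFER lines are noise here.
ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd\[\d+\]: DHCPACK on "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<name>[^)]*)\))? via \S+$"
)


def discover_from_dhcp(log_text):
    """Collapse DHCPACK lines into one record per hardware address."""
    seen = {}
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if not m:
            continue
        mac = m["mac"].lower()
        rec = seen.setdefault(mac, {
            "hardware_address": mac, "network_address": None, "machine_name": "",
            "first_seen": m["ts"], "last_seen": m["ts"], "leases": 0,
        })
        rec["network_address"] = m["ip"]      # most recent lease wins
        rec["machine_name"] = m["name"] or rec["machine_name"]  # hostname is optional in the log
        rec["last_seen"] = m["ts"]
        rec["leases"] += 1
    return seen


def classify(discovered, inventory):
    """Label each discovered asset for the 'address unauthorized assets' step."""
    findings = []
    for mac, rec in sorted(discovered.items()):
        entry = inventory.get(mac)
        if entry is None:
            verdict = "unknown"           # never inventoried: quarantine, or add it with an owner
        elif not entry["approved"]:
            verdict = "known_unapproved"  # inventoried but not cleared to connect
        else:
            verdict = "approved"
        findings.append({**rec, "verdict": verdict,
                         "department": entry["department"] if entry else ""})
    return findings


if __name__ == "__main__":
    for f in classify(discover_from_dhcp(SAMPLE_DHCP_LOG), INVENTORY):
        print(f"{f['verdict']:16} {f['hardware_address']} {f['network_address']:12} "
              f"{f['machine_name'] or '-'} leases={f['leases']}")
```

This feed only sees devices that ask for a lease, which is the weakness noted under requirement 3: a device with a static address never appears here, so the DHCP view should be combined with the active sweep rather than trusted on its own.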
7. Deploy Port Level Access Control
Description: Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.
Notes: To solve requirement 6, implement 802.1x across the board. Getting this deployed correctly is not an easy task, but if you are worried about rogue devices appearing on the network, this can work. Another lesser control would be to tie MAC addresses directly to ports at the switch level. While this can prevent a rogue device from gaining network access, any laptops that travel to various parts of the building may not be allowed physical network access. It can also be a headache to manage if people are moving cubicles often.
8. Utilize Client Certificates to Authenticate Hardware Assets
Description: Use client certificates to authenticate hardware assets connecting to the organization’s trusted network.
Notes: This is one of the more complex requirements, technically speaking, in the entire set of controls. Properly implementing anything dealing with cryptography is challenging. You will need to understand the nuances of the enrollment process and how to manage the Public Key Infrastructure before even thinking about rolling this one out.