Today, I will be going over Control 14 from version 7 of the CIS top 20 Critical Security Controls – Controlled Access Based on the Need to Know. I will go through the nine requirements and offer my thoughts on what I’ve found.
Key Takeaways for Control 14
- Information Security 101. There are a lot of foundational controls in here which should be adopted by even the smallest of organizations. Network segmentation, permissions, and data encryption are basic security hygiene that are cheap and easy to implement.
- FIM is so much more. With version 7, file integrity monitoring only appears here in section 14.9. However, FIM is a key capability across a wide array of the controls from top to bottom. Deploying FIM should be considered a foundational control for many organizations.
- Automation and integration. Automating security tasks is usually going to be a force multiplier for your security staff. While not directly touched on, integrating tools together is going to be another area to amplify the workforce. By bolting together technologies, a higher visibility into the network can be obtained.
Requirement Listing for Control 14
1. Segment the Network Based on Sensitivity
Description: Segment the network based on the label or classification of the information stored on the services, locate all sensitive information on separated Virtual Local Area Networks (VLANs).
Notes: Network segmentation could have prevented a lot of the breaches we read about in the news. This is one of the foundational controls that should be in place at any organization large or small.
2. Enable Firewall Filtering Between VLANs
Description: Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
Notes: Once you have separated the networks into multiple segments, putting restrictions on how they communicate is how you can actually stop breaches from happening. Some networks are going to have to remain fairly wide open while others can be locked down heavily. For segments that are more open, make sure you are using defense-in-depth to prevent other attack vectors.
3. Disable Workstation to Workstation Communication
Description: Disable all workstation-to-workstation communication to limit an attacker’s ability to move laterally and compromise neighboring systems through technologies such as Private VLANs or micro-segmentation.
Notes: This is useful for not only for attackers’ pivoting but also for self-propagating malware. Most host-to-host communication will occur by system administrators performing maintenance or troubleshooting. Place administrators on their own VLAN to allow them communication into employee’s computers.
4. Encrypt all Sensitive Information in Transit
Description: Encrypt all sensitive information in transit.
Notes: Encrypt early, encrypt often. It doesn’t matter if data is at rest or in transit. Encryption should be done on all sensitive information. If applications aren’t encrypting natively, see if it’s a possibility to tunnel the traffic to where it needs to go.
5. Utilize an Active Discovery Tool to Identify Sensitive Data
Description: Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization’s technology systems, including those located onsite or at a remote service provider and update the organization’s sensitive information inventory.
Notes: Data loss prevention and data classification tools are going to help identify data at rest, which contains sensitive information. Unless you are decrypting traffic, finding data in transit is going to be difficult if not impossible. Don’t forget to look through videos and audio captures, as well. Speech-to-text can output to natural language processing tools to identify sensitive information.
6. Protect Information through Access Control Lists
Description: Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as part of their responsibilities.
Notes: Setting the proper permissions on data is fairly standard practice. What’s important to realize is that this extends out to data stored in cloud service providers, as well. Make sure your data in the cloud also has the proper access lists so the world cannot read/write to it.
7. Enforce Access Control to Data through Automated Tools
Description Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
Notes: As with any portion of information technology, using automation will be a force multiplier. Make sure baselines are set. Then use automation to revert unauthorized changes back to the proper baseline.
8. Encrypt Sensitive Information at Rest
Description: Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system in order to access the information.
Notes: Encryption is touched on a lot across all of the controls and for good reason. By encrypting data at rest, the concern of an encrypted blob being stolen is less of a concern than an unencrypted database falling into the wrong hands.
9. Enforce Detail Logging for Access or Changes to Sensitive Data
Description: Enforce details audit logging for access to sensitive data or changes to sensitive date (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
Notes: Audit logging for file and permission changes at the OS level can be incredibly noisy, generating millions of events sent to a centralized logging server. Instead rely on a file integrity monitoring utility to limit the scope of what to monitor and send only relevant data up to the SIEM. Integrating both of these into change management and other orchestration tools will make managing the enterprise much easier.
See how simple and effective security controls can create a framework that helps you protect your organization and data from known cyber attack vectors by downloading this guide here.
Read more about the 20 (CIS) Critical Security Controls here:
Control 20 – Penetration Tests and Red Team Exercises
Control 19 – Incident Response and Management
Control 18 – Application Software Security
Control 17 – Implement a Security Awareness and Training Program
Control 16 – Account Monitoring and Control
Control 15 – Wireless Access Control
Control 14 – Controlled Access Based on the Need to Know
Control 13 – Data Protection
Control 12 – Boundary Defense
Control 11 – Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
Control 10 – Data Recovery Capabilities
Control 9 – Limitation and Control of Network Ports, Protocols, and Services
Control 8 – Malware Defenses
Control 7 – Email and Web Browser Protections
Control 6 – Maintenance, Monitoring, and Analysis of Audit Logs
Control 5 – Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers