Today, I will be going over Control 9 from version 7 of the CIS top 20 Critical Security Controls – Limitation and Control of Network Ports, Protocols, and Services. I will go through the five requirements and offer my thoughts on what I’ve found.
Key Takeaways for Control 9
- Reduce your attack surface. So much of control 9 is about limiting the external attack surface of a system. This is always the first step in securing an endpoint.
- Duplication with other controls. Everything being done in control 9 is going to be accomplished by completing other controls elsewhere. I would probably leave this one for last as it’s the least impactful (due to duplication) out of any of the controls.
Requirement Listing for Control 9
1. Associate Active Ports, Services and Protocols to Asset Inventory
Description: Associate active ports, services, and protocols to the hardware assets in the asset inventory.
Notes: Utilize the same technology, or at least the same asset database which you are using in Control 2 (specifically 2.5). A more advanced integration would be to tie the ports and protocols to the applications and then associate the applications with a business unit if possible. This would also relate to control 11.2, which asks to associate traffic configuration rules on the network to a business unit.
2. Ensure Only Approved Ports, Protocols and Services Are Running
Description: Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.
Notes: Create the baseline of what is listening on the systems. Over time, you can comb through the results and make sure nothing is out of the ordinary. As you are going through that process, new ports should trigger an investigation if they are not expected. Using a vulnerability scanner such as IP360 or a tool like Tripwire Enterprise to list out ports will make this much easier on the security teams.
3. Perform Regular Automated Port Scans
Description: Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.
Notes: Performing these scans will feed the previous sections. For smaller environments, a simple NMAP scan could suffice. However, larger organizations will want to take advantage of more robust scanning tools, such as IP360, that can tackle thousands of endpoints in a shorter period of time.
4. Apply Host-based Firewalls or Port Filtering
Description: Apply host-based firewalls or port filtering tools on end systems with a default-deny rule that drops all traffic except those services and ports which are explicitly allowed.
Notes: Don’t fall for the trap that only applying a network-based firewall is going to protect you as traffic on the same subnet can bypass network firewall configurations. When implementing, don’t forget that limiting outbound traffic is just as important as restricting inbound communications.
5. Implement Application Firewalls
Description: Place application firewalls in front of any critical service to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.
Notes: Any firewall or IDS/IPS that can understand the application layer traffic is going to be more effective than just blocking ports and protocols. I would expect to see this requirement dropped in favor of combining it with requirement 18.10 (Deploy Web Application Firewalls). However, a four requirement control would be a little light, so maybe we need to move the remaining controls elsewhere as well in favor of a more impactful control?
See how simple and effective security controls can create a framework that helps you protect your organization and data from known cyber attack vectors by downloading this guide here.
Read more about the 20 Critical Security Controls here:
Control 20 – Penetration Tests and Red Team Exercises
Control 19 – Incident Response and Management
Control 18 – Application Software Security
Control 17 – Implement a Security Awareness and Training Program
Control 16 – Account Monitoring and Control
Control 15 – Wireless Access Control
Control 14 – Controlled Access Based on the Need to Know
Control 13 – Data Protection
Control 12 – Boundary Defense
Control 11 – Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
Control 10 – Data Recovery Capabilities
Control 9 – Limitation and Control of Network Ports, Protocols, and Services
Control 8 – Malware Defenses
Control 7 – Email and Web Browser Protections
Control 6 – Maintenance, Monitoring, and Analysis of Audit Logs
Control 5 – Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
You can also learn more about the CIS security controls here.