Today, I will be going over Control 20 from version 7 of the top 20 CIS Controls – Penetration Tests and Red Team Exercises. I will go through the eight requirements and offer my thoughts on what I’ve found.
Key Takeaways from Control 20
- Rely on the previous controls. So much of what’s happening in Control 20 leverages some of the earlier Controls. Understanding your attack surfaces from Controls 1 and 2 can help scope sections 1-3. Control 3 is going to define your vulnerability management toolset, which can be leveraged across most of the sections in this control. The findings from your red team exercises are going to help mature your coverage in every previous control.
- Where’s the remediation? Section 7 states that results should be compared over time; however, there is no guidance on giving these results to the Blue Team to close the gaps discovered from the penetration tests.
Requirement Listing for Control 20
1. Establish a Penetration Testing Program
Description: Establish a program for penetration tests that includes a full scope of blended attacks such as wireless, client-based, and web application attacks.
Notes: This has taken the place as the starting point for those looking to start penetration tests against their assets. If you’re just beginning, don’t try to tackle the full blend of attacks at once. Start with something you may have expertise in and/or a critical finding from a vulnerability scan. Over time, you can get to having the full blend of attacks in your arsenal.
2. Conduct Regular External and Internal Penetration Tests
Description: Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Notes: This section remains relatively intact from the previous version of the controls, albeit with more simple language. As with section 1, you can start with an internal scan then work towards eventually having the external scan results.
3. Perform Periodic Red Team Exercises
Description: Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.
Notes: The difference between sections 2 and 3, is that the defenders (Blue Team) will not be aware of an attack happening. This is designed to test the defenses rather than purely determine if there are holes in the network.
4. Include Tests for Presence of Unprotected System Information and Artifacts
Description: Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, email or documents containing passwords, or other information critical to system operation.
Notes: If you’re not already leveraging Control 13.1, then it will be difficult to be successful in this section. Knowing where your sensitive data is before the attackers do is critical.
5. Create a Test Bed for Elements Not Typically Tested in Production
Description: Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
Notes: This section provides a safe proving ground for testing systems that cannot afford to have any downtime. Even for systems that can afford downtime, it’s good to have a testing environment to develop proof of concept attacks which can then be leveraged on the production environment, if applicable.
6. Use Vulnerability Scanning and Penetration Testing Tools in Concert
Description: Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Notes: Results from the vulnerability scan can and should be used to feed the penetration testing tools. Unless you are doing a black box attack, having the knowledge of what the attack surface is will help the red team be successful. However, be mindful that this could create a bias towards testing only results from the vulnerability scan. Make sure that the red teams are actively testing items that the vulnerability scanner is not reporting, as well.
7. Ensure Results from Penetration Test are Documented Using Open, Machine-readable Standards
Description: Wherever possible, ensure that Red Teams results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
Notes: Using SCAP will be valuable if there are multiple tools from multiple vendors being leveraged by the various security teams. However, the more important requirement here is that you compare your results internally over time regardless of what format is being used.
8. Control and Monitor Accounts Associated with Penetration Testing
Description: Any use or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes and are removed or restored to normal function after testing is over.
Notes: This is part of the clean-up that happens after each engagement by the red team. However, as discussed in the key takeaways above, there is still much to be done after the tests are ran.
See how simple and effective security controls can create a framework that helps you protect your organization and data from known cyber attack vectors by downloading this guide here.
Read more about the 20 CIS Controls here:
Control 20 – Penetration Tests and Red Team Exercises
Control 19 – Incident Response and Management
Control 18 – Application Software Security
Control 17 – Implement a Security Awareness and Training Program
Control 16 – Account Monitoring and Control
Control 15 – Wireless Access Control
Control 14 – Controlled Access Based on the Need to Know
Control 13 – Data Protection
Control 12 – Boundary Defense
Control 11 – Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
Control 10 – Data Recovery Capabilities
Control 9 – Limitation and Control of Network Ports, Protocols, and Services
Control 8 – Malware Defenses
Control 7 – Email and Web Browser Protections
Control 6 – Maintenance, Monitoring, and Analysis of Audit Logs
Control 5 –Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Control 4 – Controlled Use of Administrative Privileges
Control 3 – Continuous Vulnerability Management
Control 2 – Inventory and Control of Software Assets
Control 1 – Inventory and Control of Hardware Assets
You can also learn more about the CIS controls here.