Easily Complying with CIS/CSC 20 controls
Elli Lytra
Welcome to a brave new world where governments have started to recognize the significant work being done by security groups to shore up our defenses against malware, data compromise and account misuse. A prime example of this is the California Attorney General's statement, which puts emphasis on making sure that businesses understand it is not going to be business as usual anymore. In this article we will talk about what the CIS 20 controls are and the highlights of the Attorney General's report.
On February 25, 2016 the Government of California released its data breach report. This report is an interesting read and provides a good glimpse into the landscape of security and threats we are facing. Some of the numbers in this report are quite stark. Consider this: 3 out of 5 Californians are potentially affected by a data breach. The number has increased sixfold since the last year. Pause for a second and think: a 6X increase in 1 year. Surely, with all the security dollars being spent, something must not be right. How can numbers like this keep appearing whilst security spending seems to be going up year on year?
What is this CIS/CSC thing?
CIS stands for Center for Internet Security. CIS has released version 6 of its guidelines, and there are some points to keep in mind. The CIS 20 controls can help any organization focus on the top few critical security practices that need to get implemented, now. This list is drawn up from the practical, real-life experience of various types of security organizations, professionals, IT gurus and more. In fact, the list is so effective that, as quoted on the CIS site, the Australian government claims that implementing just the top 5 controls cuts down (known) attacks by 85%. That is no mean feat. Those first five controls cover taking an inventory of IT assets, implementing secure configurations, patching vulnerabilities, and restricting unauthorized users.
Who is it applicable to?
Everyone – yes. However, retail companies, healthcare companies and financial companies seem to be bearing the brunt of these attacks. Retail accounted for 25% of breaches, followed by healthcare and financial services at 18%. If you are in any one of these sectors you are probably dealing with fires that need to be extinguished. We hope that a rundown of the CIS highlights will provide more clarity into how you can be compliant with the CIS 20 controls.
What are the highlights here?
There are 2 parts to this answer. The first one deals with the findings and recommendations from Attorney General Kamala Harris's report. Quoting from Cooley's excellent analysis, Reasonable Security Defined: California Attorney General's 2016 Data Breach Report:
- Implement the 20 controls in the Center for Internet Security’s (“CIS”) Critical Security Controls (“CSC” or “Controls”) “that apply to [the] organization’s environment”;
- Expand the use of multi-factor authentication to protect consumer-facing online accounts that contain sensitive personal information, including online shopping accounts, health care patient portals, and web-based email accounts;
- Use strong encryption to protect personal information on laptops and other portable devices, and consider using the same encryption on desktop computers; and
- Encourage individuals affected by a data breach to place a fraud alert on their credit files.
In my opinion, recommendations 1 and 2 are the most critical. These recommendations are not just for show; consider the Attorney General emphasizing that these "define a minimum level of information security that all organizations that collect or maintain personal information should meet," and that "failure to implement all the [applicable] Controls … constitutes a lack of reasonable security".
Now we’ll talk about the CIS/CSC top 20 controls.
CIS 20 controls top list
A quick poster view that you can print out and keep handy is available at SANS.org.
- Inventory of authorized and unauthorized devices
- Inventory of authorized and unauthorized software
- Secure configuration for hardware and software on mobile devices, laptops and servers
- Continuous vulnerability assessment and remediation
- Controlled use of administrative privileges
- Maintenance, Monitoring and Analysis of Logs
- Email and Web browser protection
- Malware defenses
- Limitation and controls for network ports and services
- Data recovery capability
- Secure configurations for network devices like firewalls and routers
- Boundary defense
- Data protection
- Controlled access based on the need to know
- Wireless Access Control
- Account Monitoring and Control
- Security skills assessment
- Application software security
- Incident Response and Management
- Penetration tests and red team exercises
Your organization will certainly benefit from adopting even a subset of these recommendations. The points above are not radically new, but they are a nice concise list that highlights the most important areas of focus where you can allocate your limited security budget.
How does PAM map to these controls?
There are various open source tools that you can use to plumb together a solution that can help you with these recommendations. Certain security companies also have free versions of their tools, ranging from endpoint security to SIEMs, that you can use to achieve compliance with the CIS/CSC top 20. We are not going to endorse any specific tool or company. Instead we are going to talk about how Privileged Access Management solutions (like Onion ID) can help with compliance for the list above.
A privileged access management (PAM) solution helps make sure that employee accounts on SaaS services and servers are not misused. A PAM solution can help map over and comply with many of the CSC/CIS top 20 recommendations.
A PAM solution can address #5, 6, 9, 10, 11, 14, 16 and 19 to different degrees. We present a brief rationale below:
- Controlled use of administrative privileges – A PAM solution can tightly control what privileges are present for any account not only on servers but also on any 3rd party SaaS service.
- Maintenance, Monitoring and Analysis of Logs – A PAM solution can feed event information, in syslog or JSON format, to a SIEM endpoint for analysis.
- Limitation and controls for network ports and services – A PAM solution can make sure that certain accounts cannot use protocols like SSH over certain IP ranges and ports.
- Data recovery capability – A PAM solution allows for delegation of access when an employee is fired, so that revoking the former employee's access does not cause data loss.
- Secure configurations for network devices like firewalls and routers – A PAM solution can ensure that only certain updates or patches can be applied to critical equipment managing the network. This can be achieved via command introspection.
- Controlled access based on the need to know – A PAM solution is purpose built to solve this pain point. With most PAM solutions you should be able to choose who accesses what and what they can do with that access.
- Account Monitoring and Control – same as above.
- Incident Response and Management – PAM solutions are often tied into the dashboards that IR teams use. It's important for a PAM solution to export data in real time so that the team can use it for IR. This is already available in a few PAM solutions.
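As an added illustration of the mappings above (example code written for this article, not Onion ID's or any other vendor's), the toy policy gate below enforces need-to-know access (#5, #14), restricts which address ranges and ports an account may reach (#9), allow-lists commands on network gear by command introspection (#11), and emits each decision as a JSON event wrapped in a syslog header for the SIEM and IR dashboards (#6, #16, #19). All accounts, address ranges, commands and timestamps are constructed for the example.

```python
import ipaddress
import json

# Constructed need-to-know policy: which accounts may open privileged
# sessions, to which destination ranges and ports, and the role whose
# command allow-list applies to them. Nothing here is real.
POLICY = {
    "alice": {"role": "netadmin", "ranges": ["10.0.1.0/24"], "ports": [22]},
    "bob": {"role": "developer", "ranges": ["10.0.2.0/24"], "ports": [22]},
}
# Command introspection: only these commands may reach network devices.
COMMAND_ALLOWLIST = {
    "netadmin": {"show running-config", "copy flash:approved-patch.bin"},
    "developer": {"show version"},
}

def evaluate(user, dst_ip, port, command):
    """Return (allowed, reason) for a requested privileged session/command."""
    entry = POLICY.get(user)
    if entry is None:
        return False, "unknown account"
    if port not in entry["ports"]:
        return False, f"port {port} not permitted for {user}"
    addr = ipaddress.ip_address(dst_ip)
    if not any(addr in ipaddress.ip_network(r) for r in entry["ranges"]):
        return False, f"{dst_ip} outside permitted ranges"
    if command not in COMMAND_ALLOWLIST.get(entry["role"], set()):
        return False, f"command not on allow-list for role {entry['role']}"
    return True, "ok"

def audit_event(ts, user, dst_ip, port, command):
    """Evaluate the request and return the JSON event line a PAM tool
    would ship to a SIEM; ts is an ISO 8601 timestamp string."""
    allowed, reason = evaluate(user, dst_ip, port, command)
    return json.dumps({
        "ts": ts, "user": user, "dst": dst_ip, "port": port,
        "command": command, "decision": "allow" if allowed else "deny",
        "reason": reason,
    }, sort_keys=True)

def to_syslog(json_line, host="pam-gw"):
    """Wrap a JSON event in an RFC 5424 header (facility auth=4,
    severity notice=5, so PRI = 4*8+5 = 37) for syslog-only collectors."""
    ts = json.loads(json_line)["ts"]
    return f"<37>1 {ts} {host} pam - - - {json_line}"

if __name__ == "__main__":
    for req in [("alice", "10.0.1.5", 22, "show running-config"),
                ("bob", "10.0.2.7", 22, "show version"),
                ("alice", "10.0.1.5", 22, "reload")]:
        print(to_syslog(audit_event("2016-02-25T00:00:00Z", *req)))
```

Because each deny carries a machine-readable reason, a SIEM rule can alert on repeated denies per account without parsing free text.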
In this article we have listed the CIS/CSC top 20 recommendations, the rationale from a state level perspective of why it’s important to adhere to them and have provided information about how a PAM solution can map over to help comply with certain portions of the requirements.