Our Views: CIS Controls 13-15
This month we investigate CIS controls 13, 14 and 15. CIS Control 13 contains advanced safeguards, and it is primarily recommended for organisations that are medium to large and employ individuals responsible for managing and protecting IT infrastructure. However, it may also be considered by organisations with increased operational complexity regardless of size. In contrast, CIS controls 14 and 15 contain vital safeguards for all organisations irrespective of size, resource availability and operational complexity.
CIS Control 13: Network Monitoring and Defence
Operate processes and tooling to establish and maintain comprehensive network monitoring and defence against security threats across the enterprise’s network infrastructure and user base.
Why is it needed?
Even with the best intentions, the network defences operated by any organisation can be bypassed. Attackers share knowledge of exploits and new techniques for evading network security defences, and most network security products also require configuration and tuning for each environment before they provide effective protection. Human error or a lack of tool-specific knowledge can undermine them, so a process of continually monitoring for security issues is vital.
Networks are often compromised months before the compromise is discovered. A network monitoring process that detects, analyses and responds to potential network threats therefore allows a swifter response, reducing the impact. Good situational awareness plays a key role in enabling a fast response; it is gained by teams such as security operations tracking the Tactics, Techniques and Procedures (TTPs) of attackers and the Indicators of Compromise (IoCs) they leave behind.
How is it implemented?
Developing situational awareness requires an organisation to understand its critical business functions, data flows, network architecture, vendor and partner connections and end-user devices and accounts. A good understanding of this environment drives the development of a sound security architecture and the implementation of appropriate security controls and monitoring and response processes. Larger enterprises may choose to set up a security operations centre internally; however, an external service provider or consultancy can equally provide incident detection, analysis, and mitigation.
CIS Control 13 requires security event alerts to be centralised, preferably using a Security Information and Event Management (SIEM) tool that correlates vendor-defined alerts. A log analytics platform is also an option if it correlates relevant security alerts.
Intrusion detection solutions, both host-based and network-based, also contribute to this control by capturing logs and raising alerts; their alerts should feed the same central platform so they can be correlated with other events. Network access for remote assets should be controlled based on whether anti-malware is installed and up to date, whether the device meets the organisation's security configuration standards, and whether the operating system and applications are up to date.
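As an added illustration of the centralised alerting and correlation described above (example code written for this article, not code from the bulletin or from any SIEM vendor), the following Python script normalises constructed log lines from three hypothetical tools (an authentication service, an endpoint anti-malware agent and a firewall) into a common event form and runs two correlation rules over them. The log formats, host names and IP addresses are made up for the example; the thresholds and time windows are assumptions that would need tuning in a real environment.

```python
"""Minimal centralised alert correlation over constructed log lines.

Added illustration for CIS Control 13. All log formats, hosts and IPs
below are constructed for the example and do not describe any real product.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three tools, already forwarded to one place.
SAMPLE_LOGS = """\
2024-03-04T09:00:01 auth  src=203.0.113.7 user=alice result=FAIL
2024-03-04T09:00:03 auth  src=203.0.113.7 user=alice result=FAIL
2024-03-04T09:00:05 auth  src=203.0.113.7 user=alice result=FAIL
2024-03-04T09:00:06 auth  src=203.0.113.7 user=alice result=FAIL
2024-03-04T09:00:08 auth  src=203.0.113.7 user=alice result=FAIL
2024-03-04T09:00:09 auth  src=203.0.113.7 user=alice result=SUCCESS
2024-03-04T09:15:00 auth  src=198.51.100.2 user=bob result=FAIL
2024-03-04T09:40:00 auth  src=198.51.100.2 user=bob result=SUCCESS
2024-03-04T10:02:00 av    host=WS-17 action=DETECTED name=Trojan.Generic
2024-03-04T10:02:30 fw    host=WS-17 dst=192.0.2.50 dport=443 action=DENY
2024-03-04T11:00:00 fw    host=WS-03 dst=192.0.2.9 dport=22 action=DENY
"""

# Assumed line layout: "<iso timestamp> <source tool> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\w+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Normalise one vendor log line into a common event dict (None if unparseable)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": datetime.fromisoformat(m["ts"]), "source": m["source"]}
    for pair in m["kv"].split():
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def parse_logs(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def rule_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when >= threshold failed logins from one source IP are followed
    by a successful login from the same IP within the window."""
    alerts = []
    failures = defaultdict(list)  # src -> timestamps of recent failures
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["source"] != "auth":
            continue
        src = e["src"]
        if e["result"] == "FAIL":
            failures[src].append(e["ts"])
        elif e["result"] == "SUCCESS":
            recent = [t for t in failures[src] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "bruteforce_then_success", "src": src,
                               "user": e["user"], "failures": len(recent)})
            failures[src].clear()  # a success resets the counter for that src
    return alerts


def rule_malware_then_blocked_egress(events, window=timedelta(minutes=10)):
    """Alert when an anti-malware detection on a host is followed by a firewall
    DENY of outbound traffic from that host within the window (possible callback)."""
    alerts = []
    detections = {}  # host -> most recent detection event
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["source"] == "av" and e.get("action") == "DETECTED":
            detections[e["host"]] = e
        elif e["source"] == "fw" and e.get("action") == "DENY":
            det = detections.get(e["host"])
            if det and e["ts"] - det["ts"] <= window:
                alerts.append({"rule": "malware_then_blocked_egress",
                               "host": e["host"], "malware": det["name"],
                               "dst": f"{e['dst']}:{e['dport']}"})
    return alerts


def correlate(text):
    """Run every rule over the centralised log text and return the alerts."""
    events = parse_logs(text)
    return rule_bruteforce_then_success(events) + rule_malware_then_blocked_egress(events)


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

Run against the sample, the script raises two alerts: the five failures followed by a success from 203.0.113.7, and the WS-17 detection followed by a blocked outbound connection. Bob's single failure and the WS-03 deny produce nothing. The point is that no single tool sees either pattern: the authentication service, the anti-malware agent and the firewall each log an unremarkable event, and only the central platform holding all three streams can tie them together. The same code also shows why tuning matters, since a threshold of five failures or a ten-minute window will be wrong for some environments.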
CIS Control 14: Security Awareness and Skills Training
Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.
Why is it needed?
Unlike CIS control 13, the safeguards described in this control are essential for all organisations. Attackers know it is much easier to trick a busy user than to develop a successful network exploit, so they target human weaknesses, which makes people the deciding factor in whether an organisational security program succeeds or fails. In addition to targeted social engineering attacks, people make simple mistakes that result in unintentional cyber incidents, such as sharing sensitive data by sending an email to the wrong recipient, losing a device, or reusing the same password across multiple sites.
How is it implemented?
To satisfy this control, organisations should establish and maintain a security awareness program that educates users about cyber safety in your business when they commence employment, then at least annually and on an ongoing basis.
Making cybersecurity awareness training effective involves designing a program that is topical and relevant to your environment. Cybersafety messages should be distributed regularly so they remain targeted, relevant and front of mind; for example, a brief reminder that malicious emails purporting to be from delivery companies increase as Christmas approaches. Phishing tests are more effective when they are relevant to individual roles within your business; for example, send the accounts payable team a phishing test email that purports to be from a vendor asking to change the bank account details used for invoice payment.
Additional essential safeguards are training users on best practice authentication (Multi-factor Authentication and safe password use), secure data handling and the causes of unintentional data exposure, and the risks of connecting to and transferring data over insecure networks.
Finally, training users to recognise and report security incidents spreads cybersecurity responsibility across the organisation, leading to a greater overall level of organisational protection.
CIS Control 15: Service Provider Management
Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.
Why is it needed?
Organisations rely on an array of service providers, vendors and partners to supply infrastructure and applications and to hold data on their behalf. Precisely because they are essential, service providers are also a core cybersecurity governance risk that must be understood and managed: the impact of a third party breach can include business disruption, data loss and reputational damage.
Assessing the cyber security posture of any provider is a fundamental risk management process. Additionally, many data privacy regulations require that protections extend to service providers, making this process essential in many industries.
Service providers may also contract with additional parties to provide services, creating an even greater potential risk footprint. The security of large cloud-based service providers is often scrutinised when they perform business-critical services; however, smaller service providers can be easily overlooked.
How is it implemented?
You cannot manage what you are unaware of, and therefore implementing this control starts with creating and maintaining an inventory of all service providers. All businesses should have this inventory.
Creating a service provider management policy is next. This policy should outline how you will classify, list, assess, monitor and decommission all service providers. Classification of each provider should be undertaken using characteristics such as data sensitivity, data volume, availability needs, applicable regulations, and inherent and mitigated risk.
Service provider contracts should include minimum security requirements, incident response processes, data breach notification, encryption requirements, and data handling and disposal requirements. Contracts should be reviewed at least annually to ensure they still meet your organisation's security requirements.
More advanced safeguards for this control include:
- Assessing Service Providers: The scope of the assessment may consist of reviewing penetration testing reports, compliance reports (for example PCI DSS attestations) or targeted questionnaires.
- Monitoring Service Providers: Monitoring may include activities such as reassessment of supplier compliance, review of release notes, dark web monitoring.
- Securely Decommission Service Providers: Consider user and service account deactivation, secure disposal of data.
About the Bulletin:
The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date from a high-level perspective with a sample of the latest Forensic and Cyber Security news.
To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line either “Subscribe”, “Unsubscribe”, or if you think there is something worth reporting, “Contribution”, along with the Webpage or URL in the contents.
This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.
