Our Views:
This month’s theme is “Cyber Controls # 7 to 9”.
This month we look at CIS controls 7, 8 and 9, marking the halfway point in our deep dive into all 18 recommended cybersecurity controls.
CIS Control 7: Continuous Vulnerability Management
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate, and minimise, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.
Why is it needed?
Cyber attackers are always looking for vulnerabilities within systems to exploit. To defend against these attacks your business must ingest multiple sources of threat information and act in a timely fashion on software updates, security advisories, patches and more. Once a new vulnerability is found and reported, by researchers or the wider IT community, it is essentially a race between the attackers looking to leverage it to cause harm and the defenders. As a business, you must wait for vendors to develop and release a suitable patch or upgrade and to publish indicators of compromise (IOCs). Once that is available you must assess the risk of the vulnerability to your business, regression test the fix against existing systems and finally install the patch or update. Clearly there is a window in this cycle during which many organisations remain vulnerable and attackers may exploit the gap. The longer it takes your organisation to assess the risk and patch your systems, the more exposed you are.
As vulnerabilities are now being discovered at pace in our environments, not only does vulnerability management need to be a continuous process, but it requires strong prioritisation of the risks and corresponding patches for deployment. Ongoing monitoring of vulnerabilities is needed as devices may only be connected to your network for brief periods of time. Maintaining visibility in this dynamic environment is crucial.
How is it implemented?
Meeting this control at a basic level requires establishing and maintaining a vulnerability management and remediation process. This process should encompass the assessment of new threats, a strong prioritisation method, and action steps and accountability for remediation. The process and remediation should be reviewed at least monthly. Automated operating system and application patch management is also a baseline requirement to meet this control; these standard automatic updates must occur monthly or more frequently.
At a more advanced level, a business can consider introducing automated vulnerability scanning of all internal and externally-exposed assets. Remediation of any vulnerabilities found from this automated process should occur on a monthly or more frequent basis.
There are many commercial tools available for network vulnerability scanning, at both a manual and automated level and many of these can be managed remotely. The frequency of scanning needed to discover potential vulnerabilities and remain secure is usually determined by the complexity of your business assets. More frequent scans are necessary with a greater number of vendors in order to align with their different patch cycles. Other tools that assist with vulnerability management include free and commercial tools that review your network assets’ security settings and secure configuration. Once again more advanced tools can automatically notify you if settings are inadequate or show unauthorised or unintended changes in your network that may introduce risk.
Scanning tools can be linked to ticketing systems in the overall management process to ensure that any vulnerabilities are remediated quickly. When introducing a vulnerability management process, one recommendation is to use standardised schemes and languages such as Common Vulnerabilities and Exposures (CVE) identifiers, or the Open Vulnerability and Assessment Language (OVAL). Additionally, the Common Vulnerability Scoring System (CVSS), maintained by FIRST and used in NIST's National Vulnerability Database, is a good place to start when introducing vulnerability prioritisation in your process. Bear in mind that a CVSS base score measures technical severity, not risk to you: adding organisation-specific information, such as whether the affected asset is internet-facing or business-critical, whether the vulnerability is known to be exploited, and the likelihood of it being used against your business, will turn the CVSS score into a contextually relevant prioritisation scheme for your organisation.
CIS Control 8: Audit Log Management
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
Why is it needed?
Writing from an incident response and forensic analysis point of view (rather than a general IT or security standpoint) it is hard to stress enough the importance of suitable log collection, management and analysis. In fact, we could probably write a book on this control alone. Poor log collection or analysis processes can allow an attacker to sit inside a network for lengthy periods without anyone being aware they are there. In contrast, if logs are analysed effectively then intrusions can be discovered and dealt with in a timely fashion.
Log data can also provide critical information around suspected cyber incidents and may at times be the only evidence of a cyberattack. If suitable and complete logs are kept, they can provide valuable insight into a suspected attack such as when and how it may have occurred, how long an attacker may have had access to your systems, what data was accessed, and if any data was exfiltrated.
How is it implemented?
The basic level of this control involves establishing and maintaining an audit log management process. This process defines the organisation's logging requirements and specifies the collection, review and retention of all log data. Audit logs across all enterprise assets must be collected in alignment with the log management process, and adequate storage for log data maintained.
Most assets and software have some logging capability. It is important to differentiate here between system and audit logs: system logs are generally native to the system and easy to turn on, whereas audit logs require more attention. System logs generally record system-related events such as process timing and crashes. In contrast, audit logs record vital information about user activity such as successful and failed logons, logon times, files and folders accessed, and so on. Audit logs require more configuration to enable; however, they are essential for visibility into your environment.
Once a basic log management process is embedded in your business the CIS controls recommend the following steps for consideration:
- Configuring at least two synchronised time sources across the environment so that timestamps from different systems can be correlated
- Collecting detailed audit logs for any assets that hold sensitive data. Note: Despite this being an intermediate step in the CIS controls, we believe this should be seriously considered in today’s privacy-aware environment.
- Collecting DNS query, URL request, and command-line audit logs wherever supported. Firewalls, proxies and remote access systems should all have verbose log data enabled where practicable.
- Centralising all logging by sending all enabled logs to a centralised logging server.
- Retaining all logs for a minimum of 90 days. Ideally, older logs should then be archived, encrypted, for a further 365 days.
- Conducting log reviews on a weekly (or more frequent) basis to detect anomalies that may indicate a threat.
- Collecting service provider logs where available such as authorisation events.
Finally, it is wise to regularly perform simulations to test your logging and ensure appropriate logs are generated and able to be accessed for each suspicious event. This is a key part of being forensically prepared to respond to any cyber incident.
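As an added example (not code from the bulletin), the following small review pass shows the two sides of this: it runs a detection over centralised authentication logs (a burst of failed logons from one source followed by a success on the same host) and a logging-health check that reports expected sources that have gone quiet, which is the kind of thing the simulations above should catch. The log lines are constructed in the style of Linux sshd syslog output with fictional hosts and documentation IP ranges; the thresholds and window are assumptions for the example.

```python
"""Added example (not from the bulletin): a review pass over centralised
authentication logs that (a) flags password-guessing followed by a successful
logon from the same source and (b) reports log sources that have gone silent."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines in the style of Linux sshd syslog output (fictional hosts/IPs).
SAMPLE_LOG = """\
2024-03-04T02:10:01Z web01 sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
2024-03-04T02:10:04Z web01 sshd[2203]: Failed password for root from 198.51.100.23 port 51030 ssh2
2024-03-04T02:10:07Z web01 sshd[2205]: Failed password for root from 198.51.100.23 port 51041 ssh2
2024-03-04T02:10:09Z web01 sshd[2207]: Failed password for root from 198.51.100.23 port 51052 ssh2
2024-03-04T02:10:12Z web01 sshd[2209]: Failed password for root from 198.51.100.23 port 51060 ssh2
2024-03-04T02:10:15Z web01 sshd[2211]: Accepted password for root from 198.51.100.23 port 51071 ssh2
2024-03-04T02:11:40Z db01 sshd[887]: Accepted publickey for deploy from 10.0.5.12 port 40212 ssh2
2024-03-04T02:12:03Z web02 sshd[1410]: Failed password for root from 203.0.113.8 port 33002 ssh2
2024-03-04T02:30:00Z web02 sshd[1450]: Accepted publickey for deploy from 10.0.5.12 port 40310 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse(log_text: str) -> list:
    """Turn raw lines into event dicts; lines the pattern does not recognise are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "host": m["host"], "result": m["result"], "user": m["user"], "ip": m["ip"],
        })
    return events


def find_bruteforce_success(events, threshold=5, window=timedelta(minutes=10)):
    """Flag an Accepted logon preceded by >= threshold failures from the same
    source IP to the same host within `window` (thresholds are assumptions)."""
    failures = defaultdict(list)
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["ip"], e["host"])
        if e["result"] == "Failed":
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            hits.append({"ip": e["ip"], "host": e["host"], "user": e["user"],
                         "failures": len(recent), "at": e["ts"].strftime(TS_FMT)})
    return hits


def silent_sources(events, expected_hosts, now, max_silence=timedelta(hours=1)):
    """Logging-health check: expected hosts with nothing logged in the last
    `max_silence`. A host that stops sending logs is either down or has had its
    logging tampered with; either way someone should look."""
    last_seen = {}
    for e in events:
        last_seen[e["host"]] = max(last_seen.get(e["host"], e["ts"]), e["ts"])
    return sorted(h for h in expected_hosts
                  if h not in last_seen or now - last_seen[h] > max_silence)


def review(log_text: str, expected_hosts: list, now_iso: str) -> dict:
    """One review run: detections plus logging-health findings."""
    events = parse(log_text)
    now = datetime.strptime(now_iso, TS_FMT)
    return {"events": len(events),
            "hits": find_bruteforce_success(events),
            "silent": silent_sources(events, expected_hosts, now)}


if __name__ == "__main__":
    print(review(SAMPLE_LOG, ["web01", "web02", "db01", "vpn01"], "2024-03-04T02:30:00Z"))
```

In the sample data the review flags the root logon on web01 from 198.51.100.23 after five failures, and reports vpn01 as silent: it is on the expected list but has sent nothing, which is exactly the gap a forensic-readiness test is meant to surface before an incident does.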
CIS Control 9: Email and Web Browser Protections
Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behaviour through direct engagement.
Why is it needed?
Email and the web are the primary (digital) ways in which users in your business access the outside world and interact with untrusted users and environments. Unfortunately, this makes them common targets for attackers using malicious code or social engineering techniques to access your network.
Web browsers can be exploited in various ways. The browser itself may be outdated or have a vulnerability that can be exploited. A third-party plug-in to the browser may be outdated, have a vulnerability, or have come from an untrusted source and be malicious itself. Attackers may also create malicious web pages designed specifically to target insecure browsers. Email is generally targeted with spam or malicious messages and attachments (phishing attacks) designed to catch a victim in a moment of inattention.
How is it implemented?
CIS control 9 focuses on implementing safeguards against email and web browser attacks:
Firstly, ensure only fully supported browsers and email clients from trusted vendors are used on all enterprise assets, and put DNS filtering in place to block resolution of known malicious domains. A more advanced safeguard that builds on DNS filtering is the maintenance and enforcement of network-based URL filters. These can be configured in various ways, such as category-based filtering or block lists, allowing businesses to decide what is relevant for them.
Preventing users from installing unsupported plugins, or any unauthorised browser or email extensions is also important to minimise risk. Any unauthorised or unsupported plugins or extensions should be uninstalled or disabled, thereby ensuring all browsers on your network are known and included in the vulnerability management process outlined in control 7.
Implementing Domain-based Message Authentication, Reporting & Conformance (DMARC) will lower the potential for spoofed emails purporting to come from your domains. DMARC policy and verification should be implemented on top of the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) standards, since DMARC passes only when one of those checks passes and aligns with the From domain. Additionally, blocking unnecessary file types at your email gateway will reduce the risk.
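A common failure with this safeguard is publishing records that exist but protect nothing (p=none, ~all, pct=50). The following added example (not code from the bulletin) checks the strength of SPF and DMARC TXT records. Records are passed in as strings so it runs offline; in practice you would fetch the TXT record at the domain itself and at _dmarc.<domain>. It does not look at DKIM keys (published under <selector>._domainkey.<domain>), and the sample records are constructed for the example.

```python
"""Added example (not from the bulletin): score the strength of SPF and DMARC
TXT records. Input records are strings; real use would fetch them from DNS."""

SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def spf_mechanism(term: str) -> str:
    """'include:_spf.x.com' -> 'include', '~all' -> 'all', 'a/24' -> 'a'."""
    name = term.lstrip("+-~?").lower()
    for sep in (":", "/", "="):
        name = name.split(sep, 1)[0]
    return name


def check_spf(record: str) -> list:
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record missing or does not start with v=spf1"]
    all_term = next((t for t in terms if spf_mechanism(t) == "all"), None)
    if all_term is None:
        findings.append("SPF: no 'all' mechanism, so unlisted senders are treated as neutral")
    elif all_term.startswith("+") or all_term.lower() == "all":
        findings.append("SPF: '+all' authorises any sender to spoof the domain")
    elif all_term.startswith("?"):
        findings.append("SPF: '?all' (neutral) gives no protection")
    elif all_term.startswith("~"):
        findings.append("SPF: '~all' (softfail) only; move to '-all' once DMARC reports confirm legitimate senders")
    if any(spf_mechanism(t) == "ptr" for t in terms):
        findings.append("SPF: 'ptr' mechanism is deprecated (RFC 7208) and unreliable")
    lookups = sum(1 for t in terms if spf_mechanism(t) in SPF_LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceeds the RFC 7208 limit of 10 (permerror)")
    return findings


def parse_tags(record: str) -> dict:
    """Parse 'k=v; k=v' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_dmarc(record: str) -> list:
    findings = []
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record missing or does not start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in POLICY_RANK:
        return ["DMARC: no valid 'p' policy tag"]
    if policy == "none":
        findings.append("DMARC: p=none is monitoring only; spoofed mail is still delivered")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
    sub_policy = tags.get("sp", policy).lower()
    if POLICY_RANK.get(sub_policy, 0) < POLICY_RANK[policy]:
        findings.append(f"DMARC: subdomain policy sp={sub_policy} is weaker than p={policy}")
    if not tags.get("rua"):
        findings.append("DMARC: no 'rua' aggregate-report address, so you will not see who is spoofing you")
    return findings


def assess(spf_record: str, dmarc_record: str) -> dict:
    """Combined result; 'strong' is True only when neither record has findings."""
    spf = check_spf(spf_record)
    dmarc = check_dmarc(dmarc_record)
    return {"spf": spf, "dmarc": dmarc, "strong": not spf and not dmarc}


# Constructed sample records (fictional domains).
WEAK_SPF = "v=spf1 include:_spf.example.net include:mail.example.org a mx ptr ~all"
STRONG_SPF = "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for name, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(name, assess(spf, dmarc))
```

The "weak" pair is what many organisations are actually running after a quick DMARC rollout: it will pass a tick-box audit and still let a spoofed invoice through. The aim is to reach p=reject with -all, but only after the aggregate reports show that every legitimate sender (including third-party marketing and ticketing services) is already authenticating.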
The final recommended step for robust email protection is to consider deploying email server anti-malware protections that work by scanning attachments to detect potential threats and then sandboxing these for analysis.
About the Bulletin:
The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date from a high-level perspective with a sample of the latest Forensic and Cyber Security news.
To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line either “Subscribe”, “Unsubscribe”, or if you think there is something worth reporting, “Contribution”, along with the Webpage or URL in the contents. Access our Privacy Policy.
This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.
