Following on from my last post on the CIS Basic Security Controls, this post will look at the next group – the foundational controls. These are a step up from what is considered “the basics” and are things that organisations should be thinking about implementing for good security posture.

There are quite a few controls in this section, so I’ll try to keep the blurb on each relatively succinct. This won’t be an in-depth review of each, that being said, be warned that it will be a longer than usual post!

For an in-depth explanation of each of the points, I’d recommending downloading the controls from the CIS website - CIS Controls

Foundational controls

7) Email and web browser protections

It comes as no surprise that web browsing and email are two of the most common entry points into the network for attackers. Why spend time probing servers, looking for vulnerabilities and then trying to exploit them, when you can just ping an email to a user with a malicious link!

Recommendations regarding web browsers include things such as ensuring fully supported browsers are deployed and that unnecessary browser extensions are disabled/prevented. The first seems (hopefully) obvious to most people – vulnerable old browsers may be susceptible to compromise simply by browsing to a site. The latter point perhaps not so obvious. But browser extensions are an increasingly common way that attackers are targeting and compromising endpoints or the services they connect to.

URL and DNS filtering are unsurprisingly recommended as in the control. I’d recommend you think about where your users are working when you start to think about this too. With an increasingly mobile workforce and a shift to cloud-based apps, URL/DNS filtering needs to be implemented wherever the end-user is – be that the office, home or a coffee shop down the road! An office-based proxy alone is typically not fit for purpose anymore.

SPAM filters are also a no-brainer and something that every organisation should be implementing. Email is still one of the most common (if not THE most common) attack vector. Unnecessary file types are recommended to be blocked and sandboxing considered. Email tools such as DMARC, DKIM and SPF should also be implemented within organisations. One thing not specifically called out in this section which I feel is important is user education and phishing simulation. Simulations give you the opportunity to see which of your users perhaps require a bit more attention.

8) Malware defences

Again, hopefully it comes as no surprise that anti-malware software is one of the top twenty controls. The CIS controls hone in on the fact that this should be centrally managed and regularly updated. Malware evolves quickly and usually comes in a number of different “strains”, so staying on top of updates is important if you want to prevent your endpoints being compromised.

The control also touches on some less commonly considered areas such as enabling operating system anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout Randomisation (ASLR), disabling auto-run of removable media and enabling DNS query logging. Command line auditing is also recommended for shells such as cmd, PowerShell and Bash to highlight where an attacker may be using built-in tools to carry out malicious activities post-compromise, so they can “fly under the radar” as it were.

9) Limitation and control of network ports, protocols and services

An easily overlooked aspect of installing new systems is to review what they have enabled and disable any services that aren’t required. Even “secure” devices such as edge firewalls should still be reviewed and tuned accordingly. Take this relatively recently disclosed vulnerability as an example – Cisco SIP Vulnerability. The advisory references a vulnerability that could allow an unauthenticated, remote attacker to reload a Cisco firewall. The underlying vulnerability ties back to issues within the SIP inspection engine (related to Session Initiation Protocol – a voice/video signalling protocol). This inspection is on by default, however if it had been reviewed and disabled (assuming it wasn’t required) then it would have mitigated the attack.

It is relatively common to see organisations doing this kind of filtering on edge firewalls – perhaps for servers in a DMZ. But what about internal hosts? Just because a device isn’t Internet facing shouldn’t exclude it from this scrutiny. If you’ve got a bunch of poorly configured internal devices, then this can aid an attacker in lateral movement and persistence should they compromise your edge defences. Don’t think of this as a one-time task either. Software upgrades, configuration changes, patches – they can all introduce new holes that weren’t there previously. Automated scanning should take place in the environment to flag when the situation changes.

The control also calls out the use “application firewalls” in critical servers to verify and validate traffic. One example of this type of firewall would be a Web Application Firewall (WAF) in front of some Internet facing web servers. These solutions help to remove any potentially malicious traffic and ensure attacks aren’t getting through to the backend. These should be considered a “defence in depth” strategy however and are not a substitution for good patch management and good coding of applications.

On a similar train of thought, L3/L4 firewalls that filter traffic purely based on port/protocol are often largely inefficient without some application context associated as well. Letting port “80” out of your organisation does not guarantee you are only letting clear text HTTP out – any number of applications could be tunnelled through that port. Even a rule allowing DNS can be abused to tunnel other types of traffic.

10) Data recovery capabilities

What… wait? Backups? I thought we were talking about security? Largely not thought of from a “security” aspect, but consider the three pillars of security – Confidentiality, Integrity and Availability. If you have your organisation wiped out by ransomware and have no backups you’re going to struggle with that last one!

Backups need to be carried out regularly and automatically. Please don’t forget to ensure you test restoration of services as well. It is one thing having backups, but if you come to use them and they are corrupt, damaged or you just don’t know how to restore them, then again that availability piece is going to be a bit tricky for you!

I’d caution people to think about where and what they are backing up. A couple of examples to illustrate what I mean.

  • Say you are backing up your machine to a cloud-based OneDrive account (or similar). Great, “the cloud” is completely independent of your hardware right? Unless of course, you leave it mapped as a network drive which Ransomware can then encrypt. At least one of your backup sources needs to not be “addressable through operating system calls”
  • Plan for the worst. Based on articles I’ve read online (so it may not be true of course), a certain organisation that was badly hit by NotPetya last year (Google it yourself – I’m not going to name here), only managed to restore their Active Directory infrastructure by way of a bit of luck. Specifically, one of their domain controllers happened to be offline at the time of the ransomware outbreak due to a local power outage. New domain controllers can restore themselves from other domain controllers, however the organisation had never planned for the worst outcome whereby all their domain controllers were unavailable at the same time. Good job that one server was offline at the time…

Don’t forget either – those backups that you are shipping to an offsite location (be it physical or cloud-based) likely contain sensitive information. So, make sure you are considering physical security and encryption when thinking about how and where your backups are stored.

11) Secure configuration for network devices

Similar to the secure configuration of mobile, endpoint and server devices (as referenced in the “basic” category), however this control is specifically aimed at your routers, switches, firewalls, wireless LAN controllers and other such devices. Out of the box, many devices do not offer a secure configuration. Designing and documenting a secure standard is therefore important to ensure the devices are correctly configured but now and in the future. As with a lot of controls there then needs to be a continuous process to monitor for any changes to the secure baseline.

Other recommendations include applying the latest security patches, management via encrypted sessions (such as HTTPS and SSH) and the implementation of multi-factor authentication. Multi-factor/2FA is often one of those things I end up commonly seeing for external facing services (which is really important) but lacking on internal resources. Whilst the necessity of it being applied internally isn’t quite as critical, chances are you already have the relevant infrastructure/services in place to do so – so why not use what you have and bolster your security a bit more?

Another recommendation I don’t often see applied is the use of dedicated workstations for the management of the infrastructure. The idea behind this is obviously to separate risky usage such as web-browsing and email from the use of privileged accounts and access rights. This doesn’t necessarily mean administrators need to walk around with two laptops, but you could look at implementing secured bastion hosts such as a Windows or Linux virtual machine, used solely for administration.

12) Boundary defence

The network boundary – the area between your internal networks and the Internet. It is becoming somewhat of a blurred line in the shift to cloud-based applications and the increase in mobile work-forces. That being said, there are few organisations operating in an entirely cloud-based infrastructure, so this is still important and not going away anytime soon.

This control is all about ensuring you know what is coming in and out of your networks. This can be helped by appropriate controls such as scanning your external IP ranges, decryption of outbound traffic, IDS/IPS systems and denying connections to known malicious hosts. TLS decryption is one of those things I often see organisations wary off (as you can read more on my previous article – here) but without carrying it out it can be difficult to see what is going on and provide adequate protection. Malware often uses TLS to mask what it is doing, so if you are just allowing “port 443” out to the Internet, how are you ensuring it is valid web browsing and not malicious communication?

Once again, multi-factor authentication is called out as a recommendation for remote access to internal resources (such as VPN and email). You’ll see this is a recurring point across multiple controls – if you aren’t yet doing it and have public services (cloud or on-prem) then you really need to be thinking about implementing it. There are numerous solutions out there and most are really easy to get up and running. They start offering benefits really quickly and help protect against humans being notoriously poor at passwords!

13) Data protection

As the CIS controls point out – “Data resides in many places” and this is especially true nowadays with the huge surge in cloud-based solutions and services. This has always been important but seems to be more on people’s radar with the likes of GDPR coming into play recently.

What the content and sensitivity of said “data” is, will vary from organisation to organisation. The first step in being able to protect your data is to actually understand what data is sensitive, where it resides and how it is stored, processed and transmitted. Only when you understand this, can you actually begin applying adequate protection. This could include things such as monitoring and blocking unauthorised file transfer, restricting the use of cloud-based email services and monitoring the use of encryption – all of which could be used by someone trying to stealthily exfiltrate data.

Protection against potential malicious behaviour isn’t the only thing this control aims to address. It also recommends encrypting hard-drives and managing the use of USB storage devices, both of which could help protect against clumsy end-users who lose devices or plug in USBs without considering the implications. There have been numerous data breaches over the years where people have just left devices on public transport and they lacked any kind of encryption.

14) Controlled access based on a need to know

This ties back closely to the previous point. One way in reducing the potential attack surface of your sensitive data is to reduce the number of people/devices that have access. The control specifically calls out good segmentation (something that many organisations lack), encryption of data (both at-rest and in-transit) and good auditing.

Encryption is one of the key themes of this control. Done properly, encryption can protect data even in the event of the breach. Granted, it would be best if an attacker didn’t get their hands on a database full of sensitive info in the first place, but if they do and it has the relevant layers of strong encryption, then it will in effect be useless to them and other malicious parties.

Data Loss Prevention (DLP) is mentioned as a recommendation and is an approach that consists of people, processes and technology to help ensure that data is only accessed and transmitted where it should be. DLP solutions aim to categorise data in some manner and then apply policies based on that categorisation. There are a number of solutions on the market, but I’d caution you to do homework and ensure that it meets your requirements – DLP can be difficult. Keep in mind again, many of your employees are likely to be remote – so how are you enforcing any DLP policies for them? For instance, you may have a network-based DLP solution at your Internet boundary to look for certain types of files, but what if someone accesses a cloud-based application directly from home? Or what if they open a sensitive document and then copy/paste or into a cloud-based email service? What if they take a screenshot? All things to be considered when asking “does this solution address our risks?”

15) Wireless access control

Many of the points we have discussed make reference to gaining access to an internal network. Be that via plugging into a floor port or compromising a system. However, with wireless access you are literally broadcasting your network out to the surrounding streets! You’d better be focusing some attention on this and ensuring it is properly secured.

The control recommends being able to detect unauthorised wireless access points. These could be incorrectly/poorly configured access points that have been plugged into your LAN or could be an attacker sat outside spoofing your corporate SSID and trying to entice users to enter their credentials. Wired Network Access Control can most definitely help with the first point, but for the second you need to be thinking about Wireless Intrusion Detection System (WIDS/WIPS) capabilities and restricting which networks corporate issued machines can connect to.

Strong encryption and access control is also a must. You should be utilising AES for encryption and implementing a secure mutually authenticated 802.1x/EAP authentication process such as EAP-TLS or EAP-PEAP. Enterprise networks shouldn’t be using pre-shared-key, but again is something I see more than I’d like. I’d recommend considering the type of EAP authentication you implement as well. For instance, user-based PEAP authentication alone would allow an employee to connect any device they want as they know their credentials. Machine-based authentication however allows you to control what device is connecting to the network. It is also recommended that if you are providing guest/BYOD type access (as most organisations do) that the personal/visiting devices are sufficiently isolated from your other devices/internal network.

Maybe consider 2FA as well. It is rare I see this being done on wireless networks as it is relatively intrusive to the user (broadly speaking) but if your environment dictates particularly high-levels of security then it could be worth considering over perhaps scrapping the benefits of wireless altogether.

16) Accounting monitoring and control

Finally, but by absolutely by no means last, this section brings in some more monitoring and control recommendations in relation to accounts. I see plenty of environments with some really great security products in, but if you aren’t carrying out a decent level of logging and monitoring, I guarantee you are missing potential problems. What are some of the things this control recommends and how could they help?

One thing the recommendations focus on is identifying, consolidating and centralising your authentication systems. Having one or two solutions to manage for all of your authentications is a lot easier than each maintaining twenty different applications each with their own credential repository. It makes monitoring and granting/revoking access a lot easier. This is particularly important to consider in the shift to cloud-based applications as well, where if you aren’t revoking access after a user leaves, they could potentially still access resources you don’t want them to. Solutions based on SAML and OAuth are two common approaches to help implement this.

Our good friend 2FA crops up again here (seriously – have I persuaded you to go and look at this yet?!). I’ll say no more.

Good account hygiene is also important. Things such as revoking access when users leave, disabling unused accounts, monitoring for logins to disabled accounts and ensuring expiration dates are in place. You should be applying appropriate monitoring of your authentication activity and end-user behaviour as well. SIEM solutions will often incorporate UEBA (user/entity behaviour analytics) into their products. This allows you to monitor activity and alert on suspicious behaviour. Examples of the type of things you may want to see include if an IP fails to login to numerous accounts. Or if an account successfully authenticates in the UK then five minutes later in the US. Or maybe a user usually logs in from an office in London and then suddenly appears out of the blue in Russia. All possible signs something untoward is going on.

Summary

That was a brief look over controls 7 through to 16 – the foundational level CIS controls. It is by no means in-depth and I’d encourage people to look through the official controls that I linked to in the opening paragraphs. Hopefully if nothing else it has given you some food for thought and some areas to start focusing on and thinking about.