SEC566: Implementing and Auditing CIS Controls

Overview

Students will learn the background and context for Version 8.1 of the CIS Controls. In addition, students will learn about the ecosystem of tools and resources to implement, measure, assess and report on the security program. These foundational concepts are key to prioritizing implementation of controls to address the ever-changing threat landscape. Focus will be placed on the evolving network landscape and how to apply the CIS Controls in modern environments, including cloud and IoT technologies. Students will learn how to prioritize control implementation based on CIS Implementation Groups.

In this first section we will establish baseline knowledge of key terms used in the defensive domains. In addition, we will take a deep dive into Control #1, the Inventory and Control of Enterprise Assets. Any time a new device is installed on a network, there are risks of exposing the network to unknown vulnerabilities or hampering its operation. Malicious code can take advantage of new hardware that is not configured and patched with appropriate security updates at the time of installation. Attackers can use these vulnerable systems to install backdoors before they are hardened. In automating CIS Control #1, it is critical that all devices be included in an accurate and up-to-date inventory control system. Devices include physical and logical devices, including cloud resources, virtualization, and containers. Any device not in the database should not be allowed to be connected to the network. Some organizations maintain asset inventories by using specific large-scale enterprise commercial products or by using free solutions to periodically track and sweep the network.

Exercises

• Preparing Student Laptops for Class 
• Performing a Gap Analysis: CSAT 
• Performing a Gap Analysis: Excel-based tools 
• Automating Device Inventories with Powershell 
• Cyber42: leadership simulation game

Topics

• Understanding the CIS Critical Controls
• Understanding the resources and tools related to the CIS Controls
• Understand control effectiveness against common threats leveraging Mitre ATT&CK
• Understanding and practicing control assessments
• CIS Control #1: Inventory and Control of Enterprise Assets

Overview

During Section 2, the course will begin to cover the defensive domains of software control, data protection, identification and authentication, and access control management. Students will learn how identity and access management (IAM) promotes data protection. Specifically, in Section 2 of the course students will learn the following defensive domains:

Inventory and Control of Software Assets

An organization without the ability to inventory and control the programs installed on its computer has more vulnerable systems and is more likely to be attacked. Furthermore, poorly managed machines are more likely to be outdated and to have needless software that introduces potential security flaws. Compromised systems become a staging point for attackers to collect sensitive information. In order to combat this threat, an organization should scan its network and identify known or responding applications. Commercial software and asset inventory tools are widely available. The best tools provide an inventory check of hundreds of common applications by leveraging standardized application names like those found in the Common Platform Enumeration (CPE) specification. These inventory tools pull the latest version of the application as well as pull information about the patch level of each installed program. In addition to inventory checks, tools that implement allow lists and deny lists of programs are included in many modern end-point protection security suites.

Data Protection

The loss of protected and sensitive data is a serious threat to business operations consumer privacy, and potentially, national security. While some data is leaked or lost as a result of theft or espionage, the vast majority of these problems result from poorly understood data practices, including a lack of effective policy architectures and user error. The term "Data Loss Prevention" (DLP) refers to a comprehensive approach covering the people, processes, and systems that identify, monitor, and protect data in use (e.g., endpoint actions), data in motion (e.g., network actions), and data at rest (e.g., data storage) through deep content inspection and with a centralized management framework. Commercial DLP solutions are available to look for exfiltration attempts and detect other suspicious activities associated with a protected network holding sensitive information. The system must be capable of identifying unauthorized data that leaves the organization's systems whether via network file transfers or removable media.

Account Management

The most common method attackers use to infiltrate a target enterprise is through a misuse of account privileges whether those of a normal business user or privileged account. An attacker can easily convince a workstation user to open a malicious e-mail attachment, download and open a file from a malicious site, or surf to a site that automatically downloads malicious content. If the user is logged in as an administrator, the attacker has full access to the system. Built-in operating system features can extract lists of accounts with super-user privileges, both locally on individual systems and on overall domain controllers. These accounts should be monitored and tracked very closely.

Access Control Management

Some organizations do not carefully identify and separate sensitive data from less sensitive data publicly available information within an internal network. In many environments, internal users have access to all or most of the information on the network. Once attackers have penetrated such a network, they can easily find and exfiltrate important information with little resistance. The Access Management Control is often implemented using the built-in separation of administrator accounts from non-administrator accounts. The system must be able to detect all attempts by users to access files without the appropriate privileges and must generate an alert or e-mail for administrative personnel. This includes information on local systems or network accessible file shares.

Exercises

• How to use Microsoft AppLocker to enforce Application Control
• How to Use Veracrypt to Encrypt Data at Rest
• How to Use Mimikatz to Abuse Privileged Access
• Understanding Powershell and Windows Management Instrumentation (WMI) for Baselining 
• Cyber42: leadership simulation game

Topics

• CIS Control #2: Inventory and Control of Software Assets
• CIS Control #3: Data Protection
• CIS Control #5: Account Management
• CIS Control #6: Access Control Management

Overview

During Section 3 , the course will cover the defensive domains of configuration management, email and web browser integrity, vulnerability management, and audit and accountability. Specifically, students will learn the following defensive domains:

Continuous Vulnerability Management

Soon after security researchers and vendors discover and report new vulnerabilities, attackers create or update exploit code and launch it against targets of interest. Any significant delays finding or fixing software with critical vulnerabilities provides ample opportunity for persistent attackers to break through and gain control of vulnerable machines. A large number of vulnerability scanning tools are available to evaluate the security configuration of systems. The most effective vulnerability scanning tools compare the results of the current scan with previous scans to determine how the vulnerabilities in the environment have changed over time. All machines and software identified by the asset inventory system must be scanned for vulnerabilities.

Secure Configuration of Enterprise Assets and Software

Default configurations of software are often geared to ease-of-deployment and ease-of-use and not security, leaving some systems exploitable in their default state. Attackers attempt to exploit both network-accessible services and client software using various forms of malware. Without the ability to inventory and control installed and running, enterprises make their systems more vulnerable. Organizations can implement this control by developing a series of images and secure storage servers for hosting these standard images. Configuration management tools can be employed to measure the settings of the installed software and to look for deviations from the standard image configurations used by the organization.

Audit Log Management

At times, audit logs provide the only evidence of a successful attack. Many organizations keep audit records for compliance purposes but rarely review them. When audit logs are not reviewed, organizations do not know their systems have been compromised. Attackers rely on this. Most free and commercial operating systems, network services, and firewall technologies offer logging capabilities. Such logging should be activated, and logs should be sent to centralized logging servers. The system must be capable of logging all events across the network. The logging must be validated across both network and host-based systems.

Email and Web Browser Protections

Web browsers and email clients are very common points of entry and attack because of their high technical complexity and flexibility, and their direct interaction with users and within the other systems and websites. Content can be crafted to entice of spoof users into taking actions that greatly increase risk and allow for introduction of malicious code, loss of valuable data, and other attacks. Organizations must minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.

Exercises

• Perform a vulnerability scan
• Compare a vulnerability report with Patching services to identify gaps
• How to Use the CIS-CAT Tool to Audit Configurations 
• Apply secure configuration via Group Policy and compare results
• How to Parse Nmap Output with PowerShell 
• Cyber42: leadership simulation game

Topics

• CIS Control #7: Continuous Vulnerability Management
• CIS Control #4: Secure Configuration of Enterprise Assets and Software
• CIS Control #8: Audit Log Management
• CIS Control #9: Email and Web Browser Protections

Overview

Section 4 will cover the defensive domains of system integrity, system and communications protection, configuration management, and media protection. Specifically, during this section of the course, students will learn the following cybersecurity controls: malware defense, network and endpoint detection and response, data recovery, and network device management

Malware Defenses

Malicious software is an integral and dangerous aspect of Internet threats because it targets end users and organizations via web browsing, e-mail attachments, mobile devices, and other vectors. Malicious code may tamper with a system's components, capture sensitive data, and spread infected code to other systems. To ensure anti-virus signatures are up-to-date, effective organizations use automation including the built-in administrative features of enterprise endpoint security suites to verify that anti-virus, anti-spyware, and host-based Intrusion Detection Systems (IDS) features are active on every managed system. They also run automated assessments daily and review the results to find and mitigate systems that have deactivated such protections or do not have the latest malware definitions. The system must identify any malicious software that is either installed or has been attempted to be installed, or executed, or attempted to be executed, on a computer system.

Data Recovery

When attackers compromise machines, they often make significant changes to configurations and software. Sometimes attackers also make subtle alterations of data stored on compromised machines, potentially jeopardizing organizational effectiveness with polluted information. Once per quarter, a testing team should evaluate a random sample of system backups by attempting to restore them onto a test bed environment. The restored systems should be verified to ensure that the operating system, application, and data from the backup are all intact and functional.

Network Infrastructure Management

Attackers penetrate defenses by searching for electronic holes and misconfigurations in firewalls, routers, and switches. Once these network devices have been exploited, attackers can gain access to target networks, redirect traffic to a malicious system masquerading as a trusted system, and intercept and alter data while in transmission. Organizations can use commercial tools that will evaluate the rule set of network filtering devices in order to determine whether they are consistent or in conflict and to provide an automated check of network filters. Additionally, these commercial tools search for errors in rule sets. Such tools should be run each time significant changes are made to firewall rule sets, router access control lists, or other filtering technologies.

Network Monitoring and Defense

By attacking Internet-facing systems, attackers can create a relay point or bridgehead to break into other networks or internal systems. Automated tools can be used to exploit vulnerable entry points into a network. To control the flow of traffic through network borders and to look for attacks and evidence of compromised machines, boundary defenses should be multi-layered. These boundaries should consist of firewalls, proxies, DMZ perimeter networks, and network-based intrusion prevention systems and intrusion detection systems. Organizations should regularly test these sensors by launching vulnerability-scanning tools. These tools verify that the scanner traffic triggers an appropriate alert. The captured packets of the Intrusion Detection Systems (IDS) sensors should be reviewed using an automated script each day to ensure that log volumes are within expected parameters, are formatted properly, and have not been corrupted.

Exercises

• How to use CIS Navigator to map controls between Frameworks, Compliance and CIS Controls
• How to Use Nipper to Audit Network Device Configurations
• How to Use Wireshark to Detect Malicious Activity
• How to Use Wireshark and Ngrep to emulate Data Loss Prevention
• Cyber42: leadership simulation game

Topics

• CIS Control #10: Malware Defenses
• CIS Control #11: Data Recovery
• CIS Control #12: Network Infrastructure Management
• CIS Control #13: Network Monitoring and Defense

Overview

Section 5 will cover the defensive domains of security awareness , service provider management, application development security, incident management, and penetration testing. Specifically during this section of the course, students will learn about the following cybersecurity domains:

Security Awareness and Skills Training

An organization hoping to effectively identify and respond to attacks effectively relies on its employees and contractors to find the gaps and fill them. A solid security skills assessment program can provide actionable information to decision-makers about where security awareness needs to be improved. It can also help determine proper allocation of limited resources to improve security practices. The key to upgrading skills is measurement - not with certification examinations, but with assessments that show both the employee and the employer where knowledge is sufficient and where there are gaps. Once the gaps have been identified, those employees who have the requisite knowledge can be called upon to mentor the employees who do not. The organization can also develop training programs that directly maintain employee readiness.

Service Provider Management

More and more organizations use third-party service providers to supplement their technology needs or services. Examples of service providers include outsourced consultants, IT providers, payroll providers, electronic billing providers, manufacturers, hardware and software providers, and more. Third parties can introduce additional risks to the security posture of organizations through remote connections, business-to-business networks, and the sharing and processing of data.

Application Software Security

Criminal organizations frequently attack vulnerabilities in both web-based and non-web-based application software. In fact, it is a top priority for criminals. Application software is vulnerable to remote compromise in three ways:

• It does not properly check the size of user input
• It fails to sanitize user input by filtering out potentially malicious character sequences
• It does not properly initialize and clear variables properly

To avoid attacks, internally developed and third-party application software must be carefully tested to find security flaws. Source code testing tools, web application security scanning tools, and object code testing tools have proven useful in securing application software. Another useful tool is manual application security penetration testing by testers who have extensive programming knowledge and application penetration testing expertise. The system must be capable of detecting and blocking an application-level software attack, and must generate an alert or send e-mail to enterprise administrative personnel.

Incident Response Management

Without an incident response plan, an organization may not discover an attack in the first place. Even if the attack is detected, the organization may not follow proper procedures to contain damage, eradicate the attacker's presence, and recover in a secure fashion. Thus, the attacker may have a major impact even though detected, causing more damage, infecting more systems, and possibly exfiltrating more sensitive data than would otherwise be possible. After defining detailed incident response procedures, the incident response team should engage in periodic scenario-based training, including working through a series of attack scenarios that are fine-tuned to the threats and vulnerabilities the organization faces.

Penetration Testing

Attackers penetrate networks and systems through social engineering and by exploiting vulnerable software and hardware. Penetration testing involves mimicking the actions of computer attackers and exploiting them to determine what kind of access an attacker can gain. Each organization should define a clear scope and the rules of engagement for penetration testing and red team analyses. The scope of such projects should include, at a minimum, systems with the highest value information and production processing functionality.

Exercises

• Performing phishing tests with GoPhish
• How to build robust Incident Response Tabletop Exercises 
• How to use CIS Risk Assessment Model (CIS-RAM) to identify, prioritize and report on residual risk 
• Cyber42: leadership simulation game

Topics

• CIS Control #14: Security Awareness and Skills Training
• CIS Control #15: Service Provider Management
• CIS Control #16: Application Software Security
• CIS Control #17: Incident Response Management
• CIS Control #18: Penetration Testing