This is a continuation of our CIS critical security controls blog series. See why SANS listed Rapid7 as the top solution provider addressing the CIS top 20 controls.
Let’s start with some simple, yet often unasked questions. Do you know what critical assets—information and data, applications, hardware, SCADA systems, etc.—exist in your organization’s network? Do you have a data classification policy? Who defines the criticality of systems and information? These are questions many organizations struggle to answer. It’s no wonder companies have difficulty determining which people, computers, and applications have both the need and the right to access these critical assets, and the information stored on them.
CIS Critical Control 14 says that network segmentation should be based on a classification of the information stored on the servers. Let’s dig into what the challenge is and how you can address it.
What’s the problem?
If you carefully examine any number of high profile breaches, attackers are often able to access sensitive data by first accessing systems on the same network segments with much lower criticality scores, and with much less sensitive information. In other cases, sensitive data or services run on the same physical or virtual systems as data or services that are far less critical.
Data classification needs to be simple, otherwise it will be ineffective. Here’s one example:
- Level 1: Data for public consumption. Data that may be freely disclosed.
- Level 2: Internal data not for public disclosure.
- Level 3: Sensitive internal data that if disclosed, could affect the company.
- Level 4: Highly sensitive corporate, employee and customer data.
Based on this classification, would you want to store level 1 data on the same system as level 4 data? Surprisingly the answer may not be as clear cut as you think. If you’re dealing with data on a central file server, or central database server, you may not have a choice. Application servers, ERP systems, and web servers are easier to classify. Regardless, if you are left in a situation where data of different classification levels must reside on the same server, be sure that intermixed data is labeled and classified using the highest classification rating and thus protected accordingly.
To put this in perspective, let’s apply this concept to your personal data. You likely store your own level 4 data (your social security card, your passport, your birth certificate) in a locked cabinet or drawer, or perhaps in a fireproof safe or in a safety deposit box at the bank. In order to access any of these items, there are security controls in place for good reason. Would you be likely to place your grocery list in your safe deposit box? (If you’re Bobby Flay maybe.) Conversely would you be ok if your social security card and grocery list were in the same unlocked drawer in your kitchen?
The first step is ensuring that your network is segmented based on the classification described above. CIS Critical Control 14 states that network segmentation should be based on the label or classification level of the information stored on the servers. All systems with data classified as sensitive should be located on separate VLANS with firewall filtering.
As outlined in CIS Control 5 one of the main reasons Rapid7 recommends that organizations remove local desktop administrative privileges is to reduce the ability of attackers to move laterally from a compromised system. Similarly, Control 14 recommends that all network switches enable Private VLANS to reduce the ability of an attacker to communicate to other devices on the same subnet from a compromised system. Recovering from one compromised system is painful enough; don’t make it easier for attackers.
Access control lists
OK, great, you’ve segmented your network or are on your way. What further controls around sensitive data are a must? Let’s discuss Access Control Lists. Do you give a key to your house to everyone in your neighborhood? Even Martha Stewart is not that polite. No, you want to ensure that all information stored on systems is protected by access control lists. This includes file system, network share, application, and database information. Following the principle of least privilege, users must only be able to access the information and resources necessary as part of their responsibilities.
Most organizations that Rapid7 Advisory Services consults have Microsoft Windows Active Directory deployed in their environments. Active Directory provides a granular level of security control over access to a wide variety of objects, most specifically for this discussion NTFS files and folders, but this concept can be applied to any system which provides ACL control. Active Directory user and group accounts are a great way to ensure that access to sensitive data is properly restricted on your file servers. If you aren’t interested in the hassle of changing permissions on a bunch of folders, use Active Directory Group Policy. GPOs grant administrators the ability to grant, or deny users or groups access to specific folders. Audit settings to these folders can also be configured through group policy.
Role Based Access Control (RBAC), sometimes called role based security, is an alternative to ACLs, and assigns roles to job functions rather than individuals. Because access rights are assigned to roles, and not users, management of user rights is as simple as assigning a role to the user account, and makes user rights management, especially users changing job functions, easier to manage.
Taking the next step
You’ve segmented your network and are using proper ACLs to control access. Great. As Obi-Wan would say, you’ve taken your first step into a larger world. So what are the next steps you can take to ensure your security controls around data access are robust?
- Audit your ACLs and AD users and security groups regularly. Just because you established access 3 or 6 months ago doesn’t mean that your organization has remained static. Users come and go, and change roles within companies all the time. Access creep is a real enemy of security. Ensure that regular reviews occur with a member of your business. Remember, changes to access is not an IT decision.
- The most sensitive data you guard should be encrypted at rest, and secondary authentication required to access it.
- Audit access to non public and sensitive data. It’s important to know who is accessing this type of information, how often and what they are doing with it. There are many file auditing applications that can assist with this task.
- IT should regularly report on stale data, which is any data that has not been accessed for a standard length of time, defined by your business. This data should be archived and removed from your systems.
There’s a lot to digest here, where should I start?
OK, I know. Classification, segmentation, ACLs, encryption, multi factor authentication, auditing. It’s a lot to take in and can certainly be overwhelming. The secret is realizing you are not alone. Many organizations struggle to identify the problems and prioritize solutions. Here’s my recommendation:
- Develop an organizational wide Data Classification Policy and apply it to all IT systems, applications, databases, and data. Channel your inner GI Joe—knowing is half the battle. This is directly related to CIS Control 1 and Control 2. You can’t protect what you don’t know you have. You can’t determine who should have access to what until you know the types of data in your environment.
- Segment your network based on the information from your classification policy.
- Implement access control lists on all systems, and audit not only the ACLs themselves, but also the detailed user access to those systems and data.
- Encrypt data both at rest, and in transit, especially when data traverses trust zones.
- Offload and archive old data sets.
Reach out to Rapid7 Advisory Services and ask how we can help. We assist many organizations of different sizes and industries in how to mature their security programs.