Rapid7 Blog


The CIS Critical Controls Explained - Control 7: Email and Web browser protection


This blog is a continuation of our blog post series around the CIS Critical Controls. The biggest threat surface in any organization is its workstations. This is the reason so many of the CIS Critical Security Controls relate to workstation and user-focused endpoint security. It is also the reason that workstation security is a multibillion-dollar industry. For the next two posts, I'll be covering the specifics of Controls 7 and 8, which focus on the biggest weak points in Information Security: web browsers, email, and malware. This set of posts is intended to help you understand how to properly control the threat surface without limiting usability.

Email and web access are critical for most day-to-day operations in any organization, but they're also a significant source of attacks and incidents. Properly securing email servers, web browsers, and mail clients can go an extremely long way in limiting incidents that routinely make news headlines. Good configuration and control of email and web browsers is also going to significantly reduce the number of low-level incidents your organization will encounter on a monthly basis.

What the CIS Critical Control 7 covers

Critical Control 7 has eight sections that cover the basics of browser and email client safety, secure configuration and mail handling at the server level. The control pays specific attention to concepts like scripting and active component limiting in browsers and email clients, attachment handling, configuration, URL logging, filtering and whitelisting. The premise of the control is fairly straightforward: browser and email client security are critically important for low-level risk mitigation. If your browsers and email aren't secure, your users and your network aren't either. It's worth noting that this control as well as Controls 1, 2 and 8 are often directly connected, and tie into quite a few of the other 20 pretty easily.
As I mentioned in the posts for Controls 1 and 2, properly implemented browser and email security will improve any organization's security posture with regard to the other controls.

How to implement it

Since this control touches on a number of typically different IT functions, it's important to have the people who run the various systems implicated on board when working with it. Personally, I love dealing with controls like this, as they have the potential to unify an IT or IT/IS department in terms of strategy and process, which always helps improve security awareness and capacity.

Start with filtering

Successful implementations of Control 7 usually work from two sides: the server/network side and the endpoint configuration/application side. Networking and email server teams should start by limiting how attachments are handled and forwarded from the mail server to clients, and implement content filtering first. In many cases, this is already set up on mail servers for purposes of space management or security, but it's worthwhile to go a step further and ensure that potentially malicious content is being filtered before it reaches any user's inbox.

Implement SPF, or something similar

At the same time, implementing Sender Policy Framework (SPF) at the DNS level and on the mail servers should cut down on the amount of spam and malicious traffic coming into the system. It should be noted that while SPF is not an anti-spam measure, it's effective as a control for malicious mail traffic, particularly mail that spoofs your own or a partner's sending domain. It's important that the SPF records and implementation include receiver-side verification: publishing a record for your own domain does nothing for the mail you receive unless your mail servers also evaluate the records of the domains that send to you (this is directly mentioned in sub-control 7.7).
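Here is what receiver-side verification actually does, as an added example that is not part of the original post and not a Rapid7 product. It is a cut-down SPF evaluator in Python: the receiving mail server takes the connecting client's IP address and the domain of the envelope MAIL FROM, fetches that domain's SPF TXT record, walks the mechanisms in order and returns pass, fail, softfail, neutral, none or permerror, which the server then turns into a delivery decision. To run offline it uses a constructed in-memory table in place of DNS (the example.com, mail.example.net and loop.example records are invented), implements only the ip4, ip6, include and all mechanisms, and enforces the RFC 7208 limit of ten lookup-causing terms, which is what stops the deliberately self-referential loop.example record. The disposition() policy is an assumption; a production MTA should use a full SPF implementation rather than this.

```python
"""
Added example: a cut-down receiver-side SPF check (subset of RFC 7208).
The DNS table and domains are constructed for the example; only the ip4, ip6,
include and all mechanisms are implemented (no a, mx, ptr, exists, redirect=
or macros), so any record using those is reported as permerror here.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups; these are not real records.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",   # deliberately self-referential
}

MAX_LOOKUPS = 10   # RFC 7208 section 4.6.4: at most 10 lookup-causing terms per check
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's SPF record, or None if it has none (stub for a DNS query)."""
    record = DNS_TXT.get(domain.lower())
    parts = record.split() if record else []
    if not parts or parts[0].lower() != "v=spf1":
        return None
    return record


def check_host(ip, domain, _lookups=None):
    """Evaluate the SPF record of `domain` for a connection from `ip`.

    `domain` is the domain of the envelope MAIL FROM (or HELO), not of the
    From: header, which is why SPF alone does not stop header spoofing.
    """
    if _lookups is None:
        _lookups = [0]                   # shared counter across include: recursion
    record = lookup_spf(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                  # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"       # malformed address in the record
            matched = addr.version == net.version and addr in net
        elif mech == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"       # too many lookups: loop or over-broad record
            sub = check_host(ip, arg, _lookups)
            if sub in ("none", "permerror", "temperror"):
                return "permerror"       # RFC 7208 section 5.2
            matched = sub == "pass"      # fail/softfail/neutral: "not matched here", keep going
        else:
            return "permerror"           # mechanism not implemented in this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # nothing matched and no "all" term present


def disposition(result):
    """An assumed receiver policy mapping SPF results to what the MTA does next."""
    return {
        "pass": "accept",
        "fail": "reject",                # the domain says this host may not send for it
        "softfail": "accept_and_mark",   # accept but tag/junk; feed the result into DMARC
        "neutral": "accept",
        "none": "accept",
        "permerror": "accept_and_mark",
        "temperror": "tempfail",         # answer 4xx so the sender retries later
    }[result]


if __name__ == "__main__":
    for ip, dom in [("192.0.2.55", "example.com"), ("198.51.100.10", "example.com"),
                    ("203.0.113.9", "example.com"), ("203.0.113.9", "mail.example.net"),
                    ("192.0.2.1", "loop.example"), ("192.0.2.1", "nospf.example")]:
        r = check_host(ip, dom)
        print(f"{ip:>14} MAIL FROM @{dom:<17} -> {r:9} => {disposition(r)}")
```

Note the two things the example makes visible: the sender's record is only consulted when the receiver runs this check, and the check authenticates the envelope sender, not the From: header a user sees, which is where DKIM and DMARC (discussed next) come in.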
Typically, this section of Control 7 is overlooked, as it's a high-effort measure, but it's worthwhile for a number of reasons, including SMTP traffic reduction, better junk mail sorting, compatibility with other services, and a general reduction in those "I didn't send a message to this person, but I'm being notified that I did" conversations with your colleagues. It's also worth noting that there are a few pitfalls in implementing it. OpenSPF.org has a good overview of SPF best practices, which should serve as a good starting point.

While the CIS recommends SPF, there are alternative systems and strategies. I'd suggest looking into DKIM and DMARC, since they work well in combination with SPF, although they're not directly mentioned in CIS Critical Control 7. If you're using a third-party provider for e-mail, it's worth assessing this with their personnel; they may have extra expertise on hand, or have done it already.

Configure all the things!

By far, the hardest part of this control is managing the browsers and clients on your network. It's inevitable that there will be roadblocks, but the good news is that there are a number of good ways to handle browser configuration that should both enable your users and limit the risks from malicious code in websites (and any attachments that do get through your already iron-clad email server).

Typically, Rapid7 recommends that workstations have a "2 browser" system. The first browser should be well secured, seriously limiting third-party scripting, ads, and any software that hasn't been reviewed by the security team; it is the one used for general Internet access and for anything that is considered remotely risky. The second configuration will usually be less secure, but its use is limited to internal or organization-specific services. Usually, this means script-based applications or software that require old, out-of-date or insecure code and components.
For example, if your corporate intranet relies on Flash and ActiveX scripts to manage employee benefits, it's probably a good idea to set up a specially configured browser that your users use only to access that intranet. This can be as simple as putting a link or batch file on workstation desktops with specific startup options for the browser, or leaving the homepage set to the specific resource in question. I've seen more complex configurations that rely on secure jumphosts, Citrix, or remote desktop and network limitations, but these are often cumbersome for most users, and not recommended.

One last bit of advice

The simple axiom to follow when implementing this control is: you need to make it simple for the users, or they will find a way around it. It's important to consider this when applying Controls 7 and 8, because increasing complexity or the effort your users have to put in often leads to privilege misuse or other workarounds to defeat the controls. In this context, it's worth remembering that human error is still the major source of most breaches and incidents. This includes phishing and clickjacking campaigns, which often foil the best of us, despite well-configured systems.

A note on URL requests, privacy and security

Sub-control 7.4 specifically identifies URL request logging as a necessity for the identification of potentially compromised systems. This sub-control actually overlaps with Critical Control 6, which Cindy Jones discussed in an earlier post. While it's important to have this data for incident response and awareness purposes, it's worth considering how long it's kept and how it's managed; it's extremely important that the request logs are treated as private or limited-access data, and aren't being shared in a way that could put users of your network at risk. This also applies to any TLS or encrypted traffic monitoring that you may be undertaking.
SPF diagram courtesy of Alessandro Vesely via Wikimedia Commons. "Double Fail" image courtesy of Dmitry Baranovskiy via Flickr. Arapahoe Basin and ski poles banner courtesy of the author. As with security, proper configuration is often what makes or breaks good skiing.

Related Blog Posts:
- Control 1: Inventory of Authorized and Unauthorized Devices Explained
- Control 2: Inventory of Authorized and Unauthorized Software Explained
- Control 3: Secure Configurations for Hardware & Software Explained
- Control 4: Continuous Vulnerability Assessment & Remediation Explained
- Control 5: Controlled Use of Administrative Privilege Explained
- Control 6: Maintenance, Monitoring and Analysis of Audit Logs Explained

The CIS Critical Security Controls Explained - Control 6: Maintenance, Monitoring and Analysis of Audit Logs


In your organizational environment, Audit Logs are your best friend. Seriously. This is the sixth blog of the series based on the CIS Critical Security Controls. I'll be taking you through Control 6: Maintenance, Monitoring and Analysis of Audit Logs, to help you understand the need to nurture this friendship and how it can bring your information security program to a higher level of maturity while helping you gain visibility into the deep dark workings of your environment. In the case of a security event or incident, real or perceived, whether it takes place via one of the NIST-defined incident threat vectors or falls into the "Other" category, having the data available to investigate and effectively respond to anomalous activity in your environment is not only beneficial, but necessary.

What this Control Covers:

This control has six sections which cover everything from NTP configuration, to verbose logging of traffic from network devices, to how the organization can best leverage a SIEM for a consolidated view and action points, and how often reports need to be reviewed for anomalies. There are many areas where this control runs alongside or directly connects to some of the other controls, as discussed in other CIS Critical Control blog posts.

How to Implement It:

Initial implementation of the different aspects of this control ranges in complexity from a "quick win" to full configuration of log collection, maintenance, alerting and monitoring.

Network Time Protocol:

Here's your quick win. By ensuring that all hosts on your network are using the same time source, event correlation can be accomplished in a much more streamlined fashion. We recommend leveraging the various NTP pools that are available, such as those offered from pool.ntp.org. Having your systems check in to a single regionally available server on your network, which has obtained its time from the NTP pool, will save you hours of chasing down information. While you are at it, have hosts record timestamps in UTC, or at least with an explicit offset, so that logs from systems in different time zones line up without guesswork.
Reviewing and Alerting:

As you can imagine, there is potential for a huge amount of data to be sent over to your SIEM for analysis and alerting. Knowing what information to capture and retain is a huge part of the initial and ongoing configuration of the SIEM. Fine tuning of alerts is a challenge for a lot of organizations. What is a critical alert? Who should be receiving these and how should they be alerted? What qualifies as a potential security event? SIEM manufacturers and Managed Service Providers have their pre-defined criteria and, for the most part, are able to effectively define clear use cases for what should be alerted upon; however, your organization may have additional needs. Whether these needs are the result of compliance requirements or of needing to keep an eye on a specific critical system for anomalous activity, defining your use cases and ensuring that alerts are sent at the appropriate level of concern, and to the appropriate resources, is key to avoiding alert fatigue.

Events that may not require immediate notification still have to be reviewed. Most regulatory requirements state that logs should be reviewed "regularly" but remain vague on what this means. A good rule of thumb is to have logs reviewed on a weekly basis, at a minimum. While your SIEM may have the analytical capabilities to draw correlations, there will undoubtedly be items that you find that will require action.

What should I be collecting?

There is a lot of technology out there to "help" secure your environment: everything from Active Directory auditing tools, which allow you to pull nicely formatted and predefined reports, to network configuration management tools. Many of these do the same thing that your SIEM tool can do with appropriately managed alerting and reporting. The SIEM should be able to be a one-stop shop for your log data.
In a perfect world, where storage isn't an issue, each of the following would have its security-related logs sent to the SIEM:

Network gear
- Switches
- Routers
- Firewalls
- Wireless controllers and their APs

3rd party security support platforms
- Web proxy and filtration
- Anti-malware solutions
- Endpoint security platforms (HBSS, EMET)
- Identity management solutions
- IDS/IPS

Servers
- Special emphasis on any system that maintains an identity store, including all Domain Controllers in a Windows environment
- Application servers
- Database servers
- Web servers
- File servers. Yes, even in the age of cloud storage, file servers are still a thing, and access (allowed or denied) needs to be logged and managed.

Workstations
- All security log files

This list is by no means exhaustive, and even at the level noted we are talking about large volumes of information. This information needs a home. This home needs to be equipped with adequate storage and alerting capabilities. Local storage is an alternative, but it will not provide the correlation, alerting or retention capabilities of a full-blown SIEM implementation. There has been some great work done in helping organizations refine what information to include in log collections. Here are a few resources I have used.
- SANS - https://www.sans.org/reading-room/whitepapers/auditing/successful-siem-log-management-strategies-audit-compliance-33528
- NIST SP 800-92 - http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-92.pdf
- Malware Archaeology - https://www.malwarearchaeology.com/cheat-sheets/

Read more on the CIS Critical Security Controls:
- The CIS Critical Security Controls Explained - Control 1: Inventory of Authorized and Unauthorized Devices
- The CIS Critical Security Controls Explained - Control 2: Inventory of Authorized and Unauthorized Software
- The CIS Critical Security Controls Explained - Control 3: Secure Configurations for Hardware & Software
- The CIS Critical Security Controls Explained - Control 4: Continuous Vulnerability Assessment & Remediation
- The CIS Critical Security Controls Explained - Control 5: Controlled Use of Administrative Privilege

The CIS Critical Security Controls Series


What are the CIS Critical Security Controls?

The Center for Internet Security (CIS) Top 20 Critical Security Controls (previously known as the SANS Top 20 Critical Security Controls) is an industry-leading way to answer your key security question: "How can I be prepared to stop known attacks?" The controls transform best-in-class threat data into prioritized and actionable ways to protect your organization from today's most common attack patterns.

Achievable Implementation of the CIS Critical Security Controls

The interesting thing about the critical security controls is how well they scale to work for organizations of any size, from very small to very large. They are written in easy-to-understand business language, so non-security people can easily grasp what they do. They cover many parts of an organization, including people, processes and technology. As a subset of the priority 1 items in NIST Special Publication 800-53, they are also highly relevant and complementary to many established frameworks.

Leveraging Rapid7's expertise to assist your successful implementation

As part of a Rapid7 managed services unit, the Security Advisory Services team at Rapid7 specializes in security assessments for organizations. Using the CIS Critical Security Controls (formerly the SANS 20 Critical Controls) as a baseline, the team assesses and evaluates strengths and gaps, and makes recommendations on closing those gaps. The Security Advisory Services team will be posting a blog series on each of the controls. These posts are based on our experience over the last two years of our assessment activity with the controls, and how we feel each control can be approached, implemented and evaluated. If you are interested in learning more about the CIS Critical Controls, stay tuned here as we roll out posts weekly. Thanks for your interest and we look forward to sharing our knowledge with you!
The definitive guide of all CIS Critical Security Controls

As the blog series expands, we'll use this space to keep a running total of all the 20 CIS Critical Controls. Check back here to stay updated on each control.

Control 1: Inventory of Authorized and Unauthorized Devices

This control is split into 6 focused sections relating to network access control, automation and asset management. The control specifically addresses the need for awareness of what's connected to your network, as well as the need for proper internal inventory management and management automation. Implementing inventory control is probably the least glamorous way to improve a security program, but if it's done right it reduces insider threat and loss risks, cleans up the IT environment and improves the other 19 controls. Learn more.

Control 2: Inventory of Authorized and Unauthorized Software

The second control is split into 4 sections, each dealing with a different aspect of software management. Much like Control 1, this control addresses the need for awareness of what's running on your systems and network, as well as the need for proper internal inventory management. The CIS placed these controls as the "top 2" in much the same way that the NIST Cybersecurity Framework addresses them as "priority 1" controls on the 800-53 framework; inventory and endpoint-level network awareness is critical to decent incident response, protection and defense. Learn more.

Control 3: Secure Configurations for Hardware & Software

This control deals with Secure Configurations for Hardware & Software. The Critical Controls are numbered in a specific way, following a logical path of building foundations while you gradually improve your security posture and reduce your exposure. Controls 1 and 2 are foundational to understanding what inventory you have. The next step, Control 3, is all about shrinking that attack surface by securing the inventory in your network. Learn more.

Control 4: Continuous Vulnerability Assessment & Remediation

Organizations operate in a constant stream of new security information: software updates, patches, security advisories, threat bulletins, etc. Understanding and managing vulnerabilities has become a continuous activity and requires a significant amount of time, attention and resources. Attackers have access to the same information, but have significantly more time on their hands. This can lead to them taking advantage of gaps between the appearance of new knowledge and remediation activities. Control 4 challenges you to understand why vulnerability management and remediation is important to your overall security maturity. Learn more.

Control 5: Controlled Use of Administrative Privilege

The ultimate goal of an information security program is to reduce risk. Often, hidden risks run amok in organizations that just aren't thinking about risk in the right way. Control 5 of the CIS Critical Security Controls can be contentious, can cause bad feelings, and is sometimes hated by system administrators and users alike. It is, however, one of the controls that can have the largest impact on risk. Discover how reducing or controlling administrative privilege and access can reduce the risk of an attacker compromising your sensitive information. Learn more.

Control 6: Maintenance, Monitoring and Analysis of Audit Logs

This control has six sections which cover everything from NTP configuration, to verbose logging of traffic from network devices, to how the organization can best leverage a SIEM for a consolidated view and action points, and how often reports need to be reviewed for anomalies. Learn more.

Control 7: Email and Web Browser Protection

Critical Control 7 has eight sections that cover the basics of browser and email client safety, secure configuration and mail handling at the server level. The control pays specific attention to concepts like scripting and active component limiting in browsers and email clients, attachment handling, configuration, URL logging, filtering and whitelisting. The premise of the control is fairly straightforward: browser and email client security are critically important for low-level risk mitigation. Learn more.

Control 8: Malware Defenses

Control 8 covers malware and antivirus protection at system, network, and organizational levels. It isn't limited to workstations, since even servers that don't run Windows are regularly targeted (and affected) by malware. Control 8 should be used to assess infrastructure, IoT, mobile devices, and anything else that can become a target for malicious software, not just endpoints. Learn more.

The CIS Critical Security Controls Explained - Control 5: Controlled Use of Administrative Privilege


The ultimate goal of an information security program is to reduce risk. Often, hidden risks run amok in organizations that just aren't thinking about risk in the right way. Control 5 of the CIS Critical Security Controls can be contentious, can cause bad feelings, and is sometimes hated by system administrators and users alike. It is, however, one of the controls that can have the largest impact on risk. Therefore it is an important control, and the conversation around why it is important is also important. We'll talk about both.

Misuse of privilege is a primary method for attackers to land and expand inside networks. Two very common attacks rely on privilege to execute. The first is when a user running with privilege is tricked into opening a malicious attachment, or picks up malware from a drive-by website, where it loads silently in the background. Privileged accounts just make these attacks succeed quickly: user machines can be controlled, keyloggers can be installed, and running malicious processes can be hidden from view. The second common technique is elevation of privilege by guessing or cracking the password of an administrative user and gaining access to a target machine. Especially if the password policy is weak (8 characters is not sufficient!) or not enforced, the risk increases.

What it is

Reducing administrative privilege specifically means running services or accounts without admin-level access all the time. This does not mean that no one should have admin; it means admin privilege should be heavily restricted to only those users whose jobs, and more specifically tasks, require admin privilege. Regular, normal users of a system should never require admin privilege to do daily tasks. Superusers of a system might require admin access for certain tasks, but don't necessarily need it all the time. Even system administrators do not require admin-level access 100% of the time to do their jobs.
Do you need admin access to read and send emails? Or search the web?

How to implement it

There are a lot of different ways to implement restrictions on admin privilege. You are first going to have to deal with the political issues of why to do this. Trust me, addressing this up front saves you a lot of heartache later on.

The political stuff

Case #1: All users have admin, either local admin and/or admin account privileges

My first question, when I see this happening in any organization, is "why do they need this?" Typical answers are:
- They need to install software [HINT: no they don't.]
- Applications might fail to work [Possible but unlikely; the app just might be installed improperly.]
- They need it to print!!! [No.]
- My executives demand it [They demand a lot in IT without understanding. Help them understand. See below.]
- Why not? [Seriously?]
- All of these

Some of these are valid responses. The problem is we don't understand the root issue that's driving the reason everyone needs admin-level access to do their daily duties. And this is probably true of many organizations. It's simpler just to give admin access because things will then work, but you create loads of risk when you do this. You have to take the time to determine what functions actually need the access, and remove this access from those functions that don't require it, to lower the risk and the attack surface. All of these responses speak to worries about not being able to do a business function when they need to. They also imply that the people in charge of approving these permissions really don't understand the risks associated with granting them. We need to get them to understand the low risk of possibly needing admin once or twice, and the much higher risk of having it when attackers strike.

Case #2: Your admins say they have to have it "to do their jobs"

I don't disagree with this statement. Admins do need admin rights to do some tasks. But not every task calls for it.
Do this exercise: list all the daily tasks an admin does on an average day. Then, mark each task which does not require admin privilege to accomplish. Show that list to the person responsible for managing risk in your organization. Then simply create a separate, normal user account for your admins, and require them to use it for all those tasks that are marked. For all other tasks, they escalate into their admin account and then de-escalate when done. It's an extra step, and it is a secure one.

The conversation

Now have the conversation. It may be painful. I have actually been in meetings where people got so mad they threw things, and would be in tears when we told them we were "taking away" their privilege. This is why we say "reducing" or "controlling." These are important words. The phrase is "we're reducing/controlling risk by allowing you to use your privilege only for tasks that require it." For executives that demand it, point out they are the highest risk to the organization due to their status and are frequently a high-value target sought by attackers. Then support your conversation with information from around the web, whitepapers, studies, anything that helps drive your point. For example, this article from Avecto illustrates that 97% of critical Windows vulnerabilities are mitigated by reducing admin privilege, allowing you to focus on the remaining 3% and be more effective. Search around; there's lots more good supporting material.

This does not need to be an expensive exercise. Using techniques like Windows delegation of authority, you can give administrative privilege to users for specific tasks, like delegating to your help desk the ability to disable accounts or move them to different OUs. They don't need full admin to do this. On Linux systems, using sudo instead of root interactively is much less risky. If you are a compliance-driven organization, most compliance requirements state that reduction of admin is required as part of access controls.
Here's a brief glimpse of some compliance requirements that are addressed by Control 5:
- PCI: Objective "Implement strong access control measures", Requirements 7.1, 7.2, 7.3, 8.1, 8.2, 8.3, 8.7
- HIPAA: 164.308(a)(4)(ii)(B). Rights and/or privileges should be granted to authorized users based on a set of access rules that the covered entity is required to implement as part of § 164.308(a)(4), the Information Access Management standard under the Administrative Safeguards section of the Rule.
- FFIEC (Federal Financial Institutions Examination Council): Authentication and Access Controls

The technical stuff

Reducing admin privilege supports the Pareto principle, or the 80/20 rule. Effectively, reducing admin privilege, combined with the first four CIS critical security controls, can reduce the risks in your organization by 80% or more. This allows you to focus on the remaining 20%. It's very likely the risk factor reduction is even higher! The Australian Signals Directorate (ASD) lists restricting administrative privileges in its Top 4 Mitigation Strategies, along with application whitelisting (an element of Control 2) and an ongoing patching program for applications and operating systems (Control 4). Here is Microsoft's guidance on implementing Least-Privilege Administrative Models. If you use Active Directory and are on a Windows domain this is very helpful in making meaningful changes to your admin models. For Linux environments, each sysadmin should have a separate account. Enforce their use of the 'su' command to gain root. Better yet, disable su and enforce the use of the 'sudo' command: sudo records each command together with the user who ran it, and lets you grant specific commands rather than a full root shell. There are also third parties who sell software which can help with this, such as CyberArk Viewfinity, Avecto PrivilegeGuard, BeyondTrust PowerBroker or Thycotic Privilege Manager. Note Rapid7 does not partner with these companies, but we recommend them based on what we see other organizations deploying.

All the other things

As with most of the controls, the sub-controls also list other precautions.
- Change all default passwords on all deployed devices.
- Use multi-factor authentication for all administrative access.
- Use long passwords (14 characters or more).
- Require system admins to have a normal account and a privileged account, and access the privileged account through an escalation mechanism, such as sudo for Linux or RunAs for Windows.
- Configure systems to issue alerts on unsuccessful logins to admin accounts. Rapid7 offers products such as InsightIDR which can detect and alert on these events. A use case might be: if an admin leaves for vacation, you monitor their account and, if you see any login attempts, it triggers an investigation.
- As an advanced control, perform admin tasks only from dedicated administrative machines that are isolated from the rest of the network and connect only to the systems they need to administer.

Reducing or controlling admin is not hard to implement. However, it is a change to the way things are being done, and fear of change is very powerful. Do your best to have conversations to ease the fear. You are not taking anything away. You are simply making it harder for errors to occur which have large impact, and you are reducing the risk that an attacker can easily compromise an account, a system, fileshares, sensitive data, and more.

Related Resources
- CIS Critical Control 1: Inventory of Authorized and Unauthorized Devices Explained
- CIS Critical Control 2: Inventory of Authorized and Unauthorized Software Explained
- CIS Critical Control 3: Secure Configurations for Hardware & Software Explained
- CIS Critical Control 4: Continuous Vulnerability Assessment & Remediation
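The alerting sub-control and the vacation use case above can be turned into concrete detection logic. The following Python is an added example, not code from the original post and not InsightIDR: it parses constructed Linux auth.log-style sshd and sudo lines (the hostname, users and addresses are invented), raises an alert on every failed login to an account named in an assumed ADMIN_ACCOUNTS set, escalates when one source reaches FAILURE_THRESHOLD failures against one admin account, alerts on any login attempt, successful or not, to an account in an assumed ON_LEAVE set, flags a successful direct root login, and records sudo escalations as the expected audit trail rather than as alerts. The same rules apply to Windows event IDs 4625 (failed logon) and 4624 (successful logon) with a different parser.

```python
"""
Added example: alerting on admin-account login activity from auth.log lines.
Account names, hostname and addresses below are constructed for the example.
"""
import re
from collections import defaultdict

ADMIN_ACCOUNTS = {"root", "admin"}   # assumed privileged account names
ON_LEAVE = {"bob"}                   # assumed: bob is on vacation, so any login attempt is suspect
FAILURE_THRESHOLD = 3                # failures from one source against one admin account before escalating

# Constructed sample lines in syslog auth.log format (not real events).
SAMPLE_LOG = """\
Mar  3 09:14:02 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 09:14:05 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 51123 ssh2
Mar  3 09:14:09 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar  3 09:15:30 bastion sshd[2290]: Accepted publickey for alice from 198.51.100.20 port 40222 ssh2
Mar  3 09:16:01 bastion sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
Mar  3 10:02:44 bastion sshd[2401]: Failed password for bob from 198.51.100.77 port 40301 ssh2
Mar  3 10:03:10 bastion sshd[2402]: Accepted password for bob from 198.51.100.77 port 40302 ssh2
Mar  3 11:30:00 bastion sshd[2500]: Failed password for invalid user admin from 203.0.113.9 port 50000 ssh2
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
# sshd reports "invalid user X" for names that do not exist; the optional group drops that prefix.
SSH_RE = re.compile(
    TS + r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
SUDO_RE = re.compile(
    TS + r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_line(line):
    """Return a dict for an sshd login or sudo event, or None for any other line."""
    for kind, pattern in (("ssh", SSH_RE), ("sudo", SUDO_RE)):
        m = pattern.match(line)
        if m:
            event = m.groupdict()
            event["kind"] = kind
            return event
    return None


def analyze(log_text, admin_accounts=ADMIN_ACCOUNTS, on_leave=ON_LEAVE,
            threshold=FAILURE_THRESHOLD):
    """Run the detection rules over log_text; return alerts and the sudo audit trail."""
    alerts, escalations = [], []
    failures = defaultdict(int)          # (user, source IP) -> failed attempts seen so far
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "sudo":
            # Escalation through sudo is the expected path: keep it for audit, no alert.
            escalations.append({"ts": ev["ts"], "user": ev["user"],
                                "target": ev["target"], "cmd": ev["cmd"]})
            continue
        user, src, outcome = ev["user"], ev["src"], ev["outcome"].lower()
        base = {"ts": ev["ts"], "host": ev["host"], "user": user, "src": src, "outcome": outcome}
        if user in on_leave:
            # Any attempt against an account that should be dormant warrants an investigation.
            alerts.append(dict(base, rule="login_attempt_on_leave_account", severity="high"))
        if user in admin_accounts and outcome == "failed":
            failures[(user, src)] += 1
            alerts.append(dict(base, rule="failed_admin_login", severity="medium"))
            if failures[(user, src)] == threshold:
                alerts.append(dict(base, rule="repeated_failed_admin_login",
                                   severity="high", count=threshold))
        if user == "root" and outcome == "accepted":
            # Admins should arrive as themselves and escalate with sudo, not log in as root.
            alerts.append(dict(base, rule="direct_root_login", severity="high"))
    return {"alerts": alerts, "escalations": escalations}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for a in result["alerts"]:
        print(f'{a["ts"]} {a["severity"]:6} {a["rule"]:32} {a["user"]}@{a["src"]} ({a["outcome"]})')
    for e in result["escalations"]:
        print(f'{e["ts"]} audit  sudo {e["user"]} -> {e["target"]}: {e["cmd"]}')
```

On the sample input this produces seven alerts (four failed admin logins, one escalation to high when the third failure against root from the same source arrives, and two for the on-leave account, the second of which is the successful login that should start the investigation) plus one audited sudo command. The on-leave rule fires on success as well as failure, which is the point of the vacation use case: a correct password is exactly what you expect a thief to have.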

The CIS Critical Security Controls Explained - Control 4: Continuous Vulnerability Assessment & Remediation


Welcome to the fourth blog post on the CIS Critical Security Controls! This week, I will be walking you through the fourth Critical Control: Continuous Vulnerability Assessment & Remediation. Specifically, we will be looking at why vulnerability management and remediation is important for your overall security maturity, what the control consists of, and how to implement it.

Organizations operate in a constant stream of new security information: software updates, patches, security advisories, threat bulletins, etc. Understanding and managing vulnerabilities has become a continuous activity and requires a significant amount of time, attention and resources. Attackers have access to the same information, but have significantly more time on their hands. This can lead to them taking advantage of gaps between the appearance of new knowledge and remediation activities. By not proactively scanning for vulnerabilities and addressing discovered flaws, the likelihood of an organization's computer systems becoming compromised is high. Kind of like building and implementing an ornate gate with no fence. Identifying and remediating vulnerabilities on a regular basis is also essential to a strong overall information security program.

What it is:

The Continuous Vulnerability Assessment and Remediation control is part of the “systems” group of the 20 critical controls. This control consists of eight (8) different sections: 4.1 and 4.3 give guidelines around performing vulnerability scans, 4.2 and 4.6 talk about the importance of monitoring and correlating logs, 4.4 addresses staying on top of new and emerging vulnerabilities and exposures, 4.5 and 4.7 pertain to remediation, and 4.8 talks about establishing a process to assign risk ratings to vulnerabilities.
How to implement it

To best understand how to integrate each section of this control into your security program, we're going to break them up into the logical groupings I described in the previous section (scanning, logs, new threats and exposures, risk rating, and remediation).

A large part of vulnerability assessment and remediation has to do with scanning, as proven by the fact that two sections directly pertain to scanning and two others indirectly reference it by discussing monitoring scanning logs and correlating logs to ongoing scans. The frequency of scanning will largely depend on how mature your organization is from a security standpoint and how easily it can adopt a comprehensive vulnerability management program. Section 4.1 specifically states that vulnerability scanning should occur weekly, but we know that that is not always possible due to various circumstances. This may mean monthly for organizations without a well-defined vulnerability management process or weekly for those that are better established. Either way, when performing these scans it is important to have both an internal and external scan perspective. This means that machines that are internally-facing only should have authenticated scans performed on them, and outward-facing devices should have both authenticated and unauthenticated scans performed.

Another point to remember about performing authenticated scans is that the administrative account being used for scans should not be tied to any particular user. Since these credentials will have administrative access to all devices being scanned, we want to decrease the risk of them getting compromised. This is also why it is important to ensure all of your scanning activities are being logged, monitored, and stored. Depending on the type of scan you are running, your vulnerability scanner should be generating at least some attack detection events.
It is important that your security team is able to (1) see that these events are being generated and (2) match them to scan logs in order to determine whether the exploit was used against a target known to be vulnerable instead of being part of an actual attack. Additionally, scan logs and alerts should be generated and stored to track when and where the administrative credentials were being used. This way, we can determine that the credentials are only being used during scans on devices for which the use of those credentials has been approved.

So now that we have discussed scanning and logs, we are going to address how you can keep up with all of the vulnerabilities being released. There are several sites and feeds that you can subscribe to in order to stay on top of new and emerging vulnerabilities and exposures. Some of our favorite places are:

- US-CERT
- National Vulnerability Database (NVD)
- Common Vulnerabilities and Exposures (CVE)
- Open Vulnerability and Assessment Language (OVAL)
- Rapid7's Vulnerability Database

It isn't enough to just be alerted to new vulnerabilities, however; we need to take the knowledge we have about our environment into consideration and then determine how these vulnerabilities will impact it. This is where risk rating comes into play. Section 4.8 states that we must have a process to risk-rate a vulnerability based on exploitability and potential impact and then use that as guidance for prioritization of remediation. What it doesn't spell out for us is what this process looks like. Typically, when we work with an organization, we recommend that for each asset they take three factors into consideration:

- Threat Level – How would you classify the importance of the asset in terms of the data it hosts as well as its exposure level? For example, a web server may pose a higher level of threat than a device that isn't accessible via the Internet.
- Risk of Compromise – What is the likelihood that the vulnerability will compromise this system? Something to keep in mind is how easy it is to exploit this vulnerability, whether it requires user interaction, etc.
- Impact of Compromise – What is the impact to the confidentiality, integrity, and availability of the system and the data it hosts should a particular vulnerability be exploited?

After our scans are complete and we are staring at the long list of vulnerabilities found on our systems, we need to determine the order in which we will do remediation. In order to ensure patches are being applied across all systems within the organization, it is recommended to deploy and use an automated patch management tool as well as a software update tool. As you look to increase the overall security maturity of your organization, you will see that these tools are necessary if you want to have a standardized and centrally managed patching process. In more mature organizations, part of the remediation process will include pushing patches, updates, and other fixes to a single host initially. When the patching efforts are complete on this one device, the security team then performs a scan of that device in order to ensure the vulnerability was remediated prior to pushing the fix across the entire organization via the aforementioned tools.

Tools are not enough to ensure that patches were fully and correctly applied, however. Vulnerability management is an iterative process, which means that vulnerability scans that occur after remediation should be analyzed to ensure that vulnerabilities that were supposed to be remediated are no longer showing up on the report. Vulnerability management software helps you identify the holes that can be used during an attack and how to seal them before a breach happens. But it's more than launching scans and finding vulnerabilities; it requires you to create processes around efficient remediation and to ensure that the most critical items are being fixed first.
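The three-factor risk rating and the post-remediation re-scan check, worked through as an added example; this is not the post's or Rapid7's own method, and the scoring weights, asset names and CVE-style identifiers are constructed placeholders:

```python
"""Risk-rating scan findings and verifying remediation.

Added example, not from the Rapid7 post: it turns the three factors the post
recommends (threat level of the asset, risk of compromise, impact of
compromise) into a numeric priority, orders remediation by it, and then
checks a follow-up scan to confirm that the findings that were supposed to
be fixed no longer appear. The weights, asset names and vulnerability ids
are constructed assumptions; real scanners export far richer data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool    # exposure level
    data_sensitivity: int    # 1 (public) .. 3 (regulated / sensitive)


@dataclass(frozen=True)
class Finding:
    asset: Asset
    vuln_id: str             # scanner's identifier, e.g. a CVE number
    exploit_available: bool  # public exploit code exists
    needs_user_action: bool  # requires user interaction to exploit
    cia_impact: int          # 1 (low) .. 3 (full C/I/A compromise)


def threat_level(asset):
    """Importance of the asset: data it hosts plus exposure (1..6)."""
    return asset.data_sensitivity + (3 if asset.internet_facing else 0)


def risk_of_compromise(finding):
    """Likelihood the flaw is actually exploited on this system (1..3)."""
    score = 1
    if finding.exploit_available:
        score += 1
    if not finding.needs_user_action:
        score += 1
    return score


def priority(finding):
    """Combined score used to order remediation (higher is fixed first)."""
    return threat_level(finding.asset) * risk_of_compromise(finding) * finding.cia_impact


def remediation_order(findings):
    """Findings sorted so the most critical items are fixed first."""
    return sorted(findings, key=priority, reverse=True)


def verify_remediation(planned, rescan):
    """Compare a follow-up scan against what was supposed to be fixed.

    planned: set of (asset name, vuln id) pairs the team remediated
    rescan:  iterable of Findings from the post-remediation scan
    Returns the planned items that still appear, i.e. patches that did not
    take and need to go back into the queue.
    """
    still_present = {(f.asset.name, f.vuln_id) for f in rescan}
    return planned & still_present


# Constructed sample environment.
WEB = Asset("web01", internet_facing=True, data_sensitivity=2)
HR_DB = Asset("hrdb01", internet_facing=False, data_sensitivity=3)
KIOSK = Asset("kiosk07", internet_facing=False, data_sensitivity=1)

FINDINGS = [
    Finding(WEB, "CVE-EXAMPLE-0001", exploit_available=True, needs_user_action=False, cia_impact=3),
    Finding(HR_DB, "CVE-EXAMPLE-0002", exploit_available=False, needs_user_action=False, cia_impact=3),
    Finding(KIOSK, "CVE-EXAMPLE-0003", exploit_available=True, needs_user_action=True, cia_impact=2),
]

if __name__ == "__main__":
    for f in remediation_order(FINDINGS):
        print(priority(f), f.asset.name, f.vuln_id)
    # Post-remediation scan (constructed): web01 was patched, hrdb01 was not.
    rescan = [FINDINGS[1]]
    planned = {("web01", "CVE-EXAMPLE-0001"), ("hrdb01", "CVE-EXAMPLE-0002")}
    print("still vulnerable:", verify_remediation(planned, rescan))
```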
What you do with the data you uncover is more important than simply finding vulnerabilities, which is why we recommend integrating the processes around each section of Critical Control 4.

The CIS Critical Security Controls Explained - Control 3: Secure Configurations for Hardware & Software


Stop number 3 on our tour of the CIS Critical Security Controls (previously known as the SANS Top 20 Critical Security Controls) deals with Secure Configurations for Hardware & Software. This is great timing with the announcement of the death of SHA1. (Pro tip: don't use SHA1).

The Critical Controls are numbered in a specific way, following a logical path of building foundations while you gradually improve your security posture and reduce your exposure. Control 1: Inventory of Authorized and Unauthorized Devices, and Control 2: Inventory of Authorized and Unauthorized Software are foundational to understanding what you have. Now it's time to shrink that attack surface by securing the inventory in your network.

As stated in the control description, default configurations for operating systems and applications are normally geared toward ease-of-deployment and not toward security. This means open and running ports and services, default accounts or passwords, older and more vulnerable protocols (I'm looking at YOU telnet), pre-installed and perhaps unnecessary software, and the list goes on. All of these are exploitable in their default state.

The big question is, what constitutes secure configurations? As with most questions in information security, the answer is all contextual, based on your business rules. So before you attempt a secure configuration, you need to have some understanding of what your business needs to do and what it does today. This also means a lot of detailed analysis of your applications, and this can be a complex task. This is also a task that is a continuous process; it is not just “one and done.” Secure configuration must be continually managed to avoid security decay. As you implement vulnerability management, your systems and applications will be patched and updated, and this will change your position on secure configurations.
Configurations will change based on new software or operational support changes, and if not secured, attackers will take advantage of the opportunities to exploit both network-accessible services and client software.

What It Is

Secure Configurations for Hardware & Software is part of the “systems” group of the CIS critical security controls. This means that this is in the back office, by IT and security, and should not be handled by users in the front office. It's very likely that your organization is using some kind of secure configs unless you run 100% out-of-the-box. Rapid7 finds that most orgs do not go far enough, and a lot of exposure exists that has no defined business purpose or need. This control is broken down into seven sub-controls. The sub-controls describe the entire process of managing secure configurations, but do not go into specifics about the configurations themselves. So we will cite resources here you can use to help you start to securely configure your enterprise (and even your home systems).

How to Implement It

There are many ways to go about secure configurations, and it's likely that not everything publicly available is going to be completely relevant. Like you would with a deny-all rule in a firewall deployment, approach these with a mindset of starting as small as you can and gradually opening up your systems and applications until they are usable. This is great for new systems or those yet to be deployed. But what about older systems? It's not very likely you can just shut them down and work this process. Still, you should seek to reduce the running services and ports, especially those which are known to be vulnerable and not in use.

The Configs

There are a number of usable resources for secure configurations. Rapid7 regularly recommends the following to clients:

NIST 800-70 rev 3

This NIST special publication is a document that governs the use of checklists; it is not itself a configuration guide.
It is most valuable in breaking down configuration levels for using multiple checklists. This is especially useful in complex business environments, when you will need to have many different configuration baselines for your systems. It also contains information on developing, evaluating and testing your checklists.

National Vulnerability Database (NVD)

The NVD maintained by NIST is a great repository for many things in Control 4 (Vulnerability Management), and it is also useful for Control 3 with their checklists. This repo contains SCAP content, Group Policy Objects for Active Directory, and human readable settings. This is a great first start for any secure configuration activity.

CIS Benchmarks

Sometimes these are referred to as hardening guides; their official name is the CIS Benchmarks. Curated by the same organization that handles the Critical Controls, the CIS Benchmarks are available for multiple operating systems, web browsers, mobile devices, virtualization platforms and more. You can also get SCAP-compliant checklists in XCCDF format for direct application to systems.

Security Technical Implementation Guide (STIG)

The STIGs are curated by the federal government, adhering to rules and guidelines issued by the Department of Defense. These pages contain actual configuration templates (some in SCAP format) that can be directly applied to systems. There are also templates for cloud-based services, application security and a lot of training references. STIGs are great, but not for the faint of heart, or for organizations who don't have a deep technical understanding of the application or OS they're attempting to reconfigure. So handle them with caution, but they are very helpful in locking down systems.

Minimum Standards

All of the above resources are based on consensus and community or government standards and are considered to be sound strategies to reduce your attack surface.
They are not comprehensive, and as already stated your mileage may vary, and you should take a customized approach that best supports your business needs. At the end of the day, what you are looking to do is maintain a set of minimum standards for your configs. You can pore through the checklists to give you ideas, like disable IPv6 if it is not necessary, don't use RDP without TLS, don't ever run Telnet ever for any reason ever. Did I mention not to run telnet? Build your checklist and use it for all your deployments, and don't forget about your existing and vulnerable systems! They need extra love too. Rapid7 observes many organizations that know they have a vulnerable legacy system that they cannot modify directly to reduce the attack surface. If you have one of these brittle/fragile/unfixable systems, consider ways to limit inbound/outbound access and connectivity to help mitigate the risk until it can be upgraded or replaced with something more securable.

All The Other Things

Everything above talks about the first sub-control, which is the secure config itself. There are several more things this control covers, such as:

- Follow strict configuration management processes for all changes to your secure builds.
- Create master images (gold images) that are secure, and store those in a safe and secure location so they can't be altered.
- Perform remote administration only over secure channels, and use a separate administration network if possible.
- Use file integrity checking tools or application whitelisting tools to ensure your images are not being altered without authorization.
- Verify your testable configurations and automate this as much as possible – run your vulnerability scanner against your gold image on a regular frequency and use SCAP to streamline reporting and integration.
- Deploy configuration management tools (SCCM, Puppet/Chef, Casper) to enforce your secure configurations once they are deployed.
As you can see there's quite a bit to getting your systems and applications secured, as well as having processes to support the ongoing care and feeding of your secure configs. This is a foundational control, so it's important to get right and keep going with continual improvement. Putting the required time and effort into this will yield you a lot of return, simply because your exposure will have shrunk significantly, and allow you to focus on the more advanced security measures without worrying about some Powershell script kiddie popping your box because of insecure telnet. Oh, by the way, you should probably disable telnet. For more posts examining the CIS Critical Security Controls, search for the tag "CIS 20."

The CIS Critical Security Controls Explained - Control 1: Inventory of Authorized and Unauthorized Devices


The Rapid7 Security Advisory Service relies heavily on the CIS top 20 critical controls as a framework for security program analysis because they are universally applicable to information security and IT governance. Correct implementation of all 20 of the critical controls greatly reduces security risk, lowers operational costs, and significantly improves any organization's defensive posture. The 20 critical controls are divided into System, Network, and Application families, and each control can be subdivided into sections in order to facilitate implementation and analysis.

The first of the 20 controls, “Inventory of Authorized and Unauthorized Devices”, is split into 6 focused sections relating to network access control, automation and asset management. The control specifically addresses the need for awareness of what's connected to your network (Tip: Don't forget to scan your network for IoT devices), as well as the need for proper internal inventory management and management automation. Implementing inventory control is probably the least glamorous way to improve a security program, but if it's done right it reduces insider threat and loss risks, cleans up the IT environment and improves the other 19 controls.

What it is:

The Inventory of Authorized and Unauthorized Devices is part of the “systems” group of the CIS top 20 critical security controls. It specifically addresses the need for awareness of what is on your network, as well as awareness of what shouldn't be. Sections 1.1, 1.3 and 1.4 address the need for automated tracking and inventory, while 1.2, 1.5 and 1.6 are related to device-level network access control and management. The theme of the control is fairly simple: you should be able to see what is on your network, know which systems belong to whom, and use this information to prevent unauthorized users from connecting to the network.
High maturity organizations often address the automation and management sections of this control well, but Rapid7 often sees gaps around network access control based on inventory due to the perceived complexity of implementing NAC.

How to implement it:

There are numerous effective ways to implement the Inventory of Authorized and Unauthorized Devices control. Many of them will also significantly improve the implementation of other controls relating to network access, asset configuration, and system management. Successful implementations often focus on bridging existing system inventory or configuration management services and device-based network access control. The inventory management portion is usually based on software or endpoint management services such as SCCM, while access control can leverage existing network technology to limit device access to networks.

Robust implementation of DHCP logging and management will effectively address sections 1.1, 1.2, and 1.4 of Critical Control #1. Deploying DHCP logging and using the outputs to establish awareness of what is currently connected to the network is an extremely good first step to full implementation. Tracking DHCP activity has an additional impact on the IT support and management side of the organization, as well; it serves as a sort of “early warning” system for network misconfiguration and management issues. For organizations with a SIEM solution or centralized audit repository, ingested DHCP logs can allow correlation with other security and network events. Correlating the logs against additional system information from tools like SCCM or event monitoring services can also assist with inventory tracking and automated inventory management, which has added benefits on the financial and operations management side of the shop, as well.
Admin Tips:

For DHCP-enabled network segments that have lower change rates (non-workstation segments) consider adding a detective control such as a notification of a new DHCP lease. Backup, VOIP, or network device management networks are often effective conduits for an attacker's lateral movement efforts, and usually don't have a high amount of device churn, so increasing detective controls there may create little administrative overhead and increase the possibility of detecting indicators of compromise.

The Inventory of Authorized and Unauthorized Devices control also recommends the use of automated inventory tools that scan the network to discover new systems or devices, as well as tracking the changes made to existing systems. While DHCP logging is an effective basic measure, tools such as SCCM, KACE, Munki, and SolarWinds effectively lower the effort and time surrounding inventory management, asset configuration, and system management. Many customers with existing Microsoft Enterprise Agreements may already have licenses available for SCCM. When combined with Certificate Authorities, Group Policies, and some creativity with Powershell, a handful of Administrators can maintain awareness and control of authorized devices to address many aspects of this foundational critical control.

If you're a Nexpose customer, thank you, and Nexpose will let you import your DHCP logs into your deployment to perform dynamic scans of new assets joining your network. Even if you don't use SCCM or Nexpose, most agent-based system discovery and configuration management will allow organizations to address this control and other governance requirements. Effective implementation of inventory based access control will let the organization see and manage what is connecting to their network, which is critical for any good security program.
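The new-lease detective control from the admin tips above, as an added example that is not code from the post, Nexpose or any other product; it assumes ISC dhcpd-style DHCPACK syslog lines, and the segment ranges, known-device inventory and log entries are constructed:

```python
"""Detective control for new DHCP leases on low-churn segments.

Added example, not code from the Rapid7 post or from any Rapid7 product.
It reads ISC dhcpd-style DHCPACK syslog lines, keeps a per-segment inventory
of MAC addresses seen before, and raises an alert when a previously unknown
device obtains a lease on a segment that should rarely change (backup, VoIP,
network management). Segment ranges, the known-device inventory and the log
lines are constructed for the example.
"""
import ipaddress
import re

# ISC dhcpd logs "DHCPACK on <ip> to <mac> (<hostname>) via <iface>"; the
# parenthesised hostname is optional.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>[\d.]+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?", re.IGNORECASE
)

# Constructed: low-churn segments where any new lease should be investigated.
LOW_CHURN_SEGMENTS = {
    "backup": ipaddress.ip_network("10.0.20.0/24"),
    "voip": ipaddress.ip_network("10.0.30.0/24"),
    "netmgmt": ipaddress.ip_network("10.0.40.0/24"),
}

# Constructed inventory: MACs already known per segment (from SCCM, an asset
# database, or an earlier run of this script).
KNOWN = {
    "backup": {"00:11:22:33:44:55"},
    "voip": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
    "netmgmt": set(),
}

SAMPLE_LOG = """\
Oct 24 07:00:01 dhcp01 dhcpd: DHCPACK on 10.0.5.77 to 3c:52:82:aa:bb:01 (wkst-1042) via eth0
Oct 24 07:00:09 dhcp01 dhcpd: DHCPACK on 10.0.20.15 to 00:11:22:33:44:55 (backup02) via eth1
Oct 24 07:01:30 dhcp01 dhcpd: DHCPACK on 10.0.20.16 to de:ad:be:ef:00:01 via eth1
Oct 24 07:02:45 dhcp01 dhcpd: DHCPACK on 10.0.30.8 to aa:bb:cc:00:00:02 (phone-0208) via eth2
Oct 24 07:03:12 dhcp01 dhcpd: DHCPDISCOVER from 00:11:22:33:44:99 via eth1
"""


def segment_for(ip):
    """Name of the low-churn segment containing ip, or None for other ranges."""
    addr = ipaddress.ip_address(ip)
    for name, net in LOW_CHURN_SEGMENTS.items():
        if addr in net:
            return name
    return None


def detect_new_leases(log_text, known):
    """Return alerts for first-seen MACs on low-churn segments.

    known maps segment -> set of MACs and is updated in place, so a device
    alerts only once; each alert is a (segment, ip, mac, hostname) tuple.
    Leases on workstation segments are ignored, as are non-ACK messages
    (a DHCPDISCOVER alone does not mean a device got an address).
    """
    alerts = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue
        seg = segment_for(m.group("ip"))
        if seg is None:
            continue
        mac = m.group("mac").lower()
        if mac not in known[seg]:
            known[seg].add(mac)
            alerts.append((seg, m.group("ip"), mac, m.group("host") or ""))
    return alerts


if __name__ == "__main__":
    for seg, ip, mac, host in detect_new_leases(SAMPLE_LOG, KNOWN):
        print(f"NEW LEASE on {seg}: {ip} {mac} {host!r} -- open an investigation")
```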
While management tools often require time and effort to deploy, the cost benefit is significant; it allows smaller IT teams to have a major impact on their network quickly, and assists with patching, situational awareness, and malware defense.

Hat tip and thanks to Jason Beatty and Magen Wu for application-specific info and editorial suggestions.

The CIS Critical Security Controls Explained - Control 2: Inventory of Authorized and Unauthorized Software


As I mentioned in our last post, the 20 critical controls are divided into System, Network, and Application families in order to simplify analysis and implementation. This also allows partial implementation of the controls by security program developers who aren't building a program from scratch, but want to apply all 20 of the controls.

The first two controls of the Center for Internet Security's (CIS) Critical Controls are based around inventory; in my experience, they're also often overlooked by most security teams at the level that the CIS and NIST address them. Knowledge and control of inventory is an essential security architecture need - done properly, it gives the security team very strong awareness of the organization's network and personnel environment, and significantly improves detection and response aspects of any security program.

The second control, “Inventory of Authorized and Unauthorized Software”, is split into 4 sections, each dealing with a different aspect of software management. Much like Control 1, “Inventory of Authorized and Unauthorized Devices”, this control addresses the need for awareness of what's running on your systems and network, as well as the need for proper internal inventory management. The CIS placed these controls as the "top 2" in much the same way that the NIST Cybersecurity Framework addresses them as "priority 1" controls on the 800-53 framework; inventory and endpoint-level network awareness is critical to decent incident response, protection and defense.

What it is:

The Inventory of Authorized and Unauthorized Software is part of the “systems” group of the 20 critical controls. The theme of the control is fairly simple: you should be able to see what software is on your systems, who installed it, and what it does. You should be able to use this information to prevent unauthorized software from being installed on endpoints.
The control is well outlined in NIST Special Publication 800-167, and relates back to NIST 800-53 and Cybersecurity Framework recommendations. High-maturity organizations often address the automation and management sections of this control well, but Rapid7 sees gaps around software configuration control based on inventory due to the perceived complexity of implementing software inventory management systems, or endpoint management clients.

How to implement it:

Many of the methods used to implement the inventory of authorized and unauthorized software will also significantly improve the implementation of other controls relating to network access, asset configuration, and system management (Controls 1, 6, 10, 14, 15, 17 and 19). Specifically, Local Administrator access and install rights should not be granted for most users. This limitation also assists with other critical controls that deal with access and authentication. Limiting who can install software also limits who can click “ok” on installations that include malware, adware and other unwanted code. The added bonus to successful removal of admin rights is the lowering of the shadow IT footprint in most organizations, contributing to better internal communication and security awareness.

Once installation rights have been limited, any whitelisting or blacklisting processes should be done in stages, typically starting with a list of unauthorized applications (a blacklist), and finishing with a list of authorized applications that make up the whitelist. This can be rolled out as an authorized software policy first, and followed up with scanning, removal and then central inventory control. Successful implementations of software inventory control often focus on bridging system configuration management services and software blacklisting and whitelisting.
The inventory management portion is usually based on a software inventory tool or endpoint management services such as SCCM, Footprints, or GPO and local policy controls on Windows. Beyond administrator and installation rights limiting, and blacklisting, some form of integrity checking and management should be set up. This is possible using only OS-based tools in most cases, and Microsoft includes integrity management tools in Windows 10. Typically, OS level integrity management tools rely on limiting installation based on a list of trusted actors (installers, sources, etc). In more comprehensive cases, such as some endpoint protection services, there are heuristic and behavior based tools that monitor critical application libraries and paths for change. Since integrity management is intrinsically tied to malware prevention and data protection, implementing this section of the control actually assists with Controls 8, 9 and 14: Browser and e-mail configuration, Malware Defenses and Data Protection.

Admin Tips:

Aside from AppLocker, Microsoft allows GPO based whitelisting for supported versions of Windows. These can be edited locally using “secpol.msc” on everything but the “Home” versions of Windows. Organizations with domain controllers or centrally managed Group Policy Objects can use the same process by accessing “software restriction policies” and adjusting the “designated file types” object to include authorized software. This method is effective for workstations with limited software needs, and single-purpose systems such as application servers or virtual machines that run dedicated software. Apple's OSX and most flavors of Linux have similar features, although they may be a little harder to access.

Most endpoint protection suites have some form of integrity protection included as an add-on.
Your mileage may vary with this, since it can be tricky to tune the alerts from these services, but they're a helpful addition to the software integrity side of things, and can be used as a primary means of integrity control in cases where there's already a good inventory in place. For more general-purpose workstations, a number of client based solutions exist, ranging from antivirus and endpoint protection suites that limit software from a central console to tools like Carbon Black, Power Broker, and the Authority Management Suite integrated into Dell's KACE.

Software inventory management is an important enough topic in security that The National Institute of Standards and Technology has published a guide to implementing software whitelisting which covers most of Control 2. It's part of their cybersecurity series, and is available for free on the NIST website as a PDF or by searching the site for publication 800-167.

As I mentioned above, this control and the device inventory control are critical to having a responsive security program; getting the inventory side of the office in order will cut down on the amount of work needed when an incident arises, and will make policy development and enforcement far easier.
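A file-integrity baseline of the kind the Control 3 post recommends for gold images and the Control 2 post recommends for critical application libraries and paths, as an added example that is not code from the posts or from any product named in them; the demo tree and its contents are constructed in a temporary directory:

```python
"""Integrity baseline for a gold image or critical application paths.

Added example, not code from the Rapid7 posts or from any product they
mention. It records a SHA-256 hash of every file under a directory (a gold
image, or an application's library path) into a baseline file, then compares
the live tree against that baseline and reports files that were added,
removed or modified. Directory names below are constructed in demo().
"""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> sha256 for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # hash real files only; a symlink swap is a finding of its own
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def save_baseline(baseline, out_path):
    """Persist the baseline; keep it somewhere the image itself cannot alter."""
    with open(out_path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def compare(baseline, current):
    """Differences between a stored baseline and a fresh scan.

    Returns sorted lists under "added", "removed" and "modified"; all three
    empty means the tree still matches the approved image.
    """
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys
                           if baseline[p] != current[p]),
    }


def check(root, baseline_path):
    """(matches, diff): matches is True when root equals the stored baseline."""
    diff = compare(load_baseline(baseline_path), build_baseline(root))
    return not any(diff.values()), diff


def write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Walk-through on a temporary tree with constructed contents."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    write(os.path.join(root, "bin", "app"), b"release build v1")
    write(os.path.join(root, "config.ini"), b"debug=0\n")
    baseline_path = os.path.join(tempfile.mkdtemp(), "baseline.json")
    save_baseline(build_baseline(root), baseline_path)
    clean = check(root, baseline_path)
    # Simulate unauthorized change: patched binary, dropped file, deleted config.
    write(os.path.join(root, "bin", "app"), b"release build v1 + extra code")
    write(os.path.join(root, "extra.dll"), b"unexpected")
    os.remove(os.path.join(root, "config.ini"))
    return clean, check(root, baseline_path)


if __name__ == "__main__":
    before, after = demo()
    print("clean image matches baseline:", before[0])
    print("after tampering:", after[1])
```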

Using CIS Controls To Stop Your Network From Falling in With the Wrong Crowd


Earlier this month Kyle Flaherty wrote a post on the Rapid7 Community Blog about how Rapid7 came out on top for coverage of the Center for Internet Security (CIS) Top 20 Security Controls. In light of recent DDoS events I'd like to take a little time to discuss at a high level what the controls are, how they would help, and what organizations can do to improve their posture in these areas.

What are the Critical Security Controls?

Here is how the CIS describes the Top 20 Critical Security Controls:

"The CIS Critical Security Controls (CIS Controls) are a concise, prioritized set of cyber practices created to stop today's most pervasive and dangerous cyber attacks. The CIS Controls are developed, refined, and validated by a community of leading experts from around the world. Organizations that apply just the first five CIS Controls can reduce their risk of cyberattack by around 85 percent. Implementing all 20 CIS Controls increases the risk reduction to around 94 percent."

Each CIS control is made up of a high level concept and contains multiple sub-controls that support this concept. The controls are prioritized, and efforts to implement a given control will support and enable the implementation of lower priority controls. Progression through the controls also serves as a measure of security program maturity.

Why do they matter?

You don't have to be tech-savvy to be aware of the impact that inadequately secured devices can have on organizations and the general Internet. In the last few weeks record breaking DDoS attacks have originated from Internet of Things (IoT) devices. News of these events made the general non-tech press when Brian Krebs was targeted. They gained an all new level of public awareness when they were used to DDoS Dyn's DNS services last week and impacted Twitter, Spotify, Reddit, GitHub, and others.
While the public sees the impacts to Twitter, organizations feel the impact when services like GitHub and Okta aren't available.

These attacks have been tied to the Mirai malware, which spreads by logging into Internet-accessible Telnet services using a list of factory default credentials. Reports of the botnet's size vary widely depending on the source and its access to data. Level3 blogged that they have found over 490,000 members of Mirai family botnets. Dyn stated that they saw "10s of millions of IP addresses" during the attack on them. One would hope that a protocol as insecure as Telnet would not continue to be prevalent, but recent scans of the Internet by Censys.io reveal over 5.3 million devices that returned a Telnet banner on port 23/TCP. Since Mirai kills the Telnet, SSH, and HTTP services, any devices that were infected at the time of the scan would not be represented.

A device doesn't have to be compromised to be used in a DDoS. Jon Hart, a fellow researcher on the Rapid7 Labs team, recently wrote a blog post describing how public access to certain UDP services can enable Distributed Reflected Denial of Service (DRDoS) attacks. These attacks allow the attacker to hide the source of the attack, often while amplifying its size. He provided some great data about services that could be used by attackers and pointers to the datasets that Rapid7 makes publicly available via Project Sonar. These datasets are the results of Internet IPv4 scanning and provide insight into the prevalence of certain services and potential amplification metrics.

I'd like to expand on Jon's post a bit by talking about two services in particular. As Jon pointed out, 1,768,634 hosts responded to a NetBIOS name service probe on port 137/UDP. If you dig into the data that he linked you will find that 1,657,431 (93.7%) responded with a NetBIOS hostname and in many cases a domain name.
There is another UDP study that Project Sonar performs that I think is relevant as well. We scan on 1434/UDP for the Microsoft SQL Browser Service. This service provides information about the Microsoft SQL Server, which databases it hosts, and on what ports or endpoints they can be found. If you look at the dataset from 10/03/2016 and process it using Rapid7's open source DAP and Recog tools you will find that there were 149,344 responses that provided instance and/or server names as well as server version information.

Both of these services not only lend themselves to being used in DRDoS attacks, they also leak potentially sensitive data. It's unlikely that the services exposed by these hosts were intended to be Internet accessible. Their presence on the Internet presents a risk not only to the Internet in general but to the device owners as well.

How do the Critical Security Controls help?

Adoption of the CIS Controls can significantly reduce risk and greatly improve an organization's ability to respond to security incidents. For example, here are 5 of the 20 CIS Controls that, if followed, would reduce an organization's likelihood of being a source of traffic in a DDoS:

1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
4. Continuous Vulnerability Assessment and Remediation
9. Limitations and Control of Network Ports, Protocols, and Services
11. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

Yes, those are all obvious security measures. The value here is that the CIS controls provide prioritization of efforts. For example, implementing #9 or #11 above without #1 or #2 is doomed to failure in any complex environment. Additionally, each high-level control has between 4 and 14 more tactical sub-controls that support it.
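Returning to the SQL Browser service on 1434/UDP discussed above: the script below is an added example, not code from the original post and not Rapid7's DAP or Recog tools. It parses a constructed SSRP SVR_RESP datagram in the layout the Microsoft SQL Browser service uses (a 0x05 byte, a 16-bit little-endian length, then semicolon-separated key/value pairs with each instance terminated by ";;"), lists the fields such a response reveals to anyone who can reach the port, and computes the request-to-response byte ratio that makes a UDP service attractive for reflection. The host name, instance names, version strings and pipe path in the sample are made up.

```python
"""Parse a Microsoft SQL Server Browser (SSRP, 1434/UDP) SVR_RESP datagram and
estimate the UDP amplification it offers.

Added illustrative code; it is not Rapid7's DAP or Recog. The sample packet is
constructed for this example and the names and versions in it are made up.
"""
import struct
from typing import Dict, List

# In MS-SQLR a CLNT_UCAST_EX probe is a single 0x03 byte (constructed sample request).
CLNT_UCAST_EX = b"\x03"

# Constructed sample SVR_RESP body: key;value pairs, each instance ended by ";;".
_BODY = (
    b"ServerName;DBHOST01;InstanceName;MSSQLSERVER;IsClustered;No;"
    b"Version;10.50.1600.1;tcp;1433;;"
    b"ServerName;DBHOST01;InstanceName;SQLEXPRESS;IsClustered;No;"
    b"Version;11.0.2100.60;np;\\\\DBHOST01\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;"
)
# SVR_RESP = 0x05, 16-bit little-endian RESP_SIZE, RESP_DATA
SAMPLE_SVR_RESP = b"\x05" + struct.pack("<H", len(_BODY)) + _BODY


def parse_svr_resp(pkt: bytes) -> List[Dict[str, str]]:
    """Return one dict per advertised instance, or raise on a malformed packet."""
    if len(pkt) < 3 or pkt[0] != 0x05:
        raise ValueError("not an SSRP SVR_RESP (missing 0x05 header)")
    (size,) = struct.unpack_from("<H", pkt, 1)
    if len(pkt) < 3 + size:
        raise ValueError("truncated SVR_RESP: RESP_SIZE exceeds datagram")
    body = pkt[3:3 + size].decode("ascii", errors="replace")
    instances = []
    for chunk in body.split(";;"):
        if not chunk:
            continue
        fields = chunk.split(";")
        # Pair up key;value tokens; an odd trailing token is ignored.
        instances.append({fields[i]: fields[i + 1] for i in range(0, len(fields) - 1, 2)})
    return instances


def leaked_fields(pkt: bytes) -> List[Dict[str, str]]:
    """Summarise what an exposed 1434/UDP service reveals to anyone on the Internet."""
    keep = ("ServerName", "InstanceName", "Version", "tcp")
    return [{k: inst[k] for k in keep if k in inst} for inst in parse_svr_resp(pkt)]


def amplification_factor(request: bytes, response: bytes) -> float:
    """Bytes returned per byte sent: the ratio that makes a UDP service useful for DRDoS."""
    return len(response) / len(request)


if __name__ == "__main__":
    for inst in leaked_fields(SAMPLE_SVR_RESP):
        print(inst)
    print(f"amplification: {amplification_factor(CLNT_UCAST_EX, SAMPLE_SVR_RESP):.0f}x")
```

Run against your own Sonar or Censys records for hosts you are responsible for, the two numbers that matter for sub-control 9.4 are whether the response carries a server name and version at all, and how many bytes come back for a one-byte probe; both are reasons to move the service behind the perimeter.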
Here are extracts from a couple of selected example controls:

1.1 Deploy an automated asset inventory discovery tool and use it to build a preliminary inventory of systems connected to an organization's public and private network(s)…
1.2 If the organization is dynamically assigning addresses using DHCP, then deploy dynamic host configuration protocol (DHCP) server logging, and use this information to improve the asset inventory and help detect unknown systems.
4.1 Run automated vulnerability scanning tools against all systems on the network on a weekly or more frequent basis and deliver prioritized lists of the most critical vulnerabilities to each responsible system administrator.
9.1 Ensure that only ports, protocols, and services with validated business needs are running on each system.
9.4 Verify any server that is visible from the Internet or an untrusted network, and if it is not required for business purposes, move it to an internal VLAN and give it a private address.

Each of the sub-controls helps build capability and awareness as well as enabling the implementation of later controls. When these controls are baked into an organization's operational processes, security becomes an intrinsic attribute of the environment, not an on-demand effort that interrupts business processes when an event occurs. An organization that had implemented these controls would be aware of the services that were exposed to the Internet and the risks that they present. In the case of a previously unknown vulnerability it would have the information required to quickly respond and mitigate the risk.

Next Steps

Here are some steps that you can take to learn about the CIS Controls as well as reduce the likelihood that devices in your environment are used in DDoS attacks.

Go to the CIS website and learn about the CIS Controls. They provide high-level overviews, FAQs, and the ability to download the CIS Controls for free.

If your organization is a service provider or a company with assigned ASNs you can sign up for free Shadowserver reports. The Shadowserver Foundation scans the Internet for certain services of concern, such as those that could be used in DDoS, and will provide regular reports on these to network owners.

Use an external service, such as the Rapid7 Perimeter Scanning Service, or an externally hosted scan engine to perform scans of your Internet-accessible IP space. This will provide a more accurate picture of what your organization is exposing to the Internet than that provided by an internally hosted scanner.

Use the data provided by Rapid7 Project Sonar, the Censys team, and others on the Scans.IO website. You can download datasets individually or use the Censys team's search engine.

Good Luck!

Rapid7 On Top in SANS Top 20 Critical Security Controls


Being great is, well… great, right? But as we all know it doesn't happen in a vacuum, it's an equation: Greatness = Individual Excellence + Teamwork + Meaningful Customer Relationships. Coincidentally (or not), these items make up three of the five core values we strive towards here at Rapid7 – the other two play a role as well in ‘Disciplined Risk Taking' and ‘Continuous Learning', but we all know blog posts need three things, it's some sort of Internet rule. Now, let's be honest, public displays of boasting are not what we are about here, but when you witness a tidal wave of public support from your customers on the Gartner Peer Insights portal and, simultaneously, your company comes out on top of the coverage for the SANS Top 20 Security Controls (2016 PDF poster), you have to pause for just a moment to let people know. This is important, especially during National Cybersecurity Awareness month, because it's all about our customers and employees working together to create killer solutions and services. And in this world where we all want the benefits of being interconnected but understand the risks, the heroes have become the IT and security teams. Equipping these teams is what drives us each day. Below is more info on each of these accolades, and a big thank you to our entire community for giving us this amazing moment.

Rapid7 Provides the Most Coverage for the SANS Top 20 Critical Security Controls

Many organizations rely on the SANS Top 20 Critical Security Controls (now a joint venture with SANS and the Center for Internet Security) to help them understand what they can do to minimize risk and harden resiliency. The Critical Security Controls run the gamut from asset identification and management to continuous monitoring and secure configurations. How does it work? Well, SANS surveyed industry vendors in March 2016, using the Center for Internet Security (CIS) document “A Measurement Companion to the CIS Critical Security Controls (Version 6)” as the baseline.
The “heat map” below has shaded areas totaling the number of measurements a vendor covers divided by the total number of measurements listed for that Critical Control. As you see below, Rapid7 leads the way. This is a representation of our full portfolio including pen testing (Metasploit), vulnerability management (Nexpose), application security (AppSpider), and SIEM/UBA/EDR (InsightIDR). If you are already using one of our products in one area, we should show you how our solutions work together to get you even more coverage. Ultimately though, this helps people understand that our solutions provide the quality, usability, and ultimately, the insight that security professionals need to get the job done.

Gartner Peer Insight: Security Product Reviews for Rapid7 at the Top

If you haven't checked out Gartner Peer Insights yet, it's a resource fed by the user community themselves where they provide in-depth reviews about products they are using, ranging from SIEM and UBA, to vulnerability management, and application security. We are proud of what our customers say about us, and we are always listening for ways to improve their experience and success using our solutions. Below you'll see where Rapid7 stacks up in terms of overall peer rating on Gartner Peer Insight in the SIEM category:

Go take a look at what folks are saying, and then do your own searches for the solutions you need! And if you have any questions or need to talk to us about any of our solutions just let us know in the comments or contact us page. Now that we're done celebrating we're back at work, with all of you, to keep progressing!

Use DHCP Discovery to Implement Critical Security Control #1


The number one critical security control from the Center for Internet Security recommends actively managing all hardware devices on the network:

CSC 1: Inventory of Authorized and Unauthorized Devices
Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
http://www.cisecurity.org/critical-controls.cfm

Here are some of the reasons you should actively inventory your hardware:

- Discover new assets that have not yet been patched
- Detect returning hardware, such as laptops, that has missed previous updates
- Identify unauthorized hardware

Whatever the scenario, you'll want to establish your surface area in order to accurately assess your risk and remediate vulnerabilities.

Before you can track and correct assets on your network, you must first establish a method to inventory all of the assets connected to your network. Employing a DHCP dynamic discovery connection in Nexpose is a great way to determine what hardware is present on your network.

Nexpose dynamic asset discovery via DHCP parses DHCP server logs and supports two collection methods for gathering DHCP log entries:

- Directory watcher – watches a specified directory for new and updated DHCP log files.
- Syslog – listens on a TCP/UDP port to receive syslog messages, much like a syslog server.

Nexpose dynamic asset discovery currently supports Microsoft Server 2008 and 2012 using either directory watcher or syslog, as well as Infoblox Trinzic using syslog.

How to Create a DHCP Discovery Connection

From the Administration page, find the Discovery Options section and click the Create link next to CONNECTIONS.

Next, fill in all three tabs of the form…

From the General tab, select DHCP Service and provide the name of your discovery connection.

From the Service tab, select the event source, collection method, and engine.
The source and collection method determine what additional fields are required. In the example, using the directory watcher collection method for Windows Server requires the fully qualified path to the directory where the DHCP logs reside.

From the Credentials tab, provide the username and password used to access the directory.

As the DHCP server logs events, they are parsed and imported as assets discovered by connection. Previously assessed assets that appear in DHCP logs continue to show only as assessed. Discovered assets have not been assessed and present unknown risk to your network.

The Assessment Status chart on the Assets page gives you a clear indication of your un-assessed surface area. Additionally, the Discovered by Connection table enumerates the discovered assets that have not yet been assessed.
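The script below is an added example, not Nexpose's DHCP collector and not code from either post; it shows the mechanism that CIS sub-control 1.2 (quoted in the DDoS post above) and the Nexpose DHCP discovery connection described here both rely on: parsing Windows DHCP server audit log lines into an inventory keyed by MAC address, tracking whether each lease is still active, and flagging devices that are not on an authorized list. The log lines, host names, MAC addresses and the authorized list are constructed for the example; the event IDs (10 new lease, 11 renew, 12 release, 16 deleted, 17 expired, 20 BOOTP lease) are those of the Windows DHCP audit log format.

```python
"""Build an asset inventory from Windows DHCP server audit log lines and flag
devices that are not on an authorized list (CIS sub-control 1.2).

Added illustrative code; it is not Nexpose's DHCP collector. The log lines and
the authorized-MAC list are constructed for this example.
"""
import csv
import io
from datetime import datetime
from typing import Dict, List, Set

# Event IDs from the Windows DHCP audit log format.
LEASE_EVENTS = {10, 11, 20}    # 10 = new lease, 11 = renew, 20 = BOOTP lease
RELEASE_EVENTS = {12, 16, 17}  # 12 = release, 16 = deleted, 17 = expired

# Constructed sample log. A real file starts with banner text and a header row;
# both are skipped because their first field is not a numeric event ID.
SAMPLE_LOG = """\
Microsoft DHCP Service Activity Log

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,TransactionID,QResult
10,10/03/16,08:15:22,Assign,192.168.10.50,ws-alice.corp.example,0011223344A1,,1234,0
11,10/03/16,08:20:05,Renew,192.168.10.51,ws-bob.corp.example,0011223344B2,,1235,0
10,10/03/16,09:02:41,Assign,192.168.10.77,,F0DEADBEEF99,,1236,0
12,10/03/16,17:45:10,Release,192.168.10.51,ws-bob.corp.example,0011223344B2,,1237,0
"""

# Constructed list of MACs the organization already knows about.
AUTHORIZED_MACS = {"00:11:22:33:44:a1", "00:11:22:33:44:b2"}


def normalize_mac(raw: str) -> str:
    """Windows logs MACs as bare hex (0011223344A1); normalize to 00:11:22:33:44:a1."""
    hexdigits = raw.replace("-", "").replace(":", "").lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, len(hexdigits), 2))


def parse_dhcp_audit_log(text: str) -> List[Dict]:
    """Turn audit log text into event dicts; banner and header lines are skipped."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if not row or not row[0].strip().isdigit():
            continue
        events.append({
            "id": int(row[0]),
            "time": datetime.strptime(f"{row[1]} {row[2]}", "%m/%d/%y %H:%M:%S"),
            "description": row[3],
            "ip": row[4],
            "hostname": row[5],
            "mac": normalize_mac(row[6]),
        })
    return events


def build_inventory(events: List[Dict]) -> Dict[str, Dict]:
    """Latest state per MAC: IP, hostname, last-seen time and whether the lease is active."""
    inventory: Dict[str, Dict] = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] not in LEASE_EVENTS | RELEASE_EVENTS:
            continue
        entry = inventory.setdefault(ev["mac"], {"hostname": "", "ip": "", "active": False})
        entry.update(ip=ev["ip"], last_seen=ev["time"], active=ev["id"] in LEASE_EVENTS)
        if ev["hostname"]:  # keep the last non-empty name the server recorded
            entry["hostname"] = ev["hostname"]
    return inventory


def find_unknown_devices(inventory: Dict[str, Dict], authorized: Set[str]) -> List[str]:
    """MACs the DHCP server has seen that the asset inventory does not know about."""
    return sorted(mac for mac in inventory if mac not in authorized)


if __name__ == "__main__":
    inv = build_inventory(parse_dhcp_audit_log(SAMPLE_LOG))
    for mac, entry in inv.items():
        print(mac, entry)
    print("unknown:", find_unknown_devices(inv, AUTHORIZED_MACS))
```

The unknown device in the sample has no host name, only a MAC and a lease; that is exactly the "discovered but not assessed" state the Assessment Status chart surfaces, and the reason the next step is a scan rather than a shrug.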

Top 3 Takeaways from the "Simplify Controls: How to Align Security Controls to Reduce Risk to Your Business" Webcast


This week we heard from Bill Bradley, Product Marketing Manager at Rapid7, about the far-reaching implications of security controls. Each organization (SANS and the Australian Signals Directorate to name a couple) that highlights recommended controls promotes a slightly different twist on the weighting and criticality of controls. We looked at which controls across each organization with recommendations are the most important and effective risk reduction tools, and how professionals in different industries should prioritize them. Read on to learn the top 3 takeaways from "Simplify Controls: How to Align Security Controls to Reduce Risk to Your Business":

1. Patch, Patch, Patch – Implementing automated patching tools and processes is important for helping to minimize forgetfulness and ensure that your security program is rigorous and constantly looking for machines that need updating. Vulnerabilities are discovered continually. It's important to know what is out there, and which ones may impact your environment. Develop an inventory of what's in your production system so that you can classify the risk of different vulnerabilities and determine their severity within your environment. Any risk can have a different level of relevance to your organization depending on how your business is designed and where your security priorities lie.

2. Deploy, Segment & Conquer – When deploying devices onto your network, make sure you have a detailed understanding of how they will fit in, and configure devices so they can be modified and updated over time to have a small vulnerability footprint on the network. Speaking of networks, it's highly recommended for security professionals to implement network segmentation. Segmentation helps limit what an attacker can do if they've successfully gotten past your security measures. Breaking up the network into different logical segments ensures that the attacker will have much more difficulty moving through your network, and this will make your organization a much less attractive target. Some deployment best practices: take inventory of your assets, identify target systems, categorize installed software, determine critical gaps, and more. It's important that when you're planning and implementing controls you have short- and long-term goals for maintenance and tracking. View the full webcast for more details.

3. Communicate with Users and Management – Educating users on why and how the controls you have in place benefit the organization is important for keeping everyone on the same page and aware of how you are working to protect any and all sensitive data tied to the company. If everyone is aligned about business and security priorities, and management is able to see metrics and tangible successes based on your controls, you may even be able to get increased budget to implement more and even better controls over time.

For an in-depth look at security controls best practices, including how different industries should prioritize them, watch the full webcast now.

How ControlsInsight aligns to SANS 20 Critical Security Controls


During the development of ControlsInsight, we selected the first set of controls based on input from Rapid7 experts with extensive experience in attacker methodology (like HD Moore and our co-founders Tas Giakouminakis and Chad Loder) combined with industry best practices for risk mitigation. One of the best practices we used was the SANS 20 Critical Security Controls, which helps organizations focus efforts on the security controls that would have the greatest impact in improving risk posture against real-world threats. According to the US State Department, organizations can achieve more than 94% risk reduction through the rigorous automation and measurement of the Top 20 Controls. ControlsInsight takes a similar approach to security: the solution prioritizes controls deployment based on effectiveness at defending against threats, giving you an action plan to address the most significant risks across your organization. With ControlsInsight, you can automatically monitor the following critical security controls:

| SANS Top 20 Controls | ControlsInsight | Why This Control is Critical |
| --- | --- | --- |
| 3-2 Implement automated patching tools and processes | Operating systems up-to-date; Browsers up-to-date; High-risk applications up-to-date | Cybercriminals often use known exploits to hack into systems that have not been patched. According to the Verizon 2013 Data Breach Investigations Report, 75% of attacks are opportunistic, meaning the victim was targeted because they exhibited a weakness the attacker knew how to exploit. |
| 5-1 Continuously monitor for active, up-to-date anti-malware protection | Anti-virus optimized (installed, enabled and DAT file up-to-date) | While anti-virus software has its limitations, it can help defend against threats by attempting to detect malware and block its execution. |
| 5-2 Verify that each system has received its malware signature update | Anti-virus optimized (installed, enabled and DAT file up-to-date) | "Trust but verify": it's important to check that the latest malware signature has been successfully deployed and applied to each system. |
| 5-3 Configure workstations so that they will not auto-run content from USB thumb drives | USB access blocked | Attackers have been known to infect networks by dropping USB thumb drives containing malicious code on-site for unwitting users to pick up. |
| 5-5 Scan and block all e-mail attachments including e-mail and web content filtering | Email client attachment filtering enabled; Third party URL filtering enabled | Email phishing is a common method used by attackers to gain access to a network, employing clever tactics to trick users into clicking on attachments. |
| 5-7 Deploy features and toolkits such as DEP and EMET | Code execution prevention deployed (EMET installed, ASLR, DEP and SEHOP enabled) | These mitigation features prevent malicious code execution and limit the potential damage from both existing exploits and future zero-day exploits. |
| 11-2 Apply host-based firewalls or port filtering tools on end systems | Windows firewall enabled | Workstation firewalls configured to deny traffic by default unless explicitly allowed can protect against malicious or unauthorized network traffic. |
| 12-3 Configure all administrative passwords to be complex | Strong local password policy enabled | According to the Verizon 2013 Data Breach Investigations Report, 76% of network intrusions exploit weak or stolen credentials. |
| 12-4 Configure all administrative-level accounts to require regular password changes | Strong local password policy enabled | See 12-3 |
| 12-9 Administrative accounts should never be shared | Unique administrator password | Ensuring unique passwords limits the impact if a single set of credentials is compromised by stopping attackers from propagating across the network. |
| 12-10 Configure OS so that passwords cannot be re-used within a certain timeframe | Strong local password policy enabled | See 12-3 |
| 13-1 Deny communications with known malicious IP addresses | URL reputation scanning enabled; Third party URL filtering enabled | Attackers focus on exploiting systems that they can reach across the Internet, including devices that pull content from the Internet through network boundaries. |

To learn more about the SANS Top 20 Controls and how you can use them to build an effective security program, watch the joint webcast by Rapid7 and SANS here: Take Control! 7 Steps to Prioritize Your Security Program
