
Top 20 CIS Critical Security Controls (CSC) Through the Eyes of a Hacker – CSC 1

May 18, 2016

Security is hard. Organizations are facing a growing threat, and breaches are becoming commonplace, even at companies trying to do everything the right way. The old motto goes, “The only system which is truly secure is one which is switched off and unplugged, locked in a titanium-lined safe.” It’s hard to do business like that. So what can you do? It starts with implementing a mature security program to address known attack vectors.

This is where the Center for Internet Security (CIS) Top 20 Critical Security Controls (CSC) come into play, providing organizations with 20 key controls they can implement to mitigate some of the threats they face. Unfortunately, even implementing all of these controls won’t make you “un-hackable.” It does, however, raise the complexity of a successful attack, increasing the cost, time, effort, and skill set an attacker needs to compromise your organization.

Through this blog series, I will cover each of the 20 controls, showing attack examples and explaining how each control could have prevented the attack from being successful. As a penetration tester, I see these controls daily, not from a policy standpoint, but from the standpoint of vulnerability identification and exploitation. The best way to make an environment secure is not to run around plugging the individual holes that are identified, but to address the larger root cause of the problem. Often this entails implementing policy standards and then ensuring that the organization’s information technology assets actually comply with them. My goal for this blog series is to be less comprehensive than the original distribution of the controls from SANS, and to focus on what you need to know, what the risk is, and how to apply it.


CSC 1: Inventory of Authorized and Unauthorized Devices

The Control

Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access. 

The Attack

Not everything that goes wrong on the network is done out of malice. Sometimes employees do not see the bigger picture when they decide to bring in a device and plug it into the network. It can be something as simple as an employee thinking that the wireless signal at their desk is too weak, or deciding they need an extra Ethernet port for some additional use. It would not be unheard of for an employee to bring in a wireless access point and plug it into the network to meet those needs. While the organization may have better ways to address the employee’s needs, it should also have the ability to detect when a non-organizational asset is attached to the network.

Image: A wireless access point plugged into the network

I am often brought onto assessments that include some level of physical social engineering. Sometimes our client asks us just to get in the door, but often they also request that we try to obtain remote access to the network after we leave. For that reason, it is not uncommon for me to carry a couple of extra wireless access points so I can try to connect one to the network.

Placement of these devices depends on the architecture of the building. If there are no windows and the building is quite large, I may opt to use a mini, fanless computer, which can establish a remote VPN connection over the Internet using the client’s network. The successful use of these devices often depends on the company’s ability to detect rogue devices.

The Solution

The first thing that must be done to even begin implementing this control is to create an inventory of all company assets. Even for small companies, this is no easy undertaking. It involves identifying the unique MAC address that each device uses, including not just PCs and servers, but phones, printers, fax machines, and even vending machines that connect to the network to process payment transactions. There are software solutions that can assist in asset discovery, but even those applications require quite a bit of effort to categorize all existing devices. Identifying PCs and servers is easy if they are joined to your domain, but identifying and validating the remaining devices can involve a lot of time, research, and in some situations, legwork.
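The inventory comparison described above, as an added example that is not part of the original post or of any product: given a CSV export of the asset inventory and a switch MAC-address table (both constructed here, with hypothetical column layouts), the script reports MAC addresses that are absent from the inventory and access ports that carry more than one MAC, which is the footprint a bridging hub, unmanaged switch, or access point leaves behind a single port.

```python
import csv
import io
import re
from collections import defaultdict


def normalize_mac(mac: str) -> str:
    """Normalize aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or AA:BB:... to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Constructed sample data (hypothetical column layouts, not a real export).
INVENTORY_CSV = """mac,owner,type
00:50:56:ab:cd:01,finance-ws-12,workstation
00:50:56:ab:cd:02,print-3f-east,printer
00:50:56:ab:cd:03,vend-lobby-1,vending
"""

MAC_TABLE_CSV = """port,vlan,mac
Gi1/0/1,10,0050.56ab.cd01
Gi1/0/2,10,0050.56ab.cd02
Gi1/0/7,10,0050.56ab.cd03
Gi1/0/7,10,f0-9f-c2-11-22-33
Gi1/0/9,10,9c-8e-cd-44-55-66
"""


def load_inventory(text: str) -> dict:
    """Map each normalized inventory MAC to its owner label."""
    return {normalize_mac(r["mac"]): r["owner"] for r in csv.DictReader(io.StringIO(text))}


def audit(inventory_text: str, mac_table_text: str) -> dict:
    """Return MACs missing from the inventory and ports carrying more than one MAC."""
    known = load_inventory(inventory_text)
    unknown, per_port = [], defaultdict(set)
    for row in csv.DictReader(io.StringIO(mac_table_text)):
        mac = normalize_mac(row["mac"])
        per_port[row["port"]].add(mac)
        if mac not in known:
            unknown.append((row["port"], row["vlan"], mac))
    # Several MACs behind one access port means something is bridging there.
    crowded = sorted(p for p, macs in per_port.items() if len(macs) > 1)
    return {"unknown": sorted(unknown), "multi_mac_ports": crowded}


if __name__ == "__main__":
    result = audit(INVENTORY_CSV, MAC_TABLE_CSV)
    for port, vlan, mac in result["unknown"]:
        print(f"UNKNOWN device {mac} on {port} (VLAN {vlan})")
    for port in result["multi_mac_ports"]:
        print(f"Port {port} carries multiple MACs; check for an unmanaged switch or AP")
```

In practice the two inputs come from your asset database and from the switches (or the NAC/DHCP logs), and the same comparison is what a scheduled discovery job should raise tickets on.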

Once an organization has identified all of its existing assets, it is important to develop a Network Access Control (NAC) system for both existing and new devices. Oftentimes, organizations implement simple 802.1X authentication, requiring credentials in order to connect to the network. Without the use of certificates, this control would only be partially implemented, because an attacker could steal valid credentials through other means prior to arriving onsite. It is therefore critical to put a certificate management program in place so that only devices with a valid certificate and valid user credentials can access the network.

The next post will cover CSC 2: Inventory of Authorized and Unauthorized Software. 

By: Joshua Platz

Senior Consultant

