Skip to main content

Top 20 CIS Critical Security Controls (CSC) Through the Eyes of a Hacker – CSC 13

October 21, 2016

In this blog series, members of Optiv’s attack and penetration team are covering the top 20 Center for Internet Security (CIS) Critical Security Controls (CSC), showing an attack example and explaining how the control could have prevented the attack from being successful. Please read previous posts covering:

CSC 13 Featured

CSC 13: Data Protection

The Control

The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.

The Attack

Data protection is the key to why security is so important. In the triad of CIA (Confidentiality, Integrity and Availability) perhaps the most critical component is the confidentiality of the data organizations have on their products, customers or business ventures. Integrity and availability are important as well, but when a breach occurs and organizational data is leaked to the world, it can be one of the biggest hits to a company’s reputation. A lot of controls work together, and CSC 13 does share similarities with CSC 12: Boundary Defense. For that purpose this post will focus less on the components that overlap and more on the unique metrics that organizations can implement to improve security. 

For my example attack in this blog post, I will show a policy violation surrounding data loss prevention (DLP). Often this is not done out of malicious intent, but I have seen this situation in real organizations.

There are several scenarios where employees may access sensitive data and inadvertently break DLP policies exposing secure information, such as:

  • Downloading a file
  • Printing data
  • Saving a screenshot

CSC 13.1
Figure 1: Saved data

Often the information systems which are configured to house sensitive data are also configured with strong security mechanisms to prevent unauthorized access to data. When data is downloaded, printed  or copied in any form from the environment, the security controls protecting the data are generally no longer in place. As a result, if an attacker can gain access to employee’s workstations through some attack such as email phishing, then the attacker would be able to access the data much easier than trying to break into the system where the data is most protected.

The Solution

For the above scenario, it takes a combination of technology and policy in order to effectively secure data. Organizations should employ defense-in-depth in order to protect data as much as possible and assume that it is possible for data to leak from its primary secured storage locations. A few of these defense-in-depth technologies/policies include:

  • Encrypting data as rest
    • Strong encryption key management
  • Full disk encryption (FDE) on mobile devices
  • Restrict access to file upload and transfer sites
  • Disable USB write access
  • Implement a network-based DLP solution configured on a network SPAN port

Additionally, organizations should periodically scan for data on systems which it is not intended to be on employee workstations. This can be done with a continuous monitoring tool but should be validated occasionally with full system scans to identify RegEx patterns which match the privileged information the company is attempting to protect (i.e. credit cards or social security numbers).

A strong method to go about validating that data is protected within the organization includes:

  • Implementing strong technology solutions to prevent the leaking of privileged information
  • Consistent staff training of privileged data handling processes and policies
  • Making sure that data is only where it is intended and is encrypted

The next post will cover CSC 14: Controlled Access Based on the Need to Know.


    Joshua Platz

By: Joshua Platz

Senior Consultant

See More

Related Blogs

November 04, 2016

Top 20 CIS Critical Security Controls (CSC) Through the Eyes of a Hacker – CSC 14

The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, and systems) according t...

See Details

September 22, 2016

Top 20 CIS Critical Security Controls (CSC) Through the Eyes of a Hacker – CSC 12

Detect/prevent/correct the flow of information transferring networks of different trust levels with a focus on security-damaging data.

See Details

January 25, 2017

Escape and Evasion Egressing Restricted Networks

A command kill chain consists of payload delivery, code execution on a target system, and establishing a command and control (C2) channel outside of a...

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.


Privacy Policy

Related Insights

November 21, 2014

Strategy and Tactics: Penetration Testing in the Security Program

In the war of information security, the eldritch horror of knowing resides in the bowels of the vulnerability scanning report. Before, you might have ...

See Details

July 21, 2015

Network Security Solutions

Learn how we help protect your environment while maintaining connectivity.

See Details

October 26, 2014

Common Web Application Vulnerabilities - Part 1.1

While Cross-Site Scripting (“XSS”) is neither a new nor a particularly exciting class of web application vulnerabilities, it certainly is one of the m...

See Details

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.

Subscribe

Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cyber security Events in your area.