Top 20 CIS Critical Security Controls (CSC) Through the Eyes of a Hacker – CSC 17
December 12, 2016
In this blog series, members of Optiv’s attack and penetration team are covering the top 20 Center for Internet Security (CIS) Critical Security Controls (CSC), showing an attack example and explaining how the control could have prevented the attack from being successful. Please read previous posts covering:
- CSC 1: Inventory of Authorized and Unauthorized Devices
- CSC 2: Inventory of Authorized and Unauthorized Software
- CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- CSC 4: Continuous Vulnerability Assessment and Remediation
- CSC 5: Controlled Use of Administrative Privileges
- CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
- CSC 7: Email and Web Browser Protections
- CSC 8: Malware Defenses
- CSC 9: Limitation and Control of Network Ports, Protocols and Services
- CSC 10: Data Recovery Capability
- CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- CSC 12: Boundary Defense
- CSC 13: Data Protection
- CSC 14: Controlled Access Based on the Need to Know
- CSC 15: Wireless Access Control
- CSC 16: Account Monitoring and Control
CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
For all functional roles in the organization prioritizing those mission critical to the business and its security, identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.
It’s commonly mentioned that the weakest part of any organization is the human element. These vulnerabilities are not always technical in nature. Organizations need to prepare employees with an adequate training program informing them of the dangers they may face in the workplace.
In a social engineering attack, an attacker will start by collecting all of the information they can about an organization from public sources (e.g., public websites, Internet mailing lists, social networks, etc.) There are many tools that can help with collecting this data. What follows are two examples used by Optiv for gathering email addresses from various sources, including LinkedIn.
Once the attacker has collected information on the organization, they will begin to build a profile to decide how best to target it. Common information the attacker would search for would be:
- Email addresses
- Phone numbers
An attacker may use this information to execute a phone pretexting or spear phishing attack. Both of these attacks can be done remotely and are tailored for a specific target using the public information identified.
In a phone pretexting attack, the attacker will try to impersonate an employee, customer or vendor. Acting under a false identity, the attacker would call a specific target to extract sensitive information or convince the target to execute malicious software on the attacker’s behalf.
In a spear phishing attack, the attacker may use techniques such as spoofed emails and impersonation, and targets a specific individual or group within an organization. Depending on the organizations public exposure, an attacker may choose from a variety of exploitation scenarios. For example, if the organization exposes a single-factor authentication interface, such as a webmail service or, even worse, an SSL VPN, an attacker may try to influence the user into submitting their username and password to a website they control. For a more direct path into the network, an attacker may attempt to influence the user into opening a malicious attachment, such as a Macro enabled Microsoft Word document. Once an attacker has gained access to the target’s host or organization’s network, attackers will often either pivot further into the network in an attempt to access other hosts, or monitor the infected machine to determine its value to the attacker.
There are many different tools and techniques for crafting malicious emails and files. The following example showcases a tool, Phishery, developed by a member of the Optiv attack and penetration team, Ryan Hanson. This publicly available tool facilities a novel approach to credential harvesting. The process begins with Phishery modifying an existing Microsoft Word document by injecting a link to a remote template. Next, Phishery starts an HTTP server that will respond to that link. Once the document is opened by the victim, Microsoft Windows will automatically call out to Phishery’s HTTP server to load the linked template. The server is configured to respond in a way that tells Microsoft Windows to prompt for a username and password. Once the credentials are submitted, Phishery captures and logs them for the attacker.
Continual security awareness training for all employees is crucial in order to build a strong defense against social engineering attacks. Companies should develop and deliver enterprise-wide training that encompasses all employees, with clear instructions relating to existing policies and technologies. Such security awareness training should:
- Focus on common methods of intrusion;
- Be updated frequently to include new trends;
- Be mandatory for all employees including senior leadership; and
- Include metrics to track improvement.
In addition to conducting regular training, organizations should occasionally conduct unannounced assessments, testing employees on their security awareness. This is typically accomplished through a simulated phishing attack, tracking which users click the link on a sample phishing message. By implementing training and unannounced testing, along with measurable metrics, an organization can develop a strategy to train employees about the dangers they may encounter while using the company’s technical assets.
Of course, security awareness training can go only so far, and no matter how well users are trained there is always a potential for failure. This is why it is important to apply a defense-in-depth approach using not only the solutions discussed in this control, but also the technical controls discussed earlier in this series.
The next post will cover CSC 18: Application Software Security.