Top 20 CIS Critical Security Controls (CSC) Through the Eyes of a Hacker – CSC 20
July 31, 2017
In this blog series, members of Optiv’s attack and penetration team are covering the top 20 Center for Internet Security (CIS) Critical Security Controls (CSC), showing an attack example and explaining how the control could have prevented the attack from being successful. Please read previous posts covering:
- CSC 1: Inventory of Authorized and Unauthorized Devices
- CSC 2: Inventory of Authorized and Unauthorized Software
- CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- CSC 4: Continuous Vulnerability Assessment and Remediation
- CSC 5: Controlled Use of Administrative Privileges
- CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
- CSC 7: Email and Web Browser Protections
- CSC 8: Malware Defenses
- CSC 9: Limitation and Control of Network Ports, Protocols and Services
- CSC 10: Data Recovery Capability
- CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- CSC 12: Boundary Defense
- CSC 13: Data Protection
- CSC 14: Controlled Access Based on the Need to Know
- CSC 15: Wireless Access Control
- CSC 16: Account Monitoring and Control
- CSC 17: Security Skills Assessment
- CSC 18: Application Software Security
- CSC 19: Incident Response and Management
CSC 20: Penetration Tests and Red Team Exercises
Test the overall strength of an organization’s defenses (the technology, the process and the people) by simulating the objectives and actions of an attacker.
A Twist: The Attack is the Solution
We now move into our final step of the Top 20 CIS Critical Security Controls. Throughout the series, we demonstrated how attack scenarios can be leveraged to take advantage of the lack of, or misconfigured, controls. A penetration test is the next logical step after you have implemented these controls to ensure that the controls have been implemented correctly.
A penetration test comes in many forms depending on the organizational need, company hired and end goal. I have broken these into four main types of tests performed regularly; however, there may be other tests offered to meet different goals. Either way, it is strongly recommended that you don’t just go out and buy a penetration test but that you define these goals and identify which test works best for your needs.
- Compliance-Driven Penetration Testing (PCI/HIPAA/SOX) – The most motivating reason to perform a penetration test may not be a decision at all but rather a requirement imposed by a compliance body. PCI DSS states that penetration testing of the cardholder data environment must occur at least annually and after any significant change to the network or to an application that serves the cardholder data environment. When performing this type of test, assessors adhere strictly to the best practices surrounding the requirement. With PCI this may mean the requirements presented in the Information Supplement: Guidance for PCI DSS Scoping and Network Segmentation and the latest releases of the PCI DSS documentation. Often, assessors will have a relationship with a PCI QSA who can help ensure that all avenues of testing are covered comprehensively. A common failure is that an organization buys the cheapest penetration test it can find and uses it as its PCI penetration test. While this may work if the organization is taking other steps, such as performing segmentation testing, it may not be as exhaustive as its QSA or ISA would prefer.
- Comprehensive Penetration Testing – This type of test focuses on bridging the gap between a vulnerability management program and a penetration test. It is generally the first level of non-compliance testing recommended for an organization. It gives an organization a holistic view of its networks and vulnerabilities and the opportunity to compare that view against its vulnerability management program, exposing gaps in its current vulnerability detection methods. Often, it turns out that an organization is not sure of the full extent of its internal IP ranges, or that it has misconfigured scanners that are not reporting vulnerabilities correctly. To complicate matters further, not all scanners find the same things, so what one organization sees as a missing patch may differ from what an assessor is able to identify. Comprehensive testing is followed up with exploitation and post-exploitation to demonstrate the risk posed by the critical vulnerabilities identified. That demonstrated risk helps prioritize remediation of critical vulnerabilities within the organization's information technology and security hierarchy, often revealing scenarios where more staff hours or budget may be required.
- Targeted Penetration Testing – A targeted penetration test, on the other hand, is a scenario where the organization has a specific goal in mind. Most commonly confused with a targeted compliance-driven test, it focuses on the breach of a target system or specific information through the compromise of intermediary pivot systems. The information being targeted is entirely up to the organization ordering the penetration test; however, it commonly includes company secrets and trade information, payroll information such as direct deposit accounts and W-2s, and financial information such as ACH transfers and/or credit card data. Often an initial compromise of a domain administrator account will occur, allowing the attacker to move throughout the network as a legitimate user while searching for the specified target.
- Red Team Penetration Testing – The Holy Grail. If your organization ever gets to the point where you are ready to take the plunge into the deepest form of penetration testing, then the Red Team assessment is for you. Red Team assessments are generally "no holds barred" assessments in which an organization hires a team of experienced testers to breach the organization without any information being provided and without any assistance from the organization. This is a true black box test, designed only for organizations that have shown a strong security model and have resisted compromise in most other penetration testing activities. With these tests, the organization gives assessors only a broad window of time in which the assessment may occur, and only a limited number of company personnel should be in the "know." This creates the most realistic scenario for testing your system defenses as well as your system operators. Red Team assessments are generally completed as stealthily as possible, targeting specific individuals with social engineering to gain a foothold in the organization. Assessors will often scope out network as well as physical security controls and attempt to circumvent them, either by gaining access to sensitive network data or by gaining entry to the physical location. Onsite, more social engineering may be leveraged to access buildings and implant devices on the network. Multiple attack paths are considered, but the quietest and most impactful scenarios are the ones demonstrated.
While all of this can sound scary to an organization just getting started with penetration testing, going with a reputable group of proven professionals can help avoid most of the pitfalls that can occur. This testing, when performed in collaboration with your security and technology staff, can have a greater impact, because knowledge transfer in both directions adds an extra level of effectiveness to the penetration test. Assessors benefit from this conversation by learning which key areas to look into, and staff benefit by learning how risky a seemingly innocuous vulnerability may be. Not all penetration tests leverage high and critical vulnerabilities; some don't even use a vulnerability scanner. It's important to know what your organization needs (is it compliance driven?) and wants (a collaborative understanding) when selecting a company and a type of penetration test.
This concludes our series on the critical security controls.