Top 20 CIS Critical Security Controls (CSC) Through the Eyes of a Hacker – CSC 1

Security is hard. Organizations are facing a growing threat, and breaches are becoming commonplace, even happening to companies trying to do everything the right way. The old motto goes, “The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe.” It’s hard to do business like that. So what can you do? It starts with implementing a mature security program to address known attack vectors. 

This is where the top 20 Center for Internet Security (CIS) Critical Security Controls (CSC) come into play, providing organizations with 20 key controls that they can implement to mitigate some of the threats they are facing. Unfortunately, even implementing all of these controls won’t make you “un-hackable,” however, it starts to raise the complexity level required to get hacked, increasing the cost, time, effort, and skillset necessary to attack your organization.

Through this blog series, I will cover each of the 20 controls, showing attack examples and explaining how each control could have prevented the attack from being successful. As a penetration tester, I see these controls daily, not from a policy standpoint, but rather from vulnerability identification and exploitation. The best way to make an environment secure is not to run around plugging the individual holes that are identified, but to instead address the larger root cause of the problem. Often, this entails implementing some policy standards, and also ensuring that the information technology assets actually follow that policy. My goal for this blog series is to be less comprehensive than the original distribution of the controls from SANS, and to focus on what you need to know, what the risk is, and how to apply it.

CSC 1: Inventory of Authorized and Unauthorized Devices

The Control

Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access. 

The Attack

Not everything that can go wrong on the network is done out of malice. Sometimes employees may not realize the bigger picture when they decide to bring a device and plug it into the network. It can be something as simple as an employee thinking that the wireless signal at their desk is too weak, or perhaps they decided they needed an extra Ethernet port for some additional use. It would not be unheard of for an employee to bring in a wireless access point and plug it into the network to achieve those needs. While the organization may have ways to better address the employee’s needs, an organization should also have the ability to detect when a non-organizational asset is attached to the network.

A wireless access point plugged into the network

I often am presented with scenarios where we may be brought onto an assessment to perform some level of physical social engineering. Sometimes our client asks us to just get in the door, but often they also request we try to obtain remote access to the network after we leave. For that reason, it is not uncommon for me to have a couple of extra wireless access points with me so I can try to connect it to the network.

Placement of these devices depends on the architecture of the building. If there are no windows and the building is quite large, I may opt to use a mini, fanless computer, which can establish a remote VPN connection over the Internet using the client’s network. The successful use of these devices often depends on the company’s ability to detect rogue devices.

The Solution

The first thing that must be done to even begin to implement this control is to create an inventory of all company assets. Even for small companies, this is no easy undertaking. It involves identifying the unique MAC address that each device uses, including not just PCs and servers, but phones, printers, fax machines, or even vending machines that connect to the network to process payment transactions. There are software solutions out there which can assist in asset discovery, however, even those applications require quite a bit of effort to categorize all existing devices. Identifying PCs and servers is easy if they are joined to your networked domain, but identifying and validating the remaining devices can involve a lot of time, research, and in some situations, legwork.

Once an organization has identified all of the existing assets, it is important for the organization to develop a Network Access Control (NAC) system for both existing and new devices. Oftentimes, organizations will implement a simple 802.1x authentication, requiring credentials in order to connect to the network. Without the use of certificates, this control would only be partially implemented because it would be possible for an attacker to steal valid credentials through other means prior to arriving onsite. It is therefore critical to ensure that a certificate management program is put in place to ensure that only devices with a valid certificate and valid user credentials can access the network.

The next post will cover CSC 2: Inventory of Authorized and Unauthorized Software.