The Shifting Landscape of Security Controls, Part 2
Last month the Center for Internet Security released an update to its Critical Security Controls. Here's part two in a three post breakdown of the changes they made.
In my previous post I reviewed the first 5 Critical Security Controls (CSC) on the updated list, those referred to as “foundational cyber hygiene” by the Center for Internet Security (CIS). Implementing these top 5 gives companies a picture of what is on their networks, outlines a vulnerability management program, and controls the use of administrative privileges. While the top 5 had minor changes from the previous version of the CSC Top 20, the mid-tier had far more activity. In what I am labeling the “optimizing” section not a single control maintained its spot, some moved a spot here or there while two jumped 8 spots on the list and one new control entered the list. To start, here's the section that this post will cover:
- CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
- CSC 7: Email and Web Browser Protections
- CSC 8: Malware Defenses
- CSC 9: Limitation and Control of Network Ports, Protocols, and Services
- CSC 10: Data Recovery Capability
- CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- CSC 12: Boundary Defense
- CSC 13: Data Protection
- CSC 14: Controlled Access Based on the Need to Know
- CSC 15: Wireless Access Control
I will start with the big movers, and in one sense Control #7 makes the biggest move; in the previous version this control didn’t even exist as a standalone. CSC #7 focuses on email and web browser protections, two common and successful attack vectors today. Phishing is still remarkably successful, and browsers sit on essentially every machine, making them an entry point into any organization. This control borrows from CSC #2 for its top priority: ensure that only supported browsers and email clients are allowed. Given the number of options available for email clients and browsers today, enforcing proper email and browser usage can be challenging. Anyone can easily download Chrome or Chromium; the real problem is when they grab MyChromium or BoBrowser, two fake versions of Chrome bundled with adware, malware, or both depending on your definition. Unsanctioned email usage can easily lead to data loss as well, as webmail clients can lie outside the security team’s scope for monitoring and control.
The next two big movers shifted 8 spots; while “Maintenance, Monitoring, and Analysis of Audit Logs” jumped up to #6, “Wireless Access Control” dropped to #15. Audit logs are the breadcrumbs that lead back to the attacker, their target, and often their tactics; the challenge is the sheer volume of log entries that need either eyeballs, which simply doesn’t scale, or a big data analytics solution and the resources to manage it. This volume of logs going unreviewed, or only given a cursory skim, is instrumental in allotting attackers the time they need to hide within an organization. A favorite tactic used by hackers to cover their tracks is to clear the entire log history of a device; this may seem like an announcement of an attack, but by the time they do this they are on the way out the door, with your data. Even a review that discovers a gap in the log files is a good sign that more digging is needed to find out what happened; it also means you can control the news around a breach versus a third party breaking the news. Moving this up the list will push security teams to dedicate more resources here; while this task isn’t sexy it can be effective.
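The two signals called out above, a suspicious gap in a device’s log history and an explicit “log cleared” event, are cheap to check for even without a big data analytics platform. The script below is an added example written for this post, not code from CIS or from the original article: it parses a constructed sample of forwarded syslog-style lines (hostnames, IPs and timestamps are made up), flags any host whose consecutive entries are further apart than a threshold, and separately flags Windows event log clearing (Event ID 1102 for the Security log, Event ID 104 for the System log). The line format and the 30-minute threshold are assumptions to adapt to your own collector.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of forwarded log lines in "<ISO timestamp> <host> <message>" form.
# Hostnames, addresses and events are invented for this example.
SAMPLE_LOG = """\
2016-02-10T08:00:00 srv-web01 sshd[1021]: Accepted publickey for deploy from 10.0.0.5
2016-02-10T08:02:00 ws-fin07 Microsoft-Windows-Security-Auditing: EventID=4624 An account was successfully logged on
2016-02-10T08:05:12 srv-web01 cron[1044]: (root) CMD (run-parts /etc/cron.hourly)
2016-02-10T08:06:30 srv-db01 postgres[2200]: connection authorized: user=app
2016-02-10T08:10:45 srv-web01 sshd[1099]: Accepted password for admin from 10.0.0.77
2016-02-10T08:36:00 srv-db01 cron[2251]: (root) CMD (run-parts /etc/cron.hourly)
2016-02-10T14:30:02 srv-web01 sshd[3310]: Accepted publickey for deploy from 10.0.0.5
2016-02-10T14:31:10 ws-fin07 Microsoft-Windows-Eventlog: EventID=1102 The audit log was cleared
"""

# Assumed line layout: timestamp, hostname, then the free-text message.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")

# Messages that indicate the log history itself was wiped.
# 1102 = Security log cleared, 104 = System log cleared (Windows event IDs);
# the plain-text pattern catches other sources that say so in words.
CLEAR_PATTERNS = [
    re.compile(r"\bEventID=1102\b"),
    re.compile(r"\bEventID=104\b"),
    re.compile(r"log was cleared", re.IGNORECASE),
]


def parse_log(text):
    """Turn raw lines into {ts, host, msg} records; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        events.append({"ts": ts, "host": m.group(2), "msg": m.group(3)})
    return events


def find_gaps(events, max_gap=timedelta(minutes=30)):
    """Per host, report any silence between consecutive entries longer than max_gap."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e["ts"])
    gaps = []
    for host, stamps in by_host.items():
        stamps.sort()  # forwarded logs are not guaranteed to arrive in order
        for prev, cur in zip(stamps, stamps[1:]):
            delta = cur - prev
            if delta > max_gap:
                gaps.append({"host": host, "start": prev, "end": cur, "duration": delta})
    return gaps


def find_clear_events(events):
    """Return the records whose message matches a known 'log cleared' pattern."""
    return [e for e in events if any(p.search(e["msg"]) for p in CLEAR_PATTERNS)]


def review(text, max_gap=timedelta(minutes=30)):
    """Run both checks over a log blob and return the findings for analyst follow-up."""
    events = parse_log(text)
    return {"gaps": find_gaps(events, max_gap), "cleared": find_clear_events(events)}


if __name__ == "__main__":
    findings = review(SAMPLE_LOG)
    for g in findings["gaps"]:
        print(f"GAP     {g['host']}: no entries from {g['start']} to {g['end']} ({g['duration']})")
    for e in findings["cleared"]:
        print(f"CLEARED {e['host']} at {e['ts']}: {e['msg']}")
```

Against the sample data this flags srv-web01 and ws-fin07 for multi-hour silences and ws-fin07 for the clearing event, while srv-db01 (a 29-minute gap) stays under the threshold. The threshold is the tuning knob: set it per host class from what that host normally emits, since a quiet file server and a busy web tier have very different baselines, and treat a gap that ends with a clearing event as the strongest signal for the deeper digging the post describes.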
Wireless access control was the second biggest loser on the list (the top ranking in that category goes to “Secure Network Engineering,” which fell off the list altogether, with some of its core tenets absorbed into other controls). Wireless networks are everywhere, ranging from endorsed and supported corporate access points and adjacent office access points to rogue networks in the office and malicious networks intent on spying, so why did this drop? In the world of forced ranking, even important best practices can be knocked down. Simply stated, putting some of the previously mentioned controls in place can render this moot. If you have a rock solid policy on hardware, software, and data protection, having your wireless network compromised may be less damaging, though clearly the ideal is to lock up wireless access too.
Moving up 4 spots is a control that needs to be in place in order to keep your critical information where it belongs: CSC #13, “Data Protection.” After a year fraught with high profile data loss incidents highlighting the importance of data protection, moving up 4 spots in the rankings demonstrates this control is gaining traction in the market. With breaches continuing to occur despite the emphasis on perimeter defenses, implementing a data protection strategy helps keep sensitive data within your control. In a defense-in-depth model, data protection should serve as your last line; being able to prevent data exfiltration even if all of your other defenses have failed can go a long way in limiting the damage of a breach. The growth of ransomware, however, ensures that there is still no silver bullet for infosec professionals, as encrypted data that is still within your control but can’t be decrypted will hamstring most companies.
One of the moves that initially seemed curious, but upon further reflection is a reaction to the fading effectiveness of the control, is “Malware Defenses,” now #8 (down from #5 previously). Many of the traditional tools for malware defense are signature-based and require a sample of the malware for analysis. Given the proliferation of malware in the wild and the number of new variants being designed to evade detection, these tools are fighting an uphill battle. I don’t know of many organizations that have completely decommissioned their AV solutions, however; while not perfect, they will stop some known attacks. Research shows that many of the vulnerabilities exploited by malware are holes that have been identified for months. The comments about the death of AV may be overstated; perhaps better stated is that AV is ripe for disruption.
The rest of the controls in the 6-15 group shuffled up or down 1-2 spots; these minor changes don’t reflect a sea change in the controls, but more likely a subtle shift in the reaction to evolving threats. Each organization must decide where its priorities lie, which in turn determines what makes the most sense when evaluating and prioritizing the controls in this middle tier.
Join us next week for the third installment of this series, where I will analyze the final controls and the supporting document that helps organizations quantify their security effectiveness.