Implementation of these critical security controls is part of an effective overall network security strategy.
Companies getting hacked and the resulting massive data breaches are constantly in the news, and they are becoming more common. You’ve probably read about one recently, from Dropbox to the Illinois election hacks, and it likely won’t be long until another takes place. So many have occurred that it’s likely you’ve been affected by one yourself (check the database, here, to find out … I, personally, have been affected by two!).
Given these realities, taking a firm stance on network security is a must for every organization with a technical presence. The following security controls represent a minimum baseline recommended by the CIS Critical Security Controls (CSC, https://www.cisecurity.org/critical-controls.cfm); the most up-to-date version is always available at that link.
Today, we will focus on controls 1 & 2, which are related to Inventory and control of Authorized and Unauthorized Hardware and Software, and specifically, how Device42 aids in enforcing these controls.
Device42 is especially relevant to these 4 (of 20) controls:
- CSC 1: Inventory of Authorized and Unauthorized Devices
- CSC 2: Inventory of Authorized and Unauthorized Software
- CSC 3: Secure Configurations for Hardware and Software on Mobile Device Laptops, Workstations, and Servers
- CSC 4: Continuous Vulnerability Assessment and Remediation
“The Controls take the best-in-class threat data and transform it into actionable guidance to improve individual and collective security in cyberspace. Too often in cybersecurity, it seems the “bad guys” are better organized and collaborate more closely than the “good guys.” The Controls provide a means to turn that around.” – sans.org
CSC 1: Inventory of Authorized and Unauthorized Devices
“Actively manage all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.”
Why is this control important?
Attackers all over the world continuously scan the internet for exposed, vulnerable devices that can be exploited. If you’ve ever hosted a website and looked at the server logs, you’ve seen this for yourself. Attackers especially target devices that aren’t properly patched, as well as those that still use default usernames and passwords. It only takes one compromised device to get into your network; from this “jump point” (think of it as the attack’s control center), the attacker may sit and wait, monitoring the network for more machines to compromise.
Controlling every device that attaches to your network is paramount to protecting yourself, as is limiting which network segments the devices you cannot control may connect to, e.g. restricting BYOD to isolated guest networks only.
Summary of CSC’s recommended implementation of CSC 1:
- Deploy an automated asset inventory discovery tool (e.g. Device42) to build an inventory of systems connected to the network. Device42’s extensive auto-discovery and self-documentation capabilities implement this control.
- When using DHCP, logging is suggested. Device42’s IPAM module is a perfect fit for this task.
- Ensure that all new equipment is added to the inventory. Scheduling Device42’s auto-discovery to run regularly addresses this control.
- Record the network address, machine name, purpose, asset owner, and department (at least) associated with each device. Device42 has provisions to record all of this information about each and every IP (and non-IP!) device, and custom fields can be added for extra information.
- Deploy 802.1x authentication to limit which devices are able to connect to the network, allowing only devices that are in the inventory system. Device42’s API can be leveraged to implement this control.
- Use client certificates to ensure clients are authorized. Device42’s certificate management system can track the certificates in use.
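As an added example (not Device42 code, and not part of the original article), the following Python reconciles DHCP lease log lines against an authorized-device inventory and flags anything not on it, which is the check that the DHCP-logging and "only inventoried devices may connect" recommendations above rely on. The log lines and inventory records are constructed, and the inventory field layout is an assumption about what an asset tool would export.

```python
"""Reconcile DHCP lease log lines against the authorized-device inventory (CSC 1).
Added example, not Device42 code; the log lines and inventory are constructed, and
the inventory layout is an assumption about what the asset tool would export."""
import re
from dataclasses import dataclass

# ISC dhcpd-style syslog lines (constructed sample data).
DHCP_LOG = """\
Sep 20 10:01:12 dhcp1 dhcpd: DHCPACK on 10.10.1.20 to 00:1a:2b:3c:4d:5e (ws-finance-07) via eth0
Sep 20 10:01:40 dhcp1 dhcpd: DHCPACK on 10.10.1.21 to 00:1a:2b:3c:4d:5f (srv-build-02) via eth0
Sep 20 10:02:05 dhcp1 dhcpd: DHCPACK on 10.10.1.55 to de:ad:be:ef:00:01 (android-9f2c) via eth0
Sep 20 10:02:33 dhcp1 dhcpd: DHCPACK on 10.10.1.56 to 00:1a:2b:3c:4d:60 via eth0
"""

# Authorized inventory keyed by MAC: (machine name, purpose, owner, department),
# the minimum fields the control asks to record (constructed).
INVENTORY = {
    "00:1a:2b:3c:4d:5e": ("ws-finance-07", "workstation", "j.doe", "Finance"),
    "00:1a:2b:3c:4d:5f": ("srv-build-02", "CI build server", "ops", "Engineering"),
}

ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)

@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    host: str  # empty string when the client sent no hostname

def parse_leases(log: str) -> list[Lease]:
    """Extract ip, MAC and hostname from every DHCPACK line in the log."""
    leases = []
    for line in log.splitlines():
        m = ACK_RE.search(line)
        if m:
            leases.append(Lease(m["ip"], m["mac"].lower(), m["host"] or ""))
    return leases

def unauthorized(leases: list[Lease], inventory=INVENTORY) -> list[Lease]:
    """Leases whose MAC is unknown to the inventory, or whose hostname disagrees with it."""
    flagged = []
    for lease in leases:
        record = inventory.get(lease.mac)
        if record is None or (lease.host and lease.host != record[0]):
            flagged.append(lease)
    return flagged
```

Feeding `unauthorized(parse_leases(DHCP_LOG))` into an alerting or 802.1x policy step is where the inventory becomes enforcement rather than documentation; a hostname mismatch is flagged as well, since a known MAC on an unknown machine name is worth a look.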
CSC 2: Inventory of Authorized and Unauthorized Software
“Actively manage all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.”
Why is this control important?
Much like with hardware, attackers all over the world continuously scan vast swaths of the internet for exposed, vulnerable software that can be exploited. As mentioned previously, if you’ve ever hosted a website and examined the logs, you’ve likely seen these attempts to identify and exploit your web server software for yourself. Attackers target software that isn’t up to date and patched, and especially love finding deployments that still use default usernames and passwords (a single “default” WordPress install is sometimes all it takes to be compromised; this is not to imply that WordPress is any more vulnerable than other software). It only takes one successful exploit to gain access to your network, and that entry point may then be used to launch further attacks and compromises. In this way, an attacker can quickly turn a single compromised machine into an entire network of compromised machines, eventually forming a “botnet”, so to speak.
Controlling all software that runs on devices that can access your network is paramount to protecting yourself, and again, so is limiting which network segments the devices you cannot control may connect to, e.g. restricting BYOD to isolated guest network VLANs only.
Summary of CSC’s recommended implementation of CSC 2:
- Devise a list of software that your organization considers authorized for each type of system that will be deployed. Device42 allows you to assign this software to a group, or “suite”, as well as mark other software as “prohibited”. Alerts can be sent when prohibited software is detected.
- Deploy application whitelisting so that systems only run software that you have determined, in the previous step, is authorized. As mentioned previously, Device42’s prohibited software detection and alerting functionality can assist in enforcing the spirit of this control.
- Deploy a software inventory tool that tracks all installed software and software versions. Ensure that all devices in use at your organization, and their respective operating systems, are covered. Integration with the hardware inventory is emphasized by this control. Device42 is able to track all installed software and software versions across servers and user devices alike. The software inventory is auto-discovered and is associated directly with the device the software was discovered on, allowing a “single pane of glass” view to implement this control.
- Use only virtual machines or stand-alone, air-gapped systems to run higher-risk but required applications, keeping these machines isolated from network access.
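As an added example (not Device42 code, and not part of the original article), here is the audit logic behind the suite/prohibited model described above: each device's discovered software is checked against the authorized suite for its system type, a prohibited list, and a minimum patched version, and every deviation becomes an alert. All records are constructed, and the record layout is an assumption about what an inventory export would contain.

```python
"""Audit discovered software per device against an authorized suite, a
prohibited list and minimum patched versions (CSC 2). Added example, not
Device42 code; every record below is constructed and the record layout is an
assumption about what an inventory export would contain."""
import re

# Authorized "suite" per system type (constructed).
SUITES = {
    "workstation": {"Chrome", "Office", "Slack"},
    "web-server": {"nginx", "openssh", "postgresql"},
}
# Software the organization has marked prohibited (constructed).
PROHIBITED = {"TeamViewer", "uTorrent"}
# Lowest acceptable version; anything older is flagged as unpatched (constructed).
MIN_VERSIONS = {"openssh": "9.3", "nginx": "1.24.0"}

# Output of auto-discovery: device, system type, (software, version) pairs.
DISCOVERED = [
    {"device": "ws-finance-07", "type": "workstation",
     "software": [("Chrome", "118.0.5993"), ("Office", "16.0"), ("TeamViewer", "15.4")]},
    {"device": "web-01", "type": "web-server",
     "software": [("nginx", "1.24.0"), ("openssh", "8.9p1"), ("vsftpd", "3.0.5")]},
]

def parse_version(v: str) -> tuple[int, ...]:
    """Compare on numeric components only, so '8.9p1' < '9.3' and '1.24.0' > '1.9'."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def audit(devices, suites=SUITES, prohibited=PROHIBITED, min_versions=MIN_VERSIONS):
    """Return (device, software, reason) findings; an empty list means compliant.
    Prohibited wins over 'not in suite' so the alert names the stronger policy."""
    findings = []
    for dev in devices:
        allowed = suites.get(dev["type"], set())
        for name, ver in dev["software"]:
            if name in prohibited:
                findings.append((dev["device"], name, "prohibited"))
            elif name not in allowed:
                findings.append((dev["device"], name, "not in authorized suite"))
            elif name in min_versions and parse_version(ver) < parse_version(min_versions[name]):
                findings.append((dev["device"], name, f"below minimum version {min_versions[name]}"))
    return findings

if __name__ == "__main__":
    for device, name, reason in audit(DISCOVERED):
        print(f"ALERT: {device}: {name} is {reason}")
```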
It’s a good idea to take a proactive stance on security in today’s world. In fact, it has always been a good idea, but especially so as more and more companies come to hold databases of sensitive user data. Meanwhile, as software proliferates through our tech-laden lives and code bases keep growing with time and feature additions, zero-day bugs will inevitably become more common. History has shown that some percentage of those bugs will be easily exploitable not only by elite and state-sponsored hackers, but by so-called “script kiddies” too, who are usually thought of as less mature and less talented, but are often just as dangerous once inside your network.
We at Device42 want to emphasize that it’s a smart move to take every possible step to minimize your attack surface and help ensure your organization isn’t the latest headline. After all, nobody is going to write an article about “that time your organization’s security worked as planned”; that is an everyday thing, right up until it isn’t! Device42 doesn’t handle your security for you, but it provides a robust set of tools that can help bolster your organization’s security and, most importantly, keep you out of the news.