Today, I will be going over Control 12 from version 7 of the CIS top 20 Critical Security Controls – Boundary Defense. I will go through the 12 requirements and offer my thoughts on what I’ve found.

Key Takeaways from Control 12

  • Quick and powerful wins available. Use tools at your disposal to quickly address some of the network scanning and logging requirements. For more impact, implement boundary decryption to gain visibility into encrypted traffic, and require multi-factor authentication for remote access to reduce your attack surface.
  • Use premium feeds. There are recommendations for threat intelligence as well as IDS/IPS signature-based tools throughout control 12. A paid-for and/or curated feed is highly recommended. You will get what you pay for when it comes to using free versus premium feeds.

Requirement Listing from Control 12

1. Maintain an Inventory of Network Boundaries

Description: Maintain an up-to-date inventory of all of the organization’s network boundaries.

Notes: This should be a quick win with tools readily available in every organization. Something like Nmap will identify your devices, and diffing successive scan results (Nmap ships ndiff for this) will flag anything new that pops up. Scan from both the internal and external sides to make sure an incorrect configuration hasn’t poked a hole through your perimeter.

2. Scan for Unauthorized Connections across Trusted Network Boundaries

Description: Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.

Notes: I have seen a new ESX server that re-used an IP address from a retired web server. Since the organization did not have great asset and configuration management in place, the ESX server was exposed directly to the internet. Only by following this recommendation would you be able to automatically detect this.
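The following is an added example, not code from the original post, showing how requirements 1 and 2 turn into an automatic alert: it parses two Nmap XML results from scans of the same external range, a saved baseline and the latest run, and reports new hosts, newly open ports, ports that went away, and hosts that disappeared. The XML inline is constructed sample output on TEST-NET-3 addresses, shaped after the ESX-on-a-reused-IP case above; the file names and addresses are assumptions.

```python
"""Diff two Nmap XML scans of the same network boundary and flag what changed.

Intended use (assumed, not prescribed by the post): run something like
`nmap -sS -sV -p- -oX current.xml <external range>` from OUTSIDE the
boundary on a schedule, keep the last approved result as baseline.xml,
and run this against the pair. Nmap does not alert by itself; the diff is
the alert.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

Service = Tuple[str, int, str]          # (protocol, port, service name)
HostMap = Dict[str, Set[Service]]       # ip -> open services
Findings = Dict[str, Dict[str, Set[Service]]]

# Constructed sample output (TEST-NET-3 addresses), not a real scan.
# Baseline: a web server on .10 and a mail relay on .11.
BASELINE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -p- -oX baseline.xml 203.0.113.8/29">
  <host><status state="up"/><address addr="203.0.113.10" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
  </ports></host>
  <host><status state="up"/><address addr="203.0.113.11" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="25"><state state="open"/><service name="smtp"/></port>
    <port protocol="tcp" portid="110"><state state="closed"/><service name="pop3"/></port>
  </ports></host>
</nmaprun>"""

# Current: .10 was retired and its address reused by a hypervisor (ssh and
# vmware-auth now exposed), and a new host .12 appeared with RDP open.
CURRENT_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -p- -oX current.xml 203.0.113.8/29">
  <host><status state="up"/><address addr="203.0.113.10" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    <port protocol="tcp" portid="902"><state state="open"/><service name="vmware-auth"/></port>
  </ports></host>
  <host><status state="up"/><address addr="203.0.113.11" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="25"><state state="open"/><service name="smtp"/></port>
  </ports></host>
  <host><status state="up"/><address addr="203.0.113.12" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
  </ports></host>
  <host><status state="down"/><address addr="203.0.113.13" addrtype="ipv4"/></host>
</nmaprun>"""


def parse_open_ports(xml_text: str) -> HostMap:
    """Return {ip: {(proto, port, service)}} for every host that is up.

    Only ports in state 'open' are kept; hosts that are down are skipped.
    """
    hosts: HostMap = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        services: Set[Service] = set()
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            services.add((port.get("protocol"), int(port.get("portid")), name))
        hosts[addr.get("addr")] = services
    return hosts


def diff_scans(baseline: HostMap, current: HostMap) -> Findings:
    """Compare two parsed scans. A service name change on the same port
    shows up as one closed entry plus one new entry, which is what you want."""
    findings: Findings = {"new_hosts": {}, "gone_hosts": {},
                          "new_ports": {}, "closed_ports": {}}
    for ip, services in current.items():
        if ip not in baseline:
            findings["new_hosts"][ip] = set(services)
            continue
        if services - baseline[ip]:
            findings["new_ports"][ip] = services - baseline[ip]
        if baseline[ip] - services:
            findings["closed_ports"][ip] = baseline[ip] - services
    for ip, services in baseline.items():
        if ip not in current:
            findings["gone_hosts"][ip] = set(services)
    return findings


def report(findings: Findings) -> List[str]:
    """One line per host per category, suitable for a ticket or pager."""
    labels = [("new_hosts", "NEW HOST"), ("new_ports", "NEW PORTS"),
              ("closed_ports", "CLOSED PORTS"), ("gone_hosts", "HOST GONE")]
    lines: List[str] = []
    for key, label in labels:
        for ip, services in sorted(findings[key].items()):
            detail = ", ".join(f"{p}/{proto} ({n})" for proto, p, n in sorted(services))
            lines.append(f"{label} {ip}: {detail}")
    return lines


if __name__ == "__main__":
    result = diff_scans(parse_open_ports(BASELINE_XML), parse_open_ports(CURRENT_XML))
    for line in report(result):
        print(line)
```

Anything in the NEW HOST or NEW PORTS categories is the unauthorized connection requirement 2 is after; closed ports and vanished hosts are worth a look too, since they usually mean a decommissioning that nobody updated in the inventory from requirement 1.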

3. Deny Communications with Known Malicious IP Addresses

Description: Deny