Today, I will be going over Control 9 from version 7 of the CIS top 20 Critical Security Controls – Limitation and Control of Network Ports, Protocols, and Services. I will go through the five requirements and offer my thoughts on what I’ve found.

Key Takeaways for Control 9

  • Reduce your attack surface. Most of Control 9 is about limiting the external attack surface of a system, which is always the first step in securing an endpoint.
  • Duplication with other controls. Everything done in Control 9 is also accomplished by completing other controls. I would probably leave this one for last, since that duplication makes it the least impactful of all the controls.

Requirement Listing for Control 9

1. Associate Active Ports, Services and Protocols to Asset Inventory

Description: Associate active ports, services, and protocols to the hardware assets in the asset inventory.

Notes: Use the same technology, or at least the same asset database, that you are using in Control 2 (specifically 2.5). A more advanced integration would tie the ports and protocols to the applications and then associate the applications with a business unit where possible. This also relates to Control 11.2, which asks you to associate the traffic configuration rules on the network with a business unit.

2. Ensure Only Approved Ports, Protocols and Services Are Running

Description: Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.

Notes: Create a baseline of what is listening on each system. Over time, comb through the results and make sure nothing is out of the ordinary. As you go through that process, new ports should trigger an investigation if they
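One way to implement the baseline check from requirement 2 together with the inventory association from requirement 1, as an added example that is not from the original post: the hostnames, the approved-port inventory, and the `ss -tulnp` output below are all constructed for illustration, and any listener the inventory does not approve is returned as a finding to investigate.

```python
import re

# Constructed asset inventory (hypothetical hosts): hostname -> approved
# (proto, port) pairs, each tied to the business unit that justified it.
APPROVED = {
    "web01": {("tcp", 22): "infra", ("tcp", 443): "ecommerce"},
    "db01": {("tcp", 22): "infra", ("tcp", 5432): "ecommerce"},
}

# Constructed `ss -tulnp` output for web01; the 8080 and 68 listeners are
# not in the inventory and are the findings this check should raise.
SAMPLE_WEB01 = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511          0.0.0.0:443        0.0.0.0:*     users:(("nginx",pid=1023,fd=6))
tcp   LISTEN 0      128                *:8080             *:*     users:(("java",pid=2201,fd=11))
udp   UNCONN 0      0            0.0.0.0:68         0.0.0.0:*     users:(("dhclient",pid=500,fd=6))
"""

# One ss row: Netid State Recv-Q Send-Q Local:Port Peer:Port [users:(("name",...))]
SS_LINE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+\S+:(?P<port>\d+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)

def parse_ss(output):
    """Return (proto, port, process) for every listening socket in ss output."""
    listeners = []
    for line in output.splitlines():
        m = SS_LINE.match(line.strip())
        if m:  # the header line and blank lines do not match
            listeners.append((m["proto"], int(m["port"]), m["proc"] or "unknown"))
    return listeners

def find_unapproved(host, output):
    """Listeners on host that the inventory does not approve; each one needs
    an owner assigned (9.1) or the service removed (9.2)."""
    approved = APPROVED.get(host, {})
    return sorted(
        (proto, port, proc)
        for proto, port, proc in parse_ss(output)
        if (proto, port) not in approved
    )

if __name__ == "__main__":
    for proto, port, proc in find_unapproved("web01", SAMPLE_WEB01):
        print(f"web01: investigate {proto}/{port} ({proc}) - not in approved inventory")
```

In practice the baseline snapshot would be collected per host on a schedule and diffed against the previous run as well as the inventory, so a port that was approved but silently disappears is noticed too.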