Cybersecurity Quarterly
Summer 2020
A Publication from the Center for Internet Security

Our New Guides to Mapping the CIS Controls to Common Industry Frameworks
A Preemptive Approach to Defending Against Data Breaches
Technology vs. Best Practice: Which Delivers the Most Bang for the Buck?
Why the Most Publicized Threats May Not Be the Ones Your Organization Should Focus On
Partners in Investigating Cybercrime: For years, CIS has made valuable contributions to the development of the Verizon Data Breach Investigations Report. For 2020, our industry expertise is even more ingrained in the must-read report.
Improve Your Security Posture with Training from SANS Institute
The Most Trusted Source for Information Security Training, Certification, and Research

SANS Institute partners with the Center for Internet Security to provide its top-rated information security training and awareness programs to State, Local, Tribal, and Territorial Government organizations at significantly reduced costs. Leverage this special partnership to ensure that your employees have the skills and experience necessary to protect your critical organization from cyber threats.

Program participants may purchase:
More than 40 hands-on courses, available OnDemand or live, online in the evenings via vLive.
Training and testing for staff of all levels on email, file storage, digital access, and general data security.

Special discounts are available during our summer purchase window, June 1 - July 31, 2020.
Contact partnership@sans.org, or visit www.sans.org/partnership/cis for more information.
Contents

Summer 2020, Volume 4, Issue 2. Founded MMXVII.
Editor-in-Chief: Michael Mineconzo
Supervising Editor: Laura MacGregor

Featured Articles
2020 DBIR Includes CIS Data & Mappings (page 8): This year brings a whole new level of collaboration between CIS and Verizon for the development of the annual report
Cutting Through the Fog: Attacks That Matter (page 12): Why it's sometimes best to take a hard look at the security threats that aren't always center stage
Cybersecurity Fire Power: When is Enough, Enough? (page 14): Finding the balance between buying the latest technology and focusing on industry best practices and recommendations
New Mappings for the CIS Controls (page 16): Our latest efforts to make implementing the Controls and conforming to your industry's regulations easier than ever

Quarterly Regulars
Quarterly Update with John Gilligan (page 4)
News Bits & Bytes (page 6)
Cyberside Chat (page 18)
ISAC Update (page 19)
Event Calendar (page 20)
Staff Contributors Sean Atkinson James Globe Paul Hoffman Phyllis Lee Aaron Piper Thomas Sager
Cybersecurity Quarterly is published and distributed in March, June, September, and December.
Copy Editors Danielle Koonce Autum Pylant
Copyright © 2020 Center for Internet Security. All rights reserved.
Published by Center for Internet Security 31 Tech Valley Drive East Greenbush, New York 12061 For questions or information concerning this publication, contact CIS at info@cisecurity.org or call 518.266.3460
Quarterly Update
with John Gilligan
Welcome to the Summer Issue of Cybersecurity Quarterly. Now fully entrenched in the "new normal" of COVID-19-based operations, most of us are accustomed to the rhythm of virtual operations and wearing facemasks. While many aspects of our physical environment have dramatically changed, the cybersecurity challenges that we face in our virtual environment remain a significant threat to our organizations and to our personal lives.

This issue focuses on cybersecurity breaches, as well as breach prevention. The pandemic has increased the use of online activities and, unfortunately, there has been a corresponding increase in cyber-attacks. Private and public organizations have expressed increasing concern about cybersecurity breaches, especially the significant rise in ransomware attacks that are disrupting operations. It is our intent with this issue to showcase activities and best practice approaches to help prevent cybersecurity breaches.

The CIS Controls, developed by our global community of volunteers, have become a widely accepted reference for foundational security controls. The recent designation of three Implementation Groups of the 171 Sub-Controls that comprise the CIS Controls has provided organizations with a prioritized approach to implementing the Controls. The starting point is basic cyber hygiene, deploying the Sub-Controls in Implementation Group 1 (IG1), with the potential of augmenting basic hygiene protections by adding the Sub-Controls identified in IG2 and then IG3.

Two articles in this issue describe recent developments regarding the CIS Controls. Verizon's most recent Data Breach Investigations Report (DBIR), which addresses breaches in 2019, now relates the breaches to those Controls that could have prevented them. One article describes how the 2020 DBIR makes positive use of the CIS Controls and the implications for broader awareness and acceptance of the Controls in preventing cyber breaches. A second article provides an update on recently completed mappings between the CIS Controls and the new Cybersecurity Maturity Model Certification (CMMC) developed by the Department of Defense and the updated Payment Card Industry (PCI) controls standard. This article highlights that, in both cases, the CIS Controls provide broad coverage of the standards and also the technical specificity that organizations will find helpful as they implement the PCI or CMMC standards.

An article from our colleagues at SANS addresses how to effectively defend against cyber-attacks. SANS proposes that improved collaboration and data sharing can help organizations be more effective in responding to less publicized, but still critical, cyber-attacks. NNT, a strong supporter of the CIS Controls, has provided an article that contrasts the respective costs and benefits of investing in the latest security technology with implementing industry best security practices. The article provides insights for organizations regarding how to be the most effective in preventing breaches. Finally, our own CISO, Sean Atkinson, addresses taking advantage of resiliency testing to help reduce data breaches.

I hope you enjoy this quarter's issue. Have a great "pandemic summer"!

Best Regards,

John M. Gilligan
President & Chief Executive Officer
Center for Internet Security
Detect Ransomware in Minutes
Notifications sent within 6 minutes of malicious activity*
Cost-effective solution: passive, fully managed intrusion detection system
Find out more at www.cisecurity.org
* Exclusive 24x7 Network Monitoring for State, Local, Tribal and Territorial Governments
News Bits & Bytes The SANS Summer Buy Window is officially open. Through our partnership with SANS, state, local, tribal, and territorial (SLTT) government organizations, as well as other related public organizations and nonprofits, can purchase industry-leading training programs and courses to expand their employees' cybersecurity skills and better protect their sensitive data at a drastically reduced price. Until July 31, eligible organizations can take advantage of extremely competitive group purchasing discounts of over 50% off the regular price of SANS training products. Learn more at https://www.sans.org/partnership/cis.
Usage of the CIS Hardened Images® on Google Cloud Platform (GCP) quadrupled in 2019, seeing an 82% increase from 2018 to 2019. In 2019, CIS Hardened Images consumers clocked more than seven million computed usage hours on GCP, up from a little over one million in the previous year. CIS Hardened Images are virtual machine images pre-configured to applicable CIS Benchmark recommendations. CIS Benchmarks and their corresponding Hardened Images are used by thousands of organizations for compliance support with DoD Cloud Computing SRG, FedRAMP, PCI DSS, NIST, and HIPAA standards. To learn more, read our press release on the accomplishment.
Cimcor is the latest vendor to be added to CIS CyberMarket®. Cimcor, the leader in next-generation file and system integrity monitoring software, will now be offering the top-ranked CimTrak Integrity Suite at a discounted rate to SLTT government organizations through CIS CyberMarket. CimTrak Integrity Suite, with certified CIS Benchmarks™, offers an easy and effective way to assess and monitor systems against CIS Benchmarks and to ensure that system configurations are in a hardened state and in a predictable state of integrity. Learn more at https://www.cisecurity.org/services/cis-cybermarket/software/cimcor/.
CIS is partnering with the U.S. Election Assistance Commission (EAC) to pilot a technology verification program focused on non-voting election technology including electronic poll books, election night reporting websites, and electronic ballot delivery systems. The program is entitled “Rapid Architecture-Based Election Technology Verification,” or RABET-V, and relies on a risk-based approach that allows rapid verification of manufacturers' security claims. To learn more, read our press release and our blog post on the pilot.
As a follow-up to the November 2019 release of Cyber Essentials, the Cybersecurity and Infrastructure Security Agency (CISA) released the first in a series of six Cyber Essentials Toolkits. This is a starting point for small businesses and government agencies to understand and address cybersecurity risk as they do other risks. CISA’s toolkits will provide greater detail, insight, and resources on each of the Cyber Essentials’ six “Essential Elements” of a Culture of Cyber Readiness. To learn more, visit https://www.cisa.gov/cyber-essentials.
The MS-ISAC and EI-ISAC® are partnering with the Center for Digital Government to conduct a survey of state and local government leaders to assess how prepared government agencies are to respond to a cyber incident in their jurisdiction and the possibility of assisting another jurisdiction. Completing the survey takes approximately 10 minutes, is entirely confidential, and provides valuable information to inform incident response resource development. Complete the survey at: https://surveys.erepublic.com/s3/Cybersecurity-IncidentResponse-Survey.
NNT SecureOps
Audit, configure and secure your entire IT network. NNT SecureOps combines the essential prescribed security controls with advanced threat prevention, detection, and intelligent change control technology.
Reduce audit workload and automate continuous compliance and CIS system hardening.
Ensure the essential security controls are in place, combined with the ability to validate the safety of all changes.
Achieve cost savings, maximize operations uptime, and prevent all forms of data breaches.
View the SecureOps demo on-demand at https://www.newnettechnologies.com
2020 Verizon DBIR Includes CIS Data & Mappings
CIS has worked with Verizon for many years to help develop the annual Data Breach Investigations Report. In 2020, we take our collaboration to a new level.
By Phyllis Lee and James Globe

The thirteenth Verizon Data Breach Investigations Report (DBIR) was released on May 19, 2020. Verizon may be best known for its leadership in telecoms, but it is also a leading provider of network cybersecurity services and solutions for organizations around the world. The DBIR is considered a must-read for both public and private organizations. The Center for Internet Security (CIS) contributed best practice expertise to the DBIR again in 2020.

Data-based, Inclusive Approach
Verizon's partner-oriented approach of sharing data, analyzing it, and sharing the results is perfectly consistent with the CIS "community-first" approach to cyber defense: shared problems require shared knowledge, leading to shared understanding and common solutions. CIS has been collaborating with Verizon and contributing to the DBIR since 2013. We're proud to have continued that participation for the 2020 report by providing expertise from our security best practice organization. For the last seven years, CIS has worked with Verizon to map the DBIR's summaries and patterns of attack to the CIS best practices, specifically the CIS Controls. This not only helps to improve the selection of Controls covered, but also helps translate attack information into positive, constructive action.
CIS Controls Section in the DBIR
For the first time, the 2020 Verizon DBIR integrated the CIS Controls throughout the report. For every sector, the DBIR lists relevant Controls under "Top Controls" to show which mitigations are most effective against the top attacks for that sector. Additionally, there is a section dedicated to the CIS Controls that details the percentage of CIS Controls mapped to Verizon attack patterns. This close alignment with the CIS Controls emphasizes the importance of basic cyber hygiene, or CIS Controls Implementation Group 1, in preventing or mitigating the top attacks detailed in the DBIR. Verizon also provides its mapping of the CIS Controls on the VERIS GitHub page at https://github.com/vz-risk/veris so that all organizations can leverage this mapping to improve their cybersecurity.
Ransomware and the Public Sector
The 2020 DBIR provides an annual analysis of security incidents and data breaches. The information and analysis are categorized by sector. Public sector organizations are key contributors to the report each year.

The report highlights that "the Public Administration sector is an illustration of what good partner visibility into an industry looks like. The bulk of our data in this vertical comes from partners inside the United States Federal Government who have a finger on the pulse of data breaches inside Public Administration."

The 2020 DBIR found that ransomware continues to be a top cyber-attack and that this type of attack disproportionately affects the public administration sector (60% of malware vs. 27% of malware in all sectors). Fortunately, it's possible to limit the success of ransomware attacks through good cyber hygiene and defensive strategies.

Ransomware Results from the Verizon DBIR
The DBIR contains results from an analysis of 157,525 cybersecurity incidents. Of the incidents analyzed, 3,950 were confirmed data breaches. Ransomware is the third most common malware breach variety and the second most common malware incident variety. A total of 16 industries were covered, including public administration, healthcare, and information. The report found:
60% of malware affecting public entities was ransomware
40% of breaches affecting public entities involved web-based applications
70% of breaches were perpetrated by external actors
55% of breaches were assessed to be directly linked to organized criminal actors
22% of breaches included social attacks

Defensive Strategies Against Ransomware
It's possible to limit the impact of ransomware by improving your organization's cyber hygiene. In fact, many of the safeguards covered in CIS Controls Implementation Group 1 support the basic cyber hygiene program that can limit the impact of ransomware attacks. The following three steps are a few core defensive measures your organization should consider implementing.

1. Patching and Updates
According to the DBIR, "unpatched vulnerabilities in your web application infrastructure may lead to them being found by someone with a set of tools to exploit them in an automated fashion. Keeping your infrastructure patches up to date is certainly a security best practice." Safeguards found in CIS Controls Implementation Group 1 confirm this recommendation:
CIS Sub-Control 3.4: Deploy Automated Operating System Patch Management Tools
CIS Sub-Control 3.5: Deploy Automated Software Patch Management Tools

Applying the latest updates and making sure all of your organization's operating systems, applications, and software are updated regularly will help close the security gaps that attackers are looking to exploit.
2. Backups (Maintain Offsite or Out-of-Band)
The MS-ISAC recommends recurring backups, as part of your organization's disaster recovery plan, as the single most effective way of limiting the impact of ransomware attacks and recovering from a ransomware infection. Backup files should be protected and stored separately, offsite or out-of-band from the source production files, so that an attacker who reaches production cannot also encrypt or delete the backups. Using cloud services can help mitigate a ransomware infection, as many retain previous versions of files, allowing you to roll back to an unencrypted version. For additional recommendations on preventing and limiting the impact of ransomware, view our previous blog post on the topic.

3. Leverage an Intrusion Detection System (IDS)
According to the DBIR, "at least one piece of ransomware was blocked by 18% of organizations through the year." Additionally, ransomware "presented a fairly good detection rate of 82% in simulated incident data." An IDS looks for malicious activity by comparing network traffic against signatures that describe known malicious activity. When ransomware strikes, it's important for your organization to be notified and to investigate quickly. According to data from CrowdStrike, a mature organization should take 10 minutes to investigate an intrusion; however, only 10% of organizations can meet this benchmark. Albert Network Monitoring is an IDS solution tailored to U.S. SLTT government organizations. The custom signature set utilized by Albert makes it very effective at detecting ransomware. Organizations using Albert that are affected by ransomware are typically notified within six minutes of malicious activity.
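The signature-and-behavior matching this section describes, as an added example in Python (it is not part of the article, of Albert, or of any CIS tooling). It runs two rules over connection records: a plain indicator match and a sliding-window rule that flags one internal host opening SMB to many distinct peers in a short time, the spread pattern of worm-style ransomware. It then measures how long it took to notify someone against the six-minute figure quoted above. The record format, the indicator address 198.51.100.66 (a TEST-NET address), the fan-out threshold and window, and the sample records are all constructed for this example.

```python
from collections import defaultdict, deque

# Constructed indicator list standing in for an IDS signature feed. 198.51.100.66
# is a TEST-NET address chosen for this example, not a real command-and-control host.
IOC_DESTINATIONS = {"198.51.100.66"}

# Behavioural rule: one internal host opening SMB (445/tcp) to this many distinct
# hosts inside the window is treated as worm-style ransomware spread. Both numbers
# are assumptions for the example, not values taken from Albert's signature set.
SMB_FANOUT = 10
SMB_WINDOW = 60.0          # seconds

# The six-minute notification figure quoted on the page, used as a target to check.
NOTIFY_TARGET = 6 * 60     # seconds


def parse(line):
    """Parse one constructed connection record: 'ts src sport dst dport proto'."""
    ts, src, sport, dst, dport, proto = line.split()
    return float(ts), src, int(sport), dst, int(dport), proto


def detect(lines):
    """Run both rules over the records; return a list of (ts, rule, src) alerts."""
    alerts = []
    smb_recent = defaultdict(deque)   # src -> (ts, dst) pairs seen within SMB_WINDOW
    already_fired = set()             # one fan-out alert per source host
    for line in lines:
        try:
            ts, src, _sport, dst, dport, proto = parse(line)
        except ValueError:
            continue                  # malformed record: skip it, never crash the sensor
        if dst in IOC_DESTINATIONS:
            alerts.append((ts, "ioc-c2-contact", src))
        if proto == "tcp" and dport == 445:
            window = smb_recent[src]
            window.append((ts, dst))
            while window and ts - window[0][0] > SMB_WINDOW:
                window.popleft()      # slide the window forward, dropping old entries
            distinct_targets = {d for _, d in window}
            if len(distinct_targets) >= SMB_FANOUT and src not in already_fired:
                already_fired.add(src)
                alerts.append((ts, "smb-fanout", src))
    return alerts


def time_to_notify(alerts, notified_at):
    """Seconds from the earliest alert to the notification; None if nothing fired."""
    if not alerts:
        return None
    return notified_at - min(ts for ts, _, _ in alerts)


def within_target(seconds, target=NOTIFY_TARGET):
    """True when the notification arrived inside the target window."""
    return seconds is not None and seconds <= target


# Constructed sample: a fast SMB sweep from 10.0.0.5 (12 hosts, 3 s apart), one
# benign HTTPS connection, one contact with the constructed indicator, and one
# malformed line.
SAMPLE_LOG = (
    [f"{1000 + 3 * i} 10.0.0.5 49152 10.0.0.{100 + i} 445 tcp" for i in range(12)]
    + ["1100 10.0.0.8 51000 10.0.0.200 443 tcp",
       "1200 10.0.0.7 52000 198.51.100.66 443 tcp",
       "not a connection record"]
)

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for ts, rule, src in found:
        print(f"{ts:.0f} {rule:<16} {src}")
    latency = time_to_notify(found, notified_at=1027.0 + 300)
    print("notified after", latency, "s; within target:", within_target(latency))
```

The fan-out rule fires on the tenth distinct SMB peer (at ts 1027 in the sample) rather than on the first, which is what keeps a single file-server connection from paging anyone; the same twelve connections spaced ten seconds apart never hold ten peers inside the sixty-second window and produce no alert, which is the trade-off every behavioural signature makes between noise and a slow, patient adversary.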
Takeaways from the DBIR
Ransomware threats continue to increase, especially for the public sector. Basic cyber hygiene is an effective strategy for limiting the success of ransomware attacks.

Phyllis Lee is the Senior Director for Controls at CIS. She has over 25 years of experience in information assurance and has performed vulnerability assessments, virtualization research, and worked in security automation. Prior to joining CIS, Lee worked at the National Security Agency (NSA) focusing on the intersection between malware and virtualization, which included collaboration with MIT Lincoln Labs. Lee also participated in a variety of security automation standardization efforts and led the security automation strategy for the NSA Information Assurance Directorate (IAD). She graduated from Johns Hopkins University with a Master of Science in computer science.

James Globe is the Vice President of Operations at CIS, where he leads multiple security operations divisions and serves as a resource for the continuing development and enhancement of processes and procedures related to day-to-day security operations. Globe has more than 20 years in technology leadership with extensive experience in engineering signal intelligence mission systems, workflow management systems, modeling and simulation systems, and web-based information portals for top tier banking and defense contracting organizations. He holds a B.S. in Computer Science & Mathematics from Georgia State University and an M.S. from Johns Hopkins University in Telecommunications & Security Engineering.
Cutting Through the Fog: Attacks that Matter
Too often, organizations concentrate too much on the most publicized security threats; sometimes, it's the threats that fly under the radar that pose the most risk.
By Johannes Ullrich

Alert fatigue is an all too common symptom of a larger problem: security teams don't have guidance to tell them what assets matter. The result is a team that chases from alert to alert like a police officer running from call to call, always late, with a lot of frustration on both sides. At the SANS Internet Storm Center, we've been collecting network security data for about 20 years now.¹ What we collect can often be described as the "background radiation" of the cold dark internet universe. So how is that useful, and how can this help you defend better? In some ways, you should not worry about our top 10 attackers or our blocklists. What you should worry about: attackers you see that we do not see in our database. Let me give you a few examples of how to apply this approach.
Internet Researchers
We are currently tracking about half a dozen different internet researchers that are persistently scanning the internet for exposed services. Some publish results more or less in real time, while others may take more liberty with the term "researcher" and actively send attacks. One reason to block researchers like this is to avoid listing vulnerable, exposed systems in public databases. This reasoning makes some sense, but research has shown that being listed in a database like Shodan does not significantly affect attack traffic.² Blocking these research scans, however, can reduce noise and make it easier to analyze the rest of the data. Research scans can make up 20-30% of unsolicited traffic.
Infected Systems
Probably the most substantial contribution to unsolicited inbound connections comes from systems that are compromised. The most notable example is the Mirai botnet and its variants. Mirai scans for systems with badly protected telnet and ssh servers. We are tracking tens of thousands of systems worldwide performing these scans. But currently, port 445/tcp is the most scanned port. Used for Windows file sharing, port 445 is certainly important, but scans blocked by a firewall are not the scans about which you should be worried. Similar scans look for mail servers (port 25/tcp, 587/tcp, and 465/tcp) and web servers (port 80/tcp and 443/tcp). Unsolicited traffic to these six ports accounts for a large part of all inbound blocked traffic recently.³

Using the DShield database behind the SANS Internet Storm Center, it is pretty easy to identify compromised hosts. For example, I am selecting a random IP address that just sent a packet that my firewall blocked while I was writing this article: 156.96.118.182. The respective ISC page for this IP address shows that this host has already scanned 49 other targets.⁴ I am not alone. In addition to simple port scans, DShield sensors detected 17 attempts to log in to ssh honeypots. The connections blocked by the firewall appear to all be hitting port 23/tcp and 2323/tcp, ports typically associated with telnet and the Mirai botnet. Visiting the web page at the IP address returns a default CentOS page, suggesting that this is an unconfigured host. Using Occam's razor, it is fair to assume that this host is not acting on behalf of a nation-state launching sophisticated attacks; instead, it's infected with some Mirai-like Linux malware scanning for additional weakly configured hosts.

¹ SANS Technology Institute, "SANS Internet Storm Center," 6 June 2001. [Online]. Available: https://isc.sans.edu. [Accessed 6 June 2020].
² A. Shori, "To Block or Not to Block? Impact And Analysis of Actively Blocking Shodan Scans," 25 August 2018. [Online]. Available: https://www.sans.org/reading-room/whitepapers/networksecurity/block-block-impact-analysis-actively-blocking-shodan-scans-38645 [Accessed 8 June 2020].
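The triage just walked through by hand, as an added example in Python (not from the ISC, DShield, or the author). It parses firewall DROP records, asks a stand-in for the shared database what it knows about each source, and sets aside known researchers and widely seen scanners of the six noisy ports, so that what is left is exactly the sources nobody else sees that are probing something non-generic. The record format, the source addresses (TEST-NET ranges), the reference dictionary, and the "widely seen" threshold are all constructed for the example; a live version would look each source up through the ISC API at https://isc.sans.edu/api/ instead of the dictionary.

```python
import re
from collections import defaultdict

# The six ports the article names as dominating unsolicited inbound traffic
# (Mirai telnet, SMB, mail, web). A blocked hit on one of these is background noise.
NOISY_PORTS = {23, 2323, 445, 25, 587, 465, 80, 443}

# How many other sensors must have reported a source before we treat it as a
# known, widely seen scanner. The threshold is an assumption for this example.
WIDELY_SEEN = 10

# Constructed firewall DROP record format; adjust the regex for your own logs.
LINE_RE = re.compile(
    r"(?P<ts>\S+) DROP src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dpt=(?P<dpt>\d+)"
)


def parse_line(line):
    """Parse one DROP record; return None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"])}


def triage(log_lines, shared_db):
    """Classify every blocked source as researcher, commodity, or investigate.

    shared_db stands in for a DShield-style lookup and maps a source IP to
    {"targets": <number of sensors that reported it>, "researcher": <bool>}.
    Sources absent from shared_db are the ones "we do not see in our database".
    """
    ports_by_src = defaultdict(set)
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # unparseable line, ignore it
        ports_by_src[rec["src"]].add(rec["dpt"])

    verdicts = {}
    for src, ports in ports_by_src.items():
        info = shared_db.get(src)
        if info and info.get("researcher"):
            verdicts[src] = "researcher"   # known scanner project: filter, don't chase
        elif info and info.get("targets", 0) >= WIDELY_SEEN:
            verdicts[src] = "commodity"    # the rest of the internet sees it too
        elif ports <= NOISY_PORTS:
            verdicts[src] = "commodity"    # only the usual bot ports, blocked anyway
        else:
            verdicts[src] = "investigate"  # nobody else sees it, and it probes
                                           # something specific to you: the quiet patient
    return verdicts


def worth_a_look(verdicts):
    """The sources a human should spend time on, in a stable order."""
    return sorted(src for src, v in verdicts.items() if v == "investigate")


# Constructed sample log and reference data (TEST-NET addresses throughout).
SAMPLE_LOG = """\
2020-06-06T10:00:01Z DROP src=198.51.100.7 dst=203.0.113.10 proto=tcp dpt=23
2020-06-06T10:00:03Z DROP src=198.51.100.7 dst=203.0.113.10 proto=tcp dpt=2323
2020-06-06T10:00:09Z DROP src=198.51.100.9 dst=203.0.113.10 proto=tcp dpt=8080
2020-06-06T10:00:12Z DROP src=198.51.100.20 dst=203.0.113.10 proto=tcp dpt=445
2020-06-06T10:01:30Z DROP src=192.0.2.44 dst=203.0.113.10 proto=tcp dpt=3389
2020-06-06T10:01:31Z DROP src=192.0.2.44 dst=203.0.113.10 proto=tcp dpt=8443
2020-06-06T10:01:33Z DROP src=192.0.2.44 dst=203.0.113.11 proto=tcp dpt=3389
garbage line that should be ignored
""".splitlines()

SAMPLE_DB = {
    "198.51.100.7": {"targets": 49, "researcher": False},    # Mirai-style scanner
    "198.51.100.9": {"targets": 1200, "researcher": True},   # research project
}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG, SAMPLE_DB)
    for src, verdict in sorted(result.items()):
        print(f"{src:<16} {verdict}")
    print("investigate first:", worth_a_look(result))
```

Only 192.0.2.44 survives the filter: it is absent from the shared data and is probing RDP and an alternate HTTPS port on two of your hosts, which is the profile the article tells you to look for. The other three sources are the fog. Note that a source that is in the shared data with only a handful of reports and hitting unusual ports still lands in "investigate", which is deliberate: the shared database is context, not a block list.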
How Does This Help Me?
First of all, using collaborative automated data collection systems like DShield and the SANS Internet Storm Center makes it easy and fast to process the vast majority of automated attacks, whether from researchers or from systems infected with common malware. Second, DShield is only as good as the data it receives. Setting up a sensor and collaborating is trivial and requires minimal resources. The return in network security, and the efficiency gained in understanding and eliminating random attacks and in highlighting more targeted attacks, is immense.

Even if you do not participate, however, the old rule of medical triage still applies to network security: it is not the noisy patient you need to look out for, but the silent one. You will only see these quiet, critical patients in your logs if you manage to cut through the fog produced by researchers and bots. Collaboration and data sharing will not just help identify the tactics, techniques, and procedures of the attacks that matter. It will help you recognize everything that doesn't matter as well. Data from collaborative systems like DShield is not to be confused with a block list, but it adds context to your logs that will help you better understand the possible motivation of an attack.

³ SANS Technology Institute, "Port Data." [Online]. Available: https://isc.sans.edu/port.html. [Accessed 8 June 2020].
⁴ SANS Internet Storm Center, "IP Summary for 156.96.118.182." [Online]. Available: https://isc.sans.edu/ipinfo.html?ip=156.96.118.182. [Accessed 6 June 2020].

Johannes Ullrich is currently responsible for the SANS Internet Storm Center (ISC) and the GIAC Gold program. In 2000, he founded DShield.org, which is now the data collection engine behind the ISC. His work with the ISC has been widely recognized, and in 2004, Network World named him one of the 50 most powerful people in the networking industry. Prior to working for SANS, Ullrich worked as a lead support engineer for a web development company and as a research physicist. He holds a PhD in physics from SUNY Albany. Ullrich's daily podcast summarizes current security news in a concise format.
Cybersecurity Firepower: When is Enough, Enough?
Equipping your security team with the latest and greatest technology is great, but would your resources be better spent implementing industry best practices?
By Mark Kedgley

As a vendor, you might expect us to say that one can never have enough new cybersecurity technology, so please keep buying. Cynicism aside, the headlines tell us that most organizations don't have nearly enough protection. While the numbers vary by industry, and major incidents such as Travelex can skew the statistics, the fact remains the same: breaches continue to be a major problem. Many IT professionals are being caught out, often with business-threatening consequences. Ask the analysts what the solution is and, with flashy market research like the Gartner Magic Quadrants and others being their main currency, the takeaway is generally that the newest and latest innovation is where to look. Vendors also find that it's easier to get a buyer's attention with fresh messaging for new products. The conclusion seems to be that cybersecurity is an arms race between the hackers and corporate IT; the side with more expensive technological firepower will prevail. This is at odds with what military history tells us. Be it the Napoleonic or German invasions of Russia, the Vietnam War, or even Pearl Harbor, simply having more troops and superior weaponry isn't necessarily enough to guarantee dominance.

So, when anyone asks "How much should we spend on cybersecurity?" it's an even more difficult question to answer than most may think. Industry figures range from "10% of the IT budget," to "0.5% of company revenue," to "$2K per employee." Even with a budget to invest, many organizations simply don't know what their priorities are; they are blurred by vendor and analyst affinity for the newest technological advances. But there is a pragmatic way to identify what's right for your situation and then budget around it. For most long journeys, the first step is the hardest; but here, it's simple, and free! The CIS Controls, now in Version 7.1, are a relatively short list of high-priority, highly effective defensive actions that provide a "must-do, do-first" starting point for every enterprise seeking to improve its cyber defense. Developed and refined by a global community of cybersecurity professionals, these expert volunteers apply their first-hand experience to develop the most effective actions for cyber defense and breach prevention. The latest version of the CIS Controls is prioritized into three Implementation Groups (IGs), with each step building on the previous one, gradually adding more CIS Sub-Controls and providing a tailored approach for organizations based on their level of available resources and cybersecurity expertise.
This strategy, focusing on the biggest "bang for the buck" security recommendations before moving on to more technically advanced, but still necessary, Sub-Controls, provides a simple and accessible way to help organizations of different maturity levels focus their scarce security resources, and still leverage the value of the CIS Controls to prevent security threats. It's similar in concept to the U.S. Department of Defense (DoD) Cybersecurity Maturity Model Certification program (CMMC), which breaks the NIST 800-171 framework into five incremental groups of controls. The aim is to encourage DoD suppliers to prove their level of cybersecurity maturity by demonstrating compliance with the CMMC. By providing five breakpoints of increasing coverage of NIST 800-171, it eases, and therefore increases, adoption. For example, CMMC Level 1 only covers 17 controls, while IG1 for the CIS Controls mandates just 43 of the 171 Sub-Controls.

Why would it ever be acceptable to run just some security controls and not all of them? Of course, more is better, but research in the Verizon Data Breach Investigations Report (DBIR) shows that security recommendations contained in Implementation Group 1 (IG1) of the CIS Controls are effective in preventing or mitigating the top 4 attacks outlined in the DBIR. As a risk management approach, IG1 is an effective way to get the maximum threat mitigation from the fewest moves.

Where does this leave the question about budget and how much cybersecurity investment is required? Using the CMMC or IG as stepping stones, it becomes more straightforward to run a gap analysis between the respective security recommendations and your current security capabilities.
You may well end up compiling a shopping list of technology to buy, either to fill gaps or to improve what you already have, but it will help you prioritize the essential over the “nice to have.” However, as in all those seemingly one-sided wars, anyone can have more guns than the other guy, but without enough ammo, or indeed the right tactics, victory is far from assured.
NNT SecureOps delivers the evolution of IT service management (ITSM) into a modernized and security-aware version: change control. By integrating IT operations with key security controls, NNT SecureOps helps automate the implementation of the CIS Controls.

Change control is a central foundation of all controls frameworks. Controls must be operated continuously, with baseline states and detection of drift reported, be it device and software inventory, patch levels, configuration states, firewall rules, network ports, and so on. Change control is not just planning and approving changes, but validating and verifying them to maintain a minimized attack surface. When executed well, the aligned security control of breach detection without false positives becomes real. By eliminating change noise, unexpected change is exposed, including any subtle indicators of compromise that need laser focus.

So, by all means, keep spending on new tools, but make sure you do so in line with the priorities of your adopted controls framework, and of course, that it is all underpinned by change control. Cybersecurity is going to be a tough war, even with the best weapons and tactics.

To learn more about how NNT SecureOps aligns and automates the delivery of the CIS Controls, please download our Essential Guide to the CIS Controls, or to see NNT SecureOps in action, please view our Demo On-Demand.

Mark Kedgley is CTO at New Net Technologies (NNT) where he is responsible for driving ongoing product development. His primary objective is to continually push NNT's data security and compliance solutions to protect their customers' sensitive data against security threats and network breaches in the most efficient and cost-effective manner, whilst being easier to use than anything else out there in the market. Kedgley has been CTO at NNT since 2009 and has over 20 years' experience in IT business development and sales. Kedgley combines a visionary yet pragmatic approach to IT: combining not just the ability to analyze business issues and scope technological solutions to address needs, but also to deliver product that is both fit-for-purpose and future-proof.
New Mappings for the CIS Controls

One of the ways CIS ensures that as many organizations as possible can implement the CIS Controls is by mapping how they correlate to the most common industry regulations.

By Thomas Sager and Aaron Piper

At CIS, we believe in collaboration: by working together, we find real solutions for real cybersecurity threats. Our cybersecurity best practices grow more integrated every day through discussions taking place in our global communities in order to better assist organizations who are working towards compliance. We are in a multi-framework era where organizations large and small, public and private, are tasked with complying with multiple cybersecurity policy, regulatory, and legal frameworks. From the organizational policies and workflows laid out in the CIS Controls to the most detailed configuration checks in a CIS Benchmark, our resources are developed to work well as stand-alone resources or as companions to additional frameworks.
CIS Controls are Now Mapped to the Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing cybersecurity across the defense industrial base that will soon be a minimum requirement to be eligible for U.S. Department of Defense (DoD) contract awards. CMMC is a tiered approach to audit contractor compliance to NIST SP 800-171r2 based on five different levels of maturity.
The CIS Controls and Sub-Controls are mapped to each CMMC level as a tool for organizations to help with meeting the CMMC requirements. Additionally, each Sub-Control is mapped to our Implementation Group methodology to help organizations implement CMMC based on their resources and cybersecurity expertise. We have found that the majority of cyber breaches occur when basic security controls have not been implemented and managed. In fact, Implementation Group 1 of the CIS Controls is effective against the top 4 attacks as described in Verizon's Data Breach Investigations Report, and ransomware. The mapping of the CIS Controls to the CMMC is available for download from CIS Workbench, as well as from our website.
CIS Controls Draft Mapping to PCI DSS

The Payment Card Industry Security Standards Council (PCI SSC) leads the path to increasing payment integrity by providing data security standards and programs that can help businesses detect, mitigate, and prevent cyber-attacks. PCI DSS has been around since 2004. It was initially launched to help prevent credit card fraud. Today, there are 29 PCI Board of Advisors members, including our Senior Vice President of CIS Benchmarks, Kathleen Patentreger. Together, the Board of Advisors represent a global team of strategic partners who are dedicated to securing payment data. Each member of the board brings industry, geographical, and technical insight to PCI SSC initiatives.
PCI DSS provides a comprehensive set of requirements to secure payment account data worldwide. CIS's security best practices are recognized and referenced as a key foundational piece of a PCI-compliant cyber defense program. Specifically, the CIS Benchmarks are referenced by PCI DSS Requirement 2 for security. Combined with the CIS Controls, the CIS Benchmarks can help with multiple aspects of PCI compliance, including firewall and router configurations, patch management, access control, and change control. This means organizations can use the CIS Controls and CIS Benchmarks to help achieve PCI compliance.
As part of our mission, CIS continues to work with PCI to provide best practice guidance for securing IT systems in the finance industry and more. The CIS Controls team is working diligently on the mapping of the CIS Controls to PCI DSS and we'd love your feedback! Help us improve our draft by sharing your thoughts. Visit CIS Workbench to download the new Mapping of the CIS Controls to PCI DSS requirements.

Using CIS CSAT to Track Your Cyber Defense Program

The CIS Controls Self Assessment Tool (CSAT) is a companion tool that helps IT security teams track their implementation of every CIS Control and Sub-Control. Your organization can collaborate across teams with a built-in workflow to answer a set of questions based on your selected Implementation Group. These answers are used to generate an overall score that shows how well your organization has implemented the CIS Controls. This web-based application enables users to track documentation, implementation, automation, and reporting. CIS CSAT can create a report at any point during an assessment to see the progress an organization has made.
How a Community Helps the Development Process

We gathered feedback from the CIS CSAT Feedback Community to determine which changes were most important to users as we created the new CIS Controls Self Assessment Tool v1.3.0 update. This release includes new features to make the tool easier to use, as well as some bug fixes.

Thomas Sager is an Associate Cybersecurity Engineer for CIS. In this role, he is dubbed the team cryptographer for mapping of the CMMC and PCI frameworks to the CIS Controls. Sager is also working on the Controls Assessment Specification to provide a common understanding of what should be measured in order to verify that CIS Sub-Controls are properly implemented. Prior to joining CIS, Sager was a commercial security consultant under a federal contractor.

Aaron Piper is a Senior Controls Content Development Lead at the Center for Internet Security (CIS) for the organization's Security Best Practices Group. He is mainly focused on the automation of our CIS Controls Self Assessment Tool. Prior to CIS, Piper worked at the National Security Agency (NSA) for about 10 years.
Cyberside Chat

This Quarter's Topic: Data Breaches and Preemptive Attacking Strategies

by Sean Atkinson, Chief Information Security Officer, CIS

The media is populated with news stories of data being breached from various companies, more often than not targeting our personal data. Given this data is a sought-after commodity, protection of data and management of privacy controls should be deemed high priority for organizations. There are many approaches to managing and addressing an organization's resiliency to such attacks. Traditionally, our defensive posture has been to control access, perform vulnerability scans, and to penetrate systems and networks with internal and/or external assistance. All of these methods have merit, but the next iteration to the process comes in the form of cybersecurity chaos engineering.

The idea first came to my attention with respect to work done at Netflix and the methods they used to test their systems if a failure were to occur. For example: if a storage volume was suddenly unavailable, what would happen? The question is answered through experiencing the issue firsthand. Test and see: as these methods are employed against production systems, there is a possibility of catastrophic failure when appropriate controls are not in place. Whether performed intentionally by the organization or as a result of an adversary, the "who" becomes inconsequential when services are not being delivered to stakeholders.

It is a difficult question to answer without underlying experiences. The premise is that the redundancy we have installed and configured would either mitigate the threat or would provide elements to make restoration quicker in the event of a disaster, attack, or mistake. Given our need to find auditable artifacts of control, a simulated disaster, attack, or mistake would be beneficial, as it provides an account of the event, the ability to recover or resist the disruption, and even lessons learned.

I have long been an advocate for managing the approach to security as a red team versus blue team proposition. My own perspective is that this should not be an annual penetration test, but done on an ongoing and proactive basis within an organization. This approach should be relative to the organization's size and the underlying complexity of managing such an approach. If the opportunity to perform such activity presents itself and the capability is available, I do believe that a planned approach to resiliency testing and engineering cybersecurity attack methods have great benefits for any organization.

If the underlying ability to defend is the ultimate challenge, then the ultimate goal is to test your abilities more often to determine the skill, capability, and strength of the control infrastructure within an organization. The simple quote below echoes the need to practice and improve.

"All skills are perfected through the process of failure. Embrace loss as a necessary part of improvement." – Jerry Lynch, sports psychologist

No system is 100% secure and it takes time and knowledge to understand the limitations of systems and services in order to manage the strengths and weaknesses of defense. Using chaos engineering enables an organization to build the skills and understand how the underlying infrastructure will react to adverse conditions and situations. Practicing these skills will identify the failures or weaknesses, allowing an organization to shift attention to addressing the identified risks through internal resiliency assessments. Learn more about chaos engineering in our blog or in this thorough overview article from JAXenter.
ISAC Update

Continued Membership Growth and New Initiatives for the MS-ISAC and EI-ISAC

Like many organizations across the country, current events over the past few months have also affected membership growth at the ISACs. The impact of COVID-19 and its corresponding effects are reflected in the temporary decrease in membership growth being experienced by the MS-ISAC and EI-ISAC. The second quarter of 2020 saw slower than average growth in our ranks, a trend we expect to reverse as restrictions are lifted, state, local, tribal, and territorial governments begin to resume normal operations, and the country takes its first steps toward normalcy. We still hold the distinction of being the largest ISAC focusing exclusively on the SLTT community, as measured by our over 9,300 members.

The ISACs are currently working on a new statewide initiative to enroll all 80+ counties in the State of Michigan for MS-ISAC and EI-ISAC membership. We expect that these types of recruitment drives will help us eventually achieve our goal of 100% county coverage across all 50 states.

In other news, judging for the annual Kids Safe Online Poster Contest has concluded and the MS-ISAC is proud to announce that the first prize winner for 2020 is Richelle, a third-grade student from Arizona. Her winning artwork will be featured on the cover of our 2021 cybersecurity awareness calendar, which we'll release in October as part of National Cybersecurity Awareness Month at https://www.cisecurity.org/ms-isac/ms-isac-toolkit/. Congratulations to Richelle and all Poster Contest winners!

Thank you to all of our current members for your efforts on our behalf and for touting the benefits of membership to your SLTT brethren. We are stronger and more connected than ever before!
New Malicious Domain Blocking and Reporting (MDBR) Service to Launch

The Malicious Domain Blocking and Reporting (MDBR) service is a new, no-cost service available for U.S. State, Local, Tribal, and Territorial (SLTT) government members of the MS-ISAC and EI-ISAC, made available in partnership with the Cybersecurity and Infrastructure Security Agency (CISA) and Akamai. This service provides an additional layer of cybersecurity protection that is proven, effective, and easy to deploy. MDBR technology prevents IT systems from connecting to harmful web domains, helping limit infections related to known malware, ransomware, phishing, and other cyber threats. This capability can block the vast majority of ransomware infections just by preventing the initial outreach to a ransomware delivery domain.

MDBR proactively blocks network traffic from an organization to known harmful web domains, helping protect IT systems against cybersecurity threats. Once an organization points its domain name system (DNS) requests to Akamai's DNS server IP addresses, every DNS lookup will be compared against a list of known and suspected malicious domains. Attempts to access known malicious domains such as those associated with malware, phishing, and ransomware, among other threats, will be blocked and logged. CIS will then provide reporting that includes log information for all blocked requests and assist in remediation if needed. The service is easy to implement and requires virtually no maintenance as CIS and the DNS vendor fully maintain the systems required to provide the service.

Existing MS- and EI-ISAC members can sign up for no-cost MDBR by registering on the CIS website. Learn more at https://www.cisecurity.org/ms-isac/services/mdbr.
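As an added illustration (not code from the MDBR service, CIS, or Akamai), the policy decision a filtering resolver makes for each lookup: compare the queried name and each of its parent domains against a blocklist, block and log the hits, and summarize blocked requests per client and threat category for reporting. The blocklist, client addresses, and query log below are constructed for the example.

```python
"""Toy model of a protective-DNS (MDBR-style) block-and-report policy.

Constructed example: the blocklist, client addresses and query log are
invented for illustration and are not real indicators.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed blocklist: listed domain -> threat category. A real service
# compares each lookup against a vendor-maintained list of known and
# suspected malicious domains; these .test names are placeholders.
BLOCKLIST: Dict[str, str] = {
    "malware-example.test": "malware",
    "phish-example.test": "phishing",
    "ransom-example.test": "ransomware",
}


def normalize(name: str) -> str:
    """Canonicalize a DNS name: strip whitespace and trailing dot, lowercase."""
    return name.strip().rstrip(".").lower()


def match_blocklist(name: str, blocklist: Dict[str, str] = BLOCKLIST) -> Optional[Tuple[str, str]]:
    """Return (listed_domain, category) if name or any parent domain is listed.

    Walking the parent labels means cdn.malware-example.test is caught by the
    entry for malware-example.test, while notmalware-example.test is not,
    because matching is label-wise rather than a substring test.
    """
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate, blocklist[candidate]
    return None


@dataclass
class Verdict:
    client: str
    qname: str
    action: str  # "allow" or "block"
    listed: Optional[str] = None
    category: Optional[str] = None


def resolve_policy(client: str, qname: str) -> Verdict:
    """Decide allow/block for one lookup the way a filtering resolver would."""
    hit = match_blocklist(qname)
    if hit is None:
        return Verdict(client, normalize(qname), "allow")
    listed, category = hit
    return Verdict(client, normalize(qname), "block", listed, category)


def process_queries(queries: List[Tuple[str, str]]) -> List[Verdict]:
    """Apply the policy to a sequence of (client, queried name) pairs."""
    return [resolve_policy(client, qname) for client, qname in queries]


def blocked_report(verdicts: List[Verdict]) -> Dict[str, object]:
    """Summarize blocked lookups per client and per category: the kind of
    log-derived report a member would use to find hosts needing remediation."""
    per_client: Dict[str, Counter] = defaultdict(Counter)
    per_category: Counter = Counter()
    for v in verdicts:
        if v.action == "block":
            per_client[v.client][v.listed] += 1
            per_category[v.category] += 1
    return {
        "blocked": sum(per_category.values()),
        "allowed": sum(1 for v in verdicts if v.action == "allow"),
        "per_client": {c: dict(cnt) for c, cnt in per_client.items()},
        "per_category": dict(per_category),
    }


# Constructed query log: (client address, queried name).
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.org"),
    ("10.0.0.5", "cdn.Malware-Example.test."),
    ("10.0.0.9", "phish-example.test"),
    ("10.0.0.9", "notmalware-example.test"),
    ("10.0.0.9", "ransom-example.test"),
]

if __name__ == "__main__":
    verdicts = process_queries(SAMPLE_QUERIES)
    for v in verdicts:
        print(v)
    print(blocked_report(verdicts))
```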
Upcoming Events

July

July 10: SANS will be hosting a webinar on The State of Security Awareness in State and Local Government and Higher Education. The panel discussion, led by SANS Security Awareness expert Lance Spitzner, will have participants from state and local government and higher education discuss the changing landscape of security awareness within their organizations and what is on the horizon for their programs. More information can be found at https://www.sans.org/webcasts/115600.

July 14: Google Cloud Next '20 OnAir will begin its nine week run of fully digital events, bringing the best of Google Cloud technology to attendees online through curated content on demand, every Tuesday. The online series will be a much-needed opportunity to connect, collaborate, and get inspired as a community to solve the most important challenges facing business today. CIS will be a sponsor of the event series and have a number of resources related to our CIS Hardened Images for Google Cloud Platform available online for attendees. Learn more at https://cloud.withgoogle.com/next/sf

July 20: The National Association of Counties (NACo) will be holding their virtual NACo Annual Business Meeting. County elected and appointed officials from across the country will come together to shape NACo's federal policy agenda, elect some of the organization's new leaders and officers, and conduct other association business. Registration is free for all NACo members at https://www.naco.org/events/nacos-2020-annual-business-meeting

July 28: Cyber Security Summit: Tampa will take place, bringing together executives, business leaders, and cybersecurity professionals virtually to learn about the latest cyber threats. In addition to speakers from the FBI, U.S. Secret Service, and CISA, CIS CISO Sean Atkinson will be a featured speaker at the online event, leading a panel of experts on a discussion covering insider threats. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details.

July 28 – 30: The Alliance for Innovation will hold its Transforming Local Government (TLG) Conference. The virtual event will bring together local government leaders from across the country to learn from industry experts and their peers how to identify and deploy the best practices, tools, and technologies for transforming local government. Learn more at https://www.transformgov.org/tlg2020/.

August

August 13: Cyber Security Summit: Charlotte will take place, bringing together executives, business leaders, and cybersecurity professionals virtually to learn about the latest cyber threats. The event will feature speakers from a number of leading cybersecurity companies and a closing keynote from CISA. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details.

August 20: Cyber Security Summit: Philadelphia will take place, bringing together executives, business leaders, and cybersecurity professionals virtually to learn about the latest cyber threats. The event will feature speakers from a number of leading cybersecurity companies and keynotes from the U.S. Department of Justice and CISA. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details.

August 23 – 26: GMIS International will virtually hold its GMIS MEETS 2020 conference. The online event will bring together public technology leaders and professionals to network and learn the latest updates in the industry from leading experts. Learn more about the online event at https://www.gmis.org/page/2020gmis_meets.

August 27: Cyber Security Summit: Dallas will take place, bringing together executives, business leaders, and cybersecurity professionals to learn about the latest cyber threats. The event will feature speakers from a number of leading cybersecurity companies and keynotes from the U.S. Department of Justice and CISA. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details.

September

September 1: Cyber Security Summit: Chicago will take place, bringing together executives, business leaders, and cybersecurity professionals virtually to learn about the latest cyber threats. The event will feature speakers from a number of leading cybersecurity companies and keynotes from the U.S. Department of Justice and CISA. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details.

September 10: Cyber Security Summit: Denver will take place, bringing together executives, business leaders, and cybersecurity professionals to learn about the latest cyber threats. The event will feature speakers from a number of leading cybersecurity companies, as well as experts from the U.S. Department of Justice, the Federal Bureau of Investigation, and CISA. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details.

September 15 – 17: The Payment Card Industry Security Standards Council (PCI SSC) will host its 2020 PCI DSS North America Community Meeting virtually. The event will bring payment and financial security leaders and professionals from all over North America together to learn about the latest updates and current threats in their industry. Learn more about the event at https://events.pcisecuritystandards.org/.

September 21 – 25: Microsoft Ignite will take place as a complimentary digital event experience. Join cloud leaders and professionals from around the world to learn innovative ways to build solutions, migrate and manage your infrastructure, and connect with Microsoft experts and other technology leaders from around the globe. Learn more about the event at https://www.microsoft.com/en-us/ignite.

September 21 – 24: Oracle OpenWorld is planned to take place at Caesars Forum in Las Vegas. The event will bring together Oracle customers and partners from around the world to learn about the latest products and attend learning sessions and keynote addresses for business owners, IT managers, and other business decision-makers. Note: Oracle is monitoring the evolving COVID-19 outbreak, evaluating, and making necessary changes to its in-person events. Should guidance from public health authorities or local jurisdictions cause reevaluation of the event programming, updates will be provided as soon as possible.

September 23: Cyber Security Summit: DC Metro will take place, bringing together executives, business leaders, and cybersecurity professionals to learn about the latest cyber threats. The event will feature speakers from a number of leading cybersecurity companies and keynotes from the U.S. Department of Justice and CISA. Through our partnership, SLTT institutions can receive free admission to the event. Contact the CIS CyberMarket team for more details.
Copyright © 2020 Center for Internet Security, All rights reserved.

CIS CyberMarket

Interested in being a contributor? Please contact us:
info@cisalliance.org
www.cisecurity.org
518.880.0699