Critical Security Controls are an essential resource for anyone wishing to approach cybersecurity at the enterprise level and are the basis of AgID Circular 2/2017. Few people are familiar with this resource, so it is a good idea to delve deeper into the subject.
Preliminary considerations
This article is the first in a series that will examine CSC 8 in more detail; the topic is too broad for a single article to cover effectively.
AgID Circular 2/2017 contains the ‘Minimum ICT Security Measures for Public Administrations’ and has been a regulatory obligation since 31/12/2017. At the time of drafting these minimum measures, reference was made to three resources:
- Directive 1 August 2015: Directive of the President of the Council of Ministers 1 August 2015.
- SANS 20: CIS Critical Security Controls for Effective Cyber Defence – version 6.0 of October 2015
- La Sapienza – 2015 Italian Cyber Security Report by CIS
These are the three documents cited in Circular 2/2017, and it is no coincidence that the second of them is the Critical Security Controls, which were at version 6 at the time. Pages 67-68 of the Official Gazette read:
The decision to take as a starting point the set of controls known as SANS 20, now published by the Center for Internet Security as CCSC ‘CIS Critical Security Controls for Effective Cyber Defence’ in version 6.0 of October 2015, is justified not only by its wide dissemination and practical use, but also by the fact that it was created with a particular sensitivity to the various costs that the implementation of a security measure requires, and the benefits it can offer. The list of the twenty controls into which it is divided, normally referred to as Critical Security Controls (CSC), is ordered on the basis of their impact on the security of the systems, so that each control precedes all those whose implementation raises the level of security to a lesser degree. It is a common belief that the first five controls are those that are indispensable to ensure the minimum level of protection in most situations, and it is from these that we started to establish the minimum security measures for the Italian public administration, bearing in mind the enormous differences in size, mandate, types of information managed, exposure to risk, and whatever else characterises the more than twenty thousand public administrations.
Critical Security Control 8
Version 8 of the Critical Security Controls was published in May 2021. It consolidates the earlier twenty controls into 18 Controls, broken down into 153 individual recommendations that v8 calls Safeguards (the term used for them in earlier versions was Sub-Controls). For some time there has been debate over whether to update AgID Circular 2/2017 to CSC 8, subject to AgID ‘adapting’ it to the reality of the Italian public administration. These controls are still little known, however, so it is worth learning more about them.
The principles behind the controls
Officially, the CIS Controls are built around a set of well-defined design principles, which are worth examining:
- The attacker informs the defence. CIS Controls are selected, dropped and prioritised based on data and specific knowledge of attacker behaviour and of how to stop it.
- Focus. Help defenders identify the most important elements they need to stop the most important attacks. Avoid being tempted to solve every security problem, avoid adding ‘good things to do’ or ‘things you could do’.
- Feasibility. All individual recommendations (Safeguards) must be specific and practically implementable.
- Measurability. All CIS Controls, especially for Implementation Group 1, must be measurable. Simplify or eliminate language ambiguities to avoid inconsistent interpretations. Some safeguards may have a threshold.
- Alignment. Create and demonstrate ‘peaceful coexistence’ with other regulations, administrations, management processes, frameworks and structures. Cooperate by pointing to other security standards and recommendations where they exist, e.g. the National Institute of Standards and Technology (NIST®), the Cloud Security Alliance (CSA), the Software Assurance Forum for Excellence in Code (SAFECode), MITRE ATT&CK, and the Open Web Application Security Project® (OWASP®).
Each Safeguard is also tagged with one of the five security functions of the NIST Cybersecurity Framework, so that the control set as a whole covers the full defensive lifecycle: Identify, Protect, Detect, Respond and Recover.
List of Controls and Description
Below is a list of the 18 Controls, each with a descriptive extract. The numbering is the one used in v8, and is referred to by the Controls themselves (for example, Control 6 builds on Control 5).
- CSC 1, Inventory and control of enterprise assets: actively manage (inventory, track and correct) all enterprise assets (end-user devices, including mobile and portable devices; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually or remotely, and those in cloud environments, in order to know precisely the full set of assets that must be monitored and protected. An enterprise cannot defend what it does not know it has. Managed control of all enterprise assets also plays a key role in security monitoring, incident response, and system backup and recovery.
- CSC 2, Inventory and control of software assets: actively manage (inventory, track and correct) all software (operating systems and applications) on the network, so that only authorised software can be installed and executed, and so that unauthorised and unmanaged software is found and prevented from being installed or executed. A complete software inventory is a fundamental basis for preventing attacks: attackers continuously scan target organisations for vulnerable versions of software that can be exploited remotely.
- CSC 3, Data protection: develop processes and technical controls to identify, classify, securely handle, store and delete data. Data is no longer held only within corporate boundaries; it is in the cloud, on end-users’ mobile devices used for working from home, and often shared with partners or online services that may be located anywhere in the world.
- CSC 4, Secure configuration of enterprise assets and software: establish and maintain the secure configuration of enterprise assets (end-user devices, including laptops and mobiles; network devices; non-computing/IoT devices; servers) and software (operating systems and applications). As shipped by manufacturers and resellers, the default configurations of assets and software are usually oriented towards ease of deployment and use rather than security.
- CSC 5, Account management: use processes and tools to assign and manage authorisation to credentials for user accounts, including administrator and service accounts, on enterprise assets and software. It is easier for an external or internal attacker to gain unauthorised access to enterprise assets or data by using valid user credentials than by ‘hacking’ the environment.
- CSC 6, Access control management: use processes and tools to create, assign, manage and revoke access credentials and privileges for user, administrator and service accounts on enterprise assets and software. While CIS Control 5 deals specifically with account management, CIS Control 6 focuses on managing the access those accounts have, ensuring that users are authorised only for the data or assets required by their role, and that strong authentication is in place for particularly sensitive or critical functions or data.
- CSC 7, Continuous vulnerability management: develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the infrastructure, in order to remediate them and minimise the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information. Cyber defence is constantly challenged by attackers looking for vulnerabilities within the infrastructure to exploit in order to gain access. Defenders must have timely threat information available (software updates, patches, security advisories, bulletins, etc.) and should regularly review their environments for vulnerabilities before attackers do.
- CSC 8, Audit log management: collect, alert on, review and retain audit logs of events that could help detect, understand or recover from an attack. Collecting and analysing logs is critical to an enterprise’s ability to detect malicious activity quickly. Sometimes audit records are the only evidence of a successful attack.
- CSC 9, Email and web browser protections: improve protections and detections of threats arriving through the email and web vectors, which give attackers the opportunity to manipulate human behaviour through direct engagement. Web browsers and email clients are very common entry points for attackers because of their direct interaction with users. Content can be crafted to entice or trick users into divulging credentials, providing sensitive data, or opening a channel that gives attackers access, thus increasing the risk to the enterprise.
- CSC 10, Malware defences: prevent or control the installation, spread and execution of malicious applications, code or scripts on enterprise assets. Malicious software (also referred to as viruses or trojans) is an integral and dangerous aspect of threats from the Internet. It can have many purposes: capturing credentials, stealing data, identifying other targets within the network, or encrypting or destroying data.
- CSC 11, Data recovery: establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a trusted pre-incident state. In the information security triad of Confidentiality, Integrity and Availability (CIA), data availability is, in some cases, more critical than data confidentiality. Enterprises need many types of data to make decisions, and when that data is unavailable or unreliable the impact on the business can be serious.
- CSC 12, Network infrastructure management: establish, implement and actively manage (track, report on, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points. A secure network infrastructure is an essential defence against attacks. This includes an appropriate security architecture that addresses the vulnerabilities often introduced by default settings, monitoring of changes, and re-evaluation of current configurations. The network infrastructure includes devices such as physical and virtualised gateways, firewalls, wireless access points, routers and switches.
- CSC 13, Network monitoring and defence: operate processes and tooling to establish and maintain comprehensive network monitoring and defence against security threats across the enterprise’s network infrastructure and user base. A perfect network defence cannot be relied upon. Adversaries continue to evolve and mature as they share or sell information in their communities about exploits and bypasses of security controls. Even when security tools work ‘as advertised’, the business risk must be understood in order to configure, tune and track them for effectiveness.
- CSC 14, Security awareness and skills training: establish and maintain a security awareness programme to influence behaviour among the workforce, so that people are security-conscious and properly skilled to reduce cybersecurity risks to the enterprise. People’s actions play a critical role in the success or failure of the security programme. It is easier for an attacker to entice a user into clicking a link or opening an email attachment that installs malware than to find a network exploit that achieves the same access directly.
- CSC 15, Service provider management: develop a process to evaluate service providers that hold sensitive data or are responsible for critical IT platforms or processes, to ensure that they protect those platforms and data appropriately. In today’s connected world, enterprises rely on vendors and partners to manage their data, or rely on third-party infrastructure for core functions or applications.
- CSC 16, Application software security: manage the security lifecycle of in-house developed, hosted or acquired software, in order to prevent, detect and remediate security weaknesses before they can impact the enterprise.
- CSC 17, Incident response management: establish a programme to develop and maintain an incident response capability (e.g. policies, plans, procedures, defined roles, training and communications) to prepare for, detect and respond quickly to an attack. A comprehensive cybersecurity programme includes protection, detection, response and recovery capabilities. In less mature organisations the last two are often neglected, or the response to a compromised system consists simply of restoring it to its original state so that it can be restarted. The main objective of incident response is to identify threats within the enterprise, respond before they spread, and remediate before they cause damage.
- CSC 18, Penetration testing: test the effectiveness and resilience of enterprise assets by identifying and exploiting weaknesses in controls (people, processes and technology) and simulating the objectives and actions of an attacker. A successful defensive posture requires a comprehensive programme of effective policy and governance, strong technical defences, and appropriate action by people.
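CSC 1 and CSC 2 both rest on the same mechanical step: reconcile what discovery actually finds on the network against what the enterprise has authorised, and report the difference. The script below is an added illustration of that reconciliation, written for this article; it is not code from the original page or from CIS. The authorised inventory, the per-asset-class software allowlist and the discovery results are constructed sample data, and the 7-day "stale asset" threshold is an assumption chosen to show how a Safeguard can carry a measurable threshold, not a value mandated by the Controls.

```python
"""Added example, not part of the original article or of the CIS Controls:
a minimal inventory reconciliation in the spirit of CSC 1 (enterprise
assets) and CSC 2 (software assets). All inventories and scan results below
are constructed sample data; the stale threshold is an assumption."""
from dataclasses import dataclass
from datetime import date, timedelta

STALE_AFTER_DAYS = 7  # assumed threshold; the Safeguards let the enterprise pick one
SAMPLE_TODAY = date(2024, 5, 3)  # constructed 'current date' for the sample run


@dataclass(frozen=True)
class Finding:
    control: str  # "CSC 1" or "CSC 2"
    kind: str     # unauthorised_asset | stale_asset | unauthorised_software
    subject: str  # asset id, or "asset:package" for software findings


# Constructed authorised asset inventory: asset id -> date last seen by management tooling
AUTHORISED_ASSETS = {
    "ws-001": date(2024, 5, 1),
    "ws-002": date(2024, 4, 1),   # has not checked in for a month
    "srv-db-1": date(2024, 5, 2),
}

# Constructed software allowlist, keyed by asset class (the prefix before the first '-')
ALLOWED_SOFTWARE = {
    "ws": {"firefox", "libreoffice", "openssh-client"},
    "srv": {"openssh-server", "postgresql"},
}

# Constructed discovery results, e.g. from an active scan or agent check-in
DISCOVERED = {
    "ws-001": {"firefox", "libreoffice", "teamviewer"},
    "srv-db-1": {"openssh-server", "postgresql"},
    "printer-7": {"http-admin"},  # never entered in the inventory
}


def asset_class(asset_id):
    return asset_id.split("-", 1)[0]


def reconcile(authorised, allowed, discovered, today, stale_after_days=STALE_AFTER_DAYS):
    """Compare discovery against the authorised inventory and allowlists.

    Returns findings in a deterministic order: unauthorised assets, then stale
    assets, then unauthorised software on authorised assets."""
    findings = []

    # CSC 1: anything discovered that is not in the authorised inventory
    for asset_id in sorted(discovered):
        if asset_id not in authorised:
            findings.append(Finding("CSC 1", "unauthorised_asset", asset_id))

    # CSC 1: inventoried assets that have stopped checking in (threshold-based)
    cutoff = today - timedelta(days=stale_after_days)
    for asset_id, last_seen in sorted(authorised.items()):
        if last_seen < cutoff and asset_id not in discovered:
            findings.append(Finding("CSC 1", "stale_asset", asset_id))

    # CSC 2: software on authorised assets that is not on the class allowlist
    for asset_id, packages in sorted(discovered.items()):
        if asset_id not in authorised:
            continue  # already reported under CSC 1; no allowlist applies yet
        permitted = allowed.get(asset_class(asset_id), set())
        for pkg in sorted(packages - permitted):
            findings.append(Finding("CSC 2", "unauthorised_software", f"{asset_id}:{pkg}"))

    return findings


def coverage_ratio(authorised, discovered):
    """Share of authorised assets confirmed present by the latest discovery:
    one way to turn the 'measurability' principle into a number."""
    if not authorised:
        return 1.0
    seen = sum(1 for asset_id in authorised if asset_id in discovered)
    return seen / len(authorised)


def sample_run():
    """Reconcile the constructed sample data as of SAMPLE_TODAY."""
    return reconcile(AUTHORISED_ASSETS, ALLOWED_SOFTWARE, DISCOVERED, SAMPLE_TODAY)


if __name__ == "__main__":
    for f in sample_run():
        print(f"{f.control}: {f.kind} {f.subject}")
    print(f"asset coverage: {coverage_ratio(AUTHORISED_ASSETS, DISCOVERED):.0%}")
```

On the sample data the run reports the never-inventoried `printer-7` and the silent `ws-002` under CSC 1, and `teamviewer` on `ws-001` under CSC 2, with two of the three authorised assets confirmed present. The ordering of the checks matters: an asset that is not authorised at all is reported once, as an asset finding, rather than also producing a software finding for every package on it, so the unauthorised-asset queue is not drowned out by noise that will disappear once the asset is either inventoried or removed.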
Implementation Groups
The CIS Controls Implementation Groups (IGs) are self-assessment categories that let an enterprise select the Safeguards appropriate to its risk profile and resources. There are three, and each builds on the previous one.
- IG1: an IG1 enterprise is small or medium-sized, with limited IT and cybersecurity expertise to devote to protecting its assets and personnel. The main concern of such enterprises is to stay operational, as they have a low tolerance for downtime. The sensitivity of the data they protect is low and mainly concerns financial and employee information. The Safeguards in IG1 should be implementable with limited cybersecurity expertise and are aimed at thwarting general, non-targeted attacks. They are typically designed to work with commercial off-the-shelf (COTS) hardware and software in small-business or home-office settings.
- IG2 (also implements IG1): an IG2 enterprise employs staff responsible for managing and protecting the IT infrastructure. These enterprises support multiple departments with differing risk profiles according to their job function and mission. Some departments may also have regulatory compliance obligations. IG2 enterprises often store and process sensitive customer or enterprise information and can tolerate short service interruptions. A major concern is the loss of public confidence in the event of a breach. The Safeguards in IG2 help security teams cope with increased operational complexity; how applicable they are will depend on the enterprise’s level of technology and on the expertise available for correct installation and configuration.
- IG3 (also implements IG1 and IG2): an IG3 enterprise employs security experts specialised in different facets of cybersecurity (e.g. risk management, penetration testing, application security). IG3 assets and data contain sensitive information or functions subject to regulatory and compliance oversight. An IG3 enterprise must ensure the availability of its services and the confidentiality and integrity of sensitive data. Successful attacks can cause significant harm to a wide audience. The Safeguards in IG3 must abate targeted attacks by a sophisticated adversary and reduce the impact of zero-day attacks.
Conclusions
This article has only introduced the topic of CSC 8, which will be developed further in more specific writings. It is nonetheless worth noting that the Controls show a natural evolution towards a more aware and more pervasive approach to cybersecurity.