So you have identified the likely attackers, the threats that their attacks pose, and how at a high level they will carry out these attacks. Now what?
The traditional (and wrong) answer is to cover all your bases by adopting the most comprehensive set of controls possible. Whether it is NIST CSF, NIST 800-53, ISO 27002, or ISF, more is obviously better, right? Wrong!
This is the stage where, in my experience, many information security programs go off the rails. Rather than focusing on the fundamentals that matter, I have often seen security leaders and CEOs mandate the most comprehensive set of information security controls possible. The thinking is that if every possibility for failure is eliminated (by mandate), failure is therefore impossible. Instead, this approach is itself a prescription for failure, the classic case of "boiling the ocean".
When you attempt to cover every possible control, the end result is that you will likely spend your time and effort on mandated activities that are easy, cheap, or sexy (in a technology sense), simply so that you can show progress. Instead, you need to focus on the activities that are most effective in reducing risk, work that is often hard, expensive (from a manpower perspective), and not sexy.
In reviewing the history of major data breaches in large corporations, the root cause has often been traced back to failures to properly implement and manage fundamental security controls. Examples of these fundamental control mistakes include ineffective patching, failure to properly configure equipment, or not changing default credentials. What is curious is that these are organizations that spend tens if not hundreds of millions of dollars on information security, and have security organizations with hundreds if not thousands of dedicated security staff. How can these events happen so frequently with all this attention to security?
They happen because of the error of mistaking increasing complexity for increasing security: activity does not equal effectiveness. The government perpetuates this problem by adding more security regulations and requirements after every significant security breach. The end result is that security within the affected organizations is decreased rather than increased, because of the distraction that these additional mandates bring.
The answer to the problem of ever-increasing complexity is to start with the fundamentals, ensure that you are doing them well, evolve them incrementally, and only implement the controls that you can properly manage. In the information security world, the best description of what constitutes the fundamental controls is the one produced by the Center for Internet Security, Inc. (CIS®).
5.1 CIS Controls®
CIS is a 20-year-old community-driven nonprofit, responsible for the CIS Controls and CIS Benchmarks™, which are globally recognized best practices for securing IT systems and data. Rather than considering everything that can go wrong and developing a control to counter it, CIS instead analyzes real-world attacks to determine what happened and why. As of this writing, the CIS Controls are in their eighth version (v8) and consist of eighteen prioritized and simplified security controls with 153 specific safeguards. Implementing the full suite of these safeguards has been shown to mitigate approximately 83% of all attack techniques found in the MITRE ATT&CK® framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
The CIS Controls are widely recommended as the fundamental best practices for any organization to follow and have been cited as the minimum requirements in order to demonstrate that a company is exercising due care in IT security. Starting with the CIS Controls, even if you are mandated to implement PCI DSS, FISMA, CMMC, or some other controls framework, ensures that you are building your security program on a strong defensive foundation.
The CIS Controls are cross-referenced to their applicable equivalent controls in the NIST, FISMA, PCI DSS, GDPR, and ISO/IEC 27002 security controls. This helps you explain to your management that your efforts are focused on implementing the mandated controls framework (NIST, PCI, etc.) in an order that prioritizes the controls with the greatest risk mitigation benefit. In addition, the CIS Controls are referenced by the U.S. Government in the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) as a recommended implementation approach for the CSF. Multiple government agencies at the state and federal level also recommend the CIS Controls as an effective approach to implementing mandated security programs.
The 153 CIS safeguards themselves are subdivided into three implementation groups. This is done so as not to overwhelm new organizations in the setup of their program, and to ensure that they implement controls in the order that mitigates the most likely risks the soonest.
Each implementation group of safeguards builds on the safeguards implemented in the prior group. Implementation Group 1 (IG1) is the foundational set of safeguards; it is enhanced with the additional IG2 safeguards for organizations with greater security needs, and then capped with the IG3 set of safeguards for organizations with yet higher security needs.
The 18 top-level CIS Controls as defined by CIS are listed below. To help you understand how these relate to the attacks I referenced in Chapter 4 – Know Their Attacks, I have listed under each control the primary attack type(s) that it helps mitigate.
- CIS Control 1 – Inventory and Control of Enterprise Assets: Actively manage all enterprise hard assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately account for, monitor, and protect assets within the enterprise. Mitigates: Physical, Malware
- CIS Control 2 – Inventory and Control of Software Assets: Actively manage all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution. Mitigates: Malware, Vulnerabilities
- CIS Control 3 – Data Protection: Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data. Mitigates: Hacking, Social
- CIS Control 4 – Secure Configuration of Enterprise Assets and Software: Establish and maintain the secure configuration of enterprise hard assets and software. Mitigates: Misconfiguration
- CIS Control 5 – Account Management: Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts and service accounts, to enterprise assets and software. Mitigates: Malware, Hacking
- CIS Control 6 – Access Control Management: Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software. Mitigates: Malware, Hacking
- CIS Control 7 – Continuous Vulnerability Management: Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure in order to remediate and minimize the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information. Mitigates: Vulnerabilities
- CIS Control 8 – Audit Log Management: Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack. Mitigates: Malware, Hacking
- CIS Control 9 – Email and Web Browser Protections: Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement. Mitigates: Malware, Social
- CIS Control 10 – Malware Defenses: Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets. Mitigates: Malware
- CIS Control 11 – Data Recovery: Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state. Mitigates: Malware, Hacking
- CIS Control 12 – Network Infrastructure Management: Establish, implement, and actively manage (e.g., track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points. Mitigates: Malware, Hacking
- CIS Control 13 – Network Monitoring and Defense: Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base. Mitigates: Malware, Hacking
- CIS Control 14 – Security Awareness and Skills Training: Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise. Mitigates: Social, Physical
- CIS Control 15 – Service Provider Management: Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately. Mitigates: Vulnerabilities, Misconfiguration, Hacking
- CIS Control 16 – Application Software Security: Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise. Mitigates: Vulnerabilities, Misconfiguration, Hacking
- CIS Control 17 – Incident Response Management: Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, communications) to prepare, detect, and quickly respond to an attack. Mitigates: All
- CIS Control 18 – Penetration Testing: Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (e.g., people, processes, technology), and simulating the objectives and actions of an attacker. Mitigates: Vulnerabilities, Misconfiguration, Hacking
This is a draft of the content from my upcoming book on Heuristic Risk Management. The anticipated release is Q1 of 2022 and it will be available through all major book retailers in both print and ebook. Footnotes are not included in these drafts, and all drafts will be removed from this forum when the book is published. Comments are welcome if there are areas that you feel are unclear or missing information. Since these are drafts, spelling and grammar issues are likely and will be corrected in the final release.