Critical Security Controls - Obsidian Publish

up:: [[Security Standards and Best Practices]] # Critical Security Controls Critical Security Controls are a set of best practices designed to prevent, detect, and mitigate the most pervasive and dangerous threats to [[network security]]. These controls are often developed and refined by cybersecurity organizations in collaboration with IT security experts and are based on real-world data about actual attacks and breaches. ## Overview of Security Controls The critical security controls are generally categorized into three groups: Basic, Foundational, and Organizational. Each category targets different aspects of IT security, from essential hygiene to more advanced defensive measures. ## Categories and Examples ### Basic Security Controls | Control | Description | How to Exploit | | ------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- | | **Inventory and Control of Hardware Assets** | Actively manage all hardware devices on the network so that only authorized devices are given access and unauthorized devices are found and prevented from gaining access. | Attackers are particularly interested in devices that come & go off the enterprise's network. BYOD = vulnerable. | | **Inventory and Control of Software Assets** | Ensure that only authorized software is installed and can execute, and that unauthorized software is found and prevented from installation or execution. | Use vulnerable softwares to compromise machines. Look for unpatched vulnerabilities. | | **Continuous Vulnerability Management** | Continuously acquire, assess, and take action on new information to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers. | Attackers have access to the same info & take advantage of gaps between knowledge to remediation. | | **Controlled Use of Administrative Privileges** | Use processes and tools to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications. | Attackers try to take advantage of uncontrolled admin privileges or gain an Elevation of Privileges. | | **Secure Configuration for Hardware and Software** | Establish, implement, and actively manage security configurations of laptops, servers, and workstations to remove vulnerabilities and enforce security baselines. | Default configurations are geared towards ease of use, not security. Can be exploited in default state. | | **Maintenance, Monitoring, and Analysis of Audit Logs** | Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack. | Deficiencies in security logging allow hackers to hide location, malicious software, and activities on victim machines. | ### Foundational Security Controls | Control | Description | How to Exploit | | ----------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Email and Web Browser Protections** | Minimize the attack surface and the opportunities for attackers by controlling the use of potentially risky web and email content. | Very common point of entry/attack. Entice/spoof users here. Main means where targets interact with untrusted environments. | | **[[Malware]] Defenses** | Control the installation, spread, and execution of malicious code at multiple points in the enterprise. | Use modern malware, designed to avoid defenses, then attack/disable them. | | **Limitation and Control of Network Ports** | Manage the network infrastructure to prevent attackers from exploiting vulnerable services and settings. | Look to remotely exploit poorly configured web servers, mail servers, file and print services and DNS servers installed by default on a variety of device types. | | **Data Recovery Capabilities** | Ensure that data can be recovered reliably and quickly after a compromise. | Make significant changes to configurations and software. Make it impossible for trustworthy data recovery sans attackers presence. | | **Secure Configuration for Network Devices** | Establish a robust security configuration for network devices such as [[firewalls]], routers, and switches. | Default configurations for network infrastructure are insecure. Open services and ports, default accounts, passwords, pre-installed unnecessary software, & support for older protocols. Also search for gaps/inconsistencies in Firewall rulesets, routers, and switches. Use this to gain access to a network, redirect traffic, and intercept information. | | **Boundary Defense** | Control the flow of traffic through network borders and police content by leveraging security configurations and architecture. | Exploit weaknesses on perimeter systems, network devices, and internet-accessing client machines to gain initial access, reroute traffic, or intercept data. | | **Data Protection** | Prioritize the protection of critical assets by isolating them from less sensitive, publicly accessible information within internal networks. | Target sensitive data for exfiltration, physical damage, or operational disruption to compromise organizational integrity and security. | | **Controlled Access Based on the Need to Know** | Restrict access and permissions strictly to individuals whose roles require it, ensuring secure and relevant data flow. | Scrutinize data movement across network boundaries. Look for privilege creep for users. | | **Wireless Access Control** | Implement robust security measures for wireless networks by securing access points, utilizing strong encryption, and segregating networks. | Exploit weak encryption and poorly secured access points to infiltrate network systems and implant backdoors. | | **Account Monitoring and Control** | Regularly review and deactivate obsolete user accounts to maintain a secure and current user base. | Use dormant but legitimate user accounts to impersonate authorized users and bypass security protocols, particularly focusing on accounts left from Red Team tests. | ### Organizational Security Controls | Control | Description | How to Exploit | | ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Security [[Awareness and Training]]** | Create programs for all employees to understand their roles in maintaining good security practices. | Make a super fake phishing-looking email and then hide the malicious link in the "report this email" link. | | **Application Software Security** | Protect against vulnerabilities found in web-based and other application software. | Look for coding mistakes, logic errors, incomplete requirements, and failure to test for unusual or unexpected conditions. Try SQL injection. Specific errors: failure to: check the size of user input; filter out unneeded but malicious character sequences from input streams; initialize and clear variables, and poor memory management allowing flaws in unrelated areas to affect security critical portions. | | **Incident Response and Management** | Develop and implement an incident response infrastructure for quickly discovering an attack and effectively containing the damage, eradicating the attacker's presence, and restoring the integrity of the network and systems. | Strike as quickly as possible before emergency action plans are carried out. | | **[[Penetration Testing]] and [[Red Teaming]]** | Test the effectiveness of security configurations and practices by simulating the tactics and techniques of potential attackers. | Exploit the gap between good defensive designs and intentions and implementation or maintenance. | ## Related Cybersecurity Policies Adherence to critical security controls is often part of compliance with various regulatory and industry standards, including but not limited to: - **[[NIST Special Publication 800-53|NIST SP 800-53]],** for federal information systems except those related to national security. - **[[ISOIEC 27001|ISO/IEC 27001]],** which provides requirements for an information security management system (ISMS). - **[[PCI DSS]],** for organizations that handle credit card transactions. ## Best Practices - **Regularly Update Controls:** Security environments and threats evolve; therefore, it is crucial to update controls and practices continually. - **Integrate Controls into a Holistic Security Program:** Controls should not function in isolation but as part of a comprehensive security strategy. - **Automate Controls When Possible:** Automation can help maintain consistency and reduce the potential for human error. ## Current Status As cyber threats evolve, so too do critical security controls. Organizations and cybersecurity groups periodically review and update these controls to stay ahead of [[emerging threats]]. ## Revision History - **2024-04-14:** Entry created.