Page 18 - CDM Cyber Warnings November 2013
Twenty Critical CSIS Security Controls: Part Six
Limitations & Controls and Administrative Privileges
by Adam Montville, Security and Compliance Architect
Synopsis:
In earlier installments of this series we covered device and software inventories, secure
hardware and software configurations, continuous vulnerability assessments and remediation
efforts, malware and application security, wireless controls and data recovery, skills assessment
and device configurations.
It’s time to take a closer look at Controls 11 and 12 of the CSIS 20 Critical Security Controls,
which deal with Limitation and Control of Network Ports, Protocols, and Services, and with
Administrative Privileges, respectively (I consulted the PDF version for this analysis, but
online versions are also available).
Before getting started with the key takeaways for Controls 11 and 12, I must reassert that each
control we examine includes a set of requirements that you really should be taking directly to
your security tool vendors. When you do, do not just take their word for it if they tell you they
meet the 20 CSC requirements – make them really dig down and prove it to you. These controls
are that important to your organization.
Limitation and Control of Network Ports, Protocols, and Services
In a Nutshell:
Interoperability is required: You need to have a deep understanding of your asset inventory
before you’re going to make very much progress on this Control. And, your asset management
system is going to need to be up to par. It’s great if you have an asset management system
that knows about everything you have, but if it is unable to characterize each asset down to the
port level, then interoperability hasn’t been realized.
Automation is your friend: If you’ve not automated the scans required by this control, you’re in
for a lot of work – especially in a larger organization. Automate as much as you possibly can, then
validate the automation from time to time. You’ll save time and money this way.
Areas for Improvement:
Language clean up: There were only a couple of wording problems in this Control, but some word
choices didn’t sit well with me. For example, the fourth requirement uses the word “change” when I
would prefer to see “deviation.” It’s semantic, but I think important.
Requirement placement: I really think that some of the requirements found herein should be
in a different Control. The Control that kept coming up was Control 19 (Secure Network
Engineering).
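As an added illustration (not from the article or from the CSIS document) of what the inventory-driven, automated check behind this Control looks like, and of why “deviation” is the better word: the script compares a scan against the approved per-asset baseline and reports only what departs from it. The baseline, host names and scan records are constructed sample data.

```python
# Added example (not from the article or CSIS): compare a port scan against
# the approved per-asset baseline; BASELINE and SCAN_LINES are constructed.

# Approved baseline from the asset inventory: host -> {(port, proto)}.
BASELINE = {
    "web01": {(22, "tcp"), (443, "tcp")},
    "db01": {(22, "tcp"), (5432, "tcp")},
    "dns01": {(53, "udp"), (53, "tcp")},
}

# Constructed scan output, one "host port/proto state" record per line.
SCAN_LINES = """\
web01 22/tcp open
web01 443/tcp open
web01 8080/tcp open
db01 22/tcp open
db01 5432/tcp closed
db01 161/udp open
app02 22/tcp open
"""

def parse_scan(text):
    """Return host -> set of (port, proto) seen open; closed ports still
    register the host so it counts as scanned."""
    observed = {}
    for line in text.splitlines():
        host, portproto, state = line.split()
        port, proto = portproto.split("/")
        observed.setdefault(host, set())
        if state == "open":
            observed[host].add((int(port), proto))
    return observed

def find_deviations(baseline, observed):
    """Deviations as (host, kind, port, proto). Kinds: unapproved (open but
    not in baseline), missing (approved but not listening), unknown_host
    (scanned, not inventoried), not_scanned (inventoried, never scanned)."""
    devs = []
    for host in sorted(set(baseline) | set(observed)):
        if host not in baseline:
            devs.append((host, "unknown_host", None, None))
        elif host not in observed:
            devs.append((host, "not_scanned", None, None))
        else:
            for port, proto in sorted(observed[host] - baseline[host]):
                devs.append((host, "unapproved", port, proto))
            for port, proto in sorted(baseline[host] - observed[host]):
                devs.append((host, "missing", port, proto))
    return devs
```

A host that is scanned but absent from the inventory is itself a deviation worth reporting, which is the interoperability point above: without a port-level inventory there is nothing to compare against.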
Copyright © Cyber Defense Magazine, All rights reserved worldwide