Solving the 20 Critical Controls – Control 1
- Monday, February 1, 2010, 11:39
- Threat Research
As we start off the month of February, let’s look at the “20 Critical Controls” and how McAfee solutions can be used to achieve each control.
Each day we will cover one of the 20 controls, highlighting key ways that organizations can more effectively implement each control. The important thing to remember is that McAfee products can cover and solve many of the controls in an integrated and automated fashion.
If you are not familiar with the 20 critical controls, details can be found at http://www.sans.org/critical-security-controls/, but the general approach of the controls is designed to begin the process of establishing the prioritized baseline of information security measures and controls that will lead to effective security.
The following are the 20 critical controls:
- Inventory of Authorized and Unauthorized Devices
- Inventory of Authorized and Unauthorized Software
- Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
- Secure Configurations of Network Devices Such as Firewalls, Routers, and Switches
- Boundary Defense
- Maintenance and Analysis of Security Audit Logs
- Application Software Security
- Controlled Use of Administrative Privileges
- Controlled Access Based On Need to Know
- Continuous Vulnerability Assessment and Remediation
- Account Monitoring and Control
- Malware Defenses
- Limitation and Control of Network Ports, Protocols, and Services
- Wireless Device Control
- Data Loss Prevention
- Secure Network Engineering
- Penetration Tests and Red Team Exercises
- Incident Response Capability
- Data Recovery Capability
- Security Skills Assessment and Training to Fill Gaps
Since it is February first, let’s look at control 1.
Critical Control 1: Inventory of Authorized and Unauthorized Devices
You cannot protect what you do not know. Many organizations are broken into because they have unprotected systems connected to their network that they did not know about. An organization cannot patch or secure a box it is unaware exists; attackers, however, will quickly find such systems, compromise them, and use them as a foothold to compromise the rest of the network. While asset management is often not thought of as a security control, it is the foundation on which a security infrastructure is built. Only by carefully tracking all devices and changes through a robust change control process can an organization properly manage security.
Key tests to perform to check compliance with this control:
1) Connect a new device to your network. Is it allowed to connect?
2) After connecting a new device to your network, does anyone notice?
3) If they do notice, what action is taken to remediate the issue?
Key steps organizations should take to properly implement this control:
1) Scan all IP ranges and subnets belonging to the company and confirm all devices are valid;
2) Any new devices or changes to existing devices need to go through a change control board (CCB);
3) Update or rescan when new devices are approved by the CCB and plugged into the network;
4) Have an automated scanning tool (e.g., nmap) that scans on a regular basis and notifies you of any new devices it finds on the network;
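Steps 1 through 4 above amount to one loop: sweep the address space, compare what answered against the CCB-approved inventory, and alert on anything the board never approved. The script below is an added example of that loop and is not from the original post or a McAfee product. It assumes you run a ping sweep such as `nmap -sn -oX scan.xml 192.168.1.0/24` from a sensor inside each broadcast segment (nmap only learns MAC addresses for hosts on its own segment) and keep the approved inventory as a mapping of IP address to the MAC recorded at approval time. The scan XML and the inventory embedded here are constructed for illustration; the hosts and MACs are hypothetical.

```python
"""Diff an nmap ping-sweep against the CCB-approved inventory and flag rogue or changed hosts.

Added example, not from the original post.  Assumes:
  nmap -sn -oX scan.xml <your subnet>   run from a sensor in each broadcast segment
  APPROVED                              the CCB-approved inventory, IP -> MAC
The sample XML and inventory below are constructed, not a real scan.
"""
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sn -oX -` output (hypothetical hosts and MACs).
SAMPLE_SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -oX - 192.168.1.0/24">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:01" addrtype="mac" vendor="ExampleCo"/>
    <hostnames><hostname name="gw.example.lan" type="PTR"/></hostnames>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:20" addrtype="mac"/>
    <hostnames/>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.1.77" addrtype="ipv4"/>
    <address addr="de:ad:be:ef:00:77" addrtype="mac"/>
    <hostnames/>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.168.1.30" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Constructed CCB-approved inventory: IP -> MAC as recorded when the device was approved.
APPROVED = {
    "192.168.1.1": "00:11:22:33:44:01",
    "192.168.1.20": "00:11:22:33:44:99",   # MAC differs from tonight's scan: device swapped?
    "192.168.1.30": "00:11:22:33:44:30",   # approved, but not answering in this sweep
}


def parse_scan(xml_text):
    """Return {ip: {"mac": str|None, "hostname": str|None}} for hosts nmap reports as up."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = mac = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr").lower()
        if ip is None:
            continue
        hn = host.find("hostnames/hostname")
        hosts[ip] = {"mac": mac, "hostname": hn.get("name") if hn is not None else None}
    return hosts


def diff_inventory(approved, seen):
    """Classify scan results against the approved inventory.

    new     : IPs that answered but were never approved by the CCB (rogue candidates)
    changed : approved IPs whose MAC no longer matches the approved record
    missing : approved IPs that did not answer; not an incident by itself, but
              reconcile them so the inventory does not rot
    """
    new = sorted(ip for ip in seen if ip not in approved)
    changed = sorted(ip for ip in seen
                     if ip in approved and seen[ip]["mac"]
                     and seen[ip]["mac"] != approved[ip].lower())
    missing = sorted(ip for ip in approved if ip not in seen)
    return {"new": new, "changed": changed, "missing": missing}


def report(xml_text, approved=APPROVED):
    """Print one line per finding and return the classification for further handling."""
    result = diff_inventory(approved, parse_scan(xml_text))
    for kind, ips in result.items():
        for ip in ips:
            print(f"{kind.upper():8} {ip}")
    return result


if __name__ == "__main__":
    report(SAMPLE_SCAN_XML)
```

Run it from cron after each scheduled sweep and route the `new` and `changed` lines to whoever owns the remediation step in test 3 above. Keying the comparison on MAC as well as IP matters: on a DHCP segment an IP alone says little, and an approved IP that now answers with a different MAC is exactly the "replaced overnight" case the control warns about. The `missing` list is there to keep the inventory honest, since an approved entry that never answers is either decommissioned and should be removed by the CCB, or is a laptop that will come back unpatched.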
This control is critical because many criminal groups and nation states deploy systems that continuously scan address spaces of target organizations waiting for new, unprotected systems to be attached to the network. The attackers also look for laptops not up to date with patches because they are not frequently connected to the network. One common attack takes advantage of new hardware that is installed on the network one evening and not configured and patched with appropriate security updates until the following day. Attackers from anywhere in the world may quickly find and exploit such systems that are Internet-accessible. Furthermore, even for internal network systems, attackers who have already gained internal access may hunt for and compromise additional improperly secured internal computer systems.
Some attackers use the local nighttime window to install backdoors on the systems before they are hardened. Additionally, attackers frequently look for experimental or test systems that are briefly connected to the network but not included in the standard asset inventory of an organization. Such experimental systems tend not to have as thorough security hardening or defensive measures as other systems on the network. Although these test systems do not typically hold sensitive data, they offer an attacker an avenue into the organization, and a launching point for deeper penetration.
McAfee’s integrated suite of products can meet all of the requirements of this control. McAfee Network Access Control passively identifies, quarantines, and remediates noncompliant, infected, and misconfigured systems via pre- and post-admission checks. Information gathered by NAC is stored in our centralized ePolicy Orchestrator product. For active scanning of systems, McAfee Vulnerability Manager provides asset-based discovery, management, scanning, and reporting. McAfee Vulnerability Manager supports LDAP integration to import systems from existing asset repositories and provides a centralized view of assets discovered through active asset discovery scanning. Assets can be classified according to risk, and other descriptors, such as asset owner and purpose, can be documented for each asset.
McAfee ePolicy Orchestrator provides a centralized asset inventory of all systems, networks and devices on the network. McAfee Vulnerability Manager maintains an up-to-date inventory of all systems connected to the network including any system with an IP address. McAfee Rogue System Detection provides real-time detection of rogue systems by means of a sensor placed on at least one system within each network broadcast segment (typically a subnet).
Both McAfee Vulnerability Manager and McAfee ePolicy Orchestrator provide a secure environment for storing asset and system security information. Role-based access controls ensure that data is provided only on a need-to-know basis to authorized personnel.
Portions of the above are taken from version 2.2 of The Twenty Critical Controls. You can also follow Dr. Eric Cole on twitter at drericcole or email eric_cole@mcafee.com.
About the Author: