Critical Controls for Effective Cyber Defense

Page 6

Description of Controls

Critical Control 1: Inventory of Authorized and Unauthorized Devices

The processes and tools used to track/control/prevent/correct network access by devices (computers, network components, printers, anything with IP addresses) based on an asset inventory of which devices are allowed to connect to the network.

How Do Attackers Exploit the Absence of this Control?

Many criminal groups and nation-states deploy systems that continuously scan the address spaces of target organizations, waiting for new and unprotected systems to be attached to the network. The attackers also look for laptops that are not up to date with patches because they are not frequently connected to the network. One common attack takes advantage of new hardware that is installed on the network one evening and not configured and patched with the appropriate security updates until the following day. Attackers from anywhere in the world may quickly find and exploit such systems if they are accessible via the Internet. Furthermore, even for internal network systems, attackers who have already gained internal access may hunt for and compromise additional improperly secured internal computer systems. Some attackers use the local nighttime window to install backdoors on the systems before they are hardened. Advanced persistent threats (APTs) target internal users with the goal of compromising a system on the private network that can be used as a pivot point to attack internal systems. Even systems that are connected to the private network, without visibility from the Internet, can still be a target of the advanced adversary. Any system, even a test system that is connected for a short period of time, can still be used as a relay point to cause damage to an organization. As new technology continues to come out, BYOD (bring your own device), where employees bring personal devices into work and connect them to the network, is becoming very common. These devices could already be compromised and be used to infect internal resources.

How to Implement, Automate, and Measure the Effectiveness of this Control

1. Quick wins: Deploy an automated asset inventory discovery tool and use it to build a preliminary asset inventory of systems connected to an organization's public and private network(s). Both active tools that scan through network address ranges and passive tools that identify hosts by analyzing their traffic should be employed.

2. Quick wins: Deploy DHCP server logging, and utilize a system to improve the asset inventory and help detect unknown systems through this DHCP information.

3. Quick wins: All equipment acquisitions should automatically update the inventory system as new, approved devices are connected to the network. A robust change control process can also be used to validate and approve all new devices.

4. Visibility/Attribution: Maintain an asset inventory of all systems connected to the network and of the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device. The inventory should include every
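Items 2 and 4 above describe feeding DHCP server logs into the asset inventory so that devices nobody approved stand out. The following script is an added illustration written for this page, not a tool from the Critical Controls document or from any vendor: it parses a few constructed DHCP lease lines (the format is an assumption, loosely modelled on ISC dhcpd syslog output), keeps an inventory record with the fields item 4 lists (address, machine name, purpose, owner, department), and reports every leased MAC address that has no inventory entry. The inventory contents, hostnames and addresses are all constructed sample values.

```python
"""Reconcile DHCP server lease logs against an authorized asset inventory.

Added example for Critical Control 1 (not code from the document itself).
Log format, inventory fields and all sample values are assumptions.
"""
import re
from dataclasses import dataclass


# Inventory record carrying the attributes item 4 asks to track (assumed layout).
@dataclass(frozen=True)
class Asset:
    mac: str
    machine_name: str
    purpose: str
    owner: str
    department: str


# Constructed sample inventory of approved devices, keyed by MAC address.
AUTHORIZED_INVENTORY = {
    "00:11:22:33:44:55": Asset("00:11:22:33:44:55", "fileserver01", "File sharing", "J. Doe", "IT"),
    "66:77:88:99:aa:bb": Asset("66:77:88:99:aa:bb", "printer-2f", "Printing", "A. Smith", "Finance"),
}

# Constructed DHCP log lines. The "DHCPACK on <ip> to <mac> (<hostname>) via <iface>"
# shape mirrors ISC dhcpd syslog output but is an assumption for this example.
SAMPLE_DHCP_LOG = """\
Mar  3 22:14:01 dhcp01 dhcpd: DHCPACK on 10.1.2.20 to 00:11:22:33:44:55 (fileserver01) via eth0
Mar  3 22:15:37 dhcp01 dhcpd: DHCPACK on 10.1.2.41 to 66:77:88:99:aa:bb (printer-2f) via eth0
Mar  3 23:02:12 dhcp01 dhcpd: DHCPACK on 10.1.2.77 to de:ad:be:ef:00:01 (android-7f3a) via eth0
Mar  3 23:05:48 dhcp01 dhcpd: DHCPDISCOVER from de:ad:be:ef:00:01 via eth0
"""

# Only DHCPACK lines represent a lease actually handed out; the hostname is optional.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE,
)


def parse_leases(log_text):
    """Return {mac: (ip, hostname)} for every DHCPACK line; a later lease overwrites an earlier one."""
    leases = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            leases[m.group("mac").lower()] = (m.group("ip"), m.group("host") or "")
    return leases


def reconcile(leases, inventory):
    """Split leases into authorized and unknown devices.

    Returns (authorized, unknown): authorized maps mac -> (ip, Asset) and
    unknown maps mac -> (ip, hostname). The unknown entries are exactly what
    item 2 of the control wants DHCP logging to surface for follow-up.
    """
    authorized, unknown = {}, {}
    for mac, (ip, host) in leases.items():
        asset = inventory.get(mac)
        if asset is None:
            unknown[mac] = (ip, host)
        else:
            authorized[mac] = (ip, asset)
    return authorized, unknown


def report(log_text=SAMPLE_DHCP_LOG, inventory=AUTHORIZED_INVENTORY):
    """Print a summary and return the sorted list of unknown MAC addresses."""
    authorized, unknown = reconcile(parse_leases(log_text), inventory)
    for mac, (ip, asset) in sorted(authorized.items()):
        print(f"known   {mac} {ip:<15} {asset.machine_name} ({asset.department}, owner {asset.owner})")
    for mac, (ip, host) in sorted(unknown.items()):
        print(f"UNKNOWN {mac} {ip:<15} hostname={host!r}  -> investigate or add to inventory")
    return sorted(unknown)


if __name__ == "__main__":
    report()
```

In practice the log text would come from the DHCP server's syslog feed and the inventory from the discovery tool or CMDB named in item 1; keying on MAC address is the simplest join, with the caveat that MAC addresses can be changed by the device owner, so an unknown-device alert is a trigger for investigation and for the change control process in item 3, not proof of compromise on its own.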
