Today, I will be going over Control 20 from version 7 of the CIS top 20 Critical Security Controls – Penetration Tests and Red Team Exercises. I will go through the eight requirements and offer my thoughts on what I’ve found.Key Take Aways from Control 20Rely on the previous controls. So much of what’s happening in Control 20 leverages some of the earlier Controls. Understanding your attack surfaces from Controls 1 and 2 can help scope sections 1 through 3. Control 3 is going to define your vulnerability management tool set, which can be leveraged across most of the sections in this control. The findings from your red team exercises are going to help mature your coverage in every previous control.Where’s the remediation? Section 7 states that results should be compared over time; however, there is no guidance on giving these results to the Blue Team to close the gaps discovered from the penetration tests.Requirement Listing for Control 20Establish a Penetration Testing ProgramDescription: Establish a program for penetration tests that includes a full scope of blended attacks such as wireless, client-based, and web application attacks.Notes: This has taken the place as the starting point for those looking to start penetration tests against their assets. If you’re just beginning, don’t try to tackle the full blend of attacks at once. Start with something you may have expertise in and/or a critical finding from a vulnerability scan. Over time, you can get to having the full blend of attacks in your arsenal.Conduct Regular External and Internal Penetration TestsDescription: Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.Notes: This section remains relatively intact from the previous version of the controls, albeit with more simple language. As with section 1, you can start with an internal scan then work towards eventually having the external scan results.Perform Periodic Red Team ExercisesDescription: Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.Notes: The difference between sections 2 and 3, is that the defenders (Blue Team) will not be aware of an attack happening. This is designed to test the defenses rather than purely determine if there are holes in the network.Include Tests for Presence of Unprotected System Information and ArtifactsDescription: Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, email or documents containing passwords, or other information critical to system operation.Notes: If you’re not already leveraging Control 13.1, then it will be difficult to be successful in this section. Knowing where your sensitive data is before the attackers do is critical.Create a Test Bed for Elements Not Typically Tested in ProductionDescription: Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.Notes: This section provides a safe proving ground for testing systems that cannot afford to have any downtime. Even for systems that can afford downtime, it’s good to have a testing environment to develop proof of concept attacks which can then be leveraged on the production environment, if applicable.Use Vulnerability Scanning and Penetration Testing Tools in ConcertDescription: Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.Notes: Results from the vulnerability scan can and should be used to feed the penetration testing tools. Unless you are doing a black box attack, having the knowledge of what the attack surface is will help the red team be successful. However, be mindful that this could create a bias towards testing only results from the vulnerability scan. Make sure that the red teams are actively testing items that the vulnerability scanner is not reporting as well.Ensure Results from Penetration Test are Documented Using Open, Machine-readable StandardsDescription: Wherever possible, ensure that Red Teams results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.Notes: Using SCAP will be valuable if there are multiple tools from multiple vendors being leveraged by the various security teams. However, the more important requirement here is that you compare your results internally over time regardless of what format is being used.Control and Monitor Accounts Associated with Penetration TestingDescription: Any use or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes and are removed or restored to normal function after testing is over.Notes: This is part of the clean-up that happens after each engagement by the red team. However, as discussed in the Key Take Aways above, there is still much to be done after the tests are ran.See how simple and effective security controls can create a framework that helps you protect your organization and data from known cyber attack vectors by downloading this guide here.
You can also learn more about the CIS security controls here.