Since 2008, the CIS Controls have been through many iterations of refinement and improvement, leading up to what we are presented with today in CIS Controls version 8. CIS Controls reflect the combined knowledge of experts from every part of the ecosystem (companies, governments, and individuals). The controls reflect consideration by people in many different roles such as threat analysts, incident responders, solution providers, policy-makers, and more. This work is the wisdom collected from experts across many sectors who have banded together to create, adopt, and support the CIS Controls.
Today, I will be going over the first of the 18 Controls in version 8 of the CIS Controls: Inventory and Control of Enterprise Assets. This control has had some updates since CIS Controls 7.1, such as the introduction of “Safeguards”, which were called “Sub-Controls” in previous versions. It is also notable that there are now 18 Controls rather than the previous 20. Here I will go through the five Safeguards for CIS Control 1 and offer my interpretation of each.
Key Takeaways for Control 1
- Starting with the basics. CIS Controls version 8 has 18 controls. Of the 18, the first six are commonly treated as the basics that set the foundation for enterprise cybersecurity, and Control 1 comes first because every later control presumes you know what assets you have. Adopting the CIS Controls can both simplify and strengthen cybersecurity at once.
- Tool availability. Many of the tools that satisfy the requirements of Control 1 are open-source, which can cut costs during adoption of CIS. This matters most for smaller organizations; larger ones tend to outgrow what the open-source tooling covers, and commercial tools and services are available for enterprises in that position.
- Reusability. Work smarter not harder. Many of the tools referenced in Control 1 can be used in Control 2, which is very helpful when tackling the Controls in order.
Safeguards for Control 1
1.1) Establish and Maintain Detailed Enterprise Asset Inventory
Description: Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data. This inventory can include end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM-type tools can support this process where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure—even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually or more frequently.
Notes: The security function for this safeguard is Identify: discovering assets and cataloging them in the inventory. All assets found by a scan should be recorded. If you are a small business, a simple CSV file can be sufficient; mid-sized to large enterprises will need a proper asset management database.
1.2) Address Unauthorized Assets
Description: Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset to isolate it from other assets.
Notes: The security function for this safeguard is Respond: dealing with unauthorized assets found on your network. A new device showing up in a discovery scan does not necessarily mean something nefarious is afoot. Establishing a known-good baseline from previous asset scans takes much of the guesswork out of it: comparing each new scan against the baseline shows exactly which assets are new, making it easier to decide whether an asset is permitted on the network or needs to be quarantined.
1.3) Utilize an Active Discovery Tool
Description: Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure the active discovery tool to execute at least daily.
Notes: The security function for this safeguard is Detect: finding assets by some active discovery method. A basic example of active discovery is the classic ping-and-response sweep, used by many tools as a first pass at locating hosts on a network. Keep in mind that some assets will not show up with active discovery, either because a host firewall drops the probes or because the device is only intermittently connected; a host that answers nothing is not necessarily absent. This is why deploying both active and passive techniques (passive discovery is covered under 1.5) is important if you want full visibility of an organization’s network.
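As an added example (not code from the original post or from CIS), here is a minimal active sweep in Python in the spirit of the ping-and-response method, with a TCP connect fallback for hosts that drop ICMP. It assumes a Linux iputils `ping` binary (where `-W` is a timeout in seconds), and the probed port list is an assumption. A real deployment would use a purpose-built scanner, but the structure is the point: probe in parallel, and treat a missing answer as “unknown”, never as “absent”.

```python
import ipaddress
import socket
import subprocess
from concurrent.futures import ThreadPoolExecutor


def icmp_probe(ip, timeout=1.0):
    """One ICMP echo via the system ping binary (no raw-socket privilege needed).

    Assumes Linux iputils ping, where -W is the reply timeout in seconds.
    """
    try:
        result = subprocess.run(
            ["ping", "-c", "1", "-W", str(int(timeout)), ip],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
            timeout=timeout + 1,
        )
        return result.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def tcp_probe(ip, ports=(22, 80, 443, 445, 3389), timeout=0.5):
    """TCP connect to a few common ports (assumed list); catches hosts that drop ICMP
    but still serve something. Any completed handshake counts as alive."""
    for port in ports:
        try:
            with socket.create_connection((ip, port), timeout=timeout):
                return True
        except OSError:
            continue
    return False


def probe_host(ip, probes=(icmp_probe, tcp_probe)):
    """A host is 'up' if any probe gets a response; silence proves nothing."""
    return any(probe(ip) for probe in probes)


def active_sweep(cidr, probe=probe_host, workers=64):
    """Probe every host address in cidr in parallel and return {ip: bool}.

    False means "did not answer our probes", not "absent": a host that filters ICMP
    and the probed TCP ports is invisible here and has to be found via DHCP logs
    (1.4) or passive discovery (1.5). `probe` is injectable so the sweep logic can
    be exercised without touching a live network.
    """
    hosts = [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(probe, hosts)
    return dict(zip(hosts, results))


def responding(sweep):
    """Sorted list of addresses that answered at least one probe."""
    return sorted(ip for ip, up in sweep.items() if up)


if __name__ == "__main__":
    # Sweep the local /29 for real (requires ping and network access).
    sweep = active_sweep("192.168.1.0/29")
    for ip in responding(sweep):
        print("responded:", ip)
    print(f"{len(sweep) - len(responding(sweep))} addresses gave no answer (unknown, not absent)")
```

The result of a sweep is only half of the picture: feed the responding addresses into the inventory, but keep the silent ones on a “to be confirmed by other means” list rather than marking them free.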
1.4) Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory
Description: Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise’s asset inventory. Review and use logs to update the enterprise’s asset inventory weekly or more frequently.
Notes: The security function for this safeguard is Detect: finding assets by reviewing DHCP logs and cataloging the updates. DHCP benefits many organizations by centralizing IP address management and making it easy to add new devices using recycled addresses; the side effect that matters here is that every lease is a record of a hardware address, an IP address, and usually a hostname, which is exactly what the inventory in 1.1 needs. This safeguard is similar in purpose to 1.3 and 1.5, but its data source is the DHCP server’s lease log rather than probe responses or observed traffic. Assets with static addresses never appear in those logs, so DHCP logging complements the other two methods rather than replacing them.
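As an added example (not code from the original post or from CIS), the following Python script applies safeguards 1.2 and 1.4 together: it parses DHCPACK lines in ISC dhcpd’s syslog format, keys the inventory on hardware address (which survives IP changes under DHCP), updates the current address of known assets, and reports every lease whose MAC is either unknown or inventoried but not approved. The inventory CSV and the log lines are constructed sample data; the column names follow the fields safeguard 1.1 asks for, and the log format assumes ISC dhcpd (other DHCP servers log differently and need their own pattern).

```python
import csv
import io
import re

# Constructed sample inventory (safeguard 1.1) as a flat file, with the fields 1.1 names.
INVENTORY_CSV = """mac,hostname,ip,owner,department,approved
00:1a:2b:3c:4d:5e,laptop-alice,10.0.1.23,alice,engineering,yes
00:1a:2b:3c:4d:5f,printer-2f,10.0.1.40,facilities,facilities,yes
00:1a:2b:3c:4d:60,contractor-nb,,bob,finance,no
"""

# Constructed syslog lines modelled on ISC dhcpd's DHCPACK format. Only the ACK is a
# completed lease, so DISCOVER/REQUEST lines are deliberately ignored.
DHCP_LOG = """\
Mar  4 10:15:00 dhcp1 dhcpd[1234]: DHCPDISCOVER from 00:1a:2b:3c:4d:5e via eth0
Mar  4 10:15:01 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.23 to 00:1a:2b:3c:4d:5e (laptop-alice) via eth0
Mar  4 10:16:10 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.77 to 08:00:27:aa:bb:cc via eth0
Mar  4 10:17:42 dhcp1 dhcpd[1234]: DHCPACK on 10.0.1.91 to 00:1A:2B:3C:4D:60 (contractor-nb) via eth0
Mar  4 10:18:05 dhcp1 dhcpd[1234]: DHCPREQUEST for 10.0.1.40 from 00:1a:2b:3c:4d:5f via eth0
"""

# Hostname is optional in the ACK line (clients need not send one).
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<hostname>[^)]*)\))? via"
)


def parse_dhcp_acks(log_text):
    """Return one {ip, mac, hostname} dict per DHCPACK line, MACs lowercased."""
    leases = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue
        leases.append({
            "ip": m.group("ip"),
            "mac": m.group("mac").lower(),
            "hostname": m.group("hostname") or "",
        })
    return leases


def load_inventory(csv_text):
    """Key the inventory by hardware address; the IP is just the current lease."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["mac"].lower(): dict(row) for row in rows}


def reconcile(inventory, leases):
    """Apply leases to the inventory (1.4) and return what 1.2 must act on.

    Returns (updated_inventory, unauthorized); unauthorized lists leases whose MAC
    is absent from the inventory or present but not approved.
    """
    updated = {mac: dict(row) for mac, row in inventory.items()}
    unauthorized = []
    for lease in leases:
        row = updated.get(lease["mac"])
        if row is None:
            # Unknown hardware address: record it so the next review sees it, but never
            # as approved. Approval is a human decision, not the parser's.
            row = {"mac": lease["mac"], "hostname": lease["hostname"], "ip": lease["ip"],
                   "owner": "", "department": "", "approved": "no"}
            updated[lease["mac"]] = row
            unauthorized.append({**lease, "reason": "not in inventory"})
            continue
        row["ip"] = lease["ip"]  # the current address is the fact DHCP contributes
        if lease["hostname"] and not row["hostname"]:
            row["hostname"] = lease["hostname"]
        if row["approved"].strip().lower() != "yes":
            unauthorized.append({**lease, "reason": "inventoried but not approved"})
    return updated, unauthorized


def to_csv(inventory):
    """Serialize the inventory back to the same flat-file layout."""
    fields = ["mac", "hostname", "ip", "owner", "department", "approved"]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields)
    writer.writeheader()
    for mac in sorted(inventory):
        writer.writerow({f: inventory[mac].get(f, "") for f in fields})
    return out.getvalue()


if __name__ == "__main__":
    inv, bad = reconcile(load_inventory(INVENTORY_CSV), parse_dhcp_acks(DHCP_LOG))
    print(to_csv(inv))
    for item in bad:
        print(f"ACTION (1.2): {item['mac']} at {item['ip']}: {item['reason']}")
```

Run weekly (the cadence 1.4 and 1.2 both ask for), the “ACTION” lines are the work queue for 1.2: quarantine, block, or approve and fill in the owner and department columns.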
1.5) Use a Passive Asset Discovery Tool
Description: Use a passive discovery tool to identify assets connected to the enterprise’s network. Review and use scans to update the enterprise’s asset inventory at least weekly.
Notes: The security function for this safeguard is Detect: finding assets by passive discovery methods. Whereas active discovery sends packets to a host and watches for its response, passive discovery locates hosts and the services they run by observing the traffic that servers and clients generate anyway (for example from a SPAN port or a network tap), so a host firewall cannot hide a device from it and it adds no load to the network. Passive and active discovery are complementary; used together they give organizations richer data from which to build a detailed picture of every asset on their network. Organizations can’t protect what they don’t know they have.
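As an added example (not code from the original post or from CIS), here is passive discovery from ARP traffic in Python. ARP is a good first source because every IPv4 host on a segment must speak it, so merely listening yields MAC/IP pairs. The frames here are constructed inside the script (the builder exists only to fabricate test input; in practice you would read frames from a tap, a mirrored port, or a pcap file), the parser records only the sender MAC/IP pair of each frame, and an IP claimed by more than one hardware address is reported separately because it is either a re-addressed host or an ARP spoofing attempt.

```python
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_arp_frame(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Fabricate an Ethernet+ARP frame. Test-input builder only, not captured traffic."""
    dst = b"\xff" * 6 if oper == ARP_REQUEST else _mac_bytes(target_mac)
    eth = dst + _mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)   # htype, ptype, hlen, plen, oper
           + _mac_bytes(sender_mac) + _ip_bytes(sender_ip)
           + _mac_bytes(target_mac) + _ip_bytes(target_ip))
    return eth + arp


# Constructed sample traffic: two hosts resolving the gateway, a genuine gateway reply,
# a second device also claiming the gateway's address, an RFC 5227 probe from a host
# that has no address yet, and one non-ARP frame that must be ignored.
SAMPLE_FRAMES = [
    build_arp_frame(ARP_REQUEST, "00:1a:2b:3c:4d:5e", "10.0.1.23", "00:00:00:00:00:00", "10.0.1.1"),
    build_arp_frame(ARP_REPLY, "00:1a:2b:3c:4d:01", "10.0.1.1", "00:1a:2b:3c:4d:5e", "10.0.1.23"),
    build_arp_frame(ARP_REQUEST, "08:00:27:aa:bb:cc", "10.0.1.77", "00:00:00:00:00:00", "10.0.1.1"),
    build_arp_frame(ARP_REPLY, "de:ad:be:ef:00:01", "10.0.1.1", "08:00:27:aa:bb:cc", "10.0.1.77"),
    build_arp_frame(ARP_REQUEST, "aa:bb:cc:dd:ee:ff", "0.0.0.0", "00:00:00:00:00:00", "10.0.1.50"),
    b"\xff" * 6 + _mac_bytes("00:1a:2b:3c:4d:5e") + struct.pack("!H", 0x0800) + b"\x00" * 28,
]


def parse_arp(frame):
    """Return (sender_mac, sender_ip) for an IPv4-over-Ethernet ARP frame, else None.

    Only the sender pair is trusted: in a request the target is a guess, and in a
    reply the sender is the host that actually answered.
    """
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper not in (ARP_REQUEST, ARP_REPLY):
        return None
    sha, spa = frame[22:28], frame[28:32]
    if spa == b"\x00\x00\x00\x00":
        return None  # ARP probe (RFC 5227): the host exists but has no address to record yet
    return ":".join(f"{b:02x}" for b in sha), ".".join(str(b) for b in spa)


def passive_discover(frames):
    """Fold observed ARP traffic into {mac: set(ips)} plus {ip: [macs]} conflicts.

    An IP claimed by more than one MAC is either a re-addressed host or an ARP
    spoofing attempt; either way it needs a human look, so it is reported separately.
    """
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        mac, ip = parsed
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    conflicts = {ip: sorted(macs) for ip, macs in ip_to_macs.items() if len(macs) > 1}
    return dict(mac_to_ips), conflicts


if __name__ == "__main__":
    macs, conflicts = passive_discover(SAMPLE_FRAMES)
    for mac, ips in sorted(macs.items()):
        print(mac, sorted(ips))
    for ip, claimants in conflicts.items():
        print(f"CONFLICT: {ip} claimed by {claimants}")
```

The MAC/IP pairs feed the same MAC-keyed inventory that the DHCP logs update, and the conflict list is an input to 1.2 in its own right: a second device answering for the gateway address is exactly the kind of unauthorized asset the weekly process exists to catch.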