Networks form a critical core for our modern-day society and businesses. These networks are comprised of many types of components that make up the networks’ infrastructure. Network infrastructure devices can be physical or virtual and include things such as routers, switches, firewalls, and wireless access points. Unfortunately, many devices are shipped from manufacturers with “default” configuration settings and passwords that, if deployed as-is, can significantly weaken an organization’s network infrastructure. Even if network devices are hardened with non-default configurations and strong passwords, over time these devices will be targeted by new vulnerabilities that are discovered by security researchers.
Key Takeaways for Control 12
Enterprises should ensure the teams implementing and operating the network infrastructure have processes and procedures in place that include capabilities for having a secure network infrastructure. These processes and procedures include, but are not limited to:
- developing a network security architecture,
- implementing a continuous security improvement process,
- creating and evolving a network security maturity model,
- developing and maintaining network architecture diagrams and documentation,
- ensuring no default settings or passwords for network devices, and
- implementing a patch and vulnerability management program for network infrastructure devices.
Control 12 is designed to help organizations enable and maintain more secure network infrastructure.
Safeguards for Control 12
1: Ensure Network Infrastructure is Up-to-Date
Description: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
Notes: The security function associated with this safeguard is Protect.
2: Establish and Maintain a Secure Network Architecture
Description: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
Notes: The security function associated with this safeguard is Protect.
3: Securely Manage Network Infrastructure
Description: Securely manage network infrastructure. Example implementations include version-controlled-infrastructure-as-code, and the use of secure network protocols, such as SSH and HTTPS.
Notes: The security function associated with this safeguard is Protect.
4: Establish and Maintain Architecture Diagrams
Description: Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Notes: The security function associated with this safeguard is Identify.
5: Centralize Network Authentication, Authorization, and Auditing (AAA)
Description: Centralize network AAA.
Notes: The security function associated with this safeguard is Protect.
6: Use of Secure Network Management and Communication Protocols
Description: Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (WPA2) Enterprise or greater).
Notes: The security function associated with this safeguard is Protect.
7: Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure
Description: Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices.
Notes: The security function associated with this safeguard is Protect.
8: Establish and Maintain Dedicated Computing Resources for all Administrative Work
Description: Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise’s primary network and not be allowed internet access.
Notes: The security function associated with this safeguard is Protect.
See how simple and effective security controls can create a framework that helps you protect your organization and data from known cyber-attack vectors by downloading this guide.
Read more about the 18 CIS Controls here:
CIS Control 1: Inventory and Control of Enterprise Assets
CIS Control 2: Inventory and Control of Software Assets
CIS Control 3: Data Protection
CIS Control 4: Secure Configuration of Enterprise Assets and Software
CIS Control 5: Account Management
CIS Control 6: Access Control Management
CIS Control 7: Continuous Vulnerability Management
CIS Control 8: Audit Log Management
CIS Control 9: Email and Web Browser Protections
CIS Control 10: Malware Defenses
CIS Control 12: Network Infrastructure Management