Utilizing CIS 20 Controls for Vulnerability Prioritization

The CIS 20 Critical Security Controls are one of the reference frameworks of the most critical controls an organization can implement to establish a well-balanced security program that safeguards the confidentiality, integrity and availability of information. The framework provides detailed guidance on prioritizing, implementing and customizing your security controls, as well as on sequencing, testing and achieving continuous automation.

The CIS 20 controls are also known to be relatively difficult to implement fully. It is the type of framework that an organization builds over time and that improves with maturity. With that in mind, in this blog post we're covering 13 of the 20 controls. We chose them because these particular controls map directly to what our vulnerability management and risk measurement platform, Unified VRM powered by E3 Engine, covers. They are the following:

  • CSC1 – Inventory of Authorized and Unauthorized Devices
  • CSC2 – Inventory of Authorized and Unauthorized Software
  • CSC3 – Secure Configurations for Hardware and Software
  • CSC4 – Continuous Vulnerability Assessment and Remediation
  • CSC5 – Controlled Use of Administrative Privileges
  • CSC7 – Email and Web Browser Protections
  • CSC8 – Malware Defenses
  • CSC9 – Limitation and Control of Network Ports
  • CSC11 – Secure Configurations for Network Devices
  • CSC12 – Boundary Defense
  • CSC15 – Wireless Access Control
  • CSC18 – Application Software Security
  • CSC20 – Penetration Tests and Red Team Exercises

We’ll go through each of these controls, and how each one corresponds to the capabilities of Unified VRM. Imagine having one platform that covers 13 out of the 20 controls right away.

Note: This is a gist of an informative webcast by our CTO. To watch the free webcast in its entirety on demand, see CIS 20 Controls: How Unified VRM Can Help.

CSC1 – Inventory of Authorized and Unauthorized Devices

How Unified VRM Helps:

  • Importing scan results automatically loads the corresponding vulnerable assets.
  • Scanning automatically detects live hosts within a target network.
  • Clients can pipe the updated assets on their network into the platform via the UVRM REST API.
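The defensive value of CSC1 comes from comparing what a scan actually finds live on the network with what the organization believes is authorized. The following is an added example, not NopSec or Unified VRM code: it parses a constructed scan export (the JSON shape is hypothetical, not the UVRM REST API format) and reconciles it against a constructed authorized inventory, reporting unauthorized devices, inventory entries the scan did not see, and matches. The scan scope is passed explicitly so that inventory entries outside the scanned range are not falsely reported as missing.

```python
"""Reconcile scanner-discovered hosts against an authorized asset inventory.

Added example (not NopSec / Unified VRM code). The inventory and scan
records below are constructed sample data; the JSON layout is a
hypothetical export format, not the UVRM REST API.
"""
import ipaddress
import json
from dataclasses import dataclass

# Constructed: the organization's authorized asset inventory (e.g. a CMDB export).
AUTHORIZED_INVENTORY = {
    "10.0.1.10": {"hostname": "dc01", "owner": "it-infra", "role": "domain-controller"},
    "10.0.1.20": {"hostname": "web01", "owner": "app-team", "role": "web-server"},
    "10.0.1.30": {"hostname": "db01", "owner": "app-team", "role": "database"},
    "10.0.2.5": {"hostname": "lab-nas", "owner": "r-and-d", "role": "storage"},  # outside scan scope
}

# Constructed: live hosts reported by a network scan (hypothetical JSON export).
SCAN_EXPORT = json.dumps({
    "scan_id": "example-scan-001",
    "hosts": [
        {"ip": "10.0.1.10", "hostname": "dc01", "open_ports": [88, 389, 445]},
        {"ip": "10.0.1.20", "hostname": "web01", "open_ports": [80, 443]},
        {"ip": "10.0.1.77", "hostname": "", "open_ports": [22, 8080]},  # not in inventory
    ],
})


@dataclass(frozen=True)
class Reconciliation:
    matched: tuple        # IPs present in both the inventory and the scan
    unauthorized: tuple   # live on the network but absent from the inventory
    missing: tuple        # in the inventory (and in scope) but not seen live


def parse_scan(export_json: str) -> dict:
    """Return {ip: host_record} for every live host, validating each address."""
    hosts = {}
    for rec in json.loads(export_json)["hosts"]:
        ip = str(ipaddress.ip_address(rec["ip"]))  # raises ValueError on malformed input
        hosts[ip] = rec
    return hosts


def reconcile(inventory: dict, scanned: dict, in_scope: str) -> Reconciliation:
    """Compare the inventory with scan results, limited to the scanned network."""
    net = ipaddress.ip_network(in_scope)
    inv_ips = {ip for ip in inventory if ipaddress.ip_address(ip) in net}
    seen = set(scanned)
    return Reconciliation(
        matched=tuple(sorted(inv_ips & seen)),
        unauthorized=tuple(sorted(seen - inv_ips)),
        missing=tuple(sorted(inv_ips - seen)),
    )


def run_example() -> Reconciliation:
    """Reconcile the constructed inventory against the constructed scan for 10.0.1.0/24."""
    return reconcile(AUTHORIZED_INVENTORY, parse_scan(SCAN_EXPORT), "10.0.1.0/24")


if __name__ == "__main__":
    result = run_example()
    scanned = parse_scan(SCAN_EXPORT)
    for ip in result.unauthorized:
        print(f"UNAUTHORIZED device {ip}: open ports {scanned[ip]['open_ports']}")
    for ip in result.missing:
        print(f"MISSING from scan: {ip} ({AUTHORIZED_INVENTORY[ip]['hostname']})")
    print(f"matched: {result.matched}")
```

In practice the "missing" list is as important as the "unauthorized" one: an inventoried host that no longer answers may have been decommissioned without updating the inventory, or it may be filtering the scanner, and either way it is a gap in the control.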

CSC2 – Inventory of Authorized and Unauthorized Software

How Unified VRM Helps:

  • Importing scan results automatically detects and catalogs installed software.
  • Scanning automatically detects installed software, especially when conducting an authenticated scan.

CSC3 – Secure Configurations for Hardware and Software

How Unified VRM Helps:

  • Unified VRM configuration testing allows configurations to be tested against best-practice checklists (NIST, CIS and various compliance standards).
  • Identification of insecure and non-compliant configuration settings.

CSC4 – Continuous Vulnerability Assessment and Remediation

How Unified VRM Helps:

  • Scan, and import vulnerability scan results for, both networks and applications.
  • Import results regardless of the scanner used.
  • Customized remediation guidance.
  • Connection to SCCM for automated remediation.
  • Automated generation of WAF rules for web applications.

CSC5 – Controlled Use of Administrative Privileges

How Unified VRM Helps:

  • When we scan a Windows domain controller, we can get information on domain Group Policies:
    • Password length
    • Users belonging to the admin group
    • Audit policies for monitoring domain admin users
    • Other relevant policies
  • With the Unified VRM Configuration module, we can check admin-user monitoring policies and other relevant domain configurations by examining the domain controller's configuration.

CSC7 – Email and Web Browser Protections

How Unified VRM Helps:

  • Whether through a native scan or an import, through authenticated scans or through configuration module scans, vulnerabilities and misconfigurations are reported for both email clients and web browsers, including patch and configuration management gaps.
  • Mail server vulnerabilities and misconfigurations are checked.
  • The most common web browser vulnerabilities and missing patches are reported.

CSC8 – Malware Defenses

How Unified VRM Helps:

  • Unified VRM allows the vulnerability management risk evaluation to be joined with threat intelligence on malware and public exploits in the wild.
  • Correlating vulnerabilities with the malware and exploits that use them allows better evaluation and prioritization of those vulnerabilities, and better scheduling of the related remedial actions.
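The prioritization idea in the two bullets above is that a scanner's CVSS score alone is a poor ranking key: a medium-severity flaw that malware is actively exploiting on a domain controller usually deserves attention before a critical-rated flaw with no known exploit on a kiosk. The following is an added example, not Unified VRM or E3 Engine code, and the scoring weights are an illustrative choice rather than the product's algorithm. Findings, the threat-intelligence feed, asset criticality weights and the CVE identifiers are all constructed placeholders.

```python
"""Rank vulnerability findings by correlating them with exploit/malware intelligence.

Added example (not Unified VRM / E3 Engine code). The findings, the threat
intel feed, the asset weights and the CVE ids are constructed placeholders,
and the multipliers are an illustrative scoring choice.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float  # base score 0-10 as reported by the scanner


# Constructed scan findings (CVE ids are placeholders, not real identifiers).
FINDINGS = [
    Finding("web01", "CVE-EXAMPLE-0001", 9.8),    # critical CVSS, no known exploit
    Finding("web01", "CVE-EXAMPLE-0002", 7.5),    # public exploit and malware use
    Finding("dc01", "CVE-EXAMPLE-0003", 6.5),     # public exploit, on a domain controller
    Finding("kiosk03", "CVE-EXAMPLE-0002", 7.5),  # same CVE as above, low-value asset
]

# Constructed threat-intelligence feed: what is known to be used in the wild.
THREAT_INTEL = {
    "CVE-EXAMPLE-0002": {"public_exploit": True, "malware": ["ExampleBot"]},
    "CVE-EXAMPLE-0003": {"public_exploit": True, "malware": []},
}

# Constructed asset criticality weights (what asset tagging / a CMDB would supply).
ASSET_WEIGHT = {"dc01": 3.0, "web01": 2.0, "kiosk03": 0.5}


def risk_score(finding: Finding, intel: dict, weights: dict) -> float:
    """Combine CVSS with exploit/malware intel and asset criticality.

    Multiplier (illustrative): 1.0 baseline, 2.0 if a public exploit exists,
    3.0 if malware is known to use the vulnerability. Unknown assets weigh 1.0.
    """
    info = intel.get(finding.cve, {})
    if info.get("malware"):
        multiplier = 3.0
    elif info.get("public_exploit"):
        multiplier = 2.0
    else:
        multiplier = 1.0
    return round(finding.cvss * multiplier * weights.get(finding.asset, 1.0), 2)


def prioritize(findings, intel, weights):
    """Return (score, finding) pairs ordered from highest to lowest risk."""
    scored = [(risk_score(f, intel, weights), f) for f in findings]
    return sorted(scored, key=lambda pair: pair[0], reverse=True)


if __name__ == "__main__":
    for score, f in prioritize(FINDINGS, THREAT_INTEL, ASSET_WEIGHT):
        print(f"{score:6.2f}  {f.asset:8s} {f.cve}  (CVSS {f.cvss})")
```

With the constructed data, the CVSS 9.8 finding drops to third place behind two lower-rated findings that have public exploits and sit on higher-value assets, which is the reordering the correlation is meant to produce. Any real deployment should revisit the multipliers against its own incident history rather than treat these values as fixed.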

CSC9 – Limitation and Control of Network Ports

How Unified VRM Helps:

  • For both external and internal scans with our embedded scanner, you can configure scan templates to select the ports (all or a subset) and the protocols (TCP and UDP) to be scanned.
  • For external network scans, the network port scanner can be configured not to ping the IP before port scanning it.
  • OS and service fingerprinting can be configured to provide additional details on, and detection of, the scanned hosts.

CSC11 – Secure Configurations for Network Devices

How Unified VRM Helps:

  • As part of our embedded scanner, we can perform authenticated scans via SSH and SNMP against network devices to find vulnerabilities.
  • The configuration module can detect misconfigurations on network devices such as routers and switches by comparing them with industry-standard configuration checklists (NIST, CIS, compliance standards, etc.).

CSC12 – Boundary Defense

How Unified VRM Helps:

  • Port scanning, fingerprinting and identification of VPN connection vulnerabilities are all steps performed in a vulnerability scan, whether run by the embedded scanner or imported.
  • Web application security testing can determine the effectiveness of the Web Application Firewall guarding Internet-facing applications.

CSC15 – Wireless Access Control

How Unified VRM Helps:

  • The wireless module can perform:
    • Wireless network site surveys
    • Rogue access point detection
    • WEP and WPA2 key cracking, including dictionary attacks and brute-forcing
  • Infrastructure vulnerabilities that are common to the internal and wireless modules can be identified via asset tagging.

CSC18 – Application Software Security

How Unified VRM Helps:

  • The Web Application module finds 0-day vulnerabilities as part of authenticated and unauthenticated web application scans.
  • Dynamic analysis
  • OWASP Top 10 vulnerabilities, including SQLi, XSS, CSRF, path traversal, etc.
  • Automated generation of virtual patching rules for various WAF platforms.

CSC20 – Penetration Tests and Red Team Exercises

How Unified VRM Helps:

  • NopSec performs various in-depth flavors of penetration tests, including external, internal, web application, wireless, mobile, embedded device / IoT and social engineering engagements.
  • We perform cutting-edge engagements that mimic real adversarial techniques, with or without the use of exploits.
  • We perform full logical and physical Red Team exercises, in collaboration and cooperation with internal Blue Teams.
  • NopSec Unified VRM powered by E3 Engine also performs safe, continuous active checks of your mitigating controls to verify that they are working.

To find out more about how NopSec can help you achieve compliance (and beyond) and harden your cyber security posture, reach out using this form and we'll get back to you within one business day.