December 20, 2017
4 minute read
Given the complexity of modern information technology, assessing cyber risk can quickly become overwhelming. One of the most pragmatic guides comes from the Center for Internet Security (CIS). While CIS provides a comprehensive list of twenty controls, they also provide guidance on the critical steps that "eliminate the vast majority of your organisation's vulnerabilities." These controls are the foundation of any cyber resilience platform and at the center of UpGuard's capabilities.
The most best cyber resilience project is the one you actually do. Here is what you should think about first to make improvements today.
Objective: "Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access."
What to do: UpGuard offers several options to discover the assets on your network and verify that they belong there. For organizations using Active Directory or cloud hosting like AWS or Azure, UpGuard can connect to your account, retrieve a list of all assets, and provide information about operating system and applications to determine if they should be shut down. To gain full visibility of the assets on your network, UpGuard also offers network discovery. UpGuard retrieves a list of all IP addresses that have communicated with your managed assets, then fills in gaps in the IP ranges with ping tests. If the discovered devices use credentials you know, you can start monitoring them for unauthorized software right away. If you don't have credentials to manage them then they may not belong on your network.
2) Inventory of Authorized and Unauthorized Software
Objective: "Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution."
What to do: All of the configuration items scanned by UpGuard are indexed for searching. That means finding unauthorized software just requires typing in its name. For example, Java and Internet Explorer are two packages I need to keep an eye on. After discovering risky, unpatched software, I would create a policy blacklisting it so that I will be notified in the future if it is installed again. UpGuard provides both an inventory of what is really on my systems and the capabilities to mark it as authorized or unauthorized.
Objective: "Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings."
After I know what I have through UpGuard's searchable inventory, it's time to start configuring it securely. Some packages, like Java 7, simply shouldn't be there. For these I create a test where the desired state is that the configuration item is not present. For my Windows machines, I similarly create simple tests ensuring that the latest hotfixes are installed. UpGuard can also test for other common configurations: ensuring that packages are present and are at or above a a secure version; confirming that only necessary ports are open and that risky ports are closed; testing the expiration date for certificates and domains so they don't lapse; and inspecting the contents of configuration files for secure settings.
Objective: "Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers."
What to do: UpGuard comes with a vulnerability scanner using public vulnerability definitions formerly maintained by MITRE and now by CIS. The vulnerability library tests for tens of thousands of vulnerabilities. How you scan your environment is configurable to match your remediation plan: you can look for all vulnerabilities ever or filter by severity.
Objective: "The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications."
What to do: Detecting users and groups is part of the default UpGuard baseline scan, so you always have a full audit trail on access privileges. Additionally, the baseline scans allow for comparisons between nodes to ensure that you are in a consistent state. Without automated access control audits, configuration drift in administrative privileges leads to security gaps. With UpGuard, those existing risks can be found quickly and remediated. Future changes to administrative privileges will be visible to your risk management team.