CIS-CSC – Requirements

Control #

Description

LogRhythm Objects

1.1

Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.

Report ID 959

1.2

Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.

 

1.3

Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.

AIE ID 383

AIE ID 508

1.4

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization's network or not.

Investigation ID 219

Investigation ID 220

Investigation ID 223

Report ID 959

1.5

Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.

 

1.6

Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.

 

1.7

Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.

Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.

1.8

Use client certificates to authenticate hardware assets connecting to the organization's trusted network.

Use 802.1x logs with asset management lists to identify unauthorized systems

2.1

Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.

Use Registry Integrity Monitor (RIM) to monitor for “Autoruns” based on a whitelist or trend and File Integrity Monitor (FIM) policy templates of OSes to determine whether authorized software has been modified.

2.2

Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.

 

2.3

Utilize software inventory tools throughout the organization to automate the documentation of all software on business system

AIE ID 452

Report ID 1004

2.4

The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.

 

2.5

The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.

 

2.6

Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.

 

2.7

Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.

Investigation ID 227

2.8

The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.

 

2.9

The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1,

 *.py, macros, etc) are allowed to run on a system.

 

2.10

Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incur higher risk for the organization.

Asset lists and the Entity structured can be paired with AI Engine rules to identify network connections with systems that should be air gapped.

3.1

Utilize an up-to-date SCAP-compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.

AIE ID 494

Report ID 1005

Report ID 1006

3.2

Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.

AI Engine and Reports can be configured to identify failed scan events.

3.3

Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.

 

3.4

Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.

Although LogRhythm does not have a specific “Out of the Box” report to meet this control, with Windows WSUS, you can monitor AGPM settings for systems on the domain to look for Windows Update Changes. Also, use RIM monitoring after WSUS is configured on the endpoint.

3.5

Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.

 

3.6

Regularly compare the results from back-to-back vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.

AIE ID 495

Report ID 1005

Report ID 1006

3.7

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

Report ID 1005

Report ID 1006

4.1

Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.

A Privileged User list and AI Engine can be used to validate that proper process has been followed.

4.2

Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.

Although LogRhythm does not have a specific “Out of the Box” report to meet this control, this could be supported by compliance modules within vulnerability scanning tools looking for default user names and passwords. A compliance module can be created in a vulnerability scanner to further evaluate user and password settings. Based on the vulnerability scanner log results, AIE could generate an event/alert. Reports can also be made based on results.

Also, using RIM and monitoring HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters (https://support.microsoft.com/en-us/kb/225511) in combination with the AIE Rule CSC: New Network Host can generate an event/alert if a new network host is detected and its password hasn't been updated.

4.3

Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.

AIE Rule 162

AIE Rule 165

4.4

Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.

 

4.5

Use multi-factor authentication and encrypted channels for all administrative account access.

 

4.6

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading e-mail, composing documents, or browsing the Internet.

AI Engine whitelisting and a Privileged Users list can be used to identify administrative authentication from an unauthorized system.

4.7

Limit access to scripting tools (such as Microsoft PowerShell and Python) to only administrative or development users with the need to access those capabilities.

 

4.8

Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.

AIE ID 37

AIE ID 40

AIE ID 160

AIE ID 161

5.1

Maintain documented, standard security configuration standards for all authorized operating systems and software.

Use File Integrity Monitor (FIM) and Registry Integrity Monitor (RIM) to detect deviations from standard images.

When generating a hardened OS, it is recommended that you use the CIS Benchmark specific to your OS.

5.2

Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.

Investigation ID 221

Report ID 1022

 

5.3

Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.

Use File Integrity Monitor (FIM) to identify modifications to standard images.

5.4

Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.

Group Policy changes can be identified via Active Directory Event logs.

5.5

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.

AIE ID 287

AIE ID 490

AIE ID 491

AIE ID 492

AIE ID 81

AIE ID 158

AIE ID 159

AIE ID 160

AIE ID 161

AIE ID 162

AIE ID 165

AIE ID 493

Investigation ID 221

6.1

Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.

AI Engine whitelist functionality can be used to monitor authorized and unauthorized NTP activity.

6.2

Ensure that local logging has been enabled on all systems and networking devices.

AIE ID 36

AIE ID 453

Silent Log Source detection alarms can be used to identify errors in logging configuration.

6.3

Enable system logging to include detailed information such as a event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.

 

6.4

Ensure that all systems that store logs have adequate storage space for the logs generated.

Silent Log Source detection alarms can be used to identify errors in logging configuration.

6.5

Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.

 

6.6

Deploy Security Information and Event Management (SIEM) or log analytic tool for log correlation and analysis.

Report ID 1015

6.7

On a regular basis, review logs to identify anomalies or abnormal events.

Investigation ID 227

Report ID 84

Report ID 1015

6.8

On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.

 

7.1

Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.

LogRhythm lists can be used to identify blacklisted or whitelisted User Agent strings in LogRhythm Network Monitor or outbound web proxy logs.

7.2

Uninstall or disable any unauthorized browser or email client plugins or add-on applications.

 

7.3

Ensure that only authorized scripting languages are able to run in all web browsers and email clients.

 

7.4

Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facility

Monitor and alarm with Next Gen Firewall or LogRhythm Network Monitor logs for unapproved traffic.

7.5

Subscribe to URL categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.

 

7.6

Log all URL requests from each of the organization's systems, whether onsite or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.

LogRhythm can collect and correlate data from an outbound web proxy or endpoint protection system.

7.7

Use DNS filtering services to help block access to known malicious domains.

 

7.8

To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail(DKIM) standards.

 

7.9

Block all e-mail attachments entering the organization's e-mail gateway if the file types are unnecessary for the organization's business.

 

7.10

Use sandboxing to analyze and block inbound email attachments with malicious behavior.

 

8.1

Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers.

AIE ID 14

AIE ID 99

AIE ID 115

AIE ID 117

AIE ID 488

AIE ID 509

AIE ID 1112

AIE ID 1113

Report ID 1007

8.2

Ensure that the organization's anti-malware software updates its scanning engine and signature database on a regular basis.

 

8.3

Enable anti-exploitation features such as Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.

 

8.4

Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.

The Data Loss Defender feature of the LogRhythm System Monitor Agent can be configured to limit usage of removable media.

8.5

Configure devices to not auto-run content from removable media.

 

8.6

Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting.

 

8.7

Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.

AI Engine rules and the LogRhythm Threat Intelligence Service can be used to collect DNS query logs and identify queries of malicious domains.

8.8

Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.

 

9.1

Associate active ports, services, and protocols to the hardware assets in the asset inventory.

 

9.2

Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.

LogRhythm AI Engine can be configured to alarm when traffic operating on a blacklisted port or a blacklisted service is observed.

9.3

Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.

AI Engine Whitelist or Trend rules can be used to identify traffic to ports which have not been used in the past.

9.4

Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.

AIE ID 499

AIE ID 500

LogRhythm AI Engine can be configured to alarm when traffic operating on a blacklisted port or a blacklisted service is observed.

9.5

Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.

AIE ID 12

AIE ID 13

Report ID 1021

 

10.1

Ensure that all system data is automatically backed up on regular basis.

AIE ID 498

Report ID 1008

Report ID 1023

Report ID 1024

10.2

Ensure that each of the organization's key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system.

 

10.3

Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.

Report ID 1024

10.4

Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.

 

10.5

Ensure that all backups have at least one backup destination that is not continuously addressable through operating system calls.

AIE ID 498

11.1

Maintain standard, documented security configuration standards for all authorized network devices.

AIE ID 81

AIE ID 493

11.2

All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual’s name responsible for that business need, and an expected duration of the need.

 

11.3

Compare all network device configuration against approved security configurations defined for each network device in use and alert when any deviations are discovered.

AIE ID 490

AIE ID 491

AIE ID 492

AIE ID 493

Report ID 1020

11.4

Install the latest stable version of any security-related updates on all network devices.

LogRhythm metadata fields include a Version field which can be audited using investigations, reports, and the web console to assist in identification of current software and firmware versions.

11.5

Manage all network devices using multi-factor authentication and encrypted sessions.

 

11.6

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading e-mail, composing documents, or surfing the Internet.

AI Engine rules and the Entity structure can be used to track systems used for privileged access and usage auditing, and then alarm on inappropriate activity.

11.7

Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.

 

12.1

Maintain an up-to-date inventory of all of the organization's network boundaries.

 

12.2

Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.

 

12.3

Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries.

AIE ID 439

AIE ID 453

AIE ID 464

AIE ID 497

AIE ID 499

AIE ID 500

AIE ID 502

12.4

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.

 

12.5

Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.

AIE ID 115

AIE ID 117

AIE ID 436

AIE ID 437

AIE ID 448

AIE ID 452

AIE ID 496

AIE ID 1112

AIE ID 1113

Report ID 67

12.6

Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries.

AIE ID 18

AIE ID 420

AIE ID 457

AIE ID 458

AIE ID 459

AIE ID 460

AIE ID 471

12.7

Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries.

AIE ID 12

AIE ID 13

AIE ID 14

AIE ID 82

12.8

Enable the collection of NetFlow and logging data on all network boundary devices.

AIE ID 432

12.9

Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.

Traffic data collected and analyzed by LogRhythm can be used to confirm whether an organization meets this control by identifying systems that don’t pass traffic through a proxy.

12.10

Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.

 

12.11

Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication.

This control can be supported by collecting data from a two-factor authentication system and correlating events with remote login access logs.

12.12

Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices.

This control can be supported by collecting data from a two-factor authentication system and correlating events with remote login access logs.

13.1

Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located onsite or at a remote service provider.

 

13.2

Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.

 

13.3

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.

 

13.4

Only allow access to authorized cloud storage or email providers.

Investigation ID 226

13.5

Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Investigation ID 226

13.6

Utilize approved whole disk encryption software to encrypt the hard drive of all mobile devices.

 

13.7

If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.

The Data Loss Defender feature of the LogRhythm System Monitor Agent can be configured to monitor and prevent usage of USB mass storage devices.

13.8

Configure systems not to write data to external removable media, if there is no business need for supporting such devices.

 

13.9

If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

 

14.1

Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).

AIE ID 287

14.2

Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.

 

14.3

Disable all workstation to workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as Private VLANs or micro segmentation.

 

14.4

Encrypt all sensitive information in transit.

LogRhythm Network Monitor data can be used to alert when unencrypted data transfer methods are used.

14.5

Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located onsite or at a remote service provider and update the organization's sensitive information inventory.

 

14.6

Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.

LogRhythm File Integrity Monitor can be configured to monitor sensitive information, with reports and investigations used to audit access.

14.7

Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when data is copied off a system.

 

14.8

Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.

 

14.9

Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.

Investigation ID 225

15.1

Maintain an inventory of authorized wireless access points connected to the wired network.

 

15.2

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.

 

15.3

Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.

AIE ID 508

15.4

Disable wireless access on devices that do not have a business purpose for wireless access.

 

15.5

Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks.

 

15.6

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

 

15.7

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

 

15.8

Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that requires mutual, multi-factor authentication.

 

15.9

Disable wireless peripheral access of devices (such as Bluetooth and NFC), unless such access is required for a business purpose.

 

15.10

Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.

By using network device logging of the MAC attached to each VLAN, an AI Engine rule can be used to alarm when a new MAC address is seen on a given VLAN.

16.1

Maintain an inventory of each of the organization's authentication systems, including those located onsite or at a remote service provider.

 

16.2

Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.

Investigation ID 219

Investigation ID 220

16.3

Require multi-factor authentication for all user accounts, on all systems, whether managed onsite or by a third-party provider.

 

16.4

Encrypt or hash with a salt all authentication credentials when stored.

AIE ID 34

AIE ID 250

AIE ID 501

LogRhythm File Integrity Monitor can be used to monitor access and permission changes on password files.

16.5

Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.

LogRhythm Network Monitor can assist in meeting this control by identifying authentication activity over insecure protocols.

16.6

Maintain an inventory of all accounts organized by authentication system.

 

16.7

Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.

AIE ID 158

AIE ID 159

Report ID 15

16.8

Disable any account that cannot be associated with a business process or business owner.

AIE ID 506

AIE ID 507

Investigation ID 218

16.9

Automatically disable dormant accounts after a set period of inactivity.

 

16.10

Ensure that all accounts have an expiration date that is monitored and enforced.

 

16.11

Automatically lock workstation sessions after a standard period of inactivity.

 

16.12

Monitor attempts to access deactivated accounts through audit logging.

AIE ID 76

AIE ID 88

16.13

Alert when users deviate from normal login behavior, such as time-of-day, workstation location and duration.

 

17.1

Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.

Although LogRhythm does not have a specific “Out of the Box” report to meet this control, it would likely be met by analyzing the number of CSC incidents. After determining which areas of CSC have the most incidents, develop a training and awareness program around reducing future incidents.

17.2

Deliver training to address the skills gap identified to positively impact workforce members' security behavior.

Although LogRhythm does not have a specific “Out of the Box” report to meet this control, it would likely be met by analyzing the number of CSC incidents. After determining which areas of CSC have the most incidents, develop a training and awareness program around reducing future incidents. Alternatively, you can measure the effectiveness of the training given by in-house vs. professional training by determining the percentage decrease of incidents over time.

17.3

Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner.

Although LogRhythm does not have a specific “Out of the Box” report to meet this control, it would likely be met by analyzing the number of CSC incidents. After determining which areas of CSC have the most incidents, develop a training and awareness program around reducing future incidents. Alternatively, you can measure the effectiveness of the training given by in-house vs. professional training by determining the percentage decrease of incidents over time. Alternatively, you could monitor the training logs along with an AIE rule that would monitor for successful completion of a training module and generate an event/alert when observed.

17.4

Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements.

 

17.5

Train workforce members on the importance of enabling and utilizing secure authentication.

 

17.6

Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams and impersonation calls.

 

17.7

Train workforce on how to identify and properly store, transfer, archive and destroy sensitive information.

 

17.8

Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.

 

17.9

Train employees to be able to identify the most common indicators of an incident and be able to report such an incident.

 

18.1

Establish secure coding practices appropriate to the programming language and development environment being used.

 

18.2

For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.

 

18.3

Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.

 

18.4

Only use up-to-date and trusted third-party components for the software developed by the organization.

 

18.5

Use only standardized and extensively reviewed encryption algorithms.

 

18.6

Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.

 

18.7

Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.

 

18.8

Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.

 

18.9

Maintain separate environments for production and nonproduction systems. Developers should not have unmonitored access to production environments.

Audit logs from production environments collected by LogRhythm can be used to alarm on, or audit, usage of these systems by developers.

18.10

Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.

AIE ID 95

AIE ID 97

AIE ID 99

AIE ID 497

Report 1019

18.11

For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.

 

19.1

Ensure that there are written incident response plans that define roles of personnel as well as phases of incident handling/management.

LogRhythm can support this control by allowing end users to add response procedures to each AI Engine rule. The procedures should detail the analyst response and incident handling plan. LogRhythm Case Management can also be leveraged to support this control.

19.2

Assign job titles and duties for handling computer and network incidents to specific individuals and ensure tracking and documentation throughout the incident through resolution.

 

19.3

Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.

 

19.4

Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.

 

19.5

Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and ISAC partners.

 

19.6

Publish information for all workforce members, regarding reporting computer anomalies and incidents to the incident handling team. Such information should be included in routine employee awareness activities.

This control would likely be met by analyzing the number of CSC incidents. After determining which areas of CSC have the most incidents, develop a training and awareness program around reducing future incidents.

19.7

Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them.

This control would likely be met by analyzing the number of CSC incidents. After determining which areas of CSC have the most incidents, develop a training and awareness program around reducing future incidents.

19.8

Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize the score to define frequency of status updates and escalation procedures.

 

20.1

Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.

This control would likely be met by using the LogRhythm platform to validate the Red Team tactics and using Case Management to categorize the types of observed attacks and methods.

20.2

Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.

 

20.3

Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.

This control would likely be met by using the LogRhythm platform to validate the Red Team tactics and using Case Management to categorize the types of observed attacks and methods.

20.4

Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, e-mails or documents containing passwords or other information critical to system operation.

This control would likely be met by using compliance audits that look for sensitive data during vulnerability scans, along with an AIE rule that would generate event/alerts when the compliance audit fails.

20.5

Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.

 

20.6

Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.

This control would likely be met by observing Red Team activities with LogRhythm and practicing responding accordingly. Any items that Red Teams were able to accomplish without the Security Operations Center (SOC) being alerted indicate a gap that should be evaluated; the reasons they were not noticed by the SOC should be determined and addressed.

20.7

Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.

This control would likely be met by generating reports in LogRhythm that are specific to the Red Team activities.

20.8

Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over.

This control would likely be met by creating a list of accounts used by Red Team, along with an AIE rule that would generate alerts when Red Team accounts are used outside of approved engagements.
