Council on CyberSecurity - Critical Security Controls Report

by Cody Dumont
March 18, 2014

This report covers many of the controls found in the Council on CyberSecurity 20 Critical Security Controls. The report is available in the SecurityCenter 4.7 Report app feed, an app store of dashboards, reports and assets. The report requirements are:

  • SecurityCenter 4.7.1
  • LCE 4.2.2
  • PVS 4.0.1
  • Nessus Scanner 5.2.5

As published by the Council on CyberSecurity, the goal of the 20 Critical Security Controls is to protect assets, infrastructure, and information by strengthening your organization’s defensive posture through continuous automated protection and monitoring. The report consists of 15 chapters, each containing a series of sections. In effect, the report is over 50 smaller reports combined. Each mini-report consists of two or more descriptive paragraphs, an asset summary, and a top 100 table.

The descriptive paragraphs provide an overview of each control and a description of what is used to check it. The asset summary is a chart view of the control as it pertains to assets. The top 100 is a table of vulnerabilities, hosts, or ports.

In addition, Nessus, PVS, and LCE are required to enable certain compliance indicators, such as CIS, HIPAA, PCI, or DISA. Which of these are used is left to the organization’s preference, and the regulatory requirements that need to be fulfilled are fully customizable within the component itself.

Depending on organizational requirements and needs, every report section can be configured for use in any environment with basic knowledge of SecurityCenter. The following is a brief description of each component and the associated control.

CoCS 20 Critical Security Controls - Control 1 New Device Detection: This chapter utilizes Nessus, LCE, and PVS plugins (active, event, and passive) to report new hosts found in the configured network range over the last 48 hours by recording the network address and machine names.

Associated NIST SP 800-53 Rev 4 Priority 1 Controls: CM-8, IA-3, SA-4, SC-17, SI-4, PM-5

CoCS 20 Critical Security Controls - Control 3 Secure Configurations: The results for this chapter are defined by keywords in vulnerability text that match text contained in several plugins. The chapter sections provide mini-reports for compliance data against PCI, DISA, CIS, and HIPAA checks.

Associated NIST SP 800-53 Rev 4 Priority 1 Controls: CM-2, CM-3, CM-5, CM-6, CM-7, CM-8, CM-9, CM-11, MA-4, RA-5, SA-4, SC-15, SI-2, SI-4

CoCS 20 Critical Security Controls - Control 4 Continuous Vulnerability Scanning: This chapter displays the total number of known systems within the specified range, the number that have been observed over the last 30 days, and the percentage of systems that have had a credentialed scan completed over the last 30 days. It allows you to determine if vulnerability scanning is occurring against all the systems in the specified range.

Associated NIST SP 800-53 Rev 4 Priority 1 Controls: RA-5, SI-4, SI-7
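As an added example (not code from the report or from Tenable), the following Python computes the Control 4 figures described above from a constructed host inventory. It assumes the credentialed-scan percentage is taken over all known hosts, and that each host record carries the date it was last observed by any sensor and the date of its last completed credentialed scan.

```python
from datetime import date, timedelta

# Constructed sample inventory (documentation addresses, not real hosts):
# 'last_seen' is the most recent date any sensor (active scan, passive
# detection or log event) observed the host; 'last_credentialed' is the most
# recent date a credentialed Nessus scan completed against it (None = never).
HOSTS = [
    {"ip": "192.0.2.10", "last_seen": date(2014, 3, 17), "last_credentialed": date(2014, 3, 15)},
    {"ip": "192.0.2.11", "last_seen": date(2014, 3, 1),  "last_credentialed": date(2014, 1, 20)},
    {"ip": "192.0.2.12", "last_seen": date(2014, 2, 10), "last_credentialed": None},
    {"ip": "192.0.2.13", "last_seen": date(2014, 3, 18), "last_credentialed": None},
    {"ip": "192.0.2.14", "last_seen": date(2014, 3, 16), "last_credentialed": date(2014, 3, 16)},
]

# Reference date for the constructed data (the report's publication date).
TODAY = date(2014, 3, 18)


def coverage(hosts, today=TODAY, window_days=30):
    """Control 4 figures: known hosts, hosts observed within the window,
    hosts with a completed credentialed scan within the window, and the
    credentialed percentage of known hosts (assumed denominator).
    Hosts that were never credentialed scanned count as uncovered."""
    cutoff = today - timedelta(days=window_days)
    known = len(hosts)
    observed = sum(1 for h in hosts if h["last_seen"] >= cutoff)
    credentialed = sum(
        1 for h in hosts
        if h["last_credentialed"] is not None and h["last_credentialed"] >= cutoff
    )
    pct = round(100.0 * credentialed / known, 1) if known else 0.0
    return {"known": known, "observed": observed,
            "credentialed": credentialed, "pct_credentialed": pct}


def uncovered(hosts, today=TODAY, window_days=30):
    """Hosts seen in the window but not credentialed scanned in it: the
    systems the report's percentage points at as scanning gaps."""
    cutoff = today - timedelta(days=window_days)
    return sorted(
        h["ip"] for h in hosts
        if h["last_seen"] >= cutoff
        and (h["last_credentialed"] is None or h["last_credentialed"] < cutoff)
    )


if __name__ == "__main__":
    print(coverage(HOSTS))
    print(uncovered(HOSTS))
```

A host that was observed but never credentialed scanned (192.0.2.13) appears in the gap list; a host not seen in 30 days at all (192.0.2.12) lowers the observed count instead, which is the separate "have all systems been scanned" question the chapter raises.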

CoCS 20 Critical Security Controls - Control 5 Malware Controls: This chapter displays indicator-style results from the Tenable Malicious Process Detection plugin, as well as providing details on large virus anomalies and active virus detections on the specified network range.

Associated NIST SP 800-53 Rev 4 Priority 1 Controls: SC-39, SI-3, SI-4

CoCS 20 Critical Security Controls - Control 6 Web Application Security: This chapter utilizes PVS and a wide variety of plugins to passively identify application vulnerabilities within web applications, even detecting unsupported or vulnerable software versions. Included tests are: SQL injections, CGI abuses, Backdoors, XSS, DNS and FTP checks, IMAP, SMTP, and POP checks, Internet Service Checks, and Web Server checks, sorted by severity.

Associated NIST SP 800-53 Rev 4 Priority 1 Controls: RA-5, SA-3, SA-10, SA-11, SA-17, SC-39, SI-10, SI-16

CoCS 20 Critical Security Controls - Control 7 Wireless Access Control: This chapter utilizes active and passive checks for Wireless Access Point Detection to report the total number of WAP devices found, the number that have appeared over the last 7 days, and whether they have any known vulnerabilities.

Associated NIST SP 800-53 Rev 4 Priority 1 Controls: AC-18, AC-19, CA-3, CM-2, IA-3, SC-8, SC-17, SI-4

CoCS 20 Critical Security Controls - Control 10 Secure Configurations for Network Devices: The results for this chapter are defined by keywords in vulnerability text that match text contained in several plugins. The sections report on the compliance status of Cisco IOS and Juniper devices.

Associated NIST SP 800-53 Rev 4 Priority 1 Controls: AC-4, CA-3, CM-2, CM-3, CM-5, CM-6, CM-8, MA-4, SC-24, SI-4

CoCS 20 Critical Security Controls - Control 11 Control of Ports/Protocols/Services: This chapter utilizes Nessus to identify open ports over the last 24 hours in an indicator fashion. The total number of hosts on the defined network is displayed, as well as the total number of services found active.

Associated NIST SP 800-53 Rev 4 Priority 1 Controls: AC-4, CM-2, CM-6, CM-8, SC-20, SC-21, SC-22, SI-4

CoCS 20 Critical Security Controls - Control 12 Controlled Use of Administrator Privileges: This chapter provides an indication of change in user accounts by utilizing LCE’s ability to trend user creation, modification, and removal over the last 72 hours. Software deployments often include the creation, and frequently the subsequent removal, of temporary accounts; these are also detected. Other items under CoCS Critical Control 12, such as the password requirements, are bundled in Control 16, which covers Account Monitoring.

Associated NIST SP 800-53 Rev 4 Priority 1 Controls: AC-2, AC-6, AC-17, AC-19, IA-2, IA-4, IA-5, SI-4

CoCS 20 Critical Security Controls - Control 13 Boundary Defense: This chapter focuses on common anomalies that may indicate unwanted activity against internal systems. The chapter displays devices that are identified as remote hosts listed in public botnet databases, websites that contain links that are listed in public malware databases, threat-list intrusion events, and threat-list statistics. Also indicated are spikes in large firewall statistical anomalies, connections, denial of access events, and authentication failures.

Associated NIST SP 800-53 Rev 4 Priority 1 Controls: AC-4, AC-17, AC-20, CA-3, CM-2, SA-9, SC-7, SC-8, SI-4

CoCS 20 Critical Security Controls - Control 14 Monitoring and Analysis of Logs: This chapter displays a detailed log analysis. First a 48-hour event summary is provided, followed by logs that report intrusions, system failures, DNS problems, long-term error trends, and denial of service activity.

Associated NIST SP 800-53 Rev 4 Priority 1 Controls: AU-2, AU-3, AU-4, AU-5, AU-6, AU-8, AU-9, AU-10, AU-12, SI-4

CoCS 20 Critical Security Controls - Control 15 Controlled Access/Sensitive Information: This chapter focuses on Nessus vulnerability data, sorted by severity, that may indicate the exfiltration of sensitive data, as well as utilizing PVS’s ability to capture sensitive data in transit. A handful of the triggers are: Peer to Peer File Sharing, IM, FTP, and PVS’s Data Leakage plugins.

Associated NIST SP 800-53 Rev 4 Priority 1 Controls: AC-1, AC-2, AC-3, AC-6, RA-2, SI-4

CoCS 20 Critical Security Controls - Control 16 Account Monitoring and Control: This chapter displays several different account event anomalies that have appeared on the defined network over the last 48 hours, such as login failures, account lockout events, password guessing, and successful password guessing. Also displayed are events showing account-related settings found by active scanning, such as passwords that are set to never expire, have never been changed, are blank, or are set to default.

Associated NIST SP 800-53 Rev 4 Priority 1 Controls: AC-2, AC-3, IA-5, SC-17, SC-23, SI-4

CoCS 20 Critical Security Controls - Control 17 Data Protection: From PVS’s Data Leakage family of plugins to Nessus active scanning plugins that report USB device usage, this indicator style component triggers on events that could potentially be data leakage events. Dropbox usage and BitTorrent activity are also reported.

Associated NIST SP 800-53 Rev 4 Priority 1 Controls: AC-3, AC-4, MP-5, SC-8, SC-28, SI-4

CoCS 20 Critical Security Controls - Control 20 Penetration Testing: Just as penetration testing seeks out vulnerabilities and attempts exploits, this chapter focuses on exploitable vulnerabilities found by active and passive scanning. Active scan results based on patching levels are analyzed, and this indicator is triggered if any active exploits exist against the vulnerabilities. Mobile devices and web clients are passively monitored by PVS and a wide variety of active and passive plugins are used to trigger a general indicator. Ports that have been found to be exploitable are broken down into 4 ranges (1-1024, 1025-5000, 5000-10000 and 10000+) and are displayed in an indicator fashion below the services, allowing you to rapidly locate and identify newly opened or vulnerable ports.

Associated NIST SP 800-53 Rev 4 Priority 1 Controls: CA-8, SI-6, PM-6, PM-14