CIS Critical Security Controls v7.1

Reference Items

Control  Description
1.1      Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.
1.2      Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.
1.3      Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.
1.4      Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization's network or not.
1.5      Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.
1.6      Ensure that unauthorized assets are either removed from the network, quarantined, or the inventory is updated in a timely manner.
1.7      Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.
1.8      Use client certificates to authenticate hardware assets connecting to the organization's trusted network.
2.1      Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
2.2      Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
2.3      Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.
2.4      The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.
2.5      The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
2.6      Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
2.7      Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
2.8      The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
2.9      The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
2.10     Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.
3.1      Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
3.2      Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
3.3      Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
3.4      Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
3.5      Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
3.6      Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
3.7      Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
4.1      Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.
4.2      Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
4.3      Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.
4.4      Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.
4.5      Use multi-factor authentication and encrypted channels for all administrative account access.
4.6      Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading e-mail, composing documents, or browsing the Internet.
4.7      Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or development users with the need to access those capabilities.
4.8      Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.
4.9      Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
5.1      Maintain documented security configuration standards for all authorized operating systems and software.
5.2      Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.
5.3      Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.
5.4      Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
5.5      Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.
6.1      Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.
6.2      Ensure that local logging has been enabled on all systems and networking devices.
6.3      Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
6.4      Ensure that all systems that store logs have adequate storage space for the logs generated.
6.5      Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.
6.6      Deploy a Security Information and Event Management (SIEM) or log analytics tool for log correlation and analysis.
6.7      On a regular basis, review logs to identify anomalies or abnormal events.
6.8      On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.
7.1      Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.
7.2      Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
7.3      Ensure that only authorized scripting languages are able to run in all web browsers and email clients.