Safeguard 4.8 is required for Implementation Groups 2 and 3, but it is a great policy for everyone to deploy, as it calls for uninstalling or disabling any unnecessary services on your company devices or within software applications.
Beyond the obvious question (if it's not needed, why is it there?), leaving unnecessary services and software components on your devices means you have to manage those components, and that includes patching, security concerns, and often the added costs of the components themselves.
Think of file sharing services, web application modules, service functions, server roles, old Apple QuickTime software (end of life in 2016), Adobe Flash (end of life in 2020), and so many other components that were once common tools for us as users.
Also think about your administrative habits. How many times have we left LANScanner, PuTTY, or other tools on Windows servers just so they were there when we needed them? When was the last time you updated or reviewed those services?
How many years are you going to maintain that old SQL Server or Exchange Server?
You can see where the threat lies. Services on systems create potential security risks, so if a service is not needed, uninstall it, disable it, and block it on your firewall today.
For compliance here you want to have two things.
First, refer back to Safeguards 1.1 and 2.1, your hardware and software inventories, and have a process that reviews any services those systems or applications use. Are those services still needed today? Document them!
Second, ensure your Acceptable Use Policy states that any installation of services like FTP, HTTP, SFTP, RDP (even on port 3390), and oh so many others must be approved and documented by IT first. This matters especially if you don't have a tool that scans your network and looks for these open ports and services.
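The review the post asks for starts with knowing what is actually listening. As an added example (not code from the original post), the following inventories every listening TCP port on a Windows host with its owning process and service, and flags the ports the Acceptable Use Policy discussion singles out; it assumes Windows 8 / Server 2012 or newer for the NetTCPIP module, and the port list is my own reading of the post.

```powershell
# Added example, not from the original post: list every listening TCP port on this
# Windows host with its owning process and service, and flag ports that the post says
# need documented IT approval. Assumes Windows 8 / Server 2012 or newer (NetTCPIP module).
function Get-ListeningServiceInventory {
    param(
        # Ports named in the Acceptable Use Policy discussion: FTP, SSH/SFTP, Telnet, HTTP, RDP, alternate RDP.
        [int[]]$ReviewPorts = @(21, 22, 23, 80, 3389, 3390)
    )
    # Group services by the process hosting them; one svchost.exe can host several.
    $servicesByPid = @{}
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if ($svc.ProcessId -gt 0) {
            $servicesByPid[[int]$svc.ProcessId] += @($svc)
        }
    }

    Get-NetTCPConnection -State Listen |
        Sort-Object LocalPort, LocalAddress |
        ForEach-Object {
            $owningPid = [int]$_.OwningProcess
            $proc = Get-Process -Id $owningPid -ErrorAction SilentlyContinue
            $svcs = $servicesByPid[$owningPid]
            [pscustomobject]@{
                LocalAddress  = $_.LocalAddress
                LocalPort     = $_.LocalPort
                ProcessName   = if ($proc) { $proc.ProcessName } else { 'unknown' }
                Services      = if ($svcs) { ($svcs.Name) -join ', ' } else { '' }
                StartMode     = if ($svcs) { ($svcs.StartMode | Sort-Object -Unique) -join ', ' } else { '' }
                NeedsApproval = ($_.LocalPort -in $ReviewPorts)
            }
        }
}

# Review the result, then keep the CSV alongside the inventory from Safeguards 1.1 / 2.1.
$inventory = Get-ListeningServiceInventory
$inventory | Format-Table -AutoSize
$inventory | Export-Csv -Path "$env:COMPUTERNAME-listening-services.csv" -NoTypeInformation
```

Anything with an Automatic start mode that nobody can name an owner for is the candidate for "uninstall it, disable it, block it".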
I want to personally thank you for following along and if you learned something new or found this content to be valuable please like and share. Since I have started this journey I am seeing more education around CIS Security and its framework throughout the industry.
Next up with Safeguard 4.7 we have to manage those pesky default accounts on your assets and software. This includes root, administrator, guest, and the other built-in or configured vendor accounts.
Managing these accounts is not rocket science, but is something most of us are not doing a good job with.
First, disable the accounts that are not required. If a vendor only signs in once a quarter, then the account stays disabled until they need to log in, and you have a documented process to validate that the person who needs to log in is actually still with that vendor.
The next piece is the stale-password threat that these default accounts carry. If you're using basic passwords then sure, resetting them every 90 days (or whatever your cadence is) may be necessary, but let's be honest: you don't have time to reset all of them on a regular cadence, and if you do, human error may cause a mistake.
The same is true for any applications that may have default accounts for the vendor, or my favorite, those off-domain systems that run the HVAC or physical access systems, just sitting there, oftentimes with no security controls and an outdated operating system.
"If it's on your network, can process your data, then it's your responsibility to ensure it is secure."
Microsoft LAPS (Local Administrator Password Solution) is a great tool (AND IT'S FREE) that can manage the local account passwords of domain-joined computers and store those passwords in AD, protected by ACLs. LAPS will randomly generate passwords that are automatically changed on managed machines running at least Windows 7 or Windows Server 2008 and newer.
The bottom line is we all have to stop using the same password on every workstation or domain admin account out there. Use a secure password management solution that meets your (and your team's) needs while updating the default account credentials on a regular basis.
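Two checks turn this into something you can run every quarter. As an added example (not from the original post), the script below finds the domain's built-in Administrator and Guest accounts by RID, flags an enabled Guest or a password older than the 90 days mentioned above, and lists computers without a current LAPS password; it assumes the RSAT ActiveDirectory module and the legacy LAPS attribute ms-Mcs-AdmPwdExpirationTime (Windows LAPS uses msLAPS-PasswordExpirationTime instead).

```powershell
# Added example, not from the original post: audit built-in domain accounts (RID 500
# Administrator, RID 501 Guest) and LAPS coverage. Assumes the ActiveDirectory module
# and the legacy LAPS schema; pass -ExpirationAttribute for Windows LAPS.
Import-Module ActiveDirectory

function Get-BuiltInAccountStatus {
    param([int]$MaxPasswordAgeDays = 90)   # the cadence the post mentions
    # Built-in accounts keep their RID even when renamed, so match on the SID suffix.
    Get-ADUser -Filter * -Properties Enabled, PasswordLastSet, LastLogonDate |
        Where-Object { $_.SID.Value -match '-(500|501)$' } |
        ForEach-Object {
            $ageDays = if ($_.PasswordLastSet) { (New-TimeSpan -Start $_.PasswordLastSet -End (Get-Date)).Days } else { $null }
            $isGuest = $_.SID.Value -like '*-501'
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                Rid             = $_.SID.Value.Split('-')[-1]
                Enabled         = $_.Enabled
                PasswordAgeDays = $ageDays
                LastLogonDate   = $_.LastLogonDate
                Finding         = if ($isGuest -and $_.Enabled) { 'Guest account enabled' }
                                  elseif (-not $isGuest -and ($null -eq $ageDays -or $ageDays -gt $MaxPasswordAgeDays)) { "Password older than $MaxPasswordAgeDays days" }
                                  else { 'OK' }
            }
        }
}

function Get-LapsCoverage {
    param([string]$ExpirationAttribute = 'ms-Mcs-AdmPwdExpirationTime')
    $nowUtc = (Get-Date).ToUniversalTime()
    Get-ADComputer -Filter { Enabled -eq $true } -Properties $ExpirationAttribute, OperatingSystem |
        ForEach-Object {
            $raw = $_.$ExpirationAttribute
            # LAPS stores the expiry as a Windows FILETIME (100 ns ticks since 1601, UTC).
            $expires = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw) } else { $null }
            [pscustomobject]@{
                Name            = $_.Name
                OperatingSystem = $_.OperatingSystem
                LapsExpiresUtc  = $expires
                Status          = if (-not $expires) { 'No LAPS password' }
                                  elseif ($expires -lt $nowUtc) { 'LAPS password expired' }
                                  else { 'Managed' }
            }
        }
}

Get-BuiltInAccountStatus | Format-Table -AutoSize
Get-LapsCoverage | Where-Object Status -ne 'Managed' | Format-Table -AutoSize
```

Off-domain HVAC and access-control boxes will never show up in the second list, which is exactly why they need their own entry in the inventory.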
Safeguard 4.6 requires you to securely manage your assets and software. Example implementations include managing configuration through version-controlled infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as SSH (Secure Shell) and Hypertext Transfer Protocol Secure (HTTPS).
You should not use insecure management protocols such as Telnet (Teletype Network) and HTTP, unless it is operationally essential.
Infrastructure-as-code helps you ensure that changes are reviewed by someone on your team before being implemented in production, reducing the risk of mistakes or vulnerabilities being introduced into the system. It also enables you to track changes in real time and roll back to a previous version to maintain the integrity of the system.
The big takeaway with Safeguard 4.6 is to disable Telnet and HTTP if they're not required. You should also consider disabling other outdated technologies like POP, IMAP, SMTP, TLSv1.0, TLSv1.1, and many others. Disabling them will force your teams to use the approved and secure management interfaces.
For each asset, you want to document how you should be connecting to the asset and if any legacy or unsupported services or interfaces are required for it to function.
Remember, you shouldn't document the processes, the map (configuration data), and the key (credentials) in the same place.
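On a Windows asset, "is TLS 1.0/1.1 actually off?" is answered by the SChannel registry keys, and the Telnet client is an optional feature. As an added example (not from the original post), the script below reports each protocol/side that is not explicitly disabled plus the Telnet client state, and includes a helper that applies the SChannel hardening; it needs an elevated session and a reboot before SChannel reads the change.

```powershell
# Added example, not from the original post: report whether TLS 1.0/1.1 are disabled in
# SChannel and whether the Telnet client feature is installed, with a helper that applies
# the SChannel hardening. Run elevated; the paths are the standard SChannel protocol keys.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Test-LegacyProtocolState {
    foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
        foreach ($side in 'Server', 'Client') {
            $props = Get-ItemProperty -Path "$SchannelProtocols\$proto\$side" -ErrorAction SilentlyContinue
            # Counts as disabled only when both values are explicitly set; a missing key
            # means the OS default applies, which on older Windows leaves the protocol on.
            $disabled = [bool]($props -and $props.Enabled -eq 0 -and $props.DisabledByDefault -eq 1)
            [pscustomobject]@{ Item = "$proto ($side)"; Disabled = $disabled }
        }
    }
    $telnet = Get-WindowsOptionalFeature -Online -FeatureName TelnetClient -ErrorAction SilentlyContinue
    [pscustomobject]@{ Item = 'Telnet client feature'; Disabled = ($telnet.State -ne 'Enabled') }
}

function Disable-SchannelProtocol {
    # Sets Enabled=0 and DisabledByDefault=1, the pair SChannel treats as "off".
    param(
        [Parameter(Mandatory)][ValidateSet('TLS 1.0', 'TLS 1.1')][string]$Protocol,
        [Parameter(Mandatory)][ValidateSet('Server', 'Client')][string]$Side
    )
    $key = "$SchannelProtocols\$Protocol\$Side"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -PropertyType DWord -Force | Out-Null
}

# Anything still listed is a 4.6 finding: disable it or document it as operationally essential.
Test-LegacyProtocolState | Where-Object { -not $_.Disabled } | Format-Table -AutoSize
```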
Today's modern workforce requires a different approach to cybersecurity and securing workstations than it did just five years ago.
This is why CIS Safeguard 4.5 is so important, as it requires the implementation and management of a host-based firewall or port-filtering tool on end-user devices. It also requires a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
The good thing is that most default configurations, like Windows Defender Firewall in Windows 10, will block everything unless an exception rule is created, so even just enabling the default configuration gets you most of the way there. The issue comes into play when you start customizing and forget to ensure there is still a default-deny rule in your custom settings.
The majority of the Remote Monitoring and Management Tools (RMMs) including Microsoft Intune provide the ability to configure these settings and most will alert you if the setting changes (if enabled).
I would recommend ensuring your Windows Defender Firewall with Advanced Security log is enabled and configured so you can have a historical record of when the firewall was disabled/enabled/etc. Tools like Netwrix Corporation or Liongard may provide you a third-party method of tracking these changes as well.
The historical record is important because you want to be able to prove to an auditor that you have the policy and automation set up to establish the firewall, but also the historical records showing it continues to stay active and protect your end users.
Servers power the data we process in today's modern workforce and it doesn't matter if it's a traditional on-premise server or the latest cloud hosted server. It's storing, processing, and providing access to the applications, data, and services you need for your business to run.
CIS Safeguard 4.4 requires you to implement and manage a virtual, operating system, or a third-party firewall agent on every server (where supported).
First, I believe the "where supported" should be taken out of the requirement because every modern supported server or cloud-based service has the capability of running a firewall agent or service to protect it. So there is no excuse not to keep that firewall running.
I have seen the "well, my network is a walled garden and is secured by the network firewall, so my servers don't need the firewall running" argument. This also is the wrong approach, as you want to create a number of walls within your network so that if the initial wall is breached you still have safeguards in place that can protect and secure your data. That's the importance of enabling the firewall on servers.
So to check off CIS Safeguard 4.4 you need to return to your server inventory (1.1) and ensure each server has a firewall enabled. You want to have a tool or service that monitors the server configuration and can alert you if and when the firewall is disabled.
It doesn't matter if you're running Microsoft Windows Server, Linux, or UNIX servers. Turn the #Firewall on.
Just having the firewall on may be enough to mark the checkbox, but the safeguard requires you to manage the firewall as well. You want to ensure you are using least privilege or zero trust models and that only those who need access have access. Check and validate which ports are open, which permissions are granted, who has access, and ultimately why (or why not) they have it.
Talk to your peers and look to your vendors to help establish what the best practice settings for the server firewall should be, and document it.
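The Windows Defender Firewall checks for Safeguard 4.5 (workstations) and Safeguard 4.4 (servers) are the same, so one script serves both. As an added example (not from the original posts), it verifies each profile is enabled, not defaulting to Allow inbound, and logging drops; applies that baseline; and pulls the Security-log events that give the historical record an auditor asks for. The 16 MB log size and 30-day window are my own choices.

```powershell
# Added example, not from the original posts: check each Windows Defender Firewall
# profile for the posture Safeguards 4.5 and 4.4 ask for (enabled, default-deny inbound,
# drops logged), enforce it, and read the Security-log events that record firewall changes.
function Test-HostFirewallBaseline {
    Get-NetFirewallProfile | ForEach-Object {
        $problems = @()
        # Enabled/LogBlocked are GpoBoolean values (True/False/NotConfigured), hence string compares.
        if ($_.Enabled -ne 'True')                 { $problems += 'profile disabled' }
        # NotConfigured means the built-in default (Block); only an explicit Allow is a finding.
        if ($_.DefaultInboundAction -eq 'Allow')   { $problems += 'inbound default is Allow' }
        if ($_.LogBlocked -ne 'True')              { $problems += 'dropped packets not logged' }
        if ($_.LogMaxSizeKilobytes -lt 16384)      { $problems += "log capped at $($_.LogMaxSizeKilobytes) KB" }
        [pscustomobject]@{
            Profile   = $_.Name
            Compliant = ($problems.Count -eq 0)
            Problems  = ($problems -join '; ')
        }
    }
}

function Set-HostFirewallBaseline {
    # Run elevated. Existing allow rules are kept; only the default posture and logging change.
    # On domain members a GPO with these settings overrides the local values, which is what you want.
    Set-NetFirewallProfile -All -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow `
        -LogBlocked True `
        -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
        -LogMaxSizeKilobytes 16384
}

# The historical record: 4950 = a firewall setting changed, 5025 = the firewall service stopped.
# Both require the "MPSSVC Rule-Level Policy Change" and "Other System Events" audit
# subcategories to be enabled, or nothing is written.
function Get-FirewallChangeHistory {
    param([int]$Days = 30)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4950, 5025; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Test-HostFirewallBaseline | Format-Table -AutoSize
Get-FirewallChangeHistory | Format-Table -AutoSize
```

Scheduling Test-HostFirewallBaseline through your RMM and alerting on Compliant = False is the "monitor and alert when the firewall is disabled" piece of 4.4.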
CIS Safeguard 4.3 requires the configuration of automatic session locking on assets. For general purpose operating systems, the period must not exceed 15 minutes, and for mobile devices it should not be longer than 2 minutes.
Going back to Safeguard 1.1 you have your inventory of devices which includes the mobile devices and computers that have the potential to store or process data for your business. So if you are allowing personal devices to store or process your data then they must be inventoried and connected to a device manager to allow you to configure and ensure this setting is established and active.
It doesn't matter if you're working at home, an airport, or at a conference and you're just stepping away for a few minutes. The key thing is teaching the culture that your computer or mobile device should be locked if you're not using it, so #LockItUp.
Getting your team to live in a cybersecurity culture takes time but is a critical step to promoting cybersecurity. It starts with training and setting expectations. When you're not training your team then that culture will be the Wild West and another episode of the Blame Game.
If you are using a local technology provider then they can push and manage this policy; otherwise Active Directory, Microsoft Entra ID (Azure AD), mobile device managers, Microsoft Intune, and others all have group policies or settings you can use to ensure this is established, and it's already included in what you are paying for.
Safeguard 4.3 is required for every implementation group, and if you're not requiring it today then it's past time to educate and activate the settings.
If you don't require it and a laptop is breached or stolen, then you should assume that any potential data on it could be compromised and that may trigger a breach notification depending on the data and your local regulations.
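On Windows the setting lives in two places Group Policy writes to: the machine-wide "Interactive logon: Machine inactivity limit" and the user screen-saver policy. As an added example (not from the original post), this reads both and reports pass/fail against the 15-minute figure above; the registry paths are the standard policy keys, and the remediation helper only sets the local value, which a domain GPO overrides.

```powershell
# Added example, not from the original post: read the Group Policy registry values that
# implement the session lock on Windows and report pass/fail against the post's 15 minutes.
function Test-SessionLockPolicy {
    param([int]$MaxIdleSeconds = 900)   # 15 minutes for general purpose operating systems
    $systemPolicy  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $desktopPolicy = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop'

    # "Interactive logon: Machine inactivity limit" (machine-wide, applies to every user).
    $machineLimit = (Get-ItemProperty -Path $systemPolicy -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    # Screen saver user policy: REG_SZ strings written by Group Policy, so compare as strings.
    $ss = Get-ItemProperty -Path $desktopPolicy -ErrorAction SilentlyContinue

    $machineOk = ($null -ne $machineLimit) -and ($machineLimit -gt 0) -and ($machineLimit -le $MaxIdleSeconds)
    $ssTimeout = if ($ss.ScreenSaveTimeOut) { [int]$ss.ScreenSaveTimeOut } else { $null }
    $screenSaverOk = ($ss.ScreenSaveActive -eq '1') -and ($ss.ScreenSaverIsSecure -eq '1') -and
                     ($null -ne $ssTimeout) -and ($ssTimeout -le $MaxIdleSeconds)

    [pscustomobject]@{
        MachineInactivityLimitSecs = $machineLimit
        ScreenSaverActive          = $ss.ScreenSaveActive
        ScreenSaverSecure          = $ss.ScreenSaverIsSecure
        ScreenSaverTimeoutSecs     = $ssTimeout
        # Either control satisfies the safeguard; both missing is the finding to fix.
        Compliant                  = ($machineOk -or $screenSaverOk)
    }
}

function Set-MachineInactivityLimit {
    # Run elevated. Sets the local policy value; a domain GPO with the same setting overrides it.
    param([int]$Seconds = 900)
    $systemPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    New-ItemProperty -Path $systemPolicy -Name InactivityTimeoutSecs -Value $Seconds -PropertyType DWord -Force | Out-Null
}

Test-SessionLockPolicy | Format-List
```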
Looking for a jump start - Download CIS's Secure Configuration Management Template at (https://lnkd.in/e4xYfNye)
CIS Safeguard 4.2 calls for you to establish and maintain a secure configuration process for network infrastructure. This includes the review and documentation when significant changes occur or at least once a year.
Before starting we have to rewind to Safeguard 1.1 which requires you to establish and maintain an asset inventory including your network infrastructure inventory. You can't continue until that is completed.
Next, you have to create a standard baseline configuration for each type of network device, and if you are working with multiple vendors for a type of device then you should have a documented baseline configuration for each, as every vendor does things differently.
Once you have your baselines, then regular audits should be completed to assess the device configuration against these baselines. In the past I have seen these audits completed as part of the technology alignment process or by using configuration management tools like Liongard that can automate the process.
Your process next needs to include a strict change management process that requires review and approval for any configuration modification. Changes have to be well-documented, authorized, and aligned with the established best practices. Any change management process should also cover approving and completing firmware updates.
Using a centralized logging and monitoring tool for your network devices to track and analyze events in real time will help you stay on top of the process. Finally, perform regular reviews of the baselines to ensure they are current and account for any newly emerging threats or changes in the network infrastructure as a whole.
The most important thing here is to acknowledge that your way may not be the best way and to use any trusted resources or community you are a member of to gain feedback.
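The audit step ("assess the device configuration against the baseline") is a diff once you strip the lines that legitimately differ per device. As an added example (not from the original post), the script below compares a saved running configuration with the documented baseline for that device type and reports what is missing or unexpected; both configs are constructed samples in a Cisco-IOS-like syntax, not from any real device, and the ignore patterns are my assumption about what a baseline does not pin.

```powershell
# Added example, not from the original post. Constructed sample configs (IOS-like syntax):
$baseline = @'
service password-encryption
no ip http server
no ip http secure-server
ip ssh version 2
line vty 0 4
 transport input ssh
 exec-timeout 10 0
ntp server 10.0.0.10
'@

$running = @'
! Last configuration change at 09:12:41 UTC Mon Jan 8 2024
hostname core-sw-01
service password-encryption
ip http server
no ip http secure-server
ip ssh version 2
line vty 0 4
 transport input ssh telnet
 exec-timeout 10 0
ntp server 10.0.0.10
'@

function Compare-DeviceBaseline {
    param(
        [Parameter(Mandatory)][string]$Baseline,
        [Parameter(Mandatory)][string]$Running,
        # Regexes for per-device lines the baseline intentionally does not pin.
        [string[]]$IgnorePatterns = @('^!', '^hostname ', '^\s*description ')
    )
    $normalize = {
        param($text)
        ($text -split "`r?`n") |
            ForEach-Object { $_.TrimEnd() } |            # keep leading indent: it marks sub-mode lines
            Where-Object { $_ -ne '' } |
            Where-Object { $line = $_; -not ($IgnorePatterns | Where-Object { $line -match $_ }) }
    }
    # Compare-Object treats the two line lists as sets, so order inside a section is not checked.
    Compare-Object -ReferenceObject (& $normalize $Baseline) -DifferenceObject (& $normalize $Running) |
        ForEach-Object {
            [pscustomobject]@{
                Finding = if ($_.SideIndicator -eq '<=') { 'Missing from device' } else { 'Unexpected on device' }
                Line    = $_.InputObject
            }
        }
}

Compare-DeviceBaseline -Baseline $baseline -Running $running | Format-Table -AutoSize
```

On the sample data the report shows the HTTP server re-enabled and Telnet added to the vty line, both of which should have gone through change management.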
Control 4 is looking for the secure configuration of your assets (end user devices including portable and mobile, network devices, IoT devices, and servers) and your software (operating systems and applications).
To establish and maintain a secure configuration process for your assets and software, we need to develop a comprehensive security policy outlining the requirements for secure configurations.
Using the thorough inventory of assets (Safeguard 1.1) and software (Safeguard 2.1), we will define secure configuration baselines, adhering to best practices and industry standards (like CIS Controls).
Automation tools should be utilized whenever possible to enforce these baselines, reducing human error.
You should prioritize strong authentication measures and implement a robust patch management system. Regular security reviews must be conducted, and comprehensive documentation must be maintained and updated annually.
Employees are required to receive training to ensure compliance.
The policy and documentation should be reviewed promptly whenever significant changes occur or at minimum once a year.
The Center for Internet Security Controls, or #CISControls, have become an industry standard that helps businesses and organizations of all sizes maintain a consistent set of #Cybersecurity controls.
Safeguard 3.14 is the final safeguard of Control 3, and is the only safeguard that has the security function for detection. We've outlined the data process and data inventory, retention and how to dispose of data securely, data flows and encryption. It's only fitting that Safeguard 3.14 will call for logging of sensitive data access, including the modification and disposal of data.
Logging all actions involving sensitive data, including access, modification and disposal, is vital to prompt detection and response to malicious activity. Data access logs can also be helpful for post-attack investigations and analyses, and for holding culprits accountable.
On a Windows file server you can audit file access events by going to the properties of the target folder/file, Security > Advanced > Auditing > Add, and setting the audit permissions you want to log. This is not enabled by default, so if you don't set it, you're not getting these logs.
There are also a number of tools out there that can scan your files and track the changes both within Windows Servers and cloud storage as well.
Like Safeguard 3.13, 3.14 is only required if you are looking to achieve Implementation Group 3, but like many safeguards that aren't required for Implementation Group 1, this is one you should consider enabling for the folders and files that contain your sensitive data. If you have the drive space for the logs, collecting the data will only help you if you need to do an audit or identify security breaches.
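The GUI steps above set a SACL, and a SACL only produces events once the matching audit subcategory is on. As an added example (not from the original post), the script below enables the "File System" subcategory, adds an audit entry for modify/delete/permission-change/take-ownership on one folder, and reads back the resulting 4663/4670 events for that path; $SensitiveFolder is a placeholder and the session must be elevated.

```powershell
# Added example, not from the original post: enable object-access auditing on one folder of
# sensitive data (the SACL the post describes setting through the GUI) and read back the
# resulting Security-log events. $SensitiveFolder is a placeholder path; run elevated.
$SensitiveFolder = 'D:\Data\Sensitive'

function Enable-SensitiveFolderAuditing {
    param([Parameter(Mandatory)][string]$Path)
    # Without the "File System" audit subcategory, SACLs exist but produce no events.
    auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
    # Audit everyone who modifies, deletes, re-permissions or takes ownership of anything below $Path.
    $acl  = Get-Acl -Path $Path -Audit
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]'Modify, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-SensitiveFileAccessEvents {
    param([Parameter(Mandatory)][string]$Path, [int]$Hours = 24)
    # 4663 = object accessed (includes the access mask), 4670 = permissions changed.
    # 4660 (object deleted) carries only a HandleId, so correlate it with the preceding 4663.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4670; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Object  = $data.ObjectName
                Access  = $data.AccessMask
                Process = $data.ProcessName
            }
        } |
        Where-Object { $_.Object -like "$Path*" }
}

Enable-SensitiveFolderAuditing -Path $SensitiveFolder
Get-SensitiveFileAccessEvents -Path $SensitiveFolder | Format-Table -AutoSize
```

Forwarding these events to your central log store is what makes the "drive space for the logs" concern and the post-incident investigation manageable.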
Get a summary of all of CIS Control Safeguards 1-3 we've reviewed here at https://lnkd.in/eW5UBTxf and stay tuned as we start to dive into Control 4 on Securing Configuration and Enterprise assets and software.