It's Account Management time as we review the Center for Internet Security Controls, or CIS Controls, an industry standard that helps businesses and organizations of all sizes maintain best-practice cybersecurity controls.
Control 5 is all about Account Management: the processes and tools used to assign and manage authorization to credentials for user accounts, which includes, you guessed it, administrative and service accounts for your assets and software.
"You can't protect what you don't know" - Scott Davis
That quote holds true as we explore Safeguard 5.1, which is establishing and maintaining an inventory of accounts. At a minimum your inventory should contain the person's name, username, start and stop dates, and department. You need to validate that all active accounts are authorized on a recurring schedule, at a minimum quarterly, and more often if your volume of adds, moves, and changes calls for it. Include the administrator and service accounts, not just the people: those are the ones that tend to outlive their owners.
Safeguard 5.1 is required for compliance across all three Implementation Groups, and really should be required for every organization.
Before you think "how will I ever manage that?", remember that Active Directory or Azure Active Directory (now Microsoft Entra ID) is already an inventory of your users, admins, and service accounts. Keeping it clean and up to date is something we should be doing regardless, because you don't want former employees accessing data.
Where Active Directory falls short is your local user and server accounts. I recommend using Windows LAPS, the Windows Local Administrator Password Solution, a Windows feature that automatically manages the password of a local administrator account and backs it up to Entra ID (Azure Active Directory) or Active Directory. It can also manage and back up the Directory Services Restore Mode (DSRM) account password on your domain controllers, which an authorized administrator can then retrieve. Note that LAPS manages a single managed local administrator account per machine; for the 5.1 inventory you still need to enumerate the other local accounts on each host.
Windows LAPS is built into Windows 10 and newer and Windows Server 2019 and newer (it arrived in the April 2023 cumulative updates). Ohhh, and it's FREE! Learn more about LAPS at https://lnkd.in/ebxGchxZ
From an auditing perspective I also love ❤️ the Liongard service here, as it can audit user accounts on Microsoft Windows servers and workstations, Active Directory, Apple Mac computers, and Linux systems.
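As an added example (not from the original post), here is how the Safeguard 5.1 inventory and quarterly review can be pulled straight out of Active Directory with the RSAT ActiveDirectory module. The output folder C:\CIS and the 90-day stale threshold are assumptions for the example; everything else uses standard Get-ADUser properties.

```powershell
# Added example (not from the original post): build the Safeguard 5.1 account inventory from
# Active Directory and flag the accounts that need sign-off in the quarterly validation.
# Assumptions: the ActiveDirectory RSAT module is installed, the caller can read the directory,
# and C:\CIS is a hypothetical output folder.
Import-Module ActiveDirectory

$OutDir    = 'C:\CIS'
$StaleDays = 90                         # enabled accounts unseen for this long get reviewed
$Cutoff    = (Get-Date).AddDays(-$StaleDays)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 5.1 minimum fields are name, username, start/stop dates and department; the rest make the review useful.
$Props = 'DisplayName', 'SamAccountName', 'whenCreated', 'AccountExpirationDate', 'Department',
         'Manager', 'Enabled', 'LastLogonDate', 'PasswordLastSet', 'ServicePrincipalName', 'AdminCount'

$Accounts = Get-ADUser -Filter * -Properties $Props | ForEach-Object {
    # Classify so admins and service accounts are reviewed as such (5.1 requires both to be inventoried).
    if ($_.AdminCount -eq 1)          { $type = 'Admin' }
    elseif ($_.ServicePrincipalName)  { $type = 'Service' }
    else                              { $type = 'User' }

    [pscustomobject]@{
        Name       = $_.DisplayName
        Username   = $_.SamAccountName
        Start      = $_.whenCreated
        Stop       = $_.AccountExpirationDate   # empty = no planned end date
        Department = $_.Department
        Manager    = $_.Manager                 # the person who signs off on the account
        Enabled    = $_.Enabled
        LastLogon  = $_.LastLogonDate           # from lastLogonTimestamp, accurate to about 14 days
        PwdLastSet = $_.PasswordLastSet
        Type       = $type
    }
}

# The full inventory the auditor asks for.
$Accounts | Export-Csv -Path (Join-Path $OutDir 'account-inventory.csv') -NoTypeInformation

# The review list: enabled accounts with no department or owner, or no sign-in in $StaleDays days.
$Review = $Accounts | Where-Object {
    $_.Enabled -and (
        -not $_.Department -or -not $_.Manager -or
        ($_.LastLogon -and $_.LastLogon -lt $Cutoff) -or
        ($_.Type -eq 'User' -and -not $_.LastLogon)    # created but never used
    )
}
$Review | Sort-Object Type, LastLogon |
    Export-Csv -Path (Join-Path $OutDir 'account-review.csv') -NoTypeInformation

'{0} accounts inventoried, {1} need sign-off this quarter' -f @($Accounts).Count, @($Review).Count
```

Run it on the same day each quarter and keep both CSVs with the sign-off; the review file is the list you hand to department owners, and the diff between two quarters' inventory files is your evidence that adds, moves, and changes are actually being tracked.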
Let's explore the Center for Internet Security Controls, or CIS Controls, which have become an industry standard to help businesses and organizations of all sizes maintain best-practice cybersecurity controls.
Safeguard 4.12 wraps up our journey through Control 4, which covers the secure configuration of enterprise assets and software. Safeguard 4.12 specifically calls for separate enterprise workspaces on mobile end-user devices.
This is where a "work profile" (a container) is created on a mobile device that keeps the end user's personal apps separate from your work apps and data. Android's Work Profile and Apple's User Enrollment provide this separation out of the box, but you still need an MDM to enroll the device and push the policy; VMware's Workspace ONE is one of numerous Mobile Device Management platforms that can help you check this box off.
For the majority of businesses and organizations this is overkill unless you are working with a lot of confidential or top secret data. Even so, Safeguard 4.12 is only required if you are looking to achieve Implementation Group 3 status.
If you can check off 4.1 through 4.11, then you are in a very good state, even without meeting 4.12.
Safeguard 4.12 also maps to NIST SP 800-53 Revision 5 AC-19(5), Full Device or Container-based Encryption, and SC-39, Process Isolation. You can also find it in NIST SP 800-171 Revision 2 as 3.1.19, encrypting CUI on mobile devices and mobile computing platforms.
If you're in the CMMC conversation, then look for it under Access Control (AC) at Level 2.
The Center for Internet Security Controls, or CIS Controls, have become an industry standard to help businesses and organizations of all sizes maintain best-practice cybersecurity controls.
Today we explore CIS Safeguard 4.11 which, just like 4.10, is one that everyone should consider applying but is only required in Implementation Groups 2 and 3. Safeguard 4.11 is the enforcement of remote wipe capability on portable end-user devices.
Yes, the ability to remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate, such as for a lost or stolen device or when an individual no longer supports the enterprise.
This isn't new. In fact, I remember at least as far back as Exchange Server 2010 that if e-mail was connected to the device, we had the capability to remote wipe it. With Exchange ActiveSync v16.1 you have both the Wipe Data (full device) command and the Account Only Remote Wipe Device command, and the distinction is important. On a native iOS or Android device, Wipe Data wipes all data on the device, including photos, personal files, and so on. The Account Only Remote Wipe Device command only wipes the native mail app's Exchange ActiveSync mail, calendar, and account data.
And yes, Microsoft 365, Exchange Server, and even Google Workspace all have functionality to remote wipe portable end-user devices. So if you're using one of those services, pull out your CIS checklist and mark 4.11 off as compliant! One caveat: the wipe command only reaches devices that actually have the account configured and that check in afterward, so tie this back to your asset inventory and write down who is authorized to send the wipe and when.
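Here is the Exchange Online PowerShell version of that decision, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module is installed and that the admin's role includes the Clear-MobileDevice right; the mailbox, device name, and notification address are placeholders.

```powershell
# Added example (not from the original post): the Safeguard 4.11 remote-wipe workflow in Exchange Online
# PowerShell. Assumptions: the ExchangeOnlineManagement module is installed, the admin has a role that
# grants Clear-MobileDevice, and 'jdoe@contoso.com', the device name and 'it-sec@contoso.com' are hypothetical.
Connect-ExchangeOnline -ShowBanner:$false

$Mailbox  = 'jdoe@contoso.com'
$Notify   = 'it-sec@contoso.com'
$LostName = 'Johns iPhone*'         # friendly name the user reported as lost (hypothetical)

# 1. Which devices have this account configured? Only a device with an ActiveSync partnership can be wiped.
$Devices = Get-MobileDevice -Mailbox $Mailbox
$Devices | ForEach-Object {
    $stats = Get-MobileDeviceStatistics -Identity $_.Identity
    [pscustomobject]@{
        FriendlyName = $_.FriendlyName
        DeviceOS     = $_.DeviceOS
        LastSync     = $stats.LastSuccessSync
        AccessState  = $stats.DeviceAccessState
        WipeSent     = $stats.DeviceWipeSentTime
        WipeAcked    = $stats.DeviceWipeAckTime
    }
} | Format-Table -AutoSize

# 2. Pick the lost device and send the wipe that matches the situation.
foreach ($dev in ($Devices | Where-Object FriendlyName -like $LostName)) {
    # Lost or stolen enterprise-owned device: full wipe (Wipe Data), everything on the device goes.
    # Clear-MobileDevice -Identity $dev.Identity -NotificationEmailAddresses $Notify -Confirm:$false

    # Departing employee or a personal device: wipe only the Exchange account data (needs an EAS 16.1 client).
    Clear-MobileDevice -Identity $dev.Identity -AccountOnly -NotificationEmailAddresses $Notify -Confirm:$false
}

# 3. Verify: DeviceWipeSentTime is stamped immediately; DeviceWipeAckTime only appears once the device
#    checks in, so a device that never reconnects is never wiped and stays on your incident list.
Get-MobileDevice -Mailbox $Mailbox | Where-Object FriendlyName -like $LostName | ForEach-Object {
    Get-MobileDeviceStatistics -Identity $_.Identity |
        Select-Object DeviceFriendlyName, DeviceWipeSentTime, DeviceWipeAckTime, LastSuccessSync
}
```

The gap between WipeSent and WipeAcked is the number an auditor will ask about: the control is the ability to send the wipe, but the data is only gone once the acknowledgement arrives, which is why the enrolled-device inventory and the wipe log belong together.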
The Center for Internet Security Controls, or CIS Controls, have become an industry standard to help businesses and organizations of all sizes maintain best-practice cybersecurity controls.
Safeguard 4.10 is a no-brainer today, especially as more and more of us are working remotely. 4.10 requires enforcement of automatic device lockout after a set number of failed local authentication attempts on portable end-user devices. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones the limit is no more than 10.
If you're building Apple configuration profiles, it's the maxFailedAttempts key in the Passcode payload; in Microsoft Intune it's under Device Lock. Every Mobile Device Management (MDM) provider has this functionality.
If you're not striving for Implementation Group 2 or 3 compliance, simply documenting these requirements in your Mobile Device or Remote Work policy gets you started in the right direction.
This requirement is more than just requiring a password on a device when using Outlook, but that is a critical component you should have as well.
So why is this critical?
First, let's be honest: users are not the best at locking their computers when they step away (CIS Safeguard 4.3, automatic session locking). I've seen unlocked and unattended devices at conferences, hotels, airports, and everywhere in between. Session locking gets the device to a password prompt; the lockout threshold is what limits the damage once it's there.
Here the goal is to prevent brute-force login attempts on a device that has been stolen. Without automatic device lockout you're giving the thief an unlimited number of attempts to guess your password, which is probably written on a note under the keyboard or inside the battery compartment (yes, I have found them there). Lockout only protects the login prompt, so pair it with full-disk encryption (BitLocker or FileVault); otherwise the thief skips the password entirely and reads the drive.
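For Windows laptops the equivalent of maxFailedAttempts is the Account Lockout Policy. The following is an added example, not from the original post, that audits and enforces the 4.10 limit on a single machine; the 20-attempt and 15-minute values are this example's choices, and on domain-joined machines the same settings would normally come from Group Policy.

```powershell
# Added example (not from the original post): audit and enforce the Safeguard 4.10 threshold (no more than
# 20 failed local sign-ins on a laptop) on a Windows endpoint. Assumptions: run elevated; domain-joined
# machines normally get this from the Account Lockout Policy GPO, so this is for stand-alone or
# Entra-joined laptops and for spot checks. 20 attempts and a 15-minute lockout are this example's values.
$MaxAttempts    = 20      # CIS 4.10: laptops <= 20, tablets and phones <= 10
$LockoutMinutes = 15

function Get-LockoutThreshold {
    # 'net accounts' prints "Lockout threshold: Never" when lockout is off, otherwise the number.
    $line = (net accounts) -match '^Lockout threshold'
    $val  = ($line -split ':\s*')[-1].Trim()
    if ($val -eq 'Never') { return 0 }
    return [int]$val
}

$current = Get-LockoutThreshold
if ($current -eq 0 -or $current -gt $MaxAttempts) {
    Write-Warning "Lockout threshold is $current (0 = never); setting it to $MaxAttempts"
    # The observation window must not exceed the lockout duration, so both are set to $LockoutMinutes.
    net accounts /lockoutthreshold:$MaxAttempts /lockoutduration:$LockoutMinutes /lockoutwindow:$LockoutMinutes | Out-Null
    $current = Get-LockoutThreshold
}
"Lockout threshold is now $current (limit $MaxAttempts)"

# Evidence that the control fires: failed local logons (Security event 4625) in the last week.
# Lockouts of domain accounts show up as event 4740 on the domain controller instead.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-7) } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Account'; e = { $_.Properties[5].Value } }, @{ n = 'LogonType'; e = { $_.Properties[10].Value } }
```

A threshold of 0 means "Never", which is the Windows default on a fresh install; that is the value this check treats as non-compliant, since an unlimited number of guesses is exactly the scenario the Safeguard is written for.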
Safeguard 4.9 requires you to configure trusted DNS servers on your enterprise assets.
DNS (the Domain Name System) plays a critical role in directing web traffic. If you want to go to LinkedIn.com, DNS takes the domain name and returns the IP address associated with it so that your browser takes you to the correct site.
Not all DNS servers are created equal. Using an untrustworthy or unknown DNS server exposes you to risk, including malware and phishing attacks. Some public Wi-Fi networks hand out (or intercept traffic to) their own DNS server, so a VPN, or encrypted DNS (DNS over HTTPS) to your approved resolver, may be required if you're doing a lot of sensitive work on public networks.
Sure, we can all use Google's free 8.8.8.8 or 8.8.4.4, or Comcast's 75.75.75.75 or 75.75.76.76, but when protecting your business, paid DNS services give you an edge and functionality you won't get with a free solution: blocking of known-malicious domains, per-user logging, and policy that follows the roaming client.
Cisco Umbrella, TitanHQ, Zscaler, and DNSFilter are some of the solutions that provide secure, trusted DNS and work both in and out of the office for today's modern workforce.
The bottom line here is that when someone types in Microsoft.com we want them to reach Microsoft.com and be secure in knowing their credentials are going to the correct place. DNS hijacking is a form of DNS attack where an attacker manipulates how DNS queries are resolved and redirects end users to malicious websites instead of the legitimate ones.
So while this Safeguard is only required for IG2 and IG3, adding a solution that protects users against this threat is an easy add-on that works wherever the user is working.
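Whatever service you pick, the endpoint still has to be told to use it and nothing else. This added example (not part of the original post) audits every active adapter on a Windows machine against an approved resolver list, fixes drift, and pins the resolvers to DNS over HTTPS where the OS supports it. The 203.0.113.x addresses and the DoH template are documentation-range placeholders standing in for whichever service you chose.

```powershell
# Added example (not from the original post): enforce and verify trusted resolvers for Safeguard 4.9 on a
# Windows endpoint. Assumptions: run elevated; the approved addresses and the DoH template below are
# placeholders (203.0.113.0/24 is a documentation range) for your own service, not real resolvers.
$Approved    = @('203.0.113.53', '203.0.113.54')
$DohTemplate = 'https://doh.example.com/dns-query'

# 1. Audit: every adapter that is up must point only at approved resolvers.
$Bad = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses -and
                   (Get-NetAdapter -InterfaceIndex $_.InterfaceIndex -ErrorAction SilentlyContinue).Status -eq 'Up' } |
    Where-Object { $_.ServerAddresses | Where-Object { $_ -notin $Approved } }

foreach ($b in $Bad) {
    Write-Warning ('{0}: resolvers {1} are not approved; fixing' -f $b.InterfaceAlias, ($b.ServerAddresses -join ', '))
    # 2. Remediate: static resolvers override whatever the coffee-shop DHCP handed out.
    Set-DnsClientServerAddress -InterfaceIndex $b.InterfaceIndex -ServerAddresses $Approved
}

# 3. Windows 11 / Server 2022 and newer: pin the resolvers to DNS over HTTPS so an on-path network cannot
#    rewrite plain UDP/53 answers. -AllowFallbackToUdp:$false fails closed instead of leaking to clear text.
foreach ($ip in $Approved) {
    if (-not (Get-DnsClientDohServerAddress -ServerAddress $ip -ErrorAction SilentlyContinue)) {
        Add-DnsClientDohServerAddress -ServerAddress $ip -DohTemplate $DohTemplate -AllowFallbackToUdp:$false -AutoUpgrade:$true
    }
}

# 4. Check: clear the cache, resolve a known name through the approved resolver, and show what answered.
Clear-DnsClientCache
Resolve-DnsName -Name microsoft.com -Type A -Server $Approved[0] |
    Select-Object Name, IPAddress, @{ n = 'Resolver'; e = { $Approved[0] } }
```

If the VPN client or the DNS vendor's roaming agent already owns the adapter settings, run the audit half only and let that agent do the enforcement; two tools fighting over the same interface is its own outage.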
Safeguard 4.8 is required for Implementation Groups 2 and 3, but it's a great policy for everyone to deploy, as it calls for uninstalling or disabling any unnecessary services on your company devices or within software applications.
Beyond the obvious question of if it's not needed, why is it there?
Leaving unnecessary services and software components on your devices means you have to manage those components, and that includes patching, security exposure, and oftentimes the added cost of the components themselves.
File-sharing services, web application modules, service functions, server roles, old Apple QuickTime for Windows (end of life in 2016), Adobe Flash (end of life in 2020), and so many other tools that were once common for us as users.
Also think about your administrative habits. How many times have we left LANScanner, PuTTY, or other tools on Windows servers just so they were there when we needed them? When was the last time you updated or reviewed those tools?
How many years are you going to maintain that old SQL Server or Exchange Server?
You can see the threat here. Every service on a system is attack surface, so if it's not needed, uninstall it, disable it, and block its ports on your firewall while you're at it.
For compliance here you want two things.
First, tie back to Safeguards 1.1 and 2.1, your asset and software inventories, and have a process that reviews the services those systems and applications use. Are those services still needed today? Document them!
Second, ensure your Acceptable Use Policy states that installing services like FTP, HTTP, SFTP, RDP (moving it off 3389 to a port like 3390 doesn't make it exempt) and oh so many others must be approved and documented by IT first, especially if you don't have a tool that scans your network for these open ports and services.
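That review is easier when the server tells you what it is actually exposing. The following added example (not from the original post) lists every listening port with its owning process and service, marks what is not on the approved list, and switches off a few well-known leftovers. The approved-port table and the ticket reference are hypothetical; in practice they come from your 2.1 inventory.

```powershell
# Added example (not from the original post): a Safeguard 4.8 review of a Windows server - what is listening,
# which process and service own it, and whether it is on the approved list from your Safeguard 2.1 software
# inventory. Assumptions: run elevated; the approved list and ticket reference below are hypothetical and would
# normally come from your inventory/CMDB.
$ApprovedListeners = @{
    445  = 'SMB file sharing (file server role)'
    3389 = 'RDP, jump host only, approved in ticket IT-1234'   # hypothetical approval record
    5986 = 'WinRM over HTTPS'
}

# 1. Every non-loopback TCP listener, with the owning process and service, so each can be justified.
$Listeners = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' } |
    ForEach-Object {
        $owner = $_.OwningProcess
        $proc  = Get-Process -Id $owner -ErrorAction SilentlyContinue
        $svc   = Get-CimInstance Win32_Service -Filter "ProcessId = $owner" | Select-Object -ExpandProperty Name
        [pscustomobject]@{
            Port     = $_.LocalPort
            Address  = $_.LocalAddress
            Process  = $proc.ProcessName
            Service  = ($svc -join ',')            # several names = shared svchost
            Approved = $ApprovedListeners.ContainsKey([int]$_.LocalPort)
        }
    } | Sort-Object Port
$Listeners | Format-Table -AutoSize

# 2. Anything not approved is a finding: the AUP rule is that IT approves and documents it first.
$Listeners | Where-Object { -not $_.Approved } | ForEach-Object {
    "FINDING: port $($_.Port) open by $($_.Process) ($($_.Service)) with no documented approval"
}

# 3. Components that should simply be off: legacy optional features that show up on old builds.
foreach ($feature in 'TelnetClient', 'TFTP', 'SMB1Protocol', 'IIS-FTPServer') {
    $f = Get-WindowsOptionalFeature -Online -FeatureName $feature -ErrorAction SilentlyContinue
    if ($f -and $f.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName $feature -NoRestart | Out-Null
        "Disabled optional feature $feature"
    }
}

# 4. Services with no current owner: stop and disable (disabling is reversible, uninstalling is not, so
#    review the owner first). The names here are common leftovers, not a universal list.
foreach ($name in 'RemoteRegistry', 'SNMP', 'WebClient', 'Fax') {
    $s = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($s -and $s.StartType -ne 'Disabled') {
        Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $name -StartupType Disabled
        "Disabled service $name"
    }
}
```

Keep the listener table from each review alongside the inventory; a port that is approved this quarter but whose owning service changed next quarter is exactly the kind of drift this Safeguard is meant to catch.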
I want to personally thank you for following along and if you learned something new or found this content to be valuable please like and share. Since I have started this journey I am seeing more education around CIS Security and its framework throughout the industry.
Next up, with Safeguard 4.7 we have to manage those pesky default accounts on your assets and software. This includes root, administrator, guest, and the other built-in or vendor-configured accounts.
Managing these accounts is not rocket science, but it is something most of us are not doing a good job with.
First, disable the accounts that are not required. If a vendor only signs in once a quarter, then their account stays disabled until they need to log in, and have a documented process to validate that the person who needs to log in is actually still with that vendor.
The next piece is the stale-password threat that these default accounts carry. If you're using basic passwords then sure, resetting them every 90 days or whatever may be necessary, but let's be honest: you don't have time to reset all of them on a regular cadence, and if you do, human error will eventually cause a mistake.
The same is true for any applications that may have default vendor accounts, or, my favorite, those off-domain systems that run the HVAC or physical access control. They just sit there, oftentimes with no security controls and an outdated operating system.
"If it's on your network, can process your data, then it's your responsibility to ensure it is secure."
Microsoft LAPS (Local Administrator Password Solution) is a great tool (AND IT'S FREE) that manages the local administrator account password on domain-joined computers and stores it in Active Directory, protected by an ACL so only authorized administrators can read it. LAPS randomly generates a unique password per machine and rotates it automatically; the original LAPS supports machines running Windows 7 or Windows Server 2008 and newer, and its built-in successor, Windows LAPS (covered in the Safeguard 5.1 post above), can also back up to Entra ID. Give every machine its own password and an attacker who dumps one local admin hash can no longer reuse it across the fleet.
The bottom line is that we all have to stop using the same password on every workstation or domain admin account out there. Use a secure password management solution that meets your (and your team's) needs, and rotate the default account credentials on a regular basis.
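Both this post and the Safeguard 5.1 post above lean on LAPS, so here is one added example (not from either post) that covers the 4.7 housekeeping of built-in local accounts and the Windows LAPS retrieve-and-expire cycle from an admin workstation. It assumes PowerShell Remoting to the target, the built-in Windows LAPS module and policy already in place, and rights to read the LAPS password; the computer name is a placeholder.

```powershell
# Added example (not from the original posts): Safeguard 4.7 housekeeping for built-in local accounts on a
# Windows endpoint, plus the Windows LAPS password retrieve-and-expire cycle.
# Assumptions: run from an admin workstation with the built-in 'LAPS' module (Windows 11 / Server 2022+ with
# the April 2023 updates), PowerShell Remoting enabled on the target, rights to read the LAPS password in AD,
# and LAPS policy already applied to the target. 'WS-FINANCE-01' is hypothetical.
$Computer = 'WS-FINANCE-01'

# 1. Inventory the local accounts. SID suffix -500 is the built-in Administrator, -501 Guest,
#    -503 DefaultAccount, -504 WDAGUtilityAccount.
$Local = Invoke-Command -ComputerName $Computer -ScriptBlock {
    Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet,
        @{ n = 'BuiltIn'; e = { $_.SID.Value -match '-(500|501|503|504)$' } }
}
$Local | Format-Table Name, Enabled, BuiltIn, LastLogon, PasswordLastSet -AutoSize

# 2. Disable the default accounts that are never required for day-to-day use.
Invoke-Command -ComputerName $Computer -ScriptBlock {
    foreach ($name in 'Guest', 'DefaultAccount') {
        $acct = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
        if ($acct -and $acct.Enabled) { Disable-LocalUser -Name $name; "Disabled $name on $env:COMPUTERNAME" }
    }
}

# 3. Everything else that is enabled and not built-in needs an owner and a ticket, or gets disabled.
#    Vendor accounts stay disabled between visits and are re-enabled through the documented process.
$Local | Where-Object { $_.Enabled -and -not $_.BuiltIn } |
    ForEach-Object { "REVIEW: local account '$($_.Name)' is enabled on $Computer" }

# 4. Windows LAPS: confirm AD holds a current password for the host (no plaintext yet).
Get-LapsADPassword -Identity $Computer |
    Select-Object ComputerName, Account, PasswordUpdateTime, ExpirationTimestamp, Source

# 5. Retrieve the plaintext only when it is actually needed, then expire it so the next policy cycle
#    rotates it. Reads are audited if Set-LapsADAuditing has been applied to the computer OU.
$LapsPassword = (Get-LapsADPassword -Identity $Computer -AsPlainText).Password
# ... use $LapsPassword for the one-off task ...
Set-LapsADPasswordExpirationTime -Identity $Computer
```

The expire step is the part people skip: a LAPS password that was read once and never expired is a shared secret again until its normal rotation comes around, which defeats the reason for deploying LAPS in the first place.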
Safeguard 4.6 requires you to securely manage your enterprise assets and software. Example implementations include managing configuration through version-controlled infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as SSH (Secure Shell) and HTTPS (Hypertext Transfer Protocol Secure).
Do not use insecure management protocols such as Telnet (Teletype Network) and HTTP unless it is operationally essential.
Infrastructure-as-code helps you ensure that changes are reviewed by someone on your team before being pushed to production, reducing the risk of mistakes or vulnerabilities being introduced into the system. It also lets you track every change and roll back to a previous version to maintain the integrity of the system.
The big takeaway with Safeguard 4.6 is to disable Telnet and HTTP management if they're not required. You should also consider disabling other outdated technologies such as legacy basic authentication over POP3, IMAP, and SMTP, along with TLS 1.0, TLS 1.1, and many others. Disabling them forces your teams to use the approved, secure management interfaces.
For each asset, document how you should be connecting to it and whether any legacy or unsupported services or interfaces are required for it to function.
Remember, you shouldn't document the process, the map (configuration data), and the key (credentials) in the same place.
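On a Windows server the three concrete moves behind this Safeguard are removing the Telnet client, making remote management (WinRM) listen only over HTTPS, and switching off TLS 1.0 and 1.1. The following is an added example, not from the original post; it assumes an elevated session, a server-authentication certificate for the host already in the LocalMachine\My store, and that a reboot will follow for the SCHANNEL change to take effect.

```powershell
# Added example (not from the original post): Safeguard 4.6 hardening on a Windows server - remove the Telnet
# client, make WinRM listen only over HTTPS, and turn off TLS 1.0/1.1 in SCHANNEL.
# Assumptions: run elevated; a server-auth certificate for this host's FQDN is already in LocalMachine\My;
# a reboot is required for the SCHANNEL change to take effect.

# 1. The Telnet client is an optional feature that has no business on a server.
if ((Get-WindowsOptionalFeature -Online -FeatureName TelnetClient).State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName TelnetClient -NoRestart | Out-Null
}

# 2. WinRM: add an HTTPS listener bound to the host certificate, then remove the HTTP (5985) listener.
$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$Fqdn*" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $Cert) { throw "No valid certificate for $Fqdn in LocalMachine\My" }

$Listeners = Get-ChildItem WSMan:\localhost\Listener
if (-not ($Listeners | Where-Object Keys -contains 'Transport=HTTPS')) {
    New-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
        -ValueSet @{ Hostname = $Fqdn; CertificateThumbprint = $Cert.Thumbprint } | Out-Null
}
$Listeners | Where-Object Keys -contains 'Transport=HTTP' |
    ForEach-Object { Remove-Item -Path "WSMan:\localhost\Listener\$($_.Name)" -Recurse -Force }

# Belt and braces: refuse unencrypted WS-Man traffic even if someone re-adds an HTTP listener later.
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false

# 3. SCHANNEL: disable TLS 1.0 and 1.1 for both client and server roles (Enabled=0, DisabledByDefault=1).
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Keys = foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
    foreach ($role in 'Client', 'Server') {
        $key = Join-Path $Base "$proto\$role"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name Enabled           -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -PropertyType DWord -Force | Out-Null
        $key
    }
}

# 4. Evidence: what is still listening for management, and the protocol state for the asset record.
Get-ChildItem WSMan:\localhost\Listener | Select-Object Name, Keys
Get-ItemProperty -Path $Keys | Select-Object PSPath, Enabled, DisabledByDefault
```

Do the certificate step before removing the HTTP listener, and from a console session rather than over WinRM itself, or you will cut off the session you are working in. Any appliance that genuinely cannot speak TLS 1.2 is the "operationally essential" exception, and it goes into the asset's documentation as such rather than silently keeping the old protocol on everywhere.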
Today's modern workforce requires a different approach to cybersecurity and to securing workstations than it did just five years ago.
This is why CIS Safeguard 4.5 is so important: it requires the implementation and management of a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
The good news is that most default configurations, like Windows Defender Firewall in Windows 10, already block all unsolicited inbound traffic unless an exception rule is created, so simply leaving the default configuration enabled gets you there (note that the Windows default for outbound traffic is allow; decide deliberately whether that is acceptable for you). The issue comes into play when you start customizing and forget to make sure the default-deny rule is still in place in your custom settings.
The majority of Remote Monitoring and Management (RMM) tools, and Microsoft Intune, provide the ability to configure these settings, and most will alert you if a setting changes (if alerting is enabled).
I would recommend ensuring that Windows Defender Firewall with Advanced Security logging is enabled and configured, and that the audit subcategory for firewall policy changes is on, so you have a historical record of when the firewall was disabled, enabled, or changed. Tools like Netwrix or Liongard may provide a third-party method of tracking these changes as well.
The historical record is important: you want to be able to prove to an auditor that you have the policy and automation set up to establish the firewall, and also the historical records showing it continues to stay active and protect your end users.
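The per-host version of all of that, as an added example that is not part of the original post: enforce default-deny inbound on every profile, turn on the firewall log and the audit subcategory that records changes, and pull the evidence. It assumes an elevated session on Windows 10 or 11; at scale the enforcement half is what Intune or Group Policy delivers, and the check half is what you run to prove it stuck.

```powershell
# Added example (not from the original post): Safeguard 4.5 baseline for Windows Defender Firewall - enforce
# default-deny inbound on every profile, turn on logging, enable the audit subcategory that records firewall
# changes, and pull the evidence an auditor asks for. Assumptions: run elevated on Windows 10/11; Intune or
# GPO should deliver this at scale, this is the per-host equivalent and the spot check.

# 1. Enforce: all three profiles on, inbound default Block. Outbound stays Allow (the Windows default);
#    4.5 is met by the inbound default-deny, but the choice is written down here on purpose.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow -AllowInboundRules True `
    -LogBlocked True -LogAllowed False `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log' -LogMaxSizeKilobytes 16384

# 2. Record changes: Security log events 4946-4948 (rule added/modified/deleted), 4950 (setting changed)
#    and 5025 (firewall service stopped) come from this audit subcategory.
auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable | Out-Null

# 3. Check: the host fails if any profile is off or is not default-deny inbound. Most drift comes from a
#    custom policy that forgot to keep the deny-by-default, exactly as the post describes.
function Test-CisFirewallBaseline {
    $bad = Get-NetFirewallProfile | Where-Object {
        $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block'
    }
    foreach ($p in $bad) {
        Write-Warning "$($p.Name): Enabled=$($p.Enabled) DefaultInbound=$($p.DefaultInboundAction)"
    }
    return (-not $bad)
}
"Baseline compliant: $(Test-CisFirewallBaseline)"

# 4. Evidence: the holes (enabled inbound Allow rules with their ports) and the change history.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Profile   = $_.Profile
        Protocol  = $pf.Protocol
        LocalPort = ($pf.LocalPort -join ',')
    }
} | Sort-Object LocalPort | Format-Table -AutoSize

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4946, 4947, 4948, 4950, 5025; StartTime = (Get-Date).AddDays(-90) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

The inbound Allow table is the list to walk through with the application owners: every row is a hole in the default-deny, and each one needs a reason that survives the next review. The 90-day event history is the "it stayed on" half of what the auditor wants, so ship those event IDs to your SIEM rather than relying on the local Security log surviving that long.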