The Center for Internet Security (CIS) Controls have become an industry standard that helps businesses and organizations of all sizes maintain a baseline set of cybersecurity controls.
Safeguard 3.2 brings us back to knowing what you have, as it calls for you to establish and maintain a data inventory. You are required to inventory sensitive data at a minimum, but you should go through the same exercise with all of your data types.
You should review and update the inventory annually at a minimum, with priority on the sensitive or critical data classifications.
I would map a document that includes the File Path, Storage Location, Backup and Retention period and location, data classification (critical, high, medium, low), and what groups or users have access to it.
As we go through the process you'll hear it again and again: you can't protect what you don't know, and if you don't know where your data is stored and what types of data are there, you can't secure it.
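As an added example (not from the original post), the check below validates a Safeguard 3.2 data inventory kept as a CSV with the columns the post lists: it flags entries with missing fields, entries not reviewed within a year, and Critical/High data readable by catch-all groups. The column names, the group names and the sample rows are assumptions constructed for the example.

```powershell
# Added example, not from the original post: check a Safeguard 3.2 data inventory
# kept as a CSV with the columns the post lists. It flags entries missing a field,
# entries not reviewed within a year, and Critical/High data readable by catch-all
# groups. The column names and the group names are assumptions.
$Required    = 'FilePath','StorageLocation','BackupLocation','RetentionPeriod',
               'Classification','AccessGroups','LastReviewed'
$BroadGroups = 'Everyone','Authenticated Users','Domain Users'   # assumed names

function Test-DataInventory {
    param([Parameter(Mandatory)][string]$Path)
    $today = Get-Date
    foreach ($row in Import-Csv -Path $Path) {
        $missing = $Required | Where-Object { [string]::IsNullOrWhiteSpace($row.$_) }
        if ($missing) {
            [pscustomobject]@{ Entry = $row.FilePath; Finding = "Missing: $($missing -join ', ')" }
            continue
        }
        # Safeguard 3.2: review at least annually, sensitive data first
        $age = ($today - [datetime]$row.LastReviewed).Days
        if ($age -gt 365) {
            [pscustomobject]@{ Entry = $row.FilePath; Finding = "Review overdue ($age days)" }
        }
        # Sensitive data should not be granted to groups that effectively mean "everyone"
        $groups = $row.AccessGroups -split ';' | ForEach-Object Trim
        $broad  = $groups | Where-Object { $BroadGroups -contains $_ }
        if (($row.Classification -in 'Critical','High') -and $broad) {
            [pscustomobject]@{ Entry   = $row.FilePath
                               Finding = "$($row.Classification) data open to $($broad -join ', ')" }
        }
    }
}

# Constructed sample inventory so the check runs offline
$recent = (Get-Date).AddDays(-30).ToString('yyyy-MM-dd')
$stale  = (Get-Date).AddDays(-400).ToString('yyyy-MM-dd')
$sample = @"
FilePath,StorageLocation,BackupLocation,RetentionPeriod,Classification,AccessGroups,LastReviewed
\\fs01\HR\Payroll,FS01 D:\Shares\HR,Vault A,7 years,Critical,HR-Payroll,$recent
\\fs01\Sales\Pricing,FS01 D:\Shares\Sales,Vault A,3 years,High,Domain Users;Sales,$stale
\\fs01\Public\Templates,FS01 D:\Shares\Public,,1 year,Low,Everyone,$recent
"@
$csv = Join-Path ([IO.Path]::GetTempPath()) 'data-inventory-sample.csv'
Set-Content -Path $csv -Value $sample
Test-DataInventory -Path $csv | Format-Table -AutoSize
```

With the sample above, the Pricing share is reported twice (overdue review and High data open to Domain Users) and the Templates share once for its empty backup location.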
Join the conversation - https://www.linkedin.com/posts/scottintech_ciscontrols-cybersecurity-secureit-activity-7073059976482549760-dn_e?utm_source=share&utm_medium=member_desktop
Now that you know what assets you have in your inventory lists, it's time to start protecting them.
CIS Control Safeguard 3.1 is to Establish and Maintain a Data Management Process. The process should address data sensitivity, data ownership, how data is handled, data retention limits, and disposal requirements. This process should be reviewed and updated on an annual basis or when significant changes occur within the data or types of data being stored.
I always started Control 3 with, you guessed it, an inventory of everywhere data is being stored (it's actually Safeguard 3.2). It was not uncommon to discover that data was in OneDrive, Google Drive, Box.com, Dropbox, on local hard drives, USB drives, etc. That is a nightmare to try to understand, let alone to establish a process around.
So in our internal Data Usage Policies we outlined what types of data could be stored where. Each type of data was then documented against the criteria outlined in this process.
If it contained trade secrets, business information, employee data, client records, PII, PHI, or other data deemed confidential, it was labeled High or Critical, listing who owned it, where the data was handled, and how it was retained and backed up.
The same exercise was completed for the Medium and Low data sensitivity classifications. This was all documented in the Internal Data Usage Policy, which every employee had to read and sign off on, confirming they understood it, annually or any time a change occurred.
For compliance here you need to have your processes and policies typed up and documented. It's not hard once you know where and how your data is being stored and accessed. Getting control over how your data is being stored, however, may be your biggest battle if end users have never had any restrictions before.
Remember to educate users on why it's important to know how data is being stored, why it's required for security compliance, and ultimately why everyone is responsible for ensuring the company stays secure. You'll have pushback from a few people, but with leadership buy-in they will adopt it.
Join the conversation - https://www.linkedin.com/posts/scottintech_ciscontrols-cybersecurity-secureit-activity-7072793568058204160-YzoX?utm_source=share&utm_medium=member_desktop
We have now reviewed 15 of the 153 Safeguards, completing Controls 1 and 2, which are both about inventory control.
CIS Control Safeguard 2.7 is the Allowlist of Authorized Scripts: using technical controls, such as digital signatures and version control, to ensure that only authorized scripts (.ps1, .py and the like) are allowed to execute. You have to reassess this at least bi-annually, and before you scare yourself, this safeguard is only required for Implementation Group 3 compliance.
Two quick tools I know do this well are ThreatLocker and Ivanti Zero-Trust Network Access (ZTNA). There are likely others out there, but I would start my search with these two products if you are looking for compliance here.
While there are methods to block the use of PowerShell in Windows via AppLocker policy, you would have to duplicate the steps and process for other applications like CMD that may enable batch scripts to run, or for other scripting engines that may be installed. So, in combination with 2.5, you can likely get away with just blocking PowerShell and batch scripts, as the software allowlist would not have authorized any similar programs that can run scripts locally.
I would still point back to the two applications above for your ease and peace of mind, just knowing it's still working.
The bottom line for Control 2 is that you have to maintain a current and accurate inventory of all applications on all of your assets, and then have the ability to allowlist and block the software, libraries, and scripts you don't want to run.
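The AppLocker route mentioned above, worked through as an added example (not code from the original post or from either vendor named): scripts in an assumed approved share get Allow rules, everything else is reported in audit mode first, and a candidate script can be tested against the policy before it is applied. The share path, output path, domain and group name are assumptions; it needs an elevated session on a host where the Application Identity service is running.

```powershell
# Added example, not from the original post: a Safeguard 2.7 script allowlist built
# with AppLocker. Only scripts found in an assumed approved share get Allow rules
# (Publisher rules for signed scripts, Hash rules otherwise); anything else, including
# ad hoc .ps1/.bat/.cmd/.vbs/.js files, is logged in audit mode. Paths, the domain and
# the group name are assumptions; run elevated.
$ApprovedScripts = '\\fs01\IT\ApprovedScripts'        # assumed location
$PolicyXml       = 'C:\Policies\ScriptAllowlist.xml'   # assumed output path (folder must exist)

# 1. Gather signature and hash data for every approved script (-FileType Script
#    covers the script extensions AppLocker understands).
$info = Get-AppLockerFileInformation -Directory $ApprovedScripts -Recurse -FileType Script

# 2. Generate Allow rules for the assumed IT-Scripters group only. -Optimize collapses
#    scripts from the same signer into one Publisher rule, which survives version bumps;
#    unsigned scripts fall back to Hash rules and must be regenerated when they change.
[xml]$policy = New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash `
                 -RuleNamePrefix 'CIS-2.7' -User 'CONTOSO\IT-Scripters' -Optimize -Xml

# 3. Start in AuditOnly so nothing breaks while the inventory is reassessed;
#    switch to Enabled once the audit log is clean.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.Save($PolicyXml)

# 4. Ask the policy what it would do with a candidate script before applying it.
function Test-ScriptAllowed {
    param([Parameter(Mandatory)][string]$ScriptPath, [string]$User = 'CONTOSO\jdoe')
    $r = Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $ScriptPath -User $User
    [pscustomobject]@{ Script = $ScriptPath; Decision = $r.PolicyDecision; Rule = $r.MatchingRule }
}
# A script outside the approved share has no matching rule, so expect a deny decision
Test-ScriptAllowed -ScriptPath 'C:\Users\jdoe\Downloads\fix-printer.ps1'

# 5. Merge into the local policy (use -Ldap with a GPO path to deploy by Group Policy).
Set-AppLockerPolicy -XmlPolicy $PolicyXml -Merge

# 6. Review what would have been blocked while in audit mode (event 8006 = script audited).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8006 } -MaxEvents 20 |
    Select-Object TimeCreated, Message
```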
Join the conversation - https://www.linkedin.com/posts/scottintech_ciscontrols-cybersecurity-safeguards-activity-7072291885871951872-L7ye?utm_source=share&utm_medium=member_desktop
The 153 #Safeguards, which are found in the 18 controls, are a foundation for protecting your technology and data. They are not rocket science, and the majority you can start to implement today.
Follow along as I outline and simplify the safeguards as we work together and #SecureIT.
Today we are going to review 2.5 and 2.6, which use technical controls to establish an allowlist for software (2.5) and libraries (2.6). Both are requirements for Implementation Group 2 and both require a bi-annual reassessment at minimum.
Looking at software, you need to ensure that only authorized software can execute or be accessed, also known as #Whitelisting.
Microsoft Windows Defender Application Control (WDAC) allows organizations to control what applications are installed, and you can also use Microsoft Intune for whitelisting.
Some Remote Monitoring and Management Tools like N-able's N-Central offer Application Compliance.
I really love what Danny Jenkins and the team at ThreatLocker have done with application allowlisting and if you have to check off this compliance requirement, you should check them out.
Safeguard 2.6 takes it a step further with allowlisting of libraries such as .dll, .ocx, and .so files, i.e. the files that are loaded into a system process.
Windows Defender Application Control policy rule option 19 (Enabled:Dynamic Code Security) enables policy enforcement for .NET applications and dynamically loaded libraries; it is only supported on Windows 10 v1803 and newer or Server 2019 and newer.
I would again recommend looking at the #ZeroTrust model at ThreatLocker, as it will check off the boxes for 2.5, 2.6, and 2.7, which we will look at tomorrow.
Join the conversation online at - https://www.linkedin.com/posts/scottrdavispa_ciscontrols-cybersecurity-safeguards-activity-7071953394730463232-gyLU?utm_source=share&utm_medium=member_desktop
We kick off the week with Safeguard 2.4, which is to utilize an automated software inventory tool, where possible, to automate the discovery and documentation of installed software.
Safeguard 2.4 is only required for #ImplementationGroup2 and #IG3, but by utilizing a tool to automate your #SoftwareInventory you will also check off Safeguard 2.1.
STOP!!!
It's very possible you are already using a tool that does this. The majority of Remote Monitoring and Management (RMM) tools, because they maintain a list of systems for remote access, will typically also provide you an inventory of the software installed on each system. RMMs typically target your Windows, Mac, or Linux systems, and some may also cover your mobile devices with Mobile Device Management add-ons. To comply you do need to maintain the software inventory for all company assets.
Tools like Microsoft #Intune, N-able N-Central, ConnectWise, Kaseya, Autotask Corporation, Barracuda MSP, Syncro, NinjaOne, and ManageEngine all likely provide some sort of list functionality among their other functions.
Liongard or Netwrix Corporation expand on what the RMM does and can focus on more in-depth analysis and historical records of what software was installed, versions, and more.
No matter what tool you find or choose to implement, it is critical to ensure that it integrates with the inventory/documentation tool you are using, so that you stay compliant with Safeguard 2.1.
Again, while 2.4 is not required for IG1, this really is a no-brainer to incorporate, and it is typically a low-cost add-on if you're not already doing it.
Join the conversation at https://www.linkedin.com/posts/scottrdavispa_ciscontrols-cybersecurity-safeguards-activity-7071611390171475968-uHHt?utm_source=share&utm_medium=member_desktop
Safeguard 2.3 is the last safeguard in Control 2 that is required for all three Implementation Groups. How you address unauthorized software is up to you: you can choose to authorize it, remove it, or provide a documented exception, and this should be reviewed at least monthly.
Like Safeguards 2.1 and 2.2 this is not a huge ask, and it should be something that is already part of your monthly processes. If it's not, then it's time to create that policy and start documenting your software inventory to identify what is and what is not authorized.
While the easiest thing may be to say authorize all software, you and I both know that is not why we are in the #CyberSecurity field. Ensuring we know what we have to protect, and having the policies to back us up when we need it are critical to our success.
You have your Software Inventory, including its business use case, and you've ensured all of the software is currently supported. I would start with a process where all software install requests have to be supported by a ticket outlining what you have to inventory, including the business use case. A manager can approve it or not.
Ensuring end users don't have install rights eliminates the possibility of Bob just downloading and installing that classic Napster or LimeWire (yes, I dated myself) application.
Now you think, well then I have to connect in and install every time there's an update or this or that, and that's more time than it's worth.
I'm going to call out CyberFOX and their #AutoElevate tool, which is a #PrivilegedAccessManagement (#PAM) tool that will audit User Account Control (UAC) events to see what applications are being installed and updated, create rules based on UAC events, automate ticket requests, and remove local admin rights to protect your users and data. If you are looking to comply with CIS Controls or any compliance standard, take a look at https://lnkd.in/g8CWFDe8
To check off Safeguard 2.3, all you need to have is the documentation on how you address unauthorized software, when it's reviewed, and a library of the documented exceptions.
Join the Conversation - https://www.linkedin.com/posts/scottrdavispa_ciscontrols-cybersecurity-safeguards-activity-7070451518717505536-dCzT?utm_source=share&utm_medium=member_desktop
Safeguard 2.2 is one that, while it is common sense, has to be in writing. Ensuring that authorized software is currently supported is critical, as application #zerodayvulnerabilities in outdated software are well documented and are used as a method to access your network and data.
2.2 calls for only currently supported software to be used and recorded in the software inventory (2.1). If software is unsupported but is required for the business, then an exception detailing mitigating controls and risk acceptance must be documented (for those still running those legacy applications). Without that documentation it must be inventoried as unauthorized. Software support should be checked at least monthly, or more frequently.
In reality, as long as the application is the current version it's supported and assumed to be the most secure version available. I'm not saying to install every update on day 1, but updates that disclose a zero-day vulnerability should be reviewed and escalated for deployment.
Remember, 2.2 requires that you ensure the software is currently supported; even some old versions are typically supported for a couple of years after release. Windows 10 is still supported by Microsoft until 2025. Intuit QuickBooks Desktop 2020 actually just ended its support period on May 31, 2023.
So when you initially look at 2.2 you may think, how am I going to check this off? It's just making sure you know what is installed and supported with regard to the authorized software in use across your assets.
Of course your best practice should be to always ensure all software is patched and updated, including the Operating System, applications, and mobile apps.
Continue to follow the #CyberEducationMonth tag and learn other Educational Tips and Tricks on keeping your network and data secure.
Join the conversation on LinkedIn - https://www.linkedin.com/posts/scottrdavispa_ciscontrols-cybersecurity-safeguards-activity-7069718527959552001-oKYh?utm_source=share&utm_medium=member_desktop
We begin our review of CIS Control 2.x, which covers the #Inventory and #Control of #Software Assets. Every organization should actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute.
Not much has changed in 20 years: employees will go out and find a software title that resolves an issue or streamlines a process for themselves and install it. It could be the traditional WinZip application or a photo editor. It could also be their favorite game or, within the modern workspace, if the workstation is shared with a family member, a tool for their school, work, or play.
What has changed is that more of the software titles in use today are web-based, but there is still more than enough downloading and installing for this to be a concern.
Safeguard 2.1 requires you to establish and maintain a software inventory. It must include at least the title, publisher, initial install/use date, business purpose for each entry, the URL, app store(s), version(s), deployment mechanism, and decommission date. It requires review and update of the inventory at least bi-annually.
How many times have you installed and removed an application the same day or a week later? Let's be real, this is a challenge to complete without some sort of automated tool, and that tool has to have privileges on the computer that allow it to query and report on the installed list.
The easiest way to check this off is to use a Remote Monitoring and Management (RMM) tool or Microsoft Intune, as they will provide you a current software listing that you can maintain. The issue is that most RMM tools only retain records for up to 90 days, and even then you may have challenges looking back in time if you have to recall past records.
To check this box you can maintain the classic spreadsheet and manually review your systems no less than twice a year.
Remember you need to do this for all assets from Safeguard 1.1, so that includes all end-user devices, network devices, IoT devices, and servers.
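As an added example (not code from the original post or from any RMM vendor), the script below does the query an inventory tool performs on a Windows host, reading the registry Uninstall keys for title, publisher, version and install date (Safeguard 2.1), then compares the result with an authorized-software list to surface unauthorized and unsupported entries (2.2 and 2.3). The allowlist CSV layout and its rows are constructed assumptions.

```powershell
# Added example, not from the original post: pull the installed-software list from
# the registry Uninstall keys (the same source most RMM agents read), then compare
# it with an authorized-software CSV to find Safeguard 2.2/2.3 exceptions.
# The CSV layout and its contents are constructed assumptions.
$UninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'

function Get-InstalledSoftware {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
      Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
      ForEach-Object {
        # InstallDate is stored as yyyyMMdd; leave it untouched when missing or odd
        $date = if ($_.InstallDate -match '^\d{8}$') {
                  [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null).ToString('yyyy-MM-dd')
                } else { $_.InstallDate }
        [pscustomobject]@{
            Title = $_.DisplayName; Publisher = $_.Publisher
            Version = $_.DisplayVersion; InstallDate = $date
            Host = $env:COMPUTERNAME
        }
      } | Sort-Object Title -Unique
}

function Compare-ToAllowlist {
    param([Parameter(Mandatory)][object[]]$Installed,
          [Parameter(Mandatory)][string]$AllowlistCsv)
    $allowed = Import-Csv $AllowlistCsv
    foreach ($app in $Installed) {
        $match  = $allowed | Where-Object { $app.Title -like $_.TitlePattern }
        $status = if (-not $match)                    { 'Unauthorized' }
                  elseif ($match.Supported -eq 'No')  { 'Unsupported (needs documented exception)' }
                  else                                { 'Authorized' }
        [pscustomobject]@{ Title = $app.Title; Version = $app.Version; Status = $status
                           BusinessUse = ($match | Select-Object -First 1).BusinessUse }
    }
}

# Constructed allowlist: title pattern, business purpose, support status (Safeguard 2.2)
$allowlist = @'
TitlePattern,BusinessUse,Supported
Microsoft Edge*,Browser for web apps,Yes
7-Zip*,Archive handling,Yes
QuickBooks Desktop 2020*,Accounting (legacy),No
'@
$csv = Join-Path ([IO.Path]::GetTempPath()) 'authorized-software.csv'
Set-Content -Path $csv -Value $allowlist
Compare-ToAllowlist -Installed (Get-InstalledSoftware) -AllowlistCsv $csv |
    Where-Object Status -ne 'Authorized' | Format-Table -AutoSize
```

The full `Get-InstalledSoftware` output is what goes into the inventory record for each host; the filtered comparison is the monthly 2.3 review list.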
Join the conversation on LinkedIn - https://www.linkedin.com/posts/scottrdavispa_ciscontrols-cybersecurity-safeguards-activity-7069718527959552001-oKYh?utm_source=share&utm_medium=member_desktop
Wrapping up Control 1 with Safeguard 1.5, which is only required for Implementation Group 3 (#IG3) and calls for the use of a passive asset discovery tool. The passive tool needs to identify assets connected to the network, and its output should be reviewed at least weekly.
If we go back to Safeguard 1.3, it called for an Active Discovery Tool to identify assets connected to the network. It's important to note that an active scanner directly interacts with endpoints by querying them with test traffic packets and reviewing each response to find vulnerabilities.
Safeguard 1.5 is now looking for a passive discovery tool to do the same. Passive scanners "silently" glean network data to detect weaknesses without actively interacting with endpoints.
It's important to note that to be IG3 certified you will need both the processes and the tools in place to do both active and passive discovery.
The bottom line is your inventory is step 1 and is critical for data and cybersecurity frameworks. "You can't protect what you don't know" (Scott Davis). The inventory is the foundation to your knowledge.
So ensure you are looking at your asset inventory, including end user devices, network devices, IoT devices, servers, and any other asset that can store or process data. Understand what types of data may be found on the asset and why it's wherever it's needed.
Knowing your inventory means you are already steps ahead of nefarious actors who are trying to find a way into your network and data.
Next we will review Control 2, which is you guessed it Inventory and Control of Software Assets. Yup, more inventorying.
Need help getting started with your policy? Download an Asset Management Template here!
Join the conversation on LinkedIn - https://www.linkedin.com/posts/scottrdavispa_ciscontrols-safeguards-secureit-activity-7069349248886038528--x2R?utm_source=share&utm_medium=member_desktop