Top 20 CIS Critical Security Controls (CSC) Through the Eyes of a Hacker – CSC 13

In this blog series, members of Optiv’s attack and penetration team are covering the top 20 Center for Internet Security (CIS) Critical Security Controls (CSC), showing an attack example and explaining how the control could have prevented the attack from being successful. Please read previous posts covering:

• CSC 1: Inventory of Authorized and Unauthorized Devices
• CSC 2: Inventory of Authorized and Unauthorized Software
• CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• CSC 4: Continuous Vulnerability Assessment and Remediation
• CSC 5: Controlled Use of Administrative Privileges
• CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
• CSC 7: Email and Web Browser Protections
• CSC 8: Malware Defenses
• CSC 9: Limitation and Control of Network Ports, Protocols and Services
• CSC 10: Data Recovery Capability
• CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
• CSC 12: Boundary Defense

CSC 13: Data Protection

The Control

The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.

The Attack

Data protection is the key to why security is so important. In the triad of CIA (Confidentiality, Integrity and Availability) perhaps the most critical component is the confidentiality of the data organizations have on their products, customers or business ventures. Integrity and availability are important as well, but when a breach occurs and organizational data is leaked to the world, it can be one of the biggest hits to a company’s reputation. A lot of controls work together, and CSC 13 does share similarities with CSC 12: Boundary Defense. For that purpose this post will focus less on the components that overlap and more on the unique metrics that organizations can implement to improve security. 

For my example attack in this blog post, I will show a policy violation surrounding data loss prevention (DLP). Often this is not done out of malicious intent, but I have seen this situation in real organizations.

There are several scenarios where employees may access sensitive data and inadvertently break DLP policies exposing secure information, such as:

• Downloading a file
• Printing data
• Saving a screenshot

Figure 1: Saved data

Often the information systems which are configured to house sensitive data are also configured with strong security mechanisms to prevent unauthorized access to data. When data is downloaded, printed  or copied in any form from the environment, the security controls protecting the data are generally no longer in place. As a result, if an attacker can gain access to employee’s workstations through some attack such as email phishing, then the attacker would be able to access the data much easier than trying to break into the system where the data is most protected.

The Solution

For the above scenario, it takes a combination of technology and policy in order to effectively secure data. Organizations should employ defense-in-depth in order to protect data as much as possible and assume that it is possible for data to leak from its primary secured storage locations. A few of these defense-in-depth technologies/policies include:

• Encrypting data as rest
  • Strong encryption key management
• Full disk encryption (FDE) on mobile devices
• Restrict access to file upload and transfer sites
• Disable USB write access
• Implement a network-based DLP solution configured on a network SPAN port

Additionally, organizations should periodically scan for data on systems which it is not intended to be on employee workstations. This can be done with a continuous monitoring tool but should be validated occasionally with full system scans to identify RegEx patterns which match the privileged information the company is attempting to protect (i.e. credit cards or social security numbers).

A strong method to go about validating that data is protected within the organization includes:

• Implementing strong technology solutions to prevent the leaking of privileged information
• Consistent staff training of privileged data handling processes and policies
• Making sure that data is only where it is intended and is encrypted

The next post will cover CSC 14: Controlled Access Based on the Need to Know.