Sunday, February 24, 2019

CIS Control 1: The Beginning of Basic Cybersecurity

CIS Control 1 - Inventory and Control of Hardware Assets

The CIS Critical Controls were developed as a framework that not only establishes basic cybersecurity hygiene but also leads to the planning and implementation of a robust security program. To build any protection scheme, you first have to know the extent of what you are protecting. That is the stated purpose of Control 1.

CIS Control 1 Overview: Inventory of Authorized and Unauthorized Devices

Critical Control 1 states: “Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access” (CIS Controls v7). Preventing unauthorized access is not the control's primary aim, although a complete inventory with attendant policy enforcement will do just that. Instead, it exists so an organization can be certain what devices are on its network, so that they can be effectively defended and do not become the unknown gap in the perimeter through which a devastating attack lands on an unsuspecting network. Compiling a detailed asset inventory can seem intimidating for an organization of any size, especially the first time. However, Control 1 is segmented into eight subcontrols that give form to the task.

CIS Control 1 Subcontrols 1.1 - 1.5

CIS Control 1 Subcontrols

Subcontrols 1.1 and 1.2 recommend the use of both active automated tools (which probe the network, for example by scanning address ranges) and passive tools (which listen to traffic, ARP, DHCP, or flow data) to identify device assets so they can be added to the hardware asset inventory and updated as needed. Anything with an IP address must be counted: printers, copy machines, and even vending machines if they connect to the network. The inventory is also not limited to what is always attached to the network. Devices arriving over Virtual Private Networks (VPNs) and mobile devices must also be inventoried, even though these connections come and go. Whether physical or virtual, if it has an IP address and ever connects to the network, it should be an inventoried asset. Tools of this kind exist at many price points, so an organization can usually devise a method that works within its current environment and is financially feasible.

Subcontrol 1.3 advises using Dynamic Host Configuration Protocol (DHCP) logging, together with an IP address management tool, to keep the hardware asset inventory current: because DHCP automates IP allocation, the server's lease log is a running record of which hardware address held which network address and when. Subcontrols 1.4 and 1.5 focus on maintaining a detailed inventory of every device that can store or process information, whether or not the device is currently connected and whether or not it is authorized to connect. At a minimum the inventory should record the network address, hardware (MAC) address, machine name, asset owner, department, and whether the asset has been approved to connect; noting whether a device is portable and recording serial numbers are good practice from the start and also serve to prove ownership for insurance purposes. Whatever fields an organization settles on, this procedure is dynamic and ongoing for the lifecycle of every device. Records must also be kept as devices are decommissioned and removed from the network or recommissioned and returned to it. This is a priority on par with keeping blueprints and maintenance records for an organization's physical and logical topology up to date.
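As an added example (not part of the original post, and not from CIS), the following Python script shows how DHCP lease logging can feed the inventory the way subcontrols 1.3 through 1.5 describe, and how the result produces the list of unauthorized devices that subcontrol 1.6 then asks you to act on. The lease text is constructed in ISC dhcpd.leases syntax rather than captured from any real server, and the inventory, names, and MAC addresses are made-up assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in ISC dhcpd.leases syntax; not a capture from any real network.
# In this file format a later block for the same IP supersedes an earlier one.
SAMPLE_LEASES = """
lease 10.10.1.20 {
  starts 3 2019/02/20 09:15:00;
  ends 3 2019/02/20 21:15:00;
  binding state free;
  hardware ethernet 00:1b:21:aa:bb:01;
}
lease 10.10.1.20 {
  starts 4 2019/02/21 09:15:00;
  ends 4 2019/02/21 21:15:00;
  binding state active;
  hardware ethernet 00:1b:21:aa:bb:01;
  client-hostname "fin-laptop-07";
}
lease 10.10.1.44 {
  starts 4 2019/02/21 10:02:11;
  ends 4 2019/02/21 22:02:11;
  binding state active;
  hardware ethernet 3c:52:82:cc:dd:02;
  client-hostname "HP-LaserJet-3";
}
lease 10.10.1.99 {
  starts 4 2019/02/21 11:47:30;
  ends 4 2019/02/21 23:47:30;
  binding state active;
  hardware ethernet a4:c3:f0:11:22:33;
  client-hostname "android-8f2e";
}
"""

# Constructed authorized inventory keyed by hardware (MAC) address. The fields are
# the ones subcontrol 1.5 asks for; the network address is filled in from DHCP.
INVENTORY = {
    "00:1b:21:aa:bb:01": {"name": "fin-laptop-07", "owner": "J. Doe", "dept": "Finance",
                          "portable": True, "approved": True},
    "3c:52:82:cc:dd:02": {"name": "HP-LaserJet-3", "owner": "Facilities", "dept": "Ops",
                          "portable": False, "approved": True},
    "00:25:90:ee:ff:10": {"name": "backup-srv-2", "owner": "IT", "dept": "IT",
                          "portable": False, "approved": True},
}

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)


@dataclass
class Lease:
    ip: str
    mac: str
    hostname: str
    state: str


def parse_leases(text):
    """Return {ip: Lease}, keeping only the last block seen for each IP."""
    leases = {}
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        mac = re.search(r"hardware ethernet\s+([0-9a-f:]+);", body, re.I)
        host = re.search(r'client-hostname\s+"([^"]*)";', body)
        state = re.search(r"binding state\s+(\w+);", body)
        leases[ip] = Lease(
            ip=ip,
            mac=mac.group(1).lower() if mac else "",
            hostname=host.group(1) if host else "",
            state=state.group(1) if state else "unknown",
        )
    return leases


def reconcile(leases, inventory):
    """Split active leases into authorized and unauthorized devices, and list
    inventoried devices that currently hold no lease (subcontrols 1.3-1.6)."""
    report = {"authorized": [], "unauthorized": [], "offline": []}
    seen = set()
    for lease in leases.values():
        if lease.state != "active":
            continue
        seen.add(lease.mac)
        asset = inventory.get(lease.mac)
        if asset and asset["approved"]:
            report["authorized"].append({**asset, "mac": lease.mac, "ip": lease.ip})
        else:
            # Candidate for subcontrol 1.6: remove, quarantine, or add to the inventory.
            report["unauthorized"].append(
                {"ip": lease.ip, "mac": lease.mac, "hostname": lease.hostname})
    for mac, asset in inventory.items():
        if mac not in seen:
            report["offline"].append({**asset, "mac": mac})
    return report


if __name__ == "__main__":
    result = reconcile(parse_leases(SAMPLE_LEASES), INVENTORY)
    for bucket, devices in result.items():
        print(bucket)
        for device in devices:
            print("  ", device)
```

Run against the constructed data, the Android device at 10.10.1.99 lands in the unauthorized bucket and the backup server shows as offline, which is exactly the information 1.6 needs. A MAC address is only an identifier, not proof of identity (it can be cloned), so this reconciliation tells you what is asking for addresses, while admission itself should rest on the port-level controls discussed under subcontrols 1.7 and 1.8.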

CIS Control 1 Subcontrols 1.6 - 1.8

Subcontrol 1.6 suggests steps for dealing with unauthorized devices: remove them from the network, quarantine them, or update the inventory if they turn out to be legitimate. When an organization learns the actual number of unauthorized devices currently on its network, it often discovers a need to update its policies and procedures for IoT (Internet of Things) devices. Such policies may take the form of employee education of various types, as well as clearly delineated employee agreements on what is and is not allowed on the network. APT (Advanced Persistent Threat) groups and other attackers look for exactly such unauthorized devices as an entry point into a network, or as a pivot point if the network is already compromised. Attack avenues are always evolving, and two of the most common routes for malware delivery are spear-phishing email aimed at an unwary employee and the connection of an unauthorized, unprotected device such as a smartphone or laptop.

Once the inventory is complete, subcontrols 1.7 and 1.8 describe steps toward enforcing which devices may connect. Port-level network access control (802.1X is the usual mechanism), along with proper switch configuration, is a necessity, and the access-control decision should be tied to the device asset inventory so that only inventoried, approved devices are admitted. Subcontrol 1.8 goes a step further and uses client certificates to authenticate hardware assets, which is harder to defeat than admission based on MAC address alone, because a MAC address is trivially cloned.

Certainly this task requires time, attention to detail, and commitment. It is not as exciting as other defensive work, but proper implementation lays the groundwork for executing the other 19 Controls and improves an organization's overall defense posture by increasing efficiency and response time and reducing the network attack surface.

Conclusion and Next Steps

The CIS Critical Controls are not rigid; they may be implemented in the ways that best suit an organization's needs and acceptable risk. Nor are the Controls weighted equally. Critical Control 1 is as essential to any cybersecurity posture as a foundation is to a house. CIS cites studies estimating that implementing the Controls mitigates the large majority of common attacks (figures in the 85 to 90 percent range are often quoted), which makes the return on investment hard to dispute and the importance easy to convey to management and board members.

Alpine Security remains committed to fostering cybersecurity awareness globally and locally while providing our specialized services to organizations and individuals alike. Pursuant to that commitment, Alpine Security offers a free consultation on our Enterprise Security Audit (ESA) Service. 

The ESA is based on the Top 20 Critical Controls published by the Center for Internet Security. The ESA is intended to provide a comprehensive picture of where an organization currently falls in Critical Control Implementation, while also delineating a roadmap for full implementation. With the increase in variety and methods of attack on organizations of all sizes and types, defensive uncertainty is a luxury no security-conscious entity can afford.

Saturday, February 2, 2019

Institutional Safeguards and the Human Element

Phishing emails from a CEO to an Executive Assistant with urgent tasks (scams) are on the rise

Does your organization welcome questions from employees? Would an employee feel comfortable questioning their supervisor about a task? How often do you push a job down the chain and expect it to “just get done?” The urgency of business demands that employees be able to carry out tasks without question. Unfortunately, that same urgency can lead to the exact conditions that cybercriminals exploit daily to the tune of billions of dollars. These exploits and a lack of focus on institutional safeguards to prevent them mostly go unnoticed within organizations until they become the target of a cyber-attack.

When discussing how cybercriminals operate, it is easy to adopt a “that could never happen to me” mentality. We have all heard the story of someone's uncle who was catfished out of his life savings by someone from another country whom he never met but who is the love of his life. The need for human connection may not be every individual's weak point, but everyone has at least one. In the business environment, humans are very often the weakest link in the security chain, and cybercriminals are particularly adept at manipulating the human element to extract money, intellectual property, and resources.

Here we will explore a case study involving a recent incident response that Alpine Security performed. In this incident, the company in question was targeted using email spoofing and phishing attacks resulting in losses of over $20k. This particular scam is noteworthy because it highlights a technique that is on the rise in recent months and illustrates how cybercriminals often use human and institutional weaknesses to fulfill their goals.

Initial Phishing Email to Elicit a Response

In the first phase of this attack, the criminal used a Gmail account designed to look like it was coming from the supervisor of the targeted employee, e.g., first.last@gmail.com. Seeing the name in the email address, the employee did not suspect that the email did not originate from their actual boss. The email explained that the supervisor wanted to give away some eBay gift cards to a vendor but was tied up and would like the employee to go and pick them up quickly. The employee responded and followed instructions to purchase $2,000 in eBay gift cards.  She was then instructed to scratch off the back of the cards and send images of the codes to the email account. As luck would have it, she sent the codes via text rather than email, enabling her company to catch the scam before the codes were leaked, but it was a very close call.

2nd Phishing Email. Attacker sent this email after they received a response to the first email.
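The first phase above turns on a lookalike sender: an employee's name, and even their first.last local part, at an outside mail domain. As an added example (not code from the original post or from Alpine Security), the Python below scores an inbound message for exactly that pattern, plus the two other tells in the story, a Reply-To that diverges from the visible sender and gift-card-plus-urgency wording. The domain, employee directory, and both messages are constructed assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example-corp.com"  # assumption: the organization's own mail domain

# Constructed directory of employees: normalized display name -> corporate address.
DIRECTORY = {
    "alex rivera": "alex.rivera@example-corp.com",
    "pat chen": "pat.chen@example-corp.com",
}

GIFT_CARD_TERMS = ("gift card", "itunes", "ebay", "scratch off", "codes")
URGENCY_TERMS = ("urgent", "quickly", "right away", "asap", "tied up", "in a meeting")

# Constructed messages, modelled on the two emails described in the case study.
PHISH = """From: Alex Rivera <alex.rivera@gmail.com>
Reply-To: alex.rivera.office@gmail.com
To: pat.chen@example-corp.com
Subject: Quick favor

Pat, I'm tied up in a meeting and need you to pick up $2,000 in eBay gift cards
for a vendor quickly. Scratch off the backs and email me the codes.
"""

LEGIT = """From: Alex Rivera <alex.rivera@example-corp.com>
To: pat.chen@example-corp.com
Subject: Q1 numbers

Pat, could you send me the Q1 numbers when you have a minute? Thanks.
"""


def _normalize(s):
    """'Alex.Rivera', 'ALEX_RIVERA' and 'Alex Rivera' all become 'alex rivera'."""
    return " ".join(re.sub(r"[._\-]+", " ", s.lower()).split())


def assess(raw_message):
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.rpartition("@")
    external = domain.lower() != CORP_DOMAIN
    findings = []

    # 1. Display name or local part mirrors an employee, but the domain is not ours.
    impersonation = False
    if external and _normalize(display) in DIRECTORY:
        impersonation = True
        findings.append(f"display name '{display}' matches employee "
                        f"{DIRECTORY[_normalize(display)]} but sender is external ({addr})")
    if external and _normalize(local) in DIRECTORY:
        impersonation = True
        findings.append(f"local part '{local}' mirrors an employee address at {domain}")

    # 2. Replies would go somewhere other than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To ({reply_to}) differs from From ({addr})")

    # 3. Lure content: gift cards plus time pressure.
    payload = msg.get_payload(decode=True) or b""
    text = (msg.get("Subject", "") + " " + payload.decode("utf-8", "replace")).lower()
    gift = [t for t in GIFT_CARD_TERMS if t in text]
    urgency = [t for t in URGENCY_TERMS if t in text]
    if gift:
        findings.append("gift-card language: " + ", ".join(gift))
    if urgency:
        findings.append("urgency language: " + ", ".join(urgency))

    if impersonation and (gift or urgency):
        verdict = "high"
    elif impersonation or (gift and urgency):
        verdict = "medium"
    else:
        verdict = "low"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        result = assess(sample)
        print(label, result["verdict"])
        for finding in result["findings"]:
            print("  -", finding)
```

This catches the lookalike-address case from the story, which is the one that slips past SPF and DKIM because the Gmail message is genuinely from Gmail. It does not catch a forged From header that uses the corporate domain itself; that requires SPF, DKIM and a DMARC policy that rejects unaligned mail, which is the control relevant to the second phase of the case study. Keyword lists like these are a prompt for a human check, not a blocking decision.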

At first glance, it is easy to assume that we, in the same position, would have noticed one of the several red flags in this story. However, understanding the psychology of this kind of attack makes clear how easy it is to fall victim to it. In this case, the criminal had two factors working in their favor. The first is the appeal to authority. Many employees are not going to question their boss when asked to perform a task, as long as the job seems somewhat reasonable; if it is a task the employee has performed before, they may not think twice about it at all. In a marketing or sales department, picking up some gift cards might not be an out-of-the-ordinary request. The appeal to authority can be just enough to make an employee second-guess their suspicion and take an action they otherwise would not have. Furthermore, company cultures often do not promote open communication and the freedom to question, so the employee may not feel empowered to raise concerns even when something seems amiss. Couple that with the second factor the criminal exploits, urgency, and you have a recipe for social engineering. The “supervisor” is in a hurry and needs their assistant to perform a task quickly. If the employee has doubts, this may be the nudge they need to set those doubts aside, get the job done, and “just be a team player.”

Employers should not underestimate the psychological factors that play into these scams. It is human nature to want to be helpful and do your job well. It is often an institutional weakness to expect employees to carry out tasks without question, or to put too few safeguards in place to keep the compromise of one employee from costing the company money. It is natural to want to blame the employee for being careless, but the truth is that her actions were precisely what her boss would have expected had he been the one who sent the request.

If the attack had stopped here, it would have been merely a lesson learned for the company to be more careful. Unfortunately, it didn’t.

In phase two of the attack, the criminal sent an executive at the same company an email that appeared to come from another person within the company. The executive clicked a link in the email, which prompted them to enter their Office 365 username and password. Thinking this was merely a routine sign-in prompt, the executive complied and went on with their work.

Unbeknownst to them, the login page was a fake (spoofed) copy of the Office 365 sign-in page, which captured their credentials. The attacker quietly logged into the mailbox and created an inbox rule that automatically marked any email from the finance department as read and moved it to a rarely viewed folder, so the executive never saw the replies. They then sent the finance department an email, from the executive's own mailbox, asking why an invoice to a company had not been paid. Over the next several days they posed as the executive and tricked the finance department into processing over $20k in fraudulent invoices.
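The inbox rule is the part of this attack that leaves a durable trace: Exchange Online records rule creation in its audit log, and a rule that hides mail from finance is rare in legitimate use. As an added example (not from the original post, not a product of Alpine Security, and not an official Microsoft schema), the Python below hunts over constructed audit records for rules that mark mail read, divert it to an out-of-the-way folder, delete it, or forward it, and that target finance-related senders or subjects. The record layout is loosely modelled on Exchange Online audit entries (Operation, UserId, ClientIP, and Parameters as name-value pairs); field names, the corporate IP range, and all record contents are assumptions.

```python
import ipaddress

# Assumption: corporate egress range (RFC 5737 documentation address space used here).
CORP_NETS = [ipaddress.ip_network("203.0.113.0/24")]
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                "archive", "deleted items", "junk email"}
FINANCE_TERMS = ("invoice", "payment", "wire", "remit", "accounts payable", "finance", "bank")
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}

# Constructed records; not real log data. The first is a login, which hunt() ignores.
SAMPLE_LOG = [
    {"CreationTime": "2019-01-15T02:41:07", "Operation": "MailboxLogin",
     "UserId": "exec@example-corp.com", "ClientIP": "198.51.100.23", "Parameters": []},
    {"CreationTime": "2019-01-15T02:43:19", "Operation": "New-InboxRule",
     "UserId": "exec@example-corp.com", "ClientIP": "198.51.100.23",
     "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "From", "Value": "finance@example-corp.com"},
         {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
         {"Name": "MarkAsRead", "Value": "True"},
         {"Name": "MoveToFolder", "Value": "RSS Feeds"},
     ]},
    {"CreationTime": "2019-01-16T09:12:00", "Operation": "New-InboxRule",
     "UserId": "pat.chen@example-corp.com", "ClientIP": "203.0.113.7",
     "Parameters": [
         {"Name": "Name", "Value": "Vendor newsletters"},
         {"Name": "From", "Value": "news@vendor.example"},
         {"Name": "MarkAsRead", "Value": "False"},
         {"Name": "MoveToFolder", "Value": "Newsletters"},
     ]},
]


def _params(record):
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def _is_true(value):
    return str(value).strip().lower() == "true"


def _is_external(client_ip):
    # Audit entries sometimes carry an IPv4 address with a port appended.
    ip = client_ip.rsplit(":", 1)[0] if client_ip.count(":") == 1 else client_ip
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return not any(addr in net for net in CORP_NETS)


def analyze_rule(record):
    p = _params(record)
    reasons = []
    hides = False
    if _is_true(p.get("MarkAsRead")):
        hides = True
        reasons.append("marks matching mail as read")
    if _is_true(p.get("DeleteMessage")):
        hides = True
        reasons.append("deletes matching mail")
    if p.get("MoveToFolder", "").lower() in HIDE_FOLDERS:
        hides = True
        reasons.append(f"moves mail to rarely viewed folder '{p['MoveToFolder']}'")
    conditions = " ".join(p.get(k, "") for k in (
        "From", "SubjectContainsWords", "BodyContainsWords",
        "SubjectOrBodyContainsWords")).lower()
    finance_hits = [t for t in FINANCE_TERMS if t in conditions]
    if finance_hits:
        reasons.append("targets finance-related mail: " + ", ".join(finance_hits))
    forwards = [p[k] for k in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo") if p.get(k)]
    if forwards:
        reasons.append("forwards mail to " + ", ".join(forwards))
    if len(p.get("Name", "")) <= 1:
        reasons.append("rule has a blank or single-character name")
    if _is_external(record.get("ClientIP", "")):
        reasons.append(f"created from outside corporate ranges ({record.get('ClientIP')})")
    if hides and finance_hits:
        severity = "high"
    elif hides or finance_hits or forwards:
        severity = "medium"
    else:
        severity = "low"
    return {"user": record.get("UserId"), "time": record.get("CreationTime"),
            "severity": severity, "reasons": reasons}


def hunt(records):
    return [analyze_rule(r) for r in records if r.get("Operation") in RULE_OPS]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["severity"].upper(), hit["user"], hit["time"])
        for reason in hit["reasons"]:
            print("  -", reason)
```

The executive's rule scores high on every axis: a one-character name, mail from finance marked read and shunted to RSS Feeds, created from an address outside the corporate range at 02:43. The newsletter rule scores low with no reasons. In practice the same logic should also be run on demand during an incident, because rule-based hiding is how the attacker kept the executive from noticing the finance department's replies.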

Both cases have human error as a common element, but stronger institutional safeguards are the only reliable tool against human error. What would have happened if a straightforward safeguard had been in place in either case? What if a wire transfer or a gift-card purchase required a call back to the requester on a phone number already on file (never one supplied in the email), plus a pre-agreed passphrase, or a digitally signed email? What if employees had been trained to recognize lookalike sender addresses and spoofed emails, and what if multi-factor authentication had been enabled on Office 365, so that a captured password alone was not enough to log in?

In a third case, a client of Alpine Security received the same kind of email, this time requesting that they purchase iTunes gift cards. It is a particularly interesting case because the employee had recently bought gift cards for a similar giveaway. However, this company had a safeguard in place: a transaction like this had to be confirmed verbally with the employee's supervisor. When she contacted them, they quickly recognized the email as a scam and moved on with no money lost and little time wasted.

How well would your organization handle an event like this? In the fast-paced world of cybercrime, no company is too small or too big to be a target. Stories like this happen every day. For the unprepared, they can bankrupt an organization or cause severe operational impacts. For a prepared company, they are a blip on the radar and something to talk about after you hit your next team milestone.  

Does your institution have the training and safeguards in place to weather a cyber attack? Alpine Security has the tools to help. We offer a full range of private training for organizations to assist in cybercrime prevention as well as penetration testing, vulnerability assessment, and social engineering campaigns. Want to see how ready your company is for a cyber attack? Do not wait for the bad guys to test you. Let us help!

Author Bio

Isaac (on the left) hiking in Vietnam

Isaac Wright is a Cybersecurity Analyst and Trainer with Alpine Security. A veteran of the US Air Force, Isaac has more than 15 years’ experience in electronics maintenance and security.  He holds degrees in Electronics Systems and Education and Training Management as well as a master instructor certification.  Isaac has a long history of maintaining, hacking, modding, and using electronics systems from networks and computers to radios and consumer electronics.  Isaac has leveraged his expertise to advise CIOs in large multi-site organizations on vulnerability management and risk mitigation. 

When not teaching or analyzing network traffic, Isaac loves to play board games with family, fish, camp, and experience everything the world has to offer.  An avid traveler, Isaac has been to more than 15 countries and especially enjoys Asia.