Eric Haupt

Sunday Musings: The Small Things Control

Happy Sunday Friend!

Welcome back to another musing! I’m glad you’re here. Here are your Sunday Musings, a quick dose of what I’m exploring and thinking about. If you find it useful, please feel free to forward this along to friends!


A quick anecdote:

I ran into a guy while grocery shopping this weekend. I lost contact with him in a completely different state and organization about seven years ago. He was a brilliant new operator then and we had both assessed into a very selective organization at the same time.

I admired his calm and quiet demeanor (which was a little intimidating at first) and I have thought of him many times since. Then, there he was, in the store looking at me quizzically as I turned around to pick up some oranges. I was immediately excited, relieved, and determined not to lose contact with him again.

We are both a little older, with kids and more senior in our respective fields (both the same fields). But he was the same guy, calm and collected. I put my contact info into his phone and arranged a family get together. I’m thrilled to get to know him again and introduce our families.

Lesson here? If you like/admire/enjoy someone, Don’t Lose Contact. If you’re lucky enough to get a second chance, Make It Happen. People are numerous, good people who vibe with your style are exceedingly rare and should be jealously guarded.


Quote I’m Musing

“Well-being is realized by small steps, but it’s no small thing.”

-Zeno of Citium

Richard Carlson is famous for “Don’t sweat the small stuff”. He’s not wrong, but sometimes our execution is off. The key is not in realizing that we don’t need to sweat the “small stuff” but in separating the irrelevant small things from the essential ones.

If we don’t focus on the important small stuff, the important details add up in a big way; we end up in a place that isn’t where we want to be.


Reflection on Control 3

Control 3 has A LOT in it. Walking through the entirety of it again reminded me that it’s not all or nothing. I think it’s important to realize that when we’re establishing a program, we (and our program) start as beginners. For compliance, only the first six safeguards are needed to get us moving. Quick and effective wins create momentum; momentum helps us create habits. Habits are what build robust and effective programs.

To this end, I’m going to section the rest of the controls off by implementation group (IG 1, 2, 3). IG 1 is for organizations with small to medium capacity and limited IT and cybersecurity knowledge. IG 2 is for medium-capacity organizations with dedicated cybersecurity teams protecting information security and IT systems. IG 3 is the most complex to implement and requires cybersecurity experts who specialize in different areas. Systems and data belonging to IG 3 are usually subject to regulatory oversight.


CIS Critical Security Control #4

Secure Configuration of Enterprise Assets and Software

Preconfigured settings are for ease of use and installation, not security.

Most of our fresh software installs for applications, operating systems, etc. come preconfigured in an insecure manner. Pulling from our risk strategy and frameworks like CIS Benchmarks or NIST’s NCP lets us tailor our baselines to align with organizational policies and vision.

What is it?

I like to think of cyber and information security in a layered construct. Establishing multiple layers of security improves our overall effectiveness at imposing cost on would-be malicious actors, or even on negligent but benign insider threats. It helps to slow and delay a threat long enough for us to neutralize it. Control 4 builds on Controls 1-3 by securely configuring the assets and software we’ve already identified.

Note: Initial configuration, while essential, isn’t the end. We must continually manage our assets through updates, upgrades, and additional interoperability requirements as we evolve our infrastructure.


Implementation Group 1 (Essential Cyber Hygiene)

Safeguards 1-7


4.1 Establish and Maintain a Secure Configuration Process

Implementation Note: Protecting our assets by establishing and documenting our process for asset and software configurations that adhere to our policies and standards. Then update them as our enterprise evolves. Use the benchmarks we talked about above to start with and adapt based on risk and program strategies.

4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure

Implementation Note: Just like 4.1, protecting our assets using the same benchmarks, organizational policies, and strategies; this time for our network devices. I think this could easily be wrapped up into 4.1 by adding “Network Infrastructure” or a little flavor text instead of creating a separate safeguard.
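Here is what “establish and document, then check against it” can look like in code for 4.1 and 4.2. This is an added editorial example, not code from the newsletter or from CIS: a documented baseline of expected settings, a config captured from a host, and a drift check. The SSH keys, values and rationales are constructed assumptions chosen to resemble benchmark recommendations, not copied from a benchmark. The one design point worth noticing is that an absent (or commented-out) setting is reported as drift, because absent means the vendor default is in effect, which is the whole problem this control addresses.

```python
"""Added example (not from the newsletter or CIS): compare a host's captured
configuration against a documented secure baseline and report drift.
Sample inputs are constructed; the baseline entries are assumptions chosen to
look like CIS Benchmark recommendations, not copied from one."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed baseline for an SSH daemon: key -> (expected value, rationale).
# In a real program this file is versioned alongside the policy it implements,
# which is the "establish and document" part of safeguard 4.1.
SSHD_BASELINE: Dict[str, Tuple[str, str]] = {
    "PermitRootLogin": ("no", "root must not log in remotely"),
    "PasswordAuthentication": ("no", "keys only; resists password guessing"),
    "X11Forwarding": ("no", "unneeded service surface"),
    "MaxAuthTries": ("4", "limit guesses per connection"),
}

# Constructed sshd_config as captured from a freshly installed host.
# Note the commented-out line: the vendor default silently applies there.
CAPTURED_SSHD_CONFIG = """\
# OpenSSH settings shipped with the image
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
MaxAuthTries 6
"""


@dataclass(frozen=True)
class Drift:
    key: str
    expected: str
    actual: Optional[str]  # None: setting absent, so the vendor default applies
    rationale: str


def parse_keyvalue_config(text: str) -> Dict[str, str]:
    """Parse 'Key Value' lines. Blank and comment lines are ignored, so a
    commented-out setting counts as absent, which is exactly the case
    (vendor default in effect) that a baseline check must catch."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


def find_drift(baseline: Dict[str, Tuple[str, str]], captured_text: str) -> List[Drift]:
    """Return every baseline setting the captured config does not satisfy.
    Absent settings are reported as drift rather than ignored."""
    actual = parse_keyvalue_config(captured_text)
    drift: List[Drift] = []
    for key, (expected, why) in baseline.items():
        value = actual.get(key)
        if value is None or value.lower() != expected.lower():
            drift.append(Drift(key, expected, value, why))
    return drift


def format_report(drift: List[Drift]) -> str:
    """Human-readable summary suitable for a ticket or a CI job log."""
    if not drift:
        return "COMPLIANT: no drift from baseline"
    lines = [f"DRIFT: {len(drift)} setting(s) deviate from baseline"]
    for d in drift:
        shown = d.actual if d.actual is not None else "<not set: vendor default>"
        lines.append(f"  {d.key}: expected {d.expected!r}, found {shown!r} ({d.rationale})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(find_drift(SSHD_BASELINE, CAPTURED_SSHD_CONFIG)))
```

The same check covers 4.2 with no code change: export a network device’s running configuration, write a second baseline for it, and run the check on a schedule so the “then update them as our enterprise evolves” part actually happens.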

4.3 Configure Automatic Session Locking on Enterprise Assets

Implementation Note: Firewalls are a protection foundation for many organizations and enterprises. Essential here is to also update and maintain our protections by regularly updating our ACLs, rules, and agents. This should be only one of several layers of protection we employ for our infrastructure. Think about castle defense. We should have a moat, a drawbridge, walls, a hedge maze, guards, and escape routes (cold, warm, and hot sites, plus backups).

4.4 Implement and Manage a Firewall on Servers

Implementation Note: Protect the organization with a retention policy informed by regulatory compliance, common sense, and operational need. ALSO think about data disposal here, maximum retention timelines as well as minimum. Also, clearly articulate what doesn’t need to be retained. When it’s time to #letitgo, make sure to follow the next safeguard.

4.5 Implement and Manage a Firewall on End-User Devices

Implementation Note: This is one of those easily forgotten elements of protection. End-user devices must survive contact with everyday use by end-users. Help in every way possible to protect and enable business operations without allowing traffic outside of the services and ports we’ve explicitly allowed. Additionally, these devices don’t always stay on the home network. We must establish a quarantine and inoculation process that doesn’t make someone non-mission-capable when they get back.

4.6 Securely Manage Enterprise Assets and Software

Implementation Note: Protect our assets through version control. Identify mission-essential protocols and block the rest (especially TELNET and HTTP) if you can.

It’s not only about keeping software up to date and patched, but also understanding how the software and assets interact. An update to one piece of software from the vendor may change the way it interacts with another of our assets and create a vulnerability. In that case, we roll back the changes until we can mitigate the vulnerability.

4.7 Manage Default Accounts on Enterprise Assets and Software

Implementation Note: Are we detecting a theme yet? Default just about anything is going to leave us vulnerable. Protect our assets by deactivating default accounts, especially admin or root accounts!
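To make “deactivate default accounts” concrete, here is an added example (editorial code, not the newsletter’s or CIS’s) that audits Unix-style passwd and shadow data for default accounts that are still usable. The file contents are constructed, and KNOWN_DEFAULT_NAMES is an assumption to replace with the defaults documented for each of your asset types. The subtlety it demonstrates: locking an account’s password is not the same as deactivating it, because an account with an interactive shell still accepts SSH keys, so the check treats “locked password but login shell” as still enabled.

```python
"""Added example (not from the newsletter or CIS): audit Unix-style account
files for default or vendor accounts that are still usable. The passwd and
shadow contents are constructed; KNOWN_DEFAULT_NAMES is an assumption to be
replaced with the defaults documented for each asset type."""
from typing import Dict, List

# Constructed /etc/passwd. Fields: name:x:uid:gid:gecos:home:shell
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:Vendor admin:/home/admin:/bin/bash
pi:x:1001:1001:Image default user:/home/pi:/bin/bash
guest:x:1002:1002:Guest:/home/guest:/bin/sh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
toor:x:0:0:spare root:/root:/bin/bash
"""

# Constructed /etc/shadow. Second field: a hash starting with '!' or '*' is
# locked; an empty field means no password is required at all.
SHADOW = """\
root:$6$constructedsalt$constructedhash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
admin:$6$constructedsalt$constructedhash:19700:0:99999:7:::
pi:!:19700:0:99999:7:::
guest::19700:0:99999:7:::
backup:*:19700:0:99999:7:::
toor:$6$constructedsalt$constructedhash:19700:0:99999:7:::
"""

KNOWN_DEFAULT_NAMES = {"admin", "pi", "guest", "user", "test", "toor"}  # assumption
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_colon_file(text: str) -> Dict[str, List[str]]:
    """Map account name -> field list for every non-empty line."""
    records: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            records[fields[0]] = fields
    return records


def audit_accounts(passwd_text: str, shadow_text: str) -> List[dict]:
    """Return one finding per account that is a still-usable default, an extra
    UID-0 account, or has a login shell with no password set."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for name, fields in passwd.items():
        uid, shell = int(fields[2]), fields[6]
        # A missing shadow entry is treated as locked rather than guessed at.
        hash_field = shadow.get(name, [name, "!"])[1]
        password_locked = hash_field.startswith(("!", "*"))
        interactive = shell not in NOLOGIN_SHELLS
        reasons = []
        # A locked password alone is not "deactivated": with an interactive shell
        # the account still accepts SSH keys, so both must be closed off.
        if name in KNOWN_DEFAULT_NAMES and (not password_locked or interactive):
            reasons.append("known default account still enabled")
        if uid == 0 and name != "root":
            reasons.append("extra UID-0 account")
        if hash_field == "" and interactive:
            reasons.append("login shell with empty password")
        if reasons:
            findings.append({"name": name, "uid": uid, "shell": shell, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_accounts(PASSWD, SHADOW):
        print(f"{f['name']} (uid {f['uid']}, shell {f['shell']}): " + "; ".join(f["reasons"]))
```

Remediation for a flagged account is the pair of actions the check looks for: lock the password and set a non-login shell (or remove the account entirely if nothing depends on it), then re-run the audit as part of the baseline check so the account does not come back with the next image.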


Implementation Group 2 (Foundation Building)

IG 1 + Safeguards 8-11


4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software

Implementation Note: This loosely falls under the “defaults are bad” category. Preinstalled software (bloatware?) that doesn’t serve a purpose for our enterprise can be removed as part of our baseline image. Additionally, we can protect our enterprise by identifying unneeded services and either securing them (RDP) or disabling them.
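Safeguards 4.6 (block everything but mission-essential protocols, especially Telnet and HTTP) and 4.8 (remove services we did not ask for) come down to the same question: what is this host listening on, and did we intend that? The following is an added example, not code from the newsletter or from CIS, that answers it. It parses constructed output shaped like `ss -tuln`, flags every listener not on an allowlist (loopback-only binds at lower severity), annotates known cleartext protocols, and renders a default-deny nftables input chain from the same allowlist, which is the host-firewall side of 4.4 and 4.5. The allowlist and the cleartext-protocol table are assumptions to adapt per asset.

```python
"""Added example (not from the newsletter or CIS): compare a host's listening
sockets with the allowlist of mission-essential services, flag the rest, and
render a default-deny nftables input chain from the allowlist. The ss output
below is constructed; the allowlist and the cleartext-protocol table are
assumptions to adapt per asset."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed output in the shape of `ss -tuln` (header removed).
SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:23        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:3306      0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*
"""

# Assumption: this host's mission-essential services as (proto, port).
ALLOWLIST: Set[Tuple[str, int]] = {("tcp", 22), ("tcp", 443)}

# Protocols that carry credentials or data in cleartext; closing these is the
# "especially Telnet and HTTP" point from safeguard 4.6.
CLEARTEXT_PROTOCOLS: Dict[Tuple[str, int], str] = {
    ("tcp", 21): "FTP", ("tcp", 23): "Telnet", ("tcp", 80): "HTTP", ("udp", 161): "SNMPv1/v2c",
}
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int


@dataclass(frozen=True)
class Finding:
    listener: Listener
    severity: str
    note: str


def parse_ss(text: str) -> List[Listener]:
    """Parse Netid/State/Recv-Q/Send-Q/Local/Peer columns; only Local is used."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        address, _, port = fields[4].rpartition(":")
        listeners.append(Listener(fields[0], address, int(port)))
    return listeners


def audit_listeners(text: str, allowlist: Set[Tuple[str, int]]) -> List[Finding]:
    """Every listener not on the allowlist is a finding. Loopback-only binds are
    lower severity (not reachable from the network) but still reviewed: they
    are a service we did not ask for, which is safeguard 4.8's concern."""
    findings = []
    for lst in parse_ss(text):
        key = (lst.proto, lst.port)
        if key in allowlist:
            continue
        if lst.address in LOOPBACK:
            severity, note = "low", "bound to loopback only; disable if unneeded"
        else:
            severity, note = "high", "reachable from the network; disable or firewall"
        if key in CLEARTEXT_PROTOCOLS:
            note += f" ({CLEARTEXT_PROTOCOLS[key]} sends credentials in cleartext)"
        findings.append(Finding(lst, severity, note))
    return findings


def render_nft_input_chain(allowlist: Set[Tuple[str, int]]) -> str:
    """Default-deny nftables input chain admitting only allowlisted ports,
    the host-firewall side of safeguards 4.4 and 4.5."""
    lines = ["table inet filter {", "  chain input {",
             "    type filter hook input priority 0; policy drop;",
             "    iif lo accept", "    ct state established,related accept"]
    for proto in ("tcp", "udp"):
        ports = sorted(p for pr, p in allowlist if pr == proto)
        if ports:
            lines.append(f"    {proto} dport {{ {', '.join(map(str, ports))} }} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for f in audit_listeners(SS_OUTPUT, ALLOWLIST):
        print(f"[{f.severity}] {f.listener.proto}/{f.listener.port} on {f.listener.address}: {f.note}")
    print(render_nft_input_chain(ALLOWLIST))
```

The order of operations matters: disable the service first (4.8), then let the firewall (4.4/4.5) catch anything that reappears after an update. A firewall rule alone leaves the unwanted service running and one misapplied rule change away from being exposed again.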

4.9 Configure Trusted DNS Servers on Enterprise Assets

Implementation Note: Domain Name System (DNS) is hugely important. Do you remember Google’s IP? It’s 8.8.8.8, but it’s easier to just type google.com. These servers translate names to IP addresses so users don’t have to remember octets and we can just tell them to go to internal names like “GO finance”. Properly protecting them is important. SANS has a framework that we could start from.

4.10 Enforce Automatic Device Lockout on Portable End-User Devices

Implementation Note: Protecting end-user devices, similar to our session lockouts from 4.3. This entails defining a threshold for the number of attempts on devices before locking the device down. CIS recommends no more than 20 failed authentication attempts on laptops. No more than 10 failed authentication attempts on mobile devices. Example implementations include Microsoft® Intune Device Lock and Apple® Configuration Profile maxFailedAttempts.
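Thresholds like these are easy to state and easy to lose track of across a fleet, so here is an added example (editorial code, not the newsletter’s, CIS’s, or any MDM vendor’s API) that evaluates a fleet export against them for both 4.3 and 4.10. The failed-attempt limits (20 for laptops, 10 for mobile) are the ones quoted above; the inactivity-lock limits (15 minutes for general-purpose operating systems, 2 minutes for mobile devices) are the figures CIS Controls v8 gives for safeguard 4.3 and are not stated on this page. The device records are constructed. The edge case it handles: a setting that is not configured at all is reported as a finding, since “no lockout configured” means unlimited attempts and “no inactivity lock” means a session that never locks.

```python
"""Added example (not from the newsletter or CIS): evaluate a fleet's
inactivity-lock and failed-attempt-lockout settings against CIS thresholds.
Device records are constructed; evaluate_device/evaluate_fleet are this
example's own functions, not an MDM vendor API."""
from typing import Dict, List

# Failed-attempt limits (20 laptops, 10 mobile) are quoted in the newsletter for
# safeguard 4.10; inactivity-lock limits (15 min general-purpose OS, 2 min
# mobile) are from CIS Controls v8 safeguard 4.3 (not stated on this page).
THRESHOLDS: Dict[str, Dict[str, int]] = {
    "laptop": {"max_failed_attempts": 20, "max_lock_minutes": 15},
    "mobile": {"max_failed_attempts": 10, "max_lock_minutes": 2},
}

# Constructed fleet snapshot, shaped like an inventory or MDM export.
# None means the control is not configured at all (vendor default applies).
FLEET: List[dict] = [
    {"id": "LT-0001", "kind": "laptop", "failed_attempts_limit": 10, "lock_after_minutes": 10},
    {"id": "LT-0002", "kind": "laptop", "failed_attempts_limit": None, "lock_after_minutes": 60},
    {"id": "MB-0001", "kind": "mobile", "failed_attempts_limit": 10, "lock_after_minutes": 2},
    {"id": "MB-0002", "kind": "mobile", "failed_attempts_limit": 25, "lock_after_minutes": 1},
]


def evaluate_device(device: dict) -> List[str]:
    """Return the findings for one device (empty list means compliant).
    Unset values are findings: an unconfigured lockout is effectively unlimited
    attempts, and no inactivity lock is a session that never locks."""
    limits = THRESHOLDS[device["kind"]]
    findings: List[str] = []
    attempts = device["failed_attempts_limit"]
    if attempts is None:
        findings.append("failed-attempt lockout not configured")
    elif attempts > limits["max_failed_attempts"]:
        findings.append(
            f"lockout after {attempts} attempts exceeds {limits['max_failed_attempts']}")
    minutes = device["lock_after_minutes"]
    if minutes is None:
        findings.append("inactivity lock not configured")
    elif minutes > limits["max_lock_minutes"]:
        findings.append(
            f"inactivity lock of {minutes} min exceeds {limits['max_lock_minutes']}")
    return findings


def evaluate_fleet(fleet: List[dict]) -> Dict[str, List[str]]:
    """Map device id -> findings, listing only non-compliant devices."""
    results: Dict[str, List[str]] = {}
    for device in fleet:
        findings = evaluate_device(device)
        if findings:
            results[device["id"]] = findings
    return results


if __name__ == "__main__":
    for device_id, findings in evaluate_fleet(FLEET).items():
        print(device_id)
        for finding in findings:
            print("  -", finding)
```

Feed it a real export on a schedule and the output is a ready-made remediation list; the same structure extends to the remote-wipe capability in 4.11 by adding one more per-device field and one more check.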

4.11 Enforce Remote Wipe Capability on Portable End-User Devices

Implementation Note: This is one of those methods that seems draconian at first but makes more and more sense once you suspend disbelief and delve further into the changing character of office workers and the evolution towards remote working. More and more organization-owned devices are becoming transient in their work location. Being able to remotely wipe a device if it becomes unaccountable helps us keep our resources secure and business operating effectively.


Implementation Group 3 (Complex and Tailored Expertise)

IG 1, IG 2 + Safeguard 12


4.12 Separate Enterprise Workspaces on Mobile End-User Devices

Implementation Note: We should create a separate enterprise workspace on our users’ mobile devices. Specifically, regarding network settings, emails, apps, and webcams. This helps prevent attackers who gain access to our users’ personal applications from accessing our corporate files or proprietary data.

Why Should We Care About Control #4?

We can’t build everything ourselves. Especially when we’re starting out. Automation and controls are key. Capabilities we bring in from external sources (even ones our devs build) aren’t configured to our bespoke needs. Default settings and credentials are widely available on the internet for public viewing and exploitation.

We need to protect our business functions and enable opportunities via compliance by having systems and processes in place to onboard, assess, and baseline any asset introduced to our enterprise. Doing so without unnecessarily interfering with operations is our goal.

We are in the business of protecting revenue, not inhibiting it.


I would love your feedback!

Which musing is your favorite? What else do you want to see or what should I eliminate? Any other suggestions? Just send a tweet to @erichaupt on Twitter and put #SundayMusings at the end so I can find it. Or, eric@erichaupt.com for long form email.

Have a wonderful week, I’ll see you Sunday.
-e

End of transmission.