diff --git a/infosec/cis_18_controls.md b/infosec/cis_18_controls.md new file mode 100644 index 0000000..3f5f18b --- /dev/null +++ b/infosec/cis_18_controls.md 
@@ -0,0 +1,646 @@ +# CIS 18 Controls Cheatsheet + +## Overview + +The CIS Controls are a prioritized set of safeguards to mitigate the most prevalent cyber-attacks against systems and networks. This cheatsheet provides a quick reference to the 18 CIS Controls (v8), implementation guidance, and mappings to major frameworks. + +## CIS Controls Summary + +| # | Control | Category | Purpose | +|---|---------|----------|---------| +| 1 | Inventory and Control of Enterprise Assets | Basic | Know what's on your network | +| 2 | Inventory and Control of Software Assets | Basic | Know what's running on your network | +| 3 | Data Protection | Basic | Protect sensitive information | +| 4 | Secure Configuration of Enterprise Assets and Software | Basic | Reduce the attack surface | +| 5 | Account Management | Basic | Manage access rights | +| 6 | Access Control Management | Basic | Limit user privileges | +| 7 | Continuous Vulnerability Management | Foundational | Find and fix vulnerabilities | +| 8 | Audit Log Management | Foundational | Collect and review logs | +| 9 | Email and Web Browser Protections | Foundational | Secure common attack vectors | +| 10 | Malware Defenses | Foundational | Block and detect malicious code | +| 11 | Data Recovery | Foundational | Plan for the worst | +| 12 | Network Infrastructure Management | Foundational | Secure network devices | +| 13 | Network Monitoring and Defense | Foundational | Detect and prevent attacks | +| 14 | Security Awareness and Skills Training | Foundational | Human firewall | +| 15 | Service Provider Management | Foundational | Secure your supply chain | +| 16 | Application Software Security | Foundational | Develop secure applications | +| 17 | Incident Response Management | Organizational | Prepare and practice | +| 18 | Penetration Testing | Organizational | Test your defenses | + +## Detailed Controls with Implementation Guidance + +### CIS Control 1: Inventory and Control of Enterprise Assets + +| Safeguard | 
Description | Implementation | +|-----------|-------------|----------------| +| 1.1 | Establish Asset Inventory | Use automated tools (CMDB, network scanning, etc.) | +| 1.2 | Address Unauthorized Assets | Implement NAC or 802.1x port security | +| 1.3 | Utilize DHCP Logging | Configure DHCP servers to log lease information | +| 1.4 | Use Dynamic Host Configuration Protocol (DHCP) | Standardize IP assignment | +| 1.5 | Use a Passive Asset Discovery Tool | Deploy passive monitoring tools | + +**Key Tools:** +- Network scanners (Nmap, Nessus) +- Asset management systems (ServiceNow, Lansweeper) +- NAC solutions (Cisco ISE, FortiNAC) +- CMDB systems + +**Framework Mappings:** +- NIST CSF: ID.AM-1, ID.AM-2, ID.AM-5 +- ISO 27001: A.8.1.1, A.8.1.2 +- NIST 800-53: CM-8, PM-5 +- GDPR: Article 30 + +### CIS Control 2: Inventory and Control of Software Assets + +| Safeguard | Description | Implementation | +|-----------|-------------|----------------| +| 2.1 | Establish Software Inventory | Deploy software inventory tools | +| 2.2 | Ensure Authorized Software is Currently Supported | Track EOL/EOS dates | +| 2.3 | Address Unauthorized Software | Implement application whitelisting | +| 2.4 | Utilize Automated Software Inventory Tools | Use agent-based inventory tools | +| 2.5 | Allow Only Authorized Software | Implement application control | +| 2.6 | Allow Only Authorized Libraries | Control libraries and dependencies | +| 2.7 | Allow Only Authorized Scripts | Implement script control (PowerShell, etc.) 
| + +**Key Tools:** +- Software inventory tools (Microsoft SCCM, Lansweeper) +- Application whitelisting (AppLocker, Carbon Black) +- Package managers with inventory capabilities +- Script control (PowerShell execution policies) + +**Framework Mappings:** +- NIST CSF: ID.AM-2, PR.DS-6, PR.IP-1 +- ISO 27001: A.12.6.2, A.8.1.1, A.8.1.2 +- NIST 800-53: CM-7, CM-8, SA-4 +- PCI DSS: 2.4, 6.2 + +### CIS Control 3: Data Protection + +| Safeguard | Description | Implementation | +|-----------|-------------|----------------| +| 3.1 | Establish Data Management Process | Implement data classification | +| 3.2 | Establish Data Inventory | Document sensitive data locations | +| 3.3 | Configure Data Access Control Lists | Implement need-to-know permissions | +| 3.4 | Enforce Data Retention | Deploy automated policies | +| 3.5 | Securely Delete Data | Implement secure deletion tools | +| 3.6 | Encrypt Data on End-User Devices | Deploy full-disk encryption | +| 3.7 | Establish Data Classification | Define sensitivity levels | +| 3.8 | Document Data Flows | Map how data moves through systems | +| 3.9 | Encrypt Data in Transit | Implement TLS for communications | +| 3.10 | Encrypt Sensitive Data at Rest | Deploy database/storage encryption | +| 3.11 | Encrypt Sensitive Data in Use | Utilize privacy-preserving technologies | +| 3.12 | Segment Data Processing and Storage | Separate sensitive data environments | +| 3.13 | Deploy a Data Loss Prevention Solution | Implement DLP tools | +| 3.14 | Log Sensitive Data Access | Monitor access to classified data | + +**Key Tools:** +- DLP solutions (Symantec, Digital Guardian) +- Encryption tools (BitLocker, VeraCrypt) +- Data classification tools (Microsoft AIP, Titus) +- Access monitoring tools + +**Framework Mappings:** +- NIST CSF: PR.DS-1, PR.DS-2, PR.DS-5, PR.PT-2 +- ISO 27001: A.8.2.1, A.8.2.2, A.8.2.3, A.10.1.1 +- NIST 800-53: SC-8, SC-28, MP-2, MP-3, MP-4 +- GDPR: Articles 5, 6, 25, 32 +- PCI DSS: 3.1, 3.2, 3.4, 3.5, 3.6 + +### CIS 
Control 4: Secure Configuration of Enterprise Assets and Software + +| Safeguard | Description | Implementation | +|-----------|-------------|----------------| +| 4.1 | Establish Secure Configuration Process | Document hardening standards | +| 4.2 | Establish Secure Configuration Management | Use secure baselines | +| 4.3 | Configure Automatic Session Locking | Set screen timeout policies | +| 4.4 | Implement Strong Authentication | Use MFA where possible | +| 4.5 | Implement Secure Boot | Enable secure boot on systems | +| 4.6 | Securely Manage Enterprise Assets | Use trusted software/images | +| 4.7 | Manage Default Accounts | Change defaults, disable when possible | +| 4.8 | Uninstall or Disable Unnecessary Services | Remove unneeded services | +| 4.9 | Configure Trusted DNS Servers | Use secure DNS providers | +| 4.10 | Enforce Secure Configuration | Monitor and enforce compliance | +| 4.11 | Apply Host-Based Firewalls | Deploy on all endpoints | +| 4.12 | Separate Management Network | Isolate management traffic | + +**Key Tools:** +- Configuration management (Chef, Puppet, Ansible) +- Secure configuration scanners (CIS-CAT, Nessus) +- Group Policy/MDM solutions +- Baseline management tools + +**Framework Mappings:** +- NIST CSF: PR.IP-1, PR.PT-3 +- ISO 27001: A.12.1.2, A.14.2.2, A.14.2.3, A.14.2.4 +- NIST 800-53: CM-2, CM-6, CM-7, IA-5 +- PCI DSS: 2.2, 2.3, 2.6 + +### CIS Control 5: Account Management + +| Safeguard | Description | Implementation | +|-----------|-------------|----------------| +| 5.1 | Establish Account Management Process | Document user lifecycle | +| 5.2 | Use Unique Passwords | Implement password policies | +| 5.3 | Disable Dormant Accounts | Auto-disable after inactivity | +| 5.4 | Restrict Administrator Privileges | Limit admin accounts | +| 5.5 | Establish Account Monitoring | Alert on suspicious activities | +| 5.6 | Centralize Account Management | Use directory services | +| 5.7 | Implement MFA for Privileged Users | Require strong 
auth for admins | +| 5.8 | Implement MFA for Remote Network Access | Secure VPN/external connections | +| 5.9 | Implement MFA for Internet-Accessible Services | Protect external services | + +**Key Tools:** +- Identity Management (Active Directory, Okta) +- Privileged Access Management (CyberArk, BeyondTrust) +- MFA solutions (Duo, RSA) +- Account monitoring tools + +**Framework Mappings:** +- NIST CSF: PR.AC-1, PR.AC-4, PR.AC-7 +- ISO 27001: A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.5, A.9.2.6 +- NIST 800-53: AC-2, AC-3, AC-6, IA-2, IA-5 +- PCI DSS: 7.1, 7.2, 8.1, 8.2, 8.3 + +### CIS Control 6: Access Control Management + +| Safeguard | Description | Implementation | +|-----------|-------------|----------------| +| 6.1 | Establish Access Control Management Process | Define access request/approval process | +| 6.2 | Establish Access Revoking Process | Document termination procedures | +| 6.3 | Require MFA for Externally-Exposed Applications | Protect public-facing services | +| 6.4 | Require MFA for Remote Network Access | Secure remote connections | +| 6.5 | Require MFA for Administrative Access | Use strong auth for all privileged actions | +| 6.6 | Establish An Access Governance Process | Implement periodic reviews | +| 6.7 | Centralize Access Control | Use single access platform | +| 6.8 | Define Acceptable Use | Create policy for proper system use | +| 6.9 | Control Credential Disclosure | Protect secrets | + +**Key Tools:** +- Role-based access control systems +- Identity Governance solutions (SailPoint, Saviynt) +- Access certification tools +- PAM solutions + +**Framework Mappings:** +- NIST CSF: PR.AC-1, PR.AC-3, PR.AC-4 +- ISO 27001: A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1 +- NIST 800-53: AC-1, AC-2, AC-3, AC-5, AC-6, AC-17 +- PCI DSS: 7.1, 7.2, 8.3 + +### CIS Control 7: Continuous Vulnerability Management + +| Safeguard | Description | Implementation | +|-----------|-------------|----------------| +| 7.1 | Establish Vulnerability Management Process | Define scanning 
schedule | +| 7.2 | Establish a Remediation Process | Document patching procedures | +| 7.3 | Perform Automated Operating System Patch Management | Use patch management tools | +| 7.4 | Perform Automated Application Patch Management | Automate app updates | +| 7.5 | Perform Automated Vulnerability Scans | Schedule regular scans | +| 7.6 | Remediate Detected Vulnerabilities | Track and manage fixes | +| 7.7 | Utilize Industry-Recommended Vulnerability Sources | Subscribe to advisory feeds | + +**Key Tools:** +- Vulnerability scanners (Nessus, Qualys, OpenVAS) +- Patch management (WSUS, SCCM, Ivanti) +- Vulnerability management platforms +- Threat intelligence feeds + +**Framework Mappings:** +- NIST CSF: ID.RA-1, ID.RA-2, PR.IP-12 +- ISO 27001: A.12.6.1, A.12.6.2, A.14.2.3 +- NIST 800-53: RA-3, RA-5, SI-2 +- PCI DSS: 6.1, 6.2, 11.2 + +### CIS Control 8: Audit Log Management + +| Safeguard | Description | Implementation | +|-----------|-------------|----------------| +| 8.1 | Establish Audit Log Management | Define logging strategy | +| 8.2 | Collect Audit Logs | Configure logging for all assets | +| 8.3 | Ensure Adequate Audit Log Storage | Size storage appropriately | +| 8.4 | Standardize Time Synchronization | Implement NTP | +| 8.5 | Collect Detailed Audit Logs | Capture comprehensive events | +| 8.6 | Collect DNS Query Logs | Monitor DNS activity | +| 8.7 | Collect URL Request Logs | Track web browsing | +| 8.8 | Collect Command-Line Audit Logs | Monitor command execution | +| 8.9 | Centralize Audit Logs | Aggregate to SIEM | +| 8.10 | Retain Audit Logs | Define retention period | +| 8.11 | Conduct Audit Log Reviews | Regular log analysis | +| 8.12 | Collect Service Provider Logs | Include cloud services | + +**Key Tools:** +- SIEM solutions (Splunk, ELK Stack, QRadar) +- Log aggregation tools (NXLog, Syslog-ng) +- NTP servers +- Log storage solutions + +**Framework Mappings:** +- NIST CSF: PR.PT-1, DE.CM-1, DE.CM-3, DE.CM-7 +- ISO 27001: A.12.4.1, A.12.4.2, 
A.12.4.3, A.12.4.4 +- NIST 800-53: AU-2, AU-3, AU-6, AU-7, AU-8, AU-9, AU-11, AU-12 +- PCI DSS: 10.1, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7 + +### CIS Control 9: Email and Web Browser Protections + +| Safeguard | Description | Implementation | +|-----------|-------------|----------------| +| 9.1 | Ensure Use of Only Fully Supported Browsers and Email Clients | Keep updated | +| 9.2 | Use DNS Filtering Services | Block malicious domains | +| 9.3 | Maintain Network-Based URL Filters | Implement web filtering | +| 9.4 | Restrict Unnecessary or Unauthorized Browser and Email Client Extensions | Control plugins | +| 9.5 | Implement DMARC | Enable email authentication | +| 9.6 | Block Unnecessary File Types | Filter risky attachments | +| 9.7 | Deploy and Maintain Email Server Anti-Malware Protections | Scan emails for threats | + +**Key Tools:** +- Secure email gateways (Proofpoint, Mimecast) +- DNS filtering (Cisco Umbrella, Quad9) +- Web proxies (Zscaler, Blue Coat) +- Email authentication (DKIM, SPF, DMARC) + +**Framework Mappings:** +- NIST CSF: PR.DS-6, PR.DS-7, DE.CM-5 +- ISO 27001: A.13.1.1, A.13.1.2 +- NIST 800-53: SC-7, SC-8 +- PCI DSS: 1.3, 4.1, 5.1, 5.3 + +### CIS Control 10: Malware Defenses + +| Safeguard | Description | Implementation | +|-----------|-------------|----------------| +| 10.1 | Deploy and Maintain Anti-Malware Software | Install on all endpoints | +| 10.2 | Configure Automatic Anti-Malware Signature Updates | Enable auto-updates | +| 10.3 | Disable Autorun and Autoplay for Removable Media | Prevent auto-execution | +| 10.4 | Configure Automatic Anti-Malware Scanning | Schedule regular scans | +| 10.5 | Enable Anti-Exploitation Features | Use OS security features | +| 10.6 | Centrally Manage Anti-Malware Software | Deploy management console | +| 10.7 | Use Behavior-Based Anti-Malware Software | Implement advanced protection | + +**Key Tools:** +- Endpoint protection platforms (CrowdStrike, Symantec, Microsoft Defender) +- Application whitelisting 
+- Behavioral analysis tools +- Anti-exploitation (EMET, Windows Defender Exploit Guard) + +**Framework Mappings:** +- NIST CSF: DE.CM-4, DE.CM-5, PR.DS-5 +- ISO 27001: A.12.2.1 +- NIST 800-53: SI-3, SI-4, SI-8 +- PCI DSS: 5.1, 5.2, 5.3 + +### CIS Control 11: Data Recovery + +| Safeguard | Description | Implementation | +|-----------|-------------|----------------| +| 11.1 | Establish Data Recovery Process | Document backup procedures | +| 11.2 | Perform Automated Backups | Schedule regular backups | +| 11.3 | Protect Recovery Data | Secure backup infrastructure | +| 11.4 | Establish Secure Recovery Process | Document restoration procedures | +| 11.5 | Test Data Recovery | Regular restore testing | + +**Key Tools:** +- Backup solutions (Veeam, Veritas, Commvault) +- Cloud backup (AWS Backup, Azure Backup) +- Immutable storage +- Air-gapped backups + +**Framework Mappings:** +- NIST CSF: PR.IP-4, RC.RP-1 +- ISO 27001: A.12.3.1, A.17.1.2, A.17.1.3 +- NIST 800-53: CP-9, CP-10 +- PCI DSS: 9.5, 9.6, 9.7, 12.10.1 + +### CIS Control 12: Network Infrastructure Management + +| Safeguard | Description | Implementation | +|-----------|-------------|----------------| +| 12.1 | Ensure Network Infrastructure is Up-to-Date | Patch networking devices | +| 12.2 | Establish Network Infrastructure Management Process | Document procedures | +| 12.3 | Securely Manage Network Infrastructure | Use secure protocols | +| 12.4 | Establish and Maintain Dedicated, Secure Management Network | Separate management plane | +| 12.5 | Centralize Network Authentication, Authorization, and Auditing | Implement AAA | +| 12.6 | Use Standard Secure Signaling and Transport Protocols | Secure communications | +| 12.7 | Ensure Remote Devices Utilize a VPN | Secure remote connections | +| 12.8 | Establish and Maintain Dedicated Computing Resources for Critical Networks | Segment sensitive functions | + +**Key Tools:** +- Network management platforms (Cisco, Aruba, Juniper) +- AAA servers (RADIUS, TACACS+) 
+- Network configuration management +- VPN solutions + +**Framework Mappings:** +- NIST CSF: PR.AC-5, PR.PT-4 +- ISO 27001: A.13.1.1, A.13.1.3 +- NIST 800-53: AC-17, AC-18, IA-3, SC-7, SC-8 +- PCI DSS: 1.1, 1.2, 1.3, 2.2 + +### CIS Control 13: Network Monitoring and Defense + +| Safeguard | Description | Implementation | +|-----------|-------------|----------------| +| 13.1 | Centralize Security Event Alerting | Implement SIEM | +| 13.2 | Deploy a Host-Based IDS or IPS | Install endpoint detection | +| 13.3 | Deploy a Network-Based IDS, IPS or NDR | Monitor network traffic | +| 13.4 | Perform Traffic Filtering | Deploy firewalls | +| 13.5 | Manage Access Control for Remote Assets | Control remote connections | +| 13.6 | Collect Network Traffic Flow Logs | Capture NetFlow | +| 13.7 | Deploy a Network-Based DLP | Monitor for data exfiltration | +| 13.8 | Deploy a Network-Based Sandbox | Analyze suspicious files | +| 13.9 | Deploy Port-Level Access Control | Implement 802.1X | +| 13.10 | Perform Application Layer Filtering | Use web application firewalls | +| 13.11 | Tune Security Event Alerting Thresholds | Reduce false positives | + +**Key Tools:** +- Network IDS/IPS (Suricata, Snort, Cisco) +- SIEM solutions (Splunk, QRadar) +- NDR solutions (Darktrace, ExtraHop) +- NetFlow analyzers +- Next-gen firewalls + +**Framework Mappings:** +- NIST CSF: DE.AE-1, DE.AE-2, DE.AE-3, DE.CM-1, DE.CM-7 +- ISO 27001: A.12.4.1, A.13.1.1, A.13.1.2 +- NIST 800-53: SI-4, AU-6 +- PCI DSS: 10.6, 11.4, 11.5 + +### CIS Control 14: Security Awareness and Skills Training + +| Safeguard | Description | Implementation | +|-----------|-------------|----------------| +| 14.1 | Establish Security Awareness Program | Document training strategy | +| 14.2 | Train Workforce Members | Implement regular training | +| 14.3 | Train Workforce on Authentication Best Practices | Password/MFA education | +| 14.4 | Train Workforce on Data Handling Best Practices | Sensitive data procedures | +| 14.5 | Train 
Workforce on Causes of Unintentional Data Exposure | Prevent mistakes | +| 14.6 | Train Workforce on Recognizing and Reporting Security Incidents | Incident reporting process | +| 14.7 | Train Workforce on How to Identify and Report Phishing Attacks | Phishing recognition | +| 14.8 | Train Workforce on Secure Use of Social Media | Social media risks | +| 14.9 | Train Workforce on Secure Use of Mobile Devices | Mobile security | + +**Key Tools:** +- Security awareness platforms (KnowBe4, Proofpoint) +- Phishing simulation tools +- Learning management systems +- Training content providers + +**Framework Mappings:** +- NIST CSF: PR.AT-1, PR.AT-2, PR.AT-5 +- ISO 27001: A.7.2.2, A.7.2.3 +- NIST 800-53: AT-1, AT-2, AT-3 +- PCI DSS: 12.6, 12.6.1, 12.6.2 + +### CIS Control 15: Service Provider Management + +| Safeguard | Description | Implementation | +|-----------|-------------|----------------| +| 15.1 | Establish Service Provider Management Process | Document vendor management | +| 15.2 | Establish Service Provider Requirements | Define security expectations | +| 15.3 | Monitor Service Provider Compliance | Regular reviews | +| 15.4 | Ensure Service Provider Contracts Include Security Requirements | Contract requirements | +| 15.5 | Assess Service Providers | Due diligence process | +| 15.6 | Monitor Service Provider Security | Ongoing validation | +| 15.7 | Securely Decommission Service Providers | Offboarding process | + +**Key Tools:** +- Vendor risk management platforms +- Contract management systems +- Security questionnaires +- Continuous monitoring tools + +**Framework Mappings:** +- NIST CSF: ID.SC-1, ID.SC-2, ID.SC-3, ID.SC-4, ID.SC-5 +- ISO 27001: A.15.1.1, A.15.1.2, A.15.1.3, A.15.2.1, A.15.2.2 +- NIST 800-53: SA-9, SA-12 +- PCI DSS: 12.8, 12.8.1-5, 12.9 + +### CIS Control 16: Application Software Security + +| Safeguard | Description | Implementation | +|-----------|-------------|----------------| +| 16.1 | Establish Application Security Program | Document 
SDLC security | +| 16.2 | Perform Application Classification | Assess application criticality | +| 16.3 | Implement Secure Software Development Practices | Secure coding standards | +| 16.4 | Establish a Secure Software Development Lifecycle | Include security in SDLC | +| 16.5 | Use Up-to-Date and Trusted Third-Party Components | Manage dependencies | +| 16.6 | Establish Secure Coding Practices | Developer guidelines | +| 16.7 | Use Standard Hardening Configuration Templates | Application hardening | +| 16.8 | Separate Production and Non-Production Systems | Environment segregation | +| 16.9 | Train Developers in Application Security Concepts and Secure Coding | Developer education | +| 16.10 | Apply Secure Design Principles in Application Architectures | Security architecture | +| 16.11 | Leverage Vetted Modules or Services | Use proven components | +| 16.12 | Implement Code-Level Security Checks | SAST/DAST | +| 16.13 | Conduct Application Penetration Testing | Security testing | +| 16.14 | Conduct Threat Modeling | Identify attack vectors | + +**Key Tools:** +- SAST tools (SonarQube, Checkmarx) +- DAST tools (OWASP ZAP, Burp Suite) +- Dependency scanners (OWASP Dependency-Check) +- SCA tools (Snyk, Black Duck) + +**Framework Mappings:** +- NIST CSF: PR.DS-7, PR.IP-2 +- ISO 27001: A.14.1.1, A.14.2.1, A.14.2.2, A.14.2.5, A.14.2.6, A.14.2.8 +- NIST 800-53: SA-3, SA-4, SA-8, SA-11, SA-15, SA-16 +- PCI DSS: 6.3, 6.4, 6.5, 6.6 + +### CIS Control 17: Incident Response Management + +| Safeguard | Description | Implementation | +|-----------|-------------|----------------| +| 17.1 | Establish Incident Response Process | Document IR plan | +| 17.2 | Establish and Maintain Contact Information for Reporting Security Incidents | Define escalation paths | +| 17.3 | Establish and Maintain an Enterprise Process for Reporting Incidents | Report procedures | +| 17.4 | Establish and Maintain An Incident Response Process | IR workflows | +| 17.5 | Assign Key Roles and 
Responsibilities | Define IR team | +| 17.6 | Define Mechanisms for Communicating During Incident Response | Communication plans | +| 17.7 | Conduct Routine Incident Response Exercises | Tabletop exercises | +| 17.8 | Conduct Post-Incident Reviews | Lessons learned process | +| 17.9 | Establish and Maintain Security Incident Thresholds | Event classification | + +**Key Tools:** +- Incident response platforms (TheHive, RTIR) +- Digital forensics tools +- Threat intelligence platforms +- Communication platforms + +**Framework Mappings:** +- NIST CSF: RS.RP-1, RS.CO-1, RS.AN-1, RS.MI-1, RS.MI-2, RC.RP-1 +- ISO 27001: A.16.1.1, A.16.1.2, A.16.1.3, A.16.1.4, A.16.1.5, A.16.1.6, A.16.1.7 +- NIST 800-53: IR-1, IR-2, IR-3, IR-4, IR-5, IR-6, IR-7, IR-8 +- PCI DSS: 12.10, 12.10.1, 12.10.2, 12.10.3, 12.10.4, 12.10.5, 12.10.6 + +### CIS Control 18: Penetration Testing + +| Safeguard | Description | Implementation | +|-----------|-------------|----------------| +| 18.1 | Establish Penetration Testing Program | Document testing strategy | +| 18.2 | Perform Regular External Penetration Tests | Test external perimeter | +| 18.3 | Perform Regular Internal Penetration Tests | Test internal network | +| 18.4 | Validate Security Measures | Verify control effectiveness | +| 18.5 | Document Penetration Testing Results | Report all findings | +| 18.6 | Test Critical Systems and Services | Focus on key assets | +| 18.7 | Remediate Penetration Test Findings | Fix identified issues | +| 18.8 | Use Qualified Penetration Testers | Engage skilled professionals | +| 18.9 | Conduct Application Penetration Testing | Test web applications | +| 18.10 | Conduct Physical Penetration Testing | Test physical security | + +**Key Tools:** +- Penetration testing tools (Metasploit, Nmap, Burp Suite) +- Vulnerability scanners (Nessus, OpenVAS) +- Social engineering tools (SET, Gophish) +- Physical penetration testing equipment + +**Framework Mappings:** +- NIST CSF: ID.RA-1, DE.CM-8 +- ISO 27001: A.14.2.8, 
A.18.2.1, A.18.2.3 +- NIST 800-53: CA-8, RA-5, SA-11 +- PCI DSS: 11.3, 11.3.1, 11.3.2, 11.3.3, 11.3.4 + +## Framework Mapping Matrix + +| CIS Control | NIST CSF | ISO 27001 | NIST 800-53 | PCI DSS | HIPAA | GDPR | +|-------------|----------|-----------|-------------|---------|-------|------| +| 1. Inventory and Control of Enterprise Assets | ID.AM-1, ID.AM-2 | A.8.1.1, A.8.1.2 | CM-8, PM-5 | 2.4, 9.9, 11.1 | §164.310(d) | Art 30, 32 | +| 2. Inventory and Control of Software Assets | ID.AM-2, PR.DS-6 | A.12.6.2, A.8.1.1 | CM-7, CM-8 | 2.4, 6.2 | §164.310(d) | Art 30 | +| 3. Data Protection | PR.DS-1, PR.DS-2, PR.DS-5 | A.8.2.1-3, A.10.1.1 | SC-8, SC-28, MP-2-4 | 3.1-6, 4.1-2 | §164.312(a)(2)(iv) | Art 5, 6, 25, 32 | +| 4. Secure Configuration of Enterprise Assets and Software | PR.IP-1, PR.PT-3 | A.12.1.2, A.14.2.2-4 | CM-2, CM-6, CM-7 | 2.2, 2.3, 2.6 | §164.310(c) | Art 25, 32 | +| 5. Account Management | PR.AC-1, PR.AC-4, PR.AC-7 | A.9.2.1-6 | AC-2, AC-3, AC-6, IA-2, IA-5 | 7.1, 7.2, 8.1-3 | §164.308(a)(3), §164.308(a)(4) | Art 25, 32 | +| 6. Access Control Management | PR.AC-1, PR.AC-3, PR.AC-4 | A.9.1.1-2, A.9.2.3, A.9.4.1 | AC-1-6, AC-17 | 7.1, 7.2, 8.3 | §164.308(a)(4) | Art 25, 32 | +| 7. Continuous Vulnerability Management | ID.RA-1, ID.RA-2, PR.IP-12 | A.12.6.1-2, A.14.2.3 | RA-3, RA-5, SI-2 | 6.1, 6.2, 11.2 | §164.308(a)(1)(ii)(A) | Art 32 | +| 8. Audit Log Management | PR.PT-1, DE.CM-1, DE.CM-3 | A.12.4.1-4 | AU-2-3, AU-6-12 | 10.1-7 | §164.308(a)(1)(ii)(D), §164.312(b) | Art 30, 32 | +| 9. Email and Web Browser Protections | PR.DS-6, PR.DS-7, DE.CM-5 | A.13.1.1-2 | SC-7, SC-8 | 1.3, 4.1, 5.1, 5.3 | §164.308(a)(5)(ii)(B) | Art 32 | +| 10. Malware Defenses | DE.CM-4, DE.CM-5, PR.DS-5 | A.12.2.1 | SI-3, SI-4, SI-8 | 5.1-3 | §164.308(a)(5)(ii)(B) | Art 32 | +| 11. Data Recovery | PR.IP-4, RC.RP-1 | A.12.3.1, A.17.1.2-3 | CP-9, CP-10 | 9.5-7, 12.10.1 | §164.308(a)(7) | Art 32 | +| 12. 
Network Infrastructure Management | PR.AC-5, PR.PT-4 | A.13.1.1, A.13.1.3 | AC-17-18, IA-3, SC-7-8 | 1.1-3, 2.2 | §164.312(a)(1) | Art 32 | +| 13. Network Monitoring and Defense | DE.AE-1-3, DE.CM-1, DE.CM-7 | A.12.4.1, A.13.1.1-2 | SI-4, AU-6 | 10.6, 11.4, 11.5 | §164.308(a)(1)(ii)(D), §164.312(b) | Art 32 | +| 14. Security Awareness and Skills Training | PR.AT-1, PR.AT-2, PR.AT-5 | A.7.2.2-3 | AT-1, AT-2, AT-3 | 12.6, 12.6.1-2 | §164.308(a)(5) | Art 32, 39 | +| 15. Service Provider Management | ID.SC-1-5 | A.15.1.1-3, A.15.2.1-2 | SA-9, SA-12 | 12.8, 12.8.1-5, 12.9 | §164.308(b) | Art 28, 32 | +| 16. Application Software Security | PR.DS-7, PR.IP-2 | A.14.1.1, A.14.2.1-2, A.14.2.5-6, A.14.2.8 | SA-3-4, SA-8, SA-11, SA-15-16 | 6.3-6 | §164.312(a)(1) | Art 25, 32 | +| 17. Incident Response Management | RS.RP-1, RS.CO-1, RS.AN-1, RS.MI-1-2, RC.RP-1 | A.16.1.1-7 | IR-1-8 | 12.10, 12.10.1-6 | §164.308(a)(6) | Art 33, 34 | +| 18. Penetration Testing | ID.RA-1, DE.CM-8 | A.14.2.8, A.18.2.1, A.18.2.3 | CA-8, RA-5, SA-11 | 11.3, 11.3.1-4 | §164.308(a)(8) | Art 32 | + +## Implementation Priorities by Organization Size + +### Small Organizations (Limited Resources) + +**Essential Controls to Implement First:** +1. CIS Control 1: Inventory and Control of Enterprise Assets +2. CIS Control 2: Inventory and Control of Software Assets +3. CIS Control 3: Data Protection (focus on encryption) +4. CIS Control 4: Secure Configuration (basic hardening) +5. CIS Control 5: Account Management (focus on privileged accounts) +6. CIS Control 7: Continuous Vulnerability Management (basic patching) +7. CIS Control 10: Malware Defenses (endpoint protection) +8. CIS Control 11: Data Recovery (basic backup strategy) +9. 
CIS Control 14: Security Awareness Training (basic program) + +**Implementation Tips:** +- Use free/open source tools where possible +- Focus on cloud-based security solutions with minimal infrastructure +- Implement managed security services for areas requiring expertise +- Prioritize protecting the most critical systems and data +- Consider outsourcing complex controls + +### Medium Organizations (Moderate Resources) + +**Implementation Order:** +1. Implement all Basic controls (1-6) thoroughly +2. Implement Foundational controls (7-16) with focus on: + - CIS Control 7: Continuous Vulnerability Management + - CIS Control 8: Audit Log Management + - CIS Control 10: Malware Defenses + - CIS Control 11: Data Recovery + - CIS Control 12: Network Infrastructure Management + - CIS Control 13: Network Monitoring and Defense +3. Begin implementing Organizational controls (17-18) + +**Implementation Tips:** +- Establish formal security program with dedicated resources +- Implement automation where possible +- Consider hybrid of in-house and outsourced security services +- Establish metrics to measure control effectiveness + +### Large Organizations (Significant Resources) + +**Implementation Approach:** +1. Implement all 18 CIS Controls comprehensively +2. Focus on automation and integration +3. Establish continuous monitoring and improvement +4. Customize controls for industry-specific requirements +5. 
Implement advanced capabilities within each control + +**Implementation Tips:** +- Develop custom security architecture aligned with controls +- Implement defense-in-depth strategy +- Establish centralized security operations capability +- Integrate controls with risk management program +- Establish control validation and testing program + +## Implementation Challenges and Solutions + +| Challenge | Description | Potential Solutions | +|-----------|-------------|---------------------| +| **Resource Constraints** | Limited budget, staff, or time | Start with critical controls, use free tools, consider managed services | +| **Technical Complexity** | Some controls require specialized expertise | Outsource complex controls, invest in training, use simplified solutions | +| **Legacy Systems** | Older systems may not support modern security | Implement compensating controls, isolate legacy systems, prioritize replacement | +| **Organizational Resistance** | User pushback to security measures | Focus on user experience, demonstrate business value, executive sponsorship | +| **Lack of Visibility** | Incomplete view of environment | Implement asset discovery tools, start with known assets, incremental improvement | +| **Monitoring Fatigue** | Too many alerts, not enough analysts | Tune detections, prioritize alerts, automate responses where possible | +| **Integration Challenges** | Making tools work together | Select integration-friendly solutions, use APIs, standardize data formats | +| **Measuring Effectiveness** | Difficulty proving control value | Establish baseline metrics, track improvements, use maturity models | + +## CIS Controls Implementation Roadmap + +### Phase 1: Foundation (Months 1-3) +- Complete initial asset inventory (CIS 1, 2) +- Implement basic account controls (CIS 5) +- Deploy endpoint protection (CIS 10) +- Establish backup solution (CIS 11) +- Begin security awareness program (CIS 14) + +### Phase 2: Basic Security Posture (Months 4-6) +- 
Implement secure configurations (CIS 4) +- Establish vulnerability management (CIS 7) +- Deploy basic log management (CIS 8) +- Secure email and web browsing (CIS 9) +- Document incident response procedures (CIS 17) + +### Phase 3: Enhanced Protection (Months 7-12) +- Implement data protection controls (CIS 3) +- Enhance access control (CIS 6) +- Secure network infrastructure (CIS 12) +- Deploy network monitoring (CIS 13) +- Review vendor security (CIS 15) + +### Phase 4: Advanced Capabilities (Months 13-18) +- Implement application security (CIS 16) +- Conduct penetration testing (CIS 18) +- Enhance and refine all controls +- Establish metrics and reporting +- Integrate with risk management + +## Key Performance Indicators by Control + +| Control | Key Metrics | Target Values | +|---------|-------------|---------------| +| **1. Inventory** | % of assets inventoried, Unauthorized device detection time | >95% inventoried, <24h detection | +| **2. Software Inventory** | % of software inventoried, % of unauthorized software | >95% inventoried, <2% unauthorized | +| **3. Data Protection** | % of sensitive data encrypted, data loss incidents | >99% encrypted, 0 incidents | +| **4. Secure Configuration** | % of systems with secure baseline, configuration drift rate | >95% compliant, <5% drift | +| **5. Account Management** | % of accounts reviewed, dormant account count | 100% reviewed annually, <5% dormant | +| **6. Access Control** | Excessive privilege rate, access review completion | <5% with excessive rights, 100% reviewed | +| **7. Vulnerability Management** | Mean time to patch critical vulnerabilities, scan coverage | <7 days MTTR, >98% coverage | +| **8. Audit Logging** | Logging coverage, log retention compliance | >98% coverage, 100% retention compliance | +| **9. Email/Web Protection** | Phishing simulation success rate, malware blocked | <5% click rate, >99% block rate | +| **10. 
Malware Defense** | Endpoint protection coverage, detection time | >99% coverage, <1 hour detection | +| **11. Data Recovery** | Backup success rate, recovery time objective achievement | >99% success, 100% RTO met | +| **12. Network Management** | Network device compliance, unauthorized change rate | >98% compliance, <1% unauthorized | +| **13. Network Monitoring** | Alert triage time, true positive rate | <30 min triage, >80% true positive | +| **14. Security Training** | Training completion rate, knowledge assessment scores | >95% completion, >85% score | +| **15. Service Providers** | % of providers assessed, contract compliance | 100% assessed, 100% compliant | +| **16. Application Security** | % of apps security tested, critical vulnerability remediation | 100% critical apps tested, <7 days remediation | +| **17. Incident Response** | Mean time to respond, exercise completion | <4 hours MTTR, ≥2 exercises annually | +| **18. Penetration Testing** | Test coverage, findings remediation rate | 100% critical systems, >95% remediation |
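Review bot: several of the per-control safeguard tables in this hunk do not agree with each other, which undermines a document that calls itself a v8 cheatsheet, so the safeguard rows should be reconciled against the published v8 safeguard list before merge. The clearest cases visible in the hunk: in Control 5, rows `5.7 | Implement MFA for Privileged Users`, `5.8 | Implement MFA for Remote Network Access` and `5.9 | Implement MFA for Internet-Accessible Services` restate the Control 6 rows 6.3 to 6.5 almost word for word, so one set should go; in Control 1, rows 1.3 and 1.4 both describe DHCP logging and read as a split of a single safeguard; in Control 17, rows 17.1 "Establish Incident Response Process" and 17.4 "Establish and Maintain An Incident Response Process" are duplicates. While fixing numbering, also make the port-security spelling consistent (`802.1x` in safeguard 1.2 versus `802.1X` in 13.9) and expand compressed ranges such as `12.8.1-5` and `A.9.2.1-6` in the mapping matrix, since a reader who copies those into a compliance tracker will otherwise have to guess the individual identifiers.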