Priority # 1 – Manage Devices on Your Network
The first 5 CIS Controls
CIS notes that it is important to make a formal, conscious, top-level decision to make the CIS Controls part of the organization’s standard for cybersecurity. Senior management and the Board of Directors should be on board for support and accountability, and should implement the first 5 CIS Controls in their organizations as a minimum requirement.
- CIS Control 1 - Inventory of Authorized & Unauthorized Devices
- CIS Control 2 - Inventory of Authorized & Unauthorized Software
- CIS Control 3 - Secure Configurations for Hardware & Software on Mobile Devices, Laptops, Workstations, & Servers
- CIS Control 4 - Continuous Vulnerability Assessment & Remediation
- CIS Control 5 - Controlled Use of Administrative Privileges
* CIS is a forward-thinking nonprofit entity that harnesses the power of the global IT community to safeguard private and public organizations against cyber threats.
CIS Control 1
This week we start by taking a more in-depth look at CIS Control 1.
Basic question every corporate leader should be able to answer (Cyber Hygiene Campaign):
The CIS Controls are a general set of recommended practices for securing a wide range of systems and devices. The CIS Controls (formerly known as the Critical Security Controls) are a prioritized, highly focused set of actions you can follow to protect and defend your company against cyber threats. They were developed after studying actual attacks and the defenses that proved effective against them.
Hackers are constantly looking for ways to connect to your systems
The public Internet is a lawless place crowded with potential attackers targeting your organization. Hackers are continuously scanning networks to find vulnerabilities to compromise your systems. They wait for new and unprotected systems to be attached to your network, look for devices that come and go off your network, and attack when you are most vulnerable.
Figure 1: Attackers continuously scanning your network
It can even be the case that you have attackers on your private network. These might be guests on your company Wi-Fi or untrustworthy employees.
A dedicated network for physical security devices
Your physical security devices are a primary target for hackers. By gaining control of them, attackers obtain the access needed to commit more serious offences. For example, they could open doors, view the position of security personnel, turn off alarms and remove recorded evidence from the security management system.
Managing control of all devices plays a vital role in your cybersecurity defense.
To get better control of your physical security devices, Zenitel recommends using a dedicated network for these devices. This will reduce the risk of:
BYOD (bring your own device), where employees bring personal devices into work and connect them to the company’s network, is increasingly common. Such devices may already be compromised and can be used to infect internal resources. You do not want these devices on the same network as your physical security system.
|Cybersecurity making headlines|
1.5 million CCTV cameras hacked
Detect and manage devices
CIS recommends having a system in place to actively detect and manage devices. A typical system for detecting and managing devices such as PCs, IP cameras and intercoms is illustrated in Figure 2.
The network switch detects when a new device joins the network. Before access to any network resources is given, the network switch authenticates the device using IEEE 802.1X. During this process the device's credentials are verified against an AAA server using RADIUS Authentication & Authorization, and the AAA server assigns the correct authorization level for network resources.
In addition to authentication and authorization, the network switch reports information about the device and the access it was given to the AAA server using RADIUS Accounting. The AAA server then maintains a log that serves as an inventory of all hardware devices, both those that were authorized and those that were denied access.
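As an added illustration of how the RADIUS Authentication and Accounting records described above turn into a device inventory (example code written for this article, not Zenitel's or any AAA product's own), the script below parses a constructed, simplified AAA log whose attribute names follow RFC 2865/2866, builds the authorized/unauthorized inventory per device MAC, and flags the case from the next section: a switch port where an authorized device went offline and a rejected device appeared right afterwards. The log format is an assumption; real servers log differently.

```python
import re

# Constructed sample AAA server log (not output of any real product): timestamp,
# RADIUS packet type, then attributes named as in RFC 2865 (Calling-Station-Id =
# device MAC, NAS-Port-Id = switch port) and RFC 2866 (Acct-Status-Type).
SAMPLE_LOG = """\
2024-05-01T08:00:01 Access-Accept User-Name=cam-gate-01 Calling-Station-Id=00-11-22-33-44-55 NAS-Port-Id=Gi1/0/7
2024-05-01T08:00:02 Accounting-Request Acct-Status-Type=Start Calling-Station-Id=00-11-22-33-44-55 NAS-Port-Id=Gi1/0/7
2024-05-01T08:06:00 Access-Accept User-Name=intercom-lobby Calling-Station-Id=00-11-22-33-44-66 NAS-Port-Id=Gi1/0/12
2024-05-01T08:06:01 Accounting-Request Acct-Status-Type=Start Calling-Station-Id=00-11-22-33-44-66 NAS-Port-Id=Gi1/0/12
2024-05-01T09:30:00 Accounting-Request Acct-Status-Type=Stop Calling-Station-Id=00-11-22-33-44-55 NAS-Port-Id=Gi1/0/7
2024-05-01T09:30:40 Access-Reject User-Name=anonymous Calling-Station-Id=de-ad-be-ef-00-01 NAS-Port-Id=Gi1/0/7
"""

LINE_RE = re.compile(r"^(\S+) (\S+)((?: [\w-]+=\S+)*)$")

def parse_line(line):
    """Timestamp, packet type and RADIUS attributes; None if unusable for inventory."""
    m = LINE_RE.match(line.strip())
    attrs = dict(kv.split("=", 1) for kv in m.group(3).split()) if m else {}
    if not m or "Calling-Station-Id" not in attrs or "NAS-Port-Id" not in attrs:
        return None
    return {"ts": m.group(1), "type": m.group(2), **attrs}

def events(log_text):
    return [r for r in map(parse_line, log_text.splitlines()) if r]

def build_inventory(log_text):
    """Hardware inventory keyed by MAC: authorized vs. unauthorized, port, online state."""
    inv = {}
    for rec in events(log_text):
        dev = inv.setdefault(rec["Calling-Station-Id"],
                             {"status": "unknown", "user": None, "online": False})
        dev["port"], dev["last_seen"] = rec["NAS-Port-Id"], rec["ts"]
        if rec["type"] == "Access-Accept":
            dev["status"], dev["user"] = "authorized", rec.get("User-Name")
        elif rec["type"] == "Access-Reject":
            dev["status"], dev["user"] = "unauthorized", rec.get("User-Name")
        elif rec["type"] == "Accounting-Request":      # RADIUS Accounting (RFC 2866)
            dev["online"] = rec.get("Acct-Status-Type") == "Start"
    return inv

def port_swap_alerts(log_text):
    """Ports where an authorized device stopped and a rejected device then appeared."""
    last_stop, alerts = {}, []
    for rec in events(log_text):
        port, mac = rec["NAS-Port-Id"], rec["Calling-Station-Id"]
        if rec["type"] == "Accounting-Request" and rec.get("Acct-Status-Type") == "Stop":
            last_stop[port] = mac
        elif rec["type"] == "Access-Reject" and port in last_stop:
            alerts.append((port, last_stop[port], mac))
    return alerts
```

Running `build_inventory(SAMPLE_LOG)` lists two authorized devices (one now offline) and one unauthorized MAC, and `port_swap_alerts(SAMPLE_LOG)` reports port Gi1/0/7, where the rejected MAC appeared 40 seconds after the camera's accounting Stop.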
Your wired LAN network is vulnerable
Every company knows that they must protect access to their Wi-Fi networks. A hacker can gain easy access to their computer network if the Wi-Fi is not secured. Why then do they not have the same concern for their wired networks? It is just as important to protect your wired network as the Wi-Fi networks.
Physical security devices are by their nature often placed in public areas such as gates, doors, fences and parking areas. Such locations are especially vulnerable to attack. By simply disconnecting the physical security device, an attacker can use the device's network port to gain access to the system.
CIS recommends, at a minimum, using IEEE 802.1X to protect access to both your Wi-Fi and wired networks. IEEE 802.1X is a method where devices are authenticated and then authorized to access network resources. The authentication can use symmetric credentials (username and password) as well as asymmetric keys (Public Key Infrastructure (PKI) with certificates and private keys).
|Zenitel fact box|
|Zenitel has kept IP security at the forefront for over 11 years and in 2010 became the first IP intercom vendor to implement IEEE 802.1X network access control. We stay on top of the latest vulnerabilities with regular software upgrades to ensure our systems provide secure, reliable communication.|
Use air gapping for unsecured parts of your network
For mission-critical systems where risks need to be reduced to a minimum, you should consider an air gap solution.
An air gap is a network security measure employed on one or more computers to ensure that a secure computer network is physically isolated from unsecured networks, such as the public Internet or an unsecured local area network.
|Zenitel’s air gap solution|
Zenitel’s air gap solution is used when you need to place an intercom in an unsecure area. In that case we use the TCIA-2 IP-Analogue intercom. The TCIA-2 connects to the Zenitel air gap gateway, which is placed in a secure area.
Figure 3: Zenitel's air gap solution
The vandal-resistant Analog over IP intercom combines the network security of an analog intercom with the audio features of an IP intercom. This keeps your IP network port in a protected area. This is an ideal solution for Building Security and Public Environments where you don't want to expose your physical IP network, yet still require all the audio features of an IP Intercom, such as HD voice quality, Open Duplex, Active Noise Cancellation, MEMS microphone, and our unique speaker grill design.
CIS® (Center for Internet Security®)
CIS is a forward-thinking nonprofit entity that harnesses the power of the global IT community to safeguard private and public organizations against cyber threats. Our CIS Controls and CIS Benchmarks are the global standard and recognized best practices for securing IT systems and data against the most pervasive attacks. These proven guidelines are continually refined and verified by a volunteer global community of experienced IT professionals. CIS is home to the Multi-State Information Sharing & Analysis Center (MS-ISAC®), the go-to resource for cyber-threat prevention, protection, response, and recovery for state, local, tribal, and territorial governments.
This is a prioritized list of highly focused actions you can follow to protect and defend your company against cyber threats. The CIS Controls have been developed after studying actual attacks and effective defenses.
The Internet is a network of networks linking millions of private, public, academic and business networks to reach billions of users. The Internet uses the TCP/IP set of network protocols and began as a U.S Department of Defense network to link scientists and university professors around the world.
Figure 4: The Internet - The Network of Networks
AAA server (Authentication, Authorization and Accounting)
An AAA server is used to manage user credentials and network access. AAA servers were first used to manage Internet access for dial-up modem users. They are now used to manage network access for many technologies, including Wi-Fi, wired networks, xDSL, VPN and more. An AAA server allows an enterprise to manage user credentials from one central location.
RADIUS (Remote Authentication Dial In User Service)
RADIUS is a networking protocol that provides centralized Authentication, Authorization and Accounting (AAA) management for users who connect to and use a network service. Authentication and authorization in RADIUS are described in RFC 2865, while accounting is described in RFC 2866.
IEEE 802.1X is an IEEE Standard for port-based Network Access Control. It provides an authentication and authorization mechanism to devices wishing to attach to a LAN or WiFi network.