
CIS Controls - picture

Priority # 1 – Manage Devices on Your Network

The first 5 CIS Controls

CIS notes that it is important to make a formal, conscious, top-level decision to make the CIS Controls part of the organization's standard for cybersecurity. Senior management and the Board of Directors should be on board for support and accountability, and should implement the first 5 CIS Controls in their organizations as a minimum requirement.

  • CIS Control 1 - Inventory of Authorized & Unauthorized Devices
  • CIS Control 2 - Inventory of Authorized & Unauthorized Software
  • CIS Control 3 - Secure Configurations for Hardware & Software on Mobile Devices, Laptops, Workstations, & Servers
  • CIS Control 4 - Continuous Vulnerability Assessment & Remediation
  • CIS Control 5 - Controlled Use of Administrative Privileges

* CIS is a forward-thinking nonprofit entity that harnesses the power of the global IT community to safeguard private and public organizations against cyber threats. 

CIS Control 1

This week we start by taking a more in-depth look at CIS Control 1.

CIS Control 1
Inventory of Authorized and Unauthorized Devices

Scope
Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.

Basic question every corporate leader should be able to answer (Cyber Hygiene Campaign):
What is connected to our systems and networks?

The CIS Controls are a general set of recommended practices for securing a wide range of systems and devices. The CIS Controls (formerly known as the Critical Security Controls) are a prioritized, highly focused set of actions you can follow to protect and defend your company against cyberthreats. They were developed by studying actual attacks and the defenses that proved effective against them.

Hackers are constantly looking for ways to connect to your systems

The public Internet is a lawless place crowded with potential attackers targeting your organization. Hackers continuously scan networks for vulnerabilities they can use to compromise your systems. They wait for new and unprotected systems to be attached to your network, watch for devices that come and go from your network, and attack when you are most vulnerable.


Figure 1: Attackers continuously scanning your network

It can even be the case that you have attackers on your private network. These might be guests on your company Wi-Fi or untrustworthy employees. 

A dedicated network for physical security devices

Your physical security devices are a primary target for hackers. By gaining control of them, they are able to get the access needed to commit more serious offences. For example, hackers could be able to open doors, view the position of security personnel, turn off alarms and remove recorded evidence from the security management system.

Managing control of all devices plays a vital role in your cybersecurity defense.

Zenitel recommendation

To get better control of your physical security devices, Zenitel recommends using a dedicated network for these devices. This reduces the risk of:

  • Disloyal employees accessing the physical security system
  • External hackers getting access, as you would have more layers of defense

BYOD (bring your own device), where employees bring personal devices into work and connect them to the company's network, is increasingly common. Such devices may already be compromised and can be used to infect internal resources. You do not want these devices on the same network as your physical security system.

Cybersecurity making headlines

1.5 million CCTV cameras hacked
Over the last year, an increasing number of cyberattacks have shown that many companies have not taken CIS Control #1 seriously. For the sake of convenience, they have connected their physical security devices to the public Internet without adequate safeguards, allowing hackers to take control of their systems. In October 2016, ifsecglobal.com reported what it described as the largest cyberattack in history, in which hackers took control of 1.5 million CCTV cameras that were connected to the public Internet. This has been a big wake-up call for the physical security industry. Link: https://www.ifsecglobal.com/hijack-surveillance-cameras-wake-up-call-security-industry/

Detect and manage devices

CIS recommends having a system in place to actively detect and manage devices. A typical system for detecting and managing devices such as PCs, IP cameras and intercoms is illustrated in figure 2.

Figure 2: Typical setup to detect and manage devices

The network switch detects when a new device joins the network. Before access to any network resources is given, the network switch authenticates the device using IEEE 802.1X: the switch acts as the authenticator and relays the device's EAP credentials to an AAA server over RADIUS Authentication and Authorization. The AAA server verifies the credentials and returns the authorization decision (for example, which VLAN or access level the port should get), so the device is allocated the correct level of access to network resources.

In addition to authentication and authorization, the network switch reports information about the device and the access it was given to the AAA server using RADIUS Accounting (session start, stop and interim updates). The AAA server can then maintain a log that serves as the inventory of hardware devices on the network. Note that accounting records only exist for sessions that were granted access; a device that was refused (Access-Reject) produces no accounting session, so the authentication log must be reviewed as well to see unauthorized devices that attempted to connect.

Your wired LAN network is vulnerable

Every company knows that they must protect access to their Wi-Fi networks. A hacker can gain easy access to their computer network if the Wi-Fi is not secured. Why then do they not have the same concern for their wired networks? It is just as important to protect your wired network as the Wi-Fi networks.

Physical security devices are by their nature often placed in public areas such as gates, doors, fences, and parking areas. Such locations are especially vulnerable to attack. By simply disconnecting the physical security device, an attacker can plug their own equipment into the network port the device was using and, if nothing on the switch checks who is connecting, gain access to the system.

CIS recommends, at a minimum, using IEEE 802.1X to protect access to both your Wi-Fi and your wired networks. IEEE 802.1X is a method where devices are authenticated and then authorized to get access to network resources. The authentication can use password-based credentials (username and password, carried by EAP methods such as PEAP with MS-CHAPv2) or certificate-based credentials (a Public Key Infrastructure (PKI) with device certificates and private keys, as in EAP-TLS). Certificates are the stronger option for unattended devices in public areas, since there is no password to extract from a stolen unit.
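What the AAA server's records actually give you, as an added example (this is not Zenitel's or CIS's code): a small script that turns RADIUS accounting Start/Stop records and authentication log lines into a device inventory, classifying each MAC address as authorized, unlisted (accepted but not on the expected-device list) or rejected. The sample records are constructed for the example and only approximate the layout of a FreeRADIUS "detail" accounting file and radius.log; the device names, MAC addresses, switch name sw-gate and the AUTHORIZED list are hypothetical. The sample also plays out the public-area scenario above: the intercom's session on port 3 ends with Lost-Carrier (cable pulled), and a minute later an unknown laptop on the same port is refused.

```python
"""Device inventory from RADIUS records (CIS Control 1).

Added example, not Zenitel's or CIS's code. All sample data below is constructed;
its layout approximates a FreeRADIUS "detail" accounting file and radius.log lines.
"""
import re
from collections import defaultdict

# Constructed accounting records: two sessions start, then the intercom's session stops.
ACCOUNTING_DETAIL = """\
Tue Oct  3 10:15:02 2017
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0000001A"
\tUser-Name = "intercom-gate-01"
\tCalling-Station-Id = "00-11-22-33-44-55"

Tue Oct  3 10:16:40 2017
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0000001B"
\tUser-Name = "camera-lot-04"
\tCalling-Station-Id = "00-11-22-33-44-66"

Tue Oct  3 12:00:00 2017
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "0000001A"
\tUser-Name = "intercom-gate-01"
\tCalling-Station-Id = "00-11-22-33-44-55"
\tAcct-Terminate-Cause = Lost-Carrier
"""

# Constructed authentication log. A rejected supplicant never gets an accounting
# session, so this is the only place an unauthorized device shows up.
AUTH_LOG = """\
Tue Oct  3 10:15:01 2017 : Auth: Login OK: [intercom-gate-01] (from client sw-gate port 3 cli 00-11-22-33-44-55)
Tue Oct  3 10:16:39 2017 : Auth: Login OK: [camera-lot-04] (from client sw-gate port 7 cli 00-11-22-33-44-66)
Tue Oct  3 12:01:30 2017 : Auth: Login incorrect: [laptop] (from client sw-gate port 3 cli 00-AA-BB-CC-DD-EE)
"""

# Hypothetical authorized-device list: MAC -> identity the device is expected to present.
AUTHORIZED = {
    "00-11-22-33-44-55": "intercom-gate-01",
    "00-11-22-33-44-66": "camera-lot-04",
}

AUTH_RE = re.compile(
    r"Auth: Login (?P<result>OK|incorrect)\b.*?\[(?P<user>[^\]]*)\] "
    r"\(from client (?P<nas>\S+) port (?P<port>\d+) cli (?P<mac>[0-9A-Fa-f-]+)\)"
)

def parse_detail(text):
    """One dict per blank-line-separated record; the first line of a record is its timestamp."""
    records = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        rec = {"timestamp": lines[0].strip()}
        for line in lines[1:]:
            key, _, value = line.strip().partition(" = ")
            rec[key] = value.strip('"')
        records.append(rec)
    return records

def parse_auth_log(text):
    """Return (result, user, nas, port, mac) for every Login OK / Login incorrect line."""
    hits = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            hits.append((m["result"], m["user"], m["nas"], int(m["port"]), m["mac"].lower()))
    return hits

def build_inventory(detail_text, auth_text, authorized):
    """Classify every MAC the AAA server has seen.

    status: "authorized" (accepted with the expected identity), "unlisted" (accepted but
    not on the list: inventory drift to chase) or "rejected" (asked, got Access-Reject).
    online: True between an accounting Start and its Stop; cause: last Acct-Terminate-Cause.
    """
    inv = defaultdict(lambda: {"status": None, "user": None, "online": False,
                               "ports": set(), "cause": None})
    for result, user, nas, port, mac in parse_auth_log(auth_text):
        e = inv[mac]
        e["user"] = user
        e["ports"].add((nas, port))
        if result == "OK":
            e["status"] = "authorized" if authorized.get(mac) == user else "unlisted"
        elif e["status"] is None:
            e["status"] = "rejected"
    for rec in parse_detail(detail_text):
        e = inv[rec.get("Calling-Station-Id", "").lower()]
        if rec.get("Acct-Status-Type") == "Start":
            # A session with no matching auth line is flagged "unlisted" so someone looks at it.
            e["online"], e["status"] = True, e["status"] or "unlisted"
        elif rec.get("Acct-Status-Type") == "Stop":
            e["online"], e["cause"] = False, rec.get("Acct-Terminate-Cause")
    return dict(inv)

if __name__ == "__main__":
    for mac, e in sorted(build_inventory(ACCOUNTING_DETAIL, AUTH_LOG, AUTHORIZED).items()):
        print(mac, e["status"], "online" if e["online"] else "offline", e["user"], sorted(e["ports"]))
```

Run as-is it lists the two authorized devices (the intercom now offline with cause Lost-Carrier) and the rejected laptop on sw-gate port 3. In a real deployment the interesting rows are the "unlisted" ones, which mean something was let onto the network that nobody recorded, and any "rejected" row on a port whose authorized device just dropped with Lost-Carrier.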

Zenitel fact box
Zenitel has kept IP security at the forefront for over 11 years and in 2010 became the first IP intercom vendor to implement IEEE 802.1X network access control. We stay on top of the latest vulnerabilities with regular software upgrades to ensure our systems provide secure, reliable communication.

Use air gapping for unsecured parts of your network

For mission-critical systems where risks need to be reduced to a minimum, you should consider an air gap solution.

An air gap is a network security measure employed on one or more computers to ensure that a secure computer network is physically isolated from unsecured networks, such as the public Internet or an unsecured local area network.

Zenitel’s air gap solution

Zenitel's air gap solution is used when you need to place an intercom in an unsecure area. In that case we use the TCIA-2 IP-Analogue intercom. The TCIA-2 connects over an analog line to the Zenitel air gap gateway, which is placed in a secure area; only the gateway, not the exposed intercom, has an IP network port.


Figure 3 Zenitel's air gap solution

The vandal-resistant Analog over IP intercom combines the network security of an analog intercom with the audio features of an IP intercom. This keeps your IP network port in a protected area. This is an ideal solution for Building Security and Public Environments where you don't want to expose your physical IP network, yet still require all the audio features of an IP Intercom, such as HD voice quality, Open Duplex, Active Noise Cancellation, MEMS microphone,  and our unique speaker grill design.

Terminology

CIS® (Center for Internet Security®)
CIS is a forward-thinking nonprofit entity that harnesses the power of the global IT community to safeguard private and public organizations against cyber threats. Its CIS Controls and CIS Benchmarks are the global standard and recognized best practices for securing IT systems and data against the most pervasive attacks. These proven guidelines are continually refined and verified by a volunteer global community of experienced IT professionals. CIS is home to the Multi-State Information Sharing & Analysis Center (MS-ISAC®), the go-to resource for cyber-threat prevention, protection, response, and recovery for state, local, tribal, and territorial governments.

CIS® Controls
This is a prioritized list of highly focused actions you can follow to protect and defend your company against cyber threats. The CIS Controls have been developed after studying actual attacks and effective defenses.

The Internet
The Internet is a network of networks linking millions of private, public, academic and business networks to reach billions of users. The Internet uses the TCP/IP set of network protocols and began as ARPANET, a U.S. Department of Defense research network that linked universities and research institutions.


Figure 4: The Internet - The Network of Networks

AAA server (Authentication, Authorization and Accounting)
An AAA server is used to manage user and device credentials and network access. AAA servers were first used to manage dial-up modem access to the Internet. They are now used to manage network access for many technologies, including Wi-Fi, wired LAN, xDSL, VPN and more. An AAA server allows an enterprise to manage credentials from one central location.

RADIUS (Remote Authentication Dial In User Service)
RADIUS is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users and devices that connect to and use a network service. Authentication and authorization in RADIUS are described in RFC 2865, while accounting is described in RFC 2866.

IEEE802.1X
IEEE 802.1X is an IEEE standard for port-based Network Access Control. It provides an authentication and authorization mechanism for devices wishing to attach to a wired LAN or a Wi-Fi network: the switch or access point keeps the port closed until the device has authenticated through an AAA server.
