Control is an illusion. We humans think we're in control, but this couldn't be further from reality.

This week in the CIS framework our main focus will be control, and even though the idea of control is an illusion… we can always try.

If you’re new to the series head over to the first three parts here

Control 13 (Foundational) – Leaking Data

In this control we’re focusing on data protection, making sure our data avoids getting lost or leaked. 

DLP is a common acronym in InfoSec for data protection, and it gets expanded two ways: “Data Loss Prevention” and “Data Leak Prevention”.

  • Leak – Leaked data means an employee, accidentally or deliberately, sent data outside the organization (email, a cloud share, a USB stick). The data still exists, it's just no longer only yours.
  • Loss – Lost data is data you no longer have, or can no longer use: mass exfiltration followed by deletion, or encryption. A ransomware attack where the attacker encrypts all your data and you have no clean backup is data loss.

Surprisingly, many companies aren't really aware of the secret or critical data they're holding. This has started to change thanks to the steady stream of data breaches and their knock-on effects, but the security protecting our data is still pretty poor in most places.

Here are a few subcontrols CIS recommends for protecting our data.

The two I’ll emphasize here are… 

  • Know Thyself: The first action any company needs to take when protecting its data is understanding what it's actually holding. Mapping every data type and where that data lives is the key first step to understanding your data security needs. This data inventory is something you update and monitor continuously, like the device inventory I mentioned in previous posts. The step after mapping is labeling. Now that we know what data we have, it's time to label its sensitivity (e.g. public, private, restricted), because that label is what every later decision (encryption, access, monitoring) keys off.
  • No writing: A big no-no in data security is allowing your machines to “write” to removable media (USB drives, SD cards, phones). “Writing” simply means copying data from the computer onto a portable device, which lets an attacker, or a careless employee, walk it out the front door. A few configuration changes (on Windows, for example, the “Removable Disks: Deny write access” Group Policy setting; on Linux, mounting removable media read-only) block the write attempt immediately, and the attempt itself is worth logging.
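To make the “know thyself” step concrete, here is an added example, written for this post rather than taken from it or from CIS, of the simplest possible data-discovery pass: walk a directory tree, look for a few sensitive-data patterns, and emit an inventory that maps each file to one of the labels above. The directory layout, file contents, regexes and label names are all constructed for the demonstration; a real DLP engine uses far richer detectors. The Luhn check is there because a run of 13 to 16 digits is not automatically a card number, and without it every order reference in the company ends up labelled restricted.

```python
"""Added example for Control 13: a minimal data-discovery pass that builds the
inventory and labels described above. Not code from the original post or from
CIS. The directory tree, file contents, patterns and label names are constructed."""
from __future__ import annotations
import os
import re
import tempfile

# Deliberately simple detectors. A real DLP engine adds context (column names,
# nearby keywords, document type) to keep false positives down.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other 13-16 digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text: str) -> tuple[str, list[str]]:
    """Return (label, reasons) on the post's public/private/restricted scale."""
    reasons = []
    if SSN_RE.search(text):
        reasons.append("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            reasons.append("card")
            break
    if EMAIL_RE.search(text):
        reasons.append("email")
    if "ssn" in reasons or "card" in reasons:
        return "restricted", reasons
    if "email" in reasons:
        return "private", reasons
    return "public", reasons


def build_inventory(root: str) -> dict[str, tuple[str, list[str]]]:
    """Walk root and map every file (relative path) to its label: the data map."""
    inventory = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            inventory[rel] = classify_text(text)
    return inventory


def make_sample_tree() -> str:
    """Constructed sample files; the 13-digit order reference fails Luhn on purpose."""
    root = tempfile.mkdtemp(prefix="dlp-demo-")
    samples = {
        "hr/payroll.txt": "Jane Doe, SSN 123-45-6789, salary review notes\n",
        "finance/refunds.csv": "order,card\n1001,4111 1111 1111 1111\n",
        "marketing/leads.txt": "Follow up with alice@example.com next week\n",
        "public/press.txt": "Acme announces Q3 results. Order ref 1234567890123.\n",
    }
    for rel, text in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


def demo() -> dict[str, tuple[str, list[str]]]:
    """Build the constructed tree and return its inventory."""
    return build_inventory(make_sample_tree())


if __name__ == "__main__":
    for rel, (label, reasons) in sorted(demo().items()):
        print(f"{label:<10} {rel}  {reasons}")
```

Run it once and the four files come back as restricted, restricted, private and public; that output, kept and re-run on a schedule, is the inventory the control asks for. The label is the hand-off to the next control: restricted files are the ones whose access lists and change logs you review first.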

Control 14 (Foundational) – Need to know

Many companies allow their employees full access to everything, and basically all companies allow the CEO access to whatever they want.

My guess is that the admin distributing access is either ignorant of the risk or avoiding awkward conversations with the people they'd have to take access away from.

The key to setting up a strong user access policy isn't tech, it's persuasion. As an admin, you need to convince the CEO and other higher-ups that giving them ultimate access could lead to serious security issues. This sometimes awkward conversation should focus on separating your trust in them from your lack of trust in their laptop, and their credentials, when they're not the one using them.

One way of limiting access is a “need to know” policy: employees get access to exactly what their job requires and nothing more. Combine “need to know” access with a strong encryption policy and you're on your way to a safer future.

Here’s the long list of subcontrols recommended by CIS.  

Let’s dive into two

  • Enforce “Need to Know”: Access Control Lists will be your best friend when implementing any kind of limit on user access. The ACL records who may do what to which resource, but more importantly the system enforces it automagically: a request that isn't on the list is denied. Start from deny-by-default and grant per role rather than per person, so the list stays small enough to review.
  • Detailed logging: All of your critical data should be stored in a safe place, but equally important, that data should be monitored closely. Every logon to a system holding critical data should be logged and reviewed, and whenever a file is modified, even slightly, file integrity monitoring should kick in and notify you of the change.
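As an added example (not the post's or CIS's own code) of what “file integrity software” does under the hood: take a SHA-256 baseline of the directory holding critical data, take it again later, and report every file that was modified, added or removed. The directory contents and the three changes made to them are constructed for the demonstration.

```python
"""Added example for Control 14: a minimal file-integrity baseline and
comparison for a directory of critical data. This is not code from the
original post or from CIS; the sample files and the edits made to them are
constructed for the demonstration."""
from __future__ import annotations
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hash the contents; a timestamp or size can be faked, the digest cannot."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: str) -> dict[str, str]:
    """Snapshot: relative path -> SHA-256 for every file under root."""
    snapshot = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            snapshot[rel] = sha256_file(path)
    return snapshot


def compare(before: dict[str, str], after: dict[str, str]) -> dict[str, list[str]]:
    """Every difference is something to alert on; unchanged files stay silent."""
    return {
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
        "added": sorted(p for p in after if p not in before),
        "removed": sorted(p for p in before if p not in after),
    }


def write(root: str, rel: str, text: str) -> None:
    """Helper for the constructed sample data."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo() -> dict[str, list[str]]:
    """Take a baseline, simulate an edit, an addition and a deletion, compare."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    write(root, "payroll.csv", "alice,90000\nbob,85000\n")
    write(root, "contracts/acme.txt", "term: 12 months\n")
    write(root, "contracts/globex.txt", "term: 24 months\n")
    before = baseline(root)

    # The "slight adjustment" the post warns about: one digit in a salary.
    write(root, "payroll.csv", "alice,90000\nbob,185000\n")
    write(root, "contracts/notes.txt", "dropped here by someone\n")
    os.remove(os.path.join(root, "contracts", "acme.txt"))
    after = baseline(root)
    return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Keep the baseline somewhere the monitored host cannot rewrite it (a signed copy on the monitoring server), otherwise whoever edited payroll.csv can also edit the baseline. Hashing catches the edit even if the attacker restores the file's timestamp afterwards; a timestamp-only check does not.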

Control 15 (Foundational) – Sketchy Wifi

Did you know that during the 2016 Republican National Convention, in the middle of Trump's presidential campaign, Avast played a little trick on the attendees?

1,200 attendees connected to the phony “I VOTE TRUMP WIFI” network that sat outside the convention center and was being monitored by Avast. The experiment was simple but powerful, showing how easily attackers can leverage Wi-Fi to get at us.

Two main methods attackers use for wireless attacks are abusing public Wi-Fi and dropping their own access points near the victim's network.

  • Public Wi-Fi: Coffee shops and airports are an attacker's best friend. When an employee joins public Wi-Fi, an attacker on the same network (or running it) can intercept unencrypted traffic, serve a fake captive portal, or push a malicious download, and once the employee is back at the mothership our attacker has a backdoor straight into the corporate network.
  • Rogue or Twin: Wireless Access Points (WAPs) can be hidden away or placed in the parking lot, just close enough to reach gullible employees. Rogue WAPs are attacker devices attached to or placed around the network; “evil twins” are WAPs that broadcast the same network name (SSID) as the genuine corporate WAPs. The attacker hopes some employees will connect to the twin by mistake and hand over their credentials, through a fake login page or a captured enterprise authentication, so the attacker can replay those credentials against the real WAP and get onto the corporate network.

Here’s a long list of ways to protect against evil twins and infested public wifi. 

The two I’ll emphasize are… 

  • Know thy WAPs: I'll bundle two subcontrols into one for this point… Scanning for and maintaining an inventory of WAPs on your network is the simplest way to keep rogue or evil twin WAPs from sneaking in unnoticed. Like most subcontrols, it's never enough to scan once: scan on a recurring schedule, reconcile each scan against the inventory, and update the inventory as needed.
  • Encrypt the Wi-Fi: Wireless is everywhere and unavoidable, which is a good and a bad thing. Make sure all wireless traffic on your network is encrypted with WPA2 at a minimum, or WPA3 where your hardware supports it; WEP and open networks have no place on the corporate side, and guest Wi-Fi belongs on a separate, isolated network.
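An added example, not from the post or from CIS, of the reconciliation step that turns a periodic scan into a control: compare each access point seen in a wireless survey against the authorised inventory and flag evil twins (our SSID on a radio we don't own), rogue APs (an unknown radio close enough to be on the premises) and authorised APs running anything weaker than WPA2. The CSV format, BSSIDs, SSIDs, the inventory and the -65 dBm “on premises” threshold are all constructed assumptions; real input would come from a survey tool or the wireless controller's own export.

```python
"""Added example for Control 15: reconcile a wireless survey against the
authorised access-point inventory and flag evil twins, rogue APs and weak
encryption. Not code from the original post or from CIS. The scan format,
BSSIDs, SSIDs, inventory and signal threshold are constructed."""
from __future__ import annotations
import csv
import io

# Constructed survey, one row per radio (BSSID), as a scanner export might look.
SCAN_CSV = """\
bssid,ssid,security,signal_dbm
AA:BB:CC:00:00:01,CorpNet,WPA2,-45
AA:BB:CC:00:00:02,CorpNet,WPA3,-60
AA:BB:CC:00:00:03,CorpNet,WEP,-55
DE:AD:BE:EF:00:01,CorpNet,OPEN,-40
11:22:33:44:55:66,Free Public WiFi,OPEN,-30
AA:BB:CC:00:00:04,CorpNet-Guest,WPA2,-70
77:88:99:AA:BB:CC,NeighbourNet,WPA2,-85
"""

# The inventory the subcontrol asks you to maintain: BSSID -> SSID it may serve.
AUTHORIZED = {
    "AA:BB:CC:00:00:01": "CorpNet",
    "AA:BB:CC:00:00:02": "CorpNet",
    "AA:BB:CC:00:00:03": "CorpNet",
    "AA:BB:CC:00:00:04": "CorpNet-Guest",
}
CORPORATE_SSIDS = {"CorpNet", "CorpNet-Guest"}
ACCEPTABLE_SECURITY = {"WPA2", "WPA3"}   # WEP, WPA and open all fail the encryption subcontrol


def parse_scan(text: str) -> list[dict[str, str]]:
    """Read the survey export; BSSIDs normalised to upper case for lookup."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["bssid"] = row["bssid"].strip().upper()
        rows.append(row)
    return rows


def reconcile(scan, authorized, corporate_ssids, acceptable, on_premises_dbm=-65):
    """Sort every seen radio into a finding bucket; the -65 dBm cut-off is an assumption."""
    findings = {"evil_twin": [], "rogue": [], "weak_encryption": [],
                "misconfigured": [], "nearby": [], "ok": []}
    for ap in scan:
        bssid, ssid = ap["bssid"], ap["ssid"]
        security = ap["security"].upper()
        signal = int(ap["signal_dbm"])
        if bssid in authorized:
            if ssid != authorized[bssid]:
                findings["misconfigured"].append(bssid)   # our radio serving an SSID it was never given
            elif security not in acceptable:
                findings["weak_encryption"].append(bssid)
            else:
                findings["ok"].append(bssid)
        elif ssid in corporate_ssids:
            findings["evil_twin"].append(bssid)           # our SSID on a radio we do not own
        elif signal >= on_premises_dbm:
            findings["rogue"].append(bssid)               # unknown radio strong enough to be in the building
        else:
            findings["nearby"].append(bssid)              # a neighbour's network: note it and move on
    return findings


def demo() -> dict[str, list[str]]:
    return reconcile(parse_scan(SCAN_CSV), AUTHORIZED, CORPORATE_SSIDS, ACCEPTABLE_SECURITY)


if __name__ == "__main__":
    for bucket, radios in demo().items():
        print(f"{bucket:<16} {radios}")
```

A twin that also clones an authorised BSSID slips through this check, because it keys on MAC addresses that are trivially spoofed; that gap is why the inventory scan is paired with the encryption subcontrol and, for WPA2/WPA3-Enterprise, with clients configured to validate the authentication server's certificate instead of prompting the user to accept whatever the twin offers.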

Control 16 (Foundational) – Empty Accounts

Dedicated user accounts are created all the time: for services, contractors, shared projects, pen testers, etc.

Most companies are good at handing out accounts, but not at cleaning them up once the employment, project, or engagement is done.

By leaving accounts dormant instead of automagically disabling them, we're allowing attackers to hide in plain sight: a logon from a forgotten contractor account looks like business as usual.

Here are a few tips on how to clean out your living room of dormant user accounts. 

The two that jumped out to me are… 

  • Automagic Disablement: Every account that's created should be temporary and time-based, whether it's a service or an employee account. Once a project has finished, an employee has left, or a contractor's engagement has ended, the account should be disabled automatically, but not deleted. NEVER delete user accounts, only disable them: a disabled account keeps its identifier and its audit history, so old logs still resolve to a name, and those pesky auditors will appreciate it.
  • Logon Behaviour: If a user commonly logs in between 9 a.m. and 5 p.m. (EST) from Ohio, then a login at 3 a.m. (EST) from New Zealand should raise red flags. Mature InfoSec groups run software that spots abnormal behaviour in user accounts, so when our New Zealand scenario happens we catch it in real time.
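One added example (not the post's or CIS's own code) that serves both points above: it reads a constructed logon log and account list, decides which accounts to disable (past their end date, or idle longer than 45 days, including accounts that were never used at all), and flags logons that break a user's established pattern, such as the Ohio-during-business-hours user suddenly appearing from New Zealand at 3 a.m. Eastern (08:00 UTC). Account names, dates, locations, the 45-day idle limit and the three-logon minimum before profiling starts are all assumptions made for the demonstration.

```python
"""Added example for Control 16: dormant-account disablement and simple logon
anomaly detection over a constructed log. Not code from the original post or
from CIS; every name, date, location and threshold here is an assumption."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Account:
    name: str
    created: datetime
    expires: Optional[datetime]   # None = no end date (permanent staff or a service account)


@dataclass
class Logon:
    when: datetime
    user: str
    location: str


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed logon log: timestamp|user|coarse location, in no particular order.
LOGON_LOG = """\
2024-03-04T14:05:00Z|alice|Ohio
2024-03-05T13:30:00Z|alice|Ohio
2024-03-06T15:10:00Z|alice|Ohio
2024-03-01T10:00:00Z|bob|Ohio
2023-12-01T02:00:00Z|svc-backup|Datacenter
2024-03-07T08:00:00Z|alice|New Zealand
"""

# Constructed account list: bob is a contractor whose engagement ended 28 Feb,
# svc-backup has not been used since December, carol was created in January
# and has never logged on.
ACCOUNTS = [
    Account("alice", ts("2022-01-10T00:00:00Z"), None),
    Account("bob", ts("2023-11-01T00:00:00Z"), ts("2024-02-28T00:00:00Z")),
    Account("svc-backup", ts("2023-06-01T00:00:00Z"), None),
    Account("carol", ts("2024-01-05T00:00:00Z"), None),
]
NOW = ts("2024-03-08T12:00:00Z")   # the moment the nightly job runs (assumed)


def parse_logons(text: str) -> list[Logon]:
    logons = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, user, location = line.split("|")
        logons.append(Logon(ts(when), user, location))
    return sorted(logons, key=lambda l: l.when)


def accounts_to_disable(accounts, logons, now, max_idle_days=45) -> dict[str, str]:
    """Return account -> reason for every account that should be disabled now."""
    last_seen: dict[str, datetime] = {}
    for l in logons:
        if l.user not in last_seen or l.when > last_seen[l.user]:
            last_seen[l.user] = l.when
    to_disable = {}
    for acct in accounts:
        if acct.expires is not None and acct.expires <= now:
            to_disable[acct.name] = "expired"
            continue
        # An account that never logged on has been idle since the day it was created.
        idle_since = last_seen.get(acct.name, acct.created)
        if now - idle_since > timedelta(days=max_idle_days):
            to_disable[acct.name] = "dormant"
    return to_disable


def anomalous_logons(logons, min_history=3) -> list[tuple[Logon, list[str]]]:
    """Flag a logon whose location or hour is outside what that user did before.
    Profiling starts only after min_history logons so new users are not all alerts.
    Hours are compared with a +-1 tolerance and no midnight wrap-around (kept simple)."""
    seen_locations = defaultdict(set)
    seen_hours = defaultdict(set)
    history = defaultdict(int)
    flagged = []
    for l in logons:                      # chronological, so the profile only uses the past
        reasons = []
        if history[l.user] >= min_history:
            if l.location not in seen_locations[l.user]:
                reasons.append(f"new location: {l.location}")
            if not any(abs(l.when.hour - h) <= 1 for h in seen_hours[l.user]):
                reasons.append(f"unusual hour: {l.when.hour:02d}:00 UTC")
        if reasons:
            flagged.append((l, reasons))
        seen_locations[l.user].add(l.location)
        seen_hours[l.user].add(l.when.hour)
        history[l.user] += 1
    return flagged


if __name__ == "__main__":
    logons = parse_logons(LOGON_LOG)
    print("disable:", accounts_to_disable(ACCOUNTS, logons, NOW))
    for logon, why in anomalous_logons(logons):
        print("alert:", logon.user, logon.when.isoformat(), why)
```

The disable list should feed whatever actually disables the account (a directory script, the identity provider's API), not a human inbox, or it stops being automagic. Keep the profiling window short and reviewed: an attacker who logs in from New Zealand quietly for a week has taught a naive baseline that New Zealand is normal.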

This week was short and sweet, just like a French bulldog… See you next week my fellow humans.