Applying a Practical, Evidence-Based Approach to Cybersecurity Controls
There's a significant lack of research into which cybersecurity practices are actually effective at preventing or mitigating cyberattacks. Traditional cybersecurity standards often present lengthy lists of controls without providing evidence or explanation for their selection. This creates a challenging and often overwhelming environment for organizations that need to implement impactful security measures without unlimited resources. CACR and like-minded researchers and policy-makers are working to bridge this gap by championing an evidence-based approach to cybersecurity.
CACR has begun to fill the evidence-based practice gap by gathering and analyzing every systematic study we can find. For example, in CACR’s work to build Cybertrack, the State of Indiana’s local government cybersecurity assessment program, we knew we needed to build an efficient assessment methodology structured around a doable, meaningful standard. To do that, we could not reasonably pick up an “off the shelf” cybersecurity control standard and apply it wholesale. Even the CIS Controls—which are well prioritized, developed by a diverse community of cybersecurity experts, and written in a way that is understandable to security practitioners—would present a vast and costly amount of work for most local government organizations to implement.
To get to a manageable scope, we conducted research to identify an evidence-based, highly prioritized subset of the CIS Controls’ Safeguards. We set out to identify “gold standard” systematic studies whose results point to a small set of proven, high-impact controls. To meet this gold standard, we had to develop confidence in the validity of the methodology used in each candidate source. As such, we considered and eliminated a number of sources (including many government sources) that lacked any publicly available documentation of their methodology. We found three studies that qualified: the CIS Community Defense Model, the Microsoft Digital Defense Report, and the Australian Signals Directorate’s Essential Eight (referenced below). Notably, each of these three used a different methodology. We mapped the controls each study identified to the corresponding CIS Safeguards and scored them: a safeguard received one point for each gold standard study in which it appears, so a safeguard recommended by all three studies outscores one recommended by only one. This research resulted in an evidence-based, prioritized list of the CIS Safeguards, with 12 safeguards making up the top-scoring group that are now the major focus of the tactical-level standard for the Cybertrack assessment.
This evidence-based methodology provides a new perspective for creating effective security practices. While the Transformative Twelve aren't the only worthwhile controls, they represent a significant victory for practicality in a landscape filled with unprioritized standards.
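The scoring step described above (filter sources to those with a documented methodology, translate each source's recommendations into CIS Safeguard terms, then count how many sources support each safeguard) is small enough to express directly. The following is an added example, not CACR's or Cybertrack's own tooling; the study names, their control lists and the translation table are constructed placeholders and do not represent what the real studies recommend. Only the scoring rule itself comes from the text.

```python
from collections import defaultdict

# Constructed sample input (not the real studies): each candidate source lists
# the controls it recommends in its own vocabulary, plus whether its
# methodology is publicly documented.
STUDIES = {
    "Study A": {
        "methodology_documented": True,
        "controls": ["mfa for admins", "mfa for remote access",
                     "patch externally exposed systems", "application allowlisting"],
    },
    "Study B": {
        "methodology_documented": True,
        "controls": ["admin mfa", "remote access mfa",
                     "remove unapproved software", "backup testing"],
    },
    "Study C": {
        "methodology_documented": True,
        "controls": ["privileged account mfa", "vpn mfa",
                     "endpoint anti-malware", "vendor-specific widget"],
    },
    "Study D": {  # no published methodology: fails the gold-standard filter
        "methodology_documented": False,
        "controls": ["privileged account mfa", "mystery control"],
    },
}

# Translation table from each source's vocabulary to the CIS Safeguard it maps
# to (the "translate" step). Constructed for this example.
TRANSLATION = {
    "mfa for admins": "Require MFA for all administrative access accounts",
    "admin mfa": "Require MFA for all administrative access accounts",
    "privileged account mfa": "Require MFA for all administrative access accounts",
    "mfa for remote access": "Require MFA for remote network access",
    "remote access mfa": "Require MFA for remote network access",
    "vpn mfa": "Require MFA for remote network access",
    "patch externally exposed systems": "Remediate detected vulnerabilities",
    "application allowlisting": "Ensure unauthorized software is removed or has a documented exception",
    "remove unapproved software": "Ensure unauthorized software is removed or has a documented exception",
    "backup testing": "Test backup recovery",
    "endpoint anti-malware": "Deploy and maintain anti-malware software",
}


def gold_standard(studies):
    """Keep only sources whose methodology is publicly documented."""
    return {name: s for name, s in studies.items() if s["methodology_documented"]}


def score_safeguards(studies, translation):
    """Score each safeguard by the number of distinct gold-standard studies
    that recommend it. Returns (scores, unmapped_labels); unmapped labels are
    reported rather than silently dropped so the translation table can be fixed."""
    supporters = defaultdict(set)
    unmapped = set()
    for name, study in gold_standard(studies).items():
        for label in study["controls"]:
            safeguard = translation.get(label)
            if safeguard is None:
                unmapped.add(label)
                continue
            supporters[safeguard].add(name)  # a set, so one study counts once
    scores = {sg: len(names) for sg, names in supporters.items()}
    return scores, unmapped


def ranked(scores):
    """Safeguards ordered by score (descending), then by name."""
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def top_group(scores):
    """The safeguards tied at the highest score: the candidate priority set."""
    if not scores:
        return []
    best = max(scores.values())
    return sorted(sg for sg, n in scores.items() if n == best)


if __name__ == "__main__":
    scores, unmapped = score_safeguards(STUDIES, TRANSLATION)
    for safeguard, score in ranked(scores):
        print(f"{score}  {safeguard}")
    print("top group:", top_group(scores))
    print("unmapped labels needing review:", sorted(unmapped))
```

Two design points matter in practice: a study counts at most once per safeguard no matter how many of its recommendations map to that safeguard (hence the set), and labels that fail to translate are surfaced for review rather than dropped, since a missing mapping silently lowers a safeguard's score.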
The Transformative Twelve (T12)
Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.
Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.
Retain data according to the enterprise’s documented data management process. Data retention must include both minimum and maximum timelines.
Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.
Require MFA for remote network access.
Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a service provider.
Deploy and maintain anti-malware software on all enterprise assets.
Disable autorun and autoplay auto-execute functionality for removable media.
Configure anti-malware software to automatically scan removable media.
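Several of the T12 safeguards are verifiable directly on a host. As an added example (not part of the original page or of the Cybertrack assessment), the following script checks the "manage default accounts" safeguard on a Linux system: it parses /etc/passwd and /etc/shadow and reports pre-configured or vendor accounts that still have an interactive shell and a usable password. The file contents and the list of default account names are constructed for this example; the name list is an illustrative assumption and should be replaced with the vendor defaults relevant to your own assets.

```python
# Default/vendor account names to look for. Illustrative assumption for this
# example, not an authoritative list.
DEFAULT_ACCOUNT_NAMES = {"root", "admin", "administrator", "guest", "oracle",
                         "pi", "ubnt", "support", "service"}

# Shells that prevent interactive login.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed sample content standing in for /etc/passwd and /etc/shadow.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
pi:x:1000:1000:,,,:/home/pi:/bin/bash
admin:x:1001:1001:Vendor admin:/home/admin:/bin/bash
guest:x:1002:1002::/home/guest:/bin/bash
backup-ops:x:1003:1003::/home/backup-ops:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$placeholderhashroot:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
pi:$6$saltsalt$placeholderhashpi:19700:0:99999:7:::
admin:!:19700:0:99999:7:::
guest:$6$saltsalt$placeholderhashguest:19700:0:99999:7:::
backup-ops:$6$saltsalt$placeholderhashops:19700:0:99999:7:::
"""


def parse_passwd(text):
    """Map account name -> {uid, shell} from passwd-format text."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        accounts[name] = {"uid": int(uid), "shell": shell}
    return accounts


def parse_shadow(text):
    """Map account name -> password field from shadow-format text."""
    hashes = {}
    for line in text.splitlines():
        if not line:
            continue
        fields = line.split(":")
        hashes[fields[0]] = fields[1]
    return hashes


def password_usable(field):
    """True if the shadow password field permits password authentication.

    A field starting with '!' or '*' is locked; an empty field means no
    password is required at all, which is the worst case; a missing shadow
    entry means no password login is possible."""
    if field is None:
        return False
    if field == "":
        return True
    return not (field.startswith("!") or field.startswith("*"))


def find_usable_default_accounts(passwd_text, shadow_text,
                                 default_names=DEFAULT_ACCOUNT_NAMES):
    """Return the default accounts that are both interactive and able to
    authenticate with a password, i.e. neither disabled nor made unusable."""
    accounts = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    findings = []
    for name, acct in accounts.items():
        if name not in default_names:
            continue
        interactive = acct["shell"] not in NOLOGIN_SHELLS
        if interactive and password_usable(hashes.get(name)):
            findings.append(name)
    return sorted(findings)


def find_extra_uid0(passwd_text):
    """Any account other than root with UID 0 is a hidden administrator."""
    return sorted(n for n, a in parse_passwd(passwd_text).items()
                  if a["uid"] == 0 and n != "root")


if __name__ == "__main__":
    print("usable default accounts:", find_usable_default_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW))
    print("extra UID 0 accounts:", find_extra_uid0(SAMPLE_PASSWD))
```

On a live host, read the two files in place of the samples (reading /etc/shadow requires root). In the sample, admin is locked with "!" and daemon has a nologin shell, so neither is reported; root, pi and guest are. Whether root itself is an acceptable finding depends on policy: the safeguard calls for default accounts to be disabled or made unusable, and for root that usually means disabling password login and reaching it only through a named administrator account.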
The OT22 – Prioritizing Operational Technology (OT)
Using the exact same approach as for the T12, we evaluated, translated, and triangulated six sources (referenced below) to identify the most proven and impactful cybersecurity controls for OT-rich environments. This process resulted in the "OT22," a set of 22 high-scoring safeguards that are fundamental and impactful for OT environments.
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently.
Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently.
Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA.
Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.
Require MFA for remote network access.
Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a service provider.
Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.
Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
Perform automated vulnerability scans of externally-exposed enterprise assets. Perform scans on a monthly, or more frequent, basis.
Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
Establish and maintain a documented data recovery process that includes detailed backup procedures. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets.
Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations may include documentation, policy, and design components.
Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.
Perform traffic filtering between network segments, where appropriate.
Manage access control for assets remotely connecting to enterprise resources. Determine the amount of access to enterprise resources based on: up-to-date anti-malware software installed, configuration compliance with the enterprise’s secure configuration process, and ensuring the operating system and applications are up-to-date.
Collect network traffic flow logs and/or network traffic to review and alert upon from network devices.
Designate one key person, and at least one backup, who will manage the enterprise’s incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, service providers, or a hybrid approach. If using a service provider, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a documented incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard.
Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilities, public relations, human resources, incident responders, analysts, and relevant third parties. Review annually, or when significant enterprise changes occur that could impact this Safeguard.
Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision making, and workflows. Conduct testing on an annual basis, at a minimum.
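Three of the OT22 safeguards above (a segmented network architecture, traffic filtering between segments, and collecting flow logs to review and alert upon) combine naturally into one detection. The following is an added example, not code from the original page or from the Cybertrack program: it classifies each flow record by the segment its source and destination addresses fall in and alerts on any cross-segment flow that has no matching allow rule. The segment CIDRs, the allow rules and the NetFlow-style flow records are constructed for this example; a Purdue-style split into corporate IT, a DMZ, an OT supervisory level and an OT control level is assumed.

```python
import csv
import io
import ipaddress

# Assumed segmentation (constructed): a Purdue-style split.
SEGMENTS = {
    "corp_it": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "ot_supervisory": ipaddress.ip_network("192.168.10.0/24"),
    "ot_control": ipaddress.ip_network("192.168.20.0/24"),
}

# Allowed cross-segment conversations as (src_segment, dst_segment, dst_port, proto).
# Anything crossing a segment boundary and not listed here is a finding.
ALLOW_RULES = {
    ("corp_it", "dmz", 443, "tcp"),
    ("dmz", "ot_supervisory", 443, "tcp"),
    ("ot_supervisory", "ot_control", 502, "tcp"),  # Modbus/TCP from the supervisory level to controllers
}

# Constructed flow records in a NetFlow-like CSV layout.
SAMPLE_FLOWS = """\
ts,src,dst,proto,dst_port,bytes
2024-05-01T08:00:01,10.10.4.25,10.20.0.10,tcp,443,12000
2024-05-01T08:00:05,10.20.0.10,192.168.10.5,tcp,443,8800
2024-05-01T08:01:10,192.168.10.5,192.168.20.7,tcp,502,320
2024-05-01T08:02:00,10.10.4.25,192.168.20.7,tcp,502,640
2024-05-01T08:02:30,10.10.7.9,192.168.10.5,tcp,3389,51000
2024-05-01T08:03:00,192.168.20.7,192.168.20.8,udp,2222,120
2024-05-01T08:03:30,172.16.0.4,192.168.20.7,tcp,502,200
"""


def segment_of(ip_str):
    """Name of the segment containing the address, or 'unknown' if none matches."""
    ip = ipaddress.ip_address(ip_str)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "unknown"


def parse_flows(text):
    """Parse CSV flow records into dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def evaluate_flow(flow):
    """Return a finding dict for a flow that crosses segments without an allow
    rule, or None. Traffic inside one known segment is out of scope here;
    traffic from or to an address in no known segment is always reported."""
    src_seg = segment_of(flow["src"])
    dst_seg = segment_of(flow["dst"])
    if src_seg == dst_seg and src_seg != "unknown":
        return None
    key = (src_seg, dst_seg, int(flow["dst_port"]), flow["proto"].lower())
    if key in ALLOW_RULES:
        return None
    return {
        "ts": flow["ts"],
        "src": flow["src"], "src_segment": src_seg,
        "dst": flow["dst"], "dst_segment": dst_seg,
        "proto": flow["proto"].lower(), "dst_port": int(flow["dst_port"]),
        "bytes": int(flow["bytes"]),
    }


def find_violations(text):
    """All segmentation findings in a block of flow records, in log order."""
    return [v for v in (evaluate_flow(f) for f in parse_flows(text)) if v]


if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print(f'{v["ts"]} {v["src_segment"]}:{v["src"]} -> '
              f'{v["dst_segment"]}:{v["dst"]} {v["proto"]}/{v["dst_port"]} ({v["bytes"]} B)')
```

Against the sample, the three flows reported are corporate IT talking Modbus/TCP straight to a controller, corporate IT opening RDP to the supervisory level, and an address outside every known segment reaching a controller. The first two are exactly the paths a segmentation design is meant to cut; the third is either an inventory gap (an unknown device that should be in the asset inventory safeguard's records) or an intruder, and is worth alerting on either way. The same allow-rule table can double as the specification for the firewall policy between segments, so the detection and the filtering are checked against one source of truth.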