CIS 18 IG1: Control 1

I've decided to start a new series on how to apply the Center for Internet Security (CIS) 18 to get to IG1 (Implementation Group 1, or in other words, Cyber Hygiene) for smaller organizations. As we all know, small businesses don't have large budgets to put towards cybersecurity, and very rarely have any kind of dedicated IT personnel for these kinds of tasks. As such, I'm going to try to be in depth on how to configure and maintain tools when I recommend them.

Without further ado, let's kick it off!

1.1: Establish and Maintain Detailed Enterprise Asset Inventory

The first subcontrol of IG1 is to establish and maintain a detailed enterprise asset inventory. Keeping in mind that we are only looking at IG1, we don't need an automated method to do so. That will come in IG2 (which I'll start a series on after I complete discussing IG1).

So what's the best way to do this? Honestly? Excel. Or if your business doesn't have access to Excel, we can use one of the free options out there. LibreOffice is a good option. If you're looking at using cloud-based options, I'd recommend being a little more careful, just because most cloud office systems, like Google Sheets, are not encrypted. We're looking at a complete listing of your hardware that is available in the clear.

That's not to say that using Google is insecure, as they have very good security controls in place. However, I would highly recommend enabling Multi-factor Authentication (which we will discuss in Control 6) for your account if you are doing this, and not enabling sharing with just the link.

I have developed a template that you can use for tracking your hardware list that is compliant with CISv8.

Hardware Asset List

One last thing before we move on to the next subcontrol. This enterprise asset list must be updated at least annually, but I'd recommend biannually at the most. If you can, I'd recommend verifying the list quarterly.

1.2: Address Unauthorized Assets

This is going to be a mixture of a technical and an administrative control. Administratively, we are going to want a policy and a procedure that details how we will deal with unauthorized assets. Unauthorized assets might be something installed by an attacker, or perhaps by an employee trying to make their job easier. Either way, no asset should be connected to your network without being tracked and approved. One of the most common unauthorized assets is a rogue wireless access point.

Our policy should detail, in short, that unauthorized assets are not allowed to be connected to the network. This can be in the form of an Acceptable Use Policy (AUP) that your employees must sign. Our procedure should discuss how we will discover unauthorized assets and how we will react to them.

In the early stages of your implementation of CIS (in other words, during IG1), we will likely discover them using weekly audits. At least each week (or as often as you would like otherwise!), you should look at all network access ports within your location to see if any unauthorized devices are there. How do we know if a device is unauthorized? Well, your Hardware Asset list from subcontrol 1.1, silly!
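One way to do that weekly comparison against the Hardware Asset List, as an added example that is not part of the original post or its template. It assumes the inventory is exported as CSV with the hypothetical columns `asset_name`, `owner`, `mac_address` and `approved`, and that the observed MAC addresses were copied from your router's or switch's connected-devices list; all sample data is constructed.

```python
import csv
import io
import re

# Constructed sample: the inventory spreadsheet exported as CSV.
# Column names are assumptions, not the template's actual headers.
INVENTORY_CSV = """asset_name,owner,mac_address,approved
FrontDesk-PC,J. Smith,00-1A-2B-3C-4D-5E,yes
Office-Printer,Office,00:1a:2b:3c:4d:5f,yes
Old-Laptop,Unassigned,001a.2b3c.4d60,no
"""

# Constructed sample: MAC addresses noted during the weekly audit
# (for example from the router's connected-devices page).
OBSERVED = ["00:1A:2B:3C:4D:5E", "00:1A:2B:3C:4D:60", "de:ad:be:ef:00:01", "not-a-mac"]

def normalize_mac(raw):
    """Return the MAC as 12 lowercase hex digits, or None if malformed."""
    digits = re.sub(r"[-:.\s]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def load_inventory(csv_text):
    """Map normalized MAC -> inventory row, skipping rows without a valid MAC."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {normalize_mac(r["mac_address"]): r for r in rows if normalize_mac(r["mac_address"])}

def audit(csv_text, observed):
    """Compare observed devices with the inventory and group the findings."""
    inventory = load_inventory(csv_text)
    report = {"unauthorized": [], "unapproved": [], "unreadable": [], "not_seen": []}
    seen = set()
    for raw in observed:
        mac = normalize_mac(raw)
        if mac is None:
            report["unreadable"].append(raw)      # re-check the value you wrote down
        elif mac not in inventory:
            report["unauthorized"].append(mac)    # on the network, not in the list
        else:
            seen.add(mac)
            if inventory[mac]["approved"].strip().lower() != "yes":
                report["unapproved"].append(inventory[mac]["asset_name"])
    report["not_seen"] = sorted(r["asset_name"] for m, r in inventory.items() if m not in seen)
    return report

if __name__ == "__main__":
    for finding, items in audit(INVENTORY_CSV, OBSERVED).items():
        print(f"{finding}: {items}")
```

The `not_seen` group is a prompt to check whether an inventory entry is stale, which feeds back into keeping the 1.1 list current.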

When you react to an unauthorized asset, the most common method is to disconnect it from your network. This is also going to be the easiest method. Simply disconnect and confiscate the asset. If any employee asks where it is, you will know who your culprit is and you should deal with the incident according to your policy. This could be a writeup, or whatever you determine is acceptable.

Another option is to deny access to the network remotely. This could be done by turning off a port on a switch, or updating an allow/deny list in your router. Lastly, you could quarantine the asset, which is most commonly done with additional cybersecurity tools you likely don't have at this point. We will discuss those in more detail as we progress through our IG1/IG2 series.

I hope you enjoyed this post, and I plan to write a new part of this series each week. Each week will cover a new control. After we work our way through all 18 IG1 controls, we'll start looking at IG2. Once we complete all IG2 controls, we'll work our way through IG3.

If you have any questions, don't hesitate to reach out through one of the methods in my Contact Me page.

Cody Dostal