I am working on a series of posts related to the Center for Internet Security (CIS) Critical Security Controls (CSCs). See the full listing here.
The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.
This control includes nine (9) sub-controls. For those of you reviewing the CIS Controls with the Implementation Groups in mind, there are three (3) IG1 controls and five (5) IG2 controls. This means that, at a minimum, we want to:
- Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization’s technology systems, including those located on-site or at a remote service provider.
- Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
- Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
You don’t have to worry about a data breach if you’re not storing the data – if you don’t absolutely need it, don’t keep it! Once you have determined what data is required for business operations, you’ll need to document that inventory. This should include a description of the data types (e.g. NPPI, ePHI, PCI, etc.), the locations (both physical and logical – onsite and with third parties), the owner of the data (internal department responsible for receipt, processing, and storage), and retention schedules.
The second sub-control is meant to reduce the likelihood of compromise for those rarely used, but often very sensitive, systems. This could be an accounting system that is only used for report generation a few times a year, or something along those lines. This data is critical and is needed for business operations, but it is not needed 24/7. By removing this system from the network, you reduce the attack surface to in-person attacks, which should be significantly lower risk. I have seen this implemented as a kiosk-style workstation and as a virtual machine that IT powers on for the few instances where it is needed. This concept can also be useful when looking at systems that may be used more frequently, but by very few people – virtualizing the system and implementing network ACLs to reduce exposure is always a great thing to do.
Using “approved cryptographic mechanisms” is a fancy way of saying use strong encryption.
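As an added example (not part of the original post, and not one of the tools it lists), here is a small Python checker that works through the inventory described above together with the mobile-device encryption requirement: it flags inventory entries that are missing required fields, entries that have sat unused past their retention period (candidates for removal, since data you no longer keep cannot be breached), and entries held on mobile devices without encryption at rest. The field names, the `mobile:` location prefix, the `encrypted_at_rest` flag and the sample records are all assumptions constructed for this example.

```python
"""Toy sensitive-data inventory checker (added example, not from the post)."""
from datetime import date, timedelta

# Fields the post says an inventory should capture (types, locations, owner,
# retention), plus two this example assumes for its checks: retention as a
# day count and an encryption-at-rest flag.
REQUIRED_FIELDS = ("name", "data_types", "locations", "owner",
                   "retention_days", "last_accessed", "encrypted_at_rest")

# Constructed sample inventory; names, owners and dates are made up.
SAMPLE_INVENTORY = [
    {"name": "payroll-db", "data_types": ["NPPI"], "locations": ["onsite:db01"],
     "owner": "Finance", "retention_days": 2555,
     "last_accessed": date(2019, 6, 1), "encrypted_at_rest": True},
    {"name": "patient-exports", "data_types": ["ePHI"],
     "locations": ["mobile:laptop-fleet"], "owner": "Clinical",
     "retention_days": 90, "last_accessed": date(2019, 5, 20),
     "encrypted_at_rest": False},
    {"name": "old-card-batch", "data_types": ["PCI"],
     "locations": ["third-party:archive-vendor"], "owner": "Billing",
     "retention_days": 365, "last_accessed": date(2017, 1, 10),
     "encrypted_at_rest": True},
    {"name": "marketing-list", "data_types": ["NPPI"], "locations": [],
     "owner": "", "retention_days": 180, "last_accessed": date(2019, 6, 1),
     "encrypted_at_rest": True},
]

# Fixed review date so the sample output is reproducible (assumed value).
AS_OF = date(2019, 7, 1)


def missing_fields(raw):
    """Return the required fields an entry lacks or leaves empty."""
    return [f for f in REQUIRED_FIELDS
            if f not in raw or raw[f] in (None, "", [], ())]


def past_retention(raw, today):
    """True when the entry has sat unused longer than its retention period."""
    return today - raw["last_accessed"] > timedelta(days=raw["retention_days"])


def on_unencrypted_mobile(raw):
    """True when data sits on a mobile location without encryption at rest."""
    return (any(loc.startswith("mobile:") for loc in raw["locations"])
            and not raw["encrypted_at_rest"])


def review_inventory(entries, today):
    """Sort entries into the follow-up actions the control asks for."""
    findings = {"incomplete": [], "delete_candidates": [], "encrypt": []}
    for raw in entries:
        missing = missing_fields(raw)
        if missing:
            # An entry with gaps cannot be judged; fix the inventory first.
            findings["incomplete"].append((raw.get("name", "?"), missing))
            continue
        if past_retention(raw, today):
            findings["delete_candidates"].append(raw["name"])
        if on_unencrypted_mobile(raw):
            findings["encrypt"].append(raw["name"])
    return findings


def review_sample():
    """Run the checker over the constructed inventory as of AS_OF."""
    return review_inventory(SAMPLE_INVENTORY, AS_OF)


if __name__ == "__main__":
    for action, names in review_sample().items():
        print(f"{action}: {names}")
```

The "incomplete" bucket is deliberately checked first: an entry with no owner or location is a gap in the inventory itself, and the retention and encryption questions cannot be answered until someone fills it in. A real inventory would live in a spreadsheet or GRC tool rather than a Python list, but the three checks are the ones worth automating on whatever export that tool produces.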
Minimizing the data stored will not only help implement CIS CSC 13, but will reduce headaches across most controls.
Relevant News Stories
Relevant Tools
| Commercial | Open-Source & “Freemium” |
| --- | --- |
| Titus DLP | OpenDLP |
| Symantec DLP | Ngrep |
| McAfee DLP | Wireshark |
| Digital Guardian DLP | Tshark/TCPDump |
| Fortinet FortiGate DLP | Nemesis/Hping3 |
| Varonis Data Classification Engine | Scapy |
The CIS Controls are in version 7.1 at the time of this writing. For more information on this control check out the CIS Control #13 page here.