ETSI TR 103 305-1-2016 CYBER Critical Security Controls for Effective Cyber Defence Part 1 The Critical Security Controls (V2 1 1).pdf

1、 ETSI TR 103 305-1 V2.1.1 (2016-08) CYBER; Critical Security Controls for Effective Cyber Defence; Part 1: The Critical Security Controls TECHNICAL REPORT ETSI ETSI TR 103 305-1 V2.1.1 (2016-08)2 Reference RTR/CYBER-0012-1 Keywords Cyber Security, Cyber-defence, information assurance ETSI 650 Route

2、des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.or

3、g/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in

4、contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of st

5、atus. Information on the current status of this and other ETSI documents is available at https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx

6、 Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI

7、. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2016. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Marks

8、 of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI TR 103 305-1 V2.1.1 (2016-08)3 Contents Intellectual Property Rights 4g3Foreword . 4g3Modal verbs terminology 4g3Exe

9、cutive summary 4g3Introduction 5g31 Scope 6g32 References 6g32.1 Normative references . 6g32.2 Informative references 6g33 Definitions and abbreviations . 6g33.1 Definitions 6g33.2 Abbreviations . 7g34 Critical Security Controls . 8g34.0 Structure of the Critical Security Controls Document 8g34.1 CS

10、C 1: Inventory of Authorized and Unauthorized Devices 8g34.2 CSC 2: Inventory of Authorized and Unauthorized Software 10g34.3 CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers . 12g34.4 CSC 4: Continuous Vulnerability Assessment and Remediat

11、ion . 14g34.5 CSC 5: Controlled Use of Administrative Privileges . 16g34.6 CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs . 18g34.7 CSC 7: Email and Web Browser Protections . 20g34.8 CSC 8: Malware Defenses 22g34.9 CSC 9: Limitation and Control of Network Ports, Protocols, and Services .

12、 24g34.10 CSC 10: Data Recovery Capability 25g34.11 CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches 26g34.12 CSC 12: Boundary Defense 28g34.13 CSC 13: Data Protection 31g34.14 CSC 14: Controlled Access Based on the Need to Know 33g34.15 CSC 15: Wireless Acc

13、ess Control 35g34.16 CSC 16: Account Monitoring and Control . 36g34.17 CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps . 38g34.18 CSC 18: Application Software Security . 41g34.19 CSC 19: Incident Response and Management . 42g34.20 CSC 20: Penetration Tests and Red Team Exerc

14、ises . 44g3Annex A: Evolving An Attack Model for the Critical Security Controls . 47g3Annex B: Attack Types 49g3History 50g3ETSI ETSI TR 103 305-1 V2.1.1 (2016-08)4 Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The inform

15、ation pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the E

16、TSI Secretariat. Latest updates are available on the ETSI Web server (https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the

17、updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Technical Report (TR) has been produced by ETSI Technical Committee Cyber Security (CYBER). The present document is part 1 of a multi-part deliverable covering the Critical Security

18、Controls for Effective Cyber Defence, as identified below: Part 1: “The Critical Security Controls“; Part 2: “Measurement and auditing“; Part 3: “Service Sector Implementations“; Part 4: “Facilitation Mechanisms“. Modal verbs terminology In the present document “should“, “should not“, “may“, “need n

19、ot“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. Executive summary The present docum

20、ent captures and describes the top twenty Enterprise industry level cybersecurity best practices that provide enhanced cyber security, developed and maintained by the Center for Internet Security (CIS) (formerly the Council on CyberSecurity) as an independent, expert, global non-profit organization.

21、 The CIS provides ongoing development, support, adoption, and use of the Critical Security Controls i.1. The Controls reflect the combined knowledge of actual attacks and effective defences of experts from every part of the cyber security ecosystem. This ensures that the Controls are an effective an

22、d specific set of technical measures available to detect, prevent, respond, and mitigate damage from the most common to the most advanced of those attacks. The Controls are not limited to blocking the initial compromise of systems, but also address detecting already-compromised machines and preventi

23、ng or disrupting attackers follow-on actions. The defences identified through these Controls deal with reducing the initial attack surface by hardening device configurations, identifying compromised machines to address long-term threats inside an organizations network, disrupting attackers command-a

24、nd-control of implanted malicious code, and establishing an adaptive, continuous defence and response capability that can be maintained and improved. The five critical tenets of an effective cyber defence system as reflected in the Critical Security Controls are: Offense informs defence: Use knowled

25、ge of actual attacks that have compromised systems to provide the foundation to continually learn from these events to build effective, practical defences. Include only those controls that can be shown to stop known real-world attacks. ETSI ETSI TR 103 305-1 V2.1.1 (2016-08)5 Prioritization: Invest

26、first in Controls that will provide the greatest risk reduction and protection against the most dangerous threat actors, and that can be feasibly implemented in a computing environment. Metrics: Establish common metrics to provide a shared language for executives, IT specialists, auditors, and secur

27、ity officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quickly. Continuous diagnostics and mitigation: Carry out continuous measurement to test and validate the effectiveness of current security measures,

28、and to help drive the priority of next steps. Automation: Automate defences so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to the Controls and related metrics. Introduction The evolution of cyber defence is increasingly challenging. Massive data

29、losses, theft of intellectual property, credit card breaches, identity theft, threats to privacy, denial of service - these have become endemic. Access exists to an extraordinary array of security tools and technology, security standards, training and classes, certifications, vulnerability databases

30、, guidance, best practices, catalogues of security controls, and countless security checklists, benchmarks, and recommendations. But all of this technology, information, and oversight has become a veritable “Fog of More:“ competing options, priorities, opinions, and claims that can paralyze or distr

31、act an enterprise from vital action. Business complexity is growing, dependencies are expanding, users are becoming more mobile, and the threats are evolving. New technology brings great benefits, but it also means that data and applications are now distributed across multiple locations, many of whi

32、ch are not within the organizations infrastructure. In this complex, interconnected world, no enterprise can think of its security as a standalone problem. Focus is needed to establish priority of action, collective support, and keeping knowledge and technology current in the face of rapidly evolvin

33、g problems and an apparently infinite number of possible solutions. The most critical areas need to be addressed and the first steps taken toward maturing risk management programs. This includes a roadmap of fundamentals, and guidance to measure and improve the implementation defensive steps that ha

34、ve the greatest value. These issues led to, and drive, the Critical Security Controls. The value is determined by knowledge and data - the ability to prevent, alert, and respond to the attacks that are plaguing enterprises today. Initiating Implementation Some of the Critical Security Controls, in p

35、articular CSC 1 through CSC 5, are foundational, and are the primary recommended actions to be taken. This is the approach taken by, for example, the DHS Continuous Diagnostic and Mitigation (CDM) Program. A similar approach is recommended by the Australian Signals Directorate (ASD) with their “Top

36、Four Strategies to Mitigate Targeted Intrusions“ - a well-regarded and demonstrably effective set of cyber-defense actions that map very closely into the CIS Critical Security Controls. ETSI ETSI TR 103 305-1 V2.1.1 (2016-08)6 1 Scope The present document describes a specific set of technical measur

37、es available to detect, prevent, respond, and mitigate damage from the most common to the most advanced of cyber attacks. The measures reflect the combined knowledge of actual attacks and effective defences. The present document is technically equivalent and compatible with The Center for Internet C

38、ybersecurity i.1. 2 References 2.1 Normative references Normative references are not applicable in the present document. 2.2 Informative references References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, onl

39、y the cited version applies. For non-specific references, the latest version of the reference document (including any amendments) applies. NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity. The following reference

40、d documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area. i.1 The Center for Internet Cybersecurity: “Critical Security Controls for Effective Cyber Defense Version 6.0,“ October 15, 2015. NOTE: Available at https:/ww

41、w.cisecurity.org/critical-controls.cfm. i.2 NIST SP 800-57 Part 1-Rev. 4: “Recommendation for Key Management“. i.3 IEEE 802.1X-2010: “Port Based Network Access Control“. i.4 ETSI TR 103 305-2: “CYBER; Critical Security Controls for Effective Cyber Defence; Part 2: Measurement and auditing“. 3 Defini

42、tions and abbreviations 3.1 Definitions For the purposes of the present document, the following terms and definitions apply: Critical Security Control (CSC): specified capabilities that reflect the combined knowledge of actual attacks and effective defences of experts that are maintained by the Cent

43、er for Internet Security NOTE: Found at the website https:/www.cisecurity.org/critical-controls.cfm. quick win: actions that can be relatively easily taken with minimal resources that have a significant cyber security benefit ETSI ETSI TR 103 305-1 V2.1.1 (2016-08)7 3.2 Abbreviations For the purpose

44、s of the present document, the following abbreviations apply: 802.1x Institute of Electrical and Electronic Engineers Standard for Port-based Network Access Control i.3 ACK ACKnowledge ACL Access Controls List AES Advanced Encryption Standard APT Advanced Persistent Threat ASD Australian Signals Dir

45、ectorate ASLR Address Space Layout Randomization BYOD Bring Your Own Device C2 Command and Control CCETMCommon Configuration Enumeration CD Compact Disc CDM Continuous Diagnostic and Mitigation CERT Computer Emergency Response Team CIS Center for Internet Security CPETMCommon Platform Enumeration CS

46、C Critical Security Control or Capability CVECommon Vulnerability Enumeration CVSS Common Vulnerability Scoring System DBIR Data Breach Investigations Report DEP Data Execution Prevention DHCP Dynamic Host Configuration Protocol DHS Department of Homeland Security DLP Data Loss Prevention DMZ DeMili

47、tarized ZoneDNS Domain Name System DVD Digital Versatile Disc or Digital Video Disc EAP Extensible Authentication Protocol EMET Enhanced Mitigation Experience Toolkit HSM Hardware Security Modules HTTP Hypertext Transfer Protocol ICMP Internet Control Message Protocol ID IDentifier IDS Intrusion Det

48、ection System IP Internet Protocol IPS Intrusion Prevention System IPSEC Internet Protocol Security IPv6 Internet Protocol version 6 ISO International Organization for Standardization IT Information Technology LAN Local Area Network LDAP Lightweight Directory Access Protocol MAC Media Access Control

49、 NAC Network Access Control NIST National Institute of Standards and Technology OTP One Time Password OVALOpen Vulnerability and Assessment Language OWASP Open Web Application Security Project RDP Remote Desktop Protocol SCADA Supervisory Control and Data Acquisition SCAP Security Content Automation Program SEM Security Event Manager SIEM Security Information Event Management or Security Incident Event Management SIM Subscriber Information Module SP Special Publication SPF Sender Policy Framework SQL Structured Query LanguageSSL Secure Sockets L