ID #,Control,CIS Safeguards Reference,Implementation Group,Requirement,Vendor Question,Tips & Examples,MITRE ATT&CK [reference],Impacted MITRE ATT&CK Techniques (See CIS Community Defense Model v2.0 for additional information),ISO/IEC 27002,ISA/IEC 62443,Threat Actor Examples [reference]
001,Inventory,1.1,1,Have an inventory that details network and computer hardware.,Does the product include a hardware manifest which details all computer and network hardware included?,"An inventory should include physical computing assets which are components of the delivered system, such as network switches, computers, or firewalls.","DS0039 [1] T0838 [2] T0836 [3] T0843 [4] T0848 [5]","Modify Alarm Settings, Modify Parameter, Program Download, Rogue Master",5.9,CR 7.8 Control system component inventory,"A physical inventory is the first step to understanding what devices exist that need to be secured, which can then lead to a prioritization of security and an assessment of how to secure devices at risk. A lack of such an inventory means that systems may be left unsecured or unpatched. An incomplete physical inventory can also lead to malicious, rogue devices [6] or a lack of understanding of interdependencies. For example, in the Target data breach [7], attackers entered through network access granted to an HVAC vendor and leveraged the connectivity between that access and the broader network to compromise point-of-sale terminals."
002,Inventory,2.1,1,Provide a software bill of materials (SBOM) for the product.,Does the vendor provide a software bill of materials (SBOM) for the product?,"Ensure that no unauthorized software is used or enabled. Specifically identify and document software which accepts network connections.","M0817 [8] DS0039 [9] T0862 [10]","I/O Image, Manipulate I/O Image, Modify Controller Tasking, Modify Program, Supply Chain Compromise",5.9,N/A,"""The 2022 annual report from Sonatype shows an average 742% annual increase in software supply chain attacks over the past three years. The impact of these attacks has been widespread, as shown by the Solarwinds, Codecov, and the log4j attacks."" [11] Additional details are in the 12 May 2021 U.S. Executive Order 14028 [12] and from CISA [13]."
003,Inventory,2.2,1,Security vulnerabilities in vendor-provided software must be patched.,Will the product receive software security patches throughout the product's intended lifecycle?,"Describe the expected patching cycle for security vulnerabilities discovered in the product, the recommended patching timetable, and the patching method used.",M1051 [14],"Abuse Elevation Control Mechanism, Malicious Browser Extensions, Bypass User Account Control, TCC Manipulation, Brute Force: Password Guessing, Credentials from Password Stores, Password Managers, Data from Configuration Repository, Drive-by Compromise, Event Triggered Execution, Exploit Public-Facing Application, Exploitation for Credential Access, Exploitation for Privilege Escalation, Exploitation of Remote Services, Firmware Corruption, Hijack Execution Flow, Office Application Startup, Pre-OS Boot, Software Development Tools, Supply Chain Compromise, Unsecured Credentials",5.9,NDR 3.10 – Support for updates,"WannaCry (one of the most well-known strains of ransomware) spread using the Windows vulnerability referred to as MS17-010, which hackers were able to take advantage of using the exploit EternalBlue… Microsoft actually became aware of EternalBlue and released a patch (a software update to fix the vulnerability). However, those who didn't apply the patch (which was most people) were still vulnerable to EternalBlue. Link [15]."
004,Inventory,2.2,1,Software must run on supported versions of operating systems throughout the intended product lifecycle.,Will software components of the product be supported on operating systems supported by the operating system vendor throughout the product's intended lifecycle?,"Do not use end-of-life operating systems such as Windows XP, Server 2003 or Vista. They no longer receive security patches and are vulnerable to compromise. Have a plan to migrate to a new OS version if the OS vendor will not support the deployed version throughout the intended operational life cycle of the product.","M0928 [16] M0954 [17]","Autorun Image, Replication Through Removable Media",5.9,N/A,See 003 - use of end-of-life software leaves one vulnerable to attacks which are not easily patched.
005,Data Protection,3.3,1,The product must provide a mechanism to prevent unauthorized access to data.,Can access to data be restricted to prevent unauthorized access?,File system permissions are a simple and widely supported mechanism for accomplishing this.,"M0801 [18] M0927 [19] M0922 [20]","Activate Firmware Update Mode, Change Operating Mode, Default Credentials, Detect Operating Mode, Device Restart/Shutdown, Execution through API, Hardcoded Credentials, Modify Alarm Settings, Module Firmware, Point & Tag Identification, Program Download, Program Upload, Remote Services, System Firmware, Valid Accounts, Change Credential, External Remote Services, Data Destruction, Data from Information Repositories, Data from Local System, Indicator Removal on Host, Masquerading, Project File Infection, Service Stop, Theft of Operational Information","5.10, 5.15, 8.3","FR1 - Identification and authentication control CR 1.1 - Human user identification and authentication FR2 - Use Control","Chinese e-commerce giant Alibaba suffered a major data breach when it failed to apply sufficient data protections, which allowed a non-malicious web crawler to scrape sensitive information from the service. Link [21]."
006,Secure Configuration,4.6,1,Remote maintenance must use secure communication channels.,Are all communication methods used for remote maintenance encrypted?,"Use secure communications methods such as SSH or HTTPS for remote maintenance activities, rather than cleartext protocols such as Telnet, FTP or unencrypted VNC.",T0822 [22],External Remote Services,,CR 3.1 – Communication Integrity,"The OT systems of Maroochy Water Services, Australia, were compromised via their radio communication link and maliciously commanded to create overflows of sewage waste. Link [23]."
007,Secure Configuration,4.7,1,"It must be possible to change the credentials of, or disable, any default accounts.","Can default accounts be disabled or their credentials changed, including encryption keys?","For operating system accounts such as Windows accounts, the built-in password change mechanisms are sufficient to qualify. It should also be possible to change other accounts, such as web application accounts.",T1078.001 [24],"Account Manipulation, Create Account, OS Credential Dumping, Remote Desktop Protocol, Domain Accounts, Command and Scripting Interpreter, Brute Force, Valid Accounts, Windows Service, Default Accounts","8.2, 8.9","NOTE: There is some talk of ""least functionality"" in CR 7.7, but in this context ""Components shall provide the capability to specifically restrict the use of unnecessary functions, ports, protocols and/or services."" refers to functions, not accounts.",Stuxnet infected WinCC machines via a hardcoded database server password. Link [25].
008,Secure Configuration,4.8,2,It must be possible to disable services or functionality which is not necessary for the proper functionality of the product in its installed application.,Can unused functionality be disabled such that it is unavailable?,"This can be achieved by a variety of means, including disabling services, uninstalling software, disabling software which listens on network ports, or explicitly blocking port numbers using host firewall rules.",T1210 [26],Exploitation of Remote Services,8.9,N/A,"Stuxnet, malware specifically created to damage OT, propagated using the MS10-061 Print Spooler and MS08-067 Windows Server Service (SMB) vulnerabilities, neither of which is necessary on all machines. Link [27], Link [28]."
009,Account Management,5.2,1,Accounts must use unique credentials or it must be possible to configure them to use unique credentials.,Can all accounts be configured to use different credentials?,Use unique passphrases or keys for each account.,T1110.004 [29],"OS Credential Dumping, Valid Accounts, Domain Accounts, Brute Force",5.17,CR 1.1 – Human user identification and authentication CR 1.3 – Account Management CR 1.5 - Authenticator management,Threat group Chimera uses passwords obtained from previous breaches to compromise new victims. Link [30].
010,Account Management,5.3,1,Disable unused accounts.,"Can accounts be disabled, including unused default accounts?","This should apply to operating system accounts as well as other accounts on the system. Built-in mechanisms for disabling Windows or Linux accounts can be used to meet this requirement. For example: Windows command prompt: net user <username> /active:no; Red Hat Enterprise Linux with Identity Management (FreeIPA): ipa user-disable <username>; generic Linux environments: usermod --lock --expiredate 1970-01-02 <username>",M0936 [31],"Account Manipulation, Create Account, OS Credential Dumping, Remote Desktop Protocol, Domain Accounts, Command and Scripting Interpreter, Brute Force, Valid Accounts, Windows Service",,CR 1.3 – Account Management NOTE: This does not specifically mention disabling unused accounts,"One of the oldest exploited issues. At LBNL in 1987, Markus Hess used the unused account of Colonel Abrens to evade detection by system administrators. This is documented in The Cuckoo's Egg, page 152."
011,Account Management,5.4,1,Users of the system must use accounts with limited privileges when logging in.,Can user accounts have their privileges restricted?,"""Administrator"" or ""root"" accounts should not be used as day-to-day user accounts on computer systems. Windows and Linux systems provide the ability to operate with reduced privileges via the UAC and sudo mechanisms respectively. These mechanisms limit privileges during normal use, but escalate privileges via an authentication prompt when required.",M0926 [32],"Account Manipulation, Create Account, OS Credential Dumping, Domain Accounts, Command and Scripting Interpreter, Valid Accounts, Windows Service","5.15, 8.2",CCSC 3: Least privilege FR 2: Use Control CR 2.1 – Authorization enforcement,"Many examples exist, but a notable one is the Sony Pictures breach of 2014, where the attackers' data-wiping tool would overwrite the host's MBR if the tool had administrative rights. Link [33]"
012,Access Control Management,6.4,1,Remote network access requires multifactor authentication.,Does the product support multifactor authentication for remote access?,"Institutional policy and procedures may define specific allowed or required multifactor authentication mechanisms. Some common ones include push-based services such as Duo, Time-based One-Time Passwords (TOTP), or hardware U2F tokens.","T1110 [34] M1032 [35]","Account Manipulation, Create Account, Remote Desktop Protocol, Domain Accounts, Brute Force",6.7,CR 1.5 – Authenticator management,"Ukraine's power grid OT was affected by a malicious actor (Sandworm) through their ability to brute force the utility's exposed RPC service. Link [36], Link [37]."
013,Access Control Management,6.5,1,Administrative access must use multifactor authentication.,Does the product require multifactor authentication for administrative access or can it be configured to require it?,,"M0926 [38] M1032 [39]",,8.2,CR 1.5 – Authenticator management,See 012 - this is an additional layer of security that can prevent improper access.
014,Patching,7.3,1,"For systems connected to the internet, operating systems must be capable of being configured to automatically apply updates.","When connected to the internet, can the product software be configured to automatically apply security updates?","For operational systems, it may be undesirable to accept the risk of applying updates automatically; however, the capability should exist and vendor requirements should not prevent this.",T1021 [40],Remote Services,8.8,N/A,See 003 - systems that had not applied the MS17-010 patch remained vulnerable to EternalBlue and WannaCry long after the fix was released.
015,Patching,7.7,2,Security patches for vendor software must be available promptly upon discovery of a vulnerability.,Does the vendor have a vulnerability management and disclosure process which details patch release timelines?,A common practice is to have a vulnerability disclosure statement which provides these details. Vendors may simply provide a reference to this document.,"T1021 [42] T1021.001 [43]","Remote Services, for example Remote Desktop Protocol",8.8,EDR 3.10 – Support for updates HDR 3.10 – Support for updates,See 014 - disclosure of vulnerabilities and a patch release timeline is critical for ensuring relevant software is kept up to date.
016,Audit Log Management,8.2,1,"The product must produce logs which provide necessary information for event analysis and incident investigations. At minimum, these must include system logins and usage of elevated privileges.","Does the product keep a record of important events, particularly login activity and usage of elevated privileges?","Minimally, events indicating successful/failed authentication attempts and usage of elevated privileges must be collected. It may also be important to collect additional items such as DNS lookups, command line execution logs, URL request logs, TLS certificate details, or API request details.","T1027.005 [44] T1562.002 [45] T1562.003 [46] T1654 [47]","Indicator Removal on Host, Disable Windows Event Logging, Impair Command History Logging, Log Enumeration",8.15,CR 2.8 - Auditable events CR 2.9 - Audit storage capacity CR 2.10 - Response to audit processing failures CR 2.11 - Timestamps CR 2.12 - Non-Repudiation,The UK's National Cyber Security Centre has stated that many investigations have been hindered due to a lack of sufficient logging. Link [48].
017,Audit Log Management,8.9,2,It must be possible to forward logs from the system to a central logging system.,Does the product store logs in a way that allows them to be forwarded to log aggregation systems?,"Sending logs and alerts to a central repository enables faster detection of issues and ensures records are available after an incident has occurred, even if the source host is compromised or destroyed. Common logging formats such as syslog provide a standardized way to consume, manage, send, and retain logs programmatically both on and off the source hosts. Non-standard or application-specific logging formats can still provide this, but they will often require additional processing.","T1027.005 [49] T1562.002 [50] T1562.003 [51] T1654 [52]","Indicator Removal on Host, Disable Windows Event Logging, Impair Command History Logging, Log Enumeration",,N/A,"Sophos: ""Cybercriminals Disabled or Wiped Out Logs in 82% of Attacks with Missing Telemetry in Cases Analyzed for Sophos Active Adversary Report"" Link [53]."
018,Malware Defenses,10.1,1,Deploy anti-malware software and enable it.,Does the product allow for the installation of anti-malware software on common operating systems which are network connected?,Built-in offerings such as Windows Defender (Microsoft Defender Antivirus) qualify for this requirement.,"T1543 [54] T1059 [55] T1027 [56] T1014 [57]","Create or Modify System Process, Command and Scripting Interpreter, Obfuscated Files or Information, Rootkit",8.7,HDR 3.2 – Protection from malicious code NDR 3.2 – Protection from malicious code SAR 3.2 – Protection from malicious code,"Ransomware example: the city of Baltimore was hit by a type of ransomware named RobbinHood, which halted all city activities, including tax collection, property transfers, and government email for weeks. This attack has cost the city more than $18 million so far, and costs continue to accrue. The same type of malware was used against the city of Atlanta in 2018, resulting in costs of $17 million. Link [58]."
019,Malware Defenses,10.2,1,Configure automatic updates for anti-malware software.,Can malware definitions be updated automatically where applicable?,"As malware techniques change over time, anti-malware defenses must change as well. Definition updates must be enabled in order for the defenses to remain effective.","TA0003 [59] T1098 [60] T1059 [61] T1027 [62]","Account Manipulation, Command and Scripting Interpreter, Obfuscated Files or Information",8.7,N/A,See 018 - keep anti-malware up to date to maximize its effectiveness.
020,Malware Defenses,10.3,1,Disable autorun and autoplay for removable media.,Do any computer systems which are components of the product have autorun or autoplay enabled for removable media?,"There are multiple ""autorun"" and ""autoplay"" mechanisms in modern operating systems that are important to take into account. For example, Microsoft Sysinternals includes the ""Autoruns"" utility, which is a useful way to check auto-start entries on Windows systems: Link [20]. Note that Autoruns enumerates auto-start locations; the removable-media AutoRun/AutoPlay behaviour itself is controlled by the NoDriveTypeAutoRun policy value (0xFF disables it for all drive types).","T1119 [63] T1092 [64]","Automated Collection, Communication Through Removable Media",7.10,N/A,See 018 - disabling autorun prevents malware from being run automatically when media is connected. Link [65]
021,Data Recovery,11.2,1,There must be a mechanism available to automatically back up and restore data necessary for the product to function. This restoration mechanism should be available to the responsible staff without third-party intervention under degraded operating conditions.,"Are there backup mechanisms in place which can be used to automatically back up and restore data necessary for the product to function? Can this mechanism be used to restore functionality by authorized staff without outside intervention?","Software configuration files are a common example of data necessary for products to function. Standard backup and recovery mechanisms such as Windows Backup or rsync can often be configured to satisfy this requirement. Restores should be exercised periodically, not only after an incident.",TA0010 [66],Exfiltration,8.13,CR 7.3 – Control system backup CR 7.4 – Control system recovery and reconstitution,"1. The operators (Danger) of the servers for T-Mobile's Sidekick phone did not have a functioning backup/restore strategy, and the servers failed; customers lost all data if they turned their phones off or the battery ran out before the system was restored: Link [67]. 2. Even though Colonial Pipeline paid the ransom after their cyberattack, the decryptor key/app they received from the ransomware gang was performing too slowly to get operations back online, so they were forced to resort to restoring from their own backups: Link [68]."
022,Network Infrastructure Management,12.1,1,Network devices which are included as components of the product should be capable of being patched to fix security vulnerabilities.,Do all network devices included with the product provide a mechanism for patching security vulnerabilities?,"e.g., VPN, router, and/or switch firmware","TA0004 [69] T1190 [70] T1133 [71]","Privilege Escalation, Initial Access, Persistence",,NDR 3.10 – Support for updates,"Toyota Financial Services (TFS) was breached by the Medusa ransomware gang in November 2023; security analysts following the incident noted that the Citrix Gateway endpoint used by TFS's German office was public and had not been updated since August 2023, leaving it exploitable via the critical Citrix Bleed (CVE-2023-4966) vulnerability. Link [72]."
023,Network Infrastructure Management,12.4,2,Provide a network diagram describing the system components and their interaction mechanisms.,Does the product documentation include a network diagram describing key networked components and their interactions?,"Documentation is important to ensuring all aspects of the network are properly configured. This documentation would prove invaluable when upgrading or replacing components. Ideally it would reference the port numbers and protocols used for network communications.","T1590 [73] T1595 [74]","Active Scanning, Network Trust Dependencies",,N/A,"Improper setup of network infrastructure can lead to improper function of relevant cybersecurity controls, leading to increased cyber risk. See 022 and 021 for examples of the effects of ransomware attacks."
Version: 2024-09-23
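Added example for IDs 002, 008 and 023 (it is not part of the questionnaire or of any vendor's product): the script below parses the output of `ss -ltnp` on a Linux host, compares each listening socket against the port/process pairs documented in the product's network diagram, and reports anything undocumented together with a suggested remediation. The `ss` output, the allowlist, and the nftables table and chain names in the remediation string are all constructed assumptions.

```python
"""Audit listening network services against the documented allowlist.

Added example, not part of the CIS questionnaire. SAMPLE_SS_OUTPUT is
CONSTRUCTED `ss -ltnp` output, and DOCUMENTED_LISTENERS is an assumed
excerpt of a product's network diagram (port, owning process).
"""
import re

SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1203,fd=6))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=990,fd=7))
LISTEN  0       50      0.0.0.0:5900         0.0.0.0:*          users:(("x11vnc",pid=2311,fd=4))
LISTEN  0       128     [::]:23              [::]:*             users:(("telnetd",pid=2400,fd=3))
"""

# Assumed allowlist from the network diagram: (port, process name).
DOCUMENTED_LISTENERS = {
    (22, "sshd"),        # remote maintenance over SSH (ID 006)
    (443, "nginx"),      # HTTPS management interface
    (5432, "postgres"),  # database, loopback only
}

_LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def parse_listeners(ss_output):
    """Return one dict {addr, port, proc, pid} per LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        m = _LINE_RE.match(line)
        if m:
            listeners.append({"addr": m.group("addr"), "port": int(m.group("port")),
                              "proc": m.group("proc"), "pid": int(m.group("pid"))})
    return listeners


def audit_listeners(listeners, documented):
    """Split listeners into (documented, undocumented).

    Undocumented entries are the candidates for ID 008 (disable the service,
    uninstall it, or block the port with a host firewall rule); anything that
    must stay belongs in the diagram required by ID 023.
    """
    documented_hits, undocumented = [], []
    for item in listeners:
        target = documented_hits if (item["port"], item["proc"]) in documented else undocumented
        target.append(item)
    return documented_hits, undocumented


def exposure(listener):
    """Classify the bind address; loopback-only listeners are lower risk."""
    if listener["addr"] in ("127.0.0.1", "[::1]"):
        return "loopback"
    if listener["addr"] in ("0.0.0.0", "[::]", "*"):
        return "all-interfaces"
    return "specific"


def remediation(listener):
    """Host firewall rule in nftables syntax (table 'inet filter', chain 'input' are assumed)."""
    return (f"nft add rule inet filter input tcp dport {listener['port']} drop"
            f"  # or stop the unit that owns {listener['proc']} (pid {listener['pid']})")


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_SS_OUTPUT)
    _ok, bad = audit_listeners(found, DOCUMENTED_LISTENERS)
    for item in bad:
        print(f"UNDOCUMENTED {item['proc']} pid={item['pid']} port={item['port']} ({exposure(item)})")
        print("   ", remediation(item))
```

Run it against real output with `ss -ltnp | python3 audit.py` after changing the sample constant to read from standard input; the undocumented telnetd and VNC listeners in the sample are exactly the kind of cleartext or unnecessary services that IDs 006 and 008 ask the vendor to remove.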
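Added example for ID 005 (not part of the questionnaire): the file system permission check a reviewer would run on a product's credential-bearing configuration files. The configuration file, its contents and the 0600 policy are constructed assumptions; the file is created in a temporary directory so the check runs offline on a POSIX host.

```python
"""Audit and harden permissions on secret-bearing configuration files (ID 005).

Added example, not part of the questionnaire. The config file is CONSTRUCTED
in a temporary directory; the owner-only (0600) policy is an assumption.
"""
import os
import stat
import tempfile


def permission_findings(path, max_mode=0o600):
    """Return findings for permission bits set beyond `max_mode`.

    Group and world bits outside the policy are reported separately so the
    report says who can reach the file; setuid/setgid is always reported.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & stat.S_IRWXG & ~max_mode:
        findings.append("group can access (bits %o)" % (mode & stat.S_IRWXG))
    if mode & stat.S_IRWXO & ~max_mode:
        findings.append("world can access (bits %o)" % (mode & stat.S_IRWXO))
    if mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append("setuid/setgid set")
    return findings


def harden(path, mode=0o600):
    """Restrict the file to `mode` and return the resulting permission bits."""
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Create a world-readable constructed config, audit, fix, and re-audit it."""
    workdir = tempfile.mkdtemp()
    cfg = os.path.join(workdir, "product.conf")
    with open(cfg, "w") as f:
        f.write("db_password = example-only\n")  # constructed content
    os.chmod(cfg, 0o644)  # what a default umask typically leaves behind
    before = permission_findings(cfg)
    fixed_mode = harden(cfg)
    after = permission_findings(cfg)
    return before, fixed_mode, after


if __name__ == "__main__":
    before, fixed_mode, after = demo()
    print("before:", before)
    print("after : mode %o, findings %s" % (fixed_mode, after))
```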
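Added example for ID 010 (not part of the questionnaire): finding the unused interactive accounts the control asks the vendor to disable, and emitting the generic Linux command the row gives. The `/etc/passwd` excerpt, the last-login table, the audit date and the 90-day staleness policy are constructed assumptions.

```python
"""Find unused interactive accounts and emit the disable commands from ID 010.

Added example, not part of the questionnaire. PASSWD and LAST_LOGIN are
CONSTRUCTED; NOW and STALE_AFTER are assumed policy values.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 9, 23, tzinfo=timezone.utc)  # assumed audit date
STALE_AFTER = timedelta(days=90)                   # assumed policy
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed /etc/passwd excerpt: name:x:uid:gid:gecos:home:shell
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
opsadmin:x:1000:1000:Ops Admin:/home/opsadmin:/bin/bash
vendor-svc:x:1001:1001:Vendor Support:/home/vendor-svc:/bin/bash
contractor:x:1002:1002:Contractor:/home/contractor:/bin/bash
backup:x:1003:1003:Backup Agent:/var/backups:/usr/sbin/nologin
"""

# Constructed last-login data (as `lastlog` would report); None means never.
LAST_LOGIN = {
    "root": "2024-09-20T08:00:00+00:00",
    "opsadmin": "2024-09-22T17:45:00+00:00",
    "vendor-svc": "2024-03-01T00:00:00+00:00",
    "contractor": None,
}


def interactive_accounts(passwd_text, min_uid=1000):
    """Yield (name, uid, shell) for human-style accounts: uid >= min_uid with a login shell."""
    for line in passwd_text.splitlines():
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        if int(uid) >= min_uid and shell not in NOLOGIN_SHELLS:
            yield name, int(uid), shell


def stale_accounts(passwd_text, last_login, now=NOW, stale_after=STALE_AFTER):
    """Return [(name, reason)] for interactive accounts unused for `stale_after` or never used."""
    stale = []
    for name, _uid, _shell in interactive_accounts(passwd_text):
        ts = last_login.get(name)
        if ts is None:
            stale.append((name, "never logged in"))
            continue
        age = now - datetime.fromisoformat(ts)
        if age > stale_after:
            stale.append((name, f"last login {age.days} days ago"))
    return stale


def disable_commands(names):
    """The generic-Linux command from ID 010: lock the password and expire the account."""
    return [f"usermod --lock --expiredate 1970-01-02 {name}" for name in names]


if __name__ == "__main__":
    found = stale_accounts(PASSWD, LAST_LOGIN)
    for name, reason in found:
        print(f"{name}: {reason}")
    print("\n".join(disable_commands(name for name, _ in found)))
```

Both the lock and the expiry date matter: `--lock` only prefixes the password hash, so SSH keys would still work, while the 1970 expiry date closes every authentication path for the account.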
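Added example for IDs 012 and 013 (not part of the questionnaire or of any vendor's product): what the TOTP factor named in the row actually computes, written out as RFC 4226 HOTP plus RFC 6238 time stepping, with a verifier that accepts a one-step clock skew window, compares codes in constant time, and refuses to accept the same step twice. The seed is the RFC 6238 test-vector secret; the in-memory replay record is an assumption standing in for whatever store a real product would use.

```python
"""RFC 6238 TOTP generation and verification for the MFA factor in IDs 012/013.

Added example, not part of the questionnaire. The seed in __main__ is the
RFC 6238 Appendix B test-vector secret; the replay record is an assumed
in-memory stand-in for a product's persistent store.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30  # seconds per time step, the RFC 6238 default


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP with dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at, digits=6, step=STEP, algo=hashlib.sha1):
    """TOTP for Unix time `at` (seconds)."""
    return hotp(secret, int(at) // step, digits, algo)


def decode_base32_secret(text):
    """Authenticator apps exchange seeds as unpadded base32; restore the padding."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


class TotpVerifier:
    """Verify codes within +/- `window` steps and reject reuse of an accepted step."""

    def __init__(self, secret, digits=6, step=STEP, window=1):
        self.secret, self.digits, self.step, self.window = secret, digits, step, window
        self.last_accepted_step = -1  # assumed in-memory replay record

    def verify(self, code, now=None):
        now = time.time() if now is None else now
        current = int(now) // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_accepted_step:
                continue  # a code for this step was already accepted: replay
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 6238 Appendix B SHA-1 seed
    print("TOTP at t=59:", totp(seed, 59, digits=8))
    verifier = TotpVerifier(seed, digits=8)
    code = totp(seed, 59, digits=8)
    print("accepted:", verifier.verify(code, now=89), "replay:", verifier.verify(code, now=89))
```

The replay check is the part most home-grown implementations omit: without it, a code captured by a phishing proxy remains valid for the rest of its 30-second step plus the skew window.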
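Added example for ID 016 (not part of the questionnaire): the detection logic a reviewer would run over the minimum log events the row requires, successful and failed authentication plus privilege escalation. The auth.log-style lines are constructed samples, and the five-failure threshold is an assumed policy value.

```python
"""Parse login and privilege-use events from syslog-format auth logs (ID 016).

Added example, not part of the questionnaire. SAMPLE_LOG is CONSTRUCTED
in the Linux auth.log style; the brute-force threshold is an assumption.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Sep 23 10:01:02 host1 sshd[812]: Accepted publickey for opsadmin from 10.0.0.5 port 52310 ssh2
Sep 23 10:02:14 host1 sshd[815]: Failed password for invalid user admin from 203.0.113.9 port 40101 ssh2
Sep 23 10:02:15 host1 sshd[815]: Failed password for invalid user admin from 203.0.113.9 port 40102 ssh2
Sep 23 10:02:16 host1 sshd[816]: Failed password for root from 203.0.113.9 port 40103 ssh2
Sep 23 10:02:17 host1 sshd[817]: Failed password for root from 203.0.113.9 port 40104 ssh2
Sep 23 10:02:18 host1 sshd[818]: Failed password for root from 203.0.113.9 port 40105 ssh2
Sep 23 10:03:40 host1 sudo:  opsadmin : TTY=pts/0 ; PWD=/home/opsadmin ; USER=root ; COMMAND=/usr/bin/systemctl restart app
Sep 23 10:05:01 host1 sshd[830]: Accepted password for vendor-svc from 198.51.100.7 port 61000 ssh2
Sep 23 10:05:30 host1 sudo:  vendor-svc : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
"""

_TS = r'(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
SSH_RE = re.compile(_TS + r'sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for '
                    r'(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+')
SUDO_RE = re.compile(_TS + r'sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$')


def parse_events(log_text):
    """Normalize each recognised line into an 'auth' or 'privesc' event dict."""
    events = []
    for line in log_text.splitlines():
        m = SSH_RE.match(line)
        if m:
            events.append({"type": "auth", "ok": m["result"] == "Accepted", "user": m["user"],
                           "src": m["src"], "method": m["method"], "ts": m["ts"]})
            continue
        m = SUDO_RE.match(line)
        if m:
            events.append({"type": "privesc", "user": m["user"], "target": m["target"],
                           "cmd": m["cmd"], "ts": m["ts"]})
    return events


def detect(events, failure_threshold=5):
    """Flag brute-force sources and interactive root shells obtained via sudo."""
    failures = Counter(e["src"] for e in events if e["type"] == "auth" and not e["ok"])
    brute_force = {src: n for src, n in failures.items() if n >= failure_threshold}
    root_shells = [e for e in events if e["type"] == "privesc" and e["target"] == "root"
                   and e["cmd"].split()[0].endswith(("/bash", "/sh", "/zsh"))]
    return {"brute_force": brute_force, "root_shells": root_shells}


if __name__ == "__main__":
    result = detect(parse_events(SAMPLE_LOG))
    for src, n in result["brute_force"].items():
        print(f"brute force from {src}: {n} failures")
    for e in result["root_shells"]:
        print(f"{e['ts']} {e['user']} opened a root shell: {e['cmd']}")
```

Both detections depend on fields the row asks for: the source address on failed logins and the target user and command on privilege use. A product whose logs omit either field cannot support them.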
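Added example for ID 021 (not part of the questionnaire): a backup of a configuration tree followed by a restore that is actually verified against the checksums captured at backup time, which is the step the Colonial Pipeline account shows matters. It uses standard-library tar archives rather than rsync so it runs anywhere; the configuration tree, file contents and the simulated damage are constructed.

```python
"""Back up a configuration directory and prove it restores correctly (ID 021).

Added example, not the questionnaire's code. The config tree is CONSTRUCTED
in a temporary directory; tar is used instead of rsync so the run is
self-contained.
"""
import hashlib
import os
import tarfile
import tempfile


def tree_digests(root):
    """Map relative path -> SHA-256 of every regular file under `root`."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                digests[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return digests


def backup(src_dir, archive_path):
    """Archive `src_dir` and return the digest manifest captured at backup time."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_dir, arcname=".")
    return tree_digests(src_dir)


def restore(archive_path, dest_dir):
    """Extract into `dest_dir`, refusing members whose path escapes it, and return its digests."""
    os.makedirs(dest_dir, exist_ok=True)
    base = os.path.realpath(dest_dir)
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar.getmembers():
            target = os.path.realpath(os.path.join(dest_dir, member.name))
            if target != base and not target.startswith(base + os.sep):
                raise ValueError(f"unsafe path in archive: {member.name}")
        # Python 3.12+ also offers the 'data' filter; use it where available.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest_dir, **kwargs)
    return tree_digests(dest_dir)


def verify_restore(expected, actual):
    """Return (ok, mismatches) covering missing, extra and altered files."""
    mismatches = sorted(p for p in set(expected) | set(actual) if expected.get(p) != actual.get(p))
    return not mismatches, mismatches


def demo():
    """Constructed config tree -> backup -> simulated damage -> restore -> verify."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "etc-product")
    os.makedirs(os.path.join(src, "conf.d"))
    with open(os.path.join(src, "product.conf"), "w") as f:
        f.write("mode=production\n")
    with open(os.path.join(src, "conf.d", "db.conf"), "w") as f:
        f.write("host=db01\n")
    archive = os.path.join(work, "product-config.tar.gz")
    manifest = backup(src, archive)
    with open(os.path.join(src, "product.conf"), "w") as f:
        f.write("mode=ENCRYPTED\n")  # simulated ransomware damage to the live copy
    restored = restore(archive, os.path.join(work, "restored"))
    return verify_restore(manifest, restored), verify_restore(manifest, tree_digests(src))


if __name__ == "__main__":
    (ok, _), (live_ok, damaged) = demo()
    print("restore verified:", ok, "| live copy intact:", live_ok, "damaged:", damaged)
```

The path check before extraction is the caveat a reviewer wants here: a restore tool that trusts member names in an archive can be turned into a file-overwrite primitive by a tampered backup.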