ETSI TR 103 305-1 V2.1.1 (2016-08)

ETSI TR 103 305-1 V2.1.1 (2016-08)






TECHNICAL REPORT
CYBER;
Critical Security Controls for Effective Cyber Defence;
Part 1: The Critical Security Controls

---------------------- Page: 1 ----------------------
2 ETSI TR 103 305-1 V2.1.1 (2016-08)



Reference
RTR/CYBER-0012-1
Keywords
Cyber Security, Cyber-defence, information
assurance

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the
print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2016.
All rights reserved.

TM TM TM
DECT , PLUGTESTS , UMTS and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members.
TM
3GPP and LTE™ are Trade Marks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
ETSI

---------------------- Page: 2 ----------------------
3 ETSI TR 103 305-1 V2.1.1 (2016-08)
Contents
Intellectual Property Rights . 4
Foreword . 4
Modal verbs terminology . 4
Executive summary . 4
Introduction . 5
1 Scope . 6
2 References . 6
2.1 Normative references . 6
2.2 Informative references . 6
3 Definitions and abbreviations . 6
3.1 Definitions . 6
3.2 Abbreviations . 7
4 Critical Security Controls . 8
4.0 Structure of the Critical Security Controls Document . 8
4.1 CSC 1: Inventory of Authorized and Unauthorized Devices. 8
4.2 CSC 2: Inventory of Authorized and Unauthorized Software . 10
4.3 CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations,
and Servers . 12
4.4 CSC 4: Continuous Vulnerability Assessment and Remediation . 14
4.5 CSC 5: Controlled Use of Administrative Privileges . 16
4.6 CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs . 18
4.7 CSC 7: Email and Web Browser Protections . 20
4.8 CSC 8: Malware Defenses. 22
4.9 CSC 9: Limitation and Control of Network Ports, Protocols, and Services . 24
4.10 CSC 10: Data Recovery Capability . 25
4.11 CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches . 26
4.12 CSC 12: Boundary Defense. 28
4.13 CSC 13: Data Protection . 31
4.14 CSC 14: Controlled Access Based on the Need to Know . 33
4.15 CSC 15: Wireless Access Control . 35
4.16 CSC 16: Account Monitoring and Control . 36
4.17 CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps . 38
4.18 CSC 18: Application Software Security . 41
4.19 CSC 19: Incident Response and Management . 42
4.20 CSC 20: Penetration Tests and Red Team Exercises . 44
Annex A: Evolving An Attack Model for the Critical Security Controls . 47
Annex B: Attack Types . 49
History . 50


ETSI

---------------------- Page: 3 ----------------------
4 ETSI TR 103 305-1 V2.1.1 (2016-08)
Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (https://ipr.etsi.org/).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This Technical Report (TR) has been produced by ETSI Technical Committee Cyber Security (CYBER).
The present document is part 1 of a multi-part deliverable covering the Critical Security Controls for Effective Cyber
Defence, as identified below:
Part 1: "The Critical Security Controls";
Part 2: "Measurement and auditing";
Part 3: "Service Sector Implementations";
Part 4: "Facilitation Mechanisms".
Modal verbs terminology
In the present document "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to be
interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
Executive summary
The present document captures and describes the top twenty Enterprise industry level cybersecurity best practices that
provide enhanced cyber security, developed and maintained by the Center for Internet Security (CIS) (formerly the
Council on CyberSecurity) as an independent, expert, global non-profit organization. The CIS provides ongoing
development, support, adoption, and use of the Critical Security Controls [i.1]. The Controls reflect the combined
knowledge of actual attacks and effective defences of experts from every part of the cyber security ecosystem. This
ensures that the Controls are an effective and specific set of technical measures available to detect, prevent, respond,
and mitigate damage from the most common to the most advanced of those attacks.
The Controls are not limited to blocking the initial compromise of systems, but also address detecting
already-compromised machines and preventing or disrupting attackers' follow-on actions. The defences identified
through these Controls deal with reducing the initial attack surface by hardening device configurations, identifying
compromised machines to address long-term threats inside an organization's network, disrupting attackers' command-
and-control of implanted malicious code, and establishing an adaptive, continuous defence and response capability that
can be maintained and improved. The five critical tenets of an effective cyber defence system as reflected in the Critical
Security Controls are:
• Offense informs defence: Use knowledge of actual attacks that have compromised systems to provide the
foundation to continually learn from these events to build effective, practical defences. Include only those
controls that can be shown to stop known real-world attacks.
ETSI

---------------------- Page: 4 ----------------------
5 ETSI TR 103 305-1 V2.1.1 (2016-08)
• Prioritization: Invest first in Controls that will provide the greatest risk reduction and protection against the
most dangerous threat actors, and that can be feasibly implemented in a computing environment.
• Metrics: Establish common metrics to provide a shared language for executives, IT specialists, auditors, and
security officials to measure the effectiveness of security measures within an organization so that required
adjustments can be identified and implemented quickly.
• Continuous diagnostics and mitigation: Carry out continuous measurement to test and validate the
effectiveness of current security measures, and to help drive the priority of next steps.
• Automation: Automate defences so that organizations can achieve reliable, scalable, and continuous
measurements of their adherence to the Controls and related metrics.
Introduction
The evolution of cyber defence is increasingly challenging. Massive data losses, theft of intellectual property, credit
card breaches, identity theft, threats to privacy, denial of service - these have become endemic. Access exists to an
extraordinary array of security tools and technology, security standards, training and classes, certifications, vulnerability
databases, guidance, best practices, catalogues of security controls, and countless security checklists, benchmarks, and
recommendations.
But all of this technology, information, and oversight has become a veritable "Fog of More:" competing options,
priorities, opinions, and claims that can paralyze or distract an enterprise from vital action. Business complexity is
growing, dependencies are expanding, users are becoming more mobile, and the threats are evolving. New technology
brings great benefits, but it also means that data and applications are now distributed across multiple locations, many of
which are not within the organization's infrastructure. In this complex, interconnected world, no enterprise can think of
its security as a standalone problem.
Focus is needed to establish priority of action, collective support, and keeping knowledge and technology current in the
face of rapidly evolving problems and an apparently infinite number of possible solutions. The most critical areas need
to be addressed and the first steps taken toward maturing risk management programs. This includes a roadmap of
fundamentals, and guidance to measure and improve the implementation defensive steps that have the greatest value.
These issues led to, and drive, the Critical Security Controls. The value is determined by knowledge and data - the
ability to prevent, alert, and respond to the attacks that are plaguing enterprises today.
Initiating Implementation
Some of the Critical Security Controls, in particular CSC 1 through CSC 5, are foundational, and are the primary
recommended actions to be taken. This is the approach taken by, for example, the DHS Continuous Diagnostic and
Mitigation (CDM) Program. A similar approach is recommended by the Australian Signals Directorate (ASD) with
their "Top Four Strategies to Mitigate Targeted Intrusions" - a well-regarded and demonstrably effective set of cyber-
defense actions that map very closely into the CIS Critical Security Controls.
ETSI

---------------------- Page: 5 ----------------------
6 ETSI TR 103 305-1 V2.1.1 (2016-08)
1 Scope
The present document describes a specific set of technical measures available to detect, prevent, respond, and mitigate
damage from the most common to the most advanced of cyber attacks. The measures reflect the combined knowledge
of actual attacks and effective defences.
The present document is technically equivalent and compatible with The Center for Internet Cybersecurity [i.1].
2 References
2.1 Normative references
Normative references are not applicable in the present document.
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
reference document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] The Center for Internet Cybersecurity: "Critical Security Controls for Effective Cyber Defense
Version 6.0," October 15, 2015.
NOTE: Available at https://www.cisecurity.org/critical-controls.cfm.
[i.2] NIST SP 800-57 Part 1-Rev. 4: "Recommendation for Key Management".
[i.3] IEEE 802.1X-2010: "Port Based Network Access Control".
[i.4] ETSI TR 103 305-2: "CYBER; Critical Security Controls for Effective Cyber Defence;
Part 2: Measurement and auditing".
3 Definitions and abbreviations
3.1 Definitions
For the purposes of the present document, the following terms and definitions apply:
Critical Security Control (CSC): specified capabilities that reflect the combined knowledge of actual attacks and
effective defences of experts that are maintained by the Center for Internet Security
NOTE: Found at the website https://www.cisecurity.org/critical-controls.cfm.
quick win: actions that can be relatively easily taken with minimal resources that have a significant cyber security
benefit
ETSI

---------------------- Page: 6 ----------------------
7 ETSI TR 103 305-1 V2.1.1 (2016-08)
3.2 Abbreviations
For the purposes of the present document, the following abbreviations apply:
802.1x Institute of Electrical and Electronic Engineers Standard for Port-based Network Access Control
[i.3]
ACK ACKnowledge
ACL Access Controls List
AES Advanced Encryption Standard
APT Advanced Persistent Threat
ASD Australian Signals Directorate
ASLR Address Space Layout Randomization
BYOD Bring Your Own Device
C2 Command and Control
TM
CCE Common Configuration Enumeration
CD Compact Disc
CDM Continuous Diagnostic and Mitigation
CERT Computer Emergency Response Team
CIS Center for Internet Security
TM
CPE Common Platform Enumeration
CSC Critical Security Control or Capability
®
CVE Common Vulnerability Enumeration
CVSS Common Vulnerability Scoring System
DBIR Data Breach Investigations Report
DEP Data Execution Prevention
DHCP Dynamic Host Configuration Protocol
DHS Department of Homeland Security
DLP Data Loss Prevention
DMZ DeMilitarized Zone
DNS Domain Name System
DVD Digital Versatile Disc or Digital Video Disc
EAP Extensible Authentication Protocol
EMET Enhanced Mitigation Experience Toolkit
HSM Hardware Security Modules
HTTP Hypertext Transfer Protocol
ICMP Internet Control Message Protocol
ID IDentifier
IDS Intrusion Detection System
IP Internet Protocol
IPS Intrusion Prevention System
IPSEC Internet Protocol Security
IPv6 Internet Protocol version 6
ISO International Organization for Standardization
IT Information Technology
LAN Local Area Network
LDAP Lightweight Directory Access Protocol
MAC Media Access Control
NAC Network Access Control
NIST National Institute of Standards and Technology
OTP One Time Password
®
OVAL Open Vulnerability and Assessment Language
OWASP Open Web Application Security Project
RDP Remote Desktop Protocol
SCADA Supervisory Control and Data Acquisition
SCAP Security Content Automation Program
SEM Security Event Manager
SIEM Security Information Event Management or Security Incident Event Management
SIM Subscriber Information Module
SP Special Publication
SPF Sender Policy Framework
SQL Structured Query Language
SSL Secure Sockets Layer
ETSI

---------------------- Page: 7 ----------------------
8 ETSI TR 103 305-1 V2.1.1 (2016-08)
SYN SYNchronize
TCP Transmission Control Protocol
TLS Transport Layer Security
URL Uniform Resource Locator
USB Universal Serial Bus
VLAN Virtual Local Area Network
VNC Virtual Channel Network
VPN Virtual Private Network
WAF Web Application Firewall
WIDS Wireless Intrusion Detection System
WPA2 Wi-Fi Protected Access II
XCCDF Extensible Configuration Checklist
® TM ® TM
NOTE: CPE , CVE , OVAL and CCE are trademarks of The MITRE Corporation operating as a non-profit
Federally Funded Research and Development Center (FFRDC) of the U.S. Department of Homeland
® ®
Security. See http://stixproject.github.io/legal/. Both CVE and OVAL are registered service marks.
This information is given for the convenience of users of the present document and does not constitute an
endorsement by ETSI of the product named. Equivalent products may be used if they can be shown to
lead to the same results.
4 Critical Security Controls
4.0 Structure of the Critical Security Controls Document
The presentation of each Critical Security Control in the present document includes:
• A description of the importance of the Control (Why is This Control Critical) in blocking or identifying
presence of attacks and an explanation of how attackers actively exploit the absence of this control.
• A chart of the specific actions ("sub-controls") that organizations are taking to implement, automate, and
measure effectiveness of this control.
• Procedures and Tools that enable implementation and automation.
• Sample Entity Relationship Diagrams that show components of implementation.
In addition to the present document, ETSI TR 103 305-2 [i.4], can be referenced for implementing each control.
4.1 CSC 1: Inventory of Authorized and Unauthorized Devices
Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices
are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
Why Is This Control Critical?
Attackers, who can be located anywhere in the world, are continuously scanning the address space of target
organizations, waiting for new and unprotected systems to be attached to the network. Attackers also look for devices
(especially laptops) which come and go off of the enterprise's network, and so get out of synch with patches or security
updates. Attacks can take advantage of new hardware that is installed on the network one evening but not configured
and patched with appropriate security updates until the following day. Even devices that are not visible from the
Internet can be used by attackers who have already gained internal access and are hunting for internal jump points or
victims. Additional systems that connect to the enterprise's network (e.g. demonstration systems, temporary test
systems, guest networks) should also be managed carefully and/or isolated in order to prevent adversarial access from
affecting the security of enterprise operations.
As new technology continues to come out, BYOD (bring your own device) - where employees bring personal devices
into work and connect them to the enterprise network - is becoming very common. These devices could already be
compromised and be used to infect internal resources.
Managed control of all devices also plays a critical role in planning and executing system backup and recovery.
ETSI

---------------------- Page: 8 ----------------------
9 ETSI TR 103 305-1 V2.1.1 (2016-08)
Table 1: CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 1: Inventory of Authorized and Unauthorized Devices
Family Control Control Description
System 1.1 Deploy an automated asset inventory discovery tool and use it to build a preliminary
inventory of systems connected to an organization's public and private network(s). Both
active tools that scan through IPv4 or IPv6 network address ranges and passive tools
that identify hosts based on analyzing their traffic should be employed.
System 1.2 If the organization is dynamically assigning addresses using DHCP, then deploy
dynamic host configuration protocol (DHCP) server logging, and use this information to
improve the asset inventory and help detect unknown systems.
System 1.3 Ensure that all equipment acquisitions automatically update the inventory system as
new, approved devices are connected to the network.
System 1.4 Maintain an asset inventory of all systems connected to the network and the network
devices themselves, recording at least the network addresses, machine name(s),
purpose of each system, an asset owner responsible for each device, and the
department associated with each device. The inventory should include every system
that has an Internet protocol (IP) address on the network, including but not limited to
desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.),
printers, storage area networks, Voice Over-IP telephones, multi-homed addresses,
virtual addresses, etc. The asset inventory created should also include data on whether
the device is a portable and/or personal device. Devices such as mobile phones,
tablets, laptops, and other portable electronic devices that store or process data should
be identified, regardless of whether they are attached to the organization's network.
System 1.5 Deploy network level authentication via 802.1x to limit and control which devices can be
connected to the network. The 802.1x should be tied into the inventory data to
determine authorized versus unauthorized systems [i.3].
System 1.6 Use client certificates to validate and authenticate systems prior to connecting to the
private network.

CSC 1 Procedures and Tools
This Control includes both technical and procedural actions, united in a process that accounts for and manages the
inventory of hardware and all associated information throughout its life cycle. It links to business governance by
establishing information/asset owners who are responsible for each component of a business process that includes
information, software, and hardware. Organizations can use large-scale, comprehensive enterprise products to maintain
IT asset inventories. Others use more modest tools to gather the data by sweeping the network, and manage the results
separately in a database.
Maintaining a current and accurate view of IT assets is an ongoing and dynamic process. Organizations can actively
scan on a regular basis, sending a variety of different packet types to identify devices connected to the network. Before
such scanning can take place, organizations should verify that they have adequate bandwidth for such periodic scans by
consulting load history and capacities for their networks. In conducting inventory scans, scanning tools could send
traditional ping packets (e.g. ICMP Echo Request) looking for ping responses to identify a system at a given IP address.
Because some systems block inbound ping packets, in addition to traditional pings, scanners can also identify devices
on the network using transmission control protocol (TCP) synchronize (SYN) or acknowledge (ACK) packets. Once
they have identified IP addresses of devices on the network, some scanners provide robust fingerprinting features to
determine the operating system type of the discovered machine.
In addition to active scanning tools that sweep the network, other asset identification tools passively listen on network
interfaces for devices to announce their presence by sending traffic. Such passive tools can be connected to switch span
ports at critical places in the network to view all data flowing through such switches, maximizing the chance of
identifying systems communicating through those switches.
Many organizations also pull information from network assets such as switches and routers regarding the machines
connected to the network. Using securely authenticated and encrypted network management protocols, tools can
retrieve MAC addresses and other information from network devices that can be reconciled with the organization's asset
inventory of servers, workstations, laptops, and other devices. Once MAC addresses are confirmed, switches should
implement 802.1x and NAC to only allow authorized systems that are properly configured to connect to the network
[i.3].
ETSI

---------------------- Page: 9 ----------------------
10 ETSI TR 103 305-1 V2.1.1 (2016-08)
Wireless devices (and wired laptops) may periodically join a network and then disappear, making the inventory of
currently available systems very dynamic. Likewise, virtual machines can be difficult to track in asset inventories when
they are shut down or paused. Additionally, remote machines accessing the network using virtual private network
(VPN) technology may appear on the network for a time, and then be disconnected from it. Whether physical or virtual,
each machine using an IP address should be included in an organization's asset inventory.
CSC 1 System Entity Relationship Diagram
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will
be easier to identify how to implement them, test the controls, and identify where potential failures in the system might
occur.

Figure 1
4.2 CSC 2: Inventory of Authorized and Unauthorized Software
Actively manage (inventory, track, and correct) all software on the network so that only authorized software is
installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation
or execution.
Why Is This Control Critical?
Attackers continuously scan target organizations looking for vulnerable versions of software that can be remotely
exploited. Some attackers also distribute hostile web pages, document files, media files, and other content via their own
web pages or otherwise trustworthy third-party sites. When unsuspecting victims access this content with a vulnerable
browser or other client-side program, attackers compromise their machines, often installing backdoor programs and bots
that give the attacker long-term control of the system. Some sophisticated attackers may use zero-d
...