この記事について
米国のCenter for Internet Security, Inc. (CIS)が提供する、サイバーセキュリティのための支援ツールやサービス群を小分けにして考察します。
今回は、CIS Controlsのセーフガードを解釈するためのコツと手法の紹介です。CIS Controlsに限った話ではありませんが、フレームワークの要求事項が自組織の何に相当しうるのか、解釈が割れることは多々あるかと思います。
そもそも絶対的な解はないはずなので、ここでは"最適解"を得るためのヒントや手法を挙げます。
この投稿の読者想定
組織のITセキュリティを体系的に強化すべく、CISのスイートを有効活用したいが、それぞれの違いや関係性がよくわからない方(投稿者自身を含む)。
基本構造
本題の前に、前提知識の整理です。
CIS Controlsは、18のコントロール(要するに大分類)と、その配下の153のセーフガードから構成されます。セーフガードは、ISO的な日本語に例えると"管理策"でしょうか。
| コントロール | コントロールの詳細 | セーフガード |
|---|---|---|
| コントロール 1 | HOGE | セーフガード 1.1 |
| コントロール 1 | HOGE | セーフガード 1.2 |
| 省略 | ||
| コントロール 18 | HOGE | セーフガード 18.5 |
またセーフガードは、資産タイプ、セキュリティ機能、IG1~3への割当て、といった属性値が付与されています。
| セーフガード | 資産タイプ | セキュリティ機能 | IG1~3への割当て | セーフガードの詳細 |
|---|---|---|---|---|
| セーフガード 1.1 | デバイス | 特定 | IG1、IG2、IG3 の全て | HOGE |
| セーフガード 1.2 | デバイス | 対応 | IG1、IG2、IG3 の全て | HOGE |
| 省略 | ||||
| セーフガード 18.5 | ネットワーク | 検知 | IG3 のみ | HOGE |
属性
- 資産タイプ
- 対象となる資産の種類(例:デバイス、ソフトウェア、データ、文書など)
- セキュリティ機能
- NISTが定義するサイバーセキュリティ対策の必須機能(ガバナンス、識別、防御、検知、対応、復旧)との関係性
- IG1~3への割当て
- IG(Implementation Group)とはCISが定義する組織の"ペルソナ"であり、大規模且つ専門的な人材が揃う組織はIG3とされる
セーフガードを理解するうえで、属性値からそのセーフガードの特性を推測することは重要です。例えばIG1~3全てに要求されるセーフガードであれば「かなり基礎的な策であり、他のセーフガードの実装に対しても、大きな影響を及ぼすのではないか?」といった具合です。
セーフガードを読み解く
ここから本題です。セーフガードを読み解くための、補助的なアプローチを幾つか紹介します。簡素な表現のものから、一文に条件を複数挙げるものまで色々とタイプがあり、解釈に詰まった時はこれらのアプローチを使い分けると良いかと思います。
その1 セーフガードの要素を分解する
冒頭の1.1は特にそうですが、そもそも長文で要素が多く、自身の理解を含め、このままでは関係者がイメージを一致させることが困難です。
Image source: Center for Internet Security (CIS), "CIS Critical Security Controls Navigator", licensed under CC BY-NC-SA 4.0.
そこでセーフガード毎に、以下の観点での分析をお勧めします。
関係者間で、シンプルな会話ができるようにしたい
→ 1.セーフガードの文中に含まれる多数の要件を、YES/NOの二択で回答できるレベルの要素にばらす
ばらした要素が独り歩きしないようにしたい
→ 2.各要素同士の文脈上の関係(AND/OR)は、なんらかの方法で維持する
ばらした要素ごとに、できるだけ関係者の解釈を一致させたい
→ 3.実施しない場合、どのようなリスクやデメリットがあるか明確にする
→ 4.実施する場合、課題となりうる点を明確にする
この1~4をスクリプトにして、GPTに解析してもらった結果が以下です。複数人の関係者でも、すれ違いを最小に抑えて会話ができるレベルになっていると思います。
その2 セーフガード同士の依存関係を調べる
その1におけるアプローチは、一つのセーフガードの中に含まれる要素毎の分析でしたが、別の視点として、セーフガード同士の関係性を理解することも重要です。
簡単な例として、セーフガードの10.1と10.2を例にとります。
10.1 マルウェア対策ソフトウェアを導入し維持する
10.2 マルウェア対策のシグネチャ自動更新を設定する
そもそも10.1という行為が未整備な組織において、10.2は成立しないはずです。仮にそのような評価となる場合、導入・維持は部分的だが、それらについては自動更新が設定されている、という事なのでしょう。
このように、セーフガードには相互の関係が存在します。セーフガード群の評価結果において、矛盾を探し出すためのヒントとなるでしょう。
尚、これを考える上では、CAS (CIS Controls Assessment Specification) で定義されるパラメータの Dependencies(依存関係) が参考になります。一覧化すると以下です。
| title | Dependencies | Dependencies |
|---|---|---|
| 1.1: Establish and Maintain Detailed Enterprise Asset Inventory | none | |
| 1.2: Address Unauthorized Assets | 1.1: | |
| 1.3: Utilize an Active Discovery Tool | 4.1: | |
| 1.4: Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory | 1.1: | |
| 1.5: Use a Passive Asset Discovery Tool | 4.2: | 12.4: |
| 2.1: Establish and Maintain a Software Inventory | none | |
| 2.2: Ensure Authorized Software is Currently Supported | 2.1: | |
| 2.3: Address Unauthorized Software | 1.1: | 2.1: |
| 2.4: Utilize Automated Software Inventory Tools | 1.1: | 2.3: |
| 2.5: Allowlist Authorized Software | 1.1: | 2.1: |
| 2.6: Allowlist Authorized Libraries | 2.1: | 2.5: |
| 2.7: Allowlist Authorized Scripts | 2.1: | 4.1: |
| 3.1: Establish and Maintain a Data Management Process | none | |
| 3.2: Establish and Maintain a Data Inventory | 1.1: | |
| 3.3: Configure Data Access Control Lists | 3.2: | 4.1: |
| 3.4: Enforce Data Retention | 3.1: | 3.2: |
| 3.5: Securely Dispose of Data | 3.1: | 3.2: |
| 3.6: Encrypt Data on End-User Devices | 1.1: | 2.1: |
| 3.7: Establish and Maintain a Data Classification Scheme | 3.1: | 3.2: |
| 3.8: Document Data Flows | 3.1: | 3.2: |
| 3.9: Encrypt Data on Removable Media | 1.1: | 2.1: |
| 3.10: Encrypt Sensitive Data in Transit | 3.2: | 4.1: |
| 3.11: Encrypt Sensitive Data At Rest | 1.1: | 2.1: |
| 3.12: Segment Data Processing and Storage Based on Sensitivity | 3.2: | 12.4: |
| 3.13: Deploy a Data Loss Prevention Solution | 2.1: | 3.2: |
| 3.14: Log Sensitive Data Access | 1.1: | 2.1: |
| 4.1: Establish and Maintain a Secure Configuration Process | 2.1: | |
| 4.2: Establish and Maintain a Secure Configuration Process for Network Infrastructure | 2.1: | |
| 4.3: Configure Automatic Session Locking on Enterprise Assets | 1.1: | 2.1: |
| 4.4: Implement and Manage a Firewall on Servers | 1.1: | 2.1: |
| 4.5: Implement and Manage a Firewall on End-User Devices | 1.1: | 2.1: |
| 4.6: Securely Manage Enterprise Assets and Software | 1.1: | 2.1: |
| 4.7: Manage Default Accounts on Enterprise Assets and Software | 1.1: | 2.1: |
| 4.8: Uninstall or Disable Unnecessary Services on Enterprise Assets and Software | 1.1: | 2.1: |
| 4.9: Configure Trusted DNS Servers on Enterprise Assets | 1.1: | 4.1: |
| 4.10: Enforce Automatic Device Lockout on Portable End-User Devices | 1.1: | |
| 4.11: Enforce Remote Wipe Capability on Portable End-User Devices | 1.1: | |
| 4.12: Separate Enterprise Workspaces on Mobile End-User Devices | 1.1: | 2.1: |
| 5.1: Establish and Maintain an Inventory of Accounts | 2.1: | |
| 5.2: Use Unique Passwords | none | |
| 5.3: Disable Dormant Accounts | 5.1: | |
| 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts | 5.1: | |
| 5.5: Establish and Maintain an Inventory of Service Accounts | 6.6: | |
| 5.6: Centralize Account Management | 1.1: | 2.1: |
| 6.1: Establish an Access Granting Process | none | |
| 6.2: Establish an Access Revoking Process | none | |
| 6.3: Require MFA for Externally-Exposed Applications | 2.1: | 4.1: |
| 6.4: Require MFA for Remote Network Access | 1.1: | 4.1: |
| 6.5: Require MFA for Administrative Access | 4.1: | 5.1: |
| 6.6: Establish and Maintain an Inventory of Authentication and Authorization Systems | 1.1: | 2.1: |
| 6.7: Centralize Access Control | 1.1: | 2.1: |
| 6.8: Define and Maintain Role-Based Access Control | 5.1: | |
| 7.1: Establish and Maintain a Vulnerability Management Process | none | |
| 7.2: Establish and Maintain a Remediation Process | none | |
| 7.3: Perform Automated Operating System Patch Management | 1.1: | 2.1: |
| 7.4: Perform Automated Application Patch Management | 1.1: | 2.1: |
| 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets | 1.1: | 2.1: |
| 7.6: Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets | 1.1: | 2.1: |
| 7.7: Remediate Detected Vulnerabilities | 1.1: | |
| 8.1: Establish and Maintain an Audit Log Management Process | none | |
| 8.2: Collect Audit Logs | 1.1: | 4.1: |
| 8.3: Ensure Adequate Audit Log Storage | 1.1: | |
| 8.4: Standardize Time Synchronization | 1.1: | |
| 8.5: Collect Detailed Audit Logs | 1.1: | |
| 8.6: Collect DNS Query Audit Logs | 4.1: | |
| 8.7: Collect URL Request Audit Logs | 1.1: | 4.1: |
| 8.8: Collect Command-Line Audit Logs | 1.1: | 4.1: |
| 8.9: Centralize Audit Logs | 1.1: | 2.1: |
| 8.10: Retain Audit Logs | 4.1: | 8.9: |
| 8.11: Conduct Audit Log Reviews | none | |
| 8.12: Collect Service Provider Logs | 4.1: | 15.1: |
| 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients | 2.1: | |
| 9.2: Use DNS Filtering Services | 1.1: | 4.1: |
| 9.3: Maintain and Enforce Network-Based URL Filters | 1.1: | 2.1: |
| 9.4: Restrict Unnecessary or Unauthorized Browser and Email Client Extensions | 1.1: | 2.1: |
| 9.5: Implement DMARC | 2.1: | |
| 9.6: Block Unnecessary File Types | 1.1: | 4.1: |
| 9.7: Deploy and Maintain Email Server Anti-Malware Protections | 1.1: | 4.1: |
| 10.1: Deploy and Maintain Anti-Malware Software | 1.1: | 2.1: |
| 10.2: Configure Automatic Anti-Malware Signature Updates | 10.1: | |
| 10.3: Disable Autorun and Autoplay for Removable Media | 1.1: | 4.1: |
| 10.4: Configure Automatic Anti-Malware Scanning of Removable Media | 4.1: | 10.1: |
| 10.5: Enable Anti-Exploitation Features | 1.1: | 4.1: |
| 10.6: Centrally Manage Anti-Malware Software | 1.1: | 2.1: |
| 10.7: Use Behavior-Based Anti-Malware Software | 1.1: | 2.1: |
| 11.1: Establish and Maintain a Data Recovery Process | none | |
| 11.2: Perform Automated Backups | 1.1: | 2.1: |
| 11.3: Protect Recovery Data | 1.1: | 2.1: |
| 11.4: Establish and Maintain an Isolated Instance of Recovery Data | 1.1: | 4.1: |
| 11.5: Test Data Recovery | 1.1: | |
| 12.1: Ensure Network Infrastructure is Up-to-Date | 1.1: | |
| 12.2: Establish and Maintain a Secure Network Architecture | 12.4: | 2.1: |
| 12.3: Securely Manage Network Infrastructure | 1.1: | 4.2: |
| 12.4: Establish and Maintain Architecture Diagram(s) | none | |
| 12.5: Centralize Network Authentication, Authorization, and Auditing (AAA) | 2.1: | |
| 12.6: Use of Secure Network Management and Communication Protocols | 4.2: | 12.2: |
| 12.7: Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure | 1.1: | 2.1: |
| 12.8: Establish and Maintain Dedicated Computing Resources for All Administrative Work | 1.1: | 4.2: |
| 13.10: Perform Application Layer Filtering | 1.1: | 2.1: |
| 13.11: Tune Security Event Alerting Thresholds | 13.1: | |
| 13.1: Centralize Security Event Alerting | 1.1: | 2.1: |
| 13.2: Deploy a Host-Based Intrusion Detection Solution | 1.1: | 2.1: |
| 13.3: Deploy a Network Intrusion Detection Solution | 1.1: | 12.4: |
| 13.4: Perform Traffic Filtering Between Network Segments | none | |
| 13.5: Manage Access Control for Remote Assets | 1.1: | 4.1: |
| 13.6: Collect Network Traffic Flow Logs | 1.1: | 4.2: |
| 13.7: Deploy a Host-Based Intrusion Prevention Solution | 1.1: | 2.1: |
| 13.8: Deploy a Network Intrusion Prevention Solutions | 1.1: | 12.4: |
| 13.9: Deploy Port-Level Access Control | 1.1: | |
| 14.1: Establish and Maintain a Security Awareness Program | none | |
| 14.2: Train Workforce Members to Recognize Social Engineering Attacks | none | |
| 14.3: Train Workforce Members on Authentication Best Practices | none | |
| 14.4: Train Workforce on Data Handling Best Practices | none | |
| 14.5: Train Workforce Members on Causes of Unintentional Data Exposure | none | |
| 14.6: Train Workforce Members on Recognizing and Reporting Security Incidents | none | |
| 14.7: Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates | none | |
| 14.8: Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks | none | |
| 14.9: Conduct Role-Specific Security Awareness and Skills Training | none | |
| 15.1: Establish and Maintain an Inventory of Service Providers | none | |
| 15.2: Establish and Maintain a Service Provider Management Policy | none | |
| 15.3: Classify Service Providers | 15.1: | 15.2: |
| 15.4: Ensure Service Provider Contracts Include Security Requirements | 15.1: | 15.2: |
| 15.5: Assess Service Providers | 15.1: | 15.2: |
| 15.6: Monitor Service Providers | 15.1: | 15.2: |
| 15.7: Securely Decommission Service Providers | 15.1: | 15.2: |
| 16.1: Establish and Maintain a Secure Application Development Process | none | |
| 16.2: Establish and Maintain a Process to Accept and Address Software Vulnerabilities | none | |
| 16.3: Perform Root Cause Analysis on Security Vulnerabilities | 16.2: | |
| 16.4: Establish and Manage an Inventory of Third-Party Software Components | 2.1: | |
| 16.5: Use Up-to-Date and Trusted Third-Party Software Components | 16.4: | |
| 16.6: Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities | 16.2: | |
| 16.7: Use Standard Hardening Configuration Templates for Application Infrastructure | 4.1: | 4.2: |
| 16.8: Separate Production and Non-Production Systems | none | |
| 16.9: Train Developers in Application Security Concepts and Secure Coding | none | |
| 16.10: Apply Secure Design Principles in Application Architectures | 16.1: | |
| 16.11: Leverage Vetted Modules or Services for Application Security Components | 2.1: | |
| 16.12: Implement Code-Level Security Checks | 2.1: | |
| 16.13: Conduct Application Penetration Testing | 2.1: | |
| 16.14: Conduct Threat Modeling | 2.1: | |
| 17.1: Designate Personnel to Manage Incident Handling | none | |
| 17.2: Establish and Maintain Contact Information for Reporting Security Incidents | none | |
| 17.3: Establish and Maintain an Enterprise Process for Reporting Incidents | none | |
| 17.4: Establish and Maintain an Incident Response Process | none | |
| 17.5: Assign Key Roles and Responsibilities | 17.4: | |
| 17.6: Define Mechanisms for Communicating During Incident Response | 17.4: | |
| 17.7: Conduct Routine Incident Response Exercises | 17.4: | |
| 17.8: Conduct Post-Incident Reviews | 17.4: | |
| 17.9: Establish and Maintain Security Incident Thresholds | 17.4: | |
| 18.1: Establish and Maintain a Penetration Testing Program | none | |
| 18.2: Perform Periodic External Penetration Tests | 18.1: | |
| 18.3: Remediate Penetration Test Findings | 18.2: | |
| 18.4: Validate Security Measures | 18.1: | |
| 18.5: Perform Periodic Internal Penetration Tests | 18.1: |
今回はここまで。ありがとうございました。