
Identify Assets
The number one critical security control for effective cyber defense is "Inventory of authorized and unauthorized devices", per the CIS Critical Security Controls for Effective Cyber Defense. It is crucial to take a device inventory, perhaps using asset tags, automated inventory discovery tools and a content management database. Validating that your inventory contains what you think it does is equally important, and that is the premise behind this solution. External (public-facing, internet-accessible) devices, and especially websites, are prime targets for attackers because they reside on the internet and can therefore be accessed from anywhere in the world. This ubiquity is a requirement for many organizations, yet it is simultaneously one of the most overlooked elements from a security standpoint.
Validate Services
If you are familiar with the likes of Heartbleed, Shellshock, Drupalgeddon 2 & 3, POODLE, and CVE-2020-0609/CVE-2020-0610, ask yourself how long it took your organization to be able to answer these questions with confidence:
- How many machines do we have that are running OpenSSL and...
- What version of OpenSSL are they on?
- Which servers are running with exposed cgi-bin functionality?
- Do our websites currently support SSLv3, TLS1.0, TLS1.1?
- How many IIS webservers are we hosting?
- How many RDP services are running externally?
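
The questions above can be answered mechanically once external scan results are reconciled against the approved inventory. The following is an added example, not code from the original page or from the solution it describes; the record layout, field names and sample hosts (documentation-range addresses) are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample data (not from the original page): the approved inventory
# and the results of an external service scan, one record per open port.
INVENTORY = {"203.0.113.10", "203.0.113.11", "203.0.113.12"}
SCAN = [
    {"ip": "203.0.113.10", "port": 443, "service": "https", "product": "Apache httpd",
     "openssl": "1.0.1f", "tls": ["SSLv3", "TLSv1.0", "TLSv1.2"], "paths": ["/cgi-bin/"]},
    {"ip": "203.0.113.11", "port": 443, "service": "https", "product": "Microsoft IIS",
     "openssl": None, "tls": ["TLSv1.2", "TLSv1.3"], "paths": []},
    {"ip": "203.0.113.11", "port": 3389, "service": "rdp", "product": "Microsoft Terminal Services",
     "openssl": None, "tls": ["TLSv1.2"], "paths": []},
    {"ip": "203.0.113.99", "port": 443, "service": "https", "product": "nginx",
     "openssl": "1.1.1w", "tls": ["TLSv1.1", "TLSv1.2"], "paths": []},
]
DEPRECATED = {"SSLv3", "TLSv1.0", "TLSv1.1"}

def hosts(records, predicate):
    """Sorted unique IPs of scan records matching predicate."""
    return sorted({r["ip"] for r in records if predicate(r)})

def report(inventory, scan):
    """Reconcile scan results with the inventory and answer each question."""
    seen = {r["ip"] for r in scan}
    # Count OpenSSL versions once per host, not once per open port.
    versions = Counter(v for _, v in {(r["ip"], r["openssl"]) for r in scan if r["openssl"]})
    return {
        "unauthorized": sorted(seen - inventory),      # scanned but not in inventory
        "not_observed": sorted(inventory - seen),      # in inventory but not seen externally
        "openssl_versions": dict(versions),
        "cgi_bin_exposed": hosts(scan, lambda r: any(p.startswith("/cgi-bin") for p in r["paths"])),
        "deprecated_tls": {f'{r["ip"]}:{r["port"]}': sorted(DEPRECATED & set(r["tls"]))
                           for r in scan if DEPRECATED & set(r["tls"])},
        "iis_hosts": hosts(scan, lambda r: "IIS" in r["product"]),
        "external_rdp": hosts(scan, lambda r: r["service"] == "rdp" or r["port"] == 3389),
    }

if __name__ == "__main__":
    for question, answer in report(INVENTORY, SCAN).items():
        print(f"{question}: {answer}")
```
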