CIS Control 12: Network Infrastructure Management


Networks form a critical core for our modern-day society and businesses. These networks are comprised of many types of components that make up the networks’ infrastructure. Network infrastructure devices can be physical or virtual and include things such as routers, switches, firewalls, and wireless access points. Unfortunately, many devices are shipped from manufacturers with “default” configuration settings and passwords that, if deployed as-is, can significantly weaken an organization’s network infrastructure.

Even if network devices are hardened with non-default configurations and strong passwords, over time, these devices will be targeted by new vulnerabilities that are discovered by security researchers.

Key Takeaways for Control 12

Enterprises should ensure the teams implementing and operating the network infrastructure have processes and procedures in place that include capabilities for having a secure network infrastructure. These processes and procedures include, but are not limited to:

  1. developing a network security architecture,
  2. implementing a continuous security improvement process,
  3. creating and evolving a network security maturity model,
  4. developing and maintaining network architecture diagrams and documentation,
  5. , ensuring no default settings or passwords for network devices, and
  6. implementing a patch and vulnerability management program for network infrastructure devices.

Control 12 is designed to help organizations enable and maintain more secure network infrastructure.

Safeguards for Control 12

12.1) Ensure Network Infrastructure is Up-to-Date

Description: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly or more frequently to verify software support.

Notes: The security function associated with this safeguard is Protect.

12.2) Establish and Maintain a Secure Network Architecture

Description: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability at a minimum.

Notes: The security function associated with this safeguard is Protect.

12.3) Securely Manage Network Infrastructure

Description: Securely manage network infrastructure. Example implementations include version-controlled infrastructure-as-code and the use of secure network protocols, such as SSH and HTTPS.

Notes: The security function associated with this safeguard is Protect.

12.4) Establish and Maintain Architecture Diagrams

Description: Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update documentation annually or when significant enterprise changes occur, that could impact this Safeguard.

Notes: The security function associated with this safeguard is Govern.

12.5) Centralize Network Authentication, Authorization, and Auditing (AAA)

Description: Centralize network AAA.

Notes: The security function associated with this safeguard is Protect.

12.6) Use of Secure Network Management and Communication Protocols

Description: Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (WPA2) Enterprise or greater).

Notes: The security function associated with this safeguard is Protect.

12.7) Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure

Description: Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices.

Notes: The security function associated with this safeguard is Protect.

12.8) Establish and Maintain Dedicated Computing Resources for all Administrative Work

Description: Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise’s primary network and not be allowed internet access.

Notes: The security function associated with this safeguard is Protect.

See how simple and effective security controls can create a framework that helps you protect your organization and data from known cyber-attack vectors by downloading this guide.

Read more about the 18 CIS Controls here:

CIS Control 1: Inventory and Control of Enterprise Assets

CIS Control 2: Inventory and Control of Software Assets

CIS Control 3: Data Protection

CIS Control 4: Secure Configuration of Enterprise Assets and Software

CIS Control 5: Account Management

CIS Control 6: Access Control Management

CIS Control 7: Continuous Vulnerability Management

CIS Control 8: Audit Log Management

CIS Control 9: Email and Web Browser Protections

CIS Control 10: Malware Defenses

CIS Control 11: Data Recovery

CIS Control 12: Network Infrastructure Management

CIS Control 13: Network Monitoring and Defense

CIS Control 14: Security Awareness and Skill Training

CIS Control 15: Service Provider Management

CIS Control 16: Application Software Security

CIS Control 17: Incident Response Management

CIS Control 18: Penetration Testing



Source link