Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services

How do attackers exploit the absence of this control?

Attackers search for remotely accessible network services that are vulnerable to exploitation. Common examples include poorly configured web servers, mail servers, file and print services, and domain name system (DNS) servers installed by default on a variety of different device types, often without a business need for the given service. Many software packages automatically install services and turn them on as part of the installation of the main software package without informing a user or administrator that the services have been enabled. Attackers scan for such issues and attempt to exploit these services, often attempting default user IDs and passwords or widely available exploitation code.

How to Implement, Automate, and Measure the Effectiveness of this Control

  1. Quick wins: Host-based firewalls or port filtering tools should be applied on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
  2. Quick wins: Automated port scans should be performed on a regular basis against all key servers and compared to a known effective baseline. If a new port is found open, an alert should be generated and reviewed.
  3. Visibility/Attribution: Any server that is visible from the Internet or an untrusted network should be verified, and if it is not required for business purposes it should be moved to an internal VLAN and given a private address.
  4. Configuration/Hygiene: Services needed for business use across the internal network should be reviewed quarterly via a change control group, and business units should re-justify the business use. Sometimes services are turned on for projects or limited engagements, and should be turned off when they are no longer needed.
  5. Configuration/Hygiene: Operate critical services on separate physical host machines, such as DNS, file, mail, web, and database servers.
  6. Advanced: Application firewalls should be placed in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized services or traffic should be blocked and an alert generated.

Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls

CM-6 (a, b, d, 2, 3), CM-7 (1), SC-7 (4, 5, 11, 12)

Associated NSA Manageable Network Plan Milestones and Network Security Tasks

Milestone 3: Network Architecture
Security Gateways, Proxies, and Firewalls

Procedures and Tools to Implement and Automate this Control

Port scanning tools are used to determine which services are listening on the network for a range of target systems. In addition to determining which ports are open, effective port scanners can be configured to identify the version of the protocol and service listening on each discovered open port. This list of services and their versions is compared against an inventory of services required by the organization for each server and workstation, held in an asset management system such as those described in Critical Control 1. Newer features of these port scanners report the changes in services offered by scanned machines since the previous scan, helping security personnel identify differences over time.

Control 11 Metric:

The system must be capable of identifying any new unauthorized listening network ports that are connected to the network within 24 hours, alerting or sending e-mail notification to a list of enterprise personnel. Every 24 hours after that point, the system must alert or send e-mail about the status of the system until the listening network port has been disabled or has been authorized by change management. The system service baseline database and alerting system must be able to identify the location, department, and other details about the system where authorized and unauthorized network ports are running. While the 24-hour timeframe represents the current metric to help organizations improve their state of security, in the future organizations should strive for even more rapid alerting, with notification about an unauthorized open port on the network sent within two minutes.
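
As an added illustration of the baseline comparison described under Procedures and Tools and of the alerting requirement in the metric above (example code, not part of the original control text), the script below parses two scans whose lines are constructed in the style of nmap's grepable output, flags listeners that were not open in the previous scan, enriches each finding with location and department from a hypothetical asset inventory, and downgrades ports already approved by change management.

```python
"""Diff a fresh port scan against the service baseline and build alerts for new
listeners. Added example: scan lines are constructed in nmap -oG style, and the
inventory and change-management approvals are hypothetical stand-ins."""
import re

# Constructed sample data: last approved baseline scan and today's scan.
BASELINE_SCAN = """\
Host: 10.1.2.10 (web01)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 443/open/tcp//https//nginx/\tIgnored State: closed (998)
Host: 10.1.2.20 (dns01)\tPorts: 53/open/udp//domain//BIND 9/, 22/open/tcp//ssh//OpenSSH 7.4/\tIgnored State: filtered (998)
"""
CURRENT_SCAN = """\
Host: 10.1.2.10 (web01)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 443/open/tcp//https//nginx/, 8080/open/tcp//http-proxy//Jetty/\tIgnored State: closed (997)
Host: 10.1.2.20 (dns01)\tPorts: 53/open/udp//domain//BIND 9/\tIgnored State: filtered (999)
Host: 10.1.2.30 (newbox)\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (999)
"""
# Hypothetical asset inventory (Critical Control 1) and change-control approvals.
INVENTORY = {"10.1.2.10": ("Datacenter A", "IT"), "10.1.2.20": ("Datacenter A", "IT")}
AUTHORIZED = {("10.1.2.10", 8080, "tcp")}  # (ip, port, proto) approved by change management

# -oG port fields: port/state/proto/owner/service/rpc/version/ ; keep open ports only.
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/]*)//([^/]*)/")

def parse_scan(text):
    """Return {ip: {(port, proto): (service, version)}} for every host line."""
    result = {}
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*?Ports: (.*?)\t", line)
        if not m:
            continue
        ip, ports = m.groups()
        result[ip] = {(int(p), proto): (svc, ver)
                      for p, proto, svc, ver in PORT_RE.findall(ports)}
    return result

def diff_scans(baseline_text, current_text, authorized=AUTHORIZED, inventory=INVENTORY):
    """List one finding per listener open now but not in the baseline.
    Unknown hosts are flagged with UNKNOWN location/department rather than skipped."""
    base, cur = parse_scan(baseline_text), parse_scan(current_text)
    findings = []
    for ip, ports in cur.items():
        for (port, proto), (svc, ver) in ports.items():
            if (port, proto) in base.get(ip, {}):
                continue  # unchanged since the previous scan
            location, dept = inventory.get(ip, ("UNKNOWN", "UNKNOWN"))
            findings.append({
                "host": ip, "port": port, "proto": proto, "service": svc, "version": ver,
                "location": location, "department": dept,
                "severity": "info" if (ip, port, proto) in authorized else "alert",
            })
    return findings
```

Each finding carries the host's location and department so the notification meets the baseline-database requirement in the metric; the port that dns01 stopped listening on is not reported, since this control alerts on newly opened listeners.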

Control 11 Test:

To evaluate the implementation of Control 11 on a periodic basis, the evaluation team must install hardened test services with network listeners on 10 locations on the network, including a selection of subnets associated with DMZs, workstations, and servers. The selection of these systems must be as random as possible and include a cross-section of the organization's systems and locations. The evaluation team must then verify that the systems generate an alert or e-mail notice regarding the newly installed services within 24 hours of the services being installed on the network. The team must verify that the system provides details of the location of all of the systems where test services have been installed.

Control 11 Sensors, Measurement, and Scoring

Sensor: Host-based firewalls
Measurement: Verify that all systems have a host-based firewall installed and operating.
Score: Percentage of systems for which the host-based firewall can be verified to be functioning.

Sensor: Automated network scans
Measurement: Ensure that the solutions for Critical Controls 3 and 10 are being leveraged to monitor changes to services on protected systems.
Score: Pass/Fail.