Subcontrol 9.4 - Githubissues

adammontville / cis-controls-71-measures

0 stars 0 forks source link

Subcontrol 9.4 #15

Open adammontville opened 5 years ago

adammontville commented 5 years ago

Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed [check comments].

Measures

None provided. (Implied by metrics/KEI?)

Metrics/KEI

Coverage, M1 = # of illegal port / total port (active testing)

Firewall or port-filtering software is installed
Software is enabled/running
Only authorized holes are poked

wmunyan commented 5 years ago

Inputs:

List of endpoints to scan
A policy (or set of policies, potentially individually per endpoint) indicating the ports that are allowed to be open

Operations:

For each endpoint, retrieve the firewall policy
For each firewall policy, enumerate both the ports which allow communication, and any configuration of a default deny rule (could that be a default?)

Measures:

M1 = For an endpoint's firewall policy, 1 if all of the described open ports are in the allowed list
M2 = For an endpoint's firewall policy, 1 if a default deny rule exists and is enforced.

Metrics:

M1 AND M2

adammontville commented 5 years ago

We could assume that the list of endpoints are "hosts" to firewall software.

I think we also have M3 = total number of endpoints, and for each endpoint we want to further measure M4 = Logical AND of M1 and M2 for that endpoint.

A metric could then be: M4 / M3. This would be a simple ratio of correctly configured endpoints vs. total number of endpoints, where the goal is to get to 1.00.

adammontville commented 5 years ago

Inputs:

List of endpoints to scan (assumed capable of hosting firewall/port-filtering software)
A policy (or set of policies, potentially individually per endpoint) indicating the ports that are allowed to be open

Operations:

For each endpoint, retrieve the firewall policy
For each firewall policy, enumerate both the ports which allow communication, and any configuration of a default deny rule (could that be a default?)

Measures:

M1 = For an endpoint's firewall policy, 1 if all of the described open ports are in the allowed list
M2 = For an endpoint's firewall policy, 1 if a default deny rule exists and is enforced.
M3 = Total number of endpoints
M4 = Logical AND of M1 and M2 for that endpoint

Metrics:

M4 / M3 - simple ratio of correctly configured endpoints vs. total number of endpoints, where the goal is to get to 1.00.