Subcontrol 12.4 - Githubissues

adammontville / cis-controls-71-measures

0 stars 0 forks source link

Subcontrol 12.4 #21

Open adammontville opened 5 years ago

adammontville commented 5 years ago

Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries.

Measures

# of total unauthorized TCP/UDP ports(using formal analytics) = M1 = 2 * SUM from 𝑖=1 to n(# 𝑜𝑓 𝑢𝑛𝑎𝑢𝑡ℎ𝑜𝑟𝑖𝑧𝑒𝑑 𝑝𝑜𝑟𝑡 𝑖𝑛 𝑏𝑜𝑢𝑛𝑑𝑎𝑟𝑦 𝑑𝑒𝑣𝑖𝑐𝑒 𝑖)
M2= # of sent unique(in terms of port and device) probe
M3 = # of total unauthorized TCP/UDP ports(using formal analytics)
M4 = #of detected traffic to unauthorized TCP/UDP port
# of whitelisted application

Metrics/KEI

Measuring the detectability of connections to unauthorized TCP or UDP ports Coverage = M2/ M3
Quality Measure(Detectability) =M4/M3
Same as TCP/UDP port

This seems like a simple configuration measure.

wmunyan commented 5 years ago

Very similar to 9.4

Inputs:

List of endpoints (boundary devices) to scan
A policy (or set of policies, potentially individually per endpoint) indicating the ports and/or protocols that are allowed to pass across network boundaries

Operations:

For each endpoint, retrieve the firewall policy
For each firewall policy, enumerate both the ports which allow communication, and any configuration of a default deny rule (could that be a default?)

Measures:

M1 = For an endpoint's firewall policy, 1 if all of the described open ports are in the allowed list
M2 = For an endpoint's firewall policy, 1 if a default deny rule exists and is enforced.

Metrics:

M1 AND M2

adammontville commented 5 years ago

Inputs:

List of endpoints to scan (assumed capable of hosting firewall/port-filtering software)
A policy (or set of policies, potentially individually per endpoint) indicating the ports that are allowed to be open

Operations:

For each endpoint, retrieve the firewall policy
For each firewall policy, enumerate both the ports which allow communication, and any configuration of a default deny rule (could that be a default?)

Measures:

M1 = For an endpoint's firewall policy, 1 if all of the described open ports are in the allowed list
M2 = For an endpoint's firewall policy, 1 if a default deny rule exists and is enforced.
M3 = Total number of endpoints
M4 = Logical AND of M1 and M2 for that endpoint

Metrics:

M4 / M3 - simple ratio of correctly configured endpoints vs. total number of endpoints, where the goal is to get to 1.00.