Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.
Measures
M1 = # of blacklisted URLs from PhishTank or CTI report
M2 = # of blocked URLs (formal analytic or at)
M3 = time new URL u1 became available in CTI or PhishTank
M4 = time URL u1 was added to the DNS filter
Metrics
Boolean value = 0 if any active URL from PhishTank is allowed, otherwise 1
Coverage = M2/M1
Freshness = M3/M4 (bigger ratio is bad)
Inputs:
1. The organization's authoritative list of blacklisted URLs, those deemed not accessible from the organization's systems.
2. An authoritative source of known malicious URLs
Operations:
1. Compute the complement of the organization's blacklisted URLs (Input 1) relative to the authoritative list of malicious URLs (Input 2): assemble the list of those malicious URLs that are not blacklisted by the organization (M1).
Measures:
M1 = The number of known malicious URLs which are not present in the organization's blacklisted URLs
Metrics:
If M1 > 1, this metric fails, and the list generated by Operation 1 should be considered for addition to the organization's blacklisted URL list.
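One way to carry out Operation 1 and the M1 check above, as an added example that is not part of the original control text. The normalization rules (scheme ignored, host lowercased, trailing slash dropped), the treatment of host-only entries as covering the whole host, and all sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

FAIL_ABOVE = 1  # the page's rule: "If M1 > 1 this metric fails"

def normalize(url):
    """Reduce a URL or bare host to (host, path?query) so spelling variants compare equal."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url              # bare host or host/path entry
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    path = parts.path.rstrip("/")
    if parts.query:
        path += "?" + parts.query
    return host, path                      # assumption: scheme is ignored

def unblocked_malicious(blacklist, malicious):
    """Operation 1: malicious URLs (Input 2) not covered by the blacklist (Input 1)."""
    blocked_urls, blocked_hosts = set(), set()
    for entry in blacklist:
        host, path = normalize(entry)
        if path:
            blocked_urls.add((host, path))
        else:
            blocked_hosts.add(host)        # assumption: host-only entry blocks the whole host
    missing = []
    for url in malicious:
        host, path = normalize(url)
        if host not in blocked_hosts and (host, path) not in blocked_urls:
            missing.append(url)
    return missing

def evaluate(blacklist, malicious):
    """Return M1, the pass/fail result, and the URLs to consider for the blacklist."""
    missing = unblocked_malicious(blacklist, malicious)
    return {"M1": len(missing), "pass": len(missing) <= FAIL_ABOVE, "to_review": missing}

# Constructed sample data using reserved .example/.test names, not real indicators.
BLACKLIST = ["bad.example", "http://login.phish.test/verify", "HTTP://Files.Example/a.exe/"]
MALICIOUS = [
    "http://bad.example/kit/index.php",    # covered by the host-only entry
    "https://LOGIN.phish.test/verify/",    # same URL after normalization
    "http://files.example/a.exe",          # same URL after normalization
    "http://new.phish.test/reset?id=1",    # not blacklisted
    "http://cdn.example/drop.js",          # not blacklisted
]

if __name__ == "__main__":
    print(evaluate(BLACKLIST, MALICIOUS))
```

Comparing raw strings instead of normalized forms would report the second and third sample URLs as unblocked and inflate M1.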
Inputs:
1. List of web clients/browsers installed in the organization by endpoint
2. Approved configuration(s) covering each web browser/client in Input 1 indicating whether or not the browser must utilize URL filtering
Operations:
1. For each application instance (web browser/client) in Input 1, check the application's configuration against the appropriate approved configuration(s) from Input 2.
2. Create a list of the application instances that meet the approved configuration (M1).
3. Create a list of the application instances that do not meet the approved configuration (M2), noting each deviation.
Measures:
M1 = List of application instances (web browser/client) that meet the approved configuration (compliant list)
M2 = List of application instances (web browser or email client) that do not meet the approved configuration (non-compliant list)
M3 = Count of compliant application instances (count of M1)
M4 = Count of non-compliant application instances (count of M2)
M5 = Total count of installed web browser and email client instances (count of Input 1)