Key Takeaways for Control 9
Reduce your attack surface. Much of Control 9 is about limiting the external attack surface of a system, which is always the first step in securing an endpoint.
Duplication with other controls. Everything done in Control 9 is also accomplished by completing other controls elsewhere. I would probably leave this one for last, as it is the least impactful of all the controls (because of that duplication).
Requirement Listing for Control 9
1. ASSOCIATE ACTIVE PORTS, SERVICES AND PROTOCOLS TO ASSET INVENTORY
Description: Associate active ports, services, and protocols to the hardware assets in the asset inventory.
Notes: Use the same technology, or at least the same asset database, that you are using in Control 2 (specifically 2.5). A more advanced integration would tie the ports and protocols to the applications and then associate the applications with a business unit where possible. This also relates to Control 11.2, which asks you to associate network traffic configuration rules with a business unit.
2. ENSURE ONLY APPROVED PORTS, PROTOCOLS AND SERVICES ARE RUNNING
Description: Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.
Notes: Create a baseline of what is listening on the systems. Over time, you can comb through the results and make sure nothing is out of the ordinary. As you go through that process, any new port that is not expected should trigger an investigation. Using a vulnerability scanner such as IP360 or a tool like Tripwire Enterprise to list out ports will make this much easier on the security team.
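The two requirements above go together in practice: listener data is only useful once it is tied to an asset record (9.1), and a baseline is only useful once something compares new collections against it (9.2). The following is an added example, not code from the original article or from Tripwire's products: it parses constructed `ss -tlnp`-style output collected per host, attaches each listener to a hypothetical asset inventory (host names, owners and roles are made up), and reports anything listening that has no entry in the approved baseline, as well as approved services that have stopped listening.

```python
"""Added example: per-asset listening-port inventory and baseline comparison.

The asset inventory, approved baseline and `ss -tlnp` output below are all
constructed for illustration; host names and business units are hypothetical.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed asset inventory (Control 2 would normally supply this).
ASSET_INVENTORY = {
    "web01": {"owner": "E-Commerce", "role": "web"},
    "db01": {"owner": "Finance", "role": "database"},
}

# Constructed approved baseline: (asset, protocol, port) -> business justification.
APPROVED_BASELINE = {
    ("web01", "tcp", 443): "HTTPS storefront",
    ("web01", "tcp", 22): "SSH admin access",
    ("db01", "tcp", 5432): "PostgreSQL for ERP",
    ("db01", "tcp", 22): "SSH admin access",
}

# Constructed sample collections, in the shape of `ss -tlnp` output per host.
SAMPLE_SS_OUTPUT = {
    "web01": '''\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1040,fd=6))
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*          users:(("python3",pid=2211,fd=5))
''',
    "db01": '''\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=790,fd=3))
LISTEN  0       244     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=1302,fd=7))
''',
}

# One LISTEN row: state, queues, local addr:port, peer, then the owning process.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)


@dataclass(frozen=True)
class Listener:
    asset: str
    proto: str
    port: int
    bind_addr: str
    process: str


def parse_ss(asset: str, text: str) -> list[Listener]:
    """Extract TCP listeners from `ss -tlnp` output; header lines are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append(Listener(asset, "tcp", int(m["port"]), m["addr"], m["proc"]))
    return listeners


def build_inventory(samples: dict[str, str]) -> list[dict]:
    """Control 9.1: attach every listener to its asset record (owner, role)."""
    inventory = []
    for asset, text in samples.items():
        record = ASSET_INVENTORY.get(asset)
        if record is None:
            # A host we collected from but do not track is itself a finding.
            raise KeyError(f"{asset} is not in the asset inventory")
        for lst in parse_ss(asset, text):
            inventory.append({
                "asset": asset, "owner": record["owner"], "role": record["role"],
                "proto": lst.proto, "port": lst.port,
                "bind": lst.bind_addr, "process": lst.process,
            })
    return inventory


def find_unapproved(inventory: list[dict], baseline: dict) -> list[dict]:
    """Control 9.2: listeners with no validated business need in the baseline."""
    return [e for e in inventory if (e["asset"], e["proto"], e["port"]) not in baseline]


def find_missing(inventory: list[dict], baseline: dict) -> list[tuple]:
    """Approved services that are no longer listening (a change worth a ticket too)."""
    seen = {(e["asset"], e["proto"], e["port"]) for e in inventory}
    return sorted(key for key in baseline if key not in seen)


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_SS_OUTPUT)
    for finding in find_unapproved(inv, APPROVED_BASELINE):
        print(f"UNAPPROVED {finding['asset']} ({finding['owner']}/{finding['role']}): "
              f"{finding['proto']}/{finding['port']} bound to {finding['bind']} "
              f"by {finding['process']}")
    for asset, proto, port in find_missing(inv, APPROVED_BASELINE):
        print(f"MISSING {asset}: approved {proto}/{port} is no longer listening")
```

Run against the constructed data, the script flags the unexpected `python3` listener on `web01:8080`, attributed to the E-Commerce business unit, and reports no approved services missing. In a real deployment the collections would come from your scanner or agent rather than a pasted `ss` listing, and the baseline lookup would also record the bind address, since a service moving from `127.0.0.1` to `0.0.0.0` is an attack-surface change even though the port number is unchanged.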