CAF Outcome B4.b: Secure Configuration

From the UK NCSC's Cyber Assessment Framework (version 3.1):

You securely configure the network and information systems that support the operation of essential functions.

Encrypt Sensitive Information

Protect sensitive information with strong encryption.

Restrict File and Directory Permissions

Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.

Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

Restrict Web-Based Content

Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.

User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.

Limit Access to Resource Over Network

Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.

Behavior Prevention on Endpoint

Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.

Credential Access Protection

Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.

User Account Control

Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.

Account Use Policies

Configure features related to account use like login attempt lockouts, specific login times, etc.

Active Directory Configuration

Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.

Boot Integrity

Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.

Operating System Configuration

Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.

Disable or Remove Feature or Program

Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

Password Policies

Set and enforce secure password policies for accounts.

Code Signing

Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.

Limit Software Installation

Block users or groups from installing unapproved software.

Restrict Library Loading

Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.

Application Isolation and Sandboxing

Restrict execution of code to a virtual environment on or in transit to an endpoint system.

Network Segmentation

Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services...

Privileged Process Integrity

Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.

Environment Variable Permissions

Prevent modification of environment variables by unauthorized users and groups.

• Strength of password-based authentication (SR 1.7)

  ISA/IEC 62443-3-3:2013

• Authenticator feedback (SR 1.10)

  ISA/IEC 62443-3-3:2013

• Mobile code (SR 2.4)

  ISA/IEC 62443-3-3:2013

• General purpose person-to-person communication restrictions (SR 5.3)

  ISA/IEC 62443-3-3:2013

• Authenticator management (SR 1.5)

  ISA/IEC 62443-3-3:2013

• Unsuccessful login attempts (SR 1.11)

  ISA/IEC 62443-3-3:2013

• Least functionality (SR 7.7)

  ISA/IEC 62443-3-3:2013

• Input validation (SR 3.5)

  ISA/IEC 62443-3-3:2013

• Disable access account after failed remote login attempts (4.3.3.6.7)

  ISA/IEC 62443-2-1:2009

• Identify the industrial automation and control systems (4.2.3.4)

  ISA/IEC 62443-2-1:2009

• Establish and document a patch management procedure (4.3.4.3.7)

  ISA/IEC 62443-2-1:2009

• Integrate cyber security and process safety management (PSM) change management procedures (4.3.4.3.5)

  ISA/IEC 62443-2-1:2009

• Change default passwords (4.3.3.5.7)

  ISA/IEC 62443-2-1:2009

• Require re-authentication after remote system inactivity (4.3.3.6.8)

  ISA/IEC 62443-2-1:2009

• Define and test security functions and capabilities (4.3.4.3.1)

  ISA/IEC 62443-2-1:2009

• Control system component inventory (SR 7.8)

  ISA/IEC 62443-3-3:2013

• Concurrent session control (SR 2.7)

  ISA/IEC 62443-3-3:2013

• Network and security configuration settings (SR 7.6)

  ISA/IEC 62443-3-3:2013

• Wireless use control (SR 2.2)

  ISA/IEC 62443-3-3:2013

• Session lock (SR 2.5)

  ISA/IEC 62443-3-3:2013

• Use control for portable and mobile devices (SR 2.3)

  ISA/IEC 62443-3-3:2013

• Software and information integrity (SR 3.4)

  ISA/IEC 62443-3-3:2013

• Restrictions on software installation (12.6.2)

  ISO 27001:2013

• System changes control procedures (14.2.2)

  ISO 27001:2013

• Verify, review, and evaluate information security continuity (17.1.3)

  ISO 27001:2013

• Network controls (13.1.1)

  ISO 27001:2013

• Technical review of applications after operating platform changes (14.2.3)

  ISO 27001:2013

• Installation of software on operational systems (12.5.1)

  ISO 27001:2013

• Restrictions on changes to software packages (14.2.4)

  ISO 27001:2013

• Controls against malware (12.2.1)

  ISO 27001:2013

• Secure development environment (14.2.6)

  ISO 27001:2013

• Change management (12.1.2)

  ISO 27001:2013