CIS Control 12: Boundary Defense

The focus of this control is to ensure that the entry points into the network are clearly defined and monitored. Network boundaries in today’s environment do not have a clear edge, and are no longer defined as the single ingress point, protected by a firewall and edge routers, of the past. Today, the network perimeter extends well beyond this gateway into the organization, and encompasses the cloud when using AWS, Azure, or other services. A network edge is also the reach of a wireless network radio signal, and the VPN endpoints that serve the growing number of users working at home. The CISO must have a clear understanding of each network edge and the risks associated with it.

The CIS states this Control is critical:

“Attackers focus on exploiting systems that they can reach across the Internet, including not only DMZ systems but also workstations and laptop computers that pull content from the Internet through network boundaries. Threats such as organized crime groups and nation-states use configuration and architectural weaknesses found on perimeter systems, network devices, and Internet-accessing client machines to gain initial access into an organization. Then, with a base of operations on these machines, attackers often pivot to get deeper inside the boundary to steal or change information or to set up a persistent presence for later attacks against internal hosts. Additionally, many attacks occur between business partner networks, sometimes referred to as extranets, as attackers hop from one organization’s network to another, exploiting vulnerable systems on extranet perimeters.”

The journey of implementing the CIS Controls continues with understanding the boundaries of the network and defining how access should be controlled. Organizations are directed to deny communication over unauthorized TCP or UDP ports or application traffic, to ensure that only authorized protocols are allowed. The two specific sub-controls that are part of Implementation Group 1 (IG1) are:

For CIS Control 12, Tenable products allow the organization to actively and passively discover networks. Using the same methods as discussed in Control 9, active scanning allows for TCP port enumeration and network mapping efforts. Along with Control 1, network addresses can be discovered and documented. A valuable aid in this process is to use passive scanning around the network to identify systems that access the network from different locations. Both of these efforts contribute greatly to this control.

To further assist organizations, the "CIS Control 9/12: Monitoring Ports, Services and Network Boundaries" dashboard focuses on tracking active ports, services, and protocols. Tenable Security Center is able to routinely scan the network for open ports and services. Nessus scanners are capable of scanning internal and external assets to map out the subnets that are in use on the network. Tenable Security Center can also use passive detection to discover subnets that are not being scanned.

https://www.tenable.com/sc-dashboards/cis-control-912-monitoring-ports-services-and-network-boundaries
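The sub-control above (deny communication over unauthorized ports or protocols) only becomes measurable once scan results are compared against a written per-boundary policy. The following is an added example, not Tenable or CIS code: it reads constructed port-scan records in a simple host,port,proto,service format (not any product's export), maps each host to a hypothetical boundary policy keyed by CIDR, and reports open ports outside that policy as well as subnets the scan found that have no boundary definition at all.

```python
"""Audit discovered open ports against an authorized-port policy per network boundary."""
import csv
import io
import ipaddress

# Constructed sample scan output: one open port per row (not a real export format).
SCAN_CSV = """host,port,proto,service
10.1.10.5,443,tcp,https
10.1.10.5,22,tcp,ssh
10.1.10.7,3389,tcp,ms-wbt-server
10.2.20.9,53,udp,domain
10.2.20.9,8080,tcp,http-proxy
192.168.50.3,445,tcp,microsoft-ds
"""

# Hypothetical boundary policy: CIDR -> set of (port, proto) authorized on that segment.
POLICY = {
    "10.1.10.0/24": {(443, "tcp"), (22, "tcp")},  # DMZ web tier
    "10.2.20.0/24": {(53, "udp")},                 # internal DNS segment
}


def find_boundary(ip, policy):
    """Return the most specific policy CIDR containing ip, or None if no boundary covers it."""
    addr = ipaddress.ip_address(ip)
    matches = [ipaddress.ip_network(c) for c in policy if addr in ipaddress.ip_network(c)]
    return str(max(matches, key=lambda n: n.prefixlen)) if matches else None


def audit(scan_csv, policy):
    """Return (violations, unmapped_subnets).

    violations: (host, port, proto, service, boundary) for each open port not in the policy
    unmapped_subnets: /24 networks seen in the scan that have no boundary policy at all
    """
    violations, unmapped = [], set()
    for row in csv.DictReader(io.StringIO(scan_csv)):
        boundary = find_boundary(row["host"], policy)
        port, proto = int(row["port"]), row["proto"]
        if boundary is None:
            # Discovery found a segment nobody has defined an edge policy for.
            unmapped.add(str(ipaddress.ip_network(row["host"] + "/24", strict=False)))
        elif (port, proto) not in policy[boundary]:
            violations.append((row["host"], port, proto, row["service"], boundary))
    return violations, sorted(unmapped)


if __name__ == "__main__":
    bad, unknown = audit(SCAN_CSV, POLICY)
    for v in bad:
        print("unauthorized: %s %d/%s (%s) in %s" % v)
    for net in unknown:
        print("no boundary policy for", net)
```

Feeding it real scan output means replacing SCAN_CSV with the exported host/port/protocol fields and POLICY with the organization's own approved-port list per segment.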

The CAS provides guidance on how to assess the organization's progress in this journey. This guide illustrates how the CISO can effectively measure cybersecurity success. Shown below are the CIS Control 12 IG levels and requirements: