Rule4 Ransomware Readiness Tool V2 (2021-10-27)
Filetype: XLSX, 0.39 MB. Source: www.rule4.com. Partial file snippet.
Rule4 Ransomware Readiness Tool

Overview

This tool is intended to serve as a guide to general ransomware readiness by providing grade-based assessments on a scale developed specifically for this tool. Controls are referenced in relation to the NIST Cybersecurity Framework (CSF) functions, but are not intended to be explicit mappings to the CSF. The Control ID, Control Type, and Control Detail columns provide a set of controls that, when operated at a high level of maturity, should greatly reduce both the likelihood and the impact of a ransomware event. Controls are classified as one of three general types:

- Plan, Inventory & Process Maintenance: controls and mechanisms that reduce ransomware risk through preparation and planning
- Threat Monitoring, Mitigation & Reduction: controls intended to reduce, or to identify and react to, threats common to ransomware
- Backup & Recovery Survivability: controls closely coupled with backup solution design and operation that reduce ransomware risk

It is suggested that organizations use this tool as a starting point and perform their own risk rating and adjustments where appropriate for their environment. To use the tool, score each yellow cell in the Control Status column (column E).

Attribution

© 2021 Rule4, Inc. All rights reserved.
Redistribution and use, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions must retain the above copyright notice, this list of conditions, and the following disclaimer: "THIS TOOL IS PROVIDED BY RULE4 AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RULE4 BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS TOOL, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE."
2. All advertising materials mentioning features or use of this tool must display the following acknowledgement: "This product includes a tool developed by Rule4."
3. Neither the name of Rule4 nor the names of its contributors may be used to endorse or promote products derived from this tool without specific prior written permission.

Sheet 1: Controls

Columns in the sheet: Function | ID | Control Type | Control Detail | Control Status | Control Grade | Function Grade

In this export every row still carries the starting values that precede scoring of the Control Status column: Control Status "Critical Coverage Gaps / No Capabilities" and Control Grade F. The formula-driven Function Grade cells show an Excel #NAME? error in the export. Those three columns are therefore omitted below; each row lists ID | Control Type | Control Detail, grouped under its CSF function.

IDENTIFY

IDN-1 | Plan, Inventory & Process Maintenance | Ensure that an accurate inventory of systems, services, and data assets is maintained, and that an up-to-date copy of this inventory is kept outside of the environment being protected.
IDN-2 | Plan, Inventory & Process Maintenance | Ensure that appropriate levels of threat and risk assessment activity have been performed to help identify control weaknesses or gaps across functions, relative to production business processes and data.
IDN-3 | Plan, Inventory & Process Maintenance | Ensure that data with privacy, compliance, or other regulatory protections, whose compromise may result in adverse effects to the organization even if the data is recoverable, is protected with sufficient controls based on organizational risk planning.
IDN-4 | Plan, Inventory & Process Maintenance | Understand the level of risk introduced by partners with elevated levels of connectivity to the organization, and ensure that suitable "quick disconnect" plans exist to mitigate threats associated with partner compromise and prevent spread.
IDN-5 | Threat Monitoring, Mitigation & Reduction | Ensure that vendor alerts are subscribed to for systems and services handling production data or workloads, to enable proactive vulnerability mitigation based on vendor announcements and patch or workaround releases. At a minimum, all exposed systems/services and perimeter infrastructure must be included.
IDN-6 | Plan, Inventory & Process Maintenance | Incorporate scenario planning for a complete-environment ransomware event in which all systems and services, including backup systems and software, are unavailable.
PROTECT

PRO-1 | Plan, Inventory & Process Maintenance | Operate a comprehensive patch management program that addresses all devices, systems, appliances, and other equipment (anything network connected or connectable) in the environment.
PRO-2 | Threat Monitoring, Mitigation & Reduction | Ensure that all systems are protected by a centrally managed antivirus platform, ideally coupled with EDR capabilities that include behavioral assessment and threat mitigation.
PRO-3 | Threat Monitoring, Mitigation & Reduction | Ensure that network-based IDS/IPS solutions are in place to monitor traffic to and from production assets for concerns or threats.
PRO-4 | Threat Monitoring, Mitigation & Reduction | Require multi-factor authentication for access to backup servers and backup applications, including RDP access from internal networks.
PRO-5 | Threat Monitoring, Mitigation & Reduction | Deploy host-based intrusion detection and prevention capabilities on high-risk/critical assets.
PRO-6 | Plan, Inventory & Process Maintenance | Enforce periodic data retention procedures that remove data retained past its defined retention period, to reduce both risk and recovery effort.
PRO-7 | Threat Monitoring, Mitigation & Reduction | Enforce egress controls that limit or prohibit direct outbound access for systems with no business or technical need for such connectivity.
PRO-8 | Threat Monitoring, Mitigation & Reduction | Enforce strong segmentation and traffic filtering between higher-risk production assets handling sensitive data and other resources in the environment, limiting permitted traffic to the absolute minimum necessary.
PRO-9 | Threat Monitoring, Mitigation & Reduction | Use a malicious-DNS blocking service for all external queries, to minimize the threat of compromise from visiting known malicious sites and to make command-and-control traffic less likely to succeed.
PRO-10 | Plan, Inventory & Process Maintenance | Perform periodic reviews to ensure that only the minimum necessary access is permitted for exposed services, partner connections, and client VPN connections.
PRO-11 | Backup & Recovery Survivability | Use unique accounts for on-disk access to, and modification of, backup data on backup infrastructure and services.
PRO-12 | Backup & Recovery Survivability | Prohibit general user and administrative groups from accessing (let alone writing or modifying) data on volumes where backups are stored. This includes ensuring that domain administrator or equivalent access is limited.
PRO-13 | Backup & Recovery Survivability | Take offline or unmount data volumes storing backup data when not in use.
PRO-14 | Backup & Recovery Survivability | Segment backup infrastructure from general network access, and do not present SMB/CIFS shares (including administrative shares) to networks. This includes isolating network-based storage connectivity.
PRO-15 | Backup & Recovery Survivability | Ensure backups include point-in-time recovery options spanning at least several weeks and months; a single most-recent backup is generally not considered sufficient.
PRO-16 | Backup & Recovery Survivability | Where possible, create backups by having the backup/storage infrastructure pull data from production systems, rather than having production systems push to it, so that fewer systems need access to backup infrastructure services.
PRO-17 | Backup & Recovery Survivability | Configure volume shadow copies and other system-level controls; they may provide recovery options in some scenarios but should not be depended on, as they are often targeted for deletion by malicious software.
PRO-18 | Backup & Recovery Survivability | Vigilantly patch backup software and its supporting operating systems, and protect them with an antivirus solution.
PRO-19 | Backup & Recovery Survivability | Use snapshots of backup data and/or critical systems to supplement backups.
PRO-20 | Backup & Recovery Survivability | Use off-site backups in some form, such as cloud or tape, to provide a last-resort recovery path for production data and data with defined retention requirements.
PRO-21 | Backup & Recovery Survivability | Ensure all off-site backups have sufficient controls in place to prevent unauthorized modification or removal in the event of control failures within the primary operating and backup environments.
PRO-22 | Backup & Recovery Survivability | Store physical backup copies and archives in a secured facility with appropriate access controls and climate controls, independent of primary storage facilities and personnel.
PRO-23 | Backup & Recovery Survivability | Store cloud storage backups and/or replication data in a manner that completely separates logical controls and access from the primary environment. Access should be bound to a service layer over a secure transport, and the storage must provide a mechanism for time-based immutability of written data for at least 30 days. Technologies such as object storage with object locking can be used to meet this objective.
PRO-24 | Backup & Recovery Survivability | Periodically, and at least monthly, inventory data for criticality and cross-check against current backup procedures to verify inclusion.
PRO-25 | Backup & Recovery Survivability | Where backups are encrypted, maintain decryption keys in a secure location with no dependency on environment access, ideally in multiple locations with at least one off-site.
PRO-26 | Backup & Recovery Survivability | As with encryption keys, maintain a reasonable amount of "bootstrap" software and license key information in an isolated environment/location to support more rapid recovery in the event of a significant ransomware event.
PRO-27 | Backup & Recovery Survivability | Depending on recovery time and recovery point objectives (RTOs and RPOs), ensure that an appropriate amount of cold spare infrastructure exists to better position the organization to tolerate adverse events. This is likely to include some amount of server, storage, and client compute capability.
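The PRO-15 requirement (restore points spanning weeks and months, not just the latest copy) is easy to state and easy to drift away from as retention jobs get tuned. The following check is an added example, not part of the Rule4 tool: it walks a backup catalogue and reports every tier bucket with no restore point. The tier depths (14 daily, 8 weekly, 6 monthly) are assumptions chosen for the example, since the tool sets no numbers, and the catalogue it runs against is constructed inline.

```python
"""Check that a backup catalogue gives point-in-time recovery spanning
several weeks and months (PRO-15) rather than a single latest copy.

Added example; not part of the Rule4 tool. Tier thresholds below are
assumptions for this example (the tool gives none): one restore point per
day for the last 14 days, one per ISO week for the last 8 weeks and one per
calendar month for the last 6 months, all counted back from `today`.
"""
from __future__ import annotations

from datetime import date, timedelta

DAILY_DAYS = 14       # assumed daily tier depth
WEEKLY_WEEKS = 8      # assumed weekly tier depth
MONTHLY_MONTHS = 6    # assumed monthly tier depth


def coverage_gaps(restore_points, today: date) -> list[str]:
    """Return one message per empty tier bucket; an empty list means PRO-15 is met."""
    have = set(restore_points)
    gaps: list[str] = []

    # Daily tier: every one of the last DAILY_DAYS calendar days needs a point.
    for i in range(DAILY_DAYS):
        day = today - timedelta(days=i)
        if day not in have:
            gaps.append(f"daily: no restore point on {day}")

    # Weekly tier: bucket by (ISO year, ISO week) so week boundaries are exact.
    weeks_have = {p.isocalendar()[:2] for p in have}
    for i in range(WEEKLY_WEEKS):
        year, week, _ = (today - timedelta(weeks=i)).isocalendar()
        if (year, week) not in weeks_have:
            gaps.append(f"weekly: no restore point in {year}-W{week:02d}")

    # Monthly tier: bucket by calendar month, walking back across year ends.
    months_have = {(p.year, p.month) for p in have}
    year, month = today.year, today.month
    for _ in range(MONTHLY_MONTHS):
        if (year, month) not in months_have:
            gaps.append(f"monthly: no restore point in {year}-{month:02d}")
        year, month = (year, month - 1) if month > 1 else (year - 1, 12)

    return gaps


def gfs_restore_points(today: date) -> list[date]:
    """Constructed grandfather-father-son catalogue that satisfies every tier."""
    points = {today - timedelta(days=i) for i in range(DAILY_DAYS)}
    this_monday = today - timedelta(days=today.weekday())
    points |= {this_monday - timedelta(weeks=i) for i in range(WEEKLY_WEEKS)}
    year, month = today.year, today.month
    for _ in range(MONTHLY_MONTHS):
        points.add(date(year, month, 1))
        year, month = (year, month - 1) if month > 1 else (year - 1, 12)
    return sorted(points)


TODAY = date(2021, 10, 27)  # fixed reference date so the example is deterministic

if __name__ == "__main__":
    print("GFS catalogue gaps:", coverage_gaps(gfs_restore_points(TODAY), TODAY))
    print("single latest backup, gap count:", len(coverage_gaps([TODAY], TODAY)))
```

Feed `coverage_gaps` the restore-point dates your backup platform reports (or, for object-storage backups, the version timestamps) and schedule it alongside the DET-2 failure check; a non-empty result is a PRO-15 finding even when every individual job succeeded.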
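PRO-23 names object locking as one way to get 30 days of time-based immutability, but a lock that is merely "enabled" does not satisfy the control. The assessment below is an added example, not part of the Rule4 tool: it takes the configuration dictionary in the shape boto3 returns from `s3.get_object_lock_configuration()["ObjectLockConfiguration"]` and reports why a bucket does or does not meet PRO-23. All sample configurations are constructed for the example; none was read from a real bucket.

```python
"""Assess an S3-style Object Lock configuration against PRO-23: written
backup data must stay immutable for at least 30 days even when the primary
environment's own controls have failed.

Added example; not part of the Rule4 tool. Input dicts follow the shape
boto3 returns from get_object_lock_configuration()["ObjectLockConfiguration"];
every sample configuration here is constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field

MIN_IMMUTABLE_DAYS = 30  # PRO-23 minimum retention window


@dataclass
class LockAssessment:
    meets_pro23: bool
    effective_days: int
    findings: list[str] = field(default_factory=list)


def assess_object_lock(config: dict) -> LockAssessment:
    """Return whether a bucket's default retention rule satisfies PRO-23.

    Pass {} for a bucket where get_object_lock_configuration raised
    ObjectLockConfigurationNotFoundError (lock was never enabled).
    """
    findings: list[str] = []
    if config.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled; backups can be overwritten or deleted at will")
        return LockAssessment(False, 0, findings)

    rule = config.get("Rule", {}).get("DefaultRetention")
    if not rule:
        findings.append("Object Lock is enabled but has no default retention; "
                        "each PUT must set retention itself, so unprotected writes are possible")
        return LockAssessment(False, 0, findings)

    # The API accepts either Days or Years (never both); normalise to days.
    days = int(rule.get("Days", 0)) + 365 * int(rule.get("Years", 0))
    mode = rule.get("Mode")
    if mode == "GOVERNANCE":
        # Governance retention can be removed by any principal granted
        # s3:BypassGovernanceRetention, i.e. by exactly the primary-environment
        # credentials a ransomware actor may already hold.
        findings.append("GOVERNANCE mode is bypassable with s3:BypassGovernanceRetention; use COMPLIANCE mode")
    elif mode != "COMPLIANCE":
        findings.append(f"unrecognised retention mode {mode!r}")
    if days < MIN_IMMUTABLE_DAYS:
        findings.append(f"default retention of {days} days is below the {MIN_IMMUTABLE_DAYS}-day minimum")
    return LockAssessment(not findings, days, findings)


# Constructed sample configurations (not from any real bucket).
COMPLIANT = {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 35}}}
GOVERNANCE_ONLY = {"ObjectLockEnabled": "Enabled",
                   "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 90}}}
TOO_SHORT = {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 7}}}
NO_DEFAULT_RULE = {"ObjectLockEnabled": "Enabled"}
LOCK_DISABLED: dict = {}

SAMPLES = {"compliant": COMPLIANT, "governance_only": GOVERNANCE_ONLY,
           "too_short": TOO_SHORT, "no_default_rule": NO_DEFAULT_RULE,
           "lock_disabled": LOCK_DISABLED}


def assess_samples() -> dict[str, bool]:
    """Evaluate every sample; only 'compliant' should pass."""
    return {name: assess_object_lock(cfg).meets_pro23 for name, cfg in SAMPLES.items()}


if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        r = assess_object_lock(cfg)
        print(f"{name:16} pass={r.meets_pro23} days={r.effective_days} {r.findings}")
```

The GOVERNANCE finding is the one most often missed in reviews: governance-mode retention looks immutable in the console, yet a principal with `s3:BypassGovernanceRetention` can shorten or remove it, which is precisely the control failure PRO-21 and PRO-23 ask you to survive. Compliance mode cannot be shortened by any principal, including the account root, until the period expires.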
DETECT

DET-1 | Threat Monitoring, Mitigation & Reduction | Ensure that procedures exist for core security monitoring functions (critical system log reviews, vulnerability announcements, patch compliance, AV/EDR alerts, IDS/IPS alerts, backup failures, etc.) and that performance of those procedures is tracked.
DET-2 | Backup & Recovery Survivability | Require that production backup failures create a ticket that requires human intervention to resolve.
DET-3 | Threat Monitoring, Mitigation & Reduction | Perform full-network vulnerability scans at least monthly to identify gaps in patch compliance.
DET-4 | Backup & Recovery Survivability | Ensure that alerts are configured for all interactive access (RDP, etc.) to critical backup service and data protection layers.
DET-5 | Threat Monitoring, Mitigation & Reduction | Ensure that ransomware-detection alerts in particular trigger mandatory rapid-response actions and generate a ticket, regardless of the alert source (IDS/IPS, AV/EDR, etc.).
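DET-4 asks for an alert on every interactive logon to backup infrastructure. On Windows the raw signal is Security event 4624 with an interactive LogonType, and the usual failure is alerting on all 4624s (drowning in the backup agent's own network logons) or on none. The rule below is an added example, not part of the Rule4 tool: it reads 4624 records in JSON-lines form, keeps only interactive logon types on hosts in a backup inventory, and emits one alert record per hit, ready to be turned into the ticket DET-5 requires. The hostnames and the sample events are constructed for the example.

```python
"""Alert on interactive access to backup infrastructure (DET-4) from
Windows Security event 4624 (successful logon) records.

Added example; not part of the Rule4 tool. The LogonType values are the
standard Windows ones: 2 = Interactive (console), 10 = RemoteInteractive
(RDP), 11 = CachedInteractive; 3 = Network and 5 = Service are the
non-interactive types backup agents and scheduled jobs normally produce.
The backup host inventory and the JSON-lines sample events are constructed
for this example.
"""
from __future__ import annotations

import json

# Assumed inventory of backup servers (short hostnames, lower case).
BACKUP_HOSTS = {"bkp-srv01", "bkp-srv02"}
INTERACTIVE_LOGON_TYPES = {2, 10, 11}

# Constructed sample events in the flattened JSON form a log shipper would
# emit for Security/4624 (and one 4625 failure to show it is ignored).
SAMPLE_EVENTS = """\
{"EventID": 4624, "Computer": "bkp-srv01.corp.example", "TargetUserName": "jdoe", "LogonType": 10, "IpAddress": "10.0.5.23", "TimeCreated": "2021-10-27T08:14:05Z"}
{"EventID": 4624, "Computer": "bkp-srv01.corp.example", "TargetUserName": "svc_backup", "LogonType": 3, "IpAddress": "10.0.9.40", "TimeCreated": "2021-10-27T08:15:00Z"}
{"EventID": 4624, "Computer": "file-srv07.corp.example", "TargetUserName": "jdoe", "LogonType": 10, "IpAddress": "10.0.5.23", "TimeCreated": "2021-10-27T08:16:30Z"}
{"EventID": 4624, "Computer": "BKP-SRV02.corp.example", "TargetUserName": "Administrator", "LogonType": 2, "IpAddress": "-", "TimeCreated": "2021-10-27T08:20:11Z"}
{"EventID": 4624, "Computer": "bkp-srv02.corp.example", "TargetUserName": "svc_backup", "LogonType": 5, "IpAddress": "-", "TimeCreated": "2021-10-27T08:21:00Z"}
{"EventID": 4625, "Computer": "bkp-srv02.corp.example", "TargetUserName": "jdoe", "LogonType": 10, "IpAddress": "10.0.5.23", "TimeCreated": "2021-10-27T08:22:47Z"}
"""


def short_host(computer: str) -> str:
    """Normalise 'BKP-SRV02.corp.example' to 'bkp-srv02' for inventory matching."""
    return computer.split(".", 1)[0].lower()


def interactive_backup_logons(jsonl: str) -> list[dict]:
    """Return one alert record per successful interactive logon to a backup host."""
    alerts: list[dict] = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4624:
            continue  # only successful logons; failures belong to a different rule
        if ev.get("LogonType") not in INTERACTIVE_LOGON_TYPES:
            continue  # network/service logons are expected backup-agent traffic
        host = short_host(ev.get("Computer", ""))
        if host not in BACKUP_HOSTS:
            continue  # interactive logons elsewhere are out of scope for DET-4
        alerts.append({
            "control": "DET-4",
            "host": host,
            "user": ev.get("TargetUserName"),
            "logon_type": ev["LogonType"],
            "source_ip": ev.get("IpAddress"),
            "time": ev.get("TimeCreated"),
        })
    return alerts


if __name__ == "__main__":
    for alert in interactive_backup_logons(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Two of the six sample events alert: the RDP logon by jdoe to bkp-srv01 and the console logon by Administrator to bkp-srv02. The backup service account's network and service logons, jdoe's RDP session to a file server, and the failed 4625 are all dropped. Because the rule matches on the host inventory rather than on user names, a new administrator account created by an attacker still alerts; keep BACKUP_HOSTS fed from the IDN-1 inventory so newly built backup servers are covered.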
RESPOND

RSP-1 | Plan, Inventory & Process Maintenance | Ensure that there is an accurate and current incident response process that is distributed to essential team members and has been practiced/drilled, ideally including a large-scale ransomware scenario.
RSP-2 | Plan, Inventory & Process Maintenance | Document key contact information in a channel that is out of band from the environment the response would cover, so that it remains available during an incident.
RSP-3 | Plan, Inventory & Process Maintenance | As part of preparation efforts, define starting-point/reference structures for scalable response based on the National Incident Management System Incident Command System (NIMS ICS) structure.
RSP-4 | Plan, Inventory & Process Maintenance | Task a subset of likely incident response leaders and key participants with completing the freely available NIMS ICS 100 and ICS 200 certifications to gain familiarity with NIMS ICS-based response methods.
RSP-5 | Plan, Inventory & Process Maintenance | Prepare an incident "go bag" (or bags) for organizational incident response. Often supported by or based on an incident response kit, this should include online tools, services, or platforms that can improve incident response coordination, in addition to items such as Wi-Fi hotspots, two-way radios, or other suitable equipment identified in incident response planning.
RSP-6 | Plan, Inventory & Process Maintenance | Inventory and refresh prepared incident response support material (response kits, contact information, service readiness reviews, etc.) at least biannually.
RSP-7 | Backup & Recovery Survivability | Pre-establish a lightweight secondary business communication service using separate domains, accounts, and passwords, i.e., completely separate from the production environment. This is advisable as a low-cost and quick-to-scale readiness measure, but its form depends on organizational size, complexity, methods of work (local/remote), RTOs, and RPOs. For example, an organization using M365 would create a separate tenant with a different DNS domain. This environment would be used to coordinate recovery and restoration efforts; including chat functionality such as Teams or Slack is advisable.
RECOVER

REC-1 | Backup & Recovery Survivability | Ensure that backup recovery methods are tested at least quarterly, including both local and cloud recovery methods (as defined in disaster recovery and business continuity planning).