
Critical Security Controls from ETSI: Guide

In the era of digitization, communication is mainly cloud-based, decentralized, and more exposed to cyberattacks. Without effective cybersecurity measures, communication tools face data theft, misuse of data, security breaches, and other problems.

ETSI, the European Telecommunications Standards Institute, is a globally recognized body overseeing data security measures in this industry. Recently, the institute updated its cybersecurity controls to ensure that the networks of the entities concerned are well protected.

This guide collects the key points of ETSI's Critical Security Controls.


What is the European Telecommunications Standards Institute (ETSI)?

Before discussing the recommended security controls, let's look at ETSI and what it is. As mentioned above, ETSI is a non-profit standardization body for the information and communication domain. It is responsible for establishing standards for the development and testing of ICT systems, services, and applications.

It was created in 1988 following a proposal of the European Commission, with the European Conference of Postal and Telecommunications Administrations (CEPT) as its founding body.

The body is recognized by the European Union as a European Standards Organization (ESO) and is tasked with supporting EU regulation through the development of harmonized European standards.

Some of the standards shaped by ETSI are GSM, 3G, 4G, 5G, TETRA, and DECT.

Some of the sectors ETSI focuses on are Content Delivery, Home & Office Networks, ICT, Wireless Systems, Connecting Things, Transportation, Public Safety, and Interoperability.

Although ETSI's primary remit is the EU, it has gained global recognition, with over 900 members from 65 countries, including many leading players in the ICT domain.

ETSI’s Experience in Cybersecurity

Over the years, ETSI has recognized that system security is not limited to hardware. The rapid spread of cloud-based tools and advanced networks has made cybersecurity a priority, and ETSI formed the Technical Committee Cyber (TC CYBER) in response.

The committee promotes the implementation of the CIS Controls in information and communication systems, since these controls are a practical way to protect ICT solutions against cyber risks. ETSI released its Critical Security Controls report to guide players in this industry in strengthening their cyber defenses with proven approaches.

ETSI brings its broad cybersecurity expertise to the work of TC CYBER. The report is a good way to understand the value that effective implementation of the Critical Security Controls brings. It is well constructed: even a non-technical reader can understand how to prevent an attack and which tactics to adopt if an attack does occur.

Because the CIS Controls are updated regularly, the ETSI TC CYBER reports are updated as well, so the institute keeps the industry supplied with current guidance on security enablement. The reports are extensive and current enough to be used for GDPR compliance.

ETSI has published many reports since its inception. For instance, TR 103 305-1 focuses on the actions needed to reduce attacks on networks and systems, while TR 103 305-2 addresses the role of security controls in reducing risks for IoT and mobile devices.

All in all, ETSI is doing a great job of reducing cyber risk in the information and communication domain.  

20 Best Practices In Cybersecurity At The Enterprise Industry Level

From hardware inventory to the maintenance of audit logs, the document covers cybersecurity extensively.

Twenty practices are explained, grouped into three sections. The first, Basic, contains six practices; they are of the highest importance and should be adopted in every environment without exception.

The second, Foundational, contains ten practices; these are also generic and must be used in all leading organizations. The last, Organizational, contains highly technical and complex practices.

Regardless of the category, every control in the document features:

  • A short description explaining what the control means
  • A table of the actions that need to be taken to implement the control effectively
  • A set of dependable tools and procedures required for deploying the control
  • A concise sample entity relationship diagram illustrating the control's deployment and activation

Let’s understand these controls in detail.

1: Inventory and Control of Hardware Assets

Description

This control aims to manage the inventory of hardware on the network so that only authorized devices can gain access, and unauthorized devices are found and blocked.

Importance of this control

Attackers aggressively hunt for vulnerable network-based resources they can use to break into a system. Devices that operate outside the enterprise network are preferred targets because they are not properly protected.

Attackers also target newly deployed hardware that has not yet received its security patches. Hardware is usually patched shortly after deployment, but if a device is installed in the evening, patching often waits until the next working day. That window lets attackers use the unpatched device to gain access to the network or digital assets.

Managing such resources is a major challenge for many enterprises, because the network environment is usually intricate and constantly evolving. The security control recommends a way to control such devices and to take care of their recovery, backup, and incident response.

Some of the key actions to take here are:

  • Use an active discovery tool to find out which devices are connected to a given network and update the asset inventory accordingly.
  • Use a passive discovery tool to identify devices connected to the network and update the inventory automatically.
  • Manage the asset inventory information effectively so that details such as machine name, network address, asset owner, and other attributes are recorded and maintained.
  • Deal with unwanted or unauthorized assets early. Such devices should be easy to identify and should be isolated immediately.

Recommended procedures, tools, and applications

The tools and technologies for this control follow from the procedural and technical actions it demands; mainly, they are tools capable of handling hardware inventory management.

Depending on requirements, some organizations use tools that manage hardware, software, and information together, while others use tools built for managing very large databases. Because IT asset management is a continuous job, enterprises need to keep their asset management tooling current.

Along with these active tools, organizations are recommended to use passive tools that can be paired with switch SPAN ports to monitor the data flow in the network.


2: Inventory and Control of Software Assets

Description

The control instructs organizations to actively monitor and correct the inventory of all software deployed on the network, and to make sure that only verified software runs on it. It also calls for eliminating outdated software and controlling unauthorized access.

Importance of this control

Outdated or legacy software is a great help to attackers because it is easy to exploit. Using the vulnerabilities of outdated software versions, bad actors can extract data from media files, web pages, and other resources, and can use such software to create a backdoor into an organization's network.

Such software is also observed to be a frequent vehicle for zero-day attacks, which are hard to control. Without adequate understanding, an organization can lose critical assets simply because of outdated software. This control instructs organizations to eliminate such software as early as possible, so that vulnerabilities are easy to identify and damage is kept under control.

Here are a few recommended actions to take according to this control.  

  • Maintain an inventory of authorized software covering every application the business needs to run.
  • Make sure that the software you use comes from a trusted vendor. Software without the backing of a verified vendor should be eliminated early.
  • Adopt application whitelisting so that only authorized software can execute.
  • Eliminate or isolate high-risk applications, both physically and logically, so that risks are contained early.

Recommended procedures, tools, and applications

As mentioned above, whitelisting is one of the most recommended techniques for controlling the risks of outdated software. It is applied with commercial whitelisting tools together with application execution control solutions. There is a wide range of asset inventory tools to choose from; when selecting one, make sure it can assess the risks of multiple applications at once.

The security control also instructs that whitelisting should be part of several security layers of a given environment. Solutions such as firewalls, IDS, anti-virus, and anti-spyware can be used in combination for whitelisting and blacklisting of applications.

For the best results, the control recommends customized whitelisting based on executable path, expression matching, and hashing. Adding greylisting improves this further, because it lets administrators define rules for a specific application.
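The following evaluator, added here as an illustration and not taken from the ETSI or CIS reports, shows how hash, executable-path and expression rules combine with a greylist rule that attaches an extra condition (here a code-signing publisher) to one application. The paths, file contents, publisher name and rules are constructed.

```python
"""Application allow-list evaluator: hash, executable-path and expression rules,
plus grey-list rules that attach an extra condition to a specific application.

Added example for the whitelisting discussion under control 2; this is not
ETSI's or CIS's code. Paths, file contents, publisher names and rules below
are constructed for the demonstration.
"""
import fnmatch
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Executable:
    path: str
    content: bytes           # constructed file bytes; a real agent reads the file from disk
    publisher: str = ""      # publisher as reported by a code-signature check (constructed)

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass(frozen=True)
class Rule:
    kind: str                     # "hash", "path" (shell-style glob) or "regex"
    value: str
    decision: str = "allow"       # "allow", or "grey" for a conditional rule
    require_publisher: str = ""   # condition a grey rule demands before allowing


# Most specific first: a hash pins one exact binary, a path glob a location,
# a regex a broader pattern. Path and regex rules only hold up when the
# matched directories are not writable by ordinary users.
_SPECIFICITY = {"hash": 0, "path": 1, "regex": 2}


def rule_matches(rule: Rule, exe: Executable) -> bool:
    if rule.kind == "hash":
        return rule.value.lower() == exe.sha256
    if rule.kind == "path":
        return fnmatch.fnmatchcase(exe.path, rule.value)
    if rule.kind == "regex":
        return re.search(rule.value, exe.path) is not None
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def evaluate(exe: Executable, policy: list) -> tuple:
    """Return ("allow" | "deny", reason). Anything no rule covers is denied."""
    for rule in sorted(policy, key=lambda r: _SPECIFICITY[r.kind]):
        if not rule_matches(rule, exe):
            continue
        if rule.decision == "allow":
            return "allow", f"{rule.kind} rule {rule.value!r}"
        # Grey-listed: the pattern matched, but execution is only permitted
        # when the extra condition (here: a specific publisher) also holds.
        if rule.require_publisher and exe.publisher == rule.require_publisher:
            return "allow", f"grey rule {rule.value!r} satisfied by publisher {exe.publisher!r}"
        seen = exe.publisher or "unknown"
        return "deny", f"grey rule {rule.value!r}: publisher {seen!r} not accepted"
    return "deny", "no matching rule (default deny)"


# Constructed policy for the demonstration.
APPROVED_BINARY = b"constructed bytes of an approved build"
POLICY = [
    Rule("hash", hashlib.sha256(APPROVED_BINARY).hexdigest()),
    Rule("path", "/usr/bin/*"),
    Rule("path", "/opt/vendor/*"),
    Rule("regex", r"^/home/[^/]+/tools/[^/]+\.AppImage$",
         decision="grey", require_publisher="Example Vendor Ltd"),
]

if __name__ == "__main__":
    for exe in (
        Executable("/usr/bin/ls", b"system binary"),
        Executable("/tmp/staging/app", APPROVED_BINARY),   # allowed by hash despite its location
        Executable("/home/alice/tools/editor.AppImage", b"x", publisher="Example Vendor Ltd"),
        Executable("/home/alice/tools/editor.AppImage", b"x"),
        Executable("/tmp/dropper", b"y"),
    ):
        print(exe.path, "->", evaluate(exe, POLICY))
```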


3: Continuous Vulnerability Management

Description

The goal of this control is to ensure that new security information is continuously gathered and assessed, so that vulnerabilities are detected and remediated early.

Importance of this control

Attackers look for newly published information they can exploit to mount a successful attack, mining software updates, threat bulletins, patches, security advisories, and other resources. This is why organizations are recommended to watch for vulnerabilities continuously.

This control explains why an organization must conduct periodic vulnerability scans and which actions to take. Early vulnerability detection and remediation prevents many problems later.

The control recommends the following actions for effective vulnerability management.

  • Automate vulnerability scanning with a tool so that nothing is missed. The tool should be SCAP compliant and must scan all network-based systems.
  • Run authenticated vulnerability scans against applications, both locally and remotely.
  • Perform scans with a dedicated assessment account that has been granted verified access to systems and information, to avoid unwanted access.
  • Use automated patch management tools for every operating system; this control recommends it as a protection strategy. Make sure that all operating systems are running updated versions.
  • Use a risk rating process to make sure that the highest-priority risks receive immediate attention.

Recommended procedures, tools, and processes

Vulnerability scanning has to be a non-negotiable part of system security, and organizations must pick vulnerability scanning tools according to their needs. Many find remote scanning tools effective, while some recommend dedicated tools. The control explains that the tool should be selected for its ability to identify security flaws across every stage and platform.

Standards such as CVE, OVAL, and CPE should be well supported by the chosen tool. Regardless of the tool, organizations are strongly recommended to use a verified login process and frequent scanning to achieve results-driven vulnerability scanning.
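As an added illustration of the risk rating step above (not code from the ETSI or CIS reports), the following combines a finding's CVSS score with exploit availability, exposure and asset criticality from the inventory, then maps the rating to a remediation deadline; the findings, weights and SLA tiers are constructed.

```python
"""Risk rating of vulnerability scan findings, as called for under control 3.

Added example, not ETSI's or CIS's code. The findings, asset attributes,
weights and SLA tiers are constructed; a real programme calibrates them to
its own environment and records them in its risk policy.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str               # scanner's identifier (placeholder values below)
    cvss: Optional[float]      # CVSS base score 0..10, or None if the scanner gave none
    exploit_public: bool       # a working exploit is publicly available
    internet_facing: bool      # from the asset inventory (control 1)
    criticality: int           # asset criticality 1 (low) .. 3 (mission critical)


def risk_score(f: Finding) -> float:
    """Combine technical severity with exposure and business impact."""
    if f.criticality not in (1, 2, 3):
        raise ValueError("criticality must be 1, 2 or 3")
    # A finding without a CVSS score is treated as medium rather than dropped,
    # so that "unknown" never silently sinks to the bottom of the queue.
    score = 5.0 if f.cvss is None else f.cvss
    if f.exploit_public:
        score *= 1.5
    if f.internet_facing:
        score *= 1.3
    score *= {1: 0.8, 2: 1.0, 3: 1.25}[f.criticality]
    return min(score, 20.0)


def remediation_sla_days(score: float) -> int:
    """Map a rating to a remediation deadline (constructed policy tiers)."""
    if score >= 12.0:
        return 7
    if score >= 8.0:
        return 30
    if score >= 4.0:
        return 90
    return 180


def prioritize(findings: List[Finding]) -> List[Tuple[Finding, float, int]]:
    """Return (finding, score, sla_days) tuples, most urgent first."""
    rated = []
    for f in findings:
        s = risk_score(f)
        rated.append((f, round(s, 2), remediation_sla_days(s)))
    return sorted(rated, key=lambda t: (-t[1], t[0].asset))


# Constructed findings: note that the internet-facing CVSS 7.2 issue with a
# public exploit outranks the CVSS 9.1 issue on an isolated low-value kiosk.
SAMPLE_FINDINGS = [
    Finding("web01", "VULN-PLACEHOLDER-1", 7.2, True, True, 3),
    Finding("hr-db01", "VULN-PLACEHOLDER-2", 7.5, False, False, 3),
    Finding("kiosk03", "VULN-PLACEHOLDER-3", 9.1, False, False, 1),
    Finding("printer02", "VULN-PLACEHOLDER-4", None, False, False, 1),
]

if __name__ == "__main__":
    for f, score, sla in prioritize(SAMPLE_FINDINGS):
        print(f"{f.asset:10} {f.vuln_id:20} score={score:6.2f} fix within {sla:3d} days")
```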

4: Controlled Use of Administrative Privileges

Description

This control emphasizes the use of standardized tools and processes to manage the administrative privileges granted on a given network, application, or system.

Importance of this control  

In an organization, users are granted access privileges according to their roles and responsibilities. Managing these privileges is crucial from an operational point of view, as it keeps unwanted access at bay. Attackers have techniques to exploit unmonitored admin privileges and steal sensitive business information. For instance, they can access an unattended workstation and use its uncontrolled privileges to download files and steal data from it.

Threat actors can use that access to install software such as keyloggers to track further device usage. With such a tool, it is easy to capture passwords, gain admin-level access to the device, and use it at will. This control explains the dangers of loosely controlled access privileges and the processes to fix them.

The following are the recommended actions for applying this security control.

  • Maintain an inventory of administrative accounts and use fully automated tools to manage local accounts.
  • Change default passwords immediately and set a strong admin password. Make sure the password combines special characters, digits, and symbols so that it is hard to guess.
  • Use MFA for all administrative accounts and make sure that administrative access takes place over fully encrypted channels.
  • Do not make scripting tools freely accessible; restrict their use to administrative access.

Recommended procedures, tools, and technology

Most major operating systems include built-in features for listing the accounts with the highest privileges, on both individual and domain-joined systems. To control the use of such accounts, it is strongly recommended to also review the accounts used by email clients and browsers. Operating systems can enforce password configuration policies and reject easy-to-guess passwords; devices such as the iPhone and MacBook even suggest generated strong passwords.

5: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

Description

Under this security control, the organization must have a rigorous configuration management policy in place to devise, implement, and manage robust security configurations for servers, workstations, laptops, and smartphones.

Importance of this control

Every device ships with default settings that promote ease of use. These settings are standardized and common to every unit. However, those defaults are a gift to cybercriminals, who can exploit them to gain access to the devices.

These default settings mainly concern the login password, port settings, general settings, and account controls. Organizations are strongly recommended to discard the defaults and apply customized settings, even though configuration is demanding.

Along with strong, customized configuration settings, continual configuration management is highly recommended to avoid inconsistent settings. This reduces the attack surface and gives organizations better control over network access.

The security control explains certain action-worthy practices to reduce configuration risks.

  • Protect the devices by using secured configuration settings and record them for future use.
  • Reduce the configuration risks by maintaining secure image usage across all the systems.
  • Store all the master images on fully configured servers.

Recommended procedures, tools, and technologies

Organizations are highly recommended to refer to the CIS Benchmarks Program and the NIST Checklist Program when deciding the security benchmarks for the software and systems they use. Some tweaking according to local policies is recommended so that the benchmarks remain relevant. For a complex environment, it is wise to adopt more than one security configuration for greater flexibility.

To avoid task repetition and tediousness involved in the process, organizations are strongly recommended to use paid or open-source management solutions that will integrate seamlessly with the existing systems and manage the configuration.


6: Maintenance, Monitoring, and Analysis of Audit Logs

Description

The sixth critical security control from ETSI focuses on audit logs. Under this control, audit logs should be collected, managed, and analyzed in a way that makes them useful for determining whether an attack has occurred.

Importance of this control

Inadequate security logs are a boon for threat actors, because they allow them to remain hidden while planning an attack. When audit records are not detailed, defenders find their hands tied: they know they are under attack but cannot act on it. A lack of robust audit logs helps an attacker go unnoticed for a very long time. Besides early attack detection, audit logs are useful for meeting multiple compliance requirements.

The following actions apply when implementing this security control.

  • Use at least three synchronized time sources for all network and server devices, so that they retrieve time information regularly and log timestamps are consistent.
  • Make sure local logging is active on all relevant networking and other devices.
  • Use central log management tools so that all audit logs are stored in one place and are easy to access.

Recommended procedures, tools, and systems

Almost all the leading networking solutions, firewalls, systems, and other digital resources have default logging capabilities. As a user, you must activate this logging capability and make sure that the audit logs are stored on centralized servers.

If you’re using tools like VPN, firewalls, and proxies, make sure that they all are configured in a way that they are supporting verbose logging.

Server operating systems must be configured to keep access logs, so that it is easy to find out who is accessing server-based tools. Using SIEM tools is a good practice for audit logs. For accurate attack detection, correlation tools are highly recommended, since they make it possible to analyze audit logs across sources for further inspection.
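The correlation the control describes depends on the synchronized time sources recommended above. The following added example (not code from the ETSI reports) normalizes constructed sshd lines from two hosts that log in different time zones into UTC, then flags a source that accumulates failed logins across both hosts and finally succeeds; hosts, addresses and lines are all constructed.

```python
"""Central log correlation: normalize timestamps from several hosts and
detect a burst of failed logins followed by a success from the same source.

Added example for the audit-log discussion under control 6; it is not
ETSI's code. The log lines and addresses are constructed: one host logs in
UTC+02:00 and the other in UTC, which is exactly the situation in which
unsynchronized or un-normalized clocks break correlation.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample: vpn-gw stamps lines in local time (+02:00), web01 in UTC.
SAMPLE_LOGS = """\
2023-03-30T09:15:02+02:00 vpn-gw sshd[412]: Failed password for admin from 203.0.113.7 port 51234 ssh2
2023-03-30T07:15:04+00:00 web01 sshd[7781]: Failed password for admin from 203.0.113.7 port 51235 ssh2
2023-03-30T09:15:07+02:00 vpn-gw sshd[412]: Failed password for root from 203.0.113.7 port 51236 ssh2
2023-03-30T07:15:09+00:00 web01 sshd[7781]: Failed password for admin from 203.0.113.7 port 51237 ssh2
2023-03-30T09:15:12+02:00 vpn-gw sshd[412]: Failed password for admin from 203.0.113.7 port 51238 ssh2
2023-03-30T07:16:00+00:00 web01 CRON[1]: pam_unix(cron:session): session opened for user root
2023-03-30T07:15:40+00:00 web01 sshd[7790]: Accepted password for admin from 203.0.113.7 port 51240 ssh2
2023-03-30T07:20:00+00:00 web01 sshd[7800]: Accepted password for alice from 198.51.100.23 port 40001 ssh2
2023-03-30T10:30:00+02:00 vpn-gw sshd[500]: Failed password for bob from 198.51.100.23 port 40002 ssh2
"""


def parse_events(text: str) -> list:
    """Parse syslog-style lines into events with UTC timestamps, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines the pattern does not cover are skipped, not treated as errors
        # Normalizing to UTC is what lets the +02:00 and +00:00 lines line up.
        ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "user": m["user"], "src": m["src"]})
    return sorted(events, key=lambda e: e["ts"])


def detect_brute_force(events: list, threshold: int = 5,
                       window: timedelta = timedelta(minutes=2)) -> list:
    """Alert when a source collects >= threshold failures (on any hosts) within
    `window` and then authenticates successfully."""
    recent_failures = defaultdict(list)   # src -> failed events still inside the window
    alerts = []
    for e in events:
        bucket = [f for f in recent_failures[e["src"]] if e["ts"] - f["ts"] <= window]
        if e["result"] == "Failed":
            bucket.append(e)
        elif len(bucket) >= threshold:
            alerts.append({
                "src": e["src"], "user": e["user"], "host": e["host"],
                "time": e["ts"].isoformat(), "failures": len(bucket),
                "hosts": sorted({f["host"] for f in bucket}),
            })
            bucket = []   # do not re-alert on the same burst
        recent_failures[e["src"]] = bucket
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(parse_events(SAMPLE_LOGS)):
        print(alert)
```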


7: Email and Web Browser Protections

Description

The security control instructs enterprises to harden web browsers and email clients so that attackers are kept away from these resources and the attack surface is reduced.

Importance of this control

The most common entry points for attackers are browsers and email clients. Attackers know how to trick a user into opening malicious content in a web browser or downloading a malicious attachment from a crafted email. Email and browsers are the most common social engineering targets, and improving their security cuts the attack risk considerably.

Some email and browser protection practices are quoted below.

  • Make sure that the browsers and email clients you use are fully supported and verified.
  • Use network-based URL filtering to control connectivity to unverified websites or pages.
  • Use DNS filtering to block malicious traffic and requests.
  • Make sure that unwanted file types cannot enter the system; block them.
  • Use email attachment sandboxing to block malicious attachments.
  • Use web filtering.

Recommended procedures, tools, and processes

Cybercriminals have many ways to exploit web browsers and email. For instance, they can create malicious web pages to steal visitors' data, and phishing emails mostly carry malicious links and attachments to exploit user data.

To avoid these risks, it is recommended to use only verified browser plugins and to change the default browser settings. Popup blockers help keep malicious content from reaching the browser, and DNS filtering blocks malicious content at the network level.

For email, ETSI recommends spam-filtering tools to limit the flood of malicious messages. The DMARC approach is also a viable way to reduce phishing and spam emails.
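As an added example for the DMARC recommendation (not code from the ETSI reports), the following parses a domain's DMARC TXT record and reports the weaknesses a defender would want to close: a monitor-only policy, partial enforcement, unprotected subdomains, or no reporting address. The records are constructed; in practice the input is the TXT record at `_dmarc.<domain>` returned by a DNS resolver.

```python
"""DMARC record parsing and assessment, for the DMARC recommendation under control 7.

Added example, not ETSI's code. The records below are constructed; in
practice the record is the TXT entry at _dmarc.<domain>, fetched with a DNS
resolver, and assess_dmarc() is run on what the resolver returns.
"""


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> dict:
    """Return the effective policy plus a list of weaknesses a defender should fix."""
    issues = []
    # The version tag must come first and be exactly DMARC1, or receivers ignore the record.
    if not record.strip().lower().startswith("v=dmarc1"):
        return {"valid": False, "policy": None, "pct": None, "subdomain_policy": None,
                "enforcing": False, "issues": ["record must start with v=DMARC1"]}
    tags = parse_dmarc(record)

    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        issues.append("p tag missing or invalid; receivers will not apply any policy")
        policy = None
    elif policy == "none":
        issues.append("p=none only monitors: spoofed mail is still delivered")

    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        issues.append("pct is not a number; receivers fall back to 100")
    if policy in ("quarantine", "reject") and pct < 100:
        issues.append(f"pct={pct}: only part of the failing mail is subject to the policy")

    # Subdomain policy defaults to the organizational policy when sp is absent.
    subdomain_policy = tags.get("sp", policy)
    if policy in ("quarantine", "reject") and subdomain_policy == "none":
        issues.append("sp=none leaves subdomains unprotected")

    if "rua" not in tags:
        issues.append("no rua address: aggregate reports are not being collected")

    return {"valid": True, "policy": policy, "pct": pct,
            "subdomain_policy": subdomain_policy,
            "enforcing": policy in ("quarantine", "reject") and pct == 100,
            "issues": issues}


if __name__ == "__main__":
    # Constructed records for a demonstration run.
    for rec in ("v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
                "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=quarantine; pct=50; sp=none",
                "p=reject; v=DMARC1"):
        print(rec, "->", assess_dmarc(rec))
```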


8: Malware Defenses

Description

In the malware defense control, ETSI explains that organizations must adopt practices that prevent the spread of malicious code, while automating data collection, taking remedial action, and maintaining a defense that adapts.

Importance of this control

Malicious software targets internet-facing assets and applications to exploit stored data and information. What makes malware so dangerous is how quickly it adapts and how deeply it penetrates a system; in no time it can disrupt an entire environment. A sound malware defense integrates quickly with the incident response system and supports effective remediation.

Some of the preferred actions here are:

  • Use a centrally managed anti-malware tool to monitor the health of servers, networks, and workstations.
  • Keep anti-malware and antivirus tools updated so that the most current protection is in place.

Recommended procedures, tools, and technology

Organizations use automation to update antivirus signatures, and fully automated assessments help detect malicious code early. The central aim of this control is to block malicious applications so that the resulting damage is contained; for this, the use of Bash and Windows PowerShell is recommended.


9: Limitation and Control of Network Ports, Protocols, and Services

Description

The security control calls for controlling and correcting the use of network ports, protocols, and services so that the attack surface is as small as possible.

Importance of this control

Attackers are constantly hunting for vulnerable applications that can grant them access to network services. Vulnerabilities arising from poorly configured web servers, DNS servers, mail servers, and print services are the root cause of many problems, and cybercriminals can exploit these services to mount a successful attack.

The following actions reduce the risks involved.

  • Link active ports, protocols, and services to the asset inventory so that they are always monitored.
  • Permit only verified ports, services, and protocols on your networks.
  • Conduct regular port scanning to detect unauthorized open ports.

Recommended procedures, tools, and technology

Port scanning tools are a good way to find risky open ports.
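The inventory-driven checks of control 1 (unknown devices, stale entries) and control 9 (ports and services not approved for an asset) share the same reconciliation step, so the following added example (not code from the ETSI reports) serves both: it parses a constructed discovery-scan export and compares it with a constructed inventory whose records carry the owner, address and approved services for each asset.

```python
"""Reconcile discovery output against the asset inventory: flag unknown
devices and stale entries (control 1) and services that are not approved
for an asset (control 9).

Added example for the asset-inventory discussion under control 1 and the
port/protocol/service discussion under control 9; it is not ETSI's code.
The inventory, MAC and IP addresses and the discovery output are constructed.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    ip: str
    owner: str
    allowed_services: set   # (proto, port) pairs approved for this asset


# Inventory keyed by MAC address (constructed), carrying the fields control 1
# asks for (machine name, network address, owner) plus the approved services.
INVENTORY = {
    "00:1a:2b:3c:4d:01": Asset("web01", "10.0.1.10", "platform-team", {("tcp", 22), ("tcp", 443)}),
    "00:1a:2b:3c:4d:02": Asset("db01", "10.0.1.20", "data-team", {("tcp", 22), ("tcp", 5432)}),
    "00:1a:2b:3c:4d:03": Asset("printer01", "10.0.1.30", "facilities", {("tcp", 9100)}),
}

# Constructed export of an active discovery scan: one line per observed
# device, "MAC IP" followed by proto/port/service tokens for each open port.
DISCOVERY = """\
00:1a:2b:3c:4d:01 10.0.1.10 tcp/22/ssh tcp/443/https
00:1a:2b:3c:4d:02 10.0.1.21 tcp/22/ssh tcp/5432/postgresql tcp/8080/http-proxy
00:1a:2b:3c:4d:99 10.0.1.77 tcp/23/telnet tcp/80/http
"""


def parse_discovery(text: str) -> dict:
    """Map each observed MAC to its address and the (proto, port, service) triples seen."""
    observed = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        mac, ip, *ports = fields
        services = set()
        for token in ports:
            proto, port, service = token.split("/", 2)
            services.add((proto, int(port), service))
        observed[mac.lower()] = {"ip": ip, "services": services}
    return observed


def reconcile(inventory: dict, observed: dict) -> list:
    """Return a list of findings; an empty list means inventory and network agree."""
    findings = []
    for mac, seen in observed.items():
        asset = inventory.get(mac)
        if asset is None:
            # Control 1: a device nobody approved is on the network.
            findings.append({"kind": "unknown_device", "mac": mac, "ip": seen["ip"],
                             "action": "isolate and investigate"})
            continue
        if seen["ip"] != asset.ip:
            findings.append({"kind": "address_changed", "asset": asset.name,
                             "expected": asset.ip, "observed": seen["ip"],
                             "action": "update the inventory or investigate"})
        for proto, port, service in sorted(seen["services"]):
            # Control 9: only approved ports/protocols/services may be exposed.
            if (proto, port) not in asset.allowed_services:
                findings.append({"kind": "unauthorized_service", "asset": asset.name,
                                 "service": f"{proto}/{port} ({service})",
                                 "action": "close the port or approve it in the inventory"})
    for mac, asset in inventory.items():
        if mac not in observed:
            # Control 1: the inventory says it exists but discovery did not see it.
            findings.append({"kind": "not_observed", "asset": asset.name, "owner": asset.owner,
                             "action": "confirm with the owner that the asset is still in service"})
    return findings


if __name__ == "__main__":
    for finding in reconcile(INVENTORY, parse_discovery(DISCOVERY)):
        print(finding)
```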


10: Data Recovery Capabilities

Description

Every tool or process that is involved in sensitive information handling must have robust data recovery capabilities.

Importance of this control

When an attack takes place, configurations are often modified. With data recovery, lost configuration settings can be restored. Some of the most recommended actions are:

  • Take regular backups.
  • Test backup data storage.
  • Apply adequate security practices to safeguard backup resources.

Recommended procedures, tools, and technologies

It is recommended to test backups once a quarter to make sure that they are intact.
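One way to make the quarterly "is the backup intact" test concrete, added here as an illustration rather than taken from the ETSI reports: record a manifest of file hashes when the backup is taken and verify a restored copy against it. The file tree below is constructed in a temporary directory so the script runs offline.

```python
"""Backup integrity check: record a manifest of file hashes when the backup is
taken, then verify a restored copy against it during the quarterly test.

Added example for the backup testing recommendation under control 10; it is
not ETSI's code. The file tree is constructed in a temporary directory so the
script runs offline. In practice the manifest is stored apart from the backup
itself, so that a compromised backup cannot also rewrite its own manifest.
"""
import hashlib
import json
import pathlib
import shutil
import tempfile


def sha256_file(path: pathlib.Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: pathlib.Path) -> dict:
    """Map each regular file (path relative to root, POSIX form) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored: pathlib.Path) -> dict:
    """Compare a restored tree with the manifest; ok only when nothing differs."""
    current = build_manifest(restored)
    missing = sorted(set(manifest) - set(current))
    extra = sorted(set(current) - set(manifest))
    corrupted = sorted(p for p in manifest.keys() & current.keys() if manifest[p] != current[p])
    return {"ok": not (missing or extra or corrupted),
            "missing": missing, "extra": extra, "corrupted": corrupted}


def demo() -> tuple:
    """Constructed run: back up a tree, restore it intact, then restore a damaged copy."""
    with tempfile.TemporaryDirectory() as tmp:
        source = pathlib.Path(tmp, "source")
        (source / "db").mkdir(parents=True)
        (source / "config").mkdir()
        (source / "db" / "orders.sql").write_text("INSERT INTO orders VALUES (1, 'constructed');\n")
        (source / "config" / "app.ini").write_text("[app]\nmode=prod\n")

        # Taken at backup time; the JSON is what you would keep off-line.
        manifest_json = json.dumps(build_manifest(source), indent=2)

        good = pathlib.Path(tmp, "restore_good")
        shutil.copytree(source, good)
        good_result = verify_restore(json.loads(manifest_json), good)

        # Damaged restore: one file altered, one missing, one stray file added.
        bad = pathlib.Path(tmp, "restore_bad")
        shutil.copytree(source, bad)
        (bad / "db" / "orders.sql").write_text("INSERT INTO orders VALUES (1, 'tampered');\n")
        (bad / "config" / "app.ini").unlink()
        (bad / "stray.tmp").write_text("left behind by the restore job\n")
        bad_result = verify_restore(json.loads(manifest_json), bad)
    return good_result, bad_result


if __name__ == "__main__":
    for label, result in zip(("intact restore", "damaged restore"), demo()):
        print(label, "->", result)
```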

11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

Description

Use effective configuration management tools to implement and manage the security configurations of network resources.

Importance of this control

Default configurations are a major risk for any network infrastructure; their ease of deployment is paid for by putting your information at risk. Maintaining secure configurations for network devices, documenting traffic configuration rules, and using automated tools to detect changes are useful steps for implementing this control.

Recommended procedures, tools, and technologies

The use of commercial tools that can help in evaluating the network filtering devices is highly recommended by this security control.

12: Boundary Defence

Description

Track the information flow across the networks featuring varying trust levels to avoid data damage.

Importance of this control

The prime target of a cybercriminal is any device that gives easy access to the internet. Attacks carried out by organized hacking groups succeed by exploiting weaknesses at architectural boundaries.

Actions that implement this control include maintaining network boundaries, conducting network scans, knowing and blocking malicious IP addresses, and denying communications across unneeded open ports.

Recommended procedures, tools, and technologies

This control builds on control 9 and adds further recommendations; for instance, a key focus is internal network segmentation, which helps contain intruders.


13: Data Protection

Description

Data exfiltration prevention is a must, and viable tools and processes must be in place to maintain the integrity of the sensitive data.

Importance of this control  

Data is everywhere, and organizations should use encryption and data loss prevention tools to prevent data theft. Cloud computing and mobile devices have increased the risks to data. Data exfiltration has to be stopped by means such as:

  • Maintain an inventory of mission-critical information.
  • Eliminate sensitive information that does not need to be kept.
  • Block unmonitored network traffic.

Recommended procedures, tools, and technologies

Organizations must label information according to its sensitivity, and data analysis is the first step to making that happen. Labels such as Public, Confidential, and Sensitive are preferred for data categorization.


14: Controlled Access Based on the Need to Know

Description

Use viable tools and processes to track, prevent, and correct access to critical assets.

Importance of this control

Encryption is the traditional way to protect data, but on its own it does not prevent data exfiltration. Physical theft is another way to gain unauthorized access to data. Data moving across systems or networks has to be fully protected, and the preferred actions are:

  • Activate firewall filtering.
  • Encrypt all data in motion.
  • Use network-based segmentation.
  • Use active discovery tools.

Recommended procedures, tools, and technologies

A wide range of encryption and key management tools is available. A DLP solution should also be used to prevent data exfiltration.


15: Wireless Access Control

Description

Use wireless security tools on WLANs, client systems, and access points to prevent unauthorized access.

Importance of this control

A large share of data theft happens because bad actors can reach resources operating over unprotected wireless systems. According to this security control, access on the wireless network can be controlled by:

  • Using wireless vulnerability scanning tools.
  • Keeping records of wireless access.
  • Preventing unauthorized access.

Recommended procedures, tools, and technologies

Wireless scanning, rogue device discovery, and risk detection tools are of great help here. In addition, it is mandatory to observe wireless traffic and analyze it for risks.


16: Account Monitoring and Control

Description

Manage the lifecycle of system and application accounts to reduce attack opportunities.

Importance of this control

Inactive user accounts are a favorite route for attackers to exploit a system. This control explains how an organization can reduce attacks by keeping records of its authentication systems, having a fully centralized authentication system, and using MFA.

Recommended procedures, tools, and technologies

Most leading operating systems have logging capabilities, and it is important to record account configuration so that it is easy to find out how account access is being used.


17: Implement Security Awareness and Training

Description

It’s important to find out all the specific skills, knowledge, and abilities related to the functional roles of an organization.

Importance of this control

Along with the technicalities of an attack, the behavior of the people concerned plays a crucial role in its success. Hence, this control explains that it is important to carry out gap analyses and conduct security awareness programs to avoid the risks.

Recommended procedures, tools, and technologies

Enterprise-wide awareness and training programs are of great help here. An annual cybersecurity training program must be in place.


18: Application Software Security

Description

This control recommends managing the life cycle of all in-house software so that security weaknesses are eliminated.

Importance of this control

Web-based and application-based vulnerabilities are the foundation of many attacks. Many factors contribute to vulnerabilities. Whatever the cause, this control recommends establishing a secure coding process, performing explicit error checking, and using only well-supported software versions.

Recommended procedures, tools, and technologies

The use of application scanning and testing tools is highly recommended here. Vulnerability assessment has to be the priority.


19: Incident Response and Management

Description

Have a viable incident response and management system to protect the information concerned, so that risks are identified quickly and damage is contained.

Importance of this control

There is no point in devising a strategy only after an incident takes place. Practices such as documenting incident response activities, having dedicated incident response professionals, and having organization-wide standards improve incident response and management.

Recommended procedures, tools, and technologies

Periodic scenario-based training and fine-tuning of the handling of threats are highly recommended.


20: Penetration Tests and Red Team Exercises

Description

To test the existing defense mechanism of an organization using a simulated attack.

Importance of this control

No defense mechanism is perfectly effective, and organizations should test its efficacy from time to time using simulated attacks. These attacks are useful for finding loopholes in existing systems and building a better version.

To do so, here are a few actions to take.

  • Use penetration testing and conduct it regularly.
  • Carry out periodic Red Team exercises.
  • Include unprotected systems in testing.

Recommended procedures, tools, and technologies

Penetration tests and Red Team exercises are expensive and complex, but still recommended. They bring great value and help strengthen the defensive mechanism. Referring to the OWASP and PCI testing controls is recommended.


Updated: March 30, 2023