
REPORT: CYBER CONTROLS
CLIENT: GANESH TECHNOLOGIES
DATE: 4/18/2024

Summary Report
4/18/2024

Level 1

Multi-factor Authentication
Require multi-factor authentication for all remote access and cloud-based services.

External Email Flag
Flag all email received from external email addresses with a bright colored flag.

Minimize Email Malware Exposure
Enable automatic email attachment malware detection and remediation.

Enable SPF or DKIM
Implement the Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM).

Created by TitanDef - CYBER CONTROLS 1 of 39

Restrict Local Admin Access
Ensure that end users do not have local admin rights on their respective end-point devices (e.g. laptop, desktop).

Account Password Lockout
Use and configure account password lockouts such that after a set number of failed login attempts, the account is locked for a standard period of time (30 to 60 minutes). Allow the account to unlock automatically after the lockout period.

Deploy Operating System Patch Management Tools
Deploy software update tools to ensure that the operating systems are running the most recent security updates.

Implement Security Awareness Training
Create security awareness training for all workforce members to complete on an annual basis.

Deploy Next-Gen Endpoint Protection Software
Deploy next-gen endpoint protection software on all endpoint devices within your organization.

Deploy Third Party Software Patch Management Tools
Deploy software update tools to ensure that third-party software on all systems runs the most recent security updates provided by the software vendor.

Ensure Regular Automated Data Backups
Ensure that all critical system data is automatically backed up on a regular basis.

SCADA - Portable Storage Device
Disable use of Portable Storage Devices on the SCADA systems.

Cyber Insurance
Obtain and maintain adequate cyber insurance coverage for risks like network security & privacy liability, media liability, business interruption, and errors and omissions.

Level 2

Hardware Asset Inventory
Maintain an accurate and up-to-date inventory of all physical technology assets.

Adopt Cyber Security Policy
A cybersecurity or Information Security policy is established, communicated, and adopted.

Regulatory Frameworks
An industry framework (NIST, CIS, ISO) has been identified, adopted, and actively used for cyber risk management.

Deploy SIEM or Log Analytic tool
Deploy a Security Information and Event Management (SIEM) or log analytic tool for log correlation and analysis.

Restrict Default Accounts and Passwords
Remove (where feasible) or rename the default accounts within all new software and hardware components. Then change the default password to a complex password that is consistent with administrative-level password requirements.

Software Asset Inventory
Maintain an accurate and up-to-date inventory of all software assets with a mapping to business use.

Admin Passwords Complexity
Configure all administrative passwords to be complex and contain letters, numbers, and special characters intermixed, with no dictionary words present in the password.

Dedicated Administrative Accounts
Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities.

Lock Workstation Sessions After Inactivity
Automatically lock workstation sessions after a standard period of inactivity.

Supported Email and Browser Clients
Ensure that only current and approved web browsers and email clients are used within the organization.

Restrict Email Attachment File Types
Block all e-mail attachments entering the organization's e-mail gateway if the file types are not on the approved list.

Ensure Next-Gen Endpoint Protection Software and Signatures are Updated
Ensure that the organization's endpoint protection software updates its scanning engine and signature database on a regular or real-time basis.

Maintain and Enforce Network-Based URL Filters (on network)
Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization.

Ensure All Account Passwords Have An Expiration Date
Ensure that all account passwords have an expiration date that is monitored and enforced (except some service accounts).

Report Phishing
Configure the email client with a "Report Phish" button/mechanism so employees can flag suspicious emails.

Backdoor & Vendor Interfaces
Ask the SCADA vendor to provide all backdoor and vendor interface connections.

Controlled Use of Removable Devices
Only issue encryption-enabled, corporate-owned USB devices and block all other portable storage devices (including phones) from connecting to or accessing company endpoints.

Mobile Privacy Policy
Have a privacy policy that accurately describes what your mobile app and your servers do with data.

Segregate Wireless Networks
Create and use a separate wireless network (guest) for personal, Bring Your Own Device (BYOD), or untrusted devices (visitors).

Encrypt All Wireless Traffic
Leverage the Advanced Encryption Standard (AES) to encrypt all wireless data in transit.

Use Multifactor Authentication For All Cloud Services
Ensure that administrative accounts for cloud services use two-factor authentication and differ from internal administrator accounts.

Secure Access to Physical IT Equipment
Secure all locations with critical IT equipment using physical locks or proximity access card systems. Restrict access to a few authorized employees and deactivate access on termination.

Disable Peer-to-Peer Wireless Communication
Prevent wireless clients (end-points) from directly communicating with each other.

Conditional Access
Apply conditional access policies that enable user app access and sessions to be monitored and controlled in real time based on access and session policies.

Level 3

Active Hardware Asset Discovery Scan
Update the hardware asset inventory by utilizing an active discovery tool to identify devices connected to the organization's network.

Cyber Security Budget
An annual budget is earmarked for cyber spending. Individual(s) within the organization have been assigned IT security roles and responsibilities.

Third Party Asset Inventory
Inventory and maintain information on all vendor/third-party-owned devices that reside on your network.

Third Party Risk - New Vendor Contracts
Third party cyber risk is assessed for all new vendor contracts.

Active Software Asset Discovery Scan
Update the software asset inventory by utilizing an automated scan tool to identify software currently installed and in use.

Authenticated Vulnerability Scan
Perform authenticated vulnerability scanning.

Automated Vulnerability Scan
Utilize a vulnerability scanning tool to automatically scan all corporate systems on a periodic basis to identify vulnerabilities.

Protect Dedicated Scan Account
Use a dedicated non-human account for authenticated vulnerability scans, which should not be used for any other administrative activities.

Vulnerability Notification
Sign up for automated email alerts from Common Vulnerabilities and Exposures (CVE) data sources.

Password Repository
Use a commercial off-the-shelf password repository to store administrative passwords and tightly control access to this repository.

Use Multifactor Authentication For All Administrative Access
Use multi-factor authentication for all administrative account access.

Sandbox All Email Attachments
Use sandboxing to analyze and block inbound email attachments with malicious behavior.

Identify Secure Configurations
Maintain security configuration standards for all authorized operating systems, network devices, security appliances, and software.

Activate Audit Logging
Ensure that local logging has been enabled on all systems and networking devices.

Ensure Protection of Backups
Ensure that backups are properly protected via physical security and encryption (only for sensitive data).

Open File Shares
Perform a scan for open file shares across the enterprise. Identify all shared file locations that can be accessed by everyone without access restrictions.

Block Macros from Untrusted Sources
Configure automatic blocking of all macros embedded within documents received from internet/external sources.

Restrict "Auto-run" Content on Devices
Configure devices to not auto-run content from removable media.

Secure Disposal
Develop procedures to wipe hard drives and remove configuration and all related information from assets ready to be retired.

Disable Unnecessary Connections
Disable all connections that are not necessary or critical to the operation of the SCADA systems.

Operator Accounts
Do not allow shared operator accounts. If there is a system limitation, maintain a way to track the operator based on shift/schedule or logical access path.

Phishing Campaign
Develop a phishing awareness training program that includes simulated phishing campaigns targeted at your own employees.

Encrypt Mobile Data in Transit
Ensure sensitive data is protected in transit.

Jailbroken or Rooted Device Check
Apps should consider adding code to check for jailbroken and rooted phones, and not allow use from compromised phones.

Encrypt the Hard Drive of All Endpoints
Utilize approved whole disk encryption software to encrypt the hard drive of all endpoints.

Level 4

Vulnerability Remediation Timeline
Establish and follow vulnerability remediation timelines based on the criticality score of each identified vulnerability.

Integrate Software and Hardware Asset Inventories
The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.

Use Unique Passwords
Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.

Log and Alert on Unsuccessful Administrative Account Login
Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.

Maintain Secure Configurations
Maintain secure images or configurations for all systems in the enterprise based on the organization's approved configuration standards.

Service Account Repository (SAR)
Maintain a centralized repository and provisioning mechanism for all service accounts.

Perform Complete System Backups
Backups should include the operating system, application software, and data on a machine. Schedule backups on a weekly, daily, and hourly basis based on data sensitivity and classification.

Test Data on Backup Media
Test data integrity on backup media on a regular basis (at least a quarterly rotating test) by performing a data restoration process to ensure that the backup is properly working.

DDoS Mitigation
Purchase a cloud-based anti-DDoS solution to filter or divert malicious DDoS traffic.

Block Web Based Email Services & Cloud Storage Solutions
Block access to all third-party web-based email services (e.g. Gmail, Hotmail) and file-sharing services (e.g. Dropbox) unless specifically approved for corporate use.

Use a Wireless Intrusion Detection System
Deploy a wireless intrusion detection system (WIDS) on public use Wi-Fi networks.

Bring Your Own Device (BYOD) Policy
Develop a BYOD policy that covers Mobile Device Management rules, the enrollment process, authentication parameters, restrictions on use of personal email for business, and acceptable use.

Encrypt or Hash all Authentication Credentials
When storing passwords, apply a hash function along with a salting mechanism for each password.

Disable Dormant Accounts
Monitor account usage to determine dormant accounts, notifying the user or the user's manager. Disable such accounts if not needed, or document and monitor exceptions.

Periodic Access Reviews
Create an easy-to-understand access list showing user account, application, and access descriptions (read, update, insert, delete), and periodically have all accounts reviewed by managers.

Third Party Reporting For Cyber Incidents
Assemble and maintain contact information for Law Enforcement and Information Sharing and Analysis Center (ISAC) partners for cyber incident reporting.

Securely Handle Credentials on Mobile Devices
Handle password credentials securely on the device.

Mobile Application Permissions
Mobile application developers declare the device permissions (calendar, contacts, location, photos) that are required by the business need in the mobile app. User device information that is not supported by a business need is not collected.

Cloud Connections
Encrypt all information stored outside the premises of the organization in the cloud, and ensure secure access to data stored in the cloud (e.g. using secure web browser connections).

Level 5

DHCP Logging
Enable Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools.

Third Party Data Protections - Data Transmission
Move data between partner networks (or third parties) using secure, authenticated, and encrypted mechanisms.

Uninstall Unapproved Software
Unauthorized software, freeware, or risky software, once identified, is uninstalled within a defined number of days of identification.

Vulnerability Remediation
Compare the results from back-to-back vulnerability scans to verify that vulnerabilities have been remediated per required timeframes.

Log and Alert on Changes to Administrative Group Membership
Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.

Separate Production and Non-Production Systems
Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.

Use of DNS Filtering Services
Use DNS filtering services to help block access to known malicious domains. Log all URL requests.

Maintain Inventory of Active Ports, Services and Protocols
Maintain an inventory of all active ports, services, and protocols needed for your environment.

Ports, Services and Protocols for COTS systems
Perform a port scan BEFORE and AFTER installing a COTS (commercial off-the-shelf) application on your hardened system. Disable any ports, services or protocols which were not mentioned in the COTS documentation as required.

Deny Communications with Known Malicious IP Addresses
Deny communications with known malicious or unused Internet IP addresses.

Deploy Network-based IDS Sensor
Deploy network-based Intrusion Detection System (IDS) sensors.

Deploy Network-Based Intrusion Prevention Systems
Deploy network-based Intrusion Prevention Systems (IPS).

Print Queue Logging
Configure network printers (MFPs) to log details of files printed (names), the user who printed, and other details like day/time of print jobs.

Disable Wireless Peripheral Access
Disable wireless peripheral access of devices (such as Bluetooth, NFC), unless such access is required for a documented business need.

Configure Centralized Point of Authentication
Configure access for all accounts through Single Sign On (SSO) authentication where possible, including network, security, and third party cloud systems.

Establish Automated Process for Revoking Access
Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities (job roles) of an employee or contractor.

Temporary Accounts
All application test accounts, contractor accounts, and third-party accounts must have: a) an owner identified that is the employee's/contractor's manager, b) the expiry date set during provisioning.

Document SCADA Network Map
Document the SCADA network and clearly outline all internet, wireless (satellite uplink), modem/dial-up, vendor connections and intranet connectivity to the SCADA network.

Use Strong Authentication and Session Management for Mobile
Implement user authentication, authorization and session management correctly.

Cloud Storage Access
Validate appropriate configurations for cloud storage access (S3 buckets should never have a public access policy).

Secure Development
Ensure web application developers use secure coding practices like the OWASP Top 10.

Level 6

Cyber Risk Management
Cyber risk management processes are established and actively managed.

Third Party Risk - Vendor Inventory
An inventory of all IT vendors/third parties is maintained, and periodic assessments are prioritized based on the extent of cyber risk with each vendor and the results of prior vendor assessments.

Whitelisting
Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked.

Firecall/Breakglass for Third Party
Implement on-demand privileged account usage for third party support instead of always-on access.

Securely Store Master Images
Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.

Enterprise Change Control
Establish an enterprise-wide change control process.

Enable Detailed Logging
Enable system logging to include detailed information such as event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.

Implement Automated Configuration Drift Monitoring Systems
Utilize a configuration monitoring system to verify all security configuration elements and alert when unauthorized changes occur.

Subscribe to URL-Categorization service
Subscribe to URL categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.

Enable Operating System Anti-Exploitation Features / Deploy Anti-Exploit Technologies
Enable anti-exploitation features such as Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) that are available in an operating system.

Centralize Anti-malware Logging
Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting.

Perform Regular Automated Port Scans
Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.

External Port Scan - Entire Range
Periodically port scan the entire range of external IPs you have been assigned (not just specific external IP address ranges).

Host Segregation
Operate critical services, such as DNS, DHCP, file, mail, web, and database servers, on separate physical or logical host machines.

Firewall Rule Management
Tag and inventory your firewall rules.

Firewall Rule Cleanup
Monitor rule usage biannually and consider dropping unused and overlapping rules.

Jump Servers
If 2FA is not feasible, consider restricting administration to geographically disparate (at least 2) or independently-hosted administrative jump stations and implementing 2FA on those jump servers.

Deploy Web Application Firewalls (WAFs)
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks.

Detect Wireless Access Points Connected to the Wired Network
Configure wireless network scanning tools (Snort, Kismet, nmap) to detect and alert on unauthorized wireless access points connected to the wired network.

BYOD Enterprise Mobility Management
Use an Enterprise Mobility Management (EMM) solution with Mobile Device Management (MDM), Mobile Application Management (MAM), and Mobile Content Management (MCM) capabilities and a secure container.

BYOD Remote Wipe
Remotely wipe corporate data/email from the storage container designated to hold corporate data on BYOD devices upon employee termination.

Encrypt Transmittal of Username and Authentication Credentials
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.

Document Incident Response Procedures
Ensure that there are written incident response plans, procedures, and playbooks (runbooks) that define the roles of personnel as well as the phases of incident handling/management.

Assign Job Titles and Duties for Incident Response
Assign job titles and duties for handling computer and network incidents to specific individuals.

Protect Sensitive Data on Mobile Device
Identify and protect sensitive data on mobile devices.

Level 7

Password Blacklist
Implement a password blacklist that checks against known weak passwords before a new password is allowed for use.

Automate Inventory of Administrative Accounts
Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.

Use of Dedicated Machines For All Administrative Tasks
Ensure administrators use a dedicated machine for all administrative tasks.

Pre-shared Keys
Treat pre-shared keys (TACACS+, RADIUS, SNMP community strings) like an administrator password and set character length and complexity matching the admin password requirements or stricter.

Service Account Login
Disable "Log on locally" and "Allow logon through terminal services" for all service accounts.

Service Account Password Rotation
Rotate the password of service accounts on a set frequency, while not automatically forcing them to change the password every xx days.

Automated Identification of Service Accounts
Use privileged access management software to automatically scan and identify all service accounts used within your environment.

Drift Remediation
Establish configuration drift remediation timelines based on risk ranking.

Auditing Service Accounts
Configure systems to issue a log entry and alert on specific logon events for all service accounts.

Synchronized Time Sources
Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.

Ensure Adequate Storage for Logs
Ensure that all systems that store logs have adequate storage space for the logs generated.

Log Review
On a regular basis, review logs to identify anomalies or abnormal events.

Central Log Management
Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.

Browser and Email client configurations
Maintain and deploy a secure baseline configuration for web browsers and email clients. Restrict end users from being able to change browser settings and install plug-ins.

Ensure Backups Have At least One Offline Copy
Ensure that all backups have at least one backup copy destination that is completely offline (USB/removable storage) and not accessed via any computer on your network.

Scan for PCI, PII and Confidential Data
Use an automated data scanning tool to perform periodic scans for PCI, PII and other confidential data stored in clear text.

Network Based Data Loss Protection (DLP)
Deploy a network-based DLP solution that detects and automatically blocks data like PCI, PII, or data marked with classification tags from leaving the network (web and email).

Endpoint Data Loss Protection (DLP)
Deploy an endpoint-based DLP tool on all endpoints and monitor the alerts/incidents for potential data loss events.

Print Job Processing
Configure printers to release print jobs when a user accepts the print job at the physical printer.

Segment the Network Based on Sensitivity
Segment sensitive parts of your network into separate zones, with specific security protocols applied to each zone.

Encrypt All Confidential Information in Transit
Encrypt all confidential data transmitted across internal and external networks (e.g., web, email, cloud transfers).

Cloud IDaaS
Use single sign-on or federated credentials for cloud service access.

Airgap SCADA Network
Airgap your SCADA network from the corporate network.

Use Breadcrumbs/Canary
Deploy breadcrumbs across your environment with alerts set to fire when the credentials, systems or data are accessed.

Secure Mobile API
Keep the backend APIs (services) and the platform (server) secure.

Secure Third Party Libraries for Mobile Application
Secure data integration with third-party services and applications in your mobile application.

Level 8

Change Control
Establish and follow a strict change procedure for security appliance configuration and all firewall rules.

Deny Unauthorized Assets
Ensure that unauthorized assets are either denied, removed from the network, or quarantined by placing them on a guest network.

Scan for Unauthorized Connections across Trusted Network Boundaries
Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.

Apply Static and Dynamic Code Analysis Tools
Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software.

Maintain an Inventory of Sensitive Information
Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located onsite or at a remote service provider.

Classify Data
Analyze and classify all your data based on the sensitivity of the information. Data security categories might include restricted, confidential, internal use, and public.

Encrypt Sensitive Information at Rest
Encrypt all sensitive information at rest.

Role Based Access Control
Identify roles and responsibilities that mirror the organizational chart and create access role profiles for each role. Assign users to each role rather than managing access for individuals.

Use Wireless Authentication Protocols that Require Mutual, Multi-Factor Authentication
Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), which requires mutual, multi-factor authentication.

Physical Security for Remote Connection Sites
Identify unmanned or unguarded remote connection sites (into the SCADA network) and minimize live access points at remote unguarded sites. Where feasible, monitor with motion sensors or cameras if the connection is absolutely necessary.

User Behavior Analysis
Alert when users deviate from normal behavior, such as time-of-day, workstation location, duration, and actions performed.

Cloud Access Controls
Allow access to cloud solutions only from the company's IP address ranges. Never allow cloud access directly from the internet.

Disable Fax Capabilities
Secure Configs: Disable the electronic faxing capabilities of MFP printers. Disable port 9100 and all internet-enabled printing.

Print from RAM
If the printer allows you to bypass its internal hard drive, print directly from RAM. When disposing of a printer, sanitize the internal hard drive.

Level 9

Third Party - Vendor Assessments
Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluation to confirm they are meeting their contractual obligations.

Record Privileged Account Session
Monitor and record sessions for privileged account activity involving sensitive data or systems.

Apply Host-based Firewalls or Port Filtering
Apply host-based firewalls or port filtering tools on servers/endpoints, with whitelists configured that drop all traffic except those services and ports that are explicitly allowed.

Use Automated Tools to Verify Standard Device Configurations and Detect Changes
Compare all network device configurations against approved baselines and alert when any deviations are discovered.

Manage Network Infrastructure Through a Dedicated Network
Use a dedicated network to manage network infrastructure.

Configure Monitoring Systems to Record Network Packets
Logs from your firewalls, IPS/IDS, and DMZ should flow to your log collection system.

Analyze and Monitor Logs from Security Appliances
Monitor and analyze logs from boundary defense tools, including high-risk events.

Deploy Host-Based Intrusion Detection Systems
Deploy HIDS (Host Intrusion Detection Systems) on critical infrastructure which is either perimeter facing, houses sensitive data or processes sensitive information.

Log Interruption Alerts
Ensure that the log collection system(s) do not lose log data, and that the system detects and automatically alerts if log collection is interrupted.

Deploy Application Layer Filtering (ALF) Proxy Server
Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections and data.

Use Data Classification Labels
Use graphically designed company logo templates for all MS Office documents with footer labels like Internal Use, Confidential and Restricted.

Enforce Detailed Logging for Access or Changes to Sensitive Data/Program Files
Enforce detailed audit logging for access to sensitive data or changes to sensitive data or system files.

Implement Decoys
Enumerate your IT environment and plant decoy endpoints, servers, devices into your environment with alerts configured to
fire on each of these decoys.

Mobile Tamper-Detection Technologies
Configure alerts when someone tries to tamper with your code or inject malicious code.

Conduct Periodic Incident Scenario Sessions for Personnel
Plan and conduct routine incident response exercises and scenarios for the workforce involved in incident response, to
maintain awareness and comfort in responding to real-world threats.

Safeguard Cloud Access Keys
Create unique access keys for each external service, rotate them every 60 days, and restrict access following the principle of
least privilege.

Cloud Logging
Make sure to turn on security logging and monitoring to see unauthorized access attempts and other issues.

Segment Publicly Accessible Applications from Internal Network
To minimize the impact of an attacker pivoting between compromised systems, only allow DMZ systems to communicate
with private network systems via application proxies or application-aware firewalls.

Level 10

Network Access Control
Ensure only authorized devices can connect to the network.

Authenticate Hardware Assets
Use client certificates to authenticate hardware assets connecting to the organization's trusted network.

Threat Intelligence
Receive cyber threat intelligence from information-sharing forums and sources.

Security Exceptions Process
An Information Security Policy Exception process handles requests from the business/IT for documented exceptions from
InfoSec policy requirements.

Compliance Requirements
Establish a compliance function/department dedicated to meeting applicable compliance requirements.

Third Party - Vendor Risk Remediation
For critical security risks identified with vendors, urge them to implement controls and track remediation progress.

Off-Network URL Filtering
Implement a mechanism to provide URL filtering for company-provided endpoints when off-network (home, airport,
travelling).

Implement DMARC
Implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification.

Deploy NetFlow Collection on Networking Boundary Devices
NetFlow collection and analysis tools should be deployed.

Decrypt Network Traffic at Proxy
Decrypt all encrypted network traffic at the boundary proxy to analyze the content.

Enable Firewall Filtering Between VLANs
Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate.

Geo-Fencing
Use geo-fenced decoy files that provide geo-location data and intelligence when opened.

Create Incident Scoring and Prioritization Schema
Create an incident scoring and prioritization schema based on known or potential impact to your organization. Use the score
to define the frequency of status updates and the escalation procedures.

Threat Hunting
Perform periodic threat hunting investigations based on known Indicators of Compromise (IOC) or Indicators of Attack
(IOA).

Conduct Regular External and Internal Penetration Tests
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to
exploit enterprise systems successfully.

Product Pen Testing
Conduct web application and mobile application pen tests before any new website, mobile application, or core
functionality built on new technology (e.g. 5G, SCADA) is launched.

CASB for Cloud
Use a cloud access security broker (CASB) that sits between cloud service users and cloud applications, monitors all
activity, and enforces security policies.

Cloud Provider SOC Reports
Organizations should require that all their cloud service providers share an SSAE 18 SOC 3, FedRAMP, or other compliance
report (if available) stating that they achieved compliance.
