My home shall be CIS Critical Controls compliant.

This is my pledge.

I don’t just mean Implementation Group 1 (IG1), either. IG1 comprises the fewest controls, the set CIS deems “Essential Cyber Hygiene”. My home network deserves nothing less than IG3, or every single CIS Critical Control. During my recent parental leave, my network has consistently and flawlessly streamed countless episodes of Shark Tank. For this, I owe it some love.

For those unacquainted, there are 18 “CIS Controls”, each broken up into several “Safeguards”. Please see the nice navigator CIS provides. I will go through these controls sequentially and implement every safeguard in my home network. My goal is to make implementation as painless & simple as possible.

Control 1 - Inventory & Control of Enterprise Assets

There are 5 safeguards for this control.

1.1 Establish and Maintain Detailed Enterprise Asset Inventory

I begin my asset inventory with a stroll through the house. Everything with the potential to “store or process data”, in the words of CIS, gets written on a notepad. What may be an enormous task to an enterprise is quite simple in a home. I can pretty much walk around and see everything that might be connected to my WiFi. Most of my devices are on WiFi, aside from a couple of things I have wired right next to my firewall.

After writing down all the devices I expect to see on my network, I log in to my home’s pfSense firewall and check out the DHCP leases. Comparing my list to the DHCP leases, everything matches up. Based on this info, I can begin a decent asset inventory. In fact, by setting up static DHCP assignments and adding notes on each entry, I can pretty much maintain an asset inventory through pfSense’s DHCP service. This works for me because everything on my network uses DHCP.

One potential issue is transient devices. I think it would be lame to disallow guests from connecting to my WiFi, so I need a way to track these devices’ existence, however briefly they may be connected to my network. DHCP alone doesn’t work for this, as the entries disappear once the lease expires. Anyway, I think this issue will be addressed by other CIS controls, and for now I have a solid asset inventory for my own stuff.

1.2 Address Unauthorized Assets

For this safeguard, I have identified an elite pfSense extension: arpwatch. This extension, coupled with some sort of notification mechanism, is effective at alerting me whenever something new pops up on my network. I’ve been using Pushover, which is nifty and allows me to go through alerts from an app or web browser. This safeguard specifically calls out addressing these assets “on a weekly basis”. With arpwatch and mobile notifications, I can address them immediately by deciding on an action. For me, the new devices popping up are usually family coming over and hopping on WiFi, so the action I take is nothing at all.

1.3 Utilize an Active Discovery Tool

What I’m gonna do here is use nmap and the Pushover API. There may be pfSense extensions or other tools that will automate this all for me, but I would like to do it myself. I would also like to experiment more with nmap to see how different assets on my network respond to different scan types. In particular, I’m curious how some IoT devices on my network will respond. What is the best series of scans for full coverage? Are there devices that are practically invisible to scans? These are some questions I’d like to address over time in a separate project, and perhaps I’ll update this safeguard as I do that.
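The pieces described in 1.2 and 1.3, as an added example that is not code from the post: arpwatch syslog events and `nmap -sn -oG` output are checked against an inventory keyed by MAC (the static DHCP notes), and the findings are turned into one Pushover message. The devices, syslog lines and nmap output are constructed; `igb1`, the inventory entries and the `KNOWN_IPS` set are assumptions.

```python
import re
import urllib.parse
import urllib.request
# Inventory keyed by zero-padded MAC, mirroring the static DHCP mappings' notes (hypothetical devices).
INVENTORY = {"aa:bb:cc:00:00:01": "living room TV", "aa:bb:cc:00:00:02": "NAS"}
KNOWN_IPS = {"192.168.1.10", "192.168.1.11"}
# Constructed syslog lines in the shape arpwatch writes; arpwatch prints MAC octets unpadded.
ARPWATCH_LINES = """\
Jan  5 10:22:01 pfSense arpwatch: new station 192.168.1.150 de:ad:be:ef:0:99 igb1
Jan  5 10:22:05 pfSense arpwatch: new activity 192.168.1.10 aa:bb:cc:0:0:1 igb1
Jan  5 11:02:44 pfSense arpwatch: flip flop 192.168.1.11 aa:bb:cc:0:0:2 (de:ad:be:ef:0:77) igb1
"""
# Constructed `nmap -sn -oG -` output for the same subnet.
NMAP_GREPABLE = """\
# Nmap scan initiated as: nmap -sn -oG - 192.168.1.0/24
Host: 192.168.1.10 (tv.lan)\tStatus: Up
Host: 192.168.1.150 ()\tStatus: Up
Host: 192.168.1.160 ()\tStatus: Up
"""

def norm_mac(mac):
    """Zero-pad octets so arpwatch's 'aa:bb:cc:0:0:1' matches the inventory key."""
    return ":".join(o.zfill(2) for o in mac.lower().split(":"))

ARP_RE = re.compile(r"arpwatch: (new station|flip flop|changed ethernet address) (\S+) (\S+)")

def arpwatch_events(text):
    """Events that need a decision: (kind, ip, mac, inventory note or None). 'new activity' is ignored."""
    return [(k, ip, norm_mac(m), INVENTORY.get(norm_mac(m))) for k, ip, m in ARP_RE.findall(text)]

def nmap_unknown_hosts(text, known_ips=KNOWN_IPS):
    """Up hosts in -oG output whose IP has no static mapping."""
    return [ip for ip in re.findall(r"^Host: (\S+) .*Status: Up", text, re.M) if ip not in known_ips]

def alert_text(events, unknown):
    """One line per finding: the message body for the Pushover notification."""
    lines = [f"{k}: {ip} {mac} ({note or 'NOT IN INVENTORY'})" for k, ip, mac, note in events]
    lines += [f"nmap: {ip} up but not in inventory" for ip in unknown]
    return "\n".join(lines)

def send_pushover(token, user, message, dry_run=True):
    """POST to Pushover's messages API; dry_run returns the encoded form body instead of sending."""
    form = {"token": token, "user": user, "title": "Home CIS 1.2/1.3", "message": message}
    data = urllib.parse.urlencode(form).encode()
    if dry_run:
        return data
    req = urllib.request.Request("https://api.pushover.net/1/messages.json", data=data)
    return urllib.request.urlopen(req).read()
```

Run with `dry_run=False` only after filling in your own Pushover application token and user key.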

1.4 Use DHCP Logging to Update Enterprise Asset Inventory

See 1.1: this is what I’m doing! As stated, everything is DHCP, so I’m using it almost exclusively to feed my inventory. If something tries to join my network with a static IP, I should still be able to see it because of safeguards 1.2, 1.3, and 1.5.
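The reconciliation that 1.1 and 1.4 describe, as an added example that is not code from the post: the static mappings (with their notes) in a pfSense config.xml fragment are the inventory, and the active entries in the ISC dhcpd.leases file are compared against it so that any device holding a lease without a static mapping stands out. Both files are constructed fragments in the shape pfSense and dhcpd use, and the devices are hypothetical.

```python
import re
import xml.etree.ElementTree as ET
# Constructed fragment of pfSense's config.xml: the static mappings whose notes
# serve as the asset inventory (hypothetical devices).
CONFIG_XML = """<pfsense><dhcpd><lan>
<staticmap><mac>aa:bb:cc:00:00:01</mac><ipaddr>192.168.1.10</ipaddr><hostname>tv</hostname><descr>Living room TV</descr></staticmap>
<staticmap><mac>aa:bb:cc:00:00:02</mac><ipaddr>192.168.1.11</ipaddr><hostname>nas</hostname><descr>NAS, wired next to firewall</descr></staticmap>
</lan></dhcpd></pfsense>"""
# Constructed ISC dhcpd.leases content (pfSense keeps it under /var/dhcpd/var/db/).
LEASES = """lease 192.168.1.10 {
  ends 4 2024/01/04 12:22:01;
  binding state active;
  hardware ethernet aa:bb:cc:00:00:01;
  client-hostname "tv";
}
lease 192.168.1.150 {
  ends 4 2024/01/04 12:30:00;
  binding state active;
  hardware ethernet de:ad:be:ef:00:99;
  client-hostname "guest-phone";
}
lease 192.168.1.151 {
  ends 4 2024/01/03 10:00:00;
  binding state free;
  hardware ethernet de:ad:be:ef:00:77;
}
"""

def load_inventory(config_xml):
    """MAC -> (ip, hostname, note) from the DHCP static mappings."""
    return {sm.findtext("mac").lower(): (sm.findtext("ipaddr"), sm.findtext("hostname"), sm.findtext("descr"))
            for sm in ET.fromstring(config_xml).iter("staticmap")}

LEASE_RE = re.compile(r"lease (\S+) \{(.*?)\}", re.S)

def active_leases(leases_text):
    """(ip, mac, hostname) for every lease whose binding state is active; free/expired ones are skipped."""
    out = []
    for ip, body in LEASE_RE.findall(leases_text):
        if "binding state active;" not in body:
            continue
        mac = re.search(r"hardware ethernet ([0-9a-f:]+);", body, re.I).group(1).lower()
        host = re.search(r'client-hostname "([^"]*)"', body)
        out.append((ip, mac, host.group(1) if host else ""))
    return out

def unknown_assets(config_xml, leases_text):
    """Active leases with no static mapping: devices the inventory is missing (or guests)."""
    inv = load_inventory(config_xml)
    return [lease for lease in active_leases(leases_text) if lease[1] not in inv]
```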

1.5 Use a Passive Asset Discovery Tool

Zeek has a plugin for pfSense, so that is what I’m going with. For those unfamiliar, Zeek is an NSM (network security monitoring) tool that generates different types of logs for network traffic. After installing and trying it out, I’m pleased to say there is something wrong with it. This is pleasing to me because I get to try and fix it. It is automatically set up via cron to send a Pushover alert every hour with a summary of that hour’s conn log. However, something about the script is broken, causing me to receive Python error alerts every hour instead of Zeek logs. Also, there doesn’t seem to be a convenient way to adjust the notification behavior to cover other log types, or filtered subsets of a log.
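An hourly conn.log summary with filtering, the part of 1.5 the post finds broken and inflexible, as an added example that is not the pfSense plugin's own script: the parser keys every record by Zeek's `#fields` header rather than by column position, and the summary can be restricted to one hour window and one service. The conn.log excerpt is constructed with a reduced field set, and the addresses and timestamps are hypothetical.

```python
from collections import Counter
# Constructed Zeek conn.log excerpt in Zeek's TSV format; the #fields line is authoritative.
CONN_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1704448921.1\tC1\t192.168.1.10\t51234\t203.0.113.5\t443\ttcp\tssl\t12.3\t1500\t80000\tSF
1704448950.2\tC2\t192.168.1.150\t40000\t203.0.113.9\t53\tudp\tdns\t0.1\t60\t120\tSF
1704449100.0\tC3\t192.168.1.150\t40001\t198.51.100.7\t23\ttcp\t-\t-\t-\t-\tS0
1704452600.0\tC4\t192.168.1.10\t51235\t203.0.113.5\t443\ttcp\tssl\t3.0\t400\t9000\tSF
#close\t2024-01-05-11-00-00
"""

def parse_conn_log(text):
    """Yield one dict per record, keyed by the names in the #fields header; '-' means unset."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield {k: (None if v == "-" else v) for k, v in zip(fields, line.split("\t"))}

def summarize(records, start_ts, end_ts, service=None):
    """Counts for records with start_ts <= ts < end_ts, optionally restricted to one service."""
    by_service, by_dest, failed = Counter(), Counter(), []
    for r in records:
        ts = float(r["ts"])
        if not (start_ts <= ts < end_ts) or (service and r["service"] != service):
            continue
        by_service[r["service"] or "unknown"] += 1
        by_dest[r["id.resp_h"]] += int(r["orig_bytes"] or 0) + int(r["resp_bytes"] or 0)
        if r["conn_state"] == "S0":  # attempt with no reply: worth a look when an IoT device does it
            failed.append((r["id.orig_h"], r["id.resp_h"], r["id.resp_p"]))
    return {"by_service": dict(by_service), "top_dest": by_dest.most_common(3), "no_reply": failed}

def hourly_report(text, hour_start):
    """The text an hourly cron alert should carry: one hour's window starting at hour_start (epoch)."""
    s = summarize(parse_conn_log(text), hour_start, hour_start + 3600)
    lines = [f"{k}: {v}" for k, v in sorted(s["by_service"].items())]
    lines += [f"{h}: {b} bytes" for h, b in s["top_dest"]]
    lines += [f"no reply: {o} -> {d}:{p}" for o, d, p in s["no_reply"]]
    return "\n".join(lines)
```

Pass `service="dns"` or similar to `summarize` to get the per-log filtering the plugin's notifier lacks.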

SUMMARY

To summarize my plan for Control 1 - Inventory and Control of Enterprise Assets:

  • 1.1 Write down assets and use DHCP static assignments with notes to maintain a list of assets
  • 1.2 Arpwatch
  • 1.3 Future Project: develop some nice nmap scripts and send filtered results via pushover API
  • 1.4 DHCP service on pfSense
  • 1.5 Zeek, with a future project where I improve its notification system and try fixing bugs