[sacm] CIS Control References for ECP

Adam Montville <adam.w.montville@gmail.com> Tue, 11 September 2018 02:09 UTC

From: Adam Montville <adam.w.montville@gmail.com>
Message-Id: <03C84D25-A657-4795-9F17-992B32F4C23A@gmail.com>
Date: Mon, 10 Sep 2018 21:09:05 -0500
Cc: "<sacm@ietf.org>" <sacm@ietf.org>
To: "Haynes Jr., Dan" <dhaynes@mitre.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sacm/aHqL4U7HmIC51lZDNHf6KaYKt74>
Subject: [sacm] CIS Control References for ECP

Danny,

I previously indicated that I would provide some reference information in the ECP Security Considerations. Rather than call out each specific control, I thought I'd try this approach first. The following is modified text intended to replace section 13.2.1. Let me know what you think.

[START]
The EPCP profile is in and of itself a countermeasure for a compromised endpoint. A primary defense for an endpoint is to run up to date software configured to be run as safely as possible. Ensuring that anti-virus signatures are up to date and that a firewall is configured are also protections for endpoints that are supported by the current NEA specifications. Additionally, endpoints that have hardware cryptographic modules provisioned by the enterprise, in accordance with [IEEE-802-1ar], can protect the private keys used for authentication and help prevent adversaries from stealing credentials that can be used for impersonation. Future versions of the EPCP may want to discuss in greater detail how to use a hardware cryptographic module, in accordance with [IEEE-802-1ar], to protect credentials and to protect the integrity of the code that executes during the bootstrap process.

In general, it is recommended that endpoint protections, including those endpoints running EPCP components, be part of an enterprise-wide security program, as informed by a reputable framework, such as the [CIS Controls]. Such frameworks generally require hardware and software inventory management (CIS Controls 1 and 2 respectively), vulnerability management (CIS Control 3), privilege/credential management (CIS Control 4), configuration management (CIS Controls 5 and 11), and logging/monitoring (CIS Control 6) as the foundation for any reasonable security program. Thus, EPCP not only supports such security programs, but is best applied as a covered entity under such programs, as this security considerations section details.
[END]

Kind regards,

Adam