IVS-09: Network Defense

PF v1.0 References:

Previous Version:

Control Statement

Define, implement and evaluate processes, procedures and defense-in-depth techniques for protection, detection, and timely response to network-based attacks.

Implementation Guidance

Vulnerabilities in a physical environment also apply in a virtual environment. Configuration flaws and vulnerabilities in applications, firewalls, or networks leave them open to exploits. Defense-in-depth techniques should be leveraged across physical, logical, administrative, and other controls. Defense-in-depth techniques/insights that should be considered include:

  1. Deep packet analysis, traffic throttling, and black-holing.
  2. Ingress/egress traffic patterns may include media access control (MAC) spoofing and ARP poisoning attacks and/or distributed denial-of-service (DDoS) attacks.
  3. Perimeter firewalls implemented and configured to restrict unauthorized traffic.
  4. Security settings enabled with strong encryption for authentication and transmission, replacing vendor default settings (e.g., encryption keys, passwords, and SNMP community strings).
  5. Develop capabilities to detect unauthorized (rogue) network devices in the network and disconnect quickly.

Auditing Guidance

  1. Interview the team to evaluate if they have defined processes and procedures for protection, detection and timely response to address network-based attacks.
  2. Review evidence to establish that the defined processes and procedures have been implemented.
  3. Review evidence to establish that the processes and procedures are evaluated and validated periodically.
  4. Review evidence to establish that the processes and procedures are based upon a defense-in-depth approach.
  5. Review evidence to support the effective activation of incident response plans when necessary, including the associated communication protocols.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.