Sunday, December 29, 2024

what are the most critical 18 CIS security controls ?

The 18 CIS (Center for Internet Security) Critical Security Controls are a prioritized set of best practices designed to strengthen an organization's cybersecurity posture. These controls are divided into three categories: Basic, Foundational, and Organizational. Below is an overview of the controls:

Basic Controls (1–6):

These are foundational and should be implemented first to establish a strong security baseline:

  1. Inventory and Control of Enterprise Assets: Maintain an accurate inventory of all enterprise hardware assets to identify unauthorized devices.
  2. Inventory and Control of Software Assets: Track all software to prevent unauthorized or vulnerable applications.
  3. Data Protection: Protect sensitive data through encryption, access control, and monitoring.
  4. Secure Configuration of Enterprise Assets and Software: Ensure systems and software are securely configured to minimize vulnerabilities.
  5. Account Management: Manage user accounts, including creating, monitoring, and revoking access as needed.
  6. Access Control Management: Limit access rights based on job roles, enforce multi-factor authentication, and monitor access.

Foundational Controls (7–16):

These build upon the Basic controls to provide more detailed security measures:

  7. Continuous Vulnerability Management: Regularly identify and address vulnerabilities in systems and software.
  8. Audit Log Management: Collect, review, and retain logs to detect and analyze security incidents.
  9. Email and Web Browser Protections: Implement safeguards against phishing, malicious links, and other email/browser-based threats.
  10. Malware Defenses: Deploy tools to detect, prevent, and respond to malware infections.
  11. Data Recovery: Develop robust backup and recovery processes to ensure data restoration after incidents.
  12. Network Infrastructure Management: Securely manage network devices and configurations to reduce risks.
  13. Network Monitoring and Defense: Use tools to monitor network traffic for suspicious activity and defend against threats.
  14. Security Awareness and Skills Training: Educate employees on cybersecurity risks and best practices through regular training.
  15. Service Provider Management: Evaluate third-party providers for secure handling of sensitive data.
  16. Application Software Security: Assess and mitigate vulnerabilities in software developed or used by the organization.

Organizational Controls (17–18):

These focus on broader organizational practices for maintaining security:

  17. Incident Response Management: Create a plan to detect, respond to, and recover from security incidents effectively.
  18. Penetration Testing: Conduct regular penetration tests to identify weaknesses in systems, processes, or personnel.

These controls are designed to be flexible and applicable across various industries, helping organizations prioritize cybersecurity efforts based on their risk profiles[1][2][3].

Citations:
[1] https://dev.to/awais_684/implement-cis-top-18-controls-in-your-organization-1j69
[2] https://hyperproof.io/cis-security-controls/
[3] https://www.kiteworks.com/risk-compliance-glossary/cis-controls-v8/
[4] https://www.impactmybiz.com/blog/cisv8-critical-security-controls/
[5] https://blog.netwrix.com/2022/09/16/top-cis-critical-security-controls-for-cyber-defense/
[6] https://www.securitymetrics.com/blog/whats-changed-cis-controls-v8
[7] https://embed-ssl.wistia.com/deliveries/3712ff62cfac074571eb6db3f089be0ca0e0a09c.webp?image_crop_resized=1280x720&sa=X&ved=2ahUKEwjBy_OH_c2KAxWQmYkEHaYnBVkQ_B16BAgEEAI
[8] https://www.cisecurity.org/controls

Friday, December 13, 2024

debugging web application firewall errors

The goal is to understand what is causing the request to fail on Azure WAF. Example log query (KQL):

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK"
| where Category == "ApplicationGatewayFirewallLog"
| where action_s == "Matched"
| project details_message_s, details_data_s

This returns a details_message_s such as:

details_message_s: Pattern match (?:\$(?:\((?:\(.*\)|.*)\)|\{.*\})|[<>]\(.*\)) at ARGS.

together with the matched request data in details_data_s.

Copy those two values to https://regex101.com/ to find where the pattern matches and why the request fails.
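The same check done offline, as an added example that is not from the post: it splits a details_message_s value into the rule regex and its location, runs that regex over the details_data_s value, and reports the substring that triggered the match. The message uses the regex shown above; both data values are constructed.

```python
import re

# Constructed samples shaped like the two columns the KQL query projects.
SAMPLE_MESSAGE = r"Pattern match (?:\$(?:\((?:\(.*\)|.*)\)|\{.*\})|[<>]\(.*\)) at ARGS."
SAMPLE_DATA = "comment=hello $(whoami) please"   # constructed argument that trips the rule
BENIGN_DATA = "comment=total is $5 (USD)"         # constructed look-alike that does not

# Shape of the message column: "Pattern match <regex> at <location>."
MESSAGE_RE = re.compile(r"^Pattern match (?P<regex>.+) at (?P<location>[A-Za-z_:-]+)\.?$")

def extract_pattern(details_message):
    """Return (regex, location) from a details_message_s value, or None if the shape differs."""
    m = MESSAGE_RE.match(details_message)
    if not m:
        return None
    return m.group("regex"), m.group("location")

def find_trigger(regex, data):
    """Return (start, end, matched_text) for the first hit of the rule regex in data, or None."""
    try:
        m = re.search(regex, data)
    except re.error:
        return None  # PCRE construct Python's re does not support: fall back to regex101
    return (m.start(), m.end(), m.group(0)) if m else None

def explain(details_message, details_data):
    """Tie the two log columns together: which rule regex, at which location, hit which substring."""
    parsed = extract_pattern(details_message)
    if parsed is None:
        return {"error": "unrecognised details_message_s"}
    regex, location = parsed
    hit = find_trigger(regex, details_data)
    return {"location": location, "regex": regex,
            "triggered_by": None if hit is None else hit[2],
            "offset": None if hit is None else hit[0]}

if __name__ == "__main__":
    print(explain(SAMPLE_MESSAGE, SAMPLE_DATA))   # triggered_by == "$(whoami)"
    print(explain(SAMPLE_MESSAGE, BENIGN_DATA))   # triggered_by is None
```

Running it over a batch of exported rows shows which argument values (and which rule) cause the blocks, which is the input you need before writing a WAF exclusion.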



https://techcommunity.microsoft.com/blog/azurenetworksecurityblog/azure-waf-tuning-for-web-applications/3776133

Friday, December 6, 2024

creating images in ACR

$CONTAINER_IMAGE_NAME = "your_image_name:0.1"
$CONTAINER_REGISTRY_NAME = "your_registry_name"

az login --tenant "XXXXXXXXXXXXXXXXXX"
az account set --name azurecloud --subscription "XXXXXXXXXXXXXXXXXXXXXXXX"

# This will pick local files
az acr build --registry "$CONTAINER_REGISTRY_NAME" --image "$CONTAINER_IMAGE_NAME" --file "Dockerfile" .

# This will pick remote files
az acr build --registry "$CONTAINER_REGISTRY_NAME" --image "$CONTAINER_IMAGE_NAME" --file "Dockerfile.azure-pipelines" "https://github.com/poorleno1/container-apps-ci-cd-runner-tutorial.git"




Various:

az acr task create --registry "$CONTAINER_REGISTRY_NAME" --name updateimage --context https://github.com/poorleno1/container-apps-ci-cd-runner-tutorial.git --file Dockerfile.azure-pipelines --image "$CONTAINER_IMAGE_NAME" --commit-trigger-enabled false

--commit-trigger-enabled
Indicates whether the source control commit trigger is enabled.

Thursday, December 5, 2024

Assign permissions to enterprise app using powershell

You might be required to add this storage account to Directory Reader role 



# find-module Microsoft.Graph.Authentication | install-module

Disconnect-Graph
Get-MgContext
# Each scope is a separate string; the original had the last two joined in one string, so only the first two were requested.
Connect-MgGraph -Scopes "Application.Read.All","AppRoleAssignment.ReadWrite.All","RoleManagement.ReadWrite.Directory" -TenantId "XXXXXXXXXXXXXXXXXXXXXXXXX"

Select-MgProfile Beta

# Service principal (managed identity) that receives the permissions
$MdId_Name = "ManagementAutomation"
$MdId_ID = (Get-MgServicePrincipal -Filter "displayName eq '$MdId_Name'").Id

# Microsoft Graph service principal (well-known AppId)
$graphApp = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"

# Application permissions (app roles) to grant
$graphScopes = @(
    "User.Read.All"
    "Mail.Send"
    "Mail.ReadWrite"
)

ForEach($scope in $graphScopes){
  $appRole = $graphApp.AppRoles | Where-Object {$_.Value -eq $scope}

  if ($null -eq $appRole) { Write-Warning "Unable to find App Role for scope $scope"; continue; }

  # Check whether the permission is already assigned
  $assignedAppRole = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MdId_ID | Where-Object { $_.AppRoleId -eq $appRole.Id -and $_.ResourceDisplayName -eq "Microsoft Graph" }

  if ($null -eq $assignedAppRole) {
    New-MgServicePrincipalAppRoleAssignment -PrincipalId $MdId_ID -ServicePrincipalId $MdId_ID -ResourceId $graphApp.Id -AppRoleId $appRole.Id
  }else{
    Write-Host "Scope $scope already assigned"
  }
}



Wednesday, December 4, 2024

Assign administrator roles with PowerShell

The general approach is to get the RoleID and then add the enterprise app's object ID as a member of that role:

Create an app using the CLI:

$app_name = "Deployment app"
$app = az ad app create --display-name $app_name --query '{appId: appId, objectId: id}' --output json
$app = $app | ConvertFrom-Json

$cred = az ad app credential reset --id $app.appId --display-name "client-secret" --years 2

# The service principal object is returned with an "id" field, as in az ad sp show below
$enapp = az ad sp create --id $app.appId --query '{appId: appId, objectId: id}' --output json
$enappID = az ad sp show --id $app.appId --query id --output tsv

Assign it to a role:

$AdminRoleObject = Get-AzureADDirectoryRole | where {$_.DisplayName -eq 'Application Administrator'}
Add-AzureADDirectoryRoleMember -ObjectId $AdminRoleObject.ObjectId -RefObjectId $enappID

If the role has not been activated yet ($AdminRoleObject is empty), enable it from its template:

$template = Get-AzureADDirectoryRoleTemplate | where {$_.DisplayName -eq 'Privileged Role Administrator'}
Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId

Other: assign Owner on a subscription:

az role assignment create --assignee $app.appId --role "Owner" --scope "/subscriptions/$subscriptionID"

Tuesday, December 3, 2024

list open ports

lsof -nP -iTCP -sTCP:LISTEN

ss -tunlp

netstat -tnlp

If the tools are missing (e.g. in a minimal container):

apt-get install procps
apt install net-tools
apt install iproute2 net-tools procps

Without any of them, the same information can be read from /proc:



#!/bin/bash
# This script lists processes with open TCP ports by reading /proc/net/tcp and
# matching socket inodes to file descriptors in /proc/[pid]/fd directories.

# Function to convert hexadecimal port number to decimal.
convert_port() {
  local hex_port=$1
  echo $((16#$hex_port))
}

echo "Processes with open TCP ports (based on /proc):"
printf "%-8s %-20s %-6s\n" "PID" "Process Name" "Port"
echo "-------------------------------------------"

# Skip the header line from /proc/net/tcp by using tail.
tail -n +2 /proc/net/tcp | while read -r line; do
  # Extract the local address (field 2) and the socket inode (field 10).
  local_address=$(echo "$line" | awk '{print $2}')
  inode=$(echo "$line" | awk '{print $10}')

  # If inode is empty, skip this line.
  if [[ -z "$inode" ]]; then
    continue
  fi

  # Extract the port (in hex) from the local_address (format: IP:PORT).
  port_hex=$(echo "$local_address" | cut -d':' -f2)
  port=$(convert_port "$port_hex")

  # Use find to look for file descriptors linking to this socket inode.
  pids=$(find /proc/[0-9]*/fd -lname "socket:\[$inode\]" 2>/dev/null | \
    cut -d'/' -f3 | sort -u)

  # For each matching process, retrieve the process name.
  for pid in $pids; do
    if [ -f "/proc/$pid/comm" ]; then
      pname=$(cat /proc/$pid/comm)
    else
      pname="N/A"
    fi
    printf "%-8s %-20s %-6s\n" "$pid" "$pname" "$port"
  done
done
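The same /proc/net/tcp walk in Python, as an added example that is not from the post: it decodes the hex address columns (the bash script above prints only the port), keeps only LISTEN sockets (state 0A) so the output matches what ss -tnlp shows, and maps socket inodes to PIDs. The sample table is constructed; the IPv4 byte order assumes a little-endian host.

```python
import os
import socket
import struct

# Constructed sample of /proc/net/tcp (header plus three sockets):
# 127.0.0.1:22 LISTEN, 0.0.0.0:80 LISTEN, 10.0.0.5:43210 -> 93.184.216.34:443 ESTABLISHED.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 23456 1 0000000000000000 100 0 0 10 0
   2: 0500000A:A8CA 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp

def decode_addr(hex_addr):
    """Decode 'IP:PORT' as /proc writes it: IPv4 in host byte order (little-endian here), port big-endian."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def parse_tcp_table(text, listening_only=True):
    """Parse /proc/net/tcp text; by default return only LISTEN sockets (what 'open ports' usually means)."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        local_ip, local_port = decode_addr(f[1])
        remote_ip, remote_port = decode_addr(f[2])
        state, uid, inode = f[3], int(f[7]), f[9]
        if listening_only and state != TCP_LISTEN:
            continue
        rows.append({"local_ip": local_ip, "local_port": local_port, "remote_ip": remote_ip,
                     "remote_port": remote_port, "state": state, "uid": uid, "inode": inode})
    return rows

def owner_pids(inode):
    """PIDs holding an fd for this socket inode (needs read access to /proc/<pid>/fd, i.e. root for other users)."""
    target, pids = f"socket:[{inode}]", set()
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                if os.readlink(f"/proc/{pid}/fd/{fd}") == target:
                    pids.add(int(pid))
        except OSError:        # process exited or fd directory not readable
            continue
    return sorted(pids)

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:  # IPv6 listeners live in /proc/net/tcp6 (32-hex addresses), not covered here
        for row in parse_tcp_table(fh.read()):
            print(f"{row['local_ip']}:{row['local_port']} uid={row['uid']} pids={owner_pids(row['inode'])}")
```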



List all processes:

#!/bin/bash
# This script lists all processes by scanning the /proc filesystem.

# Print header
printf "%-8s %-s\n" "PID" "Process Name"
printf "%-8s %-s\n" "--------" "----------------"

# Loop over directories in /proc that are numerical
for pid_dir in /proc/[0-9]*; do
    pid=$(basename "$pid_dir")
    
    # Check for the existence of the comm file which contains the process name
    if [ -f "$pid_dir/comm" ]; then
        proc_name=$(cat "$pid_dir/comm")
    else
        proc_name="N/A"
    fi
    
    printf "%-8s %-s\n" "$pid" "$proc_name"
done