Stopping Breaches on a Budget How the Critical Security Controls Can Help You September 2016, Data Connectors Dante LoScalzo, Sr. Mgr., Security Consulting Services

© ControlScan Confidential 2 A bit about me ControlScan SCS overview Offensive Security Testing Services Penetration Testing, Social Engineering, etc. Compliance and Audit Services PCI HIPAA Introductions

© ControlScan Confidential 3 Common themes on penetration tests 90% of our “wins” can be mitigated No improvement Year after year, common factors persist How can we help move the needle on improvement? Cost-effective approach Discussion Overview

© ControlScan Confidential 4 Framework focused on defense Created in response to real-world attacks Developed with input of many industry experts SANS Institute, US and Australian governments, and more Guidance on implementation and tracking Prioritization of key controls Detailed approach “Measures” or metrics to track Overview of CIS CSC

© ControlScan Confidential 5 “Foundational Cyber Hygiene” Covers the 90% (probably more) Complex and difficult, but not as tough as they appear Long term benefits outweigh short term “pain” Should be in place before implementing other controls No such thing as a “security silver bullet” Top 5: The “Almost” Silver Bullet

© ControlScan Confidential 6 Know thyself Can’t defend what you don’t know about Authorized and Unauthorized Track what you have and address what you don’t Also helpful/critical for other processes Control 1: Device Inventory

© ControlScan Confidential 7 Where to look for devices: Actively scan Nmap with ndiff or diff Spiceworks Open Audit ( DHCP logs Network switches Netdisco Prevent unauthorized connections Network Level Authentication (802.1x) Client certificates Implementing Control 1

© ControlScan Confidential 8 Let the data dictate controls Often no cost-effective solution: Open Source and free solutions are kludgy MDM solutions are pricey Provision your own mobile devices Legally owning the device can solve other problems Key factors to consider: Not worth permitting what you can’t manage Employee-owned devices carry untold risk Malware, malware, malware BYOD: Inventory Headache

© ControlScan Confidential 9 Requires solid implementation of Control 1 Know Thyself (again, but even more!) Patch everything you need Forbid what you don’t Develop a baseline List the software permitted in your organization AppLocker Enforce Application whitelisting Limit exposure of legacy software/systems Control 2: Software Inventory

© ControlScan Confidential 10 Ease into application whitelisting Start with limiting execution to specific directories C:\Windows C:\Program Files and C:\Program Files(x86) Most malware runs from user profile directories! Application whitelisting on a budget: Software Restriction Policies (older) AppLocker Controlling Software

© ControlScan Confidential 11 Applies to hardware and software Low-hanging fruit first: For users, standardize workstation/laptop builds For servers, lock down remote administration Images, images, images Windows Active Directory Group Policies Linux CFEngine, Lynis and puppet Control 3: Secure Configuration

© ControlScan Confidential 12 Operating System Baselines CIS Benchmarks Nessus plugins Scan frequently and leverage results to improve Authenticated or “trusted” scans Can augment the software inventory process Ties in with Control 4 Software configuration easy wins Disable Javascript in Acrobat No Flash or Java without special dispensation Configuration Hardening: Where to begin

© ControlScan Confidential 13 A step beyond vulnerability scanning Address, remediate, rinse, repeat Authenticated or trusted scanning is a must Automate patch management Don’t forget software non-native to the operating system Adobe, Java, productivity applications Web server platforms Stay alert Leverage public information sources, get in front of “criticals” and “highs” Track Know what’s remediated or an accepted risk Control 4: Vulnerability Management

© ControlScan Confidential 14 Dual logins for administrators Strong monitoring of M/A/Cs to adminstrative accounts/groups MFA where possible, strong passwords where not Isolate admin functions Better to have separate physical boxes, but VMs better than nothing No more local admins! Hamstrings attacker ability to move laterally through environment Control 5: Administrative Credentials

© ControlScan Confidential 15 “What gets measured gets managed” – Peter Drucker CIS provided metrics to assist with measuring performance Detailed measures for each control Thresholds for different risk levels Can provide guidance on SIEM and other monitoring solution configuration Tracking with Measures

© ControlScan Confidential 16 Windows and Unix Account change events, including passwords Logon and logoff events, successful and failed Service status (start, stop, restart, failure) Critical file access events Log wipes Web Servers Brute force login attempts, excessive login fails Brute force attempts to discover content Service status Injection code in URL (SQL, JavaScript, HTML) But still: What to look for? (More low-hanging fruit)

© ControlScan Confidential 17 CSCs are not easy, but worth the effort These top 5 will prevent 90% (and likely more) of what attackers will throw at you Security doesn’t have to cost a ton of money A lot of native functionality to assist Security is a process, not a product Take-Aways

© ControlScan Confidential 18 Critical Security Controls Open Source Mobile Device Management CFEngine Lynis puppet Software Restriction Policies Links

© ControlScan Confidential 19 AppLocker Disabling JavaScript in Acrobat Links (continued)

For a copy of this deck or information on our services, feel free to reach out: Dante LoScalzo Thank you!