
Slide 1: Stopping Breaches on a Budget: How the Critical Security Controls Can Help You
September 2016, Data Connectors
Dante LoScalzo, Sr. Mgr., Security Consulting Services
dloscalzo@controlscan.com

Slide 2: Introductions
© ControlScan 2016 - Confidential
- A bit about me
- ControlScan SCS overview
  - Offensive Security Testing Services: Penetration Testing, Social Engineering, etc.
  - Compliance and Audit Services: PCI, HIPAA

Slide 3: Discussion Overview
- Common themes on penetration tests: 90% of our “wins” can be mitigated
- No improvement: year after year, common factors persist
- How can we help move the needle on improvement? A cost-effective approach

Slide 4: Overview of CIS CSC
- Framework focused on defense
- Created in response to real-world attacks
- Developed with input of many industry experts: SANS Institute, US and Australian governments, and more
- Guidance on implementation and tracking
  - Prioritization of key controls
  - Detailed approach
  - “Measures” or metrics to track

Slide 5: Top 5: The “Almost” Silver Bullet
- “Foundational Cyber Hygiene”
- Covers the 90% (probably more)
- Complex and difficult, but not as tough as they appear
- Long term benefits outweigh short term “pain”
- Should be in place before implementing other controls
- No such thing as a “security silver bullet”

Slide 6: Control 1: Device Inventory
- Know thyself: can’t defend what you don’t know about
- Authorized and Unauthorized: track what you have and address what you don’t
- Also helpful/critical for other processes

Slide 7: Implementing Control 1
- Where to look for devices:
  - Actively scan: Nmap with ndiff or diff
  - Spiceworks
  - Open Audit (www.open-audit.org)
  - DHCP logs
  - Network switches: Netdisco
- Prevent unauthorized connections: Network Level Authentication (802.1x), client certificates
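The slide's "Nmap with ndiff or diff" idea carried one step further, as an added Python example that is not part of the deck: instead of diffing one sweep against the previous one, reconcile the sweep against the authorized inventory that Control 1 says you must already keep. The grepable-output sample, the IP addresses and the inventory are constructed for this example; the `AUTHORIZED` mapping and the `reconcile` function are this example's own names, not a ControlScan or Nmap API.

```python
"""Added example, not from the slides: reconcile an active Nmap sweep against
the authorized device inventory, so unknown hosts on the wire and stale
inventory entries both surface.

Assumptions (all constructed for this example): the sweep was saved in Nmap's
grepable format (nmap -sn -oG sweep.gnmap 10.0.0.0/24) and the authorized
inventory is a plain mapping of IP address to description.
"""
import ipaddress
import re

# Constructed sample of grepable ping-sweep output. Real files carry the same
# "# Nmap ..." comment lines, which the parser skips.
SAMPLE_GNMAP = """\
# Nmap 7.40 scan initiated Mon Sep 12 09:00:01 2016 as: nmap -sn -oG sweep.gnmap 10.0.0.0/24
Host: 10.0.0.1 (gw.corp.example)\tStatus: Up
Host: 10.0.0.10 (dc01.corp.example)\tStatus: Up
Host: 10.0.0.25 ()\tStatus: Up
Host: 10.0.0.77 (android-3f2a.corp.example)\tStatus: Up
Host: 10.0.0.200 (printer.corp.example)\tStatus: Down
# Nmap done at Mon Sep 12 09:00:09 2016 -- 256 IP addresses (4 hosts up) scanned in 8.12 seconds
"""

# Constructed authorized inventory: what Control 1 says you must already have.
AUTHORIZED = {
    "10.0.0.1": "core gateway",
    "10.0.0.10": "domain controller",
    "10.0.0.12": "file server",
}

# A "Host:" line of a full port scan carries "Ports:" instead of "Status:",
# so this pattern only matches the status line of each host.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")


def parse_gnmap(text):
    """Return {ip: reverse_name} for every host Nmap reported as Up."""
    up = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m and m.group(3) == "Up":
            up[m.group(1)] = m.group(2)
    return up


def reconcile(seen, authorized):
    """Split the sweep into unauthorized (on the wire, not in inventory),
    expected (in both) and missing (in inventory, not seen). Missing hosts
    deserve a look too: a stale inventory is as bad as none."""
    key = ipaddress.ip_address
    unauthorized = sorted((ip for ip in seen if ip not in authorized), key=key)
    expected = sorted((ip for ip in seen if ip in authorized), key=key)
    missing = sorted((ip for ip in authorized if ip not in seen), key=key)
    return unauthorized, expected, missing


if __name__ == "__main__":
    seen = parse_gnmap(SAMPLE_GNMAP)
    unauthorized, expected, missing = reconcile(seen, AUTHORIZED)
    for ip in unauthorized:
        print(f"UNAUTHORIZED {ip} ({seen[ip] or 'no reverse name'})")
    for ip in missing:
        print(f"MISSING      {ip} ({AUTHORIZED[ip]})")
    print(f"{len(expected)} expected, {len(unauthorized)} unauthorized, {len(missing)} missing")
```

Run it on a real `-oG` file and feed the unauthorized list into whatever ticketing or 802.1x enforcement you have; the point is that the comparison target is the inventory, so the report is "what should not be here" rather than "what changed since last week".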

Slide 8: BYOD: Inventory Headache
- Let the data dictate controls
- Often no cost-effective solution:
  - Open Source and free solutions are kludgy
  - MDM solutions are pricey
- Provision your own mobile devices: legally owning the device can solve other problems
- Key factors to consider:
  - Not worth permitting what you can’t manage
  - Employee-owned devices carry untold risk
  - Malware, malware, malware

Slide 9: Control 2: Software Inventory
- Requires solid implementation of Control 1
- Know Thyself (again, but even more!)
- Patch everything you need; forbid what you don’t
- Develop a baseline: list the software permitted in your organization (AppLocker)
- Enforce application whitelisting
- Limit exposure of legacy software/systems

Slide 10: Controlling Software
- Ease into application whitelisting
- Start with limiting execution to specific directories: C:\Windows, C:\Program Files and C:\Program Files (x86)
- Most malware runs from user profile directories!
- Application whitelisting on a budget:
  - Software Restriction Policies (older)
  - AppLocker
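The "limit execution to specific directories" rule looks like a one-line prefix check, but a path-based rule has to survive case differences, forward slashes, `..` segments and user-writable subfolders of an allowed root, or it allows exactly what it was meant to block. The following Python is an added example (not from the deck, and not AppLocker or SRP code) of that policy logic in audit form; the execution records, the carve-out list and the function names (`is_allowed`, `audit`) are this example's own.

```python
r"""Added example, not from the slides: the policy logic behind "limit execution
to C:\Windows and C:\Program Files", with the edge cases a real rule must
survive. Paths are canonicalized before the prefix test so that case, forward
slashes and '..' segments cannot make a file under C:\Users look like it lives
under C:\Windows.

Assumptions: the execution records are constructed (a real deployment reads
them from AppLocker/SRP audit events); the carve-out list of user-writable
subfolders is a starting point, not a complete one for your build.
"""
import ntpath

# Roots from the slide: execution is allowed only from here.
ALLOWED_ROOTS = [r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)"]

# Subfolders of an allowed root that ordinary users can write to must be carved
# out; C:\Windows\Temp is the well-known one, audit your image for others.
DENIED_SUBTREES = [r"C:\Windows\Temp"]


def canonical(path):
    """Collapse '.' and '..', turn '/' into the Windows separator and lowercase
    (NTFS is case-insensitive, so the rule must be too)."""
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path, root):
    """True if the canonical path is root itself or lies inside it. The check is
    separator-aware, so 'C:\\Program Filesx' does not match 'C:\\Program Files'."""
    root = canonical(root)
    return path == root or path.startswith(root + "\\")


def is_allowed(path):
    """Decision for one executable path: denied subtrees win over allowed roots."""
    p = canonical(path)
    if any(is_under(p, d) for d in DENIED_SUBTREES):
        return False
    return any(is_under(p, r) for r in ALLOWED_ROOTS)


# Constructed sample of process launches to evaluate in audit mode.
SAMPLE_EXECUTIONS = [
    r"C:\Windows\System32\notepad.exe",
    r"c:/windows/system32/cmd.exe",                        # lowercase, forward slashes
    r"C:\Program Files (x86)\Vendor\app.exe",
    r"C:\Users\alice\AppData\Local\Temp\invoice.pdf.exe",  # the typical malware location
    r"C:\Users\alice\Downloads\update.exe",
    r"C:\Program Files\..\Users\alice\Downloads\update.exe",  # traversal through an allowed root
    r"C:\Windows\Temp\dropper.exe",                        # user-writable subfolder of an allowed root
    r"C:\Program Filesx\evil.exe",                         # prefix collision without a separator
    r"\\fileserver\share\tool.exe",                        # UNC path, outside every root
]


def audit(executions):
    """Return (path, allowed) pairs: what you would review in audit mode
    before switching the rule to enforce."""
    return [(p, is_allowed(p)) for p in executions]


if __name__ == "__main__":
    for path, allowed in audit(SAMPLE_EXECUTIONS):
        print(f"{'ALLOW' if allowed else 'DENY '} {path}")
```

Running in audit mode first, as the slide's "ease into" advice implies, is what turns up the legitimate business applications that live under user profiles; those get explicit publisher or hash rules later rather than a wider path rule. Note that canonicalization here is purely lexical: 8.3 short names and junctions can only be resolved on the host itself, which is one reason the real enforcement point should be AppLocker or SRP rather than a log-side check.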

Slide 11: Control 3: Secure Configuration
- Applies to hardware and software
- Low-hanging fruit first:
  - For users, standardize workstation/laptop builds
  - For servers, lock down remote administration
- Images, images, images
- Windows: Active Directory Group Policies
- Linux: CFEngine, Lynis and puppet

Slide 12: Configuration Hardening: Where to begin
- Operating System Baselines: CIS Benchmarks, Nessus plugins
- Scan frequently and leverage results to improve
  - Authenticated or “trusted” scans
  - Can augment the software inventory process
  - Ties in with Control 4
- Software configuration easy wins:
  - Disable JavaScript in Acrobat
  - No Flash or Java without special dispensation

Slide 13: Control 4: Vulnerability Management
- A step beyond vulnerability scanning: address, remediate, rinse, repeat
- Authenticated or trusted scanning is a must
- Automate patch management
  - Don’t forget software non-native to the operating system: Adobe, Java, productivity applications
  - Web server platforms
- Stay alert: leverage public information sources, get in front of “criticals” and “highs”
- Track: know what’s remediated or an accepted risk

Slide 14: Control 5: Administrative Credentials
- Dual logins for administrators
- Strong monitoring of M/A/Cs to administrative accounts/groups
- MFA where possible, strong passwords where not
- Isolate admin functions: better to have separate physical boxes, but VMs are better than nothing
- No more local admins! Hamstrings an attacker’s ability to move laterally through the environment
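The "strong monitoring of M/A/Cs to administrative accounts/groups" point, together with the Windows items on the later "What to look for?" slide (account changes, failed logons, service status, log wipes), as an added Python example that is not part of the deck: a small rule set run over constructed Windows Security log records. The record layout, account and group names, and thresholds are made up for the example; the event IDs are the standard Windows Security log IDs named in the docstring.

```python
"""Added example, not from the slides: monitoring changes to administrative
accounts and groups, plus the other Windows log-review items from the deck,
as a rule set over constructed Windows Security log records.

Assumptions: the records are a simplified "timestamp event_id account detail"
export constructed for this example (a real feed would come from Windows Event
Forwarding or a SIEM); account names, group names and thresholds are made up.
The event IDs are the standard Security log IDs: 4624 logon, 4625 failed
logon, 4720 account created, 4724 password reset attempt, 4728/4732 member
added to a security-enabled global/local group, 1102 audit log cleared, plus
7036 (service state change) from the System log.
"""
from collections import Counter

CATEGORY = {
    4624: "logon",
    4625: "failed logon",
    4720: "account change (account created)",
    4724: "account change (password reset attempt)",
    4728: "admin group change (member added to global group)",
    4732: "admin group change (member added to local group)",
    1102: "log wipe (audit log cleared)",
    7036: "service status change",
}
# Raise on every occurrence: account changes and clearing the audit log.
ALWAYS_ALERT = {1102, 4720, 4724}
GROUP_CHANGE = {4728, 4732}
# Groups whose membership changes are treated as high severity (constructed).
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}

# Constructed sample: timestamp, event ID, target account, optional detail.
SAMPLE_EVENTS = """\
2016-09-12T08:59:58 4624 alice
2016-09-12T09:00:03 4732 bob Administrators
2016-09-12T09:00:05 4625 svc_backup
2016-09-12T09:00:06 4625 svc_backup
2016-09-12T09:00:07 4625 svc_backup
2016-09-12T09:00:08 4625 svc_backup
2016-09-12T09:00:09 4625 svc_backup
2016-09-12T09:00:20 4724 svc_backup
2016-09-12T09:01:00 1102 bob
2016-09-12T09:02:00 7036 - Windows Defender stopped
"""


def parse_events(text):
    """Yield (timestamp, event_id, account, detail) for each non-empty record."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, *rest = line.split(maxsplit=3)
        yield ts, int(event_id), account, rest[0] if rest else ""


def windows_alerts(text, fail_threshold=5):
    """Return (severity, category, detail) tuples for the records in text."""
    alerts = []
    failed = Counter()
    for ts, event_id, account, detail in parse_events(text):
        if event_id in GROUP_CHANGE:
            # detail carries the group the account was added to
            severity = "high" if detail in PRIVILEGED_GROUPS else "medium"
            alerts.append((severity, CATEGORY[event_id], f"{account} added to {detail}"))
        elif event_id in ALWAYS_ALERT:
            alerts.append(("high", CATEGORY[event_id], account))
        elif event_id == 4625:
            failed[account] += 1  # counted here, alerted on below
        elif event_id == 7036:
            alerts.append(("low", CATEGORY[event_id], detail))
        # 4624 and anything unlisted is kept for search, not alerted on
    for account, n in failed.items():
        if n >= fail_threshold:
            alerts.append(("medium", "brute force (repeated failed logons)", f"{account} x{n}"))
    return alerts


if __name__ == "__main__":
    for severity, category, detail in windows_alerts(SAMPLE_EVENTS):
        print(f"[{severity:6}] {category}: {detail}")
```

The sample deliberately tells one story: a user is added to the local Administrators group, a service account's password is reset after a burst of failed logons, and the audit log is then cleared. Each line is low-hanging fruit on its own; the ordering is what an analyst would want a SIEM to correlate, which is the configuration guidance the later "Tracking with Measures" slide refers to.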

Slide 15: Tracking with Measures
- “What gets measured gets managed” – Peter Drucker
- CIS provided metrics to assist with measuring performance
  - Detailed measures for each control
  - Thresholds for different risk levels
- Can provide guidance on SIEM and other monitoring solution configuration

Slide 16: But still: What to look for? (More low-hanging fruit)
- Windows and Unix
  - Account change events, including passwords
  - Logon and logoff events, successful and failed
  - Service status (start, stop, restart, failure)
  - Critical file access events
  - Log wipes
- Web Servers
  - Brute force login attempts, excessive login fails
  - Brute force attempts to discover content
  - Service status
  - Injection code in URL (SQL, JavaScript, HTML)
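The web-server half of the list (brute-force logins, content discovery, injection in URLs) as detection logic run over a constructed access log, added here as a Python example that is not part of the deck. The log lines, source addresses and thresholds are constructed; the login endpoint `/login` answering 401 on failure is an assumption, and `web_alerts` is this example's own name. The one caveat worth carrying into any real rule is in the code: URLs are percent-decoded before matching, because an encoded payload does not match a naive string search.

```python
"""Added example, not from the slides: the web-server items from the deck
(brute-force logins, content discovery, injection in URLs) as detection rules
run over a constructed access log in Apache/nginx combined format.

Assumptions: log lines, IPs and thresholds are constructed; the login endpoint
is assumed to be /login and to answer 401 or 403 on failure.
"""
import re
from collections import Counter
from urllib.parse import unquote

# ip ident user [time] "method path protocol" status ... (combined log format)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
LOGIN_PATH = "/login"
# Conservative patterns applied to the *decoded* URL; tune for your application
# to keep false positives down (a real site might legitimately send apostrophes).
INJECTION_PATTERNS = {
    "sql": re.compile(r"'\s*(or|and)\s+[\w']+\s*=|union\s+select", re.I),
    "javascript/html": re.compile(r"<\s*/?\s*(script|iframe)|javascript:", re.I),
}

# Constructed sample access log.
SAMPLE_ACCESS_LOG = """\
10.1.1.50 - - [12/Sep/2016:09:00:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
10.1.1.50 - - [12/Sep/2016:09:00:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
10.1.1.50 - - [12/Sep/2016:09:00:03 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
10.1.1.50 - - [12/Sep/2016:09:00:04 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
10.1.1.50 - - [12/Sep/2016:09:00:05 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
10.1.1.50 - - [12/Sep/2016:09:00:06 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.1.1.61 - - [12/Sep/2016:09:01:00 +0000] "GET /search?q=%27%20OR%201%3D1-- HTTP/1.1" 200 2048 "-" "curl/7.47.0"
10.1.1.62 - - [12/Sep/2016:09:01:30 +0000] "GET /page?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.1.1.70 - - [12/Sep/2016:09:02:00 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.1.1.70 - - [12/Sep/2016:09:02:01 +0000] "GET /backup/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.1.1.70 - - [12/Sep/2016:09:02:02 +0000] "GET /old/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.1.1.70 - - [12/Sep/2016:09:02:03 +0000] "GET /test/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.1.1.70 - - [12/Sep/2016:09:02:04 +0000] "GET /private/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.1.1.80 - - [12/Sep/2016:09:03:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_access_log(text):
    """Yield (ip, method, decoded_path, status) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, method, path, status = m.groups()
            yield ip, method, unquote(path), int(status)


def web_alerts(text, fail_threshold=5, notfound_threshold=5):
    """Return (category, source_ip, detail) tuples for the log in text."""
    alerts = []
    failed_logins = Counter()
    not_found = Counter()
    for ip, method, path, status in parse_access_log(text):
        for kind, pattern in INJECTION_PATTERNS.items():
            if pattern.search(path):
                alerts.append((f"injection ({kind})", ip, path))
        if path.split("?")[0] == LOGIN_PATH and status in (401, 403):
            failed_logins[ip] += 1
        if status == 404:
            not_found[ip] += 1
    for ip, n in failed_logins.items():
        if n >= fail_threshold:
            alerts.append(("brute force login", ip, f"{n} failed logins"))
    for ip, n in not_found.items():
        if n >= notfound_threshold:
            alerts.append(("content discovery", ip, f"{n} not-found requests"))
    return alerts


if __name__ == "__main__":
    for category, ip, detail in web_alerts(SAMPLE_ACCESS_LOG):
        print(f"{category:28} {ip:12} {detail}")
```

The thresholds are per source address with no time window, which is fine for a batch review of a day's log and too crude for a live feed; a SIEM rule would add a sliding window and, for the login case, treat "several failures followed by a success" (the 10.1.1.50 sequence above) as the higher-priority variant.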

Slide 17: Take-Aways
- CSCs are not easy, but worth the effort
- These top 5 will prevent 90% (and likely more) of what attackers will throw at you
- Security doesn’t have to cost a ton of money: a lot of native functionality to assist
- Security is a process, not a product

Slide 18: Links
- Critical Security Controls: https://www.cisecurity.org/critical-controls.cfm
- Open Source Mobile Device Management: http://searchmobilecomputing.techtarget.com/answer/Are-there-any-open-source-mobile-device-management-tools
- CFEngine: https://cfengine.com/
- Lynis: https://cisofy.com/lynis/
- puppet: https://puppet.com
- Software Restriction Policies: https://technet.microsoft.com/en-us/library/hh994620(v=ws.11).aspx

Slide 19: Links (continued)
- AppLocker: https://technet.microsoft.com/en-us/library/dd759117(v=ws.11).aspx
- Disabling JavaScript in Acrobat: http://www.zdnet.com/article/adobe-turn-off-javascript-in-pdf-reader/

Slide 20: Thank you!
For a copy of this deck or information on our services, feel free to reach out:
Dante LoScalzo, dloscalzo@controlscan.com

