
Jim Purcell – Senior IT Auditor, UT System



Presentation on theme: "Jim Purcell – Senior IT Auditor, UT System"— Presentation transcript:

1 Jim Purcell – Senior IT Auditor, UT System
Critical Security Controls: Planning, Implementing, and Auditing with DEMO!
Tennessee Higher Education Information Technology Symposium – April 2015
Jim Purcell – Senior IT Auditor, UT System

2 Problem Statement
Data breaches & disclosures are becoming more common (PrivacyRights.org, updated weekly):
JP Morgan Chase
Dairy Queen
US Investigation Services
The UPS Store
Community Health Systems
Albertsons Grocery Stores
SuperValu Stores
University of California Santa Barbara
Vibram USA
Or – “Mommy, why does everybody have a bomb?” (Prince – 1999)
Speaker note: do a search of .edu’s

3

4 Understanding the Critical Security Controls
Prioritizing Defenses with the Critical Security Controls

5 Information Assurance Frameworks
There are a number of industry groups also trying to address these issues. Numerous frameworks have been established, such as:
NIST
NIST Core Framework
ISO Series
CoBIT
IT Assurance Framework (ITAF)
IT Baseline Protection Manual
Consensus Audit Guidelines / Critical Security Controls
Many, many others

6 One Option: Critical Security Controls
Began as a collaboration between the US Air Force, National Security Agency, & the SANS Institute in 2008
Originally developed as a tool for organizations responsible for NIST
Priorities for which controls will make the most impact to stop dedicated attackers
Written in response to compromised US government agencies & contractors
Collaborative effort by over 100 different government, military, & civilian experts
Based on risk analysis of the most common attacks

7 Council on CyberSecurity
Official home of the Critical Security Controls
CEO is Jane Lute, former Deputy Secretary of DHS
Not-for-profit group responsible for managing the Critical Security Controls (CSCs)
Director of the CSCs is Tony Sager
Mission: “The Council on CyberSecurity is an independent, global organization committed to an open and secure Internet.”

8

9 Project Guiding Principles
Defenses should focus on addressing the attack activities occurring today
Enterprises must ensure consistent controls across the enterprise to effectively negate attacks
Defenses should be automated where possible
Specific technical activities should be undertaken to produce a more consistent defense
Root-cause problems must be fixed in order to ensure the prevention or timely detection of attacks
Metrics should be established that facilitate common ground for measuring the effectiveness of security measures

10 Mandiant’s Attack Lifecycle Model
Mandiant (FireEye)
Organized Crime
Nation State
Well staffed and well funded

11 The Critical Security Controls
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Device Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
Speaker note: implement in order – they are prioritized and they build on each other

12 The Critical Security Controls
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring and Analysis of Audit Logs
15. Controlled Access Based on Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response & Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises

13 Categories of Sub-Controls
Quick Wins (QW)
Improved Visibility and Attribution (Vis/Attrib)
Hardened Configuration and Improved Information Security Hygiene (Config/Hygiene)
Advanced (Adv)
Speaker notes:
QW – not easy, but biggest bang for the buck
Vis/Attrib – monitoring – who is doing what to whom
Config – basic blocking and tackling
Adv – doable, but hard to do today – need better technology

14 What the Critical Controls are NOT
The primary goal of the Critical Security Controls is defense
Mostly technical and operational controls
NOT a comprehensive security framework (like NIST )
Do NOT address management controls: policy, risk assessment, personnel issues (e.g. background checks), budget/contracts, etc.
Do NOT address physical controls: natural disasters, alternate datacenter
Speaker notes: risk management is built into the Critical Controls! NIST is a framework, but thousands of controls

15 An “On Ramp” to Compliance
The primary goal of the Critical Security Controls is defense
However, by prioritizing these controls, an organization is also making steps towards achieving compliance with other standards & regulations
Mappings currently exist between the CSCs and:
NIST rev4
ISO Control Catalog
The Australian DSD’s Top 35
HIPAA / HITECH Act
The NSA’s Manageable Network Plan

16 Prioritizing Defenses with the Critical Security Controls
Critical Security Control #1: Inventory of Authorized & Unauthorized Devices

17 Critical Security Control #1
Inventory of Authorized and Unauthorized Devices
Exploit this control is meant to stop: exploits due to lack of implemented controls on unknown (un-inventoried) devices
Business goal of this control: only authorized systems should be on the organization’s network.

18 Sample Attack Tool: Armitage – Fast and Easy Hacking!!!
Frontend for Metasploit – “Fast and Easy Hacking”
Speaker note: show video

19 Breach Case Study: Bit9
Security whitelisting vendor Bit9 was breached (2/13)
Breach due to the fact that they did not install controls on machines that were not in their inventories
Attackers breached their network, compromising machines where they had not installed their whitelisting product
As a result of the breach a code signing certificate was abused, and malicious code was signed with their certificate

20 Defenses: Quick Win
Deploy an automated asset inventory discovery tool and use it to build a preliminary asset inventory of systems connected to an organization’s public and private network(s). Both active tools that scan through network address ranges and passive tools that identify hosts based on analyzing their traffic should be employed.
Deploy dynamic host configuration protocol (DHCP) server logging, and utilize a system to improve the asset inventory and help detect unknown systems through this DHCP information.
Ensure that all equipment acquisitions automatically update the inventory system as new, approved devices are connected to the network.
Speaker note: preventive and detective controls

21 Defenses: Visibility & Attribution
Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device. The inventory should include every system that has an Internet protocol (IP) address on the network. The asset inventory created must also include data on whether the device is a portable and/or personal device. Devices such as mobile phones, tablets, laptops, and other portable electronic devices that store or process data must be identified, regardless of whether they are attached to the organization’s network.

22 Defenses: Config & Hygiene
Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network. The 802.1x must be tied into the inventory data to determine authorized versus unauthorized systems. Deploy network access control (NAC) to monitor authorized systems so if attacks occur, the impact can be remediated by moving the untrusted system to a virtual local area network that has minimal access.

23 Defenses: Advanced
Utilize client certificates to validate and authenticate systems prior to connecting to the private network.
Speaker note: implement PKI – Microsoft – built into Server

24 Minimum Control Sensors
In order to effectively implement & automate this control, the organization must have the following sensors:
An Asset Inventory Database
An Active Device Scanner
A Passive Device Scanner
A Network Access Control (NAC) System
A Public Key Infrastructure (PKI)
DHCP Server Logging / Alerting / Analytics System

25 Baselines & Operational Processes
In order to effectively implement, automate, or audit this control, organizations must have the following baselines:
An Approved Device Asset Inventory
An Approved Information Asset Inventory
This control necessitates the implementation of the following governance processes as prerequisites for implementing the control:
A Procurement / Asset Acquisition Process
A Change Management Process

26 Entity Relationship Diagram (ERD)

27 Sample Tool: ForeScout CounterACT
ForeScout CounterACT™ is a platform that provides continuous security monitoring and mitigation. It allows IT organizations to efficiently address numerous access, endpoint compliance and threat management challenges even within today’s complex, dynamic and expansive enterprise networks. Taking advantage of next-gen network access control (NAC) capabilities, CounterACT delivers both real-time intelligence and policy-based control to preempt threats and remediate problems while preserving business productivity.

28 Tools for Automation
The following tools have been identified as being able to automate the implementation of this control:
Spiceworks
ManageEngine
OSSIM
BSA Visibility (Insightix)
IPSonar (Lumeta)
CCM, IP360 (nCircle)
SecureFusion (Symantec)
CounterACT (ForeScout Technologies)
Nessus & SecurityCenter (Tenable)
LANSurveyor (SolarWinds)
WhatsUp Gold (Ipswitch)

29 Tools that can be Scripted
While the following tools are not automated by nature, they can be scripted to automate this control: Nmap / Ndiff

30 Sample Automation Script: Nmap
nmap -sL -sn -oX network_baseline.xml /24
nmap -sL -sn -oX network_current.xml /24
ndiff network_baseline.xml network_current.xml > nmap_differences.txt
send -f -u "nmap Inventory Alert" -m "Please see attached alert." -s mail.sans.org:25 -a nmap_differences.txt
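The script above hands the raw ndiff output to whoever reads the mail; the following added example (not from the presentation or from the auditscripts tooling) performs the reconciliation step from slides 20 and 21 in Python instead: it parses two nmap -oX results (constructed inline here, not real scans), reports hosts that appeared or disappeared since the baseline, and flags any live host whose MAC is not in the approved device inventory. The inventory dictionary and the example.edu names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape nmap -sn -oX writes (not a real scan).
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" start="1428000000">
<host><status state="up"/><address addr="10.0.0.10" addrtype="ipv4"/>
<address addr="AA:BB:CC:00:00:10" addrtype="mac"/>
<hostnames><hostname name="fileserver.example.edu"/></hostnames></host>
<host><status state="up"/><address addr="10.0.0.11" addrtype="ipv4"/>
<address addr="AA:BB:CC:00:00:11" addrtype="mac"/></host>
</nmaprun>"""

CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" start="1428086400">
<host><status state="up"/><address addr="10.0.0.10" addrtype="ipv4"/>
<address addr="AA:BB:CC:00:00:10" addrtype="mac"/></host>
<host><status state="up"/><address addr="10.0.0.12" addrtype="ipv4"/>
<address addr="AA:BB:CC:00:00:12" addrtype="mac"/></host>
<host><status state="down"/><address addr="10.0.0.13" addrtype="ipv4"/></host>
</nmaprun>"""

# Constructed approved-device inventory keyed by MAC, carrying the slide 21
# fields (name, owner, department). Assumed data, not a real inventory.
INVENTORY = {
    "AA:BB:CC:00:00:10": {"name": "fileserver", "owner": "J. Doe", "dept": "Library"},
    "AA:BB:CC:00:00:11": {"name": "printer-2f", "owner": "A. Roe", "dept": "Registrar"},
}

def live_hosts(xml_text):
    """Return {mac (or ipv4 if no MAC was seen): ipv4} for hosts reported up."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue  # down hosts are not on the network right now
        addrs = {a.get("addrtype"): a.get("addr") for a in host.findall("address")}
        hosts[addrs.get("mac", addrs["ipv4"])] = addrs["ipv4"]
    return hosts

def inventory_diff(baseline_xml, current_xml, inventory):
    """Return (new, gone, unauthorized) dicts of {key: ipv4}."""
    base, cur = live_hosts(baseline_xml), live_hosts(current_xml)
    new = {k: cur[k] for k in cur.keys() - base.keys()}
    gone = {k: base[k] for k in base.keys() - cur.keys()}
    unauthorized = {k: ip for k, ip in cur.items() if k not in inventory}
    return new, gone, unauthorized

def alert_lines(baseline_xml, current_xml, inventory):
    """One alert line per finding, ready to mail (metric 1d: name/dept when known)."""
    new, gone, unauthorized = inventory_diff(baseline_xml, current_xml, inventory)
    lines = [f"UNAUTHORIZED {ip} ({k})" for k, ip in sorted(unauthorized.items())]
    lines += [f"NEW {ip} ({k})" for k, ip in sorted(new.items())]
    lines += [f"GONE {ip} ({k}) {inventory.get(k, {}).get('dept', '?')}" for k, ip in sorted(gone.items())]
    return lines
```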

31 Evaluating Critical Control #1
Business goal of this control: only authorized systems should be on the university network.
Systems to be tested:
Active device scanner
Passive device scanner
Network inventory & alerting systems
802.1x based authentication system / Network Access Control
Security Information/Event Management (SIEM) system
Test to perform: add hardened systems to the network to see if they are identified & isolated from the network

32 Core Evaluation Test
Place ten unauthorized devices on various portions of the organization’s network, unannounced, to see how long it takes for them to be detected
They should be placed on multiple subnets
Two should be in the asset inventory database
Devices should be detected within 24 hours
Devices should be isolated within 1 hour of detection
Details regarding location and department should be recorded

33 Effectiveness Metrics
ID – Testing/Reporting Metric – Response
1a – How long does it take to detect new devices added to the organization’s network? – Time in minutes
1b – How long does it take the scanners to alert the organization’s administrators that an unauthorized device is on the network? – Time in minutes
1c – How long does it take to isolate/remove unauthorized devices from the organization’s network? – Time in minutes
1d – Are the scanners able to identify the location, department, and other critical details about the unauthorized system that is detected? – Yes/No
Speaker note: Time Based Security – Schwartau, Winn (buy used on Amazon)

34 Automation Metrics
How many unauthorized devices are presently on the organization’s network (by business unit)?
How long, on average, does it take to remove unauthorized devices from the organization’s network (by business unit)?
What is the percentage of systems on the organization’s network that are not utilizing Network Access Control (NAC) to authenticate to the organization’s network (by business unit)?
What is the percentage of systems on the organization’s network that are not utilizing Network Access Control (NAC) with client certificates to authenticate to the organization’s network (by business unit)?

35 Standards Mapping
Assurance Standard – References
NIST 800-53 rev. 4:
CA-7: Continuous Monitoring
CM-8: Information System Component Inventory
IA-3: Device Identification and Authentication
SA-4: Acquisition Process
SC-17: Public Key Infrastructure Certificates
SI-4: Information System Monitoring
PM-5: Information System Inventory
NIST Core Framework (2014):
ID.AM-1: Asset Management
ID.AM-3: Asset Management
PR.DS-3: Data Security
ISO 27002:2013 Annex A:
A.8.1.1: Inventory of assets
A.9.1.2: Access to networks and network services
A : Network controls

36 Demo – Spiceworks – ManageEngine – Tripwire
Scan for systems. Alerts. Reports.

37 Gap Analysis Tools
http://www.auditscripts
Gap Analysis Tools
Other Resources

38
