This is a presentation introducing the SANS Institute's 20 Critical Security Controls and the Australian Government's Top 35 Mitigation Strategies that I gave to The Small Business Technology Consulting Group in St Paul MN on November 13, 2012
2. Cultivating Security, 2012
Quick Discussion Question: What do you think of when it comes to information security?
[audience participation time]
3. Cultivating Security, 2012
One thing to keep in mind:
In the world of information security, CIA = Confidentiality, Integrity and Availability.
Though sometimes it refers to a certain government agency.
4. Cultivating Security, 2012
What do we mean by Information Security?
“the processes and methodologies designed to protect print, electronic, or any other forms of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.”
SANS Institute
“Preservation of confidentiality, integrity and availability of information.”
ISO 27000
5. Cultivating Security, 2012
Are there any models or standards for Information Security that might be helpful?
I thought you’d never ask. . .
6. Cultivating Security, 2012
There’s no shortage of standards to consider:
• NIST 800-53 = National Institute of Standards and Technology
• FISMA = Federal Information Security Management Act
• DIACAP = DoD Information Assurance Certification and Accreditation Process
• SOX = Sarbanes-Oxley Act of 2002
• GLBA = Gramm-Leach-Bliley Act
• PCI-DSS = Payment Card Industry Data Security Standard
• NERC CIP = North American Electric Reliability Corporation, Critical Infrastructure Protection standards
• ISO 27000 Series = Int’l Org. for Standardization
• HITECH Act of 2009
8. Cultivating Security, 2012
While there might not be consensus on the issue, there is an increasing recognition that every organization needs to have a strategy for defense.
Organizations are learning to assess their information security risks, and then to implement appropriate information security controls based on their needs, using guidance and suggestions where relevant.
10. Cultivating Security, 2012
“A lot of times, enterprises just don’t know where and how, or what to do. Where’s the next dollar best spent?”
“This is about priority.”
Tony Sager, former head of the NSA’s Systems & Network Attack Center, now with the SANS Institute
12. Cultivating Security, 2012
First, one more quick definition:
Security controls are safeguards designed to avoid, counteract or minimize risks.
13. Cultivating Security, 2012
Recent Events in the History of Controls:
Starting in 2008, the Office of the Secretary of Defense asked the NSA for help with its cybersecurity posture.
NSA was brought in because of their understanding of how cyber attacks worked and because the DoD was interested in fending off actual attacks rather than developing a theoretical approach to security.
14. Cultivating Security, 2012
Since the early 2000s, the NSA had been working on a list of security controls that were most effective in stopping known attacks.
The key: “no control should be made a priority unless it could be shown to stop or mitigate a known attack.”
15. Cultivating Security, 2012
The second key: NSA was already working on collaboration with two nonprofit organizations:
The SANS Institute — a cooperative research and education organization, “the most trusted and by far the largest source of information security training and security certification in the world.”
The Center for Internet Security — “works on enhancing cyber security readiness and response of public and private sector entities.”
16. Cultivating Security, 2012
Eventually, more than 100 public and private organizations joined in, as well as a few companies involved in incident response, including McAfee and Mandiant.
The two main elements:
1) The only justification for a control was actual attack information.
2) The feeling among the participants that they were active contributors to protecting the country.
17. Cultivating Security, 2012
The clear consensus:
Just 20 Critical Controls could address the most prevalent attacks that government, industry, and the private sector face.
18. Cultivating Security, 2012
The test:
The Department of State put the 20 Critical Controls up against the 3,085 attacks it underwent in 2009.
20. Cultivating Security, 2012
On November 5, 2012, a new international consortium was launched to help government agencies and the private sector prioritize security defenses. Called the Consortium for CyberSecurity Action (CCA), it bases its recommendations on the most recent update of the 20 Critical Controls.
21. Cultivating Security, 2012
Spoiler Alert:
Most of these controls are standard procedure or “Best Practices” in network administration.
Chances are that you’ve implemented many of them yourself.
There really shouldn’t be any surprise here.
OK then, here we go . . .
22. Cultivating Security, 2012
The Main Event: the 20 Critical Controls
1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on all devices: mobile, laptops, workstations, servers
4 Continuous Vulnerability Assessment and Remediation
23. Cultivating Security, 2012
5 Malware defenses
6 Application Software Security
7 Wireless Device Control
8 Data Recovery Capability
9 Security Skills Assessment and Training to Fill Gaps
10 Secure Configurations for Network Devices
11 Limitation and Control of Network Ports, Protocols and Services
24. Cultivating Security, 2012
12 Controlled Use of Administrative Privileges
13 Boundary Defense
14 Maintenance, Monitoring and Analysis of Audit Logs
15 Controlled Access Based on Need-to-Know
16 Account Monitoring and Control
17 Data Loss Prevention
25. Cultivating Security, 2012
18 Incident Response and Management
19 Secure Network Engineering
20 Penetration Tests and Red Team Exercises
26. Cultivating Security, 2012
So what about Implementation?
In a mature environment, chances are you already have most, if not all, of these 20 Critical Controls in place.
But what about smaller organizations?
You can make concrete, measurable steps in improving your networks by putting into place, over time, some or most (if not all) of these controls. Yes, it takes time, but it pays off. Remember:
27. Cultivating Security, 2012
Keep your eye on the prize:
The State Department saw a reduction of more than 88% in attacks on their systems in the first year.
28. Cultivating Security, 2012
So what about those Australians Down Under?
Independently of the research we’ve discussed, the Australians developed a list of the Top 35 Mitigation Strategies that they present in order of overall effectiveness.
Like the 20 Critical Controls, these rankings are based on the Defence Signals Directorate’s (DSD’s) analysis of reported security incidents and detected vulnerabilities.
29. Cultivating Security, 2012
For the sake of time, let’s just consider the Top Four Controls or Mitigation Strategies:
• Use application whitelisting to help prevent malicious software and other unapproved programs from running
• Patch applications such as PDF readers, Java, and web browsers
• Patch operating system vulnerabilities
• Minimize the number of users with administrative privileges
30. Cultivating Security, 2012
According to the DSD’s Strategies to Mitigate Targeted Cyber Intrusions, over 85% of cyber intrusions could be defeated if organizations implemented just the first four of these strategies.
31. Cultivating Security, 2012
These two initiatives provide clear examples of what’s meant by “Defense in Depth”:
Defense in depth is the concept of protecting a computer network with a series of defensive mechanisms such that if one mechanism fails, another will already be in place to thwart an attack.
SANS Institute
32. Cultivating Security, 2012
Thanks very much for your attention.
Any questions or comments?
Q and A
Roger Hagedorn
Email: roger@cultivatingsecurity.com
Blog: www.cultivatingsecurity.com
33. Cultivating Security, 2012
Resources
The 20 Controls
http://www.sans.org/critical-security-controls/
The Australian Government’s 35 Controls
http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm
The Center for Internet Security
http://www.cisecurity.org
Editor's Notes
Notes on the standards slide:
- FISMA = the federal government (NIST 800-53 is the catalog of controls it relies on); ISO 27000 = the international standard
- SOX = publicly traded companies
- GLBA = regulates banks and investment companies
- NERC = the power grid; CIP = NERC’s Critical Infrastructure Protection standards for the bulk electric system
- COBIT is largely used by the audit community
Speaking of guidance and suggestions…
Tony Sager is the retired chief operating officer of NSA’s Information Assurance Directorate, and he now heads up the CCA, the Consortium for CyberSecurity Action, just founded days ago.
The rest of this presentation will focus on controls
Dod = Department of Defense
The CIA’s Tom Donahue, who worked with the White House cyber policy team, made this remark
In other words, use knowledge of actual attacks that have compromised systems to provide the foundation to build effective defenses.
There was some tweaking: they implemented automated capabilities to enforce the controls, and continuous monitoring (auditing so that adjustments can be made and implemented quickly).
In 2011, the Department of Homeland Security mandated the implementation of these controls across the government. Also in 2011, the UK’s Centre for the Protection of National Infrastructure announced that all government agencies would adopt these controls as their framework for securing their infrastructure.
1. Maintain an asset inventory; watch for unknown and unauthorized devices.
2. Maintain a white list of approved software. This helps in maintaining/patching the software and eliminates attack vectors based on unused/unmaintained software.
3. Build a secure image and maintain it. If anything becomes compromised, reimage it. Standardized images = hardened versions of the OS and the installed apps. See NIST, NSA, and CIS for examples.
4. Subscribe to vulnerability intelligence services to stay on top of security patches and exposed vulnerabilities, and patch ASAP. Run automated vulnerability scans; keep and correlate event logs.
5. Implement an anti-malware solution that auto-updates and auto-scans; scan everything, including email, at the gateway.
6. Protect web apps by using web application firewalls that inspect all traffic, explicit error checking, and source code checking. Lock down: remove all unused code or scripts.
7. WPA2 with AES encryption; wireless intrusion detection systems to identify rogue devices; do a site survey.
8. Proper backups, and off-site backups. Automation, encryption.
9. Think end-users and social engineering, spear-phishing attacks on sysadmins and CEOs. Develop security awareness programs.
10. Firewalls, switches and routers (the earlier control was about endpoints).
11. Think FTP: who uses it today? Lock it down. Use firewalls on all endpoints, perform port scanning regularly, remove any unnecessary services.
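The two checks in notes 1 and 11 above (unknown devices on the wire, and listening ports that are not in the baseline) are the same kind of job: diff what a scan observed against what is authorized. The following Python is an added example, not code from the presentation; the ARP table, the nmap-style scan output, the authorized device list and the approved-port baseline are all constructed sample data, and the function and constant names are mine.

```python
"""Added example for Critical Controls 1 and 11: compare what is actually on
the network with what is authorized. Not from the original presentation;
the ARP table, scan output and authorized lists are constructed samples."""
import re

# --- Constructed sample input (not real hosts) ---------------------------
ARP_TABLE = """\
Interface: 192.168.10.5 --- 0xb
  Internet Address      Physical Address      Type
  192.168.10.1          00-1a-2b-3c-4d-01     dynamic
  192.168.10.20         00-1a-2b-3c-4d-20     dynamic
  192.168.10.21         00-1a-2b-3c-4d-21     dynamic
  192.168.10.77         d4-3d-7e-aa-bb-cc     dynamic
  192.168.10.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
# Authorized inventory keyed by MAC address (constructed).
AUTHORIZED_DEVICES = {
    "00:1a:2b:3c:4d:01": "fw-edge (firewall)",
    "00:1a:2b:3c:4d:20": "srv-file01",
    "00:1a:2b:3c:4d:21": "srv-dc01",
    "00:1a:2b:3c:4d:30": "ws-reception",  # authorized but not seen today
}
# Scan output in the style of `nmap -oG` (constructed).
NMAP_GREPABLE = """\
# Nmap scan (constructed sample)
Host: 192.168.10.20 ()  Ports: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 21/open/tcp//ftp///
Host: 192.168.10.21 ()  Ports: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///
Host: 192.168.10.77 ()  Ports: 22/open/tcp//ssh///, 8080/open/tcp//http-proxy///
"""
# Approved listening TCP ports per host (constructed baseline).
APPROVED_PORTS = {
    "192.168.10.20": {445, 3389},
    "192.168.10.21": {53, 88, 389, 445},
}

ARP_LINE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+", re.I)
OPEN_TCP = re.compile(r"(\d+)/open/tcp")


def normalize_mac(mac):
    """Lower-case, colon-separated form so Windows and Unix output compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp(text):
    """Return {ip: mac} for real (unicast) neighbors; broadcast/multicast dropped."""
    seen = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue
        mac = normalize_mac(m.group(2))
        if int(mac[:2], 16) & 1:  # group bit set: multicast or broadcast, not a device
            continue
        seen[m.group(1)] = mac
    return seen


def audit_devices(arp_text, authorized):
    """Control 1: MACs on the wire that are not in the inventory, and inventory
    entries that did not show up (removed, or just powered off today)."""
    seen = parse_arp(arp_text)
    unauthorized = {ip: mac for ip, mac in seen.items() if mac not in authorized}
    present = set(seen.values())
    missing = {mac: name for mac, name in authorized.items() if mac not in present}
    return {"unauthorized": unauthorized, "missing": missing}


def parse_nmap_grepable(text):
    """Return {ip: set of open TCP ports} from nmap -oG style 'Host:' lines."""
    hosts = {}
    for line in text.splitlines():
        if line.startswith("Host:"):
            hosts[line.split()[1]] = {int(p) for p in OPEN_TCP.findall(line)}
    return hosts


def audit_ports(nmap_text, approved):
    """Control 11: per host, open ports outside the baseline, baseline services
    that are not listening, and hosts that have no baseline at all."""
    findings = {}
    for ip, ports in parse_nmap_grepable(nmap_text).items():
        baseline = approved.get(ip, set())
        findings[ip] = {
            "unknown_host": ip not in approved,
            "unexpected": sorted(ports - baseline),
            "not_listening": sorted(baseline - ports),
        }
    return findings


if __name__ == "__main__":
    for kind, items in audit_devices(ARP_TABLE, AUTHORIZED_DEVICES).items():
        print(f"devices {kind}: {items}")
    for ip, finding in audit_ports(NMAP_GREPABLE, APPROVED_PORTS).items():
        print(f"{ip}: {finding}")
```

Run on the sample data, the device audit flags 192.168.10.77 as unauthorized and reports ws-reception as not seen, and the port audit flags FTP (21) on srv-file01 and an unknown host with SSH and an HTTP proxy open. Keying the inventory by MAC rather than IP is deliberate: IPs move with DHCP, and an ARP-level view also catches devices that never asked the DHCP server for an address. A MAC can be spoofed, so treat this as the cheap daily check, not proof of identity.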
12. Inventory all administrative accounts. For anyone who should have admin privileges, use two accounts. Complex passwords for all admin accounts. No default passwords on anything. Use access control lists to ensure that admin accounts are only used for admin duties (no web surfing, no Gmail).
13. Multi-layered boundary defenses, using firewalls, proxies, DMZ, and IPS and IDS. Filter outbound traffic as well as inbound.
14. Everybody’s favorite, but without it, hackers can hide their location, software and activities.
15. Classify your data according to sensitivity and segment your network accordingly. Audit access. VLANs.
16. Watch for legitimate but inactive accounts. Review all accounts; disable anything not associated with a business process and owner; audit for terminated employees and contractors; auto-log off anyone after a period of inactivity.
17. Use hard drive encryption, watch for exfiltration, scan for PII, lock down use of USB devices.
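Notes 12 and 16 above describe a review you can run mechanically once the account list is exported: which enabled accounts have gone quiet, which admin accounts have nobody responsible for them, and which admins are breaking the two-accounts rule by having no separate day-to-day account. The Python below is an added example, not code from the presentation; the account records, the 90-day threshold and the fixed "today" are constructed assumptions, and in practice the records would come from an export of Active Directory (for example Get-ADUser) or the local accounts database.

```python
"""Added example for Critical Controls 12 and 16: an account review over
constructed records. Not from the original presentation; in practice the
records would come from Active Directory (e.g. an export of Get-ADUser)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Account:
    name: str
    owner: str                      # person responsible; "" if nobody is recorded
    enabled: bool
    is_admin: bool                  # member of Domain Admins / local Administrators
    last_logon: Optional[datetime]  # None = never logged on


ASSUMED_NOW = datetime(2012, 11, 13)    # fixed "today" so the review is reproducible
INACTIVITY_LIMIT = timedelta(days=90)   # assumed policy threshold

# Constructed sample records (not a real directory).
SAMPLE_ACCOUNTS = [
    Account("jsmith",      "J. Smith",   True,  False, datetime(2012, 11, 12)),
    Account("jsmith-adm",  "J. Smith",   True,  True,  datetime(2012, 11, 9)),   # admin + daily-use pair: OK
    Account("mlee",        "M. Lee",     True,  True,  datetime(2012, 11, 13)),  # admin used as the only account
    Account("svc-backup",  "",           True,  True,  datetime(2012, 11, 13)),  # admin with nobody responsible
    Account("contractor7", "Contractor", True,  False, datetime(2012, 6, 1)),    # enabled, long inactive
    Account("rgreen",      "R. Green",   False, False, datetime(2012, 3, 1)),    # already disabled: fine
    Account("newhire",     "N. Hire",    True,  False, None),                    # enabled, never used
]


def inactive_accounts(accounts, now=ASSUMED_NOW, limit=INACTIVITY_LIMIT):
    """Control 16: enabled accounts with no logon within `limit`.
    Never-logged-on accounts count as inactive; disabled ones are ignored."""
    return sorted(a.name for a in accounts
                  if a.enabled and (a.last_logon is None or now - a.last_logon > limit))


def admins_without_owner(accounts):
    """Control 12: privileged accounts with no named person responsible."""
    return sorted(a.name for a in accounts if a.is_admin and not a.owner)


def admins_without_standard_account(accounts):
    """Control 12 'two accounts' rule: an admin whose owner has no separate
    non-admin account is doing e-mail and web browsing with admin rights."""
    standard_owners = {a.owner for a in accounts if a.owner and not a.is_admin}
    return sorted(a.name for a in accounts
                  if a.is_admin and a.owner and a.owner not in standard_owners)


def review(accounts: List[Account], now=ASSUMED_NOW):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "inactive": inactive_accounts(accounts, now),
        "admin_no_owner": admins_without_owner(accounts),
        "admin_no_standard_account": admins_without_standard_account(accounts),
    }


if __name__ == "__main__":
    for check, names in review(SAMPLE_ACCOUNTS).items():
        print(f"{check}: {', '.join(names) or 'none'}")
```

On the sample records the review flags contractor7 and newhire as inactive, svc-backup as an admin account nobody owns, and mlee as an admin with no standard account. The never-logged-on case is included on purpose: an account created for someone who never started is exactly the kind of "legitimate but inactive" account note 16 warns about.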
18. The time to put together an incident response plan is BEFORE any incident has happened. Identify key players and their roles. Develop written incident response procedures.
19. Hackers, once inside, will map networks looking for unneeded connections between systems, weak filtering, and a lack of network separation. Don’t give them anything to find: design a 3-tier network (DMZ, middleware, private network). Any system accessible from the Internet should be on the DMZ, but DMZ systems should never contain any sensitive information; use an application proxy to get from the DMZ inside. Set up an internal DNS server. Have separate trust zones inside your network.
20. Say yes to pen tests and vulnerability scanning.
At the Coop, it’s taken me more than a year.
DSD = the Australian Government’s Defence Signals Directorate, part of the Intelligence and Security group of their Department of Defence
Surprisingly similar to the 20 Critical Controls, though with a heavier focus on application whitelisting, using AppLocker or third-party solutions.
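Application whitelisting, the first of the DSD's Top Four and the point of Critical Control 2, comes down to a rule deciding whether a file may run, and the strength of the control depends on what the rule keys on. The following Python is an added example of that decision, not code from the presentation and not AppLocker itself: it builds a hash allow list from a "golden image" and compares it with a path rule over the same execution attempts. The image contents, the trusted-directory list and the events are constructed byte strings and paths standing in for real executables.

```python
"""Added example for the DSD's first mitigation strategy and Critical Control 2:
a simplified model of application whitelisting. Not AppLocker itself and not
from the original presentation; the 'golden image' files and execution events
are constructed byte strings standing in for real executables."""
import hashlib

# Files on the approved build (constructed: short byte strings, not real PEs).
GOLDEN_IMAGE = {
    "C:\\Windows\\System32\\notepad.exe": b"MZ notepad 6.1 build",
    "C:\\Program Files\\Acme\\acme.exe":   b"MZ acme line-of-business app 2.3",
}
# Directories a path rule would trust (assumed rule set, in the spirit of
# AppLocker's default rules for the Windows and Program Files folders).
TRUSTED_PATH_PREFIXES = ("C:\\Windows\\", "C:\\Program Files\\")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_hash_allowlist(image):
    """Hash rule set: one SHA-256 per approved binary, taken from the golden image."""
    return {sha256(content): path for path, content in image.items()}


def path_rule_allows(path):
    """Path rule: allow anything under a trusted directory, whatever its content."""
    p = path.lower()
    return any(p.startswith(prefix.lower()) for prefix in TRUSTED_PATH_PREFIXES)


def hash_rule_allows(content, allowlist):
    """Hash rule: allow only if the file's SHA-256 is in the allow list."""
    return sha256(content) in allowlist


def evaluate(path, content, allowlist):
    """The decision each rule type would reach for one execution attempt."""
    return {"path_rule": path_rule_allows(path),
            "hash_rule": hash_rule_allows(content, allowlist)}


# Constructed execution attempts: (description, path, file content).
ACME = GOLDEN_IMAGE["C:\\Program Files\\Acme\\acme.exe"]
EVENTS = [
    ("approved app from its install dir", "C:\\Program Files\\Acme\\acme.exe", ACME),
    ("same approved binary copied to Downloads", "C:\\Users\\jsmith\\Downloads\\acme.exe", ACME),
    ("tampered copy in install dir", "C:\\Program Files\\Acme\\acme.exe", ACME + b" +patched"),
    ("unknown download", "C:\\Users\\jsmith\\Downloads\\invoice.pdf.exe", b"MZ dropper"),
]


def evaluate_events(events=EVENTS, image=GOLDEN_IMAGE):
    """Verdicts of both rule types for every event, keyed by description."""
    allowlist = build_hash_allowlist(image)
    return {desc: evaluate(path, content, allowlist) for desc, path, content in events}


if __name__ == "__main__":
    for desc, verdict in evaluate_events().items():
        path_v = "allow" if verdict["path_rule"] else "deny"
        hash_v = "allow" if verdict["hash_rule"] else "deny"
        print(f"{desc:42} path rule: {path_v:5}  hash rule: {hash_v}")
```

The four events show the trade-off in one table: both rule types stop the unknown download, but the path rule also lets a modified binary run because it sits in a trusted folder, while the hash rule denies the tampered file and still allows the genuine one wherever it is copied. A path rule is therefore only as strong as the write permissions on the trusted directories, and a hash rule has to be rebuilt every time an application is patched, which is why the second of the Top Four (patch applications) and whitelisting have to be run as one process; publisher (signature) rules are the usual middle ground in AppLocker deployments.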