1( C ) M A R C H A N Y 2 0 1 7

( C ) M A R C H A N Y 2 0 1 7 2

VA TECH CYBER SECURITY STRATEGY

University has 3 main business processes

Academic, Administrative, Research

Academic

Open access needed – THE ISP MODEL

Administrative

Traditional corporate security model

Research

Hybrid

Open access

Restricted research, e.g. ITAR

( C ) M A R C H A N Y 2 0 1 7

VA TECH IT SECURITY STRATEGY

Based on ISO 27002, NIST 800-53 Standards

BYOD

All students required to purchase their own computers, bring their own smartphones. We’ve been doing this since 1984

Protect sensitive data regardless of location

Business process defines and trumps the security process if there is a conflict

IT and Business processes must adapt to new situation

Don’t care what comes in the net. Worry about what leaves the net.

( C ) M A R C H A N Y 2 0 1 7 4

( C ) M A R C H A N Y 2 0 1 7 5

( C ) M A R C H A N Y 2 0 1 7 6

( C ) M A R C H A N Y 2 0 1 7 7

( C ) M A R C H A N Y 2 0 1 7 9

WHY 20 CRITICAL CONTROLS?

Subset of the Priority 1 items in NIST 800-53

Mapping of 27002->800-53->20 Critical Controls

http://www.systemexperts.com/assets/tutors/SystemExperts-SANS20-1.pdf

Technical controls only, not operational controls

Have to start somewhere

Focus is ASSURANCE not compliance!

( C ) M A R C H A N Y 2 0 1 7 10

THE 20 CRITICAL CONTROLS: 1-3

1. Inventory of authorized and unauthorized devices

Reduce the ability of attackers to find and exploit unauthorized and unprotected

systems: Use active monitoring and configuration management to maintain an

up-to-date inventory

2. Inventory of authorized and unauthorized software

Identify vulnerable or malicious software to mitigate or root out attacks: Devise a

list of authorized software for each type of system, and deploy tools to track

software installed (including type, version, and patches)

3. Secure configurations for hardware and software on laptops, workstations,

and servers

Prevent attackers from exploiting services and settings that allow easy access

through networks and browsers: Build a secure image that is used for all new

systems deployed to the enterprise

( C ) M A R C H A N Y 2 0 1 7 11

THE 20 CRITICAL CONTROLS: 4-5

4. Continuous Vulnerability Assessment and Remediation

Proactively identify and repair software vulnerabilities reported by security

researchers or vendors: Regularly run automated vulnerability scanning tools

against all systems and quickly remediate any vulnerabilities

5. Malware Defenses

Block malicious code from tampering with system settings or contents,

capturing sensitive data, or spreading

( C ) M A R C H A N Y 2 0 1 7 12

THE 20 CRITICAL CONTROLS: 6-10

6. Application Software Security

Neutralize vulnerabilities in web-based and other application software:

Vendor Application Security Questionnaire

7. Wireless Device Control

Protect the security perimeter against unauthorized wireless access: Allow wireless devices to connect to the network only if it matches an authorized configuration and security profile and has a documented owner and defined business need.

8. Data Recovery Capability (validated manually)

9. Security Skills Assessment and Appropriate Training To Fill Gaps (validated manually)

10. Secure configurations for network devices such as firewalls, routers, and switches

Preclude electronic holes from forming at connection points with the Internet, other organizations, and internal network segments: Compare firewall, router, and switch configurations against standards for each type of network device.

( C ) M A R C H A N Y 2 0 1 7 13

THE 20 CRITICAL CONTROLS: 11-13

11. Limitation and Control of Network Ports, Protocols, and Services

Allow remote access only to legitimate users and services: Apply host-based

firewalls and port-filtering and scanning tools to block traffic that is not explicitly

allowed

12. Controlled Use of Administrative Privileges

Protect and validate administrative accounts on desktops, laptops, and servers to

prevent two common types of attack:

13. Boundary Defense

Control the flow of traffic through network borders, and police content by looking

for attacks and evidence of compromised machines:

( C ) M A R C H A N Y 2 0 1 7 14

THE 20 CRITICAL CONTROLS: 14-15

14. Maintenance, Monitoring and Analysis of Audit Logs

Use detailed logs to identify and uncover the details of an attack, including the

location, malicious software deployed, and activity on victim machines:. Store

logs on dedicated servers, and run biweekly reports to identify and document

anomalies.

15. Controlled Access Based On Need to Know

Prevent attackers from gaining access to highly sensitive data: Carefully identify

and separate critical data from information that is readily available to internal

network users. Establish a multilevel data classification scheme based on the

impact of any data exposure, and ensure that only authenticated users have

access to nonpublic data and files.

( C ) M A R C H A N Y 2 0 1 7 15

THE 20 CRITICAL CONTROLS: 16-20

16. Account Monitoring and Control

Keep attackers from impersonating legitimate users: Review all system accounts and disable any that are not associated with a business process and owner.

17. Data Loss Prevention

Stop unauthorized transfer of sensitive data through network attacks and physical theft: Scrutinize the movement of data across network boundaries, both electronically and physically, to minimize the exposure to attackers.

18. Incident Response Capability (validated manually)

19. Secure Network Engineering (validated manually)

Keep poor network design from enabling attackers: Use a robust, secure network engineering process to prevent security controls from being circumvented. Allow rapid deployment of new access controls to quickly deflect attacks.

20. Penetration Tests and Red Team Exercises (validated manually)

( C ) M A R C H A N Y 2 0 1 7 16

IMPLEMENTATION TIPS

Secure upper management backing

Do a 20 Critical Controls Gap Analysis

Sample Gap Analysis – Quick & Dirty version

Find out who at your organization has the information needed by a particular control

Get access to the info

Pick 2-4 controls at a time,

Rinse, lather and repeat

This is a 3-5 year project.

( C ) M A R C H A N Y 2 0 1 7 17

SAMPLE GAP ANALYSIS

( C ) M A R C H A N Y 2 0 1 7 18

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

YOU HAVE THE ANSWERS ALREADY

1. Inventory of authorized and unauthorized device

Obtain from your network management group

2. Inventory of authorized and unauthorized software

Obtain from software purchasing group

3. Secure configurations for hardware and software on laptops, workstations, and servers

Policy

4. Continuous Vulnerability Assessment and Remediation

IT Security Office runs weekly scans against critical servers

5. Malware Defense

IT Security Office

( C ) M A R C H A N Y 2 0 1 7 19

CONTROL ENTITY RELATIONSHIP DIAGRAM (ERD) #1

( C ) M A R C H A N Y 2 0 1 7 20

Courtesy J. Tarala, E. Cole

YOU HAVE THE ANSWERS ALREADY

6. Application Software Security

Security Questionnaires

7. Wireless Device Control

Network management group

8. Data Recovery Capability (validated manually)

Network Backup service, departmental backup process

9. Security Skills Assessment & Appropriate Training To Fill Gaps (validate manually)

Secure the Human

10. Secure configurations for network devices such as firewalls, routers, and switches

Network Management Group

( C ) M A R C H A N Y 2 0 1 7 21

YOU HAVE THE ANSWERS ALREADY

11. Limitation and Control of Network Ports, Protocols, and Services

Policy, Standards, Individual Departmental guidelines

12. Controlled Use of Administrative Privileges

Policy, Standards, Individual Departmental guidelines

13. Boundary Defense

Policy, Standards, define the boundary!

14. Maintenance, Monitoring and Analysis of Audit Logs

Standard Sysadmin practice, SIEM, Syslog server

15. Controlled Access Based On Need to Know

Business process rules, Identity Mgt process

( C ) M A R C H A N Y 2 0 1 7 22

YOU HAVE THE ANSWERS ALREADY

16. Account Monitoring and Control

HR Policies/process, Identity Mgt process

17. Data Loss Prevention

Sensitive Data protection policy/standards, network forensics

18. Incident Response Capability (validated manually)

IT Security Office, Upper Mgt approval

19. Secure Network Engineering (validated manually)

Network mgt group configuration rules

20. Penetration Tests and Red Team Exercises (validated manually)

( C ) M A R C H A N Y 2 0 1 7 23

SUMMARY

Need an operational plan to implement a Security Framework?

Use the 20 Critical Security Controls

It’s auditable, strengthens your overall defensive posture

References

http://www.auditscripts.com/free-resources/critical-security-controls/ - CSC documents,

excellent gap analysis spreadsheets

https://www.cisecurity.org/critical-controls.cfm - home page for the CSC

http://security.vt.edu/policies/critical_security_controls.html -

VA Tech short version gap analysis

( C ) M A R C H A N Y 2 0 1 7 24

CONTACT INFO

Randy Marchany

VA Tech IT Security Office and Lab

1300 Torgersen Hall

620 Drillfield Dr.

Blacksburg, VA 24061

540-231-9523

marchany@vt.edu

Twitter: @randymarchany

Blogs: randymarchany.blogspot.com

http://www.securitycurrent.com/en/writers/randy-marchany

( C ) M A R C H A N Y 2 0 1 7 25