( c ) m a r c h a n y 2 0 1 7 · 3/20/2017 · implementation tips secure upper management backing...
TRANSCRIPT
1( C ) M A R C H A N Y 2 0 1 7
( C ) M A R C H A N Y 2 0 1 7 2
VA TECH CYBER SECURITY STRATEGY
University has 3 main business processes
Academic, Administrative, Research
Academic
Open access needed – THE ISP MODEL
Administrative
Traditional corporate security model
Research
Hybrid
Open access
Restricted research, e.g. ITAR
( C ) M A R C H A N Y 2 0 1 7
VA TECH IT SECURITY STRATEGY
Based on ISO 27002, NIST 800-53 Standards
BYOD
All students required to purchase their own computers, bring their own smartphones. We’ve been doing this since 1984
Protect sensitive data regardless of location
Business process defines and trumps the security process if there is a conflict
IT and Business processes must adapt to new situation
Don’t care what comes in the net. Worry about what leaves the net.
( C ) M A R C H A N Y 2 0 1 7 4
( C ) M A R C H A N Y 2 0 1 7 5
( C ) M A R C H A N Y 2 0 1 7 6
( C ) M A R C H A N Y 2 0 1 7 7
( C ) M A R C H A N Y 2 0 1 7 9
WHY 20 CRITICAL CONTROLS?
Subset of the Priority 1 items in NIST 800-53
Mapping of 27002->800-53->20 Critical Controls
http://www.systemexperts.com/assets/tutors/SystemExperts-SANS20-1.pdf
Technical controls only, not operational controls
Have to start somewhere
Focus is ASSURANCE not compliance!
( C ) M A R C H A N Y 2 0 1 7 10
THE 20 CRITICAL CONTROLS: 1-3
1. Inventory of authorized and unauthorized devices
Reduce the ability of attackers to find and exploit unauthorized and unprotected
systems: Use active monitoring and configuration management to maintain an
up-to-date inventory
2. Inventory of authorized and unauthorized software
Identify vulnerable or malicious software to mitigate or root out attacks: Devise a
list of authorized software for each type of system, and deploy tools to track
software installed (including type, version, and patches)
3. Secure configurations for hardware and software on laptops, workstations,
and servers
Prevent attackers from exploiting services and settings that allow easy access
through networks and browsers: Build a secure image that is used for all new
systems deployed to the enterprise
( C ) M A R C H A N Y 2 0 1 7 11
THE 20 CRITICAL CONTROLS: 4-5
4. Continuous Vulnerability Assessment and Remediation
Proactively identify and repair software vulnerabilities reported by security
researchers or vendors: Regularly run automated vulnerability scanning tools
against all systems and quickly remediate any vulnerabilities
5. Malware Defenses
Block malicious code from tampering with system settings or contents,
capturing sensitive data, or spreading
( C ) M A R C H A N Y 2 0 1 7 12
THE 20 CRITICAL CONTROLS: 6-10
6. Application Software Security
Neutralize vulnerabilities in web-based and other application software:
Vendor Application Security Questionnaire
7. Wireless Device Control
Protect the security perimeter against unauthorized wireless access: Allow wireless devices to connect to the network only if it matches an authorized configuration and security profile and has a documented owner and defined business need.
8. Data Recovery Capability (validated manually)
9. Security Skills Assessment and Appropriate Training To Fill Gaps (validated manually)
10. Secure configurations for network devices such as firewalls, routers, and switches
Preclude electronic holes from forming at connection points with the Internet, other organizations, and internal network segments: Compare firewall, router, and switch configurations against standards for each type of network device.
( C ) M A R C H A N Y 2 0 1 7 13
THE 20 CRITICAL CONTROLS: 11-13
11. Limitation and Control of Network Ports, Protocols, and Services
Allow remote access only to legitimate users and services: Apply host-based
firewalls and port-filtering and scanning tools to block traffic that is not explicitly
allowed
12. Controlled Use of Administrative Privileges
Protect and validate administrative accounts on desktops, laptops, and servers to
prevent two common types of attack:
13. Boundary Defense
Control the flow of traffic through network borders, and police content by looking
for attacks and evidence of compromised machines:
( C ) M A R C H A N Y 2 0 1 7 14
THE 20 CRITICAL CONTROLS: 14-15
14. Maintenance, Monitoring and Analysis of Audit Logs
Use detailed logs to identify and uncover the details of an attack, including the
location, malicious software deployed, and activity on victim machines:. Store
logs on dedicated servers, and run biweekly reports to identify and document
anomalies.
15. Controlled Access Based On Need to Know
Prevent attackers from gaining access to highly sensitive data: Carefully identify
and separate critical data from information that is readily available to internal
network users. Establish a multilevel data classification scheme based on the
impact of any data exposure, and ensure that only authenticated users have
access to nonpublic data and files.
( C ) M A R C H A N Y 2 0 1 7 15
THE 20 CRITICAL CONTROLS: 16-20
16. Account Monitoring and Control
Keep attackers from impersonating legitimate users: Review all system accounts and disable any that are not associated with a business process and owner.
17. Data Loss Prevention
Stop unauthorized transfer of sensitive data through network attacks and physical theft: Scrutinize the movement of data across network boundaries, both electronically and physically, to minimize the exposure to attackers.
18. Incident Response Capability (validated manually)
19. Secure Network Engineering (validated manually)
Keep poor network design from enabling attackers: Use a robust, secure network engineering process to prevent security controls from being circumvented. Allow rapid deployment of new access controls to quickly deflect attacks.
20. Penetration Tests and Red Team Exercises (validated manually)
( C ) M A R C H A N Y 2 0 1 7 16
IMPLEMENTATION TIPS
Secure upper management backing
Do a 20 Critical Controls Gap Analysis
Sample Gap Analysis – Quick & Dirty version
Find out who at your organization has the information needed by a particular control
Get access to the info
Pick 2-4 controls at a time,
Rinse, lather and repeat
This is a 3-5 year project.
( C ) M A R C H A N Y 2 0 1 7 17
SAMPLE GAP ANALYSIS
( C ) M A R C H A N Y 2 0 1 7 18
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
YOU HAVE THE ANSWERS ALREADY
1. Inventory of authorized and unauthorized device
Obtain from your network management group
2. Inventory of authorized and unauthorized software
Obtain from software purchasing group
3. Secure configurations for hardware and software on laptops, workstations, and servers
Policy
4. Continuous Vulnerability Assessment and Remediation
IT Security Office runs weekly scans against critical servers
5. Malware Defense
IT Security Office
( C ) M A R C H A N Y 2 0 1 7 19
CONTROL ENTITY RELATIONSHIP DIAGRAM (ERD) #1
( C ) M A R C H A N Y 2 0 1 7 20
Courtesy J. Tarala, E. Cole
YOU HAVE THE ANSWERS ALREADY
6. Application Software Security
Security Questionnaires
7. Wireless Device Control
Network management group
8. Data Recovery Capability (validated manually)
Network Backup service, departmental backup process
9. Security Skills Assessment & Appropriate Training To Fill Gaps (validate manually)
Secure the Human
10. Secure configurations for network devices such as firewalls, routers, and switches
Network Management Group
( C ) M A R C H A N Y 2 0 1 7 21
YOU HAVE THE ANSWERS ALREADY
11. Limitation and Control of Network Ports, Protocols, and Services
Policy, Standards, Individual Departmental guidelines
12. Controlled Use of Administrative Privileges
Policy, Standards, Individual Departmental guidelines
13. Boundary Defense
Policy, Standards, define the boundary!
14. Maintenance, Monitoring and Analysis of Audit Logs
Standard Sysadmin practice, SIEM, Syslog server
15. Controlled Access Based On Need to Know
Business process rules, Identity Mgt process
( C ) M A R C H A N Y 2 0 1 7 22
YOU HAVE THE ANSWERS ALREADY
16. Account Monitoring and Control
HR Policies/process, Identity Mgt process
17. Data Loss Prevention
Sensitive Data protection policy/standards, network forensics
18. Incident Response Capability (validated manually)
IT Security Office, Upper Mgt approval
19. Secure Network Engineering (validated manually)
Network mgt group configuration rules
20. Penetration Tests and Red Team Exercises (validated manually)
( C ) M A R C H A N Y 2 0 1 7 23
SUMMARY
Need an operational plan to implement a Security Framework?
Use the 20 Critical Security Controls
It’s auditable, strengthens your overall defensive posture
References
http://www.auditscripts.com/free-resources/critical-security-controls/ - CSC documents,
excellent gap analysis spreadsheets
https://www.cisecurity.org/critical-controls.cfm - home page for the CSC
http://security.vt.edu/policies/critical_security_controls.html -
VA Tech short version gap analysis
( C ) M A R C H A N Y 2 0 1 7 24
CONTACT INFO
Randy Marchany
VA Tech IT Security Office and Lab
1300 Torgersen Hall
620 Drillfield Dr.
Blacksburg, VA 24061
540-231-9523
Twitter: @randymarchany
Blogs: randymarchany.blogspot.com
http://www.securitycurrent.com/en/writers/randy-marchany
( C ) M A R C H A N Y 2 0 1 7 25