SANS 20 Critical Controls – Quick Wins
Priorities and Recommendations

Provided by the Washington Cities Insurance Authority (WCIA)

Prepared by:
Doug Selix, WCIA IT Security Consultant
Andrew Fischer, Silver Lake Water and Sewer District
David Dalan, City of Walla Walla
Dave Read, Thurston Regional Planning Council
Terry Peterson, SNOCOM 911
Worth Norton, City of Marysville

© Copyright March, 2013 by Washington Cities Insurance Authority. All rights reserved.



This material was prepared by Washington Cities Insurance Authority (WCIA) for the exclusive use of its employees and staff and WCIA-member cities and entities. No part of this material may be reproduced in any form whatsoever, incorporated into any information retrieval system, electronic or mechanical, or distributed to third parties, without the express, written permission of WCIA, the copyright holder.

Prima Washington has received permission to distribute this material to its members only.


Contents

Introduction

Group Priority - 1
Control No. 13 – Boundary Defense

Group Priority - 2
Control No. 12 – Controlled Use of Administrative Privilege

Group Priority - 3
Control No. 4 – Continuous Vulnerability Assessment and Remediation

Group Priority - 4
Control No. 8 – Data Recovery Capability

Group Priority - 5
Control No. 5 – Malware Defenses

Group Priority - 6
Control No. 14 – Maintenance, Monitoring, and Analysis of Audit Logs

Group Priority - 7
Control No. 16 – Account Monitoring and Control

Group Priority - 8
Control No. 2 – Inventory of Authorized and Unauthorized Software

Group Priority - 9
Control No. 3 – Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers

Group Priority - 10
Control No. 1 – Inventory of Authorized and Unauthorized Devices

General Recommendations

Group Priority - 11
Control No. 19 – Secure Network Engineering

Group Priority - 12
Control No. 10 – Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

Group Priority - 13
Control No. 9 – Security Skills Assessment and Appropriate Training to Fill Gaps

Group Priority - 14
Control No. 11 – Limitation and Control of Network Ports, Protocols, and Services


Group Priority - 15
Control No. 7 – Wireless Device Control

Group Priority - 16
Control No. 15 – Controlled Access Based on the Need to Know

Group Priority - 17
Control No. 6 – Application Software Security

Group Priority - 18
Control No. 17 – Data Loss Prevention

Group Priority - 19
Control No. 18 – Incident Response and Management

Group Priority - 20
Control No. 20 – Penetration Tests and Red Team Exercises


Introduction

The Technical workgroup came together two times during May 2013. They evaluated the SANS 20 Critical Controls, prioritized them, and developed technical solution recommendations for the Top 10 most important controls. Members should consider this guidance if they are missing any of these Critical Controls.


Group Priority - 1

Control No. 13 – Boundary Defense

Risk: Attackers focus on exploiting systems that they can reach across the Internet, including not only DMZ systems but also workstation and laptop computers that pull content from the Internet through network boundaries. Threats such as organized crime groups and nation-states use configuration and architectural weaknesses found on perimeter systems, network devices, and Internet-accessing client machines to gain initial access into an organization. Then, with a base of operations on these machines, attackers often pivot to get deeper inside the boundary to steal or change information or to set up a persistent presence for later attacks against internal hosts. Additionally, many attacks occur between business partner networks, sometimes referred to as extranets, as attackers hop from one organization’s network to another, exploiting vulnerable systems on extranet perimeters.

GOALS: To control the flow of traffic through network borders and police content by looking for attacks and evidence of compromised machines, boundary defenses should be multi-layered, relying on firewalls, proxies, DMZ perimeter networks, and network-based IPS and IDS. It is also critical to filter both inbound and outbound traffic.

Reference: SANS What Works for Critical Control 13: https://www.sans.org/critical-security-controls/vendor-solutions/control/13


Control No. 13 – Boundary Defense – Quick Win No. 1

13.1 Deny communications with (or limit data flow to) known malicious IP addresses (black lists), or limit access only to trusted sites (white lists). Tests can be periodically carried out by sending packets from bogon source IP addresses (unroutable or otherwise unused IP addresses) into the network to verify that they are not transmitted through network perimeters. Lists of bogon addresses are publicly available on the Internet from various sources, and indicate a series of IP addresses that should not be used for legitimate traffic traversing the Internet.

13.1 - Recommendations: Recommended Products or Services

Members with No IT Staff:

Consider using a Security as a Service vendor (Required), such as:
a) Zscaler
b) Solutionary
c) SecureWorks
d) Security on Demand

Consider installing a firewall device with paid service subscriptions for AV, IPS, and Web Filtering (UTM class firewalls) (Required), such as:
a) Fortinet 60 Series
b) Dell SonicWall TZ Series
c) Barracuda NG Series

Configure a segmented network (Required):
a) Public access Wi-Fi or wireless goes on the DMZ or on a public network, not on the internal network.
b) Remote access only with VPN on the firewall.
c) Outsource web servers.

Consider adding a monitoring and response service (Optional):
a) MK Hamilton & Associates

Members with IT Staff:

Consider installing a firewall device with paid service subscriptions for AV, IPS, and Web Filtering (UTM class firewalls) (Required), such as:
a) Fortinet
b) Dell SonicWall
c) Palo Alto

Configure a segmented network (Required):
a) Public access Wi-Fi or wireless goes on the DMZ or on a public network, not on the internal network.
b) Remote access only with VPN on the firewall.
c) Outsource all web servers or install them on the DMZ.

Consider adding a next generation network threat monitoring appliance or service (Optional):
a) FireEye
b) GFI Lancope
c) Snort
d) Suricata

Consider implementing a Web Application Firewall (WAF) (Optional):
a) Barracuda
b) ModSecurity
c) Imperva
d) Cloudflare

NOTE: The required border defense recommendations can be accomplished by implementing and using the features in a modern UTM firewall appliance or Managed Security Service.
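As an added example that is not part of the WCIA guidance, the Python check below reads constructed firewall log lines (an assumed key=value format) and lists the packets that were permitted in from the Internet side with a bogon source address, which is exactly what the periodic bogon test in 13.1 is meant to catch. The prefix list is a fixed set of special-purpose ranges and is an assumption of this example; a production check should load a maintained public bogon list.

```python
import ipaddress

# Fixed special-purpose IPv4 prefixes that must never be the source of a
# packet arriving from the Internet. Assumed static list for this example;
# a production check should load a maintained public bogon list, which
# also tracks unallocated address space that changes over time.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918 private
    "100.64.0.0/10",    # RFC 6598 shared address space (carrier NAT)
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918 private
    "192.0.0.0/24",     # IETF protocol assignments
    "192.0.2.0/24",     # RFC 5737 documentation (TEST-NET-1)
    "192.168.0.0/16",   # RFC 1918 private
    "198.18.0.0/15",    # benchmarking
    "198.51.100.0/24",  # RFC 5737 documentation (TEST-NET-2)
    "203.0.113.0/24",   # RFC 5737 documentation (TEST-NET-3)
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved and limited broadcast
)]

# Constructed firewall log lines in an assumed key=value format. in_if is
# the interface the packet arrived on ("wan" is the Internet side). 8.8.8.8
# stands in for an ordinary routable source; the other WAN-side sources are
# the bogons injected by the periodic test that 13.1 describes.
SAMPLE_LOG = """\
ts=2013-05-01T10:00:01 in_if=wan action=permit src=8.8.8.8 dst=172.16.10.5 dport=53
ts=2013-05-01T10:00:02 in_if=wan action=deny src=10.1.2.3 dst=172.16.10.5 dport=22
ts=2013-05-01T10:00:03 in_if=wan action=permit src=192.168.50.9 dst=172.16.10.5 dport=3389
ts=2013-05-01T10:00:04 in_if=lan action=permit src=192.168.1.15 dst=8.8.8.8 dport=53
ts=2013-05-01T10:00:05 in_if=wan action=permit src=203.0.113.7 dst=172.16.10.5 dport=443
ts=2013-05-01T10:00:06 in_if=wan action=deny src=127.0.0.1 dst=172.16.10.5 dport=80
""".splitlines()


def matching_bogon(addr: str):
    """Return the bogon prefix containing addr, or None if it is routable."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return None  # this check covers IPv4 only
    for net in BOGON_PREFIXES:
        if ip in net:
            return str(net)
    return None


def parse_log_line(line: str) -> dict:
    """Split one key=value log line into a dict (tokens without '=' are ignored)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def find_leaked_bogons(log_lines):
    """List permitted Internet-side packets whose source is a bogon.

    A private source seen on the inside interface is normal; the same
    source arriving on the WAN interface is spoofed, and a correctly
    filtered border should have dropped it. Each hit is
    (src, bogon prefix, dst, dport).
    """
    leaked = []
    for line in log_lines:
        f = parse_log_line(line)
        if f.get("action") != "permit" or f.get("in_if") != "wan":
            continue
        prefix = matching_bogon(f["src"])
        if prefix is not None:
            leaked.append((f["src"], prefix, f["dst"], f.get("dport")))
    return leaked


if __name__ == "__main__":
    for src, prefix, dst, dport in find_leaked_bogons(SAMPLE_LOG):
        print(f"bogon source {src} ({prefix}) reached {dst}:{dport} - border filter gap")
```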


Control No. 13 – Boundary Defense – Quick Win No. 2

13.2 On DMZ networks, monitoring systems (which may be built in to the IDS sensors or deployed as a separate technology) should be configured to record at least packet header information, and preferably full packet headers and payloads of the traffic destined for or passing through the network border. This traffic should be sent to a properly configured Security Information and Event Management (SIEM) or log analytics system so that events can be correlated from all devices on the network.

13.2 - Recommendations: Recommended Products or Services

Members with No IT Staff:

Consider using a Security as a Service vendor for the SIEM function (e.g. log file aggregation and assessment), or install a SIEM tool managed and monitored by a local support vendor. (Optional)

Members with IT Staff:

Consider installing a SIEM tool managed and monitored by member IT staff:
a) SolarWinds Kiwi Syslog
b) McAfee Nitro

Control No. 13 – Boundary Defense – Quick Win No. 3

13.3 To lower the chance of spoofed e-mail messages, implement the Sender Policy Framework (SPF) by deploying SPF records in DNS and enabling receiver-side verification in mail servers.

13.3 - Recommendations: Recommended Products or Services

Members with No IT Staff and Members with IT Staff:

Consider using a Software as a Service vendor for e-mail:
a) Google Gmail
b) Microsoft Office 365

If you operate your own Exchange server, add a spam filter or implement the spam filter feature of a UTM firewall (Required):
a) Barracuda
b) IronPort
c) GFI

NOTE: The required border defense recommendations can be accomplished by implementing and using the features in a modern UTM firewall appliance or service.
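The receiver-side SPF evaluation that 13.3 asks for, as an added example rather than anything from the WCIA document or a real mail server: a small evaluator over constructed DNS data. The FAKE_DNS table, the city.example and mail.provider.example names and the handling policy in receiver_action are all assumptions of this example; a real receiver would query the TXT and A records over DNS.

```python
import ipaddress

# Constructed zone data standing in for real DNS lookups (assumption: a
# real receiver queries the TXT and A records over DNS). Addresses are
# RFC 5737 / RFC 3849 documentation ranges.
FAKE_DNS = {
    "city.example": {
        "TXT": "v=spf1 ip4:203.0.113.10 a include:mail.provider.example -all",
        "A": ["203.0.113.25"],
    },
    "mail.provider.example": {
        "TXT": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:100::/48 ~all",
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip: str, domain: str, dns=FAKE_DNS, depth: int = 0) -> str:
    """Evaluate domain's SPF record for the connecting sender_ip.

    Returns pass, fail, softfail, neutral, none or permerror, following
    RFC 7208 semantics for the subset implemented here: ip4, ip6, a,
    include and all, each with an optional +, -, ~ or ? qualifier. mx,
    exists, ptr and redirect= are not handled and yield permerror.
    """
    if depth > 10:  # RFC 7208 caps lookup-causing terms; also guards include loops
        return "permerror"
    record = dns.get(domain, {}).get("TXT")
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:  # a v6 sender never matches an ip4 network and vice versa
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "a":
            target = arg or domain
            matched = any(ip == ipaddress.ip_address(a)
                          for a in dns.get(target, {}).get("A", []))
        elif name == "include":
            inner = check_spf(sender_ip, arg, dns, depth + 1)
            if inner == "pass":
                matched = True
            elif inner in ("none", "permerror"):
                return "permerror"
            # fail/softfail/neutral inside an include: no match, keep going
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no term matched and the record had no "all"


def receiver_action(result: str) -> str:
    """Map an SPF result to the receiving server's handling (assumed policy)."""
    if result == "fail":
        return "reject"
    if result in ("softfail", "permerror"):
        return "accept and flag"
    return "accept"


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.77", "192.0.2.99"):
        result = check_spf(ip, "city.example")
        print(f"{ip:>16} -> {result:8} -> {receiver_action(result)}")
```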


Group Priority - 2

Control No. 12 – Controlled Use of Administrative Privilege

Risk: The misuse of administrator privileges is a primary method for attackers to spread inside a target enterprise. Two very common attacker techniques take advantage of uncontrolled administrative privileges. In the first, a workstation user, running as a privileged user, is fooled into opening a malicious e-mail attachment, downloading and opening a file from a malicious website, or simply surfing to a website hosting attacker content that can automatically exploit browsers. The file or exploit contains executable code that runs on the victim’s machine either automatically or by tricking the user into executing the attacker’s content. If the victim user’s account has administrative privileges, the attacker can take over the victim’s machine completely and install keystroke loggers, sniffers, and remote control software to find administrator passwords and other sensitive data. Similar attacks occur with e-mail. An administrator inadvertently opens an e-mail that contains an infected attachment and this is used to obtain a pivot point within the network that is used to attack other systems. The second common technique used by attackers is elevation of privileges by guessing or cracking a password for an administrative user to gain access to a target machine. If administrative privileges are loosely and widely distributed, the attacker has a much easier time gaining full control of systems, because there are many more accounts that can act as avenues for the attacker to compromise administrative privileges. One of the most common of these attacks involves the domain administration privileges in large Windows environments, giving the attacker significant control over large numbers of machines and access to the data they contain.

GOALS: Secure administrative privileges to only those with documented business requirements, with the standard being non-administrative access.

Reference: SANS What Works for Critical Control 12: https://www.sans.org/critical-security-controls/vendor-solutions/control/12


Control No. 12 – Controlled Use of Administrative Privilege – Quick Win No. 1

12.1 Use automated tools to inventory all administrative accounts and validate that each person with administrative privileges on desktops, laptops, and servers is authorized by a senior executive.

12.1 - Recommendations: Recommended Products or Services

Members with No IT Staff:

Establish clear policy (Required):
a) Limit admin accounts (domain, local).
b) Never use admin accounts for email or browsing.
c) Administrators get two accounts: one for admin work only, the other for normal user activity like email and browsing.

Implement tools to dump Active Directory accounts, security groups, and resource groups (Required):
a) AD Manager
b) Spiceworks
c) Hyena
d) Just look at local users and the Administrators groups in AD

Audit active user accounts against the active employee list from HR at least quarterly. Keep records of these audits. (Required)

Use a script or log aggregation SIEM tool to alert on administrator account use (Required):
a) Free script from Andrew Fischer
b) Spiceworks

Members with IT Staff:

Establish clear policy (Required):
a) Limit admin accounts (domain, local).
b) Never use admin accounts for email or browsing.
c) Administrators get two accounts: one for admin work only, the other for normal user activity like email and browsing.

Implement tools to dump Active Directory accounts, security groups, and resource groups (Required):
a) ScriptLogic Desktop Authority
b) AD Manager
c) Spiceworks
d) Hyena
e) PowerShell script

Audit active user accounts against the active employee list from HR at least quarterly. Keep records of these audits. (Required)

Use a script or log aggregation SIEM tool to alert on administrator account use (Required):
a) Free script from Andrew Fischer
b) Spiceworks


Control No. 12 – Controlled Use of Administrative Privilege – Quick Win No. 2

12.2 Configure all administrative passwords to be complex and contain letters, numbers and special characters intermixed with no dictionary words present in the password. Strong passwords should be of a sufficient length to increase the difficulty it takes to crack the password. Pass phrases containing multiple dictionary words, along with special characters, are acceptable if they are of a reasonable length.

12.2 - Recommendations: Recommended Products or Services

Members with No IT Staff:

Establish clear policy and include it in the vendor agreement and Statement of Work. (Required)
a) Configure Active Directory to enforce the policy.
b) Establish checklists (require them in the vendor contract) for new device configuration.
c) Limit use of administrative accounts.

Implement Microsoft Active Directory or some similar technology to manage user accounts and permissions that includes password enforcement features (Required). Zentyal is a pretty solid small business server alternative to Microsoft.

Members with IT Staff:

Establish clear policy (Required):
a) Comply with the appropriate portion of the State of WA OCIO IT Security Standards.
b) Configure Active Directory to enforce the policy.
c) Establish checklists for new device configuration.
d) Limit use of administrative accounts.

Implement Microsoft Active Directory or some similar technology to manage user accounts and permissions that includes password enforcement features (Required).

NOTE: Below is an example of Microsoft Group Policy Settings to implement this control:
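The Group Policy screenshot that note refers to is not reproduced in this transcript. As an added example (not from the WCIA guidance), the Python check below encodes the 12.2 rules as written, with both routes to acceptance: an intermixed complex password with no dictionary words, or a passphrase of several dictionary words plus special characters. The length thresholds, the class-switch test for "intermixed" and the small word list are this example's assumptions.

```python
import re

# Assumed thresholds: 12.2 asks for "sufficient" and "reasonable" length
# without naming numbers, so these are this example's choices.
MIN_COMPLEX_LEN = 12        # letters + digits + specials, no dictionary words
MIN_PASSPHRASE_LEN = 20     # several dictionary words plus specials
MIN_PASSPHRASE_WORDS = 3
MIN_CLASS_SWITCHES = 3      # "intermixed": how often the character class changes

# Tiny constructed word list; a real check loads a full dictionary.
DICTIONARY = {"city", "water", "admin", "password", "summer", "walla",
              "river", "council", "bridge", "coffee", "harbor", "sewer"}


def dictionary_words_in(password: str):
    """Dictionary words found anywhere inside the password (case-insensitive)."""
    lowered = password.lower()
    return sorted(w for w in DICTIONARY if w in lowered)


def char_class(c: str) -> str:
    return "L" if c.isalpha() else "D" if c.isdigit() else "S"


def class_switches(password: str) -> int:
    """How many times the character class changes along the password.

    'Summer2013!' switches twice (letters -> digits -> special), the usual
    'word, year, punctuation' shape; a truly intermixed password switches
    many more times.
    """
    classes = [char_class(c) for c in password]
    return sum(1 for a, b in zip(classes, classes[1:]) if a != b)


def check_admin_password(password: str):
    """Return (accepted, reasons) for the 12.2 policy.

    Accepted either as a passphrase (several dictionary words, at least one
    special character, long enough) or as a complex password (letters,
    digits and specials intermixed, no dictionary words, long enough).
    """
    words = dictionary_words_in(password)
    has_special = re.search(r"[^A-Za-z0-9]", password) is not None
    if (len(words) >= MIN_PASSPHRASE_WORDS and has_special
            and len(password) >= MIN_PASSPHRASE_LEN):
        return True, []

    reasons = []
    if len(password) < MIN_COMPLEX_LEN:
        reasons.append(f"too short ({len(password)} < {MIN_COMPLEX_LEN})")
    missing = [name for name, ok in (
        ("letter", any(c.isalpha() for c in password)),
        ("digit", any(c.isdigit() for c in password)),
        ("special character", has_special)) if not ok]
    if missing:
        reasons.append("missing " + ", ".join(missing))
    if words:
        reasons.append("contains dictionary word(s): " + ", ".join(words))
    if class_switches(password) < MIN_CLASS_SWITCHES:
        reasons.append("character classes are grouped, not intermixed")
    return (not reasons), reasons


if __name__ == "__main__":
    for candidate in ("Summer2013!", "xK7#qL9$wP2!", "correct-river-bridge-coffee!"):
        accepted, reasons = check_admin_password(candidate)
        print(f"{candidate!r}: {'accepted' if accepted else 'rejected'} {reasons}")
```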


Control No. 12 – Controlled Use of Administrative Privilege – Quick Win No. 3

12.3 Configure all administrative-level accounts to require regular password changes on a frequent interval tied to the complexity of the password.

12.3 - Recommendations: Recommended Products or Services

Members with No IT Staff:

Establish clear policy and include it in the vendor agreement and Statement of Work. (Required)
a) Configure Active Directory to enforce the policy.
b) Establish checklists (require them in the vendor contract) for new device configuration.
c) Limit use of administrative accounts.

Implement Microsoft Active Directory or some similar technology to manage user accounts and permissions that includes password enforcement features (Required). Zentyal is a pretty solid small business server alternative to Microsoft.

Members with IT Staff:

Establish clear policy (Required):
a) Comply with the appropriate portion of the State of WA OCIO IT Security Standards.
b) Configure Active Directory to enforce the policy.
c) Establish checklists for new device configuration.
d) Limit use of administrative accounts.

Implement Microsoft Active Directory or some similar technology to manage user accounts and permissions that includes password enforcement features (Required).

NOTE: Below is an example of Microsoft Group Policy Settings to implement this control:


Control No. 12 – Controlled Use of Administrative Privilege – Quick Win No. 4

12.4 Before deploying any new devices in a networked environment, organizations should change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems to a difficult-to-guess value.

12.4 - Recommendations: Recommended Products or Services

Members with No IT Staff:

Support vendor agreements should stipulate this requirement for all new technology.

Members with IT Staff:

Policy should stipulate this requirement.

New technology installation checklists should be developed that include this requirement. Checklists should be used and signed by the technician who configures new things. Completed checklists should be retained to support future audits.


Control No. 12 – Controlled Use of Administrative Privilege – Quick Win No. 5

12.5 Ensure all service accounts have long and difficult-to-guess passwords that are changed on a periodic basis, as is done for traditional user and administrator passwords, at a frequent interval of no longer than 90 days.

12.5 - Recommendations: Recommended Products or Services

Members with No IT Staff:

Not something these people can change (COTS vendor install sets these up).

Members with IT Staff:

Worth coming up with content:

Consider deploying an enterprise class password vault that has the ability to manage service accounts, such as:
a) Thycotic Secret Server
b) ManageEngine Password Manager Pro
c) Quest Privileged Account Manager

NOTE: Below is an example of Microsoft Group Policy Settings to implement this control:
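One way to run the 12.1 inventory validation (every admin account on an executive-approved list, every enabled account backed by an active employee) and the 12.5 service-account password-age ceiling over the same account dump, as an added example that is not from the WCIA document or from any of the listed tools. The export columns, the HR and approved-admin lists and the account names are all constructed for this example.

```python
import csv
import io
from datetime import date

# Constructed export of the kind an AD dump tool produces (assumed columns).
# "owner" ties an account to the person behind it; blank for service accounts.
AD_EXPORT = """\
sam,enabled,type,groups,pwd_last_set,owner
jdoe,True,user,Domain Users,2013-04-20,jdoe
jdoe-adm,True,user,Domain Users;Domain Admins,2013-04-20,jdoe
bsmith,True,user,Domain Users,2012-11-02,bsmith
bsmith-adm,True,user,Domain Users;Domain Admins,2012-11-02,bsmith
tlee,True,user,Domain Users,2013-01-15,tlee
svc-backup,True,service,Domain Users;Backup Operators,2012-09-01,
svc-sql,True,service,Domain Users,2013-03-10,
oldtemp,False,user,Domain Users,2011-06-06,oldtemp
"""

# Constructed reference lists: HR's active employees and the admin accounts
# a senior executive has signed off on (12.1). tlee has left but is still
# enabled; bsmith-adm was never approved.
HR_ACTIVE = {"jdoe", "bsmith"}
APPROVED_ADMINS = {"jdoe-adm"}
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
MAX_SERVICE_PW_AGE_DAYS = 90          # 12.5 ceiling
AS_OF = date(2013, 5, 15)             # audit date for the constructed data


def audit_accounts(export_text: str, hr_active, approved_admins, as_of: date):
    """Return (account, issue) findings for the 12.1 and 12.5 checks.

    - an enabled admin-group member not on the executive-approved list
    - an enabled user account whose owner is not an active employee
    - a service account whose password is older than the 90-day ceiling
    Disabled accounts are skipped; they belong to an account-cleanup audit.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"] != "True":
            continue
        groups = set(row["groups"].split(";"))
        if groups & ADMIN_GROUPS and row["sam"] not in approved_admins:
            findings.append((row["sam"],
                             "admin group member not on executive-approved list"))
        if row["type"] == "user" and row["owner"] not in hr_active:
            findings.append((row["sam"],
                             "enabled account with no active HR record"))
        if row["type"] == "service":
            age = (as_of - date.fromisoformat(row["pwd_last_set"])).days
            if age > MAX_SERVICE_PW_AGE_DAYS:
                findings.append((row["sam"],
                                 f"service account password is {age} days old "
                                 f"(limit {MAX_SERVICE_PW_AGE_DAYS})"))
    return findings


def run_audit():
    """Audit the constructed export with the constructed reference lists."""
    return audit_accounts(AD_EXPORT, HR_ACTIVE, APPROVED_ADMINS, AS_OF)


if __name__ == "__main__":
    for account, issue in run_audit():
        print(f"{account:12} {issue}")
```

Keeping the returned findings (with the audit date) satisfies the "keep records of these audits" part of 12.1.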


Control No. 12 – Controlled Use of Administrative Privilege – Quick Win No. 6

12.6 Passwords for all systems should be stored in a well-hashed or encrypted format, with weaker formats eliminated from the environment. Furthermore, files containing these encrypted or hashed passwords required for systems to authenticate users should be readable only with super-user privileges.

12.6 - Recommendations: Recommended Products or Services

Members with No IT Staff:

Require that vendors turn on the password encryption features of all systems, applications, and devices.

Implement a password vault for manual passwords.

Members with IT Staff:

Ensure the password encryption features on devices and systems are turned on.

Implement an enterprise class password vault for manual passwords. Consider deploying an enterprise class password vault that has the ability to manage service accounts, such as:
a) Thycotic Secret Server
b) ManageEngine Password Manager Pro
c) Quest Privileged Account Manager
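Both halves of 12.6 checked on a Unix-style host, as an added example that is not from the WCIA guidance: the audit below reads a constructed shadow-style password file, flags entries stored in weak, empty or unrecognised formats, and tests whether a file mode leaves the password file readable by ordinary users. The strength classification of crypt prefixes and the accepted root:shadow 0640 baseline are assumptions of this example.

```python
import os
import re
import stat

# Crypt-style prefixes grouped by strength (assumed classification; adjust
# to the methods the platform actually supports).
STRONG = {"$6$": "sha512crypt", "$5$": "sha256crypt", "$2a$": "bcrypt",
          "$2b$": "bcrypt", "$2y$": "bcrypt", "$7$": "scrypt",
          "$y$": "yescrypt", "$gy$": "gost-yescrypt"}
WEAK = {"$1$": "md5crypt", "$apr1$": "apache md5crypt"}
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")   # traditional 13-character DES crypt

# Constructed shadow-style file; the hash bodies are placeholders, not real digests.
SAMPLE_SHADOW = """\
root:$6$saltsalt$NOTAREALHASHPLACEHOLDER:15800:0:99999:7:::
alice:$y$j9T$saltsaltsalt$NOTAREALHASHPLACEHOLDER:15800::::::
svc-legacy:$1$abcdefgh$NOTAREALHASHPLACEHOL:15400::::::
bob:aBcDeFgHiJkLm:15200::::::
guest::15000::::::
daemon:*:15000::::::
sync:!!:15000::::::
"""


def classify_hash(field: str):
    """Return (status, method) for one password field.

    status is ok, weak, empty, locked or unknown.
    """
    if field == "":
        return "empty", "no password set"
    if field.startswith(("!", "*")):
        return "locked", "login disabled"
    for prefix, name in STRONG.items():
        if field.startswith(prefix):
            return "ok", name
    for prefix, name in WEAK.items():
        if field.startswith(prefix):
            return "weak", name
    if DES_CRYPT.fullmatch(field):
        return "weak", "traditional DES crypt"
    return "unknown", "unrecognised format"


def audit_shadow(text: str):
    """Accounts whose stored password does not meet 12.6: weak, empty or unknown format."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":")[:2]
        status, method = classify_hash(field)
        if status in ("weak", "empty", "unknown"):
            findings.append((user, status, method))
    return findings


def mode_exposes_file(mode: int) -> bool:
    """True when a file mode grants 'other' any access or lets the group write.

    12.6 wants the file readable only with super-user privileges; a group
    read bit is tolerated here because Linux keeps /etc/shadow as
    root:shadow 0640 (assumption about the accepted baseline).
    """
    perm = stat.S_IMODE(mode)
    return bool(perm & 0o007) or bool(perm & 0o020)


def shadow_file_exposed(path: str) -> bool:
    """Apply mode_exposes_file to a real file on disk."""
    return mode_exposes_file(os.stat(path).st_mode)


if __name__ == "__main__":
    for user, status, method in audit_shadow(SAMPLE_SHADOW):
        print(f"{user:12} {status:8} {method}")
    print("0644 exposes file:", mode_exposes_file(0o100644))
```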


Control No. 12 – Controlled Use of Administrative Privilege – Quick Win No. 7

12.7 Utilize access control lists to ensure that administrator accounts are used only for system administration activities, and not for reading e-mail, composing documents, or surfing the Internet. Web browsers and e-mail clients especially must be configured to never run as administrator.

12.7 - Recommendations: Recommended Products or Services

Members with No IT Staff and Members with IT Staff:

Do not create email inboxes for any administrator accounts. (Required)

Administrators must have a normal user account in addition to administrator accounts. The normal account is the only account that is allowed to use email or browse the Internet. They should never use an administrative account for these functions. (Required)

Implement UTM firewall Active Directory integration with LDAP. Alternatively, the UTM firewall could have a workstation client agent that passes the user name to the firewall. In both cases the firewall would have an access control to disallow Internet access to administrative accounts. (Required)

If there is no Active Directory, implement a client/host based firewall with account restriction features. (Optional)


Control No. 12 – Controlled Use of Administrative Privilege – Quick Win No. 8

12.8 Through policy and user awareness, require that administrators establish unique, different passwords for their administrator and non-administrator accounts. Each person requiring administrative access should be given his/her own separate account. Administrative accounts should never be shared. Users should only use the Windows “administrator” or Unix “root” accounts in emergency situations. Domain administration accounts should be used when required for system administration instead of local administrator accounts.

12.8 - Recommendations: Recommended Products or Services

Members with No IT Staff and Members with IT Staff:

Implement controls, such as dedicated administrative OUs, that have unique password requirements.

Control No. 12 – Controlled Use of Administrative Privilege – Quick Win No. 9

12.9 Configure operating systems so that passwords cannot be re-used within a certain timeframe, such as six months.

12.9 - Recommendations: Recommended Products or Services

Members with No IT Staff:

Establish clear policy and include it in the vendor agreement and Statement of Work. (Required)
a) Configure Active Directory to enforce the policy.
b) Establish checklists (require them in the vendor contract) for new device configuration.
c) Limit use of administrative accounts.

Implement Microsoft Active Directory or some similar technology to manage user accounts and permissions that includes password enforcement features (Required). Zentyal is a pretty solid small business server alternative to Microsoft.

Members with IT Staff:

Establish clear policy (Required):
a) Comply with the appropriate portion of the State of WA OCIO IT Security Standards.
b) Configure Active Directory to enforce the policy.
c) Establish checklists for new device configuration.
d) Limit use of administrative accounts.

Implement Microsoft Active Directory or some similar technology to manage user accounts and permissions that includes password enforcement features (Required).


Group Priority - 3

Control No. 4 – Continuous Vulnerability Assessment and Remediation

Risk: Vulnerabilities in operating systems and software provide ample opportunity for persistent attackers to break through, gaining control over the vulnerable machines and getting access to the sensitive data they contain. Organizations that do not scan for vulnerabilities and address discovered flaws proactively face a significant likelihood of having their computer systems compromised.

GOALS: Find and mitigate known vulnerabilities quickly and consistently.

Reference: SANS What Works for Critical Control 4: https://www.sans.org/critical-security-controls/vendor-solutions/control/4


Control No. 4 – Continuous Vulnerability Assessment and Remediation – Quick Win No. 1

4.1 Run automated vulnerability scanning tools against all systems on their networks on a weekly or more frequent basis using a SCAP-validated vulnerability scanner that looks for both code-based vulnerabilities (CVE) and configuration-based vulnerabilities (CCE). Where feasible, vulnerability scanning should occur on a daily basis using an up-to-date vulnerability scanning tool. Any vulnerability identified should be remediated in a timely manner, with critical vulnerabilities fixed within 48 hours.

4.1 - Recommendations:

Recommended Products or Services

Members with No IT Staff:
Use services such as the WCIA Qualys Vulnerability Scan Service, or use your local support vendor to perform quarterly internal vulnerability scans using products in the other column.

Consider acquiring a Managed Security Service that includes this capability.
a) GFI Cloud
b) Zscaler

Members With IT Staff:
Consider implementing a vulnerability scanning tool:
a) Nessus
b) Nexpose
c) GFI LanGuard
d) Qualys

Use services such as the WCIA Qualys Vulnerability Scan Service.

Consider using services to perform security assessments:
a) IOActive
b) MK & Associates
c) See the MSSR section at the end of this report.


Control No. 4 – Continuous Vulnerability Assessment and Remediation – Quick Win No. 2

4.2 Event logs should be correlated with information from vulnerability scans to fulfill two goals. First, personnel should verify that the activity of the regular vulnerability scanning tools themselves is logged. Second, personnel should be able to correlate attack detection events with earlier vulnerability scanning results to determine whether the given exploit was used against a target known to be vulnerable.

4.2 - Recommendations:

Recommended Products or Services

Members with No IT Staff:
N/A for this class of environment; the vendor would use manual methods to perform correlation if needed.

Members With IT Staff:
Use SIEM tool automation or a manual method to perform correlation if needed.
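Both goals of 4.2 as an added Python example (not code from the WCIA document): it checks that the scanner's own activity shows up in a constructed IDS alert log, then labels each remaining alert by whether its target was already reported vulnerable to the referenced CVE in a constructed scan export. The scanner address, the log formats and the CVE-EXAMPLE-* identifiers are placeholders.

```python
"""Correlate intrusion-detection alerts with earlier vulnerability-scan findings.

Added example for Quick Win 4.2; not code from the WCIA document. The scan
export, the alert log, the scanner address and the CVE-EXAMPLE-* identifiers
are all constructed placeholders.
"""
from datetime import datetime

# Constructed: address from which the dedicated scanning account (Quick Win 4.3)
# runs its scans. Alerts from it are expected and prove the scanner is logged.
SCANNER_IP = "10.0.0.5"

# Constructed scan export: "<scan time> <host> <cve>" per line.
SCAN_EXPORT = """\
2013-03-01T02:00:00 10.0.1.20 CVE-EXAMPLE-1
2013-03-01T02:00:00 10.0.1.21 CVE-EXAMPLE-2
2013-03-01T02:00:00 10.0.1.22 CVE-EXAMPLE-1
"""

# Constructed IDS alert log: "<time> <src> <dst> <cve or -> <signature name>".
ALERT_LOG = """\
2013-03-04T09:12:01 10.0.0.5 10.0.1.20 - Vulnerability scanner probe
2013-03-04T13:40:22 203.0.113.9 10.0.1.20 CVE-EXAMPLE-1 Exploit attempt
2013-03-04T13:41:05 203.0.113.9 10.0.1.21 CVE-EXAMPLE-1 Exploit attempt
2013-03-04T14:02:17 203.0.113.9 10.0.1.22 - Port sweep
"""


def parse_scan(text):
    """Return {(host, cve): latest time the scanner reported that finding}."""
    index = {}
    for line in text.splitlines():
        when, host, cve = line.split(maxsplit=2)
        seen = datetime.fromisoformat(when)
        key = (host, cve)
        if key not in index or seen > index[key]:
            index[key] = seen
    return index


def parse_alerts(text):
    """Return a list of dicts, one per alert line."""
    alerts = []
    for line in text.splitlines():
        when, src, dst, cve, name = line.split(maxsplit=4)
        alerts.append({
            "when": datetime.fromisoformat(when),
            "src": src,
            "dst": dst,
            "cve": None if cve == "-" else cve,
            "name": name,
        })
    return alerts


def classify(alert, vuln_index):
    """Label one alert against the scan index (goal two of 4.2)."""
    if alert["src"] == SCANNER_IP:
        return "scanner-activity"        # the scanner's own traffic
    if alert["cve"] is None:
        return "no-cve"                  # signature has no CVE to correlate on
    seen = vuln_index.get((alert["dst"], alert["cve"]))
    if seen is not None and seen <= alert["when"]:
        return "known-vulnerable"        # exploit hit a host the scan had flagged
    return "not-known-vulnerable"        # scan did not report that flaw there


def scanner_activity_logged(alerts):
    """Goal one of 4.2: the scanner's own activity must appear in the log."""
    return any(a["src"] == SCANNER_IP for a in alerts)


def correlate(scan_text=SCAN_EXPORT, alert_text=ALERT_LOG):
    """Return (verdict per alert, counts per verdict, scanner_logged)."""
    index = parse_scan(scan_text)
    alerts = parse_alerts(alert_text)
    verdicts = [(a["dst"], a["cve"], classify(a, index)) for a in alerts]
    counts = {}
    for _, _, verdict in verdicts:
        counts[verdict] = counts.get(verdict, 0) + 1
    return verdicts, counts, scanner_activity_logged(alerts)


if __name__ == "__main__":
    verdicts, counts, logged = correlate()
    print("scanner activity logged:", logged)
    for dst, cve, verdict in verdicts:
        print(f"{dst:12} {cve or '-':14} {verdict}")
    print(counts)
```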

Control No. 4 – Continuous Vulnerability Assessment and Remediation – Quick Win No. 3

4.3 Utilize a dedicated account for authenticated vulnerability scans. The scanning account should not be used for any other administrative activities and should be tied to specific IP addresses. Ensure only authorized employees have access to the vulnerability management user interface and that roles are applied to each user.

4.3 - Recommendations:

Recommended Products or Services

Members with No IT Staff:
N/A to this class of environment.

Members With IT Staff:
For general vulnerability scans, use “unauthenticated” scans to determine what an attacker can do.
For general vulnerability scans, use an “administrator” account to examine as much of your environment as possible. In this case use a unique name so that testing logs can be filtered from attack logs.
To determine what kind of damage an internal authorized user can do, assign a “real user account” and run the scan against the target.


Control No. 4 – Continuous Vulnerability Assessment and Remediation – Quick Win No. 4

4.4 Subscribe to vulnerability intelligence services in order to stay aware of emerging exposures.

4.4 - Recommendations:

Recommended Products or Services

Members with No IT Staff:
Use WCIA Security Awareness Training.
Read the SANS NewsBites newsletter.

Members With IT Staff:
Follow US-CERT, MS-ISAC, ICS-ISAC, and Twitter feeds from IT security leaders.
Follow vendor updates/alerts for new vulnerabilities and patches.
Use WCIA Security Awareness Training.
Suggested lists of information security resources on Twitter:
http://www.forhacsec.com/2011/06/16/itinfosec-who-to-follow-on-twitter/
http://wefollow.com/interest/infosec
Follow Mike Hamilton on Twitter, SeattleOIS.


Group Priority - 4

Control No. 8 – Data Recovery Capability

Risk: When attackers compromise machines, they often make significant changes to configurations and software. Sometimes attackers also make subtle alterations of data stored on compromised machines, potentially jeopardizing organizational effectiveness with polluted information. When the attackers are discovered, it can be extremely difficult for organizations without a trustworthy data recovery capability to remove all aspects of the attacker’s presence on the machine.

GOALS: Have a trusted data recovery capability that is tested on a recurring basis.

Reference: SANS What Works for Critical Control 8: https://www.sans.org/critical-security-controls/vendor-solutions/control/8


Control No. 8 – Data Recovery Capability – Quick Win No. 1

8.1 Ensure that each system is automatically backed up on at least a weekly basis, and more often for systems storing sensitive information. To help ensure the ability to rapidly restore a system from backup, the operating system, application software, and data on a machine should each be included in the overall backup procedure. These three components of a system do not have to be included in the same backup file or use the same backup software. All backup policies should be compliant with any regulatory or official requirements.

8.1 - Recommendations:

Backup is intended to be a protection against loss or damage of the computers where data is located. This can be damage caused by a building fire, water pipe leak, equipment failure, human error, or natural disaster. It can also be caused by an attacker who alters or damages data on a device. Backup can be performed using tape or disk technology. If using removable media (e.g. tape or disk cartridges) make sure that they are encrypted and stored away from the building where they were created in a secure location.

If using disk-to-disk backup, make sure that the devices are separated. If you are located in Western Washington consider having one copy of your backup in Eastern Washington – we are expecting a large earthquake in Western Washington.

If using tape backup, make sure that you replace your tapes based on the manufacturer’s recommendations. Tape will wear out and is notoriously unreliable. Good reference document at Iron Mountain.

Recommended Products or Services

Members with No IT Staff:
Group 1 and 2 members should use an on-line backup service. Good article in PC Magazine.
a) Iron Mountain
b) Carbonite
c) State of WA, CTS Service

Members With IT Staff:
Use a good backup solution to perform disk-to-disk backup of all systems and data.
a) Symantec Backup Exec
b) Microsoft Server Backup Services

If using tape backup, store the tapes off-site in a secure location.

For virtual environments be sure you back up your host computer images. Consider solutions like:
a) VMware vSphere
b) Quest vRanger

For SQL or Oracle, use built-in transaction logging features to make incremental backups that are then copied by the disk-to-disk solution. Use in conjunction with NAS and SAN storage solutions that perform deduplication and extreme compression to two devices located in two different regions.


Control No. 8 – Data Recovery Capability – Quick Win No. 2

8.2 Data on backup media should be tested on a regular basis by performing a data restoration process to ensure that the backup is properly working.

NOTE: WCIA does not insure the loss of your data. They insure only the loss of tangible things.

8.2 - Recommendations:

Recommended Products or Services

Members with No IT Staff:
Include these exercises in service level agreements with service vendors.

Members With IT Staff:
Develop recovery checklists and test plans. Establish a schedule of testing at least annually for disk-based backup, more frequently for tape-based backup.
Train staff on how to do this, then perform at least an annual exercise.

Control No. 8 – Data Recovery Capability – Quick Win No. 3

8.3 Key personnel should be trained on both the backup and restoration processes. To be ready in case a major incident occurs, alternative personnel should also be trained on the restoration process just in case the primary IT point of contact is not available.

8.3 - Recommendations:

Recommended Products or Services

Members with No IT Staff:
Include these exercises in service level agreements with service vendors.

Members With IT Staff:
Develop recovery checklists and test plans. Establish a schedule of testing at least annually for disk-based backup, more frequently for tape-based backup.
Train staff on how to do this, then perform at least an annual exercise.


Group Priority - 5

Control No. 5 – Malware Defenses

Risk: Malicious software is an integral and dangerous aspect of Internet threats, targeting end users and organizations via web browsing, e-mail attachments, mobile devices, and other vectors. Malicious code may tamper with the system’s contents, capture sensitive data, and spread to other systems. Modern malware aims to avoid signature-based and behavioral detection, and may disable anti-virus tools running on the targeted system.

GOALS: Anti-virus and anti-spyware software, collectively referred to as anti-malware tools, help defend against these threats by attempting to detect malware and block its execution.

Reference: SANS What Works for Critical Control 5: https://www.sans.org/critical-security-controls/vendor-solutions/control/5


Control No. 5 – Malware Defenses – Quick Win No. 1

5.1 Employ automated tools to continuously monitor workstations, servers, and mobile devices for active, up-to-date anti-malware protection with anti-virus, anti-spyware, personal firewalls, and host-based IPS functionality. All malware detection events should be sent to enterprise anti-malware administration tools and event log servers. The endpoint security solution should include zero-day protection such as network behavioral heuristics.

5.1 - Recommendations:

Recommended Products or Services

Members with No IT Staff:
All servers and workstations should have up-to-date endpoint protection systems. Current vendors provide “Endpoint Defensive Suites” of defensive tools. Members should consider implementing full suites.
a) Symantec
b) Microsoft Essentials
c) Kaspersky
d) Sophos
e) Webroot security service
f) McAfee

Consider having your service vendor administer, monitor, and respond to alerts from this system.

Configure the endpoint defense system to include host-based intrusion protection as well as traditional AV and anti-malware capability.

Configure the endpoint defense system to allow only trusted software to run (whitelisting, or application control). If your endpoint defense does not include this capability, add a best-of-breed product in this area.
a) Bit9
b) Endpoint defense application control features

Members With IT Staff:
All servers and workstations should have up-to-date endpoint protection systems. Current vendors provide “Endpoint Defensive Suites” of defensive tools. Members should consider implementing full suites.
a) Symantec
b) Microsoft Essentials
c) Kaspersky
d) Sophos
e) Webroot security service
f) McAfee

Configure the endpoint defense system to include host-based intrusion protection as well as traditional AV and anti-malware capability.

Require alternative mitigating controls that include:
a) Limiting administrator permissions (e.g. end users should never have administrative rights)
b) Identifying allowed software with endpoint defense enforcement
c) Implementing these features in policy

Configure all defensive systems to alert 24x7 and make sure someone is on call to respond to these alerts. Configure systems to “fail safe” when alerts do occur. (optional)


Suggested Policy Statements regarding endpoint defense anti-virus and anti-malware features:

Your IT policy should include the following requirements:

It is the policy of <Your Organization> to acquire up-to-date versions of anti-virus and anti-malware defensive tools, keep the tools current with paid subscriptions, and install the tools on all servers, workstations, and mobile devices used by any employee of the <Your Organization> to conduct the business of the <Your Organization>.

It is the policy of <Your Organization> to require all contractors who are authorized to connect contractor owned equipment to the <Your Organization> network to have an up-to-date version of an anti-virus and anti-malware defensive tool, keep the tool current with paid subscriptions, and install the tool on all servers, workstations, and mobile devices used by any employee of the <Your Organization> to conduct the business of the <Your Organization>.

It is the policy of <Your Organization> to configure anti-virus and anti-malware systems to perform full scans on any newly inserted CD, DVD, or any USB device before that device is allowed to operate. Full scans of workstations, desktop, laptop, or mobile devices must be performed at least weekly. A log of all scan results must be retained for at least 90 days.


Control No. 5 – Malware Defenses – Quick Win No. 2

5.2 Employ anti-malware software and signature auto-update features or have administrators manually push updates to all machines on a daily basis. After applying an update, automated systems should verify that each system has received its signature update.

5.2 - Recommendations:

Recommended Products or Services

Members with No IT Staff:
All servers and workstations should have up-to-date endpoint protection systems.
a) Symantec
b) Microsoft Essentials
c) Kaspersky
d) Sophos
e) Webroot security service
f) McAfee

Consider having your service vendor administer, monitor, and respond to alerts from this system.

Configure the endpoint defense system to include host-based intrusion protection as well as traditional AV and anti-malware capability.

Configure the endpoint defense system to allow only trusted software to run (whitelisting, or application control). If your endpoint defense does not include this capability, add a best-of-breed product in this area.
a) Bit9
b) Endpoint defense application control features

Members With IT Staff:
All servers and workstations should have up-to-date endpoint protection systems.
a) Symantec
b) Microsoft Essentials
c) Kaspersky
d) Sophos
e) Webroot security service
f) McAfee

Configure the endpoint defense system to include host-based intrusion protection as well as traditional AV and anti-malware capability.

Require alternative mitigating controls that include:
a) Limiting administrator permissions (e.g. end users should never have administrative rights)
b) Identifying allowed software with endpoint defense enforcement
c) Implementing these features in policy

Configure all defensive systems to alert 24x7 and make sure someone is on call to respond to these alerts. Configure systems to “fail safe” when alerts do occur. (optional)


Control No. 5 – Malware Defenses – Quick Win No. 3

5.3 Configure laptops, workstations, and servers so that they will not auto-run content from USB tokens (i.e., “thumb drives”), USB hard drives, CDs/DVDs, Firewire devices, external serial advanced technology attachment devices, mounted network shares, or other removable media. If the devices are not required for business use, they should be disabled.

5.3 - Recommendations:

Recommended Products or Services

Members with No IT Staff:
Instruct your local support vendor to configure devices, operating systems, and endpoint defense systems to achieve this control.

Members With IT Staff:
Configure devices, operating systems, and endpoint defense systems to achieve this control.

Control No. 5 – Malware Defenses – Quick Win No. 4

5.4 Configure systems so that they conduct an automated anti-malware scan of removable media when it is inserted.

5.4 - Recommendations:

Recommended Products or Services

Members with No IT Staff:
Instruct your local support vendor to configure endpoint defense systems to achieve this control.

Members With IT Staff:
Configure endpoint defense systems to achieve this control.


Control No. 5 – Malware Defenses – Quick Win No. 5

5.5 All e-mail attachments entering the organization’s e-mail gateway should be scanned and blocked if they contain malicious code or file types unneeded for the organization’s business. This scanning should be done before the e-mail is placed in the user’s inbox. This includes e-mail content filtering and web content filtering.

5.5 - Recommendations:

Recommended Products or Services

Members with No IT Staff:
Select a UTM firewall that includes this capability, or use SaaS e-mail services. (Required)

Members With IT Staff:
Select a UTM firewall that includes this capability, a dedicated spam filter, or use SaaS e-mail services. (Required)

Control No. 5 – Malware Defenses – Quick Win No. 6

5.6 Apply anti-virus scanning at the Web Proxy gateway. Content filtering for file-types should be applied at the perimeter.

5.6 - Recommendations:

Recommended Products or Services

Members with No IT Staff:
Select a UTM firewall that includes this capability, or a dedicated perimeter or client-based web traffic filter. (Required)
Consider a web-based service for remote users.

Members With IT Staff:
Select a UTM firewall that includes this capability, or a dedicated perimeter or client-based web traffic filter. (Required)
Consider a web-based service for remote users.


Control No. 5 – Malware Defenses – Quick Win No. 7

5.7 Deploy features and toolkits such as Data Execution Prevention (DEP) and Enhanced Mitigation Experience Toolkit (EMET), products that provide sandboxing (e.g., run browsers in a VM), and other techniques that prevent malware exploitation.

5.7 - Recommendations:

Recommended Products or Services

Members with No IT Staff:
The support vendor must ensure DEP is activated on servers.

Members With IT Staff:
Ensure DEP is activated on servers.

Control No. 5 – Malware Defenses – Quick Win No. 8

5.8 Limit use of external devices to those that have a business need. Monitor for use and attempted use of external devices.

5.8 - Recommendations:

Recommended Products or Services

Members with No IT Staff:
Establish a policy that says staff only use approved devices.
NOTE: We do not see a practical way to mitigate this risk for this class of environment.

Members With IT Staff:
Establish a policy that says staff only use approved devices.
Use endpoint defense tools to monitor, restrict, and alert.


Group Priority - 6

Control No. 14 – Maintenance, Monitoring, and Analysis of Audit Logs

Risk: Deficiencies in security logging and analysis allow attackers to hide their location, malicious software used for remote control, and activities on victim machines. Even if the victims know that their systems have been compromised, without protected and complete logging records they are blind to the details of the attack and to subsequent actions taken by the attackers. Without solid audit logs, an attack may go unnoticed indefinitely and the particular damage done may be irreversible. Sometimes logging records are the only evidence of a successful attack. Many organizations keep audit records for compliance purposes, but attackers rely on the fact that such organizations rarely look at the audit logs, so they do not know that their systems have been compromised. Because of poor or nonexistent log analysis processes, attackers sometimes control victim machines for months or years without anyone in the target organization knowing, even though the evidence of the attack has been recorded in unexamined log files.

GOALS: Collection and analysis of audit logs.

Reference: SANS What Works for Critical Control 14: https://www.sans.org/critical-security-controls/vendor-solutions/control/14


Control No. 14 – Maintenance, Monitoring, and Analysis of Audit Logs – Quick Win No. 1

14.1 Organizations should have at least two synchronized time sources (i.e., Network Time Protocol – NTP) from which all servers and network equipment retrieve time information on a regular basis so that timestamps in logs are consistent.

14.1 - Recommendations:

Recommended Products or Services

Members with No IT Staff:
Use the USNO NTP network time servers located at the UW: http://tycho.usno.navy.mil/NTP/

Members With IT Staff:
Use the USNO NTP network time servers located at the UW: http://tycho.usno.navy.mil/NTP/

Control No. 14 – Maintenance, Monitoring, and Analysis of Audit Logs – Quick Win No. 2

14.2 Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.

14.2 - Recommendations:

Recommended Products or Services

Members with No IT Staff:
Instruct your local support vendor to consider this control if implementing a service or appliance for SIEM or log aggregation.

Members With IT Staff:
Consider this control if implementing a service or appliance for SIEM or log aggregation.


Control No. 14 – Maintenance, Monitoring, and Analysis of Audit Logs – Quick Win No. 3

14.3 Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis.

14.3 - Recommendations:

Recommended Products or Services

Members with No IT Staff:
Storage sizing and data organization should consider this requirement.

Members With IT Staff:
Storage sizing and data organization should consider this requirement.

Control No. 14 – Maintenance, Monitoring, and Analysis of Audit Logs – Quick Win No. 4

14.4 Develop a log retention policy to make sure that the logs are kept for a sufficient period of time. As APT (advanced persistent threat) continues to stealthily break into systems, organizations are often compromised for several months without detection. The logs must be kept for a longer period of time than it takes an organization to detect an attack so they can accurately determine what occurred.

14.4 - Recommendations:

Recommended Products or Services

Members with No IT Staff:
Follow the Washington State Secretary of State’s record retention policy and standards for this class of data.

Members With IT Staff:
Follow the Washington State Secretary of State’s record retention policy and standards for this class of data.


Control No. 14 – Maintenance, Monitoring, and Analysis of Audit Logs – Quick Win No. 5

14.5 All remote access to a network, whether to the DMZ or the internal network (i.e., VPN, dial-up, or other mechanism), should be logged verbosely.

14.5 - Recommendations:

Recommended Products or Services

Members with No IT Staff:
The local support vendor must implement this class of logging when installing the VPN remote access solution (a UTM firewall provides this capability).

Members With IT Staff:
Wherever your VPN remote access solution connects to the perimeter, this class of logging must be performed.

Control No. 14 – Maintenance, Monitoring, and Analysis of Audit Logs – Quick Win No. 6

14.6 Operating systems should be configured to log access control events associated with a user attempting to access a resource (e.g., a file or directory) without the appropriate permissions. Failed logon attempts must also be logged. Quick wins: Security personnel and/or system administrators should run biweekly reports that identify anomalies in logs. They should then actively review the anomalies, documenting their findings.

14.6 - Recommendations:

Recommended Products or Services

Members with No IT Staff:
The local support vendor must turn on “file access logging” features in file server operating systems.
If you are running a service or SIEM log aggregation tool, use it to provide reports and alerts as appropriate to the needs of the organization.

Members With IT Staff:
Turn on “file access logging” features in file server operating systems.
Use a SIEM tool to provide reports and alerts as appropriate to the needs of the organization.


Control No. 14 – Maintenance, Monitoring, and Analysis of Audit Logs – Quick Win No. 7

14.7 Security personnel and/or system administrators should run biweekly reports that identify anomalies in logs. They should then actively review the anomalies, documenting their findings.

14.7 - Recommendations:

Recommended Products or Services

Members with No IT Staff:
If you are running a service or SIEM log aggregation tool, use it to provide reports and alerts as appropriate to the needs of the organization.

Members With IT Staff:
Use a SIEM tool to provide reports and alerts as appropriate to the needs of the organization.
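The biweekly anomaly report that 14.6 and 14.7 describe, as an added Python example rather than anything from the WCIA document: it reads constructed failed-logon (event 4625) and denied file-access (event 4656) records in a simplified CSV shape, compares the current two weeks against the prior period, and lists what an analyst should review and document. The thresholds, the log layout and the account names are assumptions.

```python
"""Biweekly log-anomaly report for failed logons and denied file access.

Added example for Quick Wins 14.6 and 14.7; not code from the WCIA document.
The log lines are constructed in a simplified CSV shape (not a real Windows
export). Event IDs 4625 (failed logon) and 4656 (object handle request, here
with a failure result) are the Windows Security log IDs for the two event
classes 14.6 asks to be logged; all thresholds below are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime

MIN_COUNT = 5          # absolute failed-logon floor before an account is flagged
RATIO = 3.0            # current count must also exceed RATIO x baseline count
OFF_HOURS = (22, 6)    # failed logons between 22:00 and 06:00 are reported
MIN_OBJECTS = 3        # denied access to this many distinct files is reported

# Constructed prior period (baseline): "time,event_id,result,account,source,object"
BASELINE_LOG = r"""
2013-02-18T08:15:00,4625,Failure,jsmith,10.0.2.15,-
2013-02-19T09:02:00,4625,Failure,jsmith,10.0.2.15,-
2013-02-21T10:30:00,4656,Failure,tlee,10.0.2.18,\\fs1\finance\payroll.xlsx
"""

# Constructed current two-week period to be reported on.
CURRENT_LOG = r"""
2013-03-04T08:10:00,4625,Failure,jsmith,10.0.2.15,-
2013-03-05T02:11:00,4625,Failure,svc_backup,10.0.2.99,-
2013-03-05T02:11:04,4625,Failure,svc_backup,10.0.2.99,-
2013-03-05T02:11:09,4625,Failure,svc_backup,10.0.2.99,-
2013-03-05T02:11:13,4625,Failure,svc_backup,10.0.2.99,-
2013-03-05T02:11:20,4625,Failure,svc_backup,10.0.2.99,-
2013-03-05T02:11:27,4625,Failure,svc_backup,10.0.2.99,-
2013-03-06T11:00:00,4656,Failure,tlee,10.0.2.18,\\fs1\finance\payroll.xlsx
2013-03-06T11:01:00,4656,Failure,tlee,10.0.2.18,\\fs1\finance\budget.xlsx
2013-03-06T11:02:00,4656,Failure,tlee,10.0.2.18,\\fs1\hr\reviews.docx
"""


def parse(text):
    """Turn the CSV lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        when, event_id, result, account, source, obj = line.split(",", 5)
        events.append({"when": datetime.fromisoformat(when), "id": int(event_id),
                       "result": result, "account": account, "source": source,
                       "object": obj})
    return events


def failed_logons(events):
    """Failed-logon count per account."""
    return Counter(e["account"] for e in events
                   if e["id"] == 4625 and e["result"] == "Failure")


def is_off_hours(when):
    start, end = OFF_HOURS
    return when.hour >= start or when.hour < end


def find_anomalies(current, baseline):
    """Return (kind, account, detail) tuples for the analyst to review."""
    findings = []
    now_counts = failed_logons(current)
    base_counts = failed_logons(baseline)
    # 1. accounts whose failed logons jumped well above their own baseline
    for account, n in sorted(now_counts.items()):
        base = base_counts.get(account, 0)
        if n >= MIN_COUNT and n > RATIO * base:
            findings.append(("failed-logon-spike", account,
                             f"{n} failures vs {base} in baseline"))
    # 2. failed logons outside business hours
    off = Counter(e["account"] for e in current if e["id"] == 4625
                  and e["result"] == "Failure" and is_off_hours(e["when"]))
    for account, n in sorted(off.items()):
        findings.append(("off-hours-failed-logon", account,
                         f"{n} failures between 22:00 and 06:00"))
    # 3. accounts denied access to many distinct files (14.6 access-control events)
    denied = defaultdict(set)
    for e in current:
        if e["id"] == 4656 and e["result"] == "Failure":
            denied[e["account"]].add(e["object"])
    for account, objects in sorted(denied.items()):
        if len(objects) >= MIN_OBJECTS:
            findings.append(("access-denied-breadth", account,
                             f"denied on {len(objects)} distinct files"))
    return findings


def biweekly_report(current_text=CURRENT_LOG, baseline_text=BASELINE_LOG):
    """Return the findings and the report lines to file with the review notes."""
    findings = find_anomalies(parse(current_text), parse(baseline_text))
    lines = [f"[{kind}] {account}: {detail}" for kind, account, detail in findings]
    return findings, lines


if __name__ == "__main__":
    _, report_lines = biweekly_report()
    print("\n".join(report_lines) or "no anomalies")
```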


Group Priority - 7

Control No. 16 – Account Monitoring and Control

Risk: Attackers frequently discover and exploit legitimate but inactive user accounts to impersonate legitimate users, thereby making discovery of attacker behavior difficult for network watchers. Accounts of contractors and employees who have been terminated have often been misused in this way.

GOALS: Detect misuse and eliminate it.

Reference: SANS What Works for Critical Control 16: https://www.sans.org/critical-security-controls/vendor-solutions/control/16


Control No. 16 – Account Monitoring and Control – Quick Win No. 1

16.1 Review all system accounts and disable any account that cannot be associated with a business process and owner.

16.1 - Recommendations:

Recommended Products or Services

Members with No IT Staff:

Implement tools to dump Active Directory accounts, security groups, resource groups (Required)
a) AD Manager
b) Spiceworks
c) Hyena
d) Just look at local users and administrators groups in AD

Audit active user accounts against active employee list from HR at least quarterly. Keep records of these audits. (Required)

Members with IT Staff:

Implement tools to dump Active Directory accounts, security groups, resource groups (Required)
a) ScriptLogic Desktop Authority
b) AD Manager
c) Spiceworks
d) Hyena
e) PowerShell script

Audit active user accounts against active employee list from HR at least quarterly. Keep records of these audits. (Required)
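The "PowerShell script" option above can cover both rows of this table: dump the accounts and groups, then reconcile the enabled accounts against the HR list. The script below is an added example written for this page, not code from the WCIA document or from any listed product. It assumes the ActiveDirectory RSAT module is installed, that the HR export is a CSV with an EmployeeID column, and that AD accounts carry the employeeID, manager and description attributes; the file paths are assumptions.

```powershell
# Added example, not part of the WCIA document: quarterly reconciliation of enabled
# Active Directory user accounts against the HR active-employee list (16.1).
# Assumes the ActiveDirectory RSAT module and an HR export with an 'EmployeeID'
# column (assumed column name) at the path below.
param(
    [string]$HrListPath = 'C:\Audit\hr-active-employees.csv',        # assumption
    [string]$OutDir     = "C:\Audit\$(Get-Date -Format 'yyyy-MM-dd')"  # assumption
)
Import-Module ActiveDirectory
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Dump every enabled user with the attributes that tie an account to an owner.
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties EmployeeID, Manager, Description, LastLogonDate, PasswordLastSet
$users | Select-Object SamAccountName, Name, EmployeeID, Manager, Description, LastLogonDate, PasswordLastSet |
    Export-Csv -Path (Join-Path $OutDir 'enabled-users.csv') -NoTypeInformation

# 2. Dump security groups with their direct members; resource groups are groups too.
Get-ADGroup -Filter 'GroupCategory -eq "Security"' | ForEach-Object {
    $g = $_
    Get-ADGroupMember -Identity $g -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Group = $g.SamAccountName; Member = $_.SamAccountName; Class = $_.objectClass }
    }
} | Export-Csv -Path (Join-Path $OutDir 'group-members.csv') -NoTypeInformation

# 3. Reconcile. An enabled account whose EmployeeID is missing from the HR list, or that
#    has neither a manager nor a description, has no demonstrable business owner.
$hrIds = @{}
if (Test-Path $HrListPath) {
    Import-Csv -Path $HrListPath | ForEach-Object { $hrIds[$_.EmployeeID] = $true }
}

$findings = foreach ($u in $users) {
    $reasons = @()
    if (-not $u.EmployeeID)                         { $reasons += 'no EmployeeID' }
    elseif (-not $hrIds.ContainsKey($u.EmployeeID)) { $reasons += 'not on HR active list' }
    if (-not $u.Manager -and -not $u.Description)   { $reasons += 'no manager or description' }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{ Account = $u.SamAccountName; Name = $u.Name; Reason = ($reasons -join '; ') }
    }
}
$findings | Export-Csv -Path (Join-Path $OutDir 'accounts-without-owner.csv') -NoTypeInformation
$findings | Format-Table -AutoSize

# Each finding is reviewed by a person before anything is disabled; when it is, record why:
#   Set-ADUser -Identity <SamAccountName> -Description "Disabled <date>: no owner (16.1 audit)"
#   Disable-ADAccount -Identity <SamAccountName>
```

Service accounts and built-in accounts will show up without an EmployeeID; the fix is to give them an owner in the Description attribute rather than to exclude them from the report. The dated output folder is the audit record the table requires.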

Control No. 16 – Account Monitoring and Control – Quick Win No. 2

16.2 All accounts should have an expiration date associated with the account.

16.2 - Recommendations:

Recommended Products or Services

Members with No IT Staff:

This control should be used with great care. It is appropriate for temporary employee or vendor accounts.

Members with IT Staff:

This control should be used with great care. It is appropriate for temporary employee or vendor accounts.


Control No. 16 – Account Monitoring and Control – Quick Win No. 3

16.3 Systems should automatically create a report on a daily basis that includes a list of locked-out accounts, disabled accounts, accounts with passwords that exceed the maximum password age, and accounts with passwords that never expire. This list should be sent to the associated system administrator in a secure fashion.

16.3 - Recommendations:

Recommended Products or Services

Members with No IT Staff:

If you are running a service or SIEM log aggregation tool, use it to provide reports and alerts as appropriate to the needs of the organization.

Members with IT Staff:

Use a SIEM tool to provide reports and alerts as appropriate to the needs of the organization.
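The four lists in 16.3 map directly onto Search-ADAccount switches, so members with IT staff can produce the daily report without a SIEM. The script below is an added example, not part of the WCIA document. It assumes the ActiveDirectory module; the report folder and the administrator group name are assumptions. It delivers the report "in a secure fashion" by writing it to a folder whose ACL is limited to SYSTEM and that group rather than mailing it in clear text.

```powershell
# Added example, not part of the WCIA document: the daily account status report in
# 16.3, built with Search-ADAccount and Get-ADUser from the ActiveDirectory module.
# Instead of mailing the list in clear text it is written to a folder whose ACL
# limits access to SYSTEM and an administrator group; the folder path and the
# group name are assumptions.
Import-Module ActiveDirectory

$ReportDir  = 'C:\Reports\AccountStatus'     # assumption
$AdminGroup = 'CONTOSO\Domain Admins'        # assumption: group allowed to read the reports
$stamp      = Get-Date -Format 'yyyy-MM-dd'

# Create the folder once, break inheritance, and grant only SYSTEM and the admin group.
if (-not (Test-Path $ReportDir)) {
    New-Item -ItemType Directory -Path $ReportDir | Out-Null
    $acl = Get-Acl -Path $ReportDir
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in @('NT AUTHORITY\SYSTEM', $AdminGroup)) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $ReportDir -AclObject $acl
}

# Shape every finding the same way so the four categories land in one CSV.
function Add-Category {
    param([string]$Category, [Parameter(ValueFromPipeline = $true)]$Account)
    process {
        [pscustomobject]@{
            Category  = $Category
            Account   = $Account.SamAccountName
            Name      = $Account.Name
            LastLogon = $Account.LastLogonDate
        }
    }
}

# Take the maximum password age from the domain policy so the report agrees with what AD enforces.
$maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge

$rows = @(
    Search-ADAccount -LockedOut -UsersOnly            | Add-Category 'Locked out'
    Search-ADAccount -AccountDisabled -UsersOnly      | Add-Category 'Disabled'
    Search-ADAccount -PasswordNeverExpires -UsersOnly | Add-Category 'Password never expires'
    if ($maxAge -gt [TimeSpan]::Zero) {   # zero means the domain never expires passwords; nothing to report
        $cutoff = (Get-Date) - $maxAge
        Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' -Properties PasswordLastSet, LastLogonDate |
            Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff } |
            Add-Category 'Password older than max age'
    }
)

$path = Join-Path $ReportDir "account-status-$stamp.csv"
$rows | Sort-Object Category, Account | Export-Csv -Path $path -NoTypeInformation
Write-Output "Wrote $($rows.Count) findings to $path"
```

Run it as a daily scheduled task. The "password never expires" list is the one to watch most closely: those are typically service accounts, and each should be traceable to an owner under 16.1.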

Control No. 16 – Account Monitoring and Control – Quick Win No. 4

16.4 Establish and follow a process for revoking system access by disabling accounts immediately upon termination of an employee or contractor.

16.4 - Recommendations:

Recommended Products or Services

Members with No IT Staff:

Establish a new employee and employee exit procedure that includes “timely” notification to IT when these events occur.

Members with IT Staff:

Establish a new employee and employee exit procedure that includes “timely” notification to IT when these events occur.


Control No. 16 – Account Monitoring and Control – Quick Win No. 5

16.5 Regularly monitor the use of all accounts, automatically logging off users after a standard period of inactivity.

16.5 - Recommendations:

Recommended Products or Services

Members with No IT Staff:

The local support vendor must use GPO, or an equivalent feature, to set screen saver settings that comply with this requirement and to disallow users from overriding this setting. Automatic lock-out should be set to the Washington State OCIO IT Security Standards.

Members with IT Staff:

Use GPO, or an equivalent feature, to set screen saver settings that comply with this requirement and to disallow users from overriding this setting. Automatic lock-out should be set to the Washington State OCIO IT Security Standards.

Control No. 16 – Account Monitoring and Control – Quick Win No. 6

16.6 Monitor account usage to determine dormant accounts that have not been used for a given period, such as 45 days, notifying the user or user’s manager of the dormancy. After a longer period, such as 60 days, the account should be disabled.

16.6 - Recommendations:

Recommended Products or Services

Members with No IT Staff:

Implement tools to dump Active Directory accounts, security groups, resource groups (Required)
a) AD Manager
b) Spiceworks
c) Hyena
d) Just look at local users and administrators groups in AD

Audit active user accounts against active employee list from HR at least quarterly. Keep records of these audits. (Required)

Members with IT Staff:

Implement tools to dump Active Directory accounts, security groups, resource groups (Required)
a) ScriptLogic Desktop Authority
b) AD Manager
c) Spiceworks
d) Hyena
e) PowerShell script

Audit active user accounts against active employee list from HR at least quarterly. Keep records of these audits. (Required)
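The two-stage process in 16.6 (notify at 45 days, disable at 60) is a short script once Active Directory's lastLogonTimestamp is available. The script below is an added example, not part of the WCIA document. It assumes the ActiveDirectory module and a mail relay; the SMTP server and sender address are assumptions, and the day counts default to the figures the control text uses. It only reports unless run with -Enforce.

```powershell
# Added example, not part of the WCIA document: the two-stage dormant account process
# in 16.6 using Search-ADAccount -AccountInactive. Notification goes to the user and
# the user's manager via Send-MailMessage; the SMTP server and sender are assumptions.
# Without -Enforce the script only prints what it would do.
param(
    [int]$NotifyDays  = 45,
    [int]$DisableDays = 60,
    [string]$SmtpServer = 'smtp.example.org',          # assumption
    [string]$From       = 'it-security@example.org',   # assumption
    [switch]$Enforce
)
Import-Module ActiveDirectory

# Enabled user accounts idle for at least the notification period. Service accounts that
# legitimately never log on interactively should live in an OU this search excludes.
$inactive = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($NotifyDays)) -UsersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object { Get-ADUser -Identity $_.SamAccountName -Properties LastLogonDate, Manager, EmailAddress, WhenCreated }

$today = Get-Date
foreach ($u in $inactive) {
    # A never-used account has no LastLogonDate; age it from its creation date instead.
    $lastSeen = if ($u.LastLogonDate) { $u.LastLogonDate } else { $u.WhenCreated }
    $idleDays = [int]($today - $lastSeen).TotalDays

    if ($idleDays -ge $DisableDays) {
        Write-Output "DISABLE  $($u.SamAccountName)  idle $idleDays days"
        if ($Enforce) {
            # Record the reason on the object so the 16.1 audit can see why it was disabled.
            Set-ADUser -Identity $u -Description "Disabled $($today.ToString('yyyy-MM-dd')): dormant $idleDays days (16.6)"
            Disable-ADAccount -Identity $u
        }
    }
    elseif ($idleDays -ge $NotifyDays) {
        Write-Output "NOTIFY   $($u.SamAccountName)  idle $idleDays days"
        $to = @()
        if ($u.EmailAddress) { $to += $u.EmailAddress }
        if ($u.Manager) {
            $mgr = Get-ADUser -Identity $u.Manager -Properties EmailAddress
            if ($mgr.EmailAddress) { $to += $mgr.EmailAddress }
        }
        if ($to.Count -gt 0 -and $Enforce) {
            Send-MailMessage -SmtpServer $SmtpServer -From $From -To $to `
                -Subject "Dormant account: $($u.SamAccountName)" `
                -Body "The account $($u.SamAccountName) has not been used for $idleDays days and will be disabled after $DisableDays days of inactivity. Contact IT if it is still required."
        }
    }
}
```

lastLogonTimestamp, which Search-ADAccount relies on, is replicated with a lag of up to 14 days by design, so the 45- and 60-day thresholds are safe but a 7-day threshold would not be. Keep the script output with the quarterly audit records.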


Control No. 16 – Account Monitoring and Control – Quick Win No. 7

16.7 When a dormant account is disabled, any files associated with that account should be encrypted and moved to a secure file server for analysis by security or management personnel.

16.7 - Recommendations:

Recommended Products or Services

Members with No IT Staff:

Establish business procedures to accomplish this control using tools provided by the local support vendor.

Members with IT Staff:

Establish business procedures to accomplish this control using tools provided by IT.


Control No. 16 – Account Monitoring and Control – Quick Win No. 8

16.8 All non-administrator accounts should be required to have strong passwords that contain letters, numbers, and special characters, be changed at least every 90 days, have a minimal age of one day, and not be allowed to use the previous 15 passwords as a new password. These values can be adjusted based on the specific business needs of the organization.

16.8 - Recommendations:

Recommended Products or Services

Members with No IT Staff:

Establish clear policy and include it in the vendor agreement and Statement of Work. (Required)
a) Configure Active Directory to enforce policy
b) Establish checklists (require in vendor contract) for new device configuration
c) Limit use of administrative accounts.

Implement Microsoft Active Directory or some similar technology to manage user accounts and permissions that includes password enforcement features (Required). Zentyal is a pretty solid small business server alternative to Microsoft.

Members with IT Staff:

Establish clear policy (Required)
a) Comply with the appropriate portion of the State of WA OCIO IT Security Standards
b) Configure Active Directory to enforce policy
c) Establish checklists for new device configuration
d) Limit use of administrative accounts.

Implement Microsoft Active Directory or some similar technology to manage user accounts and permissions that includes password enforcement features (Required)

NOTE: Below is an example of Microsoft Group Policy Settings to implement this control:


Control No. 16 – Account Monitoring and Control – Quick Win No. 9

16.9 Account lockout should be used and configured such that after a set number of failed login attempts the account is locked for a standard period of time.

16.9 - Recommendations:

Recommended Products or Services

Members with No IT Staff:

The local support vendor must configure the operating system to implement this control.

Members with IT Staff:

Configure the operating system to implement this control.
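Active Directory enforces both 16.8 (password rules) and 16.9 (lockout) through the default domain policy and any fine-grained password policies, and a periodic check that the effective settings still match the written policy is a cheap way to catch drift. The script below is an added example covering both quick wins, not part of the WCIA document. It assumes the ActiveDirectory module. The complexity, 90-day maximum age, one-day minimum age and 15-password history come from 16.8; the minimum length, lockout threshold and lockout duration are assumed local choices, since the document leaves those to the organization.

```powershell
# Added example, not part of the WCIA document: checks the effective domain password and
# lockout policy against the 16.8 and 16.9 settings. Complexity, 90-day max age, 1-day
# min age and 15 remembered passwords are from 16.8; minimum length, lockout threshold
# and lockout duration are assumed local choices.
Import-Module ActiveDirectory

$required = [ordered]@{
    ComplexityEnabled      = $true
    MaxPasswordAgeDays     = 90
    MinPasswordAgeDays     = 1
    PasswordHistoryCount   = 15
    MinPasswordLength      = 8     # assumption: 16.8 does not state a length
    LockoutThreshold       = 10    # assumption: failed attempts before lockout (16.9 says "a set number")
    LockoutDurationMinutes = 15    # assumption: 16.9 says "a standard period of time"
}

function Test-PasswordPolicy {
    param($Policy, [System.Collections.Specialized.OrderedDictionary]$Required)
    $actual = [ordered]@{
        ComplexityEnabled      = $Policy.ComplexityEnabled
        MaxPasswordAgeDays     = $Policy.MaxPasswordAge.Days
        MinPasswordAgeDays     = $Policy.MinPasswordAge.Days
        PasswordHistoryCount   = $Policy.PasswordHistoryCount
        MinPasswordLength      = $Policy.MinPasswordLength
        LockoutThreshold       = $Policy.LockoutThreshold
        LockoutDurationMinutes = $Policy.LockoutDuration.TotalMinutes
    }
    foreach ($k in $Required.Keys) {
        # Direction of "compliant" differs per setting, and zero is special for three of them.
        $ok = switch ($k) {
            'ComplexityEnabled'      { $actual[$k] -eq $Required[$k] }
            'MaxPasswordAgeDays'     { $actual[$k] -gt 0 -and $actual[$k] -le $Required[$k] }   # 0 = never expires
            'LockoutThreshold'       { $actual[$k] -gt 0 -and $actual[$k] -le $Required[$k] }   # 0 = lockout disabled
            'LockoutDurationMinutes' { $actual[$k] -eq 0 -or  $actual[$k] -ge $Required[$k] }   # 0 = until an admin unlocks
            default                  { $actual[$k] -ge $Required[$k] }
        }
        [pscustomobject]@{ Setting = $k; Required = $Required[$k]; Actual = $actual[$k]; Compliant = [bool]$ok }
    }
}

# The default domain policy first, then any fine-grained policies that override it for specific groups.
$results = Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) -Required $required |
    Select-Object @{ n = 'Policy'; e = { 'Default Domain' } }, *
foreach ($fgpp in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $results += Test-PasswordPolicy -Policy $fgpp -Required $required |
        Select-Object @{ n = 'Policy'; e = { $fgpp.Name } }, *
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

The non-zero exit code lets the check run as a scheduled task that raises a ticket when a setting has been relaxed. Where a fine-grained policy intentionally differs (for example a stricter one for administrators), compare it against its own requirement table rather than the 16.8 values.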


Group Priority - 8

Control No. 2 – Inventory of Authorized and Unauthorized Software

Risk: Unauthorized scans of the network detect vulnerable versions of software. There is also a danger from hostile web pages, documents, media files and other web content. This content can cause a machine to be compromised by simply clicking on a file or web page. Zero-day attacks are also a risk, and without proper knowledge or control of the software deployed, defenders cannot properly secure their assets.

GOALS: Have an accurate inventory of all software, and perform inventory scans to quickly identify unauthorized software and known software.

Reference: SANS What Works for Critical Control 2: https://www.sans.org/critical-security-controls/vendor-solutions/control/2


Control No. 2 – Inventory of Authorized and Unauthorized Software – Quick Win No. 1

2.1 Devise a list of authorized software that is required in the enterprise for each type of system, including servers, workstations, and laptops of various kinds and uses. This list should be tied to file integrity checking software to validate that the software has not been modified.

2.1 - Recommendations:

Recommended Products or Services

Members with No IT Staff:

The support vendor should have tools that can produce this information. Require that this be done periodically (semi-annually is suggested) and review it.

Develop and use checklists for new device image builds that only install what is required. Consider using Group Policy to control

Members with IT Staff:

Use a tool (there are many free ones) that will scan the network and identify and report software that is currently installed. Use this information to keep only what is required on each device to perform its function. Tools from these vendors are recommended:
a) Spiceworks
b) Kaspersky
c) GFI LanGuard
d) Bit9
e) Hyena
f) ScriptLogic
g) Symantec

Develop and use checklists for new device image builds that only install what is required. Consider using Group Policy to control


Control No. 2 – Inventory of Authorized and Unauthorized Software – Quick Win No. 2

2.2 Perform regular scanning and generate alerts when unapproved software is installed on a computer. A strict change control process should also be implemented to control any changes or installation of software to any systems on the network.

2.2 - Recommendations:

Recommended Products or Services

Members with No IT Staff:

Implement controls to disallow users the ability to install software that is not approved.

Develop and use checklists for new device image builds that only install what is required. Consider using Group Policy to control

Members with IT Staff:

Implement controls to disallow users the ability to install software that is not approved.

Use a tool (there are many free ones) that will scan the network and identify and report software that is currently installed. Use this information to keep only what is required on each device to perform its function. Tools from these vendors are recommended:
a) Spiceworks
b) Kaspersky
c) GFI LanGuard
d) Bit9
e) Hyena
f) ScriptLogic
g) Symantec

Develop and use checklists for new device image builds that only install what is required. Consider using Group Policy to control
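The authorized list from 2.1 and the alerting scan from 2.2 fit together as one script: read what is installed, compare it with the list, and report the difference. The script below is an added example, not part of the WCIA document or of any tool listed above. It reads the Windows Uninstall registry keys, which is where the commercial tools get the same data; the authorized-software CSV format (Name and Publisher columns, with * as a wildcard) and the file paths are assumptions.

```powershell
# Added example, not part of the WCIA document: builds the installed-software inventory
# of a Windows host from the registry Uninstall keys (2.1) and reports anything not on
# the authorized list (2.2). The list is a CSV with 'Name' and 'Publisher' columns where
# '*' acts as a wildcard (assumed format); the paths are assumptions.
param(
    [string]$AllowListPath = 'C:\Inventory\authorized-software.csv',           # assumption
    [string]$ReportPath    = "C:\Inventory\unapproved-$env:COMPUTERNAME.csv"  # assumption
)

function Get-InstalledSoftware {
    # 64-bit and 32-bit (Wow6432Node) machine-wide installs plus the current user's per-user installs.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |   # skip hidden OS components
        ForEach-Object {
            [pscustomobject]@{
                Name        = $_.DisplayName.Trim()
                Version     = $_.DisplayVersion
                Publisher   = $_.Publisher
                InstallDate = $_.InstallDate
            }
        } | Sort-Object Name -Unique
}

function Compare-ToAllowList {
    param([object[]]$Installed, [object[]]$Allowed)
    # Name must match an allowed pattern; if the allowed entry names a publisher, that must match too.
    foreach ($app in $Installed) {
        $match = $Allowed | Where-Object {
            $app.Name -like $_.Name -and (-not $_.Publisher -or $app.Publisher -like $_.Publisher)
        }
        if (-not $match) { $app }
    }
}

$installed  = Get-InstalledSoftware
$allowed    = if (Test-Path $AllowListPath) { Import-Csv -Path $AllowListPath } else { @() }
$unapproved = @(Compare-ToAllowList -Installed $installed -Allowed $allowed)

$unapproved | Export-Csv -Path $ReportPath -NoTypeInformation
if ($unapproved.Count -gt 0) {
    Write-Warning "$($unapproved.Count) unapproved package(s) on $env:COMPUTERNAME"
    $unapproved | Format-Table Name, Version, Publisher -AutoSize
}
```

Run it across the domain with Invoke-Command against the device inventory from Control 1, and treat a non-empty report as the alert the control asks for. An empty authorized list makes everything unapproved on the first run, which is the point: the first report is the raw material for building the 2.1 list.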


Group Priority - 9

Control No. 3 – Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers

Risk: Networks are searched by attackers looking for systems that were configured with vulnerable software installed from manufacturers and resellers, making them immediately vulnerable to exploitation. Default configurations often leave extraneous services that are exploitable in their default state.

GOALS: Defenses against these automated exploits include: procuring computer and network components with the secure configurations already implemented, deploying such preconfigured hardened systems, updating these configurations on a regular basis, and tracking them in a configuration management system.

Reference: SANS What Works for Critical Control 3: https://www.sans.org/critical-security-controls/vendor-solutions/control/3


Control No. 3 – Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers – Quick Win No. 1

3.1 Strict configuration management should be followed, building a secure image that is used to build all new systems that are deployed to the enterprise. Any existing system that becomes compromised is re-imaged with the secure build. Regular updates to this image are integrated into the organization’s change management processes. Images should be created for both workstations and servers.

3.1 - Recommendations:

Recommended Products or Services

Members with No IT Staff:

Have the local support contractor demonstrate how they meet this control and document the process in the service level agreement.

Members with IT Staff:

Implement virtual servers and standard server build images. Use virtual environment image backup tools to make secure copies of servers that can be restored if a server is compromised.

Develop server and workstation build checklists and follow them for all new equipment. Provide the checklist to hardware vendors and have machines configured to your standard.

Implement change control procedures for image checklists and image masters.


Control No. 3 – Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers – Quick Win No. 2

3.2 System images must have documented security settings that are tested before deployment, approved by an organization change control board, and registered with a central image library for the organization or multiple organizations. These images should be validated and refreshed on a regular basis (e.g., every six months) to update their security configuration in light of recent vulnerabilities and attack vectors.

3.2 - Recommendations:

Recommended Products or Services

Members with No IT Staff:

Have the local support contractor demonstrate how they meet this control and document the process in the service level agreement.

Members with IT Staff:

Implement ITIL based change control procedures for image masters and changes to servers. Approved changes to servers, including patch management, should be performed on image masters.

Develop server and workstation build checklists and follow them for all new equipment. Provide the checklist to hardware vendors and have machines configured to your standard.

Perform vulnerability scanning on master images at an appropriate interval.


Control No. 3 – Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers – Quick Win No. 3

3.3 Standardized images should represent hardened versions of the underlying operating system and the applications installed on the system, such as those released by NIST, NSA, the Defense Information Systems Agency (DISA), the Center for Internet Security (CIS), and others. This hardening would typically include removal of unnecessary accounts, disabling or removal of unnecessary services, and configuring non-executable stacks and heaps. Such hardening also involves, among other measures, applying patches, closing open and unused network ports, implementing intrusion detection systems and/or intrusion prevention systems, and erecting host-based firewalls.

3.3 - Recommendations:

Recommended Products or Services

Members with No IT Staff:

Have the local support contractor agree to follow operating system manufacturer guidelines for “medium security” configuration of servers and workstations.

Members with IT Staff:

Configure servers and workstations following NIST and operating system manufacturer guidance for “medium security”.

Talk with manufacturers when new versions of these products come out to get the latest guidance. Take classes to learn how to configure new versions.


Control No. 3 – Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers – Quick Win No. 4

3.4 The master images themselves must be stored on securely configured servers, with integrity checking tools and change management to ensure that only authorized changes to the images are possible. Alternatively, these master images can be stored in offline machines, air-gapped from the production network, with images copied via secure media to move them between the image storage servers and the production network. Images should be tested at the hot or warm disaster recovery site if one is available.

3.4 - Recommendations:

Recommended Products or Services

Members with No IT Staff:

Have the local support contractor demonstrate how they meet this control and document the process in the service level agreement.

Server and workstation images should be stored at the member site, not at the local vendor site. Images should be included in the backup strategy with the backup media stored off-site in a secure location.

Disaster Recovery documentation must be provided that details how to use these images for recovery of servers or workstations.

Members with IT Staff:

Server and workstation images should be stored near the production site in a secure logical and physical location. Images should be included in the backup strategy with the backup media stored off-site in a secure location with significant regional separation.

Disaster Recovery documentation must be provided that details how to use these images for recovery of servers or workstations. This is similar to the new device build checklist but not the same.

Implement ITIL based change control procedures for image masters and changes to servers. Approved changes to servers, including patch management, should be performed on image masters.

Implement integrity checking tools to ensure the approved image has not been altered before it is used. Consult the SANS Vendor Solutions link above for vendor products that perform this control.
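The integrity check in 3.4 does not need a commercial product for a small image store: a signed-off manifest of file hashes, regenerated only through change control and verified before each use, does the job. The script below is an added example, not part of the WCIA document. The image root and manifest path are assumptions; the manifest should live with the images on the secured server and be part of the same backup set.

```powershell
# Added example, not part of the WCIA document: integrity checking for a master image
# store (3.4). 'New' writes a SHA-256 manifest of every file under the image root;
# 'Verify' recomputes the hashes and reports changed, missing and added files.
# The image root and manifest path are assumptions.
param(
    [ValidateSet('New', 'Verify')][string]$Mode = 'Verify',
    [string]$ImageRoot    = 'D:\Images\Masters',               # assumption
    [string]$ManifestPath = 'D:\Images\Masters.manifest.csv'   # assumption
)

function New-ImageManifest {
    param([string]$Root)
    $prefixLength = $Root.TrimEnd('\').Length + 1
    Get-ChildItem -Path $Root -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($prefixLength)   # path relative to the root, so the store can move
            Length       = $_.Length
            Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

function Compare-ImageManifest {
    param([object[]]$Expected, [object[]]$Current)
    $exp = @{}; foreach ($e in $Expected) { $exp[$e.RelativePath] = $e }
    $cur = @{}; foreach ($c in $Current)  { $cur[$c.RelativePath] = $c }

    foreach ($p in $exp.Keys) {
        if (-not $cur.ContainsKey($p)) {
            [pscustomobject]@{ Status = 'MISSING'; RelativePath = $p }
        } elseif ($cur[$p].Sha256 -ne $exp[$p].Sha256) {
            [pscustomobject]@{ Status = 'CHANGED'; RelativePath = $p }
        }
    }
    foreach ($p in $cur.Keys) {
        if (-not $exp.ContainsKey($p)) {
            [pscustomobject]@{ Status = 'ADDED'; RelativePath = $p }   # a file nobody approved
        }
    }
}

switch ($Mode) {
    'New' {
        New-ImageManifest -Root $ImageRoot | Export-Csv -Path $ManifestPath -NoTypeInformation
        # Read-only stops a casual overwrite; regenerating the manifest is a change-control action.
        Set-ItemProperty -Path $ManifestPath -Name IsReadOnly -Value $true
        Write-Output "Manifest written to $ManifestPath"
    }
    'Verify' {
        $expected = Import-Csv -Path $ManifestPath
        $current  = @(New-ImageManifest -Root $ImageRoot)
        $diff     = @(Compare-ImageManifest -Expected $expected -Current $current)
        if ($diff.Count -gt 0) {
            $diff | Format-Table -AutoSize
            Write-Error "Image store does not match manifest: $($diff.Count) difference(s)"
            exit 1
        }
        Write-Output "All $($current.Count) files match the manifest."
    }
}
```

Run Verify before any deployment from the store and on a schedule; a CHANGED or ADDED result that has no matching change-control record is the finding. For an air-gapped store, carry the manifest with the images on the secure media and verify on both sides of the transfer.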


Control No. 3 – Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers – Quick Win No. 5

3.5 Run the latest version of software and make sure it is fully patched. Remove outdated or older software from the system.

3.5 - Recommendations:

Recommended Products or Services

Members with No IT Staff:

This control requires that software be kept current, i.e. at the latest version, and that the software be patched. This includes all software, not just the operating system, that is on a master image.

The local support vendor should be retained to perform routine maintenance that includes software updates and patching.

Members with IT Staff:

This control requires that software be kept current, i.e. at the latest version, and that the software be patched. This includes all software, not just the operating system, that is on a master image.

Use the patch management and vulnerability management products discussed earlier to make sure servers, workstations, and image masters are kept current.


Group Priority - 10

Control No. 1 – Inventory of Authorized and Unauthorized Devices

Risk: Many criminal groups and nation-states deploy systems that continuously scan address spaces of target organizations, waiting for new and unprotected systems to be attached to the network. The attackers also look for laptops not up to date with patches because they are not frequently connected to the network. One common attack takes advantage of new hardware that is installed on the network one evening and not configured and patched with appropriate security updates until the following day. Attackers from anywhere in the world may quickly find and exploit such systems that are accessible via the Internet. Furthermore, even for internal network systems, attackers who have already gained internal access may hunt for and compromise additional improperly secured internal computer systems. Some attackers use the local nighttime window to install backdoors on the systems before they are hardened.

GOALS:
1) Have an accurate inventory of all systems, and perform inventory scans to quickly identify unauthorized machines and known assets.
2) Quickly address inconsistencies.
3) A good inventory is the basis for other SANS Controls.

Reference: SANS What Works for Critical Control 1: https://www.sans.org/critical-security-controls/vendor-solutions/control/1


Control No. 1 – Inventory of Authorized and Unauthorized Devices – Quick Win No. 1

1.1 Deploy an automated asset inventory discovery tool and use it to build a preliminary asset inventory of systems connected to an organization’s public and private network(s). Both active tools that scan through network address ranges and passive tools that identify hosts based on analyzing their traffic should be employed.

1.1 - Recommendations:

Recommended Products or Services

Members with No IT Staff:

The support vendor should have tools that can produce this information. Require that this be done periodically (semi-annually is suggested) and review it.

Members with IT Staff:

Use a tool that will scan the network and identify and report devices that are currently installed. Use this information to keep only what is required on each device to perform its function. Tools from these vendors are recommended:
a) Spiceworks
b) Kaspersky
c) GFI LanGuard
d) Bit9
e) PRTG
f) ScriptLogic
g) Fortinet
h) Nessus
i) Nmap
j) Nexpose
k) Qualys


Control No. 1 – Inventory of Authorized and Unauthorized Devices – Quick Win No. 2

1.2 Deploy DHCP Server logging, and utilize a system to improve the asset inventory and help detect unknown systems through this DHCP information.

1.2 - Recommendations:

Recommended Products or Services

Members with No IT Staff:

Recommended Border Defense solutions will have the ability to be DHCP servers and maintain these logs. The server must be configured to keep them, or a SIEM solution must be in place to aggregate logs.

Have the local support contractor demonstrate how they meet this control and document the process in the service level agreement.

Members with IT Staff:

Implement previous recommendations for a SIEM tool and have it keep DHCP logs to implement this control.

Implement access point Network Access Control (NAC) using 802.1X with authentication certificates to keep unknown devices off of production VLANs. Configure a VLAN for guest access to the Internet and route all unknown devices there.
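The "system" that 1.2 asks for, the part that turns DHCP logs into detection, can be a short script that reads the Windows DHCP server audit log and reports every lease whose MAC address is not in the device inventory. The script below is an added example, not part of the WCIA document. The log lines and the inventory in it are constructed sample data so it can be tried without a DHCP server; in use, it reads the DhcpSrvLog-*.log files from the DHCP service directory and an inventory export assumed to have Asset and MacAddress columns.

```powershell
# Added example, not part of the WCIA document: reads Windows DHCP server audit log
# entries (the comma-separated DhcpSrvLog-*.log format) and reports leases whose MAC
# address is not in the device inventory (1.2). The log lines and inventory below are
# constructed sample data; the inventory CSV format (Asset, MacAddress) is an assumption.
param(
    [string]$LogPath       = "$env:SystemRoot\System32\dhcp\DhcpSrvLog-*.log",
    [string]$InventoryPath = 'C:\Inventory\devices.csv',   # assumption
    [switch]$UseSampleData
)

# Constructed sample: the column header as the DHCP service writes it, then three lease records.
$sampleLog = @'
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name
10,03/05/15,08:12:33,Assign,10.10.20.45,ws-finance-07.city.local,00155D0A1B2C,
11,03/05/15,08:15:02,Renew,10.10.20.51,ws-clerk-02.city.local,00155D0A1B99,
10,03/05/15,08:20:47,Assign,10.10.20.88,android-3f9c2a.city.local,A4C3F0112233,
'@
$sampleInventory = @(
    [pscustomobject]@{ Asset = 'WS-FINANCE-07'; MacAddress = '00-15-5D-0A-1B-2C' },
    [pscustomobject]@{ Asset = 'WS-CLERK-02';   MacAddress = '00:15:5d:0a:1b:99' }
)

function ConvertTo-BareMac {
    param([string]$Mac)
    # Inventory exports and DHCP logs disagree on separators and case; compare on bare upper-case hex.
    ($Mac -replace '[^0-9A-Fa-f]', '').ToUpper()
}

function Get-DhcpLeaseEvents {
    param([string[]]$Lines)
    # Skip the service banner and header; keep lease assignments (ID 10) and renewals (ID 11).
    $Lines | Where-Object { $_ -match '^(10|11),' } |
        ConvertFrom-Csv -Header 'ID', 'Date', 'Time', 'Description', 'IPAddress', 'HostName', 'MacAddress', 'UserName' |
        ForEach-Object {
            [pscustomobject]@{
                When      = [datetime]::ParseExact("$($_.Date) $($_.Time)", 'MM/dd/yy HH:mm:ss',
                                [System.Globalization.CultureInfo]::InvariantCulture)
                IPAddress = $_.IPAddress
                HostName  = $_.HostName
                Mac       = ConvertTo-BareMac $_.MacAddress
                Action    = $_.Description
            }
        }
}

function Find-UnknownDevices {
    param([object[]]$Leases, [object[]]$Inventory)
    $known = @{}
    foreach ($d in $Inventory) { $known[(ConvertTo-BareMac $d.MacAddress)] = $d.Asset }
    $Leases | Where-Object { -not $known.ContainsKey($_.Mac) } | Sort-Object Mac -Unique
}

if ($UseSampleData) {
    $lines     = $sampleLog -split "`r?`n"
    $inventory = $sampleInventory
} else {
    $lines     = Get-Content -Path $LogPath
    $inventory = Import-Csv -Path $InventoryPath
}

$unknown = Find-UnknownDevices -Leases (Get-DhcpLeaseEvents -Lines $lines) -Inventory $inventory
$unknown | Format-Table When, IPAddress, HostName, Mac -AutoSize
```

Run it daily against the previous day's log and feed the unknown devices into the change process in 1.3: either the inventory gets a new record or the device gets moved to the guest VLAN. MAC addresses can be forged, so this is an inventory control, not an access control; 802.1X with certificates, recommended above for members with IT staff, is what keeps an unknown device off the production VLAN.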

Control No. 1 – Inventory of Authorized and Unauthorized Devices – Quick Win No. 3

1.3 All equipment acquisitions should automatically update the inventory system as new, approved devices are connected to the network. A robust change control process can also be used to validate and approve all new devices.

1.3 - Recommendations:

Recommended Products or Services

Members with No IT Staff:

Maintain manual device inventory records. Implement a basic change management process that requires the local support vendor to get approval for any change they make to the production environment. Keep records of these changes.

Members with IT Staff:

Implement ITIL based change management processes. Consider using a helpdesk or IT management tool that includes inventory control.


General Recommendations

Due to time constraints the Working Group did not develop specific recommendations for the following controls. Members should follow these priorities as they consider investments in security improvements. Recommendations for vendor solutions provided by SANS were considered reasonable by the Technical Workgroup.


Group Priority - 11

Control No. 19 – Secure Network Engineering

Risk: Many controls in this document are effective but can be circumvented in networks that are poorly designed. Without a carefully planned and properly implemented network architecture, attackers can bypass security controls on certain systems, pivoting through the network to gain access to target machines. Attackers frequently map networks looking for unneeded connections between systems, weak filtering, and a lack of network separation.

GOALS: A robust, secure network engineering process must be employed to complement the detailed controls being measured in other sections of this document.

Reference: SANS What Works for Critical Control 19: https://www.sans.org/critical-security-controls/vendor-solutions/control/19


Control No. 19 – Secure Network Engineering – Quick Win No. 1

19.1 The network should be designed using a minimum of a three-tier architecture (DMZ, middleware, and private network). Any system accessible from the Internet should be on the DMZ, but DMZ systems never contain sensitive data. Any system with sensitive data should reside on the private network and never be directly accessible from the Internet. DMZ systems should communicate with private network systems through an application proxy residing on the middleware tier.


Group Priority - 12

Control No. 10 – Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

Risk: Attackers take advantage of the fact that network devices may become less securely configured over time as users demand exceptions for specific and temporary business needs, as the exceptions are deployed, and as those exceptions are left in place when the business need is no longer applicable. Making matters worse, in some cases, the security risk of the exception is neither properly analyzed nor measured against the associated business need. Attackers search for electronic holes in firewalls, routers, and switches and use those to penetrate defenses. Attackers have exploited flaws in these network devices to gain access to target networks, redirect traffic on a network (to a malicious system masquerading as a trusted system), and intercept and alter information while in transmission. Through such actions, the attacker gains access to sensitive data, alters important information, or even uses one compromised machine to pose as another trusted system on the network.

GOALS: Have network devices secured appropriately.

Reference: SANS What Works for Critical Control 10: https://www.sans.org/critical-security-controls/vendor-solutions/control/10


Control No. 10 – Secure Configurations for Network Devices such as Firewalls, Routers, and Switches – Quick Win No. 1

10.1 Compare firewall, router, and switch configuration against standard secure configurations defined for each type of network device in use in the organization. The security configuration of such devices should be documented, reviewed, and approved by an organization change control board. Any deviations from the standard configuration or updates to the standard configuration should be documented and approved in a change control system.
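The comparison in 10.1 is easy to automate once the approved standard is kept as a text file under change control. The following Python script is an added example for this guide (it is not part of the WCIA document or of any vendor tool): it flattens an IOS-style configuration into context-qualified lines, drops comments and the lines that legitimately differ per device, and reports what the running device is missing from the standard and what it carries that the standard never approved. Both configurations and the change-control ticket number are constructed for the illustration.

```python
"""Detect configuration drift on a network device by comparing its running
configuration against the approved standard (CSC 10.1).

Added example, not part of the WCIA document. Both configurations below are
constructed IOS-style snippets written for this illustration; the change
control ticket number is invented.
"""
import re
from typing import Dict, List

# Non-comment lines that legitimately differ per device or are rewritten by the
# device itself; these are reviewed separately and not reported as drift.
# Assumed list for this example; extend it for the platforms in use.
IGNORE_PATTERNS = [
    re.compile(r"^hostname "),
    re.compile(r"^ntp clock-period "),
]


def normalise(config_text: str) -> List[str]:
    """Flatten a config into context-qualified lines, dropping comments and noise.

    Indented lines are prefixed with their parent section so that, for example,
    'transport input ssh' under 'line vty 0 4' is distinct from the same command
    under another section.
    """
    entries: List[str] = []
    parent = ""
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank line or IOS comment
        if any(p.match(raw) for p in IGNORE_PATTERNS):
            continue
        if raw[0].isspace():
            entries.append(f"{parent} > {raw.strip()}")
        else:
            parent = raw.rstrip()
            entries.append(parent)
    return entries


def diff_configs(baseline: str, running: str) -> Dict[str, List[str]]:
    """Return approved lines missing from the device and lines present but not approved."""
    approved = set(normalise(baseline))
    actual = set(normalise(running))
    return {
        "missing": sorted(approved - actual),
        "unexpected": sorted(actual - approved),
    }


BASELINE = """\
! Approved standard for branch routers, change control CC-0000 (constructed)
hostname STANDARD
service password-encryption
no ip http server
no ip http secure-server
ip ssh version 2
line vty 0 4
 access-class 10 in
 transport input ssh
 exec-timeout 10 0
"""

RUNNING = """\
! Last configuration change at 10:12:03 PST Tue Mar 5 2013
hostname RTR-CITYHALL-01
service password-encryption
ip http server
no ip http secure-server
ip ssh version 2
line vty 0 4
 transport input ssh telnet
 exec-timeout 10 0
snmp-server community public RO
"""

if __name__ == "__main__":
    result = diff_configs(BASELINE, RUNNING)
    for line in result["missing"]:
        print(f"MISSING   : {line}")
    for line in result["unexpected"]:
        print(f"UNEXPECTED: {line}")
```

Run against the constructed configs, the report shows the three exceptions that crept in (HTTP management enabled, telnet re-added to the VTY lines, an SNMP community with a well-known default) and the two hardening lines that were dropped. Each "unexpected" line is either an undocumented exception to take to the change control board or a candidate for the standard itself; each "missing" line is a regression.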

Control No. 10 – Secure Configurations for Network Devices such as Firewalls, Routers, and Switches – Quick Win No. 2

10.2 At network interconnection points—such as Internet gateways, inter-organization connections, and internal network segments with different security controls—implement ingress and egress filtering to allow only those ports and protocols with an explicit and documented business need. All other ports and protocols should be blocked with default-deny rules by firewalls, network-based IPS, and/or routers.


Group Priority - 13

Control No. 9 – Security Skills Assessment and Appropriate Training to Fill Gaps

Risk: Any organization that hopes to be ready to find and respond to attacks effectively must find the gaps in its knowledge and provide exercises and training to fill those gaps. A solid security skills assessment program can provide actionable information to decision-makers about where security awareness needs to be improved, and can also help determine proper allocation of limited resources to improve security practices.

GOALS: Training is closely tied to policy and awareness. Policies tell people what to do, training provides them the skills to do it, and awareness changes behaviors so that people follow the policy. Training should be mapped against the skills required to perform a given job. If, after training, users are still not following the policy, that policy should be augmented with awareness.

Reference: SANS What Works for Critical Control 9: https://www.sans.org/critical-security-controls/vendor-solutions/control/9


Control No. 9 – Security Skills Assessment and Appropriate Training to Fill Gaps – Quick Win No. 1

9.1 Perform gap analysis to see which security areas employees are not adhering to and use this as the basis for an awareness program. Organizations should devise periodic security awareness assessments to be given to employees and contractors on at least an annual basis in order to determine whether they understand the information security policies and procedures, as well as their role in those procedures.

Control No. 9 – Security Skills Assessment and Appropriate Training to Fill Gaps – Quick Win No. 2

9.2 Develop security awareness training for various personnel job descriptions. The training should include specific, incident-based scenarios showing the threats an organization faces, and should present proven defenses against the latest attack techniques.

Control No. 9 – Security Skills Assessment and Appropriate Training to Fill Gaps – Quick Win No. 3

9.3 Awareness should be carefully validated with policies and training. Policies tell users what to do, training provides them the skills to do it, and awareness changes their behavior so that they understand the importance of following the policy.


Group Priority - 14

Control No. 11 – Limitation and Control of Network Ports, Protocols, and Services

Risk: Attackers search for remotely accessible network services that are vulnerable to exploitation. Common examples include poorly configured web servers, mail servers, file and print services, and domain name system (DNS) servers installed by default on a variety of different device types, often without a business need for the given service. Many software packages automatically install services and turn them on as part of the installation of the main software package without informing a user or administrator that the services have been enabled. Attackers scan for such issues and attempt to exploit these services, often attempting default user IDs and passwords or widely available exploitation code.

GOALS: Every network port, protocol, and service reachable on the network is documented and is enabled only where there is a strong business requirement.

Reference: SANS What Works for Critical Control 11: https://www.sans.org/critical-security-controls/vendor-solutions/control/11


Control No. 11 – Limitation and Control of Network Ports, Protocols, and Services – Quick Win No. 1

11.1 Any service that is not needed should be turned off and, if no business need surfaces within 30 days, uninstalled from the system.

Control No. 11 – Limitation and Control of Network Ports, Protocols, and Services – Quick Win No. 2

11.2 Host-based firewalls or port filtering tools should be applied on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
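Quick Wins 10.2 and 11.2 state the same rule twice, once for network interconnection points and once for end systems: every permit needs an explicit, documented business need, and everything else falls to a default-deny. The following Python script is an added example for this guide (not from the WCIA document or from any firewall product) that serves both items. It evaluates flows against a rule set with first-match semantics and audits the rule set for the two things that go wrong in practice: permits left in place without a documented need, and a rule set that relies on an implicit deny instead of ending with an explicit one. The Rule format, both rule sets, and the ticket references are constructed for the illustration; the addresses are from the documentation ranges.

```python
"""Audit a firewall rule set against the default-deny requirement and show how
flows are evaluated against it (CSC 10.2 and 11.2).

Added example, not from the WCIA document. The Rule format, the gateway and
host rule sets, and the change-control ticket numbers are all constructed for
this illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    src: str                    # CIDR or "any"
    dst: str                    # CIDR or "any"
    dport: Optional[int]        # destination port, None = any port
    justification: str = ""     # documented business need (ticket reference)

    def is_catch_all(self) -> bool:
        return (self.proto == "any" and self.src == "any"
                and self.dst == "any" and self.dport is None)


def _in_net(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def matches(rule: Rule, proto: str, src: str, dst: str, dport: int) -> bool:
    return (rule.proto in ("any", proto)
            and _in_net(rule.src, src) and _in_net(rule.dst, dst)
            and (rule.dport is None or rule.dport == dport))


def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching rule wins; a flow that matches nothing is denied."""
    for rule in rules:
        if matches(rule, proto, src, dst, dport):
            return rule.action
    return "deny"


def audit(rules: List[Rule]) -> List[str]:
    """Findings for 10.2/11.2: every permit needs a documented need, no permit
    any/any, and the set must end in an explicit deny-all rather than rely on
    the implicit one (an explicit rule is logged, reviewed and survives a
    platform whose default is permit)."""
    findings: List[str] = []
    for i, rule in enumerate(rules):
        if rule.action != "permit":
            continue
        if not rule.justification.strip():
            findings.append(f"rule {i}: permit without documented business need")
        if rule.is_catch_all():
            findings.append(f"rule {i}: permit any/any is not an explicit allow")
    if not rules or rules[-1].action != "deny" or not rules[-1].is_catch_all():
        findings.append("rule set does not end with an explicit deny-all")
    return findings


# Internet gateway: rule 2 is a 'temporary' exception nobody documented or removed.
GATEWAY_RULES = [
    Rule("permit", "tcp", "any", "203.0.113.10/32", 443, "CC-1042 public web server"),
    Rule("permit", "tcp", "any", "203.0.113.20/32", 25, "CC-0877 inbound mail relay"),
    Rule("permit", "tcp", "198.51.100.0/24", "203.0.113.30/32", 3389, ""),
    Rule("deny", "any", "any", "any", None, "default deny"),
]

# Host firewall on a server: documented permit, but no explicit deny-all at the end.
HOST_RULES = [
    Rule("permit", "tcp", "10.0.0.0/8", "any", 22, "CC-0910 admin SSH from management net"),
]

if __name__ == "__main__":
    for name, rules in (("gateway", GATEWAY_RULES), ("host", HOST_RULES)):
        for finding in audit(rules) or ["no findings"]:
            print(f"{name}: {finding}")
    print(evaluate(GATEWAY_RULES, "tcp", "198.51.100.7", "203.0.113.10", 443))  # permit
    print(evaluate(GATEWAY_RULES, "tcp", "198.51.100.7", "203.0.113.10", 22))   # deny
```

The audit is the part worth running on a schedule: the evaluator already denies anything unmatched, but the RDP exception in rule 2 would pass every packet test while still violating 10.2, because nobody can say why it exists. Tying each permit to a ticket is what lets the exception be reviewed and removed when the business need ends.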

Control No. 11 – Limitation and Control of Network Ports, Protocols, and Services – Quick Win No. 3

11.3 Automated port scans should be performed on a regular basis against all key servers and compared to a known effective baseline. If a change that is not listed on the organization’s approved baseline is discovered, an alert should be generated and reviewed.
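The comparison step in 11.3 is where most organizations stop short: they run the scan but nobody diffs it. The following Python script is an added example for this guide (not from the WCIA document or from Nmap) that parses Nmap's grepable output (`-oG`), builds the set of open ports per host, and compares it against an approved baseline, producing one finding per deviation so it can feed an alert. The baseline and the scan output are constructed for the illustration, with addresses from the documentation ranges; the `open|filtered` state that UDP scans commonly report is deliberately not treated as open, because it needs a follow-up probe rather than an automatic alert.

```python
"""Compare the open ports found by a scheduled Nmap scan against the approved
baseline and raise a finding for every deviation (CSC 11.3).

Added example, not from the WCIA document. The baseline and the Nmap grepable
(-oG) output below are constructed for this illustration; addresses are from the
documentation ranges.
"""
from typing import Dict, List, Set, Tuple

PortSet = Set[Tuple[str, int]]          # {("tcp", 22), ("udp", 53), ...}

# Approved open ports per host, maintained under change control (constructed).
BASELINE: Dict[str, PortSet] = {
    "192.0.2.10": {("tcp", 22), ("tcp", 443)},
    "192.0.2.11": {("tcp", 22), ("tcp", 53), ("udp", 53)},
}

# Constructed output of: nmap -sS -sU -p T:1-1024,U:53,161 -oG - 192.0.2.10-12
SCAN_OUTPUT = """\
# Nmap 6.25 scan initiated Tue Mar  5 02:00:01 2013 as: nmap -sS -sU -p T:1-1024,U:53,161 -oG - 192.0.2.10-12
Host: 192.0.2.10 (web01)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (1022)
Host: 192.0.2.11 (ns01)\tPorts: 22/open/tcp//ssh///, 53/open/tcp//domain///, 53/open/udp//domain///, 161/open|filtered/udp//snmp///\tIgnored State: closed (1021)
Host: 192.0.2.12 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (1023)
# Nmap done at Tue Mar  5 02:07:44 2013 -- 3 IP addresses (3 hosts up) scanned in 463.12 seconds
"""


def parse_grepable(text: str) -> Dict[str, PortSet]:
    """Return {ip: set of (proto, port)} for ports Nmap reports as open.

    Each entry in the Ports field is port/state/proto/owner/service/rpc/version.
    UDP 'open|filtered' is deliberately not counted as open here; those ports
    need a follow-up probe rather than an automatic alert.
    """
    hosts: Dict[str, PortSet] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        open_ports: PortSet = set()
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open":
                open_ports.add((fields[2], int(fields[0])))
        hosts[ip] = open_ports
    return hosts


def compare(baseline: Dict[str, PortSet], observed: Dict[str, PortSet]) -> List[str]:
    """One finding per deviation; an empty list means the scan matches the baseline."""
    findings: List[str] = []
    for ip, ports in sorted(observed.items()):
        if ip not in baseline:
            findings.append(f"{ip}: host not in baseline, open ports {sorted(ports)}")
            continue
        for proto, port in sorted(ports - baseline[ip]):
            findings.append(f"{ip}: unapproved open port {proto}/{port}")
        for proto, port in sorted(baseline[ip] - ports):
            findings.append(f"{ip}: approved port {proto}/{port} no longer open")
    for ip in sorted(set(baseline) - set(observed)):
        findings.append(f"{ip}: baseline host not present in scan results")
    return findings


if __name__ == "__main__":
    for finding in compare(BASELINE, parse_grepable(SCAN_OUTPUT)):
        print("ALERT", finding)
```

On the constructed scan this raises two alerts: an unapproved listener on 8080 on the web server, and a host (192.0.2.12, answering on 3389) that is not in the baseline at all. Approved ports that have disappeared are reported too, since a service that silently stopped is as much a change as one that silently started.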

Control No. 11 – Limitation and Control of Network Ports, Protocols, and Services – Quick Win No. 4

11.4 All services should be kept up to date and any unnecessary components uninstalled and removed from the system.


Group Priority - 15

Control No. 7 – Wireless Device Control

Risk: Major thefts of data have been initiated by attackers who have gained wireless access to organizations from outside the physical building, bypassing organizations’ security perimeters by connecting wirelessly to access points inside the organization. Wireless clients accompanying traveling officials are infected on a regular basis through remote exploitation during air travel or in cyber cafes. Such exploited systems are then used as back doors when they are reconnected to the network of a target organization. Still other organizations have reported the discovery of unauthorized wireless access points on their networks, planted and sometimes hidden for unrestricted access to an internal network. Because they do not require direct physical connections, wireless devices are a convenient vector for attackers to maintain long-term access into a target environment.

GOALS: Ensure each wireless device that is connected to the network matches an authorized configuration and security profile. Access should be denied where there is no match. Do not use home-type wireless access points; they often lack central management capability. Vulnerability scanning should look for wireless devices.

Reference: SANS What Works for Critical Control 7: https://www.sans.org/critical-security-controls/vendor-solutions/control/7


Control No. 7 – Wireless Device Control – Quick Win No. 1

7.1 Ensure that each wireless device connected to the network matches an authorized configuration and security profile, with a documented owner of the connection and a defined business need. Organizations should deny access to those wireless devices that do not have such a configuration and profile.

Control No. 7 – Wireless Device Control – Quick Win No. 2

7.2 Ensure that all wireless access points are manageable using enterprise management tools. Access points designed for home use often lack such enterprise management capabilities, and should therefore be avoided in enterprise environments.

Control No. 7 – Wireless Device Control – Quick Win No. 3

7.3 Network vulnerability scanning tools should be configured to detect wireless access points connected to the wired network. Identified devices should be reconciled against a list of authorized wireless access points. Unauthorized (i.e., rogue) access points should be deactivated.


Group Priority - 16

Control No. 15 – Controlled Access Based on the Need to Know

Risk: Some organizations do not carefully identify and separate their most sensitive data from less sensitive, publicly available information on their internal networks. In many environments, internal users have access to all or most of the information on the network. Once attackers have penetrated such a network, they can easily find and exfiltrate important information with little resistance. In several high-profile breaches over the past two years, attackers were able to gain access to sensitive data stored on the same servers with the same level of access as far less important data.

GOALS: Access is granted only to those with a need to know, and sensitive data is segregated from less sensitive data.

Reference: SANS What Works for Critical Control 15: https://www.sans.org/critical-security-controls/vendor-solutions/control/15


Control No. 15 – Controlled Access Based on the Need to Know – Quick Win No. 1

15.1 Any sensitive information should be located on separate VLANs with proper firewall filtering. All communication of sensitive information over less-trusted networks needs to be encrypted.


Group Priority - 17

Control No. 6 – Application Software Security

Risk: Attacks against vulnerabilities in web-based and other application software have been a top priority for criminal organizations in recent years. Application software that does not properly check the size of user input, fails to sanitize user input by filtering out unneeded but potentially malicious character sequences, or does not initialize and clear variables properly could be vulnerable to remote compromise. Attackers can inject specific exploits, including buffer overflows, SQL injection attacks, cross-site scripting, cross-site request forgery, and clickjacking, to gain control over vulnerable machines.

GOALS: To avoid such attacks, both internally developed and third-party application software must be carefully tested to find security flaws. For third-party application software, enterprises should verify that vendors have conducted detailed security testing of their products. For in-house developed applications, enterprises must conduct such testing themselves or engage an outside firm to conduct it.

Reference: SANS What Works for Critical Control 6: https://www.sans.org/critical-security-controls/vendor-solutions/control/6


Control No. 6 – Application Software Security – Quick Win No. 1

6.1 Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks, including but not limited to cross-site scripting, SQL injection, command injection, and directory traversal attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.
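The point 6.1 makes about encryption (the WAF must see the traffic in the clear) applies one layer down as well: the WAF must inspect the request as the application will interpret it, which means decoding it first. The following Python script is an added example for this guide (not from the WCIA document and not a production WAF) showing the request-inspection logic in miniature for the four attack classes the item names, and why nested percent-encoding defeats a filter that decodes only once. The four signatures, the sample requests, and the decoding bound are constructed for the illustration; real rule sets such as ModSecurity's are far broader than the handful of patterns here.

```python
"""Illustrate the request inspection a web application firewall performs, and
why it must look at decoded traffic (CSC 6.1).

Added example, not from the WCIA document and not a production WAF: the four
signatures, the request samples and the decoding limit are constructed for this
illustration.
"""
import re
from typing import List
from urllib.parse import unquote

# Deliberately small signature set; each is one common pattern, not full coverage.
SIGNATURES = {
    "sqli": re.compile(r"""['"]\s*(or|and)\s+['"\w]+\s*=\s*['"\w]+|union\s+select|;\s*drop\s+table""", re.I),
    "xss": re.compile(r"<\s*script|javascript:|on(load|error|click)\s*=", re.I),
    "traversal": re.compile(r"\.\.[/\\]|/etc/passwd|\\windows\\system32", re.I),
    "cmdi": re.compile(r"(;|\||&&)\s*(cat|ls|id|whoami|wget|curl|nc)\b", re.I),
}


def normalise(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded).

    Double encoding (%252e for '.') is a classic way past a filter that decodes
    only once; the bound keeps an attacker from making the filter loop forever.
    """
    current = value
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def inspect_request(path: str, query: str = "", body: str = "",
                    decode_rounds: int = 3) -> List[str]:
    """Return the sorted signature names that match any part of the request.

    decode_rounds=1 models a naive filter that decodes once; the default models
    one that decodes until stable.
    """
    hits = set()
    for field in (path, query, body):
        text = normalise(field, decode_rounds)
        for name, pattern in SIGNATURES.items():
            if pattern.search(text):
                hits.add(name)
    return sorted(hits)


# Constructed requests: the second one is double-encoded and passes a
# single-decode filter untouched.
SAMPLES = [
    ("/index.html", "page=2", ""),
    ("/download", "file=%252e%252e%252f%252e%252e%252fetc%252fpasswd", ""),
    ("/search", "q=%27%20OR%20%271%27%3D%271", ""),
    ("/comment", "", "text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    ("/ping", "", "host=127.0.0.1;cat%20/etc/passwd"),
]

if __name__ == "__main__":
    for path, query, body in SAMPLES:
        once = inspect_request(path, query, body, decode_rounds=1) or ["clean"]
        full = inspect_request(path, query, body) or ["clean"]
        print(f"{path:<12} decode-once: {', '.join(once):<16} decode-until-stable: {', '.join(full)}")
```

The double-encoded traversal request is the one to watch: decoded once it still reads `%2e%2e%2f`, matches nothing, and is passed to the application, which decodes it again and opens `../../etc/passwd`. A signature-only WAF also says nothing about business logic flaws, which is why 6.1 is a quick win in front of the application and not a substitute for the testing the GOALS paragraph calls for.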


Group Priority - 18

Control No. 17 – Data Loss Prevention

Risk: In recent years, attackers have exfiltrated more than 20 terabytes of often sensitive data from DoD and defense industrial base organizations (e.g., contractors doing business with the DoD), as well as civilian government organizations. Many attacks occurred across the network, while others involved physical theft of laptops and other equipment holding sensitive information. Yet in most cases, the victims were not aware that significant amounts of sensitive data were leaving their systems because they were not monitoring data outflows. The movement of data across network boundaries both electronically and physically must be carefully scrutinized to minimize its exposure to attackers. The loss of control over protected or sensitive data by organizations is a serious threat to business operations and a potential threat to national security. While some data are leaked or lost as a result of theft or espionage, the vast majority of these problems result from poorly understood data practices, a lack of effective policy architectures, and user error. Data loss can even occur as a result of legitimate activities such as e-Discovery during litigation, particularly when records retention practices are ineffective or nonexistent.

GOALS: Data loss prevention refers to a comprehensive approach covering people, processes, and systems that identify, monitor, and protect data in use (e.g., endpoint actions), data in motion (e.g., network actions), and data at rest (e.g., data storage) through deep content inspection and with a centralized management framework. Over the last several years, there has been a noticeable shift in attention and investment from securing the network to securing systems within the network, and to securing the data itself. DLP controls are based on policy, and include classifying sensitive data, discovering that data across an enterprise, enforcing controls, and reporting and auditing to ensure policy compliance.

Reference: SANS What Works for Critical Control 17: https://www.sans.org/critical-security-controls/vendor-solutions/control/17


Control No. 17 – Data Loss Prevention – Quick Win No. 1

17.1 Deploy approved hard drive encryption software to mobile devices and systems that hold sensitive data.


Group Priority - 19

Control No. 18 – Incident Response and Management

Risk: Considerable damage has been done to organizational reputations and a great deal of information has been lost in organizations that do not have fully effective incident response plans in place. Without an incident response plan, an organization may not discover an attack in the first place, or, if the attack is detected, the organization may not follow proper procedures to contain damage, eradicate the attacker’s presence, and recover in a secure fashion. Thus, the attacker may have a far greater impact, causing more damage, infecting more systems, and possibly exfiltrating more sensitive data than would otherwise be possible were an effective incident response plan in place.

GOALS: Detect, contain, and recover from incidents quickly, and avoid the liability associated with data breach notification requirements.

Reference: SANS What Works for Critical Control 18: https://www.sans.org/critical-security-controls/vendor-solutions/control/18


Control No. 18 – Incident Response and Management – Quick Win No. 1

18.1 Ensure that there are written incident response procedures that include a definition of personnel roles for handling incidents. The procedures should define the phases of incident handling.

Control No. 18 – Incident Response and Management – Quick Win No. 2

18.2 Assign job titles and duties for handling computer and network incidents to specific individuals.

Control No. 18 – Incident Response and Management – Quick Win No. 3

18.3 Define management personnel who will support the incident handling process by acting in key decision-making roles.

Control No. 18 – Incident Response and Management – Quick Win No. 4

18.4 Devise organization-wide standards for the time required for system administrators and other personnel to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification. This reporting should also include notifying the appropriate Community Emergency Response Team in accordance with all legal or regulatory requirements for involving that organization in computer incidents.


Control No. 18 – Incident Response and Management – Quick Win No. 5

18.5 Maintain third-party contact information to be used to report a security incident (i.e., maintain an e-mail address such as security@organization.com or a web page such as http://organization.com/security).

Control No. 18 – Incident Response and Management – Quick Win No. 6

18.6 Publish information for all personnel, including employees and contractors, regarding reporting computer anomalies and incidents to the incident handling team. Such information should be included in routine employee awareness activities.


Group Priority - 20

Control No. 20 – Penetration Tests and Red Team Exercises

Risk: Attackers penetrate networks and systems through social engineering and by exploiting vulnerable software and hardware. Once they get access, they often burrow deep into target systems and broadly expand the number of machines over which they have control. Most organizations do not exercise their defenses, so they are uncertain about their capabilities and unprepared for identifying and responding to attack.

GOALS: Penetration testing involves mimicking the actions of computer attackers to identify vulnerabilities in a target organization, and exploiting them to determine what kind of access an attacker can gain. Penetration tests typically provide a deeper analysis of security flaws than a vulnerability assessment. Vulnerability assessments focus on identifying potential vulnerabilities, while penetration testing goes deeper with controlled attempts at exploiting vulnerabilities, approaching target systems as an attacker would. The result provides deeper insight into the business risks of various vulnerabilities by showing whether and how an attacker can compromise machines, pivot to other systems inside a target organization, and gain access to sensitive information. Red team exercises go further than penetration testing. Red team exercises have the goals of improved readiness of the organization, better training for defensive practitioners, and inspection of current performance levels. Independent red teams can provide valuable and objective insights about the existence of vulnerabilities and about the efficacy of defenses and mitigating controls already in place and even those planned for future implementation.

Reference: SANS What Works for Critical Control 20: https://www.sans.org/critical-security-controls/vendor-solutions/control/20


Control No. 20 – Penetration Tests and Red Team Exercises – Quick Win No. 1

20.1 Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully. Penetration testing should occur from outside the network perimeter (i.e., the Internet or wireless frequencies around an organization) as well as from within its boundaries (i.e., on the internal network) to simulate both outsider and insider attacks.

Control No. 20 – Penetration Tests and Red Team Exercises – Quick Win No. 2

20.2 If any user or system accounts are used to perform penetration testing, those accounts should be carefully controlled and monitored to make sure they are only being used for legitimate purposes.
