
  • Mike Davis, ElecEngr / MSEE, CISSP / CISO, MA Mgmt, SysEngr

    Cyber Security / Risk Management Consultant (enthusiast!)

    [email protected]

    Doug Magedman, MS Cybersecurity and IA, MS OA/HSI, BS-BME,

    SPAWAR HQ Technical Authority

    [email protected]

    Cutting through the fog of cybersecurity

    Preparing security operators for what “REALLY” matters in Cyber!

    (Slide graphic: COMPLEXITY vs. the “easy button”)

    Cyber Workforce Bottom Line: Small businesses are the backbone of the USA – they need security operators, not ‘ninjas’!

    Those with “Security+ / SSCP” knowledge and skills that minimize 95% of all incidents.

    SD ISC2 and SD IEEE

  • Cutting through the CyberSecurity Fog! B.L.U.F. – Bottom Line Up Front

    The threats are very real, and the news shows only a small percentage. It does not just happen to the other guy – YOU WILL be / ARE affected.

    Focus on business risk reduction and minimizing legal liabilities. Adequate cyber protections are but one part – so is insurance…

    You cannot buy cyber security, you must manage cyber – many parts. The standard IA/Security suite is pretty good – IF maintained well in operation.

    “P6” principles still apply – as do strategic partnerships. Few can afford to go it alone – use a managed security service (MSS).

    Don’t fix cracks in the cyber walls while the barn door is open! Keeping your cyber suite well maintained cuts incidents by 95%.

  • What MUST we do in Cyber?

    Close the “cyber” barn door first, versus fixing cracks in the wall!

    Follow the Hierarchy of Cyber needs – mitigate and manage your way up. RE: enforce hygiene, effective access control, use APLs, proactive security policy, etc.

    The BASICS – at least manage the top NSA 10 / SANS 20 mitigations! (How about just DOING the Cyber Hygiene Campaign (*) top 5 actions!)

    (e.g., 1 & 2 - Inventory SW & HW, 3 - Secure CM, 4 – SCM/SIEM & 5 - enforce least privilege)

    (*) https://www.cisecurity.org/about/CyberCampaign2014.cfm

    “Cyber cracks” account for at most 5%; lack of cyber hygiene causes well over 90% of all security incidents!

  • Cyber Workforce Chasm

    1 - Companies say they cannot find ‘qualified cyber workers’ (e.g., a non-specific request).

    2 - Educational entities / institutions are providing decent levels of degreed / certified people.

    So why is there a communication chasm between supply and demand?

    Any cyber educational effort must address three aspects of providing cyber skills:

    1 – Cyber “qualified workers” come in MANY types and levels - not one “cyber guy” (32 levels by NIST’s ‘NICE’ Cyber Ed framework (#) / and the ‘volume’ need is at the mid / entry level)

    2 - Fix the notion that people with degrees / certifications do not have usable skills

    3 – Cyber workforce conversant in risk management (the impacts that their actions cause)

    (#) NIST / NICE National Cybersecurity Workforce Framework: http://niccs.us-cert.gov/sites/default/files/documents/files/DraftNationalCybersecurityWorkforceFrameworkV2.xlsx

    Cyber education providers must educate the hiring managers to close the gap!

  • SO… what really does matter in Cyber?

    It’s NOT about expensive new cyber capabilities / “toys” but more about the interoperability “glue” (distributed trust, resiliency, automation, profiles).

    You can NOT buy cyber, so do the cyber BASICS well!!! An achievable 90-95% reduction in security incidents – stabilize the environment!

    CYBER is fundamentally all about TRUST and DATA (identity, authentication, secure comms -- provenance, quality, pedigree, assured).

    90+% of security incidents are from lack of doing the basics! USE effective Security Continuous Monitoring (SCM / SIEM) – a MUST DO! With enforced cyber hygiene, enterprise access control, & reduced complexity (APLs). Shift from only protecting the network to the DATA security itself – an information-centric view.

    Embrace your Risk Management Plan (RMP) – LIVE IT! Have an enforceable security policy – what is allowed / not – and train to it. KNOW your baseline - protect the business from the unknown risks as well. Employ a due diligence level of security – then manage & transfer the residual risks!

  • (Slide word cloud of security terms: Kerberos, PKI, Token, Digital Certificate, Thin Clients, Biometrics, HIPAA, VPN IPSEC, SSL, Hardening, Cloud, XML Gateways, Secure Collaboration, Compliance, Secure Blades, H/W Crypto, SOX, DAC, RSBAC, FIPS 140-2, Trusted OS Guards, Cyber Security, SaaS, Wireless)

    Cyber Security is Complex from a Technical Perspective. What factors must be addressed in a Cyber Operator Course?

    What does it take to minimize the “95%” of most security incidents?

    (From an IBM security brief)

  • IA/Security Axioms to consider / accommodate / educate

    • Security and complexity are often inversely proportional.

    • Security and usability are often inversely proportional.

    • Good security now is better than perfect security never.

    • A false sense of security is worse than a true sense of insecurity.

    • Your security is only as strong as your weakest link.

    • It is best to concentrate on known, probable threats first.

    • Security is an investment (insurance), not an expense with an RoI.

    • Security is directly related to the education and ethics of your users.

    • Security is a people problem – users stimulate problems, at all levels.

    • Security through obscurity is weak & we can NOT always add security later.

    http://www.avolio.com/papers/axioms.html

    Work through all these in your “Risk Management Plan!”

    Who says what we MUST DO? From a business DUE CARE / due diligence level.

    Collectively: NIST… NSA… SANS… etc - the following slides provide details

  • NIST’s “absolutely necessary” security activities (NIST - National Institute of Standards and Technology)

    • Protect information/systems/networks from damage by viruses, spyware, and other malicious code. (IA suite, A/V, etc)

    • Provide security for your Internet connection / ISP

    • Install and activate software firewalls on all your business systems

    • Patch your operating systems and applications

    • Make backup copies of important business data/information

    • Control physical access to your computers and network components

    • Secure your wireless access point and networks

    • Train your employees in basic security principles

    • Require individual user accounts for each employee on business computers and for business applications

    • Limit employee access to data and information, and limit authority to install software

    While these are the KEY cyber activities, there are more to accommodate in a ‘due diligence’ cyber state.

    Key Hierarchy of needs activities

  • NIST’s “Highly Recommended” Practices

    http://csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf

    • Policy / practice for email attachments and requests for sensitive information

    • Policy / practice for web links in email, instant messages, social media, or other means

    • Policy / practice for popup windows and other hacker tricks

    • Doing online business and secure banking

    • Recommended personnel practices in hiring employees

    • Security considerations for web surfing, prohibited sites

    • Policy / practice for downloading software from the Internet

    • How to get help with information security when you need it

    • How to dispose of old computers, media and fax machines

    • How to protect against Social Engineering, data loss prevention


    WHAT, “more to do?” YES, but most are related to standard IA/CND mitigations...

    Key Hierarchy of needs activities

  • NSA IAD top ten controls


    1 - Application whitelisting - only run approved apps (that SysAdmin reviews)

    2 - Control Administrative privileges - minimize escalation, enforce least privilege

    3 – Limit workstation-to-workstation communications – thwart “pass-the-hash”

    4 – Use Anti-virus File Reputation Services – leverage cloud-based threat databases

    5 – Enable Anti-Exploitation Features - for example, MS Windows EMET

    6 – Implement Host Intrusion Prevention System Rules – focus on threat behaviors

    7 – Set a Secure Baseline Configuration – layered security, standard images, etc

    8 – Use Web Domain Name Service (DNS) Reputation – Screen URLs, intrusion alerts

    9 – Use/Leverage Software improvements – software / OS upgrade and patch policy

    10 – Segregate Networks and functions – based on role, functionality – monitor sections, then isolate when attacked

    http://www.sans.org/security-resources/IAD_top_10_info_assurance_mitigations.pdf

    Key Hierarchy of needs activities


  • SANS top 20 controls (ver 3)

    1: Inventory of Authorized and Unauthorized Devices
    2: Inventory of Authorized and Unauthorized Software
    3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
    4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
    5: Boundary Defense
    6: Maintenance, Monitoring, and Analysis of Security Audit Logs
    7: Application Software Security
    8: Controlled Use of Administrative Privileges
    9: Controlled Access Based on the Need to Know
    10: Continuous Vulnerability Assessment and Remediation
    11: Account Monitoring and Control
    12: Malware Defenses
    13: Limitation and Control of Network Ports, Protocols, and Services
    14: Wireless Device Control
    15: Data Loss Prevention
    16: Secure Network Engineering
    17: Penetration Tests and Red Team Exercises
    18: Incident Response Capability
    19: Data Recovery Capability
    20: Security Skills Assessment and Appropriate Training to Fill Gaps

    http://www.sans.org/critical-security-controls/

    Key Hierarchy of needs activities

  • Top 35 Mitigations (Australian Signals Directorate)

    http://www.asd.gov.au/infosec/top35mitigationstrategies.htm

    At least 85% of the targeted cyber intrusions the Australian Signals Directorate responds to could be prevented by following the Top 4 mitigation strategies:

    • use application whitelisting to help prevent malicious software and other unapproved programs from running
    • patch applications such as PDF readers, Microsoft Office, Java, Flash Player and web browsers
    • patch operating system vulnerabilities
    • minimize the number of users with administrative privileges.

    Examples of Targeted Cyber Intrusions mitigation strategies: Disable local administrator accounts; Multi-factor authentication; Network segmentation and segregation; Application based workstation firewall; Host-based Intrusion Detection/Prevention System; Centralized and time-synchronized logging; Whitelisted email content filtering; Web domain whitelisting for all domains; Workstation application security configuration hardening; User education; Computer configuration management; Server application security configuration hardening; Antivirus software with up to date signatures; Enforce a strong passphrase policy; etc.

    Key Hierarchy of needs activities

  • Top 25 SW development errors

    [1] Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    [2] Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    [3] Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
    [4] Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    [5] Missing Authentication for Critical Function
    [6] Missing Authorization
    [7] Use of Hard-coded Credentials
    [8] Missing Encryption of Sensitive Data
    [9] Unrestricted Upload of File with Dangerous Type
    [10] Reliance on Untrusted Inputs in a Security Decision
    [11] Execution with Unnecessary Privileges
    [12] Cross-Site Request Forgery (CSRF)
    [13] Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    [14] Download of Code Without Integrity Check
    [15] Incorrect Authorization
    [16] Inclusion of Functionality from Untrusted Control Sphere
    [17] Incorrect Permission Assignment for Critical Resource
    [18] Use of Potentially Dangerous Function
    [19] Use of a Broken or Risky Cryptographic Algorithm
    [20] Incorrect Calculation of Buffer Size
    [21] Improper Restriction of Excessive Authentication Attempts
    [22] URL Redirection to Untrusted Site ('Open Redirect')
    [23] Uncontrolled Format String
    [24] Integer Overflow or Wraparound
    [25] Use of a One-Way Hash without a Salt

    http://cwe.mitre.org/top25/

    Must BUILD IA IN. This starts with SW.. AND applies to Apps / Services

    Key Hierarchy of needs activities
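    Two entries from that list are worth seeing as code rather than as titles, because the fix for each is a one-line habit a “cyber operator” can check for in any small-business app: #1 SQL injection (CWE-89), string-built query beside a bound-parameter query, and #25 one-way hash without a salt (CWE-759), plain SHA-256 beside a salted, iterated PBKDF2 with constant-time verification. This is an added example, not code from the slides or from the CWE site; the table, users and passwords are constructed, and it runs on an in-memory SQLite database.

```python
"""Added example (not from the slides or CWE): CWE-89 and CWE-759 vulnerable vs. fixed.
Table, users and passwords are constructed; SQLite runs in memory."""
import hashlib
import hmac
import os
import sqlite3

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_vulnerable(conn, name):
    """CWE-89: the caller's string becomes part of the SQL text."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    """Bound parameter: the driver passes `name` as data, so quotes in it are inert."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

def hash_unsalted(password):
    """CWE-759: same password, same digest, so one precomputed table cracks every user."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_salted(password, salt=None, iterations=100_000):
    """Per-user random salt plus a slow KDF; stored as salt$iterations$digest (hex)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "%s$%d$%s" % (salt.hex(), iterations, digest.hex())

def verify_salted(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    salt_hex, iterations, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    db = build_db()
    payload = "nobody' OR '1'='1"          # classic tautology injection
    print("vulnerable:", lookup_vulnerable(db, payload))   # every row leaks
    print("safe:      ", lookup_safe(db, payload))         # []
    print("unsalted equal:", hash_unsalted("Winter2014!") == hash_unsalted("Winter2014!"))
    a, b = hash_salted("Winter2014!"), hash_salted("Winter2014!")
    print("salted equal:", a == b, "| verify:", verify_salted("Winter2014!", a))
```

    With the payload `nobody' OR '1'='1` the string-built query returns all three users and the parameterized one returns nothing, which is the whole of the injection lesson. For the hashes, two users with the same password get identical unsalted digests but different salted ones, and `verify_salted` still accepts the right password for both because the salt travels with the stored value.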

  • Cyber Hygiene – the many faces of neglect. Our IA/CND/Security cyber suite is quite good – IF maintained!

    Equipment settings (FW, A/V, IDS, etc) – monitor / enforce

    Standard operating procedures (SOPs) – USE / enforce them

    Social media content & settings – restrict sharing / privileges

    Security education – ALL levels – reinforce; incentivize – good vs bad

    Privacy and “PII” – enforce policy (note - the “EU” is stricter)

    Incident reporting – no incident too small; notify US-CERT / FBI

    Controlled access – enforce least privilege; separate / rotate duties

    Know your security baseline AND employ SCM / SIEM

    Maintain the cyber suite – patches, upgrades, etc

    Forbes top threats for 2013: “MOST” have “CM / hygiene” AND / or “access control” aspects: Social Engineering; APTs; Internal Threats; BYOD / mobile malware; HTML5; Botnets; CLOUD infrastructure, & Precision Targeted Malware

    (compliance == security?) Will lack of cyber hygiene continue to put you at MUCH greater risk?

    Key Hierarchy of needs activities

  • Security Main Factors. Wow… Given ALL these guides - What MUST WE DO?

    • Implement the NIST “absolutely necessary” elements – first and foremost to protect your data (encryption and backups)

    • Effective passwords – still the bane of basic security… and policy is still poor! (tokens / two-factor IA&A should be used for critical data / processes)

    • Securing the client, fortifying the browser… buying trusted business apps, services… the browser / client is THE largest malware entry point!

    • Minimal security suite: antivirus, firewall, IDS, VPN, connection security

    • Monitoring tools… needed to manage CM/hygiene, track users / data, provide alerts (SCM/SIEM); supports preplanned SOPs / COOPs, etc

    • Enforce a living security policy – quantify actual risks, strict need to know

    • DATA protection - encryption and access control - minimize IP loss, data loss prevention

    • A robust and adaptive security strategy = risk management plan (RMP) – to keep pace with the fast-evolving nature of IT security, including cloud services / SLAs, etc

    Our Cyber Security operator course collates all these guides and maps.

    Key Hierarchy of needs activities

  • Course Purpose and Intent

    ACMEcyber – Applied Cybersecurity Methodologies and Education (ACME) – Cyber Solutions

    • Vision

    – Provide the framework / resource for Applied Cybersecurity at the technical level

    • Mission

    – Provide introductory education to promote Cyber Awareness

    – Create a San Diego area consortium for Applied Cybersecurity Education

    • Objectives

    – Seek Industry and Government endorsement (IEEE, ISSA/ISC2, NICE, etc..)

    – Develop a Standard Cyber “needs” training template / syllabus for ALL to use…

    – Community Outreach

    • Develop Targeted Curriculum for Initial Cybersecurity Introduction for SO/HO

    • Develop Targeted Curriculum for Applied Cyber security (Security+ level education)

    • Develop Targeted Curriculum for Advanced Cybersecurity Topics

  • Why Technical Level Application?

    • IT Professionals lack applied cyber skills – certs and degrees but no practical experience

    • Small/medium sized businesses have needs but no idea of scope – raise awareness for getting the basics covered

    • Availability and cost of training – boot camp education and certification doesn’t work; SANS conference training is way too long and costly

    • SANS Boot Camp for Cyber Essentials - Austin, TX, Apr 28 - May 3: $4,895.00

    – Where are all the local Cybersecurity education resources? UCSD, National University, Coleman College – not applied cyber curriculums

  • What are we trying to accomplish?

    • Develop urgency for generating professional demand – know when to call a consultant

    • Establish and create a basic weeklong curriculum – addresses all the basics of Cybersecurity – provides a 90-95 percent defense

    • “Closing the Barn Door” – foster interest in the development of Cyber Professionals in SD

    • Teach how to think about Cybersecurity – create chefs rather than cooks following recipes

  • Our Cyber Ed Approach

    • Modular

    – Don’t have to spend inordinate amount of time searching

    – Just in time training

    • Leverages existing information on Internet

    – Focuses on key considerations (chef)

    – Directs operators to the source of the recipes (cook)

    • Alleviates outdating of material and develops self-sufficiency

    • “Cuts Through the Cybersecurity Fog” alleviating confusion

    – Fosters understanding rather than procedure

    – Promotes self-efficacy and self -reliance

  • Cyber Education triangle – “clarifying the fog of cyber security through targeted training”

    (Slide graphic: a triangle of education levels – Advanced, Targeted, Foundational – with these items from top to bottom: MS / BS Cyber; CISSP / GISP / CISO / etc; forensics / ethical hacker / etc; Firewall / cloud security / Crypto & Key mgmt / “*”; Security+ “and” skills development; Awareness Education; STEM (grades 7-12))

    Curriculum & Resources – linked / leveraged (on-line, companies, colleges, etc)

    The KEY break point is providing “cyber operators”! The small business security course & practicum expands the pool for advanced education.

    (“*” = IDS/IPS, anti-virus, wireless, application development, cloud, web/mobile code, mobile, etc…)

  • Notional Cyber education roadmap (authoritative sources, categorized, mapped to CSF)

    (Slide graphic: flow from foundation → inputs / factors → key artifacts → outcome)

    Foundation: NIST / Whitehouse Cybersecurity Framework (CSF); the target environment

    Inputs / factors: NICE CyberSecurity Workforce Framework 2.0 (lists 30+ types of SMEs!); NSA CAE accreditation focus areas; NIST SPs & ‘must do’ requirements; SANS top 20, Top 35 Mitigations, OWASP top 10, Top 25 SW errors; customer awareness AND demand

    Key artifacts: CERT areas / KSAs grouped & aligned to support key IA needs; align needs / areas – clarify / map certs to specific demand areas; Curriculum MAP – objectives, quantified KSAs; Cyber Needs Paper – center & align KSAs with security needs, to also educate leaders

    Outcome: Cyber Operator – targeted / focused, trained / proven KSA

  • Cyber capabilities – KSA decomposition (Objective = support business risk management – prioritized vulnerability reductions)

    (Slide graphic, three tiers:)

    Overall Cyber Security Factors: people, processes, products, policy, tools, threats

    Main functional areas / buckets: SW/apps/services; Web / active code; Data; Network (client / server / router); Mobile / wireless; IA/CND & crypto/key mgmt; IA&A; Compliance; C&A (V&V); RISK assessment; Security testing; O&M/support – Sys Admin & CM/hygiene

    KEY capabilities / products / processes / methods = KSAs. From the NICE framework: (1) functions – Provision, Analyze, O&M / support, Collect, Investigate, Protect & defend; (2) cyber skills (KSAs) – requirements analysis, assessment, pen testing, C&A, security design

    ALL geared to specific positions / types (manager, project lead, Cyber SME / ISSE) and with some aspect of technical level (apprentice, journeyman, master)

  • Hierarchy of Cyber Needs (i.e., a Maslow triangle…)

    If you don’t take care of the level before the one you are operating in or focusing on, then your efforts are for the most part moot, as you are in a higher-risk status until the earlier level is satisfied!

    1 – Resiliency - Survival / recovery
    + Secure backup (types / methods, various sites / levels)
    + Incident response (company processes, comms with LE / FBI, etc)
    + Recovery Plan - COOP / BCP (phases of recovery, hot / mirror site, etc)

    2 – Cyber foundation
    + Access control (PW, CAC, enforce least privilege, separate / rotate duties, etc)
    + Layered Defense - IA/CND strategy – WHAT capabilities are needed
    + Security Policy (privacy, social media, PII, etc) - enforcement aspects too
    + Monitoring / Know your baseline – SCM / SIEM
    + Tools – selection and integration
    + Business Risk Management / Assessment (RMF / COBIT) / requirements analysis with an AoA

    3 – Cyber Maintenance - security hygiene / CM / SOPs
    + Manage Policy - social media content & settings… restrict sharing / privileges = proactive monitoring
    + Maintain Cyber Security Suite – patches, upgrades, etc.. control system settings… & dashboard!
    + Standard operating procedures (SOPs).. USE / enforce them
    + Security training / education awareness – ALL levels – reinforce / incentivize – pos & neg

    4 – Applied cyber security (IA / CND / security capabilities best practices)
    Given the best practices and cyber protections approach below, distill the key attributes for each IA/CND capability, following the products’ install instructions and tailoring them for the company’s environment… specific equipment settings for ‘secure’ sustainment / operations = Firewall, A/V suite, IDS/IPS, Crypto, Key mgmt., Mobile, wireless, Network, apps, data security, etc

    5 – Cyber actualization - compliance / assessment / analytics
    + V&V / TE&C / C&A – formal proof -> residual risks -> cyber value proposition
    + KEY compliance activities – PII, PCI, HIPAA, etc
    + Forensics / ethical hacker
    + Big data / predictive analytics (integrate SCM / SIEM, IA/CND reports, etc.)
    + Pen / security testing (of all cyber capabilities, backup, PW, etc)

    Skill levels: Apprentice – BASICs; Journeyman – Operations; Master – Optimized Value

    KSA / practicum based on small business security: NSA IAD top 10 factors, Top 20 security controls, Top 35 mitigations

  • The Cyber Integrated ED Package

    “Bottom up” / needs approach to effective cyber SKILLS training (practicum)!

    Not everyone needs, nor can afford, a “cyber ninja”!

  • Module Components

    • Description of module topic and intended educational objective

    • Threat / Implication of not taking appropriate action within the module

    • Key Considerations that are the essential concepts to understand

    • Implementation aspects that must be accommodated for success

    • Best Practices sanctioned by National or Industry guidance

    • Demonstration material or websites that can be used in training

    • National/Industry websites to be used as official reference sources

    • References that can be used for furthering education

    Modules are tailored into slides for that course and sector focus, using SCORM methods and an LMS to tie all materials together.

  • Cyber Essentials Course for SMB – developing security operators to fill the critical skills void.

    (Key skills to mitigate the top 10/20/35 mitigations, with a Security+ / SSCP cert knowledge level; a Security+ cert is the prerequisite)

    (Slide graphic: five-day schedule, Mon–Fri, 0800–1600, with lunch 1100–1200. Topic blocks in order: Cyber Overview, Resiliency, Foundations, Foundations, Foundations, Applied, Applied, Operations & Maintenance, Actualization & Review & skills test, return to office)

    SMB needs cyber operators! High volume & greatest need (Operations & Maintenance). Also have an MSS, then manage the 95% of vulnerabilities on site & know when to ask for help!

    [email protected]

  • Major Hierarchy Areas

    Building Resiliency

    Foundational Cyber Defense

    Cyber Operations & Maintenance

    Advanced Applied Cyber

    Actualization

  • Building Resiliency

  • Foundational Cyber Defense

    - Software

  • Foundational Cyber Defense

    - Hardware

  • Cyber Operations & Maintenance

  • Applied Cyber – IA/CND/Security

  • Cyber Actualization

    • V&V / TE&C / C&A – formal proof / assessments

    • KEY compliance activities – PII, PCI, HIPAA, etc

    • Pen testing… and security testing (of all cyber capabilities, backup, PW, etc)

    • Forensics / ethical hacker

    • Big data / predictive analytics (integrate SCM / SIEM, IA/CND reports, etc.)

    • Higher level certifications; CISSO, etc..

  • PROCESS. Where’s your data? Who has it? Is it safe?

    • A recent Symantec Threat Report states that 82% of data that was either lost or stolen could have been avoided if the business had followed a simple cyber security plan.

    • The Verizon data breach report stated that 87% of all security incidents could have been easily prevented by implementing known patches/controls published over 6 months earlier.

    • Where the security basics are fairly well known, but not implemented well, OR verified… (numbered items are from the US Chamber of Commerce guide, #)

    – 1 Use Strong Passwords and Change Them Regularly

    • Be very aware that POOR PASSWORDS GIVE A FALSE SENSE OF SECURITY!!!

    – 5 Remove Unused Software and User Accounts

    • Delete / securely wipe everything on replaced equipment (yes, faxes / copiers too!)

    – 6 Establish Physical Access Controls for KEY Computer Equipment / rooms

    – 7 Create Backups for Important Files, Folders, and Software – also store off-site

    – Enforce the Principle of Least Privilege - strict access controls, need to know

    – Develop and use a data-centric security approach – DLP is good, but more is needed

    – Ensure all staff receive basic online security training and instruction in your policies

    – Take security breaches seriously – isolate any compromised systems from the network and involve an IT security professional if necessary to ensure the malware is fully removed

    (#) = Top 12 SMB security recommendations from the US Chamber of Commerce Cyber guide

  • POLICY. What’s your legal, statutory liability? Can you be sued?

    • 2 Be vigilant opening E-Mail Attachments and Internet Downloads (scan / DMZ?)

    • 10 Access to Sensitive and Confidential Data.. and limit authority to install software

    • 11 Establish and Follow a Security Financial Risk Management Plan (RMP); Maintain Adequate Insurance Coverage

    • 12 Get Technical Expertise and Outside Help When You Need It

    • Make Security Policies a clear, well communicated and enforced priority

    • Ensure all compliance aspects are supported by policy, tools, users and management, as it’s more than “just” an audit process (PCI, SOX, HIPAA, etc)

    • Decide whether computers, laptops and software are to be supplied by your company, or by your staff – and reflect these decisions in your policies, purchasing and processes

    • Document a simple acceptable-use policy for any computer that is used for company business or media that is used to store or transport company data

    • Create an acceptable password-strength policy and ensure that all computers and other IT equipment are password protected

    • Require that all security incidents are promptly reported and managed to a business stakeholder and a formal “CERT” entity

    There is a legal perspective of a “minimal level of security” wrt “due diligence”.

  • Security Main Factors (summary)

    Collectively, with industry, academia and government teaming,

    we can “implement” small business security effectively / affordably!

  • Building Resiliency

    + Resiliency = Survival / recovery
    + Secure backup (types / methods, various sites / levels)
    + Incident responses (company processes, comms with LE / FBI, etc)
    + Recovery Plan (COOP / BCP, phases of recovery, hot / mirror site, etc)

  • Data Center Loss of Operation

    Risk Description

    Preventing interruption of data processing, as well as outright loss of data associated with any level of processing disruption or outright electrical power failure, is essential to maintaining business continuity.

    Proper data backup and recovery planning, coupled with the required investment, policies, and training, can maintain the organization’s continuity of business, resulting in continued profitable operation while meeting commitments to customers/clients.


  • Data Center Loss of Operation:

    Threats / Implications

    • Loss of data associated with the failure of a data processing system or possibly an entire data center can shut an entire enterprise down.

    Similarly, without electrical power backup and recovery planning and investment, the enterprise can quickly experience loss of both critical data and vital data processing capacity, despite the facility and its data processing systems being physically intact.

    • Legal liabilities associated with a data processing system shutdown or outright electrical failure include corruption or outright loss of Intellectual Property (IP) belonging to both the target business and its clients. Additional liabilities include the delay or necessary outright cancellation of deliverables due to the inability to recover lost data and continue processing.


  • Data Center Continuity of Operations: Key Considerations For Data Backup

    1. Type of data to be backed up. Management must decide which data is mission-critical and must be able to be recovered immediately.

    2. Frequency of data backups. This will be affected by Management decisions on data loss impact (the effect on the organization of losing one hour’s or one day’s data vs. one week’s data).

    3. Amount of data to be backed up. This will depend upon the number of Users in the organization as well as their data processing activity level (i.e., number of documents or transactions generated daily). Increased data backup volume may result in increased costs.

    4. Security and Encryption. Data transferred through any unprotected medium must be encrypted.

    5. Incremental vs. Full Backup. Management must direct whether the entire data infrastructure must be completely backed up during each storage operation, or whether a “differential” backup of only new or recently changed data is sufficient.

    This concept also leads to the question of data retention. One retention issue is at what point the data storage media can be reused (overwritten with new data). Some organizations back up data for 3-12 months at a time, after which the backup media is “rotated” (reused and overwritten).
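The full-versus-differential decision and the media-rotation question above both come down to "which backup sets does a restore depend on". This added example (not from the original slides) works that out for full, differential and incremental sets and then derives which media a retention window lets you reuse; the weekly-full schedule, the dates and the 7-day retention window are constructed assumptions.

```python
"""Full vs. differential vs. incremental backups: which backup sets a
restore needs, and which media the retention window lets you reuse.
Added example, not from the original slides; the weekly-full schedule
and the retention window are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Set


@dataclass(frozen=True)
class Backup:
    day: date
    kind: str  # "full", "differential" or "incremental"


def plan_schedule(start: date, days: int, mode: str) -> List[Backup]:
    """A full backup on day 0 and every 7th day after it; `mode`
    ("differential" or "incremental") on the remaining days."""
    if mode not in ("differential", "incremental"):
        raise ValueError("mode must be 'differential' or 'incremental'")
    return [Backup(start + timedelta(days=i), "full" if i % 7 == 0 else mode)
            for i in range(days)]


def restore_chain(backups: List[Backup], target: date) -> List[Backup]:
    """Backup sets (in restore order) needed to recover the state as of
    the end of `target`.

    full:         the newest full on or before target is always needed.
    differential: holds every change since the last full, so only the
                  newest differential after that full is needed.
    incremental:  holds changes since the previous backup of any kind,
                  so every incremental after the full (or after the
                  newest differential) is needed, oldest first.
    """
    usable = sorted((b for b in backups if b.day <= target), key=lambda b: b.day)
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        raise LookupError("no full backup on or before target; cannot restore")
    base = fulls[-1]
    later = [b for b in usable if b.day > base.day]
    chain = [base]
    diffs = [b for b in later if b.kind == "differential"]
    cutoff = base.day
    if diffs:
        chain.append(diffs[-1])
        cutoff = diffs[-1].day
    chain.extend(b for b in later if b.kind == "incremental" and b.day > cutoff)
    return chain


def reusable_media(backups: List[Backup], today: date, retention_days: int) -> List[Backup]:
    """Media older than the retention window that no restore inside the
    window still depends on. Note the full backup that anchors the oldest
    retained day stays in use even though it is older than the window."""
    boundary = today - timedelta(days=retention_days)
    needed: Set[Backup] = set()
    day = boundary
    while day <= today:
        try:
            needed.update(restore_chain(backups, day))
        except LookupError:
            pass  # nothing restorable that early, so nothing to keep
        day += timedelta(days=1)
    return [b for b in sorted(backups, key=lambda b: b.day)
            if b.day < boundary and b not in needed]


def demo() -> dict:
    """Constructed walk-through: two weeks of backups from 2024-01-01,
    a restore to 2024-01-10, and a 7-day retention check on 2024-01-14."""
    start = date(2024, 1, 1)
    diff = plan_schedule(start, 14, "differential")
    incr = plan_schedule(start, 14, "incremental")
    target = date(2024, 1, 10)
    return {
        "differential_chain": [(b.day.isoformat(), b.kind) for b in restore_chain(diff, target)],
        "incremental_chain": [(b.day.isoformat(), b.kind) for b in restore_chain(incr, target)],
        "reusable": [b.day.isoformat() for b in reusable_media(diff, date(2024, 1, 14), 7)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```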

  • Data Center Continuity of Operations: Implementation For Data Backup

    1. Backup hardware. Magnetic tape backup, often in convenient cartridge form, is the most popular. Other alternatives include the use of Redundant Array of Independent Disks (RAID) arrays of continuously active hard drives, as well as disk-based backup such as DVDs.

    2. Backup software must be selected that provides fully automated (unattended) backup functionality.

    Offsite (“Cloud”) data backup:

    • Backup to an offsite location that provides 24/7 data access and recovery capability can eliminate or reduce the consequences of local natural disasters, power failures, or User error or outright sabotage.

    • Management should select an offsite backup vendor that has a successful history of providing backup and recovery to enterprises roughly similar in size to the one you wish to protect.

    • Select a “dedicated” offsite server or server array for your backup storage. Dedicated servers, though more costly than “shared” storage, will provide better performance.

    • Your offsite backup vendor should be located within the continental U.S., particularly if your enterprise is involved with U.S. Government contracts.

  • Recovery / Incident Response – Why Bother?

    • Cost recovery and damages

    • Effectively terminating a corrupt employee

    • Good cyber-citizenship and domain leadership

    • Due diligence, CYA in liability, legal process

    • Avoid ending up on a cyber-mooch list (easy pickings)

    • Support FBI, US CERT, etc. in data collection to stop hackers, nation states - build new rules / laws

    • California Civil Code section 1798.81.5

  • What do I do BEFORE being attacked?

    • Have IT staff enable computer and network logging and actually READ the logs

    • Have backups and logs stored offline – (can’t change them!)

    • Treat every cyber-incident as potentially malicious until it is determined that it is not

    • Regularly confirm compliance with policies and procedures

    • Consistently backup data and test that backup worked

    • Train end-users

    • Plan for incident response, have a written checklist

    BTW, got your identity stolen? Contact the ID Theft Resource Center: 1 (888) 400-5530 http://www.idtheftcenter.org/

  • What Will This Cost?

    • Hardware/Software

    – Image or retain hard drives from employees who leave under less than amicable circumstances or who had access to confidential data

    – Take compromised servers offline, or image them and then restore from backup

    • Invest in strong backup technology to include offline storage of important computer and network logs.

    • Invest in basic training in IT security for your IT staff or retain an IT consultant with security skills who can be available in an emergency.

    • Create acceptable computer use policies and procedures and disseminate to all employees

    • Optional: IT Security Audit; system upgrades; incident response planning.

  • Recovery Plan - Key Considerations

    • Utilize the NIST 800-34 Contingency Planning Guide to develop your plan

    • Develop the Recovery Plan in accordance with your specific system

    • Place Incident Response Plan in a readily accessible location

    • Properly secure all associated data, software and codes necessary to get back online securely

    • Train and regularly practice incident response and recovery with IT Personnel

    • Update plans and support materials regularly and when changes occur within the system

  • BCP / COOP (basic process / elements)

    1 - Impact analysis (Business Impact Analysis, BIA): business objectives, threats, scenarios, etc.

    2 - Identification of top risks and mitigating strategies

    3 - Risk Identification Matrix - Roles and Responsibilities

    4 - Solution design (key data & time frames)

    5 - Resource reallocation - e.g. skills matrix

    6 - Implementation (execution of design elements)

    7 - Testing and organization acceptance

    8 - Maintenance (of Plan, solutions & organizational recovery)

    Pre-planning for environmental failures of all kinds

  • What’s a BCP worth?

    A study by Datapro Research Company in 2004 found that 43 percent of companies hit by severe crises never reopen, and that another 29 percent fail within two years.

    According to FEMA, of all the businesses damaged by Hurricane Andrew in 1992, 80 percent of those lacking a business continuity plan (BCP) failed within two years of the storm.

    SO why do BCPs themselves fail?

    1. A one-size-fits-all solution; doesn’t accommodate legal aspects

    2. Deficiencies in the tests; e.g., sequence of BCP tasks and strategies

    3. Inadequate maintenance; changes in rules and organization not updated

    4. Lack of senior management involvement; no champion

    5. No enterprise-wide accountability and coordination

    6. Operations take a backseat to technology; people aspects also rule

    7. No clear leadership structure or management contingency plans; and

    8. Rash cost reduction campaigns that eliminate the BCP.

    Even a small risk reduction is valued at $millions, possibly betting your business on recovery!

  • Foundational Cyber Defense

    + Access control (PW, CAC, enforce least privilege, separate / rotate duties, etc.)

    + Layered Defense - IA/CND strategy – WHAT capabilities are needed

    + Security Policy (privacy, social media, PII, etc.) - enforcement aspects too

    + Monitoring / Know your baseline – SCM / SIEM

    + Tools – selection and integration

    + Business Risk Management / Assessment (RMF / COBIT) / requirements analysis with an AoA

  • Access Control: Foundation for granting legitimate identification and authentication

    • Focus on access control models, methodology and techniques

    • Introduce basic cryptology concepts through password development

    Key Considerations

    – Identification and Authentication Methods

    • Passwords, Tokens, Biometrics, and BYOD

    • Password Management

    – Access Control Models

    • Discretionary Access Control – originator based

    • Mandatory Access Control – clearance based

    • Role-based Access Control – function based

    – Access Control Methods

    • Administrative – password controls

    • Physical – work areas restrict user access to network

    • Technical – software controls that restrict access

    – Separation of Duties

  • The Ingredients of an Attack

    Motive + Means + Opportunity = ATTACK!

    (Diagram: threat sources – Non-Malicious Threats, Malicious Threats (with their Motives and Goals) and Natural Disasters – each with their Methods and Tools, acting on Vulnerabilities in Assets through the Security Controls and Policies.)

    Good security controls can stop certain attacks. Poor security policies could let an attack through. NO security policies or controls could be disastrous.

  • Layered Defense

    (Diagram: defenses at each layer – Physical, Data Link, Network, Transport, Session, Presentation, Application – feeding Event Detect/Correlation and Event Response.)

  • Layered Defense

    Protection Rings (diagram): Ring 0 – kernel (operating system); Ring 1 – operating system; Ring 2 – file system drivers; Ring 3 – e-mail client. Enforcement of least privilege.

    Trusted Computing Base (TCB): all the protection mechanisms inside the computer, including hardware, firmware and software, the combination of which is responsible for enforcing a security policy.

  • Security Policy

    Is it a Policy, a Standard or a Guideline?

    What's in a name? We frequently hear people use the names "policy", "standard", and "guideline".

    A policy is typically a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area. For example, an "Acceptable Use" policy would cover the rules and regulations for appropriate use of the computing facilities.

    A standard is typically a collection of system-specific or procedural-specific requirements that must be met by everyone. For example, you might have a standard that describes how to harden a Windows NT workstation for placement on an external (DMZ) network. People must follow this standard exactly if they wish to install a Windows NT workstation on an external network segment.

    A guideline is typically a collection of system-specific or procedural-specific "suggestions" for best practice. They are not requirements to be met, but are strongly recommended. Effective security policies make frequent references to standards and guidelines that exist within an organization.

    NIST SP 800-14, Generally Accepted Principles and Practices
    http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf

    SANS - LOTs of great templates!!!
    http://www.sans.org/security-resources/policies/

  • Basics of a Security Policy

    http://www.giac.org/paper/gsec/1863/basics-security-policy/103278
    http://www.nchica.org/hipaaresources/Security/GeneralPolicy.doc

    Scope

    Risk Management

    Information Security Definitions

    Information Security Responsibilities

    Information Classification

    Computer And Information Control

    Password Control Standards

    Social Media, Etc…

  • Continuous Monitoring Overview

    • Continuous Monitoring Trends

    – RMF Step 6 – Monitor Security Controls

    – Redefining Risk Management

    – DHS CM Reporting Metrics

    – Cyberscope

    • CM Guidelines, SP 800-137

    – ISCM Fundamentals

    – Organization-wide Approach

    – Elements of Organization-wide CM Program

    – Continuous Monitoring Process

    • Automation

    – Automation Domains

    – SCAP & OCIL

    – Continuous Asset Evaluation, Situational Awareness and Risk Scoring (CEASARS)

    • CM Implementation

  • SCM - Risk Management Redefined (diagram: OODA Loop)

  • ISCM Criteria

    Risk Management Strategy: 1. How the organization plans to assess, respond to, and monitor risk. 2. Oversight required to ensure effectiveness of RM strategy.

    Program Management: 1. Defined by how business processes are prioritized. 2. Types of information needed to successfully execute those business processes.

    Monitoring System Level Controls and Security Status Reporting: 1. Security Alerts. 2. Security Incidents. 3. Identified Threat Activities.

  • Security Continuous Monitoring (SCM)

    - What is SCM anyway? SCM is ongoing observance with intent to provide warning. A SCM capability is the ongoing observance and analysis of the operational states of systems to provide decision support regarding situational awareness and deviations from expectations.

    SCM is a risk management approach to Cybersecurity that maintains a picture of an organization’s security posture, provides visibility into assets, leverages use of automated data feeds, monitors effectiveness of security controls, and enables prioritization of remedies.
    http://scap.nist.gov/events/2011/cm_workshop/presentations/pdf/DULANY%20-%20CM%20Brief16%20Mar.pdf

    An Enterprise SCM technical reference model (based on the Continuous Asset Evaluation, Situational Awareness and Risk Scoring Reference Architecture Report):
    http://csrc.nist.gov/publications/drafts/nistir-7756/Draft-NISTIR-7756_second-public-draft.pdf

    SCM is a cyber / risk management tool and provides added due diligence, stopping short of “get out of jail free” – it keeps you from being the low hanging fruit!

    - What good is it? MANY “ROI” benefits: real-time awareness of security posture, cyber benchmarking, complements audit / compliance efforts, improves cyber performance, and reduces risk exposure – simplifies risk management overall. Third party IV&V monitors of “hygiene” AND potential new threats!
    http://raw.rutgers.edu/docs/wcars/23wcars/presentations/Mike%20Cangemi-The_Benefits_of_Continuous_Monitoring_edited_final_8-11[1].pdf

    - WHO does this now, where do I go for help? DISA and DHS have efforts in play already (DHS is funding continuous monitoring as a service (CMaaS)). The State Department DID early SCM several years ago and reduced C&A costs over 90%.
    http://www.disa.mil/scm
    http://www.gao.gov/new.items/d11149.pdf
    http://www.nextgov.com/cybersecurity/2013/01/dhs-pick-6-billion-tab-cyber-surveillance-systems-every-department/60445/

    - SCM is mandated for government entities (FISMA / DOD CIO / DHS / others)

  • TOOLS - Unmonitored Environment: Threats / Implications

    Unmonitored data processing systems increase the risk of tampering or outright loss of confidential data during cyber attacks. Severe legal liabilities may result from loss of Intellectual Property (IP) belonging to both the target business and its clients, leakage of competitive marketing and other strategic data, compromise of financial and sensitive personal information (including medical data), and resultant damages from loss of business.

    Should a cyber security breach occur that results in loss or theft of customer data, additional threats may emerge from potential negligence lawsuits once legal discovery determines that the data processing systems involved were not being monitored.

  • How to pick tools

    • Read reviews

    • Identify assets and data that you want to protect before picking tools

    – NISTIR 7621 Worksheets can help you

    • Consider a combination of free and pay

    • Consider Software as a Service (SAAS) tools

    • Establish budget for purchase, installation and monitoring

    • Consider an all-in-one solution or managed security services provider

    – Caveat: single point of failure

    • Consider initial cost, set up time and maintenance costs

  • Selecting SMB Security Tools

    • Selecting the right security tools and finding those tools at a reasonable price is difficult for SMBs.

    • SMBs should look for tools that:

    – Prevent loss of data to remove potential legal liability

    – Prevent loss of “work hours” removing malware

    – Are free with support or low cost

    – Are easy to set up and monitor

    • Take the time to properly set up and monitor the tools you choose

  • Cyber Security Environment “Tools” Implementation

    “BEST OF BREED” RECOMMENDATION FOR CYBER SECURITY TOOL: SPLUNK

    Website: http://www.splunk.com

    Synopsis: Splunk inputs security-related data in a number of formats. It then processes the data and converts it into usable reports and displays. Metaphorically speaking, Splunk monitors with its “sonar” the entire system “ocean” that your corporate “ship” is navigating, instead of only casting a few “hooks overboard” to trap a specified series of malware threats. Splunk is used to monitor “insider” behavior anomalies, as well as threats exterior to the User network.

    Splunk Whitepaper: Make Machine Data a Strategic Asset
    http://www.splunk.com/web_assets/pdfs/secure/Splunk_Executive_Brief.pdf

    Splunk derives operational intelligence in diverse environments utilizing a large suite of approximately 540 add-ons/apps (https://apps.splunk.com/apps).

  • Cyber Security Environment “Tools” Implementation

    EXAMPLE PLUGIN FOR CYBER SECURITY TOOL SPLUNK - WINDOWS “EVENT CODES LOOKUP”

    Website: http://apps.splunk.com/app/411/

    Synopsis: This Splunk add-on provides a custom lookup to provide a human readable description of each EventCode encountered in the Windows Security Event Logs of Windows 2000, XP, 2003, Vista, 2008, and 7. In addition it adds two custom workflows to allow you to quickly lookup all Windows EventCodes on EventID.net and Google.com.

    This will facilitate analysis of security-related and other system events on a selected host machine.

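The add-on above turns raw EventCodes into descriptions so an operator can actually read the Security log. This added example (not from the original slides, and not Splunk's or the add-on's code) does the same lookup for a handful of codes and then runs the "read the logs" pass the deck asks for: a count by code, a list of notable events, and the source addresses with repeated failed logons. The key=value line format, the sample events and the addresses are constructed.

```python
"""A minimal EventCode lookup and a 'read the logs' pass over Windows
Security events, in the spirit of the Splunk add-on described above.
Added example, not from the original slides or from Splunk; the
key=value line format and the events themselves are constructed."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Human-readable descriptions for a handful of Windows Security EventCodes
# (the add-on covers all of them; this table is deliberately small).
EVENT_CODES: Dict[int, str] = {
    1102: "The audit log was cleared",
    4624: "An account was successfully logged on",
    4625: "An account failed to log on",
    4720: "A user account was created",
    4732: "A member was added to a security-enabled local group",
    4740: "A user account was locked out",
}

# Codes an SMB operator should look at individually, not just count.
NOTABLE_CODES = {1102, 4720, 4732, 4740}

# Constructed sample log (not real data): one event per line, key=value fields.
SAMPLE_LOG = """\
EventCode=4624 Account_Name=alice Source_Network_Address=10.0.0.5
EventCode=4625 Account_Name=admin Source_Network_Address=203.0.113.9
EventCode=4625 Account_Name=administrator Source_Network_Address=203.0.113.9
EventCode=4625 Account_Name=root Source_Network_Address=203.0.113.9
EventCode=4625 Account_Name=guest Source_Network_Address=203.0.113.9
EventCode=4625 Account_Name=bob Source_Network_Address=10.0.0.7
EventCode=4720 Account_Name=svc_backup Source_Network_Address=-
EventCode=1102 Account_Name=bob Source_Network_Address=-
EventCode=9999 Account_Name=alice Source_Network_Address=10.0.0.5
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text: str) -> List[Dict[str, str]]:
    """Turn each non-empty line into a dict of its key=value fields."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]


def describe(code: int) -> str:
    """Lookup with a safe fallback for codes the table does not know."""
    return EVENT_CODES.get(code, f"Unknown EventCode {code}")


def summarize(events: List[Dict[str, str]]) -> List[Tuple[int, str, int]]:
    """(code, description, count) rows, most frequent first."""
    counts = Counter(int(e["EventCode"]) for e in events)
    return [(code, describe(code), n) for code, n in counts.most_common()]


def failed_logon_sources(events: List[Dict[str, str]], threshold: int) -> Dict[str, int]:
    """Source addresses with at least `threshold` failed logons (4625).
    Repeated failures against different account names from one address
    is the pattern worth a closer look; a single user typo is not."""
    counts = Counter(e["Source_Network_Address"] for e in events
                     if e["EventCode"] == "4625")
    return {src: n for src, n in counts.items() if n >= threshold}


def notable_events(events: List[Dict[str, str]]) -> List[str]:
    """One line per event whose code is in NOTABLE_CODES."""
    return [f'{e["EventCode"]} {describe(int(e["EventCode"]))} ({e["Account_Name"]})'
            for e in events if int(e["EventCode"]) in NOTABLE_CODES]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for row in summarize(evs):
        print(row)
    print("failed logons by source:", failed_logon_sources(evs, 3))
    print("\n".join(notable_events(evs)))
```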

  • Not all Security Tools Are Equal!

    Do the research on products – a FREE one may not be a good deal!

    MALWARE / Anti-Virus products need to improve – some more dramatically than others.

    Tested products slipped performance by 6% on average from 2009 to 2010. Thus the notion that “you’re fine as long as you keep your AV updated” is completely false. Note that in most cases we found considerable differences between a vendor’s corporate product and their consumer version. It is not safe to assume the results are identical.
    http://www.nsslabs.com/research/endpoint-security/anti-malware/

    - Malware protection is far from commodity, with effectiveness ranging between 54% and 90%, a 36% spread.

    - Cybercriminals have between a 10% - 45% chance of getting past your AV with Web Malware (depending on the product).

    - Cybercriminals have between 25% - 97% chance of compromising your machine using exploits (depending on the product).

    - Expect use of exploits to increase since it is far more effective than traditional malware

    Browsers are not equal either… turns out MS IE 11 is much better than most… (99+%)
    https://www.nsslabs.com/system/files/public-report/files/Browser%20Security%20Comparative%20Analysis%20-%20Socially%20Engineered%20Malware.pdf

  • Risk Management

    Enterprise Risk Management (ERM) is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives, whether positive or negative) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities. Risks can come from uncertainty in financial markets, threats from project failures (at any phase in design, development, production, or sustainment life-cycles), legal liabilities, credit risk, accidents, natural causes and disasters as well as deliberate attack from an adversary, or events of uncertain or unpredictable root-cause.

    The risk equation, formula is: Risk = (Vulnerability x Threat x Impact) / Probability

    - Vulnerability = An error or a weakness in the design, implementation, or operation of a system.

    - Threat = An adversary that is motivated to exploit a system vulnerability and is capable of doing so

    - Impact = the likelihood that a vulnerability will be exploited or that a threat may become harmful.

    - Probability = likelihood already factored into impact.

    There are also many types of risk to consider, accommodate:

    - Strategic – Goals of the Organization

    - Operational – Processes that Achieve Goals

    - Financial – Safeguarding Assets

    - Compliance – Laws and Regulations

    - Reputational – Public Image

  • Many ERM frameworks

    COSO Integrated Control Framework; Australia/New Zealand Standard (AS/NZS 4360:2004); ISO Risk Management 31000 / 27005; Risk Management Framework for Critical Infrastructure Protection; CRAMM (CCTA Risk Analysis and Management Method); Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE); COBIT 5 / Risk IT (by ISACA) and EBIOS (French: Expression des besoins et identification des objectifs de sécurité)

    Even as RMF & COBIT / Risk IT are popular choices – there are MORE

  • The NIST RMF ERM process has the following activities related to managing organizational risk.

  • ISACA’s “Risk IT” is also an excellent reference / source

    National/Industry Guidance

    NIST 800-30 - Guide for Conducting Risk Assessments
    http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf

    NIST 800-37 - Applying the Risk Management Framework to Federal Information Systems
    http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf

    NIST 800-39 - Managing Enterprise Risk: An Integrated System Life Cycle Approach
    http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf

  • The Integrated ERM Approach + Small / Medium Business (SMB) - THE ANSWER +

    (Diagram: Risk Management Plan (RMP) elements)

    Company Vision (business success factors)

    C&A / V&V (effective / automated)

    Security Policy (mobile, social media, etc.)

    Education / Training (targeted, JIT, needs based)

    Known Baseline (security architecture)

    CMMI / Sustainment (SOPs / processes)

    MSS / vCISO (3rd party IV&V support)

    Data Centric Security (DLP, reputation based methods)

    Insider Threat

    Company Intel (open source, FB, etc.)

    SCM / SIEM (monitor / track / mitigate)

    Cyber insurance (broker & legal counsel)

    Privacy by Design (manage PII, HIPAA, compliance)

    Enterprise Risk Management (ERM) Plan (RMP) model (RMF / COBIT & Risk IT) AND IAW the NIST Cybersecurity Framework (CAR / ESA)

  • Cyber Operations & Maintenance

    Cyber Maintenance - security Hygiene / CM / SOPs

    + Manage Policy - social media - content & settings… restrict sharing / privileges = proactive monitoring

    + Maintain Cyber Security Suite – patches, upgrades, etc… control system settings… & dashboard!

    + Standard operating procedures (SOPs)… USE / enforce them

    + Security training / education awareness – ALL levels – reinforce / incentivize – pos & neg

  • Operations and Maintenance Support

    • Auditing

    – Present basic IDS/IPS and Monitoring Software techniques for event trend analysis

    • Policies and Guidance

    – Provide key considerations and templates for policy development

    – Show how to establish basis for constraining workforce behaviors

    – Set the guidelines for which IT Staff will operate together

    • Training

    – Provide educational basis for workforce diligence and vigilance

    – Ensures IT Staff perform congruently to assure security

  • Applied Cyber – IA/CND/Security

    The IA/CND/cyber suite is generally made of both “IA” and “IA enabled” components (many will have multiple instantiations):

    The “IA” products are: firewall (FW), Anti-virus (A/V) (both host and client), intrusion detection system (IDS) (and some have active / protection measures, thus an IPS), crypto & key management, and virtual private network (VPN) devices.

    The “IA enabled” products: operating systems (OS), database management systems (DMS), network management systems (NMS) and web browsers are addressed under the “network” module. We also include mobile, wireless, data security, software and applications as well.

  • Network Security

    NSA’s Manageable Network Plan

    Milestone 1: Prepare to Document

    Milestone 2: Map Your Network

    Milestone 3: Protect Your Network (Network Architecture)

    Milestone 4: Reach Your Network (Device Accessibility)

    Milestone 5: Control Your Network (User Access)

    Milestone 6: Manage Your Network, Part I (Patch Management)

    Milestone 7: Manage Your Network, Part II (Baseline Management)

    Milestone 8: Document Your Network

    The NSA’s Manageable Network Plan is a series of milestones to take an unmanageable and insecure network and make it manageable, more defensible, and more secure.

    The Plan is consistent with the Consensus Audit Guidelines (CAG) (http://www.sans.org/cag) and will enable you to more easily implement any regulatory requirements you may have.

    Do first

  • Network Mgmt Plan – Milestone 1: Prepare to Document

    How / where is your IT & IA suite documented? Does it contain diagrams and use a blog/BB? Do you have a configuration management (CM) process?

    Use a blog or bulletin board to notify admins of changes, and a wiki to document information. Make sure your documentation approach is easy to use. Automate updates - consider using RSS feeds to keep other admins apprised of the changes… (metric - can management and users easily read your documentation?)

    Sufficient level of detail – does your documentation support rollback of an unwanted change to a device, or rebuilding a device that had a catastrophic failure? Ensure that everything has a timestamp, so you know when it was last valid.

    Backup your documentation repository on a regular basis… daily using differential, weekly full baseline. Ensure the files are scanned and kept off-line; key operational files should be read-only and not available on the corporate network.

    Encrypt everything of value / importance. Ensures confidentiality and integrity.

    Have hard copies of the key start-up information and sequence, and emergency procedures.

  • Network Mgmt Plan – Milestone 2: Map Your Network

    In order to have any sort of control over your network, you first need to know where everything is.

    Create an accurate map of your current network (network topology) and store it in a way that is secure, but yet still allows easy updates as network changes occur…. Include any devices connected by wireless, and connections to any clouds, external networks, and the Internet…

    How do you map / assess ALL devices on the network? Consider the network security scanner “Nmap” or arpwatch or ??? (or require users to register their devices (NetReg))… Also do a physical inventory! (ALL devices (computers, printers, routers, gateways, etc.) on your network, including host name, role, MAC address, service tag, physical location, and OS/firmware.)

    Develop a list of all protocols running (PPSM)… consider Wireshark, tcpdump, and/or WinDump.

    Must have a CM / change management process in place too… strongly suggest tuning your security continuous monitoring (SCM) capability to your specific key IA/CND device settings and allowed protocols and services.

    Don’t forget the physical routes, as most VLAN connection paths are needed for troubleshooting and planning maintenance. Every asset needs to have a specific POC for ownership.

    Implement an IT / IA inventory that manages the full life-cycle of all tracked entities.
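The map is only useful if what is seen on the wire is reconciled against the registered inventory. This added example (not from the original slides or from NSA's plan) does that reconciliation: devices on the network that nobody registered, registered devices that have gone missing, one IP answered by two MACs, and a registered device showing up on two IPs, each routed to the asset's named owner. The inventory and the sightings are constructed; the (ip, mac) columns imitate what arpwatch or an nmap scan gives you after a little parsing.

```python
"""Reconcile what is actually seen on the wire with the registered device
inventory Milestone 2 asks for. Added example, not from the original
slides or from NSA's plan; the observations and inventory are constructed."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Device(NamedTuple):
    host: str
    role: str
    location: str
    owner: str  # the POC for ownership the slide requires


class Sighting(NamedTuple):
    ip: str
    mac: str


# Constructed registered inventory, keyed by MAC (the stable identifier).
INVENTORY: Dict[str, Device] = {
    "00:11:22:33:44:01": Device("fileserver1", "server", "rack A1", "it-ops"),
    "00:11:22:33:44:02": Device("printer-2f", "printer", "2nd floor", "facilities"),
    "00:11:22:33:44:03": Device("gw-core", "router", "rack A1", "it-ops"),
    "00:11:22:33:44:04": Device("laptop-ceo", "laptop", "mobile", "exec"),
}

# Constructed observations from a scan / arpwatch pass (ip, mac).
OBSERVED: List[Sighting] = [
    Sighting("10.0.0.10", "00:11:22:33:44:01"),
    Sighting("10.0.0.20", "00:11:22:33:44:02"),
    Sighting("10.0.0.1", "00:11:22:33:44:03"),
    Sighting("10.0.0.55", "aa:bb:cc:dd:ee:01"),  # never registered
    Sighting("10.0.0.1", "aa:bb:cc:dd:ee:02"),   # second MAC claiming the gateway's IP
    Sighting("10.0.0.77", "00:11:22:33:44:01"),  # fileserver seen on a second IP
]


def reconcile(observed: List[Sighting], inventory: Dict[str, Device]) -> Dict[str, list]:
    """Compare sightings against the inventory and return four lists:
    unregistered  MACs on the wire with no inventory record (undocumented or rogue)
    missing       registered devices not seen at all (off, moved, or stolen)
    ip_conflicts  IPs answered by more than one MAC (misconfiguration or spoofing)
    multi_ip      registered MACs seen on more than one IP (re-addressed, or a
                  second interface nobody documented)
    """
    seen_macs: Set[str] = set()
    macs_per_ip: Dict[str, Set[str]] = defaultdict(set)
    ips_per_mac: Dict[str, Set[str]] = defaultdict(set)
    for s in observed:
        seen_macs.add(s.mac)
        macs_per_ip[s.ip].add(s.mac)
        ips_per_mac[s.mac].add(s.ip)
    return {
        "unregistered": sorted(m for m in seen_macs if m not in inventory),
        "missing": sorted(inventory[m].host for m in inventory if m not in seen_macs),
        "ip_conflicts": sorted((ip, sorted(macs)) for ip, macs in macs_per_ip.items()
                               if len(macs) > 1),
        "multi_ip": sorted((inventory[m].host, sorted(ips)) for m, ips in ips_per_mac.items()
                           if m in inventory and len(ips) > 1),
    }


def owners_to_notify(report: Dict[str, list], inventory: Dict[str, Device]) -> Set[str]:
    """POCs who own a device that is missing or multi-homed: every asset on
    the map has a named owner, so findings go to a person, not to a list."""
    hosts = set(report["missing"]) | {host for host, _ in report["multi_ip"]}
    return {d.owner for d in inventory.values() if d.host in hosts}


if __name__ == "__main__":
    rep = reconcile(OBSERVED, INVENTORY)
    for key, value in rep.items():
        print(f"{key:13s} {value}")
    print("notify:", sorted(owners_to_notify(rep, INVENTORY)))
```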

  • Network Mgmt Plan – Milestone 3: Protect Your Network (Network Architecture)

    A sound network architecture protects your high-value assets by limiting access to them, provides important functionality consistent with your business model, and ensures business continuity in the event of a disaster. Your network should be designed to keep any damage to it contained.

    Identify all your current network enclaves (and VLANs, VMs), which users on your network have access to what types of information, and identify all high-value assets and then all choke points.

    Ensure the network sections can be separated and isolated and there is strict access control throughout the network (enforce least privilege – need to know). Microsoft AD (using profiles) and router ACLs are but a few methods.

    Ensure the “trust boundaries” are well laid out and strictly controlled… and LIMIT THEM… At a minimum, there should be trust boundaries between your internal network, the extended enterprise and the internet (e.g., putting all your publicly-accessible assets into DMZs (demilitarized zones)).

    Place key security capabilities at the network choke points and limit internet access points to the network. Place security gateways, proxies, or firewalls at your network choke points so that traffic over them can be monitored and controlled. Ensure you secure the virtual machines / processes as well (follow NIST Special Publication 800-125, Guide to Security for Full Virtualization Technologies).

    For guidance on migrating legacy systems, see “DoD Legacy System Migration Guidelines” at www.sei.cmu.edu/library/abstracts/reports/99tn013.cfm.

  • Network Mgmt PlanMilestone 4: Reach Your Network (Device Accessibility)

    78

    Make sure EVERY device (all computers, printers, routers, gateways, etc) on your network can be

    properly and easily accessed (either remotely or physically) and administered in a secure manner

    : For Windows machines, implement Active Directory.

    : Windows Group Policy is a powerful way to securely configure and administer the

    machines in a Windows network domain.

    : To configure and administer non-Windows machines on your network, consider using

    Puppet. For more information on Puppet, see www.puppetlabs.com.

    :For any devices that cannot be accessed on a regular basis, such as laptops and other mobile

    devices, develop a plan to administer them. Consider using a network access control solution .

    No insecure administration protocols. Do not use insecure, clear-text protocols (telnet, rsh, ftp, tftp,

    etc.) to administer devices. Use SSH instead of telnet or rsh. Use SCP or SFTP instead of ftp. If using

    SNMP, use SNMPv3 and its security features (versions 1 and 2 are insecure).

    No unacceptable security dependencies. A critical device should never be administered from a less

    critical device.

    Remote administration. Are your admins able to administer your network from home or from outside

    your network? If so, make sure that that connection is extremely secure.

    Physical security. Not just anyone should be able to walk up and access your network devices in an

    administrative mode.
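    As an added example (not from the slides), the protocol rule above turned into a log check: it reads constructed firewall-style connection records in an assumed, simplified format and flags telnet, rsh, ftp, tftp and any SNMP below version 3 heading for managed devices. The record format, addresses and the port-to-protocol mapping are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Clear-text administration protocols the slide rules out, keyed by their
# well-known port, with the replacement the slide recommends.
INSECURE_ADMIN_PORTS = {
    23: ("telnet", "use SSH instead"),
    514: ("rsh", "use SSH instead"),
    21: ("ftp", "use SCP or SFTP instead"),
    69: ("tftp", "use SCP or SFTP instead"),
}
SNMP_PORT = 161

# Assumed, simplified firewall-style record (constructed for this example):
#   <timestamp> <src_ip> -> <dst_ip>:<dst_port>/<tcp|udp> [snmp_version=<n>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+)/(?P<proto>tcp|udp)"
    r"(?: snmp_version=(?P<snmpver>\d))?$"
)


@dataclass
class Finding:
    timestamp: str
    src: str
    dst: str
    issue: str
    fix: str


def check_line(line):
    """Return a Finding if the record is insecure admin traffic, else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None  # records in another format are ignored by this example
    port = int(m["port"])
    if port in INSECURE_ADMIN_PORTS:
        name, fix = INSECURE_ADMIN_PORTS[port]
        return Finding(m["ts"], m["src"], m["dst"], f"clear-text {name} on port {port}", fix)
    if port == SNMP_PORT and m["proto"] == "udp":
        ver = m["snmpver"]
        # A missing version is treated as not v3: only v3 authenticates and encrypts.
        if ver is None or int(ver) < 3:
            label = f"SNMPv{ver}" if ver else "SNMP (version unknown)"
            return Finding(m["ts"], m["src"], m["dst"], f"{label} management traffic",
                           "use SNMPv3 with authentication and privacy enabled")
    return None


def audit(lines):
    """Run check_line over every record and keep only the findings, in log order."""
    return [f for f in (check_line(line) for line in lines) if f is not None]


# Constructed sample log: admin hosts reaching a switch (10.0.1.x) and a file server.
SAMPLE_LOG = [
    "2024-01-05T09:00:01 10.0.5.10 -> 10.0.1.1:22/tcp",                # SSH: fine
    "2024-01-05T09:00:07 10.0.5.10 -> 10.0.1.1:23/tcp",                # telnet
    "2024-01-05T09:01:12 10.0.5.11 -> 10.0.2.20:21/tcp",               # ftp
    "2024-01-05T09:01:40 10.0.5.11 -> 10.0.2.20:22/tcp",               # SFTP over SSH: fine
    "2024-01-05T09:02:03 10.0.5.12 -> 10.0.1.1:161/udp snmp_version=2",  # SNMPv2c
    "2024-01-05T09:02:05 10.0.5.12 -> 10.0.1.2:161/udp snmp_version=3",  # SNMPv3: fine
    "2024-01-05T09:03:30 10.0.5.12 -> 10.0.1.1:69/udp",                # tftp
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.timestamp} {f.src} -> {f.dst}: {f.issue}; {f.fix}")
```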

  • Network Mgmt Plan, Milestone 5: Control Your Network (User Access)

    79

    Establish non-privileged user accounts for all normal users: normal users should

    never have administrative privileges.

    – Not everyone will be able to be a normal user, but limit the number of users with

    administrative privileges to an absolute minimum.

    – If a user only requires privileged access to certain directories or applications, use Windows

    Group Policy to grant that access instead of giving the user local admin privilege.

    – Consider using Windows Delegation to give some domain admin privileges to those users that

    require it, without giving them full access. For operating systems other than Windows, use sudo

    or Role-Based Access Control (RBAC).

    No Internet or e-mail from privileged accounts. Letting users with local admin, root, or other

    elevated privileges surf the Internet or read e-mail is a VERY serious security risk.

    Segregate admin roles. Administrative accounts at any level should only be used to administer

    computers at that level.

    Users installing software. Users with non-privileged accounts will not be able to install software.

    Effective and enforced security policy. Employees may need to be reminded that they are not entitled

    to have unfiltered Internet access or to install whatever software they want.

    Expiration dates on accounts. Consider setting expiration dates (quarterly or yearly), and disable

    accounts the day people leave.

    Anyone with full administrative privileges on your network will have access to all its data. Are those individuals

    properly vetted in your hiring process? Are they periodically reinvestigated?

  • Network Mgmt Plan, Milestone 6: Manage Your Network, Part I (Patch Management)

    80

    Establish a patch management process for ALL the operating system and application software on all the

    workstations, servers, and network infrastructure devices (e.g., routers, firewalls, etc.).

    – Prioritize your patch management. All of your systems should be patched regularly, but those

    systems and applications that handle data from untrusted sources (such as the Internet) must be patched

    more often. In addition, critical patches must be applied whenever they are released.

    – Patching your laptops and other mobile devices may be difficult, because they may not be

    regularly connected to your network. The plan to administer these devices (developed in Milestone 4)

    should include regular patching. Alternatively, consider using a network access control solution, to

    – As much as possible, patching should be automatic. Remember that a reboot may be

    required for a patch to be properly applied. Be careful patching your servers, however, so they don't

    all reboot at once and affect your network availability.

    – For the Windows operating system and Microsoft applications, use Windows Server

    Update Services (WSUS) or an automated commercial solution.

    Review after patching your systems, to verify that the patches were applied correctly. As

    a sanity check, use different tools than those used for pushing out the patches.

    “USE” NIST Special Publication 800-40: Creating a Patch and Vulnerability Management Program.

    – Non-Microsoft updates. How will you update and patch non-Microsoft applications, such as Adobe

    Acrobat? What about device drivers and Web browser plug-ins? Again, use WSUS.

  • Network Mgmt Plan, Milestone 7: Manage Your Network, Part II (Baseline Management)

    81

    Create an approved application list for each class of device on your network

    (client workstations, servers, etc.). For each application, specify its name and

    specific version, the reason it was approved, and the network ports and protocols it uses (if applicable).

    – Establish the criteria and process for getting an application on the approved list.

    – The reason for having an application on the approved list should never be just “Because

    so-and-so wants it.” The application should always be justified by a business case, like “We need

    Adobe Flash on our Internet-conn websites use it.”

    – Before an application is added to the approved list, it should be researched for any

    security issues. Consider how much minimum of vulnerabilities. In addition, consider whether the

    application conflicts with any of your existing security policies, and how easily it can be updated.

    – Before an application is added to the approved list, it should be tested to make sure it

    works with the other applications in the baseline and that it won't interfere with your network.

    Consider setting up a small, isolated subnet for this testing.

    – Once an application is added to the approved list, your patch management process from

    Milestone 6 will need to be updated appropriately.

    – Implement restrictions so that only those applications that have been approved are

    allowed to execute on your network. Consider using application whitelisting.

    Create device (workstation, server, router, etc.) baselines.
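    An added example, not the deck's own tooling, of the approved list from this slide as a data structure and the baseline check built on it: each entry carries the name, specific version, reason and ports the slide calls for, and audit_device reports anything installed that is unapproved, at the wrong version, or missing from the device. Application names, versions, ports and the inventory are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ApprovedApp:
    """One row of the approved list: the four fields the slide asks for."""
    name: str
    version: str      # the specific approved version, not "latest"
    reason: str       # the business case, never "because so-and-so wants it"
    ports: frozenset  # network ports/protocols it uses, e.g. {"443/tcp"}; empty if none


# Constructed approved lists, one per device class (names, versions and ports are made up).
BASELINES = {
    "workstation": {
        "ssh-client": ApprovedApp("ssh-client", "9.6",
                                  "remote administration of servers (Milestone 4)", frozenset({"22/tcp"})),
        "web-browser": ApprovedApp("web-browser", "120.0",
                                   "access to the intranet portal and vendor sites", frozenset({"80/tcp", "443/tcp"})),
        "pdf-reader": ApprovedApp("pdf-reader", "10.2", "reading contracts from legal", frozenset()),
    },
    "server": {
        "web-server": ApprovedApp("web-server", "2.4", "hosts the public web site", frozenset({"443/tcp"})),
        "ssh-server": ApprovedApp("ssh-server", "9.6", "remote administration (Milestone 4)", frozenset({"22/tcp"})),
    },
}


def audit_device(device_class, installed, baselines=BASELINES):
    """Compare what is installed on a device (name -> version) with its class baseline.

    Returns a list of (app_name, issue) tuples; an empty list means the device
    matches its baseline exactly.
    """
    baseline = baselines[device_class]
    issues = []
    for name, version in sorted(installed.items()):
        approved = baseline.get(name)
        if approved is None:
            # Not on the list at all: this is what application whitelisting should block.
            issues.append((name, "not approved; block execution and find out how it got there"))
        elif version != approved.version:
            # On the list but at another version: a Milestone 6 patch-management problem.
            issues.append((name, f"version {version} installed, {approved.version} approved"))
    for name in sorted(set(baseline) - set(installed)):
        # Approved software that is absent is also drift from the approved image.
        issues.append((name, "approved but missing from device"))
    return issues


def expected_ports(device_class, baselines=BASELINES):
    """Ports the approved applications legitimately use; traffic from this device
    class on any other port is worth a look in the firewall logs."""
    ports = set()
    for app in baselines[device_class].values():
        ports |= app.ports
    return ports


if __name__ == "__main__":
    seen = {"ssh-client": "9.6", "web-browser": "118.2", "p2p-share": "2.1"}  # constructed inventory
    for name, issue in audit_device("workstation", seen):
        print(f"{name}: {issue}")
    print("expected workstation ports:", sorted(expected_ports("workstation")))
```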

  • Network Mgmt Plan, Milestone 7: Manage Your Network, Part II (Baseline Management)

    82

    Securing Web browsers. Properly securing the Web browsers in your workstation baselines

    is extremely important. For suggestions on securing Web browsers, see

    www.us-cert.gov/reading_room/securing_browser

    Use the Microsoft Baseline Security Analyzer (MBSA).

    The Center for Internet Security (http://cisecurity.org) provides benchmarks and tools for

    checking that your operating systems, applications, and devices (including Windows, Linux,

    Solaris, Apple, Oracle, Cisco, etc.) are configured securely.

    Backing up offline. With the same password problems.

    Hardware configurations. Do the baselines for your devices also include their hardware

    configurations?

    Some things to consider in this area might be disabling wireless cards, setting the boot order in the

    BIOS to hard drive only, and creating BIOS passwords. In addition, make sure that your systems

    support signed BIOS updates.

    Reimaging devices. Consider reimaging your devices on a regular basis (for example, every 6 months).

    Consider setting your workstations to automatically reboot on a regular basis (for

    example, every night) to keep any small problems from accumulating and clear up any memory issues.


  • Network Mgmt PlanMilestone 8: Document Your Network

    83

    Document full procedures to rebuild servers and other important devices on the network, in case of

    catastrophic failure.

    Document all administrative processes and procedures used on your network. Obviously, an exhaustive

    list of what to document cannot be provided because each network will be different. However, for ANY

    network, four very important procedures to document are:

    – How to add a new user

    – How (and when) to remove a user

    – How to add a new system

    – How to remove a system

    Completeness. Consider the following scenario to determine if your documentation is complete and

    up-to-date: Suppose one of your most knowledgeable admins cannot be contacted for an extended period of

    time. Will your network grind to a halt? Will it explode in chaos? What does that admin know that is not

    written down?

    Hard copy. Keep hard copies of your processes and procedures on hand, in case of emergencies. Keep

    duplicate copies at your continuity of operations site, in case of more serious emergencies.

    Always followed. The documented procedures should always be followed. Are they? Are new network

    admins required to become familiar with and use this documentation?

    All documentation must be reviewed periodically (for example, annually) and updated as necessary.

    Consider occasionally hiring a technical writer to gather, clarify, and maintain your documentation.

  • Router and Firewall Security Configuration

    84

    • Enable Intrusion Detection System (IDS). This will detect known high-risk

    attempted intrusions.

    • Log data packets “trying” to go to ports you have closed.

    • Enable “Boot Time Protection”. This will prevent attacks on your PC

    during the sensitive bootup interval.

    • Enable “Web Filtering”. This will further restrict hostile content from

    reaching your PC.

    • Enable “Bad Website Filtering”. Websites known to deliver hostile content

    are blocked.

    • Block “VB Scripts”. VB Scripts are often used to deliver hostile content.

    • Block “ActiveX Downloads”. Hackers use these powerful small programs

    to deliver hostile content. NOTE: Many legitimate software programs are

    themselves ActiveX programs!

  • Server-side Vulnerabilities: Web Applications Cross-Site Protection

    Network Administrators

    • For Internet browsers, disable access to data sources across domains to avoid cross-site scripting attacks.

    • Ensure that no un-trusted sites are in the Trusted sites or Local intranet zones as these zones have weaker security settings than the other zones.

    Developers

    • Validate User textbox input to avoid cross-site scripting attacks

    • Follow good application coding security practices

    ALL

    • Follow OWASP Web / XML security best practices

    85

  • Server-side Vulnerabilities: Web Applications PHP Protection

    • Use latest version of PHP

    • Develop with the latest PHP release and a hardened configuration (see above)

    • Validate all input according to the variable type it is being assigned

    • Follow OWASP (Open Web Application Security Project) secure coding guidance (more details on a later slide)

    • Test your apps using the OWASP Testing Guide with tools like WebScarab, Firefox's Web Developer Toolbar, Greasemonkey, and the XSS Assistant

    • Use a testing environment and test applications before deploying

    • Train/hire developers with security experience and certifications

    86

  • 87

    Server-side Vulnerabilities: Server Virtualization Protection

    • Follow the same practices for securing virtualized machines as for real machines

    • Monitor v-switches and virtual network

    • Segment network based on data protection requirements

    • Principle of least privilege – unnecessary services turned off,

    – necessary services reduced in privileges

    • Require secure user authentication when accessing resources across the network

    • Secure backup and disaster recovery resources from internal attack

    • Encrypt communications across your virtualized network

    • Encrypt “virtual snapshots”

  • 88

    Server-side Vulnerabilities: Backup Software Protection

    • Ensure the latest vendor supplied software patches are installed on the clients and servers.

    • The ports being used by backup software should be firewalled from any untrusted network, especially the Internet.

    • Data should be encrypted when stored on backup media and while being transported across the network.

    • Host- or network-based firewalls should be run to limit the accessibility of a system's backup software to ensure that only the appropriate backup hosts can communicate on the backup server ports.

    • Segregate your network to create a separate backup network VLAN.

    • Backup media should be stored, tracked and monitored like other IT assets to deter and detect theft or loss.

    • Backup media should be securely erased, or physically destroyed at the end of its useful life.

  • 89

    Server-side Vulnerabilities: Database Software Protection

    • Ensure that all DBMS patches are up to date.

    • Remove/change default passwords on the database's privileged and system accounts before deploying the system on the network. Lists of default accounts are readily available on the Internet.

    • Rotate passwords

    • Use minimal privileges.

    • Use stored procedures where possible. Remove/disable unnecessary stored procedures.

    • Set length limits on any form fields to minimize the possibility of buffer overflow attacks.

    • Use database activity monitoring tools

    – They operate independently of the DBMS

    • Encrypt database
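    An added example, not from the slide deck, of the injection the advice on this slide guards against: a lookup that splices a form field into SQL text, beside the hardened version that enforces a length limit on the field and binds the value as a parameter. It uses Python's built-in sqlite3 with constructed rows; sqlite has no stored procedures, so bound parameters stand in for the same separation of code from data.

```python
import sqlite3

MAX_NAME_LEN = 32  # length limit on the "username" form field (constructed policy value)


def make_db():
    """In-memory database with constructed rows, so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "user"), ("dba", "admin")])
    return conn


def lookup_vulnerable(conn, name):
    """Deliberately vulnerable: the form field is spliced into the SQL text,
    so a quote in the input changes the query instead of being treated as data."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened form: enforce the field's type and length limit first, then pass
    the value as a bound parameter so the DBMS never parses it as SQL."""
    if not isinstance(name, str) or len(name) > MAX_NAME_LEN:
        raise ValueError("username rejected: wrong type or longer than %d" % MAX_NAME_LEN)
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    tampered = "x' OR '1'='1"  # constructed input: a quote-terminating string, not a name
    print("vulnerable:", lookup_vulnerable(conn, tampered))  # every row comes back
    print("safe:      ", lookup_safe(conn, tampered))        # no row has that literal name
```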

  • 90

    Client-side Vulnerabilities: Web Browser Protection

    • Configuration control is critical: use Active Directory or other tools to monitor configurations

    • Restrict desktop User browsing privileges to avoid attacks from hostile websites

    • Block ActiveX downloads if Internet Explorer is being Used

    • Restrict so-called “cookies” (tracking text files)

    • Train Users in proper website security practices

    • Always update desktop web browser software with newest security updates

    • Use pop-up blockers and script blocking tools like NoScript

    • Always update Adobe Flash Player, Java and Adobe PDF Reader browser plugins with latest versions

    • Never browse the web with an admin account or from servers

    • Use multiple browsers, where needed, e.g. Internet Explorer for banking and Firefox for general browsing

    • Consider a more effective bolt-in access control add-on (re: HP’s free “Polaris”): http://en.wikipedia.org/wiki/HP_Polaris_(computer_security)

  • 91

    Client-side Vulnerabilities: Office Software Protection

    • Keep the systems updated with all the latest patches and service packs. If possible, enable Automatic Updates on Windows systems.

    • Do not open attachments from unknown senders. Practice caution when opening unexpected e-mail attachments even from known sources.

    – Use content management systems to share files

    • To avoid opening documents from unknown web sites do not “click browse”. “Click browsing” is a habit of browsing the web by clicking on links in e-mails or online forums. Use the bookmark feature in every browser to create links to your frequently used web sites.

    • Disable the Internet Explorer feature of automatically opening Office documents.

    • Configure Outlook and Outlook Express with enhanced security.

    • Use intrusion prevention/detection systems and anti-virus and malware detection software to prevent malicious server responses and documents from reaching end users.

    • Use mail and web filtering systems at the network perimeter to prevent malicious Office documents from reaching end-user systems.

  • Client-side Vulnerabilities: Email Client Protection

    • Remove all e-mail client software from production server systems, or where otherwise unnecessary.

    • Do not run any email client on servers or workstations with confidential information unless you use encryption.

    • Use the latest version of the email client and enable the automatic update feature provided by the application or operating system.

    • Do not run the email client as an administrative user, or other user account with elevated privileges.

    – If you absolutely must run email while logged on as Administrator on a Windows system, use tools like Microsoft’s “Drop My Rights” for lowering the privileges available to the email application.

    • Do not open any email messages from unknown or suspicious senders

    • Do not answer junk mail (spam), even if there is an option to unsubscribe

    • View email messages as plain text, or with as little formatting as possible: HTML and RTF (two common enhanced formatting schemes for email messages) can allow scripting and other avenues for exploitation

    • Do not open any attachments without scanning them first with anti-virus

    • Configure your email client to not send return receipts or read confirmations

    • For secure email exchange use digital signatures and/or encryption

    92

  • Same rules apply to Mac! More built in, and easier to implement.

    93

    Mac OS X Built-in Security aspects: http://www.apple.com/macosx/what-is/security.html

    Mac OS X Security configuration guides: https://ssl.apple.com/support/security/guides/

    The truth about APPLE security: http://www.macworld.com/article/140873/2009/06/apple_java_security.html

    “Macs are plagued with as many (and sometimes more) vulnerabilities as other operating systems. These are the doors attackers use to

    exploit our systems, and Macs are far from invulnerable. But in the real world, Macs suffer from far fewer compromises.”

    Mac Security Threats: How Vulnerable Is Apple? http://www.time.com/time/business/article/0,8599,2075218,00.html

    “Mac Protector is real, … So is it time for Mac aficionados to admit defeat and install security software? … Some are running utilities

    from Symantec and Sophos. The vast majority, however, including professional savants like Macworld editors, said they still don't…”

    Experts weigh in on Mac vs. PC security: http://news.cnet.com/8301-27080_3-10444561-245.html

    “ESET released the results of a survey in November related to awareness of cybercrime in the U.S. More than 1,000 people responded that

    while both PC and Mac users perceive the Mac as being safer, Mac users are victims of cybercrime just as frequently as PC users.”

    http://www.thexlab.com/faqs/malspyware.html

    http://www.infosecurity-us.com/view/6841/security-and-malware-threats-to-mac-and-apple-products-are-on-the-rise-/

    Ensure your Mac security set-ups are indeed adequate, common


  • Software / application security

    94

    Fix the 25 software development errors!

    SW / Apps: more than development – it’s managed use (Mobile, etc.)!

    Social media

    Peer-to-peer

    Email

    Cloud

    Browser

    Active code (Java, etc)

  • Application Abuse: The World of Web 2.0

    Instant Messaging, Social Media, Facebook, Twitter, etc.

    • Protect like other applications

    – Patching

    – User training

    – Monitoring

    • Same risks as email, like social engineering, phishing, bogus links, etc.

    • Possible source of data leakage from malicious insider

    • Malware: worms, viruses, and Trojans transferred through instant messaging.

    • Data not encrypted in transit

    • Another way to get into your systems

    • Don’t use with admin/privileged account

    95

  • 96

    Application Abuse: The World of Web 2.0

    PEER-TO-PEER (P2P) MUSIC / FILE SHARING PROGRAMS: RISKS

    • Illegal sharing of copyrighted material or confidential data

    • Exposure of users to unwanted illicit content

    • Distribution and execution of malware (viruses, spyware, bots, etc.)

    • Network overload

    • Network surveillance by cybercriminals

    IMPLEMENT PRINCIPLE OF LEAST PRIVILEGE!

    • Turn on egress filtering

    • Use data loss prevention (DLP) tools

    • Monitor Firewall and Intrusion Detection System logs, including outbound

    • Disable the Simple File Sharing feature (Windows XP)

    • Monitor system for presence of unknown executables and unauthorized modification of system files

  • Email Security Configuration

    • Use the latest version of the email client (such as Thunderbird) and enable the automatic update feature provided by the application or operating system.

    • Use Anti-Virus (AV) software with the latest update (virus signatures). Configure the anti-virus software to monitor files in real-time if possible, and configure automatic daily update of AV software, if possible.

    • TRAIN ALL USERS TO QUESTION ALL HYPERLINKS WITHIN EMAILS

    – AS AN OPTION, TRAIN USERS AND EMPLOYEES TO COPY SUSPECT LINKS AND PASTE INTO SEARCH ENGINES FOLLOWED BY THE EXPRESSION “COMPLAINTS”

    • Remove all e-mail client software from production server systems, or where otherwise unnecessary.

    97

  • Browser and Web Surfing Security

    OWASP Top Ten Web/XML Risks

    98

    1: Injection

    2: Cross-Site Scripting (XSS)

    3: Broken Authentication and Session Management

    4: Insecure Direct Object References

    5: Cross-Site Request Forgery (CSRF)

    6: Security Misconfiguration

    7: Insecure Cryptographic Storage

    8: Failure to Restrict URL Access

    9: Insufficient Transport Layer Protection

    10: Unvalidated Redirects and Forwards

    https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

    Mitigating OWASP top 10 without any code

    http://www.rakkhis.com/2011/03/mitigating-owasp-top-10-without-any.html

    OWASP Top 10 And Security Flaw Root Causes

    http://www.slideshare.net/marco_morana/owasp-top-10-and-security-flaws

  • Browser and Web Surfing Security

    Use the Open Web Application Security Project (OWASP) resources for secure Web application development:

    + Secure Web application development guide (www.owasp.org/index.php/Category:OWASP_Guide_Project)

    + Web application testing guide (www.owasp.org/index.php/Category:OWASP_Testing_Project)

    + Developing your own security controls can le