(1)

Critical Security Controls

Session 2:

The Critical Controls

Chris Beal

Chief Security Architect | MCNC [email protected]

@mcncsecurity on Twitter

© 2014 MCNC – General Use v1.0

(2)

The Critical Security Controls

The Critical Security Controls for Effective Cyber Defense, Version 5.1

(3)

The Critical Security Controls

(4)

CSC 1

What?

Inventory of Authorized and Unauthorized Devices

Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.

Why?

You cannot secure devices that you don’t know about, and you cannot protect yourself from devices that you don’t know are sitting on your network.

(5)

CSC 1

How?

Inventory of Authorized and Unauthorized Devices

ID #    | Description | Category
CSC 1-1 | Deploy an automated asset inventory discovery tool and use it to conduct an asset inventory to find devices on the network. | Quick Win
CSC 1-2 | Enable DHCP server logging and use the logs to detect unknown systems connecting to the network. | Quick Win
CSC 1-3 | Keep the asset inventory updated as new devices are acquired and added to the network. | Quick Win
CSC 1-4 | Maintain an asset inventory of all systems connected to the network, including network address, device name, device purpose, and asset owner. | Visibility
CSC 1-5 | Deploy network-level authentication (via 802.1X) to control which devices are allowed to connect to the network. | Config
CSC 1-6 | Deploy Network Access Control (NAC) to monitor authorized systems and ease remediation of unauthorized systems. | Config
CSC 1-7 | Use client certificates to validate and authenticate systems prior to connecting to the network. | Advanced
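The following script is an added example for CSC 1-2 and CSC 1-4 and is not from the original deck: it reads DHCP server log lines, keeps only the DHCPACK messages (the leases the server actually granted) and flags any hardware address that is missing from the asset inventory. Both the log lines and the inventory are constructed for the example, with the log laid out like ISC dhcpd's syslog messages; point it at your own DHCP log and at the CSC 1-4 inventory to use it.

```python
import re

# Constructed sample log lines in ISC dhcpd's syslog layout (not real MCNC data).
DHCP_LOG = """\
Jan  3 10:15:02 dhcp1 dhcpd: DHCPACK on 10.0.1.57 to 00:1a:2b:3c:4d:5e (ws-finance-07) via eth0
Jan  3 10:15:09 dhcp1 dhcpd: DHCPACK on 10.0.1.58 to 00:1a:2b:3c:4d:5f (ws-finance-08) via eth0
Jan  3 10:16:44 dhcp1 dhcpd: DHCPACK on 10.0.1.120 to 3c:5a:b4:11:22:33 (android-9f2e) via eth0
Jan  3 10:17:01 dhcp1 dhcpd: DHCPREQUEST for 10.0.1.57 from 00:1a:2b:3c:4d:5e (ws-finance-07) via eth0
Jan  3 10:18:30 dhcp1 dhcpd: DHCPACK on 10.0.1.121 to 00:1A:2B:3C:4D:60 via eth0
"""

# Constructed asset inventory keyed by MAC, carrying the CSC 1-4 fields
# (the network address is taken from the lease, so it is not stored here).
INVENTORY = {
    "00:1a:2b:3c:4d:5e": {"name": "ws-finance-07", "purpose": "workstation", "owner": "finance"},
    "00:1a:2b:3c:4d:5f": {"name": "ws-finance-08", "purpose": "workstation", "owner": "finance"},
    "00:1a:2b:3c:4d:60": {"name": "prn-finance-01", "purpose": "printer", "owner": "finance"},
}

# Only DHCPACK means the server actually handed out the address; DISCOVER/REQUEST lines are ignored.
ACK_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd: DHCPACK on (?P<ip>\S+) "
    r"to (?P<mac>[0-9A-Fa-f:]{17})(?: \((?P<host>[^)]*)\))? via \S+$"
)


def parse_acks(log_text):
    """Yield (timestamp, ip, mac, client_hostname) for every DHCPACK line."""
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if m:
            # Normalise MAC case so inventory lookups do not depend on how the server logs it.
            yield m["ts"], m["ip"], m["mac"].lower(), m["host"] or ""


def find_unknown_devices(log_text, inventory):
    """Return {mac: {...}} for leases granted to hardware addresses absent from the inventory.

    The latest lease per MAC wins. The client-supplied hostname is recorded but never
    treated as identity: it is whatever the device chose to send.
    """
    unknown = {}
    for ts, ip, mac, host in parse_acks(log_text):
        if mac not in inventory:
            unknown[mac] = {"ip": ip, "client_hostname": host, "last_seen": ts}
    return unknown


def inventory_coverage(log_text, inventory):
    """Return the inventoried MACs that appeared in the log, to spot stale entries (CSC 1-3)."""
    seen = {mac for _, _, mac, _ in parse_acks(log_text)}
    return seen & set(inventory)


if __name__ == "__main__":
    for mac, info in find_unknown_devices(DHCP_LOG, INVENTORY).items():
        print(f"UNKNOWN DEVICE {mac} got {info['ip']} at {info['last_seen']} "
              f"(claims '{info['client_hostname']}')")
```

The key is the hardware address, not the hostname or the IP: both of the latter are chosen by the client or reassigned by the server. A MAC can be spoofed too, which is why the deck moves on to 802.1X and client certificates (CSC 1-5, 1-7) once the log-based quick win is in place.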

(6)

CSC 2

What?

Inventory of Authorized and Unauthorized Software

Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that

unauthorized and unmanaged software is found and prevented from installation or execution.

Why?

You cannot secure applications that you don’t know about, and you cannot protect yourself from applications that you don’t know are installed on your systems.

(7)

CSC 2

How?

Inventory of Authorized and Unauthorized Software

ID #    | Description | Category
CSC 2-1 | Deploy application whitelisting technology. | Quick Win
CSC 2-2 | Maintain a list of authorized software and versions. Use file integrity checking software to ensure that authorized software has not been modified. | Quick Win
CSC 2-3 | Scan for unauthorized software deployments and alert when found. | Quick Win
CSC 2-4 | Deploy software inventory tools and track deployed software. | Visibility
CSC 2-5 | Integrate the software and hardware inventories. | Visibility
CSC 2-6 | Closely monitor and/or block dangerous file types (exe, zip, msi). | Config
CSC 2-7 | High-risk applications required for business use should be segregated with VMs or air-gapped systems. | Advanced
CSC 2-8 | Configure client workstations with non-persistent operating environments. | Advanced
CSC 2-9 | Only deploy software with signed software ID tags. | Advanced
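As an added example for CSC 2-1 through 2-3 (not the deck's own material; it is also the same hash comparison that CSC 3-8 applies to critical system files), the script below builds a hash baseline of approved binaries and then classifies every file in a directory as authorized, modified or unauthorized. The approved files, the tampered copy and the unlisted binary are all constructed at run time in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(approved_paths):
    """Record file name -> SHA-256 for the approved binaries (the CSC 2-2 authorized list).

    Store the result somewhere the audited host cannot write to; a baseline an attacker
    can rewrite alongside the binary proves nothing.
    """
    return {Path(p).name: sha256_file(p) for p in approved_paths}


def classify(path, baseline):
    """authorized: name and hash match; modified: listed name, different hash; unauthorized: not listed.

    Matching on name alone would let any binary pass by borrowing an approved name, so the
    hash comparison is the decision and the name is only the lookup key.
    """
    name = Path(path).name
    if name not in baseline:
        return "unauthorized"
    return "authorized" if sha256_file(path) == baseline[name] else "modified"


def audit_directory(directory, baseline):
    """Return {"authorized": [...], "modified": [...], "unauthorized": [...]} for files in directory."""
    result = {"authorized": [], "modified": [], "unauthorized": []}
    for entry in sorted(Path(directory).iterdir()):
        if entry.is_file():
            result[classify(entry, baseline)].append(entry.name)
    return result


def demo():
    """Constructed scenario: approve two binaries, tamper with one, drop in an unlisted third."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "approved-a.exe").write_bytes(b"approved binary A v1.2")
        (root / "approved-b.exe").write_bytes(b"approved binary B v3.0")
        baseline = build_baseline([root / "approved-a.exe", root / "approved-b.exe"])
        (root / "approved-b.exe").write_bytes(b"approved binary B v3.0 plus injected code")
        (root / "dropper.exe").write_bytes(b"not on the list")
        return audit_directory(root, baseline)


if __name__ == "__main__":
    for status, names in demo().items():
        print(status, names)
```

A real whitelisting product enforces this decision at execution time rather than on a scan; the scan form shown here is the CSC 2-3 alerting half, and the "modified" bucket is the file-integrity finding of CSC 2-2.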

(8)

CSC 3

What?

Secure Configurations for Hardware & Software on Mobile Devices, Laptops, Workstations, and Servers

Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

Why?

Many systems are vulnerable in their default states. Unused services, default accounts, open ports, etc. can be abused and should be appropriately secured.

(9)

CSC 3

Secure Configurations for Hardware & Software on Mobile Devices, Laptops, Workstations, and Servers

ID #     | Description | Category
CSC 3-1  | Create and use standard, secure OS configurations. | Quick Win
CSC 3-2  | Implement automated patching tools for both OS and applications. | Quick Win
CSC 3-3  | Limit administrative privileges to the small number of users that require them. | Quick Win
CSC 3-4  | Follow strict configuration management processes to build and maintain secure systems. | Quick Win
CSC 3-5  | Store master images securely and continuously monitor them to ensure that they remain secure. | Quick Win
CSC 3-6  | Negotiate contracts to buy systems configured securely out of the box. | Visibility
CSC 3-7  | Do all remote administration of systems over secure channels. | Config
CSC 3-8  | Use file integrity checking tools to ensure that critical system files have not been altered. | Config
CSC 3-9  | Implement and test automated configuration monitoring tools to measure all secure configuration elements. | Advanced
CSC 3-10 | Deploy system configuration management tools (AD GPO, Puppet, etc.) to automatically enforce and redeploy desired configuration settings. | Config
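An added example for CSC 3-1 and 3-9, not from the original deck: a small configuration check that measures an sshd_config against a baseline of required settings. The baseline values are an assumed policy, and the weak and hardened configuration texts are constructed for the example; the parsing rules (case-insensitive keywords, first occurrence wins, Match blocks are conditional) follow sshd_config(5).

```python
# Assumed baseline of configuration elements to measure (an example policy, not MCNC's).
SSHD_BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "protocol": "2",
}

# Constructed sample: the weak configuration as a host might ship with it.
WEAK_SSHD_CONFIG = """\
# sshd_config (constructed example)
Port 22
Protocol 2
PermitRootLogin yes
X11Forwarding yes
#PasswordAuthentication no
"""

# Constructed sample: the corrected configuration, with a conditional exception in a Match block.
HARDENED_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.

    Keywords are case-insensitive and sshd uses the first occurrence of a keyword, so a later
    duplicate cannot silently override an earlier value. Lines after the first 'Match' apply
    only conditionally and are not part of the global baseline.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if len(parts) == 2 and keyword not in settings:
            settings[keyword] = parts[1].strip()
    return settings


def audit_sshd_config(text, baseline=SSHD_BASELINE):
    """Return [(keyword, expected, actual)] for every baseline element that does not measure as required.

    An unset keyword is reported as 'unset' rather than assumed safe, because the compiled-in
    default differs between OpenSSH versions.
    """
    actual = parse_sshd_config(text)
    findings = []
    for keyword, expected in baseline.items():
        value = actual.get(keyword, "unset")
        if value.lower() != expected.lower():
            findings.append((keyword, expected, value))
    return findings


if __name__ == "__main__":
    for keyword, expected, value in audit_sshd_config(WEAK_SSHD_CONFIG):
        print(f"FAIL {keyword}: expected {expected}, found {value}")
    print("hardened findings:", audit_sshd_config(HARDENED_SSHD_CONFIG))
```

The commented-out `#PasswordAuthentication no` in the weak file is the classic trap: a grep for the string would "pass", while the parser correctly reports the element as unset. The same measure-then-report loop is what CSC 3-10 tooling automates by rewriting the setting instead of just flagging it.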

(10)

CSC 4

What?

Continuous Vulnerability Assessment and Remediation

Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.

Why?

… Changes aren’t permanent

But change is …

(11)

CSC 4

Continuous Vulnerability Assessment and Remediation

ID #     | Description | Category
CSC 4-1  | Run vulnerability scanning tools against all systems on the network on a weekly (or more frequent) basis. | Quick Win
CSC 4-2  | Correlate event logs with information from vulnerability scans. | Quick Win
CSC 4-3  | Perform vulnerability scanning in authenticated mode to determine the true vulnerability picture of systems. | Quick Win
CSC 4-4  | Subscribe to vulnerability intelligence services to stay aware of emerging exposures. | Quick Win
CSC 4-5  | Deploy automated patch management and software update tools to keep systems updated. | Visibility
CSC 4-6  | Monitor logs associated with vulnerability scans. | Visibility
CSC 4-7  | Use the results of vulnerability scans to ensure that identified exposures have been addressed. | Config
CSC 4-8  | Measure the delay in patching new vulnerabilities to ensure that systems are being patched within agreed-upon timeframes. | Config
CSC 4-9  | Evaluate patches in a test environment before deploying them to critical systems. | Config
CSC 4-10 | Establish a process to evaluate the risk of patching (or not patching) vulnerabilities. | Config
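An added example for CSC 4-7 and CSC 4-8, not part of the original deck: diff two scan result sets to see what is new, fixed and persisting, then measure each finding's age against a per-severity patch deadline. The deadlines are an assumed policy (the 48-hour figure is the one the deck's quick wins use), and the finding history is constructed with placeholder identifiers rather than real CVE numbers.

```python
from datetime import date

# Assumed patch deadlines in days by severity; the deck's quick wins call for 48 hours,
# which is the "critical" row here. This is an example policy, not MCNC's.
SLA_DAYS = {"critical": 2, "high": 7, "medium": 30, "low": 90}

# Constructed finding history as a vulnerability-management system keeps it after
# correlating successive scans. Ids are placeholders, not real CVE numbers.
FINDINGS = [
    {"host": "srv-web-01", "id": "VULN-A", "severity": "critical",
     "first_seen": date(2014, 1, 6), "fixed_on": date(2014, 1, 7)},
    {"host": "srv-web-01", "id": "VULN-B", "severity": "critical",
     "first_seen": date(2014, 1, 6), "fixed_on": date(2014, 1, 10)},
    {"host": "ws-finance-07", "id": "VULN-C", "severity": "high",
     "first_seen": date(2014, 1, 6), "fixed_on": None},
    {"host": "ws-finance-08", "id": "VULN-D", "severity": "medium",
     "first_seen": date(2014, 1, 13), "fixed_on": None},
]
REPORT_DATE = date(2014, 1, 20)  # constructed "as of" date for the report


def diff_scans(previous, current):
    """Compare two scan results given as (host, finding id) pairs (CSC 4-7).

    Returns (new, fixed, persistent). A finding that disappears only because the scanner
    could not reach the host would wrongly land in 'fixed', so scan coverage must be
    checked separately before 'fixed' is believed.
    """
    previous, current = set(previous), set(current)
    return current - previous, previous - current, previous & current


def patch_status(finding, as_of, sla_days=SLA_DAYS):
    """Classify one finding against the deadline for its severity (CSC 4-8)."""
    deadline = sla_days[finding["severity"]]
    end = finding["fixed_on"] or as_of
    age = (end - finding["first_seen"]).days
    if finding["fixed_on"] is not None:
        return "fixed-in-sla" if age <= deadline else "fixed-late"
    return "open-overdue" if age > deadline else "open-in-window"


def patch_latency_report(findings, as_of, sla_days=SLA_DAYS):
    """Return ({severity: {status: count}}, [(host, id, age_days) for overdue open findings])."""
    summary = {}
    overdue = []
    for f in findings:
        status = patch_status(f, as_of, sla_days)
        bucket = summary.setdefault(f["severity"], {})
        bucket[status] = bucket.get(status, 0) + 1
        if status == "open-overdue":
            overdue.append((f["host"], f["id"], (as_of - f["first_seen"]).days))
    return summary, overdue


def demo():
    """Run the report over the constructed history as of REPORT_DATE."""
    return patch_latency_report(FINDINGS, REPORT_DATE)


if __name__ == "__main__":
    summary, overdue = demo()
    print(summary)
    for host, vid, age in overdue:
        print(f"OVERDUE {host} {vid}: open {age} days")
```

The "fixed-late" bucket is the one to watch over time: it shows whether the 48-hour target is actually being met rather than just whether things eventually get patched, which is what CSC 4-8 asks you to measure.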

(12)

CSC 5

What?

Malware Defenses

Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.

Why?

Malware is pervasive and used in the majority of modern attacks and data breaches in order to compromise systems and account credentials.

(13)

CSC 5

Malware Defenses

ID #     | Description | Category
CSC 5-1  | Use automated tools such as anti-virus, anti-spyware, host-based firewalls, and host-based IPS to continuously monitor systems for indicators of malware. | Quick Win
CSC 5-2  | Use anti-malware software that offers a remote, cloud-based centralized management infrastructure to share intelligence and update managed systems. | Quick Win
CSC 5-3  | Disable the “auto-run” feature for removable media and network shares. | Quick Win
CSC 5-4  | Automatically scan removable media for malware upon connection to a system. | Quick Win
CSC 5-5  | Scan all email and block messages containing malicious content. | Quick Win
CSC 5-6  | Enable features such as DEP, ASLR, containerization, etc. | Quick Win
CSC 5-7  | Limit use of external devices to only where it is required. | Quick Win
CSC 5-8  | Ensure that automated monitoring tools use behavior-based anomaly detection in addition to signature-based detection. | Visibility
CSC 5-9  | Use network-based malware scanning tools to detect and filter network traffic. | Visibility
CSC 5-10 | Implement an incident response (IR) process to collect malware samples found to be running that were not caught by existing malware defenses. | Advanced
CSC 5-11 | Enable DNS query logging to detect lookups for known bad sites. | Advanced
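An added example for CSC 5-11, not from the original deck: match DNS query log lines against a list of known-bad domains. The log lines are constructed in a BIND-style query-log layout and the blocklist is made up for the example; the point the code makes is that a hit must cover every name under a bad domain without matching unrelated names that merely share a suffix.

```python
import re

# Constructed query-log lines, laid out like a BIND query log (not real MCNC data).
DNS_LOG = """\
03-Jan-2014 10:15:02.113 client 10.0.1.57#51234: query: www.example.com IN A + (10.0.0.53)
03-Jan-2014 10:15:07.420 client 10.0.1.120#40011: query: cdn.bad.example IN A + (10.0.0.53)
03-Jan-2014 10:15:09.002 client 10.0.1.120#40012: query: BAD.EXAMPLE. IN AAAA + (10.0.0.53)
03-Jan-2014 10:15:12.900 client 10.0.1.58#33001: query: notbad.example IN A + (10.0.0.53)
03-Jan-2014 10:15:15.311 client 10.0.1.58#33002: query: beacon.c2.test IN TXT + (10.0.0.53)
"""

# Constructed list of known-bad domains; in practice it comes from the threat intelligence
# subscription of CSC 4-4. Entries are kept normalised (lower-case, no trailing dot).
BLOCKLIST = {"bad.example", "c2.test"}

QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalise(name):
    """Lower-case and drop the trailing dot so 'BAD.EXAMPLE.' and 'bad.example' compare equal."""
    return name.rstrip(".").lower()


def blocked_parent(qname, blocklist):
    """Return the blocklist entry that covers qname, or None.

    A lookup for any label under a bad domain (cdn.bad.example) is a hit, but a name that only
    ends with the same characters (notbad.example) is not, so the walk is label by label.
    """
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def parse_queries(log_text):
    """Yield (timestamp, client ip, query name, query type) for each parsable log line."""
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            yield m["ts"], m["client"], m["qname"], m["qtype"]


def find_bad_lookups(log_text, blocklist):
    """Return [(timestamp, client, qname, matched entry)] for queries touching a known-bad domain."""
    hits = []
    for ts, client, qname, qtype in parse_queries(log_text):
        hit = blocked_parent(qname, blocklist)
        if hit:
            hits.append((ts, client, normalise(qname), hit))
    return hits


if __name__ == "__main__":
    for ts, client, qname, hit in find_bad_lookups(DNS_LOG, BLOCKLIST):
        print(f"{ts} {client} looked up {qname} (blocklist: {hit})")
```

The client address in the hit is the lead for the CSC 5-10 collection step: the host that resolved the name is the one to pull the sample from. If clients resolve through a forwarder, the log will show the forwarder's address instead, so query logging has to be enabled on the resolver the endpoints actually talk to.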

(14)

First Five Quick Wins

1. Application Whitelisting (CSC 2)

2. Use of Standard, Secure System Configurations (CSC 3)

3. Patch Application Software Within 48 Hours (CSC 4)

4. Patch System Software Within 48 Hours (CSC 4)

5. Reduce Number of Users With Administrative

(15)

The Top 4 Strategies

The Top 4 Strategies to Mitigate Targeted Cyber Intrusions (the Strategies) are the most effective security controls an organization can implement at this point in time based on our current visibility of the cyber threat environment. The Defence Signals Directorate (DSD) assesses that implementing the Top 4 will mitigate at least 85% of the intrusion techniques that the Cyber Security Operations Centre (CSOC) responds to.

http://www.asd.gov.au/infosec/top-mitigations/top-4-strategies-explained.htm

(16)

AUS DSD Top 4 Strategies

1.   Application Whitelisting

Explicitly define the applications that are allowed to run on a system

2.   Patch Applications

Keep applications updated

3.   Patch the Operating System

Keep the OS and core components updated

4.   Minimize Administrative Privileges

(17)

Key Takeaways

•  You don’t have to invent this yourself!

–  The Critical Security Controls are real-world tested and proven to be effective for defending your assets

•  The Critical Security Controls are a Map, not necessarily turn-by-turn directions

–  You need to plan the best route for your journey based on your environment

–  You have to decide which controls are right for your environment and prioritize them

•  Start with the “First Five Quick Wins” and “Top 4 Strategies”

(18)

Key Takeaways

•  Multi-Factor Authentication

•  Monitoring / Visibility

(19)

The Critical Security Controls

References
