Compliance Guide: Top 20 Critical Security Controls
July 2015

Contents
01 Introduction
02 How Rapid7 Can Help
03 Rapid7 Solutions for the Critical Controls
04 About Rapid7

01 INTRODUCTION
The Need for a Risk-Based Approach
A common factor across many recent security breaches is that the targeted enterprise was compliant, meaning they passed their Payment Card Industry (PCI) audit, yet customer data was still compromised. Simply being compliant is not enough to mitigate probable attacks and protect critical information. In today’s constantly evolving threat landscape, organizations need to focus on securing the business first and documenting the process to show compliance second, not the other way around. While there’s no silver bullet, organizations can reduce their chances of compromise by moving from a compliance-driven to a risk management approach to security.
What are the Top 20 Critical Security Controls?
In 2008, the SANS Institute, a research and education organization for security professionals, developed the Top 20 Critical Security Controls (CSCs) to address the need for a risk-based approach to security. Prior to this, security standards and requirements frameworks were predominantly compliance-based, with little relevance to the real-world threats they are intended to address. The Controls are prioritized to help organizations focus security efforts where they have the greatest impact in improving their risk posture. In 2013, the stewardship of the Controls was transferred to the Council on CyberSecurity, an independent, global non-profit entity.
The Critical Controls’ Two Guiding Principles
“Prevention is ideal but detection is a must”
While controls that prevent attacks against networks and systems are essential, controls that detect and thwart attackers inside a network that has already been breached are also needed. Through fast detection of compromised machines, organizations can prevent follow-on attack activities that would otherwise have resulted in financial and reputational losses. Rapid7 UserInsight addresses this very need: to detect security incidents and intruder behavior quickly and effectively, before attackers can cause damage.
“Offense informs defense”
The Controls are a consensus list developed by experts with deep knowledge of actual attacks, current threats and effective defensive techniques. This ensures that only controls that can be shown to detect, prevent and mitigate known real-world attacks are included. Leveraging over 200,000 open source community members and industry-leading security researchers, Rapid7’s security data and analytics solutions are informed by a deep understanding of the threat landscape and attacker methods.
02 HOW RAPID7 CAN HELP

According to the US State Department, organizations can achieve more than 88% risk reduction through rigorous automation and measurement of the Controls.

Rapid7 security solutions help organizations implement the Top 20 Critical Security Controls and thwart real-world attacks. The table below outlines how Rapid7 products and services align to each of the controls.
Critical Security Control | Nexpose | Metasploit | AppSpider | UserInsight | Rapid7 Services
1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4 Continuous Vulnerability Assessment and Remediation
5 Malware Defenses
6 Application Software Security
7 Wireless Access Control
8 Data Recovery Capability
9 Security Skills Assessment and Appropriate Training to Fill Gaps
10 Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11 Limitation and Control of Network Ports, Protocols, and Services
12 Controlled Use of Administrative Privileges
13 Boundary Defense
14 Maintenance, Monitoring, and Analysis of Audit Logs
15 Controlled Access Based on the Need to Know
16 Account Monitoring and Control
17 Data Protection
18 Incident Response and Management
19 Secure Network Engineering
20 Penetration Tests and Red Team Exercises
03 RAPID7 SOLUTIONS FOR THE CRITICAL CONTROLS
As displayed in the chart on the previous page, Rapid7 has products and services to address the majority of the Controls. At the highest level, Rapid7 can perform an assessment of your organization’s current state against the Critical Controls, identify gaps in your security program, and provide guidance on implementing missing controls. The following pages provide more detail on how each control can be addressed by Rapid7 solutions.
CSC 1: Inventory of Authorized and Unauthorized Devices
Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
Control Description | How Rapid7 Can Help

CSC 1-1 Deploy an automated asset inventory discovery tool.
• Nexpose automatically scans the entire network to discover every system with an IP address and assembles an asset inventory.

CSC 1-2 Deploy dynamic host configuration protocol (DHCP) server logging.
• Nexpose connects to DHCP servers to automatically discover new systems connecting to the network.
• UserInsight analyzes DHCP logs for all systems on the network and automatically maps hosts and users to IP addresses.

CSC 1-4 Maintain an asset inventory of all systems connected to the network.
• Nexpose provides visibility into all assets (servers, workstations, mobile devices, etc.), including IP address and name, and also enables assets to be tagged with additional context, e.g. asset owner.
CSC 2: Inventory of Authorized and Unauthorized Software
Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
Control Description | How Rapid7 Can Help

CSC 2-2 Devise a list of authorized software and versions.
• Nexpose provides a complete list of software and versions used within the enterprise, which can be used to determine which software is authorized.

CSC 2-3 Perform regular scanning for unauthorized software.
• Nexpose provides fully customizable policy scanning to detect the presence of unauthorized software.
• UserInsight inventories every process on the network and identifies anomalous software that is rare or unique and unsigned.

CSC 2-4 Deploy software inventory tools.
CSC 2-5 Integrate software and hardware inventory systems.
• Nexpose provides a unified view of operating system, installed software, services, vulnerabilities, and policies for each asset.
CSC 3: Secure Configurations for Hardware and Software
Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
Control Description | How Rapid7 Can Help

CSC 3-1 Establish and ensure the use of standard secure configurations of your operating systems.
• Nexpose automatically scans all systems on the network to check their compliance with secure configuration standards.

CSC 3-2 Implement automated patching tools and processes.
• Nexpose automates the task of assessing applications and operating systems for vulnerabilities, which are prioritized for patching.

CSC 3-3 Limit administrative privileges to very few users.
• UserInsight monitors users with administrative privileges and alerts on new domain admins and account privilege escalation.

CSC 3-10 Deploy system configuration management tools.
• Nexpose scans every Windows server to verify use of configuration management tools such as Microsoft GPMS and SCCM.
CSC 4: Continuous Vulnerability Assessment and Remediation
Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
In addition to the specific solutions listed below, Rapid7 can provide a fully managed, cloud-based vulnerability management service operated on a monthly or quarterly basis.
Control Description | How Rapid7 Can Help

CSC 4-1 Run automated vulnerability scanning tools.
• Nexpose automatically scans all systems on the network for vulnerabilities and misconfigurations, which are prioritized for remediation based on risk.

CSC 4-2 Correlate event logs with information from vulnerability scans.
• Nexpose provides pre-built integration with SIEM solutions for correlating vulnerability scan results with event logs.
• UserInsight correlates vulnerability data with event logs to provide additional context to each vulnerability.

CSC 4-3 Perform vulnerability scanning in authenticated mode.
• Nexpose uses domain admin credentials to perform authenticated scans on systems and provides the ability to manage credentials centrally.

CSC 4-4 Subscribe to vulnerability intelligence services.
• Nexpose is automatically updated with the latest vulnerabilities and exploits on a weekly basis, and within 24 hours for critical updates.

CSC 4-6 Carefully monitor logs associated with any scanning activity.
• UserInsight detects all scanning activity, both legitimate and illegitimate, via honeypots deployed on the network.

CSC 4-7 Compare the results from back-to-back vulnerability scans.
• Nexpose provides vulnerability trend charts and reports to show progress, and the ability to manage and report on vulnerability exceptions.

CSC 4-10 Establish a process to risk-rate vulnerabilities based on the exploitability and potential impact of the vulnerability.
• Nexpose prioritizes vulnerabilities using risk scores that take into account exploit exposure and asset criticality.
CSC 5: Malware Defenses
Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.
Control Description | How Rapid7 Can Help

CSC 5-1 Employ automated tools to continuously monitor workstations, servers, and mobile devices.
• Nexpose checks that anti-malware software is installed, enabled and up-to-date on every Windows workstation.
• UserInsight detects malicious processes on endpoints and correlates data from anti-malware solutions with user activity.

CSC 5-2 Employ anti-malware software that offers a remote, cloud-based centralized infrastructure.
• UserInsight checks all endpoint processes against a cloud-based central database of known malware, and identifies rare and unique processes.

CSC 5-3 Configure laptops, workstations, and servers so that they will not auto-run content from removable media.
• Nexpose provides fully customizable policy scanning to audit whether autoplay is allowed on devices.

CSC 5-5 Scan and block all e-mail attachments.
• Nexpose scans every Windows workstation to verify e-mail clients are configured to block attachments with certain file types.

CSC 5-6 Enable anti-exploitation features.
• Nexpose checks that DEP, ASLR and SEHOP are enabled, and that EMET is installed and up-to-date, on every Windows server and workstation.

CSC 5-7 Limit use of external devices to those that have a business need.
• Nexpose connects to DHCP servers to automatically discover unknown devices connecting to the network.

CSC 5-8 Ensure that automated monitoring tools use behavior-based anomaly detection.
• UserInsight monitors and analyzes activity across the network, endpoints, cloud services and mobile devices to detect unusual behavior.

CSC 5-11 Detect hostname lookups for known malicious C2 domains.
• UserInsight monitors the network for DNS queries to known malicious domains and newly registered internet domains.
CSC 6: Application Software Security
Manage the security lifecycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.
Control Description | How Rapid7 Can Help

CSC 6-1 For all acquired application software, check that the version is still supported.
• Nexpose automatically scans all software on the network for vulnerabilities and identifies relevant patches to be applied.

CSC 6-4 Test web applications for common security weaknesses.
• AppSpider dynamically scans and tests web applications for vulnerabilities.
• Metasploit automates web app testing for OWASP Top 10 vulnerabilities.

CSC 6-6 Maintain separate environments for production and nonproduction systems.
• UserInsight provides the ability to configure network zone policies for separate production and nonproduction systems, and to detect policy violations.

CSC 6-7 Test in-house-developed web and other application software prior to deployment.
• Rapid7 can perform manual penetration testing on web and mobile applications to identify security weaknesses.

CSC 6-9 For applications that rely on a database, use standard hardening configuration templates.
CSC 7: Wireless Access Control
The processes and tools used to track/control/prevent/correct the secure use of wireless local area networks (LANs), access points, and wireless client systems.
In addition to the solution listed below, Rapid7 can help with this control by performing wireless penetration testing to assess the security of wireless network infrastructure and identify rogue access points.
Control Description | How Rapid7 Can Help

CSC 7-2 Detect wireless access points connected to the wired network.
• Nexpose scans the entire network for wireless access points and provides the ability to detect the presence of unauthorized access points.
CSC 9: Security Skills Assessment and Appropriate Training to Fill Gaps
For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.
Control Description | How Rapid7 Can Help

CSC 9-3 Implement an online security awareness program.
• Rapid7 can provide customizable online security awareness training modules, with a reporting system to monitor the progress of learners.

CSC 9-4 Validate and improve awareness levels through periodic tests.
• Metasploit provides the ability to simulate phishing campaigns to measure user susceptibility and the effectiveness of security awareness training.
CSC 10: Secure Configurations for Network Devices
Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
Control Description | How Rapid7 Can Help

CSC 10-1 Compare firewall, router, and switch configuration against standard secure configurations.
• Nexpose provides fully customizable policy scanning to assess the configuration of network devices such as firewalls, routers, and switches.

CSC 10-3 Use automated tools to verify standard device configurations.
• Nexpose automatically scans network devices to check their compliance with secure configuration standards.
CSC 11: Limitation and Control of Network Ports, Protocols, and Services
Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize windows of vulnerability available to attackers.
Control Description | How Rapid7 Can Help

CSC 11-1 Ensure that only ports, protocols, and services with validated business needs are running on each system.
CSC 11-2 Apply host-based firewalls or port filtering tools on end systems.
• Nexpose provides fully customizable policy scanning to audit whether the Windows firewall is on and configured securely.

CSC 11-3 Perform automated port scans on a regular basis.
• Nexpose automatically scans all servers, including their ports, protocols and services, to check their compliance with secure configuration policies.

CSC 11-4 Uninstall and remove any unnecessary components from the system.
• Nexpose checks that obsolete services are disabled on every Windows server, and that compilers, libraries and desktop applications are not installed.

CSC 11-6 Operate critical services on separate physical or logical host machines.
• Nexpose scans every Windows server to verify that only a single critical role (such as DNS, file, mail, web or database) is installed.
CSC 12: Controlled Use of Administrative Privileges
The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
Control Description | How Rapid7 Can Help

CSC 12-1 Minimize administrative privileges.
• UserInsight monitors users with administrative privileges.
• Nexpose scans every Windows server to verify that services are run with non-admin accounts.

CSC 12-2 Use automated tools to inventory all administrative accounts.
• UserInsight provides visibility of all administrative accounts on the network, on local systems, and in corporate cloud services.

CSC 12-3 Configure all administrative passwords to be complex.
• Nexpose provides fully customizable policy scanning to audit passwords for a minimum level of complexity.
• Metasploit tests password strength through online brute-force attacks, offline password cracking, and credential re-use testing.

CSC 12-4 Change all default passwords.
• Nexpose scans the entire network for systems using default credentials.

CSC 12-5 Ensure that all service accounts have long and difficult-to-guess passwords.
• UserInsight provides visibility of all service accounts on the network.
• Nexpose provides the ability to audit passwords for a minimum level of complexity.

CSC 12-6 Passwords should be hashed or encrypted in storage.
• Nexpose provides fully customizable policy scanning to audit passwords, including whether password encryption is enabled.

CSC 12-8 Each person requiring administrative access should be given his/her own separate account.
• UserInsight detects users sharing administrative accounts.
• Nexpose checks that admin credentials are unique on every Windows server and workstation.

CSC 12-9 Configure operating systems so that passwords cannot be re-used within a time frame of six months.
• Nexpose provides the ability to audit passwords, including the minimum amount of time before passwords can be reused.

CSC 12-10 Configure systems to issue a log entry and alert when an account is added to or removed from a domain administrators' group.
CSC 12-11 Configure systems to issue a log entry and alert when an unsuccessful login to an administrative account is attempted.
• UserInsight provides visibility of all administrative accounts on the network and alerts on new domain administrator accounts.
CSC 13: Boundary Defense
Detect/prevent/correct the flow of information transferring across networks of different trust levels, with a focus on security-damaging data.
Control Description | How Rapid7 Can Help

CSC 13-1 Deny communications with known malicious IP addresses.
• UserInsight alerts on network access to/from known malicious IP addresses.
• Nexpose checks that URL filtering and reputation scanning are enabled on web browsers for every Windows workstation.

CSC 13-10 Devise internal network segmentation schemes to limit traffic to only those services needed for business use.
• Metasploit automates the task of testing that network segmentation is operational and effective.
• UserInsight provides the ability to configure network zones and detect network traffic that violates defined user access policies.
CSC 14: Maintenance, Monitoring, and Analysis of Audit Logs
Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.
Control Description | How Rapid7 Can Help

CSC 14-3 Ensure adequate storage space for the logs generated on a regular basis.
• UserInsight collects a wide variety of system and network logs and continuously stores copies of them in a secure, scalable cloud platform.

CSC 14-4 Make sure that logs are kept for a sufficient period of time.
• UserInsight retains security incident data from the day the solution is installed and makes the data readily available for investigation.

CSC 14-5 Run bi-weekly reports that identify anomalies in logs.
• UserInsight automatically analyzes log data against user behavior baselines and alerts on any anomalies or suspicious activities.

CSC 14-7 For all servers, ensure that logs are written to dedicated logging servers.
• UserInsight collects logs and continuously stores copies of them in a secure, scalable cloud where they cannot be manipulated by an attacker.

CSC 14-8 Deploy a SIEM or log analytic tools for log aggregation and consolidation.
• UserInsight collects logs, correlates events by user, machine and IP, and analyzes them for anomalies and suspicious activities with low false positives.
CSC 15: Controlled Access Based on the Need to Know
The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.
Control Description | How Rapid7 Can Help

CSC 15-2 Enforce detailed audit logging for access to nonpublic data.
• UserInsight provides visibility of all authentication activity on assets classified as restricted, and alerts on access from a new user or source.

CSC 15-3 Segment the network based on trust levels.
• Metasploit automates the task of testing that network segmentation is operational and effective.
CSC 16: Account Monitoring and Control
Actively manage the life-cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them.
Control Description | How Rapid7 Can Help

CSC 16-1 Review all system accounts.
• UserInsight provides visibility of all active user accounts across the organization, including domain, local, and cloud service accounts.

CSC 16-6 Configure screen locks on systems.
• Nexpose provides fully customizable policy scanning to audit screen lock configurations, including the amount of idle time before the screen lock is applied.

CSC 16-8 Require that all non-administrator accounts have strong passwords.
• Nexpose provides fully customizable policy scanning to audit passwords for a minimum level of complexity, including length and required characters.

CSC 16-9 Use and configure account lockouts.
• Nexpose provides fully customizable policy scanning to audit account lockout configurations, including attempt threshold and lockout duration.

CSC 16-11 Monitor attempts to access deactivated accounts.
• UserInsight alerts on authentication attempts to disabled accounts.

CSC 16-13 Profile each user's typical account usage.
• UserInsight monitors user account activity, and alerts on access from an unusual location or from multiple locations within a short period of time.

CSC 16-17 Verify that all password files are encrypted or hashed.
• Nexpose provides fully customizable policy scanning to audit passwords, including whether password encryption is enabled.
CSC 17: Data Protection
The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.
Control Description | How Rapid7 Can Help

CSC 17-8 Configure systems so that they will not write data to USB drives.
• Nexpose provides fully customizable policy scanning to audit whether autoplay is allowed on devices.

CSC 17-12 Monitor all traffic leaving the organization.
• UserInsight provides visibility into cloud services such as Office 365, Google Apps, Box and AWS, which may be used for data exfiltration.
CSC 18: Incident Response and Management
Protect the organization’s information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker’s presence, and restoring the integrity of the network and systems.
Control Description | How Rapid7 Can Help

CSC 18-1 Ensure that there are written incident response procedures.
• Rapid7 can perform an assessment of the organization's current preparedness and help them to develop an incident response plan.

CSC 18-4 Devise standards for incident reporting.
• UserInsight provides the ability to map incident investigation findings to an interactive timeline and produce a final report for communication.

CSC 18-7 Conduct periodic incident
CSC 19: Secure Network Engineering
Make security an inherent attribute of the enterprise by specifying, designing, and building-in features that allow high confidence systems operations while denying or minimizing opportunities for attackers.
Control Description | How Rapid7 Can Help

CSC 19-4 Segment the enterprise network into multiple, separate trust zones.
• Metasploit automates the task of testing that network segmentation is operational and effective.
• UserInsight provides the ability to configure network zones and detect network traffic that violates defined user access policies.
CSC 20: Penetration Tests and Red Team Exercises
Test the overall strength of an organization’s defenses (the technology, the processes, and the people) by simulating the objectives and actions of an attacker.
In addition to the solutions described below, Rapid7 can address this control by performing penetration tests to simulate real-world attack vectors and uncover security weaknesses from the attacker’s perspective.
Control Description | How Rapid7 Can Help

CSC 20-1 Conduct regular external and internal penetration tests.
• Metasploit provides the ability to discover hosts, exploit systems, brute-force passwords, and simulate other attacker methods.

CSC 20-5 Plan clear goals with blended attacks in mind.
• Metasploit provides the ability to conduct and manage social engineering campaigns as part of a penetration test.

CSC 20-6 Use vulnerability scanning and penetration testing tools in concert.
04 ABOUT RAPID7

Rapid7 is a leading provider of security data and analytics solutions that enable organizations to implement an active, analytics-driven approach to cyber security. We combine our extensive experience in security data and analytics and deep insight into attacker behaviors and techniques to make sense of the wealth of data available to organizations about their IT environments and users. Our solutions empower organizations to prevent attacks by providing visibility into vulnerabilities and to rapidly detect compromises, respond to breaches, and correct the underlying causes of attacks. Rapid7 is trusted by more than 3,900 organizations across 90 countries, including 30% of the Fortune 1000.
For more information, please visit www.rapid7.com.