Implementing SANS Top 20 Critical Security Controls with ConsoleWorks

Academic year: 2021



The following whitepaper summarizes TDi Technologies' interpretation of the SANS Top 20 Critical Security Controls and how ConsoleWorks, developed by TDi Technologies, addresses each control in whole or in part. TDi provides solutions to a global customer base with key verticals including Financial Services, Healthcare, Telecommunications, Utilities, and Government. The company's solutions help customers reduce operating costs, meet compliance requirements, secure the IT foundation, and improve IT service delivery. TDi Technologies is the first solution provider to offer a unified enterprise IT operations solution for Privileged Access Management, Baseline Configuration Management, Event Monitoring and Remediation, and Logging over the IT foundation. The company's patented technology provides automation, optimization, control and management capabilities that dramatically improve the ability of IT to meet the demands of the business.

From SANS:

“In 2008, the U.S. National Security Agency (NSA) began an effort that took an "offense must inform defense" approach to prioritizing a list of the controls that would have the greatest impact in improving risk posture against real-world threats. A consortium of U.S. and international agencies quickly grew, and was joined by experts from private industry and around the globe. Ultimately, recommendations for what became the Critical Security Controls (CSCs) were coordinated through the SANS Institute.

The Critical Security Controls effort focuses first on prioritizing security functions that are effective against the latest Advanced Targeted Threats, with a strong emphasis on "What Works" - security controls where products, processes, architectures and services are in use that have demonstrated real world effectiveness. Standardization and automation is another top priority, to gain operational efficiencies while also improving effectiveness. The US State Department has previously demonstrated more than 94% reduction in "measured" security risk through the rigorous automation and measurement of the Top 20 Controls.”

ConsoleWorks® - Continuous, Automated Protection & Monitoring

“The goal of the Critical Controls is to protect critical assets, infrastructure, and information by strengthening your organization's defensive posture through continuous, automated protection and monitoring of your sensitive information technology infrastructure to reduce compromises, minimize the need for recovery efforts, and lower associated costs.”

ConsoleWorks monitors, manages, logs, remediates, and secures physical (routers, switches, servers, and so on), logical (SANs and applications, for example) and virtual infrastructures at the lowest level, in real time and in all machine states, including operating, service, configuration, and maintenance modes. It accomplishes this without using agents and does not rely on the operating system being present in order to monitor and manage the infrastructure. ConsoleWorks uses a unique blend of connector, centralized web server, and out-of-band technologies to implement a robust, no-worry, lights-out management solution.

ConsoleWorks addresses the need for single-source management by providing the ability to stop, start, run, load firmware, reboot, and monitor assets, enabling console operations for system administrators at any time and from anywhere they can connect to the ConsoleWorks server.

ConsoleWorks is designed to minimize operational disruptions, downtime, and mean time to repair. It can automatically trigger operator-specified actions as soon as it detects a known or user-defined condition on a monitored asset. On its own or when partnered with legacy notification applications, ConsoleWorks can phone, fax, page, and email the appropriate personnel and provide them with critical information when it is needed and as it happens.

ConsoleWorks Unified Dashboard - Centralized Management of People, Processes, and Systems

ConsoleWorks brings together technologies and other related information for processing into a unified dashboard. ConsoleWorks logs and monitors, 24x7 and in real time, all incoming log sources, including those from people (down to the keystroke), processes and systems.

All log files collected and aggregated by ConsoleWorks are date/time stamped using a single common base date and time rather than each asset's own clock, thus eliminating the problems caused by unsynchronized clocks. Log files can be viewed individually or interlaced with other log files in date/time order at the sub-second level using TDi Technologies' patented timestamp mechanism in ConsoleWorks.

This normalization helps shorten the remediation process by making it easier to determine the source of an issue.

The unified dashboard encapsulates ConsoleWorks' secure role-based / privileged access control, baseline configuration management, event detection and log aggregation with a sophisticated integration engine containing its Intelligent Event Modules (IEMs). IEMs apply intelligence to the information being monitored from devices, 3rd party application event log files, SNMP traps, and Syslog so that the information can be processed and acted on in a meaningful way. In addition, the ConsoleWorks customer-specific knowledge base captures customer-specific remediation steps for a particular Event; together these enable faster remediation.

On the front end, the ConsoleWorks integration engine facilitates integration with almost any 3rd party software application, such as Identity Management, Change Management, and Password Management systems. On the back end, ConsoleWorks facilitates Incident Response and Compliance / Regulatory Reporting.

   


ConsoleWorks Functionality

ConsoleWorks functionality includes the following features:

• Agentless, persistent monitoring
• Asset access secured using role-based or task-based user privileges
• Scanning of incoming data streams for pre-defined text patterns
• Complete intelligence gathering, including capture of source and account IDs, incident context, and commands and their outcomes
• Centralized command and control for physical, logical and virtual console connections, Syslog messages, SNMP traps, and other streams of information within your cyber infrastructure
• Connections secured using SSL and SSH encryption
• Automatic, securable logging of all data flows to and from monitored assets
• All asset activity logged and the logs digitally signed to make it easier to detect modifications
• Color-coded logs from different information sources facilitating drill-down analyses in aggregated log views
• Hassle-free, large-scale deployments
• Multiple users granted simultaneous access to a single console
• Single user granted Read and Write access to several systems simultaneously
• Automated incident recognition and response
• Complete event lifecycle management: Recognition, Notification, and Remediation
• Events consolidated from all data sources using a common natural time, independent of asset vendor or type
• Events prioritized by severity, set initially by OEMs and 100% customizable by users
• Real-time, customizable graphs and charts for reporting and business intelligence
• Sub-second timeframe for more insightful granularity
• Easy-to-understand dashboards, displays, and views into the health
• Summary and overview event mapping with drill-down capability

Privileged Access Management

Remote Access for Legitimate Users / Protecting and Validating Administrative Accounts on Servers – ConsoleWorks is a unique solution with advanced security capabilities that manage user access to assets. ConsoleWorks performs the role of the Intermediate Device with security features which: stop code-based attacks (malware, viruses, etc.); monitor all remote activity in real time; and enforce authorized remote user access rights.

Prevent Unauthorized Access – ConsoleWorks users must properly authenticate themselves to ConsoleWorks; accessing it without proper authentication is not possible. Once a user is authenticated to ConsoleWorks, the user's role-based security profile determines the access method as well as which assets the user may access or be "aware" of.

ConsoleWorks retains a predefined username/password, PKI certificate, or other credential that it uses to connect the user to the asset, based on the asset's capabilities.

Effectively, ConsoleWorks "owns" the actual connectivity to an asset and controls access to the asset by ConsoleWorks users, so it also determines how a user is connected to the asset. Some users may be required to enter or know a username and password, while others are restricted from knowing one; the method used is configured in ConsoleWorks for a given security profile.

ConsoleWorks is essentially a proxy for all types of user access to cyber assets. ConsoleWorks "owns" the access to all shared accounts on each cyber asset. The user authenticates to ConsoleWorks; then ConsoleWorks, based on the user's role-based security profile, grants the user access to the shared account through ConsoleWorks, never a direct connection to the asset.

Preventing Unauthorized Access to Sensitive Data – The fine-grained, role-based privilege model in ConsoleWorks gives a client's business units control over the assets with which each user may interact. Least privilege is the default (deny unless granted), and command-by-command privilege grants give absolute control over electronic access to systems and sensitive data. This lets ConsoleWorks manage what an actor may see and how they may access the asset, and log all their activity down to the keystroke and response. It also allows ConsoleWorks to alert and alarm on user activity, and to blacklist, whitelist or abstract the commands a user may execute. ConsoleWorks sees the user's command and then decides, based on the security role, whether or not to send the command to the asset. It may also handle the authentication on the asset on behalf of the user, eliminating the need for the user to know a privileged username/password combination on the asset. This is particularly useful for a device where only one privileged account exists: ConsoleWorks knows who is using the privileged account and can audit back to the ConsoleWorks user even though a shared account is in use.

Wireless Device Control – For wireless devices, ConsoleWorks scans for the SSID of the wireless network and learns about connections by recognizing the MAC address and whether the login key presented was good or bad. ConsoleWorks then captures the access port messages and monitors the content for nefarious activity.

White list / Blacklist – ConsoleWorks can be customized to control the application of white list commands. Specifically, a white list can be configured to apply to a specific role, user, device name or type, or to any term or value specified by the ConsoleWorks administrator.

Specific commands could be allowed or disallowed based on the following classifications:

• Secret
• Confidential
• Regulatory Restricted

ConsoleWorks can also implement a black list of disallowed or restricted commands or characters. Under this access control approach, the user could be given seemingly unfettered access to a managed asset. If one of these black-listed commands is executed, ConsoleWorks could be configured to automatically end the user's connection and send an email to Security to follow up on this internal threat, as an example. A black list is a weaker control than a white list: a user with otherwise unrestricted access can often reach the same effect through an alias, an alternative binary, a script, or command chaining, so it is best treated as a detection and session-termination mechanism rather than as the sole control.

ConsoleWorks can also integrate with an identity management system. Current callouts and integrations to RADIUS, SecurID two-factor authentication, Active Directory, LDAP and other UNIX PAM modules are supported.
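The command filtering described above (a role-based white list, a black list that terminates the session, and an audit record that ties the shared account on the asset back to the named user of the proxy), as an added example in Python. This is not ConsoleWorks code; the roles, commands, asset names and the policy format are hypothetical, and the router-style commands are only illustrative.

```python
"""Added example, not ConsoleWorks code: a role-based command filter of the kind
an Intermediate Device applies to each line a user types before it is forwarded
to the asset. Roles, commands and asset names are hypothetical."""
import re
import shlex
from dataclasses import dataclass, field

# Characters that let a second command ride along with an allowed one.
CHAINING = re.compile(r"[;&|`$<>\n]")


@dataclass
class Policy:
    """Per-role command policy. An empty allow-set means 'white list not in use'."""
    allow: frozenset = frozenset()      # permitted first tokens (white list mode)
    deny: frozenset = frozenset()       # forbidden first tokens (black list mode)
    deny_patterns: tuple = ()           # regexes matched against the whole line
    terminate_on_deny: bool = False     # end the session on a black list hit


# Hypothetical roles. The operator gets a white list (default deny); the
# administrator gets seemingly unfettered access, but destructive commands are
# black-listed and end the session so Security can follow up.
POLICIES = {
    "operator": Policy(allow=frozenset({"show", "ping", "traceroute"})),
    "netadmin": Policy(
        deny=frozenset({"reload", "erase", "format"}),
        deny_patterns=(r"\bwrite\s+erase\b", r"\bno\s+logging\b"),
        terminate_on_deny=True,
    ),
}


@dataclass
class Session:
    user: str             # the proxy login, not the shared account on the asset
    role: str
    asset: str
    shared_account: str   # credential the proxy holds; the user never sees it
    open: bool = True
    audit: list = field(default_factory=list)


def evaluate(policy: Policy, line: str) -> tuple:
    """Return (decision, reason) for one input line under a policy.

    decision is FORWARD, BLOCK or TERMINATE; the asset never sees a line
    that is BLOCKed or TERMINATEd.
    """
    stripped = line.strip()
    if not stripped:
        return "FORWARD", "empty line"
    try:
        tokens = shlex.split(stripped)
    except ValueError as exc:       # unbalanced quotes: refuse rather than guess
        return "BLOCK", f"unparseable input: {exc}"
    verb = tokens[0].lower() if tokens else ""
    hit = "TERMINATE" if policy.terminate_on_deny else "BLOCK"

    for pat in policy.deny_patterns:
        if re.search(pat, stripped, re.IGNORECASE):
            return hit, f"matches deny pattern {pat!r}"
    if verb in policy.deny:
        return hit, f"{verb!r} is black-listed"

    if policy.allow:
        # A white list keyed on the first token is only as good as its handling
        # of chaining: 'show version; reload' must not pass as 'show'.
        if CHAINING.search(stripped):
            return "BLOCK", "command chaining not permitted in white list mode"
        if verb not in policy.allow:
            return "BLOCK", f"{verb!r} is not on the white list"
    return "FORWARD", "permitted"


def handle_input(session: Session, line: str) -> str:
    """Apply the session's role policy to one line and record the outcome."""
    if not session.open:
        decision, reason = "BLOCK", "session already terminated"
    else:
        decision, reason = evaluate(POLICIES[session.role], line)
        if decision == "TERMINATE":
            session.open = False
    # The audit record is what lets a shared account be traced to a person.
    session.audit.append({
        "user": session.user, "role": session.role, "asset": session.asset,
        "as": session.shared_account, "input": line,
        "decision": decision, "reason": reason,
    })
    return decision


if __name__ == "__main__":
    s = Session("alice", "operator", "core-rtr-01", "admin")
    for cmd in ("show version", "show run; reload", "reload"):
        print(f"{cmd!r:24} -> {handle_input(s, cmd)}")
```

The decision is made on the line before it reaches the asset, and every line is audited whether or not it is forwarded, so a blocked attempt is itself evidence. Chaining characters are refused outright in white list mode because the list is keyed on the first token only.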

End to End Monitoring and Management

Active Monitoring – ConsoleWorks actively monitors user access to assets. As described under Privileged Access Management, it performs the role of the Intermediate Device: stopping code-based attacks (malware, viruses, etc.), monitoring all remote activity in real time, and enforcing only authorized remote user access rights.

Third-party monitoring applications such as anti-virus, anti-spyware, vulnerability scanners, patch management systems, change management systems and many more can be integrated with ConsoleWorks for a unified management and monitoring portal. Rules for access can be automated based on the organization's security policies.

Real-time Notification of Events Received from 3rd Party Applications – ConsoleWorks logs and monitors, 24x7 and in real time, all incoming log sources, including those from vulnerability scanners. ConsoleWorks IEMs (Intelligent Event Modules) contain the definitions of known / documented Events provided by the vendor, Event context information, definitions and suggested solutions, and more.

Because all collected logs carry the common base date/time stamp described above, they can be viewed individually or interlaced in date/time order at the sub-second level regardless of the state of each asset's own clock. Evidence of potentially compromised machines can be identified through Alerts and Alarms.

Uncovering Details of an Attack – ConsoleWorks is agnostic about the source of information. Any information source can be managed and monitored as long as it generates data. Sources like NetFlow, identity management, databases, applications, and other data sources are treated in the same manner as devices that are managed and monitored by ConsoleWorks. ConsoleWorks monitors these logs in the context of all other managed applications or hardware. Its ability to aggregate error conditions across all log files enables administrators to view multiple log files, in context, to help in root cause analysis. In many cases, issues have been resolved before other solutions have been notified that an Event has occurred.

When ConsoleWorks sees an incoming message that is important, an Event is defined for that message. When that Event is detected, ConsoleWorks determines who did it, what the message was and what the description was, and saves that information. From there, additional context such as remediation actions, best practices, and links to vendor documentation can be added to that Event.

Helping Prevent Code-based Attacks – As the Intermediate Device between users and assets, ConsoleWorks stops code-based attacks (malware, viruses, etc.), monitors all remote activity in real time, and enforces only authorized remote user access rights.
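An added illustration, not ConsoleWorks code, of the three mechanisms this section and the Unified Dashboard section describe: stamping every received line with the collector's common base time and interlacing all sources on that clock, matching lines against IEM-style Event definitions that carry an initial severity and knowledge-base remediation text, and raising an Alarm when related Events repeat. The log lines, device names and Event definitions are constructed for the example (the addresses are from documentation ranges), and the device clock on one source is deliberately five minutes slow to show why the receipt stamp, not the embedded timestamp, is used for ordering.

```python
"""Added example, not ConsoleWorks code: common-base-time interlacing of two
log sources, pattern-based Event detection, and a repeat-count Alarm."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: (collector receipt time, source asset, raw line), given
# out of order. The receipt time is the common base clock. fw-edge-01's own
# clock is five minutes slow; core-rtr-01 emits no timestamp at all.
RAW = [
    ("2021-03-04T10:00:07.600000+00:00", "fw-edge-01",
     "Mar  4 09:55:07 fw-edge-01 sshd[2201]: Failed password for root from 203.0.113.9 port 51024 ssh2"),
    ("2021-03-04T10:00:01.250000+00:00", "fw-edge-01",
     "Mar  4 09:55:01 fw-edge-01 sshd[2201]: Failed password for root from 203.0.113.9 port 51022 ssh2"),
    ("2021-03-04T10:00:05.020000+00:00", "core-rtr-01",
     "%SYS-5-CONFIG_I: Configured from console by svc_admin on vty0 (10.0.0.5)"),
    ("2021-03-04T10:00:03.100000+00:00", "core-rtr-01",
     "%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down"),
    ("2021-03-04T10:00:04.800000+00:00", "fw-edge-01",
     "Mar  4 09:55:04 fw-edge-01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2"),
]


@dataclass(frozen=True)
class Record:
    received: datetime    # common base time stamped by the collector
    source: str
    line: str


@dataclass(frozen=True)
class EventDef:
    name: str
    pattern: re.Pattern
    severity: int         # initial value shipped with the module; sites override it
    remediation: str      # knowledge-base text attached to every matching Event


# Hypothetical IEM-style definitions; the regexes are written for the sample lines.
EVENT_DEFS = (
    EventDef("auth_failure",
             re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"),
             3, "Confirm the source; lock the account after repeated failures."),
    EventDef("config_change",
             re.compile(r"Configured from (?P<via>\S+) by (?P<user>\S+)"),
             4, "Diff the running configuration against the approved baseline."),
    EventDef("link_down",
             re.compile(r"Interface (?P<ifname>\S+), changed state to down"),
             2, "Check the far-end device and the physical link."),
)


def ingest(raw):
    """Parse receipt stamps; the device's embedded timestamp stays as plain text."""
    return [Record(datetime.fromisoformat(ts), src, line) for ts, src, line in raw]


def interlace(records):
    """Order records from all sources on the common base clock, sub-second."""
    return sorted(records, key=lambda r: (r.received, r.source))


def detect(records):
    """Match each line against the Event definitions; one Event per first match."""
    events = []
    for rec in records:
        for edef in EVENT_DEFS:
            m = edef.pattern.search(rec.line)
            if m:
                events.append({
                    "at": rec.received, "source": rec.source, "event": edef.name,
                    "severity": edef.severity, "fields": m.groupdict(),
                    "remediation": edef.remediation, "raw": rec.line,
                })
                break
    return events


def repeated(events, name, count, window_seconds, key_field):
    """Alarm when `count` Events of one kind share a key inside a sliding window."""
    window = timedelta(seconds=window_seconds)
    seen = {}       # (source, key value) -> times of recent matching Events
    alarms = []
    for ev in events:
        if ev["event"] != name:
            continue
        key = (ev["source"], ev["fields"].get(key_field))
        times = seen.setdefault(key, [])
        times.append(ev["at"])
        while times and ev["at"] - times[0] > window:   # drop expired entries
            times.pop(0)
        if len(times) == count:
            alarms.append({"alarm": f"{name} x{count} within {window_seconds}s",
                           "key": key, "at": ev["at"]})
    return alarms


def run(raw=RAW):
    """Interlace, detect, correlate; returns (events, alarms)."""
    events = detect(interlace(ingest(raw)))
    return events, repeated(events, "auth_failure", 3, 60, "src")


if __name__ == "__main__":
    evs, als = run()
    for e in evs:
        print(e["at"].time(), e["source"], e["event"], e["fields"])
    for a in als:
        print("ALARM", a)
```

Sorting on the receipt stamp places the firewall's three failures and the router's interface and configuration Events in the order they actually reached the collector, even though the firewall's own timestamps say 09:55. The Alarm logic is deliberately keyed on (source, field) so that the same source address failing against two different assets is counted separately.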


Logging of Updates to 3rd Party Applications – ConsoleWorks logs all people and system activity for the systems that it manages. As changes are made to a system or to software on a system, ConsoleWorks monitors and logs those changes.

Knowledge Gaps – ConsoleWorks "learns" about Events from the experts so that less trained people can apply the knowledge of better-trained people. As Events are remediated by experts, ConsoleWorks captures their keystroke input and the resulting output. That remediation session can be tagged as the "Best Practice" in the ConsoleWorks knowledge base for the remediation of that particular Event. In the future, if that Event re-occurs, this previously tagged "Best Practice" is automatically made available by ConsoleWorks for reference. Alternatively, the session can also be used to automate resolution, where it is possible to do so, through ConsoleWorks Actions.

User knowledge of Events can be incorporated into this IEM knowledge base in the same way.

Baseline Configuration Management

Configuration Management – ConsoleWorks can identify the accounts, patch level, services, ports, and settings for the assets that it manages. Once collected, ConsoleWorks can use this information as part of the approved configuration baseline. Once a baseline configuration is established for a cyber asset and a schedule defined for regular checks, all configuration comparison results are logged in ConsoleWorks for each asset. Changes in configurations are kept by ConsoleWorks as long as required, for future reference or compliance purposes.

Baseline checks can also be evaluated against a control / test system to determine whether any deviations have been introduced. Changes in configuration identified by ConsoleWorks create notification Events in the system. These notifications can be used to alert a change management system, user or other personnel. ConsoleWorks accomplishes this by executing Actions that have been defined by the customer; these Actions can send notifications of the asset affected, along with the approved and new baselines and any changes detected between the two.

Comparing & Validating Secure Configurations Against Standards & Documenting Deviations – ConsoleWorks can collect firewall, router, switch and other network device configurations for each type of device that it manages. Once collected, ConsoleWorks can use this information as part of the approved configuration baseline. Once that baseline configuration is established and a schedule is defined to execute regular checks, all configuration comparison results are logged in ConsoleWorks for each asset. Approvals for a change are also documented. Changes in baseline configurations and the resulting approvals are kept by ConsoleWorks as long as required, for future reference.

Tracking Installed Software – Once a baseline of authorized software for each system type has been established, the ConsoleWorks Baseline Configuration Management module can run scheduled comparisons of the current software type, version and patches installed against the previously established baseline. Changes identified by ConsoleWorks create notification Events that may be used to alert a change management system, user or other personnel.

Establishing Baseline Configurations for Patches – Once the patch level has been updated on a test system, for example, other similarly configured devices can be checked to ensure that the same patches have been installed. If not, a Notification Event is triggered and Alerts are sent to the appropriate personnel.

ConsoleWorks BCM can also be used to perform regular checks on devices to ensure that Autorun has been disabled. If not, an Event is triggered and a notification is sent to the appropriate personnel.

 

Documenting that the Backup and Restoration Test Occurred – The ConsoleWorks Baseline Configuration Management module can be used to trigger a system command that runs on a scheduled basis, such as a backup command. Events that notify the appropriate personnel of the need for the restoration test can be triggered. ConsoleWorks then logs that the backup command was run and that the test notification was sent (as Events) for future compliance reporting purposes. Note that these Events record that the command ran and that the reminder went out; the restoration test itself, and its outcome, still has to be captured (for example as the logged session in which the restore is performed) for the record to serve as evidence that the backup is restorable.

Monitoring for Unnecessary Software, Ports & Services – Once a baseline of authorized software, ports, services, accounts, etc., for each system type has been established, the ConsoleWorks Baseline Configuration Management module can run comparisons of current configurations against the previously established baseline. Any differences identified by ConsoleWorks create notification Events that may be used to alert a change management system, user or other personnel.
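The baseline comparison this section describes, as an added Python example that is not the ConsoleWorks BCM module: a collected snapshot of accounts, services, listening ports, installed patches, software versions and settings is compared against the approved baseline; each deviation becomes a notification Event that carries both the approved and the observed value; and a patched test system serves as the reference for checking similarly configured hosts. The snapshots, host names, patch identifiers and severity table are constructed for the example.

```python
"""Added example, not ConsoleWorks code: compare a collected configuration
snapshot with an approved baseline and emit notification Events."""

# Constructed snapshots for a hypothetical host "db-01". Set-valued sections
# (accounts, services, ports, patches) and map-valued sections (software
# versions, settings) are compared differently.
BASELINE = {
    "accounts": {"root", "svc_backup", "dbadmin"},
    "services": {"sshd", "ntpd", "postgresql"},
    "ports": {22, 123, 5432},
    "patches": {"P-2021-01", "P-2021-02", "P-2021-03"},
    "software": {"openssl": "1.1.1k", "bash": "5.0", "postgresql": "12.6"},
    "settings": {"autorun": "disabled", "permit_root_login": "no"},
}
CURRENT = {
    "accounts": {"root", "svc_backup", "dbadmin", "tmpadmin"},    # new account
    "services": {"sshd", "ntpd", "postgresql", "telnetd"},        # new service
    "ports": {22, 23, 123, 5432},                                 # telnet listening
    "patches": {"P-2021-01", "P-2021-02"},                        # one patch missing
    "software": {"openssl": "1.1.1j", "bash": "5.0", "postgresql": "12.6"},  # downgrade
    "settings": {"autorun": "enabled", "permit_root_login": "no"},            # autorun on
}

# Initial severity per (section, kind); anything not listed defaults to 3.
SEVERITY = {
    ("accounts", "added"): 5, ("services", "added"): 4, ("ports", "added"): 4,
    ("patches", "removed"): 4, ("settings", "changed"): 4, ("software", "changed"): 3,
}


def _dev(section, kind, item, expected, observed):
    return {"section": section, "kind": kind, "item": item,
            "expected": expected, "observed": observed}


def compare(baseline, current):
    """Return every deviation of `current` from `baseline`, section by section."""
    deviations = []
    for section in sorted(set(baseline) | set(current)):
        base, cur = baseline.get(section), current.get(section)
        if isinstance(base, dict) or isinstance(cur, dict):
            base, cur = base or {}, cur or {}
            for k in sorted(set(base) | set(cur)):
                if k not in cur:
                    deviations.append(_dev(section, "removed", k, base[k], None))
                elif k not in base:
                    deviations.append(_dev(section, "added", k, None, cur[k]))
                elif base[k] != cur[k]:
                    deviations.append(_dev(section, "changed", k, base[k], cur[k]))
        else:
            base, cur = set(base or ()), set(cur or ())
            for item in sorted(cur - base, key=str):
                deviations.append(_dev(section, "added", item, None, item))
            for item in sorted(base - cur, key=str):
                deviations.append(_dev(section, "removed", item, item, None))
    return deviations


def to_events(asset, deviations):
    """Turn deviations into notification Events carrying approved and observed values."""
    return [{
        "asset": asset,
        "event": f"baseline_{d['section']}_{d['kind']}",
        "severity": SEVERITY.get((d["section"], d["kind"]), 3),
        "item": d["item"], "approved": d["expected"], "observed": d["observed"],
    } for d in deviations]


def missing_patches(reference, fleet):
    """Check similarly configured hosts against a patched test system.

    Returns {host: [missing patch ids]} for hosts behind the reference only.
    """
    want = set(reference["patches"])
    return {host: sorted(want - set(snap["patches"]))
            for host, snap in fleet.items()
            if want - set(snap["patches"])}


if __name__ == "__main__":
    for ev in to_events("db-01", compare(BASELINE, CURRENT)):
        print(ev)
    print(missing_patches(BASELINE, {"db-01": CURRENT, "db-02": BASELINE}))
```

Keeping the approved and observed values inside each Event is what lets the notification Action send "the approved and new baselines and any changes detected between the two" without a second lookup, and a comparison of a baseline with itself yields no Events, which is the check to run after the baseline is re-approved.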

 

ConsoleWorks Mapping to the SANS Top 20 Critical Security Controls

The following table documents each of the SANS Top 20 Critical Security Controls along with a more detailed description of a typical application of the Control. TDi Technologies has mapped each of the 20 Controls to a ConsoleWorks module and a feature within that module that addresses that control in whole or in part. Each module and feature is outlined above and referenced in the table.

1. Inventory of Authorized and Unauthorized Devices

Critical Security Control Description: Reduce the ability of attackers to find and exploit unauthorized and unprotected systems: Use active monitoring and configuration management to maintain an up-to-date inventory of devices connected to the enterprise network, including servers, workstations, laptops and remote devices.

Any time a new device is installed on a network, the risks of exposing the network to unknown vulnerabilities or hampering its operation are present. Malicious code can take advantage of new hardware that is not configured and patched with appropriate security updates at the time of installation. Attackers can use these vulnerable systems to install backdoors before they are hardened. In automating Critical Control 1, it is critical for all devices to have an accurate and up-to-date inventory control system in place. Any device not in the database should be prohibited from connecting to the network. Some organizations maintain asset inventories by using specific large-scale enterprise commercial products or by using free solutions to track and sweep the network periodically. To evaluate the implementation of Control 1 on a periodic basis, the evaluation team will connect hardened test systems to at least 10 locations on the network. This will include a selection of subnets associated with DMZs, workstations, and servers.

ConsoleWorks Module / Feature: End to End Monitoring & Management – Active Monitoring; Baseline Configuration Management
NSA Assessment: Very High

2. Inventory of Authorized and Unauthorized Software

Critical Security Control Description: Identify vulnerable or malicious software to mitigate or root out attacks: Devise a list of authorized software for each type of system, and deploy tools to track software installed (including type, version, and patches) and monitor for unauthorized or unnecessary software.

An organization without the ability to inventory and control its computers' installed programs makes its systems more vulnerable to attack. Furthermore, poorly controlled machines are more likely to be running software that is unneeded for business purposes, introducing potential security flaws. Compromised systems become a staging point for attackers to collect sensitive information. In order to combat this potential threat, an organization should scan a network and identify known or responding applications. Commercial software and asset inventory tools are widely available. The best tools provide an inventory check of hundreds of common applications, pulling information about the patch level of each installed program. This ensures that it is the latest version and that it leverages standardized application names, like those found in the Common Platform Enumeration (CPE) specification. In addition to inventory checks, tools that implement whitelists (allow) and blacklists (deny) of programs are included in many modern end-point security suites. To evaluate the implementation of Control 2 on a periodic basis, the team must move a benign software test program that is not included in the authorized software list onto 10 systems on the network. The team must then verify that the software is blocked and unable to run.

ConsoleWorks Module / Feature: Baseline Configuration Management – Tracking Installed Software; Privileged Access Management – White list / Blacklist
NSA Assessment: Very High

3. Secure Configurations for Hardware & Software on Laptops, Workstations, and Servers

Critical Security Control Description: Prevent attackers from exploiting services and settings that allow easy access through networks and browsers: Build a secure image that is used for all new systems deployed to the enterprise, host these standard images on secure storage servers, regularly validate and update these configurations, and track system images in a configuration management system.

Default configurations of software are often geared to ease of deployment and ease of use and not security, leaving some systems exploitable in their default state. Attackers attempt to exploit both network-accessible services and client software using various forms of malware. Without the ability to inventory and control installed and running software, enterprises make their systems more vulnerable. Organizations can implement this control by developing a series of images and secure storage servers for hosting these standard images. Configuration management tools can be employed to measure the settings of the installed software and to look for deviations from the standard image configurations used by the organization. To evaluate the implementation of Control 3 on a periodic basis, an evaluation team must move a benign test system (one that does not contain the official hardened image, but does contain additional services, ports, and configuration file changes) onto the network. The evaluation team must then verify that the systems generate an alert or e-mail notice regarding the changes to the software.

ConsoleWorks Module / Feature: Baseline Configuration Management – Validating a Secure Configuration
NSA Assessment: Very High

4. Continuous Vulnerability Assessment and Remediation

Critical Security Control Description: Proactively identify and repair software vulnerabilities reported by security researchers or vendors: Regularly run automated vulnerability scanning tools against all systems and quickly remediate any vulnerabilities, with critical problems fixed within 48 hours.

Soon after new vulnerabilities are discovered and reported by security researchers or vendors, attackers engineer exploit code and launch it against targets of interest. Any significant delay in finding or fixing software with critical vulnerabilities provides ample opportunity for persistent attackers to break through and gain control of vulnerable machines. A large number of vulnerability scanning tools are available to evaluate the security configuration of systems. The most effective vulnerability scanning tools compare the results of the current scan with previous scans to determine how the vulnerabilities in the environment have changed over time. All machines identified by the asset inventory system must be scanned for vulnerabilities. To evaluate the implementation of Control 4 on a periodic basis, the evaluation team must verify that scanning tools have successfully completed their weekly or daily scans.

ConsoleWorks Module / Feature: End to End Monitoring and Management – Real-time Notification of Events Received
NSA Assessment: Very High

5.  Malware  Defenses  

Critical Security Control Description

Block malicious code from tampering with system settings or contents, capturing sensitive data, or spreading: Use automated anti-virus and anti-spyware software to continuously monitor and protect workstations, servers, and mobile devices. Automatically update such anti-malware tools on all machines on a daily basis. Prevent network devices from using auto-run programs to access removable media.


organizations via Web browsing, e-mail attachments, mobile devices, and other vectors. Malicious code may tamper with a system's contents, capture sensitive data, and spread to other systems. To ensure anti-virus signatures are up-to-date, effective organizations use automation. They use the built-in administrative features of enterprise endpoint security suites to verify that anti-virus, anti-spyware, and host-based Intrusion Detection Systems (IDS) features are active on every managed system. They also run automated assessments daily and review the results to find and mitigate systems that have deactivated such protections or do not have the latest malware definitions. The system must identify any malicious software that is either installed, attempted to be installed, executed, or attempted to be executed, on a computer system. To evaluate the implementation of Control 5 on a periodic basis, the evaluation team must move a benign software test program appearing to be malware onto a system and make sure it is properly discovered and remediated.

ConsoleWorks Module / Feature

End to End Monitoring and Management – Helping Prevent Code-based Attacks
End to End Monitoring and Management – Logging of Updates to 3rd Party Applications
Baseline Configuration Management – Establishing Baseline Configurations

NSA Assessment High/Medium

6.  Application  Software  Security  

Critical Security Control Description

Neutralize vulnerabilities in web-based and other application software: Carefully test internally developed and third-party application software for security flaws, including coding errors and malware. Deploy web application firewalls that inspect all traffic, and explicitly check for errors in all user input (including by size and data type).

Criminal organizations frequently attack vulnerabilities in both web-based and non-web-based application software. In fact, it's a top priority for criminals.

Application software is vulnerable to remote compromise in three ways:

• It does not properly check the size of user input
• It fails to sanitize user input by filtering out potentially malicious character sequences
• It does not initialize and clear variables properly

To avoid attacks, internally developed and third party application software must be carefully tested to find security flaws. Source code testing tools, web application security scanning tools, and object code testing tools have proven useful in securing application software. Another useful tool is manual application security penetration testing by testers who have extensive programming knowledge and application penetration testing expertise. The system must be capable of detecting and blocking an application-level software attack, and must generate an alert or send e-mail to enterprise administrative personnel. To evaluate the implementation of Control 6 on a monthly basis, an evaluation team must use a web application vulnerability scanner to test software security flaws.
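The following Python example is added here to show the two input-handling approaches the control description contrasts; it is not ConsoleWorks code and is not part of the original whitepaper. weak_validate is the blacklist style that only strips a few characters and performs no size or type check. validate_order is the hardened form: every field is checked for type, for size (before any pattern matching runs), and against an allow-list pattern, and anything not explicitly permitted is rejected. The order record layout, its field rules and the sample inputs are constructed for the example.

```python
"""Input validation by size and data type against an explicit allow-list.

Added example for this page, not ConsoleWorks code. weak_validate shows the
blacklist-filtering approach the text warns about; validate_order is the
hardened form that checks size, type and pattern for every field. The order
record layout and its field rules are constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

MAX_NAME_LEN = 64
MAX_QTY = 10_000
# Allow-list patterns (constructed): characters a customer name may contain,
# and an 8-lowercase-hex-digit order id.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z .'-]*")
ORDER_ID_RE = re.compile(r"[0-9a-f]{8}")


class ValidationError(ValueError):
    pass


@dataclass(frozen=True)
class Order:
    order_id: str
    customer: str
    quantity: int


def weak_validate(raw: dict) -> dict:
    """Blacklist filtering, the approach the control description argues against.

    It strips a handful of dangerous characters and trusts everything else:
    no size check, no type check, and any sequence outside the blacklist
    (encoded forms, look-alike characters) passes straight through.
    """
    blacklist = set("';\"<>")
    return {k: "".join(ch for ch in str(v) if ch not in blacklist) for k, v in raw.items()}


def validate_order(raw: dict) -> Order:
    """Allow-list validation: reject anything not explicitly permitted."""
    expected = {"order_id", "customer", "quantity"}
    if set(raw) != expected:
        raise ValidationError(f"unexpected or missing fields: {sorted(set(raw) ^ expected)}")

    order_id = raw["order_id"]
    if not isinstance(order_id, str) or not ORDER_ID_RE.fullmatch(order_id):
        raise ValidationError("order_id must be 8 lowercase hex digits")

    customer = raw["customer"]
    if not isinstance(customer, str):
        raise ValidationError("customer must be a string")
    if len(customer) > MAX_NAME_LEN:  # size check runs before the pattern
        raise ValidationError("customer name too long")
    if not NAME_RE.fullmatch(customer):
        raise ValidationError("customer name contains disallowed characters")

    quantity = raw["quantity"]
    if isinstance(quantity, bool) or not isinstance(quantity, int):  # bool is an int subclass
        raise ValidationError("quantity must be an integer")
    if not 1 <= quantity <= MAX_QTY:
        raise ValidationError("quantity out of range")

    return Order(order_id, customer, quantity)


def is_valid_order(raw: dict) -> bool:
    """True if validate_order accepts the record."""
    try:
        validate_order(raw)
    except ValidationError:
        return False
    return True


if __name__ == "__main__":
    hostile = {"order_id": "0a1b2c3d", "customer": "Robert'); DROP TABLE orders;--", "quantity": 3}
    print("weak_validate lets through:", weak_validate(hostile)["customer"])
    print("validate_order accepts it:", is_valid_order(hostile))
```

The size check is deliberately placed ahead of the regular-expression check so that an oversized input is rejected before any pattern matching is spent on it; with an allow-list, the list of "bad characters" never has to be complete, because anything outside the permitted set fails.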

ConsoleWorks Module / Feature

End to End Monitoring and Management – Real-time Notification of Events

NSA Assessment High

7.  Wireless  Device  Control  

Critical Security Control Description

Protect the security perimeter against unauthorized wireless access: Allow wireless devices to connect to the network only if they match an authorized configuration and security profile and have a documented owner and defined business need. Ensure that all wireless access points are manageable using enterprise management tools. Configure scanning tools to detect wireless access points.

Attackers who gain wireless access to an organization from nearby parking lots have initiated major data thefts. This allows attackers to bypass an organization's security perimeter and maintain long-term access inside a target. Effective organizations run commercial wireless scanning, detection, and discovery tools as well as commercial wireless intrusion detection systems. The system must be capable of identifying unauthorized wireless devices or configurations when they are within range of the organization's systems or connected to its networks. To evaluate the implementation of Control 7 on a periodic basis, the evaluation team must configure unauthorized but hardened wireless clients and wireless access points and attach them to the organization's network. It must also attempt to connect them to the organization's wireless networks. These access points must be detected and remediated in a timely manner.

ConsoleWorks Module / Feature

Privileged Access Management – Wireless Device Control

NSA Assessment High

8.  Data  Recovery  Capability  

Critical  Security   Control  Description  

Minimize  the  damage  from  an  attack:  Implement  a  trustworthy  plan  for  removing  all  traces   of  an  attack.  Automatically  back  up  all  information  required  to  fully  restore  each  system,   including  the  operating  system,  application  software,  and  data.    Back  up  all  systems  at   least  weekly:  back  up  sensitive  systems  more  often.  Regularly  test  the  restoration  process.  

When attackers compromise machines, they often make significant changes to configurations and software. Sometimes attackers also make subtle alterations of data stored on compromised machines, potentially jeopardizing organizational effectiveness with polluted information. Once per quarter, a testing team should evaluate a random sample of system backups by attempting to restore them on a test bed environment. The restored systems should be verified to ensure that the operating system, application, and data from the backup are all intact and functional.

ConsoleWorks Module / Feature

Baseline Configuration Management – Documenting that the Backup and Restoration Test Occurred

NSA Assessment Medium

9.  Security  Skills  Assessment  and  appropriate  Training  to  Fill  Gaps  

Critical Security Control Description

Find knowledge gaps, and fill them with exercises and training: Develop a security skills assessment program, map training against the skills required for each job, and use the results to allocate resources effectively to improve security practices.

An  organization  hoping  to  find  and  respond  to  attacks  effectively  relies  on  its  employees  and   contractors  to  find  the  gaps  and  fill  them.  A  solid  security  skills  assessment  program  can  provide   actionable  information  to  decision  makers  about  where  security  awareness  needs  to  be  improved.  It   can  also  help  determine  proper  allocation  of  limited  resources  to  improve  security  practices.  The  key   to  upgrading  skills  is  measurement,  not  with  certification  examinations,  but  with  assessments  that   show  both  the  employee  and  the  employer  where  knowledge  is  sufficient  and  where  there  are  gaps.   Once  the  gaps  have  been  identified,  those  employees  who  have  the  requisite  knowledge  can  be  called   upon  to  mentor  the  employees  who  do  not.  The  organization  can  also  develop  training  programs  that   directly  maintain  employee  readiness.  

ConsoleWorks Module / Feature

End to End Monitoring and Management – Knowledge Gaps

NSA Assessment Medium

10.  Secure  Configurations  for  Network  Devices  such  as  Firewalls,  Routers,  and  Switches  

Critical Security Control Description

Preclude electronic holes from forming at connection points with the Internet, other organizations, and internal network segments: Compare firewall, router, and switch configurations against standards for each type of network device. Ensure that any deviations from the standard configuration are documented and approved and that any temporary deviations are undone when the business need abates.

Attackers penetrate defenses by searching for electronic holes in firewalls, routers, and switches. Once these network devices have been exploited, attackers can gain access to target networks, redirect traffic on that network (to a malicious system masquerading as a trusted system), and intercept and alter information while in transmission. Organizations can use commercial tools that will evaluate the rule set of network filtering devices, which determine whether they are consistent or in conflict and provide an automated check of network filters. Additionally, these commercial tools search for errors in rule sets. Such tools should be run each time significant changes are made to firewall rule sets, router ACLs, or other filtering technologies. To evaluate the implementation of Control 10 on a periodic basis, an evaluation team must make a change to each type of network device plugged into the network. At a minimum, routers, switches, and firewalls need to be tested. If they exist, IPS, IDS, and other network devices must be included.
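The following Python example is added here to illustrate the comparison against a standard that both Control 3 (software settings measured against the standard image) and Control 10 (network device configurations against the standard for each device type) call for; it is not ConsoleWorks code and is not part of the original whitepaper. It treats a configuration as a set of meaningful lines, reports standard lines that are missing, lines present that are neither standard nor approved, and approved temporary deviations whose end date has passed, which is the "undone when the business need abates" requirement. The router-style baseline, running configuration, change ticket numbers and dates are constructed for the example.

```python
"""Compare a configuration against its standard and report deviations.

Added example for this page, not ConsoleWorks code. It works on any
line-oriented configuration (a router or firewall running-config, a hardened
image's sshd_config or sysctl settings). The standard, the running config and
the register of approved deviations below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class ApprovedDeviation:
    line: str                 # the non-standard line that was approved
    replaces: Optional[str]   # standard line it supersedes, if any
    ticket: str               # change record granting the approval (constructed)
    expires: Optional[date]   # None = permanent; otherwise must be undone by this date


@dataclass
class DeviationReport:
    missing: list[str] = field(default_factory=list)     # required lines absent
    unexpected: list[str] = field(default_factory=list)  # present, but neither standard nor approved
    expired: list[str] = field(default_factory=list)     # approved deviation past its end date

    def is_compliant(self) -> bool:
        return not (self.missing or self.unexpected or self.expired)


def normalise(text: str) -> set[str]:
    """One entry per meaningful line: drop blanks and comments, collapse whitespace."""
    lines = set()
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if line and not line.startswith(("!", "#")):
            lines.add(line)
    return lines


def compare(standard: str, current: str, approved: list[ApprovedDeviation], today: date) -> DeviationReport:
    std, cur = normalise(standard), normalise(current)
    by_line = {d.line: d for d in approved}
    report = DeviationReport()

    # Lines present on the device but not in the standard.
    still_valid: set[str] = set()
    for line in sorted(cur - std):
        dev = by_line.get(line)
        if dev is None:
            report.unexpected.append(line)
        elif dev.expires is not None and dev.expires < today:
            report.expired.append(f"{line} (approved by {dev.ticket}, expired {dev.expires.isoformat()})")
        elif dev.replaces:
            still_valid.add(dev.replaces)

    # Standard lines missing from the device, unless a valid approved deviation supersedes them.
    report.missing = sorted(line for line in std - cur if line not in still_valid)
    return report


# Constructed router-style baseline and running configuration.
STANDARD = """
! Router baseline (constructed)
service password-encryption
no ip http server
no ip http secure-server
ip ssh version 2
logging host 10.0.0.50
line vty 0 4
 transport input ssh
"""
RUNNING = """
! Running config pulled from the device (constructed)
service password-encryption
no ip http server
ip http secure-server
ip ssh version 2
logging host 10.0.0.50
line vty 0 4
 transport input ssh telnet
snmp-server community public RO
"""
APPROVED = [
    ApprovedDeviation("ip http secure-server", "no ip http secure-server", "CHG-1042", date(2014, 6, 30)),
    ApprovedDeviation("transport input ssh telnet", "transport input ssh", "CHG-1101", None),
]
TODAY = date(2014, 7, 15)


def run_example() -> DeviationReport:
    return compare(STANDARD, RUNNING, APPROVED, TODAY)


if __name__ == "__main__":
    r = run_example()
    print("missing:   ", r.missing)
    print("unexpected:", r.unexpected)
    print("expired:   ", r.expired)
```

In the sample, the telnet deviation is permanent and documented, so neither it nor the standard line it supersedes is reported; the HTTPS server deviation was approved only until 30 June, so on 15 July it is reported as expired and the standard line it displaced shows up as missing; the read-only SNMP community was never approved at all and is reported as unexpected.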

ConsoleWorks Module / Feature

Baseline Configuration Management – Comparing Configurations Against Standards & Documenting Deviations

NSA Assessment High/Medium

11.  Limitation  and  Control  of  Network  Ports,  Protocols,  and  Services  

Critical  Security   Control  Description  

Allow  remote  access  only  to  legitimate  users  and  services:  Apply  host-­‐based  firewalls  and   port-­‐filtering  and  scanning  tools  to  block  traffic  that  is  not  explicitly  allowed.  Properly   configure  web  servers,  mail  servers,  file  and  print  services,  and  domain  name  system  (DNS)   servers  to  limit  remote  access.  Disable  automatic  installation  of  unnecessary  software   components.  Move  servers  inside  the  firewall  unless  remote  access  is  required  for  business   purposes.  

Attackers search for remotely accessible network services that are vulnerable to exploitation. Many software packages automatically install services and turn them on as part of the installation of the main software package. When this occurs, the software rarely informs a user that the services have been enabled. Port scanning tools are used to determine which services are listening on the network for a range of target systems. In addition to determining which ports are open, effective port scanners can be configured to identify the version of the protocol and service listening on each discovered open port. The system must be capable of identifying any new unauthorized listening network ports that are connected to the network. To evaluate the implementation of Control 11 on a periodic basis, the evaluation team must install hardened test services with network listeners on ten locations on the network, including a selection of subnets associated with DMZs, workstations, and servers.
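The following Python example is added here to illustrate identifying new, unauthorized listening ports on a host; it is not ConsoleWorks code and is not part of the original whitepaper. It parses the output of the Linux `ss -ltn` command and compares the network-reachable listeners against the ports approved for the host's role, ignoring sockets bound to loopback because they cannot be reached from the network. The captured `ss` output and the approved-port table are constructed for the example; a test listener installed by the evaluation team would appear in this report as an unapproved port.

```python
"""Find listening network services that are not on the approved list for a host.

Added example for this page, not ConsoleWorks code. It parses `ss -ltn` output
(Linux) and compares the listeners against the ports approved for the host's
role; the captured output and the approved-port table are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# Constructed approved-listener table: role -> ports that may be network-reachable.
APPROVED_PORTS = {
    "web": {22, 443},
    "db": {22, 3306},
}


@dataclass(frozen=True)
class Listener:
    address: str
    port: int

    @property
    def network_reachable(self) -> bool:
        """Loopback-bound listeners are not remotely reachable; everything else is."""
        return self.address not in LOOPBACK


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -ltn` lines: the local address is the 4th column, the port follows the last ':'."""
    listeners = []
    for line in output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue  # header line or unrelated socket state
        addr, _, port = cols[3].rpartition(":")  # handles "[::]:22", ":::22" and "*:8080"
        listeners.append(Listener(addr, int(port)))
    return listeners


def unauthorized_listeners(listeners: list[Listener], role: str) -> list[Listener]:
    """Network-reachable listeners whose port is not approved for the role, lowest port first."""
    allowed = APPROVED_PORTS.get(role, set())
    return sorted(
        (l for l in listeners if l.network_reachable and l.port not in allowed),
        key=lambda l: (l.port, l.address),
    )


# Constructed `ss -ltn` capture from a host in the "web" role.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       128     0.0.0.0:443          0.0.0.0:*
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       50      0.0.0.0:3306         0.0.0.0:*
LISTEN  0       128     *:8080               *:*
"""


def run_example(role: str = "web") -> list[int]:
    return [l.port for l in unauthorized_listeners(parse_ss(SAMPLE_SS), role)]


if __name__ == "__main__":
    print("unapproved network listeners on a web host:", run_example("web"))
```

On the sample host, 22 and 443 are approved for the web role, 5432 is bound to loopback only and is not reported, and 3306 and 8080 are flagged. The same capture evaluated against the "db" role flags 443 and 8080 instead, which is why the approved list is kept per role rather than as one global allow-list.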

ConsoleWorks Module / Feature

Privileged Access Management – Remote Access to Legitimate Users
Baseline Configuration Management – Monitoring for Unnecessary Software, Ports & Services

NSA Assessment High/Medium

12.  Controlled  Use  of  Administrative  Privileges  

Critical  Security   Control  Description  

Protect  and  validate  administrative  accounts  on  desktops,  laptops,  and  servers  to  prevent   two  common  types  of  attack:  (1)  enticing  users  to  open  a  malicious  email  attachment,  or   file,  or  to  visit  a  malicious  website,  and  (2)  cracking  an  administrative  password  and   thereby  gaining  access  to  a  target  machine.  Use  robust  passwords  that  follow  Federal   Desktop  Core  Configuration  (FDCC)  standards.  

The  most  common  method  attackers  use  to  infiltrate  a  target  enterprise  is  through  an  employee's   own  misuse  of  administrator  privileges.  An  attacker  can  easily  convince  a  workstation  user  to  open  a   malicious  e-­‐mail  attachment,  download  and  open  a  file  from  a  malicious  site,  or  surf  to  a  site  that   automatically  downloads  malicious  content.  If  the  user  is  logged  in  as  an  administrator,  the  attacker   has  full  access  to  the  system.  Built-­‐in  operating  system  features  can  extract  lists  of  accounts  with   superuser  privileges,  both  locally  on  individual  systems  and  on  overall  domain  controllers.  These   accounts  should  be  monitored  and  tracked  very  closely.  To  evaluate  the  implementation  of  Control  12   on  a  periodic  basis,  an  evaluation  team  must  verify  that  the  organization's  password  policy  is  enforced   and  administrator  accounts  are  carefully  controlled.  The  evaluation  team  does  this  by  creating  a   temporary,  disabled,  limited  privilege  test  account  on  ten  different  systems.  It  then  attempts  to   change  the  password  on  the  account  to  a  value  that  does  not  meet  the  organization's  password   policy.  

ConsoleWorks Module / Feature

NSA Assessment High/Medium

13.  Boundary  Defense  

Critical  Security   Control  Description  

Control  the  flow  of  traffic  through  network  borders,  and  police  content  by  looking  for   attacks  and  evidence  of  compromised  machines:  Establish  multilayered  boundary   defenses  by  relying  on  firewalls,  proxies,  demilitarized  zone  (DMZ),  perimeter  networks,   and  other  network  based  tools.  Filter  inbound  and  outbound  traffic,  including  through   business  partner  networks  (“Extranets”).  

By attacking Internet-facing systems, attackers can create a relay point to break into other networks or internal systems. Automated tools can be used to exploit vulnerable entry points into a network. To control the flow of traffic through network borders and to look for attacks and evidence of compromised machines, boundary defenses should be multi-layered. These boundaries should consist of firewalls, proxies, DMZ perimeter networks, and network-based intrusion prevention systems and intrusion detection systems. Organizations should regularly test these sensors by launching vulnerability-scanning tools. These tools verify that the scanner traffic triggers an appropriate alert. The captured packets of the Intrusion Detection Systems (IDS) sensors should be reviewed using an automated script each day, which ensures log volumes are within expected parameters, are formatted properly, and have not been corrupted. To evaluate the implementation of Control 13 on a periodic basis, an evaluation team must test boundary devices. This is done by sending packets from outside a trusted network, which ensures that only authorized packets are allowed through the boundary. All other packets must be dropped.

ConsoleWorks Module / Feature

End to End Monitoring & Management – Uncovering Details of an Attack

NSA Assessment High/Medium

14.  Maintenance,  Monitoring,  and  Analysis  of  Security  Audit  Logs  

Critical Security Control Description

Use detailed logs to identify and uncover the details of an attack, including the location, malicious software deployed, and activity on victim machines: Generate standardized logs for each hardware device and the software installed on it, including date, time stamp, source addresses, destination addresses, and other information about each packet and/or transaction. Store logs on dedicated servers and run biweekly reports to identify and document anomalies.

At times, audit logs provide the only evidence of a successful attack. Many organizations keep audit records for compliance purposes but rarely review them. When audit logs aren't reviewed, organizations don't know their systems have been compromised. Attackers rely on this. Most free and commercial operating systems, network services, and firewall technologies offer logging capabilities. Such logging should be activated, and logs should be sent to centralized logging servers. The system must be capable of logging all events across the network. The logging must be validated across both network and host-based systems. To evaluate the implementation of Control 14 on a periodic basis, an evaluation team must review the security logs of various network devices, servers, and hosts.

ConsoleWorks Module / Feature

End to End Monitoring and Management – Uncovering Details of an Attack

NSA Assessment Medium
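The following Python example is added here to illustrate the daily automated review that Control 13 asks for on IDS sensor logs (volume within expected parameters, properly formatted, not corrupted) and the anomaly reporting over centralized logs that Control 14 describes; it is not ConsoleWorks code and is not part of the original whitepaper. It parses alert lines in Snort-style "fast" alert format, counts lines that fail the format as malformed, checks the day's volume against an expected baseline, and summarizes sources raising priority-1 alerts or touching many distinct destinations. The alert lines, addresses and the expected daily volume are constructed for the example; a production version would derive the expected volume from its own log history.

```python
"""Daily review of IDS alert logs: format check, volume check, and anomaly summary.

Added example for this page, not ConsoleWorks code. The alert lines are constructed
in Snort-style "fast" alert format; the expected daily volume is an assumed baseline
that a real deployment would derive from its own history.
"""
from __future__ import annotations

import re
from collections import defaultdict

# One Snort-style fast alert per line. Ports are optional so ICMP alerts parse too;
# IPv6 addresses (which contain ':') are not handled by this simple pattern.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)


def parse_alerts(text: str) -> tuple[list[dict], list[str]]:
    """Return (well-formed alerts, malformed lines). Malformed lines mean corruption or a format change."""
    alerts, malformed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ALERT_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["prio"] = int(rec["prio"])
            alerts.append(rec)
        else:
            malformed.append(line)
    return alerts, malformed


def volume_within_band(count: int, expected: int, tolerance: float = 0.5) -> bool:
    """True if the day's count is within +/- tolerance of the expected daily volume.

    A sudden drop usually means a sensor or log forwarder has died; a spike means
    an incident or a noisy new rule. Either way a human should look.
    """
    return expected * (1 - tolerance) <= count <= expected * (1 + tolerance)


def anomalies(alerts: list[dict], fanout_threshold: int = 3) -> dict:
    """Sources raising priority-1 alerts, and sources hitting many distinct destinations (scan-like)."""
    prio1 = sorted({a["src"] for a in alerts if a["prio"] == 1})
    targets: dict[str, set[str]] = defaultdict(set)
    for a in alerts:
        targets[a["src"]].add(a["dst"])
    fanout = sorted(src for src, dsts in targets.items() if len(dsts) >= fanout_threshold)
    return {"priority1_sources": prio1, "fanout_sources": fanout}


def daily_review(text: str, expected_daily: int) -> dict:
    alerts, malformed = parse_alerts(text)
    return {
        "alerts": len(alerts),
        "malformed": len(malformed),
        "volume_ok": volume_within_band(len(alerts), expected_daily),
        **anomalies(alerts),
    }


# Constructed sample: four well-formed alerts and one truncated (corrupted) line.
SAMPLE_ALERTS = """\
03/04-10:15:22.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 10.0.0.12:49152
03/04-10:16:01.000321  [**] [1:1000001:1] LOCAL Inbound SSH from untrusted net [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:51234 -> 10.0.0.22:22
03/04-10:16:02.000654  [**] [1:1000001:1] LOCAL Inbound SSH from untrusted net [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:51235 -> 10.0.0.23:22
03/04-10:17:45.777777  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 10.0.0.12
03/04-10:18:0
"""

if __name__ == "__main__":
    for k, v in daily_review(SAMPLE_ALERTS, expected_daily=4).items():
        print(f"{k:18s} {v}")
```

The malformed count is the cheapest corruption check available: a sensor that has been tampered with, a full disk, or a forwarder that changed format all show up as lines the parser rejects. The volume band and the fan-out summary are deliberately simple thresholds; the point is that the review runs every day without a human having to open the raw log.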

15.  Controlled  Access  Based  on  Need  to  Know  

Critical  Security   Control  Description  

Prevent attackers from gaining access to highly sensitive data: Carefully identify and separate critical data from information that is readily available to internal network users. Establish a multilevel data classification scheme based on the impact of any data exposure and ensure that only authenticated users have access to nonpublic data and files.

Some organizations do not carefully identify and separate sensitive data from less sensitive, publicly available information within an internal network. In many environments, internal users have access to all or most of the information on the network. Once attackers have penetrated such a network, they can easily find and exfiltrate important information with little resistance. This control is often implemented using the built-in separation of administrator accounts from non-administrator accounts. The system must be able to detect all attempts by users to access files without the appropriate privileges and must generate an alert or e-mail for administrative personnel. This includes information on local systems or network accessible file shares. To evaluate the implementation of Control 15 on a periodic basis, the evaluation team must create test accounts with limited access and verify that the account is unable to access controlled information.

ConsoleWorks Module / Feature

Privileged Access Management – Preventing Unauthorized Access to Sensitive Data

NSA Assessment Medium

16.  Account  Monitoring  and  Control  

Critical  Security   Control  Description  

Keep attackers from impersonating legitimate users: Review all system accounts and disable any that are not associated with a business process and owner. Immediately revoke system access for terminated employees or contractors. Disable dormant accounts and encrypt and isolate any files associated with such accounts. Use robust passwords that conform to FDCC standards.

Attackers  frequently  impersonate  legitimate  users  through  inactive  user  accounts.  This  method  makes   it  difficult  for  network  watchers  to  identify  attackers'  behavior.  Although  most  operating  systems   include  capabilities  for  logging  information  about  account  usage,  these  features  are  sometimes   disabled  by  default.  Security  personnel  can  configure  systems  to  record  more  detailed  information   about  account  access  and  utilize  homegrown  scripts  or  third-­‐party  log  analysis  tools  to  analyze  this   information.  The  system  must  be  capable  of  identifying  unauthorized  user  accounts  when  they  exist   on  the  system.  To  evaluate  the  implementation  of  Control  16  on  a  periodic  basis,  the  evaluation  team   must  verify  that  the  list  of  locked  out  accounts,  disabled  accounts,  accounts  with  passwords  that   exceed  the  maximum  password  age,  and  accounts  with  passwords  that  never  expire  has  successfully   been  completed  daily.  
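The following Python example is added here to illustrate the daily account review the evaluation step describes; it is not ConsoleWorks code and is not part of the original whitepaper. It reads /etc/shadow-style records and produces the lists the control asks for: locked accounts, disabled accounts, passwords past their maximum age, passwords that never expire, and accounts with no documented business owner. The shadow records (with placeholder hashes), the owner register and the review date are constructed for the example.

```python
"""Daily account review from /etc/shadow-style records.

Added example for this page, not ConsoleWorks code. The shadow records, the
owner register and the review date are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

NEVER = 99999  # conventional "no maximum age" value in the shadow max field


@dataclass(frozen=True)
class ShadowEntry:
    name: str
    passwd: str
    last_change: Optional[int]  # days since 1970-01-01; None if the field is empty
    max_age: Optional[int]      # days a password may be used; None if the field is empty

    @property
    def locked(self) -> bool:
        return self.passwd.startswith("!")   # passwd(1) -l prefixes the hash with '!'

    @property
    def disabled(self) -> bool:
        return self.passwd.startswith("*")   # no usable password, e.g. service accounts


def parse_shadow(text: str) -> list[ShadowEntry]:
    """Parse name:passwd:lastchg:min:max:warn:inactive:expire: records."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            continue
        name, passwd, lastchg, _min, maxage = fields[:5]
        entries.append(ShadowEntry(
            name, passwd,
            int(lastchg) if lastchg else None,
            int(maxage) if maxage else None,
        ))
    return entries


def days_since_epoch(d: date) -> int:
    return (d - date(1970, 1, 1)).days


def review_accounts(entries: list[ShadowEntry], owners: dict[str, str], today: date) -> dict[str, list[str]]:
    """Build the daily lists: locked, disabled, expired password, never-expiring password, no owner."""
    now = days_since_epoch(today)
    report: dict[str, list[str]] = {
        "locked": [], "disabled": [], "password_expired": [], "never_expires": [], "unauthorized": [],
    }
    for e in entries:
        if e.name not in owners:            # no business process and owner on record
            report["unauthorized"].append(e.name)
        if e.locked:
            report["locked"].append(e.name)
            continue                        # password-age checks are meaningless once locked
        if e.disabled:
            report["disabled"].append(e.name)
            continue
        if e.max_age is None or e.max_age >= NEVER:
            report["never_expires"].append(e.name)
        elif e.last_change is not None and now - e.last_change > e.max_age:
            report["password_expired"].append(e.name)
    return report


# Constructed sample records; hashes are placeholders, not real password hashes.
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhashhash:16060:0:99999:7:::
alice:$6$saltsalt$hashhashhash:16000:1:60:14:::
bob:!$6$saltsalt$hashhashhash:15900:1:60:14:::
svc_backup:*:15000:0:99999:7:::
carol:$6$saltsalt$hashhashhash:16070::::::
mallory:$6$saltsalt$hashhashhash:16060:1:60:14:::
"""
OWNERS = {  # constructed owner register: account -> responsible owner
    "root": "platform team", "alice": "A. Example", "bob": "B. Example",
    "svc_backup": "backup service", "carol": "C. Example",
}
TODAY = date(2014, 1, 10)


def run_example() -> dict[str, list[str]]:
    return review_accounts(parse_shadow(SAMPLE_SHADOW), OWNERS, TODAY)


if __name__ == "__main__":
    for k, v in run_example().items():
        print(f"{k:17s} {v}")
```

Accounts with an empty or 99999 maximum age are the "passwords that never expire" the control lists; the owner register check is what turns a technically valid account with no business owner (mallory in the sample) into a finding, which is the review step that catches the inactive or forgotten accounts attackers like to reuse.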

ConsoleWorks  Module   /  Feature  

Privileged  Access  Management  –  Preventing  Unauthorized  Access    

NSA  Assessment   Medium  

17.  Data  Loss  Prevention  

Critical Security Control Description

Stop unauthorized transfer of sensitive data through network attacks and physical theft: Scrutinize the movement of data across network boundaries, both electronically and physically to minimize the exposure to attackers. Monitor people, processes, and systems, using a centralized management framework.

The loss of protected and sensitive data is a serious threat to business operations, and potentially, national security. While some data is leaked or lost as a result of theft or espionage, the vast majority of these problems result from poorly understood data practices. These include, but are not limited to, a lack of effective policy architectures and user error. The phrase "Data Loss Prevention" (DLP) refers to a comprehensive approach covering people, processes, and systems that identify, monitor, and protect data in use (e.g., endpoint actions), data in motion (e.g., network actions), and data at rest (e.g., data storage) through deep content inspection and with a centralized management framework. Commercial DLP solutions are available to look for exfiltration attempts and detect other suspicious activities associated with a protected network holding sensitive information. The system must be capable of identifying unauthorized data leaving the organization's systems whether via network file transfers or removable media. To evaluate the implementation of Control 17 on a periodic basis, the evaluation team must attempt to move test data sets (that trigger DLP systems but do not contain sensitive data) outside of the trusted computing environment via both network file transfers and via removable media.
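The following Python example is added here to illustrate the "deep content inspection" part of the paragraph, and the kind of test data set the evaluation step calls for; it is not ConsoleWorks code and is not part of the original whitepaper. A bare digit pattern alone produces many false positives on invoice and reference numbers, so candidate payment card numbers are confirmed with the Luhn checksum and US Social Security numbers with their published structural rules (area not 000, 666 or 900-999; group not 00; serial not 0000). The sample text is constructed: the card number is the well-known 4111 1111 1111 1111 test value, which passes Luhn but is not a real account, and the SSN is the commonly used placeholder 123-45-6789.

```python
"""Content inspection for a DLP check: payment card numbers and US SSNs in outbound data.

Added example for this page, not ConsoleWorks code. Candidates are confirmed
with the Luhn checksum (cards) and structural rules (SSNs) to cut false positives.
The sample text is constructed from public test values, not real data.
"""
from __future__ import annotations

import re

# 13 to 19 digits, optionally separated by single spaces or hyphens, not embedded in a longer digit run.
CARD_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_valid(number: str) -> bool:
    """Luhn checksum over the digits of `number`; separators are ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural rules for US SSNs: rejects area 000/666/900-999, group 00 and serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def find_card_numbers(text: str) -> list[str]:
    return [m.group(0) for m in CARD_CANDIDATE_RE.finditer(text) if luhn_valid(m.group(0))]


def find_ssns(text: str) -> list[str]:
    return [m.group(0) for m in SSN_RE.finditer(text) if ssn_plausible(*m.groups())]


def inspect(text: str) -> dict[str, list[str]]:
    """Run all detectors over one chunk of outbound content."""
    return {"cards": find_card_numbers(text), "ssns": find_ssns(text)}


# Constructed test data set: values that should trigger detection (public test numbers)
# next to look-alikes that a digit-only pattern would wrongly flag.
TEST_DATA_SET = (
    "Test record: card 4111 1111 1111 1111, SSN 123-45-6789, "
    "ref 1234 5678 9012 3456, invalid SSN 000-12-3456, invoice 2014-0042 total 1,250.00"
)

if __name__ == "__main__":
    print(inspect(TEST_DATA_SET))
```

The reference number 1234 5678 9012 3456 has the right length and shape but fails the Luhn check, and 000-12-3456 has the SSN shape but an impossible area number, so neither is reported. That is what makes a test data set usable: it trips the detectors with known public values while containing nothing that is actually sensitive.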

ConsoleWorks Module / Feature

Privileged Access Management – Centralized Management of People, Processes, Applications and Systems

NSA Assessment Medium/Low
