Prioritizing Defenses with the Critical Security Controls © Enclave Security 2015
Critical Security Controls: Planning, Implementing, and Auditing with DEMO!
Tennessee Higher Education Information Technology Symposium – April 2015
Jim Purcell – Senior IT Auditor, UT System



Problem Statement

• Data breaches & disclosures are becoming more common
• PrivacyRights.org (updated weekly)
  – JP Morgan Chase
  – Dairy Queen
  – US Investigation Services
  – The UPS Store
  – Community Health Systems
  – Albertsons Grocery Stores
  – SuperValue Stores
  – University of California Santa Barbara
  – Vibram USA

• Or – “Mommy, why does everybody have a bomb?” (Prince – 1999)


Understanding the Critical Security Controls

Prioritizing Defenses with the Critical Security Controls


Information Assurance Frameworks

• There are a number of industry groups also trying to address the issues

• Numerous frameworks have been established, such as:
  – NIST 800-53
  – NIST Core Framework
  – ISO 27000 Series
  – CoBIT
  – IT Assurance Framework (ITAF)
  – IT Baseline Protection Manual
  – Consensus Audit Guidelines / Critical Security Controls
  – Many, many others


One Option: Critical Security Controls

• Began as a collaboration between the US Air Force, National Security Agency, & the SANS Institute in 2008

• Originally developed as a tool for organizations responsible for NIST 800-53

• Priorities for which controls will make the most impact to stop dedicated attackers

• Written in response to compromised US government agencies & contractors

• Collaborative effort by over 100 different government, military, & civilian experts


Council on CyberSecurity

• Official home of the Critical Security Controls
• CEO is Jane Lute, former Deputy Secretary of DHS
• Not for Profit group responsible for managing the Critical Security Controls (CSCs)
• Director of the CSCs is Tony Sager
• Mission: “The Council on CyberSecurity is an independent, global organization committed to an open and secure Internet.”


Project Guiding Principles

1. Defenses should focus on addressing the attack activities occurring today
2. Enterprises must ensure consistent controls across the enterprise to effectively negate attacks
3. Defenses should be automated where possible
4. Specific technical activities should be undertaken to produce a more consistent defense
5. Root cause problems must be fixed in order to ensure the prevention or timely detection of attacks
6. Metrics should be established that facilitate common ground for measuring the effectiveness of security measures


Mandiant’s Attack Lifecycle Model

http://intelreport.mandiant.com/


The Critical Security Controls

1. Inventory of authorized and unauthorized devices
2. Inventory of authorized and unauthorized software
3. Secure configurations for hardware and software on laptops, workstations, and servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Device Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training To Fill Gaps
10. Secure configurations for network devices such as firewalls, routers, and switches


The Critical Security Controls

11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring and Analysis of Audit Logs
15. Controlled Access Based On Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response & Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises


Categories of Sub-Controls

• Quick Wins (QW)
• Improved Visibility and Attribution (Vis/Attrib)
• Hardened Configuration and Improved Information Security Hygiene (Config/Hygiene)
• Advanced (Adv)


What the Critical Controls are NOT

• The primary goal of the Critical Security Controls is defense
  – Mostly Technical and Operational Controls
  – NOT a Comprehensive Security Framework (like NIST 800-53)

• Do NOT address Management Controls
  – Policy
  – Risk Assessment
  – Personnel Issues (i.e. Background Checks)
  – Budget/Contracts
  – Etc…

• Do NOT address Physical Controls
  – Natural Disasters
  – Alternate Datacenter
  – Etc…


An “On Ramp” to Compliance

• The primary goal of the Critical Security Controls is defense
• However, by prioritizing these controls, an organization is also making steps towards achieving compliance with other standards & regulations

• Mappings currently exist between the CSCs and:
  – NIST 800-53 rev4
  – ISO 27002 Control Catalog
  – The Australian DSD’s Top 35
  – HIPAA / HITECH Act
  – The NSA’s Manageable Network Plan


Critical Security Control #1: Inventory of Authorized & Unauthorized Devices

Prioritizing Defenses with the Critical Security Controls


Critical Security Control #1

• Inventory of Authorized and Unauthorized Devices

• Exploit this control is meant to stop:
  – Exploits due to lack of implemented controls on unknown (un-inventoried) devices

• Business goal of this control:
  – Only authorized systems should be on the organization’s network.


Sample Attack Tool: Armitage
Fast and Easy Hacking!!!

http://www.fastandeasyhacking.com/media


Breach Case Study: Bit9

• Security whitelisting vendor Bit9 was breached (2/13)
• Breach due to the fact that they did not install controls on machines that were not in their inventories
• Attackers breached their network, compromising machines where they had not installed their whitelisting product
• As a result of the breach a code signing certificate was abused, and malicious code was signed with their certificate


Defenses: Quick Win

1. Deploy an automated asset inventory discovery tool and use it to build a preliminary asset inventory of systems connected to an organization’s public and private network(s). Both active tools that scan through network address ranges and passive tools that identify hosts based on analyzing their traffic should be employed.

2. Deploy dynamic host configuration protocol (DHCP) server logging, and utilize a system to improve the asset inventory and help detect unknown systems through this DHCP information.

3. Ensure that all equipment acquisitions automatically update the inventory system as new, approved devices are connected to the network.


Defenses: Visibility & Attribution

4. Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device.
  – The inventory should include every system that has an Internet protocol (IP) address on the network.
  – The asset inventory created must also include data on whether the device is a portable and/or personal device.
  – Devices such as mobile phones, tablets, laptops, and other portable electronic devices that store or process data must be identified, regardless of whether they are attached to the organization’s network.


Defenses: Config & Hygiene

5. Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network. The 802.1x must be tied into the inventory data to determine authorized versus unauthorized systems.

6. Deploy network access control (NAC) to monitor authorized systems so if attacks occur, the impact can be remediated by moving the untrusted system to a virtual local area network that has minimal access.


Defenses: Advanced

7. Utilize client certificates to validate and authenticate systems prior to connecting to the private network.


Minimum Control Sensors

• In order to effectively implement & automate this control, an organization must have the following sensors:
1. An Asset Inventory Database
2. An Active Device Scanner
3. A Passive Device Scanner
4. A Network Access Control (NAC) System
5. A Public Key Infrastructure (PKI)
6. DHCP Server
7. Logging / Alerting / Analytics System


Baselines & Operational Processes

• In order to effectively implement, automate, or audit this control, organizations must have the following baselines:

1. An Approved Device Asset Inventory
2. An Approved Information Asset Inventory

• This control necessitates the implementation of the following governance processes as pre-requisites for implementing the control:

1. A Procurement / Asset Acquisition Process
2. A Change Management Process


Entity Relationship Diagram (ERD)

[Diagram showing the relationships between: Asset Inventory Database; Public Key Infrastructure (PKI); Computing Systems; Network Access Control (NAC); Passive Device Discovery; Active Device Discovery; DHCP Server; Alerting / Reporting Analytics System]


Sample Tool: ForeScout CounterACT


Tools for Automation

The following tools have been identified as being able to automate the implementation of this control:
– Spiceworks
– ManageEngine
– OSSIM
– BSA Visibility (Insightix)
– IPSonar (Lumeta)
– CCM, IP360 (nCircle)
– SecureFusion (Symantec)
– CounterAct (ForeScout Technologies)
– Nessus & SecurityCenter (Tenable)
– LANSurveyor (Solarwinds)
– What’s Up Gold (IPSwitch)


Tools that can be Scripted

While the following tools are not automated by nature, they can be scripted to automate this control:
– Nmap / Ndiff


Sample Automation Script: Nmap

# Baseline sweep: -sn is host discovery with no port scan (the extracted "-sL -sn" would only list addresses without probing them)
nmap -sn -oX network_baseline.xml 10.1.1.0/24
# Current sweep, run on a schedule into a second file
nmap -sn -oX network_current.xml 10.1.1.0/24
# Ndiff reports hosts that appeared or disappeared since the baseline
ndiff network_baseline.xml network_current.xml > nmap_differences.txt
# Mail the diff (-t is required by sendEmail; RECIPIENT_ADDRESS is a placeholder, the recipient is not on the slide)
sendEmail -f [email protected] -t RECIPIENT_ADDRESS -u "nmap Inventory Alert" -m "Please see attached alert." -s mail.sans.org:25 -a nmap_differences.txt
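The nmap/ndiff script above only reports what changed between two sweeps; Quick Wins 1 and 2 ask for the discovered hosts (active scanner plus DHCP server logs) to be checked against the approved asset inventory. The following is an added example, not code from the slides or from any of the listed tools: it parses a constructed fragment of `nmap -sn -oX` output and constructed ISC-dhcpd-style DHCPACK log lines, merges both sensors, and returns every device that is not in the (also constructed) approved inventory.

```python
import re
import xml.etree.ElementTree as ET

# Constructed approved inventory (IP -> machine name); in practice this is
# a query against the asset inventory database.
APPROVED = {"10.1.1.10": "fs01", "10.1.1.20": "db01"}

# Constructed fragment of `nmap -sn -oX` output for 10.1.1.0/24 (sample data).
NMAP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.1.1.10" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="10.1.1.77" addrtype="ipv4"/>
        <address addr="AA:BB:CC:00:11:22" addrtype="mac"/></host>
  <host><status state="down"/><address addr="10.1.1.99" addrtype="ipv4"/></host>
</nmaprun>"""

# Constructed ISC-dhcpd-style syslog lines (sample data, not a real log).
DHCP_LOG = """Apr 10 09:12:01 dhcp1 dhcpd: DHCPACK on 10.1.1.20 to 00:11:22:33:44:55 (db01) via eth0
Apr 10 09:12:44 dhcp1 dhcpd: DHCPACK on 10.1.1.150 to de:ad:be:ef:00:01 (unknown-laptop) via eth0
Apr 10 09:13:02 dhcp1 dhcpd: DHCPDISCOVER from 66:77:88:99:aa:bb via eth0"""

# DHCPACK on <ip> to <mac> (<hostname, optional>) via <iface>
DHCPACK_RE = re.compile(r"DHCPACK on (\S+) to (\S+)(?: \((\S+)\))?")


def hosts_from_nmap_xml(xml_text):
    """Return {ip: mac_or_None} for hosts Nmap reports as up."""
    found = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue  # down/unknown hosts are not evidence of a live device
        ip = mac = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr")
        if ip:
            found[ip] = mac
    return found


def hosts_from_dhcp_log(log_text):
    """Return {ip: (mac, hostname)} for every DHCPACK line in the log."""
    leases = {}
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            leases[m.group(1)] = (m.group(2), m.group(3))
    return leases


def unauthorized_devices(nmap_xml, dhcp_log, approved):
    """Merge both sensors and return the devices absent from the inventory."""
    seen = {ip: {"mac": mac, "source": "nmap"}
            for ip, mac in hosts_from_nmap_xml(nmap_xml).items()}
    for ip, (mac, name) in hosts_from_dhcp_log(dhcp_log).items():
        seen.setdefault(ip, {"mac": mac, "source": "dhcp"})["hostname"] = name
    return {ip: info for ip, info in seen.items() if ip not in approved}
```

A device seen only by DHCP (no active-scan response) is still reported, which is the reason the slides call for both an active and a passive sensor.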


Evaluating Critical Control #1

• Business goal of this control:
  – Only authorized systems should be on the university network.

• Systems to be tested:
  – Active device scanner
  – Passive device scanner
  – Network inventory & alerting systems
  – 802.1x based authentication system/Network Access Control
  – Security Event/Information Management (SEIM) system

• Test to perform:
  – Add hardened systems to the network to see if they are identified & isolated from the network


Core Evaluation Test

• Place ten unauthorized devices on various portions of the organization’s network unannounced to see how long it takes for them to be detected
  – They should be placed on multiple subnets
  – Two should be in the asset inventory database
  – Devices should be detected within 24 hours
  – Devices should be isolated within 1 hour of detection
  – Details regarding location, department should be recorded


Effectiveness Metrics

ID | Testing/Reporting Metric | Response
1a | How long does it take to detect new devices added to the organization’s network? | Time in Minutes
1b | How long does it take the scanners to alert the organization’s administrators that an unauthorized device is on the network? | Time in Minutes
1c | How long does it take to isolate/remove unauthorized devices from the organization’s network? | Time in Minutes
1d | Are the scanners able to identify the location, department, and other critical details about the unauthorized system that is detected? | Yes/No
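The Core Evaluation Test and the metrics table above define the scoring: time to detect, time to isolate after detection, and whether location/department were recorded, against the 24 hour and 1 hour targets. This added example (not from the slides) encodes that scoring over a constructed result set for four of the ten placed devices, including one that was never detected, so the auditor gets a per-device and a roll-up pass/fail.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"
DETECT_TARGET_MIN = 24 * 60   # slide: devices detected within 24 hours
ISOLATE_TARGET_MIN = 60       # slide: isolated within 1 hour of detection

# Constructed results for four of the ten placed devices (sample data only).
# Fields: device, subnet, placed, detected, isolated, location/dept recorded.
PLACEMENTS = [
    ("eval-01", "10.1.1.0/24", "2015-04-10 09:00", "2015-04-10 09:25", "2015-04-10 09:40", True),
    ("eval-02", "10.1.2.0/24", "2015-04-10 09:00", "2015-04-10 10:10", "2015-04-10 12:00", True),
    ("eval-03", "10.1.3.0/24", "2015-04-10 09:00", "2015-04-11 15:30", "2015-04-11 15:45", False),
    ("eval-04", "10.1.4.0/24", "2015-04-10 09:00", None, None, False),
]


def minutes_between(start, end):
    """Elapsed whole minutes between two timestamps, or None if either is missing."""
    if start is None or end is None:
        return None
    delta = datetime.strptime(end, FMT) - datetime.strptime(start, FMT)
    return int(delta.total_seconds() // 60)


def score_placement(dev, subnet, placed, detected, isolated, located):
    """Metrics 1a, 1c and 1d for one placed device."""
    detect = minutes_between(placed, detected)
    isolate = minutes_between(detected, isolated)
    return {
        "device": dev,
        "subnet": subnet,
        "detect_min": detect,
        "isolate_min": isolate,
        "detect_ok": detect is not None and detect <= DETECT_TARGET_MIN,
        "isolate_ok": isolate is not None and isolate <= ISOLATE_TARGET_MIN,
        "details_ok": located,
    }


def summarize(placements):
    """Roll the per-device results up into the slide's pass/fail view."""
    rows = [score_placement(*p) for p in placements]
    detected = [r["detect_min"] for r in rows if r["detect_min"] is not None]
    return {
        "placed": len(rows),
        "never_detected": [r["device"] for r in rows if r["detect_min"] is None],
        "worst_detect_min": max(detected) if detected else None,
        "all_detected_in_24h": all(r["detect_ok"] for r in rows),
        "all_isolated_in_1h": all(r["isolate_ok"] for r in rows),
        "details_recorded_for_all": all(r["details_ok"] for r in rows),
        "failures": [r["device"] for r in rows
                     if not (r["detect_ok"] and r["isolate_ok"] and r["details_ok"])],
    }
```

A device that is never detected counts as a failure on every metric rather than being dropped from the averages, which is the figure an auditor needs to report.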


Automation Metrics

1. How many unauthorized devices are presently on the organization’s network (by business unit)?

2. How long, on average, does it take to remove unauthorized devices from the organization’s network (by business unit)?

3. What is the percentage of systems on the organization’s network that are not utilizing Network Access Control (NAC) to authenticate to the organization’s network (by business unit)?

4. What is the percentage of systems on the organization’s network that are not utilizing Network Access Control (NAC) with client certificates to authenticate to the organization’s network (by business unit)?


Standards Mapping

Assurance Standard | References
NIST 800-53 rev. 4 | CA-7: Continuous Monitoring; CM-8: Information System Component Inventory; IA-3: Device Identification and Authentication; SA-4: Acquisition Process; SC-17: Public Key Infrastructure Certificates; SI-4: Information System Monitoring; PM-5: Information System Inventory
NIST Core Framework (2014) | ID.AM-1: Asset Management; ID.AM-3: Asset Management; PR.DS-3: Data Security
ISO 27002:2013 Annex A | A.8.1.1: Inventory of assets; A.9.1.2: Access to networks and network services; A.13.1.1: Network controls


Demo – SpiceWorks – ManageEngine - TripWire

1. Scan for systems.
2. Alerts
3. Reports


Gap Analysis Tools
http://www.auditscripts.com/free-resources/critical-security-controls/

Other Resources
http://www.counciloncybersecurity.org/critical-controls/
http://www.sans.org/critical-security-controls
https://www.sans.org/media/critical-security-controls/fall-2014-poster.pdf