Cybersecurity Domains: What Comprises a Cybersecurity Suite? NDIA Cyber Forum - 15 May 2015

Cybersecurity Domains: What Comprises a …02f9c3b.netsolhost.com/blog1/wp-content/uploads/Cybersecurity...Cybersecurity Domains: What Comprises a Cybersecurity Suite? ... Tools, Hardware


Page 1

Cybersecurity Domains:

What Comprises a Cybersecurity Suite?

NDIA Cyber Forum - 15 May 2015

Page 2

Agenda

• Define what is meant by a Cybersecurity Suite

• Understanding Internet Cybersecurity Fog

• Discuss Cybersecurity Controls and Compliance

• Illustrate the Hierarchy of Cybersecurity Needs

• Review the Key Cybersecurity Domains

– People, Processes, Tools, Hardware and Software

• Demonstrate New Approach to Cyber Education

Page 3

Cyber Security “Fundamentals”

What is a “cyber suite” anyway?

It is the things we MUST have in place properly AND keep maintained.

It encompasses all of the people, processes, practices, policy, tools, hardware and software necessary for consideration in an effective Cybersecurity Plan.

Page 4

People Considerations

Training & Quality

• Training Program

– SOP

– Documentation

– HR Practices

• Legal

• Recruiting

• Certifications

– Practitioner v. Expert

• Experience

• Retention

Awareness

• Responsible Use

– Internet Usage

– Email Use

• Threat

– Anti-phishing

– Personal Devices

– CMS Handling / NDA

– Insider

• Physical Security

Page 5

Policy, Process and Practice

Examples

Strategy and Processes

• NIST SP 800 Series
  – Risk Management Framework
  – Cybersecurity Framework (NIST CSF, published separately from the SP 800 series)
• SANS Top 20
• Privacy by Design
• Proprietary System Processes
• Organic Processes

Policies and Practices

• Policies
  – Acceptable Use, User Account, Remote Access, Information Protection, Special Access, Network Connection, Email and Password.
• Practices
  – Implicit Deny, Least Privilege, Job Rotation, Mandatory Vacation, Time of Day Restrictions, Privilege Management

Page 6

Tools, Hardware and Software

Examples

• Standards, STIGs, Best Practices
• Cybersecurity Toolkits
  – Network Mappers
  – Password Crackers
  – Vulnerability Scanners
• All-in-One Software Suites
• Application Analysis/Monitoring
• IPS/IDS, SIEMs, Audit Logs
• Server Management
• Operating Systems
• Anti-virus / Anti-Malware
• Applications / Productivity Software
• Firewalls
• Routers
• Servers (Email, Web, Proxy, Database)
• Wireless
• Workstations
• Mobile Devices
• Cloud IaaS
• Patch Panels, Cabling
• HVAC, Security Doors, Fences
• Biometric Readers

Page 7

Cybersecurity is Complex from a Technical Perspective. Which ones are inherent in the IA/CND/Cyber suite?

(Word cloud on the slide: Kerberos, PKI, Token, Digital Certificate, Thin Clients, Biometrics, HIPAA, VPN, IPsec, SSL, Hardening, Cloud, XML Gateways, Secure Collaboration, Compliance, Secure Blades, H/W Crypto, SOX, DAC, RSBAC, FIPS 140-2, Trusted OS Guards, Cyber Security, SaaS, Wireless)

Page 8

Internet Cybersecurity Fog

Page 9

Cutting through the Cybersecurity Fog!

The threats are very real, and the news shows a small percentage.

If you aren’t already affected you will be. Will you report it?

Focus on business risk reduction and minimizing legal liabilities.

Adequate cyber protections are but one part – so is insurance…

You cannot buy cyber security, you must manage cyber as it changes.

Success comes with the right people, processes, training and tools.

“P6” principles always apply – as do strategic partnerships.

Few can afford to go it alone – use a managed security service (MSS)

Stop concentrating on small cracks in the walls while the door is left open!

Fundamental Cybersecurity actions cut incidents by 95%

Page 10

What MUST we do in Cyber?

Close the “cyber” barn door first versus fixing cracks in the wall!

Follow the Hierarchy of Cyber needs – mitigate, manage your way up.

RE: Enforce hygiene, effective access control, use APLs, proactive security policy etc.

The BASICS – at least manage the top NSA 10 / SANS 20 mitigations! (How about just DOING the Cyber Hygiene Campaign top 5 actions!)

(e.g., 1 & 2 - Inventory SW & HW, 3 - Secure CM, 4 – SCM/SIEM & 5 - enforce least privileges)

(Diagram on the slide: lack of cyber hygiene causes well over 90% of all security incidents*; “cyber cracks” account for at most 5-6%*)

Page 11

Business Proprietary Information Not For Distribution Without Approval

Formal Government Practice / Compliance

NIST SP 800-53 Rev 4 (the companion SP 800-53A Rev 4 holds the assessment procedures for the same controls)

• Security and Privacy Controls for Federal Information Systems and Organizations
  – Used with FIPS 199/200 (categorization / impact level), SP 800-37 (RMF) and SP 800-39 (managing risk)
• National Vulnerability Database (NVD) 800-53 control catalog:
  – http://web.nvd.nist.gov/view/800-53/home
• NIST document:
  – http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

Page 12

How does NIST SP 800-53 work?

• Normally organizations already have security plans in place
  – NIST SP 800-18: Guide for Developing Security Plans for Federal Information Systems
• Otherwise:
  – FIPS 199/200: determine the system's categorization and security (impact) level
  – NIST SP 800-53: the controls to be implemented for that level (SP 800-53A: how to assess that they are)
  – STIGs: the concrete settings for implementing security controls on software and systems
    • DISA website: http://iase.disa.mil/stigs/Pages/index.aspx

Page 13

Top 20 Controls (Version 5)

http://www.sans.org/critical-security-controls/

Page 14

Hierarchy of Cyber Needs

1 – Resiliency - Survival / Recovery
+ Secure backup (types / methods, various sites / levels)
+ Incident response (company processes, comms with LE / FBI, etc.)
+ Recovery Plan - COOP / BCP (phases of recovery, hot / mirror site, etc.)

2 – Cyber Foundation
+ Access control (PW, CAC, enforce least privilege, separate / rotate duties, etc.)
+ Layered Defense - IA/CND strategy – WHAT capabilities are needed
+ Security Policy (privacy, social media, PII, etc.) - enforcement aspects too
+ Monitoring / Know your baseline – SCM / SIEM
+ Tools – selection and integration
+ Business Risk Management / Assessment (RMF / COBIT) / requirements analysis with an AoA

3 – Cyber Maintenance - Security Hygiene / CM / SOPs
+ Manage Policy - social media content & settings; restrict sharing / privileges = proactive monitoring
+ Maintain Cyber Security Suite – patches, upgrades, etc.; control system settings and dashboard!
+ Standard operating procedures (SOPs) - USE / enforce them
+ Security training / education / awareness – ALL levels – reinforce / incentivize – pos & neg

4 – Applied Cyber Security (IA / CND / security capabilities best practices)
Given the best practices and cyber protections approach below, distill the key attributes for each IA/CND capability, following the products' install instructions and tailoring them for the company's environment: specific equipment settings for “secure” sustainment / operations.
Firewall, A/V Suite, IDS/IPS, Crypto, Key Mgmt, Mobile, Wireless, Network, Apps, Data Security, etc.

5 – Cyber Actualization - Compliance / Assessment / Analytics
+ V&V / TE&C / C&A – formal proof -> residual risks -> cyber value proposition
+ KEY Compliance Activities – PII, PCI, HIPAA, etc.
+ Forensics / Ethical hacker
+ Big Data / Predictive Analytics (integrate SCM / SIEM, IA/CND reports, etc.)
+ Pentesting / Security Testing (Recon, Enumeration, System Hack, Contingency Plan)

Skill levels shown alongside the hierarchy:
Apprentice: Sec+, SSCP
Journeyman: 5 yrs+, Sec+, CISSP
Master: 8 yrs+

Page 15

SMB Education Practicum

• Resiliency (General)
  – Secure Back-up: Processes and Configuration
  – Disaster Recovery Planning
  – Incident Response
  – Contingency Planning
• Ethics and Operating Limitations (General)
• Policy, Guidance and Training (General)
  – Policy
  – Guidance and SOPs
  – Training
• Cybersecurity Toolkit (General)
  – Windows based toolsets
  – Linux Kali / BackTrack Installation
  – Command Line Operations
• Network Mapping (General)
  – Tools and Demos
  – Documenting and Storage Tools
• Anti-Malware/Antivirus (General)
• Identification and Access Management (IdAM) (General)
  – Passwords
  – Access Control System Implementation
  – Data at Rest
  – VPN Set-up
• O/S Hardening (General)
  – Microsoft Windows 7
  – Microsoft Windows 8
  – Linux
• Updating and Patching (General)
  – Automatic Updating
  – Test Environment
• Network Hardening (General)
  – Firewalls
  – Routers
  – Wireless Routers
  – IDS/IPS
  – SIEMs
• Vulnerability Scanning (General)
  – Nessus Scanner
  – Retina Scanner
• Auditing (General)
• Cybersecurity Strategy (General)
  – NIST Cybersecurity Framework
  – Layered Defense (Defense-in-Depth)
  – Data-Centric Security Concept
• Application Hardening (General)
  – Website Hardening
  – Software Hardening
  – Database Hardening
• Portable Device Security (General)
  – PDAs
  – iOS Devices - iPads, iPhones
  – Android – Phones, Tablets
  – Bluetooth Security
• Compliance (General)
  – SANS Top 20
  – FIPS 199/200 - NIST SP 800-53
  – STIG Implementation
• Cloud Security Essentials
  – SLE Agreement Planning
  – Application Testing
• Risk Management
  – Risk Management Framework

Page 16

Relating Cyber Needs, Top 20, and Education

Hierarchy of Needs | SANS Top 20 | SMB Education Practicum
1. Resiliency | 8. Data Recovery; 18. Incident Response | Data Recovery, Incident Response, Contingency Planning
2. Cyber Foundations | 12/15. Control Privileges; 14/16. Maint., Monitor, & Auditing; 17. Data Protection | IdAM, Cybersecurity Strategy, Security Policy, SIEM, Auditing, Toolkits, Risk Management (RMF)
3. Cyber Maintenance | 9. Training | Manage Policy, Guidance and Training (IT and Awareness), Patching & Updating
4. Applied Cybersecurity | 1-2. Inventory H/W S/W; 3. Secure Configs H/W S/W; 4. Vulnerability Assessment; 5. Malware Defenses; 6. Application Software Security; 7. Wireless; 10-11. Secure CM Network Limits; 13. Boundary Defense | Network mapping, A/V, O/S Hardening, Network Hardening (Firewalls, Routers, Wireless, IDS/IPS, SIEMs), Vulnerability Scanning
5. Cyber Actualization | 19. Secure Network Engineering; 20. Penetration Testing | Basic Pentesting, Ethics and Operating Limitations, Cybersecurity Strategy

Page 17

The Cyber Integrated ED Package

“Bottom up” skills building approach to accommodate cyber SKILLS dependencies

Page 18

Cyber Essentials Course for SMB

Developing security operators to fill the critical skills void.

(Schedule grid on the slide: Mon to Fri, 0800 to 1600 with a lunch break each day, covering Cyber Overview, Resiliency, Foundations, Applied, Operations & Maintenance, and Actualization & Review & skills test, then return to office. Security+ certification is a prerequisite.)

SMB needs cyber operators! High volume & greatest need (Operations & Maintenance). Also have a MSS, then manage the 95% vulnerabilities on site & know when to ask for help!

[email protected]

Page 19

Module Design

Practicum Module Design

• Develop Self-Efficacy
  – Limitations
  – Critical Thinking
  – Resourcing
• Leverage Internet
  – Safe sites
  – Clear the Fog
• Provide Insight
  – Link to Salient Articles
• Demonstration Links
  – Show “How and Why”

What it is Not

• A Training Tool for Certs
  – Function and Concepts
  – Not a Cram and Jam
• A Replacement for Trained Personnel
  – Designed for Security+
• A Recipe Book for Cyber
  – Develops Chefs not Cooks
  – Emphasizes “How to Think”
  – Not the “What and Why”
• Stagnant
  – Designed for change

Page 20

Firewalls: SMB Education Practicum

Demonstration-based Module

Page 21

Introduction

This is a demonstration-based module designed to provide practitioner-level instruction on the installation and implementation of various firewalls from a cybersecurity perspective.

Focus Elements – Cybersecurity Perspective on:
– Function
– Operation
– Importance
– Variants
– Sources
– Considerations
– Avoidance
– Overview
– Step-by-step
– Output / Testing
– Analysis
– Documentation
– Troubleshooting
– Compliance
– Education

Page 22

Function

• “Firewall” refers to the group of components and software that serve as the fundamental barrier between internal network layers and external networks or the internet.
• Multiple types of firewalls exist, with varying qualities based on their type, location and settings.
  – Hardware based firewalls (appliance)
    • Advantage: usually faster and can handle larger throughput
    • Disadvantage: fixed hardware may limit the number of interfaces it can include
  – Software based firewalls (client)
    • Advantage: supports a flexible number of NICs, easily added to the server running the software
    • Disadvantage: possible configuration problems, memory limitations, disk space requirements, and number of CPUs supported
  – Host-based firewalls, like Windows Firewall with Advanced Security, protect a single host through the OS.
  – Network perimeter firewalls are placed at the boundaries between network segments, or on boundary components such as proxy servers and bastion hosts.

Page 23

Operation

• Firewalls serve a gatekeeping function, filtering packets based on IP address, port, protocol or connection state.
  – Although routers can be configured to restrict traffic based on source and destination IP address, a firewall is specifically designed as a network protection system with more security features.
• Firewalls filter in accordance with rules set individually or as part of a pre-programmed security setting, using various technologies:
  – Network Address Translation (NAT): private internal addresses are mapped to public external IP addresses, which hides the internal addressing plan. NAT is not a security control by itself: inbound traffic still has to be permitted or denied by rules, and NAT actually complicates IPsec VPNs (NAT traversal, RFC 3947/3948, is required when a tunnel crosses a NAT device). Many firewalls also act as VPN gateways, terminating IPsec tunnels so that authenticated and encrypted traffic can traverse the perimeter.
  – Access lists: operate like router access lists, filtering incoming and outgoing traffic by IP address, port or service in accordance with a prescribed rule set. Rules are evaluated in order and the first match wins, so rule order matters and the set should end in an explicit deny.
  – Packet filtering: a screening function based on the protocol type, IP addresses and TCP/UDP port information in the packet header, evaluated one packet at a time with no memory of earlier packets.
  – Stateful packet inspection: the firewall keeps a table of active connections and admits a packet only if it starts a permitted new connection or belongs to an established session; a TCP segment that claims to be part of a session the firewall never saw is dropped.
  – Application layer inspection: an application-aware firewall detects when traffic on a port does not match the protocol expected there (e.g., a non-HTTP stream on tcp/80) or does not fit the previously established session; such mismatches are a common sign of tunnelling or misuse.
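To make the stateless/stateful distinction above concrete, here is an added example (not code from the NDIA deck or from any firewall product): a small Python simulation of an ordered rule set with implicit deny, evaluated first as a stateless packet filter and then with a connection table. The rules, addresses and packets are constructed for the demonstration. It shows why a stateless filter needs an over-broad “let replies back in” rule, and how that rule also admits a forged ACK probe that the stateful filter drops.

```python
"""Stateless vs. stateful packet filtering, simulated (added example; not
code from the NDIA deck).  All rules, addresses and packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    direction: str     # "in" = arriving from outside, "out" = leaving the inside
    syn: bool = False  # TCP SYN (no ACK): the packet opens a new connection


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    direction: str        # "in", "out" or "any"
    proto: str            # "tcp", "udp" or "any"
    src: str              # CIDR
    dst: str              # CIDR
    dport: Optional[int]  # None = any destination port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


class StatelessFilter:
    """Plain access list: first matching rule wins, no match = implicit deny."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "deny"


class StatefulFilter(StatelessFilter):
    """Rules are consulted only for packets that start a flow; anything else
    is admitted only if the reverse flow is already in the connection table."""

    def __init__(self, rules: List[Rule]):
        super().__init__(rules)
        self.flows = set()

    def decide(self, p: Packet) -> str:
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse in self.flows:           # reply to a flow we allowed earlier
            return "allow"
        if p.proto == "tcp" and not p.syn:  # mid-stream TCP with no state: drop
            return "deny"
        action = super().decide(p)
        if action == "allow":
            self.flows.add(flow)            # remember the flow so replies get back
        return action


# Policy: inside hosts may go anywhere; outside may reach the web server on 443.
POLICY = [
    Rule("allow", "out", "any", "10.0.0.0/24", "0.0.0.0/0", None),
    Rule("allow", "in", "tcp", "0.0.0.0/0", "10.0.0.5/32", 443),
]
# A stateless filter cannot recognise replies, so operators add a broad
# "let replies back in" rule.  That rule is the hole the stateful filter closes.
STATELESS_POLICY = POLICY + [Rule("allow", "in", "tcp", "0.0.0.0/0", "10.0.0.0/24", None)]

PACKETS = [
    Packet("tcp", "10.0.0.7", "203.0.113.9", 51000, 80, "out", syn=True),   # client opens HTTP
    Packet("tcp", "203.0.113.9", "10.0.0.7", 80, 51000, "in"),              # server's reply
    Packet("tcp", "198.51.100.4", "10.0.0.5", 40000, 443, "in", syn=True),  # new HTTPS to web server
    Packet("tcp", "198.51.100.4", "10.0.0.7", 40001, 445, "in"),            # forged ACK probe at SMB
    Packet("udp", "198.51.100.4", "10.0.0.7", 53, 50000, "in"),             # unsolicited UDP
]


def evaluate(fw: StatelessFilter, packets: List[Packet]) -> List[str]:
    return [fw.decide(p) for p in packets]


def run_demo() -> dict:
    """Fresh filters each call, so the stateful connection table starts empty."""
    return {
        "stateless": evaluate(StatelessFilter(STATELESS_POLICY), PACKETS),
        "stateful": evaluate(StatefulFilter(POLICY), PACKETS),
    }


if __name__ == "__main__":
    for name, verdicts in run_demo().items():
        print(name, verdicts)
```

The fourth packet is the point of the exercise: it is a bare ACK aimed at tcp/445, which the stateless filter admits because its reply rule matches any inbound TCP to the LAN, while the stateful filter drops it because no outbound flow to that peer exists.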

Page 24

Importance

• Host-based firewalls and network perimeter firewalls (typically appliances) form the fundamental barrier that segregates the layers of a network, and the individual hosts, from one another and from the external internet.
• Perimeter firewalls sit at the choke points between networks and the internet, so every packet crossing a boundary passes through a policy decision.
• Firewall types, locations and settings should be determined by network planners and information security system planners, not by the practitioner implementing them.

Page 25

Variants

• Firewall Types and Placement:
  – Host-based firewalls reside within a particular PC, workstation or server and protect only that host.
  – Proxy servers are hardened, reduced-function servers placed between the internal network and the internet (or another network layer) that relay traffic on behalf of internal clients, so internal hosts never connect outward directly.
  – De-militarized Zones (DMZs) are a layer between an outside firewall and an internal firewall, where internet-facing servers and hosts are dual-barricaded so that a compromise there does not give direct access to the interior network.
  – Routers can be configured to perform firewall-like filtering functions (access lists).
  – Bastion hosts: a single, well-hardened host with significantly reduced functionality that serves as the go-between to an outer zone or the internet.

Page 26

Sources

• Modern commercial firewall software is typically part of a suite of products: antivirus, anti-malware tools and anti-phishing.
• Searches for client firewalls yield dozens of free or proprietary products.
  – Top-rated client firewalls for 2014 (priced from $19.99 to $59.99) include:
    • Norton Internet Security
    • McAfee
    • eScan Internet Security
    • Bitdefender Internet Security
    • Kaspersky Internet Security
    • Panda Internet Security
  – Top-rated free firewall: ZoneAlarm

Page 27

Considerations

Before starting:
• Ensure permission is granted before making any firewall setting changes.
• Practitioners often update or implement firewalls only by direction; an understanding of the network security need being addressed is essential.
• Obtain a copy of the ruleset spreadsheet and remember to update it.
  – Use a network map and identify the key software applications that will need to be accounted for or configured to be compatible with any new firewall.
• Determine which port numbers will be affected and need to change.
• Don't forget to open up any firewall ports that you modified so traffic can flow.
  – Newer software will often add its own rules automatically; review every rule an installer adds, because it opens whatever the vendor chose, not what your policy requires.
• Legacy software or hardware may require updating.
  – Modify any product-side settings to be sure all software applications are functional.
• Larger networks have licensing servers or proxy servers that are critical to the software in use; make sure the rules for them are preserved.
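The ruleset spreadsheet mentioned above is worth auditing mechanically before you touch the firewall. The following is an added example (not part of the original module): a Python audit of a constructed rule export that flags rules shadowed by an earlier, broader rule (they can never match and are safe to remove), any-to-any allows, rules with no owner, and rules past their review date. The column names, the review interval and the review date are assumptions.

```python
"""Audit of a perimeter firewall rule spreadsheet (added example; not from the
original module).  The CSV below is constructed; column names are assumed."""
import csv
import io
from datetime import date
from ipaddress import ip_network
from typing import Dict, List

# Constructed export of a ruleset spreadsheet.  Rules are evaluated top-down.
RULES_CSV = """id,action,src,dst,proto,dport,owner,last_reviewed
10,allow,0.0.0.0/0,192.0.2.10/32,tcp,443,webteam,2015-03-01
20,allow,10.0.0.0/8,0.0.0.0/0,any,any,netops,2015-04-15
30,allow,10.20.0.0/16,0.0.0.0/0,tcp,22,netops,2014-11-02
40,allow,0.0.0.0/0,0.0.0.0/0,any,any,,2013-06-30
50,allow,203.0.113.0/24,192.0.2.10/32,tcp,443,webteam,2015-03-01
60,deny,0.0.0.0/0,0.0.0.0/0,any,any,netops,2015-05-01
"""

ANY = "any"
REVIEW_DATE = date(2015, 5, 15)   # assumed "today" for the demonstration


def parse_rules(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def covers(outer: Dict[str, str], inner: Dict[str, str]) -> bool:
    """True if every packet that matches `inner` also matches `outer`."""
    return (ip_network(inner["src"]).subnet_of(ip_network(outer["src"]))
            and ip_network(inner["dst"]).subnet_of(ip_network(outer["dst"]))
            and outer["proto"] in (ANY, inner["proto"])
            and outer["dport"] in (ANY, inner["dport"]))


def is_any_any_allow(r: Dict[str, str]) -> bool:
    return (r["action"] == "allow" and r["src"] == "0.0.0.0/0"
            and r["dst"] == "0.0.0.0/0" and r["proto"] == ANY and r["dport"] == ANY)


def audit(text: str, today: date, max_age_days: int = 365) -> List[str]:
    """Return human-readable findings, in rule order."""
    rules = parse_rules(text)
    findings = []
    for i, r in enumerate(rules):
        rid = r["id"]
        # A rule fully covered by an earlier rule is unreachable (shadowed),
        # whatever its action.  A shadowed final deny is especially telling.
        for earlier in rules[:i]:
            if covers(earlier, r):
                findings.append(f"rule {rid} is shadowed by rule {earlier['id']} and can never match")
                break
        if is_any_any_allow(r):
            findings.append(f"rule {rid} allows any source to any destination on any port")
        if not r["owner"].strip():
            findings.append(f"rule {rid} has no owner")
        age = (today - date.fromisoformat(r["last_reviewed"])).days
        if age > max_age_days:
            findings.append(f"rule {rid} was last reviewed {age} days ago")
    return findings


def demo_findings() -> List[str]:
    return audit(RULES_CSV, REVIEW_DATE)


if __name__ == "__main__":
    for finding in demo_findings():
        print(finding)
```

Rule 40 is the “door left open”: it shadows the final deny (rule 60), has no owner and has not been reviewed in nearly two years, which is exactly the kind of entry the spreadsheet review is meant to catch before a practitioner starts adding more rules beneath it.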

Page 28

Avoidances

• Potential hazards we must avoid or be wary of:
  – Settings incompatible with legacy software applications/hardware
  – Settings so restrictive that they prevent appropriate access or slow the system
  – Passcode requirements not documented or not secure enough (if applicable)
  – Forgetting to re-boot the system after installation or adjustment, prior to testing
  – Disabling all firewalls on the machine (including the Windows 7 firewall) “to get started”: the host is unprotected for as long as they stay off, so never do this while connected to an untrusted network
• Ramifications / implications of error:
  – Complete lockout from firmware or software with an improper passcode
  – Network failure/degradation due to restriction on network traffic
  – System freeze or lock-up if changing settings while active
• Documentation hazards:
  – Failure to properly record changes, passwords, settings
  – Use of confusing entries resulting in other practitioner error or bad configuration data
• Potential for error / degree of damage:
  – High / low, but errors must be fixed to allow functionality

Page 29

Overview

1. Gather all research data, any directives or policy information, specific directions, network locations, hardware and software components and determine scope of activity.

2. Choose security settings based on all available data

3. Create, modify or delete any rules that are necessary to meet the necessary requirements

4. Enable logging to view any denied incoming connections

5. Ensure the firewall is enabled

6. Perform testing to determine if firewall implementation meets the intended goal

7. Document activity in personal IT Logbook and required IT Department documentation or work execution log
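Step 4 enables logging of denied connections. The Windows Firewall writes these to %systemroot%\system32\LogFiles\Firewall\pfirewall.log in a W3C-style text format whose column order is declared by the “#Fields:” header line; logging of dropped packets is off by default and is switched on per profile in the console's Properties dialog. Here is an added example (not from the original module) that parses a constructed excerpt of that log, summarises inbound drops by destination port, and flags sources that probed several ports. The log lines are constructed for the demonstration and the scan threshold is an assumption.

```python
"""Summarise dropped connections from a Windows Firewall log (added example;
not from the original module).  The excerpt below is constructed."""
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed excerpt in the layout of pfirewall.log.  The "#Fields:" line
# declares the column order; data lines are space separated, "-" = not set.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2014-12-16 14:30:01 DROP TCP 192.0.2.10 10.0.0.5 51234 445 52 S 1234567890 0 8192 - - - RECEIVE
2014-12-16 14:30:02 DROP TCP 192.0.2.10 10.0.0.5 51235 3389 52 S 1234567891 0 8192 - - - RECEIVE
2014-12-16 14:30:03 DROP TCP 192.0.2.10 10.0.0.5 51236 135 52 S 1234567892 0 8192 - - - RECEIVE
2014-12-16 14:30:05 ALLOW TCP 10.0.0.5 198.51.100.20 49870 443 0 - 0 0 0 - - - SEND
2014-12-16 14:30:09 DROP UDP 10.0.0.99 10.0.0.255 137 137 78 - - - - - - - RECEIVE
2014-12-16 14:31:00 DROP TCP 203.0.113.7 10.0.0.5 40022 445 52 S 22222 0 8192 - - - RECEIVE
"""


def parse_pfirewall(text: str) -> List[Dict[str, str]]:
    """Parse records using the column names from the #Fields: header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue   # malformed or truncated line: skip rather than misalign columns
        records.append(dict(zip(fields, parts)))
    return records


def summarize(text: str, scan_threshold: int = 3) -> dict:
    """Inbound drops by destination port, plus sources that hit several ports."""
    records = parse_pfirewall(text)
    inbound_drops = [r for r in records if r["action"] == "DROP" and r["path"] == "RECEIVE"]
    drops_by_port = Counter(int(r["dst-port"]) for r in inbound_drops)
    ports_by_src = defaultdict(set)
    for r in inbound_drops:
        ports_by_src[r["src-ip"]].add(r["dst-port"])
    # A single source probing several distinct ports is the usual scan signature.
    scanners = sorted(src for src, ports in ports_by_src.items() if len(ports) >= scan_threshold)
    return {
        "inbound_drops": len(inbound_drops),
        "drops_by_port": dict(drops_by_port),
        "scanners": scanners,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Reading the summary against the rule set is the point of step 4: drops on 445 and 3389 from outside confirm the rules are doing their job, while a drop on a port an internal application is supposed to use is the first sign of a rule that is too restrictive.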

Page 30

Demo: Step-by-step

• Due to the prevalence of the Windows Firewall and the clarity of its interface, we will demonstrate with Windows 7 – Windows Firewall with Advanced Security.
• To get to the firewall settings select:
  – Windows 7: Start => Control Panel => System and Security => Windows Firewall
  – Windows 8: Settings => Control Panel => System and Security => Windows Firewall
  – On either, “Advanced settings” (or running wf.msc) opens the Windows Firewall with Advanced Security console, where inbound/outbound rules and logging are configured.

Note: third-party suites such as Norton and McAfee actively manage the Windows Firewall as part of their operation, so changes made in the Windows console may be overridden. Make changes through the product that owns the firewall. If a product must be turned off to apply a change, do it only while the host is disconnected from untrusted networks, and re-enable it immediately afterwards.

Pages 31-41: Demo: Step-by-step (screenshot slides of the Windows Firewall with Advanced Security console; images not reproduced here)

Page 42

Output / Testing

• Client firewall software uses dashboards that indicate firewall status.
• Vulnerability scanning and network scanning tools are available for checking which ports actually answer.
• Gibson Research Corporation offers a wide array of testing applications.
  – In this case ShieldsUP! is highly recommended:
  – https://www.grc.com/x/ne.dll?bh0bkyd2
  – Caveat: ShieldsUP! probes the public address it sees you coming from. If the host sits behind a NAT router, the result describes the router's exposure, not the host firewall; test the host rules from inside the LAN as well.

Page 43

Analysis

• How do you validate that the system is going to meet the objective?
  – Testing of the firewall is essential to ensure it is functioning properly.
  – Validate both incoming and outgoing traffic.
  – Attempt access in direct relation to each rule put in place: a connection the rule should allow must succeed, and one it should block must fail, from a source the rule actually applies to.
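A concrete way to do the validation above is to probe each port and compare what you observe with what the rule says should happen. The added example below (not code from the module) starts a local listener to stand in for a permitted service, probes it and a port nothing listens on, and classifies each as open, closed (the host answered with a reset, so nothing filtered the packet) or filtered (no answer before the timeout, which is what a dropped packet looks like from outside). A “closed” result on a port the rule should block means the firewall is not filtering it. The host and ports are local assumptions so that it runs offline.

```python
"""Check firewall rules by probing ports (added example; not code from the
module).  Uses a local listener so it runs offline; host/ports are assumptions."""
import socket
from typing import Dict, List, Tuple


def start_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Stand-in for the service a rule is meant to expose; the OS picks a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def probe(host: str, port: int, timeout: float = 1.0) -> str:
    """'open': handshake completed.  'closed': host answered with a reset, so
    nothing filtered the packet.  'filtered': no answer before the timeout,
    which is what a silently dropped packet looks like from the outside."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:            # includes socket.timeout
        return "filtered"
    finally:
        s.close()


def verify(host: str, expectations: Dict[int, str]) -> List[Tuple[int, str, str, bool]]:
    """Compare each port's observed state with what the rule set says it should be."""
    results = []
    for port, expected in sorted(expectations.items()):
        observed = probe(host, port)
        results.append((port, expected, observed, observed == expected))
    return results


def demo() -> List[Tuple[int, str, str, bool]]:
    srv, open_port = start_listener()
    try:
        # Pick a port that is certainly not listening: bind, read the number, release.
        tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        tmp.bind(("127.0.0.1", 0))
        closed_port = tmp.getsockname()[1]
        tmp.close()
        # Expectation: the service port is reachable and the other port answers
        # "closed" (loopback has no filter; on a real host a port a rule blocks
        # should read "filtered" instead).
        return verify("127.0.0.1", {open_port: "open", closed_port: "closed"})
    finally:
        srv.close()


if __name__ == "__main__":
    for port, expected, observed, ok in demo():
        print(f"port {port}: expected {expected}, observed {observed}, {'PASS' if ok else 'FAIL'}")
```

Run the same `verify` call from a machine on the other side of the firewall with the expectations taken from the ruleset spreadsheet; every mismatch is either a rule that is not doing what the spreadsheet says or a spreadsheet that no longer matches the device.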

Page 44

Documentation

• Personal Logbook: Date, Time, Name, Contact Info and Page #
  – Activity, Name/Location, Task Source, and Actions taken, e.g.:
    • Activity: Verify Win 7 Firewall rules set IAW new security plan
    • N/L: Asset FD00123; Front Desk Reception
    • Task: Email dtd 10Dec14, D. Johnson directed
    • Completed: checked and verified all rules IAW email. Changed rule XXX to XXX. Verified function @ 1430 on 16Dec14. Updated in IT log 1282 p.4
• Departmental logging of firewall installations and updates:
  – Firewall rules for firewalls other than host firewalls should be documented thoroughly on a spreadsheet, including not only all the rules but the NAT translations as well. Old rules should be removed.
  – The network diagram shape for a firewall is a hexagon.
  – Include hostname, management IP, and device model.

Page 45

Troubleshooting

• Utilize vendor troubleshooting guides:
  – Windows 7 Firewall with Advanced Security:
    • http://technet.microsoft.com/en-us/library/cc749386(v=ws.10).aspx

Page 46

Compliance / Best Practices

• Government:
  – NIST SP 800-41 Revision 1: Guidelines on Firewalls and Firewall Policy
    • http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf
• Industry:
  – Microsoft Forefront website
    • http://technet.microsoft.com/en-us/library/cc995156.aspx

Page 47

Education

• Furthering your education
  – Online sources of reputable instruction:
    • https://www.paloaltonetworks.com/services/education.html
    • http://www.firewall.cx
  – Certifications related to the topic:
    • No general certification; vendor-specific installation certifications only
  – Practice websites related to the topic:
    • None
• Books related to the topic:
  – Stewart, J. M. (2013). Network Security, Firewalls, and VPNs (2nd ed.). Jones & Bartlett Learning. ISBN-13: 978-1284031676 / ISBN-10: 1284031675