Cybersecurity Domains:
What Comprises a Cybersecurity Suite?
NDIA Cyber Forum - 15 May 2015
Agenda
• Define what is meant by a Cybersecurity Suite
• Understanding Internet Cybersecurity Fog
• Discuss Cybersecurity Controls and Compliance
• Illustrate the Hierarchy of Cybersecurity Needs
• Review the Key Cybersecurity Domains
– People, Processes, Tools, Hardware and Software
• Demonstrate New Approach to Cyber Education
Cyber Security “Fundamentals”
What is a “cyber suite” anyway?
It is the set of things we MUST have properly in place AND keep maintained.
It encompasses all of the people, processes,
practices, policy, tools, hardware and software
necessary for consideration in an effective
Cybersecurity Plan.
People Considerations
Training & Quality
• Training Program
– SOP
– Documentation
– HR Practices
• Legal
• Recruiting
• Certifications
– Practitioner v. Expert
• Experience
• Retention
Awareness
• Responsible Use
– Internet Usage
– Email Use
• Threat
– Anti-phishing
– Personal Devices
– CMS Handling / NDA
– Insider
• Physical Security
Policy, Process and Practice
Examples
Strategy and Processes
• NIST SP 800 Series
– Risk Management Framework
– Cybersecurity Framework
• SANS Top 20
• Privacy by Design
• Proprietary System Processes
• Organic Processes
Policies and Practices
• Policies
– Acceptable Use, User Account, Remote Access, Information Protection, Special Access, Network Connection, Email and Password.
• Practices
– Implicit Deny, Least Privilege, Job Rotation, Mandatory Vacation, Time of Day Restrictions, Privilege Management
Tools, Hardware and Software
Examples
• Standards, STIGs, Best Practices
• Cybersecurity Toolkits
– Network Mappers
– Password Crackers
– Vulnerability Scanners
• All-in-One Software Suites
• Application Analysis/Monitoring
• IPS/IDS, SIEMs, Audit Logs
• Server Management
• Operating Systems
• Anti-virus / Anti-Malware
• Applications / Productivity Software
• Firewalls
• Routers
• Servers (Email, Web, Proxy, Database)
• Wireless
• Workstations
• Mobile Devices
• Cloud IaaS
• Patch Panels, Cabling
• HVAC, Security Doors, Fences
• Biometric Readers
Cybersecurity is Complex from a Technical Perspective
Which ones are inherent in the IA/CND/Cyber suite?
[Word cloud of technologies and standards: Kerberos, PKI, Token, Digital Certificate, Thin Clients, Biometrics, HIPAA, VPN IPSEC, SSL, Hardening, Cloud, XML Gateways, Secure Collaboration, Compliance, Secure Blades, H/W Crypto, SOX, DAC, RSBAC, FIPS 140-2, Trusted OS Guards, Cyber Security, SaaS, Wireless]
Internet Cybersecurity Fog
Cutting through the Cybersecurity Fog!
The threats are very real, and the news shows a small percentage.
If you aren’t already affected you will be. Will you report it?
Focus on business risk reduction and minimizing legal liabilities.
Adequate cyber protections are but one part – so is insurance…
You cannot buy cyber security, you must manage cyber as it changes.
Success comes with the right people, processes, training and tools.
“P6” principles always apply – as do strategic partnerships
Few can afford to go it alone – use a managed security service (MSS)
Stop concentrating on small cracks in the walls while the door is left open!
Fundamental Cybersecurity actions cut incidents by 95%
What MUST we do in Cyber?
Close the “cyber” barn door first versus fixing cracks in the wall!
Follow the Hierarchy of Cyber needs – mitigate, manage your way up
RE: Enforce hygiene, effective access control, use APLs, proactive security policy etc.
The BASICS – at least manage the top NSA 10 / SANS 20 mitigations!
(How about just DOING the Cyber Hygiene Campaign top 5 actions!)
(e.g., 1 &2 - Inventory SW & HW, 3 - Secure CM, 4 – SCM/SIEM & 5 - enforce least privileges )
[Chart: “cyber cracks” account for at most 5-6% of incidents; lack of cyber hygiene causes well over 90+% of all security incidents!]
Business Proprietary Information Not For Distribution Without Approval
Formal Government Practice / Compliance
NIST SP 800-53A Rev 4
• Security and Privacy Controls for Federal Information Systems and Organizations
– Used with FIPS 199/200 (Cat./level), 800-37 (RMF) and 800-39 (Managing risk)
• National Vulnerability database:
– http://web.nvd.nist.gov/view/800-53/home
• NIST Document:
– http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
How does the NIST SP 800-53A work?
• Normally organizations have security plans in place
– NIST SP 800-18 Guide for Developing Security Plan
• Otherwise:
– FIPS 199/200
• Determine Categorization and Security level
– NIST SP 800-53A
• Controls to be implemented
– STIGs
• Tools for implementing security controls on software and systems
• DISA website: http://iase.disa.mil/stigs/Pages/index.aspx
Top 20 Controls (Version 5)
http://www.sans.org/critical-security-controls/
Hierarchy of Cyber Needs
1 – Resiliency - Survival / Recovery
+ Secure backup (Types / methods, various sites / levels)
+ Incident responses (company processes, comms with LE / FBI, etc)
+ Recovery Plan - COOP / BCP (phases of recovery, hot / mirror site, etc)
2 – Cyber foundation
+ Access control (PW, CAC, enforce least privilege, separate / rotate duties, etc)
+ Layered Defense - IA/CND strategy – WHAT capabilities are needed
+ Security Policy (privacy, social media, PII, etc) - enforcement aspects too
+ Monitoring / Know your baseline – SCM / SIEM
+ Tools – selection and integration
+ Business Risk Management / Assessment (RMF / COBIT) / requirements analysis with an AoA
3 – Cyber Maintenance - Security Hygiene / CM / SOPs
+ Manage Policy - social media - content & settings… restrict sharing / privileges = proactive monitoring
+ Maintain Cyber Security Suite – patches, upgrades, etc.. control system settings… & dashboard!
+ Standard operating procedures (SOPs).. USE / enforce them
+ Security training / education awareness – ALL levels – reinforce / Incentivize – pos & neg
4 – Applied cyber security (IA / CND / security capabilities best practices)
Given the below best practices, cyber protections approach, then distill the key attributes for each IA/CND capability, while following and tailoring for the company’s environment the install instructions of the products… specific equipment settings for ‘secure’ sustainment / operations
Firewall, A/V Suite, IDS/IPS, Crypto, Key Mgmt, Mobile, Wireless, Network, Apps, Data Security, etc
5 – Cyber actualization - Compliance / Assessment / Analytics
+ V&V / TE&C / C&A – formal proof -> residual risks -> cyber value proposition
+ KEY Compliance Activities – PII, PCI, HIPAA, etc
+ Forensics / Ethical hacker
+ Big Data / Predictive Analytics (integrate SCM / SIEM, IA/CND reports, etc.)
+ Pentesting / Security Testing (Recon, Enumeration, System Hack, Contingency Plan)
[Skill-level ladder: Apprentice – Sec+, SSCP; Journeyman – 5 yrs+, Sec+, CISSP; Master – 8 yrs+]
SMB Education Practicum
• Resiliency (General)
– Secure Back-up - Processes and Configuration
– Disaster Recovery Planning
– Incident Response
– Contingency Planning
• Ethics and Operating Limitations (General)
• Policy, Guidance and Training (General)
– Policy
– Guidance and SOPs
– Training
• Cybersecurity Toolkit (General)
– Windows based toolsets
– Linux Kali / Backtrack Installation
– Command Line Operations
• Network Mapping (General)
– Tools and Demos
– Documenting and Storage Tools
• Anti-Malware/Antivirus (General)
• Identification and Access Management (IdAM) (General)
– Passwords
– Access Control System Implementation
– Data at Rest
– VPN Set-up
• O/S Hardening (General)
– Microsoft Windows 7
– Microsoft Windows 8
– Linux
• Updating and Patching (General)
– Automatic Updating
– Test Environment
• Network Hardening (General)
– Firewalls
– Routers
– Wireless Routers
– IDS/IPS
– SIEMs
• Vulnerability Scanning (General)
– Nessus Scanner
– Retina Scanner
• Auditing (General)
• Cybersecurity Strategy (General)
– NIST Cybersecurity Framework
– Layered Defense (Defense-in-Depth)
– Data-Centric Security Concept
• Application Hardening (General)
– Website Hardening
– Software Hardening
– Database Hardening
• Portable Device Security (General)
– PDAs
– iOS Devices - iPads, iPhones
– Android – Phones, Tablets
– Bluetooth Security
• Compliance (General)
– SANS Top 20
– FIPS 199/200 - NIST SP 800-53
– STIG Implementation
• Cloud Security Essentials
– SLE Agreement Planning
– Application Testing
• Risk Management
– Risk Management Framework
Relating Cyber Needs, Top 20, and Education
Hierarchy of Needs | SANS Top 20 | SMB Education Practicum
1. Resiliency | 8. Data Recovery; 18. Incident Response | Data Recovery, Incident Response, Contingency Planning
2. Cyber Foundations | 12/15. Control Privileges; 14/16. Maint., Monitor, & Auditing; 17. Data Protection | IdAM, Cybersecurity Strategy, Security Policy, SIEM, Auditing, Toolkits, Risk Management (RMF)
3. Cyber Maintenance | 9. Training | Manage Policy, Guidance and Training (IT and Awareness), Patching & Updating
4. Applied Cybersecurity | 1-2. Inventory H/W S/W; 3. Secure Configs H/W S/W; 4. Vulnerability Assessment; 5. Malware Defenses; 6. Application Software Security; 7. Wireless; 10-11. Secure CM Network Limits; 13. Boundary Defense | Network mapping, A/V, O/S Hardening, Network Hardening (Firewalls, Routers, Wireless, IDS/IPS, SIEMS), Vulnerability Scanning
5. Cyber Actualization | 19. Secure Network Engineering; 20. Penetration Testing | Basic Pentesting, Ethics and Operating Limitations, Cybersecurity Strategy
The Cyber Integrated ED Package
“Bottom up” skills building approach to accommodate cyber SKILLS dependencies
Cyber Essentials Course for SMB
Developing security operators to fill the critical skills void.
[Weekly schedule, Mon–Fri, 0800–1600 with a lunch break: Cyber Overview, Resiliency, Foundations, Applied, Operations & Maintenance, Actualization & Review & skills test, then return to office; Security+ certification is a prerequisite]
SMB needs cyber operators! High volume & greatest need (Operations & Maintenance)
Also have a MSS, then manage the 95% vulnerabilities on site & know when to ask for help!
Module Design
Practicum Module Design
• Develop Self-Efficacy
– Limitations
– Critical Thinking
– Resourcing
• Leverage Internet
– Safe sites
– Clear the Fog
• Provide Insight
– Link to Salient Articles
• Demonstration Links
– Show “How and Why”
What it is Not
• A Training Tool for Certs
– Function and Concepts
– Not a Cram and Jam
• A Replacement for Trained
Personnel
– Designed for Security+
• A Recipe Book for Cyber
– Develops Chefs not Cooks
– Emphasizes “How to Think”
– Not the “What and Why”
• Stagnant
– Designed for change
Firewalls
SMB Education Practicum
Demonstration-based Module
Focus Elements
• Cybersecurity Perspective on:
– Function
– Operation
– Importance
– Variants
– Sources
– Considerations
– Avoidance
– Overview
– Step-by-step
– Output / Testing
– Analysis
– Documentation
– Troubleshooting
– Compliance
– Education
This is a demonstration-based module designed to provide practitioner-level instruction on the installation and implementation of various firewalls from a cybersecurity perspective.
Introduction
Function
• Firewalls simply refer to the group of components and software that serve as the fundamental barriers between internal network layers and external networks or the internet.
• Multiple types of firewalls exist and have varying qualities based on their type, location, and setting.
– Hardware based firewalls (Appliance)
• Advantage: usually faster and can handle larger throughput
• Disadvantage: set hardware may limit the number of interfaces it can include
– Software based firewalls (Client)
• Advantage: supports a flexible number of NICs that can easily be added to the server running the software
• Disadvantage: possible configuration problems, memory limitations, disk space requirements, and number of CPUs supported
– Host-based Firewalls - like Windows Firewall with Advanced Security protect a singular host through the OS.
– Network Perimeter Firewalls – refer to those firewalls which are placed throughout a network or on various components such as proxy servers and bastion hosts
Operation
• Operation
– Firewalls serve in a gatekeeping function filtering data packets based on IP addressing, port, protocol or connection state.
• Although routers can be set to perform the similar actions restricting traffic based on source IP address and destination IP address, a firewall is specifically designed as a network protection system with more security features
– Firewalls filter in accordance with rules set individually or as a part of a pre-programmed security setting using various technologies:
• Network Address Translation (NAT) – private internal addresses are mapped to public external IP addresses, thereby masking the internal infrastructure and preventing attack. NAT facilitates Virtual Private Network gateway functionality, providing IPsec authentication and encryption for network traffic to traverse the firewall
• Access lists – operate similar to router access lists that filter incoming and outgoing IP addresses, ports or services in accordance with a prescribed rule set
• Packet Filtering – screening function based on protocol type, IP address and TCP/UDP port information located in the packet header
• Stateful Packet Inspection – an anomaly recognition feature that compares the state of a given connection's activity against the traffic expected in an established two-way session
• Application layer inspection – refers to an application-aware firewall that detects when activity is incongruent with a particular application's port, protocol or previously established session. Incoming packets that enter a network via one port with corresponding outgoing packets on another port typically indicate adverse activity.
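Added illustration (not from the presentation): a small Python model contrasting the header-only packet filtering and the stateful inspection just described. The addresses, ports and the single published service on TCP/80 are assumptions made for the demonstration.

```python
# Added illustration, not from the presentation: a toy filter contrasting
# header-only (stateless) screening with stateful inspection.
# All addresses, ports and rules below are constructed assumptions.
from __future__ import annotations
from dataclasses import dataclass

PUBLISHED_PORT = 80          # assumed: the one inbound service the rule set permits


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str       # TCP flags as letters, e.g. "S", "SA", "A"
    direction: str   # "in" arrives from the internet, "out" leaves the internal net


def stateless_filter(pkt: Packet) -> str:
    """Packet Filtering: decide from header fields alone.

    A stateless device keeps no memory of sessions, so it must assume that
    any inbound packet lacking a lone SYN is a reply to something the inside
    sent. That assumption is the gap stateful inspection closes.
    """
    if pkt.direction == "out":
        return "ALLOW"
    if pkt.dport == PUBLISHED_PORT:
        return "ALLOW"
    if pkt.flags != "S":
        return "ALLOW"           # assumed-established: no way to verify
    return "DROP"


class StatefulFilter:
    """Stateful Packet Inspection: admit inbound traffic only when it matches
    an expected two-way session that an internal host initiated."""

    def __init__(self) -> None:
        # (internal ip, internal port, remote ip, remote port) of tracked sessions
        self.sessions = set()

    def check(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            if "S" in pkt.flags:                       # new outbound connection
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        if pkt.dport == PUBLISHED_PORT:
            return "ALLOW"
        expected = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ALLOW" if expected in self.sessions else "DROP"


def run(packets: list[Packet]) -> list[tuple[str, str]]:
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    stateful = StatefulFilter()
    return [(stateless_filter(p), stateful.check(p)) for p in packets]


# Constructed traffic sample: one legitimate outbound session, then two
# unsolicited inbound packets aimed at an internal host's RDP port.
SAMPLE = [
    Packet("192.168.1.10", "198.51.100.7", 51000, 443, "S", "out"),   # inside opens HTTPS
    Packet("198.51.100.7", "192.168.1.10", 443, 51000, "SA", "in"),   # the expected reply
    Packet("203.0.113.5", "192.168.1.10", 40000, 3389, "S", "in"),    # unsolicited SYN
    Packet("203.0.113.5", "192.168.1.10", 40000, 3389, "A", "in"),    # unsolicited non-SYN
]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(SAMPLE, run(SAMPLE)):
        print(f"{pkt.direction:>3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"[{pkt.flags}]  stateless={stateless}  stateful={stateful}")
```

The last sample packet is the instructive one: the header-only filter admits it because it is not a bare SYN, while the stateful filter drops it because no tracked session expects it.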
Importance
• Host-based firewalls and network perimeter firewalls (typically appliance firewalls) formulate the fundamental barrier protection that segregates layers of a network and the individual hosts from one another or the external internet.
• Firewalls are located at central connections between networks and the internet.
• Firewall types, locations and settings should not be determined by practitioners but by network planners and information security system planners
Variants
• Firewall Types and Placement:
– Host-based Firewalls - are firewalls that reside within a particular PC or workstation
– Proxy servers – are servers set outside of an internal network with increased hardening and decreased functionality that specifically only serve to access the internet or another network layer
– De-militarized Zones- where servers and hosts are dual-barricaded within a layer between an outside firewall and another internal firewall protecting an interior network layer
– Routers - can be set to perform firewall filtering-like functions
– Bastion hosts - where one host, typically well-hardened with significantly reduced functionality, serves as a go between to an outer zone or the internet
Sources
• Modern commercial firewall software is typically a suite of products – Antivirus, Anti-malware tools and anti-phishing
• Searches for client firewalls yield dozens of free or proprietary software packages
– Top-rated client firewalls for 2014 include (range from $19.99-$59.99):
• Norton Internet Security
• McAfee
• eScan Internet Security
• Bitdefender Internet Security
• Kaspersky Internet Security
• Panda Internet Security
– Top-rated free firewall
• ZoneAlarm
Considerations
Before starting:
• Ensure permission is granted before making any firewall setting changes
• Practitioners often update or implement firewalls only by direction
– An understanding of the network security need required is essential
• Obtain copy of ruleset spreadsheet and remember to update
– Utilization of a network map and identification of key software applications that will need to be accounted for or configured to be compatible with any new firewall
• Determine which port numbers will be affected and need to change
• Don’t forget to open up any firewall ports that you modified so traffic can flow
– Newer software will automatically do this
• Legacy software or hardware may require updating
– Modify any product-side settings to be sure all software applications are functional
• Larger networks have licensing servers or proxy servers critical to software in use
Avoidances
• Potential hazards we must avoid or be wary of:
– Settings incompatible with legacy software applications/hardware
– Too restrictive of settings preventing appropriate access or slowing system
– Passcode requirements not documented or secure enough (if applicable)
– Forgetting to re-boot the system after installation or adjustment prior to test
– Before starting, disable all firewalls on your machine, including the Windows 7 firewall.
• Ramifications / implications for error
– Complete lockout from firmware or software with improper passcode
– Network failure/degradation due to restriction on network traffic
– System freeze or lock-up if changing settings while active
• Documentation Hazards:
– Failure to properly record changes, password, settings
– Use of confusing entries resulting in other practitioner error or bad configuration data
• Potential for error / degree of damage
– High / low but must be fixed to allow functionality
Overview
1. Gather all research data, any directives or policy information, specific directions, network locations, hardware and software components and determine scope of activity.
2. Choose security settings based on all available data
3. Create, modify or delete any rules that are necessary to meet the necessary requirements
4. Enable logging to view any denied incoming connections
5. Ensure the firewall is enabled
6. Perform testing to determine if firewall implementation meets the intended goal
7. Document activity in personal IT Logbook and required IT Department documentation or work execution log
Demo: Step-by-step
• Due to the prevalence of Windows Firewalls and the clarity of the system interface we will demonstrate with Windows 7 – Advanced Firewall
• To get to the firewall settings select:
– Windows 7
• Start => Control Panel => Systems and Security => Windows Firewall
– Windows 8
• Settings => Control Panel => Systems and Security => Windows Firewall
Note: remember to disable any firewall software currently in place in order to execute any changes. Popular programs such as Norton and McAfee actively manage the Windows Firewall as part of their operation.
Output / Testing
• Client firewall software utilizes dashboards that indicate firewall status
• Vulnerability scan and network scanning tools are available
• Gibson Research Corporation offers a wide array of testing applications
– In this case ShieldsUP! is highly recommended:
– https://www.grc.com/x/ne.dll?bh0bkyd2
Analysis
• How do you validate that the system is going to meet the objective?
– Testing of the firewall is essential to ensure it is functioning properly
• Validate for both incoming and outgoing traffic
• Attempt access in direct relation to the rule put in place
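As an added example (written here, not part of the presentation), the following Python script parses the W3C-style log that Windows Firewall writes when logging of dropped packets is enabled (step 4 of the overview) and checks that a rule under test produced the expected verdict (step 6 and the validation above). The log excerpt, addresses and port numbers are constructed.

```python
# Added example, not from the presentation: analyse Windows Firewall's
# pfirewall.log (W3C extended format) and confirm a rule's observed verdict.
# The log excerpt, addresses and ports below are constructed for illustration.
from __future__ import annotations
from collections import Counter

# Constructed sample: header in the layout Windows writes, then five entries.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2014-12-16 14:30:01 DROP TCP 203.0.113.5 192.168.1.10 51234 3389 52 S 1234567 0 8192 - - - RECEIVE
2014-12-16 14:30:05 DROP TCP 203.0.113.5 192.168.1.10 51235 3389 52 S 1234570 0 8192 - - - RECEIVE
2014-12-16 14:30:09 DROP UDP 192.168.1.33 192.168.1.10 137 137 78 - - - - - - - RECEIVE
2014-12-16 14:30:12 ALLOW TCP 192.168.1.10 198.51.100.7 50011 443 0 - 0 0 0 - - - SEND
2014-12-16 14:30:20 DROP TCP 192.168.1.10 198.51.100.9 50012 23 52 S 1234580 0 8192 - - - SEND
"""


def parse_firewall_log(text: str) -> list[dict[str, str]]:
    """Return one dict per entry, keyed by the names in the '#Fields:' header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):          # skip truncated lines
                records.append(dict(zip(fields, values)))
    return records


def dropped_summary(records):
    """Count DROP entries per (path, protocol, dst-port): a quick view of
    which denied connections the log is showing (inbound path is RECEIVE)."""
    return Counter((r["path"], r["protocol"], r["dst-port"])
                   for r in records if r["action"] == "DROP")


def verify_rule(records, path, protocol, port, expected):
    """Testing step: after attempting traffic that targets a specific rule,
    confirm every matching log entry carries the verdict the rule should give.
    Returns False when no matching entry exists at all (nothing to verify)."""
    hits = [r for r in records
            if r["path"] == path and r["protocol"] == protocol
            and r["dst-port"] == str(port)]
    return bool(hits) and all(r["action"] == expected for r in hits)


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_LOG)
    for key, n in dropped_summary(recs).most_common():
        print(f"{n:3d} dropped  path={key[0]} proto={key[1]} dst-port={key[2]}")
    # Rule under test (assumed): inbound TCP/3389 must be blocked.
    print("inbound RDP block verified:", verify_rule(recs, "RECEIVE", "TCP", 3389, "DROP"))
```

Point the parser at the real log file (by default %systemroot%\system32\LogFiles\Firewall\pfirewall.log) after the test connection in the validation step, and the verify result becomes the entry recorded in the logbook.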
Documentation
• Personal Logbook: Date, Time, Name, Contact Info and Page #
– Activity, Name/Location, Task Source, and Actions taken
• Activity: Verify Win 7 Firewall rules set IAW new security plan
• N/L: Asset FD00123; Front Desk Reception
• Task: Email dtd 10Dec14, D. Johnson directed
• Completed: check and verified all rules IAW with email
– Changed rule XXX to XXX. Verified function @ 1430 on 16Dec14. Updated in IT log 1282 p.4
• Departmental Logging of Firewall installations and updates:
– Firewall rules for firewalls other than host firewalls should be documented thoroughly on a spreadsheet to include not only all the rules but the NAT translations as well. Old rules should be removed
– Network diagram shape for a firewall is a hexagon
– Include hostname, management IP, and device model
Troubleshooting
• Utilize vendor proprietary troubleshooting guides:
– Windows Firewall 7 – advanced:
• http://technet.microsoft.com/en-us/library/cc749386(v=ws.10).aspx
Compliance / Best Practices
• Government:
– NIST SP 800-41 Revision 1: Guidelines on Firewalls and Firewall Policy
• http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf
• Industry:
– Microsoft Forefront website
• http://technet.microsoft.com/en-us/library/cc995156.aspx
Education
• Furthering your education
– Online sources of reputable instruction:
• https://www.paloaltonetworks.com/services/education.html
• http://www.firewall.cx
– Certifications related to topic
• No general certification – proprietary-based installation cert
– Practice websites related to topic
• None
• Books related to the topic:
Stewart, J (2013) Network Security, Firewalls and VPNs.
ISBN-13: 978-1284031676 / ISBN-10: 1284031675