
HOW TO BE A ONE MAN SECURITY TEAM Frahm - One Man... · SpiceWorks – All in one tool box (ITIL pieces, SIEM can run on a desktop) Security Onion Network Security Monitoring on Linux


HOW TO BE A ONE MAN SECURITY TEAM

SMALL BUDGET - HIGH RESPONSIBILITY


THE THREAT IS REAL REGARDLESS OF SIZE

Some organizations have higher threat due to size, type of business, or social profile.

US Government

Brand Names (McDonald's, Nike, Bayer)

Healthcare

CPA Firms

CC Processors/Banks

Small Companies (considered vulnerable)

Home Users

Your webcam and other IoT devices (home wireless, networked children's toys)


COMPLIANCE REQUIREMENTS ARE THE SAME REGARDLESS OF ORGANIZATIONAL SIZE

FISMA/NIST 800-53 (462 pages with hundreds of required policies and procedures, followed by a Risk Assessment and a POA&M). Note: NIST 800-53 R5 may be a big game changer because it sheds the Feds-only scope and adds privacy.

PCI Report Of Compliance Template (191 Pages)

HIPAA (42 Security Standards not including having to do Addressable Risk Assessments)


THE IMPOSSIBLE DREAM

Some organizations are really just too small and can only implement and maintain pieces.

Small independent Dental/Medical Office/Small business


SO HOW TO BE A ONE MAN SECURITY TEAM

Inventory your environment and break the data down into Public, Sensitive, Confidential (PII/PHI), and Top Secret – this helps with DR/BC planning later.

Determine Security Level (High/Moderate/Low)

Create a security dashboard

Create a security management program (SMP)

Policies and Procedures

The tools: you have to have tools, even on a limited budget.

Documentation!


DATA BREAKDOWN


SECURITY LEVELS - RISK

Low – Everyone has equal access rights, no change control, and a level of brand damage. (small web development firm)

Moderate – Organization where they may experience large financial loss, go out of business, brand damage, and people may wish that they had died. (most companies)

High – Someone can die. (medical systems, dams, nuclear weapons, etc.)


DAILY SECURITY DASHBOARD LOG BOOK INCLUDES SOME WEEKLY ITEMS

Network Outages

Global Security – securitynewswire.com/SecurityFocus.com

Desktop Maintenance

CCTV motion detect emails and server closet temp (webcams)

IPS/IDS Reviews - Attacks

SIEM Reviews

Email Reviews - DLP, high users, and Spam

Bandwidth check and high users

New Software/Hardware detection and review

Other – FTP, RSA, USB

Public Website Check

Last photo of the day

Building maintenance – checking thermostat

Sign-in sheet replacement?
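As an added example (not from the original slides), two of the daily dashboard items above, "New Software/Hardware detection" and the failed-login part of the SIEM/IDS review, run over constructed inventory snapshots and constructed sshd log lines and summarised as one plain-text log book entry. The hostnames, MACs, IPs and the threshold of 3 are assumptions for illustration.

```python
import re
from datetime import date

# Constructed inventory snapshots (hostname -> MAC), the way a tool such as
# Spiceworks or Netscan might export them on two consecutive days.
YESTERDAY = {"dc01": "00:11:22:33:44:01", "ws-lab-07": "00:11:22:33:44:07"}
TODAY = {"dc01": "00:11:22:33:44:01", "ws-lab-07": "00:11:22:33:44:07",
         "unknown-2a9f": "de:ad:be:ef:2a:9f"}

# Constructed Linux auth log lines in the common sshd format.
AUTH_LOG = """\
Mar  3 08:01:12 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 50222 ssh2
Mar  3 08:01:15 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 50223 ssh2
Mar  3 08:02:40 web01 sshd[2240]: Accepted publickey for deploy from 198.51.100.4 port 41010 ssh2
Mar  3 08:05:01 web01 sshd[2301]: Failed password for invalid user admin from 203.0.113.9 port 50301 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")


def new_nodes(previous, current):
    """Hosts seen today that are new, or whose MAC changed since yesterday."""
    return sorted(h for h, mac in current.items() if previous.get(h) != mac)


def failed_logins(log_text, threshold=3):
    """Count failed logins per source IP and flag sources at or above threshold."""
    counts = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] = counts.get(m.group(2), 0) + 1
    flagged = sorted(ip for ip, n in counts.items() if n >= threshold)
    return counts, flagged


def dashboard_entry(previous, current, log_text, day=None):
    """One plain-text log book entry of the kind a one-person team files daily."""
    day = day or date.today().isoformat()
    counts, flagged = failed_logins(log_text)
    lines = [f"{day} DAILY SECURITY DASHBOARD",
             f"New/changed nodes: {', '.join(new_nodes(previous, current)) or 'none'}",
             f"Failed logins by source: {counts or 'none'}",
             f"Sources over threshold (review): {', '.join(flagged) or 'none'}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(dashboard_entry(YESTERDAY, TODAY, AUTH_LOG))
```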


SAMPLE DAILY SECURITY DASHBOARD


SECURITY MANAGEMENT PROGRAM

IT COMES FROM COMPLIANCE AND GENERAL SECURITY REQUIREMENTS


SAMPLE SMP TASK

It can also just be a simple routine security task in plain text, scheduled weekly, every 14 days, 30 days, 90 days, 6 months, or a year.


COMPLIANCE MAY DICTATE POLICIES AND PROCEDURES

(FISMA?)

Normally, your Access Control Policy and Procedure will address all appropriate control items

Note: Low, Moderate, and High levels


COMPLIANCE MAY DICTATE POLICIES AND PROCEDURES

(FISMA?)

Note: Purpose, Scope, etc. in both sections


LIST OF FREE TOOLS

SpiceWorks – All-in-one tool box (ITIL pieces; the SIEM can run on a desktop)

Security Onion – Network Security Monitoring on Linux (VMware or stand-alone Linux)

ManageEngine (Windows app) – 5 free nodes; SIEM and log analysis

AlienVault OSSIM – SIEM, scanner, event manager, and more (VMware or stand-alone Linux)

OSSEC – IDS agent that reports to Security Onion or OSSIM

OpenDNS – Internet access control, i.e. blocking porn, Facebook, etc.

Netscan (freeware version) – General node scans, remote login, uptimes, software info, access to drives (no graphics)

Splunk Free or Splunk Light (low $) is also a good solution to look at


SPICEWORKS

DON’T BET YOUR LIFE ON IT: NOT 100% ACCURATE, BOUNCES, FREQUENT REBOOTS NEEDED

Has many ITIL Elements

Hardware/Software Inventory Enterprise and Machine - Not 100%

Help Desk Ticket System

SIEM of Network and individual Windows Systems – Event Consolidation

Reports systems offline, alerts, software added, and a lame IDS

Many reports like USB reports and bandwidth

Reports critical and important updates (news)

Consolidates data from multiple instances on multiple networks

Has constant popup ads (risk) and database problems

Detailed information about nodes, including last login, hard drive space, purchase dates, uptimes, model information, etc.

Runs on Windows


SPICEWORKS


SECURITY ONION - SHOULD YOU BUY SNORT?

SEVERAL GOOD TOOLS

Supports OSSEC


MANAGEENGINE - 5 NODES FREE PER SEGMENT

Great for monitoring databases and OWA

Runs on Windows


ALIENVAULT OSSIM

Noisy network vulnerability scans, and a possible replacement if you don’t have money for Nessus

Learning curve is high


OSSEC - GREAT TOOL

• Agent runs on servers and desktops
• Some machines like AD are very noisy
• Notifies of system changes
• Notifies of failed logins
• Rule sets can be changed to look for specific file changes
• Sends alerts to programs like Security Onion, which then sends email
• Good for PCI on a budget


DOCUMENTATION - IF YOU DON’T DOCUMENT IT, IT NEVER HAPPENED!

Find a network drive

If possible, set up an encrypted audit server with lots of disk space

Choose the main compliance standard you need to follow like FISMA or HIPAA

Set up a file structure related to the compliance standard

Only you, the auditor, have access to the files


EXAMPLE OF FILE STRUCTURE FOR HIPAA


INFORMATION SYSTEM ACTIVITY REVIEW §164.308(a)(1)(ii)(D)

Media wiping documentation, photographed with a cell phone


SUMMARY

Threat is constant

Compliance requirements are constant

Some organizations can only implement small pieces

Data Classification -> Security Levels

Security Dashboard, SMP, Compliance/Policies - Procedures

Free Tools

Documentation