SANS 20 Security Controls

Casey Wimmer
Security Capstone 2330 01
Pine Technical and Community College
May 9, 2016

In this paper I am going to talk about the 20 SANS Critical Security Controls. The controls are Inventory of Authorized and Unauthorized Devices; Inventory of Authorized and Unauthorized Software; Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers; Continuous Vulnerability Assessment and Remediation; Inventory of Application Software Security; Wireless Access Control; Data Recovery Capability; Security Skills Assessment and Appropriate Training to Fill Gaps; Secure Configurations for Network Devices; Limitation and Control of Network Ports, Protocols, and Services; Controlled Use of Administrative Privileges; Boundary Defense; Maintenance, Monitoring, and Analysis of Audit Logs; Controlled Access Based on the Need to Know; Account Monitoring and Control; Data Protection; Incident Response and Management; Secure Network Engineering; and Penetration Tests and Red Team Exercises. These controls cover taking inventory, tracking, correcting, acquiring, accessing and taking action, as well as the installation, spread and execution of malicious code. I am also going to talk about how the controls are used in a business setting, from quick wins to more advanced ways to make one's systems safe. As technology grows, black hats and some of the gray hats will become more advanced in their hacking, so as a cyber-world we need to become more advanced and aware of how our networks are set up and how much we should lock down systems to keep our information safe while meeting the needs of the business.

The first control is Inventory of Authorized and Unauthorized Devices. There are several tools that help one keep an inventory of devices: Dynamic Host Configuration Protocol (DHCP) server logging, automated asset inventory tools, an asset inventory database, an inventory of information assets, network level authentication (802.1x), network access control, and client certificates. There are also tools that help one keep track of devices, namely client certificates and DHCP server logging. After performing inventory and tracking of devices and users, one can make the proper corrections to one's network.

One of the tools that is used most often is DHCP server logging. When one looks at DHCP server logs, there are fields that one will have to examine: the identification (ID), date, time, description, IP address, host name and Media Access Control (MAC) address fields. The ID is the DHCP server event code, the date is when the entry was logged, the time is when the entry was logged, the description is what the entry was about, the IP address is the IP address of the client, the host name is the name of the client, and the MAC address is the address attached to the network adapter hardware of the client. This log helps one keep track of what events are happening. Another good tool is an automated asset inventory tool. This tool helps one build a preliminary asset inventory of everything connected to the networks. There are active tools and passive tools. The active tools scan the network ranges; some examples of active tools are Wireshark and Network Mapper (Nmap). Passive tools identify hosts by looking at their traffic; some examples are firewalls, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS).
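The DHCP log fields described above can be turned directly into a device inventory check. The following is an added example, not code from the paper; the log lines and the authorized-asset list are constructed, and the comma-separated field order (ID, Date, Time, Description, IP Address, Host Name, MAC Address) is assumed to follow the fields the paper lists.

```python
"""Build a device inventory from DHCP server log entries and flag hosts that are
not in the authorized-asset inventory (added example; sample data is constructed)."""
import csv
from dataclasses import dataclass
from io import StringIO

# Constructed sample DHCP server log. The event IDs and descriptions are only
# labels for this example, not a claim about any particular DHCP server's codes.
SAMPLE_DHCP_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,05/09/16,08:01:12,Assign,10.0.5.21,ws-finance-01.corp.example,00-1A-2B-3C-4D-5E
11,05/09/16,08:03:40,Renew,10.0.5.22,ws-hr-02.corp.example,00-1A-2B-3C-4D-5F
10,05/09/16,08:17:03,Assign,10.0.5.77,android-7f3c,AA-BB-CC-11-22-33
10,05/09/16,08:20:55,Assign,10.0.5.78,,AA-BB-CC-44-55-66
"""

# Constructed authorized-asset inventory, keyed by normalized MAC address.
AUTHORIZED_ASSETS = {
    "00:1a:2b:3c:4d:5e": "ws-finance-01",
    "00:1a:2b:3c:4d:5f": "ws-hr-02",
}


@dataclass(frozen=True)
class DhcpEvent:
    event_id: int
    date: str
    time: str
    description: str
    ip: str
    host: str
    mac: str


def normalize_mac(raw: str) -> str:
    """Canonical lowercase colon-separated form, so '00-1A-..' and '001a..' compare equal."""
    hexdigits = "".join(ch for ch in raw.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_dhcp_log(text: str) -> list[DhcpEvent]:
    """Parse the CSV entries; rows with a bad ID or MAC are skipped instead of aborting."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        try:
            events.append(DhcpEvent(
                event_id=int(row["ID"]),
                date=row["Date"],
                time=row["Time"],
                description=row["Description"],
                ip=row["IP Address"],
                host=row["Host Name"] or "<no hostname>",
                mac=normalize_mac(row["MAC Address"]),
            ))
        except (KeyError, ValueError):
            continue
    return events


def reconcile(events, authorized):
    """Split the devices seen in the log into authorized and unknown, keeping the latest event per MAC."""
    seen = {}
    for ev in events:
        seen[ev.mac] = ev  # later entries overwrite earlier ones
    known = {m: e for m, e in seen.items() if m in authorized}
    unknown = {m: e for m, e in seen.items() if m not in authorized}
    return known, unknown


def report(text=SAMPLE_DHCP_LOG, authorized=AUTHORIZED_ASSETS):
    """Return the known and unknown device maps plus one alert line per unknown device."""
    known, unknown = reconcile(parse_dhcp_log(text), authorized)
    lines = [f"UNAUTHORIZED {mac} {ev.ip} {ev.host} last seen {ev.date} {ev.time}"
             for mac, ev in sorted(unknown.items())]
    return known, unknown, lines


if __name__ == "__main__":
    print("\n".join(report()[2]))
```

Devices that lease an address but are absent from the inventory are exactly the "unauthorized devices" the control is about; the alert lines are what one would feed to the correction step.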

Most tools can help one keep track and take inventory. One of the best tracking tools is Network Access Control (NAC). NAC monitors authorized systems, so when an attack occurs the affected system can be moved to a separate Virtual Local Area Network (VLAN) that has minimal access, so it will do minimal damage to the network. A good way to help secure one's network is to hand out client certificates. The certificates are issued through a Certificate Authority (CA). The certificates verify and authenticate devices before they connect to the network.

The second control is Inventory of Authorized and Unauthorized Software. There are plenty of things one can do to help with inventorying software. A good quick way is to utilize whitelisting technology. The whitelist is an inventory list of software on the network or systems; these are also called anti-virus suites. When software tries to run, the whitelist will check whether it is on the list, and if it is not on the list, it will kill it and not let it run until it is on the list. One can get whitelist technology from outside vendors, and this technology can be expensive. A few examples of whitelist technology are Avast and McAfee. Those are a few of the common ones that we use every day, but for a business setting one will want to use the more advanced ones. Another quick way to keep inventory of software is to use file integrity checking tools. These tools check whether the software has been tampered with or changed. This helps one make a list of the software on all systems, as well as the versions being used. An example of a file integrity checking tool is Syscheck. The tool will make a list of the software being used on the servers, workstations, and laptops on the network. The last quick win is using a strict change-control process. This process is used to control changes to or installation of software on any system on the network. Also, the strict change-control process checks for unrecognized binaries. The binaries include Executable Files (.exe), Dynamic Link Libraries (DLL) and more. It will also check folders and files that are compressed. The way it checks is by using the file hash values that it has stored in its inventory lists.

A more developed way to inventory is to use software inventory tools. This tool makes a list of the operating systems, servers, workstations, and laptops in use on the network. The tool will record the type of software, version number and patch level. The software inventory tool will check the versions and applications installed on the systems and network. Also, one can integrate the software and hardware asset inventory lists into one location. That one location is where all the hardware and software will be tracked from. Another way that is better than the quick wins is to track and/or block all dangerous file types. Some of those file types are .exe, Compressed (.zip) and Microsoft Installer (.msi) files. Another way is to use virtual machines and air-gapped systems to run applications for the business. An air-gapped system is a separate environment that is off one's network and is used to run software. If an application is higher risk, it should never be installed on the network; it should be installed on an air-gapped system.

For a business setting, make sure client workstations have non-persistent, virtualized operating environments. This will help one restore them more quickly and easily with less down time. This way one will have a trusted snapshot that one can restore them to periodically. This will reduce the risk of spreading dangerous software that might have dangerous code or files attached to it. Deploy software that will sign software ID tags. A software ID tag is an Extensible Markup Language (XML) file that is put with software to identify what software it is. This will help provide a list that can be used for the software inventory list and asset management. There are some solutions that commercial vendors put together. Some of these solutions are anti-spyware, personal firewalls, and host IDSs and IPSs. One is able to get some of these products for free, but if one wants the best of the best, one will have to spend a little money to get good protection for one's network. Gray lists define the rules for execution of specific programs. One can do this by allowing only certain users and certain times of the day for the programs to run. This is a good way to keep unnecessary applications from running on the network. If one leaves applications running, it can bog down one's systems and make them run slow. Also, one can use whitelists. Whitelists can be customized by using the application's executable path, hash, or regular expression matching.
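The hash-based file integrity check from the quick wins and the path/hash/regex whitelist rules just described can be shown together in one small check. This is an added example, not code from the paper or from any product it names; the files, their contents and the three rules are constructed in a temporary directory, and the (kind, value) rule shape is an assumption for illustration.

```python
"""Application whitelist decision by executable path, SHA-256 hash, or regular
expression, plus a baseline-vs-current integrity diff (added example; all sample
files and rules are constructed)."""
import hashlib
import os
import re
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_inventory(root: Path) -> dict[str, str]:
    """Map every file under root (relative, '/'-separated) to its SHA-256: the integrity baseline."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def is_allowed(rel_path: str, digest: str, rules: list[tuple[str, str]]) -> bool:
    """Rules are (kind, value) with kind 'path', 'hash' or 'regex'; any match allows execution."""
    for kind, value in rules:
        if kind == "path" and rel_path == value:
            return True
        if kind == "hash" and digest == value:
            return True
        if kind == "regex" and re.fullmatch(value, rel_path):
            return True
    return False


def evaluate(root: Path, rules) -> dict[str, bool]:
    """Decide, for every file currently under root, whether the whitelist would let it run."""
    return {p: is_allowed(p, d, rules) for p, d in build_inventory(root).items()}


def diff_inventory(baseline, current):
    """Files whose hash changed since the baseline (tampered or updated) and files that appeared."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    return changed, added


def demo() -> tuple[dict[str, bool], list[str], list[str]]:
    """Constructed scenario: three files, three rules, then one tampered file and one new file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "approved.exe").write_bytes(b"approved build 1.0")
        (root / "bin" / "tool.exe").write_bytes(b"signed vendor tool")
        (root / "downloads").mkdir()
        (root / "downloads" / "unknown.exe").write_bytes(b"something a user downloaded")
        baseline = build_inventory(root)
        rules = [
            ("hash", baseline["bin/approved.exe"]),  # pinned by content
            ("path", "bin/tool.exe"),                # pinned by location only
            ("regex", r"bin/[a-z]+\.dll"),           # any lowercase DLL under bin/
        ]
        # Simulate tampering with the path-allowed binary and a new file appearing.
        (root / "bin" / "tool.exe").write_bytes(b"replaced contents")
        (root / "bin" / "helper.dll").write_bytes(b"dll")
        current = build_inventory(root)
        changed, added = diff_inventory(baseline, current)
        # Note: the path rule still allows the modified tool.exe; only the hash
        # diff notices the change, which is why the two checks belong together.
        return evaluate(root, rules), changed, added


if __name__ == "__main__":
    decisions, changed, added = demo()
    print(decisions, changed, added)
```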

Control three is Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers. When one is doing this, make sure to use a standard secure configuration for all OSs. Also, make sure one hardens all versions and applications on one's systems to make sure there are no security concerns or vulnerabilities. A few good ideas to help harden one's system are to remove unnecessary accounts, including service accounts; disable or remove services that do not need to be running; and configure non-executable stacks and heaps. Heaps are where dynamically allocated variables are found, and stacks are where local variables, function parameters, and other related functions can be found. Also, it's a good idea to obtain patches and apply them to one's system; make sure ports that are not being used are closed or disabled, and if a port is open but only used some of the time, one can still close it and open it when it needs to be used; put an IDS and/or IPS on one's system; and install host-based firewalls. Another thing one should do is make sure one's firewalls are validated and refreshed daily, so that one prevents attacks and vulnerabilities and keeps one's security up to date.

Also, one can put in automated patch tools to help make sure the patches for applications and one's system are applied. Sometimes this can be a bad thing because it can interrupt business functions, so make sure the patches are good for one's system. If a patch is interrupting business production, take a look at the patch and see if one can make the correction a different way, without using the patch. Most of these patches will be coming for applications and OS software. When an application or OS software is outdated, older, unused or can no longer be patched, make sure one removes it or updates it, so it will not be a security concern or create vulnerabilities. Try to limit administrative privileges to a few users who have the knowledge to modify the configuration and apply it to the systems. This will help prevent people from changing the configurations and creating problems and vulnerabilities on the systems and network. Make sure one follows the strict configuration that one builds. When one builds an image, make sure it is secure. This will help prevent attacks, and when a system is compromised, it should be re-imaged with the secure build that one has created. After one has created secure images, make sure one stores the master on a server that is configured securely and is offline and air-gapped from one's system and production network. Copy images to secure media that can be moved between the image storage and the production network. One can use a USB drive or a portable hard drive.

A good way to help keep the system secure is to buy systems that can be configured securely out of the box using standardized images. This will help avoid software that one does not need, decrease the attack surface and decrease vulnerabilities on the systems and devices. When remote administration of servers, workstations, network devices and similar equipment is being used on one's network, make sure to put it on secure channels because of the security risk. When choosing channels, do not use telnet, Virtual Network Computing (VNC) or RDP, to name just a few, because they have low-level encryption. A good tool to have is a file integrity checking tool. These tools check whether the system's critical files have been altered or tampered with. Also, these tools can show suspicious changes to the system. They will show one the owner and the permissions that have changed on files or directories. Another good thing about these tools is that they will show one any extra files that are on the system. If there are extra files on the system, it can mean that there is a malicious file on the system or someone has hacked the system and created the files, which in turn would create a security concern.

It's a good idea to apply and test an automated configuration monitoring system. This will measure all the secure configurations by using remote testing. An example of this tool is the Security Content Automation Protocol (SCAP). SCAP will alert one when unauthorized changes have happened on the system. Another good tool to have is a system configuration management tool. These tools will enforce and redeploy the configuration settings at a time and date one inputs into the tool when configuring it. A few examples are a tool from Microsoft called Active Directory Group Policy Objects and a tool for Unix called Puppet.

A good quick way to check the system for vulnerabilities is to put in automated vulnerability scanning tools. When one sets this tool up, one can configure it so that the tool will scan the system on a daily or weekly basis, and one can put together a list of the most crucial vulnerabilities. This tool will rate the vulnerabilities on risk and produce risk scores for them. When one uses this tool, make sure one uses SCAP. SCAP looks for code-based and configuration-based vulnerabilities on the system. If one brings the older scan and the new scan together, one will be able to see whether a vulnerability has been fixed. To achieve this, one will have to reach two goals: make sure the scans make logs as they scan the system, and make sure one combines the older and newer scans. When one is setting up these scans, make sure one puts them in authenticated mode when they run. Authenticated mode means that one has authorized the software, applications or files to run. Also, make sure to put agents that run locally on the endpoint systems to check the security configurations, or one can put up remote scanners that have administrative rights. Make sure that only authorized people have access to the vulnerability management user interface. If one gives the wrong people access, it could create more vulnerabilities and security concerns, and production will go down in the company.
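Combining an older and a newer scan to see what was fixed, and ordering what remains by risk (the exploitability and potential impact the paper says to look at when deciding what to patch first), looks like this. It is an added example, not code from the paper or from any scanner: both scan result sets are constructed, the vulnerability identifiers are placeholders rather than real CVEs, and the risk formula is an assumed one for illustration.

```python
"""Compare two vulnerability scans (fixed / new / persisting findings) and rank
the current findings by an assumed risk score (added example; data is constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str            # placeholder identifier, not a real CVE
    severity: float         # 0-10 base severity as reported by the scanner
    exploit_available: bool  # exploitability: is a working exploit known?
    impact: str             # potential business impact: 'low', 'medium' or 'high'


IMPACT_WEIGHT = {"low": 0.5, "medium": 1.0, "high": 1.5}


def risk_score(f: Finding) -> float:
    """Assumed formula: severity, times 1.5 if an exploit exists, weighted by impact, capped at 10."""
    score = f.severity * (1.5 if f.exploit_available else 1.0) * IMPACT_WEIGHT[f.impact]
    return round(min(score, 10.0), 1)


def finding_key(f: Finding) -> tuple[str, str]:
    """A finding is the same finding across scans when host and vulnerability id match."""
    return (f.host, f.vuln_id)


def compare_scans(old, new):
    """Return (fixed, introduced, persisting) as sorted lists of (host, vuln_id) keys."""
    old_map = {finding_key(f): f for f in old}
    new_map = {finding_key(f): f for f in new}
    fixed = sorted(k for k in old_map if k not in new_map)
    introduced = sorted(k for k in new_map if k not in old_map)
    persisting = sorted(k for k in new_map if k in old_map)
    return fixed, introduced, persisting


def prioritized(new) -> list[Finding]:
    """Current findings, highest risk first; ties broken by host and id for a stable order."""
    return sorted(new, key=lambda f: (-risk_score(f), f.host, f.vuln_id))


# Constructed scan results: one finding was remediated, one appeared in between.
OLD_SCAN = [
    Finding("srv-01", "VULN-0001", 9.8, True, "high"),
    Finding("srv-01", "VULN-0002", 5.2, False, "low"),
    Finding("ws-07", "VULN-0003", 6.0, True, "medium"),
]
NEW_SCAN = [
    Finding("srv-01", "VULN-0002", 5.2, False, "low"),    # still present
    Finding("ws-07", "VULN-0003", 6.0, True, "medium"),   # still present
    Finding("ws-07", "VULN-0004", 6.2, False, "high"),    # new since the older scan
]


def report(old=OLD_SCAN, new=NEW_SCAN) -> list[str]:
    """Human-readable summary lines of the comparison and the patching order."""
    fixed, introduced, persisting = compare_scans(old, new)
    lines = [f"fixed: {len(fixed)}  new: {len(introduced)}  persisting: {len(persisting)}"]
    lines += [f"{risk_score(f):>4}  {f.host}  {f.vuln_id}" for f in prioritized(new)]
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```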

Regularly check into security intelligence services. Keep up on the emerging exposures that are released and make sure the vulnerability scanning tools are up to date on the organization's systems. A good way to keep up on the patches for one's system is to install automated patch management and software update tools. Make sure the tools are used for OS, software and application patches. Before pushing out the patches to the network, make sure to test them on a sandbox machine or in a test environment. The reason one does this is to make sure the patch will not affect the company's production and will not add any more vulnerabilities to the system and network. If the patches that run in the test environment break some of the applications, one will have to find another way to fix the vulnerabilities that the patch would have fixed without affecting business production. When one is patching or fixing vulnerabilities, make sure to patch or fix the high-risk ones first. To help determine this, look at the exploitability and potential impact. When one has a bunch of patches, make sure to test them first; then, when one is ready to push them out, make sure one rolls them out in phases. This will help minimize their impact on the company.

Control five is Malware Defenses. A good idea is to put in automated tools that will monitor servers, workstations and mobile devices with anti-virus software, anti-spyware software, personal firewalls and host-based IPSs. The detections that the software makes can be sent to anti-malware tools or event log servers. Another good thing to have on the system is anti-malware software. Anti-malware offers a cloud-based infrastructure that is remote and kept in sync with file reputation information, or the administrator manually pushes the updates to the network and all machines. Also, it will verify that all the machines and systems have received the signature update or updates. Make sure that one configures laptops, workstations, and servers so that they will not automatically run removable media that is inserted. Some examples of removable media are USB tokens, USB hard drives, CD/DVD, FireWire devices, external Serial Advanced Technology Attachment (eSATA) devices, and mounted network shares. When removable media is inserted, make sure the workstations, laptops and servers are set up to automatically run an anti-malware scan on the media. This will provide more security to the systems and help prevent malware and virus attacks.

Make sure to run software that will scan all email attachments for malicious code, or for content that is not necessary for business needs. This can be done by setting a size limit on the emails that can come in. Also, one can run web content filtering and email content filtering. Enable anti-exploitation features on workstations, laptops, and servers. There are a bunch of ways to do this, but some of them are using Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) and virtualization. A good tool to use is the Enhanced Mitigation Experience Toolkit (EMET) because it can be set up at the borders of applications and software. Make sure to limit the external devices that come onto the network. Make sure that people are using only those that are for business purposes, and monitor the uses and attempted uses of external devices. When one is using automated monitoring tools, make sure they are in behavior-based mode rather than signature-based mode. Use network-based anti-malware tools. These will allow one to identify executables in the network's traffic. Use detection modes other than signature-based modes because they will identify and take out the malicious code before it reaches the endpoints. Establish an incident response process. If one establishes this, it will supply the security team with malware samples that are not detected by the anti-malware software. When the security team has the malicious samples, they can tear them apart, see what the malicious code is and look at how it was made, so if it comes up again it will be easier to detect. Also, it's good to create "out-of-band" signatures. When a sample is found, the security team will send it to the security company they are outsourcing to, to create the signature; the outsourced security company will then send it back, and the business's security team will use it in their tools to help detect the malicious code if it comes up again. This will help the network team establish trust when they go into the management function to provide the network with resources. These will later be put on the enterprise by the administration.

I talked about the twenty SANS Critical Security Controls. The controls covered were Inventory of Authorized and Unauthorized Devices; Inventory of Authorized and Unauthorized Software; Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers; Continuous Vulnerability Assessment and Remediation; and Malware Defenses. These controls cover taking inventory, tracking, correcting, acquiring, accessing and taking action, as well as the installation, spread and execution of malicious code. I also talked about how the controls are used in a business setting, from quick wins to some more advanced ways to make the systems safe. Remember, as a company grows, it will need increased security defenses.

Control six is Application Software Security. Control six is designed to help businesses prevent, detect and correct security problems in software applications. First, some of the quick wins that will temporarily help are to make sure that the version of the application is still supported by the vendor or company. If it is still supported, make sure all of the patches and security recommendations are up to date with the vendor or company. If the version is not supported, one will have to update to a version that is supported and ensure all the patches and security recommendations are up to date. Another quick win is to deploy Web Application Firewalls (WAFs). WAFs inspect the traffic coming into the web application for commonly known web application attacks. One will have to do something a little different for non-web-based applications: one will have to deploy an application or applications specifically for that software application. If the traffic is encrypted, the application should be able to decrypt the traffic or should be placed behind the point where it is decrypted.

Ensure that all in-house developed software is run through explicit error checking. This checking will record the size, data type and all the acceptable ranges and formats for the application. Another way to help with web-based applications is to run automated remote web application scanners. This will help one check all in-house and third party web applications for commonly known security weaknesses. Also, run tests for Denial-of-Service (DoS) attacks and resource exhaustion attacks. DoS is an attack that makes one's software applications not run properly by restricting the size and/or amount of resources that can be requested. A DoS attack is an example of Uncontrolled Resource Consumption. Make sure to configure the systems so that end-users do not see the applications' error messages. This is called output sanitization. Another good thing to do is to separate the production systems from the non-production systems. Production systems are systems that are used for the production of the products or equipment. Non-production systems are systems that are not being used for production.

Some of the more advanced ways to secure one's applications are:

- Deploy automated static code analysis software
  - Scans the code for changes to all in-house applications and third party software, and scans the application before it is deployed on the system
- Risk management process
  - Determine the vulnerabilities that are high risk and correct them first
  - Look at the vendor's security process for the application, which includes history of vulnerabilities, customer notification, patching, and remediation
- Manual testing and inspection
  - Review and test the input validation and output encoding routines

Also, make sure to use standard hardening configuration templates that are specific to applications that rely on the database. Always test applications that are critical to the business processes because one does not want to have any security problems. Ensure all personnel in software development receive training in writing secure code for their development environments. When deploying one's in-house developed applications, make sure there are no development artifacts on them and that they cannot be accessed from the production setting. Development artifacts are sample data, sample scripts, unused libraries, components, and debugging code and tools.

Lastly, to see whether this control is working, businesses should ask these four questions; according to the Council on CyberSecurity, all of these questions have yes or no answers or a time in minutes.

1. Can the application system detect attacks and block them within 24 hours of being detected?
2. Are all the internet-facing applications scanned by web application vulnerability scanners at least weekly?
3. How long does it take for alerts to be generated and sent to system administrators that a vulnerability scan has or has not completed?
4. Are the vulnerabilities detected by the scanning tools fixed or remediated within 15 days of detection?

To help identify failure points, follow these three steps: set up web application firewalls to protect connections to the internal web applications, make sure software applications securely connect to the database systems, and use code analysis and vulnerability scanning tools to scan the application systems and database systems.

Control seven is Wireless Access Control. First, a few quick wins that will help secure the wireless network are to ensure that each wireless device connected to the network matches the authorized configuration and security profile that was created beforehand. Also, confirm that each device has a documented owner of the connection and a defined business need for it to be connected to the network. Another quick win is to configure all the network vulnerability scanning tools so they will detect the wireless access points that are connected to the wired network. A good idea is to disconnect all unauthorized access points and make a list of the devices that are reconciled against the authorized wireless access points. This will help gather information on the devices and help detect them if they try to connect again.

Next, more advanced ways to help secure one's systems are to deploy Wireless Intrusion Detection Systems (WIDS) to help identify unauthorized devices, attack attempts and successful attacks on the system. This helps keep a log of the vulnerabilities and lets one take action on the system to secure it. Also, let the WIDS monitor the traffic that passes to the wired network to help catch common attacks on networks. Confirm that the client machines that belong to one's network will have access to the authorized wireless access points. To be able to do this, one will have to configure the devices to give them access to certain wireless devices. In addition, make sure to go into the hardware settings of the machines to disable the wireless access on those that don't have business purposes for connecting to the wireless network. Always configure the devices with passwords to lower the possibility that the user will override the configurations one puts on the device. Ensure that all wireless traffic leverages the Advanced Encryption Standard (AES) with Wi-Fi Protected Access 2 (WPA2) security. Also, make certain that all wireless networks are using Extensible Authentication Protocol-Transport Layer Security (EAP-TLS). This provides protection and mutual authentication; EAP-TLS is an authentication protocol. Make sure that peer-to-peer wireless network capabilities are disabled on devices that have no business purpose for them, but if it is for business purposes do not disable it. Any wireless peripheral access should be disabled on all devices that come with it. An example of this is Bluetooth. This can come with a huge security problem because such devices are easy to hack and take control of, since they do not have very good security on them or people do not know how to use them properly, so it is best to just disable them. An even more advanced way to help with BYOD or other untrusted devices is to make separate VLANs for them. When one does this, make sure that the internet access goes through the same border as the corporate internet access. The VLANs should be treated as untrusted, filtered, and audited if they access the enterprise network. To help understand this control and to check whether this control is in place, use the following steps.

1. Ensure all the configurations on the wireless devices are hardened.
2. Harden all the configurations that are controlled by the configuration management system.
3. Make sure the configuration management system is managing the wireless devices.
4. Make certain the wireless IDSs are monitoring the wireless communications.
5. Use the vulnerability scanners to scan the wireless devices for vulnerabilities.
6. Make sure the clients that are using wireless communication use the wireless infrastructure securely.

Control eight is Data Recovery Capability. First, some quick wins, then some more advanced ways to back up one's data. The first quick win is to automatically back up each system on at least a weekly basis. If the system has more sensitive data on it, back it up more often. Make sure to include the OS, application software, and data, but they do not need to be in the same backup file or the same backup software. This will help restore systems that have failed or crashed more quickly and get them back up and running. Make certain to test the backup data on a regular basis to make sure it is working properly. The way to test the data is by using the data restoration process. When storing the backup data, make sure all of it is properly protected. Use physical security and encryption; it is also a good idea to use remote backups and cloud services. Also, for key systems, one should have at least one destination for the backups. It is always better to have more than one place to keep copies of the original backup file, but remember to have the security configuration more advanced so that no one who is not authorized will get in. Make certain that the OS is not always making calls to the backup destination. This will reduce the risk of attacks like CryptoLocker. CryptoLocker is an attack that encrypts or damages data on addressable data shares, which includes the backup destinations. It is a good idea to air gap the backup data or make sure a copy is stored offline away from the enterprise network.

One should be testing backup data on a monthly basis or at least once per quarter. To do this testing, one should have a testing team that will attempt to restore five systems using the backup data in either a physical or virtual testing environment. When doing the testing, make sure to test whether they are compatible with the Operating Systems (OS) and applications. It is a good idea to make diagrams of the entities because it will make it easier to implement and test the controls and to identify vulnerabilities or faults in the systems. A control system is where a device or a group of devices manages, commands, directs or regulates other systems or devices. The diagram below shows how this control is implemented in two easy steps and how the different devices work together.

Figure 1: 2 Step Process

These two steps are:

1. Make sure the business systems back up their data on a daily basis.
2. The backups are stored offline on a secure storage device.

Control nine is Security Skills Assessment and Appropriate Training to Fill Gaps. People's actions play an important role in the success or failure of the enterprise. Also, people provide important functions at the stages of implementation, operation, use, and oversight of each application. Some examples are end users who can become victims of social engineering attempts like phishing, security analysts who have a hard time keeping up with new information on exposures and vulnerabilities, and system owners and executives who do not understand the role cybersecurity plays in the operation and have no way to make relevant investment decisions reasonably. Black hats are aware of these issues that the public and businesses have, so they will plan their attacks accordingly. Even companies that have good defenses in place always have to be increasing their readiness for new vulnerabilities.

There are a few quick wins that will help train employees: use gap analysis, implement the necessary training, and put in an online security awareness program. Gap analysis is where one looks at the skills and behaviors employees need to improve on. Obtaining this information will help build a baseline for training and awareness of all employees. Also, this will help the employees develop more skills and adapt the skills they have now. After one has developed the baseline of the employees, implement the necessary training. It is a good idea to use senior staff and outside sources to deliver the training. The reason one will use senior staff to help train the employees is to show the employees that upper management cares enough to take the time to come and train them. The seniors at the business set the tone for the employees, so if the seniors are upbeat, excited, and caring it will make the employees feel good and want to work harder. Using outside sources to train is necessary because they are specifically trained in the skills businesses want their employees to excel in or be more successful with. Another way to help train employees, where there is a small number of employees, is to use online training and/or conference training. The last quick win to use is putting in an online security awareness program for the employees. The online program will help keep the employees up to date on the common intrusions that can be blocked by individual actions. Implement short, convenient modules for the employees to complete. As the person creating the modules, ensure they are up to date with the latest attack techniques, set a date for the employees to have the modules done, and keep an eye on the progress of all the employees so that they are completing them.

Make sure to test the employees periodically because this will improve awareness and validate their skill levels. If an employee fails one of the tests, create specific training for them, but make sure to inform them that it is not a punishment and is meant to help them improve. Put security skill assessments in place for all the mission-critical roles. Using these will help one identify the skill gaps. If an individual has skill gaps, there are third parties that have material online that can help them improve and master their skills.

To make an enterprise-wide training program effective, use the holistic approach and make sure to look at policy and technology as well as training employees. The holistic approach is all about developing a person as a whole. Senior management should put in technical controls to help reduce mistakes. Also, focus training on the employee behaviors that one cannot control technically. Be sure to keep in mind the cost and outcome of the training. To do this, keep the training prioritized, focused on what needs to be accomplished, and specifically focused on the business's critical roles and jobs first. Use the list that the Council on CyberSecurity developed, which is based on the 2012 Task Force on Cyber Skills established by the Secretary of Homeland Security, according to the Council on CyberSecurity.

1. System and Network Penetration Testers.

2. Application Penetration Testers.

3. Security Monitoring and Event Analysts.

4. Incident Responders In-depth.

5. Counter-Intelligence and Insider Threat Analysts.

6. Risk Assessment Engineers.

7. Secure Coders and Code Reviewers.

8. Security Engineers: Architecture and Design.

9. Security Engineers: Operations.

10. Advanced Forensics Analysts.

Control ten is Secure Configurations for Network Devices such as firewalls, routers and switches. A quick win is to compare the standard configuration with the configuration of the devices that are connected to the network. All the configurations should be documented, reviewed, and approved by the change control board of the organization. Ensure to log all the new configuration rules beyond a baseline-hardened configuration that allow traffic to flow through the security devices on the network. These devices include firewalls and network-based IPS. When one documents the new configurations, make sure to include the specific business reason for the change, the person or people responsible for the business need, and the amount of time the change is needed. Another way to help with securing the configurations of network devices is to use automated tools that look at the standing device configurations to detect whether there has been a change. Sometimes it is necessary to use two-factor authentication and encrypted sessions to manage network devices. An example of this is a Common Access Card (CAC). A CAC is a chipped card that is inserted into a computer, allowing an individual to log in with either a password or Personal Identification Number (PIN) and then allowing access to the network. Ensure all the stable versions of the security-related updates are installed on each device, but make sure to test the updates before they are installed on the devices on the network. One will want to test them first because if an update interrupts a business function, then the update is not adequate for the business's devices. If it is not a good update for the device, one will have to look into what the update is for and find another way to incorporate it. One will want to keep an eye on the network infrastructure that is separated from the network using VLANs. It is even better to put those devices on a completely different physical connection for management sessions.

These six steps show how the different systems work together.

1. Harden the device configurations that are part of the production devices.

2. Harden the device configurations that are stored in the secure configuration management system.

3. Make sure the management system validates all the configurations on the devices on the production network.

4. Ensure the patch management system applies updates that were tested to the production network.

5. Make sure to use two-factor authentication systems for administrative access to the production network.

6. Make certain the proxy, firewall, and network monitoring systems analyze all the connections to the production network at all times.


Also, to test the effectiveness of the automated implementation of this control, one should ask these questions and record the answers as yes, no or time in minutes, according to the Council on CyberSecurity.

1. How long does it take to detect configuration changes to a network system?

2. How long does it take the scanners to alert the organization's administrators that an unauthorized configuration change has occurred?

3. How long does it take to block/quarantine unauthorized changes on network systems?

4. Are the scanners able to identify the location, department, and other critical details about the systems where unauthorized changes occurred?

Lastly, to help sort through all of the data and get the most relevant data, one should ask these questions and record the answers in business units, according to the Council on CyberSecurity.

1. What is the percentage of network devices that are not currently configured with a security configuration that matches the organization's approved configuration standard?

2. What is the percentage of network devices whose security configuration is not enforced by the organization's technical configuration management applications?

3. What is the percentage of network devices that are not up to date with the latest available operating system software security patches?

4. What is the percentage of network devices that do not require two-factor authentication to administer the device?
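As an added example that is not part of the paper (and not a Council on CyberSecurity tool), the following Python snippet applies the quick win above to a constructed set of devices: it diffs each device's running configuration against an approved baseline, accepts extra lines only when a documented exception records the business reason, the responsible person and an expiry, and reports the first business-unit metric. Device names, configuration lines and dates are all made up.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample baseline: approved hardened lines every edge device must
# carry. Vendor-neutral and made up for this example.
APPROVED_BASELINE = frozenset({
    "no ip http server",
    "service password-encryption",
    "login block-for 120 attempts 5 within 60",
    "logging host 10.0.0.5",
    "ntp server 10.0.0.6",
})


@dataclass
class ExceptionRule:
    """A change-control-board approved rule beyond the baseline.

    The fields are the three things the paper says each documented change
    must record: the business reason, who is responsible, and how long the
    change is needed (here, an expiry date).
    """
    line: str
    business_reason: str
    owner: str
    expires: date


@dataclass
class DeviceConfig:
    name: str
    location: str
    department: str
    running_lines: frozenset
    exceptions: list = field(default_factory=list)


def audit_device(dev, baseline, today):
    """Return the drift findings for one device; an empty list means compliant.

    missing      - a baseline line is absent from the running configuration
    undocumented - a running line that is neither baseline nor an approved,
                   fully documented exception (reason and owner present)
    expired      - an approved exception still present after its expiry date
    """
    findings = [("missing", line) for line in sorted(baseline - dev.running_lines)]
    approved = {r.line: r for r in dev.exceptions if r.business_reason and r.owner}
    for line in sorted(dev.running_lines - baseline):
        rule = approved.get(line)
        if rule is None:
            findings.append(("undocumented", line))
        elif rule.expires < today:
            findings.append(("expired", line))
    return findings


def compliance_report(devices, baseline, today):
    """Audit every device and compute the first business-unit metric above:
    the percentage of devices whose configuration does not match the
    approved standard (any finding counts as a mismatch)."""
    findings = {dev.name: audit_device(dev, baseline, today) for dev in devices}
    non_compliant = sum(1 for f in findings.values() if f)
    pct = round(100.0 * non_compliant / len(devices), 1) if devices else 0.0
    return findings, pct


TODAY = date(2016, 5, 9)  # audit date; constructed to match the paper's date

NAT_RULE = "ip nat inside source list 1 interface Gi0/0 overload"
SNMP_RULE = "snmp-server community monitor RO"

SAMPLE_DEVICES = [  # constructed sample devices
    DeviceConfig("edge-rtr-1", "Pine City HQ", "IT",
                 APPROVED_BASELINE | {NAT_RULE},
                 [ExceptionRule(NAT_RULE, "Guest Wi-Fi internet access",
                                "network operations", date(2016, 12, 31))]),
    DeviceConfig("edge-rtr-2", "Branch office", "Sales",
                 (APPROVED_BASELINE - {"logging host 10.0.0.5"}) | {"ip http server"}),
    DeviceConfig("fw-dmz-1", "Pine City HQ", "IT",
                 APPROVED_BASELINE | {SNMP_RULE},
                 [ExceptionRule(SNMP_RULE, "Temporary vendor monitoring",
                                "vendor liaison", date(2016, 3, 1))]),
]

if __name__ == "__main__":
    report, pct = compliance_report(SAMPLE_DEVICES, APPROVED_BASELINE, TODAY)
    for name, items in report.items():
        print(name, items or "compliant")
    print("devices not matching approved configuration: {}%".format(pct))
```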


In this paper, I talked about the sixth through tenth SANS Critical Security Controls. The controls were Inventory of Application Software Security, Wireless Access Control, Data Recovery Capability, Security Skills Assessment and Appropriate Training to Fill Gaps, and Secure Configurations for Network Devices. These controls can be used to help track, detect, report, prevent, and back up data and to help with the training of employees. Also, I talked about how the controls are being used in a business setting and about some quick wins to more advanced ways to make the systems safe. As technology grows, black hats and some of the gray hats will become more advanced in their hacking, so as a cyber-world we need to become more advanced and aware of how our networks are set up and how much we should lock down systems to keep our information safe while meeting the needs of the business. Always remember to keep up to date on all the new security vulnerabilities and always expand one's knowledge.

Control 11 is Limitation and Control of Network Ports, Protocols, and Services. There are several quick wins that will help put limitations and controls in place. Make sure that only the ports, protocols and services that are needed for business are running on each system, because if one has unauthorized ports, protocols and services open it could create vulnerabilities. Put in host-based firewalls and/or port filtering tools on the end systems to help filter incoming traffic. Ensure to include a default-deny rule that allows the listed ports and services and drops the rest. The default-deny rule means the administrator makes a list of the services that are allowed, and everything else is denied. Also, run automated port scans on a regular basis. These should be run against all key services and compared with a known effective baseline; an alert will be generated if a change from the baseline is not on the organization's approved baseline. The last quick win is to ensure all the services are up to date and to remove and uninstall all the unnecessary components from the systems. This will help make sure there are no services that can create vulnerabilities on the systems.

There are more advanced ways to help limit and control one's ports, protocols, and services on the systems. Be sure to look at all the servers that are visible from the internet or on an untrusted network. If a server is visible from the internet or is on an untrusted network and that is not required for a business need, move it to a VLAN and give it a private address. Also, put critical services such as DNS, file, mail, web and database servers on different logical or physical host machines. Lastly, put in application firewalls in front of the critical servers to check, verify, and validate the traffic to the server; unauthorized services or traffic should be blocked, or an alert should be generated and reviewed by security personnel.

To help test this control, one should look at the following questions and record the answers as time in minutes or as yes or no status.

1. How long does it take systems to identify any new unauthorized listening network ports that are installed on network systems?

2. How long does it take for alerts to be generated about new services being installed?

3. Are alerts then sent every 24 hours until the listening network port has been disabled or it has been authorized by change management?

4. Do alerts indicate the location, department, and other details about the system where authorized and unauthorized network ports are running?

To help automate the collection of the relevant data, one should gather the following data in business units.

1. What is the percentage of the organization's systems that are not currently running a host-based firewall?

2. How many unauthorized services are currently running on the organization's business systems?

3. How many deviations from approved service baselines have been discovered recently on the organization's business systems?

The following list describes this control in four steps to help identify the potential failure points.

Step 1- An active scanner analyzes production systems for unauthorized ports, protocols, and services.

Step 2- Regularly update system baselines based on the required services of the business.

Step 3- The active scanners should validate which ports, protocols, and services are blocked or allowed by the application firewall.

Step 4- The active scanners should also validate the accessible ports, protocols and services that the business systems protect with host-based firewalls.
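Added example (not the paper's or the Council's code): a Python check that parses constructed `ss -ltnp`-style listener output per host, compares it with the approved service baseline for that host's role, emits alerts carrying the location and department the questions above ask for, and computes the three business-unit metrics. Hostnames, roles and the inventory are assumptions.

```python
import re

# Matches one line of `ss -ltnp`-style output and pulls out the port and the
# owning process name.
_SS_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+?):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)"'
)

# Constructed sample listener output per host (made up for this example, not
# captured from real systems).
SAMPLE_SS_OUTPUT = {
    "web-01": (
        'LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=540,fd=3))\n'
        'LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=812,fd=6))\n'
        'LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=812,fd=7))\n'
        'LISTEN 0 5 0.0.0.0:8000 0.0.0.0:* users:(("python3",pid=2211,fd=3))\n'
    ),
    "db-01": (
        'LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=533,fd=3))\n'
        'LISTEN 0 244 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=901,fd=5))\n'
    ),
    "ws-07": (
        'LISTEN 0 5 0.0.0.0:5900 0.0.0.0:* users:(("x11vnc",pid=3107,fd=4))\n'
    ),
}

# Constructed inventory: the role decides which baseline applies, and the
# location/department are what each alert must report.
SAMPLE_INVENTORY = {
    "web-01": {"role": "web", "location": "Pine City HQ",
               "department": "IT", "host_firewall": True},
    "db-01": {"role": "db", "location": "Pine City HQ",
              "department": "IT", "host_firewall": False},
    "ws-07": {"role": "workstation", "location": "Branch office",
              "department": "Sales", "host_firewall": False},
}

# Approved (port, process) pairs per role: the organization's service baseline.
APPROVED_SERVICES = {
    "web": {(22, "sshd"), (80, "nginx"), (443, "nginx")},
    "db": {(22, "sshd"), (5432, "postgres")},
    "workstation": set(),   # workstations should not be listening at all
}


def parse_listeners(ss_text):
    """Turn `ss -ltnp`-style lines into a set of (port, process) tuples."""
    found = set()
    for line in ss_text.splitlines():
        m = _SS_LINE.match(line.strip())
        if m:
            found.add((int(m.group("port")), m.group("proc")))
    return found


def check_host(host, inventory, listeners, approved):
    """One alert per listener that is not in the host role's baseline.

    Each alert carries the location and department from the inventory so the
    fourth test question above (where is the system?) can be answered.
    """
    info = inventory[host]
    baseline = approved.get(info["role"], set())
    return [
        {"host": host, "location": info["location"],
         "department": info["department"], "port": port, "process": proc}
        for port, proc in sorted(listeners - baseline)
    ]


def control_11_metrics(inventory, alerts):
    """The three business-unit metrics listed above, from inventory + alerts."""
    total = len(inventory)
    no_fw = sum(1 for i in inventory.values() if not i["host_firewall"])
    return {
        "pct_without_host_firewall": round(100.0 * no_fw / total, 1) if total else 0.0,
        "unauthorized_services": len(alerts),
        "hosts_deviating_from_baseline": len({a["host"] for a in alerts}),
    }


def run_sample():
    """Scan every sample host and return (alerts, metrics)."""
    alerts = []
    for host, text in SAMPLE_SS_OUTPUT.items():
        alerts.extend(check_host(host, SAMPLE_INVENTORY,
                                 parse_listeners(text), APPROVED_SERVICES))
    return alerts, control_11_metrics(SAMPLE_INVENTORY, alerts)


if __name__ == "__main__":
    found_alerts, metrics = run_sample()
    for a in found_alerts:
        print("unauthorized listener: {host} ({location}/{department}) "
              "port {port} process {process}".format(**a))
    print(metrics)
```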

Control 12 is Controlled Use of Administrative Privileges. One should keep administrative privileges to a minimum and use the accounts only when required. The use of administrative privilege functions and monitoring for anomalous behavior should be the focus of the auditing. A good idea is to put in automated tools to take inventory of all the administrative accounts, and the tool should verify that the privileges are authorized by a senior executive on desktops, laptops and servers. One should create administrative passwords as complex passwords that have numbers, letters, and alternative characters mixed together. It is okay to use passwords that include dictionary words and special characters, but they have to be of a reasonable length. When one is deploying new devices onto the network, ensure to change the passwords on the applications, operating systems (OS), routers, firewalls, wireless access points, and other systems. Also, all service accounts should have difficult-to-guess passwords and be changed on a regular basis, as user and administrative passwords are. For a password to be reused, there has to be at least a six-month period.

All passwords should be encrypted or hashed while they are in storage. The hashes should follow the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-132 or some similar guidance. The only people that should have access to the files that contain the hashed or encrypted passwords should be those with super-user privileges. Use Access Control Lists (ACLs) to ensure that the administrative accounts use the system for administrative purposes only and not to read emails, create documents or go onto the internet. It is best to configure the web browsers to never run when someone is logged into an administrative account. Ensure all administrators and users have different and unique passwords, through the policies that are put in place and user awareness. Any employee that requires administrative access needs to be given their own account. One should use the "administrator" account in Windows or "root" in Unix for emergencies only. For the system administrator, use the domain administrator accounts and not the local administrative accounts. Make sure to have the tool create an alert and a log entry when a new account is added to or removed from the domain administrative group and/or when a new local administrator account is added on a system. Configuring the system to generate an alert and a log entry when a failed login attempt happens on an administrative account makes sure there is no unauthorized person trying to get access to the administrative account.
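Added example, not from the paper: storing and verifying passwords with PBKDF2 as NIST SP 800-132 describes, using only Python's standard library, plus an audit helper that flags stored records whose salt or iteration count falls below the publication's floors (a salt of at least 128 bits and at least 1,000 iterations). The record format and the legacy sample entry are constructed for this example.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Parameters chosen to satisfy NIST SP 800-132: PBKDF2 with an HMAC-based PRF,
# a random salt of at least 128 bits and an iteration count of at least 1,000.
# The values below sit well above those floors.
PRF = "sha256"
SALT_BYTES = 16        # 128 bits
ITERATIONS = 200_000
KEY_BYTES = 32

MIN_SALT_BYTES = 16    # SP 800-132 floors, checked by meets_sp800_132()
MIN_ITERATIONS = 1_000


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def _unb64(text):
    return base64.b64decode(text.encode("ascii"))


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: $pbkdf2-<prf>$<iterations>$<salt>$<dk>.

    A fresh random salt per password means two users with the same password
    get different records, and the parameters travel with the record so they
    can be raised later without breaking verification of old entries.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt,
                             iterations, KEY_BYTES)
    return "$pbkdf2-{}${}${}${}".format(PRF, iterations, _b64(salt), _b64(dk))


def _parse(record):
    """Split a record into (prf, iterations, salt, dk); None if malformed."""
    parts = record.split("$")
    if len(parts) != 5 or parts[0] != "" or not parts[1].startswith("pbkdf2-"):
        return None
    try:
        return (parts[1][len("pbkdf2-"):], int(parts[2]),
                _unb64(parts[3]), _unb64(parts[4]))
    except (ValueError, binascii.Error):
        return None


def verify_password(password, record):
    """Recompute the key with the record's own parameters and compare it in
    constant time, so timing does not leak how many bytes matched."""
    parsed = _parse(record)
    if parsed is None:
        return False
    prf, iterations, salt, expected = parsed
    actual = hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), salt,
                                 iterations, len(expected))
    return hmac.compare_digest(actual, expected)


def meets_sp800_132(record):
    """True if a stored record uses a long-enough salt and enough iterations."""
    parsed = _parse(record)
    if parsed is None:
        return False
    _prf, iterations, salt, _dk = parsed
    return len(salt) >= MIN_SALT_BYTES and iterations >= MIN_ITERATIONS


def audit_password_file(records):
    """Names whose stored hashes fall short of the SP 800-132 parameters."""
    return [name for name, rec in records.items() if not meets_sp800_132(rec)]


# Constructed legacy entry: an 8-byte salt and 500 iterations, which the audit
# above should flag. The password is a made-up sample value.
_LEGACY_SALT = b"\x00" * 8
LEGACY_RECORD = "$pbkdf2-sha1$500${}${}".format(
    _b64(_LEGACY_SALT),
    _b64(hashlib.pbkdf2_hmac("sha1", b"Winter2016!", _LEGACY_SALT, 500, 20)))

if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("verify ok:", verify_password("correct horse battery staple", rec))
    print("below SP 800-132 floors:",
          audit_password_file({"svc-old": LEGACY_RECORD, "alice": rec}))
```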

Use multi-factor authentication for all administrative accounts because it will make it harder for people to get access to administration accounts. A few techniques one can use for multi-factor authentication are smart cards with certificates, One Time Password (OTP) tokens, and biometrics. Biometrics is the identification of a person by using their biological features. Some of the devices include face scanners, hand scanners, finger scanners, retina or iris scanners, and voice scanners. When using multi-factor certificate-based authentication, make sure all the private keys are protected by strong passwords or stored on trusted and secure hardware tokens. For administrator-level accounts, ensure that direct access to a machine is blocked, whether remotely or locally. Instead of doing that, administrators should use a logged, non-administrator account. When they are logged on, they are able to use administrative privileges by using such tools as RunAs in Windows and sudo in Linux/Unix. Each time a user uses their own administrator account, they will have to enter a password because it is different from the user account they are logged in as.

Control 13 is Boundary Defense. There are a few quick wins that can help with boundary defense more quickly than the more advanced ways, but the more advanced ways will help long term. One quick win is to limit or deny data flow to known malicious IP addresses (blacklists) and/or limit access to trusted sites (whitelists). One way to help verify that blacklisted addresses are not able to send any data is to send test packets using a bogon source IP address, which is a non-routable or unused IP address. These bogon addresses can be found on the internet. The last quick win is, when one is using Demilitarized Zone (DMZ) networks, to configure the monitoring systems to record at minimum the packet header information, but preferably to record the full packet header and the payloads of traffic destined for or passing through the network border. A more advanced way is to put in a Sender Policy Framework (SPF) to help lower the chances of getting spoofed emails. To do this, all one has to do is deploy SPF records in the DNS and enable receiver-side verification in the mail servers. Deploying network-based IDS sensors on Internet and extranet DMZ systems and networks will identify unusual attack mechanisms and detect compromised systems.

One should put in network-based IPS devices to help with blocking known bad signatures or behavioral attacks. These IPS devices will delay the amount of time it will take for someone to react to the attack. Before one deploys these IPSs, make sure to include techniques other than signature-based detection. One should include virtual machine and/or sandbox-based approaches. Build network perimeter proxies and put them on the system so that the outgoing web, File Transfer Protocol (FTP), and Secure Shell traffic to the internet passes through them. The proxy server should support individual TCP sessions and blocking specific URLs, domain names, and IP addresses to implement a blacklist. One should use two-factor authentication on all remote login access. Make sure to include VPNs, dial-up, and all other forms of access that allow a login into the internal systems. The enterprise should manage all the enterprise devices that are logging in remotely. The enterprise should manage them by controlling the configuration of each remote device, the installed software, and the patch levels. One should build minimum security standards for the network and should do a security scan before any third-party device is given access. The third-party devices include those of subcontractors and vendors.

Scan the network for back-channel connections to the internet that bypass the DMZ. One should include unauthorized VPN connections, dual-homed hosts that are connected to the network, dial-up modems, and other network mechanisms. Devise internal network segmentation schemes to limit traffic to those services that are needed for business use throughout the whole internal network. Putting this in will help limit access by insiders, untrusted subcontractors, and malware spreading on the network. To help keep an attacker from moving around compromised systems, make sure the DMZ systems only communicate with private network systems using application proxies or application-aware firewalls on approved channels. One should use the built-in firewall session tracking mechanisms to identify TCP sessions that last an unusually long time for the organization, and the firewall devices in turn will alert the personnel with the source and destination addresses that are a part of these long sessions. This will identify channels exfiltrating data through a firewall. Lastly, to detect anomalous activity, deploy NetFlow collection and analysis to the DMZ network. NetFlow was developed by Cisco for monitoring and collecting network traffic flow data from NetFlow-enabled routers and switches.
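Added example, not part of the paper: a Python review of constructed NetFlow-style border flow records that flags inbound flows with a bogon source address (which is how the test packets from the quick win above would show up if the filter let them through, and how spoofed traffic looks) and lists TCP sessions longer than the organization's threshold together with their source and destination addresses, as the firewall alert described above would. The prefix list is a partial bogon list and the flows are made up.

```python
import ipaddress
from datetime import datetime

# Partial bogon list: address space that should never appear as a source on
# the public Internet (private, loopback, link-local, shared address space,
# benchmarking, multicast and reserved). The documentation ranges
# (TEST-NET-1/2/3) are deliberately left out so they can stand in for public
# addresses in the constructed sample below; a production list would include
# them and be refreshed from a maintained source.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_bogon(address):
    """True if the address falls inside any bogon prefix."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in BOGON_PREFIXES)


def _flow(direction, src, dst, proto, dport, start, end):
    return {"direction": direction, "src": src, "dst": dst, "proto": proto,
            "dport": dport, "start": start, "end": end}


# Constructed flow records at the DMZ border (made up, NetFlow-like).
# "in" flows arrive from the Internet, "out" flows leave the DMZ.
SAMPLE_FLOWS = [
    _flow("in", "10.0.0.7", "172.16.5.10", "tcp", 22,
          "2016-05-09T08:00:02", "2016-05-09T08:00:02"),
    _flow("in", "198.51.100.23", "172.16.5.10", "tcp", 443,
          "2016-05-09T08:00:01", "2016-05-09T08:02:10"),
    _flow("out", "172.16.5.10", "198.51.100.77", "tcp", 443,
          "2016-05-08T19:30:00", "2016-05-09T09:45:00"),
    _flow("in", "203.0.113.9", "172.16.5.10", "udp", 53,
          "2016-05-09T08:00:03", "2016-05-09T08:00:03"),
    _flow("out", "172.16.5.11", "192.0.2.40", "tcp", 443,
          "2016-05-09T01:00:00", "2016-05-09T07:30:00"),
]


def _hours(flow):
    start = datetime.fromisoformat(flow["start"])
    end = datetime.fromisoformat(flow["end"])
    return (end - start).total_seconds() / 3600.0


def bogon_sourced_inbound(flows):
    """Inbound flows whose source is a bogon. A border filter should have
    dropped these; seeing one means either a test packet got through or
    someone is spoofing."""
    return [f for f in flows if f["direction"] == "in" and is_bogon(f["src"])]


def long_sessions(flows, max_hours):
    """TCP sessions longer than the organization's threshold, reported with
    the source and destination the firewall alert should carry."""
    return [(f["src"], f["dst"], round(_hours(f), 2))
            for f in flows if f["proto"] == "tcp" and _hours(f) > max_hours]


def border_review(flows, max_hours=8.0):
    """Both checks in one summary; max_hours is an assumed threshold."""
    return {
        "bogon_inbound": [(f["src"], f["dst"]) for f in bogon_sourced_inbound(flows)],
        "long_sessions": long_sessions(flows, max_hours),
    }


if __name__ == "__main__":
    for key, items in border_review(SAMPLE_FLOWS).items():
        print(key, items)
```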

The following steps show how the devices work together and how these steps will help identify the potential failure points of this control.

1. Hardened device configuration applied to production devices.

2. Two-factor authentication systems required for administrative access to production devices.

3. Production network devices send events to the log management and correlation system.

4. Network monitoring system analyzes network traffic.

5. Network monitoring system sends events to the log management and correlation system.

6. Outbound traffic passes through and is examined by network proxy devices.

7. Network systems scanned for potential weaknesses.

Control 14 is Maintenance, Monitoring, and Analysis of Audit Logs. There are some quick wins that will help. Use two synchronized time sources from which all servers and network equipment get their time information on a regular basis. The two time sources should be Coordinated Universal Time (UTC) and Network Time Protocol (NTP). Be sure to look at the audit log settings for all hardware devices and software to include a date, timestamp, source addresses, destination addresses, and other useful elements of each packet and/or transaction. The systems need to record logs in a standardized format like syslog entries or like the Common Event Expression outlined. There are tools that can be put in to convert the logs into that format if the system cannot do it. Make sure all the system logs have enough space to store the logs. These logs should be digitally signed and archived on a daily basis. Build a log retention policy because this will help make sure that the logs are being kept for a period of time. On average, systems can be compromised for several months without anyone even knowing, so it is a good rule of thumb to make sure the logs are being kept longer than 3 months. It is good to keep the logs for six months or longer. Have either security personnel or system administrators or both do log reports every other week to try to find the anomalies. An anomaly is something that is out of the ordinary from the set standard. If one is found, the person looking into the anomaly should be sure to document the findings.

Configure all the firewalls, network-based IPS, and inbound and outbound proxies that are network boundary devices to log all the traffic arriving at the devices, whether it is allowed or blocked. To lower the chance of an attacker changing the logs that are stored on a compromised local computer, make sure the logs are being written to write-only devices or to logging servers that are running on separate machines away from the host that is creating the event log. Also, put in Security Incident and Event Management (SIEM) or similar log analysis tools that do log aggregation and consolidation from multiple machines and also correlation and analysis. When using the SIEM, security personnel and system administrators should put together common events from the systems, so it will be easier to determine unusual activity, avoid false positives, identify anomalies faster, and avoid giving the analysts unimportant alerts. Ensure to keep an eye on the service creation events and be sure to turn on the process tracking logs. Attackers use the PsExec tool to help spread from system to system in Windows environments. Service creation events are unusual and should be looked at closely, and the process tracking can be used to help with incident handling. Be sure that the log collection system does not lose events during peak activity. Also, ensure the system detects and alerts if an event loss happens. An example of an event loss is when the volume exceeds the capacity of the log collection system.
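Added example, not the paper's code: a Python pass over constructed syslog-style lines that checks they use the standardized timestamp format, looks for service-creation events (Windows Event ID 7045, with PsExec's PSEXESVC service name given top priority), reports network events missing a source or destination address, and detects seconds in which the volume exceeded the collector's capacity. Hostnames, addresses and the capacity figure are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed syslog-style lines (made up for this example) as a central log
# server might receive them from a DMZ firewall, a Windows event forwarder
# and a legacy switch. Event ID 7045 is the Windows System-log event for a
# new service being installed; PSEXESVC is the service name PsExec installs.
SAMPLE_LOGS = """\
2016-05-09T08:00:01Z fw-dmz-1 kernel: ACCEPT src=198.51.100.23 dst=172.16.5.10 proto=TCP dport=443
2016-05-09T08:00:02Z fw-dmz-1 kernel: DROP src=10.0.0.7 dst=172.16.5.10 proto=TCP dport=22
2016-05-09T08:00:02Z ws-07 eventlog: EventID=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe
2016-05-09T08:00:03Z ws-07 eventlog: EventID=4688 NewProcessName=C:\\Windows\\PSEXESVC.exe
2016-05-09T08:00:03Z web-01 sshd: Accepted publickey for deploy src=10.0.0.5 dst=172.16.5.20
2016-05-09T08:00:03Z fw-dmz-1 kernel: ACCEPT src=198.51.100.23 dst=172.16.5.10 proto=TCP dport=443
2016-05-09T08:00:03Z fw-dmz-1 kernel: ACCEPT src=198.51.100.24 dst=172.16.5.10 proto=TCP dport=443
2016-05-09T08:00:05Z srv-02 eventlog: EventID=7045 ServiceName=BackupAgent ImagePath=C:\\Agent\\agent.exe
2016-05-09T08:00:06Z fw-dmz-1 kernel: DROP src=10.0.0.7 proto=TCP dport=22
May  9 08:00:04 legacy-sw1 snmpd: link up port 3
"""

_LINE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (\S+) (\S+): (.*)$")
_KV = re.compile(r"(\w+)=(\S+)")


def parse_log(text):
    """Split lines into events; lines without the standardized ISO timestamp
    are returned separately, since the paper requires one common format."""
    events, nonstandard = [], []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            nonstandard.append(line)
            continue
        ts, host, app, msg = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "host": host, "app": app, "msg": msg,
                       "fields": dict(_KV.findall(msg))})
    return events, nonstandard


def service_creation_alerts(events):
    """Event ID 7045 is rare on a workstation; a PSEXESVC install is the
    lateral-movement pattern the paper calls out, so it gets top priority."""
    alerts = []
    for e in events:
        if e["fields"].get("EventID") != "7045":
            continue
        service = e["fields"].get("ServiceName", "?")
        priority = "high" if service.upper() == "PSEXESVC" else "review"
        alerts.append({"host": e["host"], "service": service, "priority": priority})
    return alerts


def missing_endpoints(events):
    """Network events (firewall or sshd) lacking the source or destination
    address the paper says every log entry should carry."""
    return [e["msg"] for e in events
            if e["app"] in ("kernel", "sshd") and not {"src", "dst"} <= set(e["fields"])]


def overloaded_seconds(events, capacity_per_second):
    """Seconds in which more events arrived than the collector is sized for:
    the 'volume exceeds capacity' event-loss condition the paper describes."""
    per_second = Counter(e["ts"] for e in events)
    return sorted((ts, n) for ts, n in per_second.items() if n > capacity_per_second)


def analyze_logs(text, capacity_per_second):
    """Run all checks over one batch of log text."""
    events, nonstandard = parse_log(text)
    return {"events": events, "nonstandard": nonstandard,
            "service_alerts": service_creation_alerts(events),
            "missing_endpoints": missing_endpoints(events),
            "overloaded_seconds": overloaded_seconds(events, capacity_per_second)}


if __name__ == "__main__":
    result = analyze_logs(SAMPLE_LOGS, capacity_per_second=2)  # assumed capacity
    for key in ("nonstandard", "service_alerts", "missing_endpoints", "overloaded_seconds"):
        print(key, result[key])
```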

Answer the following questions with yes or no answers or time in minutes, to help test the effectiveness of the automated implementation of this control.

1. Does each system log appropriately to a central log management system?

2. Does each log event generated include a date, timestamp, source address, destination address and other details about the packet?

3. If a system fails to log properly, how long does it take for an alert about the failure to be sent?

4. If a system fails to log properly, how long does it take for enterprise personnel to receive the alert about the failure?

The information one will gather from the following questions will help the automated collection of relevant data, and it should be done in business units.

1. What percentage of the organization's systems do not currently have comprehensive logging enabled in accordance with the organization's standards?

2. What percentage of the organization's systems are not currently configured to centralize their logs to a central log management system?

3. How many anomalies and/or events of interest have been discovered in the organization's logs recently?

Lastly, there are four steps that will help identify the potential failure points in this control and show how the systems work together to do this.

Step 1- Production systems generate logs and send them to a centrally managed log database system.

Step 2- Production systems and log database systems pull synchronized time from central time management systems.

Step 3- Logs are analyzed by a log analysis system.

Step 4- Log analysts examine the data generated by the log analysis system.

Control 15 is Controlled Access Based on the Need to Know. There is a quick win to help right away, but the more advanced ways are the best to use. The quick win is to locate all the sensitive data on separate VLANs protected by firewall filtering. Data that is sensitive should be encrypted if it is going over less-trusted networks. Now on to the advanced ways: to access sensitive data, one should use special authentication and should enforce detailed audit logging for access to nonpublic data on the system. Segment data on the servers based on trust levels. When data goes over a low-trust-level network, the data should be encrypted. Put in host-based Data Loss Prevention (DLP) so that the ACLs are still applied when data is copied off a server. Otherwise, after the data is copied off the server onto a desktop system, the ACLs will no longer be enforced and the user will be able to send it to whomever.


To help test the effectiveness of this control, one should answer these two questions with either yes or no answers or time in minutes.

1. Can the system detect all attempts by users to access files on the local systems or network-accessible file shares without the appropriate privileges?

2. How long does it take the system to generate an alert or e-mail for administrative personnel about a user inappropriately accessing the file shares?

To automate the collection of relevant data from these systems, one should answer the following questions in business units.

1. What percentage of the organization's data sets have not been classified in accordance with the organization's data standards?

2. What percentage of sensitive data sets are not configured to require logging of access to the data set?

3. What percentage of the organization's business systems are not utilizing host-based DLP software applications?


Figure 1. Five steps

The figure above shows the five steps in a business setting and how the different systems work together. The five steps that will help identify potential failure points in this control are:

1. An appropriate data classification system and permissions baseline applied to production data systems.

2. Access appropriately logged to a log management system.

3. Proper access control applied to portable media and USB drives.

4. Active scanner validates and checks access and checks data classification.

5. Host-based encryption and data-loss prevention validates and checks all access requests.


In this paper, I talked about the 11th through 15th SANS Critical Security Controls. The controls were Limitation and Control of Network Ports, Protocols, and Services; Controlled Use of Administrative Privileges; Boundary Defense; Maintenance, Monitoring, and Analysis of Audit Logs; and Controlled Access Based on the Need to Know. These controls were used to help detect, track, control, manage, prevent, analyze and correct access to data. Also, I talked about how the controls are being used in a business setting and about using some quick wins to more advanced ways to make the systems safe. As technology grows, black hats and some of the gray hats will become more advanced in their hacking, so as a cyber-world we need to become more advanced and aware of how our networks are set up and how much we should lock down systems to keep our information safe while meeting the needs of the business. Always remember to keep up to date on all the new security vulnerabilities and always expand one's knowledge.

Control 16 is Account Monitoring and Control. First, there are some quick wins that will help make the system more secure. Ensure to look over the systems and disable any accounts that are not associated with a business process or owner. Make sure all the accounts have expiration dates associated with them. All systems should create a report that lists locked-out accounts, disabled accounts, all accounts that have exceeded the maximum password age, and accounts that have passwords that never expire. Be sure to build and follow the process for revoking access by disabling accounts that are no longer being used or whose employee was terminated. Next, all accounts that have been logged on for a certain period of time without activity should be automatically logged off. This will help with the security risks and vulnerabilities. Any unattended workstations should be configured with screen locks to limit access to the systems. If one keeps up on monitoring accounts, one will be able to find dormant accounts on the systems. All the non-administrator accounts should have passwords that contain letters, numbers, and special characters, should be changed every 90 days, should have a minimum age of one day, and should not be allowed to reuse any of the previous fifteen passwords. Lastly, configure the accounts to lock if the maximum number of login attempts is reached. When that happens, the account will lock for a standard period of time.

Some more advanced ways to secure one's systems are to have all managers match active employees and contractors against the accounts belonging to their managed staff. One should use audit logging to monitor attempts to deactivate accounts, and all accounts should authenticate through a central directory such as Active Directory or a Lightweight Directory Access Protocol (LDAP) directory. To establish a user's typical account usage, record the normal time of day of access and the normal access duration, and generate reports that flag logins at unusual hours or sessions that exceed the normal login duration. Logins with a user's credentials from computers that the user would not normally work from should also be flagged. All accounts with access to sensitive data or systems should require multi-factor authentication. For users who access web services, the login must go over an encrypted channel, and if a centralized authentication service is not used, the password hash files must be stored securely. Passwords should only ever be transmitted over encrypted channels. Finally, all user passwords should be stored in hashed (or encrypted) files that cannot be read without root or administrative privileges, and access to those password stores should be audited.
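As an added example (not code from the paper), the script below produces the daily report the control asks for and applies the two anomaly checks described above (off-hours logins and logins from an unusual host), plus the daily comparison of the account list against a stored baseline. The account records and login events are constructed sample data, and the 45-day dormancy window, the 07:00-18:59 business hours and the one-hour failed-login window are assumptions for the example; the 90-day maximum password age comes from the control text.

```python
"""Daily account-monitoring report over constructed sample data (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

NOW = datetime(2016, 5, 9, 9, 0)          # fixed "now" so the report is reproducible
MAX_PASSWORD_AGE = timedelta(days=90)      # from the control: change every 90 days
DORMANT_AFTER = timedelta(days=45)         # assumed dormancy threshold
BUSINESS_HOURS = range(7, 19)              # assumed normal login hours, 07:00-18:59
ONE_HOUR = timedelta(hours=1)              # assumed window for counting failed logins


@dataclass
class Account:
    name: str
    owner: str                        # business owner; "" means none on record
    locked: bool
    disabled: bool
    password_set: datetime
    password_never_expires: bool
    expires: Optional[datetime]       # account expiration date, None = not set
    last_login: Optional[datetime]    # None = never logged in


@dataclass
class Login:
    account: str
    when: datetime
    host: str
    success: bool


def review_accounts(accounts: List[Account]) -> Dict[str, List[str]]:
    """Build the report the control asks for: ownerless, no-expiry, locked,
    disabled, stale-password, never-expiring-password and dormant accounts."""
    report: Dict[str, List[str]] = {
        "no_owner": [], "no_expiry": [], "locked": [], "disabled": [],
        "password_too_old": [], "password_never_expires": [], "dormant": [],
    }
    for a in accounts:
        if not a.owner:
            report["no_owner"].append(a.name)
        if a.expires is None:
            report["no_expiry"].append(a.name)
        if a.locked:
            report["locked"].append(a.name)
        if a.disabled:
            report["disabled"].append(a.name)
        if a.password_never_expires:
            report["password_never_expires"].append(a.name)
        elif NOW - a.password_set > MAX_PASSWORD_AGE:
            report["password_too_old"].append(a.name)
        # An enabled account nobody has used recently is dormant.
        if not a.disabled and (a.last_login is None or NOW - a.last_login > DORMANT_AFTER):
            report["dormant"].append(a.name)
    return report


def diff_against_baseline(baseline: List[str], today: List[str]) -> Dict[str, List[str]]:
    """Compare today's account list with the stored baseline (new and vanished accounts)."""
    return {"added": sorted(set(today) - set(baseline)),
            "removed": sorted(set(baseline) - set(today))}


def flag_logins(logins: List[Login], usual_hosts: Dict[str, Set[str]]):
    """Flag successful logins at unusual hours or from hosts the user does not normally use."""
    flags = []
    for entry in logins:
        if not entry.success:
            continue
        if entry.when.hour not in BUSINESS_HOURS:
            flags.append((entry.account, "off-hours", entry.when.isoformat()))
        if entry.host not in usual_hosts.get(entry.account, set()):
            flags.append((entry.account, "unusual-host", entry.host))
    return flags


def failed_login_counts(logins: List[Login], window: timedelta) -> Dict[str, int]:
    """Count failed logins per account inside the window ending at NOW."""
    counts: Dict[str, int] = {}
    for entry in logins:
        if not entry.success and timedelta(0) <= NOW - entry.when <= window:
            counts[entry.account] = counts.get(entry.account, 0) + 1
    return counts


# Constructed sample data (not from any real system).
SAMPLE_ACCOUNTS = [
    Account("alice", "IT", False, False, NOW - timedelta(days=30), False,
            NOW + timedelta(days=365), NOW - timedelta(days=1)),
    Account("bob", "", True, False, NOW - timedelta(days=120), False,
            None, NOW - timedelta(days=60)),
    Account("svc_backup", "Ops", False, False, NOW - timedelta(days=400), True,
            None, NOW - timedelta(days=2)),
    Account("carol", "HR", False, True, NOW - timedelta(days=10), False,
            NOW + timedelta(days=30), NOW - timedelta(days=200)),
]
SAMPLE_LOGINS = [
    Login("alice", NOW - timedelta(days=1), "ws-alice", True),
    Login("alice", datetime(2016, 5, 8, 2, 30), "ws-alice", True),   # 02:30 login
    Login("bob", datetime(2016, 5, 8, 11, 0), "ws-alice", True),     # bob on alice's workstation
    Login("bob", NOW - timedelta(minutes=10), "ws-bob", False),
    Login("bob", NOW - timedelta(minutes=20), "ws-bob", False),
    Login("bob", NOW - timedelta(minutes=30), "ws-bob", False),
    Login("bob", NOW - timedelta(days=3), "ws-bob", False),          # outside the window
]
USUAL_HOSTS = {"alice": {"ws-alice"}, "bob": {"ws-bob"}}
YESTERDAY_BASELINE = ["alice", "bob", "carol", "dave"]

if __name__ == "__main__":
    for key, names in review_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{key:24s} {names}")
    print(diff_against_baseline(YESTERDAY_BASELINE, [a.name for a in SAMPLE_ACCOUNTS]))
    print(flag_logins(SAMPLE_LOGINS, USUAL_HOSTS))
    print(failed_login_counts(SAMPLE_LOGINS, ONE_HOUR))
```

In a real deployment the account records would come from the directory (an LDAP search or `Get-ADUser` export) and the login events from the authentication logs; the report and the flags are what should be e-mailed to the administrators each day, and the "removed" list from the baseline comparison is what reveals an account that was deleted without going through the revocation process.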

To help see whether the control is effective, answer the following questions.
1. Does the system audit and report on valid and invalid log-ins to user accounts?
2. Does the system audit and report on valid and invalid log-ins to user accounts on network and security devices?
3. Does the system lock users out after five invalid attempts?
4. Do user account passwords expire at least every 90 days?
5. Does the system report on dormant accounts that have not been used for a configurable period of time?

The following measurements help one automate the monitoring and control of user accounts.
1. How many invalid attempts to access user accounts have been detected within a given period of time?
2. How many accounts have been locked out within a given period of time?
3. How many attempts to gain access to password files on the system have been detected within a given period of time?
4. Perform authorized password cracking against the password files and count the administrator account passwords that are cracked. Remediate any cracked passwords immediately.
5. Is an automated list of user accounts on the system created daily and compared to a baseline (yes or no)?
6. How long does it take to send an alert or e-mail to administrative personnel that the comparison report has been created (time in minutes)?

The following tests exercise the techniques an attacker uses to gain access to user accounts. They should be performed periodically, at least three times, and from multiple widely distributed systems on the organization's network, to be sure that the user account controls are in place and working.
Attempt to configure weak user account passwords that do not comply with the established policy. Verify that the system rejects them.
Attempt to re-use a password previously used for the account. Verify that the system requires a unique new password on each change.
Attempt to capture passwords by monitoring network traffic to server resources. Remediate any instance where a password is transmitted in clear text.
Attempt to gain access to the password files stored on each system. If successful, verify whether the passwords are cryptographically protected.
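The password rules from the quick wins above, and the first two tests, are simple enough to implement and check in code. The following is an added example, not code from the paper: it enforces complexity, the one-day minimum age, the fifteen-password history and lockout after too many failures, and it stores only salted PBKDF2 hashes so that even someone who reads the file does not recover the passwords. The 12-character minimum length, the 5-attempt lockout threshold, the 15-minute lockout period and the PBKDF2 round count are assumptions for the example; the rest comes from the control text.

```python
"""Password policy, history and lockout enforcement (added example)."""
import hashlib
import hmac
import os
import re
import string
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 12                      # assumed; the control text gives no length
MIN_AGE = timedelta(days=1)          # from the control
HISTORY_DEPTH = 15                   # previous passwords that may not be reused
MAX_ATTEMPTS = 5                     # assumed lockout threshold
LOCKOUT = timedelta(minutes=15)      # assumed "standard period of time"
PBKDF2_ROUNDS = 50_000               # assumed; raise for production use


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the plaintext is never stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def meets_complexity(password: str) -> bool:
    """Letters, numbers and special characters, plus an assumed minimum length."""
    return (len(password) >= MIN_LENGTH
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"[0-9]", password) is not None
            and any(c in string.punctuation for c in password))


class PasswordAccount:
    def __init__(self, name: str, initial_password: str, now: datetime):
        self.name = name
        self.history: List[Tuple[bytes, bytes]] = []   # (salt, digest), newest last
        self.password_changed = now
        self.failed_attempts = 0
        self.locked_until: Optional[datetime] = None
        self._store(initial_password)

    def _store(self, password: str) -> None:
        self.history.append(hash_password(password))
        # Keep the current password plus the last HISTORY_DEPTH previous ones.
        del self.history[:-(HISTORY_DEPTH + 1)]

    def _reused(self, password: str) -> bool:
        return any(matches(password, salt, digest) for salt, digest in self.history)

    def change_password(self, new_password: str, now: datetime) -> Tuple[bool, str]:
        """Enforce minimum age, complexity and history; return (ok, reason)."""
        if now - self.password_changed < MIN_AGE:
            return False, "minimum age not reached"
        if not meets_complexity(new_password):
            return False, "does not meet complexity policy"
        if self._reused(new_password):
            return False, "password reused"
        self._store(new_password)
        self.password_changed = now
        return True, "changed"

    def authenticate(self, password: str, now: datetime) -> Tuple[bool, str]:
        """Verify the password and apply the lockout rule; return (ok, reason)."""
        if self.locked_until is not None and now < self.locked_until:
            return False, "locked"
        salt, digest = self.history[-1]
        if matches(password, salt, digest):
            self.failed_attempts = 0
            self.locked_until = None
            return True, "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_ATTEMPTS:
            self.failed_attempts = 0
            self.locked_until = now + LOCKOUT
            return False, "locked"
        return False, "bad password"


def run_demo() -> List[Tuple[bool, str]]:
    """Walk one constructed account through the policy; returns the outcomes in order."""
    t0 = datetime(2016, 5, 9, 9, 0)
    acct = PasswordAccount("alice", "Sp3cial-Start!", t0)
    results = [
        acct.change_password("An0ther-G00d!pw", t0 + timedelta(hours=2)),   # too soon
        acct.change_password("alllowercase", t0 + timedelta(days=2)),       # no digit or special
        acct.change_password("Sp3cial-Start!", t0 + timedelta(days=2)),     # reused
        acct.change_password("An0ther-G00d!pw", t0 + timedelta(days=2)),    # accepted
        acct.change_password("Sp3cial-Start!", t0 + timedelta(days=4)),     # old one still banned
    ]
    t1 = t0 + timedelta(days=5)
    results += [acct.authenticate("wrong", t1) for _ in range(MAX_ATTEMPTS)]   # 5th locks
    results.append(acct.authenticate("An0ther-G00d!pw", t1 + timedelta(minutes=1)))  # still locked
    results.append(acct.authenticate("An0ther-G00d!pw", t1 + LOCKOUT))              # lockout over
    return results


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

The history check has to re-hash the candidate under each stored salt, which is the cost of not keeping plaintext or unsalted hashes; that is deliberate, since the control also says the password store must be unreadable without administrative privileges and the hashes should resist cracking if it is read anyway.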

Control 17 is data protection. This control is important because data can be found in many different places. One protects data by keeping track of where it is, encrypting it, protecting its integrity, and using Data Loss Prevention (DLP) techniques. Encryption applies both while data is being transferred and while it is stored. Encryption keys should be stored on secure servers or in Hardware Security Modules (HSMs). For a business, the loss of sensitive data can turn into a real threat to the business or even a national security incident. DLP controls are policy-based and include classifying sensitive data, discovering that data across the network, enforcing controls, reporting, and auditing to make sure the policies are being followed. There are four quick wins for securing one's data, and then there are more advanced ways. For mobile devices and systems that hold sensitive data, deploy full-disk encryption software to protect the devices and systems. Also, check that the cryptographic devices and software in use rely on publicly-vetted algorithms. A publicly-vetted algorithm is one whose design is published and has been reviewed by the cryptographic community (AES and SHA-2 are examples); an algorithm kept secret by its vendor has had no such review and should not be trusted. Cryptographic devices or software are simply the hardware or programs that perform the encryption. One should assess the organization's data to identify the sensitive information that needs encryption and integrity controls applied to it. The last quick win is to review the cloud provider's security practices.

Some more advanced ways are to discover unauthorized attempts to move data across network boundaries, block those transfers, and alert security personnel, by deploying automated tools on the network perimeter that monitor for sensitive information, keywords, and document characteristics. One should run automated scans on servers to find sensitive data stored in clear text. When moving data between networks, use secure, authenticated, and encrypted mechanisms. If a business has no need for USB tokens or USB hard drives, configure the systems so that they do not write data to such devices. If a system does require them, configure the enterprise software to allow only specific USB devices to be used and to automatically encrypt the data placed on them. Always keep an inventory of these authorized devices, so that one knows what is allowed. One should use network-based Data Loss Prevention (DLP) solutions to watch and control the flow of data across the network; DLP solutions detect possible data breaches and alert security personnel. Any traffic that deviates from the normal pattern should be logged and acted upon. Only approved Certificate Authorities (CAs) should issue certificates for the enterprise, and one should review and verify each CA's Certification Practice Statement (CPS) and Certificate Policy (CP). For the protection of sensitive data, annually review the key lengths and algorithms in use. Monitor the traffic leaving the organization to detect unauthorized use of encryption: attackers use encrypted channels to bypass security devices, so it is very important to be able to identify these connections, terminate them, and remediate the system. Known file transfer and web-mail exfiltration websites should be blocked; they give an employee, or malware on the employee's machine, a path for sending data out that bypasses the corporate mail controls, and a message opened in personal web mail can also bring a virus or trojan horse onto the system. Determine the roles and responsibilities for managing encryption keys on the network and define the key lifecycle processes. Implement Hardware Security Modules (HSMs) to protect private keys and key-encryption keys.
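Two of the measures above, scanning servers for sensitive data in clear text and inspecting outbound traffic at the perimeter, rest on the same pattern-matching core. The scanner below is an added example, not code from the paper or from any DLP product: it looks for US Social Security numbers, Luhn-valid payment card numbers and embedded credentials, masks what it finds so the alert itself does not leak the data, and is used once over stored files and once as a block decision for an outbound message. The file contents are constructed samples, and the pattern set is an illustration; a real deployment would add patterns for the organization's own classified data types.

```python
"""Sensitive-data discovery / DLP pattern scanner (added example)."""
import re
from typing import Dict, List, NamedTuple


class Hit(NamedTuple):
    source: str
    line: int
    kind: str
    masked: str


PATTERNS = {
    # US SSN: area not 000/666/9xx, group not 00, serial not 0000.
    "us-ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # 13-19 digits, optionally separated by spaces or dashes; confirmed with Luhn below.
    "card-number": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    # key=value or key: value credentials in configs, scripts and documents.
    "credential": re.compile(r"(?i)(password|passwd|pwd|secret|api[_-]?key)\s*[:=]\s*\S+"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; weeds out order numbers and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(kind: str, match: "re.Match") -> str:
    """Report enough to locate the data without copying it into the alert log."""
    value = match.group(0)
    if kind == "credential":
        return match.group(1) + "=<redacted>"
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(text: str, source: str) -> List[Hit]:
    hits: List[Hit] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                if kind == "card-number":
                    digits = re.sub(r"[ -]", "", m.group(0))
                    if not luhn_ok(digits):
                        continue          # a run of digits that is not a card number
                hits.append(Hit(source, line_no, kind, mask(kind, m)))
    return hits


def scan_files(files: Dict[str, str]) -> List[Hit]:
    """Clear-text discovery over stored files (path -> contents)."""
    hits: List[Hit] = []
    for path, contents in files.items():
        hits.extend(scan_text(contents, path))
    return hits


def should_block(outbound_payload: str) -> bool:
    """Perimeter decision for one outbound message: block if it carries sensitive data."""
    return bool(scan_text(outbound_payload, "outbound"))


# Constructed sample files (not real data).
SAMPLE_FILES = {
    "hr/payroll.csv": "name,ssn\nAlice Example,123-45-6789\nBob Example,321-65-4321\n",
    "web/orders.log": ("2016-05-09 order=1234567812345678 status=shipped\n"
                       "2016-05-09 card=4111 1111 1111 1111 status=declined\n"),
    "ops/deploy.sh": "#!/bin/sh\nexport DB_PASSWORD=hunter2\necho done\n",
    "docs/readme.txt": "Nothing sensitive here. Call 555-0100.\n",
}

if __name__ == "__main__":
    for hit in scan_files(SAMPLE_FILES):
        print(f"{hit.source}:{hit.line} {hit.kind} {hit.masked}")
    print(should_block("my card is 4111-1111-1111-1111"))
```

The Luhn step is what keeps the card pattern usable: the 16-digit order number in the sample log is skipped, while the test card number on the next line is reported. The same scanner run over network diagrams, configuration files and old reports is also a quick way to find the unprotected credentials that control 20 says should never be left lying around.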


The following five steps show how the processes described above work together, in order.
1. Data encryption systems ensure that the appropriate hard disks are encrypted.
2. Sensitive network traffic is encrypted.
3. Data connections are monitored at the network perimeter by monitoring systems.
4. Stored data is scanned to identify where sensitive information is stored.
5. Offline media is encrypted.

To test the effectiveness of this control, answer the following questions, in minutes or as yes or no.
Does the system identify and report on unauthorized data being exfiltrated, whether via network file transfers or removable media?
Does the system identify the attachment of unencrypted USB tokens and require encrypted tokens?
Does the system store cryptographic key material securely?
Does the system use only NIST-approved encryption algorithms?
Within one hour of a data exfiltration event or attempt, are enterprise administrative personnel alerted by the appropriate monitoring system?
Do alerts notifying of data exfiltration also note the system and location where the event or attempt occurred?
Are the systems able to identify the location, department, and other critical details about where the sensitive data originated?
How long does it take before a data leakage risk is remediated from the time it was detected?

The following questions help one gather the information needed to automate data protection with cryptography and DLP functions.
How many unauthorized data exfiltration attempts have been detected within a given period of time by DLP software?
How many plaintext instances of sensitive data have been detected within a given period of time by automated scanning software?
How many attempts to access known file transfer and e-mail exfiltration websites have been detected within a given period of time?

Control 18 is incident response and management. There are six quick wins for this control. First, make sure there are written incident response procedures that define the roles of personnel for incident handling and the phases of incident handling. Second, assign job titles and duties for handling computer and network incidents to specific individuals, in writing. Third, determine the management personnel in key decision-making roles who will support the incident handling process. Fourth, put standards in place for the time it should take system administrators and other personnel to report anomalous events to the incident handling team, along with the reporting mechanisms and the kinds of information to include in the notification. Fifth, assemble and maintain the third-party contact information needed to report a security incident, and notify the appropriate Computer Emergency Response Team (CERT) in line with the legal or regulatory requirements that apply to the organization's involvement in computer incidents. Sixth, publish the instructions for reporting computer anomalies and incidents to the incident handling team to all personnel, including employees and contractors. An advanced way is to periodically conduct incident response scenario sessions for the incident handling personnel. This keeps them up-to-date with current threats and risks and with their responsibilities in supporting the incident handling team, and it shows what needs to be fixed in the process, what is working well, and which personnel need more training.

Make sure to have an incident response plan in place, because if one does not, it will be too late to develop the procedures, reporting and data collection, management responsibilities, legal protocols, and communication strategies that allow the business to understand, manage, and recover from an incident. The following six steps help implement this control and identify its potential failure points.
1. Incident handling policies and procedures educate workforce members as to their responsibilities during an incident.
2. Some workforce members are designated as incident handlers.
3. Incident handling policies and procedures educate management as to their responsibilities during an incident.
4. Incident handlers participate in incident handling scenario tests.
5. Incident handlers report incidents to management.
6. The organization reports incidents to outside law enforcement and the appropriate Computer Emergency Response Team, if necessary.

Control 19 is secure network engineering. There is one quick win: implement a network with a minimum of a three-tier architecture, consisting of a DMZ, a middleware tier, and a private network. Any system that can be accessed from the Internet should be on the DMZ, and the DMZ should not hold any sensitive data. Systems holding sensitive data should never be reachable from the Internet and should sit in the private network. The DMZ and the private network should communicate only through an application proxy on the middleware tier. There are three advanced ways. First, configure the systems so that new ACLs, rules, signatures, blocks, black holes, and other defensive measures can be deployed rapidly. (A black hole is a routing technique that silently drops traffic to or from an address one does not want, instead of forwarding it.) Second, deploy DNS in a hierarchical structure: all internal client machines are configured to send their requests to the internal DNS servers, never directly to the Internet; if an internal DNS server cannot resolve a request, it forwards the request to the DNS server on the protected DMZ; and the DNS servers on the protected DMZ are the only ones permitted to send requests to the Internet. Third, segment the enterprise network into multiple separate trust zones to provide more specific control of system access and additional intranet boundary defenses.
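Rapid deployment of new rules only stays safe if the result can be checked against the intended design before it goes live. The following is an added example, not code from the paper: it models the zones described above (Internet, DMZ, middleware, private network, and the internal and DMZ DNS resolvers), evaluates flows against an ordered first-match rule list with an implicit final deny, and reports any required flow that is denied or forbidden flow that is allowed. The rule set, the port numbers and the zone names are constructed for the example; the hurried "open DNS everywhere" change at the end is the kind of mistake the check is meant to catch.

```python
"""Segmentation policy check for the three-tier design (added example)."""
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    src: str
    dst: str
    port: Optional[int]   # None matches any port
    action: str           # "allow" or "deny"


class Flow(NamedTuple):
    src: str
    dst: str
    port: int


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for rule in rules:
        if (rule.src in (flow.src, "any") and rule.dst in (flow.dst, "any")
                and rule.port in (flow.port, None)):
            return rule.action
    return "deny"


def check_policy(rules: List[Rule], required: List[Flow],
                 forbidden: List[Flow]) -> List[Tuple[str, Flow]]:
    """Return every flow whose verdict contradicts the intended design."""
    problems: List[Tuple[str, Flow]] = []
    for flow in required:
        if evaluate(rules, flow) != "allow":
            problems.append(("required flow denied", flow))
    for flow in forbidden:
        if evaluate(rules, flow) == "allow":
            problems.append(("forbidden flow allowed", flow))
    return problems


# Constructed policy for the paper's three-tier design.
POLICY = [
    Rule("internet", "dmz", 443, "allow"),           # public web tier
    Rule("dmz", "middleware", 8443, "allow"),        # web tier -> application proxy
    Rule("middleware", "private", 5432, "allow"),    # proxy -> database in the private network
    Rule("private", "internal-dns", 53, "allow"),    # clients ask internal resolvers only
    Rule("internal-dns", "dmz-dns", 53, "allow"),    # internal resolvers forward to the DMZ resolver
    Rule("dmz-dns", "internet", 53, "allow"),        # only the DMZ resolver talks to the Internet
    Rule("any", "any", None, "deny"),
]

# What the design says must work, and what it says must never work.
REQUIRED = [Flow("internet", "dmz", 443), Flow("dmz", "middleware", 8443),
            Flow("middleware", "private", 5432), Flow("private", "internal-dns", 53),
            Flow("internal-dns", "dmz-dns", 53), Flow("dmz-dns", "internet", 53)]

FORBIDDEN = [Flow("internet", "private", 5432), Flow("internet", "middleware", 8443),
             Flow("dmz", "private", 5432), Flow("private", "internet", 53),
             Flow("internal-dns", "internet", 53), Flow("private", "internet", 443)]

# A hurried "fix DNS" change that opens port 53 from everywhere.
HASTY_POLICY = [Rule("any", "any", 53, "allow")] + POLICY

if __name__ == "__main__":
    print("baseline:", check_policy(POLICY, REQUIRED, FORBIDDEN))
    print("hasty   :", check_policy(HASTY_POLICY, REQUIRED, FORBIDDEN))
```

The required and forbidden flow lists are the part worth maintaining: they encode the design decisions (Internet reaches only the DMZ, the private network is reached only through the proxy, only the DMZ resolver recurses to the Internet) in a form that every rule change can be tested against, whatever firewall or router the rules are finally pushed to.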

There are six steps that help identify potential failure points and implement this control.
1. Network engineering policies and procedures dictate how network systems function, including Dynamic Host Configuration Protocol (DHCP) systems.
2. DHCP servers provide IP addresses to systems on the network.
3. Network devices perform DNS look-ups against internal DNS servers.
4. Internal DNS servers perform DNS look-ups against external DNS servers.
5. Network engineering policies and procedures dictate how a central network management system functions.
6. Central network management systems configure network devices.

Control 20 is penetration tests and Red Team exercises. The quick wins are to conduct regular internal and external penetration tests to identify the vulnerabilities and attack vectors that an attacker could use to exploit one's systems. Testing from both inside and outside the network simulates attacks from both positions. The account used for penetration testing should be monitored to make sure it is used only for that purpose, and once the testing is done the account should be returned to its normal functions or removed. There are also more advanced ways. The Red Team should periodically run exercises to test the organization's readiness to identify and stop attacks, or to respond quickly and effectively. Where unprotected system information or artifacts that an attacker could use are found, such as network diagrams, configuration files, older penetration test reports, and e-mails or documents containing passwords or other data critical to system operations, that information should be encrypted. Next, plan clear goals for each penetration test with blended, Advanced Persistent Threat (APT)-style attacks in mind, and identify the goal machine or target asset. Use multiple vectors; social engineering can often be combined with web or network exploitation. Red Team manual or automated testing that captures pivoted, multi-vector attacks gives a more realistic view of the security posture and of the risk to assets. It is a good idea to use penetration testing tools and vulnerability scanning tools together: the vulnerability scan is the starting point, and the penetration testing tools then confirm which of the vulnerabilities found are actually exploitable, so that the systems can be secured. Put in place a scoring method for the results of Red Team exercises, so that results can be compared over time. Implement a test bed that duplicates the production environment for penetration tests and Red Team attacks against elements that are not typically tested in production, such as supervisory control and data acquisition (SCADA) and other control systems.

The following steps help one implement this control and identify its potential failure points.
1. Penetration testers perform penetration tests of production systems.
2. Automated pen-testing tools perform penetration tests of production systems.
3. Automated pen-testing tools inform penetration testers of vulnerabilities discovered.
4. Penetration testers perform more extensive penetration tests of test lab systems.
5. Auditors evaluate and inspect the work performed by penetration testers.
6. Penetration testers generate reports and statistics about the vulnerabilities discovered.
The following figure illustrates the steps above.
Figure 1. Seven Steps

In this paper, I talked about SANS Critical Security Controls 16 through 20: account monitoring and control, data protection, incident response and management, secure network engineering, and penetration tests and Red Team exercises. These controls help detect, track, control, manage, prevent, analyze, and correct access to data. I also talked about how the controls are used in a business setting, from quick wins to more advanced ways to make systems safe. As technology grows, black hats and some of the gray hats will become more advanced in their hacking, so as a cyber-world we need to become more advanced and aware of how our networks are set up and how much we should lock down systems to keep our information safe while still meeting the needs of the business.
