Security Planning: An Applied Approach | 04/19/23 | 3
Gap Analysis
The difference between where you are and where you want to be. For example:
• # malware infections/month
• Rate of finding illegal software or hardware
• Security awareness training averages
SEI/COBIT Level 4 Monitoring: Includes Metrics
Metrics inform management (and independent auditors) of the effectiveness of the security program
Monitoring achievement of control objectives may be more important than perfecting security procedures
Which metrics to use?
Business-Driven
• Addresses specific business risks
• Inherent industry risks
• Tailored to the organization
• Measures adherence to control objectives
Technology-Driven
• Addresses recent threats observed by CERT (CERT: Computer Emergency Readiness Team)
• Addresses recent forensic data
Monitoring Function: Business-Driven Metrics
Strategic Metrics: Executive mgmt is interested in risk, budget, policy. Review every 6 months to 1 year.
Tactical Metrics: Determine effectiveness of the security program: risk changes, compliance, incident response tests. Review quarterly to half-yearly.
Operational Metrics: Technical details, e.g., firewall, logs, IPS, vulnerability tests. Review weekly. Automate statistics.
Monitoring Function: Business-Driven Metrics (examples)
Strategic Metrics: Project plan or budget metrics; Risk performance; Disaster Recovery test results; Audit results; Regulatory compliance results
Tactical Metrics: Policy compliance metrics; Exceptions to policy/standards; Changes in process or system affecting risk; Incident management effectiveness
Operational Metrics: Vulnerability scan results; Server config. standards compliance; IDS monitoring results; Firewall log analysis; Patch mgmt status
Which metrics?
Step 1: What are the most important security areas (threats, regulation, …) to monitor in your organization?
Step 2: Which metrics make the most sense to collect? Can they be automated?
Step 3: Consider the 3 perspectives (strategic, tactical, operational metrics) relative to their 3 audiences.
Monitoring Function: Metrics
Risk:
• The aggregate ALE (annualized loss expectancy)
• % of risk eliminated, mitigated, transferred
• # of open risks due to inaction
Cost Effectiveness:
• Cost of workstation security per user
• Cost of email spam and virus protection per mailbox
Operational Performance:
• Time to detect and contain incidents
• % packages installed without problem
• % of systems audited in last quarter
Organizational Awareness:
• % of employees passing quiz, after training vs. 3 months later
• % of employees taking training
Technical Security Architecture:
• # of malware identified and neutralized
• Types of compromises, by severity & attack type
• Attack attempts repelled by control devices
• Volume of messages, KB processed by communications control devices
Security Process Monitoring:
• Last date and type of BCP, DRP, IRP testing
• Last date asset inventories were reviewed & updated
• Frequency of executive mgmt review activities compared to planned
Monitoring Function: Metrics cont’d
Security Management Framework:
• Completeness and clarity of security documentation
• Inclusion of security in each project plan
• Rate of issue recurrence
Compliance:
• Rate of compliance with regulation or policy
• Rate of automation of compliance tests
• Frequency of compliance testing
Secure Software Development:
• Rate of projects passing compliance audits
• Percent of development staff certified in security
• Rate of teams reporting code reviews on high-risk code in past 6 months
Incident Response Metrics:
• # of reported incidents
• # of detected incidents
• Average time to respond to an incident
• Average time to resolve an incident
• Total number of incidents successfully resolved
• Total damage from reported or detected incidents
• Total damage if incidents had not been contained in a timely manner
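The risk and incident response metrics above can be produced mechanically from a risk register and an incident log. The Python below is an added example, not code from the slides or the book: the risk register, the incident records, the "treatment" labels and the ALE = SLE × ARO convention used for "aggregate ALE" are all assumptions made for illustration, and every figure is constructed.

```python
"""Added example: computing risk and incident response metrics from the
slide's metric list. All data below is constructed for illustration."""
from datetime import datetime
from statistics import mean

# --- Risk metrics (strategic) --------------------------------------------------
# Assumed convention: ALE = SLE x ARO (annualized loss expectancy = single loss
# expectancy x annual rate of occurrence). "treatment" is the decision recorded
# in the register; "open" means no decision was taken (risk due to inaction).
RISK_REGISTER = [
    {"name": "FERPA violation",       "sle": 200_000, "aro": 0.50, "treatment": "mitigated"},
    {"name": "Credential cracking",   "sle": 50_000,  "aro": 2.00, "treatment": "mitigated"},
    {"name": "Web outage",            "sle": 10_000,  "aro": 4.00, "treatment": "transferred"},
    {"name": "Legacy app compromise", "sle": 80_000,  "aro": 0.25, "treatment": "open"},
    {"name": "Unused FTP server",     "sle": 30_000,  "aro": 1.00, "treatment": "eliminated"},
]

def ale(risk):
    return risk["sle"] * risk["aro"]

def risk_metrics(register):
    total = sum(ale(r) for r in register)
    treated = sum(ale(r) for r in register if r["treatment"] != "open")
    return {
        "aggregate_ale": total,
        "pct_risk_treated": round(100 * treated / total, 1),  # eliminated + mitigated + transferred
        "open_risks": sum(1 for r in register if r["treatment"] == "open"),
    }

# --- Incident response metrics (operational) ------------------------------------
# One record per incident. "reported" = a person reported it, "detected" =
# monitoring raised it (either may be missing); "damage" is estimated loss in USD.
INCIDENTS = [
    {"id": "INC-1", "type": "malware",     "reported": None,               "detected": "2023-04-03T09:15",
     "responded": "2023-04-03T09:40", "resolved": "2023-04-03T13:00", "damage": 1_200},
    {"id": "INC-2", "type": "brute_force", "reported": "2023-04-05T08:00", "detected": "2023-04-05T08:02",
     "responded": "2023-04-05T08:30", "resolved": "2023-04-05T10:30", "damage": 0},
    {"id": "INC-3", "type": "malware",     "reported": "2023-04-11T14:00", "detected": None,
     "responded": "2023-04-11T16:00", "resolved": "2023-04-12T09:00", "damage": 4_500},
]

def _t(stamp):
    return datetime.fromisoformat(stamp)

def first_known(inc):
    """Earliest moment the organisation knew about the incident (reported or detected)."""
    return min(_t(inc[k]) for k in ("reported", "detected") if inc[k])

def minutes_between(a, b):
    return (b - a).total_seconds() / 60

def incident_metrics(incidents):
    respond = [minutes_between(first_known(i), _t(i["responded"])) for i in incidents if i["responded"]]
    resolve = [minutes_between(first_known(i), _t(i["resolved"])) for i in incidents if i["resolved"]]
    return {
        "reported": sum(1 for i in incidents if i["reported"]),
        "detected": sum(1 for i in incidents if i["detected"]),
        "avg_minutes_to_respond": round(mean(respond), 1),
        "avg_minutes_to_resolve": round(mean(resolve), 1),
        "resolved": len(resolve),
        "total_damage": sum(i["damage"] for i in incidents),
    }

def monthly_counts(incidents):
    """Workbook-style operational counts such as '# malware infections / month'."""
    counts = {}
    for inc in incidents:
        key = (first_known(inc).strftime("%Y-%m"), inc["type"])
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    print(risk_metrics(RISK_REGISTER))
    print(incident_metrics(INCIDENTS))
    print(monthly_counts(INCIDENTS))
```

The "time to respond" clock starts at the earlier of the report and the detection, which is the number an auditor will ask for; measuring from detection alone hides the cases where monitoring never fired and a user had to phone the helpdesk.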
Workbook: Metrics Selected

Category    | Metric                                 | Calculation & Collection Method                       | Period of Reporting
Strategic   | Cost of security/terminal              | Information Tech. Group                               | 1 year
Strategic   | Cost of incidents                      | Incident Response totals                              | 6 months
Tactical    | % employees passing FERPA quiz         | Annual email requesting testing                       | 1 year
Tactical    | % employees completing FERPA training  | Two annual trainings with sign-in. Performance review | 1 year
Tactical    | # Hours Web unavailable                | Incident Response form                                | 6 months
Operational | # brute force attacks                  | Incident Response form                                | 1 month
Operational | # malware infections                   | Incident Response form                                | 1 month

Major Risks: FERPA Violation; Cracking Attempt; Web Availability; Lunatic gunman
What are the most important areas to monitor in your organization?
TECHNOLOGY-DRIVEN METRICS
SANS-Recommended Critical Controls for Effective Cyber Defense
Noticing inappropriate ‘additions’ to the network
• New PC
• New wireless
• New AP
Checking the security configuration of the network
• Patched? Legal software? Firewall on & security configured? Antivirus on and patched? Limit USB access?
• WPA2 AES, EAP-TLS?
• Withstands attacks? SQL injection, buffer overflow, cross-site scripting, clickjacking, …
• Monitor network?
Noticing inappropriate actions
• New sys admin or user account
• Transfer of confidential data or illegal packets
• Detect new network service
SANS: Critical Controls for Effective Cyber Defense
Typical SANS Metric:
Temporarily install unauthorized software, hardware or configuration on a device. It should be:
• found within 24 hours (or best: 2 minutes)
• isolated within one hour, confirmed by alert/email
• reported every 24 hours until the issue is resolved
SANS Critical Control 1: Inventory of Authorized Devices
Ensure all devices (with an IP address) on the network are known, configured properly, and patched. Scan the network daily or use DHCP reports or passive monitoring. Compare results with the baseline configuration.
Metric: Temporarily install an unauthorized device.
SANS Critical Control 2: Inventory of Authorized Software
Ensure all software is approved and recently patched
• Whitelist defines the permitted list of software
• Blacklist defines illegal software (e.g., IT tools)
• Endpoint Security Suites (ESS) contain antivirus, antispyware, firewall, IDS/IPS, s/w white/blacklisting
Metric: Temporarily install unauthorized software on a device.
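The metrics for Critical Controls 1 and 2 are the same check applied to two inventories: what is observed (on the network, or on a host) minus what the baseline approves, and then the time from the planted change to the alert. The Python below is an added example and is not from the slides, the book or SANS. The device baseline, the whitelist/blacklist, the arp-scan-style and dpkg-style listings and the timestamps are all constructed; the 24-hour and 1-hour targets are the ones on the "Typical SANS Metric" slide.

```python
"""Added example: the CC1/CC2 "plant something unauthorized" metric as a
baseline comparison plus a detect/isolate stopwatch. Inputs are constructed."""
from datetime import datetime

# --- CC1: device inventory -----------------------------------------------------
# Approved device baseline keyed by MAC address (hypothetical values).
DEVICE_BASELINE = {
    "00:11:22:33:44:01": {"ip": "10.0.0.10", "owner": "file-srv-01"},
    "00:11:22:33:44:02": {"ip": "10.0.0.11", "owner": "print-01"},
    "00:11:22:33:44:03": {"ip": "10.0.0.50", "owner": "ws-alice"},
}

# Constructed output in the shape of `arp-scan --localnet` (IP <tab> MAC <tab> vendor).
ARP_SCAN = """\
10.0.0.10\t00:11:22:33:44:01\tDell Inc.
10.0.0.11\t00:11:22:33:44:02\tHewlett Packard
10.0.0.50\t00:11:22:33:44:03\tDell Inc.
10.0.0.77\t00:11:22:33:44:99\tTP-LINK TECHNOLOGIES CO.,LTD.
"""

def parse_arp_scan(text):
    """Return {mac: (ip, vendor)} from arp-scan style lines; ignores malformed lines."""
    seen = {}
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 3:
            continue
        ip, mac, vendor = parts[0], parts[1].lower(), parts[2]
        seen[mac] = (ip, vendor)
    return seen

def unauthorized(observed, baseline):
    """The generic check behind CC1 and CC2: observed identifiers not in the baseline."""
    return sorted(set(observed) - set(baseline))

def unauthorized_devices(scan_text, baseline=DEVICE_BASELINE):
    seen = parse_arp_scan(scan_text)
    return {mac: seen[mac] for mac in unauthorized(seen, baseline)}

# --- CC2: software inventory ---------------------------------------------------
SOFTWARE_WHITELIST = {"openssh-server", "nginx", "python3", "curl"}
SOFTWARE_BLACKLIST = {"nmap", "telnetd", "x11vnc"}   # "illegal" IT tools, per the slide

# Constructed `dpkg-query -W -f='${Package} ${Version}\n'` style output.
PACKAGE_LIST = """\
openssh-server 1:9.2p1-2
nginx 1.22.1-9
python3 3.11.2-1
nmap 7.93+dfsg1-1
"""

def parse_packages(text):
    return {line.split()[0]: line.split()[1] for line in text.splitlines() if line.strip()}

def unauthorized_software(pkg_text, whitelist=SOFTWARE_WHITELIST, blacklist=SOFTWARE_BLACKLIST):
    installed = parse_packages(pkg_text)
    return {
        "not_whitelisted": unauthorized(installed, whitelist),   # anything outside the permitted list
        "blacklisted": sorted(set(installed) & blacklist),      # explicitly forbidden tools
    }

# --- The metric: how long from the planted change to the alert and the isolation? --
TARGET_DETECT_HOURS = 24    # slide: found within 24 hours (best: 2 minutes)
TARGET_ISOLATE_HOURS = 1    # slide: isolated within one hour

def grade_detection(planted_at, alerted_at, isolated_at):
    """Measured hours and pass/fail against the two targets (ISO-8601 timestamps)."""
    f = datetime.fromisoformat
    detect_h = (f(alerted_at) - f(planted_at)).total_seconds() / 3600
    isolate_h = (f(isolated_at) - f(alerted_at)).total_seconds() / 3600
    return {
        "hours_to_detect": round(detect_h, 2),
        "hours_to_isolate": round(isolate_h, 2),
        "detect_ok": detect_h <= TARGET_DETECT_HOURS,
        "isolate_ok": isolate_h <= TARGET_ISOLATE_HOURS,
    }

if __name__ == "__main__":
    print(unauthorized_devices(ARP_SCAN))
    print(unauthorized_software(PACKAGE_LIST))
    print(grade_detection("2023-04-19T09:00", "2023-04-19T11:30", "2023-04-19T13:00"))
```

Keying the device baseline on MAC rather than IP matters for the test: a planted device that grabs a DHCP lease will often land on an address the baseline has never seen, but a device that spoofs a known IP is only caught when the MAC (or a passive fingerprint) is compared as well.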
SANS Critical Control 3: Secure Configurations for Hardware & Software
All devices are hardened using recommended security configurations
• Illegal software list exists; includes Telnet, VNC, RDP
• New software is quarantined and monitored
• Imaged software is maintained in an updated state
Build secure images, and use configuration checking tools daily.
Metric: Temporarily attempt to change a set of random configurations.
SANS Critical Control 4: Continuous Vulnerability Assessment
Run vulnerability scans on all systems at least weekly, preferably daily. Problem fixes are verified through additional scans.
• Vulnerability scanning tools (kept updated) for: wireless, server, endpoint, etc.
• Automated patch management tools notify via email when all systems have been patched
Metric: If the scan does not complete in 24 hours, an email notification occurs.
SANS Critical Control 5: Malware Defense
Antivirus/antispyware is always updated
• Run against all data: shared files, server data, mobile data
Additional controls: blocking social media, limiting external devices (USB), using web proxy gateways, network monitoring.
• Endpoint security suite reporting tool is updated and active on all systems
Metric: For an install of benign "malware" (e.g., a security/hacking tool), antivirus prevents installation or execution, or quarantines the software
• Sends an alert/email within one hour indicating the specific device and owner
SANS Critical Control 6: Application S/W Security
New application software is tested for security vulnerabilities:
• Web vulnerabilities: buffer overflow, SQL injection, cross-site scripting, cross-site request forgery, clickjacking, and performance during DDoS attacks
• Input validated for size and type
• No system error messages reported directly to the user
Automated testing includes static code analyzers and automated web scanning.
Configurations include application firewalls and hardened databases.
Metric: An attack on the software generates a log/email within 24 hours (or less). Automated web scanning occurs weekly or daily.
SANS Critical Control 7: Wireless Device Control
Wireless access points are securely configured with the WPA2 protocol and AES encryption.
• Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) provides mutual authentication
• Only registered, security-approved devices are able to connect
Wireless networks are configured for the minimum required radio footprint.
Metrics: Wireless intrusion detection systems detect available wireless access points and deactivate rogue access points within 1 hour. Vulnerability scanners can detect unauthorized wireless access points connected to the wired network.
SANS Critical Control 8: Data Recovery Capability
Backups are maintained at least weekly and more often for critical data. Backups are encrypted and securely stored. Multiple staff can perform backup/recovery.
Metric: Test backups quarterly for a random sample of systems. This includes operating system, software, and data restoration.
SANS Critical Control 9: Security Skills Assessment
Security awareness training: required for end users and system owners
Security training: necessary for programmers and for system, security and network administrators
Metric: Test security awareness understanding
• Periodically run social engineering tests via phishing emails and phone calls
• Employees who fail a test must attend a class
SANS Critical Control 10: Secure Network Configurations
A configuration DB tracks approved configurations in config. mgmt. for network devices: firewalls, routers, switches. Tools perform rule set sanity checking for access control lists. Two-factor authentication is used for network devices.
Metric: Any change to the configuration of a network device is reported within 24 hours.
SANS Critical Controls
11. Control of Network Ports, Protocols and Services: Default-deny packets. Periodically review for further restriction.
Metric: Measure time to recognize an added network service
12. Controlled Administrative Privilege: Minimal elevated privileges. Passwords are complex, changed periodically, 2-factor.
Metric: Measure time to recognize a new sys admin
SANS Critical Controls
13. Boundary Defense: Use firewall zones to filter incoming and outgoing traffic. Blacklist & whitelist network addresses.
Metric: Measure time to recognize unauthorized packets
14. Analysis of Security Audit Logs: Server logs are append-only (write-once) and archived for months. Firewalls log all allowed and blocked traffic. Unauthorized access attempts are logged.
Metric: Measure time to recognize that log space has run out
SANS Critical Controls
15. Need to Know Access: Prevent exfiltration of data (e.g., to competitors). Classify data. Use restrictive firewall configurations. Log access to confidential data.
Metric: Measure time to recognize unauthorized access
16. Account Monitoring and Control:
• Terminated accounts -> removed
• Expired password / disabled / locked out accounts -> investigated
• Failed logins -> lockouts
• Inactivity -> locked sessions
• Unusual time access -> alert
• Data exfiltration recognized by keywords
Metric: Measure time to recognize new/changed user accounts
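Three of the rules above (failed logins -> lockouts, unusual time access -> alert, and the Control 12/16 metric of time to recognize a new sys admin or new account) can be run directly over an authentication log. The Python below is an added example, not from the slides or the book: the sshd/useradd/usermod lines are constructed in the usual syslog shape, and the lockout threshold, the 10-minute window, the business-hours range and the review time are assumptions for illustration.

```python
"""Added example: account monitoring detections (CC12/CC16) over constructed
auth-log lines. Thresholds, business hours and the sample log are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2023   # syslog timestamps carry no year; assumed for the sample below

# Constructed sshd/useradd/usermod lines in the usual syslog shape.
AUTH_LOG = """\
Apr 19 02:03:11 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Apr 19 02:03:13 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Apr 19 02:03:15 web01 sshd[2213]: Failed password for root from 203.0.113.5 port 51236 ssh2
Apr 19 02:03:18 web01 sshd[2214]: Failed password for root from 203.0.113.5 port 51237 ssh2
Apr 19 02:03:20 web01 sshd[2215]: Failed password for root from 203.0.113.5 port 51238 ssh2
Apr 19 02:03:22 web01 sshd[2216]: Failed password for root from 203.0.113.5 port 51239 ssh2
Apr 19 02:07:40 web01 sshd[2290]: Accepted publickey for bob from 198.51.100.7 port 40022 ssh2
Apr 19 09:15:02 web01 sshd[2401]: Accepted password for alice from 10.0.0.50 port 50001 ssh2
Apr 19 09:18:30 web01 sshd[2402]: Failed password for alice from 10.0.0.50 port 50002 ssh2
Apr 19 09:20:44 web01 useradd[2455]: new user: name=svc_backup, UID=1007, GID=1007, home=/home/svc_backup, shell=/bin/bash
Apr 19 09:21:10 web01 usermod[2460]: add 'svc_backup' to group 'sudo'
"""

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w-]+)\[\d+\]: (?P<msg>.*)$")
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")
NEW_USER = re.compile(r"new user: name=(?P<user>[^,]+)")
ADMIN_GROUP = re.compile(r"add '(?P<user>[^']+)' to group '(?P<group>sudo|wheel|admin)'")

LOCKOUT_THRESHOLD = 5                     # this many failures ...
LOCKOUT_WINDOW = timedelta(minutes=10)    # ... inside this window -> lock out / alert
BUSINESS_HOURS = range(7, 19)             # 07:00-18:59 counts as a usual access time

def parse(text):
    """Return (timestamp, program, message) for each well-formed syslog line."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["prog"], m["msg"]))
    return events

def brute_force_sources(events):
    """Source IPs with >= LOCKOUT_THRESHOLD failed logins inside LOCKOUT_WINDOW
    (CC16: failed logins -> lockouts). Returns {ip: total failures seen}."""
    failures = defaultdict(list)
    for ts, prog, msg in events:
        m = FAILED.search(msg)
        if prog == "sshd" and m:
            failures[m["ip"]].append(ts)
    hits = {}
    for ip, stamps in failures.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            if len([t for t in stamps[i:] if t - start <= LOCKOUT_WINDOW]) >= LOCKOUT_THRESHOLD:
                hits[ip] = len(stamps)
                break
    return hits

def unusual_time_logins(events):
    """Successful logins outside business hours (CC16: unusual time access -> alert)."""
    alerts = []
    for ts, prog, msg in events:
        m = ACCEPTED.search(msg)
        if prog == "sshd" and m and ts.hour not in BUSINESS_HOURS:
            alerts.append((ts.strftime("%H:%M"), m["user"], m["ip"]))
    return alerts

def account_changes(events, reviewed_at):
    """New accounts and new admins with the minutes until this review noticed them:
    the CC12/CC16 metric (time to recognize a new sys admin or new/changed account)."""
    reviewed = datetime.fromisoformat(reviewed_at)
    found = []
    for ts, prog, msg in events:
        lag = round((reviewed - ts).total_seconds() / 60)
        if prog == "useradd" and NEW_USER.search(msg):
            found.append(("new_account", NEW_USER.search(msg)["user"], lag))
        elif prog == "usermod" and ADMIN_GROUP.search(msg):
            found.append(("new_admin", ADMIN_GROUP.search(msg)["user"], lag))
    return found

if __name__ == "__main__":
    ev = parse(AUTH_LOG)
    print(brute_force_sources(ev))
    print(unusual_time_logins(ev))
    print(account_changes(ev, "2023-04-19T10:00"))
```

Run against the sample, the brute force rule fires only for 203.0.113.5 (six failures in eleven seconds) and not for alice's single typo, bob's 02:07 key-based login is the unusual-time alert, and the svc_backup account and its sudo membership show a 39-minute lag against a 10:00 review: the number the slide asks you to measure. Note that the sudo-group rule keys on the literal group name; an attacker who adds a user to a differently named privileged group, or edits /etc/sudoers directly, is not caught by this regex.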
SANS Critical Controls
17. Data Loss Prevention: Prevent exfiltration of proprietary or confidential info
• Encrypt mobile and USB devices
• Disable USB
Metric: Measure time to recognize transfer of a confidential data file
18. Incident Response: Incident Response Plan defines who does what for various conditions. IRP includes contact information for third-party contractors.
SANS Critical Controls
19. Secure Network Engineering: Separate zones exist: DMZ, middleware, private network
• DMZ accessed through proxy firewall
• DMZ DNS is in the DMZ; internal DNS is in the internal zone, …
Emergency config. for a restricted network is ready for quick deployment.
20. Penetration Tests: Penetration tests = vulnerability tests + attacker tests. Red Team exercises test incident response team reactions.
Metric: Measure false positive, false negative, true positive rate
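The Control 20 metric is a confusion matrix: the red team's action log is the ground truth, the SOC's alert queue is the prediction, and everything else logged in the window is benign background. The Python below is an added example, not from the slides or the book; the event IDs and the pass thresholds are constructed for illustration.

```python
"""Added example: scoring a red team exercise against detection (CC20 metric).
Event IDs are constructed; in practice they would be the red team's action log
and the SOC's alert queue joined on a shared key such as host + timestamp."""

RED_TEAM_ACTIONS = {"E03", "E07", "E11", "E15", "E18"}            # attacker steps performed
BENIGN_EVENTS = {"E01", "E02", "E04", "E05", "E06", "E08", "E09", "E10",
                 "E12", "E13", "E14", "E16", "E17", "E19", "E20"}  # background activity
ALERTS = {"E03", "E07", "E11", "E05", "E13"}                      # what the SOC flagged

def detection_rates(attacks, benign, alerts):
    """Confusion matrix of alerts against ground truth, with the rates the slide asks for."""
    tp = attacks & alerts          # attacker steps that raised an alert
    fn = attacks - alerts          # attacker steps nobody noticed
    fp = benign & alerts           # benign events that paged someone
    tn = benign - alerts           # benign events correctly ignored
    return {
        "tp": len(tp), "fp": len(fp), "fn": len(fn), "tn": len(tn),
        "true_positive_rate": round(len(tp) / len(attacks), 3),   # recall: share of attack steps caught
        "false_negative_rate": round(len(fn) / len(attacks), 3),  # share of attack steps missed
        "false_positive_rate": round(len(fp) / len(benign), 3),   # share of benign activity flagged
        "precision": round(len(tp) / len(alerts), 3) if alerts else 0.0,  # share of alerts worth the page
        "missed": sorted(fn),                                     # feed back into detection tuning
    }

def meets_target(rates, min_tpr=0.8, max_fpr=0.05):
    """Hypothetical pass criterion for the exercise; the thresholds are assumptions."""
    return rates["true_positive_rate"] >= min_tpr and rates["false_positive_rate"] <= max_fpr

if __name__ == "__main__":
    r = detection_rates(RED_TEAM_ACTIONS, BENIGN_EVENTS, ALERTS)
    print(r, "pass" if meets_target(r) else "fail")
```

Reporting the false positive rate alongside the true positive rate is what keeps the exercise honest: a detection tuned to alert on everything scores a perfect true positive rate and is useless, and the "missed" list is the concrete output the incident response team takes back to its rule set.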
Question
The difference between where an organization performs and where they intend to perform is known as:
1. Gap analysis
2. Quality Control
3. Performance Measurement
4. Benchmarking
Question
The MOST important metrics when measuring compliance include:
1. Metrics most easily automated
2. Metrics related to intrusion detection
3. Those recommended by best practices
4. Metrics measuring conformance to policy