Implementing & Auditing 20 Critical Security Controls
Defensia, 2012
Rafel Ivgi
This book introduces the 20 most critical security controls that any CIO must implement in his network environment in order to survive the current cyber-attacks of this era.
1 | Page
TABLE OF CONTENTS
TABLE OF CONTENTS ..................................................................................................................... 1
Introduction to Security Controls .................................................................................................... 9
Insider versus outsider threats ..................................................................................................... 9
Insider attacks Sophistication vs. Motivation Matrix:........................................................... 10
General Risk Threat Agents, Distribution and Motives ............................................................ 16
Conclusions ........................................................................................................................... 26
US federal Guidelines, Recommendations & Requirements..................................................... 26
FISMA - Federal Information Security Management Act..................................................... 26
FISMA's RISK MANAGEMENT FRAMEWORK (RMF) ................................................. 27
United States Government Configuration Baseline (USGCB).................................................. 28
The Security Content Automation Protocol (SCAP)................................................................. 28
NIST: FIPS 200 AND SP 800-53 - IMPLEMENTING INFORMATION SECURITY STANDARDS AND GUIDELINES......................................................................................... 30
The 20 critical controls.............................................................................................................. 38
Most commonly implemented controls ..................................................................................... 38
Least commonly implemented controls..................................................................................... 39
The Process.................................................................................................................................... 39
How to create strategy for data protection and prioritize the implementation of security ........ 39
The common inventory of Information Security Threats to an Organization: ...................... 40
The Organizational Data Lifecycle: ...................................................................................... 40
Creating a security strategy to protect the data per system: .................................................. 41
Creating an organizational scale data security strategy:........................................................ 42
Controls based on the likelihood of security threats.................................................................. 45
Risk Management.................................................................................................................. 45
Calculating Risks, Security Metrics and Risk Measurement Tools ...................................... 45
Implement specific techniques and tools to protect data and systems....................................... 47
Protecting Data ...................................................................................................................... 47
Common DRM techniques .................................................................................................... 48
Technologies DRM is used to Protect: .................................................................................. 48
DRM and documents............................................................................................................. 48
Watermarks ........................................................................................................................... 49
Laws regarding DRM............................................................................................................ 49
Digital Millennium Copyright Act ........................................................................................ 49
Audit the identified and implemented controls to ensure that they operate effectively and that they comply with established standards .................................................................................... 58
Preventing physical intrusions....................................................................................................... 59
Using Mantraps ......................................................................................................................... 59
Spinning Glass Doors ............................................................................................................ 59
Turnstiles ............................................................................................................................... 60
Combining man traps with security cameras and facial recognition......................................... 61
Using swipe based biometric authorization devices.................................................................. 63
Strong Authentication................................................................................................................ 64
Combining Fingerprint swipe with PIN code:....................................................................... 64
Fingerprint Swipe + Magnetic Card ...................................................................................... 64
Keyboard with Security......................................................................................................... 65
Not Secure ............................................................................................................................. 65
Secure .................................................................................................................................... 65
Extremely Secure................................................................................................................... 66
Using white noise generators to disturb eavesdropping ............................................................ 66
Low Cost Hardware Solutions............................................................................................... 66
IPhone Applications .................................................................................................................. 68
Studio Six Digital - AudioTools - Generator......................................................................... 68
Rabble Noise Generator ........................................................................................................ 69
Features ..................................................................................................................................... 69
Distortion & Reverberation Generator .................................................................................. 70
Laptop & PC Configurations......................................................................................................... 71
VDI............................................................................................................................................ 71
Motivations for VDI.............................................................................................................. 71
Poll Results: Is VDI More Expensive Than PC?................................................................... 72
Annual Facilities Costs PC vs. VDI ...................................................................................... 72
Comparing Endpoint PC Security to VDI Security............................................................... 73
VDI Security Comparison: Citrix XenDesktop vs. VMWare View...................................... 74
Data as a service ........................................................................................................................ 76
Benefits.................................................................................................................................. 76
Security.................................................................................................................................. 77
PC Metal Locking ..................................................................................................................... 77
Disabling Internal/External USB, DVD, CD-ROM Boot ......................................................... 78
Setting Bios Passwords ............................................................................................................. 81
User Account Control............................................................................................................ 81
Internet Explorer 9's Protected Mode ................................................................... 84
Memory Protection Mechanisms............................................................................................... 84
Security Cookie (Canary) ...................................................................................................... 84
SafeSEH ................................................................................................................................ 85
Address space layout randomization (ASLR) ....................................................................... 87
Visualization of ASLR Changes to system Memory per Boot.............................................. 88
NX (No eXecute Hardware DEP) ...................................................................................... 88
DEP and ASLR Protection Activation State: ........................................................................ 90
Data Execution Prevention - DEP ......................................................................................... 92
DEP, ASLR, IE Protected Mode and UAC's Impact on Security in Windows: ................... 92
Encrypting Laptops ................................................................................................................... 93
Managed Solution Mcafee / Symantec............................................................................... 93
Encryption Product Comparison for Apple Macintosh ......................................................... 93
Product Feature Comparison Table ....................................................................................... 94
Layering & Partition Type Support ............................................................................................... 95
Modes of operation........................................................................................................................ 96
Non-Managed - TrueCrypt .................................................................................................... 97
Setting Laptops' Out-of-Organization Personal Firewall Policy ......................................... 99
Network Equipment .................................................................................................................... 102
Understanding Layer 2 & 3 Security....................................................................................... 102
Layer 3+ Security .................................................................................................................... 155
An example of the right way to divide VLANs to matching logical business units............ 157
Maximizing Your Network Security with Private VLANs (PVLAN) .................................... 158
Configuring PVLAN ........................................................................................................... 161
Upgrading Router/Switch Firmware ....................................................................................... 163
Buying new equipment, new security features........................................................................ 165
Secure Configuration Management (SCM)................................................................................. 167
Introduction ............................................................................................................................. 167
Maintenance systems........................................................................................................... 167
Mapping supported devices..................................................................................................... 170
Inventory Scanner................................................................................................................ 171
Completing the gaps with scripts ............................................................................................ 176
Creating Device Groups (Security Level, Same Version) ................................................... 177
Creating Policies...................................................................................................................... 177
Attachments and Guidelines................................................................................................ 179
Auditing to verify security in practice..................................................................................... 187
Case Studies Summary: Top 10 Mistakes - Managing Windows Networks............................... 192
The shoemaker's son always goes barefoot...................................................................... 192
Domain Administrators on Users VLAN ............................................................................ 192
Domain Administrator with a Weak Password ................................................................... 193
Domain Administrator without the Conficker Patch (MS08-067) ...................................... 194
(LM and NTLM v1) vs. (NTLM v.2)...................................................................................... 195
Pass the Hash Attack ............................................................................................................... 197
Daily logon as a Domain Administrator.............................................................................. 198
Using Domain Administrator for Services .......................................................................... 198
Managing the network with Local Administrator Accounts ............................................... 199
The NetLogon Folder .......................................................................................................... 199
LSA Secrets & Protected Storage........................................................................................ 201
Cached Logons .................................................................................................................... 205
Password History................................................................................................................. 206
Users as Local Administrators............................................................................................. 206
Forgetting to Harden: RestrictAnonymous=1 ..................................................................... 207
Weak Passwords / No Complexity Enforcement ................................................................ 207
Guess what the password was? (gma )............................................................................. 207
Firewalls ...................................................................................................................................... 208
Understanding Firewalls (1, 2, 3, 4, 5 generations)................................................................. 208
First generation: packet filters ............................................................................................. 208
Second generation: "stateful" filters .................................................................................... 209
Third generation: application layer...................................................................................... 209
Application firewall............................................................................................................. 209
The Common Firewalls' Limits .......................................................................................... 211
Implementing Application Aware Firewalls ....................................................................... 212
Securely Enabling Applications Based on Users & Groups................................................ 214
High Performance Threat Prevention.................................................................................. 216
Checkpoint R75 Application Control Blade..................................................................... 218
Utilizing Firewalls for Maximum Security ............................................................................. 220
Implementing a Back-Bone Application-Aware Firewall....................................................... 220
Network Inventory & Monitoring ............................................................................................... 220
How to map your network connections? ................................................................................. 220
How to discover all network devices?................................................................................. 221
How to discover all cross-network installed software? ........................................................... 221
NAC ............................................................................................................................................ 222
The Problem: Ethernet Network......................................................................................... 222
What is a NAC originally? .................................................................................................. 223
Today's NAC?..................................................................................................................... 223
Why Invent Today's NAC?................................................................................................. 223
Dynamic Solution for a Dynamic Environment .................................................................. 224
Did We EVER Manage Who Gets IP Access?.................................................................... 224
What is a NAC?................................................................................................................... 224
Simple Explanation ............................................................................................................. 225
Goals of NAC...................................................................................................................... 225
NAC Approaches................................................................................................................. 226
General Basic NAC Deployment ........................................................................................ 228
NAC Deployment Types: .................................................................................................... 228
NAC Acceptance Tests........................................................................................................ 229
NAC Vulnerabilities............................................................................................................ 230
The common attack: Bypassing & Killing the NAC ......................................................... 231
Open Source Solutions ........................................................................................................ 232
SIEM - (Security Information Event Management) .................................................................... 238
SIEM Capabilities ............................................................................................................... 238
SIEM Architecture .................................................................................................................. 239
SIEM Logics........................................................................................................................ 242
Planning for the right amounts of data .................................................................................... 243
Introduction ......................................................................................................................... 243
SIEM Benchmarking Process.............................................................................................. 244
The Baseline Network ......................................................................................................... 246
SIEM Storage and Analysis................................................................................................. 249
Baseline Network Device Map............................................................................................ 251
EPS Calculation Worksheet ................................................................................................ 252
Common SIEM Report Types ................................................................................................. 252
Custom Reports ................................................................................................................... 253
Defining the right Rules: It's all about the rules.................................................................. 253
IDS/IPS........................................................................................................................................ 254
IPS Types ................................................................................................................................ 255
Detection Methods .................................................................................................................. 255
Signature Catalog: ................................................................................................................... 256
Alert Monitoring: .................................................................................................................... 257
Security Reporting:.................................................................................................................. 258
Alert Monitor:.......................................................................................................................... 259
Anti-Virus:............................................................................................................................... 260
Web content protection & filtering.............................................................................................. 260
Session Hi-Jacking and Internal Network Man-In-The-Middle.............................................. 260
XSS Attack Vector .............................................................................................................. 260
The Man-In-The-Middle Attack Vector .............................................................................. 261
HTML5 and New Client-Side Risks ....................................................................................... 266
Cookie/Repository User Tracking....................................................................................... 266
User TraceBack Techniques................................................................................................ 268
MAC ADDRESS Detection Of All Network Interfaces via JAVA .................................... 269
XSS + Browser Location Services ...................................................................................... 270
Use your power to protect and enforce GPO........................................................................ 273
Choosing, Implementing and Testing Web Application Firewalls ......................................... 280
Detecting Web Application Firewalls ................................................................................. 280
Bypassing Web Application Firewalls ................................................................................ 283
HTTP Parameter Pollution (HPP) ....................................................................................... 283
Examples: ............................................................................................................................ 284
Circumvention of default WAF filtering mechanisms ........................................................ 286
High Level Distributed Denial of Service ............................................................................... 296
Protecting DNS Servers & Detecting DNS Enumeration Attacks .......................................... 300
Detecting Sub Domains....................................................................................................... 303
Securing Web Servers ................................................................................................................. 304
Components of a generic web application system................................................................... 305
Multi-tier architecture.............................................................................................................. 306
Securing Virtual Hosts: Preventing Detection of Virtual Hosts ........................................ 307
Protecting against Google Hacking ..................................................................................... 308
Securing IIS 7/7.5 + Microsoft SQL Server 2008................................................................... 310
IIS Dynamic IP Restrictions Module: The mod_evasive of IIS .......................................... 310
Hardening IIS SSL with IISCrypto: Disabling Weak Ciphers .......................................... 311
Hardening IIS 7.5 on Windows 2008 Server R2 SP1.......................................................... 312
Apache Hardening............................................................................................................... 316
Mod_Evasive: Anti-D.O.S Apache Module...................................................................... 317
SELinux Optional Hardening:.............................................................................................. 318
SELinux Apache Hardening................................................................................................ 318
SELinux for other services (Experts Only) ............................................................................. 319
Enable Hardened HTTP ...................................................................................................... 319
Email protection & filtering ........................................................................................................ 322
Sending Spoofed Emails: Bypassing SPF with an $8 Domain............................................ 325
VPN Security............................................................................................................................... 326
Identifying VPNs & Firewalls (Fingerprinting VPNS)........................................................... 326
Offline password cracking................................................................................................... 327
VPN IKE User Enumeration ............................................................................................... 330
VPN PPTP User Enumeration............................................................................................. 331
VPN Clients Man-In-The-Middle Downgrade Attacks........................................................... 332
Downgrade Attacks - IPSEC Failure................................................................................... 332
Downgrade Attacks - PPTP ................................................................................................ 332
PPTP:................................................................................................................................... 333
PPTP Brute Force................................................................................................................ 333
Hacking VPNs with Aggressive Mode Enabled .................................................................. 334
Endpoint Security ........................................................................................................................ 341
Penetration tests and red team exercises ..................................................................................... 341
Implementing identity & access management creating backups, BCP & DRP .......................... 341
Security Metrics .......................................................................................................................... 342
Incident Responses........................................................................................................................ 342
Creating an audit ......................................................................................................................... 342
Conclusions ................................................................................................................................. 343
Introduction to Security Controls
Insider versus outsider threats
External: External threats originate from sources outside of the organization and its network of partners. Examples include former employees, lone hackers, organized criminal groups, and government entities. External agents also include environmental events such as floods, earthquakes, and power disruptions. Typically, no trust or privilege is implied for external entities.
Internal: Internal threats are those originating from within the organization. This encompasses company executives, employees, independent contractors, interns, etc., as well as internal infrastructure. Insiders are trusted and privileged (some more than others).
Partners, aka External Insiders/Trusted Business Partners (TBP): Partners include any third party sharing a business relationship with the organization. This includes suppliers, vendors, hosting providers, outsourced IT support, etc. Some level of trust and privilege is usually implied between business partners.
External vs. Internal vs. Partner Incident Distribution from the Last 8 Years:
As the distribution shows, the number of external attacks rises every year, whereas the number of internal attacks declines over the same period.
It is critical not to confuse what "internal" refers to: it describes where the malicious intention comes from, not the network position from which the attack is launched. For example, a remote external attacker can take over one machine and use it to execute internal network attacks. In this example, the attacker is still external, even though the type of attack is an internal network attack.
Insider Attacks: Sophistication vs. Motivation Matrix:
Examining Six Cases of Insider-Originated Incidents:
Organizational Divisions Influence vs. Interest in inspected Incidents:
Types of internal Agents by Percent:
General Risk Threat Agents, Distribution and Motives
Threat Categories in Practice Over time:
Distribution of threat agent type by stolen records:
Distribution by motive:
Distribution by origin organization type:
Distribution by origin geo-location:
Malware Functionality:
Hacking Methods Used:
Hacking Vectors Used:
Social Engineering Types Percentage:
Social Engineering Vectors Percentage:
Social Engineering Targets Percentage:
Compromised Assets Percentage:
Targeted vs. Opportunistic in All vs. Large Organizations:
Time from initial attack to data exfiltration until compromise discovery:
Breach Discovery Methods:
Breached Organizations Information Security vs. PCI-DSS and Common Standards:
Conclusions
1. Attacks are aimed at all companies; large companies are targeted with more attacks
2. External attacks mainly originate from organized crime groups
3. Most attacks originate from Eastern Europe
4. Attacks mostly involve personal or financial gain
5. The rise in recent years is in external hacking and malware infiltration
6. Hacking software was mostly keyloggers and backdoors
7. Hacking methods were mostly password guessing and use of stolen credentials
8. Hacking vectors were mostly remote access and backdoors
9. Social engineering attacks were mostly pretexting and bribery, by phone and in person, of regular employees and cashiers
10. Hacked machines were mostly Point-of-Sale systems and desktop workstations
11. Most organizations were attacked opportunistically; large ones were targeted
12. It mostly took minutes to achieve a successful penetration, minutes to exfiltrate data, and months to discover the incidents
13. Most breaches were reported by law enforcement agencies and third-party fraud detection
14. Most organizations were very far from being compliant with security standards
US Federal Guidelines, Recommendations & Requirements
FISMA - Federal Information Security Management Act
FISMA's final requirements specification is available at: http://csrc.nist.gov/drivers/documents/FISMA-final.pdf
FISMA's Vision
To promote the development of key security standards and guidelines to support the implementation of and compliance with the Federal Information Security Management Act, including:
- Standards for categorizing information and information systems by mission impact
- Standards for minimum security requirements for information and information systems
- Guidance for selecting appropriate security controls for information systems
- Guidance for assessing security controls in information systems and determining security control effectiveness
- Guidance for the security authorization of information systems
- Guidance for monitoring the security controls and the security authorization of information systems

FISMA's Objectives
- The implementation of cost-effective, risk-based information security programs
- The establishment of a level of security due diligence for federal agencies and contractors supporting the federal government
- More consistent and cost-effective application of security controls across the federal information technology infrastructure
- More consistent, comparable, and repeatable security control assessments
- A better understanding of enterprise-wide mission risks resulting from the operation of information systems
- More complete, reliable, and trustworthy information for authorizing officials, facilitating more informed security authorization decisions
- More secure information systems within the federal government including the critical infrastructure of the United States
FISMA's RISK MANAGEMENT FRAMEWORK (RMF):
United States Government Configuration Baseline (USGCB)
The United States Government Configuration Baseline (USGCB) evolved from the FDCC, the Federal Desktop Core Configuration.

USGCB is a Federal government-wide initiative that provides guidance to agencies on what should be done to improve and maintain effective configuration settings, focusing primarily on security.

The USGCB offers the latest revisions of the most hardened Windows environment security settings, which have been tested to retain sufficient usability:

- Hardened and Compliant Microsoft Windows Group Policy Collection: http://usgcb.nist.gov/usgcb/content/gpos/USGCB-GPOs.zip
- Hardened and Compliant Microsoft Windows Security Settings Specification (Excel): http://usgcb.nist.gov/usgcb/documentation/USGCB-Windows-Settings.xls
The Security Content Automation Protocol (SCAP)
The Security Content Automation Protocol (SCAP) is a suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans.

SCAP is a multi-purpose framework of specifications that support automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement. Goals for the development of SCAP include standardizing system security management, promoting interoperability of security products, and fostering the use of standard expressions of security content.

SCAP version 1.2 consists of eleven component specifications in five categories:

1. Languages. The SCAP languages provide standard vocabularies and conventions for expressing security policy, technical check mechanisms, and assessment results. The SCAP language specifications are Extensible Configuration Checklist Description Format (XCCDF), Open Vulnerability and Assessment Language (OVAL), and Open Checklist Interactive Language (OCIL).
2. Reporting formats. The SCAP reporting formats provide the necessary constructs to express collected information in standardized formats. The SCAP reporting format specifications are Asset Reporting Format (ARF) and Asset Identification. Although Asset Identification is not explicitly a reporting format, SCAP uses it as a key component in identifying the assets that reports relate to.
3. Enumerations. Each SCAP enumeration defines a standard nomenclature (naming format) and an official dictionary or list of items expressed using that nomenclature. The SCAP enumeration specifications are Common Platform Enumeration (CPE), Common Configuration Enumeration (CCE), and Common Vulnerabilities and Exposures (CVE).
4. Measurement and scoring systems. In SCAP this refers to evaluating specific characteristics of a security weakness (for example, software vulnerabilities and security configuration issues) and, based on those characteristics, generating a score that reflects their relative severity. The SCAP measurement and scoring system specifications are Common Vulnerability Scoring System (CVSS) and Common Configuration Scoring System (CCSS).
5. Integrity. An SCAP integrity specification helps to preserve the integrity of SCAP content and results. Trust Model for Security Automation Data (TMSAD) is the SCAP integrity specification.

SCAP utilizes software flaw and security configuration standard reference data. This reference data is provided by the National Vulnerability Database (NVD), which is managed by NIST and sponsored by the Department of Homeland Security (DHS).

The latest full specification of SCAP is available at: http://csrc.nist.gov/publications/nistpubs/800-126-rev2/SP800-126r2.pdf

The latest SCAP content for Windows 7, Windows 7 Firewall, and Internet Explorer 8: http://usgcb.nist.gov/usgcb/content/scap/USGCB-Major-Version-1.2.x.0.zip
Obtaining FISMA, NIST and SCAP compliant Security Checklists:
Example download link: http://iase.disa.mil/stigs/os/windows/u_windows_2008_r2_dc_v1r3_stig_benchmark_20120127.zip
NIST: FIPS 200 AND SP 800-53 - IMPLEMENTING INFORMATION SECURITY STANDARDS AND GUIDELINES
NIST's SP 800-53 focuses on the selection and implementation of appropriate security controls for an information system or a system-of-systems. These are important tasks that can have major implications on the operations and assets of an organization as well as the welfare of individuals and the Nation.

Security controls are the management, operational, and technical safeguards or countermeasures employed within an organizational information system to protect the confidentiality, integrity, and availability of the system and its information. There are several important questions that should be answered by organizational officials when addressing the security considerations for their information systems:

- What security controls are needed to adequately mitigate the risk incurred by the use of information and information systems in the execution of organizational missions and business functions?
- Have the selected security controls been implemented, or is there a realistic plan for their implementation?
- What is the desired or required level of assurance (i.e., grounds for confidence) that the selected security controls, as implemented, are effective in their application?

The answers to these questions are not given in isolation but rather in the context of an effective information security program for the organization that identifies, mitigates as deemed necessary, and monitors on an ongoing basis, risks arising from its information and information systems.

SECURITY CONTROL ORGANIZATION AND STRUCTURE

Security controls described in this publication have a well-defined organization and structure. For ease of use in the security control selection and specification process, controls are organized into seventeen families.

Each security control family contains security controls related to the security functionality of the family. A two-character identifier is assigned to uniquely identify each security control family. In addition, there are three general classes of security controls: management, operational, and technical.

Table 1-1 summarizes the classes and families in the security control catalog and the associated security control family identifiers:
NIST 800-53 Risk Management Framework and the information security standards and guidance documents associated with each activity:
NIST 800-53 Security Control Selection Process:
NIST 800-53 Security Control Baselines:
NIST 800-53 Security Control Priority & Baseline Allocation Examples:
NIST 800-53 Mapping Specified Security Controls to ISO 27001:
NIST 800-53 Controls Table is available at: http://csrc.nist.gov/groups/SMA/fasp/documents/security_controls/SP800-53Table.xls

Security Test and Evaluation (ST&E) Plan Template is available at: http://csrc.nist.gov/groups/SMA/fasp/documents/security_controls/App_CA_STE_Plan_Template_030408.doc
The 20 critical controls
1. Live Monitoring and Real-Time Alerting of security events and anomalies (SIEM integrated with AD, IPS, automatic inventory, etc.)
2. Data Recovery Capability
3. Effective network segmentation and compartmentalization of management and administration networks
4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
5. Applying suitable, different recurring automatic update/patching policies for all software on all asset types (endpoint, server, laptop, mission critical, internet exposed)
6. Revoking and limiting local administrator privileges in all systems, especially endpoints
7. Boundary Defense
8. Policy Hardening Utilizing Group Policy For Security
9. Implementation of an IDM (Identity Management) & SSO for all users, combined with strong (two-factor) authentication
10. Implementing a Back-Bone Application-Aware Firewall (Limitation and Control of Network Ports, Protocols, and Services by User * MAC * IP)
11. Inventory of Authorized and Unauthorized Devices
12. Data Loss Prevention
13. Security Skills Assessment and Appropriate Training to Fill Gaps
14. An incident response policy to minimize all potential risks during a breach
15. Inventory of Authorized and Unauthorized Software
16. Device Control Management: MDM (Mobile Device Management), Wireless/Cellular Modems, Mobile Storage, Digital Cameras
17. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
18. Malware Defenses (AV, HIPS)
19. Controlled Access Based on the Need to Know
20. Penetration Tests and Red Team Exercises
Most commonly implemented controls
1. Firewall on External Network (Internet)
2. Endpoint Security (Anti-Virus + Basic Device Control)
3. Boundary Defense
4. Data Recovery Capability
5. Malware Defenses
6. Penetration Tests and Red Team Exercises
7. Continuous Vulnerability Assessment and Remediation
8. Controlled Use of Administrative Network Privileges
9. Network Account Monitoring and Control
10. Controlled Access Based on Need to Know
Least commonly implemented controls
1. Protect equipment from unauthorized access
2. Secure offices and rooms
3. Secure the physical perimeter of the organization's buildings (internally)
4. Track the location of removable computer media
5. Manage visitor access to secure areas within the buildings
6. Measure security compliance at a third-party facility
7. Restrict access to the facility from the delivery or loading area
8. Protect unattended equipment
9. Apply digital signatures to protect the authenticity and integrity of electronic information
10. Detect unauthorized access to physical facilities
The Process

How to create a strategy for data protection and prioritize the implementation of security
The common inventory of Information Security Threats to an Organization:
The Organizational Data Lifecycle:
Creating a security strategy to protect the data per system:

1. Defining the organizational approach to security
   a. Organization's Risk Appetite
   b. Current/Future Insurance coverage plans
2. Mapping all the organizational data systems
   a. Inspecting documentation
   b. Requesting information from team leaders and system managers
   c. Network scanning: mapping forgotten systems
3. Inspecting the regulations the organization must comply with
   a. Government Regulations (DoD, CC, FIPS, NIST SP 800-37, NIST 800-53(A), FISMA)
   b. Industry Standards and Regulations (ISO17799/BS7799, ITIL/ISO-IEC 20000 and COBIT)
   c. International Regulations (ISO 27001, PCI-DSS, SOX, COSO, HIPAA, BITS (banking industry standards))
(Figure: The Organizational Data Lifecycle. Stages: Data Acquisition/Creation, Data Storage, Data Use, Data Sharing/Modifying, Data Destructing)

4. Assigning numerical values to systems' data by importance
   a. System/Asset quantified value by regulation requirements (by what the regulation considers sensitive data, e.g. customer names, addresses, email DB)
   b. Identifying the critical data of each data system: System/Asset quantified value by the system's customer availability requirements (e.g. customer, minor/major business partner, internal use, backup/DR)
      i. System/Asset quantified value by data sensitivity, defined by the System Manager/Data Owner together with the CISO
   c. Identifying the data usage, accessibility and usability requirements of each data type of each system
5. Analyzing system threats and attack vectors to the data
   a. Is the data encrypted? Where is the key located? Who has access to the key?
   b. Is the system under real-time security monitoring?
   c. What are the availability requirements of the system?
   d. Which networks is the system exposed to?
   e. Does the system get security updates automatically?
   f. Which services does the system listen on?
   g. How many people have privileged access to the system?
   h. Is the system integrated with a strong authentication mechanism?
6. Prioritizing the work process and defining Data Protection Requirements by data value and regulation requirements
   a. Data Protection Requirements of the most enforced regulations
   b. Data Protection Requirements of the most business-enabling regulations
   c. Aligning to management's organizational approach to security
   d. Researching remediation solutions and determining their TCO for 5-10 years
7. Confronting the results with management
   a. Setting up recurring meetings with management regarding information security (Yearly Plan, Strategic Plan, Current & Emerging Threats, Discovered Incidents)
   b. Presenting the calculated risk (by ALE, ARO)
   c. Presenting the potential set of remediation solutions vs. costs required
   d. Establishing decisions per threat and/or per system
   e. Requesting corrections to the current budget
Creating an organizational-scale data security strategy:

1. Defining the organizational approach to security
   a. Organization's Risk Appetite and Data Leakage approach
   b. Current/Future Insurance coverage plans
2. Mapping the major organizational data systems
3. Inspecting the regulations the organization must comply with
   a. Government Regulations (DoD, CC, FIPS, NIST SP 800-37, NIST 800-53(A), FISMA)
   b. Industry Standards and Regulations (ISO17799/BS7799, ITIL/ISO-IEC 20000 and COBIT)
   c. International Regulations (ISO 27001, PCI-DSS, SOX, COSO, HIPAA, BITS (banking industry standards))
4. Assigning numerical values to major systems' data by importance
   a. System/Asset quantified value by regulation requirements (by what the regulation considers sensitive data, e.g. customer names, addresses, email DB)
   b. Identifying the critical data of each data system: System/Asset quantified value by the system's customer availability requirements (e.g. customer, minor/major business partner, internal use, backup/DR)
      i. System/Asset quantified value by data sensitivity, defined by the System Manager/Data Owner together with the CISO
5. Identifying and detecting the highest common denominator in data attributes:
   a. Highest intersecting Data Accessibility (Setup Complexity, Training Complexity, Access Complexity, Client/Clientless, OS, Networks, Entities, Formats, Time Frames, Access Level)
   b. Highest intersecting Data Sharing requirements (Setup Complexity, Training Complexity, Sharing Complexity, Networks, Entities, Formats)
   c. Highest intersecting Data types of each System (DOC, XLS, PPT, PDF, TXT, Data in Databases, e.g. Credit Card Information)
   d. Most common size of a single data unit/file
6. Analyzing system threats and attack vectors to the data
   a. Is the data encrypted? Where is the key located? Who has access to the key?
   b. How is the data used? Over which networks?
   c. Where is the data stored permanently? Temporarily? (Clients' Outlook? Laptops? Are laptops encrypted?)
   d. How is the data shared? With whom?
   e. What types/formats is the data used with? Modifiable/Writable (DOC, XLS) or Read Only (PDF, XPS)?
   f. Does the data contain identifying information? (Authors, Watermarks, Digital Signature)
   g. Is each single copy of the data generated and marked for the specific entity it is shared with?
   h. Are the major systems providing the data under real-time security monitoring?
   i. What are the availability requirements of the data/system?
   j. How many people have privileged access to the data/system?
   k. Is the data access system integrated with a strong authentication mechanism?
   l. Is the data protected with a DRM (Digital Rights Management) solution?
   m. Is the data protected with a DLP (Data Leakage Prevention) solution?
   n. What are the possible data exfiltration vectors for the specific data types and existing environments? (Internet, Cellular Internet, Wireless, Bluetooth, Mass Storage (DOK, Camera, USB HDD), CD, DVD, Screen Capture, Physical Screen Photo)
7. Prioritizing the work process and defining Data Protection Requirements by data value and regulation requirements
   a. Data Protection Requirements of the most enforced regulations
   b. Data Protection Requirements of the most business-enabling regulations
   c. Aligning to management's organizational approach to security
   d. Considering the major usability requirements collected from data owners
   e. Researching remediation solutions and determining their TCO for 5-10 years
8. Operating the management
   a. Setting up recurring meetings with management regarding the information security data protection strategy (Yearly Plan, Strategic Plan, Current & Emerging Threats, Discovered Data Security Incidents)
   b. Presenting the overall cross-organizational calculated risk (by ALE, ARO)
   c. Presenting the potential set of cross-organizational remediation solutions vs. costs required
   d. Establishing decisions per threat and/or per major data system
   e. Requesting corrections to the current budget
Controls based on the likelihood of security threats
Risk Management
Calculating Risks, Security Metrics and Risk Measurement Tools
1. BITS Key Risk Measurement Tool
Implement specific techniques and tools to protect data and systems
Protecting Data
DRM - Digital Rights Management
Digital rights management (DRM) is a class of access control technologies that are used by hardware manufacturers, publishers, copyright holders and individuals with the intent to limit the use of digital content and devices after sale.

DRM is any technology that inhibits uses of digital content that are not desired or intended by the content provider. Copy protections which can be circumvented without modifying the file or device, such as serial numbers or key files, are not generally considered to be DRM.

DRM also includes specific instances of digital works or devices. Companies such as Amazon, AOL, Apple Inc., the BBC, Microsoft and Sony use digital rights management protections.

Works can become permanently inaccessible if the DRM scheme changes or if the service is discontinued. Proponents argue that digital locks should be considered necessary to prevent "intellectual property" from being copied freely, just as physical locks are needed to prevent personal property from being stolen.

Digital locks placed in accordance with DRM policies can also restrict users from doing something perfectly legal, such as making backup copies of CDs or DVDs, lending materials out through a library, accessing works in the public domain, or using copyrighted materials for research and education under fair use laws.
Common DRM techniques
1. Restrictive Licensing Agreements: The access to digital materials, copyright and public domain are controlled. Some restrictive licenses are imposed on consumers as a condition of entering a website or when downloading software.
2. Encryption
3. Scrambling of expressive material
4. Embedding of a tag (digital watermarking): This technology is designed to control access and reproduction of online information. This includes backup copies for personal use.

Technologies DRM is used to protect:
1. DRM and film
2. DRM and television
3. DRM and music
4. Audio CDs
5. Internet music
6. Computer games
7. E-books
DRM and documents

Enterprise digital rights management (E-DRM or ERM) is the application of DRM technology to the control of access to corporate documents such as Microsoft Word, PDF, and AutoCAD files, emails, and intranet web pages rather than to the control of consumer media.

E-DRM, now more commonly referenced as IRM (Information Rights Management), is generally intended to prevent the unauthorized use (such as industrial or corporate espionage or inadvertent release) of proprietary documents. IRM typically integrates with content management system software.

DRM has been used by organizations such as the British Library in its secure electronic delivery service to permit worldwide access to substantial numbers of rare (and in many cases unique) documents which, for legal reasons, were previously only available to authorized individuals actually visiting the Library's document Centre at Boston Spa in England.
Watermarks
Digital watermarks are features of media that are added during production or distribution. Digital watermarks involve data that is arguably steganographically embedded within the audio or video data. Watermarks can be used for different purposes that may include:
- recording the copyright owner
- recording the distributor
- recording the distribution chain
- identifying the purchaser of the music

Watermarks are not complete DRM mechanisms in their own right, but are used as part of a system for Digital Rights Management, such as helping provide prosecution evidence for purely legal avenues of rights management, rather than direct technological restriction.
Laws regarding DRM
Digital Millennium Copyright Act
In 1998 the Digital Millennium Copyright Act (DMCA) was passed in the United States to impose criminal penalties on those who make available technologies whose primary purpose and function is to circumvent content protection technologies.
IRM - Information Rights Management
Information Rights Management (IRM) is a term that applies to a technology which protects sensitive information from unauthorized access. It is sometimes referred to as E-DRM or Enterprise Digital Rights Management. This can cause confusion because Digital Rights Management (DRM) technologies are typically associated with business-to-consumer systems designed to protect rich media such as music and video. IRM is a technology which allows for information (mostly in the form of documents) to be remotely controlled. This means that information and its control can now be separately created, viewed, edited and distributed. Some existing IRM systems grew out of the ongoing development of DRM-style systems; however, a true IRM system will have some important differences and is typically used to protect information in a business-to-business model, such as financial data, intellectual property and executive communications. IRM currently applies mainly to documents and emails.

IRM technologies allow for several levels of security. Functionality offered by IRM usually comprises:
- Industry standard encryption of the information.
- Strong in-use protection, such as controlling copy & paste, preventing screen shots and printing.
- A rights model/policy which allows for easy mapping of business classifications to information.
- Offline use, allowing users to create/access IRM-sealed documents without needing network access for certain periods of time.
- Full auditing of both access to documents as well as changes to the rights/policy by business users.
An example of IRM in use would be to secure a sensitive engineering document being distributed in an environment where the document's recipients could not necessarily be trusted. Alternatively, an e-mail could be secured with IRM, so if it is accidentally forwarded to an untrusted party, only authorized users would gain access. Note that a well-designed IRM system will not limit the ability for information to be shared; rather, rules are only enforced when people attempt to gain access. This is important as often people share sensitive information with users who should legitimately have access but don't, and the technology needs to facilitate the easy request of access back to the business owners.

IRM is far more secure than shared secret passwords; key management is used to protect the information whilst it is at rest on a hard disk, network drive or other storage device. Crucially, IRM continues to protect and control access to the document when it is in use. Functionality such as preventing screen shots, disallowing the copying of data from the secure document to an insecure environment and guarding the information from programmatic attack are key elements of an effective IRM solution.

Seclore Technology from India has made very promising and authentic tools for IRM. Zafesoft Inc., a Silicon Valley (California) company, has created a solution for securing documents and the information in them as well as images (including medical images).
Information Rights Management is also known by the following names:
- Enterprise Rights Management
- Enterprise DRM or Enterprise Digital Rights Management
- Document Rights Management
- Intelligent Rights Management

Common IRM Solutions:
1. Covertix SmartCipher - Information Rights Management solutions
2. Seclore Technology - Information Rights Management solutions
3. Zafesoft Inc. - Information Security and Rights Management solutions
4. Microsoft - Rights Management solutions
5. Secure Islands - Rights Management solutions
Product Example: Secure Islands IQPROTECTOR FILE PROTECTION
System Architecture:
Feature Set:
Feature: Automatic classification at content creation
Benefit: 100% content identification accuracy, simple deployment, no repository scanning required

Feature: Automatic protection based on central policy
Benefit: Enterprise has complete control over what, why, when and how to protect data, completely transparent to the end user

Feature: Content marking: classification-driven addition of visual labels to documents
Benefit: Increase security awareness by visualizing document classification, raise both compliance and user accountability

Feature: Scanner Mode Server
Benefit: Classification and encryption of pre-existing content on file servers, NAS, SAN, and ECM repositories

Feature: Optional user classification, enabling the user to decide the type of classification required for a given document or mail
Benefit: Increased user accountability, added classification accuracy

Feature: Extends AD-RMS file format support (multi format)
Benefit: Protection for additional file formats, without application integration

Feature: Protection of client- or application-based content
Benefit: Applies RMS protection on files and data exported from applications without integration

Feature: Metadata labeling for DLP, FCI, eDiscovery, archiving
Benefit: Lowers the burden on DLP by accurately identifying, classifying and tagging sensitive enterprise data early in the data lifecycle to allow effective DLP enforcement

Feature: Protect documents upon access
Benefit: Apply AD-RMS protection on pre-existing content

Feature: Extendable to other encryption schemes
Benefit: Conversion of AD-RMS protected data to other protection schemes

Feature: Audit and report on every action on files everywhere
Benefit: Monitoring and audit mechanisms operate throughout the information lifecycle
Management Panel:
DLP - Data Leakage Prevention
Data Loss Prevention (DLP) is a computer security term referring to systems that enable organizations to reduce the corporate risk of the unintentional disclosure of confidential information. These systems identify, monitor, and protect confidential data while in use (e.g. endpoint actions), in motion (e.g. network actions), and at rest (e.g. data storage) through deep content inspection, contextual security analysis of transactions (attributes of originator, data object, medium, timing, recipient/destination and so on) and a centralized management framework.
Vendors Semantics:
1. Data Leak Prevention
2. Information Leak Detection and Prevention (ILDP)
3. Information Leak Prevention (ILP)
4. Content Monitoring and Filtering (CMF)
5. Information Protection and Control (IPC)
6. Extrusion Prevention System
7. Identification & Prevention of Data Exfiltration
Deployment and Coverage
Network DLP (aka Data in Motion)

Typically a software or hardware solution that is installed at network egress points near the perimeter. It analyzes network traffic to detect sensitive data that is being sent in violation of information security policies.

Storage DLP (aka Data at Rest)

Data-loss prevention of stored data typically involves data security software installed on your computer to prevent unauthorized access to the data stored on your hard drive and USB/external drives.

Endpoint DLP (aka Data in Use)

Such systems run on end-user workstations or servers in the organization. Like network-based systems, endpoint-based systems can address internal as well as external communications, and can therefore be used to control information flow between groups or types of users (e.g. 'Chinese walls'). They can also control email and Instant Messaging communications before they are stored in the corporate archive, such that a blocked communication (i.e., one that was never sent, and therefore not subject to retention rules) will not be identified in a subsequent legal discovery situation.

Endpoint systems have the advantage that they can monitor and control access to physical devices (such as mobile devices with data storage capabilities) and in some cases can access information before it has been encrypted.

Some endpoint-based systems can also provide application controls to block attempted transmissions of confidential information, and provide immediate feedback to the user. They have the disadvantage that they need to be installed on every workstation in the network, and cannot be used on mobile devices (e.g., cell phones and PDAs) or where they cannot be practically installed (for example on a workstation in an internet café).
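Whichever of the three deployment points a DLP system sits at, the deep content inspection described above is where it earns its keep, and it is easy to get wrong in both directions: a bare digit pattern flags order numbers and phone numbers as card data, while a careless alert log writes out the very card numbers the control exists to protect. The following is an added example, not code from this book or from any DLP product: a Python message inspector that finds candidate payment card numbers, keeps only those that pass the Luhn checksum, recognises the visual classification labels that a content-marking policy adds to documents, and decides block/log/allow depending on whether any recipient is outside the organization, reporting hits in masked form. The domain example.com, the label list and the sample message are constructed for the example; the card numbers are the usual industry test numbers, not real accounts.

```python
import re

INTERNAL_DOMAIN = "example.com"   # assumed organization mail domain (placeholder)

# 13 to 19 digits, optionally separated by single spaces or hyphens, not glued to other digits.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Visual labels the content-marking policy stamps on classified documents (assumed set).
CLASSIFICATION_LABELS = ("CONFIDENTIAL", "INTERNAL ONLY")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; weeds out order ids and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return card number candidates (digits only) that pass the Luhn check, in order of appearance."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep only the last four digits, so the DLP alert itself does not become a leak."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_labels(text: str) -> list:
    upper = text.upper()
    return [label for label in CLASSIFICATION_LABELS if label in upper]


def inspect_message(message: dict) -> dict:
    """Policy: sensitive content leaving the organization is blocked; internal use is only logged."""
    cards = find_card_numbers(message["body"])
    labels = find_labels(message["body"])
    external = [r for r in message["to"] if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    sensitive = bool(cards or labels)
    if sensitive and external:
        action = "block"
    elif sensitive:
        action = "log"
    else:
        action = "allow"
    return {"action": action, "cards": [mask(c) for c in cards],
            "labels": labels, "external_recipients": external}


# Constructed sample message: two test card numbers, one order id, one phone number.
SAMPLE_MESSAGE = {
    "from": "cashier@example.com",
    "to": ["partner@supplier.example", "finance@example.com"],
    "body": (
        "CONFIDENTIAL: chargeback list for today.\n"
        "Customer A card 4111 1111 1111 1111, order 1234567890123456.\n"
        "Customer B card 5500-0000-0000-0004, call back on +1 555 0100 2345.\n"
    ),
}

if __name__ == "__main__":
    print(inspect_message(SAMPLE_MESSAGE))
```

The order id is sixteen digits long and is matched by the pattern but fails the Luhn check, which is what keeps the false-positive rate of a real deployment tolerable; the phone number never reaches the checksum because it is too short. The same inspector function can run at an egress proxy, over a file share, or on the endpoint, which is the point of the three deployment options above.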
Open Source Solutions:
OpenDLP
MyDLP Community Edition
Audit the identified and implemented controls to ensure that they operate effectively and that they comply with established standards
1. Feature and Acceptance Testing1.1. Verify the features designed in the controls work properly.
For example, verify that only the specifically defined websites are protected by the WebApplication Firewalls and that the ones which are not compatible are not harmed.
2. Recurring Vulnerability Assessment2.1. Verify Patching Systems work properly in practice2.2. Verify passwords match complexity requirements in practice2.3. Recurring verification of personnel alertness to security events
3. Penetration Testing3.1. Verify logs quality in practice3.2. Verify Real-Time Protection/Response Systems work properly in practice3.3. Verify Real-Time/Scheduled Alerting mechanisms work properly in practice
59 | P a g e
Preventing physical intrusions

Using Mantraps
A mantrap (aka interlock, aka air lock) is a small space with two sets of interlocking doors, such that the first set of doors must close before the second set opens. Identification may be required at each door, sometimes even with different measures for each door. For example, a key may open the first door, but a personal identification number entered on a keypad opens the second.
Other methods of opening the doors include proximity cards or biometric devices such as fingerprint readers or iris recognition scanners. Metal detectors are often built in to prevent people carrying weapons from entering. Such use is particularly frequent in banks and jewelry shops.
Mantraps may be configured so that when an alarm is activated, all doors lock and trap the suspect between the doors in the "dead space", or so that just one door locks to deny access to a secure space such as a data center or research lab.
An effective mantrap will physically contain only one person at a time, in order to avoid tailgating or piggybacking.
Spinning Glass Doors

Turnstiles

Combining mantraps with security cameras and facial recognition
It is very effective to combine a mantrap with a close-range camera; this yields a time-stamped close-up face picture of everyone who entered and left the secure area.
In addition, it is extremely effective to feed the mantrap camera's images into a facial recognition solution in order to get a complete protection and detection system: the mantrap prevents unauthorized entry, and the recorded faces allow every entry to be attributed to a person afterwards.
Using swipe-based biometric authorization devices

Not Secure: touch-type fingerprint scanner. When you place your finger on a touch-type fingerprint device, a latent print stays on the sensor surface after the scan; it can be lifted, replicated and re-used against the device.

Secure: fingerprint swipe scanner. Swipe scanners are safer in this respect, since dragging the finger across the sensor smears and effectively removes the latent print you leave behind.

Extremely Secure: full hand swipe. A full-hand print is very hard to obtain and extremely challenging to spoof. Notice that this solution is also swipe-based and therefore does not expose the user's fingerprint either.
Strong Authentication

Combining a fingerprint swipe with a PIN code:

Fingerprint swipe + magnetic card:
- Not Secure
- Secure

Keyboard with security:
- Not Secure
- Secure
- Extremely Secure
Using white noise generators to disturb eavesdropping

Low Cost Hardware Solutions
Typical uses of a white noise generator:
1. Make other noise coming into an area less distracting, or
2. Reduce the chance of overhearing adjacent conversations, or
3. Reduce the chance of having your conversation overheard by someone else.
4. Aid in alleviating the effects of tinnitus by providing a low-level broad-band noise to help achieve the "habituation" of tinnitus.

Common technical specifications:
- Weight: 12 oz. (340.2 g)
- Audio frequency range: 300 Hz - 3 kHz (the band that carries speech intelligibility)
- Output sound level: max 92 dB @ 4 ft.
- Power: two 9 volt alkaline batteries or AC transformer (120 or 240 VAC)
iPhone Applications

Studio Six Digital - AudioTools - Generator
Signal types and measured output levels:
- Sine wave: 1000 Hz 6.85 dBu; 10 kHz 6.87 dBu; 31 Hz 6.75 dBu
- Pink noise: full bandwidth -20.0 dBu; octave bands at 1 kHz, 125 Hz, 31 Hz and 16 kHz each -31.0 dBu
- White noise: full band -28.9 dBu; octave bands vary
- Square wave: 63 Hz 3.43 dBu; 1000 Hz 3.44 dBu
Rabble Noise Generator

Features
Designed by TSCM/counter-surveillance professionals; the vendor states that it protects against all types of eavesdropping when used in accordance with the recommendations.
Employs a new approach to the problem of conversation protection: a speech-like noise which, in most cases, has proven more effective than white noise.
The noise has been 'compiled' from real human conversations and resembles the noise of a 'rabble' in busy public places. This type of noise is the most effective at creating interference to voice recorders and listening devices, especially when the size of the protective device is critical.
Kinds of listening devices rendered useless by the Rabbler:
- Voice recorders
- Radio microphones
- GSM/3G bugs
- Body-carried video cameras (watches, ties, etc.), by jamming their audio
- Wired microphones
- Any other type of audio surveillance
The Rabbler creates an additional barrier of interference which masks your speech. Once a certain noise level is reached, listening devices still record or transmit, but it becomes extremely difficult, or impossible, to extract the speech component. Because the generator produces a speech-like noise rather than a stationary hiss, filtering it back out is extremely difficult or, at a sufficient noise level, most likely impossible.
Distortion & Reverberation Generator

DRUID D-06
Top-of-the-line protection system. The vendor describes it as the only device which can give 100% protection to your conversations against interception or recording. The DRUID D-06 creates powerful interference against all kinds of listening devices; even a person standing next to the participants will not be able to understand what is being said. The headsets allow the users to hear each other clearly while the DRUID's central unit produces the interference. Powered from 220 V or the internal rechargeable battery, with a run time of 36 hours. The unit is supplied in a carry case.
Not all listening devices can be detected by existing methods. The DRUID D-06 is a unique system for protecting human speech rather than for finding the bug: remotely controlled radio microphones, wired microphones, passive resonators and miniature voice recorders practically all escape conventional detection methods. Even a modern cellular phone may contain a digital voice recorder, which means that any phone lying on the desktop could be used by an adversary to record a conversation.
According to the vendor, the generated audio interference cannot be removed by any noise-cancellation method. At the same time the interference causes no inconvenience to the participants of the negotiation thanks to the special headsets, which let users hear each other with crystal-clear quality.
Laptop & PC Configurations

VDI

Motivations for VDI

Poll Results: Is VDI More Expensive Than PC?

Annual Facilities Costs PC vs. VDI
Comparing Endpoint PC Security to VDI Security

Parameter | PC | VDI | Thin Client/Chip PC
Allows working locally if network is down | | |
Easy to maintain security | | |
Hardware renewal | Complete hardware should be renewed every 5 years (~$800) | | Complete hardware should be renewed every 8+ years (~$400)
Privilege escalation | Allows taking over the endpoint | Taking over an entire server |
Full compatibility with external devices, smart cards | | |
Physical security is NOT a risk | | |
No hard disk encryption is required | | |
Endpoint backup & roaming profiles is not a must | | |
Not vulnerable to boot kits and MBR/BIOS viruses | | |
VDI Security Comparison: Citrix XenDesktop vs. VMware View

Security Feature | VMware View 4.6 | Citrix XenDesktop 5
Client authentication methods | Active Directory; Kerberos realm in mixed AD/MIT Kerberos environments; RSA SecurID; X.509 certificate | Active Directory; Kerberos realm in mixed AD/MIT Kerberos environments; RSA SecurID; X.509 certificate
Support for 2-factor authentication? | Yes | Yes
Control redirection/mapping of local host hard drives | Yes | Yes
Control host clipboard redirection for text copy/paste | Yes | Yes
Control host clipboard redirection for files and folders? | No, files and folders cannot be copied between host and View using PCoIP | Yes
Full-screen-only mode with no toggle to local host OS | Yes, but only with a hardware thin client | Yes, but only with a type 1 deployment
Single sign-on support | Yes | Yes
Granular USB redirection control | No, just basic USB redirect on or off | Yes, very granular criteria including the VID, PID, REL, Class, SubClass and Prot tags in the USB device descriptor
Allow read-only access to USB hard drives | No, but you can use Microsoft GPO policies to accomplish this | Yes, using the same granular USB descriptor criteria
Communication protocol used | RDP or PCoIP | ICA
Are communications encrypted natively? | Yes, if using PCoIP to a Windows 2008 security server: AES 128-bit SSL | Yes, if connecting to a Citrix security gateway: AES 128-bit SSL
VDI communications can run over a 3rd-party SSL VPN connection? | Yes | Yes
VDI can USB-sync iOS devices like iPhone and iPad | Yes | Yes
Ability to run VDI client in offline or local mode | Yes, as a type 2 hypervisor (i.e. an application on an existing OS) | Yes, as a type 1 bare-metal hypervisor (i.e. boot directly into the VDI client). Installing XenClient for offline mode requires you to destroy or overwrite your current host OS, and requires hardware virtualization found only on Intel vPro family CPUs. The benefit is better performance, because it accesses the hardware directly and not through a host OS like a type 2 hypervisor. The potential drawback is that it dedicates that host to being just a XenClient unless you enable dual booting; in some cases this is actually a plus, since it removes the security issues that come with having a host OS that VDI runs on top of.
Ability to manage offline VDI clients | Yes; you can also force the user to periodically check in their VDI so it is properly backed up and updated | No, but automated backups are performed by the client
Ability to encrypt VDI files and folders on the guest OS | Yes | Yes, called XenVault; uses up to 256-bit AES encryption and can be wiped centrally/remotely if needed
Lock out VDI if communication to the server is lost for X time period? | Yes | Unknown
Microsoft Active Directory is required for VDI policy settings? | No | Yes
Control mapping to host drives | Yes, RDP only | Yes
Built-in bandwidth/protocol management | Yes, using PCoIP | Yes, limit bandwidth per session
Restrict access based on time/location/device type | No | Yes
Restrict VDI functionality based on time/location/device type | No | Yes
IPv6 support | No | No
FIPS 140-2 compliant | Yes | Yes
VDI security best practices whitepaper published | Yes | Yes
Embedded firewall at VDI head end | Yes, vShield | Yes, Citrix Secure Gateway
VDI anti-virus offload to virtual appliance | Yes, vShield Endpoint required; removes the requirement for AV clients on each VDI host | Yes, using integration with McAfee MOVE AV; removes the requirement for AV clients on each VDI host
Supports multiple AD forests and multiple AD domains | Yes | Yes
As you can see, both vendors have compelling offers with their own strengths and weaknesses. I don't see a huge security advantage of one over the other. Instead, your choice will depend on your specific requirements more than anything else. Technology changes rapidly, especially in the VDI space, so be sure to validate what I have here with other sources or the vendors themselves. If you see something that has become no longer true please post a comment and I will update this posting. If you know of some security comparisons I should have included please post them as well.
Data as a service
Data as a service, or DaaS, is a cousin of software as a service. Like all members of the "as a Service" (aaS) family, DaaS is based on the concept that the product, data in this case, can be provided on demand to the user regardless of geographic or organizational separation of provider and consumer. Additionally, the emergence of service-oriented architecture (SOA) has made the actual platform on which the data resides irrelevant as well. This development has enabled the recent emergence of the relatively new concept of DaaS.
Traditionally, most enterprises have used data stored in a self-contained repository, for which software was
specifically developed to access and present the data in a human-readable form. One result of this paradigm
is the bundling of both the data and the software needed to interpret it into a single package, sold as a
consumer product. As the number of bundled software/data packages proliferated and required interaction
among one another, another layer of interface was required. These interfaces, collectively known
as enterprise application integration (EAI), often tended to encourage vendor lock-in, as it is generally easy
to integrate applications that are built upon the same foundation technology.
The result of the combined software/data consumer package and required EAI middleware has been an
increased amount of software for organizations to manage and maintain, simply for the use of particular
data. In addition to routine maintenance costs, a cascading amount of software updates are required as the
format of the data changes. The existence of this situation contributes to the attractiveness of DaaS to data
consumers because it allows for the separation of data cost and usage from that of a specific software or
platform.
Benefits
Data as a Service brings the notion that data quality can happen in a centralized place, cleansing and enriching data and offering it to different systems, applications or users, irrespective of where they are in the organization or on the network. As such, Data as a Service solutions provide the following advantages:
- Agility: customers can move quickly due to the simplicity of the data access and the fact that they don't need extensive knowledge of the underlying data. If customers require a slightly different data structure or have location-specific requirements, the implementation is easy because the changes are minimal.
- Cost-effectiveness: providers can build the base with the data experts and outsource the presentation layer, which makes for very cost-effective user interfaces and makes change requests at the presentation layer much more feasible.
- Data quality: access to the data is controlled through the data services, which tends to improve data quality because there is a single point for updates. Once those services are tested thoroughly, they only need to be regression tested if they remain unchanged for the next deployment.
Security
Like any other cloud-based service, DaaS raises several main issues:
1. Network downtime: vendor or client downtime for maintenance, disaster or denial-of-service attacks completely denies the users the ability to work.
2. Data security: data is physically stored on the vendor's remote servers and may be read, modified or deleted by mistake, bribery, extortion, etc.; the customer depends on the vendor's access controls, logging and personnel screening.
3. Data security over the internet: all the information travels over the wire and physically leaves the organization's computers. This allows hostile states and other adversaries to record the traffic and attempt to decrypt it in order to obtain secret information; strong, correctly configured transport encryption is the customer's only control over that path.
PC Metal Locking
Disabling Internal/External USB, DVD, CD-ROM Boot

Organizations should implement an intensive Endpoint Security Solution for Device Control. The solution must cover the following aspects:

1. Protected physical interfaces
   1.1. USB
   1.2. FireWire
   1.3. PCMCIA
   1.4. Secure Digital (SD)
   1.5. Parallel
   1.6. Serial
   1.7. Modem
   1.8. Internal ports
2. Protected wireless interfaces
   2.1. Wi-Fi
   2.2. Bluetooth
   2.3. Infra-Red (IrDA)
3. Protected storage devices
   3.1. External hard drives
   3.2. Removable storage devices
   3.3. CD / DVD drives
   3.4. Floppy drives
   3.5. Tape drives
Security Policy - Flexible Strategy, Simple Implementation
Different organizations have different needs and different corporate cultures. That is why device control solutions allow administrators to first choose their endpoint security strategy, and then implement it in line with their unique organizational needs.
Device control solutions create forensic logs of all data moving in and out of the organization, allowing administrators to create policies that do not necessarily restrict device usage but give full visibility of device activity and content traffic. Through a flexible management console, device control solutions allow administrators to create comprehensive and granular endpoint security policies.

Device control solutions - Features and Benefits
- Granular control: detects and restricts devices by device type, device model or unique serial number.
- Data awareness: controls the transfer of files both to and from external storage devices according to the file types.
- Removable media encryption: encrypts corporate data in motion on removable storage devices, external hard drives and CD/DVDs.
- Track offline usage of removable storage: tracks file transfers to/from encrypted devices on non-corporate computers (offline).
- Built-in compliance policies: includes detailed configurations for achieving security policies that are mapped to specific regulatory compliance standards such as PCI, HIPAA and SOX.
- Granular Wi-Fi control: by MAC address, SSID, or the security level of the network.
- Anti-bridging: prevents hybrid network bridging by blocking Wi-Fi, Bluetooth, modems or IrDA while the PC is connected to the wired corporate LAN.
- Anti-hardware-keylogger: blocks or detects both USB and PS/2 hardware keyloggers.
- U3 and autorun control: turns U3 USB drives into regular USB drives while attached to organization endpoints, protecting against auto-launch programs by blocking autorun.
- Flexible and intuitive management: automatically synchronizes with Microsoft Active Directory and Novell eDirectory.

If the organization decides to allow USB devices such as USB disk-on-keys and USB storage devices, it should use secure solutions. Secure disk-on-key solutions are:
1. Encrypted, and unlocked by one of:
   - a password
   - a certificate and a password
   - a biometric fingerprint
   - a certificate and a biometric fingerprint
2. Equipped with a physical switch between two modes: read only, and read and write.
Biometric Integrated USB Devices:
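Both the "granular control by device type, model or serial number" feature above and the per-VID/PID/Class USB redirection rules in the XenDesktop column of the VDI comparison come down to the same thing: an ordered rule list evaluated against the fields of the USB device descriptor, with a default deny. The block below is an added example written for this book, not code from any vendor's product; the rule syntax is this example's own (vendor policy languages differ), the 0x1234/0x0007 device and the serial number are constructed, and the other vendor IDs are only used as illustrative values.

```python
"""Device-control policy evaluation over USB descriptor fields.

Added example, not vendor code. First matching rule wins; default deny.
"""
from dataclasses import dataclass
from typing import Dict, List

# USB-IF interface class codes used by the rules below.
CLASS_HID = 0x03            # keyboards, mice
CLASS_MASS_STORAGE = 0x08   # thumb drives, external disks
CLASS_WIRELESS = 0xE0       # Bluetooth/RF controllers


@dataclass(frozen=True)
class Device:
    """The descriptor fields a device-control agent or VDI broker sees at enumeration."""
    vid: int
    pid: int
    dev_class: int
    subclass: int = 0
    serial: str = ""


@dataclass
class Rule:
    action: str                 # ALLOW | READONLY | DENY
    match: Dict[str, object]    # descriptor field -> required value (all must match)
    comment: str = ""

    def applies(self, dev: Device) -> bool:
        return all(getattr(dev, field) == value for field, value in self.match.items())


# Constructed policy: pin the issued encrypted drive by serial, refuse the same
# model otherwise, make any other storage read-only, forbid USB radios (anti-
# bridging) and keep keyboards/mice working. Everything else hits default deny.
POLICY: List[Rule] = [
    Rule("ALLOW", {"vid": 0x1234, "pid": 0x0007, "serial": "HQ-ENC-0042"},
         "issued hardware-encrypted drive, pinned by serial (constructed IDs)"),
    Rule("DENY", {"vid": 0x1234, "pid": 0x0007}, "same model, not an issued unit"),
    Rule("READONLY", {"dev_class": CLASS_MASS_STORAGE}, "any other removable storage"),
    Rule("DENY", {"dev_class": CLASS_WIRELESS}, "anti-bridging: no USB radios on the LAN"),
    Rule("ALLOW", {"dev_class": CLASS_HID}, "keyboards and mice"),
]

_STRICTNESS = {"DENY": 0, "READONLY": 1, "ALLOW": 2}


def evaluate(dev: Device, policy: List[Rule] = POLICY) -> str:
    """Decision for a single interface: first rule that applies, else DENY."""
    for rule in policy:
        if rule.applies(dev):
            return rule.action
    return "DENY"


def evaluate_composite(interfaces: List[Device], policy: List[Rule] = POLICY) -> str:
    """A composite device (e.g. a 'keyboard' that also enumerates a storage or
    radio interface) gets the most restrictive decision over all its interfaces,
    so an extra interface cannot ride in on an allowed one."""
    if not interfaces:
        return "DENY"
    return min((evaluate(i, policy) for i in interfaces), key=_STRICTNESS.get)


if __name__ == "__main__":
    samples = {
        "issued drive": Device(0x1234, 0x0007, CLASS_MASS_STORAGE, serial="HQ-ENC-0042"),
        "same model, other serial": Device(0x1234, 0x0007, CLASS_MASS_STORAGE, serial="X1"),
        "random thumb drive": Device(0x0951, 0x1666, CLASS_MASS_STORAGE),
        "bluetooth dongle": Device(0x0A12, 0x0001, CLASS_WIRELESS),
        "keyboard": Device(0x046D, 0xC31C, CLASS_HID),
        "vendor-specific class": Device(0xDEAD, 0xBEEF, 0xFF),
    }
    for name, dev in samples.items():
        print(f"{name:26s} {evaluate(dev)}")
```

Pinning by serial number is what turns "allow this model" into "allow this unit"; a rule on VID/PID alone admits any device of that model, including one an attacker bought. The composite check matters because a device presents one descriptor per interface, and a policy that evaluates only the first interface it sees can be bypassed by a second one.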
Setting BIOS Passwords

BIOS passwords can add an extra layer of security for desktop and laptop computers. They are used either to prevent a user from changing the BIOS settings (for example, re-enabling boot from USB or optical media) or to prevent the PC from booting at all without a password. Unfortunately, BIOS passwords can also be a liability if a user forgets their password, or changes the password to intentionally lock out the corporate IT department. Sending the unit back to the manufacturer to have the BIOS reset can be expensive and is usually not covered by the warranty. Never fear, all is not lost: there are a few known backdoors and other tricks of the trade that can be used to bypass or reset the BIOS. The flip side is that the same tricks (clearing CMOS with the jumper or by removing the battery, or a manufacturer backdoor password) are available to an attacker with physical access, so a BIOS password is only worth as much as the chassis lock that keeps the case closed.
Upgrading to Windows 7 + UAC

User Account Control
User Account Control (UAC) helps defend your PC against hackers and malicious software. Any time a program wants to make a major change to your computer, UAC lets you know and asks for permission.
In Windows 7, UAC is less intrusive and more flexible than in Windows Vista. Fewer Windows 7 programs and tasks require your consent. If you have administrator privileges on your PC, you can also fine-tune UAC's notification settings in Control Panel.
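The Control Panel slider mentioned above is backed by a handful of DWORD values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which is also where Group Policy writes them; auditing UAC on a fleet therefore means reading those values, not the slider. The block below is an added example written for this book, not Microsoft's or the author's code. The value names and their meanings are the documented ones (EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser, PromptOnSecureDesktop, EnableInstallerDetection, FilterAdministratorToken); the exported text is constructed to look like the output of `reg export`, and the hardened baseline is this example's choice, not a setting the book prescribes.

```python
"""Audit UAC registry values from a 'reg export' dump against a baseline.

Added example. The export text is constructed; the baseline is an assumption.
"""
import re
from typing import Dict, List, Optional, Tuple

KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Constructed dump, in the format produced by:  reg export "<KEY>" uac.reg
# (a Windows 7 default install with the slider dropped one notch).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000001
"ConsentPromptBehaviorAdmin"=dword:00000005
"ConsentPromptBehaviorUser"=dword:00000003
"PromptOnSecureDesktop"=dword:00000000
"EnableInstallerDetection"=dword:00000001
"FilterAdministratorToken"=dword:00000000
"""

# Assumed hardened baseline: UAC on, admins always prompted on the secure desktop
# (2 = prompt for consent, 1 = prompt for credentials), standard users denied
# elevation outright (0), installer detection on, built-in Administrator filtered.
BASELINE: Dict[str, int] = {
    "EnableLUA": 1,
    "ConsentPromptBehaviorAdmin": 2,
    "ConsentPromptBehaviorUser": 0,
    "PromptOnSecureDesktop": 1,
    "EnableInstallerDetection": 1,
    "FilterAdministratorToken": 1,
}

_DWORD = re.compile(r'^"(\w+)"=dword:([0-9A-Fa-f]{8})$', re.M)


def parse_dwords(export_text: str) -> Dict[str, int]:
    """Pick the DWORD values out of a .reg export (other value types are ignored)."""
    return {name: int(hexval, 16) for name, hexval in _DWORD.findall(export_text)}


def slider_level(values: Dict[str, int]) -> str:
    """Map the three values behind the Control Panel slider back to its labels.
    Missing values are taken at their Windows 7 defaults."""
    if values.get("EnableLUA", 1) == 0:
        return "Never notify (UAC disabled)"
    admin = values.get("ConsentPromptBehaviorAdmin", 5)
    secure = values.get("PromptOnSecureDesktop", 1)
    if admin == 2 and secure == 1:
        return "Always notify"
    if admin == 5 and secure == 1:
        return "Notify only when programs try to make changes (default)"
    if admin == 5 and secure == 0:
        return "Notify only when programs try to make changes (do not dim desktop)"
    return "Custom (set by policy, not reachable from the slider)"


def audit(export_text: str, baseline: Dict[str, int] = BASELINE) -> List[Tuple[str, Optional[int], int]]:
    """Return (name, actual or None if absent, wanted) for every deviation."""
    values = parse_dwords(export_text)
    return [(name, values.get(name), wanted)
            for name, wanted in baseline.items()
            if values.get(name) != wanted]


def remediation(deviations: List[Tuple[str, Optional[int], int]]) -> List[str]:
    """'reg add' lines for an elevated prompt on a single machine; on a domain
    the same values belong in Group Policy so they cannot drift back."""
    return [f'reg add "{KEY}" /v {name} /t REG_DWORD /d {wanted} /f'
            for name, _actual, wanted in deviations]


if __name__ == "__main__":
    print("slider:", slider_level(parse_dwords(SAMPLE_EXPORT)))
    for name, actual, wanted in audit(SAMPLE_EXPORT):
        print(f"{name}: is {actual}, want {wanted}")
    print("\n".join(remediation(audit(SAMPLE_EXPORT))))
```

Note that an absent value is reported as a deviation even when the Windows default happens to be acceptable: the baseline should be set explicitly so the audit does not depend on which default shipped with that build.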
User Account Control (UAC) is a feature in Windows that can help you stay in control of your computer by informing you when a program makes a change that requires administrator-level permission. UAC works by adjusting the permission level of your user account. If you're doing tasks that can be done as a standard user, such as reading e-mail, listening to m