Rapid7 CAG Compliance Guide

The Consensus Audit Guidelines (CAG) provide critical U.S. Federal government infrastructures with a proactive cyber-security framework to prioritize critical IT security concerns. The goal of applying CAG is not simply to become compliant with regulations, but rather to provide a template for making security best practices an integral part of system design and operation so that Federal agencies can ensure their systems are capable of withstanding the more frequent and in-depth attacks found in an increasingly complex threat landscape. This compliance guide will provide readers with an overview of the requirements as well as suggested steps in achieving CAG compliance.

Consensus Audit Guidelines (CAG) Compliance Guide, September 2011
Rapid7 Corporate Headquarters, 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095, 617.247.1717, www.rapid7.com

What is the CAG?

The Consensus Audit Guidelines (CAG) provide critical U.S. Federal government infrastructures with a proactive cyber-security framework to prioritize critical IT security concerns. The CAG was developed by a consortium of Federal government agencies and private sector partners, including such notable members as the Department of Defense, the Department of Energy, the FBI and US-CERT, the National Institute of Standards and Technology (NIST) and the SANS Institute. Designed to protect critical IT systems from real-world attacks, the CAG goes beyond the annual compliance-driven audits and the checklist-focused approach found in the Federal Information Security Management Act (FISMA). The CAG gives Federal agencies tools to prioritize critical IT security concerns as part of managing system design and operations, rather than managing security as an ad-hoc exercise on the side.

The CAG has been mapped to FISMA controls and has been leveraged by NIST to update the FISMA controls outlined in Special Publication SP 800-53. The CAG is also being used to update FISMA as part of the new U.S. Information and Communications Enhancement (ICE) Act. In the meantime, the consortium that developed the CAG advises using the CAG security controls as a first step towards implementing the controls outlined in NIST's SP 800-53 guidelines for FISMA compliance. The mapping of CAG security controls to FISMA makes it possible to leverage standardization efforts like SCAP together with content repositories like the National Vulnerability Database (NVD), enabling organizations to use automated tools for on-going infrastructure monitoring for vulnerabilities, misconfigurations and policy violations. This baseline data also helps auditors perform the additional validation required to meet annual and quarterly compliance requirements.

Using the CAG provides a simple first step towards becoming compliant with current FISMA regulations, with the added benefit of alignment with the provisions of the ICE Act. However, the most important benefit provided by the CAG is real-world tested guidance on how to implement robust, proactive, continuous security control measures. The real goal of applying the CAG is not simply to become compliant with regulations, but rather to provide a template for making security best practices an integral part of system design and operation, so that Federal agencies can ensure their systems are capable of withstanding the more frequent and in-depth attacks found in an increasingly complex threat landscape.

Who needs the CAG?

The CAG was originally designed to meet the needs of information technology providers for Federal government agencies and departments. However, studies of the cyber security threats to North American critical infrastructure revealed that private sector entities interact with more than 85% of the critical infrastructure in the United States. As a result, President Obama's former interim Cyber Security Czar, Melissa Hathaway, recommended applying the same security guidelines to both public and private sector entities that utilize, manage, or run critical infrastructures. Critical infrastructure entities outside of the Federal government include organizations in Healthcare Services, Energy, Financial Services, Telecommunications and Transportation. The CAG guidelines easily supplement and enhance the security requirements these industries already face under regulations such as FISMA, NERC, PCI, GLBA and HIPAA.

How Rapid7 Helps

Rapid7 provides the only unified threat management solution to help organizations understand risk and adopt best practices to optimize their network security, Web application security and database security strategies. Rapid7 has extensive experience partnering with Federal departments and agencies, such as the U.S. Department of Energy, the United States Postal Service (USPS), the National Nuclear Security Administration (NNSA), and the National Telecommunications and Information Administration (NTIA), to help them meet their regulatory requirements. Rapid7 security solutions help thwart real-world attacks by helping organizations apply the CAG's twenty Critical Security Controls (CSC), also known as the SANS Twenty Critical Security Controls. To meet CAG compliance, organizations must demonstrate adherence to the twenty CSCs as outlined below.

Controls suited for automation

Fifteen CSC categories are suited for automated collection, measurement and validation. Rapid7 Nexpose proactively automates the process of monitoring, measuring, validating, and prioritizing security threats for these CSCs as follows.

CSC-1 Inventory of Authorized and Unauthorized Devices
Rapid7 solution: Enables administrators to build and manage an asset inventory by performing either manual or scheduled discovery scans. Automates asset discovery and identification by scanning the entire infrastructure for all networked devices. Assembles an inventory of every system that has an IP address on the network, including databases, desktops, laptops, servers, subnets, network equipment (routers, switches, firewalls, etc.), printers, Storage Area Networks, and Voice-over-IP (VoIP) phones. Enables administrators to configure asset scanning and reporting using sites and asset groups based on criteria such as device type, software type, operating system type, or geographic location. Provides fully customizable policy scanning to determine the presence of unauthorized devices in accordance with policies for whitelisting authorized devices and blacklisting unauthorized devices. Catalogs all devices in Nexpose as it scans and automatically alerts administrators to any deviation from the expected inventory of assets on the network.
CSC-2 Inventory of Authorized and Unauthorized Software
Rapid7 solution: Automates asset discovery and identification by scanning and assembling an inventory of the software on every networked device that has an IP address, anywhere in the infrastructure, including servers, workstations and laptops. Automates tracking of the operating system and applications installed on each system, including versions and patch levels. Provides fully customizable policy scanning to establish baseline configurations, test the effectiveness of security measures, and determine the presence of unauthorized software and services in accordance with policies for whitelisting authorized software and blacklisting unauthorized software. Catalogs all software as it scans, including any malicious software, using the latest fingerprinting technologies to identify systems, services, and installed applications. Automatically alerts administrators to any deviation from the expected software inventory on the network.

CSC-3 Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
Rapid7 solution: Provides the ability to establish baseline configurations and to validate the effectiveness of security policies, in both test and production environments, against that baseline, including checking for the presence of unauthorized devices in accordance with policies for whitelisting authorized devices and blacklisting unauthorized devices. Provides fully customizable Nexpose scanning templates for policy scanning of Windows, Oracle and IBM systems. Provides flexible, customizable policy scanning to detect misconfigurations, identify missing patches against mitigating control policies, and apply risk scoring to measure violations against established desktop and server configuration management policies on servers, workstations, laptops, handheld devices, multiple classes of Web applications, and database applications including MS SQL Server, Oracle, MySQL, and DB2. Enables administrators to validate and report on adherence to configuration policies across the asset inventory by performing either manual or scheduled policy configuration scans.
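The whitelist/blacklist comparison described under CSC-1 and CSC-2 above, as an added example that is not Rapid7 or Nexpose code: it takes a set of discovery records (hostname, IP, MAC, OS and installed packages) and reports devices absent from the device allowlist, allowlisted hosts that did not appear in the sweep, software outside a host's role allowlist, packages below a minimum version, and blacklisted packages on any host. The sample discovery records, the policy tables and the record layout are constructed assumptions for illustration; a real scanner export needs its own loader. Two caveats apply when acting on the output: a "missing" host may simply have been offline or unreachable from the scan engine during the sweep, and a MAC address is an inventory key rather than proof of a device's identity, since it can be cloned.

```python
"""Audit discovered assets against an authorized-inventory policy (CSC-1/CSC-2).

Added example for this guide; it is not Rapid7 or Nexpose code. The discovery
records and the policy below are constructed sample data in a simplified shape
(one dict per host); adapt the loader to your scanner's export format.
"""
import re

# Constructed discovery results, as a scanner might export them after a sweep.
DISCOVERED = [
    {"host": "web01", "ip": "10.0.1.10", "mac": "00:50:56:aa:01:10", "os": "Ubuntu 20.04",
     "software": {"nginx": "1.18.0", "openssh-server": "8.2p1", "php": "7.4.3"}},
    {"host": "db01", "ip": "10.0.1.20", "mac": "00:50:56:aa:01:20", "os": "RHEL 8",
     "software": {"postgresql": "13.4", "openssh-server": "8.0p1", "netcat": "1.10"}},
    {"host": "DESKTOP-7Q2", "ip": "10.0.1.77", "mac": "f4:5c:89:01:02:03", "os": "Windows 10",
     "software": {"teamviewer": "15.2"}},
]

# Constructed policy. Devices are keyed by MAC because IPs move with DHCP; note
# that a MAC is an inventory identity, not proof of identity: it can be cloned.
AUTHORIZED_DEVICES = {
    "00:50:56:aa:01:10": {"host": "web01", "role": "web"},
    "00:50:56:aa:01:20": {"host": "db01", "role": "db"},
    "00:50:56:aa:01:30": {"host": "db02", "role": "db"},   # expected, not seen this sweep
}
# Per-role allowlist: package -> minimum acceptable version.
AUTHORIZED_SOFTWARE = {
    "web": {"nginx": "1.18", "openssh-server": "8.2"},
    "db": {"postgresql": "13", "openssh-server": "8.2"},
}
# The blacklist applies to every device, including ones with no known role.
BLACKLISTED_SOFTWARE = {"netcat", "teamviewer"}


def version_key(version):
    """Numeric components of a version string, for ordering ('8.2p1' -> (8, 2, 1))."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def audit_inventory(discovered, devices, software, blacklist):
    """Compare one sweep against policy; return sorted findings grouped by category."""
    findings = {
        "unauthorized_devices": [],   # (ip, mac) not in the device allowlist
        "renamed_devices": [],        # (mac, expected host, observed host)
        "missing_devices": [],        # allowlisted hosts absent from the sweep
        "unauthorized_software": [],  # (host, package) outside the role allowlist
        "outdated_software": [],      # (host, package, found, minimum)
        "blacklisted_software": [],   # (host, package) explicitly banned anywhere
    }
    seen_macs = set()
    for asset in discovered:
        mac = asset["mac"].lower()
        seen_macs.add(mac)
        record = devices.get(mac)
        if record is None:
            findings["unauthorized_devices"].append((asset["ip"], mac))
        elif record["host"] != asset["host"]:
            findings["renamed_devices"].append((mac, record["host"], asset["host"]))
        allowed = software.get(record["role"], {}) if record else {}
        for package, version in asset["software"].items():
            if package in blacklist:
                findings["blacklisted_software"].append((asset["host"], package))
            elif record is None:
                continue  # no role to check against; the device itself is already flagged
            elif package not in allowed:
                findings["unauthorized_software"].append((asset["host"], package))
            elif version_key(version) < version_key(allowed[package]):
                findings["outdated_software"].append(
                    (asset["host"], package, version, allowed[package]))
    # Allowlisted devices that never answered: offline, moved, or decommissioned.
    for mac, record in devices.items():
        if mac.lower() not in seen_macs:
            findings["missing_devices"].append(record["host"])
    return {category: sorted(items) for category, items in findings.items()}


if __name__ == "__main__":
    report = audit_inventory(DISCOVERED, AUTHORIZED_DEVICES,
                             AUTHORIZED_SOFTWARE, BLACKLISTED_SOFTWARE)
    for category, items in report.items():
        for item in items:
            print(category, item)
```

Running the script prints one line per finding. On the constructed data it flags the unknown Windows host, the absent db02, PHP on the web role, an SSH server below the minimum version on db01, and the two blacklisted packages. Keying the policy on whatever identifier your inventory system treats as authoritative (asset tag, certificate, or agent ID rather than MAC) removes the cloning caveat.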
CSC-4 Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
Rapid7 solution: Provides fully customizable policy scanning to detect misconfigurations, locate unnecessary services, find default accounts, identify missing patches against mitigating control policies, and apply risk scoring to measure violations against established configuration management policies for network devices, including firewalls, routers and switches. Provides fully customizable Nexpose scanning templates for policy scanning that validates Windows firewall settings. Provides the ability to establish baseline configurations and to validate the effectiveness of security policies, in both test and production environments, against that baseline by checking for unauthorized network device configurations in accordance with policies for firewall rules, router access control lists, and IDS/IPS detection.

CSC-5 Boundary Defense
Rapid7 solution: Provides a fully customizable policy compliance framework to set up automated monitoring of port access policies. Provides fully customizable risk scoring, policy auditing, and vulnerability scanning to alert you to policy violations or misconfigurations, including validation that firewalls and IDS/IPS systems are patched up to date. Includes the option to use either a hosted scan engine through Rapid7's Managed PCI Compliance Services, or your own external distributed scan engine outside your DMZ, to perform external perimeter vulnerability scanning.

CSC-6 Maintenance, Monitoring, and Analysis of Security Audit Logs
Rapid7 solution: Provides a fully customizable policy compliance framework to set up automated monitoring of security audit log policies.
CSC-7 Application Software Security
Rapid7 solution: Provides the ability to perform on-going scheduled and ad-hoc scanning of Web applications for XSS and SQL injection. Enables Web form scanning using form-based authentication. Provides the ability to establish baseline configurations and to validate the effectiveness of security policies after Web application changes, in both test and production environments, against that baseline by checking for security violations in Web applications as well as in the underlying database servers, including MS SQL Server, Oracle, MySQL, and DB2. Provides comprehensive unified vulnerability scanning of all vital systems to evaluate potential risks to operating systems, Web applications, databases, enterprise applications, and custom applications. Provides a fully customizable policy compliance framework to set up automated monitoring of software policy settings, including Web browser patch levels and configuration settings for Web applications and their underlying database servers. Provides fully customizable risk scoring, policy auditing, and vulnerability scanning to alert you to policy violations or misconfigurations.

CSC-8 Controlled Use of Administrative Privileges
Rapid7 solution: Provides the ability to segregate administrative privileges using role-based access control, limiting vulnerability information to the appropriate parties. Provides access to Rapid7 Risk Assessment Services to identify gaps in your security program, determine whether security policies are being followed in actual day-to-day operations (for example, policies for maintaining least privilege, segregation of duties, and patching of databases containing private data), and provide guidance on developing the missing control policies and procedures required to secure private data from external threats.

CSC-9 Controlled Access Based on Need to Know
Rapid7 solution: Provides the ability to test servers to ensure they are configured with the proper level of access control, including separation of duties for default and new accounts, and that server configurations have been locked down to the least level of privilege.
CSC-10 Continuous Vulnerability Assessment and Remediation
Rapid7 solution: Provides ad-hoc scans for newly introduced vulnerabilities so that you can immediately scan for new vulnerabilities, view a report of all vulnerabilities found, and view a record of the vulnerabilities newly added. Provides the ability to define scan frequency, including the option to use randomized scanning, and high-speed parallel scanning (2-4 times faster than competitors), which enhances security by providing capacity for more frequent scans so your security team always has access to the most current data. Enables authenticated scanning in applications as well as in Web forms. Provides flexible, customizable policy scanning to detect misconfigurations, identify missing patches against mitigating or compensating control policies, and apply risk scoring to measure violations and establish trends against established baselines for all networked devices and software. Provides customizable policy scanning to establish baseline configurations, test the effectiveness of security measures, and produce both executive and detailed analyst reports. The findings include which authorized and unauthorized devices were discovered, based on Nexpose templates configured to identify whitelisted (authorized) and blacklisted (unauthorized) devices. Provides customizable, prioritized risk scoring so severity levels can be tailored to your environment for more accurate remediation reporting. Enables easy integration of vulnerability and compliance management into existing business processes and IT systems, such as GRC solutions like Archer, help desk, asset management and other security solutions, via pre-built integrations and Rapid7's Nexpose API.

CSC-11 Account Monitoring and Control
Rapid7 solution: Enforces password policies through regular scheduled scanning and reporting. Uses the customizable policy compliance framework to set up automated monitoring of password policies (including number of login attempts, password length, allowable special characters, etc.). Monitors software installation policies and reports on unauthorized software installed on users' systems.
CSC-12 Malware Defenses
Rapid7 solution: Catalogs all software as it scans, including any malicious software.

CSC-13 Limitation and Control of Network Ports, Protocols, and Services
Rapid7 solution: Provides fully customizable policy scanning to monitor policy violations or misconfigurations of network ports, protocols, and services.

CSC-14 Wireless Device Control
Rapid7 solution: Provides fully customizable policy scanning to monitor policy violations or misconfigurations of network ports, protocols, and services. Provides access to Rapid7 Wireless Audit Consulting Services to evaluate your wireless security controls on all wireless access points, identify gaps in your security program, determine whether security policies are being followed in actual day-to-day operations, and provide guidance on developing the missing control policies and procedures required to secure private data from unauthorized access.

CSC-15 Data Loss Prevention
Rapid7 solution: Provides a HIPAA scan template that detects PII, such as Social Security numbers, on Web pages, for better patient privacy in medical institutions. To further enhance the HIPAA audit, the scan template can be configured to allow file searching, so that if Nexpose gains access to an asset's file system during the scan it can search for, and retrieve, files on that system. For example, HIPAA regulations prohibit medical offices from storing patient data on local drives, and file searching can verify that none is present. Provides the ability to configure custom scan templates to search Web applications for specific data patterns that indicate the presence of PII and would constitute security violations. Provides automated mechanisms that increase the availability of incident-response information by giving details on the vulnerabilities that could have been exploited, as well as remediation steps to prevent future exploitation. Provides continuous logging of historical scan data for use in disaster recovery and auditing. Provides access to Rapid7 Risk Assessment Services for guidance on developing incident management and disaster recovery program best practices for protecting personal information, by evaluating security controls for the modification of access rights and providing guidance on developing missing control policies.
Controls not directly supported by automation

Five CSC categories are not directly supported by automation. Rapid7's Consulting Services has security experts to assist you in measuring and validating these CSC categories as follows.

CSC-16 Secure Network Engineering
Rapid7 solution: Provides access to Rapid7 Risk Assessment Services to evaluate your security controls, identify gaps in your security program, and provide guidance on incorporating secure network engineering best practices.

CSC-17 Penetration Tests and Red Team Exercises
Rapid7 solution: Provides access to Rapid7 Penetration Testing Services to evaluate your security controls, perform internal and external testing, perform social engineering, identify gaps in your security program, and deliver an actionable remediation plan. Provides access to Rapid7 security experts to determine whether security policies are being followed in actual day-to-day operations, and to provide guidance on developing the missing control policies and procedures required to secure information systems and data from external threats.

CSC-18 Incident Response Capability
Rapid7 solution: Provides an automated end-to-end security solution that documents all security incidents and the subsequent effects of vulnerability remediation, establishing a historical audit record. Includes fully configurable automated notifications and a ticketing system for customizable case escalation, ticket creation, and notification, with the ability to integrate with third-party ticketing systems. Provides access to Rapid7 security experts to determine whether security policies are being followed in actual day-to-day operations, and to provide guidance on developing the missing control policies and procedures required to secure information systems and data from external threats.

CSC-19 Data Recovery Capability
Rapid7 solution: Provides access to Rapid7 Risk Assessment Services to evaluate whether data recovery capabilities have been adequately embedded into security controls, and to identify gaps in your security program.

CSC-20 Security Skills Assessment and Appropriate Training to Fill Gaps
Rapid7 solution: Provides access to Rapid7 Risk Assessment Services to determine the need for holistic vulnerability management security training, by evaluating security awareness during penetration testing and social engineering exercises, followed by recommendations for the security awareness training required as part of an integrated security management program.

Contact us to find out more about how Rapid7 can help you incorporate the twenty CSCs of the CAG into your on-going, prioritized, unified security management program. To see how Rapid7's IT Security Risk Management suite can benefit your organization, visit Rapid7.com.