Security initiatives here and down under


This is a presentation introducing the SANS Institute's 20 Security Controls and the Australian Government's Top 35 Mitigation Strategies that I gave to The Small Business Technology Consulting Group in St Paul MN on November 13, 2012.

  • FISMA and ISO = the Fed Govt
    SOX = publicly traded companies
    GLBA = regulates banks and investment co.s
    NERC = the power grid
    CIP = committees charged with determining if a research project conforms to ethical principle
    Cobit is largely used by the audit community
  • Speaking of guidance and suggestions…
  • Tony Sager is the retired chief operating officer of NSA’s Information Assurance Directorate and he now heads up the CCA, the Consortium for CyberSecurity Action, just founded days ago.
  • The rest of this presentation will focus on controls
  • Dod = Department of Defense
  • The CIA’s Tom Donahue, who worked with the White House cyber policy team, made this remark
  • In other words, use knowledge of actual attacks that have compromised systems to provide the foundation to build effective defenses.
  • There was some tweaking: they implemented automated capabilities to enforce the controls, and continuous monitoring (auditing so that adjustments can be made / implemented quickly).
    2011: Department of Homeland Security mandated the implementation of these controls across the government.
    Also in 2011, the UK’s Centre for the Protection of National Infrastructure announced that all government agencies would adopt these controls as their framework for securing their infrastructure.
  • Maintain an asset inventory; watch for unknown and unauthorized devices.
    Maintain a white list of approved software. This helps in maintaining/patching the software and eliminates attack vectors based on unused/unmaintained software.
    Build a secure image and maintain it. If anything becomes compromised, reimage it. Standardized images = hardened versions of the OS and the apps installed. See NIST, NSA, and CIS for examples.
    Subscribe to vulnerability intelligence services to stay on top of security patches and exposed vulnerabilities, and patch ASAP. Run automated vulnerability scans; keep and correlate event logs.
  • 5: Implement an anti-malware solution that auto-updates and auto-scans; scan everything (email included) at the gateway.
    Protect web apps by using web application firewalls that inspect all traffic; explicit error checking; source code checking. Lock down: remove all unused code or scripts.
    WPA2 with AES encryption; wireless intrusion detection systems to identify rogue devices; do a site survey.
    Proper backups, and off-site backups. Automation, encryption.
    Think end-users and social engineering, spear-phishing attacks on sysadmins and CEOs. Develop security awareness programs.
    Firewalls, switches and routers (the earlier control was about endpoints).
    Think FTP: who uses it today? Lock it down. Use firewalls on all endpoints, perform port scanning regularly. Remove any unnecessary services.
  • Inventory all administrative accounts. For anyone who should have admin privileges, use 2 accounts. Complex passwords for all admin accounts. No default passwords on anything. Use access control lists to ensure that admin accounts are only used for admin duties (no web surfing, no gmail).
    Multi-layered boundary defenses, using firewalls, proxies, DMZ, and IPS and IDS. Filter outbound traffic as well as in-bound.
    Everybody’s favorite, but without it, hackers can hide their location, software and activities.
    Classify your data according to sensitivity and segment your network accordingly. Audit access. VLANs.
    Watch for legit but inactive accounts. Review all accounts, disable anything not associated with a business process and owner, audit for terms and us contractors; auto-log off anyone after a period of inactivity.
    Use hard drive encryption, watch for exfiltration, scan for PII, lock down use of USB devices.
  • The time to put together an incident response plan is BEFORE any incident has happened. Identify key players and their roles. Develop written incident response procedures.
    Hackers, once inside, will map networks looking for unneeded connections between systems, weak filtering, and a lack of network separation. Don’t give them anything to find: design a 3-tier network (DMZ, middleware, private network). Any system accessible from the Internet should be on the DMZ, but DMZ systems should never contain any sensitive information; use an application proxy to get from the DMZ inside. Set up an internal DNS server. Have separate trust zones inside your network.
    Say yes to pen tests and vulnerability scanning.
  • At the Coop, it’s taken me more than a year.
  • DSD = Australian Government’s Defence Signals Directorate, a part of their Department of Defence Intelligence and Security
  • Surprisingly similar to the 20 critical controls, though with a heavier focus on application whitelisting, using AppLocker or 3rd-party solutions
  • Security initiatives here and down under
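
The notes above mention "automated capabilities to enforce the controls" and describe controls 1, 2 and 16 (device inventory, software white list, account review). As an added illustration of what such an automated check looks like, here is a small Python script that reconciles scan results against an asset inventory and a software white list and reviews accounts for missing owners, inactivity and default passwords. This is example code written for this page, not code from the presentation or from Cultivating Security; every device, package and account record is constructed, and the function names and the 90-day inactivity threshold are assumptions.

```python
"""Automated checks for three of the 20 Critical Controls run over constructed
inventory data: control 1 (devices), control 2 (software) and control 16 (accounts).

Added example for this page, not code from the presentation or from
Cultivating Security. Every device, package and account below is made up."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Control 1: the asset inventory (constructed). MAC address -> description.
AUTHORIZED_DEVICES: Dict[str, str] = {
    "00:11:22:33:44:01": "file server",
    "00:11:22:33:44:02": "workstation WS-01",
    "00:11:22:33:44:03": "workstation WS-02",
}

# Control 2: the software white list (constructed). Product -> approved versions.
APPROVED_SOFTWARE: Dict[str, Set[str]] = {
    "PDF Reader": {"2.1"},
    "Browser": {"16.0", "16.0.2"},
    "Archiver": {"9.20"},
}


@dataclass
class Account:
    name: str
    is_admin: bool
    owner: Optional[str]    # person or team responsible; None = nobody claims it
    last_login: date
    default_password: bool  # vendor/default credential never changed


def unauthorized_devices(seen: List[Tuple[str, str, str]],
                         authorized: Dict[str, str] = AUTHORIZED_DEVICES):
    """Return the (mac, ip, hostname) records from a scan whose MAC is not
    in the asset inventory, i.e. unknown or unauthorized devices."""
    return [rec for rec in seen if rec[0].lower() not in authorized]


def software_findings(installed: Dict[str, List[Tuple[str, str]]],
                      approved: Dict[str, Set[str]] = APPROVED_SOFTWARE):
    """Compare each host's installed (product, version) pairs with the white list.
    'not approved' = the product is not on the list at all;
    'unapproved version' = a listed product at a version that is not approved,
    which usually means an unpatched install (control 4 territory)."""
    findings: Dict[str, List[Tuple[str, str, str]]] = {}
    for host, packages in installed.items():
        for product, version in packages:
            if product not in approved:
                findings.setdefault(host, []).append((product, version, "not approved"))
            elif version not in approved[product]:
                findings.setdefault(host, []).append((product, version, "unapproved version"))
    return findings


def account_findings(accounts: List[Account], today: date, inactive_days: int = 90):
    """Control 16 review: accounts with no owner, accounts inactive beyond the
    threshold, and (from control 12) anything still on a default password."""
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        if acct.owner is None:
            findings.append((acct.name, "no owner / business process"))
        if (today - acct.last_login).days > inactive_days:
            findings.append((acct.name, f"inactive > {inactive_days} days"))
        if acct.default_password:
            findings.append((acct.name, "default password"))
    return findings


# Constructed observations, as a network scan / inventory agent might report them.
SEEN_DEVICES = [
    ("00:11:22:33:44:01", "10.0.0.10", "fileserver"),
    ("00:11:22:33:44:02", "10.0.0.21", "WS-01"),
    ("00:11:22:33:44:99", "10.0.0.77", "android-3f2a"),  # not in the inventory
]
INSTALLED_SOFTWARE = {
    "WS-01": [("PDF Reader", "2.1"), ("Browser", "16.0.2"), ("Archiver", "9.20")],
    "WS-02": [("PDF Reader", "1.7"), ("Browser", "16.0.2"), ("Torrent Client", "3.2")],
}
TODAY = date(2012, 11, 13)
ACCOUNTS = [
    Account("jsmith", False, "J. Smith", date(2012, 11, 12), False),
    Account("jsmith-adm", True, "J. Smith", date(2012, 11, 9), False),  # separate admin-only account
    Account("svc_backup", False, None, date(2012, 11, 13), False),
    Account("contractor7", False, "Acme Contracting", date(2012, 6, 1), False),
    Account("admin", True, "IT", date(2012, 11, 1), True),
]


def run_checks():
    """Run all three checks and return them as one report dict."""
    devices = unauthorized_devices(SEEN_DEVICES)
    software = software_findings(INSTALLED_SOFTWARE)
    accounts = account_findings(ACCOUNTS, TODAY)
    total = len(devices) + sum(len(v) for v in software.values()) + len(accounts)
    return {"devices": devices, "software": software, "accounts": accounts, "total_findings": total}


if __name__ == "__main__":
    for section, items in run_checks().items():
        print(f"{section}: {items}")
```

On the constructed data the script flags the unknown phone on the LAN, an out-of-date PDF reader and an unapproved torrent client on WS-02, a service account nobody owns, a contractor account idle since June, and a built-in admin account still on its default password. In practice the inventory and white list would come from your CMDB or imaging baseline and the observations from a scanner or endpoint agent; the point is that each control becomes a repeatable diff rather than a one-time checklist item.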

    1. Cultivating Security, 2012
       Roger Hagedorn, Cultivating Security
       Security Initiatives Here and Down Under
    2. Quick Discussion Question: What do you think of when it comes to information security?
       [audience participation time]
    3. One thing to keep in mind: In the world of information security, CIA = Confidentiality, Integrity and Availability. Though sometimes it refers to a certain government agency.
    4. What do we mean by Information Security?
       “the processes and methodologies designed to protect print, electronic, or any other forms of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.” (SANS Institute)
       “Preservation of confidentiality, integrity and availability of information.” (ISO 27000)
    5. Are there any models or standards for Information Security that might be helpful? I thought you’d never ask. . .
    6. There’s no shortage of standards to consider:
       • NIST 800-53 = National Institute of Standards and Tech.
       • FISMA = Federal Information Security Management Act
       • DIACAP = DoD Information Assurance Certification and Accreditation Process
       • SOX = Sarbanes-Oxley Act of 2002
       • GLBA = Gramm-Leach-Bliley Act
       • PCI-DSS = Payment Card Industry Data Security Standard
       • NERC = North American Electric Reliability Corporation
       • CIP = Certified IRB Professional
       • ISO 27000 Series = Int’l Org. for Standardization
       • HITECH Act of 2009
    7. Confused? Overwhelmed? These standards are complex and difficult to implement. Nevertheless . . .
    8. While there might not be consensus on the issue, there is an increasing recognition that every organization needs to have a strategy for defense. Organizations are learning to assess their information security risks, and then to implement appropriate information security controls based on their needs, and using guidance and suggestions where relevant.
    9. With so many standards, where should a person begin?
    10. “A lot of times, enterprises just don’t know where and how, or what to do. Where’s the next dollar best spent?” “This is about priority.”
        Tony Sager, former head of the NSA’s Systems & Network Attack Center, now with the SANS Institute
    11. Here’s where our government, along with the Australian government, offer surprisingly helpful examples.
    12. First, one more quick definition: Security controls are safeguards designed to avoid, counteract or minimize risks.
    13. Recent Events in the History of Controls: Starting in 2008, the Office of the Secretary of Defense asked the NSA for help with its cybersecurity posture. NSA was brought in because of their understanding of how cyber attacks worked and because the DoD was interested in fending off actual attacks rather than developing a theoretical approach to security.
    14. Since the early 2000s, the NSA had been working on a list of security controls that were most effective in stopping known attacks. The key: “no control should be made a priority unless it could be shown to stop or mitigate a known attack.”
    15. The second key: NSA was already working on collaboration with two nonprofit organizations:
        The SANS Institute — a cooperative research and education organization, “the most trusted and by far the largest source of information security training and security certification in the world.”
        The Center for Internet Security — “works on enhancing cyber security readiness and response of public and private sector entities.”
    16. Eventually, more than 100 public and private organizations joined in, as well as a few companies involved in incident response, including McAfee and Mandiant. The two main elements:
        1) The only justification for a control was actual attack information.
        2) The feeling among the participants that they were active contributors to protecting the country.
    17. The clear consensus: Just 20 Critical Controls could address the most prevalent attacks that government, industry, and the private sector face.
    18. The test: The Department of State put the 20 Critical Controls up against the 3,085 attacks it underwent in 2009.
    19. The Results: More than 88% reduction in attacks on vulnerabilities.
    20. On Nov 05 of this year, a new international consortium was launched to help government agencies and the private sector prioritize security defenses. Called the Consortium for CyberSecurity Action (CCA), it bases its recommendations on the most recent update of the 20 Critical Controls.
    21. Spoiler Alert: Most of these controls are standard procedure or “Best Practices” in network administration. Chances are that you’ve implemented many of them yourself. There really shouldn’t be any surprise here. OK then, here we go . . .
    22. The Main Event: the 20 Critical Controls
        1. Inventory of Authorized and Unauthorized Devices
        2. Inventory of Authorized and Unauthorized Software
        3. Secure Configurations for Hardware and Software on all devices: mobile, laptops, workstations, servers
        4. Continuous Vulnerability Assessment and Remediation
    23. 5. Malware Defenses
        6. Application Software Security
        7. Wireless Device Control
        8. Data Recovery Capability
        9. Security Skills Assessment and Training to Fill Gaps
        10. Secure Configurations for Network Devices
        11. Limitation and Control of Network Ports, Protocols and Services
    24. 12. Controlled Use of Administrative Privileges
        13. Boundary Defense
        14. Maintenance, Monitoring and Analysis of Audit Logs
        15. Controlled Access Based on Need-to-Know
        16. Account Monitoring and Control
        17. Data Loss Prevention
    25. 18. Incident Response and Management
        19. Secure Network Engineering
        20. Penetration Tests and Red Team Exercises
    26. So what about Implementation? In a mature environment, chances are you already have most, if not all, of these 20 Critical Controls in place. But what about smaller organizations? You can make concrete, measurable steps in improving your networks by putting into place, over time, some or most (if not all) of these controls. Yes it takes time, but it pays off. Remember:
    27. Keep your eye on the prize: The State Department saw a reduction of more than 88% in attacks on their systems in the first year.
    28. So what about those Australians Down Under? Independently of the research we’ve discussed, the Australians developed a list of the Top 35 Mitigation Strategies that they present in order of overall effectiveness. Like the 20 Critical Controls, these rankings are based on DSD’s analysis of reported security incidents and detected vulnerabilities.
    29. For the sake of time, let’s just consider the Top Four Controls or Mitigating Strategies:
        • Use application whitelisting to help prevent malicious software and other unapproved programs from running
        • Patch applications such as PDF readers, Java, and web browsers
        • Patch operating system vulnerabilities
        • Minimize the number of users with administrative privileges
    30. According to the DSD’s Strategies to Mitigate Targeted Cyber Intrusions, over 85% of cyber intrusions could be defeated if organizations implemented just the first four of these strategies.
    31. These two initiatives provide clear examples of what’s meant by “Defense in Depth”: Defense in depth is the concept of protecting a computer network with a series of defensive mechanisms such that if one mechanism fails, another will already be in place to thwart an attack. (SANS Institute)
    32. Thanks very much for your attention. Any questions or comments? Q and A
        Roger Hagedorn
        Email: roger@cultivatingsecurity.com
        Blog:
    33. Resources
        • The 20 Controls
        • Australian Government’s 35 Controls
        • Center for Internet Security