SlideShare a Scribd company logo

Compliance technical controls and you rva sec 2019

Download as PPTX, PDF
D
Derek Banks

A pentester's take on security compliance and controls and why they matter.

Internet
1 of 37
© Black Hills Information Security @BHInfoSecurity Compliance, Technical Controls and You Derek Banks (@0xderuke)
© Black Hills Information Security @BHInfoSecurity About • Compliance work without enforcement through technical controls is just checking a box • Technical control systems without backing policy and management framework is just playing around with technology toys • How do either of these two areas of Infosec work to keep attackers out of a network?
© Black Hills Information Security @BHInfoSecurity Me • Pentester / Red Team at Black Hills Information Security • GSEC, GCFA, GCIH, GPEN, GFNA, GMOB, GCIA, CISSP, ABCDEFG • CitySec Meetup Organizer • TidewaterSec – (Hampton, VA) • Avid OWA enthusiast
© Black Hills Information Security @BHInfoSecurity You • Two general areas of Infosec industry – Information Assurance and Technical Analysts • Information Assurance roles handle compliance and policy adherence • Analyst roles use specialized software and hardware to monitor and enforce security controls on computer systems
© Black Hills Information Security @BHInfoSecurity Information Security • What is the goal of information security? • Assessment of risk and to communicate that assessment to management • To support the organization’s goals • Depending on business goals, protection of: • Availability of data • Confidentiality of data • Integrity of data
© Black Hills Information Security @BHInfoSecurity Policy, Plan, Procedure • Policy: Strategic guidance on what will be done at a high level and has executive sponsorship • Plan: Tactical guidance on how the strategic policy goal will be met and includes identification of key roles involved • Procedures: Specific detailed series of actions taken that fulfill what is outlined in the plan
© Black Hills Information Security @BHInfoSecurity Frameworks • Risk Management Framework • NIST 800-53, NIST 800-37, and other hit singles • CIS Critical Controls • DHS CDM • ISO 27002:2005 • NSA MNP, Top 10 • PCI DSS 3.0 • HIPAA • And many, many…. Many more
© Black Hills Information Security @BHInfoSecurity Crosswalk • May have to map between frameworks for multiple compliance requirements • Impossible to remember all the different controls in all the frameworks • Use a crosswalk document • https://www.auditscripts.com/wp- content/uploads/mgm/downloads/809 05300.xlsx
© Black Hills Information Security @BHInfoSecurity On the same team • Information assurance and technical analyst roles have the same overall goal • Mitigation of risk to the IT infrastructure to ensure efficient IT operations • Information security workers have the same overall goal as the rest of IT • To ensure efficient IT operations so that the organization can meet its objectives • Too often we see unnecessary internal politics and conflict and an “us versus them attitude” • Work to defeat this
© Black Hills Information Security @BHInfoSecurity Common Issues • Weak Passwords • Lack of Two-Factor Authentication (2FA) on external systems • Over Privileged Users • Widespread Local Administrator Account • Lack of Egress Filtering • Unpatched Software • Lack of Effective Logging
© Black Hills Information Security @BHInfoSecurity Weak Passwords • The single largest issue we see on almost all of our tests are poor password choices • Very common to find 8 character minimum, change every 90 days • Might have been ok in 1985? • Insufficient now… entire 8 character space can be brute-forced in 3 days with commodity gaming video cards • Also, likely an attacker can guess a password
© Black Hills Information Security @BHInfoSecurity Password Policy • Length is the most important password attribute • Policy should be set to 15 character minimum • Can alleviate operations concerns by increasing time between changes • CIS #16: Account Monitoring and Control • AC-2: Account Management • AC-3: Access Enforcement
© Black Hills Information Security @BHInfoSecurity Password Control Enforcement • Set password length through Group Policy Objects (GPO) • Not technically complex change • Prior to Windows Server 2012 “appeared” to be limited to 14 max in the Windows GUI • Can still be changed with ADSI or other tools • https://www.blackhillsinfosec.com/increase-minimum-character- password-length-15-policies-active-directory/ • Consider additional technical controls like a password filter • https://www.blackhillsinfosec.com/the-creddefense-toolkit/
© Black Hills Information Security @BHInfoSecurity Password Attacks • Attacks that take advantage of poor password choices: • Password Spraying • Credential Stuffing • LLMNR & NetBIOS Poisoning • Kerberoasting • Malicious Shortcut and SMB Listener
© Black Hills Information Security @BHInfoSecurity Two-Factor Authentication • All external facing systems need to be known and part of an inventory • No external user authentication without two-factor authentication • Is a significant hurdle for an attacker to overcome (but not impossible) • Multiple options • Apps • Hardware Tokens • SMS Messaging and Voice Calls
© Black Hills Information Security @BHInfoSecurity Two-Factor Policy • Written policy should state where and when 2FA is needed • Ensure policy addresses what circumstances allow individual 2FA can be turned off (and when it gets turned back on) • CIS #1: Inventory of Hardware • CIS #16: Account Monitoring and Control (as well as other CSC #s) • AC-2: Account Management • AC-3: Access Enforcement
© Black Hills Information Security @BHInfoSecurity Two-Factor Enforcement • Multiple options for implementation • Apps, some are even “free” • Hardware Tokens – historically most common, but falling out of favor for apps • SMS Messaging and Voice Calls • Regular analysis of border systems to ensure no unknown systems introduced
© Black Hills Information Security @BHInfoSecurity Over Privileged Users • Are all of your users local administrators on their workstations? • Sometime systems admins are under pressure to “just make it work” • Instant privilege escalation for an attacker
© Black Hills Information Security @BHInfoSecurity Widespread Local Admin • If you’re using one password for all local Administrator accounts, stop! • Compromise of that password will likely lead to domain compromise • Can be potentially be obtained through: • OS Deployment artifacts • Group Policy Preferences (GPP) though that’s falling out of favor • Admin access to a workstation (in NTLM hash form) • Implement Microsoft Local Administrator Password Solution (LAPS) to make workstation Administrator accounts unique
© Black Hills Information Security @BHInfoSecurity Administrative Rights Policy • Policy should set forth least privilege and only certain roles • Accounts with admin rights should be separate that normal user accounts • Should also not use the same password as the regular account • Only be used for admin functions from a jump workstation • They should have no direct access to the Internet or Email • Common local admin password should be banned if possible • CIS #4: Continuous Vulnerability Assessment and Remediation • CIS #16: Account Monitoring and Control • AC-2: Account Management and CA-7: Continuous Monitoring
© Black Hills Information Security @BHInfoSecurity Admin Rights Technical Controls • Use the tools Microsoft gives you • Local Administrator Password Solution (LAPS) • the Microsoft Active Directory administrative tier model • https://docs.microsoft.com/en-us/windows-server/identity/securing- privileged-access/securing-privileged-access-reference- material#ADATM_BM
© Black Hills Information Security @BHInfoSecurity Lack of Egress Filtering • Firewalls are often only thought of for blocking inbound traffic • Outbound traffic control is important too • TCP 445 open to the Internet could allow for exfiltration hashes • Weaponzied LNK file = NetNTLM v2 hashes sent externally for an attacker to crack • Combined with a commonly used file share can lead to a lot of hashes to crack
© Black Hills Information Security @BHInfoSecurity Egress Filtering Policy • Overall Secure Architecture Policy should include: • All outbound ports blocked by default • All traffic should flow through an application proxy if possible • Any direct access should only be by documented exception • CSC #13: Boundary Defense • AC-4: Information Flow Enforcement • SC-7: Boundary Defense
© Black Hills Information Security @BHInfoSecurity Egress Filtering Implementation • No doubt its more work to implement and maintain but it’s a much more secure posture • There will be ongoing changes as changes to the environment occur • If all ports can’t be blocked outbound at a minimum TCP 445 should be • Application aware firewalls may be easier to implement this strategy
© Black Hills Information Security @BHInfoSecurity Unpatched Software • Patching is important – that’s been drilled into us for years • Uptick of web server and content management systems compromises as an initial infection vector • Sign up for USCERT email lists and email lists for the vendors of products you use to get notifications when vulns are realeased • Needs continuous monitoring and remediation
© Black Hills Information Security @BHInfoSecurity Patch Management Policy • Avoid language that puts one group in charge of all patching or groups in charge of specific systems • Patching should be an operations function that happens near automatically after patch release • Complete inventory of all software in use, do not ignore 3rd party • CSC #2: Software Inventory • CSC #3: Secure Configuration for Hardware/Software • CSC #4: Continuous Vulnerability Assessment and Remediation • CM-8: Information System Component Inventory • CM-2: Baseline Configuration • RA-5: Vulnerability Scanning
© Black Hills Information Security @BHInfoSecurity Patch Management Program • Group vulnerability scans by plugin, not by systems missing patches • Only deal with individual systems when there is a patching issue • Work towards immediate deployment of patches and the ability to quickly remediate an operations issue • Do not ignore Low and Informational level vulnerabilities • Annual third-party penetration test
© Black Hills Information Security @BHInfoSecurity Lack of Effective Logging • Mobile devices and cloud services have blurred the network boundary line • Host and network protections can (and will) be bypassed • Consolidating specific endpoint logs and alerting on actionable activity is a must • Microsoft provides some tools for this
© Black Hills Information Security @BHInfoSecurity Lack of Effective Logging
© Black Hills Information Security @BHInfoSecurity Log File Policy • Avoid stating logs will be reviewed at a specific time interval (daily, weekly, etc) – this doesn’t work • Consolidation of logs from specific devices and specific events on servers and endpoints to provide actionable alerts • Address log retention (one year?) • CSC #4: Continuous Vuln Assessment and Remediation • CA-7: Continuous Monitoring
© Black Hills Information Security @BHInfoSecurity Logging Implementation • Set a foundation for centralized logging of Windows Events on Servers and Workstations • Microsoft has a free way to do this – Windows Event Forwarder (WEF) Server • Only send specific Event IDs that are actionable – log what matters • NSA Spot the Adversary list • https://www.blackhillsinfosec.com/e nd-point-log-consolidation- windows-event-forwarder/
© Black Hills Information Security @BHInfoSecurity Atomic Critical Controls • What is your password policy, specifically the minimum character length requirement? • Do you have any single factor external portals for users (or, do you use 2FA on all external access)? • Do you have a patch management program that includes third- party software? • Do you allow workstation to workstation communication? • Do you require separate administrative accounts for systems admins perform work?
© Black Hills Information Security @BHInfoSecurity Atomic Critical Controls • Are you using any Enterprise Detection and Response (EDR) products? • Is there a team reviewing and actively responding to alerts? • Are you collecting and consolidating Windows endpoint logs? • Are you logging network traffic and web access? • How long are these logs retained for? • Have you migrated to Windows 10 and Server 2012 (or higher)? • Do you have legacy operating systems no longer supported by the vendor?
© Black Hills Information Security @BHInfoSecurity Atomic Critical Controls • Have you implemented LAPS? • Are all of your users local administrators on their workstations? • Are you restricting egress traffic from your network? • Are you using any form of application whitelisting? • Do you have an inventory of all hardware and software assets?
© Black Hills Information Security @BHInfoSecurity How to Security? • Want to really frustrate an attacker (or pen tester)? • Long minimum character length password policy • Separation of admin accounts and all admin functions performed from a non-domain joined jump workstation • Implement Microsoft 3-tier architecture • No workstation to workstation communication (clients only talk to servers) • Implement application whitelisting • Run all Windows systems on latest version with latest patches • Do not disable Windows Defender and run UAC in Always Notify
© Black Hills Information Security @BHInfoSecurity How to Security? • Turns out good security is really just good systems administration backed by policy • The latest anti-APT Cyber Blinky Box Hacktron 5000 does not replace this • Implement the first CSC five controls • They support the remaining 15
© Black Hills Information Security @BHInfoSecurity Questions • Black Hills Information Security • http://www.blackhillsinfosec.com • @BHInfoSecurity • Derek Banks • @0xderuke

Recommended

Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
Precisely
 
Essential Layers of IBM i Security: File and Field Security
Essential Layers of IBM i Security: File and Field SecurityEssential Layers of IBM i Security: File and Field Security
Essential Layers of IBM i Security: File and Field Security
Precisely
 
The New Assure Security: Complete IBM i Compliance and Security
The New Assure Security: Complete IBM i Compliance and SecurityThe New Assure Security: Complete IBM i Compliance and Security
The New Assure Security: Complete IBM i Compliance and Security
Precisely
 
IBM i Security SIEM Integration
IBM i Security SIEM IntegrationIBM i Security SIEM Integration
IBM i Security SIEM Integration
Precisely
 
Essential Layers of IBM i Security: Security Monitoring and Auditing
Essential Layers of IBM i Security: Security Monitoring and AuditingEssential Layers of IBM i Security: Security Monitoring and Auditing
Essential Layers of IBM i Security: Security Monitoring and Auditing
Precisely
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and Data
Precisely
 
Design Summit - User stories from the field - Chris Jung
Design Summit - User stories from the field - Chris JungDesign Summit - User stories from the field - Chris Jung
Design Summit - User stories from the field - Chris Jung
ManageIQ
 
Social Distance Your IBM i from Cybersecurity Risk
Social Distance Your IBM i from Cybersecurity RiskSocial Distance Your IBM i from Cybersecurity Risk
Social Distance Your IBM i from Cybersecurity Risk
Precisely
 

Recommended

Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
Precisely
 
Essential Layers of IBM i Security: File and Field Security
Essential Layers of IBM i Security: File and Field SecurityEssential Layers of IBM i Security: File and Field Security
Essential Layers of IBM i Security: File and Field Security
Precisely
 
The New Assure Security: Complete IBM i Compliance and Security
The New Assure Security: Complete IBM i Compliance and SecurityThe New Assure Security: Complete IBM i Compliance and Security
The New Assure Security: Complete IBM i Compliance and Security
Precisely
 
IBM i Security SIEM Integration
IBM i Security SIEM IntegrationIBM i Security SIEM Integration
IBM i Security SIEM Integration
Precisely
 
Essential Layers of IBM i Security: Security Monitoring and Auditing
Essential Layers of IBM i Security: Security Monitoring and AuditingEssential Layers of IBM i Security: Security Monitoring and Auditing
Essential Layers of IBM i Security: Security Monitoring and Auditing
Precisely
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and Data
Precisely
 
Design Summit - User stories from the field - Chris Jung
Design Summit - User stories from the field - Chris JungDesign Summit - User stories from the field - Chris Jung
Design Summit - User stories from the field - Chris Jung
ManageIQ
 
Social Distance Your IBM i from Cybersecurity Risk
Social Distance Your IBM i from Cybersecurity RiskSocial Distance Your IBM i from Cybersecurity Risk
Social Distance Your IBM i from Cybersecurity Risk
Precisely
 
#MFSummit2016 Secure: Is your mainframe less secure than your fileserver
#MFSummit2016 Secure: Is your mainframe less secure than your fileserver#MFSummit2016 Secure: Is your mainframe less secure than your fileserver
#MFSummit2016 Secure: Is your mainframe less secure than your fileserver
Micro Focus
 
Introducing Assure Security Risk Assessment
Introducing Assure Security Risk AssessmentIntroducing Assure Security Risk Assessment
Introducing Assure Security Risk Assessment
Precisely
 
Best Practices for Multi-Factor Authentication on IBM i
Best Practices for Multi-Factor Authentication on IBM iBest Practices for Multi-Factor Authentication on IBM i
Best Practices for Multi-Factor Authentication on IBM i
Precisely
 
Security 101: Controlling Access to IBM i Systems and Data
Security 101: Controlling Access to IBM i Systems and DataSecurity 101: Controlling Access to IBM i Systems and Data
Security 101: Controlling Access to IBM i Systems and Data
Precisely
 
Security 101: Controlling Access to IBM i Systems and Data
Security 101: Controlling Access to IBM i Systems and DataSecurity 101: Controlling Access to IBM i Systems and Data
Security 101: Controlling Access to IBM i Systems and Data
Precisely
 
Application hardening, Secure Socket Layer(SSL) & Secure Electronic Transacti...
Application hardening, Secure Socket Layer(SSL) & Secure Electronic Transacti...Application hardening, Secure Socket Layer(SSL) & Secure Electronic Transacti...
Application hardening, Secure Socket Layer(SSL) & Secure Electronic Transacti...
Jayesh Naik
 
Getting Started with IBM i Security: Securing PC Access
Getting Started with IBM i Security: Securing PC AccessGetting Started with IBM i Security: Securing PC Access
Getting Started with IBM i Security: Securing PC Access
HelpSystems
 
Essential Layers of IBM i Security: System-Access Security
Essential Layers of IBM i Security: System-Access SecurityEssential Layers of IBM i Security: System-Access Security
Essential Layers of IBM i Security: System-Access Security
Precisely
 
Secure remote device access
Secure remote device access Secure remote device access
Secure remote device access
Nirmal Thaliyil
 
Core defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsCore defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applications
Karan Nagrecha
 
Cyber security series administrative control breaches
Cyber security series administrative control breaches Cyber security series administrative control breaches
Cyber security series administrative control breaches
Jim Kaplan CIA CFE
 
Increase IBM i Security & Accelerate Compliance with New Syncsort Security Re...
Increase IBM i Security & Accelerate Compliance with New Syncsort Security Re...Increase IBM i Security & Accelerate Compliance with New Syncsort Security Re...
Increase IBM i Security & Accelerate Compliance with New Syncsort Security Re...
Precisely
 
Secure Management of Privileged Passwords
Secure Management of Privileged PasswordsSecure Management of Privileged Passwords
Secure Management of Privileged Passwords
Hitachi ID Systems, Inc.
 
Secure IT 2014
Secure IT 2014Secure IT 2014
Secure IT 2014
ADGP, Public Grivences, Bangalore
 
Chapter 5 - Identity Management
Chapter 5 - Identity ManagementChapter 5 - Identity Management
Chapter 5 - Identity Management
Karthikeyan Dhayalan
 
Privileged Access Manager Product Q&A
Privileged Access Manager Product Q&APrivileged Access Manager Product Q&A
Privileged Access Manager Product Q&A
Hitachi ID Systems, Inc.
 
Chapter 1 Law & Ethics
Chapter 1 Law & EthicsChapter 1 Law & Ethics
Chapter 1 Law & Ethics
Karthikeyan Dhayalan
 
Revealing the 2016 State of IBM i Security
Revealing the 2016 State of IBM i SecurityRevealing the 2016 State of IBM i Security
Revealing the 2016 State of IBM i Security
HelpSystems
 
Identity and Access Management 101
Identity and Access Management 101Identity and Access Management 101
Identity and Access Management 101
Jerod Brennen
 
Ch 9: Embedded Operating Systems: The Hidden Threat
Ch 9: Embedded Operating Systems: The Hidden ThreatCh 9: Embedded Operating Systems: The Hidden Threat
Ch 9: Embedded Operating Systems: The Hidden Threat
Sam Bowne
 
Lock it Down: Access Control for IBM i
Lock it Down: Access Control for IBM iLock it Down: Access Control for IBM i
Lock it Down: Access Control for IBM i
Precisely
 
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Teemu Tiainen
 

More Related Content

What's hot

Introducing Assure Security Risk Assessment
Introducing Assure Security Risk AssessmentIntroducing Assure Security Risk Assessment
Introducing Assure Security Risk Assessment
Precisely
 
Best Practices for Multi-Factor Authentication on IBM i
Best Practices for Multi-Factor Authentication on IBM iBest Practices for Multi-Factor Authentication on IBM i
Best Practices for Multi-Factor Authentication on IBM i
Precisely
 
Secure remote device access
Secure remote device access Secure remote device access
Secure remote device access
Nirmal Thaliyil
 
Secure Management of Privileged Passwords
Secure Management of Privileged PasswordsSecure Management of Privileged Passwords
Secure Management of Privileged Passwords
Hitachi ID Systems, Inc.
 

What's hot (20)

#MFSummit2016 Secure: Is your mainframe less secure than your fileserver
#MFSummit2016 Secure: Is your mainframe less secure than your fileserver#MFSummit2016 Secure: Is your mainframe less secure than your fileserver
#MFSummit2016 Secure: Is your mainframe less secure than your fileserver
 
Introducing Assure Security Risk Assessment
Introducing Assure Security Risk AssessmentIntroducing Assure Security Risk Assessment
Introducing Assure Security Risk Assessment
 
Best Practices for Multi-Factor Authentication on IBM i
Best Practices for Multi-Factor Authentication on IBM iBest Practices for Multi-Factor Authentication on IBM i
Best Practices for Multi-Factor Authentication on IBM i
 
Security 101: Controlling Access to IBM i Systems and Data
Security 101: Controlling Access to IBM i Systems and DataSecurity 101: Controlling Access to IBM i Systems and Data
Security 101: Controlling Access to IBM i Systems and Data
 
Security 101: Controlling Access to IBM i Systems and Data
Security 101: Controlling Access to IBM i Systems and DataSecurity 101: Controlling Access to IBM i Systems and Data
Security 101: Controlling Access to IBM i Systems and Data
 
Application hardening, Secure Socket Layer(SSL) & Secure Electronic Transacti...
Application hardening, Secure Socket Layer(SSL) & Secure Electronic Transacti...Application hardening, Secure Socket Layer(SSL) & Secure Electronic Transacti...
Application hardening, Secure Socket Layer(SSL) & Secure Electronic Transacti...
 
Getting Started with IBM i Security: Securing PC Access
Getting Started with IBM i Security: Securing PC AccessGetting Started with IBM i Security: Securing PC Access
Getting Started with IBM i Security: Securing PC Access
 
Essential Layers of IBM i Security: System-Access Security
Essential Layers of IBM i Security: System-Access SecurityEssential Layers of IBM i Security: System-Access Security
Essential Layers of IBM i Security: System-Access Security
 
Secure remote device access
Secure remote device access Secure remote device access
Secure remote device access
 
Core defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsCore defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applications
 
Cyber security series administrative control breaches
Cyber security series administrative control breaches Cyber security series administrative control breaches
Cyber security series administrative control breaches
 
Increase IBM i Security & Accelerate Compliance with New Syncsort Security Re...
Increase IBM i Security & Accelerate Compliance with New Syncsort Security Re...Increase IBM i Security & Accelerate Compliance with New Syncsort Security Re...
Increase IBM i Security & Accelerate Compliance with New Syncsort Security Re...
 
Secure Management of Privileged Passwords
Secure Management of Privileged PasswordsSecure Management of Privileged Passwords
Secure Management of Privileged Passwords
 
Secure IT 2014
Secure IT 2014Secure IT 2014
Secure IT 2014
 
Chapter 5 - Identity Management
Chapter 5 - Identity ManagementChapter 5 - Identity Management
Chapter 5 - Identity Management
 
Privileged Access Manager Product Q&A
Privileged Access Manager Product Q&APrivileged Access Manager Product Q&A
Privileged Access Manager Product Q&A
 
Chapter 1 Law & Ethics
Chapter 1 Law & EthicsChapter 1 Law & Ethics
Chapter 1 Law & Ethics
 
Revealing the 2016 State of IBM i Security
Revealing the 2016 State of IBM i SecurityRevealing the 2016 State of IBM i Security
Revealing the 2016 State of IBM i Security
 
Identity and Access Management 101
Identity and Access Management 101Identity and Access Management 101
Identity and Access Management 101
 
Ch 9: Embedded Operating Systems: The Hidden Threat
Ch 9: Embedded Operating Systems: The Hidden ThreatCh 9: Embedded Operating Systems: The Hidden Threat
Ch 9: Embedded Operating Systems: The Hidden Threat
 

Similar to Compliance technical controls and you rva sec 2019

Lock it Down: Access Control for IBM i
Lock it Down: Access Control for IBM iLock it Down: Access Control for IBM i
Lock it Down: Access Control for IBM i
Precisely
 
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Teemu Tiainen
 
Protecting Your Business from Unauthorized IBM i Access
Protecting Your Business from Unauthorized IBM i AccessProtecting Your Business from Unauthorized IBM i Access
Protecting Your Business from Unauthorized IBM i Access
Precisely
 
What Does a Full Featured Security Strategy Look Like?
What Does a Full Featured Security Strategy Look Like?What Does a Full Featured Security Strategy Look Like?
What Does a Full Featured Security Strategy Look Like?
Precisely
 
The Best Shield Against Ransomware for IBM i
The Best Shield Against Ransomware for IBM iThe Best Shield Against Ransomware for IBM i
The Best Shield Against Ransomware for IBM i
Precisely
 
The digital natives are coming
The digital natives are comingThe digital natives are coming
The digital natives are coming
Sean Massey
 
Threats of Database in ECommerce
Threats of Database in ECommerceThreats of Database in ECommerce
Threats of Database in ECommerce
Mentalist Akram
 
Best Practices for Multi-Factor Authentication on IBM i
Best Practices for Multi-Factor Authentication on IBM iBest Practices for Multi-Factor Authentication on IBM i
Best Practices for Multi-Factor Authentication on IBM i
Precisely
 
Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...
Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...
Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...
Beau Bullock
 

Similar to Compliance technical controls and you rva sec 2019 (20)

Lock it Down: Access Control for IBM i
Lock it Down: Access Control for IBM iLock it Down: Access Control for IBM i
Lock it Down: Access Control for IBM i
 
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
 
Designing Flexibility in Software to Increase Security
Designing Flexibility in Software to Increase SecurityDesigning Flexibility in Software to Increase Security
Designing Flexibility in Software to Increase Security
 
Protecting Your Business from Unauthorized IBM i Access
Protecting Your Business from Unauthorized IBM i AccessProtecting Your Business from Unauthorized IBM i Access
Protecting Your Business from Unauthorized IBM i Access
 
What Does a Full Featured Security Strategy Look Like?
What Does a Full Featured Security Strategy Look Like?What Does a Full Featured Security Strategy Look Like?
What Does a Full Featured Security Strategy Look Like?
 
The Best Shield Against Ransomware for IBM i
The Best Shield Against Ransomware for IBM iThe Best Shield Against Ransomware for IBM i
The Best Shield Against Ransomware for IBM i
 
RPASS - Ricoh Proactive ServiceS for Remote Monitoring & Backup
RPASS - Ricoh Proactive ServiceS for Remote Monitoring & Backup RPASS - Ricoh Proactive ServiceS for Remote Monitoring & Backup
RPASS - Ricoh Proactive ServiceS for Remote Monitoring & Backup
 
11 secure development
11 secure development 11 secure development
11 secure development
 
Efficiencies in RPA with UiPath and CyberArk Technologies - Session 2
Efficiencies in RPA with UiPath and CyberArk Technologies - Session 2Efficiencies in RPA with UiPath and CyberArk Technologies - Session 2
Efficiencies in RPA with UiPath and CyberArk Technologies - Session 2
 
Centrify Access Manager Presentation.pptx
Centrify Access Manager Presentation.pptxCentrify Access Manager Presentation.pptx
Centrify Access Manager Presentation.pptx
 
IBM i HA and Security: Why They Need to Work Together
IBM i HA and Security: Why They Need to Work TogetherIBM i HA and Security: Why They Need to Work Together
IBM i HA and Security: Why They Need to Work Together
 
The digital natives are coming
The digital natives are comingThe digital natives are coming
The digital natives are coming
 
Data Leakage Prevention
Data Leakage PreventionData Leakage Prevention
Data Leakage Prevention
 
Threats
ThreatsThreats
Threats
 
Threats of Database in ECommerce
Threats of Database in ECommerceThreats of Database in ECommerce
Threats of Database in ECommerce
 
Building an Identity Management Business Case
Building an Identity Management Business CaseBuilding an Identity Management Business Case
Building an Identity Management Business Case
 
Securing the cloud and your assets
Securing the cloud and your assetsSecuring the cloud and your assets
Securing the cloud and your assets
 
Best Practices for Multi-Factor Authentication on IBM i
Best Practices for Multi-Factor Authentication on IBM iBest Practices for Multi-Factor Authentication on IBM i
Best Practices for Multi-Factor Authentication on IBM i
 
Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...
Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...
Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...
 
Využijte svou Oracle databázi na maximum!
Využijte svou Oracle databázi na maximum!Využijte svou Oracle databázi na maximum!
Využijte svou Oracle databázi na maximum!
 

Recently uploaded

一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
F
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Priya Reddy
 
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
kumargunjan9515
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
ayvbos
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
ayvbos
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
ydyuyu
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
ydyuyu
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
EleniIlkou
 
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
pxcywzqs
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girls
Monica Sydney
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
gajnagarg
 

Recently uploaded (20)

20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
 
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime BalliaBallia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girls
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 

Compliance technical controls and you rva sec 2019

  • 1. © Black Hills Information Security @BHInfoSecurity Compliance, Technical Controls and You Derek Banks (@0xderuke)
  • 2. © Black Hills Information Security @BHInfoSecurity About • Compliance work without enforcement through technical controls is just checking a box • Technical control systems without backing policy and management framework is just playing around with technology toys • How do either of these two areas of Infosec work to keep attackers out of a network?
  • 3. © Black Hills Information Security @BHInfoSecurity Me • Pentester / Red Team at Black Hills Information Security • GSEC, GCFA, GCIH, GPEN, GFNA, GMOB, GCIA, CISSP, ABCDEFG • CitySec Meetup Organizer • TidewaterSec – (Hampton, VA) • Avid OWA enthusiast
  • 4. © Black Hills Information Security @BHInfoSecurity You • Two general areas of Infosec industry – Information Assurance and Technical Analysts • Information Assurance roles handle compliance and policy adherence • Analyst roles use specialized software and hardware to monitor and enforce security controls on computer systems
  • 5. © Black Hills Information Security @BHInfoSecurity Information Security • What is the goal of information security? • Assessment of risk and to communicate that assessment to management • To support the organization’s goals • Depending on business goals, protection of: • Availability of data • Confidentiality of data • Integrity of data
  • 6. © Black Hills Information Security @BHInfoSecurity Policy, Plan, Procedure • Policy: Strategic guidance on what will be done at a high level and has executive sponsorship • Plan: Tactical guidance on how the strategic policy goal will be met and includes identification of key roles involved • Procedures: Specific detailed series of actions taken that fulfill what is outlined in the plan
  • 7. © Black Hills Information Security @BHInfoSecurity Frameworks • Risk Management Framework • NIST 800-53, NIST 800-37, and other hit singles • CIS Critical Controls • DHS CDM • ISO 27002:2005 • NSA MNP, Top 10 • PCI DSS 3.0 • HIPAA • And many, many…. Many more
  • 8. © Black Hills Information Security @BHInfoSecurity Crosswalk • May have to map between frameworks for multiple compliance requirements • Impossible to remember all the different controls in all the frameworks • Use a crosswalk document • https://www.auditscripts.com/wp- content/uploads/mgm/downloads/809 05300.xlsx
  • 9. © Black Hills Information Security @BHInfoSecurity On the same team • Information assurance and technical analyst roles have the same overall goal • Mitigation of risk to the IT infrastructure to ensure efficient IT operations • Information security workers have the same overall goal as the rest of IT • To ensure efficient IT operations so that the organization can meet its objectives • Too often we see unnecessary internal politics and conflict and an “us versus them attitude” • Work to defeat this
  • 10. © Black Hills Information Security @BHInfoSecurity Common Issues • Weak Passwords • Lack of Two-Factor Authentication (2FA) on external systems • Over Privileged Users • Widespread Local Administrator Account • Lack of Egress Filtering • Unpatched Software • Lack of Effective Logging
  • 11. © Black Hills Information Security @BHInfoSecurity Weak Passwords • The single largest issue we see on almost all of our tests are poor password choices • Very common to find 8 character minimum, change every 90 days • Might have been ok in 1985? • Insufficient now… entire 8 character space can be brute-forced in 3 days with commodity gaming video cards • Also, likely an attacker can guess a password
  • 12. © Black Hills Information Security @BHInfoSecurity Password Policy • Length is the most important password attribute • Policy should be set to 15 character minimum • Can alleviate operations concerns by increasing time between changes • CIS #16: Account Monitoring and Control • AC-2: Account Management • AC-3: Access Enforcement
  • 13. © Black Hills Information Security @BHInfoSecurity Password Control Enforcement • Set password length through Group Policy Objects (GPO) • Not technically complex change • Prior to Windows Server 2012 “appeared” to be limited to 14 max in the Windows GUI • Can still be changed with ADSI or other tools • https://www.blackhillsinfosec.com/increase-minimum-character- password-length-15-policies-active-directory/ • Consider additional technical controls like a password filter • https://www.blackhillsinfosec.com/the-creddefense-toolkit/
  • 14. © Black Hills Information Security @BHInfoSecurity Password Attacks • Attacks that take advantage of poor password choices: • Password Spraying • Credential Stuffing • LLMNR & NetBIOS Poisoning • Kerberoasting • Malicious Shortcut and SMB Listener
  • 15. © Black Hills Information Security @BHInfoSecurity Two-Factor Authentication • All external facing systems need to be known and part of an inventory • No external user authentication without two-factor authentication • Is a significant hurdle for an attacker to overcome (but not impossible) • Multiple options • Apps • Hardware Tokens • SMS Messaging and Voice Calls
  • 16. © Black Hills Information Security @BHInfoSecurity Two-Factor Policy • Written policy should state where and when 2FA is needed • Ensure policy addresses what circumstances allow individual 2FA can be turned off (and when it gets turned back on) • CIS #1: Inventory of Hardware • CIS #16: Account Monitoring and Control (as well as other CSC #s) • AC-2: Account Management • AC-3: Access Enforcement
  • 17. © Black Hills Information Security @BHInfoSecurity Two-Factor Enforcement • Multiple options for implementation • Apps, some are even “free” • Hardware Tokens – historically most common, but falling out of favor for apps • SMS Messaging and Voice Calls • Regular analysis of border systems to ensure no unknown systems introduced
  • 18. © Black Hills Information Security @BHInfoSecurity Over Privileged Users • Are all of your users local administrators on their workstations? • Sometime systems admins are under pressure to “just make it work” • Instant privilege escalation for an attacker
  • 19. © Black Hills Information Security @BHInfoSecurity Widespread Local Admin • If you’re using one password for all local Administrator accounts, stop! • Compromise of that password will likely lead to domain compromise • Can be potentially be obtained through: • OS Deployment artifacts • Group Policy Preferences (GPP) though that’s falling out of favor • Admin access to a workstation (in NTLM hash form) • Implement Microsoft Local Administrator Password Solution (LAPS) to make workstation Administrator accounts unique
  • 20. © Black Hills Information Security @BHInfoSecurity Administrative Rights Policy • Policy should set forth least privilege and only certain roles • Accounts with admin rights should be separate that normal user accounts • Should also not use the same password as the regular account • Only be used for admin functions from a jump workstation • They should have no direct access to the Internet or Email • Common local admin password should be banned if possible • CIS #4: Continuous Vulnerability Assessment and Remediation • CIS #16: Account Monitoring and Control • AC-2: Account Management and CA-7: Continuous Monitoring
  • 21. © Black Hills Information Security @BHInfoSecurity Admin Rights Technical Controls • Use the tools Microsoft gives you • Local Administrator Password Solution (LAPS) • the Microsoft Active Directory administrative tier model • https://docs.microsoft.com/en-us/windows-server/identity/securing- privileged-access/securing-privileged-access-reference- material#ADATM_BM
  • 22. © Black Hills Information Security @BHInfoSecurity Lack of Egress Filtering • Firewalls are often only thought of for blocking inbound traffic • Outbound traffic control is important too • TCP 445 open to the Internet could allow for exfiltration hashes • Weaponzied LNK file = NetNTLM v2 hashes sent externally for an attacker to crack • Combined with a commonly used file share can lead to a lot of hashes to crack
  • 23. © Black Hills Information Security @BHInfoSecurity Egress Filtering Policy • Overall Secure Architecture Policy should include: • All outbound ports blocked by default • All traffic should flow through an application proxy if possible • Any direct access should only be by documented exception • CSC #13: Boundary Defense • AC-4: Information Flow Enforcement • SC-7: Boundary Defense
  • 24. © Black Hills Information Security @BHInfoSecurity Egress Filtering Implementation • No doubt its more work to implement and maintain but it’s a much more secure posture • There will be ongoing changes as changes to the environment occur • If all ports can’t be blocked outbound at a minimum TCP 445 should be • Application aware firewalls may be easier to implement this strategy
  • 25. © Black Hills Information Security @BHInfoSecurity Unpatched Software • Patching is important – that’s been drilled into us for years • Uptick of web server and content management systems compromises as an initial infection vector • Sign up for USCERT email lists and email lists for the vendors of products you use to get notifications when vulns are realeased • Needs continuous monitoring and remediation
  • 26. © Black Hills Information Security @BHInfoSecurity Patch Management Policy • Avoid language that puts one group in charge of all patching or groups in charge of specific systems • Patching should be an operations function that happens near automatically after patch release • Complete inventory of all software in use, do not ignore 3rd party • CSC #2: Software Inventory • CSC #3: Secure Configuration for Hardware/Software • CSC #4: Continuous Vulnerability Assessment and Remediation • CM-8: Information System Component Inventory • CM-2: Baseline Configuration • RA-5: Vulnerability Scanning
  • 27. © Black Hills Information Security @BHInfoSecurity Patch Management Program • Group vulnerability scans by plugin, not by systems missing patches • Only deal with individual systems when there is a patching issue • Work towards immediate deployment of patches and the ability to quickly remediate an operations issue • Do not ignore Low and Informational level vulnerabilities • Annual third-party penetration test
  • 28. © Black Hills Information Security @BHInfoSecurity Lack of Effective Logging • Mobile devices and cloud services have blurred the network boundary line • Host and network protections can (and will) be bypassed • Consolidating specific endpoint logs and alerting on actionable activity is a must • Microsoft provides some tools for this
  • 29. © Black Hills Information Security @BHInfoSecurity Lack of Effective Logging
  • 30. © Black Hills Information Security @BHInfoSecurity Log File Policy • Avoid stating logs will be reviewed at a specific time interval (daily, weekly, etc) – this doesn’t work • Consolidation of logs from specific devices and specific events on servers and endpoints to provide actionable alerts • Address log retention (one year?) • CSC #4: Continuous Vuln Assessment and Remediation • CA-7: Continuous Monitoring
  • 31. © Black Hills Information Security @BHInfoSecurity Logging Implementation • Set a foundation for centralized logging of Windows Events on Servers and Workstations • Microsoft has a free way to do this – Windows Event Forwarder (WEF) Server • Only send specific Event IDs that are actionable – log what matters • NSA Spot the Adversary list • https://www.blackhillsinfosec.com/e nd-point-log-consolidation- windows-event-forwarder/
  • 32. © Black Hills Information Security @BHInfoSecurity Atomic Critical Controls • What is your password policy, specifically the minimum character length requirement? • Do you have any single factor external portals for users (or, do you use 2FA on all external access)? • Do you have a patch management program that includes third- party software? • Do you allow workstation to workstation communication? • Do you require separate administrative accounts for systems admins perform work?
  • 33. © Black Hills Information Security @BHInfoSecurity Atomic Critical Controls • Are you using any Enterprise Detection and Response (EDR) products? • Is there a team reviewing and actively responding to alerts? • Are you collecting and consolidating Windows endpoint logs? • Are you logging network traffic and web access? • How long are these logs retained for? • Have you migrated to Windows 10 and Server 2012 (or higher)? • Do you have legacy operating systems no longer supported by the vendor?
  • 34. © Black Hills Information Security @BHInfoSecurity Atomic Critical Controls • Have you implemented LAPS? • Are all of your users local administrators on their workstations? • Are you restricting egress traffic from your network? • Are you using any form of application whitelisting? • Do you have an inventory of all hardware and software assets?
  • 35. © Black Hills Information Security @BHInfoSecurity How to Security? • Want to really frustrate an attacker (or pen tester)? • Long minimum character length password policy • Separation of admin accounts and all admin functions performed from a non-domain joined jump workstation • Implement Microsoft 3-tier architecture • No workstation to workstation communication (clients only talk to servers) • Implement application whitelisting • Run all Windows systems on latest version with latest patches • Do not disable Windows Defender and run UAC in Always Notify
  • 36. © Black Hills Information Security @BHInfoSecurity How to Security? • Turns out good security is really just good systems administration backed by policy • The latest anti-APT Cyber Blinky Box Hacktron 5000 does not replace this • Implement the first CSC five controls • They support the remaining 15
  • 37. © Black Hills Information Security @BHInfoSecurity Questions • Black Hills Information Security • http://www.blackhillsinfosec.com • @BHInfoSecurity • Derek Banks • @0xderuke