SlideShare a Scribd company logo

SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3

Lisa Niles
Lisa Niles

SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3

Technology
1 of 35
Download to read offline
Tech TV Series COLLABORATE, INNOVATE, VALIDATE CIS Top 20 #3 Secure Configuration of Hardware and Software Lisa Niles – CISSP, Chief Solution Architect 1
TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls • Critical Governance and the CIS Critical Security Controls 2
TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls • How the CIS Critical Security Controls can help? 3
TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls • Sample: • Governance item #1: Manage the known cyber vulnerabilities of your information and make sure the necessary security policies are in place to manage the risk. • At a minimum, you should be able to identify and manage the large volume of known flaws and vulnerabilities found in information technology and processes. The flowing CIS Critical Security Controls are the primary means to establish a baseline of responsible practices that can be measured, managed and reported. • CSC3: Secure Configurations of Hardware and Software • CSC#4: ContinuousVulnerability Assessment and Remediation 4
TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls • CIS CSC focus on various technical aspects of information security • Outside of the technical realm, a comprehensive security program should also take into account: • Numerous additional areas of security • Policies • Procedures • Process • Organizational structure • Physical security. 5
TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE • What am I trying to protect? • Where are my gaps? • What are my priorities? • Where can I automate? 6 CIS Top 20 Critical Security Controls
TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls 7
TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls 8
TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls Implementing the Controls: • Carefully plan • Organizational structure • “Governance, Risk, and Compliance (GRC)” program. • Program managers 9
TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls 10 Basic Security Hygiene (Back to the Basics!) • Know what you have (Inventory HW &SW) • Limit what you don’t NEED (EOL, Services, Networks, Rights) • Update your software • Secure Default Configurations • Employ Process Controls
TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls 11
TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE 12 CIS Top 20 Critical Security Controls
TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE • Control #3 • Secure Configuration of Hardware and Software • Key Principle Control: • Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, workstations, mobile devices using rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings. 13 CIS Top 20 Critical Security Controls
TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE How to Get Started Step 1. Gap Assessment. Step 2. Implementation Roadmap Step 3. Implement the First Phase of Controls Step 4. IntegrateControls into Operations Step 5. Report and Manage Progress 14 CIS Top 20 Critical Security Controls
TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE Why is CIS Control 3 critical? • CSC #3 is all about preventing exposure due to misconfiguration. 15 CIS Top 20 Critical Security Controls
TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls 16 System 3.1 Establish standard secure configurations of your operating systems and software applications. Standardized images should represent hardened versions of the underlying operating system and the applications installed on the system. These images should be validated and refreshed on a regular basis to update their security configuration in light of recent vulnerabilities and attack vectors. System 3.2 Follow strict configuration management, building a secure image that is used to build all new systems that are deployed in the enterprise. Any existing system that becomes compromised should be re-imaged with the secure build. Regular updates or exceptions to this image should be integrated into the organization’s change management processes. Images should be created for workstations, servers, and other system types used by the organization. System 3.3 Store the master images on securely configured servers, validated with integrity checking tools capable of continuous inspection, and change management to ensure that only authorized changes to the images are possible. Alternatively, these master images can be stored in offline machines, air-gapped from the production network, with images copied via secure media to move them between the image storage servers and the production network. System 3.4 Perform all remote administration of servers, workstation, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL, TLS or IPSEC. System 3.5 Use file integrity checking tools to ensure that critical system files (including sensitive system and application executables, libraries, and configurations) have not been altered. The reporting system should: have the ability to account for routine and expected changes; highlight and alert on unusual or unexpected alterations; show the history of configuration changes over time and identify who made the change (including the original logged-in account in the event of a user ID switch, such as with the su or sudo command). These integrity checks should identify suspicious system alterations such as: owner and permissions changes to files or directories; the use of alternate data streams which could be used to hide malicious activities; and the introduction of extra files into key system areas (which could indicate malicious payloads left by attackers or additional files inappropriately added during batch distribution processes). System 3.6 Implement and test an automated configuration monitoring system that verifies all remotely testable secure configuration elements, and alerts when unauthorized changes occur. This includes detecting new listening ports, new administrative users, changes to group and local policy objects (where applicable), and new services running on a system. Whenever possible use tools compliant with the Security Content Automation Protocol (SCAP) in order to streamline reporting and integration. System 3.7 Deploy system configuration management tools, such as Active Directory Group Policy Objects for Microsoft Windows systems or Puppet for UNIX systems that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals. They should be capable of triggering redeployment of configuration settings on a scheduled, manual, or event-driven basis.
TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls 17 CSC 3.1 Establish standard secure configurations of your operating systems and software applications. Standardized images should represent hardened versions of the underlying operating system and the applications installed on the system.These images should be validated and refreshed on a regular basis to update their security configuration in light of recent vulnerabilities and attack vectors. CSC 3.1 Procedure: Standardize configuration of operating system. The organization: 1. IT department to build hardened OS configuration data base. 2. IT department will update hardened configurations as high risk vulnerabilities are identified. 3. IT department will push confirmation updates out to active devices Metrics: 1. The IT department will maintain a list hardened configurations 2. The IT department will audit configurations monthly.
TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE • CSC 3 Procedures andTools • Start with publicly developed, vetted, supported benchmarks, security guides or checklists: • CISecurity.org • NIST (checklists.nist.gov) • DISA STIG’s • Many tools available to measure (agent or agentless) 18 CIS Top 20 Critical Security Controls
TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls •How to start.. • Automated discovery tool (MBSA) for Windows • Use you CSC #1 & #2 inventories • Network devices (Firewalls, switches, routers, wifi) • Create system baselines (CISecurity.org) 19
TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls 20
TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls 21
TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls • 3-1 Establish and ensure the use of standard secure configurations of your operating systems. • FreeTools • DISA STIGs - DoD recommended secure systems baselines including phones, applications, OSes, network devices, etc... • MBSA - assessing missing security updates and less-secure security settings within MicrosoftWindows • Cisecurity.org Baselines, hardening guides and templates. • CommercialTools • Qualys - Policy Compliance – automatic tech control assessment across network ***Also available for cloud resources • skybox - Policy Compliance, firewall audit, network map andmodeling 22
TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls • 3-2 Follow strict configuration management, building a secure image that is used to build all new systems that are deployed in the enterprise. • FreeTools • Cisecurity.org Baselines, hardening guides and templates. • FOG - Free and Open Source imaging from a central server based on Linux. • CommercialTools • Deep Freeze - Build a clean image, revert to it easily with a reboot. • ManageEngine OS Deployer 23
TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls • 3-3 Store the master images on securely configured servers, validated with integrity checking tools capable of continuous inspection, and change management to ensure that only authorized changes to the images are possible. • FreeTools • FOG - Free and Open Source imaging from a central server based on Linux. • CommercialTools • Deep Freeze - Build a clean image, revert to it easily with a reboot. • ManageEngine OS Deployer-OS Deployer automates the disk imaging and deployment process • Avecto - Offers Privilege Management, Application Control, and Sandboxing 24
TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls • 3-4 Do all remote administration of servers, workstation, network devices, and similar equipment over secure channels. • This is referring to protocols, such as RDP, SSH, etc... • FreeTools • MRemoteNG - All-in-one for remote access. does NOT support encryptedVNC. • UltraVNC - Offers a server and client which can provide encryptedVNC • CommercialTools • RealVNC - Feature richVNC server/client • RemoteDesktopManager - Feature rich RDP client • Centrify - Secure and manage super user, service, and application accounts on servers and network devices, both on-premises and in the cloud. 25
TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls • 3-5 Utilize file integrity checking tools to ensure that critical system files (including sensitive system and application executables, libraries, and configurations) have not been altered... • This is basically referring to a HIDS. • FreeTools • AlienVault OSSIM - HIDS, SEIM, Inventory, Service Monitor, and more. • OSSEC - used in OSSIM, it is just the HIDS portion. • OpenHIDS -Windows only • CommercialTools • Tripwire - heterogeneous server monitoring acrossWindows, Linux, Solaris, AIX and HP-UX platforms. 26
TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls • 3-6 Implement and test an automated configuration monitoring system that measures all secure configuration elements that can be measured through remote testing using features such as those included with tools compliant with Security Content Automation Protocol (SCAP), and alerts when unauthorized changes occur. • FreeTools • AlienVault OSSIM - HIDS, SEIM, Inventory, Service Monitor, and more. • OSSEC - used in OSSIM, it is just the HIDS portion. • OpenHIDS -Windows only • SCM – Microsoft’s Security Compliance manager • nmap –Security Scanner, Port Scanner, & Network ExplorationTool. • CommercialTools • ForeScout - see devices, control them and orchestrate system-wide wired and wireless campus, data center, cloud and operational technology deployments without agents. • Qualys – Unparalleled visibility and control of all your assets • Skybox – as mentioned earlier 27
TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls • 3-7 Deploy system configuration management tools, such as Active Directory Group Policy Objects for MicrosoftWindows systems or Puppet for UNIX systems that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals. • FreeTools • Salt - Meant for deploying change management to ANY scale. Great for cloud deployments with OpenStack. • Puppet - GPMC for Linux. Kind of. • CommercialTools • Chef -The Chef client is installed on each server, virtual machine, container, or networking device you manage.The client periodically polls Chef server latest policy and state of your network. If anything on the node is out of date, the client brings it up to date. • Ansible - Deploy apps. Manage systems. Centrally managed. 28
TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls 29
TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls 30
TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls 31
TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls 32
TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls 33 • Center for Internet Security (CIS): https://www.cisecurity.org/ • NIST Cyber Security Framework (CSF): http://www.nist.gov/cyberframework/ • CIS Critical Security Controls (CSC): https://www.cisecurity.org/critical-controls.cfm • Auditscripts resources (provided by James Tarala, CSC Editor): https://www.auditscripts.com/free-resources/critical-security- controls/ • STIG https://iase.disa.mil/stigs/Pages/index.aspx
TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls 34
TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE Thank you for Attending. Hope you can join us for the Complete CISTop 20 CSC Tuesday March 6th CIC CSC #4 – ContinuousVulnerability & Remediation 35 CIS Top 20 Critical Security Controls

Recommended

8. operations security
8. operations security8. operations security
8. operations security7wounders
 
Computación forense
Computación forenseComputación forense
Computación forensemarcoacruz12
 
Auditoria de seguridad informatica
Auditoria de seguridad informaticaAuditoria de seguridad informatica
Auditoria de seguridad informaticaAdan Ernesto Guerrero Mocadan
 
Analisis Riesgo Metodología OCTAVE
Analisis Riesgo Metodología OCTAVEAnalisis Riesgo Metodología OCTAVE
Analisis Riesgo Metodología OCTAVEYairTobon
 
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 ruleWalk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 ruleEnterpriseGRC Solutions, Inc.
 
Nist.sp.800 61r2
Nist.sp.800 61r2Nist.sp.800 61r2
Nist.sp.800 61r2Jesús Yustas Romo
 
How Hack WiFi through Aircrack-ng in Kali Linux Cyber Security
How Hack WiFi through Aircrack-ng in Kali Linux Cyber SecurityHow Hack WiFi through Aircrack-ng in Kali Linux Cyber Security
How Hack WiFi through Aircrack-ng in Kali Linux Cyber SecurityAhmad Yar
 
Enterprise Vulnerability Management - ZeroNights16
Enterprise Vulnerability Management - ZeroNights16Enterprise Vulnerability Management - ZeroNights16
Enterprise Vulnerability Management - ZeroNights16Alexander Leonov
 

Recommended

8. operations security
8. operations security8. operations security
8. operations security7wounders
 
Computación forense
Computación forenseComputación forense
Computación forensemarcoacruz12
 
Auditoria de seguridad informatica
Auditoria de seguridad informaticaAuditoria de seguridad informatica
Auditoria de seguridad informaticaAdan Ernesto Guerrero Mocadan
 
Analisis Riesgo Metodología OCTAVE
Analisis Riesgo Metodología OCTAVEAnalisis Riesgo Metodología OCTAVE
Analisis Riesgo Metodología OCTAVEYairTobon
 
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 ruleWalk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 ruleEnterpriseGRC Solutions, Inc.
 
Nist.sp.800 61r2
Nist.sp.800 61r2Nist.sp.800 61r2
Nist.sp.800 61r2Jesús Yustas Romo
 
How Hack WiFi through Aircrack-ng in Kali Linux Cyber Security
How Hack WiFi through Aircrack-ng in Kali Linux Cyber SecurityHow Hack WiFi through Aircrack-ng in Kali Linux Cyber Security
How Hack WiFi through Aircrack-ng in Kali Linux Cyber SecurityAhmad Yar
 
Enterprise Vulnerability Management - ZeroNights16
Enterprise Vulnerability Management - ZeroNights16Enterprise Vulnerability Management - ZeroNights16
Enterprise Vulnerability Management - ZeroNights16Alexander Leonov
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)Ahmad Haghighi
 
Basic of SSDLC
Basic of SSDLCBasic of SSDLC
Basic of SSDLCChitpong Wuttanan
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM AlienVault
 
Mcafee data loss_prevention_11.6.x_product_guide_9-28-2021
Mcafee data loss_prevention_11.6.x_product_guide_9-28-2021Mcafee data loss_prevention_11.6.x_product_guide_9-28-2021
Mcafee data loss_prevention_11.6.x_product_guide_9-28-2021Chaitanya chandra sekhar
 
It security controls, plans, and procedures
It security controls, plans, and proceduresIt security controls, plans, and procedures
It security controls, plans, and proceduresCAS
 
Linux Hardening
Linux HardeningLinux Hardening
Linux HardeningMichael Boelen
 
Data Leakage Prevention (DLP)
Data Leakage Prevention (DLP)Data Leakage Prevention (DLP)
Data Leakage Prevention (DLP)Network Intelligence India
 
Threat landscape 4.0
Threat landscape 4.0Threat landscape 4.0
Threat landscape 4.0Dr. C.V. Suresh Babu
 
CentOS Linux Server Hardening
CentOS Linux Server HardeningCentOS Linux Server Hardening
CentOS Linux Server HardeningMyOwn Telco
 
Cifrado
CifradoCifrado
Cifradosindiguevarad
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0Michael Gough
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Edureka!
 
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...AlienVault
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teamingn|u - The Open Security Community
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingYvonne Marambanyika
 
Application Security
Application SecurityApplication Security
Application SecurityReggie Niccolo Santos
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information securityjayashri kolekar
 
Information Security Management.Introduction
Information Security Management.IntroductionInformation Security Management.Introduction
Information Security Management.Introductionyuliana_mar
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to CybersecurityKrutarth Vasavada
 
Gestion de Seguridad informatica
Gestion de Seguridad informaticaGestion de Seguridad informatica
Gestion de Seguridad informaticaCarlos Cardenas Fernandez
 
Security Framework from SANS
Security Framework from SANSSecurity Framework from SANS
Security Framework from SANSJeffrey Reed
 
Recent changes to the 20 critical controls
Recent changes to the 20 critical controlsRecent changes to the 20 critical controls
Recent changes to the 20 critical controlsEnclaveSecurity
 

More Related Content

What's hot

An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)Ahmad Haghighi
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM AlienVault
 
Mcafee data loss_prevention_11.6.x_product_guide_9-28-2021
Mcafee data loss_prevention_11.6.x_product_guide_9-28-2021Mcafee data loss_prevention_11.6.x_product_guide_9-28-2021
Mcafee data loss_prevention_11.6.x_product_guide_9-28-2021Chaitanya chandra sekhar
 
It security controls, plans, and procedures
It security controls, plans, and proceduresIt security controls, plans, and procedures
It security controls, plans, and proceduresCAS
 
CentOS Linux Server Hardening
CentOS Linux Server HardeningCentOS Linux Server Hardening
CentOS Linux Server HardeningMyOwn Telco
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0Michael Gough
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Edureka!
 
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...AlienVault
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingYvonne Marambanyika
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information securityjayashri kolekar
 
Information Security Management.Introduction
Information Security Management.IntroductionInformation Security Management.Introduction
Information Security Management.Introductionyuliana_mar
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to CybersecurityKrutarth Vasavada
 

What's hot (20)

An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)
 
Basic of SSDLC
Basic of SSDLCBasic of SSDLC
Basic of SSDLC
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM
 
Mcafee data loss_prevention_11.6.x_product_guide_9-28-2021
Mcafee data loss_prevention_11.6.x_product_guide_9-28-2021Mcafee data loss_prevention_11.6.x_product_guide_9-28-2021
Mcafee data loss_prevention_11.6.x_product_guide_9-28-2021
 
It security controls, plans, and procedures
It security controls, plans, and proceduresIt security controls, plans, and procedures
It security controls, plans, and procedures
 
Linux Hardening
Linux HardeningLinux Hardening
Linux Hardening
 
Data Leakage Prevention (DLP)
Data Leakage Prevention (DLP)Data Leakage Prevention (DLP)
Data Leakage Prevention (DLP)
 
Threat landscape 4.0
Threat landscape 4.0Threat landscape 4.0
Threat landscape 4.0
 
CentOS Linux Server Hardening
CentOS Linux Server HardeningCentOS Linux Server Hardening
CentOS Linux Server Hardening
 
Cifrado
CifradoCifrado
Cifrado
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...
 
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration Testing
 
Application Security
Application SecurityApplication Security
Application Security
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
 
Information Security Management.Introduction
Information Security Management.IntroductionInformation Security Management.Introduction
Information Security Management.Introduction
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to Cybersecurity
 
Gestion de Seguridad informatica
Gestion de Seguridad informaticaGestion de Seguridad informatica
Gestion de Seguridad informatica
 

Similar to SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3

Security Framework from SANS
Security Framework from SANSSecurity Framework from SANS
Security Framework from SANSJeffrey Reed
 
Recent changes to the 20 critical controls
Recent changes to the 20 critical controlsRecent changes to the 20 critical controls
Recent changes to the 20 critical controlsEnclaveSecurity
 
Network management aa
Network management aaNetwork management aa
Network management aaDhani Ahmad
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1Lisa Niles
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityAlert Logic
 
Wipro's Compliance as a Service [CAAS]
Wipro's Compliance as a Service [CAAS]Wipro's Compliance as a Service [CAAS]
Wipro's Compliance as a Service [CAAS]Symantec
 
Maintaining Continuous Compliance with HCL BigFix
Maintaining Continuous Compliance with HCL BigFixMaintaining Continuous Compliance with HCL BigFix
Maintaining Continuous Compliance with HCL BigFixHCLSoftware
 
Security Practices in Kubernetes
Security Practices in KubernetesSecurity Practices in Kubernetes
Security Practices in KubernetesFibonalabs
 
GrrCon 2014: Security On the Cheap
GrrCon 2014: Security On the CheapGrrCon 2014: Security On the Cheap
GrrCon 2014: Security On the CheapJoel Cardella
 
Software Engineering Introduction
Software Engineering IntroductionSoftware Engineering Introduction
Software Engineering IntroductionrajeswaricseAvinuty
 
Whitepaper factors to consider when selecting an open source infrastructure ...
Whitepaper factors to consider when selecting an open source infrastructure ...Whitepaper factors to consider when selecting an open source infrastructure ...
Whitepaper factors to consider when selecting an open source infrastructure ...apprize360
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4Lisa Niles
 
45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the Cloud45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the CloudCloudPassage
 
Using Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security ProblemsUsing Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security Problemskiansahafi
 
PCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingPCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingBlack Duck by Synopsys
 
31779261-NOC-and-SOC.pdf
31779261-NOC-and-SOC.pdf31779261-NOC-and-SOC.pdf
31779261-NOC-and-SOC.pdfssusera5b321
 
Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...John M. Willis
 
Improving System Upgrades and Patching using SolarWinds
Improving System Upgrades and Patching using SolarWindsImproving System Upgrades and Patching using SolarWinds
Improving System Upgrades and Patching using SolarWindsSolarWinds
 

Similar to SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3 (20)

Security Framework from SANS
Security Framework from SANSSecurity Framework from SANS
Security Framework from SANS
 
Recent changes to the 20 critical controls
Recent changes to the 20 critical controlsRecent changes to the 20 critical controls
Recent changes to the 20 critical controls
 
Network management aa
Network management aaNetwork management aa
Network management aa
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to Security
 
Wipro's Compliance as a Service [CAAS]
Wipro's Compliance as a Service [CAAS]Wipro's Compliance as a Service [CAAS]
Wipro's Compliance as a Service [CAAS]
 
Maintaining Continuous Compliance with HCL BigFix
Maintaining Continuous Compliance with HCL BigFixMaintaining Continuous Compliance with HCL BigFix
Maintaining Continuous Compliance with HCL BigFix
 
S4x20 Forescout Presentation
S4x20 Forescout Presentation S4x20 Forescout Presentation
S4x20 Forescout Presentation
 
Security Practices in Kubernetes
Security Practices in KubernetesSecurity Practices in Kubernetes
Security Practices in Kubernetes
 
GrrCon 2014: Security On the Cheap
GrrCon 2014: Security On the CheapGrrCon 2014: Security On the Cheap
GrrCon 2014: Security On the Cheap
 
Software Engineering Introduction
Software Engineering IntroductionSoftware Engineering Introduction
Software Engineering Introduction
 
NSA and PT
NSA and PTNSA and PT
NSA and PT
 
Whitepaper factors to consider when selecting an open source infrastructure ...
Whitepaper factors to consider when selecting an open source infrastructure ...Whitepaper factors to consider when selecting an open source infrastructure ...
Whitepaper factors to consider when selecting an open source infrastructure ...
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #4
 
45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the Cloud45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the Cloud
 
Using Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security ProblemsUsing Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security Problems
 
PCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingPCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s Missing
 
31779261-NOC-and-SOC.pdf
31779261-NOC-and-SOC.pdf31779261-NOC-and-SOC.pdf
31779261-NOC-and-SOC.pdf
 
Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...
 
Improving System Upgrades and Patching using SolarWinds
Improving System Upgrades and Patching using SolarWindsImproving System Upgrades and Patching using SolarWinds
Improving System Upgrades and Patching using SolarWinds
 

Recently uploaded

Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 

Recently uploaded (20)

Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 

SynerComm's Tech TV series CIS Top 20 Critical Security Controls #3

  • 1. Tech TV Series COLLABORATE, INNOVATE, VALIDATE CIS Top 20 #3 Secure Configuration of Hardware and Software Lisa Niles – CISSP, Chief Solution Architect 1
  • 2. TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls • Critical Governance and the CIS Critical Security Controls 2
  • 3. TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls • How the CIS Critical Security Controls can help? 3
  • 4. TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls • Sample: • Governance item #1: Manage the known cyber vulnerabilities of your information and make sure the necessary security policies are in place to manage the risk. • At a minimum, you should be able to identify and manage the large volume of known flaws and vulnerabilities found in information technology and processes. The flowing CIS Critical Security Controls are the primary means to establish a baseline of responsible practices that can be measured, managed and reported. • CSC3: Secure Configurations of Hardware and Software • CSC#4: ContinuousVulnerability Assessment and Remediation 4
  • 5. TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls • CIS CSC focus on various technical aspects of information security • Outside of the technical realm, a comprehensive security program should also take into account: • Numerous additional areas of security • Policies • Procedures • Process • Organizational structure • Physical security. 5
  • 6. TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE • What am I trying to protect? • Where are my gaps? • What are my priorities? • Where can I automate? 6 CIS Top 20 Critical Security Controls
  • 9. TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls Implementing the Controls: • Carefully plan • Organizational structure • “Governance, Risk, and Compliance (GRC)” program. • Program managers 9
  • 10. TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls 10 Basic Security Hygiene (Back to the Basics!) • Know what you have (Inventory HW &SW) • Limit what you don’t NEED (EOL, Services, Networks, Rights) • Update your software • Secure Default Configurations • Employ Process Controls
  • 13. TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE • Control #3 • Secure Configuration of Hardware and Software • Key Principle Control: • Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, workstations, mobile devices using rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings. 13 CIS Top 20 Critical Security Controls
  • 14. TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE How to Get Started Step 1. Gap Assessment. Step 2. Implementation Roadmap Step 3. Implement the First Phase of Controls Step 4. IntegrateControls into Operations Step 5. Report and Manage Progress 14 CIS Top 20 Critical Security Controls
  • 15. TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE Why is CIS Control 3 critical? • CSC #3 is all about preventing exposure due to misconfiguration. 15 CIS Top 20 Critical Security Controls
  • 16. TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls 16 System 3.1 Establish standard secure configurations of your operating systems and software applications. Standardized images should represent hardened versions of the underlying operating system and the applications installed on the system. These images should be validated and refreshed on a regular basis to update their security configuration in light of recent vulnerabilities and attack vectors. System 3.2 Follow strict configuration management, building a secure image that is used to build all new systems that are deployed in the enterprise. Any existing system that becomes compromised should be re-imaged with the secure build. Regular updates or exceptions to this image should be integrated into the organization’s change management processes. Images should be created for workstations, servers, and other system types used by the organization. System 3.3 Store the master images on securely configured servers, validated with integrity checking tools capable of continuous inspection, and change management to ensure that only authorized changes to the images are possible. Alternatively, these master images can be stored in offline machines, air-gapped from the production network, with images copied via secure media to move them between the image storage servers and the production network. System 3.4 Perform all remote administration of servers, workstation, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL, TLS or IPSEC. System 3.5 Use file integrity checking tools to ensure that critical system files (including sensitive system and application executables, libraries, and configurations) have not been altered. The reporting system should: have the ability to account for routine and expected changes; highlight and alert on unusual or unexpected alterations; show the history of configuration changes over time and identify who made the change (including the original logged-in account in the event of a user ID switch, such as with the su or sudo command). These integrity checks should identify suspicious system alterations such as: owner and permissions changes to files or directories; the use of alternate data streams which could be used to hide malicious activities; and the introduction of extra files into key system areas (which could indicate malicious payloads left by attackers or additional files inappropriately added during batch distribution processes). System 3.6 Implement and test an automated configuration monitoring system that verifies all remotely testable secure configuration elements, and alerts when unauthorized changes occur. This includes detecting new listening ports, new administrative users, changes to group and local policy objects (where applicable), and new services running on a system. Whenever possible use tools compliant with the Security Content Automation Protocol (SCAP) in order to streamline reporting and integration. System 3.7 Deploy system configuration management tools, such as Active Directory Group Policy Objects for Microsoft Windows systems or Puppet for UNIX systems that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals. They should be capable of triggering redeployment of configuration settings on a scheduled, manual, or event-driven basis.
  • 17. TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls 17 CSC 3.1 Establish standard secure configurations of your operating systems and software applications. Standardized images should represent hardened versions of the underlying operating system and the applications installed on the system.These images should be validated and refreshed on a regular basis to update their security configuration in light of recent vulnerabilities and attack vectors. CSC 3.1 Procedure: Standardize configuration of operating system. The organization: 1. IT department to build hardened OS configuration data base. 2. IT department will update hardened configurations as high risk vulnerabilities are identified. 3. IT department will push confirmation updates out to active devices Metrics: 1. The IT department will maintain a list hardened configurations 2. The IT department will audit configurations monthly.
  • 18. TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE • CSC 3 Procedures andTools • Start with publicly developed, vetted, supported benchmarks, security guides or checklists: • CISecurity.org • NIST (checklists.nist.gov) • DISA STIG’s • Many tools available to measure (agent or agentless) 18 CIS Top 20 Critical Security Controls
  • 19. TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls •How to start.. • Automated discovery tool (MBSA) for Windows • Use you CSC #1 & #2 inventories • Network devices (Firewalls, switches, routers, wifi) • Create system baselines (CISecurity.org) 19
  • 22. TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls • 3-1 Establish and ensure the use of standard secure configurations of your operating systems. • FreeTools • DISA STIGs - DoD recommended secure systems baselines including phones, applications, OSes, network devices, etc... • MBSA - assessing missing security updates and less-secure security settings within MicrosoftWindows • Cisecurity.org Baselines, hardening guides and templates. • CommercialTools • Qualys - Policy Compliance – automatic tech control assessment across network ***Also available for cloud resources • skybox - Policy Compliance, firewall audit, network map andmodeling 22
  • 23. TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls • 3-2 Follow strict configuration management, building a secure image that is used to build all new systems that are deployed in the enterprise. • FreeTools • Cisecurity.org Baselines, hardening guides and templates. • FOG - Free and Open Source imaging from a central server based on Linux. • CommercialTools • Deep Freeze - Build a clean image, revert to it easily with a reboot. • ManageEngine OS Deployer 23
  • 24. TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls • 3-3 Store the master images on securely configured servers, validated with integrity checking tools capable of continuous inspection, and change management to ensure that only authorized changes to the images are possible. • FreeTools • FOG - Free and Open Source imaging from a central server based on Linux. • CommercialTools • Deep Freeze - Build a clean image, revert to it easily with a reboot. • ManageEngine OS Deployer-OS Deployer automates the disk imaging and deployment process • Avecto - Offers Privilege Management, Application Control, and Sandboxing 24
  • 25. TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls • 3-4 Do all remote administration of servers, workstation, network devices, and similar equipment over secure channels. • This is referring to protocols, such as RDP, SSH, etc... • FreeTools • MRemoteNG - All-in-one for remote access. does NOT support encryptedVNC. • UltraVNC - Offers a server and client which can provide encryptedVNC • CommercialTools • RealVNC - Feature richVNC server/client • RemoteDesktopManager - Feature rich RDP client • Centrify - Secure and manage super user, service, and application accounts on servers and network devices, both on-premises and in the cloud. 25
  • 26. TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls • 3-5 Utilize file integrity checking tools to ensure that critical system files (including sensitive system and application executables, libraries, and configurations) have not been altered... • This is basically referring to a HIDS. • FreeTools • AlienVault OSSIM - HIDS, SEIM, Inventory, Service Monitor, and more. • OSSEC - used in OSSIM, it is just the HIDS portion. • OpenHIDS -Windows only • CommercialTools • Tripwire - heterogeneous server monitoring acrossWindows, Linux, Solaris, AIX and HP-UX platforms. 26
  • 27. TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls • 3-6 Implement and test an automated configuration monitoring system that measures all secure configuration elements that can be measured through remote testing using features such as those included with tools compliant with Security Content Automation Protocol (SCAP), and alerts when unauthorized changes occur. • FreeTools • AlienVault OSSIM - HIDS, SEIM, Inventory, Service Monitor, and more. • OSSEC - used in OSSIM, it is just the HIDS portion. • OpenHIDS -Windows only • SCM – Microsoft’s Security Compliance manager • nmap –Security Scanner, Port Scanner, & Network ExplorationTool. • CommercialTools • ForeScout - see devices, control them and orchestrate system-wide wired and wireless campus, data center, cloud and operational technology deployments without agents. • Qualys – Unparalleled visibility and control of all your assets • Skybox – as mentioned earlier 27
  • 28. TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls • 3-7 Deploy system configuration management tools, such as Active Directory Group Policy Objects for MicrosoftWindows systems or Puppet for UNIX systems that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals. • FreeTools • Salt - Meant for deploying change management to ANY scale. Great for cloud deployments with OpenStack. • Puppet - GPMC for Linux. Kind of. • CommercialTools • Chef -The Chef client is installed on each server, virtual machine, container, or networking device you manage.The client periodically polls Chef server latest policy and state of your network. If anything on the node is out of date, the client brings it up to date. • Ansible - Deploy apps. Manage systems. Centrally managed. 28
  • 33. TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE CIS Top 20 Critical Security Controls 33 • Center for Internet Security (CIS): https://www.cisecurity.org/ • NIST Cyber Security Framework (CSF): http://www.nist.gov/cyberframework/ • CIS Critical Security Controls (CSC): https://www.cisecurity.org/critical-controls.cfm • Auditscripts resources (provided by James Tarala, CSC Editor): https://www.auditscripts.com/free-resources/critical-security- controls/ • STIG https://iase.disa.mil/stigs/Pages/index.aspx
  • 35. TECHTVSERIES COLLABORATE,INNOVATE,VALIDATE Thank you for Attending. Hope you can join us for the Complete CISTop 20 CSC Tuesday March 6th CIC CSC #4 – ContinuousVulnerability & Remediation 35 CIS Top 20 Critical Security Controls