Critical Controls Of Cyber Defense


Published in: Technology

Critical Controls for Cyber Defense
Madhur Verma
CISSP, MVP (Consumer Security)
CEH, CIW Security Analyst, MCTS, MCSE, MCSA

Computer Attacker Activities and Associated Defenses
  - Security defenses include identifying attacker presence and reducing "living space"
  - Security defenses include controlling superuser privileges (admin and root)
  - Security defenses include disrupting command and control of attacker-implanted software
  - Security defenses include decreasing attack surface and hardening security
Critical Control 1: Boundary Defense
  - All outgoing traffic must pass through at least one proxy on a DMZ network
  - All remote login access must use two-factor authentication
  - Health-check all devices that log in remotely
  - Periodically scan for back-channel connections to the Internet that bypass the DMZ
  - Identify covert channels exfiltrating data through a firewall using the firewall's built-in session tracking mechanisms

Critical Control 2: Secure Configurations for Network Devices such as Firewalls, Routers and Switches
  - Compare firewall, router and switch configurations against the standard secure configuration defined for each type of network device
  - Implement ingress and egress filtering
  - The management network should be separated from the production network

Critical Control 3: Wireless Device Control
  - Ensure that each wireless device connected to the network matches an authorized configuration and security profile
  - Ensure all wireless traffic uses at least AES encryption with at least WPA2 protection
  - Ensure wireless networks use authentication protocols such as EAP/TLS or PEAP
  - Disable peer-to-peer wireless network capabilities on wireless clients
  - Disable wireless peripheral access of devices
  - Regularly scan for unauthorized or misconfigured wireless infrastructure devices

Critical Control 4: Limitation and Control of Network Ports, Protocols and Services
  - Use host-based firewalls or port filtering tools
  - Regularly review the ports, protocols and services needed
  - Operate critical services on separate physical host machines
  - Use port scanning tools to determine which services are listening

Critical Control 5: Malware Defenses
  - Monitor workstations, servers and mobile devices for active, up-to-date anti-malware protection
  - All malware detection events should be sent to enterprise anti-malware administration tools and event log servers
  - Configure laptops, workstations and servers so that they will not auto-run content from removable media
  - Configure systems to conduct an automated anti-malware scan of removable media when it is inserted

Critical Control 6: Secure Configurations for Hardware and Software on Laptops, Workstations and Servers
  - Standardized images should represent hardened versions of the underlying OS and the applications installed on the system
  - Utilize file integrity checking tools to ensure that critical system files have not been altered

Critical Control 7: Application Software Security
  - Protect web applications by deploying web application firewalls that inspect all traffic flowing to the web application for common web application attacks
  - Check in-house developed and third-party procured web and other application software for coding errors and malware insertion, including backdoors, prior to deployment
  - Verify that security considerations are taken into account throughout all phases of the application development life cycle for all applications

Critical Control 8: Controlled Use of Administrative Privileges
  - Should have a good password policy
  - Change all default passwords before deployment
  - Ensure that administrator accounts are used only for system administration activities and not for reading e-mail, composing documents or surfing the Internet
  - Configure systems to issue a log entry and alert when an account is added to or removed from the domain administrators group
  - User awareness

Critical Control 9: Controlled Access Based on Need-to-Know
  - Establish a multi-level data identification or separation scheme
  - Ensure that file shares have defined controls
  - Enforce detailed audit logging for access to non-public data and special authentication for sensitive data

Critical Control 10: Account Monitoring and Control
  - Establish a good account management policy
  - Review all system accounts and disable any account that cannot be associated with a business process and business owner
  - Monitor account usage to determine dormant accounts
  - Monitor attempts to access deactivated accounts through audit logging

Critical Control 11: Inventory of Authorized and Unauthorized Software
  - Devise a list of the authorised software that is required
  - Deploy software inventory tools
  - Deploy software white-listing technology that allows systems to run only approved applications and prevents execution of all other software

Critical Control 12: Inventory of Authorized and Unauthorized Devices
  - Devise a list of authorised devices
  - Deploy asset/network management tools

Critical Control 13: Maintenance, Monitoring and Analysis of Security Audit Logs
  - Logs should be recorded in a standardized format such as syslog or those outlined by the Common Event Expression (CEE) initiative
  - Network boundary devices should be configured to log all traffic arriving at the device verbosely
  - Ensure logs are written to write-only devices or to dedicated logging servers
  - Deploy a SIEM tool for log aggregation and consolidation

Critical Control 14: Data Loss Prevention
  - Deploy hard drive encryption software on laptop machines that hold sensitive data
  - Control the use of removable devices
  - Data stored on removable drives should be encrypted
  - Deploy an automated tool on the network perimeter that monitors for certain Personally Identifiable Information, keywords and other document characteristics to detect attempts to exfiltrate data

Critical Control 15: Continuous Vulnerability Assessment and Remediation
  - Run automated vulnerability scanning tools against all systems
  - Compare the results of back-to-back vulnerability scans to verify that vulnerabilities were addressed
  - Measure the delay in patching new vulnerabilities
  - Deploy automated patch management tools and software update tools

Critical Control 16: Secure Network Engineering
  - Segment the enterprise network
  - Follow best security practices for deploying servers, network devices and Internet services
  - The network should support rapid response and shunning of detected attacks

Critical Control 17: Penetration Tests and Red Team Exercises
  - Conduct regular penetration tests to identify attack vectors
  - Perform periodic red team exercises to test the readiness of the organization to identify and stop attacks or to respond quickly and effectively
  - Ensure that systemic problems discovered in penetration tests and red team exercises are fully mitigated

Critical Control 18: Incident Response Capability
  - Should have written incident response procedures
  - Should assign job titles and duties for handling incidents to specific individuals
  - Should notify CERT-In in accordance
  - Publish information about incidents to all personnel for awareness
  - Conduct periodic incident response drills for scenarios to ensure that personnel understand current threats, risks and their responsibilities

Critical Control 19: Data Recovery Capability
  - Should have a good backup policy
  - Ensure that backups are encrypted
  - Backup media should be stored in physically secure areas

Critical Control 20: Security Skills Assessment and Appropriate Training to Fill Gaps
  - Develop security awareness trainings
  - Devise periodic security awareness assessment quizzes
  - Conduct periodic exercises to verify that employees and contractors are fulfilling their information security duties

Resources
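The file integrity checking that Critical Control 6 calls for, shown as an added example that is not part of the slides: it records a SHA-256 baseline of a constructed set of files in a temporary directory, then re-hashes the tree and reports what was modified, deleted or added. The file names and contents are constructed for the example.

```python
"""File-integrity baseline and verification for Critical Control 6. Added example,
not from the slides: hash every regular file under a directory, keep the SHA-256 map,
re-hash later and report modified, missing and added files (constructed data)."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of one file, streamed in 64 KiB chunks so large binaries fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root, baseline):
    """Compare the live tree with a saved baseline; any non-empty list is a finding."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: baseline two files, then alter one, delete one, add one."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        # A real baseline is signed and stored off-host; the JSON round-trip stands in for that.
        saved = json.loads(json.dumps(build_baseline(root)))
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # modified
        (root / "etc" / "passwd").unlink()                                   # missing
        (root / "etc" / "unexpected").write_bytes(b"\x7fELF-new")           # added
        return verify(root, saved)
```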
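Critical Controls 8 and 10 both ask for detections over audit logs: alert on membership changes to the domain administrators group, flag logon attempts against deactivated accounts, and find dormant accounts. The following added example, not from the deck, runs those three detections over a constructed JSON-lines audit log; the record format, account names, group names and dates are assumptions made for the example.

```python
"""Detections for Critical Controls 8 and 10 over constructed audit events.
Added example, not from the deck. The JSON-lines format is chosen for this
example, not a real product's; the sample log and account list are constructed."""
import json
from datetime import datetime, timedelta

SAMPLE_LOG = """\
{"ts": "2024-03-01T08:00:00", "event": "logon", "user": "alice", "result": "success"}
{"ts": "2024-03-02T09:15:00", "event": "group_change", "action": "add", "group": "Domain Admins", "member": "svc_backup", "actor": "bob"}
{"ts": "2024-03-02T09:16:00", "event": "group_change", "action": "add", "group": "Helpdesk", "member": "carol", "actor": "bob"}
{"ts": "2024-03-03T22:40:00", "event": "logon", "user": "old_contractor", "result": "failure", "reason": "account_disabled"}
{"ts": "2024-03-10T10:00:00", "event": "logon", "user": "bob", "result": "success"}
{"ts": "2024-03-20T10:00:00", "event": "group_change", "action": "remove", "group": "Domain Admins", "member": "alice", "actor": "bob"}
"""
PRIVILEGED_GROUPS = {"Domain Admins"}
# Accounts known to the directory (constructed); "dave" has never logged on.
KNOWN_ACCOUNTS = {"alice", "bob", "carol", "svc_backup", "dave"}
REPORT_DATE = datetime(2024, 3, 25)  # the "now" used when the report runs


def parse(log_text):
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return events


def privileged_group_changes(events):
    """Control 8: every add/remove on a privileged group is an alert, whoever did it."""
    return [f"{e['ts']:%Y-%m-%d %H:%M} {e['actor']} {e['action']} {e['member']} -> {e['group']}"
            for e in events
            if e["event"] == "group_change" and e["group"] in PRIVILEGED_GROUPS]


def disabled_account_attempts(events):
    """Control 10: accounts someone tried to log on to after they were deactivated."""
    return sorted({e["user"] for e in events
                   if e["event"] == "logon" and e.get("reason") == "account_disabled"})


def dormant_accounts(events, now, max_idle_days=30):
    """Control 10: known accounts with no successful logon in max_idle_days (never-used counts)."""
    last_seen = {}
    for e in events:
        if e["event"] == "logon" and e["result"] == "success":
            last_seen[e["user"]] = max(e["ts"], last_seen.get(e["user"], e["ts"]))
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u for u in KNOWN_ACCOUNTS if last_seen.get(u, datetime.min) < cutoff)
```

Each function returns a list an alerting pipeline can act on; only the Domain Admins changes fire for Control 8, while the Helpdesk change is ignored.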