Fog of War
“Nebel des Krieges”
The unavoidable aspect of war wherein the intelligence gathered is always incomplete to a degree, thereby making any decisions concerning said war a bit... foggy.
The Security “Fog of More”
Simple, Achievable, Understandable, Affordable, Real World
Finally, after lots of … (Internet Browsing): CIS (SANS) Critical Security Controls
EFFECTIVE CYBER DEFENSE
USING
CIS CRITICAL SECURITY CONTROLS
Vikas Singh Yadav
vikassinghyadav@gmail.com
@VikasSYadav
09999402059
Who am I?
• Vikas Singh Yadav
• Information Security Professional
• M Tech (Comp Science) – IIT Kharagpur
• Certifications - PMP, CISM, CCSK
• Member – ISACA, CCICI, PMI, CISO Platform
• Indian Army Officer
• Soldier and Leader - Op Vijay, Op Parakram
• Information Warrior
• Speaker, Writer, Blogger
Overview
• Are we Doing Enough?
• Why the CIS CSC?
• CIS 20 Controls
• Top 5 – Foundational Cyber Hygiene
• Benefits
• Action points
Are we not doing Enough?
Audits, Firewall, UTM, Air Gap, DMZ, VLAN, Policies, DLP, Compliance, Anti-Malware, IDS / IPS, SIEM
Are we Winning?
Median time to discover Incidents
Source: FireEye M-Trends Asia Pacific 2016
What are CIS Critical Security Controls?
“Technical Controls selected and prioritized by consensus agreement”
“Prioritized, well vetted and supported Security Actions that organizations can take to assess and improve their current security state”
CIS CSC Body of Knowledge
90 page PDF with pictures
Core Principles or Critical Tenets
Automation – Are we reducing human effort and error?
Continuous Diagnostics and Mitigation – Are the controls still in place and functional?
Metrics – Is what we are doing effective?
Prioritization – Are you investing in controls that provide the greatest risk reduction?
Offense informs Defense – Use knowledge of actual attacks
Exercise
What are the top controls for your organisation?
The Top 5 Controls
CSC 5: Controlled Use of Administrator Privileges
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 3: Secure Configurations for Hardware and Software
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 1: Inventory of Authorized and Unauthorized Devices
Prevents/stops 85-90% of attacks…
CIS Critical Security Controls
CSC 10: Data Recovery Capability
CSC 9: Limitation and Control of Network Ports, Protocols, and Services
CSC 8: Malware Defenses
CSC 7: Email and Web Browser Protections
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
CIS Critical Security Controls
CSC 15: Wireless Access Control
CSC 14: Controlled Access based on the Need to Know
CSC 13: Data Protection
CSC 12: Boundary Defense
CSC 11: Secure Configurations for Network Devices
CIS Critical Security Controls
CSC 20: Penetration Tests and Red Team Exercises
CSC 19: Incident Response and Management
CSC 18: Application Software Security
CSC 17: Security Skills Assessment and Training
CSC 16: Account Monitoring and Control
CIS CRITICAL SECURITY CONTROLS
Sub Controls
• 198 Sub Controls
• Each control has 4 – 8 Sub Controls
• Categories
  • Foundational
  • Advanced
CIS CSC 1 – Inventory of Devices
CSC 1
Inventory of Devices
Why? Unpatched Systems, Unchecked Networks, BYOD
“If you can’t see it, you can’t protect it”
Identify all devices. Document the inventory. Keep the inventory current.
CSC 2
Inventory of Authorized and Unauthorized Software
Why? Attackers look for vulnerable software, malware installation, etc.
List of authorized software. Application whitelisting. Software inventory tools. Use of VMs and air-gapped networks.
Vikas Singh Yadav 30
CSC 3
Secure Configuration for Hardware and Software
Why? Default configuration is designed for use, not security. Security “Decay”.
Secure configuration for OS and software. Strict configuration management. File integrity checkers. Configuration management tools.
CSC 4
Continuous Vulnerability Assessment & Remediation
Why? Attackers exploit vulnerable systems.
“Vendors continue to produce security remediations; it does little good if they are not installed by the end user.”
Automated scanning tools. Automated patch management. Monitor event logs.
CSC 5
Controlled Use of Admin Privileges
Why? One of the primary means attackers spread through an enterprise.
Minimize admin privileges. Inventory admin accounts. Change default passwords. Use multi-factor authentication.
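As an added example (not from the presentation) of the “Inventory admin accounts” step of CSC 5, the script below reads constructed /etc/passwd and /etc/group samples and lists every account that is UID 0, or that holds membership in an assumed set of sudo-capable groups, with the reason, so the list can be reviewed against what the organisation actually authorised.

```python
"""Inventory accounts holding administrative privilege on a Linux host (CSC 5).
Added example; /etc/passwd and /etc/group content below is constructed sample data.
"""
from collections import defaultdict

ADMIN_GROUPS = {"sudo", "wheel", "admin"}  # assumption: groups granted sudo on this host

# Constructed sample /etc/passwd content.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid-0 account, should not exist:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc-backup:x:1002:27:Backup service:/var/backups:/usr/sbin/nologin
"""
# Constructed sample /etc/group content (gid 27 is sudo on Debian-style systems).
GROUP = """\
root:x:0:
sudo:x:27:alice
wheel:x:10:
users:x:100:
"""

def parse_passwd(text):
    """Return {user: (uid, primary_gid)}."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, *_ = line.split(":")
        users[name] = (int(uid), int(gid))
    return users

def parse_group(text):
    """Return {group: (gid, {supplementary members})}."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups

def admin_accounts(users, groups):
    """Map each privileged account to the list of reasons it is privileged."""
    reasons = defaultdict(list)
    gid_to_name = {gid: name for name, (gid, _) in groups.items()}
    for user, (uid, gid) in users.items():
        if uid == 0:
            reasons[user].append("uid 0")
        # Primary-group membership is only visible in /etc/passwd, not /etc/group.
        if gid_to_name.get(gid) in ADMIN_GROUPS:
            reasons[user].append(f"primary group {gid_to_name[gid]}")
    for gname, (_, members) in groups.items():
        if gname in ADMIN_GROUPS:
            for member in members:
                reasons[member].append(f"member of {gname}")
    return dict(reasons)

if __name__ == "__main__":
    for user, why in sorted(admin_accounts(parse_passwd(PASSWD), parse_group(GROUP)).items()):
        print(f"{user:12} {', '.join(why)}")
```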
Benefits of CIS Controls
• Risk based
• Simple
• Reality based
• Dynamic
• Affordable
Additional Benefits
Solid platform to build other standards on
Can be used to create a roadmap
A starting point for those who don’t know where to begin
Getting Started
Answer Key Questions
• What am I trying to protect?
• What are my gaps?
• What are my priorities?
• Where can I automate?
• How can my vendor partners help?
Implementation
• Depends on your environment
• Areas in which you are weak
• Gap analysis
• Do the Foundational first
• Then tackle Advanced
Action Steps
• Read the CIS CSC version 6.1
• Do a gap assessment
• Read implementation articles
• Make a roadmap for 1 / 3 / 6 / 12 months of what you want to accomplish in your organisation.
Critical Security Controls Initial Assessment Tool
Starting Off
Take inventory and/or use existing tools or free tools to start.
• CSC 1: Nmap, DHCP, 802.1x, Wireshark
• CSC 2: Windows SRP, GPOs
• CSC 3: CIS Security Benchmarks
• CSC 4: OpenVAS, Nmap
• CSC 5: Runas, sudo
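One way to carry out the CSC 1 reconciliation the slides describe (identify all devices, document the inventory, keep it current) with the free Nmap tooling named above, as an added example that is not part of the presentation: it parses a constructed Nmap grepable (-oG) ping-sweep listing, compares it with a constructed CSV inventory, and reports live devices that are not documented as well as documented devices that did not answer.

```python
"""Reconcile a network scan against the authorized device inventory (CSC 1).
Added example; both inputs below are constructed sample data.
"""
import csv
import io
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of what `nmap -sn -oG - 192.168.10.0/28` prints.
SCAN_OUTPUT = """\
# Nmap 7.94 scan initiated as: nmap -sn -oG - 192.168.10.0/28
Host: 192.168.10.1 (gw.example.test)\tStatus: Up
Host: 192.168.10.2 (file01.example.test)\tStatus: Up
Host: 192.168.10.7 ()\tStatus: Up
Host: 192.168.10.9 (printer.example.test)\tStatus: Up
# Nmap done: 16 IP addresses (4 hosts up) scanned
"""
# Constructed sample inventory: the documented, supposedly current device list.
INVENTORY_CSV = """\
ip,hostname,owner
192.168.10.1,gw.example.test,network-team
192.168.10.2,file01.example.test,it-ops
192.168.10.3,backup01.example.test,it-ops
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+Up")

@dataclass(frozen=True)
class Finding:
    ip: str
    hostname: str
    kind: str  # "unauthorized": seen but not documented; "missing": documented but not seen

def parse_grepable(text: str) -> dict[str, str]:
    """Return {ip: reverse-DNS name} for every host Nmap reported as Up."""
    hosts: dict[str, str] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            hosts[m.group(1)] = m.group(2)
    return hosts

def load_inventory(text: str) -> dict[str, str]:
    """Return {ip: documented hostname} from the inventory CSV."""
    return {row["ip"]: row["hostname"] for row in csv.DictReader(io.StringIO(text))}

def reconcile(scan: dict[str, str], inventory: dict[str, str]) -> list[Finding]:
    """Flag undocumented live hosts first, then documented hosts that did not answer."""
    findings = [Finding(ip, scan[ip] or "<no rDNS>", "unauthorized")
                for ip in sorted(scan.keys() - inventory.keys(), key=ipaddress.ip_address)]
    findings += [Finding(ip, inventory[ip], "missing")
                 for ip in sorted(inventory.keys() - scan.keys(), key=ipaddress.ip_address)]
    return findings

if __name__ == "__main__":
    for f in reconcile(parse_grepable(SCAN_OUTPUT), load_inventory(INVENTORY_CSV)):
        print(f"{f.kind:12} {f.ip:16} {f.hostname}")
```

Feeding it a real `nmap -sn -oG` file and the organisation's own inventory export turns the one-off check into the "keep the inventory current" loop the control asks for.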
Issues and Concerns
• Technology centric
• Overlooks policies and governance
• Is not a replacement for a proper Risk Management Framework.
Which is the most widely used Information Security framework in India?
Are we doing all this?
Simple, Basic, Intuitive
Is it prioritized?
Questions
https://linkedin.com/in/vikassinghydav
@VikasSYadav
vikassinghyadav@gmail.com
09999402059
Vikas Singh Yadav
• Information Security professional with specialization in Telecom and Cloud Computing.
• 15 years plus experience in the field of Information Security, Cyber Audit, Incident Response, Technology Management, Project Management, Training & Development and Personnel Management.
• Leadership role in IT and Cyber Security for the last 6 years.
• B Tech (Telecom and IT), M Tech (Comp Science) – IIT Kharagpur
• Certifications - PMP, CISM, CCSK
• Member – ISACA, CCICI, PMI, CISO Platform
• Keen Photographer, Travel Enthusiast and Golfer.
REFERENCES
• The CIS Critical Controls for Effective Cyber Defence Version 6.0 - http://www.cisecurity.org/critical-controls
• SANS Critical Controls - http://www.sans.org/critical-security-controls
• NIST Cyber Security Framework (CSF) - http://www.nist.gov/cyberframework/
• UK Cyber Essentials Scheme - https://www.cyberstreetwise.com/cyberessentials/
• ISO 27001 - www.iso.org/iso/iso27001
• Open Vulnerability Assessment System (OpenVAS) - http://www.openvas.org
• Total Network Inventory - http://www.softinventive.com
• CIS Security Benchmark resources - https://benchmarks.cisecurity.org/downloads
• NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems - http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-128.pdf


Editor's Notes

  • #3 The state of ignorance in which commanders frequently find themselves as regards the real strength and position, not only of their foes, but also of their friends. Carl von Clausewitz, the great German, or to be more precise Prussian, military strategist, is believed to have coined the term Fog of War. It describes a state in which military commanders find themselves when they are flooded with information which is both ambiguous and incomplete, thereby making decision making difficult but necessary.
  • #4 Similarly, in security today we are confronted with a huge amount of information in terms of policies, procedures, standards and guidelines; the latest technologies – DLP, UTM, SIEM, Anti-Malware; multiple compliances – IT Act, ISO 27001, RBI Guidelines, GDPR. Add to that audits and the need to adhere to budgets and deadlines, and the whole situation can be described by the term Security Fog of More, coined by Tony Sager, technology evangelist of the Center for Internet Security, the non-profit org which presently oversees the development and progress of the CIS Critical Security Controls.
  • #8 Over the next 15 to 20 mins I will talk about how to achieve Effective Cyber Defense using the CIS CSC.
  • #11 Now most of the time security professionals tend to be asking the question: are they doing enough? - Technology - Audit - Compliance
  • #12 The question is: are we winning?
  • #14 Statistics speak otherwise. We can dispute the findings as hype and biased, but there is no denying the fact that breaches and incidents are happening. Examples range from Yahoo internationally to Hitachi ATMs locally, and from Stuxnet by nation states to lottery scams by Nigerians.
  • #16 So the issue is what can an organization do in this regard. In 2010 I was deep into implementing telecom networks and then computer science research during my M Tech at IIT Kharagpur. After getting back to the mainstream I was given the task of driving information security across our organisation with 30 locations all over India. I did not have the time to see all these locations, we could not hire consultants, and I did not know the state of IT implementations in these departments. My best bet would have been to install anti-virus at the endpoints, a firewall at the perimeter and encrypt the data. But I decided to take a while and study the literature of InfoSec, and I read a few articles and browsed a few books, including the 1000-page Shon Harris tome. I needed a framework - ISO 27001 cost money, NIST was too long. Then I stumbled on the Top 20 Security Controls - or the SANS Critical Security Controls as they were called at that point in time.
  • #17 90-page PDF with a number of diagrams
  • #19 Offense informs defense: Use knowledge of actual attacks that have compromised systems to provide the foundation to continually learn from these events to build effective, practical defenses. Include only those controls that can be shown to stop known real-world attacks. Prioritization: Invest first in Controls that will provide the greatest risk reduction and protection against the most dangerous threat actors and that can be feasibly implemented in your computing environment. Metrics: Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quickly. Continuous diagnostics and mitigation: Carry out continuous measurement to test and validate the effectiveness of current security measures and to help drive the priority of next steps. Automation: Automate defenses so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to the Controls and related metrics.
  • #21 Do we know what is connected to our systems and networks? Do we know what software is running (or trying to run) on our systems and networks? Are we continuously managing our systems using “known good” configurations? Are we continuously looking for and managing “known bad” software? Do we limit and track the people who have the administrative privileges? Prevents/stops 85-90% attacks…
  • #35 These seemed to meet my requirement, as they were: • What are we trying to protect? How much should we spend? • Risk is a function of threat (offense), vulnerability (defense), probability, and consequence • What can be controlled?