Page 1

© Copyright 2015 Bay Computing Co., Ltd. Bay Computing Presentation Template

Effective: 2015-07-01

Cyber Security Readiness Checklist for Organizations

6th October 2015 Avirut Liangsiri

Page 2

Agenda

• Traditional vs. Modern Cyber Defense: how do they differ, or how do they complement each other?

• Industry Standard Checklist for Cyber Security

• Why Security Configuration matters when preparing to face modern threats (Security Configuration Management for Modern Threat mitigation)

• Key Security Controls for preventing and detecting threats (SANS Top 20 Security Controls)

Page 3

Traditional vs. Modern Cyber Defense

Page 4

Traditional Cyber Defense

• What does a typical cyber defense entail?

• Traditional != Outdated Devices

– Shiny, sexy, 2.0, NG, cloud, mobile awesomeness can comprise a traditional security architecture

• So what constitutes a traditional approach to cyber defense then?

Page 5

Prevention Sanity Check

• Quick sanity check for your organization

• Take a network map and consider security controls

• If a control is primarily preventive note a P

• If primarily detective note it with a D

• Add up all the P's and compare to the D's

Most organizations are >80% preventive

Page 6

Sanity Check Illustrated

Preventive

• Firewall

• IPS

• NGFW

• Antivirus

• Proxy

• Web Content Filter

• Malware Detonation Devices

• DLP

• NAC

Detective

• IDS

• SIM/SIEM

Page 7

Traditional Cyber Defense

• Characteristics

– Preventive Oriented

– Perimeter Focused

– Addresses Layer 3/4

– Centralized IS/Security

– Device Driven Security

Page 8

Traditional Successes

• Conceptually simple architecture (easy)

• Staffing requirements fairly low (cheap)

• Staff skill required not extremely high (cheap)

• CAPEX relatively low by comparison (cheap)

• OPEX extremely low by comparison (cheap)

• Unlikely to detect breaches (easy)

– Which reduces breach notification likelihood (cheap)

• Management typically likes cheap and easy

• Shortcomings discussed later

Page 9

Modern Cyber Defense Principles

• Characteristics

– Detection-Oriented

– Proactive Detection : Hunt Teams

– Post-Exploitation Focused

– Response-Driven

– Layer 7 Aware

– Decentralized Data/Systems

– Risk Informed

– Network Security Monitoring

– Continuous Security Monitoring

Page 10

Traditional vs. Modern C2

Page 11

Industry Standard Checklist for Cyber Security

Page 12

Recognized Checklist

• ISO/IEC 27001:2013 ISMS

– It is a specification for an information security management system (ISMS). Organizations which meet the standard may gain an official certification issued by an independent and accredited certification body on successful completion of a formal audit process.

• SANS Top 20 Security Control

– The “Top 20” Critical Security Controls (20 CSC—also known as the Consensus Audit Guidelines (CAG) and formerly referred to as the SANS 20 Critical Security Controls) have emerged as the “de facto yardstick by which corporate security programs can be measured.”

• NIST 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations)

Page 13

Top 20 Critical Security Controls

– The “Top 20” Critical Security Controls (20 CSC—also known as the Consensus Audit Guidelines (CAG) and formerly referred to as the SANS 20 Critical Security Controls) have emerged as the “de facto yardstick by which corporate security programs can be measured.” The 20 CSC are now governed by the Council on Cyber Security, an independent, expert, not-for-profit organization with a global scope.

– The development of this set of standards was first undertaken in 2008 by the National Security Agency at the behest of the US Secretary of Defense in an effort to efficiently direct resources towards combating the most common network vulnerabilities which resulted in the greatest number of attack vectors. In 2008, the Office of the Secretary of Defense asked the National Security Agency for help in prioritizing the myriad security controls that were available for cyber security.

Page 14

Security Configuration Management for Modern Threat mitigation

Page 15

Page 16

Figure caption: the 1st priority

Page 17

Figure caption: 2nd most effective

Page 18

Figure caption: 3rd most important

Page 19

Figure caption: four highest-priority

Page 20

Fundamental SecOps: File Integrity Monitoring

• FIM Captures Baseline State as a “Digital Fingerprint”

• The Current running state is compared against the Baseline State

• New changes determined

Page 21

1. Detect all configuration changes

• Monitored systems: Networks, Domain Directories, Servers, Databases

• Sources of change: Automated Changes, Manual Changes, Scripted Changes

2. Analyze change activity

• User-defined Policies

– Type of System? Type of Change?

– Within Maintenance Window?

– Made by Authorized Users?

– Matches Release System?

– Passes Compliance Tests?

3. Take Action

• Investigate Changes

• Security & Ops Reports

• Remediate Changes

• Automatic filtering of change

– By change or system type

– By policy criteria

– Conditional actions

Visibility – Accountability – Control

Continuously Detect Unauthorized Changes
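The FIM baseline/compare cycle on the previous slide and the detect, analyze, act workflow above, as an added example that is not part of the original deck. It uses SHA-256 digests as the “digital fingerprint”; the policy values (authorized users, maintenance window), file contents, actors and timestamps are constructed assumptions, and the change log stands in for whatever audit source would attribute a change to a user.

```python
"""Added example, not from the slide deck: a minimal file-integrity monitor
that follows the three steps on the slides above (detect changes against a
baseline, analyze them against user-defined policies, take action).
File contents, actors, timestamps and policy values are constructed sample data."""
import hashlib
from datetime import datetime, time
from typing import Dict, List, Optional, Tuple


def fingerprint(content: bytes) -> str:
    """The file's 'digital fingerprint': its SHA-256 hex digest."""
    return hashlib.sha256(content).hexdigest()


def capture_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Baseline (known & trusted) state: path -> fingerprint."""
    return {path: fingerprint(data) for path, data in files.items()}


def detect_changes(baseline: Dict[str, str], current: Dict[str, str]) -> List[dict]:
    """Step 1: compare the current running state with the baseline state."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            changes.append({"path": path, "kind": "deleted"})
        elif path not in baseline:
            changes.append({"path": path, "kind": "added"})
        elif baseline[path] != current[path]:
            changes.append({"path": path, "kind": "modified"})
    return changes


# Hypothetical user-defined policy (constructed values).
POLICY = {
    "authorized_users": {"svc-deploy", "ops-admin"},
    "maintenance_window": (time(22, 0), time(2, 0)),  # 22:00-02:00, wraps past midnight
}


def in_maintenance_window(when: Optional[datetime], window: Tuple[time, time]) -> bool:
    """An unattributed change (no timestamp) never counts as inside the window."""
    if when is None:
        return False
    start, end = window
    t = when.time()
    return start <= t <= end if start <= end else (t >= start or t <= end)


def analyze_change(change: dict, actor: str, when: Optional[datetime],
                   policy: dict = POLICY) -> dict:
    """Step 2: evaluate the change against policy criteria; step 3: choose an action."""
    checks = {
        "within_maintenance_window": in_maintenance_window(when, policy["maintenance_window"]),
        "made_by_authorized_user": actor in policy["authorized_users"],
    }
    authorized = all(checks.values())
    # Conditional actions: authorized changes go to the ops report, unauthorized
    # deletions are queued for remediation from the baseline, the rest get investigated.
    if authorized:
        action = "report"
    elif change["kind"] == "deleted":
        action = "remediate"
    else:
        action = "investigate"
    return {**change, "actor": actor, "checks": checks,
            "authorized": authorized, "action": action}


def run_monitor(baseline: Dict[str, str], current_files: Dict[str, bytes],
                change_log: Dict[str, Tuple[str, datetime]]) -> List[dict]:
    """One monitoring cycle. change_log maps path -> (actor, timestamp) as an
    audit/change-tracking system would supply it; paths without an entry are unattributed."""
    current = {p: fingerprint(d) for p, d in current_files.items()}
    results = []
    for change in detect_changes(baseline, current):
        actor, when = change_log.get(change["path"], ("unattributed", None))
        results.append(analyze_change(change, actor, when))
    return results


# Constructed sample data: the baseline snapshot and a later running state.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/opt/app/bin/app": b"app-v1",
    "/opt/app/legacy.conf": b"legacy=1\n",
}
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",  # edited mid-day by an unknown actor
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",  # unchanged
    "/opt/app/bin/app": b"app-v2",  # release rolled out inside the window
    "/opt/app/plugin.so": b"constructed-binary",  # new file with no audit entry
}
CHANGE_LOG = {
    "/etc/ssh/sshd_config": ("unknown", datetime(2015, 10, 6, 14, 30)),
    "/opt/app/bin/app": ("svc-deploy", datetime(2015, 10, 6, 23, 15)),
    "/opt/app/legacy.conf": ("www-data", datetime(2015, 10, 6, 3, 10)),  # deleted off-window
}


def demo() -> List[dict]:
    return run_monitor(capture_baseline(BASELINE_FILES), CURRENT_FILES, CHANGE_LOG)


if __name__ == "__main__":
    for r in demo():
        print(f"{r['action']:<11} {r['kind']:<8} {r['path']} by {r['actor']} {r['checks']}")
```

The sample run yields four findings: the sshd_config edit and the unattributed new file go to investigation, the release binary passes both policy checks and only lands in the ops report, and the off-window deletion by an unauthorized account is queued for remediation. A real deployment would also persist the baseline somewhere the monitored host cannot rewrite it, since a baseline an attacker can update is no baseline at all.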

Page 22

Sample of Security and Compliance Policies

AIX

Cisco IOS

Cisco PIX

HP-UX

IBM DB2

Linux (Red Hat)

Linux (SUSE)

Microsoft Exchange

Microsoft IIS

MS SQL Server 2000

MS SQL Server 2005

MS SQL Server 2008

Oracle 9i

Oracle 10g

Oracle 11g

Solaris 8,9 & 10

VMware ESX

Windows Server 2000

Windows Server 2003

Windows Server 2008

Windows Server DC

Windows Server DM

Windows XP and Vista

Page 23

A Comprehensive Approach to Addressing Security

Security Configuration Assessment

• Assess existing Controls Gap against Baselines/Standards

Page 24

A Comprehensive Approach to Addressing Security

Devise Remediation Plan

• Achieve the Baselines/Standards State

Page 25

A Comprehensive Approach to Addressing Security

Maintain “Known & Trusted State”

• Real-time Alert on Deviation

– Before & After View
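The three slides above describe one procedure: assess the configuration gap against a baseline standard, remediate to reach the baseline state, then keep that known and trusted state with a real-time before/after view of any deviation. The following added example, which is not part of the original deck, walks through all three steps for an sshd_config-style file. The baseline directives and their required values are constructed for this example in the spirit of a generic SSH hardening checklist; they are assumptions, not a quoted CIS or STIG benchmark, and the sample config text is constructed.

```python
"""Added example, not from the slide deck: a tiny security-configuration
assessment covering assess-gap, remediate and maintain-with-before/after-view.
BASELINE is a hypothetical hardening checklist, not a real benchmark's content."""
from typing import Dict, List, Tuple

# Hypothetical baseline: directive -> required value (constructed for this example).
BASELINE: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "Protocol": "2",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",
}


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Key value' lines, ignoring comments and blanks. The first occurrence
    of a key wins, matching how sshd applies the first matching directive."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings.setdefault(parts[0], parts[1].strip() if len(parts) > 1 else "")
    return settings


def assess_gap(settings: Dict[str, str], baseline: Dict[str, str] = BASELINE) -> List[Tuple[str, str, str]]:
    """Step 1: (directive, current, required) for each baseline item not met.
    A missing directive is reported as '<unset>' so a default is never silently trusted."""
    return [(k, settings.get(k, "<unset>"), v) for k, v in baseline.items() if settings.get(k) != v]


def remediate(text: str, baseline: Dict[str, str] = BASELINE) -> str:
    """Step 2: rewrite the config so every baseline directive carries the required
    value: managed lines are replaced in place, absent ones appended, duplicates dropped."""
    out: List[str] = []
    seen = set()
    for line in text.splitlines():
        stripped = line.strip()
        key = stripped.split(None, 1)[0] if stripped else ""
        if not stripped.startswith("#") and key in baseline:
            if key not in seen:
                out.append(f"{key} {baseline[key]}")
                seen.add(key)
            continue  # drop a second occurrence of a managed directive
        out.append(line)
    for key, value in baseline.items():
        if key not in seen:
            out.append(f"{key} {value}")
    return "\n".join(out) + "\n"


def deviation_alert(trusted: str, observed: str) -> List[dict]:
    """Step 3: maintain the known & trusted state; on any deviation produce a
    per-directive before/after view so the responder sees exactly what moved."""
    before, after = parse_config(trusted), parse_config(observed)
    return [{"directive": k, "before": before.get(k, "<unset>"), "after": after.get(k, "<unset>")}
            for k in sorted(set(before) | set(after)) if before.get(k) != after.get(k)]


# Constructed sample: the config as found on a server before hardening.
FOUND_CONFIG = """# sshd_config (constructed sample)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 4
"""

if __name__ == "__main__":
    print("gap:", assess_gap(parse_config(FOUND_CONFIG)))
    hardened = remediate(FOUND_CONFIG)
    print("gap after remediation:", assess_gap(parse_config(hardened)))
    drifted = hardened.replace("PermitRootLogin no", "PermitRootLogin yes")
    print("deviation:", deviation_alert(hardened, drifted))
```

The gap report on the constructed config lists three items (root login, password authentication and the unset log level); after remediation the gap is empty, and re-enabling root login afterwards produces a single before/after alert for that directive. Treating an absent directive as a gap rather than assuming the daemon default is the check most assessment scripts get wrong.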

Page 26

Strong Security is More Important Than Ever

• Compromise takes minutes. Discovery takes weeks & months

2010 Data Breach Investigations Report, Verizon Business

Page 27

Well Known Configuration Standard

• CIS – Center for Internet Security (https://benchmarks.cisecurity.org/) – scope: configuration

• NIST 800-70 – National Checklist Program for IT Products: Guidelines for Checklist Users and Developers (http://checklists.nist.gov/) – scope: vulnerabilities, configuration

• DISA STIG – US DoD DISA Security Technical Implementation Guide – nine different levels, combining Mission Assurance Category (I–III) with Confidentiality Level (Public, Sensitive, Classified) (http://iase.disa.mil/stigs/Pages/index.aspx)

• FDCC/USGCB – US Federal Desktop Core Configuration – focuses mainly on desktop operating systems (Windows XP, Vista, 7, 8, 10); started in 2007 by OMB (http://usgcb.nist.gov/)

Page 28

CIS Standard

• The CIS Security Benchmarks program provides well-defined, unbiased and consensus-based industry best practices to help organizations assess and improve their security. Resources include secure configuration benchmarks, automated configuration assessment tools and content, security metrics and security software product certifications.

• The Security Benchmarks program is recognized as a trusted, independent authority that facilitates the collaboration of public and private industry experts to achieve consensus on practical and actionable solutions. Because of this reputation, our resources are recommended as industry-accepted system hardening standards and are used by organizations in meeting compliance requirements for FISMA, PCI, HIPAA and other security requirements.

Page 29

CIS Checklist Example (Windows XP)

Page 30

CIS Listed Systems

• Amazon Linux Benchmarks

• Apache HTTP & Tomcat Benchmarks

• Apache HTTP Server Assessment Tool

• Apple iOS Benchmarks

• Apple OSX Benchmarks

• Apple Safari Benchmarks

• Benchmark Mappings: Medical Device Security Standards

• CentOS Linux Benchmarks

• CheckPoint Firewall Benchmarks

• Cisco Device Benchmarks

• Consensus Security Metrics

• Debian Linux Benchmarks

• Docker Benchmarks

• FreeBSD Benchmarks

• FreeRadius Benchmarks

• Google Android Benchmarks

• HP-UX Benchmarks

• IBM AIX Benchmarks

• IBM DB2 Benchmarks

• ISC BIND Benchmarks

• Juniper Device Benchmarks

• Kerberos Benchmarks

• LDAP Benchmarks

• Microsoft Exchange Server Benchmarks

• Microsoft IIS Benchmarks

• Microsoft Internet Explorer Benchmarks

• Microsoft MS SQL Server Benchmarks

• Microsoft Office Benchmarks

• Microsoft SharePoint Server Benchmarks

• Microsoft Windows 7 Benchmarks

• Microsoft Windows 8 Benchmarks

• Microsoft Windows NT Benchmarks

• Microsoft Windows Server 2000

• Microsoft Windows Server 2003

• Microsoft Windows Server 2008

• Microsoft Windows Server 2012

• Microsoft Windows XP Benchmarks

• Mozilla Firefox Benchmarks

• Multi Function Print Devices Benchmark

• MySQL Database Server Benchmarks

• Novell Netware Benchmarks

• Opera Benchmarks

• Oracle Database Server Assessment Tool

• Oracle Database Server Benchmarks

• Oracle Linux Benchmarks

• Oracle Solaris Benchmarks

• Red Hat Linux Benchmarks

• Router Assessment Tool

• Slackware Linux Benchmarks

• SuSE Linux Benchmarks

• Sybase ASE Benchmarks

• Ubuntu Linux Benchmarks

• Unix Assessment Tools

• Virtualization Benchmarks

• VMware Benchmarks

• Wireless Network Devices Benchmarks Archive

• Xen Benchmarks

Page 31

NIST Checklist Download Page (checklists.nist.gov)

• The Security Content Automation Protocol (SCAP) is a synthesis of interoperable specifications derived from community ideas. (http://scap.nist.gov/)

Page 32

NIST Category

• Supported Category

– Antivirus Software

– Application Server

– Authentication

– Configuration Management Software

– Database Management System

– Desktop Application

– Desktop Client

– Directory Service

– DNS Server

– Email Server

– Encryption Software

– Enterprise Application

– Firewall

– Handheld Device

– Identity Management

– Intrusion Detection System

– KVM

– Malware

– Mobile Solution

– Multi-Functional Peripheral

– Network Router

– Network Switch

– Office Suite

– Operating System

– Peripheral Device

– Security Server

– Server

– Virtualization Software

– Web Browser

– Web Server

– Wireless Email

– Wireless Network

Page 33

DISA STIG

• The Security Technical Implementation Guides (STIGs) and the NSA Guides are the configuration standards for DOD IA and IA-enabled devices/systems. Since 1998, DISA has played a critical role enhancing the security posture of DoD's security systems by providing the Security Technical Implementation Guides (STIGs). The STIGs contain technical guidance to "lock down" information systems/software that might otherwise be vulnerable to a malicious computer attack.

• Complete list (541): http://iase.disa.mil/stigs/Pages/a-z.aspx

Page 34

FDCC/USGCB

• The Federal Desktop Core Configuration was a list of security settings recommended by the National Institute of Standards and Technology for general-purpose microcomputers that are connected directly to the network of a United States government agency.

• FDCC applied only to Windows XP and Vista desktop and laptop computers.

• FDCC was replaced by the United States Government Configuration Baseline (USGCB), which also includes settings for Windows 7 and Red Hat Enterprise Linux 5.

Page 35

USGCB Content Page

Page 36

SANS Top 20 Security Control in detail

Page 37

SANS Critical Security Controls v5

1. Inventory of Authorized and Unauthorized Devices

2. Inventory of Authorized and Unauthorized Software

3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

4. Continuous Vulnerability Assessment and Remediation

5. Malware Defenses

6. Application Software Security

7. Wireless Access Control

8. Data Recovery Capability

9. Security Skills Assessment and Appropriate Training to Fill Gaps

10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

11. Limitation and Control of Network Ports, Protocols, and Services

12. Controlled Use of Administrative Privileges

13. Boundary Defense

14. Maintenance, Monitoring, and Analysis of Audit Logs

15. Controlled Access Based on the Need to Know

16. Account Monitoring and Control

17. Data Protection

18. Incident Response and Management

19. Secure Network Engineering

20. Penetration Tests and Red Team Exercises

Page 38

NSA Ranking on 20 CSC

Page 39

Critical Security Controls by trending

Page 40

Critical Security Controls V6 comparison

Page 41

Critical Security Controls V6 comparison

Page 42

Question & Answer

Page 43

Thank you!