Critical Security Controls: Planning, Implementing, and Auditing with


Critical Security Controls: Planning, Implementing, and Auditing
with DEMO!
Tennessee Higher Education Information Technology Symposium – April 2015
Jim Purcell – Senior IT Auditor, UT System
Problem Statement
• Data breaches & disclosures are becoming more common
• PrivacyRights.org (updated weekly)
– JP Morgan Chase
– Dairy Queen
– US Investigation Services
– The UPS Store
– Community Health Systems
– Albertsons Grocery Stores
– SuperValu Stores
– University of California Santa Barbara
– Vibram USA
• Or – “Mommy, why does everybody have a bomb?” (Prince – 1999)
Understanding the Critical Security Controls
Prioritizing Defenses with the Critical Security Controls
Information Assurance Frameworks
• A number of industry groups are also trying to address these issues
• Numerous frameworks have been established, such as:
– NIST 800-53
– NIST Core Framework
– ISO 27000 Series
– COBIT
– IT Assurance Framework (ITAF)
– IT Baseline Protection Manual
– Consensus Audit Guidelines / Critical Security Controls
– Many, many others
One Option: Critical Security Controls
• Began as a collaboration between the US Air Force, National
Security Agency, & the SANS Institute in 2008
• Originally developed as a prioritization tool for organizations that must
implement NIST 800-53
• Priorities for which controls will make the most impact to stop
dedicated attackers
• Written in response to compromised US government agencies &
contractors
• Collaborative effort by over 100 different government, military, &
civilian experts
Council on CyberSecurity
• Official home of the Critical Security Controls
• CEO is Jane Lute, former Deputy Secretary of DHS
• Not for Profit group responsible for managing the Critical Security
Controls (CSCs)
• Director of the CSCs is Tony Sager
• Mission: “The Council on CyberSecurity is an independent, global
organization committed to an open and secure Internet.”
Project Guiding Principles
1. Defenses should focus on addressing the attack activities
occurring today,
2. Enterprises must ensure consistent controls across the enterprise to
effectively negate attacks
3. Defenses should be automated where possible
4. Specific technical activities should be undertaken to produce a
more consistent defense
5. Root cause problems must be fixed in order to ensure the
prevention or timely detection of attacks
6. Metrics should be established that facilitate common ground for
measuring the effectiveness of security measures
Mandiant’s Attack Lifecycle Model
http://intelreport.mandiant.com/
The Critical Security Controls
1. Inventory of authorized and unauthorized devices
2. Inventory of authorized and unauthorized software
3. Secure configurations for hardware and software on laptops, workstations, and servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Device Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training To Fill Gaps
10. Secure configurations for network devices such as firewalls, routers, and switches
The Critical Security Controls
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring and Analysis of Audit Logs
15. Controlled Access Based On Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response & Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
Categories of Sub-Controls
• Quick Wins (QW)
• Improved Visibility and Attribution (Vis/Attrib)
• Hardened Configuration and Improved Information Security Hygiene
(Config/Hygiene)
• Advanced (Adv)
What the Critical Controls are NOT
• The primary goal of the Critical Security Controls is defense
– Mostly Technical and Operational Controls
– NOT a Comprehensive Security Framework (like NIST 800-53)
• Do NOT address Management Controls
– Policy
– Risk Assessment
– Personnel Issues (e.g. Background Checks)
– Budget/Contracts
– Etc…
• Do NOT address Physical Controls
– Natural Disasters
– Alternate Datacenter
– Etc…
An “On Ramp” to Compliance
• The primary goal of the Critical Security Controls is defense
• However, by prioritizing these controls, an organization is also making
steps towards achieving compliance with other standards & regulations
• Mappings currently exist between the CSCs and:
– NIST 800-53 rev4
– ISO 27002 Control Catalog
– The Australian DSD’s Top 35
– HIPAA / HITECH Act
– The NSA’s Manageable Network Plan
Critical Security Control #1:
Inventory of Authorized & Unauthorized Devices
Prioritizing Defenses with the Critical Security Controls
Critical Security Control #1
• Inventory of Authorized and Unauthorized Devices
• Attack this control is meant to stop:
– Exploitation of unknown (uninventoried) devices on which the organization’s controls were never deployed
• Business goal of this control:
– Only authorized systems should be on the organization’s network.
Sample Attack Tool: Armitage
Fast and Easy Hacking!!!
http://www.fastandeasyhacking.com/media
Breach Case Study: Bit9
• Application whitelisting vendor Bit9 was breached (February 2013)
• The breach was possible because Bit9 had not deployed its own controls on
machines that were not in its inventory
• Attackers breached the network by compromising machines on which the
whitelisting product had not been installed
• As a result, a Bit9 code signing certificate was abused and malicious
code was signed with it, so it would pass whitelisting at Bit9 customers
Defenses: Quick Win
1. Deploy an automated asset inventory discovery tool and use it to build a
preliminary asset inventory of systems connected to an organization’s public
and private network(s). Both active tools that scan through network address
ranges and passive tools that identify hosts based on analyzing their traffic
should be employed.
2. Deploy dynamic host configuration protocol (DHCP) server logging, and utilize
a system to improve the asset inventory and help detect unknown systems
through this DHCP information.
3. Ensure that all equipment acquisitions automatically update the inventory
system as new, approved devices are connected to the network.
Defenses: Visibility & Attribution
4. Maintain an asset inventory of all systems connected to the network and
the network devices themselves, recording at least the network addresses,
machine name(s), purpose of each system, an asset owner responsible for
each device, and the department associated with each device.
– The inventory should include every system that has an Internet
protocol (IP) address on the network.
– The asset inventory created must also include data on whether the
device is a portable and/or personal device.
– Devices such as mobile phones, tablets, laptops, and other portable
electronic devices that store or process data must be identified,
regardless of whether they are attached to the organization’s
network.
Defenses: Config & Hygiene
5. Deploy network level authentication via 802.1X to limit and control which
devices can be connected to the network. The 802.1X deployment must be tied
into the inventory data to determine authorized versus unauthorized systems.
6. Deploy network access control (NAC) to monitor authorized systems so if
attacks occur, the impact can be remediated by moving the untrusted system
to a virtual local area network that has minimal access.
Defenses: Advanced
7. Utilize client certificates to validate and authenticate systems prior to
connecting to the private network.
Minimum Control Sensors
• In order to effectively implement & automate this control, organization
must have the following sensors:
1. An Asset Inventory Database
2. An Active Device Scanner
3. A Passive Device Scanner
4. A Network Access Control (NAC) System
5. A Public Key Infrastructure (PKI)
6. DHCP Server
7. Logging / Alerting / Analytics System
Baselines & Operational Processes
• In order to effectively implement, automate, or audit this control,
organizations must have the following baselines:
1. An Approved Device Asset Inventory
2. An Approved Information Asset Inventory
• This control necessitates the implementation of the following governance
processes as pre-requisites for implementing the control:
1. A Procurement / Asset Acquisition Process
2. A Change Management Process
Entity Relationship Diagram (ERD)
[Diagram: the components shown are the DHCP Server, Network Access Control
(NAC), Public Key Infrastructure (PKI), Active Device Discovery, Passive Device
Discovery, the Computing Systems being observed, the Asset Inventory Database,
and the Alerting / Reporting Analytics System.]
Sample Tool: ForeScout CounterACT
Tools for Automation
The following tools have been identified as being able to
automate the implementation of this control:
– Spiceworks
– ManageEngine
– OSSIM
– BSA Visibility (Insightix)
– IPSonar (Lumeta)
– CCM, IP360 (nCircle)
– SecureFusion (Symantec)
– CounterACT (ForeScout Technologies)
– Nessus & SecurityCenter (Tenable)
– LANSurveyor (SolarWinds)
– WhatsUp Gold (Ipswitch)
Tools that can be Scripted
While the following tools are not automated by nature, they can
be scripted to automate this control:
– Nmap / Ndiff
Sample Automation Script: Nmap
# Host discovery only (-sn). The slide's command also passed -sL, but a list scan
# sends no probes, so the two XML files could never differ in which hosts are up;
# -sL is dropped. Capture the baseline once, run the current sweep on a schedule.
nmap -sn -oX network_baseline.xml 10.1.1.0/24
nmap -sn -oX network_current.xml 10.1.1.0/24
# ndiff exits 0 when the runs are identical, 1 when they differ, 2 on error.
ndiff network_baseline.xml network_current.xml > nmap_differences.txt
if [ $? -eq 1 ]; then
  # sendEmail requires a recipient (-t); ALERT_TO is a placeholder to fill in.
  sendEmail -f [email protected] -t "$ALERT_TO" \
    -u "nmap Inventory Alert" -m "Please see attached alert." \
    -s mail.sans.org:25 -a nmap_differences.txt
fi
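The nmap/ndiff script above reports only what changed between two sweeps, and the DHCP logging quick win (sub-control 2) only records leases; neither says whether a device is authorized, which is the business goal of the control. The following script is an added example, not code from the presentation or from any of the tools listed, that joins both evidence sources to the approved device inventory and reports devices that are on the network but not in it. The inventory CSV and its column names, the nmap XML and the dhcpd syslog lines are constructed samples; the DHCPACK line format follows what ISC dhcpd logs, and the inventory column layout is an assumption modelled on sub-control 4. It also handles the case where nmap returns no MAC (scanning across a router), falling back to an IP match and flagging it as weak.

```python
import csv
import io
import re
import xml.etree.ElementTree as ET

# Constructed approved-device inventory. Column names are an assumption
# (address, name, purpose, owner, department); the MAC is the join key.
INVENTORY_CSV = """mac,ip,hostname,purpose,owner,department
00:11:22:33:44:01,10.1.1.10,fs01,file server,jdoe,IT
00:11:22:33:44:02,10.1.1.20,print01,printer,asmith,Registrar
00:11:22:33:44:03,10.1.1.30,lab-pc-07,lab workstation,bjones,Chemistry
"""

# Constructed `nmap -sn -oX` output. nmap reports a MAC only when it scans
# the local L2 segment as root, so the third host carries no MAC element.
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -oX network_current.xml 10.1.1.0/24">
  <host><status state="up"/>
    <address addr="10.1.1.10" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:01" addrtype="mac"/>
  </host>
  <host><status state="up"/>
    <address addr="10.1.1.57" addrtype="ipv4"/>
    <address addr="DE:AD:BE:EF:00:01" addrtype="mac"/>
  </host>
  <host><status state="up"/>
    <address addr="10.1.1.30" addrtype="ipv4"/>
  </host>
  <host><status state="down"/>
    <address addr="10.1.1.99" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Constructed ISC dhcpd syslog lines. DHCPACK is the message dhcpd logs when
# it commits a lease; DISCOVER/OFFER/REQUEST lines carry no confirmed address.
DHCP_LOG = """\
Apr 21 09:12:03 dhcp1 dhcpd: DHCPACK on 10.1.1.20 to 00:11:22:33:44:02 (print01) via eth0
Apr 21 09:14:41 dhcp1 dhcpd: DHCPACK on 10.1.1.58 to de:ad:be:ef:00:02 (android-9f3) via eth0
Apr 21 09:15:00 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:ff via eth0
"""

DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-fA-F:]{17})"
)


def load_inventory(csv_text):
    """Return {mac: inventory row} with MACs normalised to lower case."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["mac"].lower(): row for row in reader}


def hosts_from_nmap_xml(xml_text):
    """Yield (ip, mac or None, 'nmap') for every host nmap reported as up."""
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = mac = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr").lower()
        if ip:
            yield ip, mac, "nmap"


def hosts_from_dhcp_log(log_text):
    """Yield (ip, mac, 'dhcp') for each DHCPACK line; other lines are ignored."""
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower(), "dhcp"


def find_unauthorized(inventory, observations):
    """Split observations into unauthorized devices and weak (IP-only) matches.

    Authorized means the MAC is in the inventory. With no MAC available, fall
    back to the IP but report it separately: IPs are reused and easily spoofed.
    """
    inventory_by_ip = {row["ip"]: mac for mac, row in inventory.items()}
    unauthorized, weak_matches = {}, {}
    for ip, mac, source in observations:
        if mac in inventory:
            continue
        if mac is None and ip in inventory_by_ip:
            weak_matches[ip] = inventory_by_ip[ip]
            continue
        unauthorized.setdefault((ip, mac), set()).add(source)
    return unauthorized, weak_matches


def report():
    """Run both collectors against the inventory and print the findings."""
    inventory = load_inventory(INVENTORY_CSV)
    observed = list(hosts_from_nmap_xml(NMAP_XML)) + list(hosts_from_dhcp_log(DHCP_LOG))
    unauthorized, weak = find_unauthorized(inventory, observed)
    for (ip, mac), sources in sorted(unauthorized.items(), key=lambda kv: kv[0][0]):
        print(f"UNAUTHORIZED {ip} {mac} seen by {','.join(sorted(sources))}")
    for ip, mac in sorted(weak.items()):
        print(f"WEAK MATCH   {ip} matched by IP only (inventory MAC {mac})")
    return unauthorized, weak


if __name__ == "__main__":
    report()
```

On the constructed data the script flags 10.1.1.57 (seen by nmap) and 10.1.1.58 (seen only in the DHCP log) as unauthorized, and reports 10.1.1.30 as a weak match because nmap returned no MAC for it. Feeding the unauthorized list to the alerting system, and the detection timestamps to the metrics below, is what turns the two quick wins into the automated control the ERD describes.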
Evaluating Critical Control #1
• Business goal of this control:
– Only authorized systems should be on the university network.
• Systems to be tested:
– Active device scanner
– Passive device scanner
– Network inventory & alerting systems
– 802.1X based authentication system/Network Access Control
– Security Information and Event Management (SIEM) system
• Test to perform:
– Add hardened systems to the network to see if they are identified &
isolated from the network
Core Evaluation Test
• Place ten unauthorized devices on various portions of the
organization’s network unannounced to see how long it takes
for them to be detected
– They should be placed on multiple subnets
– Two should be in the asset inventory database
– Devices should be detected within 24 hours
– Devices should be isolated within 1 hour of detection
– Details regarding location and department should be recorded
Effectiveness Metrics
1a. How long does it take to detect new devices added to the organization’s
network? (Response: time in minutes)
1b. How long does it take the scanners to alert the organization’s
administrators that an unauthorized device is on the network? (Response: time in minutes)
1c. How long does it take to isolate/remove unauthorized devices from the
organization’s network? (Response: time in minutes)
1d. Are the scanners able to identify the location, department, and other
critical details about the unauthorized system that is detected? (Response: yes/no)
Automation Metrics
1. How many unauthorized devices are presently on the organization’s
network (by business unit)?
2. How long, on average, does it take to remove unauthorized devices from
the organization’s network (by business unit)?
3. What is the percentage of systems on the organization’s network that are
not utilizing Network Access Control (NAC) to authenticate to the
organization’s network (by business unit)?
4. What is the percentage of systems on the organization’s network that are
not utilizing Network Access Control (NAC) with client certificates to
authenticate to the organization’s network (by business unit)?
Standards Mapping
• NIST 800-53 rev. 4
– CA-7: Continuous Monitoring
– CM-8: Information System Component Inventory
– IA-3: Device Identification and Authentication
– SA-4: Acquisition Process
– SC-17: Public Key Infrastructure Certificates
– SI-4: Information System Monitoring
– PM-5: Information System Inventory
• NIST Core Framework (2014)
– ID.AM-1: Asset Management
– ID.AM-3: Asset Management
– PR.DS-3: Data Security
• ISO 27002:2013 Annex A
– A.8.1.1: Inventory of assets
– A.9.1.2: Access to networks and network services
– A.13.1.1: Network controls
Demo – Spiceworks – ManageEngine – Tripwire
1. Scan for systems.
2. Alerts
3. Reports
Gap Analysis Tools
http://www.auditscripts.com/free-resources/critical-security-controls/
Other Resources
http://www.counciloncybersecurity.org/critical-controls/
http://www.sans.org/critical-security-controls
https://www.sans.org/media/critical-security-controls/fall-2014-poster.pdf
[email protected]