Critical Security Controls 2

Download Report

Transcript Critical Security Controls 2

Chapter 12: Large
Enterprise Cyber Security
– Data Centers and Clouds
Lecture Materials for the John Wiley & Sons book:
Cyber Security: Managing Networks, Conducting
Tests, and Investigating Intrusions
April 9, 2015 DRAFT
1
Critical Security Controls
• Controls are security requirements and there are over 200 with
thousands of sub-controls in NIST SP 800-53
• But which controls are the most important?
• Luckily security experts formed a consensus on the top 20 most
critical controls, from organizations including:
–
–
–
–
–
–
–
–
SANS Institute
National Security Agency
US Cyber Command
McAfee
US Department of Defense
Lockheed Martin
commercial pen testing firms
and many others
• The Critical Controls are based upon the actual threats
experienced by large enterprises.
• US State Department and Idaho National Laboratories (SCADA
R&D) validated that these controls address the real threats
Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
4/9/2015 DRAFT
2
Critical Security Controls 2
• 1: Inventory of Authorized and Unauthorized Devices
• 2: Inventory of Authorized and Unauthorized Software
• 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops,
Workstations, and Servers
• 4: Continuous Vulnerability Assessment and Remediation
• 5: Malware Defenses
• 6: Application Software Security
• 7: Wireless Device Control
• 8: Data Recovery Capability
• 9: Security Skills Assessment and Appropriate Training to Fill Gaps
• 10: Secure Configurations for Network Devices such as Firewalls, Routers, and
Switches
• 11: Limitation and Control of Network Ports, Protocols, and Services
• 12: Controlled Use of Administrative Privileges
• 13: Boundary Defense
• 14: Maintenance, Monitoring, and Analysis of Audit Logs
• 15: Controlled Access Based on the Need to Know
• 16: Account Monitoring and Control
• 17: Data Loss Prevention
• 18: Incident Response and Management
• 19: Secure Network Engineering
• 20: Penetration Tests and Red Team Exercises
Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
4/9/2015 DRAFT
3
Solving Key Threat/Vuln Antipatterns
using the Critical Controls
• The Critical Controls document identifies
top threats and vulnerabilities behind realworld cyber attacks
• We have used these threats and
vulnerabilities to compile an antipatterns
catalog
– The catalog shows how the Top 20 Controls
proactively address the most prevalent threats
and vulnerabilities
Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
4/9/2015 DRAFT
4
Threat/Vuln Antipatterns
1. Scanning Enterprise IP Address Range
2. Drive-By-Malware
3. Unpatched Applications in Large Enterprises
4. Internal Pivot from Compromised Machines
5. Weak System Configurations
6. Unpatched Systems
7. Lack of Security Improvement
8. Vulnerable Web Applications and Databases
9. Wireless Vulnerability
10.Social Engineering
11.Temporary Open Ports
12.Weak Network Architectures
13.Lack of Logging and Log Reviews
14.Lack of Risk Assessment and Data Protection
15.Data Loss via Undetected Exfiltration
16.Poor Incident Response – APT
17.Cloud Security
18.New Governance and QA for Cloud Computing
Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
4/9/2015 DRAFT
5
Scanning Enterprise IP
Address Range
• Most large enterprises have IP address blocks that are
public information, e.g. via Internet registries
• Malicious actors scan these ranges to find vulnerable
machines
– When machines first appear on the net, they are often
unpatched, e.g.
• A brand new system using dated image from CD
• A system that has been turned off and unpatched for a while
• A system that is not being managed or patched
• Partial Solution: Control 1 Inventory of Authorized and
Unauthorized devices
– Control and change management of devices on the network
can address the threat/vulns in this antipattern
Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
4/9/2015 DRAFT
6
Drive-By-Malware
• Malicious websites can infect a machine
that simply visits that website via browser
• Partial Solution: Controls 2 and 3
– Secure configurations assures that nonzero-day threats could be stopped
– Eliminating unauthorized software could
reduce the attack surface
Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
4/9/2015 DRAFT
7
Unpatched Applications in
Large Enterprises
• A typical large enterprise end-user could have
100’s of different vendor and open source
applications
– Keeping these applications patched is a nearly
impossible task
• Controls 2, 4
– Eliminating unauthorized software enables the
enterprise to focus on patching a limited set
– Continuous vuln assessment and remediation
enables the enterprise to discover and patch
applications automatically and rapidly
Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
4/9/2015 DRAFT
8
Internal Pivot from
Compromised Machine
• Once an enterprise is penetrated,
attackers expand their footprint through
pivots to find new exploitable targets
• Controls 2, 10
– Unauthorized software should include most
security and network tools such as netcat,
which are essential for implementing pivots
– Hardening network devices minimizes the
ability for attackers to penetrate
Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
4/9/2015 DRAFT
9
Weak System Configurations
• Operating systems and commercial
applications strive for broad flexibility and
ease of use, thus enable many
unnecessary features and services
– Unnecessary features and services expand
the attack surface
• Controls 3, 10
– Secure configurations includes eliminating
unnecessary open ports and services
– Network device security can stop access to
these vulnerabilities by closing ports at the
perimeter
Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
4/9/2015 DRAFT
10
Unpatched Systems
• As new operating system vulnerabilities
are announced (e.g. on Patch Tuesday),
attackers rush to exploit unpatched
machines
• Controls 4, 5
– Continuous monitoring can quickly discover
these vulns and remediate them rapidly
– Malware defenses should also be updated
on Patch Tuesday, so that these attacks are
inhibited
Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
4/9/2015 DRAFT
11
Lack of Security Improvement
• Threats are continually evolving. If
security is not being continuously
improved, then it is falling behind, and
vulns are increasing daily
• Controls 4, 5, 11, 20
– Network defenses should be constantly upto-date and evolving with the state-of-the-art
– Conscious improvement of limits on ports,
protocols and services can improve the
security profile
– Pen testing is a highly recommended best
practice that can reveal latent vulns and weak
security strategies
Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
4/9/2015 DRAFT
12
Vulnerable Web Applications
and Databases
• Internet facing applications and
databases are exposed to worldwide
threats… Threats that are escalating daily
• Controls 6, 20
– Application software security is critical,
especially for Internet-facing apps. Web
security testing is essential
– Pen testing can reveal latent vulns and
suggest remediations
Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
4/9/2015 DRAFT
13
Wireless Vulnerability
• Attackers can easily spoof WAPs (the
strongest signal wins), and otherwise
compromize wireless systems which
operate on the public airwaves
• Control 7
– Following configuration benchmarks and
best practices for managing WAPs and
wireless devices is essential for network
defense
Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
4/9/2015 DRAFT
14
Social Engineering
• The human element is the most significant
vulnerability, scenarios include: Phishing,
Pretexting, and USB attacks
• Controls 9, 12, 16
– End user training for Internet Safety is perhaps the
most significant improvement an enterprise can make
to its security profile
– Limiting user privileges prevents over-privileged
machines from posing threats
– Account monitoring watches for potentially
hazardous activities
Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
4/9/2015 DRAFT
15
Temporary Open Ports
• It is common practice to grant requests to open
firewall and server ports to support a temporary
business activity, e.g. a video teleconference
– Few organizations managing the process of reclosing the ports after the need is gone
• This gap leads to an escalating vuln of open ports
• Controls 10, 13
– Keeping network devices security includes
continuous monitoring and cleanup of changes
– Boundary defenses should be hardened and
monitored for configuration issues
Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
4/9/2015 DRAFT
16
Weak Network Architectures
• Focus on Internet perimeter security often
leads to neglect of the internal security
architecture
– For example, machines with restricted data
should be encrypted and defended from
internal attacks from the rest of the network
• Controls 13, 19
– Secure network engineering means that
internal as well as external defenses are
considered
• For example, internal network partitions and
defenses should be designed to protect the most
valuable assets
Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
4/9/2015 DRAFT
17
Lack of Logging and Log
Reviews
• It’s often said that the network guys with
the big fancy video network dashboards
miss everything, and the professionals with
simple tools watching the logs see what’s
really happening
• Control 14
– Log consolidation, log normalization, and
frequent log analysis are needed for the
network team to understand the network and
what’s happening on it
Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
4/9/2015 DRAFT
18
Lack of Risk Assessment and
Data Protection
• It is impossible to security everything, so
organizations must identify what needs to be
protected and prioritize their defenses
– Failure to do so results in a mis-allocated array of
defenses that are not protecting the right things
• Controls 15, 17
– The need to know is a fundamental principle for
controlling internal access to sensitive information
• Internal threats are more potentially dangerous than
external ones – they already know what’s very sensitive,
where to obtain it, and have legitimate access privileges
– In organizations with restricted data (and most are)
DLP is an essential defense against the
consequences of data spillage, e.g. fines, costs, loss
of customer goodwill
Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
4/9/2015 DRAFT
19
Data Loss via Undetected
Exfiltration
• Data is constantly in motion in mobile
devices and on networks
– Data is vulnerable to insider threats as well
as Advanced Persistent Threats (APT) and
common crime such as theft or even worker
negligence
• Control 17
– DLP proactively seeks out sensitive data
and ensures it’s encryption in motion and at
rest – thus preventing future potential
exfiltrations
Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
4/9/2015 DRAFT
20
Poor Incident Response - APT
• Typical time from APT penetration to
detection by the enterprise is 6 months
– Even some of the most savvy companies
respond this slowly, e.g. RSA, Google
• Control 18
– Mature intrusion detection practices,
coupled with effective incident response are
essential to protect restricted data, mission
critical systems, intellectual property, and
competitiveness
Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
4/9/2015 DRAFT
21
Cloud Security - Introduction
• Clouds are massive pools of computing
and storage resources.
– Public Clouds – provide outsourcing of
scalable computing resources, software
applications, and system management
– Private Clouds – owned within an
organization
• Private Clouds are increasingly easy to build
with Performance Optimized Datacenter (POD)
preconfigured racks
• Why go private? Security. Performance. Control.
Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
4/9/2015 DRAFT
22
Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
4/9/2015 DRAFT
23
How do clouds form?
How do clouds work?
• Data Storage Clouds
– Scalable mass storage… automatic backup
– Data volume escalating
• e.g. Large Hadron Collider, MRI/CT, EHR, DNA
Sequencing, Internet Click Stream, Customer Purchases…
• Infrastructure/Application Provisioning
– Scalable outsourcing of computation/applications
• Computation Intensive
– e.g. supercomputing, big data computing
Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
4/9/2015 DRAFT
24
Special Security Implications
• In clouds, data and processing migrate
across physical, virtual, and organizational
boundaries
• Data and applications are aggregated
– Increases potential risks from security
breach
• Potential end-user community is
expanded
– Many more users potentially have access,
including malicious insider or external threats
Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
4/9/2015 DRAFT
25
Security Implications 2
• Consolidation into Clouds Can Magnify
Risks
• Clouds Require Stronger Trust
Relationships
• Clouds Change Security Assumptions
• Data Mashups Increase Data Sensitivity
Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
4/9/2015 DRAFT
26
Cloud Indexing Changes
Security Semantics
• To aid in search, cloud developers create
various indexes into big data collections
• In large enterprises, the big data could be
a mashup
– from multiple applications which originally
had security assumptions about who can
access and need to know
– How can those original security assumptions
be translated into a multi-application mashup?
• Indexing accelerates access to data with
aggregated and/or compromised security
assumptions
Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
4/9/2015 DRAFT
27
Cloud Security Technology
Maturity
• Virtual servers on virtual networks may be invisible to
physical network security devices
• Mobile Code
– Clouds rely on thin clients (e.g. Internet browsers) which
require extensive mobile code to emulate sophisticated end user
applications
– Code authentication technologies exist but are not widely
utilized – introduction of malicious mobile code can go
undetected
• Mobile Devices Extend the Cloud to the Edge
– Increasingly an extension of our enterprises, largely
unprotected from malicious software and spoofed access points
Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
4/9/2015 DRAFT
28
Stovepiped Widgets in the
Cloud
• Stovepiped Cloud Widgets
– Developers building cloud applications (i.e. widgets)
on top of primitive services (i.e. operating systems,
sockets, and databases) are reinventing their own
technology stacks and security solutions
• Widget Frameworks
– Ideally, primitive services should be encapsulated
into higher level application services, which…
• Accelerate development due to the higher level of
enterprise-context-specific abstraction, e.g. battlefield
simulation services, customer relationship services
• Embed security solutions in higher level services, so that
security does not have to be re-validated from the ground up
Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
4/9/2015 DRAFT
29
New Governance and QA for
Cloud Computing
• Small-scale widget developers can move
code into production without the usual QA
checks required of large-scale applications
• Service Oriented Architecture (SOA)
approaches are encapsulating legacy
applications and making that processing
and data available to widget developers
– Data access can more easily cross
organizational boundaries creating new
governance and security challenges
• IT governance must evolve to address
this growing ecosystem
Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
4/9/2015 DRAFT
30
Cyber Security: Managing Networks,
Conducting Tests, and Investigating Intrusions
REVIEW CHAPTER SUMMARY
4/9/2015 DRAFT
31