Designing & Building a Cybersecurity...
Transcript of Designing & Building a Cybersecurity...
1
Larry Wilson Lesson 3 June, 2015
Designing & Building a Cybersecurity Program
Based on the NIST Cybersecurity Framework (CSF)
2
Lesson 3: Building the Programs The Controls Factory
Lesson 3 - Building the Program
Step 1: Establish Goals, Objectives, Approach, Deliverables
Step 2: Get Management Support
Step 3: Establish Budget, Resources, Scope, Funding, Timeline
Step 4: Establish Program, Asset, Controls Roadmap
Step 5: Select Controls, Technologies, Services
Step 6: Build Asset / Program Master Plan
Step 8: Conduct Asset / Program Review
Step 7: Prioritize Deliverables
Step 9: Establish Risk Dashboards
Step 10: Program Summary: End to End Security
3
Step 1: Establish Goals, Objectives, Deliverables
Program Approach
4
The Controls Framework The Controls Family
The Organizational Assets The Technologies and Solutions
Endpoint Security
Application Security
Network Security
Data Center Security Database Security
Data Governance
Program Catalog
Identity Governance Crown Jewels
Step 1: Establish Goals, Objectives, Deliverables
The Process 1. Establish system of record.
Create initial baseline of known devices and information assets Include critical information mapping and information owners
2. Update with known assets Add / remove assets following standard approach Create systems build template for new systems Create asset deletion / destruction for devices removed from inventory
3. Update with Unknown Assets Scan for unknown assets (active discovery) Monitor for unknown assets (passive discovery) Filter unknown assets (access control)
4. Apply appropriate controls based on asset type Technical Controls [TEC] Operational Controls [OPS] Management Controls [MGT]
5. Generate Real-time Alerts and Management Reports Alert Security Defenders when suspicious activity is detected. Produce management and operations reports (ad-hoc and pre-defined)
6. Update system of record. Update with known as well as unknown (discovered) devices
2. Add Known Assets
3. Scan for Unknowns
3. Monitor for
Unknowns
3. Filter for Unknowns
4. Apply Management
Controls
4. Apply Operational
Controls
4. Apply Technical Controls
5. Alerts & Reports
The Process
6. Update
1. System
of Record
The Deliverables
Managed Assets
Unmanaged Assets
Asset Governance
Management Controls
Operational Controls
Technical Controls
The Deliverables
1. Asset Governance – Management of an asset group Provisioning – the initial creation of the asset into the environment Reconciliation – periodic recertification of the asset De-provisioning – removal of the asset from the environment Generate reports and alerts
2. System of Record- Authoritative asset management system
Includes all known assets Scan for unknown assets Monitor for unknown assets Filter for unknown assets Update known assets with those discovered via scan, monitor, filter process
3. Apply Security Controls - apply management, technical and operational controls
Technical Controls [TEC] Operational Controls [OPS] Management Controls [MGT]
4. Managed Assets
Consists of all known assets with controls applied
5
Step 1: Establish Goals, Objectives, Deliverables
Company Leadership Directors, Department Heads, Governance
Teams
Primary Role Program leader and advocate. Develop and
support InfoSec factory. Inform staff of responsibilities for compliance.
Responsibilities Understand, support, advocate , fund program
to ensure compliance with Policy, Program, Risk Assessments, Compliance Mandates, Acceptable Use
System / Application Administration IT Department, Business Operations,
Application Specialists, System Administration &Operations
Primary Role Comply with program best practices.
Implement & maintain security controls that protect IT resources.
Responsibilities Understand, implement, manage, comply
with technical, physical and administrative controls that protect IT resources & information
All employees, contractors, vendors Business and administrative users, customers,
contractors, vendors
Primary Role Comply with program best practices. Develop
knowledge, skills and attitude to improve security posture.
Responsibilities Awareness of risks, best practices, acceptable
use, incident response, on-line resources. Comply with requirements of Information Security Awareness Program.
Set the tone! Do what’s right! Understand the risks!
Step 2: Get Management Support
6
Step 3: Establish Budget, Resources, Funding, Timeline
Annual IT Budget (%) $ 5.0 M $ 10.0 M $ 15.0 M $ 20.0 M $ 30.0 M $ 40.0 M $ 50.0 M
Annual Information Security Budget Includes annual cost for technology / tools and resources
6.0 % $ 300 K $ 600 K $ 900 K $ 1.20 M $ 1.80 M $ 2.40 M $ 3.00 M
Costs of Security Technology / Tools Includes capital depreciation and annual maintenance
3.0 % $ 150 K $ 300 K $ 450 K $ 600 K $ 900 K $ 1.20 M $ 1.50 M
Cost of Security Resources Includes management, administrative, technical, and audit / compliance resources
3.0 % $ 150 K $ 300 K $ 450 K $ 600 K $ 900 K $ 1.20 M $ 1.50 M
Security Resource Estimates Based on $ 100 K per FTE
$ 100 K 1.5 FTE 3 FTE 4.6 FTE 6 FTE 9 FTE 12 FTE 15 FTE
Estimated annual costs and resources (based on 6% of IT budget)
Sample budget
What are the technology / tools used for? Cyber-security program: Protecting university resources against cyber-attacks What are the security resources used for? Manage the security program deliverables (Management Controls) Implement cybersecurity technology (Technical Controls) Security operations and administration (Operations Controls)
7
8
Resource Planning, Allocation and Tracking
Security Program Funding Program Scope
Program Implementation Timeline
Show me the money!
Show me the people!
Show me the plan!
Show me the schedule!
Step 3: Establish Budget, Resources, Funding, Timeline
9 9 9
Step 4: Establish Teams, Controls, Roadmap
The Infrastructure Security Program Team The Application Security Program Team
The Data Governance Program Team The Identity Governance Program Team
10
Framework
Core
Framework
Core Description
Category
Identifier
Framework
Categories
Controls
Identify (ID)
Identify organizational understanding to manage cybersecurity risk to systems, assets, data and capabilities.
ID.AM ID.BE ID.GV ID.RA ID.RM
Asset Management (AM) Business Environment (BE) Governance (GV) Risk Assessment (RA) Risk Management Strategy (RM)
CSC-01 CSC-02 CSC-04
IT Asset Management Software Asset Management Vulnerability Management
Protect (PR)
Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
PR.AC PR.AT PR.DS PR.IP PR.MA PR.PT
Access Control (AC) Awareness and Training (AT) Data Security (DS) Information Protection Processes (IP ) Maintenance (MA) Protective Technology (PT)
CSC-03 CSC-07 CSC-09 CSC-10 CSC-12 CSC-14 CSC-15 CSC-16 CSC-17
System Configuration Wireless Access Control Security Training Network Configuration Administrative Privileges Maintenance, monitoring, analysis of audit logs Controlled Access Account Monitoring Data Loss Protection
Detect
(DE)
Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
DE.AE DE.CM DE.DP
Anomalies and Events (AE) Security Continuous Monitoring (CM) Detection Processes (DP )
CSC-05 CSC-14 CSC-16
Malware Defenses Maintenance, monitoring and analysis of audit logs Account monitoring and control
Respond
(RS)
Develop and implement the activities to take action regarding a detected cybersecurity event.
RS.RP RS.CO RS.AN RS.MI RS.IM
Response Planning (RP) Communications (CO) Analysis (AN ) Mitigation (MI). Improvements (IM)
CSC-18 Incident Response and Management
Recover (RC)
Develop and implement appropriate activities to maintain plans for resilience and restore any services impaired due to a cybersecurity event.
RC.RP RC.IM RC.CO
Recovery Planning (RP) Improvements (IM) Communications (CO)
CSC-08 Data Recovery Capability
Step 4: Establish Teams, Controls, Roadmap
11 11
Identify NIST Controls Framework
Attack Chain 1 2 3 4 5 6 7
Management Controls (ISO 27001:2013)
Technical Controls (Council on Cyber-security CSC)
General Computer Controls (ISO 27001:2013)
Controls Families
Corporate Assets
Technology & Services
Controls Roadmap
Application
Security
Crown Jewels
1 2 3 4 5 6 7 8
Endpoint Devices
Network Security
Data Center Systems
Database Security
Identity Governance
Data Governance
Controls Assessment
Cybersecurity Controls Testing Methodology
Phase 1: Before an Attack Phase 2: During an Attack Phase 3: After an Attack Attack Phase
Controls Testing
2
3
4
Cybersecurity Controls Assessment Methodology
Protect Detect Respond Recover
1
Step 4: Establish Teams, Controls, Roadmap
12
Co
ntr
ols
Fac
tory
Imp
lem
en
tati
on
Del
iver
able
s
Phase 1 Phase 2 Phase 3 Phase 4
Product Phases Phase 1: Planning & Approval Phase 2: Design & Resource Allocation Phase 3: Implementation / Operations Phase 4: Assurance / Maturity
Initiate stakeholder security program Stakeholder sponsored
program with responsibilities assigned
Allocate Resources Assign responsibility,
accountability, authority to individuals & organizations to implement & manage programs
Purchase Technologies Establish standard
technologies to support security programs
Controls Assurance Audit, monitor, report
controls alignment with standards and best practices
Document Strategy, Policy, Controls Framework, Governance Set of technology-independent
programs developed from the business strategy
Design Security Programs (WISP) Establish structure and
timeline for implementing and maintaining security programs
Implement Controls Establish Control Book to
document controls, test controls and verify controls are in place and are effective
Controls Maturity Measure efficiency,
effectiveness, value, improvement of security controls
Program Roadmap
Step 4: Establish Teams, Controls, Roadmap
13
CSC 1.0 Inventory of Authorized & Unauthorized Devices (10 Controls)
CSC 2.0 Inventory of Authorized & Unauthorized Software (10 Controls)
CSC 3.0 Secure Configurations for Mobile Devices, Laptops, Workstations, and Servers (13 Controls)
CSC 4.0 Continuous Vulnerability Assessment & Remediation (10 Controls)
CSC 5.0 Malware Defenses (9 Controls)
CSC 6.0 Application Software Security (9 Controls)
CSC 7.0 Wireless Access Control (16 Controls)
CSC 8.0 Data Recovery Capability (7 Controls)
CSC 9.0 Security Skills Assessment & Training to Fill Gaps (5 Controls)
CSC 10.0 Secure Configurations for Network Devices (Firewalls, Routers, Switches) (7 Controls)
CSC 11.0 Limitation and Control of Network Ports, Protocols, Services (6 Controls)
CSC 12.0 Controlled Use of Administration Privileges (14 Controls)
CSC 13.0 Boundary Defense (14 Controls)
CSC 14.0 Maintenance, Monitoring & Analysis of Audit Logs (11 Controls)
CSC 15.0 Controlled Access Based on the Need to Know (5 Controls)
CSC 16.0 Account Monitoring & Control (12 Controls)
CSC 17.0 Data Protection (8 Controls)
CSC 18.0 Incident Response and Management (6 Controls)
CSC 19.0 Secure Network Engineering (4 Controls)
CSC 20.0 Penetration Tests and Red Team Exercises (10 Controls)
Step 5: Select Controls, Technologies, Services
Critical Security Controls
Control Objective Reduce the ability of attackers to find and exploit unauthorized and unprotected systems.
Control Use active monitoring and configuration management to maintain an up-to-date inventory of devices connected to the network, including servers, workstations, laptops, remote devices.
Consequences of not Implementing this control Criminal groups deploy systems that scan address spaces of target organizations, waiting for new and unprotected systems to be attached to the network. Attackers from anywhere in the world may quickly find and exploit such systems that are accessible via the Internet.
Control System Analysis ITAM control systems identify new systems introduced into the environment that has not been authorized.
Step 1: Active device scanner scans network systems Step 2: Passive device scanner captures system information Step 3: Active scanner reports to inventory database Step 4: Passive scanner reports to inventory database Step 5: Inventory database stored offline Step 6: Inventory database initiates alert system Step 7: Alert system notifies security defenders Step 8: Security defenders monitor and secure inventory database Step 9: Security defenders update secure inventory database Step 10: Network access control continuously monitors network Step 11: Network access control checks and provides updates to the asset inventory database.
Control Design 1.1: Deploy an automated asset inventory discovery tool and use it to build a preliminary asset inventory of systems connected to the network. Both active tools that scan through network address ranges and passive tools that identify hosts based on analyzing their traffic should be employed. 1.2: Deploy DHCP Server logging, and utilize a system to improve the asset inventory and help detect unknown systems through this DHCP information. 1.3: All equipment acquisitions should automatically update the inventory system as new, approved devices are connected to the network. A robust change control process can also be used to validate and approve all new devices. 1.4: Maintain an asset inventory of all systems connected to the network and the network devices themselves. The inventory should include every system that has an IP address on the network, including desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), storage area networks, etc. Devices such as mobile phones, tablets, laptops, and other portable electronic devices that store or process data must be identified, regardless of whether or not they are attached to the network. 1.5: Ensure the asset inventory database is properly protected and a copy stored in a secure location. 1.6: In addition to an inventory of hardware, the organization should develop an inventory of information assets that identifies their critical information and maps critical information to the hardware assets (including servers, workstations, and laptops) on which it is located. A department and individual responsible for each information asset should be identified, recorded, and tracked. 1.7: Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network. 802.1x must be tied into the inventory data to determine authorized vs. unauthorized systems. 1.8: Deploy network access control (NAC) to monitor authorized systems so if attacks occur, the impact can be remediated by moving the untrusted system to a virtual local area network that has minimal access. 1.9: Create separate VLANs for BYOD systems or other untrusted devices. 1.10: Implement client certificates to validate and authenticate systems prior to connecting to the private network.
CSC-01 Inventory of Authorized and Unauthorized Devices
14
15
Control Objective Identify vulnerable or malicious software to mitigate or root out attacks
Control Devise a list of authorized software for each type of system, and deploy tools to track software installed (including type, version, and patches) and monitor for unauthorized or unnecessary software.
Consequences of not Implementing this control Computer attackers deploy systems that continuously scan address spaces of target organizations looking for vulnerable versions of software that can be remotely exploited. Without proper knowledge or control of the software deployed in an organization, defenders cannot properly secure their assets.
Control System Analysis Software asset management control systems identify new software introduced to the environment that has not been authorized. Step 1: Active device scanner Step 2: Active scanner reports to inventory database Step 3: Inventory database compares to inventory baseline Step 4: Inventory database initiates alerting system Step 5: Alert system notifies security defenders Step 6: Security defenders monitor and secure inventory database Step 7: Security defenders update software inventory database Step 8: White listing tool continuously monitors all systems on the network Step 9: White listing checks and updates to the software inventory database.
Control Design 2.1: Deploy application white listing technology that allows systems to run software only if it is included on the white list and prevents execution of all other software on the system. When protecting systems with customized software difficult to white list, isolate the software in virtual operating system that does not retain infections. 2.2: Devise a list of authorized software that is required for each type of system, including servers, workstations, laptops, etc. This list should be monitored by file integrity checking tools to validate authorized software has not been modified. 2.3: Perform regular scanning for unauthorized software and generate alerts when discovered on a system. A strict change-control process should be implemented to control any changes or installation of software to any systems on the network. 2.4: Deploy software inventory tools covering each of the operating system types in use, including servers, workstations, and laptops. Track the version of the underlying operating system as well as the applications installed on it. Record not only the type of software installed on each system, but also its version number and patch level. The software inventory should be tied to vulnerability reporting/threat intelligence services to fix vulnerable software proactively. 2.5: The software inventory systems must be tied into the hardware asset inventory so that all devices and associated software are tracked from a single location. 2.6: The software inventory tool should monitor for unauthorized software installed on each machine. This unauthorized software includes legitimate system administration software installed on inappropriate systems where there is no business need. Dangerous file types (e.g., exe, zip, msi, etc.) should be monitored and/or blocked. 2.7: Software inventory and application white listing should also be deployed on all mobile devices that are utilized across the organization. 2.8: Virtual machines or air-gapped systems used to isolate applications required based on higher risk and should not be installed within a networked environment. 2.9: Configure client workstations with nonpersistent, virtualized operating environments that can be quickly and easily restored to a trusted snapshot on a periodic basis. 2.10: Deploy software that only provides signed software ID tags. A software identification tag is an XML file that is installed alongside software and uniquely identifies the software, providing data for software inventory and asset management.
CSC-02 Inventory of Authorized and Unauthorized Software
Control Objective Prevent attackers from exploiting services and settings that allow easy access through networks and browsers
Control Establishing a secure configuration standard (based on industry best practices such as DISA STIGs, CIS Benchmarks, etc.) ensures the secure configurations are deployed on pre-configured hardened systems, the configurations are updated on a regular basis, and are tracked in a configuration management system
Consequences of not implementing this control On both the Internet and internal networks that attackers have already compromised, automated computer attack programs constantly search target networks looking for systems that were configured with vulnerable software installed the way it was delivered from manufacturers and resellers, thereby making it immediately vulnerable to exploitation.
Control System Analysis SDCM Control Systems manage and implement consistent configuration settings to workstations, laptops, servers on the network.
Step 1: Secured system images applied to computer systems Step 2: Secured system images stored in a secure manner Step 3:Configuration management system validates and checks system images Step 4: Scan production systems for misconfigurations or deviations from baselines Step 5: File integrity assessment systems monitor critical system binaries and data sets Step 6: White listing tool monitors systems configurations and software Step 7: SCAP configuration scanner validates configurations Step 8: File integrity assessment system sends deviations to alerting system Step 9: White listing tool sends deviations to alerting system Step 10: SCAP configuration scanner sends deviations to alerting system Step 11 and 12: Management reports document configuration status
Control Design 3.1: Establish and ensure the use of standard secure configurations of your operating systems. Standardized images should represent hardened versions of the underlying operating system and the applications installed on the system. 3.2: Implement automated patching tools and processes that ensure security patches are installed within 48 hours of their release (applications and for operating system software) 3.3: Limit administrative privileges to very few users who have the knowledge and a business need to modify the configuration of the underlying operating system 3.4: Follow strict configuration management, building a secure image that is used to build all new systems that are deployed. Any compromised system should be re-imaged. 3.5: Store master images on securely configured servers, with integrity checking tools and change management to ensure that only authorized changes to the images are possible. 3.6: Any deviations from the standard build or updates to the standard build should be approved by a change control board and documented in a change management system. 3.7: Negotiate contracts to buy systems configured securely out of the box using standardized images, which should be devised to avoid extraneous software that would increase their attack surface and susceptibility to vulnerabilities. 3.8: Utilize application white listing to control and manage any configuration changes to the software running on the system. 3.9: Remote administration of servers, workstation, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, etc., should only be used if they are performed over a secondary encryption channel, such as SSL or IPSEC. 3.10: Utilize file integrity checking tools on a weekly basis to ensure critical system files have not been altered. All alterations to files should be reported to security personnel. 3.11: Implement and test an automated configuration monitoring system that measures all secure configuration elements that can be measured through remote testing. 3.12: Deploy system configuration management tools, such as Active Directory Group Policy Objects for Microsoft Windows systems or Puppet for Unix systems that will automatically enforce and redeploy configuration settings at regularly scheduled intervals. 3.13: Establish formal process and management approach for controlling mobile devices.
CSC-03 Secure Configurations for Laptops, Workstations, Servers
Control Objective Proactively identify and repair software vulnerabilities reported by security researchers or vendors
Control Regularly run automated vulnerability scanning tools against all systems and quickly remediate any vulnerabilities, with critical problems fixed within 48 hours.
Consequences of not implementing this control Soon after new vulnerabilities are discovered and reported by security researchers or vendors, attackers engineer exploit code and then launch that code against targets of interest. Any significant delays in finding or fixing software with dangerous vulnerabilities provides ample opportunity for persistent attackers to break through, gaining control over the vulnerable machines and getting access to the sensitive data they contain
Control System Analysis VM Control Systems include vulnerability scanners, management system, patch management systems, and configuration baselines that work together to address vulnerability management and remediation. Step 1: Vulnerability intelligence service provides inputs to vulnerability scanner Step 2: Vulnerability scanners scan production systems Step 3: Scanners report detected vulnerabilities to Vulnerability Management System (VMS) Step 4: The VMS compares production systems to configuration baselines Step 5: The VMS sends information to log management correlation system Step 6: The VMS produces reports for management Step 7: A patch management system applies software updates to production systems.
Control Design 4.1: Run automated vulnerability scanning tools against all systems on their networks on a weekly or more frequent basis. Any vulnerability identified should be remediated in a timely manner, with critical vulnerabilities fixed within 48 hours. 4.2: Event logs should be correlated with information from vulnerability scans to verify activity of the regular vulnerability scanning tools is logged, and to correlate attack detection events with earlier vulnerability scanning results to determine whether the exploit was used against a known-vulnerable target.
4.3: Deploy automated patch management tools and software update tools for operating system and third-party software on all systems for which such tools are available and safe.
4.4: In order to overcome limitations of unauthenticated vulnerability scanning, ensure that all vulnerability scanning is performed in authenticated mode either with agents running locally on each end system to analyze the security configuration or with remote scanners that are given administrative rights on the system being tested.
4.5: Compare the results from back-to-back vulnerability scans to verify that vulnerabilities were addressed either by patching, implementing a compensating control, or documenting and accepting a reasonable business risk. 4.6: Vulnerability scanning tools should be tuned to compare services that are listening on each machine against a list of authorized services. 4.7: Security personnel should chart the numbers of unmitigated, critical vulnerabilities for each department/division. 4.8: Security personnel should share vulnerability reports indicating critical issues with senior management to provide effective incentives for mitigation.
4.9: Measure the delay in patching new vulnerabilities and ensure that the delay is equal to or less than the benchmarks set forth by the organization.
4.10: Critical patches must be evaluated in a test environment before being pushed into production on organization systems
CSC-04 Continuous Vulnerability Assessment and Remediation
Control Objective Detect/prevent/correct installation and execution of malicious software on all devices.
Control Use automated ant-virus and anti-spyware software to continuously monitor and protect workstations, servers, and mobile devices. Automatically update such anti-malware tools on all machines on a daily basis. Prevent network devices from using auto-run programs to access removable media.
Consequences of not Implementing this Control Malicious software is an integral and dangerous aspect of Internet threats, targeting end-users and organizations via web browsing, e-mail attachments, mobile devices, the cloud, and other vectors. Malicious code may tamper with the system’s contents, capture sensitive data, and spread to other systems.
Control System Analysis The control system includes anti-malware systems and threat vectors such as removable media. Step 1: Anti-malware systems analyze production systems and removable media Step 2: Removable media is analyzed when connected to production systems Step 3: Email/web and network proxy devices analyze incoming and outgoing traffic Step 4: Network access control monitors all systems connected to the network Step 5: Intrusion/network monitoring systems perform continuous monitoring looking for signs of malware.
Control Design 5.1: Employ automated tools to continuously monitor workstations, servers, and mobile devices for active, up-to-date anti-malware protection with anti-virus, anti-spyware, personal firewalls, and host-based IPS functionality. All malware detection events should be sent to anti-malware administration tools and event log servers. 5.2: Employ anti-malware software and signature auto update features or have administrators manually push updates to all machines on a daily basis. After applying an update, automated systems should verify that each system has received its signature update. 5.3: Configure laptops, workstations, and servers so that they will not auto-run content from USB tokens (i.e., “thumb drives”), USB hard drives, CDs/DVDs, Firewire devices, external serial advanced technology attachment devices, mounted network shares, or other removable media. 5.4: Configure systems so that they conduct an automated anti-malware scan of removable media when it is inserted. 5.5: All attachments entering the organization’s e-mail gateway should be scanned and blocked if they contain malicious code or file types unneeded for the organization’s business. This scanning should be done before the e-mail is placed in the user’s inbox. This includes email content filtering and web content filtering. 5.6: Automated monitoring tools should use behavior-based anomaly detection to complement and enhance traditional signature-based detection. 5.7: Deploy network access control tools to verify security configuration and patch-level compliance before granting access to a network. 5.8: Continuous monitoring should be performed on outbound traffic. Any large transfers of data or unauthorized encrypted traffic should be flagged and, if validated as malicious, the computer should be moved to an isolated VLAN. 5.9: Implement an Incident Response process which allows their IT Support organization to supply their Security Team with samples of malware running undetected on corporate systems. Samples should be provided to the Anti-Virus vendor for ‘out-of-band’ signature creation and deployed to the organization by system administrators.
CSC-05 Malware Defense
Control Objective Detect/prevent/correct security weaknesses in the development and acquisition of software applications
Control Carefully test internally developed and third-party application software for security flaws, including coding errors and malware. Deploy web application firewalls that inspect traffic, and explicitly check for errors in all user input (including by size and data type).
Consequences of not implementing this control Attacks against vulnerabilities in web-based and other application software have been a top priority for criminal organizations in recent years. Application software that does not properly check the size of user input, fails to sanitize user input by filtering out unneeded but potentially malicious character sequences, or does not initialize and clear variables properly could be vulnerable to remote compromise. Attackers can inject specific exploits, including buffer overflows, SQL injection attacks, cross-site scripting, cross-site request forgery, and clickjacking of code to gain control over vulnerable machines.
Control System Analysis The process of monitoring applications and using tools that enforce a security style when developing applications. Step 1: Web application firewalls protect connections to internal web applications Step 2: Software applications securely connect to database systems Step 3: Code analysis and vulnerability scanning tools scan application systems and database systems.
Control Design 6.1: Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks, including but not limited to cross-site scripting, SQL injection, command injection, and directory traversal attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed. 6.2: At a minimum, explicit error checking should be done for all input. Whenever a variable is created in source code, the size and type should be determined. When input is provided by the user it should be verified that it does not exceed the size or the data type of the memory location in which it is stored or moved in the future. 6.3: Test in-house-developed and third-party-procured web applications for common security weaknesses using automated remote web application scanners prior to deployment, whenever updates are made to the application, and on a regular recurring basis. 6.4: Do not display system error messages to end-users (output sanitization). 6.5: Maintain separate environments for production and nonproduction systems. Developers should not typically have unmonitored access to production environments. 6.6: Test in-house-developed and third-party-procured web and other application software for coding errors and malware insertion, including backdoors, prior to deployment using automated static code analysis software. If source code is not available, test compiled code using static binary analysis tools. In particular, input validation and output encoding routines of application software should be carefully reviewed and tested. 6.7: For applications that rely on a database, conduct a configuration review of both the operating system housing the database and the database software itself, checking settings to ensure that the database system has been hardened using standard hardening templates. All of the organization's systems that are part of critical business processes should also be tested. 6.8: Ensure that all software development personnel receive training in writing secure code for their specific development environment. 6.9: Uninstall or remove from the system sample scripts, libraries, components, compilers, or any other unnecessary code that is not being used by an application.
CSC-06 Application Software Security
20
Control Objective Track/control/prevent/correct the security use of wireless local area networks (LANS), access points, and wireless client systems.
Control Allow wireless devices to connect to the network only if they match an authorized configuration and security profile and have a documented owner and defined business need. Ensure that all wireless access points are manageable using enterprise management tools. Configure scanning tools to detect wireless access points.
Consequences of not implementing this control Major thefts of data have been initiated by attackers who have gained wireless access to organizations from outside the physical building, bypassing organizations’ security perimeters by connecting wirelessly to access points inside the organization. Wireless clients accompanying traveling officials are infected on a regular basis through remote exploitation during air travel or in cyber cafes. Such exploited systems are then used as back doors when they are reconnected to the network of a target organization
Control System Analysis The configuration and management of wireless devices, wireless IDS/scanners, wireless device management systems, and vulnerability scanners
Step 1: Hardened configurations applied to wireless devices Step 2: Hardened configurations managed by a configuration management system Step 3: Configuration management system manages the configurations on wireless devices Step 4: Wireless IDS monitor usage of wireless communications Step 5: Vulnerability scanners scan wireless devices for potential vulnerabilities Step 6: Wireless clients utilize wireless infrastructure systems in a secure manner.
Control Design 7.1: Ensure each wireless device connected to the network matches an authorized configuration and security profile, with documented owner and business need.
7.2: All wireless access points are manageable using organization management tools.
7.3: Network vulnerability scanning tools are configured to detect wireless access points connected to the wired network. Unauthorized (rogue) access points are deactivated.
7.4: Use wireless intrusion detection systems (WIDS) to identify rogue wireless devices and detect attack attempts and successful compromises. 7.5: 802.1x is used to control devices allowed to connect to the wireless network.
7.6: A site survey is performed to determine what areas that need coverage.
7.7: Where a specific business need for wireless access has been identified, configure wireless access on client machines to allow access only to authorized wireless networks.
7.8: For devices that do not have an essential wireless business purpose, disable wireless access in the hardware configuration. 7.9: Ensure that all wireless traffic leverages at least Advanced Encryption Standard (AES) encryption used with at least WiFi Protected Access 2 (WPA2) protection. 7.10: Wireless networks use authentication (Extensible Authentication Protocol-Transport Layer Security EAP/TLS), with credential protection and mutual authentication.
7.11: Ensure that wireless clients use strong, multi-factor authentication credentials to mitigate the risk of unauthorized access from compromised credentials.
7.12: Disable peer-to-peer wireless network capabilities on wireless clients, unless such functionality meets a documented business need.
7.13: Disable wireless peripheral access of devices (such as Bluetooth), unless such access is required for a documented business need.
7.14: Wireless access points are not directly connected to the private network. They are either placed behind a firewall or a separate VLAN with traffic examined and filtered.
7.15: All mobile devices must be registered prior to connecting to the wireless network. 7.16: Configure all wireless clients used to access private networks or handle the organization’s data in a manner so that they cannot be used to connect to public wireless networks.
CSC-07 Wireless Access Control
Control Objective The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.
Control Implement trustworthy plan for removing all traces of an attack. Automatically back up all information required to fully restore each system, including the operating system, application software, and data. Back up all systems at least weekly; back up sensitive systems more often. Regularly test the restoration process.
Consequences of not Implementing this control When attackers compromise machines, they often make significant changes to configurations and software. Sometimes attackers also make subtle alterations of data stored on compromised machines, potentially jeopardizing organizational effectiveness with polluted information. When the attackers are discovered, it can be extremely difficult for organizations without a trustworthy data recovery capability to remove all aspects of the attacker’s presence on the machine..
Control System Analysis The capability to restore systems in the event that data need to be restored because of a data loss or breach of a system. While backups are certainly an important part of this process, the ability to restore data is the critical component. Step 1: Production business systems backed up on a regular basis to authorized backup systems Step 2: Backups created are stored offline at secure storage facilities
Control Design 8.1: Each system should be automatically backed up on at least a weekly basis, and more often for systems storing sensitive information. 8.2: Operating systems, application software, and organization data should be included in the overall backup procedure. 8.3: Data on backup media should be tested on a regular basis by performing a data restoration process. 8.4: Key personnel should be trained on both the backup and restoration processes. 8.5: Alternative personnel should be trained on the restoration process in case the primary point of contact is not available. 8.6: Backups should be properly protected via physical security or encryption when stored locally, or transmitted across the network. 8.7: Backup media, such as hard drives and tapes, should be stored in physically secure, locked facilities
CSC-08 Data Recovery Capability
Control Objective Ensure an organization understands the technical skill gaps within its workforce, including an integrated plan to fill the gaps through policy, training, and awareness.
Control Develop a security skills assessment program, map training against the skills required for each job, and use the results to allocate resources effectively to improve security practices.
Consequences of not Implementing this Control A constantly updated security awareness and education program for all users is important, but it will not stop determined attackers. Most determined adversaries will be stopped by effective implementation of the other Critical Controls, but some will slip through fissures in the security program. Skilled employees are essential for implementing and monitoring those Controls, for finding those attackers that get through the defenses, and for developing systems that are much harder to exploit.
Control System Analysis CSCS Securing the Human (STH) - The organization Security Awareness Training is based on CSCS Securing The Human (STH) CSCS Securing The Human provides the materials for an engaging, high-impact security awareness program. The training addresses the most common risks using a proven framework based on the Critical Security Controls. Security Skills Assessment Use Cases Use Case 1: Perform gap analysis to see which skills employees need and which behaviors
employees are not adhering to, using this information to build a training and awareness roadmap.
Use Case 2: Deliver training to fill the skills gap. Use more senior staff or outside instructors to train employees.
Use Case 3: Implement an online security awareness program such as CSCS Securing the Human tat is mandated for completion by all employees at least annually.
Use Case 4: Validate and improve awareness levels through tests such as PhishMe.com. PhishMe is a spear phishing simulator that raises awareness of the strategies and sophisticated tactics utilized today by hackers looking to compromise your organization’s data and systems.
Use Case 5: Use security skills assessments for each of the mission-critical skills to identify skills gaps.
Control Design 9.1: Perform gap analysis to see which skills employees need and which behaviors employees are not adhering to, using this information to build a training and awareness roadmap. 9.2: Deliver training to fill the skills gap. If possible, use more senior staff to deliver the training. A second option is to have outside teachers provide training onsite so the examples used will be directly relevant. If you have small numbers of people to train, use training conferences or online training to fill the gaps. 9.3: Implement an online security awareness program that: (1) focuses on methods used in intrusions blocked through individual action (2) is delivered in short online modules convenient for employees (3) is updated frequently (at least annually) to represent the latest attack techniques (4) is mandated for completion by all employees at least annually (5) is reliably monitored for employee completion 9.4: Validate and improve awareness levels through periodic tests to see whether employees will click on a link from suspicious e-mail or provide sensitive information on the telephone without following appropriate procedures for authenticating a caller; targeted training should be provided to those who fall victim to the exercise. 9.5: Use security skills assessments for each of the mission-critical skills to identify skills gaps. Use hands-on, real-world examples to measure mastery. If you do not have such assessments, use one of the available online competitions that simulate real-world scenarios for each of the identified jobs in order to measure skills mastery
CSC-09 Security Skills Assessment and Training to Fill Gaps
Control Objective Track/control/prevent/correct security weaknesses in the configurations in network devices such as firewalls, routers, and switches based on formal configuration management and change control processes.
Control Compare firewall, router, switch configurations against standards for each type of network device. Ensure that any deviations from the standard configurations are documented and approved and that any temporary deviations are undone when the business need abates.
Consequences of not Implementing this control Attackers take advantage of the fact that network devices may become less securely configured over time as users demand exceptions for specific and temporary business needs, as the exceptions are deployed, and as those exceptions are not undone when the business need is no longer applicable. Attackers search for electronic holes in firewalls, routers, and switches and use those to penetrate defenses. Attackers have exploited flaws in these network devices to gain access to target networks, redirect traffic on a network (to a malicious system masquerading as a trusted system), and intercept and alter information while in transmission.
Control System Analysis NCM control systems examine network devices, test lab network devices, configuration systems, and configuration management devices. Step 1: Hardened device configurations applied to production devices Step 2: Hardened device configuration stored in a secure configuration management system Step 3: Management network system validates configurations on production network devices Step 4: Patch management system applies tested software updates to production network devices Step 5:Two-factor authentication system required for administrative access to production devices Step 6: Proxy/firewall/network monitoring systems analyze all connections to production network devices.
Control Design 10.1: Compare firewall, router, and switch configuration against standard secure configurations defined for each type of network device in use in the organization. The security configuration of such devices should be documented, reviewed, and approved by an organization change control board. Any deviations from the standard configuration or updates to the standard configuration should be documented and approved in a change control system. 10.2: At network interconnection points-such as Internet gateways, inter-organization connections, and internal network segments with different security controls--implement ingress and egress filtering to allow only those ports and protocols with an explicit and documented business need. All other ports and protocols should be blocked with default-deny rules by firewalls, network-based IPS, and/or routers. 10.3: All new configuration rules beyond a baseline-hardened configuration that allow traffic to flow through network security devices, such as firewalls and network-based IPS, should be documented and recorded in a configuration management system, with a specific business reason for each change, a specific individual's name responsible for that business need, and an expected duration of the need. 10.4: Network filtering technologies employed between networks with different security levels (firewalls, network-based IPS tools, and routers with access controls lists) should be deployed with capabilities to filter Internet Protocol version 6 (IPv6) traffic. However, if IPv6 is not currently being used it should be disabled. Since many operating systems today ship with IPv6 support activated, filtering technologies need to take it into account. 10.5: Manage network devices using two-factor authentication and encrypted sessions. 10.6: Install the latest stable version of any security-related updates within 30 days of the update being released from the device vendor. 10.7: Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
CSC-10 Secure Configurations for Firewalls, Routers, and Switches
Control Objective Track/control/prevent/correct use of ports, protocols, and services on networked devices.
Control Apply host-based firewalls and port-filtering and scanning tools to block traffic that is not explicitly allowed. Properly configure web servers, mail servers, file servers, print servers and domain name servers (DNS) to limit remote access. Disable automatic installation of unnecessary software components. Move servers inside the firewall unless remote access is required for business purposes.
Consequences of not Implementing this Control Attackers search for remotely accessible network services that are vulnerable to exploitation. Common examples include poorly configured web servers, mail servers, file and print services, and domain name system (DNS) servers installed by default on a variety of different device types, often without a business need for the given service. Many software packages automatically install services and turn them on as part of the installation of the main software package without informing a user or administrator that the services have been enabled. Attackers scan for such issues and attempt to exploit these services, often attempting default user IDs and passwords or widely available exploitation code.
Control System Analysis Examine how active scanning systems gather information on network devices and evaluate that data against the authorized service baseline database.
Step 1: Active scanner analyzes production systems for unauthorized ports, protocols, and services Step 2: System baselines regularly updated based on necessary/required services Step 3: Active scanner validates which ports, protocols, and services are blocked or allowed by the application firewall Step 4: Active scanner validates which ports, protocols, and services are accessible on business systems protected with host-based firewalls.
Control Design 11.1: Host-based firewalls or port filtering tools should be applied on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed. 11.2: Automated port scans should be performed on a regular basis against all key servers and compared to a known effective baseline. If a new port is found open, an alert should be generated and reviewed. 11.3: Any server that is visible from the Internet or an untrusted network should be verified, and if it is not required for business purposes it should be moved to an internal VLAN and given a private address. 11.4: Services needed for business use across the internal network should be reviewed quarterly via a change control group, and business units should re-justify the business use. Sometimes services are turned on for projects or limited engagements, and should be turned off when they are no longer needed. 11.5: Operate critical services on separate physical host machines, such as DNS, file, mail, web, and database servers. 11.6: Application firewalls should be placed in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized services or traffic should be blocked and an alert generated
CSC-11 Limitation & Control of Network Ports, Protocols, Services
Control Objective Track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
Control Protect and validate administrative accounts on desktops, laptops, and servers to prevent two common types of attack: (1) enticing users to open malicious e-mail, attachment, or file, or to visit a malicious website; and (2) cracking an administrative password and thereby gaining access to a target machine. Use robust passwords that follow Federal Desktop Core Configuration (FDCC) standards.
Consequences of not implementing this control The misuse of administrative privileges is a primary method for attackers to spread inside a target enterprise.
Control System Analysis Examine the components of user account provisioning and user authentication. Step 1: Production systems use proper authentication systems Step 2: Standard and administrative user accounts use proper authentication systems Step 3: Standard and administrative user accounts properly managed via group memberships Step 4: Administrative access to systems properly logged via log management systems Step 5: Password assessment system validates the strength of the authentication systems.
Control Design 12.1: Minimize admin privileges and only use admin accounts when required. Implement auditing on administrative privileged functions and monitor for anomalous behavior. 12.2: Use automated tools to inventory admin accounts and validate individuals with admin privileges on desktops, laptops, and servers is authorized by a senior executive. 12.3: Configure all admin passwords to be complex and contain letters, numbers, and special characters intermixed, with no dictionary words present in the password. Passwords should be of a sufficient length to increase the difficultly it takes to crack the password. 12.4: Configure all administrative-level accounts to require regular password changes on a frequent interval tied to the complexity of the password. 12.5: Before deploying new devices, change default passwords for applications, operating systems, routers, firewalls, access points, etc., to a difficult-to-guess value. 12.6: Ensure all service accounts have long and difficult-to-guess passwords that are changed on a periodic basis of no longer than 90 days. 12.7: Store passwords in a well-hashed or encrypted format. Files containing these hashed passwords required for systems to authenticate readable only with super-user privileges. 12.8: Utilize access control lists to ensure that admin accounts are used only for system admin activities, and not for reading e-mail, composing documents, or surfing the Internet. Web browsers and e-mail clients must be configured to never run as administrator. 12.9: Require administrators establish different passwords for admin and non-admin accounts. Admin accounts should never be shared. Domain admin accounts should be used when required for system administration instead of local administrative accounts. 12.10: Configure operating systems so that passwords cannot be re-used within six months. 12.11: Configure systems to alert when an account is added /removed from a domain. 12.12: Use two-factor authentication for admin access, including domain admin access. 12.13: Block access to a machine for admin-level accounts. Instead, access a system using a fully logged and non-admin account. Once logged on to the machine without admin privileges, the administrator should transition to admin privileges using tools such as Sudo on Linux/UNIX, RunAs on Windows, and other similar facilities for other types of systems. 12.14: If services are outsourced to third parties, include language in the contracts to ensure that they properly protect and control administrative access.
CSC-12 Controlled Use of Administrative Privileges
CSC-13 Boundary Defenses
Control Objective Detect/prevent/correct the flow of information transferring networks of different trust levels with a focus on security-damaging data.
Control Establish multi-layer boundary defenses by relying on firewalls, proxies, demilitarized zone (DMZ) perimeter networks, and other network-based tools. Filter inbound and outbound traffic, including through business partner networks (extranets)
Consequences of not Implementing this Control Attackers focus on exploiting systems that they can reach across the Internet, including not only DMZ systems but also workstation and laptop computers that pull content from the Internet through network boundaries. Threats such as organized crime groups and nation-states use configuration and architectural weaknesses found on perimeter systems, network devices, and Internet-accessing client machines to gain initial access into an organization. Then, with a base of operations on these machines, attackers often pivot to get deeper inside the boundary to steal or change information or to set up a persistent presence for later attacks against internal hosts.
Control System Analysis Examine network boundary devices and supporting systems such as authentication servers, two-factor authentication systems, network monitoring systems, network proxy devices. Step 1: Hardened device configurations applied to production devices Step 2:Two-factor authentication systems for administrative access to production devices Step 3: Production network devices send events to log management and correlation system Step 4: Network monitoring system analyzes network traffic Step 5: Network monitoring system sends events to log management and correlation system Step 6: Outbound traffic passes through and is examined by network proxy devices Step 7: Network systems scanned for potential weaknesses
Control Design 13.1: Deny communications with known malicious IP addresses (black lists), or limit access only to trusted sites (white lists). 13.2: Configure monitoring systems on DMZs to record packet header and payloads of the traffic destined for or passing through the network border. Send traffic to SEIM so that events can be correlated from all devices on the network.
13.3: To mitigate spoofed e-mail messages, implement the Sender Policy Framework (SPF) by deploying SPF records in DNS and enabling receiver-side verification in mail servers.
13.4: Deploy network-based IDS sensors on Internet and extranet DMZs that look for unusual attack mechanisms and detect compromise of these systems.
13.5: Use network IPS devices to compliment IDS by blocking known bad signature or behavior of attacks. 13.6: Implement network perimeters for outgoing web, FTP, and SSH traffic to the Internet passes through a DMZ proxy. The proxy should support logging individual TCP sessions; blocking specific URLs, domain names, IP addresses to implement blacklist / white list.
13.7: Require all remote login access (including VPN, dial-up, and other forms of access that allow login to internal systems) to use two-factor authentication. 13.8: All devices remotely logging into the internal network should be managed by the organization, with remote control of their configuration, installed software, and patch levels.
13.9: Periodically scan for back-channel connections to the Internet that bypass the DMZ, including unauthorized VPN connections and dual-homed hosts connected to the organization network and to other networks via wireless, dial-up modems, or other mechanisms.
13.10: To limit access by an insider or malware spreading on an internal network, the organization should devise internal network segmentation schemes to limit traffic to only those services needed for business use across the internal network.
13.11: Rapidly deploy internal network filters to stop spread of malware or intruder. 13.12: Only allow DMZ systems to communicate with private network systems via application proxies or application-aware firewalls over approved channels.
13.13: To identify covert channels exfiltrating data through a firewall, configure firewall session tracking mechanisms to identify TCP sessions that last an unusually long time.
13.14: Deploy NetFlow collection and analysis to DMZ network flows to detect anomalous activity.
Control Objective Detect/prevent/correct the use of systems and information based on audit logs of events that are considered significant or could impact the security of an organization
Control Generate standardized logs for each hardware device and the software installed on it, including date, time stamp, source addresses, destination addresses, and other information about each packet and/or transaction. Store logs on dedicated servers, and run bi-weekly reports to identify and document anomalies.
Consequences of not Implementing this Control Deficiencies in security logging and analysis allow attackers to hide their location, malicious software used for remote control, and activities on victim machines. Even if the victims know that their systems have been compromised, without protected and complete logging records they are blind to the details of the attack and to subsequent actions taken by the attackers. Without solid audit logs, an attack may go unnoticed indefinitely and the particular damages done may be irreversible.
Control System Analysis Examine audit logs, the central log database system, the central time system, and log analysts. Step 1:Production systems generate logs and send them to a centrally managed log database system Step 2: Production systems and log database system pulls synchronize time with central time management systems Step 3: Logs analyzed by a log analysis system Step 4: Log analysts examine data generated by log analysis system
Control Design 14.1: Include at least two synchronized time sources (NTP) so that timestamps in logs are consistent. 14.2: Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Record logs in a standardized format such as syslog. 14.3: Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. 14.4: Develop a log retention policy to make sure that the logs are kept for a sufficient period of time. As APT (advanced persistent threat) continues to stealthily break into systems, organizations are often compromised for several months without detection. The logs must be kept for a longer period of time than it takes an organization to detect an attack. 14.5: Verbosely log all remote access to a network, whether to the DMZ or the internal network (i.e., VPN, dial-up, or other mechanism). 14.6: Configure operating systems to log access control events associated with a user attempting to access a resource (e.g., a file or directory) without the appropriate permissions. Failed logon attempts must also be logged. 14.7: Have security personnel and/or system administrators run biweekly reports that identify anomalies in logs. They should then actively review the anomalies, documenting their findings. 14.8: Configure network boundary devices, including firewalls, network-based IPS, and inbound and outbound proxies, to verbosely log all traffic (both allowed and blocked) arriving at the device. 14.9: For all servers, ensure that logs are written to write-only devices or to dedicated logging servers running on separate machines from hosts generating the event logs, lowering the chance that an attacker can manipulate logs stored locally on compromised machines. 14.10: Deploy a SEIM for log aggregation and consolidation from multiple machines and for log correlation and analysis. Using the SEIM, system administrators and security personnel should devise profiles of common events so that they can tune detection to focus on unusual activity, avoid false positives, rapidly identify anomalies, and prevent insignificant alerts. 14.11: Carefully monitor for service creation events. On Windows systems, many attackers use psexec functionality to spread from system to system. Creation of a service is an unusual event and should be monitored closely.
CSC-14 Maintenance, Monitoring, and Analysis of Audit Logs
Control Objective Track/control/prevent/correct secure access to information according to the formal determination of which persons, computers, and applications have a need and right to access information based on an approved classification.
Control Carefully identify and separate critical data from information that is readily available to internal network users. Establish a multilevel data classification scheme based on the impact of any data exposure, and ensure that only authenticated users have access to nonpublic data and files.
Consequences of not Implementing this Control Some organizations do not carefully identify and separate their most sensitive data from less sensitive, publicly available information on their internal networks. In many environments, internal users have access to all or most of the information on the network. Once attackers have penetrated such a network, they can easily find and exfiltrate important information with little resistance.
Control System Analysis The data classification system and permission baseline is the blueprint for how authentication and access of data is controlled. Step 1: An appropriate data classification system and permissions baseline applied to production data systems Step 2: Access appropriately logged to a log management system Step 3: Proper access control applied to portable media/USB drives Step 4: Active scanner validates, checks access, and checks data classification Step 5: Host-based encryption and data-loss prevention validates and checks all access requests.
Control Design 15.1: Locate any sensitive information on separated VLANS with proper firewall filtering. All communication of sensitive information over less-trusted networks needs to be encrypted. 15.2: Establish a multi-level data identification/classification scheme (e.g., a three- or four-tiered scheme with data separated into categories based on the impact of exposure of the data). 15.3: Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. 15.4: Segment the network based on the trust levels of the information stored on the servers. Whenever information flows over a network with a lower trust level, the information should be encrypted. 15.5: Use host-based data loss prevention (DLP) to enforce ACLs even when data is copied off a server. In most organizations, access to the data is controlled by ACLs that are implemented on the server. Once the data have been copied to a desktop system, the ACLs are no longer enforced and the users can send the data to whomever they want
CSC-15 Controlled Access Based on Need to Know
Control Objective Track/control/prevent/correct the use of system and application accounts.
Control Review all system accounts and disable any that are not associated with a business process and owner. Immediately revoke system access for terminated employees and contractors. Disable dormant accounts and encrypt and isolate any files associated with such accounts. Use robust passwords that conform to FDCC standards.
Consequences of not Implementing this Control Attackers frequently discover and exploit legitimate but inactive user accounts to impersonate legitimate users, thereby making discovery of attacker behavior difficult for network watchers. Accounts of contractors and employees who have been terminated have often been misused in this way. Additionally, some malicious insiders or former employees have accessed accounts left behind in a system long after contract expiration, maintaining their access to an organization’s computing system and sensitive data for unauthorized and sometimes malicious purposes.
Control System Analysis Examine user accounts and how they interact with the data systems and the log management systems Step 1: User accounts are properly managed on production systems Step 2: User accounts are assigned proper permissions to production data sets Step 3: User account access is logged to log management system Step 4: Log management systems generate user account and access reports for management Step 5: Account baseline information is sent to log management system Step 6: Critical information is properly protected and encrypted for each user account.
Control Design 16.1: Review all system accounts and disable any account that cannot be associated with a business process and owner. 16.2: Ensure that all accounts have an expiration date associated with the account. 16.3: Ensure systems automatically create a report that includes a list of locked-out accounts, disabled accounts, accounts with passwords that exceed maximum password age, and accounts with passwords that never expire. 16.4: Establish and follow a process for revoking system access by disabling accounts immediately upon termination of an employee or contractor. 16.5: Regularly monitor the use of all accounts, automatically logging off users after a standard period of inactivity. 16.6: Monitor account usage to determine dormant accounts that have not been used for a given period, such as 45 days, notifying the user or user's manager of the dormancy. After a longer period, such as 60 days, the account should be disabled. 16.7: When a dormant account is disabled, any files associated with that account should be encrypted and moved to a secure file server for analysis by security or management personnel. 16.8: Require that all non administrator accounts have strong passwords that contain letters, numbers, and special characters, be changed at least every 90 days, have a minimal age of one day, and not be allowed to use the previous 15 passwords as a new password. These values can be adjusted based on the specific business needs of the organization. 16.9: Use and configure account lockouts such that after a set number of failed login attempts the account is locked for a standard period of time. 16.10: On a periodic basis, such as quarterly or at least annually, require that managers match active employees and contractors with each account belonging to their managed staff. Security or system administrators should then disable accounts that are not assigned to active employees or contractors. 16.11: Monitor attempts to access deactivated accounts through audit logging. 16.12: Profile each user's typical account usage by determining normal time-of-day access and access duration. Daily reports should be generated that indicate users who have logged in during unusual hours or have exceeded their normal login duration by 150 percent. This includes flagging the use of the user's credentials from a computer other than computers on which the user generally works.
CSC-16 Account Monitoring and Control
Control Objective Track/control/prevent/correct data transmission and storage, based on the data’s content and associated classification.
Control Scrutinize the movement of data across network boundaries, both electronically and physically, to minimize the exposure to attackers. Monitor people, processes, and systems, using a centralized management framework.
Consequences of not Implementing this Control In recent years, attackers have exfiltrated significant amounts of often-sensitive data from organizations of all shapes and sizes. Many attacks occurred across the network, while others involved physical theft of laptops and other equipment holding sensitive information. Yet in most cases, the victims were not aware that the sensitive data were leaving their systems because they were not monitoring data outflows. The movement of data across network boundaries both electronically and physically must be carefully scrutinized to minimize its exposure to attackers.
Control System Analysis Examine the flow of information in and out of the organization in an attempt to limit potential data loss via network or removable media sources. Step 1: Data encryption system ensures that appropriate hard disks are encrypted Step 2: Sensitive network traffic encrypted Step 3: Data connections monitored at the network's perimeter by monitoring systems Step 4: Stored data scanned to identify where sensitive information is stored Step 5: Offline media encrypted.
Control Design 17.1: Deploy approved hard drive encryption software to mobile devices and systems that hold sensitive data.
17.2: Deploy an automated tool on network perimeters that monitors for certain sensitive information (i.e., personally identifiable information), keywords, and other document characteristics to discover unauthorized attempts to exfiltrate data across network boundaries and block such transfers while alerting information security personnel. 17.3: Conduct periodic scans of server machines using automated tools to determine whether sensitive data (i.e., personally identifiable information, health, credit card, and classified information) is present on the system in clear text. These tools, which search for patterns that indicate the presence of sensitive information, can help identify if a business or technical process is leaving behind or otherwise leaking sensitive information. 17.4: Data should be moved between networks using secure, authenticated, and encrypted mechanisms. 17.5: If there is no business need for supporting such devices, the organization should configure systems so that they will not write data to USB tokens or USB hard drives. If such devices are required, organization software should be used that can configure systems to allow only specific USB devices (based on serial number or other unique property) to be accessed, and that can automatically encrypt all data placed on such devices. An inventory of all authorized devices must be maintained. 17.6: Use network-based DLP solutions to monitor and control the flow of data within the network. Any anomalies that exceed the normal traffic patterns should be noted and appropriate action taken to address them. 17.7: Monitor all traffic leaving the organization and detect any unauthorized use of encryption. Attackers often use an encrypted channel to bypass network security devices. Therefore it is essential that the organization detect rogue connections, terminate the connection, and remediate the infected system. 17.8: Block access to known file transfer and e-mail exfiltration websites.
CSC-17 Data Protection
Control Objective Ensure an organization has a properly tested plan with appropriate trained resources for dealing with any adverse events or threats of adverse events.
Control Develop an incident response plan with clearly delineated roles and responsibilities for quickly discovering an attack and then effectively containing the damage, eradicating the attacker’s presence, and restoring the integrity of network and systems.
Consequences of not Implementing this Control Considerable damage has been done to organizational reputations and a great deal of information has been lost in organizations that do not have fully effective incident response plans in place. Without an incident response plan, an organization may not discover an attack in the first place, or, if the attack is detected, the organization may not follow proper procedures to contain damage, eradicate the attacker’s presence, and recover in a secure fashion. Thus, the attacker may have a far greater impact, causing more damage, infecting more systems, and possibly exfiltrating more sensitive data than would otherwise be possible were an effective incident response plan in place.
Control System Analysis Examine the incident handling process and how prepared the organization is in the event that an incident occurs. Step 1: Incident handling policies and procedures educate workforce members as to their responsibilities during an incident Step 2: Some workforce members designated as incident handlers Step 3: Incident handling policies and procedures educate management as to their responsibilities during an incident Step 4: Incident handlers participate in incident handling scenario tests Step 5: Incident handlers report incidents to management Step 6: The organization's management reports incidents to outside law enforcement and the appropriate computer emergency response team, if necessary.
Control Design 18.1: The organization should ensure that they have written incident response procedures that include a definition of personnel roles for handling incidents. The procedures should define the phases of incident handling consistent with the NIST guidelines cited above. 18.2: The organization should assign job titles and duties for handling computer and network incidents to specific individuals. 18.3: The organization should define management personnel who will support the incident handling process by acting in key decision-making roles. 18.4: The organization should devise organization-wide standards for the time required for system administrators and other personnel to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification. 18.5: The organization should publish information for all personnel, including employees and contractors, regarding reporting computer anomalies and incidents to the incident handling team. Such information should be included in routine employee awareness activities. 18.6: The organization should conduct periodic incident scenario sessions for personnel associated with the incident handling team to ensure that they understand current threats and risks, as well as their responsibilities in supporting the incident handling team.
CSC-18 Incident Response and Management
Control Objective Build, update, and validate a network infrastructure that can properly withstand attacks from advanced threats.
Control Use a robust, secure network engineering process to prevent security controls from being circumvented. Deploy a network architecture with at least three tiers; DMZ, middleware, private network. Allow rapid deployment of new access controls to quickly deflect attacks.
Consequences of not Implementing this Control Many controls in this document are effective but can be circumvented in networks that are poorly designed. Without a carefully planned and properly implemented network architecture, attackers can bypass security controls on certain systems, pivoting through the network to gain access to target machines. Attackers frequently map networks looking for unneeded connections between systems, weak filtering, and a lack of network separation. Therefore, a robust, secure network engineering process must be employed to complement the detailed controls being measured in other sections of this document.
Control System Analysis Examine the network engineering process and evaluating the controls that work together in order to create a secure and robust network architecture. Step 1: Network engineering policies and procedures dictate how network systems function to include dynamic host configuration protocol (DHCP) servers Step 2: DHCP servers provide IP addresses to systems on the network Step 3: Network devices perform DNS lookups to internal DNS servers Step 4: Internal DNS servers perform DNS lookups to external DNS servers Step 5: Network engineering policies and procedures dictate how a central network management system functions Step 6: Central network management systems configure network devices.
Control Design 19.1: Design the network using a minimum of a three-tier architecture (DMZ, middleware, and private network). Any system accessible from the Internet should be on the DMZ, but DMZ systems should never contain sensitive data. Any system with sensitive data should reside on the private network and never be directly accessible from the Internet. DMZ systems should communicate with private network systems through an application proxy residing on the middleware tier. 19.2: To support rapid response and shunning of detected attacks, engineer the network architecture and its corresponding systems for rapid deployment of new access control lists, rules, signatures, blocks, black holes, and other defensive measures. 19.3: Deploy domain name systems (DNS) in a hierarchical, structured fashion, with all internal network client machines configured to send requests to intranet DNS servers, not to DNS servers located on the Internet. These internal DNS servers should be configured to forward requests they cannot resolve to DNS servers located on a protected DMZ. These DMZ servers, in turn, should be the only DNS servers allowed to send requests to the Internet. 19.4: Segment the enterprise network into multiple, separate trust zones to provide more granular control of system access and additional intranet boundary defenses
CSC-19 Secure Network Engineering
Control Objective Simulate attacks against a network to validate the overall security of an organization.
Control Conduct regular internal and external penetration tests that mimic an attack to identify vulnerabilities and gauge the potential damage. Use periodic red team exercises – all-out attempts to gain access to critical data and systems to test existing defenses and response capabilities.
Consequences of not Implementing this Control Attackers penetrate networks and systems through social engineering and by exploiting vulnerable software and hardware. Once they get access, they often burrow deep into target systems and broadly expand the number of machines over which they have control. Most organizations do not exercise their defenses, so they are uncertain about their capabilities and unprepared for identifying and responding to attack.
Control System Analysis Examine red team and penetration exercises and how those efforts can be valuable to organization personnel when identifying which vulnerabilities are present in the organization.
Step 1: Penetration testers perform penetration tests of production systems Step 2: Automated pen-testing tools perform penetration tests of production systems Step 3: Automated pen-testing tools inform penetration tester of vulnerabilities discovered Step 4: Penetration testers perform more extensive penetration tests of test lab systems Step 5: Auditors evaluate and inspect the work performed by automated pen-testing tools Step 6: Auditors evaluate and inspect the work performed by penetration testers Step 7:Penetration testers generate reports and statistics about the vulnerabilities that have been discovered.
Control Design 20.1: Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems. Penetration testing should occur from outside the network perimeter as well as from within its boundaries to simulate both outsider and insider attacks. 20.2: If any user or system accounts are used to perform penetration testing, control and monitor those accounts to make sure they are only being used for legitimate purposes. 20.3: Perform periodic red team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively. 20.4: Ensure that systemic problems discovered in penetration tests and red team exercises are fully tracked and mitigated. Control 20.5: Measure how well the organization has reduced the significant enablers for attackers by setting up automated processes to find: Cleartext e-mails and documents with "password" in the filename or body Critical network diagrams stored online and in cleartext Critical configuration files stored online and in cleartext Vulnerability assessment, penetration test reports, and red team finding documents
stored online and in cleartext Other sensitive information identified by management personnel as critical to the
operation of the enterprise 20.6: Include social engineering within a penetration test. The human element is often the weakest link in an organization and one that attackers often target. 20.7: Plan clear goals of the penetration test itself with blended attacks in mind, identifying the goal machine or target asset. Many APT-style attacks deploy multiple vectors--often social engineering combined with web or network exploitation. Red team manual or automated testing that captures pivoted and multi-vector attacks offers a more realistic assessment of security posture and risk to critical assets. 20.8: Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts. 20.9: Devise a scoring method for determining the results of red team exercises so that results can be compared over time. 20.10: A test bed that mimics a production environment for specific penetration tests and red team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.
CSC-20 Penetration Testing and Red Team Exercises
34
Information Security Advisory Services
Information Security Technology Providers
Information Security Managed Services
Step 5: Select Controls, Technologies, Services
Technology Architecture
Data Center
Intrusion Detection System
Boundary Defense (Firewall)
Security Event Management
External Vulnerability Scans
Web Content Filtering
Internet
Internet DMZ
External Vulnerabilities
External Threats
Boundary Defense
Internal Threats
Internal Vulnerabilities
Web Content Filtering
Web Application Firewall
Asset & Configuration
Network Access Control
DMZ Networks
Web Application Firewall
Cybersecurity Technologies / Tools
Internal Vulnerability Scans
Asset & Config Management
Network Access Control
Patch Management
External vulnerability scanning Systems and networks vulnerable to external attacks Identify missing patches or system misconfigurations
External threat mitigation Actively block threats from Internet Includes DDoS mitigation, content filtering, suspicious traffic
Network firewall policy analysis Separate trusted network from untrusted Internet Reports produced for high-risk firewall policies
Web Application Firewalls Focus on application level threats (OWASP Top 10) Mitigate known attack vectors
DMZ for web-facing applications Semi-trusted security zone for controlled access Separate security zones for isolating applications
Web Content Filtering Continuous website monitoring for malicious code Web reputation & block access to suspicious websites
Internal vulnerability scanning Systems and networks vulnerable to internal attacks Identify missing patches or system misconfigurations
Internal PII Scanning Scan for sensitive data on desktops/laptops and share drives Discover sensitive data on websites, databases, e-mail, …
Network Access Control (NAC) NAC validates devices based on MAC filtering. Ensures device is patched and secure before allowing access
User Access Management • Control User Access (AuthN and AuthZ) Continuous management of university assets & configurations Assets – servers, desktops/laptops, networks Configuration – University standard configurations
Continuous monitoring / alerting for internal threats Alert for privileged user account creation & deletion Alert for log-on failures and account lockouts
Database security technologies
Next-Gen Firewall
Internal PII Scans Sensitive Data
Cybersecurity Program Deliverables
Users, Endpoint, Applications
Database Server Info.
Network
Web Server
User Access Management
User Access Control
36 36
Data Flow Diagram (DFD)
36
Client DNS
Server
Global Load
Balancer
System System Ext. Firewall User, Endpoint, Applications
System Ext. Firewall
Psoft Web
Gateway
System Int. Firewall
IDM Web
Gateway
Oracle Access
Manager (SSO)
System System Active Directory
Name Resolution
Authentication (AuthN)
System Ext. Firewall System Int. Firewall
PSoft Web
Server
PSoft App
Server
System System PSoft Database
Authorization (AuthZ)
1
6
2
5
15
8
14
9
13
10
11
12
25
PSoft Web
Gateway
18
23
7
24
17
Name Resolution: 1. Endpoint client requests name resolution for Psoft.umass.edu 2. Client’s DNS server resolves name to Corporate External DNS 3. Global Load Balancer delegates to External DNS 4. External DNS returns IP address for Web Server (Load Balancer) 5. Global Load Balancer returns IP address to Client DNS 6. Client DNS returns IP address to endpoint client web browser
Authentication (AuthN): 7. Endpoint requests access to PSoft application via Load Balancer 8. Local load balancer forwards request to PSoft Web Gateway 9. PSoft Web Gateway forwards request to IDNM Web Gateway 10. IDM Web Gateway forwards request to Oracle Access Manager 11. Oracle Access Manager forwards request to Active Directory 12. Active Directory authenticates client (Allow or Deny) 13. Oracle Access Manager returns authentication to IDM Web Gateway 14. IDM Web Gateway returns authentication to Psoft Web Gateway 15. Psoft Web Gateway returns authentication to Endpoint client
Authorization (AuthZ): 16. Endpoint requests access to specific page / view within PSoft app 17. Psoft Web Gateway forwards request to PSoft Web Server 18. PSoft Web Serrver forwards request to PSoft App Server 19. Psoft App Server forwards request to Oracle Internet Directory 20. Oracle Internet Directory authorizes access to page / view 21. PSoft App Server provides access to specific tables in database 22. Data is returned from Database to PSoft App Server 23. PSoft App Server returns data to PSoft Web Server 24. PSoft Web Server returns data to Psoft Web Gateway 25. Psoft Web Gateway returns data to Endpoint client
16 Oracle Internet Directory
Local Load
Balancer
Local Load
Balancer
Roles
User Entitlement Store <AuthZ>
User Identity Store <AuthN>
36
Endpoint Devices
Computer Networks
Data Center System
Database
PSoft Tables
User, Endpoint, Applications
Identities
User, Endpoint, Applications
Mobile Application
RSA Appliance
Tokens
User Token Store <2 factor>
11
12
Information
External DNS
Server
3
4
37
Technologies and Services
CSC-01 Inventory of Authorized and Unauthorized Devices
Type: Primary Vendor: Beyond Security Product: AVDS
Type: Primary Vendor: Beyond Trust Product: Retina
Type: Primary Vendor: Critical Watch Product: Fusion VM
Type: Primary Vendor: Intel Security/McAfee Product: McAfee Vulnerability Manager
Type: Primary Vendor: Lumeta Product: IPSonar
Type: Primary Vendor: Open Source Product: NMAP, Open VAS
Type: Primary Vendor: Qualys Product: QualysGuard
Type: Primary Vendor: Rapid7 Product: Nexpose
Type: Primary Vendor: Symantec Product: Altiris Asset Management Suite, CCS
Type: Primary Vendor: Tenable Product: Nessus, PVS
Type: Primary Vendor: Tripwire Product: Tripwire IP360, Tripwire Enterprise , Tripwire CCM
Type: Secondary Vendor: Aruba Product: ClearPass
Type: Secondary Vendor: Bradford Networks Product: Network Sentry
Type: Secondary Vendor: Cisco Product: Identity Services Engine
Type: Secondary Vendor: ForeScout Product: CounterACT
Primary Capability: Discovery, Vulnerability Assessment Secondary Capability: Network Access Control
38
CSC-02 Inventory of Authorized and Unauthorized Software
Type: Primary Vendor: Beyond Trust Product: Retina
Type: Primary Vendor: IBM Product: Endpoint Manager
Type: Primary Vendor: Lumension Product: Patch and Remediation
Type: Primary Vendor: Microsoft Product: System Center
Type: Primary Vendor: Qualys Product: QualysGuard
Type: Primary Vendor: Secunia Product: Corporate Software Inspector
Type: Primary Vendor: Qualys Product: QualysGuard
Type: Primary Vendor: Symantec Product: Altiris Client Management Suite
Type: Primary Vendor: Tenable Product: Nessus, PVS
Type: Primary Vendor: Tripwire Product: Tripwire IP360, Tripwire Enterprise , Tripwire CCM
Type: Secondary Vendor: Avecto Product: Privilege Guard
Type: Secondary Vendor: Bit9 Product: Security Platform
Type: Secondary Vendor: Bromium Product: vSentry
Type: Secondary Vendor: IBM Product: Trusteer Apex
Type: Secondary Vendor: Intel Security/McAfee Product: McAfee Application Control
Type: Secondary Vendor: Invincea Product: FreeSpace Enterprise
Type: Secondary Vendor: Lumension Product: Application Control
Type: Secondary Vendor: Signacert Product: Integrity
Type: Secondary Vendor: Viewfinity Product: Application Control
Primary Capability: Software Change Management, Vulnerability Management Secondary Capability: Application Whitelisting, Virtual Container
39
CSC-03 Secure Configurations for Laptops, Workstations, Servers
Type: Primary Vendor: Beyond Trust Product: Retina
Type: Primary Vendor: Intel Security/McAfee Product: McAfee Vulnerability Manager/McAfee Policy Auditor
Type: Primary Vendor: Lumension Product: Patch and Remediation
Type: Primary Vendor: Microsoft Product: System Center
Type: Primary Vendor: Qualys Product: QualysGuard
Type: Primary Vendor: Symantec Product: Altiris Client Management Suite
Type: Primary Vendor: Tenable Product: Nessus, PVS
Type: Primary Vendor: Tripwire Product: Tripwire IP360, Tripwire Enterprise , Tripwire CCM
Type: Primary Vendor: VMWare Product: vCenter Configuration Manager
Type: Secondary Vendor: Axeda Product: Connected Access
Type: Secondary Vendor: SecureLink Product: Enterprise
Type: Secondary Vendor: Xceedium Product: Xsuite
Primary Capability: Vulnerability Assessment Secondary Capability: Patch Management, Secure Remote Access
40
CSC-04 Continuous Vulnerability Assessment and Remediation
Type: Primary Vendor: Beyond Trust Product: Retina
Type: Primary Vendor: Beyond Security Product: AVDS
Type: Primary Vendor: Critical Watch Product: Fusion VM
Type: Primary Vendor: IBM Product: Endpoint Manager
Type: Primary Vendor: Qualys Product: QualysGuard
Type: Primary Vendor: Symantec Product: Altiris ITMS, CCS
Type: Primary Vendor: Tenable Product: Nessus, PVS
Type: Primary Vendor: Tripwire Product: Tripwire IP360, Tripwire Log Center
Type: Primary Vendor: Intel Security/McAfee Product: McAfee Vulnerability Manager
Type: Primary Vendor: Lumeta Product: IPSonar
Type: Primary Vendor: Open Source Product: NMAP, Open VAS
Type: Primary Vendor: Rapid7 Product: Nexpose, Metasploit
Primary Capability: Vulnerability Assessment
41
CSC-05 Malware Defense
Type: Primary Vendor: Intel Security/McAfee Product: McAfee Endpoint Protection
Type: Primary Vendor: Kaspersky Product: Endpoint Security for Business
Type: Primary Vendor: Sophos Product: Complete Security Suite
Type: Primary Vendor: Symantec Product: SEP
Type: Primary Vendor: Trend Micro Product: Enterprise Security for Endpoints
Type: Secondary Vendor: Damballa Product: FailSafe
Type: Secondary Vendor: FireEye Product: FireEye Network Threat Prevention Platform
Type: Secondary Vendor: IBM Product: Network IPS
Type: Secondary Vendor: Intel Security/McAfee Product: Advanced Threat Defense
Type: Secondary Vendor: Lancope Product: StealthWatch
Type: Secondary Vendor: Sourcefire Product: = Firepower
Type: Secondary Vendor: Trend Micro Product: Deep Discovery
Primary Capability: Endpoint Protection Platforms Secondary Capability: Network-Based Protection
42
CSC-06 Application Software Security
Type: Primary Vendor: Armorize (ProofPoint) Product: HackAlert CodeSecure
Type: Primary Vendor: Cenzic (Trustwave) Product: Cenzic Enterprise
Type: Primary Vendor: Checkmarx Product: CX Suite
Type: Primary Vendor: Coverity (Synopsis) Product: Code Advisor
Type: Primary Vendor: HP (Fortify) Product: HP Fortify 360, HP Fortify on Demand, HP WebInspect
Type: Primary Vendor: Appscan Product: IBM
Type: Primary Vendor: Klocwork (RogueWave Software) Product: Insight
Type: Primary Vendor: NTObjectives Product: NTO Spider
Type: Primary Vendor: Open Source Product: Agnitio, W3AF, Wapiti
Type: Primary Vendor: Qualys Product: QualysGuard WAS
Type: Primary Vendor: Sonatype Product: = CLM
Type: Primary Vendor: Veracode Product: Static/Dynamic
Type: Primary Vendor: WhiteHat Product: Sentinel
Type: Secondary Vendor: Akamai Product: Kona
Type: Secondary Vendor: Barracuda Product: Web App Firewall
Type: Secondary Vendor: Citrix Product: = Netscaler
Type: Secondary Vendor: Cloudflare Product: CloudFlare Pro, Business, Enterprise
Type: Secondary Vendor: Dell SecureWorks Product: Managed Web App Firewall, Web Application Testing
Type: Secondary Vendor: F5 Product: Application Security Manager
Type: Secondary Vendor: Imperva Product: SecureSphere, Incapsula
Type: Secondary Vendor: Open Source Product: = Mod Security, IronBee
Type: Secondary Vendor: Qualys Product: QualysGuard WAF
Type: Secondary Vendor: Radware Product: AppWall
Type: Secondary Vendor: Riverbed Product: StingRay Application Firewall
Type: Secondary Vendor: Trustwave Product: Web Application Firewall
Primary Capability: Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) Secondary Capability: Web Application Firewalls
43
CSC-07 Wireless Access Control
Type: Primary Vendor: Aerohive Product: HiveOS
Type: Primary Vendor: AirMagnet (Fluke) Product: WiFi Analyzer
Type: Primary Vendor: AirPatrol (Sysorex) Product: Zone Defense
Type: Primary Vendor: AirTight Product: WIPS
Type: Primary Vendor: Aruba Product: RF Protect
Type: Primary Vendor: Cisco Product: aWIPS
Type: Primary Vendor: Motorola Product: AirDefense
Type: Primary Vendor: Tenable Product: Nessus, Security Center
Type: Primary Vendor: Tripwire Product: Tripwire CCM
Type: Secondary Vendor: Aruba Product: ClearPass
Type: Secondary Vendor: Bradford Networks Product: = Network Sentry
Type: Secondary Vendor: Cisco Product: Identity Services Engine
Type: Secondary Vendor: ForeScout Product: CounterACT
Primary Capability: Wireless LAN Intrusion Prevention System (WIPS) Secondary Capability: Network Access Control
44
CSC-08 Data Recovery Capability
Type: Primary Vendor: AccessData Product: HiveOSAccessData FTK and PRTK
Type: Primary Vendor: BeyondTrust Product: PowerBroker Recovery for Active Directory
Type: Primary Vendor: Elcom Product: ElcomSoft EFDD – Bitlocker, TruCrypt
Type: Primary Vendor: Guidance Software Product: Encase Enterprise Edition
Type: Primary Vendor: IBM Product: Tivoli Storage Manager
Type: Primary Vendor: Symantec Product: NBU
Primary Capability: Data Recovery
45
CSC-09 Security Skills Assessment & Training to Fill Gaps
Type: Primary Vendor: GIAC (SANS) Product: Cyber Skills Assessment
Type: Primary Vendor: SANS Institute Product: Cyber Simulators (Netwars) and Skills Validation
Type: Secondary Vendor: GIAC (SANS) Product: GIAC Critical Controls Certification
Type: Secondary Vendor: SANS Institute Product: 50 Hands-on Immersion Courses
Type: Secondary Vendor: SANS Technology Institute Product: Degree Programs
Type: Secondary Vendor: University of Tulsa Product: Degree Programs
Type: Secondary Vendor: Virginia Tech Product: Degree Programs
Type: Secondary Vendor: Dakota State University Product: Degree Programs
Type: Secondary Vendor: Naval Postgraduate School Product: Degree Programs
Primary Capability: Assessment Secondary Capability: Skills Development/Degrees
46
CSC-10 Secure Configurations for Firewalls, Routers, and Switches
Type: Primary Vendor: AlgoSec Product: Firewall Analyzer & FireFlow
Type: Primary Vendor: FireMon Product: SecurityManager
Type: Primary Vendor: IBM Product: Network Configuration Manager
Type: Primary Vendor: RedSeal Product: Platform
Type: Primary Vendor: Firewall Assurance Product: Skybox Security
Type: Primary Vendor: Firewall Security Manager Product: Solarwinds
Type: Primary Vendor: Tripwire Product: Tripwire Enterprise
Type: Primary Vendor: Tuffin Product: Security Policy Orchestration Solution
Primary Capability: Assessment
47
CSC-11 Limitation & Control of Network Ports, Protocols, Services
Type: Primary Vendor: Beyond Security Product: AVDS
Type: Primary Vendor: Beyond Trust Product: Retina
Type: Primary Vendor: Critical Watch Product: Fusion VM
Type: Primary Vendor: Intel Security/McAfee Product: McAfee Vulnerability Manager
Type: Primary Vendor: Lumeta Product: IPSonar
Type: Primary Vendor: Open Source Product: NMAP, Open VAS
Type: Primary Vendor: Qualys Product: QualysGuard
Type: Primary Vendor: Symantec Product: Altiris Asset Management Suite, CCS
Type: Primary Vendor: Rapid7 Product: Nexpose
Type: Primary Vendor: Tenable Product: Altiris Asset Nessus, PVS
Type: Primary Vendor: Tripwire Product: Tripwire IP360, Tripwire Enterprise and Tripwire CCM
Type: Secondary Vendor: Cisco Product: ASA Series and Virtual ASA
Type: Secondary Vendor: Dell Sonicwall Product: SonicWall
Type: Secondary Vendor: Fortinet Product: FortiGate
Type: Secondary Vendor: Intel Security/McAfee Product: McAfee Next Generation Firewall
Type: Secondary Vendor: Juniper Product: SRX, Netscreen, Firefly
Type: Secondary Vendor: Palo Alto Networks Product: PaloAlto NGFW
Primary Capability: Discovery, Vulnerability Assessment Secondary Capability: Application Firewall
48
CSC-12 Controlled Use of Administrative Privileges
Type: Primary Vendor: Avecto Product: Privilege Guard
Type: Primary Vendor: Beyond Trust Product: PowerBroker
Type: Primary Vendor: Chainfire Product: SuperSU
Type: Primary Vendor: Cyber-Ark Product: Privileged Account Security Solution
Type: Primary Vendor: Dell Product: Privileged Password Manager
Type: Primary Vendor: IBM Product: Security Privileged identity Manager
Type: Primary Vendor: Microsoft Product: System Center, Active Directory
Type: Primary Vendor: Open Source Product: sudo
Type: Primary Vendor: Security Compliance Corporation (SCC) Product: Access Auditor
Type: Primary Vendor: Symantec Product: CCS
Type: Primary Vendor: Viewfinity Product: Privilege Management
Type: Primary Vendor: Xceedium Product: Xsuite
Primary Capability: Assessment
49
CSC-13 Boundary Defense
Type: Primary Vendor: Check Point Product: 2200
Type: Primary Vendor: Cisco Product: ASA Series and Virtual ASA
Type: Primary Vendor: Dell Sonicwall Product: SonicWall
Type: Primary Vendor: Fortinet Product: FortiGate
Type: Primary Vendor: Intel Security/McAfee Product: McAfee Next Generation Firewall
Type: Primary Vendor: Juniper Product: SRX, Netscreen, Firefly
Type: Primary Vendor: Palo Alto Networks Product: PaloAlto NGFW
Type: Secondary Vendor: Fidelis Product: XPS
Type: Secondary Vendor: FireEye Product: FireEye Network Threat Prevention Platform
Type: Secondary Vendor: HP Product: HP Tipping Point NGFW
Type: Secondary Vendor: IBM Product: Network IPS
Type: Secondary Vendor: Intel Security/McAfee Product: McAfee Network Security Platform
Type: Secondary Vendor: Lancope Product: StealthWatch
Type: Secondary Vendor: Open Source Product: Snort, Suricata
Type: Secondary Vendor: Sourcefire (Cisco) Product: Firepower
Primary Capability: Firewall Secondary Capability: Intrusion Prevention System
50
CSC-14 Maintenance, Monitoring, and Analysis of Audit Logs
Type: Primary Vendor: AccelOps Product: SIEM
Type: Primary Vendor: AlienVault Product: Unified Security Management
Type: Primary Vendor: CorreLog Product: CorreLog Security Correlation Server
Type: Primary Vendor: Dell SecureWorks Product: Security Monitoring, Log Management
Type: Primary Vendor: EIQ Networks Product: SecureVUE
Type: Primary Vendor: EventTracker Product: Enterprise
Type: Primary Vendor: HP Product: ArcSight ESM, Logger
Type: Primary Vendor: IBM Product: QRadar
Type: Primary Vendor: Infogressive Product: Event Correlation
Type: Primary Vendor: Intel Security/McAfee Product: McAfee Enterprise Security Manager
Type: Primary Vendor: Lancope Product: StealthWatch
Type: Primary Vendor: LogRhythm Product: Security Intelligence Platform
Type: Primary Vendor: KeyW Product: Hawkeye AP
Type: Primary Vendor: Open Source Product: Snare, OSSIM
Type: Primary Vendor: SolarWinds Product: Log and Event Manager
Type: Primary Vendor: Splunk Product: Splunk App for Enterprise Security
Type: Primary Vendor: Tenable Product: Security Center
Type: Primary Vendor: TIBCO Product: LogLogic
Type: Primary Vendor: Tripwire Product: Tripwire Log Center
Primary Capability: Log Management
51
CSC-15 Controlled Access Based on Need to Know
Type: Primary Vendor: Courion Product: Access Assurance Suite
Type: Primary Vendor: HyTrust Product: Appliance
Type: Primary Vendor: IBM Product: Access Manager for Web
Type: Primary Vendor: Novell Product: Access Governance Suite
Type: Primary Vendor: Oracle Product: Identity Governance Suite
Type: Primary Vendor: Aveksa Product: RSA
Type: Primary Vendor: Sailpoint Product: Identity IQ
Type: Primary Vendor: Security Compliance Corporation (SCC) Product: Access Auditor
Primary Capability: Access Management
52
CSC-16 Account Monitoring and Control
Type: Primary Vendor: Courion Product: Access Assurance Suite
Type: Primary Vendor: HyTrust Product: Appliance
Type: Primary Vendor: IBM Product: Security Identity Manager
Type: Primary Vendor: Novell Product: Access Management Suite
Type: Primary Vendor: Oracle Product: Identity Governance Suite
Type: Primary Vendor: RSA Product: Aveska
Type: Primary Vendor: Sailpoint Product: Identity IQ
Type: Primary Vendor: Security Compliance Corporation (SCC) Product: Access Auditor
Type: Primary Vendor: Dell Product: Enterprise Reporter
Type: Primary Vendor: MaxPowerSoft Product: AD Reports
Type: Primary Vendor: Microsoft Product: Active Directory
Primary Capability: Account Monitoring
53
CSC-17 Data Protection
Type: Primary Vendor: Check Point Product: DLP Software Blade
Type: Primary Vendor: Code Green Product: TrueDLP
Type: Primary Vendor: Fidelis Product: XPS
Type: Primary Vendor: Fortinet Product: FortiGate
Type: Primary Vendor: Intel Security/McAfee Product: McAfee Total Protection for DLP
Type: Primary Vendor: RSA Product: DLP
Type: Primary Vendor: Symantec Product: DLP
Type: Primary Vendor: Trend Micro Product: DLP and SecureCloud
Type: Primary Vendor: Verdasys Product: Digital Guardian
Type: Secondary Vendor: Check Point Product: Full Disk Encryption
Type: Secondary Vendor: CloudLock Product: Cloud Lock for Salesforce
Type: Secondary Vendor: Intel Security/McAfee Product: McAfee Total Protection for DLP
Type: Secondary Vendor: Microsoft Product: BitLocker
Type: Secondary Vendor: RSA Product: Data Protection Manager
Type: Secondary Vendor: Safenet Product: Storage Secure
Type: Secondary Vendor: Symantec Product: Encryption Manager Services
Type: Secondary Vendor: Wave Product: Safend Data Protection Suite
Type: Secondary Vendor: WinMagic Product: SecureDoc
Primary Capability: DLP Secondary Capability: Encryption
54
CSC-18 Incident Response and Management
Type: Primary Vendor: AccessData Product: ResolutionOne™ Platform
Type: Primary Vendor: Bit9 Product: CarbonBlack
Type: Primary Vendor: Cellebrite Product: UFED
Type: Primary Vendor: Co3 Systems Product: Security Module
Type: Primary Vendor: CorreLog Product: CorreLog Enterprise Server
Type: Primary Vendor: CyberSponse Product: CyberSponse
Type: Primary Vendor: Dell SecureWorks Product: Essential Series, Incident Response Services, Security Monitoring
Type: Primary Vendor: F-Response Product: F-Response Enterprise
Type: Primary Vendor: Guidance Software Product: EnCase Cybersecurity
Type: Secondary Vendor: Infogressive Product: Incident Response & Forensics
Type: Secondary Vendor: Lancope Product: StealthWatch
Type: Secondary Vendor: LogRhythm Product: Smart Response
Type: Secondary Vendor: Mandiant Product: Mandiant Intelligent Response (MIR)
Primary Capability: Incident Management
55
CSC-19 Secure Network Engineering
Type: Primary Vendor: AlgoSec Product: Firewall Analyzer & FireFlow
Type: Primary Vendor: CloudPassage Product: Halo Platform
Type: Primary Vendor: FireMon Product: SecurityManager
Type: Primary Vendor: RedSeal Product: Platform
Type: Primary Vendor: Skybox Security Product: Firewall Assurance
Type: Primary Vendor: Solarwinds Product: Firewall Security Manager
Type: Primary Vendor: Tripwire Product: Tripwire Enterprise
Type: Primary Vendor: Tuffin Product: Security Policy Orchestration Solution
Primary Capability: Network Security Engineering
56
CSC-20 Penetration Testing and Red Team Exercises
Type: Primary Vendor: Core Security Product: Core Impact
Type: Primary Vendor: Dell SecureWorks Product: Penetration Testing Services
Type: Primary Vendor: Infogressive Product: Penetration Testing Services
Type: Primary Vendor: Immunity Product: CANVAS
Type: Primary Vendor: Open Source Product: Mobisec
Type: Primary Vendor: Pwnie Express Product: Pwn Pad/Plug/Appliance
Type: Primary Vendor: Rapid7 Product: Metasploit
Type: Primary Vendor: SAINT Product: SAINT 8 Security Suite
Type: Primary Vendor: Secure Ideas Product: MySecurityScanner
Type: Primary Vendor: Strategic Cyber LLC Product: Armitage / Cobalt Strike
Primary Capability: Penetration Testing
57
NIST Framework Vendor Technology/ Tool PRG-01 PRG-02 PRG-03 PRG-04 PRG-05 PRG-06 PRG-07 PRG-08
Identify
(ID)
Qualys Vulnerability Scanner • • • •
Dell KACE K1000 • • • •
Oracle Virtual Machine (OVM) • • • •
Oracle Enterprise Manager (OEM) • • • •
Oracle Mobile Security Suite • • • •
Solar Winds Network Performance Monitor • • • •
Plixer Scrutinizer Flow Analyzer • • • •
AlgoSec Firewall Analyzer • • • •
Identity Finder Data Discover • • • •
Microsoft DHCP Server Logging • • • •
Veracode Secure Code Developer Training • • • •
Veracode Binary Static Analysis • • • •
Veracode Dynamic Analysis • • • •
Protect
(PR)
Qualys Web Application Firewall • • • •
Quest Software Tool for Oracle App Developer (TOAD) • • • •
Aruba Wireless LAN • • • •
EiQ SecureVue SIEM • • • •
Check Point NextGen Firewall • • • •
SANS Securing The Human • • • •
McAfee Endpoint Protection Suite (EPS) • • • •
McAfee Data Protection Suite (DPS) • • • •
Oracle Database Security Suite • • • •
Microsoft Bitlocker Drive Encryption • • • •
Microsoft Windows Active Directory (AD) • • • •
Apple File Vault Full Disk Encryption for MACs • • • •
Cisco Firewall Services Management (FWSM) • • • •
Cisco ASA Firewall • • • •
Cisco AnyConnect VPN • • • •
Sophos E-mail Appliance • • • •
Detect
(DE)
EiQ SecureVue SIEM • • • •
Check Point NextGen Firewall • • • •
Dell KACE K1000 • • • •
Splunk Splunk Enterprise SIEM • • • •
Oracle Enterprise Manager (OEM) • • • •
Oracle Database Security Suite • • • •
Solar Winds Network Performance Monitor • • • •
Plixer Scrutinizer Flow Analyzer • • • •
Respond
(RS) Absolute SW CompuTrace Lojack for Laptops
• • • •
Recover
(RC)
EMC Avamar • • • •
EMC Data Guard • • • •
Step 6: Build Asset / Program Master Plan
58
Framework
Core
Framework Categories Security
Controls
Controls Description Primary Vendors Program Alignment
Identify (ID)
Asset Management
Business Environment
Governance
Risk Assessment
Risk Management Strategy
CSC-01
CSC-02
CSC-04
CSC-11
Inventory of Authorized / Unauthorized Devices
Inventory of Authorized / Unauthorized Software
Vulnerability Management
Control of Network Ports, Protocols & Services
Qualys
Qualys
Dell
Oracle
Oracle
Plixer
Microsoft
Identity Finder
Quest Software
Vulnerability Assessment and Reporting Asset Management via Asset Tagging Device and Software Inventory for windows and MACs Gold Image – Standard Build Configuration Baseline Mobile Application and Data Security
Identify devices on the network (via traffic monitoring)
Identify devices on the network (via connection monitoring) Identify documents, files, that store sensitive data Configuration Change Control
Protect (PR)
Access Control
Awareness and Training
Data Security
Information Protection Process
Maintenance
Protective Technology
CSC-03
CSC-06
CSC-07
CSC-09
CSC-10
CSC-12
CSC-13
CSC-14
CSC-15
CSC-16
CSC-17
CSC-19
Secure Configuration of Laptops, Workstations, Servers
Application Software Security
Wireless Access Control
Security Skills Assessment and Appropriate Training
Secure configuration of Firewalls, Routers, Switches
Controlled Use of Administrative Privileges
Boundary Defenses
Maintenance, Monitoring, Analysis of Audit Logs
Controlled Access Based on Need to Know
Account Monitoring and Control
Data Loss Prevention
Secure Network Engineering
Dell
Absolute Software
Oracle
Aruba
Check Point
McAfee
McAfee
Microsoft
Microsoft
Apple
Device and Software Inventory for windows and MACs
Track, lock, wipe, recover stolen devices
Mobile Application and Data Security Access control for mobile devices and users Visibility of users, groups and machines (via AD) Desktop & Server Anti-virus, Firewall, Filtering File, Folder, Drive, Media Encryption Domain services for users, computers, printers, services Hard Drive Encryption for Windows Hard Drive Encryption for MACs
Detect
(DE)
Anomalies and Events
Security Continuous Monitoring
Detection Processes
CSC-05
CSC-14
CSC-16
CSC-20
Malware Defenses
Maintenance, Monitoring, Analysis of Audit Logs
Account Monitoring and Control
Penetration Testing and Red Team Exercises
McAfee
McAfee
Aruba
Check Point
Dell
Plixer
Absolute Software
Desktop & Server Anti-virus, Firewall, Filtering File, Folder, Drive, Media Encryption Access control for mobile devices and users Visibility of users, groups and machines 9via AD) Active monitoring for devices, software, configuration changes
Identify devices on the network (via traffic monitoring)
Track, lock, wipe, recover stolen devices
Respond
(RS)
Response Planning
Communications
Analysis
Mitigation
Improvements
CSC-18
Incident Response and Management Absolute Software Remotely engage with the device regardless of user or location
Remotely wipe (and if necessary retrieve) corporate data
Employ forensic tools, carry out investigations
Work closely with police to recover stolen devices
Recover (RC)
Recovery Planning
Improvements
Communications
CSC-08
Data Backup and Recovery Oracle
Microsoft
Absolute Software
Gold Image – Standard Build Configuration Baseline
File Share (H Drive) to save local files
Remotely engage with the device regardless of user or location
Remotely wipe (and if necessary retrieve) corporate data
Employ forensic tools, carry out investigations
Work closely with police to recover stolen devices
A1 Endpoint Devices Security
59
A2 Network Security
Framework Core Framework Categories Security
Controls
Controls Description Primary Vendors Program Alignment
Identify (ID)
Asset Management
Business Environment
Governance
Risk Assessment
Risk Management Strategy
CSC-01
CSC-02
CSC-04
CSC-11
Inventory of Authorized / Unauthorized Devices
Inventory of Authorized / Unauthorized Software
Vulnerability Management
Control of Network Ports, Protocols & Services
Qualys
Qualys
Solar Winds
Plixer
AlgoSec
Quest Software
Vulnerability Assessment and Reporting Asset Management via Asset Tagging Monitor network devices (Availability)
Identify devices on the network (via traffic monitoring)
Identify firewall policy risks Configuration Change Control
Protect (PR)
Access Control
Awareness and Training
Data Security
Information Protection Process
Maintenance
Protective Technology
CSC-03
CSC-06
CSC-07
CSC-09
CSC-10
CSC-12
CSC-13
CSC-14
CSC-15
CSC-16
CSC-17
CSC-19
Secure Configuration of Laptops, Workstations, Servers
Application Software Security
Wireless Access Control
Security Skills Assessment and Appropriate Training
Secure configuration of Firewalls, Routers, Switches
Controlled Use of Administrative Privileges
Boundary Defenses
Maintenance, Monitoring, Analysis of Audit Logs
Controlled Access Based on Need to Know
Account Monitoring and Control
Data Loss Prevention
Secure Network Engineering
Aruba
EiQ
Check Point
Check Point
Check Point
Microsoft
Cisco
Cisco
Cisco
Cisco
Wireless network for endpoint connectivity Manage traffic entering the network and connecting to servers
Application security and identity control
Detects bot-infected machines, prevents bot damages Enforcement and management of Web security Domain services for users, computers, printers, services Segment networks into different trust zones Manage privileged access to firewalls, switches, routers Manage access from the Internet based on firewall rules Provides employee and vendor remote access (AD)
Detect
(DE)
Anomalies and Events
Security Continuous Monitoring
Detection Processes
CSC-05
CSC-14
CSC-16
CSC-20
Malware Defenses
Maintenance, Monitoring, Analysis of Audit Logs
Account Monitoring and Control
Penetration Testing and Red Team Exercises
Aruba
EiQ
Check Point
Check Point
Check Point
Splunk
Oracle
Solar Winds
Plixer
Wireless network for endpoint connectivity Manage traffic entering the network and connecting to servers Identify, block, limit usage to web apps & widgets) Detects bot-infected machines, prevents bot damages Cloud based categorization and URL updates) Firewall blocks and syslog for network devices Availability and Performance Monitoring Monitor network devices (Availability)
Identify devices on the network (via traffic monitoring)
Respond
(RS)
Response Planning
Communications
Analysis
Mitigation
Improvements
CSC-18
Incident Response and Management
Recover (RC)
Recovery Planning
Improvements
Communications
CSC-08
Data Backup and Recovery
60
A3 Data Center System Security
Framework Core Framework Categories Security
Controls
Controls Description Primary Vendors Program Alignment
Identify (ID)
Asset Management
Business Environment
Governance
Risk Assessment
Risk Management Strategy
CSC-01
CSC-02
CSC-04
CSC-11
Inventory of Authorized / Unauthorized Devices
Inventory of Authorized / Unauthorized Software
Vulnerability Management
Control of Network Ports, Protocols & Services
Qualys
Qualys
Dell
Oracle
Oracle
Plixer
Identity Finder
Quest Software
Vulnerability Assessment and Reporting Asset Management via Asset Tagging Device and Software Inventory for windows and MACs Gold Image – Standard Build Configuration Baseline Availability and Performance Monitoring
Identify devices on the network (via traffic monitoring)
Identify documents, files, etc. that store sensitive data (SSN, credit card,.) Configuration Change Control
Protect (PR)
Access Control
Awareness and Training
Data Security
Information Protection Process
Maintenance
Protective Technology
CSC-03
CSC-06
CSC-07
CSC-09
CSC-10
CSC-12
CSC-13
CSC-14
CSC-15
CSC-16
CSC-17
CSC-19
Secure Configuration of Laptops, Workstations, Servers
Application Software Security
Wireless Access Control
Security Skills Assessment and Appropriate Training
Secure configuration of Firewalls, Routers, Switches
Controlled Use of Administrative Privileges
Boundary Defenses
Maintenance, Monitoring, Analysis of Audit Logs
Controlled Access Based on Need to Know
Account Monitoring and Control
Data Loss Prevention
Secure Network Engineering
EiQ
Check Point
Check Point
McAfee
McAfee
McAfee
Microsoft
Managing and Monitoring for Security Events Manage traffic entering the network and connecting to servers Protection against the latest threat vectors Desktop & Server Anti-virus, Firewall, Filtering File, Folder, Drive, Media Encryption Remote Desktop / Citrix capability Domain services for users, computers, printers, services
Detect
(DE)
Anomalies and Events
Security Continuous
Monitoring
Detection Processes
CSC-05
CSC-14
CSC-16
CSC-20
Malware Defenses
Maintenance, Monitoring, Analysis of Audit Logs
Account Monitoring and Control
Penetration Testing and Red Team Exercises
EiQ
Check Point
Check Point
Dell
Splunk
Oracle
Managing and Monitoring for Security Events
Firewall and IPS Software Blade
Anti-Bot, Anti-Malware, Anti-Spam Software Blade
Active monitoring for devices, software, configuration changes
Monitoring syslog events
Availability and Performance Monitoring
Respond
(RS)
Response Planning
Communications
Analysis
Mitigation
Improvements
CSC-18
Incident Response and Management
Recover (RC)
Recovery Planning
Improvements
Communications
CSC-08
Data Backup and Recovery EMC Scheduled backups for files, folders
61
A4 Database Security
Framework Core Framework Categories Security
Controls
Controls Description Primary
Vendors
Program Alignment
Identify (ID)
Asset Management
Business Environment
Governance
Risk Assessment
Risk Management Strategy
CSC-01
CSC-02
CSC-04
CSC-11
Inventory of Authorized / Unauthorized Devices
Inventory of Authorized / Unauthorized Software
Vulnerability Management
Control of Network Ports, Protocols & Services
Qualys
Qualys
Qualys
Quest Software
Malicious code protector and streaming inspection (OWASP top 10 risks)
Vulnerability Assessment and Reporting Asset Management via Asset Tagging Configuration Change Control
Protect (PR)
Access Control
Awareness and Training
Data Security
Information Protection Process
Maintenance
Protective Technology
CSC-03
CSC-06
CSC-07
CSC-09
CSC-10
CSC-12
CSC-13
CSC-14
CSC-15
CSC-16
CSC-17
CSC-19
Secure Configuration of Laptops, Workstations, Servers
Application Software Security
Wireless Access Control
Security Skills Assessment and Appropriate Training
Secure configuration of Firewalls, Routers, Switches
Controlled Use of Administrative Privileges
Boundary Defenses
Maintenance, Monitoring, Analysis of Audit Logs
Controlled Access Based on Need to Know
Account Monitoring and Control
Data Loss Prevention
Secure Network Engineering
Qualys
Quest Software
Oracle
Oracle
Oracle
Oracle
Oracle
Oracle
Oracle
Blocks attacks against websites in real time Build, manage, maintain Oracle Centralized configuration of the audit policies Parse and categorize database traffic originating from application or user Table space encryption for data at rest, encrypt SQL network traffic Protect databases to known & newly identified vulnerabilities Store & manage password policies and reporting users in a directory Scripts can be built to mask data Password management - provision, manage access to privileged accounts
Detect
(DE)
Anomalies and Events
Security Continuous
Monitoring
Detection Processes
CSC-05
CSC-14
CSC-16
CSC-20
Malware Defenses
Maintenance, Monitoring, Analysis of Audit Logs
Account Monitoring and Control
Penetration Testing and Red Team Exercises
Oracle
Oracle
Oracle
Oracle
Oracle
Oracle
Oracle
Centralized configuration of the audit policies Parse and categorize database traffic originating from application or user Table space encryption for data at rest, encrypt SQL network traffic Protect databases to known & newly identified vulnerabilities Store & manage password policies and reporting users in a directory Scripts can be built to mask data Password management - provision, manage access to privileged accounts
Respond
(RS)
Response Planning
Communications
Analysis
Mitigation
Improvements
CSC-18
Incident Response and Management
Recover (RC)
Recovery Planning
Improvements
Communications
CSC-08
Data Backup and Recovery EMC
62
Framework Core Framework Categories Security
Controls
Controls Description Primary Vendors Program Alignment
Identify (ID)
Asset Management
Business Environment
Governance
Risk Assessment
Risk Management Strategy
CSC-01
CSC-02
CSC-04
CSC-11
Inventory of Authorized / Unauthorized Devices
Inventory of Authorized / Unauthorized Software
Vulnerability Management
Control of Network Ports, Protocols & Services
Qualys
Veracode
Veracode
Veracode
Quest Software
Malicious code and streaming inspection (OWASP top 10 risks)
Secure code development (improve skills / knowledge)
Code review / reporting (Enforce standards through code reviews)
Schedule and conduct regular penetration testing
Application Change Control and Ticketing
Protect (PR)
Access Control
Awareness and Training
Data Security
Information Protection
Process
Maintenance
Protective Technology
CSC-03
CSC-06
CSC-07
CSC-09
CSC-10
CSC-12
CSC-13
CSC-14
CSC-15
CSC-16
CSC-17
CSC-19
Secure Configuration of Laptops, Workstations, Servers
Application Software Security
Wireless Access Control
Security Skills Assessment and Appropriate Training
Secure configuration of Firewalls, Routers, Switches
Controlled Use of Administrative Privileges
Boundary Defenses
Maintenance, Monitoring, Analysis of Audit Logs
Controlled Access Based on Need to Know
Account Monitoring and Control
Data Loss Prevention
Secure Network Engineering
Qualys
Quest Software (TOAD)
Check Point
Check Point
Check Point
Check Point
Microsoft
Sophos
Blocks attacks against websites in real time Build, manage, maintain Oracle databases
Application security and identity control
Detects bot-infected machines, prevents bot damages Enforcement and management of Web security
Protects sensitive information from unintentional loss
Authenticates users on the network (via credentials)
Protection for messaging infrastructure (spam, virus, malware threats)
Detect
(DE)
Anomalies and Events
Security Continuous
Monitoring
Detection Processes
CSC-05
CSC-14
CSC-16
CSC-20
Malware Defenses
Maintenance, Monitoring, Analysis of Audit Logs
Account Monitoring and Control
Penetration Testing and Red Team Exercises
Check Point
Check Point
Check Point
Check Point
Identify, block, limit usage to web apps & widgets)
Prevents bot damages by blocking C&C communications Cloud based categorization and URL updates)
Protects sensitive information from unintentional loss
Respond
(RS)
Response Planning
Communications
Analysis
Mitigation
Improvements
CSC-18
Incident Response and Management
Recover (RC)
Recovery Planning
Improvements
Communications
CSC-08
Data Backup and Recovery
A5 Application Security
63
A6 Data Governance
Framework Core Framework Categories Security
Controls
Controls Description Primary Vendors Program Alignment
Identify (ID)
Asset Management
Business Environment
Governance
Risk Assessment
Risk Management Strategy
CSC-01
CSC-02
CSC-04
CSC-11
Inventory of Authorized / Unauthorized Devices
Inventory of Authorized / Unauthorized Software
Vulnerability Management
Control of Network Ports, Protocols & Services
Identity Finder Identify documents, files, that store sensitive data (SSN, credit card, etc.)
Protect (PR)
Access Control
Awareness and Training
Data Security
Information Protection Process
Maintenance
Protective Technology
CSC-03
CSC-06
CSC-07
CSC-09
CSC-10
CSC-12
CSC-13
CSC-14
CSC-15
CSC-16
CSC-17
CSC-19
Secure Configuration of Laptops, Workstations, Servers
Application Software Security
Wireless Access Control
Security Skills Assessment and Appropriate Training
Secure configuration of Firewalls, Routers, Switches
Controlled Use of Administrative Privileges
Boundary Defenses
Maintenance, Monitoring, Analysis of Audit Logs
Controlled Access Based on Need to Know
Account Monitoring and Control
Data Loss Prevention
Secure Network Engineering
Check Point
Check Point
Check Point
Check Point
McAfee
Microsoft
Microsoft
Apple
Sophos
Application security and identity control
Detects bot-infected machines, prevents bot damages Enforcement and management of Web security
Protects sensitive information from unintentional loss
File, Folder, Drive, Media Encryption Domain services for users, computers, printers, services Hard Drive Encryption for Windows
Hard Drive Encryption for MACs
Protection for messaging infrastructure (spam, virus, malware threats)
Detect
(DE)
Anomalies and Events
Security Continuous Monitoring
Detection Processes
CSC-05
CSC-14
CSC-16
CSC-20
Malware Defenses
Maintenance, Monitoring, Analysis of Audit Logs
Account Monitoring and Control
Penetration Testing and Red Team Exercises
Check Point
Check Point
Check Point
Check Point
Absolute Software
Identify, block, limit usage to web apps & widgets
Detects bot-infected machines, prevents bot damages Cloud based categorization and URL updates)
Protects sensitive information from unintentional loss
Track, lock, wipe, recover stolen devices
Respond
(RS)
Response Planning
Communications
Analysis
Mitigation
Improvements
CSC-18
Incident Response and Management Absolute Software Track, lock, wipe, recover stolen devices
Recover (RC)
Recovery Planning
Improvements
Communications
CSC-08
Data Backup and Recovery Absolute Software
EMC
Track, lock, wipe, recover stolen devices Scheduled backups for files, folders
64
A7 Identity & Access Governance Program
Framework Core Framework Categories Security
Controls
Controls Description Primary Vendors Program Alignment
Identify (ID)
Asset Management
Business Environment
Governance
Risk Assessment
Risk Management Strategy
CSC-01
CSC-02
CSC-04
CSC-11
Inventory of Authorized / Unauthorized Devices
Inventory of Authorized / Unauthorized Software
Vulnerability Management
Control of Network Ports, Protocols & Services
Oracle
Oracle
Oracle
Oracle
Oracle
Oracle
Oracle
Oracle
Oracle
Oracle
Oracle
Oracle
Oracle
Quest Software
Provisioning, password management, entitlements Report on usage, build IT roles, detect audit issues Password management solution - provision, manage privileged accounts SSO across an organization’s web presence.
Multi-factor access control
XML gateway for securing application and web access
Enable SSO across websites.
Enable trust across federation boundaries.
Fine-grained entitlements service.
SSO via authentication “wallet”
LDAP directory service based on Java and OVD product.
Integration to data sources.
LDAP directory based on Oracle database technology
Configuration Change Control
Protect (PR)
Access Control
Awareness and Training
Data Security
Information Protection Process
Maintenance
Protective Technology
CSC-03
CSC-06
CSC-07
CSC-09
CSC-10
CSC-12
CSC-13
CSC-14
CSC-15
CSC-16
CSC-17
CSC-19
Secure Configuration of Laptops, Workstations, Servers
Application Software Security
Wireless Access Control
Security Skills Assessment and Appropriate Training
Secure configuration of Firewalls, Routers, Switches
Controlled Use of Administrative Privileges
Boundary Defenses
Maintenance, Monitoring, Analysis of Audit Logs
Controlled Access Based on Need to Know
Account Monitoring and Control
Data Loss Prevention
Secure Network Engineering
Aruba
EiQ
Check Point
SANS
Windows
Cisco
Access control for mobile devices and users Managing and Monitoring for Security Events Visibility of users, groups and machines (via AD) Training users, managers, privileged users on security best practices Domain services for users, computers, printers, services Provides employee and vendor remote access (authenticated by AD)
Detect
(DE)
Anomalies and Events
Security Continuous Monitoring
Detection Processes
CSC-05
CSC-14
CSC-16
CSC-20
Malware Defenses
Maintenance, Monitoring, Analysis of Audit Logs
Account Monitoring and Control
Penetration Testing and Red Team Exercises
Aruba
EiQ
Check Point
Access control for mobile devices and users Managing and Monitoring for Security Events Visibility of users, groups and machines (via AD)
Respond
(RS)
Response Planning
Communications
Analysis
Mitigation
Improvements
CSC-18
Incident Response and Management
Recover (RC)
Recovery Planning
Improvements
Communications
CSC-08
Data Backup and Recovery
65
A8 Crown Jewels
Framework Core Framework Categories Security
Controls
Controls Description Primary Vendors Program Alignment
Identify (ID)
Asset Management
Business Environment
Governance
Risk Assessment
Risk Management Strategy
CSC-01
CSC-02
CSC-04
CSC-11
Inventory of Authorized / Unauthorized Devices
Inventory of Authorized / Unauthorized Software
Vulnerability Management
Control of Network Ports, Protocols & Services
Protect (PR)
Access Control
Awareness and Training
Data Security
Information Protection
Process
Maintenance
Protective Technology
CSC-03
CSC-06
CSC-07
CSC-09
CSC-10
CSC-12
CSC-13
CSC-14
CSC-15
Secure Configuration of Laptops, Workstations, Servers
Application Software Security
Wireless Access Control
Security Skills Assessment and Appropriate Training
Secure configuration of Firewalls, Routers, Switches
Controlled Use of Administrative Privileges
Boundary Defenses
Maintenance, Monitoring, Analysis of Audit Logs
Controlled Access Based on Need to Know
Detect
(DE)
Anomalies and Events
Security Continuous
Monitoring
Detection Processes
CSC-05
CSC-14
CSC-16
CSC-20
Malware Defenses
Maintenance, Monitoring, Analysis of Audit Logs
Account Monitoring and Control
Penetration Testing and Red Team Exercises
Aruba
Aruba
EiQ
Check Point
Check Point
Check Point
Check Point
Dell
Splunk
Oracle
Oracle
Oracle
Oracle
Oracle
Oracle
Solar Winds
Plixer
Absolute Software
Wireless network for endpoint connectivity Access control for mobile devices and users Managing and Monitoring for Security Events
Application security and identity control
Detects bot-infected machines, prevents bot damages Enforcement and management of Web security
Protects sensitive information from unintentional loss
Active monitoring for devices, software, configuration changes Firewall blocks and syslog for network devices (switches, routers, firewalls) Availability and Performance Monitoring Centralized configuration of the audit policies Parse and categorize database traffic originating from application or user Table space encryption to encrypt data at rest, encrypt SQL network traffic Protect databases to known & newly identified vulnerabilities Store & manage password policies and reporting users in a directory Scripts can be built to mask data Password management solution - provision, manage privileged accounts Monitor network devices (Availability)
Identify devices on the network (via traffic monitoring)
Track, lock, wipe, recover stolen devices
Respond
(RS)
Response Planning
Communications
Analysis
Mitigation
Improvements
CSC-18
Incident Response and Management
Recover (RC)
Recovery Planning
Improvements
Communications
CSC-08
Data Backup and Recovery
66
67
Crown Jewels Program (Deliverables: Managed Critical Assets)
Identity Governance Program (Deliverables: Managed People, Accounts, Entitlements)
Data Governance Program (Deliverables: Managed Information)
Application Security Program (Deliverables: Managed Applications)
Controls Office
Technology Center
Operations Center
Testing Center
PMO Office
Infrastructure Security Program (Deliverables: Managed Endpoints, Networks, Servers, Databases)
Threat Office
Input
Unmanaged Assets
Output
Managed Assets
GRC Office
Controls Design
Technology Build & Run
Operations Build & Run
Testing Build & Run
Programs Build & Run
Attack Models
Risk Reporting
P1
P2
P3
P4
P5
Step 7: Conduct Asset / Program Review
68
P1: The Infrastructure Program
1. The Assets 2. The Controls 3. The Solutions
4. The Operations 5. The Testing 6. The Assessments & Reporting
Crown Jewels Identities Information Applications Infrastructure
Program Engine
Controls Engine
COBIT 5.0
ISO 27001
CSC CSC
IEC 62443
NIST 800-53
BSIMM V5
PCI DSS
HIPAA
201 CMR 17
The C Test Analyzer
Identify
Protect
Detect
Respond
Recover
3
69 69
P2: The Application Program
1. The Assets 2. The Controls 3. The Solutions
4. The Operations 5. The Testing 6. The Assessments & Reporting
Crown Jewels Identities Information Applications Infrastructure
Program Engine
Controls Engine
COBIT 5.0
ISO 27001
CSC CSC
IEC 62443
NIST 800-53
BSIMM V5
PCI DSS
HIPAA
201 CMR 17
The C Test Analyzer
Identify
Protect
Detect
Respond
Recover
3
70 70 70
P3: The Data Governance Program
1. The Assets 2. The Controls 3. The Solutions
4. The Operations / Administration 5. The Testing
Crown Jewels Identities Information Applications Infrastructure
Program Engine
Controls Engine
COBIT 5.0
ISO 27001
CSC CSC
IEC 62443
NIST 800-53
BSIMM V5
PCI DSS
HIPAA
201 CMR 17
The C Test Analyzer
Identify
Protect
Detect
Respond
Recover
3
6. The Assessments & Reporting
71
P4: The Identity Governance Program
1. The Assets 2. The Controls 3. The Solutions
4. The Operations / Administration 5. The Testing
Crown Jewels Identities Information Applications Infrastructure
Program Engine
Controls Engine
COBIT 5.0
ISO 27001
CSC CSC
IEC 62443
NIST 800-53
BSIMM V5
PCI DSS
HIPAA
201 CMR 17
The C Test Analyzer
Identify
Protect
Detect
Respond
Recover
3
6. The Assessments & Reporting
72
P5: The Critical Assets Program
1. The Assets 2. The Controls 3. The Solutions
4. The Operations / Administration 5. The Testing
Crown Jewels Identities Information Applications Infrastructure
Program Engine
Controls Engine
COBIT 5.0
ISO 27001
CSC CSC
IEC 62443
NIST 800-53
BSIMM V5
PCI DSS
HIPAA
201 CMR 17
The C Test Analyzer
Identify
Protect
Detect
Respond
Recover
3
6. The Assessments & Reporting
Build a Cybersecurity Program The Program Summary
Identify NIST Controls Framework
Cyber Attack Chain
1 2 3 4 5 6 7
Management Controls (ISO 27001:2013)
Technical Controls (Council on Cyber-security CSC)
Operations Controls (ISO 27001:2013)
Controls Standards & Mapping
Unmanaged Assets [Programs]
Technologies & Services
Application
Security
Crown Jewels
1 2 3 4 5 6 7 8
Endpoint Devices
Network Security
Data Center Systems
Database Security
Identity Governance
Data Governance
Managed Assets [Programs]
Testing & Reporting
Protect Detect Respond Recover
Cybersecurity Operations Testing & Reporting
Cybersecurity Technology Testing & Reporting
Cybersecurity Controls Testing & Reporting
Application
Security
Crown Jewels
1 2 3 4 5 6 7 8
Endpoint Devices
Network Security
Data Center Systems
Database Security
Identity Governance
Data Governance
Incident Response Team
Cybersecurity Administration Center
Cybersecurity Operations Center
Operations & Administration
74
The A Team – Primary Vendors
The B Team – Test Vendors
TEC-01A TEC-02A TEC-03A TEC-04A TEC-05A
TEC-06A TEC-07A TEC-08A
Quest Software
TEC-09A TEC-10A
TEC-11A TEC-12A
TEC-01B TEC-02B TEC-03B TEC-04B SVC-05B
TEC-06B TEC-07B TEC-08B SVC-09B
Program Alignment: Key Vendors
Step 8: Prioritize Deliverables
Milestone Goal Description
1 Limit data retention This milestone targets a key area of risk for entities that have been compromised.
Remember – if sensitive data are not stored, the effects of a compromise will be greatly reduced. If you don’t need it, don’t store it.
2 Protect the perimeter, internal and wireless networks
This milestone targets controls for points of access to most compromises – the network or a wireless access point.
3 Secure critical applications This milestone targets controls for applications, application processes, and application
servers. Weaknesses in these areas offer easy prey for compromising systems and obtaining access to sensitive data.
4 Monitor and control access to systems
Controls for this milestone allow you to detect the who, what, when, and how concerning who is accessing your network and cardholder data environment.
5 Protect stored data For those organizations that have analyzed their business processes and determined that
they must store sensitive data, Milestone Five targets key protection mechanisms for that stored data.
6 Finalize remaining compliance efforts, ensure all controls are in place
The intent of Milestone Six is to complete the security program requirements and finalize all remaining related policies, procedures, processes and controls needed to protect the organization’s IT resources and information assets.
75
Source: PCI DSS (Payment Card Industry Data Security Standards)
Step 9: Program / Asset Risk Dashboard
76
P1 Infrastructure Security P2 Application Security P3 Identity Governance
P4 Information Governance
P5 Crown Jewels
A1 Endpoint Devices
A2 Network Security
A3 System Security A4: Database Security A5 Application Security
A6: Identity & Access Governance A7 Information Governance
A8 Crown Jewels A9 Services Catalog
0 1 2 3 4 5
0 1 2 3 4 5
0 1 2 3 4 5
0 1 2 3 4 5
0 1 2 3 4 5
0 1 2 3 4 5
0 1 2 3 4 5
0 1 2 3 4 5
0 1 2 3 4 5
0 1 2 3 4 5
0 1 2 3 4 5
0 1 2 3 4 5
0 1 2 3 4 5
0 1 2 3 4 5
77
CSC 1.0 Asset Management
CSC 2.0 Software Inventory
CSC 3.0 Server & Desktop Configuration Management
CSC 4.0 Vulnerability Management
CSC 5.0 Malware Defenses
CSC 6.0 Application Security CSC 7.0 Wireless Networks
CSC 8.0 Back-ups CSC 9.0 Training and Awareness
CSC 10.0 Network Configuration Management
CSC 11.0 Ports, Protocols, Services
CSC 12.0 Administrative Privileges
CSC 13.0 Boundary Defenses CSC 14.0 Log Monitoring & Analysis
CSC 15.0 Need to Know
CSC 16.0 Account Monitoring and Control
CSC 17.0 Data Protection
CSC 18.0 Incident Response CSC 19.0 Secure Network Engineering
CSC 20.0 Penetration Testing and Red Team Exercises
0 1 2 3 4 5
0 1 2 3 4 5
0 1 2 3 4 5
0 1 2 3 4 5
0 1 2 3 4 5
0 1 2 3 4 5
0 1 2 3 4 5
0 1 2 3 4 5
0 1 2 3 4 5
0 1 2 3 4 5
0 1 2 3 4 5
0 1 2 3 4 5
0 1 2 3 4 5
0 1 2 3 4 5
0 1 2 3 4 5
0 1 2 3 4 5
0 1 2 3 4 5
0 1 2 3 4 5
0 1 2 3 4 5
0 1 2 3 4 5
Step 9: Controls Risk Dashboard
Step 9: Program Metrics and Reporting
0
10
20
30
40
50
60
Infrastructure Security Application Security Identity Governance Data Governance Crown Jewels
Management Controls (MGT)
Technical Controls (TEC)
Operational Controls (OPS)
2015 Goal = 80%
Current = 68%
Security Program Assessment May, 2015
Co
ntr
ols
Imp
lem
en
ted
78
Management Controls
Apply to Asset Groups
Technical Controls
Apply to Asset Groups Apply to Asset Groups
+ + Operational Controls
Cybersecurity Controls Cybersecurity Controls
End-to-End Security Includes Management (People), Technology / Tools, Administration and Operations (Practices and Procedures) Foundation based on industry best practices, a comprehensive plan, documented programs and executive support Requires commitment to implement, manage/ maintain, improve over time As well as an ongoing assessment and audit to ensure controls are in place and effective in mitigating risk
Managed Assets
Step 10: Program Summary: End to End Security
NIST Cybersecurity Framework
79