WE16 - Defense in Depth: Top 10 Critical Security Controls


Copyright © 2016 Raytheon Company. All rights reserved.

Defense in Depth: Top 10 Critical Security Controls

Mary Y Wang

October 28, 2016

NON-EXPORT CONTROLLED TECHNICAL INFORMATION


Annual Women Engineers Conference 2016


Why Do the Center for Internet Security (CIS) Critical Security Controls Work?

Based on actual attacks and effective defenses

Based on priorities

Not one-size-fits-all solutions


1. Inventory of Hardware

Authorized and Unauthorized Devices
– Attackers are continuously scanning the target organizations
– Attackers are waiting for new and unprotected systems to be attached to the network


2. Inventory of Software

Authorized and Unauthorized Software
– Attackers are continuously looking for vulnerable versions of software that can be remotely exploited


3. Secure Configurations of Hardware and Software

Default configurations are for ease of use, not security

Open services, ports, default accounts or passwords
– Can be exploitable


4. Continuous Vulnerability Assessment and Remediation

Scan for vulnerabilities and address discovered flaws

Understanding and managing vulnerabilities is a continuous discovery activity

Attackers have the same information
– Race to deploy an attack


5. Controlled Use of Administrative Privileges

Track and control the use of administrative privileges

Attackers can take advantage of uncontrolled administrative privileges
– Can crack the password


6. Maintenance, Monitoring and Analysis of Audit Logs

Collect and analyze audit logs of events
– Detect an attack
– Recover from an attack

Sometimes, logs are the only evidence of an attack

Attackers can also hide their activities


7. Email and Web Browser Protections

Minimize the attack surface through web browsers
– Fully up to date and patched
– Default: not installing plugins, ActiveX controls
– Block third-party cookies

Attackers use phishing emails as the entry point of attack


8. Malware Defenses

Control the installation and spread of malicious code

Attackers can use malware to attack target organizations via a number of entry points, such as end-user devices, email attachments and web pages


9. Limitation and Control of Network Ports and Services

Manage and track the use of ports, protocols and services

Attackers are continuously searching for remotely accessible network services and open ports


10. Data Recovery Capability

Back up critical information

When attackers compromise systems
– Make significant changes to configurations of software
– Make alterations of data

When discovered, need to remove all data that have been altered by attackers


Win the Cyber War!!


Biography

Mary Y Wang
Information Systems Security Officer
Raytheon Space and Airborne Systems, California

Mary Wang joined Raytheon in August 2015. Currently, she works in the Raytheon Space and Airborne Systems Information Assurance organization. She has a strong passion for cybersecurity, especially in the penetration testing and application security areas. Prior to joining Raytheon, she was a Senior Software Engineer and Project Lead at The Boeing Company, where she worked on a variety of software projects. Mary holds a Bachelor of Science degree in Computer Science and a Master of Business Administration degree. She is currently attending SANS Technology Institute for a graduate degree in Pen Testing & Ethical Hacking. Mary has also been a frequent speaker at Annual Women Engineers Conferences.
