Critical Controls for Cyber Defense

Madhur Verma, CISSP, MVP (Consumer Security), CEH, CIW Security Analyst, MCTS, MCSE, MCSA

Computer Attacker Activities and Associated Defenses

Attacker activities:

• Initial Compromise: “Getting In”
• Maintain Long-Term Access to Compromised Systems: “Staying In”
• Cause Damage: “Acting”

Security defenses include:

• decreasing attack surface and hardening security
• identifying attacker presence and reducing “living space”
• controlling superuser privileges [admin and root]
• disrupting command and control of attacker-implanted software

Critical Control 1

Boundary Defense

• All outgoing traffic must pass through at least one proxy on a DMZ network
• All remote login access required to use two-factor authentication
• Health checking of all devices that log in remotely
• Periodically scan for back-channel connections to the Internet that bypass the DMZ
• Identify covert channels exfiltrating data through a firewall with built-in firewall session tracking mechanisms

Critical Control 2

Secure Configurations for Network Devices such as Firewalls, Routers and Switches

• Compare firewall, router and switch configuration against standard secure configurations defined for each type of network device
• Implement ingress and egress filtering
• Management network should be separated from production network

Critical Control 3

Wireless Device Control

• Ensure that each wireless device connected to the network matches an authorized configuration and security profile
• Ensure all wireless traffic leverages at least AES encryption used with at least WPA2 protection
• Ensure wireless networks use authentication protocols such as EAP/TLS or PEAP
• Disable peer-to-peer wireless network capabilities on wireless clients
• Disable wireless peripheral access of devices
• Regularly scan for unauthorized or misconfigured wireless infrastructure devices

Critical Control 4

Limitation and Control of Network Ports, Protocols and Services

• Use host-based firewalls or port filtering tools
• Regularly review the ports, protocols and services needed
• Operate critical services on separate physical host machines
• Port scanning tools are used to determine which services are listening

Critical Control 5

Malware Defenses

• Monitor workstations, servers and mobile devices for active, up-to-date anti-malware protection
• All malware detection events should be sent to enterprise anti-malware administration tools and event log servers
• Configure laptops, workstations and servers so that they will not auto-run content from removable media
• Configure systems to conduct an automated anti-malware scan of removable media when it is inserted

Critical Control 6

Secure Configurations for Hardware and Software on Laptops, Workstations and Servers

• Standardized images should represent hardened versions of the underlying OS and the applications installed on the system
• Utilize file integrity checking tools to ensure that critical system files have not been altered
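The file integrity check in the last bullet, as an added example that is not part of the deck: a baseline of SHA-256 digests is taken from the hardened image, stored where the monitored host cannot rewrite it, and later compared against the live tree. The function names, the tiny sample "etc" tree and the tampering it performs are all constructed for this illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added example: a minimal file integrity checker. Function names (build_baseline,
# verify_baseline, demo) and the sample tree are constructed for this illustration.


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record the digest of every regular file under root, keyed by POSIX-style relative path."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_baseline(root: Path, baseline: dict) -> dict:
    """Compare the live tree with a stored baseline.

    Returns three sorted lists: files whose content changed, files that
    vanished, and files present now that the baseline never recorded.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "missing": sorted(f for f in baseline if f not in current),
        "added": sorted(f for f in current if f not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny 'etc' tree, then change, delete and add files."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        etc = root / "etc"
        etc.mkdir()
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        (etc / "ssh_config").write_text("PermitRootLogin no\n")
        # In practice the baseline is produced from the golden image and kept
        # somewhere the monitored host cannot rewrite; serialising it to JSON
        # shows the round trip through such a store.
        baseline = json.loads(json.dumps(build_baseline(root)))
        (etc / "ssh_config").write_text("PermitRootLogin yes\n")  # content changed
        (etc / "hosts").unlink()                                   # file removed
        (etc / "motd").write_text("unexpected file\n")             # file added
        return verify_baseline(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The three buckets matter for different reasons: a modified file is the classic tampering signal, a missing file may mean a control was removed, and an added file in a directory that should only hold image-managed content is worth a look even when nothing in the baseline changed.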

Critical Control 7

Application Software Security

• Protect web applications by deploying web application firewalls that inspect all traffic flowing to the web application for common web application attacks
• Check in-house developed and third-party procured web and other application software for coding errors and malware insertion, including backdoors, prior to deployment
• Verify that security considerations are taken into account throughout the phases of the application development life cycle of all applications

Critical Control 8

Controlled Use of Administrative Privileges

• Should have a good password policy
• Change all default passwords before deploying
• Ensure that administrator accounts are used only for system administration activities and not for reading e-mail, composing documents or surfing the Internet
• Configure systems to issue a log entry and alert when an account is added to or removed from the domain administrators group
• User awareness
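The "log entry and alert on group membership change" bullet, as an added example that is not from the deck: a small detector run over parsed Windows Security events. The event IDs are the real ones for membership changes in security-enabled global, local and universal groups; the sample events, the approved-change allowlist and the function names are constructed.

```python
from dataclasses import dataclass

# Added example. Event IDs are the standard Windows Security log values for
# membership changes in security-enabled groups; everything else (the sample
# events, the approved-change list, the function names) is constructed.
MEMBER_ADDED = {4728, 4732, 4756}    # global, local, universal group
MEMBER_REMOVED = {4729, 4733, 4757}  # global, local, universal group
WATCHED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


@dataclass
class Alert:
    time: str
    action: str     # "added" or "removed"
    group: str
    member: str     # distinguished name of the account moved
    actor: str      # account that performed the change
    approved: bool  # matched an approved change request


def alerts_for(events, approved_changes, watched=WATCHED_GROUPS):
    """Alert on every membership change in a watched group.

    Every change produces an alert (the control asks for a log entry and alert
    on each one); changes matching an approved (member, group, action) triple
    are tagged so the responder can prioritise the unexpected ones.
    """
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid in MEMBER_ADDED:
            action = "added"
        elif eid in MEMBER_REMOVED:
            action = "removed"
        else:
            continue
        # In these events the group is the "target" and the moved account is MemberName.
        group = ev.get("TargetUserName", "")
        if group not in watched:
            continue
        member = ev.get("MemberName", "")
        alerts.append(Alert(
            time=ev.get("TimeCreated", ""),
            action=action,
            group=group,
            member=member,
            actor=ev.get("SubjectUserName", ""),
            approved=(member, group, action) in approved_changes,
        ))
    return alerts


# Constructed sample events, shaped like the EventData of the real log entries.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-06-01T08:00:00Z", "TargetUserName": "jdoe"},
    {"EventID": 4728, "TimeCreated": "2024-06-01T08:05:10Z", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example", "SubjectUserName": "jdoe"},
    {"EventID": 4728, "TimeCreated": "2024-06-01T08:06:00Z", "TargetUserName": "Sales",
     "MemberName": "CN=newhire,OU=Users,DC=corp,DC=example", "SubjectUserName": "hr-admin"},
    {"EventID": 4729, "TimeCreated": "2024-06-01T09:00:00Z", "TargetUserName": "Domain Admins",
     "MemberName": "CN=old-admin,OU=Admins,DC=corp,DC=example", "SubjectUserName": "admin01"},
    {"EventID": 4756, "TimeCreated": "2024-06-01T23:40:00Z", "TargetUserName": "Enterprise Admins",
     "MemberName": "CN=tmp-acct,OU=Users,DC=corp,DC=example", "SubjectUserName": "jdoe"},
]

# Constructed change-ticket allowlist: (member DN, group, action).
APPROVED_CHANGES = {
    ("CN=old-admin,OU=Admins,DC=corp,DC=example", "Domain Admins", "removed"),
}

if __name__ == "__main__":
    for a in alerts_for(SAMPLE_EVENTS, APPROVED_CHANGES):
        flag = "APPROVED" if a.approved else "UNAPPROVED"
        print(f"{a.time} {flag}: {a.member} {a.action} {a.group} by {a.actor}")
```

The detector deliberately does not suppress approved changes; it only tags them. A silent allowlist is how an attacker who can also edit change tickets gets a free pass, whereas a tagged alert still leaves a record to reconcile.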

Critical Control 9

Controlled Access Based on Need-to-Know

• Establish a multi-level data identification or separation scheme
• Ensure that file shares have defined controls
• Enforce detailed audit logging for access to non-public data and special authentication for sensitive data

Critical Control 10

Account Monitoring and Control

• Establish a good account management policy
• Review all system accounts and disable any account that cannot be associated with a business process and business owner
• Monitor account usage to determine dormant accounts
• Monitor attempts to access deactivated accounts through audit logging
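The three review bullets above (no business owner, dormant usage, attempts against deactivated accounts) as one added example that is not from the deck. The account export and the logon-failure events are constructed; the 4625 event ID and the NTSTATUS sub-status for a disabled account are the real Windows values, and the function names are ours.

```python
from datetime import datetime, timedelta, timezone

# Added example. Function names, the account export and the failure events are
# constructed; 4625 and the NTSTATUS sub-status for a disabled account are the
# real Windows values.
LOGON_FAILURE = 4625
STATUS_ACCOUNT_DISABLED = "0xc0000072"


def dormant_accounts(accounts, now, max_idle_days=90):
    """Enabled accounts with no logon in max_idle_days (or no logon ever)."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(
        a["name"] for a in accounts
        if a["enabled"] and (a["last_logon"] is None or a["last_logon"] < cutoff)
    )


def unowned_accounts(accounts):
    """Enabled accounts that no business owner has claimed."""
    return sorted(a["name"] for a in accounts if a["enabled"] and not a.get("owner"))


def disabled_account_attempts(events):
    """Map each deactivated account to the source addresses that tried to use it."""
    hits = {}
    for ev in events:
        if ev.get("EventID") == LOGON_FAILURE and ev.get("SubStatus", "").lower() == STATUS_ACCOUNT_DISABLED:
            hits.setdefault(ev["TargetUserName"], []).append(ev["IpAddress"])
    return hits


def _utc(*ymd):
    return datetime(*ymd, tzinfo=timezone.utc)


NOW = _utc(2024, 6, 1)  # constructed "as of" date for the review

# Constructed directory export: one active, one idle, one orphaned service
# account and one already-disabled account.
ACCOUNTS = [
    {"name": "alice", "owner": "Finance", "enabled": True, "last_logon": _utc(2024, 5, 30)},
    {"name": "bob", "owner": "IT", "enabled": True, "last_logon": _utc(2024, 1, 15)},
    {"name": "svc-legacy", "owner": None, "enabled": True, "last_logon": None},
    {"name": "carol", "owner": "HR", "enabled": False, "last_logon": _utc(2023, 12, 1)},
]

# Constructed audit events; only 4625 with the disabled-account sub-status counts.
LOGON_FAILURES = [
    {"EventID": 4625, "TargetUserName": "carol", "SubStatus": "0xC0000072", "IpAddress": "10.0.0.5"},
    {"EventID": 4625, "TargetUserName": "alice", "SubStatus": "0xC000006A", "IpAddress": "10.0.0.9"},
    {"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.0.9"},
    {"EventID": 4625, "TargetUserName": "carol", "SubStatus": "0xC0000072", "IpAddress": "198.51.100.7"},
]


def review(accounts=ACCOUNTS, events=LOGON_FAILURES, now=NOW):
    """Produce the three lists a periodic account review needs."""
    return {
        "dormant": dormant_accounts(accounts, now),
        "unowned": unowned_accounts(accounts),
        "deactivated_attempts": disabled_account_attempts(events),
    }


if __name__ == "__main__":
    for section, value in review().items():
        print(f"{section}: {value}")
```

The wrong-password failure for alice is ignored on purpose: the bullet is about deactivated accounts, and mixing ordinary mistypes into that list buries the signal that someone still holds credentials for an account the organisation meant to retire.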

Critical Control 11

Inventory of Authorized and Unauthorized Software

• Devise a list of authorised software that is required
• Deploy software inventory tools
• Deploy software white-listing technology that allows systems to run only approved applications and prevents execution of all other software

Critical Control 12

Inventory of Authorized and Unauthorized Devices

• Devise a list of authorised devices
• Deploy asset/network management tools

Critical Control 13

Maintenance, Monitoring and Analysis of Security Audit Logs

• Logs should be recorded in a standardized format such as syslog or those outlined by the Common Event Expression (CEE) initiative
• Network boundary devices should be configured to log verbosely all traffic arriving at the device
• Ensure logs are written to write-only devices or to dedicated logging servers
• Deploy a SIEM tool for log aggregation and consolidation
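The syslog format named in the first bullet, as an added example that is not from the deck: a parser for BSD-style (RFC 3164) lines that decodes the priority field into facility and severity, and a small aggregator of the kind a SIEM runs first. The sample lines are constructed (the first is the example from RFC 3164 itself), and the function names are ours.

```python
import re
from collections import Counter

# Added example: parser and aggregator for BSD-style (RFC 3164) syslog lines.
# Sample lines are constructed; function names are ours.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss host tag[pid]: message
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)


def parse(line):
    """Return a dict for a well-formed line, or None so the caller can count malformed input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:  # 23 facilities * 8 severities - 1 is the largest legal value
        return None
    return {
        "facility": FACILITIES[pri >> 3],   # high bits select the facility
        "severity": SEVERITIES[pri & 7],    # low three bits select the severity
        "timestamp": m["ts"],
        "host": m["host"],
        "tag": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "message": m["msg"],
    }


def summarize(lines):
    """Count events per host and severity, keep err-or-worse records, and count lines we could not parse."""
    by_host, by_severity = Counter(), Counter()
    malformed, needs_attention = 0, []
    for line in lines:
        rec = parse(line)
        if rec is None:
            malformed += 1
            continue
        by_host[rec["host"]] += 1
        by_severity[rec["severity"]] += 1
        if SEVERITIES.index(rec["severity"]) <= SEVERITIES.index("err"):
            needs_attention.append(rec)
    return {"by_host": dict(by_host), "by_severity": dict(by_severity),
            "malformed": malformed, "needs_attention": needs_attention}


# Constructed sample input; line 1 is the RFC 3164 example, line 5 is deliberately malformed.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<13>Oct 11 22:14:16 webhost sshd[1234]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2",
    "<86>Oct 11 22:14:17 dbhost sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls",
    "<3>Oct 11 22:14:18 webhost kernel: nf_conntrack: table full, dropping packet",
    "this line has no priority header",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse(line))
    print(summarize(SAMPLE_LINES))
```

The malformed counter is the part worth copying: a collector that silently drops lines it cannot parse hides both broken forwarders and deliberately mangled records, so the count belongs on the same dashboard as the event totals.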

Critical Control 14

Data Loss Prevention

• Deploy hard drive encryption software to laptop machines that hold sensitive data
• Control the use of removable devices
• Data stored on removable drives should be encrypted
• Deploy an automated tool on the network perimeter that monitors certain Personally Identifiable Information, keywords and other document characteristics to determine attempts to exfiltrate data

Critical Control 15

Continuous Vulnerability Assessment and Remediation

• Run automated vulnerability scanning tools against all systems
• Compare the results from back-to-back vulnerability scans to verify that vulnerabilities were addressed
• Measure the delay in patching new vulnerabilities
• Deploy automated patch management tools and software update tools
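The second and third bullets (comparing back-to-back scans and measuring patching delay) as one added example that is not from the deck. It generalises the two-scan comparison to a series of scans: each (host, check) pair is tracked from the scan where it first appears to the scan where it is no longer reported, which gives the days-open figure and an overdue list against a per-severity SLA. The scan records, check names and SLA table are constructed, and the function names are ours.

```python
from datetime import date

# Added example. Scan records, check identifiers and the SLA table are
# constructed; the function names are ours.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}


def track(scans):
    """Walk scans in date order, recording when each (host, check) first appeared and when it vanished.

    A finding counts as remediated on the date of the first scan that no longer
    reports it, so the measured delay is an upper bound whose error is at most
    the scan interval; scanning more often tightens the number.
    """
    open_findings = {}   # (host, check) -> {"severity", "first_seen"}
    closed = []
    for scan in sorted(scans, key=lambda s: s["date"]):
        seen = set()
        for f in scan["findings"]:
            key = (f["host"], f["check"])
            seen.add(key)
            open_findings.setdefault(key, {"severity": f["severity"], "first_seen": scan["date"]})
        for key in list(open_findings):
            if key not in seen:
                rec = open_findings.pop(key)
                closed.append({"host": key[0], "check": key[1], "severity": rec["severity"],
                               "days_open": (scan["date"] - rec["first_seen"]).days})
    last = max(s["date"] for s in scans)
    still_open = [{"host": k[0], "check": k[1], "severity": v["severity"],
                   "age_days": (last - v["first_seen"]).days}
                  for k, v in open_findings.items()]
    return {"closed": closed, "open": still_open}


def overdue(report, sla=SLA_DAYS):
    """Open findings older than the SLA for their severity."""
    return sorted((f["host"], f["check"]) for f in report["open"]
                  if f["age_days"] > sla[f["severity"]])


def mean_days_to_remediate(report):
    closed = report["closed"]
    return sum(f["days_open"] for f in closed) / len(closed) if closed else 0.0


# Constructed scan history: three fortnightly scans of two hosts.
SCANS = [
    {"date": date(2024, 3, 1), "findings": [
        {"host": "web01", "check": "openssl-outdated", "severity": "high"},
        {"host": "web01", "check": "tls-weak-cipher", "severity": "medium"},
        {"host": "db01", "check": "unpatched-kernel", "severity": "critical"},
    ]},
    {"date": date(2024, 3, 15), "findings": [
        {"host": "web01", "check": "tls-weak-cipher", "severity": "medium"},
        {"host": "db01", "check": "unpatched-kernel", "severity": "critical"},
        {"host": "web01", "check": "dir-listing", "severity": "low"},
    ]},
    {"date": date(2024, 4, 1), "findings": [
        {"host": "db01", "check": "unpatched-kernel", "severity": "critical"},
        {"host": "web01", "check": "dir-listing", "severity": "low"},
    ]},
]

if __name__ == "__main__":
    report = track(SCANS)
    for f in report["closed"]:
        print(f"fixed   {f['host']} {f['check']} after {f['days_open']} days")
    for f in report["open"]:
        print(f"open    {f['host']} {f['check']} for {f['age_days']} days")
    print("overdue:", overdue(report))
    print("mean days to remediate:", mean_days_to_remediate(report))
```

Keying on (host, check) rather than on the scanner's per-run finding id is what makes back-to-back scans comparable at all; most scanners renumber findings on every run. A finding that disappears because the host itself dropped out of scope would also be reported as "fixed" here, so in practice the host list from Critical Control 12 should be reconciled against each scan before the delay is trusted.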

Critical Control 16

Secure Network Engineering

• Segment the enterprise network
• Follow best security practices for deploying servers, network devices and Internet services
• Network should support rapid response and shunning of detected attacks

Critical Control 17

Penetration Tests and Red Team Exercises

• Conduct regular penetration tests to identify attack vectors
• Perform periodic red team exercises to test the readiness of organizations to identify and stop attacks or to respond quickly and effectively
• Ensure that systemic problems discovered in penetration tests and red team exercises are fully mitigated

Critical Control 18

Incident Response Capability

• Should have written incident response procedures
• Should assign job titles and duties for handling incidents to specific individuals
• Should notify CERT-In in accordance
• Publish information about incidents to all personnel for awareness
• Conduct periodic incident response drills for scenarios to ensure that personnel understand current threats, risks and their responsibilities

Critical Control 19

Data Recovery Capability

• Should have a good backup policy
• Ensure that backups are encrypted
• Backup media should be stored in physically secure areas

Critical Control 20

Security Skills Assessment and Appropriate Training to Fill Gaps

• Develop security awareness trainings
• Devise periodic security awareness assessment quizzes
• Conduct periodic exercises to verify that employees and contractors are fulfilling their information security duties

Resources

• http://www.sans.org
• http://www.microsoft.com/technet