Implementing SANS Top 20 Critical Security Controls with ConsoleWorks


The following whitepaper summarizes TDi Technologies' interpretation of the SANS Top 20 Controls and how ConsoleWorks, developed by TDi Technologies, addresses each control in whole or in part.

TDi provides solutions to a global customer base with key verticals including Financial Services, Healthcare, Telecommunications, Utilities, and Government. The company's solutions help customers reduce operating costs, meet compliance requirements, secure the IT foundation, and improve IT service delivery. TDi Technologies is the first solution provider to offer a unified enterprise IT operations solution for Privileged Access Management, Baseline Configuration Management, Event Monitoring and Remediation, and Logging over the IT foundation. The company's patented technology provides automation, optimization, control and management capabilities that dramatically improve the ability of IT to meet the demands of the business.

From SANS: In 2008, the U.S. National Security Agency (NSA) began an effort that took an "offense must inform defense" approach to prioritizing a list of the controls that would have the greatest impact in improving risk posture against real-world threats. A consortium of U.S. and international agencies quickly grew, and was joined by experts from private industry and around the globe. Ultimately, recommendations for what became the Critical Security Controls (CSCs) were coordinated through the SANS Institute. The Controls effort focuses first on prioritizing security functions that are effective against the latest Advanced Targeted Threats, with a strong emphasis on "What Works": security controls where products, processes, architectures and services are in use that have demonstrated real-world effectiveness. Standardization and automation is another top priority, to gain operational efficiencies while also improving effectiveness. The US State Department has previously demonstrated more than 94% reduction in "measured" security risk through the rigorous automation and measurement of the Top 20 Controls.

The goal of the Critical Controls is to protect critical assets, infrastructure, and information by strengthening your organization's defensive posture through continuous, automated protection and monitoring of your sensitive information technology infrastructure to reduce compromises, minimize the need for recovery efforts, and lower associated costs.

ConsoleWorks Applications to SANS Top 20 Controls

ConsoleWorks - Continuous, Automated Protection & Monitoring

ConsoleWorks monitors, manages, logs, remediates, and secures physical (routers, switches, servers, and so on), logical (SANs and applications, for example) and virtual infrastructures at the lowest level, in real-time and in all machine states, including operating, service, configuration, and maintenance modes. It accomplishes this without using agents and does not rely on the Operating System being present in order to monitor and manage the infrastructure. ConsoleWorks uses a unique blend of connector, centralized web server, and out-of-band technologies to implement a robust, no-worry, lights-out management solution. ConsoleWorks addresses the need for single-source management by providing the ability to stop, start, run, load firmware, reboot, and monitor assets, enabling console operations for system administrators anytime, anyplace, and anywhere they can connect to the ConsoleWorks server. ConsoleWorks is designed to minimize operational disruptions, downtime, and mean-time-to-repair. It can automatically trigger operator-specified actions as soon as it detects a known or user-defined condition on a monitored asset. On its own or when partnered with legacy notification applications, ConsoleWorks can phone, fax, page, and email appropriate personnel and provide them with critical information when it's needed and as it happens.

Figure: ConsoleWorks Unified Dashboard

Centralized Management of People, Processes, and Systems

ConsoleWorks brings together technologies and other related information for processing into a unified dashboard. ConsoleWorks logs and monitors, 24x7, in real-time, all incoming log sources, including those from people (down to the keystroke), processes and systems. All log files collected and aggregated by ConsoleWorks are Date/Time stamped using a common base Date and Time, thus eliminating the problems caused by unsynchronized clocks. Log files can be viewed individually or interlaced with other log files in Date/Time order at the sub-second level using TDi Technologies' patented timestamp mechanism in ConsoleWorks. This normalization helps shorten the remediation process in determining the source of an issue.

The unified dashboard encapsulates ConsoleWorks' secure role-based / privileged access control, baseline configuration management, event detection and log aggregation with a sophisticated integration engine containing its Intelligent Event Modules (IEMs). IEMs apply intelligence to the information being monitored from devices, 3rd party application event log files, SNMP traps, and Syslog so that the information can be processed and acted on in a meaningful way. Adding to that, the ConsoleWorks customer-specific knowledge base captures customer-specific remediation steps for a particular Event, enabling faster remediation. On the front end, the ConsoleWorks integration engine facilitates integration with almost any 3rd party software application, such as Identity Management, Change Management and Password Management systems. On the back end, ConsoleWorks facilitates Incident Response and Compliance / Regulatory Reporting, etc.

Figure: ConsoleWorks Architecture

ConsoleWorks Functionality

ConsoleWorks functionality includes the following features:

- Agentless, persistent monitoring
- Asset access secured using role-based or task-based user privileges
- Scanning of incoming data streams for pre-defined text patterns
- Complete intelligence gathering, including capture of source and account IDs, incident context, and commands and their outcomes
- Centralized command and control for physical, logical and virtual console connections, Syslog messages, SNMP traps, and other streams of information within your cyber infrastructure
- Connections secured using SSL and SSH encryption
- Automatic, securable logging of all data flows to and from monitored assets
- All asset activity logged and the logs digitally signed to make it easier to detect modifications
- Color-coded logs from different information sources, facilitating drill-down analyses in aggregated log views
- Hassle-free, large-scale deployments
- Multiple users granted simultaneous access to a single console
- Single user granted Read and Write access to several systems simultaneously
- Automated incident recognition and response
- Complete event lifecycle management: Recognition, Notification, and Remediation
- Events consolidated from all data sources using a common natural time, independent of asset vendor or type
- Events prioritized by severity, set initially by OEMs and 100% customizable by users
- Real-time, customizable graphs and charts for reporting and business intelligence
- Sub-second timeframe for more insightful granularity
- Easy-to-understand dashboards, displays, and views into the health
- Summary and overview event mapping with drill-down capability

Privileged Access Management

Remote Access to Legitimate Users / Protecting and Validating Administrative Accounts on Servers

ConsoleWorks is a unique solution with advanced security capabilities that manage user access to assets.
ConsoleWorks performs the role of the Intermediate Device with unique security features which stop code-based attacks (malware, viruses, etc.), monitor all remote activity in real-time, and enforce authorized remote user access rights.

Prevent Unauthorized Access

ConsoleWorks users must properly authenticate themselves to ConsoleWorks; accessing it without proper authentication is not possible. Once a user is authenticated to ConsoleWorks, the user's role-based security profile determines the access method as well as which assets the user may access or be "Aware" of. ConsoleWorks retains a predefined username/password, PKI certificate, or other credentials that it uses to connect the user to the asset, based on the asset's capabilities. Effectively, ConsoleWorks "owns" the actual connectivity to an asset and controls access to the asset by the users of ConsoleWorks, so it can also determine how a user is connected to the asset. Some users may be required to enter or know a username and password while others are restricted from knowing a username and password; the method used is configured in ConsoleWorks for a given security profile.

ConsoleWorks is essentially a PROXY for all types of user access to cyber assets. ConsoleWorks "owns" the access to all shared accounts on each cyber asset. The user authenticates to ConsoleWorks; then ConsoleWorks, based on the user's role-based security profile, is granted access to the shared account, not the asset.

Preventing Unauthorized Access to Sensitive Data

The fine-grained, role-based privilege model in ConsoleWorks gives clients' business units control over the assets with which each user may interact. Least privilege automatically defaults to deny and supports command-by-command privilege grants for absolute control over electronic access to systems and sensitive data.
This enables it to manage and control what an actor may see and how they may access the asset, and to log all their activity down to the keystroke and response. It also allows ConsoleWorks to alert and alarm on user activity, and to blacklist, whitelist or abstract the commands they may use or execute. ConsoleWorks sees the user's command and then decides, based on the security role, whether or not to send the command to the asset. It may also handle the authentication on the asset on behalf of the user, eliminating the need for the user to know a privileged username/password combination on the asset. This is particularly useful for a device where only one privileged account exists: ConsoleWorks knows who is using the privileged account and can audit back to the ConsoleWorks user even though a shared account is in use.

Wireless Device Control

For wireless devices, ConsoleWorks scans for the SSID of the wireless network and knows about the connections by recognizing the MAC address and whether it is a good or bad login key. ConsoleWorks then captures the access port messages and monitors the content for nefarious activity.

White list / Blacklist

ConsoleWorks can be customized to control the application of white list commands. Specifically, it can be configured to apply to a specific role, user, device name or type, or by any term or value specified by the ConsoleWorks administrator. Specific commands could be allowed or disallowed based on the following classifications:

- Secret
- Confidential
- Regulatory
- Restricted

ConsoleWorks can also implement a black list of disallowed or restricted commands or characters. Under this access control approach, the user could be given seemingly unfettered access to a managed asset. If one of these black listed commands is executed, ConsoleWorks could be configured, as an example, to automatically end the user's connection and send an email to Security to apprehend this internal threat.

ConsoleWorks can also integrate with an identity management system. Current callouts and integrations to RADIUS, SecurID two-factor authentication, Active Directory, LDAP or other UNIX PAM modules are supported.

End to End Monitoring and Management

Active Monitoring

ConsoleWorks is a unique solution with advanced security capabilities that actively monitor user access to assets. ConsoleWorks performs the role of the Intermediate Device with unique security features which stop code-based attacks (malware, viruses, etc.), monitor all remote activity in real-time, and enforce only authorized remote user access rights.
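The role-based, default-deny command decision described in the Prevent Unauthorized Access and White list / Blacklist sections above, as an added example in Python. This is not ConsoleWorks code; the roles, command patterns, users, assets and the shared account name are all constructed for the illustration.

```python
"""
Added example (not ConsoleWorks code): a proxy-side command policy evaluator
modelled on the behaviour described above. Every command a user types passes
through the proxy, which decides per role whether to forward it to the asset
(default deny, command-by-command grants); a blacklist hit ends the session
and raises an Event that names the real user behind the shared account.
Role names, command patterns, users and assets are all constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed whitelist, keyed by role. A role that is not listed, or a command
# that matches none of its patterns, is never forwarded.
WHITELIST = {
    "network-operator": [r"^show\b", r"^ping\b", r"^traceroute\b"],
    "network-admin": [r"^show\b", r"^ping\b", r"^configure\b",
                      r"^copy running-config startup-config$"],
}
# Constructed blacklist, applied to every role and checked first.
BLACKLIST = [
    r"^(erase|format)\b",     # destructive storage commands
    r"^no\s+logging\b",       # turning off audit logging on the asset
    r"[;&`]",                 # shell metacharacters in a device CLI line
]

@dataclass
class Decision:
    forward: bool
    reason: str
    terminate: bool = False
    event: Optional[dict] = None

@dataclass
class Session:
    user: str             # the person authenticated to the proxy
    role: str
    asset: str
    shared_account: str   # the privileged account the proxy owns on the asset
    active: bool = True
    log: list = field(default_factory=list)   # keystroke-level audit trail

def evaluate(session: Session, command: str) -> Decision:
    """Decide whether one proxied command may be sent to the asset."""
    cmd = command.strip()
    if not session.active:
        return Decision(False, "session already terminated")
    # 1. Blacklist wins regardless of role: end the session, emit an Event.
    for pat in BLACKLIST:
        if re.search(pat, cmd):
            session.active = False
            event = {
                "severity": "HIGH",
                "user": session.user,            # audit back to the real user
                "account": session.shared_account,
                "asset": session.asset,
                "command": cmd,
                "action": "session terminated; notify Security",
            }
            session.log.append(("DENY", cmd, "blacklist"))
            return Decision(False, f"blacklisted by {pat!r}",
                            terminate=True, event=event)
    # 2. Whitelist: default deny unless this role explicitly allows the command.
    for pat in WHITELIST.get(session.role, []):
        if re.search(pat, cmd):
            session.log.append(("ALLOW", cmd, pat))
            return Decision(True, f"allowed for role {session.role!r}")
    session.log.append(("DENY", cmd, "not whitelisted"))
    return Decision(False, f"no whitelist entry for role {session.role!r}")

def run_demo():
    """Replay a constructed operator session; returns (session, decisions)."""
    s = Session("alice", "network-operator", "core-rtr-01", "admin")
    cmds = ["show ip route", "configure terminal",
            "erase startup-config", "show version"]
    return s, [evaluate(s, c) for c in cmds]
```

The session log keeps the real user name next to the shared account, which is what makes the audit trail attributable even though the asset only ever sees one privileged login.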
Third-party monitoring applications such as anti-virus, anti-spyware, vulnerability scanners, patch management systems, change management systems and many more can be integrated with ConsoleWorks for a unified management and monitoring portal. Rules for access can be automated based on the organization's security policies.

Real-time Notification of Events Received from 3rd Party Applications

ConsoleWorks monitors 24x7 and logs, in real-time, all incoming log sources, including those from vulnerability scanners. ConsoleWorks IEMs (Intelligent Event Modules) contain the definitions of known / documented Events provided by the Vendor, Event context information, definitions and suggested solutions, and much more. All log files collected and aggregated by ConsoleWorks are Date/Time stamped using a common base Date and Time, thus eliminating the problems caused by unsynchronized clocks. Log files can be viewed individually or interlaced with other log files in Date/Time order at the sub-second level using TDi Technologies' patented timestamp mechanism in ConsoleWorks. Evidence of potentially compromised machines can be identified through Alerts and Alarms.

Uncovering Details of an Attack

ConsoleWorks is agnostic about the source of information. Any information source can be managed and monitored as long as it generates data. Sources like NetFlow, identity management, databases, applications, and other data sources are treated in the same manner as devices that are managed and monitored by ConsoleWorks. ConsoleWorks monitors these logs in the context of all other managed applications or hardware. Its ability to aggregate error conditions across all log files enables administrators to view multiple log files, in context, to help in root cause analysis. In many cases, issues have been resolved before other solutions have been notified that an Event has occurred. ConsoleWorks sees an incoming message that is important.
An Event is defined for that message and, when it is detected, ConsoleWorks determines who did it, what the message was and what the description was, and saves that information. From there, additional context such as remediation actions, best practices, links to vendor documentation, etc. can be added to that Event.

Helping Prevent Code-based Attacks

ConsoleWorks performs the role of the Intermediate Device with unique security features which stop code-based attacks (malware, viruses, etc.), monitor all remote activity in real-time, and enforce only authorized remote user access rights.

Logging of Updates to 3rd Party Applications

ConsoleWorks logs all people and system activity for the systems that it manages. As changes are made to a system or to software on a system, ConsoleWorks is monitoring and logging those changes. This normalization helps shorten the remediation process in determining the source of an issue.

Knowledge Gaps

ConsoleWorks "learns" about Events from the experts so that less trained people can apply the knowledge of better-trained people/experts. As Events are remediated by experts, ConsoleWorks captures their keystroke input and resulting output. That remediation session can be tagged as the Best Practice in the ConsoleWorks knowledge base for the remediation of that particular Event. In the future, if that Event re-occurs, this previously tagged Best Practice is automatically made available by ConsoleWorks for reference. Alternatively, this session can also be used to automate resolution, when it is possible to do so, through ConsoleWorks Actions. User knowledge of Events can be incorporated into this IEM knowledge base.

Baseline Configuration Management

Configuration Management

Once a baseline configuration for accounts, software, ports and services is established for a cyber asset and a schedule defined for regular checks, all configuration comparison results are logged in ConsoleWorks for each asset. As such, changes in configurations are kept by ConsoleWorks as long as required, for future reference or compliance purposes. Changes in configurations identified by ConsoleWorks create notification Events in the system. These notifications can be used to alert a change management system, user or other personnel. ConsoleWorks accomplishes this by executing Actions that have been defined by the customer.
These Actions can send notifications of the asset affected, along with the approved and new baselines, and any changes detected between the two. ConsoleWorks can easily identify the accounts, patch level, services, and settings for the assets that it manages. Once collected, ConsoleWorks can use this information as part of the approved configuration baseline. Once that baseline configuration is established for a cyber asset and a schedule defined for regular checks, all configuration comparison results are logged for each asset. Changes in baseline configurations are kept by ConsoleWorks as long as required, for future reference. Baseline checks can be evaluated against a control / test system to determine whether any deviations have been introduced. If so, these changes to the configuration create notification Events in the system. Notifications can be used to Alert a change management system, user or other personnel. ConsoleWorks uses Actions to send notifications of the asset affected, along with the approved and new baselines and any changes detected between the two.

Comparing & Validating Secure Configurations Against Standards & Documenting Deviations

ConsoleWorks can collect firewall, router, switch and other network device configurations for each type of device that it manages. Once collected, ConsoleWorks can use this information as part of the approved configuration baseline. Once that baseline configuration is established and a schedule is defined to execute regular checks, all configuration comparison results are logged in ConsoleWorks for each asset. Approvals for the change are also documented. Changes in baseline configurations and resulting approvals are kept by ConsoleWorks as long as required, for future reference.
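The scheduled baseline comparison described in the Configuration Management and Comparing & Validating sections above, as an added example in Python. This is not ConsoleWorks code; it goes a little beyond the text by covering accounts, listening ports, services, patch level and the Autorun setting in one check, and every asset name, baseline value and collected snapshot is constructed.

```python
"""
Added example (not ConsoleWorks code): a scheduled baseline check of the kind
described above. An approved baseline (accounts, listening ports, services,
patch level, Autorun setting) is compared with a freshly collected snapshot;
every comparison result is logged, and any deviation becomes a notification
Event carrying the approved baseline, the new baseline and the changes
between them. Asset names, baseline values and snapshots are constructed.
"""
from datetime import datetime, timezone
from typing import Optional

# Constructed approved baseline for one system type.
APPROVED_BASELINE = {
    "accounts": {"root", "svc_backup", "ops"},
    "listening_ports": {22, 443},
    "services": {"sshd", "nginx", "cron"},
    "patch_level": "2014-06",
    "autorun_disabled": True,
}

# Settings whose deviation is treated as high severity in this example.
HIGH_SEVERITY_KEYS = {"accounts", "listening_ports", "autorun_disabled"}

def compare(baseline: dict, current: dict) -> dict:
    """Return per-setting deviations; an empty dict means the asset matches."""
    deviations = {}
    for key, approved in baseline.items():
        observed = current.get(key)
        if isinstance(approved, set):
            observed = set(observed or ())
            added, removed = observed - approved, approved - observed
            if added or removed:
                deviations[key] = {
                    "approved": sorted(approved), "observed": sorted(observed),
                    "added": sorted(added), "removed": sorted(removed),
                }
        elif observed != approved:
            deviations[key] = {"approved": approved, "observed": observed}
    return deviations

def check_asset(asset: str, baseline: dict, current: dict, log: list) -> Optional[dict]:
    """One scheduled check: log the result, return an Event only if something changed."""
    deviations = compare(baseline, current)
    ts = datetime.now(timezone.utc).isoformat()
    log.append({"time": ts, "asset": asset,
                "result": "DEVIATION" if deviations else "MATCH",
                "changes": deviations})
    if not deviations:
        return None
    severity = "HIGH" if HIGH_SEVERITY_KEYS.intersection(deviations) else "MEDIUM"
    return {
        "event": "BASELINE_DEVIATION", "time": ts, "asset": asset,
        "severity": severity,
        "approved_baseline": baseline, "new_baseline": current,
        "changes": deviations,
        "notify": ["change-management", "security-oncall"],  # Action targets
    }

# Constructed snapshots: one compliant host and one that drifted.
SNAPSHOT_OK = {
    "accounts": {"root", "svc_backup", "ops"},
    "listening_ports": {22, 443},
    "services": {"sshd", "nginx", "cron"},
    "patch_level": "2014-06",
    "autorun_disabled": True,
}
SNAPSHOT_DRIFTED = {
    "accounts": {"root", "svc_backup", "ops", "tmpadmin"},   # new account
    "listening_ports": {22, 443, 8080},                      # new listener
    "services": {"sshd", "nginx"},                           # cron stopped
    "patch_level": "2014-06",
    "autorun_disabled": False,                               # Autorun re-enabled
}

def run_scheduled_check():
    """Run the check over both constructed hosts and return (log, events)."""
    log, events = [], []
    for asset, snap in (("web-01", SNAPSHOT_OK), ("web-02", SNAPSHOT_DRIFTED)):
        ev = check_asset(asset, APPROVED_BASELINE, snap, log)
        if ev:
            events.append(ev)
    return log, events
```

The log records a MATCH result as well as deviations, which is what makes the history usable as compliance evidence later rather than only as an alert feed.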
Tracking Installed Software

Once a baseline of authorized software for each system type has been established, the ConsoleWorks Baseline Configuration Management module has the ability to run scheduled comparisons of the current software type, version and patches installed versus the baseline that was previously established. Changes that are identified by ConsoleWorks will create notification Events that may be used to Alert a change management system, user or other personnel.

Establishing Baseline Configurations for Patches

Once the patch level has been updated on a test system, for example, other similarly configured devices can be checked to ensure that the same patches have been installed. If not, a Notification Event is triggered and Alerts are sent to the appropriate personnel. ConsoleWorks BCM can also be used to perform regular checks on devices to ensure that Autorun has been disabled. If not, an Event is triggered and notification sent to the appropriate personnel.

Documenting that the Backup and Restoration Test Occurred

The ConsoleWorks Baseline Configuration Management module can be used to trigger a system or command that runs on a scheduled basis, such as a backup command. Events that notify the appropriate personnel of the need for the restoration test can be triggered.

ConsoleWorks then logs that the backup command was run and the test notification was sent (as Events) for future compliance reporting purposes.

Monitoring for Unnecessary Software, Ports & Services

Once a baseline of authorized software, ports, services, accounts, etc., for each system type has been established, the ConsoleWorks Baseline Configuration Management module has the ability to run comparisons of current configurations versus the baseline that was previously established. Any differences that are identified by ConsoleWorks will create notification Events that may be used to Alert a change management system, user or other personnel.

ConsoleWorks Mapping to the SANS Top 20 Critical Cyber Security Controls

The following table documents each of the SANS Top 20 Critical Cyber Security Controls along with a more detailed description of a typical application of the Control. TDi Technologies has mapped each of the 20 Controls to a ConsoleWorks module and a feature within that module that addresses that control in whole or in part. Each of the modules and features is outlined above and referenced in the table.

1. Inventory of Authorized and Unauthorized Devices

Reduce the ability of attackers to find and exploit unauthorized and unprotected systems: Use active monitoring and configuration management to maintain an up-to-date inventory of devices connected to the enterprise network, including servers, workstations, laptops and remote devices.

Any time a new device is installed on a network, the risks of exposing the network to unknown vulnerabilities or hampering its operation are present. Malicious code can take advantage of new hardware that is not configured and patched with appropriate security updates at the time of installation. Attackers can use these vulnerable systems to install backdoors before they are hardened.
In automating Critical Control 1, it's critical for all devices to have an accurate and up-to-date inventory control system in place. Any device not in the database should be prohibited from connecting to the network. Some organizations maintain asset inventories by using specific large-scale enterprise commercial products or by using free solutions to track and sweep the network periodically. To evaluate the implementation of Control 1 on a periodic basis, the evaluation team will connect hardened test systems to at least 10 locations on the network. This will include a selection of subnets associated with DMZs, workstations, and servers.

ConsoleWorks mapping: End to End Monitoring & Management (Active Monitoring); Baseline Configuration Management. Rating: Very High

2. Inventory of Authorized and Unauthorized Software

Identify vulnerable or malicious software to mitigate or root out attacks: Devise a list of authorized software for each type of system, and deploy tools to track software installed (including type, version, and patches) and monitor for unauthorized or unnecessary software.

An organization without the ability to inventory and control its computers' installed programs makes its systems more vulnerable to attack. Furthermore, poorly controlled machines are more likely to be running software that is unneeded for business purposes, introducing potential security flaws. Compromised systems become a staging point for attackers to collect sensitive information. In order to combat this potential threat, an organization should scan a network and identify known or responding applications. Commercial software and asset inventory tools are widely available. The best tools provide an inventory check of hundreds of common applications, pulling information about the patch level of each installed program. This ensures that it's the latest version and that it leverages standardized application names, like those found in the Common Platform Enumeration (CPE) specification.
In addition to inventory checks, tools that implement whitelists (allow) and blacklists (deny) of programs are included in many modern end-point security suites. To evaluate the implementation of Control 2 on a periodic basis, the team must move a benign software test program that is not included in the authorized software list onto 10 systems on the network. The team must then verify that the software is blocked and unable to run.

ConsoleWorks mapping: Baseline Configuration Management (Tracking Installed Software); Privileged Access Management (White list / Blacklist). Rating: Very High

3. Secure Configurations for Hardware & Software on Laptops, Workstations, and Servers

Prevent attackers from exploiting services and settings that allow easy access through networks and browsers: Build a secure image that is used for all new systems deployed to the enterprise, host these standard images on secure storage servers, regularly validate and update these configurations, and track system images in a configuration management system.

Default configurations of software are often geared to ease-of-deployment and ease-of-use and not security, leaving some systems exploitable in their default state. Attackers attempt to exploit both network-accessible services and client software using various forms of malware. Without the ability to inventory and control what is installed and running, enterprises make their systems more vulnerable. Organizations can implement this control by developing a series of images and secure storage servers for hosting these standard images. Configuration management tools can be employed to measure the settings of the installed software and to look for deviations from the standard image configurations used by the organization. To evaluate the implementation of Control 3 on a periodic basis, an evaluation team must move a benign test system (one that does not contain the official hardened image, but does contain additional services, ports, and configuration file changes) onto the network. The evaluation team must then verify that the systems generate an alert or e-mail notice regarding the changes to the software.

ConsoleWorks mapping: Baseline Configuration Management (Validating a Secure Configuration). Rating: Very High

4. Continuous Vulnerability Assessment and Remediation

Proactively identify and repair software vulnerabilities reported by security researchers or vendors: Regularly run automated vulnerability scanning tools against all systems and quickly remediate any vulnerabilities, with critical problems fixed within 48 hours.

Soon after new vulnerabilities are discovered and reported by security researchers or vendors, attackers engineer exploit code and launch it against targets of interest. Any significant delay in finding or fixing software with critical vulnerabilities provides ample opportunity for persistent attackers to break through and gain control of vulnerable machines. A large number of vulnerability scanning tools are available to evaluate the security configuration of systems. The most effective vulnerability scanning tools compare the results of the current scan with previous scans to determine how the vulnerabilities in the environment have changed over time. All machines identified by the asset inventory system must be scanned for vulnerabilities. To evaluate the implementation of Control 4 on a periodic basis, the evaluation team must verify that scanning tools have successfully completed their weekly or daily scans.

ConsoleWorks mapping: End to End Monitoring and Management (Real-time Notification of Events Received). Rating: Very High

5. Malware Defenses

Block malicious code from tampering with system settings or contents, capturing sensitive data, or spreading: Use automated anti-virus and anti-spyware software to continuously monitor and protect workstations, servers, and mobile devices. Automatically update such anti-malware tools on all machines on a daily basis. Prevent network devices from using auto-run programs to access removable media.

Malicious software is an integral and dangerous aspect of Internet threats. It targets end users and organizations via Web browsing, e-mail attachments, mobile devices, and other vectors. Malicious code may tamper with a system's contents, capture sensitive data, and spread to other systems. To ensure anti-virus signatures are up-to-date, effective organizations use automation. They use the built-in administrative features of enterprise endpoint security suites to verify that anti-virus, anti-spyware, and host-based Intrusion Detection Systems (IDS) features are active on every managed system. They also run automated assessments daily and review the results to find and mitigate systems that have deactivated such protections or do not have the latest malware definitions. The system must identify any malicious software that is either installed, attempted to be installed, executed, or attempted to be executed, on a computer system. To evaluate the implementation of Control 5 on a periodic basis, the evaluation team must move a benign software test program appearing to be malware onto a system and make sure it is properly discovered and remediated.

ConsoleWorks mapping: End to End Monitoring and Management (Helping Prevent Code-based Attacks); End to End Monitoring and Management (Logging of Updates to 3rd Party Applications); Baseline Configuration Management (Establishing Baseline Configurations). Rating: High, Medium

6. Application Software Security

Neutralize vulnerabilities in web-based and other application software: Carefully test internally developed and third-party application software for security flaws, including coding errors and malware. Deploy web application firewalls that inspect all traffic, and explicitly check for errors in all user input (including by size and data type).

Criminal organizations frequently attack vulnerabilities in both web-based and non-web-based application software. In fact, it's a top priority for criminals.
Application software is vulnerable to remote compromise in three ways:

- It does not properly check the size of user input
- It fails to sanitize user input by filtering out potentially malicious character sequences
- It does not initialize and clear variables properly

To avoid attacks, internally developed and third party application software must be carefully tested to find security flaws. Source code testing tools, web application security scanning tools, and object code testing tools have proven useful in securing application software. Another useful tool is manual application security penetration testing by testers who have extensive programming knowledge and application penetration testing expertise. The system must be capable of detecting and blocking an application-level software attack, and must generate an alert or send e-mail to enterprise administrative personnel. To evaluate the implementation of Control 6 on a monthly basis, an evaluation team must use a web application vulnerability scanner to test for software security flaws.

ConsoleWorks mapping: End to End Monitoring and Management (Real-time Notification of Events). Rating: High

7. Wireless Device Control

Protect the security perimeter against unauthorized wireless access: Allow wireless devices to connect to the network only if they match an authorized configuration and security profile and have a documented owner and defined business need. Ensure that all wireless access points are manageable using enterprise management tools. Configure scanning tools to detect wireless access points.

Attackers who gain wireless access to an organization from nearby parking lots have initiated major data thefts. This allows attackers to bypass an organization's perimeter and maintain long-term access inside a target. Effective organizations run commercial wireless scanning, detection, and discovery tools as well as commercial wireless intrusion detection systems.
The system must be capable of identifying unauthorized wireless devices or configurations when they are within range of the organization's systems or connected to its networks. To evaluate the implementation of Control 7 on a periodic basis, the evaluation team staff must configure unauthorized but hardened wireless clients and wireless access points on the organization's network. It must also attempt to connect them to the organization's wireless networks. These access points must be detected and remediated in a timely manner.

ConsoleWorks mapping: Privileged Access Management (Wireless Device Control). Rating: High

8. Data Recovery Capability

Minimize the damage from an attack: Implement a trustworthy plan for removing all traces of an attack. Automatically back up all information required to fully restore each system, including the operating system, application software, and data. Back up all systems at least weekly; back up sensitive systems more often. Regularly test the restoration process.

When attackers compromise machines, they often make significant changes to configurations and software. Sometimes attackers also make subtle alterations of data stored on compromised machines, potentially jeopardizing organizational effectiveness with polluted information. Once per quarter, a testing team should evaluate a random sample of system backups by attempting to restore them on a test bed environment. The restored systems should be verified to ensure that the operating system, application, and data from the backup are all intact and functional.

ConsoleWorks mapping: Baseline Configuration Management (Documenting that the Backup and Restoration Test Occurred). Rating: Medium

9. Security Skills Assessment and Appropriate Training to Fill Gaps

Find knowledge gaps, and fill them with exercises and training: Develop a security skills assessment program, map training against the skills required for each job, and use the results to allocate resources effectively to improve security practices.
An organization hoping to find and respond to attacks effectively relies on its employees and contractors to find the gaps and fill them. A solid security skills assessment program can provide actionable information to decision makers about where security awareness needs to be improved. It can also help determine proper allocation of limited resources to improve security practices. The key to upgrading skills is measurement, not with certification examinations, but with assessments that show both the employee and the employer where knowledge is sufficient and where there are gaps. Once the gaps have been identified, those employees who have the requisite knowledge can be called upon to mentor the employees who do not. The organization can also develop training programs that directly maintain employee readiness. End to End Monitoring and Management Knowledge Gaps Medium 10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches Preclude electronic holes from forming at connection points with the Internet, other organizations, and internal network segments: Compare firewall, router, and switch configurations against standards for each type of network device. Ensure that any deviations from the standard configuration are documented and approved and that any temporary deviations are undone when the business need abates. Attackers penetrate defenses by searching for electronic holes in firewalls, routers, and switches. Once these network devices have been exploited, attackers can gain access to target networks, redirect traffic on that network (to a malicious system masquerading as a trusted system), and intercept and alter information while in transmission. Organizations can use commercial tools that will evaluate the rule set of network filtering devices, which determine whether they are consistent or in conflict and provide an automated check of network filters. Additionally, these commercial tools 9

10 ConsoleWorks Applications to SANS Top 20 Controls search for errors in rule sets. Such tools should be run each time significant changes are made to firewall rule sets, router ACLs, or other filtering technologies. To evaluate the implementation of Control 10 on a periodic basis, an evaluation team must make a change to each type of network device plugged into the network. At a minimum, routers, switches, and firewalls need to be tested. If they exist, IPS, IDS, and other network devices must be included. Baseline Configuration Management Comparing Configurations Against Standards & Documenting Deviations High Medium 11. Limitation and Control of Network Ports, Protocols, and Services Allow remote access only to legitimate users and services: Apply host- based firewalls and port- filtering and scanning tools to block traffic that is not explicitly allowed. Properly configure web servers, mail servers, file and print services, and domain name system (DNS) servers to limit remote access. Disable automatic installation of unnecessary software components. Move servers inside the firewall unless remote access is required for business purposes. Attackers search for remotely accessible network services that are vulnerable to exploitation. Many software packages automatically install services and turn them on as part of the installation of the main software package. When this occurs, the software rarely informs a user that the services have been enabled. Port scanning tools are used to determine which services are listening on the network for a range of target systems. In addition to determining which ports are open, effective port scanners can be configured to identify the version of the protocol and service listening on each discovered open port. The system must be capable of identifying any new unauthorized listening network ports that are connected to the network. 
To evaluate the implementation of Control 11 on a periodic basis, the evaluation team must install hardened test services with network listeners in ten locations on the network, including a selection of subnets associated with DMZs, workstations, and servers.

ConsoleWorks: Privileged Access Management | Remote Access to Legitimate Users; Baseline Configuration Management | Monitoring for Unnecessary Software, Ports & Services | High Medium

12. Controlled Use of Administrative Privileges

Protect and validate administrative accounts on desktops, laptops, and servers to prevent two common types of attack: (1) enticing users to open a malicious attachment or file, or to visit a malicious website, and (2) cracking an administrative password and thereby gaining access to a target machine. Use robust passwords that follow Federal Desktop Core Configuration (FDCC) standards.

The most common method attackers use to infiltrate a target enterprise is through an employee's own misuse of administrator privileges. An attacker can easily convince a workstation user to open a malicious e-mail attachment, download and open a file from a malicious site, or surf to a site that automatically downloads malicious content. If the user is logged in as an administrator, the attacker has full access to the system. Built-in operating system features can extract lists of accounts with superuser privileges, both locally on individual systems and on domain controllers. These accounts should be monitored and tracked very closely. To evaluate the implementation of Control 12 on a periodic basis, an evaluation team must verify that the organization's password policy is enforced and that administrator accounts are carefully controlled. The evaluation team does this by creating a temporary, disabled, limited-privilege test account on ten different systems. It then attempts to change the password on the account to a value that does not meet the organization's password policy.

ConsoleWorks: Privileged Access Management | Protecting and Validating Administrative Accounts on Servers | High Medium
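Controls 10 and 11 both come down to the same check: compare what a device actually runs (its configuration, or its set of listening services) against an approved standard, and treat every difference as either a documented exception with an end date or a finding. The following Python is an added illustration of that check and is not ConsoleWorks code; the router lines, the listener inventory, the change ticket number and the dates are all constructed, and the IOS-like syntax is only for readability (the comparison treats lines as opaque strings).

```python
"""Baseline comparison with documented, time-bound exceptions.

Added example for Controls 10 and 11; not ConsoleWorks code. All device
lines, port inventories, dates and ticket numbers are constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ApprovedDeviation:
    line: str       # exact observed line that deviates from the baseline
    ticket: str     # change record that approved it (constructed id)
    expires: date   # end of the business need; after this it is a finding again


def normalize(lines):
    """Ignore blanks and '!' comment lines so cosmetic noise is not a deviation."""
    return {ln.strip() for ln in lines if ln.strip() and not ln.strip().startswith("!")}


def compare_to_baseline(baseline, observed, approved, today):
    """Return (kind, line, note) tuples describing how observed differs from baseline.

    kind is 'approved' (documented and still inside its approval window),
    'expired-exception' (the temporary deviation was never undone),
    'unexpected' (no change record) or 'missing' (a baseline line disappeared).
    """
    base, obs = normalize(baseline), normalize(observed)
    approved_by_line = {a.line: a for a in approved}
    findings = []
    for ln in sorted(obs - base):
        a = approved_by_line.get(ln)
        if a is None:
            findings.append(("unexpected", ln, "no approved change record"))
        elif today > a.expires:
            findings.append(("expired-exception", ln, f"{a.ticket} expired {a.expires}"))
        else:
            findings.append(("approved", ln, f"{a.ticket} until {a.expires}"))
    for ln in sorted(base - obs):
        findings.append(("missing", ln, "baseline line absent from device"))
    return findings


def actionable(findings):
    """Everything except a still-valid approved deviation needs a ticket or a rollback."""
    return [f for f in findings if f[0] != "approved"]


# Control 10: constructed router standard and the running config pulled from the device.
ROUTER_BASELINE = """
! hardened border router standard (constructed)
service password-encryption
no ip http server
no ip http secure-server
ip ssh version 2
logging host 10.0.0.5
ntp server 10.0.0.6
access-list 10 permit 10.0.0.0 0.0.0.255
""".splitlines()

ROUTER_RUNNING = """
service password-encryption
ip http server
no ip http secure-server
ip ssh version 2
logging host 10.0.0.5
ntp server 10.0.0.6
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 permit 192.168.50.0 0.0.0.255
""".splitlines()

# The extra ACL entry was approved as a temporary change; the HTTP server was not.
ROUTER_APPROVED = [
    ApprovedDeviation("access-list 10 permit 192.168.50.0 0.0.0.255",
                      "CHG-0000", date(2013, 12, 31)),
]

# Control 11: the same comparison over a 'proto/port owner' listener inventory,
# as a port scanner or netstat export would give you (constructed here).
PORT_BASELINE = ["tcp/22 sshd", "tcp/443 nginx", "udp/123 ntpd"]
PORT_OBSERVED = ["tcp/22 sshd", "tcp/443 nginx", "udp/123 ntpd", "tcp/8080 java"]


def check_router_config(today_iso="2013-11-15"):
    return compare_to_baseline(ROUTER_BASELINE, ROUTER_RUNNING, ROUTER_APPROVED,
                               date.fromisoformat(today_iso))


def check_listening_ports(today_iso="2013-11-15"):
    return compare_to_baseline(PORT_BASELINE, PORT_OBSERVED, [], date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in check_router_config() + check_listening_ports():
        print(*f, sep=" | ")
```

Run on the constructed data, the router check reports the ACL entry as approved, the enabled HTTP server as unexpected and the lost "no ip http server" line as missing; run again with a date after the ticket's expiry, the ACL entry becomes an expired exception, which is exactly the "temporary deviation not undone" case the control calls out.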

13. Boundary Defense

Control the flow of traffic through network borders, and police content by looking for attacks and evidence of compromised machines: Establish multilayered boundary defenses by relying on firewalls, proxies, demilitarized zones (DMZ), perimeter networks, and other network-based tools. Filter inbound and outbound traffic, including traffic through business partner networks ("extranets").

By attacking Internet-facing systems, attackers can create a relay point to break into other networks or internal systems. Automated tools can be used to exploit vulnerable entry points into a network. To control the flow of traffic through network borders and to look for attacks and evidence of compromised machines, boundary defenses should be multi-layered. These boundaries should consist of firewalls, proxies, DMZ perimeter networks, and network-based intrusion prevention systems and intrusion detection systems. Organizations should regularly test these sensors by launching vulnerability-scanning tools and verifying that the scanner traffic triggers an appropriate alert. The captured packets of the Intrusion Detection System (IDS) sensors should be reviewed using an automated script each day, which ensures log volumes are within expected parameters, are formatted properly, and have not been corrupted. To evaluate the implementation of Control 13 on a periodic basis, an evaluation team must test boundary devices. This is done by sending packets from outside a trusted network to ensure that only authorized packets are allowed through the boundary. All other packets must be dropped.

ConsoleWorks: End to End Monitoring & Management | Uncovering Details of an Attack | High Medium
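The daily IDS log review described above has three concrete checks: is today's volume within expected parameters, does every line parse, and has the file been damaged. The Python below is an added illustration of such a script and is not ConsoleWorks code. The line layout, the sample log and the seven-day volume history are constructed; real sensor formats differ, so the regular expression is an assumption to be replaced with the format the sensor actually emits.

```python
"""Daily IDS log health check: volume, format and corruption.

Added example for Control 13's daily review script; not ConsoleWorks code.
The line format, the sample log and the volume history are constructed.
"""
import re
from datetime import datetime

# Assumed line layout (sensor formats vary; this is not a specific product's):
# <ISO-8601 UTC> <src>:<sport> -> <dst>:<dport> <proto> <action> sid=<n>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d{1,5}) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d{1,5}) "
    r"(?P<proto>TCP|UDP|ICMP) (?P<action>ALERT|DROP|PASS) sid=(?P<sid>\d+)$"
)

# Constructed one-day sample with one of each defect the script must catch.
SAMPLE_LOG = (
    "2013-11-14T00:01:02Z 198.51.100.4:40512 -> 10.0.0.20:443 TCP PASS sid=1\n"
    "2013-11-14T00:05:10Z 203.0.113.7:51234 -> 10.0.0.20:22 TCP ALERT sid=2\n"
    "2013-11-14T00:05:11Z 203.0.113.7:51235 -> 10.0.0.20:23 TCP DROP sid=3\n"
    "2013-11-14T00:04:00Z 203.0.113.7:51236 -> 10.0.0.20:25 TCP DROP sid=4\n"  # clock went backwards
    "2013-11-14T00:09:59Z 198.51.100.4:40513 -> 10.0.0.21:53 UDP PASS sid=5\n"
    "garbage line left by a partial write\n"                                    # malformed
    "2013-11-14T00:12:30Z 198.51.100.9:40\x00600 -> 10.0.0.20:443 TCP PASS sid=6\n"  # NUL byte
)
VOLUME_HISTORY = [6, 8, 7, 9, 7, 6, 8]  # constructed line counts for the previous seven days


def volume_status(count, history, low=0.5, high=2.0):
    """Compare today's count with the recent mean: a silent sensor and a log that
    suddenly balloons are both worth a look."""
    mean = sum(history) / len(history)
    if count < low * mean:
        return "low"
    if count > high * mean:
        return "high"
    return "ok"


def check_daily_log(text, history=VOLUME_HISTORY):
    """Classify every line and summarise the day; 'healthy' is True only when
    nothing is malformed, corrupted or out of order and the volume is normal."""
    counts = {"total": 0, "well_formed": 0, "malformed": 0, "corrupted": 0, "out_of_order": 0}
    last_ts = None
    for line in text.splitlines():
        counts["total"] += 1
        if any(ord(c) < 32 for c in line):        # NUL/control bytes: damaged or truncated write
            counts["corrupted"] += 1
            continue
        m = LINE_RE.match(line)
        if m is None:                             # does not match the expected format
            counts["malformed"] += 1
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if last_ts is not None and ts < last_ts:  # timestamps must not go backwards
            counts["out_of_order"] += 1
            continue
        last_ts = ts
        counts["well_formed"] += 1
    counts["volume"] = volume_status(counts["total"], history)
    counts["healthy"] = (counts["volume"] == "ok"
                         and counts["malformed"] == 0
                         and counts["corrupted"] == 0
                         and counts["out_of_order"] == 0)
    return counts


if __name__ == "__main__":
    print(check_daily_log(SAMPLE_LOG))
```

The volume band (half to twice the recent mean) is a deliberately crude assumption; a site would tune it per sensor. The point is that a day with zero lines is flagged as loudly as a day with a corrupted file, since a sensor that stopped logging looks identical to a quiet network until someone checks.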
14. Maintenance, Monitoring, and Analysis of Security Audit Logs

Use detailed logs to identify and uncover the details of an attack, including the location, malicious software deployed, and activity on victim machines: Generate standardized logs for each hardware device and the software installed on it, including date, time stamp, source addresses, destination addresses, and other information about each packet and/or transaction. Store logs on dedicated servers and run biweekly reports to identify and document anomalies.

At times, audit logs provide the only evidence of a successful attack. Many organizations keep audit records for compliance purposes but rarely review them. When audit logs aren't reviewed, organizations don't know their systems have been compromised. Attackers rely on this. Most free and commercial operating systems, network services, and firewall technologies offer logging capabilities. Such logging should be activated, and logs should be sent to centralized logging servers. The system must be capable of logging all events across the network. The logging must be validated across both network and host-based systems. To evaluate the implementation of Control 14 on a periodic basis, an evaluation team must review the security logs of various network devices, servers, and hosts.

ConsoleWorks: End to End Monitoring and Management | Uncovering Details of an Attack | Medium

15. Controlled Access Based on Need to Know

Prevent attackers from gaining access to highly sensitive data: Carefully identify and separate critical data from information that is readily available to internal network users. Establish a multilevel data classification scheme based on the impact of any data exposure and ensure that only authenticated users have access to nonpublic data and files.

Some organizations do not carefully identify and separate sensitive data from less sensitive, publicly available information within an internal network. In many environments, internal users have access to all or most of the information on the network. Once attackers have penetrated such a network, they can easily find and exfiltrate important information with little resistance. This control is often implemented using the built-in separation of administrator accounts from non-administrator accounts. The system must be able to detect all attempts by users to access files without the appropriate privileges and must generate an alert or e-mail for administrative personnel. This includes information on local systems or network-accessible file shares. To evaluate the implementation of Control 15 on a periodic basis, the evaluation team must create test accounts with limited access and verify that each account is unable to access controlled information.

ConsoleWorks: Privileged Access Management | Preventing Unauthorized Access to Sensitive Data | Medium

16. Account Monitoring and Control

Keep attackers from impersonating legitimate users: Review all system accounts and disable any that are not associated with a business process and owner. Immediately revoke system access for terminated employees or contractors. Disable dormant accounts and encrypt and isolate any files associated with such accounts. Use robust passwords that conform to FDCC standards.

Attackers frequently impersonate legitimate users through inactive user accounts. This method makes it difficult for network watchers to identify attackers' behavior. Although most operating systems include capabilities for logging information about account usage, these features are sometimes disabled by default. Security personnel can configure systems to record more detailed information about account access and utilize homegrown scripts or third-party log analysis tools to analyze this information. The system must be capable of identifying unauthorized user accounts when they exist on the system. To evaluate the implementation of Control 16 on a periodic basis, the evaluation team must verify that the list of locked-out accounts, disabled accounts, accounts with passwords that exceed the maximum password age, and accounts with passwords that never expire has successfully been completed daily.

ConsoleWorks: Privileged Access Management | Preventing Unauthorized Access | Medium
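Control 12 asks for a list of accounts with superuser privileges, and Control 16 asks for a daily list of locked-out accounts, disabled accounts, passwords older than the maximum age, and passwords that never expire. Both fall out of one pass over the account database. The Python below is an added illustration of that pass over Unix-style passwd, shadow and group files and is not ConsoleWorks code; the records are constructed, the audit date is fixed so the output is reproducible, and the set of administrative groups (wheel, sudo) is an assumption a site would replace with its own.

```python
"""Privileged-account and password-hygiene report (Controls 12 and 16).

Added example; not ConsoleWorks code. The passwd/shadow/group records,
the audit date and the administrative group names are constructed.
"""
from datetime import date

EPOCH = date(1970, 1, 1)
TODAY = date(2013, 11, 15)             # constructed audit date
TODAY_DAYS = (TODAY - EPOCH).days      # shadow stores ages as days since 1970-01-01
PRIVILEGED_GROUPS = {"wheel", "sudo"}  # assumption: site-specific admin groups

# Constructed records: the hashes are placeholders, not real password hashes.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
svc_backup:x:1003:1003:backup service:/var/backup:/sbin/nologin
carol:x:1004:1004:Carol:/home/carol:/bin/bash
dave:x:1005:1005:Dave:/home/dave:/bin/bash
"""

SHADOW = f"""\
root:$6$constructedhash:{TODAY_DAYS - 30}:1:90:7:::
alice:$6$constructedhash:{TODAY_DAYS - 120}:1:90:7:::
bob:!$6$constructedhash:{TODAY_DAYS - 10}:1:90:7:::
svc_backup:*:{TODAY_DAYS - 10}:0:99999:7:::
carol:$6$constructedhash:{TODAY_DAYS - 400}:1::7:::
dave:$6$constructedhash:{TODAY_DAYS - 20}:1:90:7::{TODAY_DAYS - 5}:
"""

GROUP = """\
root:x:0:
wheel:x:10:alice
users:x:100:bob,carol,dave
"""


def parse_colon_file(text):
    """Split each non-empty, non-comment line on ':' (the format of all three files)."""
    return [ln.split(":") for ln in text.splitlines() if ln and not ln.startswith("#")]


def audit_accounts(passwd_text, shadow_text, group_text, today_days=TODAY_DAYS):
    """Return the five lists the controls ask for, in /etc/passwd order."""
    passwd = parse_colon_file(passwd_text)
    shadow = {f[0]: f for f in parse_colon_file(shadow_text)}
    groups = parse_colon_file(group_text)
    gid_to_name = {g[2]: g[0] for g in groups}
    members = {g[0]: set(filter(None, g[3].split(","))) for g in groups}

    report = {k: [] for k in ("privileged", "locked", "disabled",
                              "password_age_exceeded", "never_expires")}
    for name, _pw, uid, gid, _gecos, _home, shell in passwd:
        sh = shadow.get(name)
        if sh is None:
            continue  # passwd entry without a shadow entry: nothing to age-check
        hash_, lastchg, _min, maxage, _warn, _inactive, expire = sh[1:8]

        # Control 12: uid 0, or primary/supplementary membership in an admin group.
        in_admin_group = (gid_to_name.get(gid) in PRIVILEGED_GROUPS
                          or any(name in members.get(g, ()) for g in PRIVILEGED_GROUPS))
        if uid == "0" or in_admin_group:
            report["privileged"].append(name)

        # Control 16: '!' prefix is the conventional lock marker in the hash field.
        if hash_.startswith("!"):
            report["locked"].append(name)
        # Disabled: no interactive shell, or the account expiry date has passed.
        if shell.endswith("nologin") or (expire and int(expire) < today_days):
            report["disabled"].append(name)
        # Empty or 99999 max age means the password never expires.
        if maxage == "" or int(maxage) >= 99999:
            report["never_expires"].append(name)
        elif lastchg and today_days - int(lastchg) > int(maxage):
            report["password_age_exceeded"].append(name)
    return report


if __name__ == "__main__":
    for category, names in audit_accounts(PASSWD, SHADOW, GROUP).items():
        print(f"{category}: {', '.join(names) or '-'}")
```

The output is the daily list the control's evaluation step looks for; storing each day's report (or its hash) alongside the previous one also gives the evidence that the review actually ran, which is the part auditors usually ask for.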
17. Data Loss Prevention

Stop unauthorized transfer of sensitive data through network attacks and physical theft: Scrutinize the movement of data across network boundaries, both electronically and physically, to minimize the exposure to attackers. Monitor people, processes, and systems, using a centralized management framework.

The loss of protected and sensitive data is a serious threat to business operations and, potentially, national security. While some data is leaked or lost as a result of theft or espionage, the vast majority of these problems result from poorly understood data practices. These include, but are not limited to, a lack of effective policy architectures and user error. The phrase "Data Loss Prevention" (DLP) refers to a comprehensive approach covering people, processes, and systems that identify, monitor, and protect data in use (e.g., endpoint actions), data in motion (e.g., network actions), and data at rest (e.g., data storage) through deep content inspection and with a centralized management framework. Commercial DLP solutions are available to look for exfiltration attempts and detect other suspicious activities associated with a protected network holding sensitive information. The system must be capable of identifying unauthorized data leaving the organization's systems, whether via network file transfers or removable media. To evaluate the implementation of Control 17 on a periodic basis, the evaluation team must attempt to move test data sets (that trigger DLP systems but do not contain sensitive data) outside of the trusted computing environment via both network file transfers and removable media.

ConsoleWorks: Privileged Access Management | Centralized Management of People, Processes, Applications and Systems | Medium Low
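The evaluation step above depends on test data that a DLP content inspector will flag without being sensitive. The Python below is an added illustration of both halves, a minimal content-inspection rule set and a test file built to trip it; it is not ConsoleWorks code and not a commercial DLP engine. The documents are constructed, the canary marker format is an assumption, and the card number is the publicly known Visa test number, so nothing real is in the file.

```python
"""Content inspection for a DLP test data set (Control 17).

Added example; not ConsoleWorks code. The rules are a minimal illustration,
the documents are constructed, and the card number is a public test value.
"""
import re

# Runs of 13-16 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,15}\d(?![\d-])")
# Canary marker an evaluation team seeds into test files (constructed format).
CANARY_RE = re.compile(r"DLP-TEST-CANARY-[0-9A-F]{8}")


def luhn_valid(digits):
    """Luhn checksum, which every issued card number satisfies; it filters out
    the many digit runs (invoice numbers, timestamps) that merely look like one."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def inspect(text):
    """Return (rule, matched_text) for every hit; an empty list means the content may pass."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_valid(digits):
            hits.append(("card-number", m.group()))
    for m in CANARY_RE.finditer(text):
        hits.append(("canary-marker", m.group()))
    return hits


# Constructed test file: trips both rules without containing sensitive data.
TEST_DOCUMENT = (
    "Quarterly DLP exercise file. Marker: DLP-TEST-CANARY-0BADF00D\n"
    "Sample PAN (Visa public test number): 4111 1111 1111 1111\n"
)
# Constructed clean file: digit runs that are not card numbers (the last one fails Luhn).
CLEAN_DOCUMENT = (
    "Invoice 2013-11-0042, ticket CHG-0000, ref 4111 1111 1111 1112\n"
)


if __name__ == "__main__":
    print("test document:", inspect(TEST_DOCUMENT))
    print("clean document:", inspect(CLEAN_DOCUMENT))
```

The Luhn filter is what keeps the rule usable: without it, every sixteen-digit reference number on the network is a false positive, and staff learn to ignore the alerts. The canary rule is the simpler companion for exercises, since a marker that never appears in production cannot produce a false positive at all.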

18. Incident Response Management

Protect the organization's reputation, as well as its information: Develop an incident response plan with clearly delineated roles and responsibilities for quickly discovering an attack and then effectively containing the damage, eradicating the attacker's presence, and restoring the integrity of the network and systems.

Without an incident response plan, an organization may not discover an attack in the first place. Even if the attack is detected, the organization may not follow proper procedures to contain damage, eradicate the attacker's presence, and recover in a secure fashion. Thus, the attacker may have a far higher impact on the target organization, causing more damage, infecting more systems, and possibly exfiltrating more sensitive data than would otherwise be possible. After defining detailed incident response procedures, the incident response team should engage in periodic scenario-based training. This includes, but is not limited to, working through a series of attack scenarios that are fine-tuned to the threats and vulnerabilities the organization faces.

ConsoleWorks: End to End Monitoring and Management | Medium

19. Secure Network Engineering

Keep poor network design from enabling attackers: Use a robust, secure network engineering process to prevent security controls from being circumvented. Deploy a network architecture with at least three tiers: DMZ, middleware, and private network. Allow rapid deployment of new access controls to quickly deflect attacks.

Security controls can be circumvented in networks that are poorly designed. Without a carefully planned and properly implemented network architecture, attackers can pivot through the network to gain access to target machines. To help ensure a consistent, defensible network, the architecture of each network should be based on a template that describes the overall layout of the network and the services it provides. Organizations should prepare network diagrams for each of their networks. Network diagrams should show components such as routers, firewalls, switches, significant servers, and groups of client machines.

ConsoleWorks: Privileged Access Management; End to End Monitoring & Management; Baseline Configuration Management | Low

20. Penetration Tests and Red Team Exercises

Use simulated attacks to improve organizational readiness: Conduct regular internal and external penetration tests that mimic an attack to identify vulnerabilities and gauge the potential damage. Use periodic red team exercises (all-out attempts to gain access to critical data and systems) to test existing defenses and response capabilities.

Attackers penetrate networks and systems through social engineering and by exploiting vulnerable software and hardware. Penetration testing involves mimicking the actions of computer attackers to identify vulnerabilities and exploiting them to determine what kind of access an attacker can gain. Each organization should define a clear scope and the rules of engagement for penetration testing and red team analyses. The scope of such projects should include, at least, systems with the highest-value information and production processing functionality.

ConsoleWorks: N/A | Low

More details on ConsoleWorks' unique capabilities can be found at

About TDi Technologies

TDi provides solutions to a global customer base with key verticals including Financial Services, Healthcare, Telecommunications, Utilities, and Government. The company's solutions help customers reduce operating costs, meet compliance requirements, secure the IT foundation, and improve IT service delivery. TDi Technologies is the first solution provider to offer a unified enterprise IT operations solution for Privileged Access Management, Baseline Configuration Management, Event Monitoring and Remediation, and Logging over the IT foundation. The company's patented technology provides automation, optimization, control and management capabilities that dramatically improve the ability of IT to meet the demands of the business.


More information

Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance Draft 1.0: February 23, 2009

Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance Draft 1.0: February 23, 2009 Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance Draft 1.0: February 23, 2009 NOTICE to readers of this draft document: Criticisms and suggestions

More information

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD005.001. Effective Date: April 7, 2005

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD005.001. Effective Date: April 7, 2005 State of New Mexico Statewide Architectural Configuration Requirements Title: Network Security Standard S-STD005.001 Effective Date: April 7, 2005 1. Authority The Department of Information Technology

More information

The Trivial Cisco IP Phones Compromise

The Trivial Cisco IP Phones Compromise Security analysis of the implications of deploying Cisco Systems SIP-based IP Phones model 7960 Ofir Arkin Founder The Sys-Security Group ofir@sys-security.com http://www.sys-security.com September 2002

More information

University Convocation. IT 4823 Information Security Administration. Firewalls and Intrusion Prevention Systems. Firewall Capabilities and Limits DMZ

University Convocation. IT 4823 Information Security Administration. Firewalls and Intrusion Prevention Systems. Firewall Capabilities and Limits DMZ IT 4823 Information Security Administration Firewalls and Intrusion Prevention October 7 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles

More information

Did you know your security solution can help with PCI compliance too?

Did you know your security solution can help with PCI compliance too? Did you know your security solution can help with PCI compliance too? High-profile data losses have led to increasingly complex and evolving regulations. Any organization or retailer that accepts payment

More information

Cybersecurity and internal audit. August 15, 2014

Cybersecurity and internal audit. August 15, 2014 Cybersecurity and internal audit August 15, 2014 arket insights: what we are seeing so far? 60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices

More information

Information Technology Security Procedures

Information Technology Security Procedures Information Technology Security Procedures Prepared By: Paul Athaide Date Prepared: Dec 1, 2010 Revised By: Paul Athaide Date Revised: September 20, 2012 Version 1.2 Contents 1. Policy Procedures... 3

More information

CIP- 005 R2: Understanding the Security Requirements for Secure Remote Access to the Bulk Energy System

CIP- 005 R2: Understanding the Security Requirements for Secure Remote Access to the Bulk Energy System CIP- 005 R2: Understanding the Security Requirements for Secure Remote Access to the Bulk Energy System Purpose CIP-005-5 R2 is focused on ensuring that the security of the Bulk Energy System is not compromised

More information

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation www.lumeta.

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation www.lumeta. Why Leaks Matter Leak Detection and Mitigation as a Critical Element of Network Assurance A publication of Lumeta Corporation www.lumeta.com Table of Contents Executive Summary Defining a Leak How Leaks

More information

modules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref:

modules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref: SERVER SECURITY STANDARD Security Standards are mandatory security rules applicable to the defined scope with respect to the subject. Overview Scope Purpose Instructions Improperly configured systems,

More information

CorreLog Alignment to PCI Security Standards Compliance

CorreLog Alignment to PCI Security Standards Compliance CorreLog Alignment to PCI Security Standards Compliance Achieving PCI DSS compliance is a process. There are many systems and countless moving parts that all need to come together to keep user payment

More information

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Host Hardening Presented by Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Background National Institute of Standards and Technology Draft Guide to General Server Security SP800-123 Server A

More information

Guideline on Auditing and Log Management

Guideline on Auditing and Log Management CMSGu2012-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Auditing and Log Management National Computer Board Mauritius

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

Lumeta IPsonar. Active Network Discovery, Mapping and Leak Detection for Large Distributed, Highly Complex & Sensitive Enterprise Networks

Lumeta IPsonar. Active Network Discovery, Mapping and Leak Detection for Large Distributed, Highly Complex & Sensitive Enterprise Networks IPsonar provides visibility into every IP asset, host, node, and connection on the network, performing an active probe and mapping everything that's on the network, resulting in a comprehensive view of

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

Information Technology Cyber Security Policy

Information Technology Cyber Security Policy Information Technology Cyber Security Policy (Insert Name of Organization) SAMPLE TEMPLATE Organizations are encouraged to develop their own policy and procedures from the information enclosed. Please

More information

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to

More information

Cyber Security for NERC CIP Version 5 Compliance

Cyber Security for NERC CIP Version 5 Compliance GE Measurement & Control Cyber Security for NERC CIP Version 5 Compliance imagination at work Contents Cyber Security for NERC CIP Compliance... 5 Sabotage Reporting... 6 Security Management Controls...

More information

NovaTech NERC CIP Compliance Document and Product Description Updated June 2015

NovaTech NERC CIP Compliance Document and Product Description Updated June 2015 NovaTech NERC CIP Compliance Document and Product Description Updated June 2015 This document describes the NovaTech Products for NERC CIP compliance and how they address the latest requirements of NERC

More information

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2. ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework

More information

Network and Host-based Vulnerability Assessment

Network and Host-based Vulnerability Assessment Network and Host-based Vulnerability Assessment A guide for information systems and network security professionals 6600 Peachtree-Dunwoody Road 300 Embassy Row Atlanta, GA 30348 Tel: 678.443.6000 Toll-free:

More information

Achieving PCI Compliance Using F5 Products

Achieving PCI Compliance Using F5 Products Achieving PCI Compliance Using F5 Products Overview In April 2000, Visa launched its Cardholder Information Security Program (CISP) -- a set of mandates designed to protect its cardholders from identity

More information

Central Agency for Information Technology

Central Agency for Information Technology Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information

GE Oil & Gas. Cyber Security for NERC CIP Versions 5 & 6 Compliance

GE Oil & Gas. Cyber Security for NERC CIP Versions 5 & 6 Compliance GE Oil & Gas Cyber Security for NERC CIP Versions 5 & 6 Compliance Cyber Security for NERC CIP Versions 5 & 6 Compliance 2 Contents Cyber Security for NERC CIP Compliance... 5 Sabotage Reporting... 6 Security

More information

Recommended IP Telephony Architecture

Recommended IP Telephony Architecture Report Number: I332-009R-2006 Recommended IP Telephony Architecture Systems and Network Attack Center (SNAC) Updated: 1 May 2006 Version 1.0 SNAC.Guides@nsa.gov This Page Intentionally Left Blank ii Warnings

More information

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute

More information

Building A Secure Microsoft Exchange Continuity Appliance

Building A Secure Microsoft Exchange Continuity Appliance Building A Secure Microsoft Exchange Continuity Appliance Teneros, Inc. 215 Castro Street, 3rd Floor Mountain View, California 94041-1203 USA p 650.641.7400 f 650.641.7401 ON AVAILABLE ACCESSIBLE Building

More information

Ovation Security Center Data Sheet

Ovation Security Center Data Sheet Features Scans for vulnerabilities Discovers assets Deploys security patches easily Allows only white-listed applications in workstations to run Provides virus protection for Ovation Windows stations Aggregates,

More information

Verve Security Center

Verve Security Center Verve Security Center Product Features Supports multiple control systems. Most competing products only support a single vendor, forcing the end user to purchase multiple security systems Single solution

More information

Concierge SIEM Reporting Overview

Concierge SIEM Reporting Overview Concierge SIEM Reporting Overview Table of Contents Introduction... 2 Inventory View... 3 Internal Traffic View (IP Flow Data)... 4 External Traffic View (HTTP, SSL and DNS)... 5 Risk View (IPS Alerts

More information

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy: Executive Summary Texas state law requires that each state agency, including Institutions of Higher Education, have in place an Program (ISP) that is approved by the head of the institution. 1 Governance

More information

AUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW. 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR

AUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW. 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR AUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR Web Portal Security Review Page 2 Audit Report 03-11 Web Portal Security Review INDEX SECTION I EXECUTIVE SUMMARY

More information

Automate PCI Compliance Monitoring, Investigation & Reporting

Automate PCI Compliance Monitoring, Investigation & Reporting Automate PCI Compliance Monitoring, Investigation & Reporting Reducing Business Risk Standards and compliance are all about implementing procedures and technologies that reduce business risk and efficiently

More information

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed) Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013 Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed) 01.1 Purpose

More information

Network Security Guidelines. e-governance

Network Security Guidelines. e-governance Network Security Guidelines for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S/L Type

More information

End-user Security Analytics Strengthens Protection with ArcSight

End-user Security Analytics Strengthens Protection with ArcSight Case Study for XY Bank End-user Security Analytics Strengthens Protection with ArcSight INTRODUCTION Detect and respond to advanced persistent threats (APT) in real-time with Nexthink End-user Security

More information

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam JK0 015 CompTIA E2C Security+ (2008 Edition) Exam Version 4.1 QUESTION NO: 1 Which of the following devices would be used to gain access to a secure network without affecting network connectivity? A. Router

More information

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes Category Question Name Question Text C 1.1 Do all users and administrators have a unique ID and password? C 1.1.1 Passwords are required to have ( # of ) characters: 5 or less 6-7 8-9 Answer 10 or more

More information

Avaya TM G700 Media Gateway Security. White Paper

Avaya TM G700 Media Gateway Security. White Paper Avaya TM G700 Media Gateway Security White Paper March 2002 G700 Media Gateway Security Summary With the Avaya G700 Media Gateway controlled by the Avaya S8300 or S8700 Media Servers, many of the traditional

More information

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date: A SYSTEMS UNDERSTANDING A 1.0 Organization Objective: To ensure that the audit team has a clear understanding of the delineation of responsibilities for system administration and maintenance. A 1.1 Determine

More information

Unified Security Management

Unified Security Management Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy

More information

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery Overview Password Manager Pro offers a complete solution to control, manage, monitor and audit the entire life-cycle of privileged access. In a single package it offers three solutions - privileged account

More information

Information Technology Solutions

Information Technology Solutions Managed Services Information Technology Solutions A TBG Security Professional Services Offering LET TBG MANAGE YOUR INFRASTRUCTURE WITH CONFIDENCE: TBG S INTEGRATED IT AUTOMATION FRAMEWORK PROVIDES: Computer

More information

Avaya G700 Media Gateway Security - Issue 1.0

Avaya G700 Media Gateway Security - Issue 1.0 Avaya G700 Media Gateway Security - Issue 1.0 Avaya G700 Media Gateway Security With the Avaya G700 Media Gateway controlled by the Avaya S8300 or S8700 Media Servers, many of the traditional Enterprise

More information

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. AGENDA Current State of Information Security Data Breach Statics Data Breach Case Studies Why current

More information

Security Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP belka@att.net

Security Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP belka@att.net Security Frameworks An Enterprise Approach to Security Robert Belka Frazier, CISSP belka@att.net Security Security is recognized as essential to protect vital processes and the systems that provide those

More information

S E C U R I T Y A S S E S S M E N T : B o m g a r A p p l i a n c e s

S E C U R I T Y A S S E S S M E N T : B o m g a r A p p l i a n c e s S E C U R I T Y A S S E S S M E N T : B o m g a r A p p l i a n c e s During the period between November 2012 and March 2013, Symantec Consulting Services partnered with Bomgar to assess the security

More information

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top

More information

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements I n t r o d u c t i o n The Payment Card Industry Data Security Standard (PCI DSS) was developed in 2004 by the PCI Security Standards

More information

Redhawk Network Security, LLC 62958 Layton Ave., Suite One, Bend, OR 97701 sales@redhawksecurity.com 866-605- 6328 www.redhawksecurity.

Redhawk Network Security, LLC 62958 Layton Ave., Suite One, Bend, OR 97701 sales@redhawksecurity.com 866-605- 6328 www.redhawksecurity. Planning Guide for Penetration Testing John Pelley, CISSP, ISSAP, MBCI Long seen as a Payment Card Industry (PCI) best practice, penetration testing has become a requirement for PCI 3.1 effective July

More information

WHITEPAPER. Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI

WHITEPAPER. Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI WHITEPAPER Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI About PCI DSS Compliance The widespread use of debit and credit cards in retail transactions demands

More information

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Controls Book

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Controls Book Larry Wilson Version 1.0 November, 2013 University Cyber-security Program s Book Cyber-security s Summary Council on Cyber-security Critical Security s (CSC) CSC-01 CSC-02 CSC-03 CSC-04 CSC-05 IT Asset

More information

The Protection Mission a constant endeavor

The Protection Mission a constant endeavor a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring

More information