Check list เตร ยมความพร อมด าน Cyber Security ให หน วยงาน 6 th October 2015 Avirut Liangsiri 1. Effective:

Transcription

1 Check list เตร ยมความพร อมด าน Cyber Security ให หน วยงาน 6 th October 2015 Avirut Liangsiri 1

2 Agenda Traditional vs. Modern Cyber Defense แตกต างหร อส งเสร มก นและก น อย างไร? Industry Standard Checklist for Cyber Security Security Configuration สาค ญอย างไรในการเตร ยมการณ เพ อร บม อภ ยค กคามย ค ใหม (Security Configuration Management for Modern Threat mitigation) Security Control ท สาค ญในการป องก นและตรวจจ บภ ยค กคาม (SANS Top 20 Security Controls) 2

3 Traditional vs. Modern Cyber Defense 3

4 Traditional Cyber Defense What does a typical cyber defense entail? Traditional!= Outdated Devices Shiny, sexy, 2.0, NG, cloud, mobile awesomeness can comprise a traditional security architecture So what constitutes a traditional approach to cyber defense then? 4

5 Prevention Sanity Check Quick sanity check for your organization Take a network map and consider security controls If a control is primarily preventive note a P If primarily detective note it with a D Add up all the P's and compare to the D's Most organizations are >80% preventive 5

6 Sanity Check Illustrated Preventive Firewall IPS NGFW Antivirus Proxy Web Content Filter Malware Detonation Devices DLP NAC Detective IDS SIM/SIEM 6

7 Traditional Cyber Defense Characteristics Preventive Oriented Perimeter Focused Addresses Layer 3/4 Centralized IS/Security Device Driven Security 7

8 Traditional Successes Conceptually simple architecture (easy) Staffing requirements fairly low (cheap) Staff skill required not extremely high (cheap) CAPEX relatively low by comparison (cheap) OPEX extremely low by comparison (cheap) Unlikely to detect breaches (easy) - Which reduces breach notification likelihood (cheap) Management typically likes cheap and easy Shortcomings discussed later 8

9 Modern Cyber Defense Principles Characteristics Detection-Oriented Proactive Detection : Hunt Teams Post-Exploitation Focused Response-Driven Layer 7 Aware Decentralized Data/Systems Risk Informed Network Security Monitoring Continuous Security Monitoring 9

10 Traditional vs. Modern C2 10

11 Industry Standard Checklist for Cyber Security 11

12 Recognized Checklist ISO/IEC 27001:2013 ISMS It is a specification for an information security management system (ISMS). Organizations which meet the standard may gain an official certification issued by an independent and accredited certification body on successful completion of a formal audit process. SANS Top 20 Security Control The Top 20 Critical Security Controls (20 CSC also known as the Consensus Audit Guidelines (CAG) and formerly referred to as the SANS 20 Critical Security Controls) have emerged as the de facto yardstick by which corporate security programs can be measured,. NIST (Security and Privacy Controls for Federal Information Systems and Organizations) 12

13 Top 20 Critical Security Controls The Top 20 Critical Security Controls (20 CSC also known as the Consensus Audit Guidelines (CAG) and formerly referred to as the SANS 20 Critical Security Controls) have emerged as the de facto yardstick by which corporate security programs can be measured,. The 20 CSC are now governed by the Council on Cyber Security, an independent, expert, not-for-profit organization with a global scope. The development of this set of standards was first undertaken in 2008 by the National Security Agency at the behest of the US Secretary of Defense in an effort to efficiently direct resources towards combating the most common network vulnerabilities which resulted in the greatest number of attack vectors. In 2008, the Office of the Secretary of Defense asked the National Security Agency for help in prioritizing the myriad security controls that were available for cyber security. 13

14 Security Configuration Management for Modern Threat mitigation 14

15 15 15

16 1 the 1 st priority 16 16

17 2 2 nd most effective 17 17

18 3 3rd most important 18 18

19 4 four highest-priority 19 19

20 Fundamental SecOps File Integrity Monitoring FIM Captures Baseline State as a Digital Fingerprint Current running state New changes determined Baseline State Compare Compare Compare 20

21 Continuously Detect for Unauthorized Changes 1. Detect all configuration changes 2. Analyze change activity 3. Take Action Investigate Changes Manual Changes Automated Changes!!!!! Type of Change? Type of System? Within Maintenance Window? Made by Authorized Users?!!!!!!!!! Security & Ops Reports Scripted Changes!!! Matches Release System? Passes Compliance Tests? Remediate Changes Networks Servers Servers Domain Directories Databases User-defined Policies! Visibility Accountability Control Automatic filtering of change - By change or system type - By policy criteria - Conditional actions 21

22 Sample of Security and Compliance Policies AIX Cisco IOS Cisco PIX HP-UX IBM DB2 Linux (Red Hat) Linux (SUSE) Microsoft Exchange Microsoft IIS MS SQL Server 2000 MS SQL Server 2005 MS SQL Server 2008 Oracle 9i Oracle 10g Oracle 11g Solaris 8,9 & 10 VMware ESX Windows Server 2000 Windows Server 2003 Windows Server 2008 Windows Server DC Windows Server DM Windows XP and Vista 22

23 A Comprehensive Approach to Addressing Security Security Configuration Assessment Assess existing Controls Gap against Baselines/Standards 23

24 A Comprehensive Approach to Addressing Security Devise Remediation Plan Achieve the Baselines/Standards State 24

25 A Comprehensive Approach to Addressing Security Maintain Known & Trusted State Real-time Alert on Deviation Before & After View 25

26 Strong Security is More Important Than Ever Compromise takes minutes. Discovery takes weeks & months Data Breach Investigations Report 26 Verizon Business

27 Well Known Configuration Standard CIS Center for Internet Security ( configuration NIST National Checklist Program for IT Products Guidelines for Checklist Users and Developers ( vulnerabilities, configuration DISA STIG US DoD DISA Secure Technical Implementation Guide Different 9 levels (Mission Assurance Category (I-III) and Confidentiality Level (Public, Sensitive, Classified)) ( FDCC/USGCB US Federal Desktop Core Configuration focus mainly on desktop operating system (Windows XP, Vista, 7, 8, 10) started in 2007 by OMB ( 27

28 CIS Standard The CIS Security Benchmarks program provides well-defined, unbiased and consensus-based industry best practices to help organizations assess and improve their security. Resources include secure configuration benchmarks, automated configuration assessment tools and content, security metrics and security software product certifications. The Security Benchmarks program is recognized as a trusted, independent authority that facilitates the collaboration of public and private industry experts to achieve consensus on practical and actionable solutions. Because of this reputation, our resources are recommended as industryaccepted system hardening standards and are used by organizations in meeting compliance requirements for FISMA, PCI, HIPAA and other security requirements. 28

29 CIS Checklist Example (Windows XP) 29

30 CIS Listed Systems Amazon Linux Benchmarks Apache HTTP & Tomcat Benchmarks Apache HTTP Server Assessment Tool Apple ios Benchmarks Apple OSX Benchmarks Apple Safari Benchmarks Benchmark Mappings: Medical Device Security Standards CentOS Linux Benchmarks CheckPoint Firewall Benchmarks Cisco Device Benchmarks Consensus Security Metrics Debian Linux Benchmarks Docker Benchmarks FreeBSD Benchmarks FreeRadius Benchmarks Google Android Benchmarks HP-UX Benchmarks IBM AIX Benchmarks IBM DB2 Benchmarks ISC BIND Benchmarks Juniper Device Benchmarks Kerberos Benchmarks LDAP Benchmarks Microsoft Exchange Server Benchmarks Microsoft IIS Benchmarks Microsoft Internet Explorer Benchmarks Microsoft MS SQL Server Benchmarks Microsoft Office Benchmarks Microsoft SharePoint Server Benchmarks Microsoft Windows 7 Benchmarks Microsoft Windows 8 Benchmarks Microsoft Windows NT Benchmarks Microsoft Windows Server 2000 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2012 Microsoft Windows XP Benchmarks Mozilla Firefox Benchmarks Multi Function Print Devices Benchmark MySQL Database Server Benchmarks Novell Netware Benchmarks Opera Benchmarks Oracle Database Server Assessment Tool Oracle Database Server Benchmarks Oracle Linux Benchmarks Oracle Solaris Benchmarks Red Hat Linux Benchmarks Router Assessment Tool Slackware Linux Benchmarks SuSE Linux Benchmarks Sybase ASE Benchmarks Ubuntu Linux Benchmarks Unix Assessment Tools Virtualization Benchmarks VMware Benchmarks Wireless Network Devices Benchmarks Archive Xen Benchmarks 30

31 NIST Checklist Download Page (checklists.nist.gov) The Security Content Automation Protocol (SCAP) is a synthesis of interoperable specifications derived from community ideas. ( 31

32 NIST Category Supported Category Antivirus Software Application Server Authentication Configuration Management Software Database Management System Desktop Application Desktop Client Directory Service DNS Server Server Encryption Software Enterprise Application Firewall Handheld Device Identity Management Intrusion Detection System KVM Malware Mobile Solution Multi-Functional Peripheral Network Router Network Switch Office Suite Operating System Peripheral Device Security Server Server Virtualization Software Web Browser Web Server Wireless Wireless Network 32

33 DISA STIG The Security Technical Implementation Guides (STIGs) and the NSA Guides are the configuration standards for DOD IA and IA-enabled devices/systems. Since 1998, DISA has played a critical role enhancing the security posture of DoD's security systems by providing the Security Technical Implementation Guides (STIGs). The STIGs contain technical guidance to "lock down" information systems/software that might otherwise be vulnerable to a malicious computer attack. Complete list (541): 33

34 FDCC/USGCB The Federal Desktop Core Configuration was a list of security settings recommended by the National Institute of Standards and Technology for general-purpose microcomputers that are connected directly to the network of a United States government agency. FDCC applied only to Windows XP and Vista desktop and laptop computers. FDCC was replaced by the United States Government Configuration Baseline (USGCB), which also includes settings for Windows 7 and Red Hat Enterprise Linux 5. 34

35 USGCB Content Page 35

36 SANS Top 20 Security Control in detail 36

37 SANS Critical Security Controls v5 1. Inventory of Authorized and Unauthorized Devices 2. Inventory of Authorized and Unauthorized Software 3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers 4. Continuous Vulnerability Assessment and Remediation 5. Malware Defenses 6. Application Software Security 7. Wireless Access Control 8. Data Recovery Capability 9. Security Skills Assessment and Appropriate Training to Fill Gaps 10.Secure Configurations for Network Devices such as Firewalls, Routers, and Switches 11.Limitation and Control of Network Ports, Protocols, and Services 12.Controlled Use of Administrative Privileges 13.Boundary Defense 14.Maintenance, Monitoring, and Analysis of Audit Logs 15.Controlled Access Based on the Need to Know 16.Account Monitoring and Control 17.Data Protection 18.Incident Response and Management 19.Secure Network Engineering 20.Penetration Tests and Red Team Exercises 37

38 NSA Ranking on 20 CSC 38

39 Critical Security Controls by trending 39

40 Critical Security Controls V6 comparison 40

41 Critical Security Controls V6 comparison 41

42 Question & Answer 42

43 ขอบพระค ณ! 43