Top 20 Critical Security Controls

Transcription

1 Top 20 Critical Security Controls July 2015 Contents Compliance Guide Introduction 1 How Rapid7 Can Help 2 Rapid7 Solutions for the Critical Controls 3 About Rapid7 11

2 01 INTRODUCTION The Need for a Risk-Based Approach A common factor across many recent security breaches is that the targeted enterprise was compliant, meaning they passed their Payment Card Industry (PCI) audit, yet customer data was still compromised. Simply being compliant is not enough to mitigate probable attacks and protect critical information. In today s constantly evolving threat landscape, organizations need to focus on securing the business first and documenting the process to show compliance second, not the other way around. While there s no silver bullet, organizations can reduce chances of compromise by moving from a compliancedriven to a risk management approach to security. What are the Top 20 Critical Security Controls? In 2008, the SANS Institute, a research and education organization for security professionals, developed the Top 20 Critical Security Controls (CSCs) to address the need for a risk-based approach to security. Prior to this, security standards and requirements frameworks were predominantly compliance-based, with little relevance to the real-world threats they are intended to address. The Controls are prioritized to help organizations focus security efforts to have the greatest impact in improving their risk posture. In 2013, the stewardship of the Controls was transferred to the Council on CyberSecurity, an independent, global non-profit entity. 88% According to the US State Department, organizations can achieve more than 88% risk reduction through rigorous automation and measurement of the Controls. The Critical Controls Two Guiding Principles Prevention is ideal but detection is a must While controls that prevent attacks against networks and systems are essential, controls that detect and thwart attackers inside a network that has already been breached are also needed. Through fast detection of compromised machines, organizations can prevent follow-on attack activities that would have otherwise resulted in financial and reputational losses. Rapid7 UserInsight addresses this very need to detect security incidents and intruder behavior quickly and effectively, before attacjers can cause damage. Offense informs defense The Controls is a consensus list developed by experts with deep knowledge of actual attacks, current threats and effective defensive techniques. This ensures that only controls that can be shown to detect, prevent and mitigate known real-world attacks are included. Leveraging over 200,000 open source community members and industry-leading security researchers, Rapid7 s security data and analytics solutions are informed by deep understanding of the threat landscape and attacker methods. Rapid7.com Top 20 Critical Security Controls 1

3 02 HOW RAPID7 CAN HELP Rapid7 security solutions help organizations implement the Top 20 Critical Security Controls and thwart real-world attacks. The table below outlines how Rapid7 products and services align to each of the controls Critical Security Control Nexpose Metasploit AppSpider UserInsight Rapid7 Services Inventory of Authorized and Unauthorized Devices Inventory of Authorized and Unauthorized Software Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers Continuous Vulnerability Assessment and Remediation 5 Malware Defenses 6 Application Software Security 7 Wireless Access Control 8 Data Recovery Capability Security Skills Assessment and Appropriate Training to Fill Gaps Secure Configurations for Network Devices such as Firewalls, Routers, and Switches Limitation and Control of Network Ports, Protocols, and Services Controlled Use of Administrative Privileges 13 Boundary Defense Maintenance, Monitoring, and Analysis of Audit Logs Controlled Access Based on the Need to Know 16 Account Monitoring and Control 17 Data Protection 18 Incident Response and Management 19 Secure Network Engineering 20 Penetration Tests and Red Team Exercises Rapid7.com Top 20 Critical Security Controls 2

4 03 RAPID7 SOLUTIONS FOR THE CRITICAL CONTROLS As displayed in the chart on the previous page, Rapid7 has products and services to address the majority of the Controls. At the highest level, Rapid7 can perform an assessment of your organization s current state against the Critical Control, identify gaps in your security program, and provide guidance on implementing missing controls. The following pages provide more detail on how each control can be addressed by Rapid7 solutions. CSC 1: Inventory of Authorized and Unauthorized Devices Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access. CSC 1-1 CSC 1-2 CSC 1-4 Deploy an automated asset inventory discovery tool. Deploy dynamic host configuration protocol (DHCP) server logging. Maintain an asset inventory of all systems connected to the network. Nexpose automatically scans the entire network to discover every system with an IP address and assembles an asset inventory. Nexpose connects to DHCP servers to automatically discover new systems connecting to the network. UserInsight analyzes DHCP logs for all systems on the network and automatically maps hosts and users to IP addresses. Nexpose provides visibility into all assets (servers, workstations, mobile devices, etc.) Including IP address and name, and it also enables assets to be tagged with additional context, e.g. asset owner. CSC 2: Inventory of Authorized and Unauthorized Software Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution. CSC 2-2 CSC 2-3 CSC 2-4 Devise a list of authorized software and version. Perform regular scanning for unauthorized software. Deploy software inventory tools throughout the organization. Nexpose provides a complete list of software and version used within the enterprise, which can be used to determine which software is authorized. Nexpose provides fully customizable policy scanning to detect presence of unauthorized software. UserInsight inventories every process on the network and identifies anomalous software that is rare or unique and unsigned. Nexpose automatically scans the entire network to assemble an inventory of OS and installed software, including version and patch level. Rapid7.com Top 20 Critical Security Controls 3

5 CSC 2-5 Integrate software and hardware inventory systems. Nexpose provides a unified view of operating system, installed software, services, vulnerabilities, and policies for each asset. CSC 3: Secure Configurations for Hardware and Software Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings. CSC 3-1 CSC 3-2 CSC 3-3 CSC 3-10 Establish and ensure the use of standard secure configurations of your operating systems. Implement automated patching tools and processes. Limit administrative privileges to very few users. Deploy system configuration management tools. Nexpose automatically scans all systems on the network to check their compliance with secure configuration standards. Nexpose automates task of assessing applications and operating systems for vulnerabilities, which are prioritized for patching. UserInsight monitors users with administrative privileges and alerts on new domain admins and account privilege escalation. Nexpose scans every Windows server to verify use of configuration management tools such as Microsoft GPMS and SCCM. CSC 4: Continuous Vulnerability Assessment and Remediation Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers. In addition to the specific solutions listed below, Rapid7 can provide a fully-managed, cloud based vulnerability management service operated on a monthly or quarterly basis. CSC 4-1 CSC 4-2 CSC 4-3 CSC 4-4 CSC 4-6 CSC 4-7 CSC 4-10 Run automated vulnerability scanning tools. Correlate event logs with information from vulnerability scans. Perform vulnerability scanning in authenticated mode. Subscribe to vulnerability intelligence services. Carefully monitor logs associated with any scanning activity. Compare the results from backto-back vulnerability scans. Establish a process to riskrate vulnerabilities based on the exploitability and potential impact of the vulnerability. Nexpose automatically scans all systems on the network for vulnerabilities and misconfigurations, which are prioritized for remediation based on risk. Nexpose provides pre-built integration with SIEM solutions for correlating vulnerability scan results with events logs. UserInsight correlates vulnerability data with event logs to provide additional context to each vulnerability. Nexpose uses domain admin credentials to perform authenticated scans on systems and provides ability to manage credentials centrally. Nexpose is automatically updated with the latest vulnerabilities and exploits on a weekly basis and within 24 hours for critical updates. UserInsight detects all scanning activity, both legitimate and illegitimate, via honeypots deployed on the network. Nexpose provides vulnerability trend charts and reports to show progress, and ability to manage and report on vulnerability exceptions. Nexpose prioritizes vulnerabilities using risk scores that take into account exploit exposure and asset criticality. Metasploit automatically validates the exploitability of vulnerabilities to prove risk exposure for prioritization. Rapid7.com Top 20 Critical Security Controls 4

6 CSC 5: Malware Defenses Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action. CSC 5-1 CSC 5-2 CSC 5-3 CSC 5-5 Employ automated tools to continuously monitor workstations, servers, and mobile devices. Employ anti-malware software that offers a remote, cloudbased centralized infrastructure. Configure laptops, workstations, and servers so that they will not auto-run content from removable media. Scan and block all attachments. Nexpose checks that anti-malware software is installed, enabled and up-to-date on every Windows workstation. UserInsight detects malicious processes on endpoints and correlates data from anti-malware solutions with user activity. UserInsight checks all endpoint processes against a cloud-based central database of known malware, and identifies rare and unique processes. Nexpose provides fully customizable policy scanning to audit whether autoplay is allowed on devices. Nexpose scans every Windows workstation to verify clients are configured to block attachments with certain file types. CSC 5-6 Enable anti-exploitation features. Nexpose checks DEP, ASLR and SEHOP is enabled, and EMET is installed and up-to-date on every Windows server and workstation. CSC 5-7 CSC 5-8 CSC 5-11 Limit use of external devices to those that have a business need. Ensure that automated monitoring tools use behaviorbased anomaly detection. Detect hostname lookup for known malicious C2 domains. Nexpose connects to DHCP servers to automatically discover unknown devices connecting to the network. UserInsight monitors and analyzes activity across the network, endpoints, cloud services and mobile devices to detect unusual behavior. UserInsight monitors the network for DNS queries to known malicious domains and newly registered internet domains. CSC 6: Application Software Security Manage the security lifecycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses. CSC 6-1 CSC 6-4 CSC 6-6 CSC 6-7 CSC 6-9 For all acquired application software, check the version is still supported. Test web applications for common security weaknesses. Maintain separate environments for production and nonproduction systems. Test in-house-developed web and other application software prior to deployment. For applications that rely on a database, use standard hardening configuration templates. Nexpose automatically scans all software on the network for vulnerabilities and identifies relevant patches to be applied. AppSpider dynamically scans and tests web applications for vulnerabilities. Metasploit automates web app testing for OWASP Top 10 vulnerabilities. UserInsight provides ability to configure network zone policies for separate production and nonproduction systems, and detect policy violations. Rapid7 can perform manual penetration testing on web and mobile applications to identify security weaknesses. Nexpose automatically scans database servers to check their compliance with secure configuration policies. Rapid7.com Top 20 Critical Security Controls 5

7 CSC 7: Wireless Access Control The processes and tools used to track/control/prevent/correct the security use of wireless local area networks (LANs), access points, and wireless client systems. In addition to the solution listed below, Rapid7 can help with this control by performing wireless penetration testing to assess the security of wireless network infrastructure and identify rogue access points. CSC 7-2 Detect wireless access points connected to the wired network. Nexpose scans the entire network for wireless access points and provides ability to detect presence of unauthorized access points. CSC 9: Security Skills Assessment and Appropriate Training to Fill Gaps For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs. CSC 9-3 CSC 9-4 Implement an online security awareness program. Validate and improve awareness levels through periodic tests. Rapid7 can provide customizable online security awareness training modules, with reporting system to monitor progress of learners. Metasploit provides ability to simulate phishing campaigns to measure user susceptibility and effectiveness of security awareness training. CSC 10: Secure Configurations for Network Devices Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings. CSC 10-1 CSC 10-3 Compare firewall, router, and switch configuration against standard secure configurations. Use automated tools to verify standard device configurations. Nexpose provides fully customizable policy scanning to assess configuration of network devices such as firewalls, routers, and switches. Nexpose automatically scans network devices to check their compliance with secure configuration standards. CSC 11: Limitation and Control of Network Ports, Protocols, and Services Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize windows of vulnerability available to attackers. CSC 11-1 Ensure that only ports, protocols, and services with validated business needs are running on each system. Nexpose scans every Windows server to verify that outbound service ports are blocked and IPv6 communications protocol is disabled. Rapid7.com Top 20 Critical Security Controls 6

8 CSC 11-2 CSC 11-3 CSC 11-4 CSC 11-6 Apply host-based firewalls or port filtering tools on end systems. Perform automated port scans on a regular basis. Uninstall and remove any unnecessary components from the system. Operate critical services on separate physical or logical host machines. Nexpose provides fully customizable policy scanning to audit whether Windows firewall is on and configured securely. Nexpose automatically scans all servers, including their ports, protocols and services, to check their compliance with secure configuration policies. Nexpose checks obsolete services are disabled on every Windows server, and compilers, libraries and desktop applications are not installed. Nexpose scans every Windows server to verify that a single critical role, such as DNS, file, mail, web and database, is installed. CSC 12: Controlled Use of Administrative Privileges The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications. CSC 12-1 CSC 12-2 CSC 12-3 Minimize administrative privileges. Use automated tools to inventory all administrative accounts. Configure all administrative passwords to be complex. UserInsight monitors users with administrative privileges. Nexpose scans every Windows server to verify that services are run with non-admin accounts. UserInsight provides visibility of all administrative accounts on the network, on local systems, and corporate cloud services. Nexpose provides fully customizable policy scanning to audit passwords for minimum level of complexity. Metasploit tests password strength through online brute-force attacks, offline password cracking, and credentials re-use testing. CSC 12-4 Change all default passwords. Nexpose scans the entire network for systems using default credentials. CSC 12-5 CSC 12-6 CSC 12-8 CSC 12-9 CSC CSC Ensure that all service accounts have long and difficult-to-guess passwords. Passwords should be hashed or encrypted in storage. Each person requiring administrative access should be given his/her own separate account. Configure operating systems so that passwords cannot be re-used within a time frame of six months. Configure systems to issue a log entry and alert when an account is added to or removed from a domain administrators' group. Configure systems to issue a log entry and alert when unsuccessful login to an administrative account is attempted. UserInsight provides visibility of all service accounts on the network. Nexpose provides ability to audit passwords for minimum level of complexity. Nexpose provides fully customizable policy scanning to audit passwords including whether password encryption is enabled. UserInsight detects users sharing administrative accounts. Nexpose checks that admin credentials are unique on every Windows server and workstation. Nexpose provides the ability to audit passwords including minimum amount of time before passwords can be reused. UserInsight provides visibility of all administrative accounts on the network and alerts on new domain administrator accounts. UserInsight provides visibility of all authentication activity on admin accounts and alerts on excessive failed authentication attempts. Rapid7.com Top 20 Critical Security Controls 7

9 CSC 13: Boundary Defense Detect/prevent/correct the flow of information transferring networks of different trust levels with a focus on security-damaging data. CSC 13-1 CSC Deny communications with known malicious IP addresses. Devise internal network segmentation schemes to limit traffic to only those services needed for business use. UserInsight alerts on network access to/from known malicious IP addresses. Nexpose checks URL filtering and reputation scanning are enabled on web browsers for every Windows workstation. Metasploit automates task of testing network segmentation is operational and effective. UserInsight provides ability to configure network zones and detect network traffic that violates defined user access policies. CSC 14: Maintenance, Monitoring, and Analysis of Audit Logs Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack. CSC 14-3 CSC 14-4 CSC 14-5 CSC 14-7 CSC 14-8 Ensure adequate storage space for the logs generated on a regular basis. Make sure that logs are kept for a sufficient period of time. Run bi-weekly reports that identify anomalies in logs. For all servers, ensure that logs are written to dedicated logging servers. Deploy a SIEM or log analytic tools for log aggregation and consolidation. UserInsight collects a wide variety of system and network logs and continuously stores copies of them in a secure, scalable cloud platform. Userlnsight retains security incident data from the day the solution is installed and makes the data readily available for investigation. UserInsight automatically analyzes log data against user behavior baselines and alerts on any anomalies or suspicious activities. UserInsight collects logs and continuously stores copies of them in a secure, scalable cloud where they cannot be manipulated by an attacker. UserInsight collects logs, correlates events by user, machine and IP, and analyzes for anomalies and suspicious activities with low false positives. CSC 15: Controlled Access Based on the Need to Know The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification. CSC 15-2 CSC 15-3 Enforce detailed audit logging for access to nonpublic data. Segment the network based on trust levels. UserInsight provides visibility of all authentication activity on assets classified as restricted, and alerts on access from a new user or source. Metasploit automates task of testing network segmentation is operational and effective. UserInsight provides ability to configure network zones and detect network traffic that violates defined user access policies. Rapid7.com Top 20 Critical Security Controls 8

10 CSC 16: Account Monitoring and Control Actively manage the life-cycle of system and application accounts their creation, use, dormancy, deletion - in order to minimize opportunities for attackers to leverage them. CSC 16-1 Review all system accounts. UserInsight provides visibility of all active user accounts across the organization, including domain, local, and cloud service accounts. CSC 16-6 CSC 16-8 CSC 16-9 CSC CSC CSC Configure screen locks on systems. Require that all nonadministrator accounts have strong passwords. Use and configure account lockouts. Monitor attempts to access deactivated accounts. Profile each user's typical account usage. Verify that all password files are encrypted or hashed. Nexpose provides fully customizable policy scanning to audit screen lock configurations, including amount of idle time before screen lock is applied. Nexpose provides fully customizable policy scanning to audit passwords for minimum level of complexity including length and required characters. Nexpose provides fully customizable policy scanning to audit account lockout configurations, including attempt threshold and lockout duration. UserInsight alerts on authentication attempts to disabled accounts. UserInsight monitors user account activity, and alerts on access from an unusual location or from multiple locations within a short period of time. Nexpose provides fully customizable policy scanning to audit passwords including whether password encryption is enabled. CSC 17: Data Protection The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information. CSC 17-8 CSC Configure systems so that they will not write data to USB drives. Monitor all traffic leaving the organization. Nexpose provides fully customizable policy scanning to audit whether autoplay is allowed on devices. UserInsight provides visibility into cloud services such as Office 365, Google Apps, Box and AWS, which may be used for data exfiltration. CSC18: Incident Response and Management Protect the organization s information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker s presence, and restoring the integrity of the network and systems. CSC 18-1 CSC 18-4 CSC 18-7 Ensure that there are written incident response procedures. Devise standards for incident reporting. Conduct periodic incident scenario sessions. Rapid7 can perform an assessment of the organization's current preparedness and help them to develop an incident response plan. UserInsight provides ability to map incident investigation findings to an interactive timeline and produce a final report for communication. Rapid7 can conduct exercises that simulate an actual threat scenario to practice and optimize the incident response plan. Rapid7.com Top 20 Critical Security Controls 9

11 CSC 19: Secure Network Engineering Make security an inherent attribute of the enterprise by specifying, designing, and building-in features that allow high confidence systems operations while denying or minimizing opportunities for attackers. CSC 19-4 Segment the enterprise network into multiple, separate trust zones. Metasploit automates task of testing network segmentation is operational and effective. UserInsight provides ability to configure network zones and detect network traffic that violates defined user access policies. CSC 20: Penetration Tests and Red Team Exercises Test the overall strength of an organization s defenses (the technology, the processes, and the people) by simulating the objectives and actions of an attacker. In addition to the solutions described below, Rapid7 can address this control by performing penetration tests to simulate real-world attack vectors and uncover security weaknesses from the attacker s perspective. CSC 20-1 CSC 20-5 CSC 20-6 Conduct regular external and internal penetration tests. Plan clear goals with blended attacks in mind. Use vulnerability scanning and penetration testing tools in concert. Metasploit provides ability to discover hosts, exploit systems, bruteforce passwords, and simulate other attacker methods. Metasploit provides ability to conduct and manage social engineering campaigns as part of a penetration test. Metasploit integrates with Nexpose to validate exploitability of vulnerabilities automatically and return results for prioritization. Rapid7.com Top 20 Critical Security Controls 10

12 04 ABOUT RAPID7 Rapid7 is a leading provider of security data and analytics solutions that enable organizations to implement an active, analytics-driven approach to cyber security. We combine our extensive experience in security data and analytics and deep insight into attacker behaviors and techniques to make sense of the wealth of data available to organizations about their IT environments and users. Our solutions empower organizations to prevent attacks by providing visibility into vulnerabilities and to rapidly detect compromises, respond to breaches, and correct the underlying causes of attacks. Rapid7 is trusted by more than 3,900 organizations across 90 countries, including 30% of the Fortune For more information, please visit Rapid7.com Top 20 Critical Security Controls 11