THE TOP 4 CONTROLS.

Transcription

1 THE TOP 4 CONTROLS

2 THE TOP 20 CRITICAL SECURITY CONTROLS ARE RATED IN SEVERITY BY THE NSA FROM VERY HIGH DOWN TO LOW. IN THIS MINI-GUIDE, WE RE GOING TO LOOK AT THE FOUR SECURITY CONTROLS AT THE TOP OF THE LIST. THESE ARE THE ONES TODAY S ORGANIZATIONS ABSOLUTELY MUST TACKLE TO ENSURE THEY ARE ADEQUATELY PROTECTED.

3 FOR EACH, WE LL PULL OUT THE THREE MOST IMPORTANT FACTORS AND PROVIDE GUIDANCE ON WHAT YOU SHOULD DO NEXT IF YOUR OWN CONTROLS ARE LACKING. For a more comprehensive guide to the full list of controls, download The Executive s Guide To The Top 20 Critical Security Controls at:

4 INVENTORY OF AUTHORIZED AND UNAUTHORIZED DEVICES Reduce the ability of attackers to find and exploit unauthorized and unprotected systems. Use active monitoring and configuration management to maintain an up-to-date inventory of devices connected to the enterprise network, including servers, workstations, laptops and remote devices.

5 What to do Start small and basic Take these requirements your vendors How to do it This control is process heavy and benefits from automation, but if you move too big too fast, you re likely to end up in the integration ring of hell. Start by getting the discovery and inventory maintenance down pat and integrating that with incident detection and response system (people, process and technology). If your tool vendors aren t aware of these requirements, the data integration between business to processes will be your burden. Look for standard The tools you have today should support standard data data formats to be formats. The tools you acquire in the future should supported in tools support the asset identification specification, or one that is well-aligned with the model it puts forward.

6 INVENTORY OF AUTHORIZED AND UNAUTHORIZED SOFTWARE Identify vulnerable or malicious software to mitigate or root out attacks. Devise a list of authorized software for each type of system, and deploy tools to track software installed (including type, version, and patches). Then monitor for unauthorized or unnecessary software.

7 What to do Start small and basic Take Control 1 and 2 together Take these requirements your vendors How to do it As with Control 1, there s too much that can go wrong if you try to go big too soon. Start with the understanding that there are some pretty obvious edge cases that you ll need to eventually cover. The reality is that computing devices and software are, from a business perspective, assets. Tracking them both with a reasonable degree of accuracy is important, so why make the distinction from a process perspective? If your tool vendors aren t aware of these requirements, the data integration between business to processes will be your burden.

8 SECURE CONFIGURATIONS FOR HARDWARE AND SOFTWARE ON MOBILE DEVICES, LAPTOPS, WORKSTATIONS, AND SERVERS Prevent attackers from exploiting services and settings that allows easy access through networks and browsers. Build a secure image that s used for all new systems. Host these images on secure storage servers and regularly validate and update them. Track system images in a configuration management system.

9 What to do If you do one thing, do this Prepare for incidents Take these your vendors How to do it Start with security configuration management (SCM). Look at the past year s breach reports from a variety of sources to see whether misconfigurations are common breach enablers. This is linked to your incident detection and response processes, whatever their level of maturity. If you need SCM resources to be on stand-by, prepare for it here. This control details requirements for both internal developers and vendors. Have your developers read through this control. Also consider internal common configuration enumeration identifiers for your in-house application configuration settings.

10 CONTINUOUS VULNERABILITY ASSESSMENT AND REMEDIATION Proactively identify and repair software vulnerabilities reported by security researchers or vendors. Regularly run automated vulnerability scanning tools against all systems. Quickly remediate any vulnerabilities (fix critical problems within 48 hours).

11 What to do Operational maturity Interoperability Coverage How to do it This control is somewhat different than the others. It s more focused on the time it takes to accomplish specific tasks and about the process of continuous vulnerability management. The efficiency of security processes is what s most important here. The three most obvious points of integration are with asset management, alerting and ticketing systems. No less important are integration opportunities with LDAP for user roles and the relationship of vulnerability management with configuration management. These points of interoperability are critically important to security automation. The requirements explicitly state that integration with the asset inventory system is important. As you re looking for scanning tools, be sure to have a list of all software asset classes covered straight out of your asset inventory system to ensure that you have adequate coverage of your enterprise.

12 HOW DO YOU RANK THREATS TO YOUR BUSINESS? Today, you need to ensure your business is protected against an ever-evolving range of security threats. In this guide and the accompanying poster, we ve outlined the key controls you need to have in place to minimize the risk to your organization. But what should you focus on first? Use the table opposite to rank the controls in order of priority for your business. This will help you prioritize what s most important within your organization to ensure you re adequately protected.

13 NSA Rank Control Your Rank (1-20) NSA Rank Control Your Rank (1-20) 1 Inventory of Authorized and Unauthorized Devices 2 Inventory of Authorized and Unauthorized Software 3 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers 4 Continuous Vulnerability Assessment and Remediation 5 Malware Defenses 6 Application Software Security 7 Wireless Access Control 8 Data Recovery Capability 9 Security Skills Assessment and Appropriate Training to Fill Gaps 10 Secure Configurations for Network Devices such as Firewalls, Routers, and Switches 11 Limitation and Control of Network Ports, Protocols, and Services 12 Controlled Use of Administrative Privileges 13 Boundary Defense 14 Maintenance, Monitoring, and Analysis of Audit Logs 15 Controlled Access Based on the Need to Know 16 Account Monitoring and Control 17 Data Protection 18 Incident Response and Management 19 Secure Network Engineering 20 Penetration Tests and Red Team Exercises

14 HOW WE CAN HELP Tripwire is a leading global provider of risk-based security and compliance management solutions, enabling enterprises, government agencies and service providers to effectively connect security to their business. Tripwire provides the broadest set of foundational security controls including security configuration management, vulnerability management, file integrity monitoring, log and event management. Tripwire solutions deliver unprecedented visibility, business context and security business intelligence allowing extended enterprises to protect sensitive data from breaches, vulnerabilities, and threats.

15 LEARN MORE: tripwire.com IMPORTANT SECURITY QUESTIONS: tripwire.com/20securityquestions FOLLOW US ON MEET US ON LINKEDIN: /company/tripwire SECURITY NEWS AND INSIGHTS: tripwire.com/blog