D. Best Practices D.2. Administration The 6 th A

Transcription

1 Best Practices I&C School Prof. P. Janson September 2014 D. Best Practices D.2. Administration The 6 th A 1 of 26

2 The previous section described how to improve IT security through use of better development practices by vendors 2 of 26

3 This section discusses how to improve IT security through use of better administrative practices by operators 3 of 26

4 Securely managing an IT operation involves a number of aspects Risk management Security management and policy setting Procurement / outsourcing Deployment Surveillance Incident response Audit, control, compliance Risk Governance Compliance 4 of 26

5 Security management and policy setting Emerging standards & recommendations Access matrix definition Employee / user education 5 of 26

6 Access matrix definition Identify applicable legal and regulatory standards especially in PI-related activities Medical sector Financial sector Identify / classify assets and set their control attributes Asset administration Mine / define user / roles and set their privilege attributes User administration \ Who \ What \ People Applications Containers Systems Facilities People Data Applications Containers Systems Facilities Networks 6 of 26

7 Asset administration Identification, classification, access control Identify all assets / data managed by the business (1) Classify them into sensitivity / type categories (1) Set access controls for each category (3-4) Discard old / no longer needed assets (1) Storage is not free keeping everything is costly Retaining garbage slows down searching regular pruning is doable It will be 4 times harder every year never delay the process Retaining evidence beyond legal requirements can lead to e-discovery liabilities Always shred / destroy / overwrite discarded data / storage assets Periodically review asset classes, classification, access controls (1-4) 7 of 26

8 User administration Mining / defining user roles and privileges / entitlements Mine / define user roles / groups (1) Defining from scratch is rarely possible Mining from status observation is more typical Associate proper privileges / entitlements with each role / group (3) Manage all user accounts and keep them up to date in real time (1) Assign roles rigorously Adjust roles promptly Delete accounts promptly Periodically review user roles and their privileges / entitlements 8 of 26

9 Employee / user education (8) Mandatory annual security education possibly on line Mandatory quizzes possibly on line Random checks Put security in personal terms Advertise penalties Remember limits of training Encourage CISSP certification for IT security professionals 9 of 26

10 Safe procurement / outsourcing Large enterprises afford own IT security team Smaller enterprises should outsource IT security to reputable providers Drawback = keys to the castle => third-party organization Advantage = professionally managed security Security components with standardized APIs help Medium-size businesses ( employees) are often the least secured Insist on assurance / certification Insist on signed software downloads 10 of 26

11 Deployment IT systems deployment Hardware and software Policy deployment Access control matrix 11 of 26

12 IT systems deployment hardware and software Deconfigure (deactivate) unnecesary services and features e.g. on Linux / Unix using kill command (always possible though not clean) better run stop option for all services launched by init, inittab, insserv, and cron processes using start option of scripts found (among others) in /etc/inittab, /etc/init.d, /etc/init.conf, /etc/xinetd.d/*, and /etc/xinetd.conf which drive the main startup super-server /etc/rc[0-6].d which drive startup for each run level 0-6 /etc/cron* which drives the cron process controlling regularly restarting services /etc/rc.local which drives user processes started after normal boot Restrict services through Configuration files Firewalls, incl. local ones such as Linux iptables Local TCP wrapper, e.g. Linux tcpd substituted for TCP service in /etc/inetd.conf which filters TCP connections as defined by /etc/hosts.allow and /etc/hosts.deny 12 of 26

13 IT systems deployment hardware and software Properly configure security parameters, e.g. crypto use, protocol use, etc. Immediately eliminate default accounts & passwords Also applies to home routers to prevent external re-flashing with botnet Trojan Also applies to manufacturers integrating OEM components (2009 Apple battery flaw) Pay special attention to firewalls, block unwanted ports and protocols Properly configure event logging for run-time monitoring and subsequent auditing 13 of 26

14 IT systems deployment hardware and software Regularly schedule penetration testing Use internal as well as external pen testers Feed back results to defect management / development teams for mitigation Systematically patch all systems as soon as possible Un-patched programs risk >> zero-day exploits risk Typical Pareto issue: 80% of vulnerabilities reside in top 20-40% most popular programs Patch those first Ensure secure and authenticated patching Do not accept upgrade incentives from unknown / untrusted sources Real-time patching would be ideal but is often unrealistic Disruptions may be intolerable Patching many devices takes time Promising technologies are emerging for hot patching 14 of 26

15 Access control policy matrix deployment Push out asset categories and user roles definitions across all deployed systems \ Who \ What \ People Applications Containers Systems Facilities People Data Applications Containers Systems Facilities Networks 15 of 26

16 Surveillance Security Incident and Event Management (SIEM) Log all events if potentially relevant Secure all monitoring devices (e.g. CCTV surveillance) against tampering Back up all logs a.s.a.p. on W once media for critical ones Monitor logs in real time if possible Filter out false positives with suitable tools Immediately report signs of attacks to alert center Sign logs and reports for auditing and compliance verification 16 of 26

17 Incident response Must have plan in place Must respond according to plan Shut down / quarantine offending / infected application, container, system, or network Alert proper management level immediately Analyze attacked target (network, HV, VM, OS, middleware, application, etc.) Report to responsible CERT / umbrella / peer organizations / developer Fix (cleanse, sanitize, purge, restore) affected system(s) watch for infected back-ups Restart operations a.s.a.p. but no sooner than safe Document event and secure report 17 of 26

18 Audit, control, compliance Regular (annual) assessment Asset inventory & classification Threat model Risk assessment Applicable policies Deployed mechanisms Configured authorizations Employee education Maintained logs Reported events Verify compliance with applicable laws, regulations, plans Measure & track evolution over time Document evidence and sign if possible Use outside experts to ensure unbiased assessment Use guidelines and tools to help automate process Incident responses 18 of 26

19 Security assessment Physical facilities Digital equipment procurement, configuration, patching, monitoring Networks, incl. Perimeter defenses (firewalls, VPNs, etc.) and crypto deployment Segmentation of critical sub-networks Systems (servers and end user), incl. Malware defenses, intrusion detection / prevention / response Applications, incl. Regular vulnerability analysis, pen-testing 19 of 26

20 Security metrics If a system is secure there is nothing to report! Interesting is if / when / where / how a system is insecure High-level metrics categories HR employee education and testing statistics Facility & workplace incidents statistics Network firewall statistics (e.g., address coverage, blocked packets) Applications vulnerability & pen testing statistics (see next CIS recommendation) Patch coverage and latency (see next CIS recommendation) Malware coverage and timeliness of anti-malware filters and scanners Incidents audit and report statistics (see next CIS recommendation) external addresses traffic statistics Password cracking tests statistics Help desk security-related calls statistics Statistics need not be cast in absolute numbers => relative changes reflect pertinent trends Cannot measure benefit (ROI) or cost (TCO) => measure Annual Loss Expectancy (ALE) 21 of 26

21 Center for Internet Security (CIS) 21 suggested IT security metrics Application security Number of applications Percentage of critical applications Risk assessment coverage Security testing coverage Configuration change management Mean-time to complete changes Percent of changes with security review Percent of changes with security exceptions Financial position Information security budget as % of IT budget Information security budget allocation 22 of 26

22 Center for Internet Security (CIS) 21 suggested IT security metrics Incident management Incident rate Percentage of incidents detected by internal controls Mean-time between incidents Mean-time to discovery Mean-time to recovery Patch management Patch policy compliance Patch management coverage Mean-time to patch Vulnerability management Vulnerability scan coverage Number of known vulnerability instances Percent of systems without known severe vulnerabilities Mean-time to mitigate vulnerabilities 23 of 26

23 NIST Security Content Automation Protocol (SCAP) Platform compliance specification and verification tools XML checklists to automate measurement & control of some 300 security configuration parameters on IT systems 2 languages Extensible Configuration Checklist Description Format (XCCDF), Open Vulnerability and Assessment Language (OVAL), 3 taxonomy databases Common Platform Enumeration (CPE), Common Configuration Enumeration (CCE), Common Vulnerabilities and Exposures (CVE), Assessment ratings use Common Vulnerability Scoring System (CVSS) 24 of 26

24 Platform compliance verification tools Center for Internet Security Configuration Audit Tools (CIS-CAT) Checks and reports configuration of target IT system 25 of 26

25 Platform compliance verification tools Center for Internet Security Benchmark Audit Tools (CIS-BAT) Compares CIS Benchmarks to configuration of target IT system on scale of of 26