WHITE PAPER | June 2012

20 Critical Security Controls
How CA Technologies can help federal agencies automate compliance processes

Philip Kenney, CA Security Management
Table of Contents

Executive Summary
Section 1: Meeting FISMA and NIST requirements
Section 2: How CA Technologies supports the 20 CSCs
Section 3: Technologies for automating the 20 CSCs
Section 4: Conclusions: A practical platform for implementing the 20 CSCs
Section 5: About the author
Executive Summary

Challenge

In 2008, the Center for Strategic and International Studies (CSIS) convened a consortium of information security experts from the public and private sectors to identify the key security controls that agencies should implement. The resulting document, 20 Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, identified a core set of measures that federal agencies should employ to reduce risk and conform to FISMA requirements. By focusing on these measures as a subset of the comprehensive NIST guidelines, security administrators can build toward comprehensive security incrementally, starting with what the document calls quick wins. While the document sets out activities that CISOs, CIOs and IGs can adopt as their top shared priorities, many agencies lack critical components of the security infrastructure needed to carry them out. Many of the controls require process support or automation to be effective, and even with most of the individual measures in place, compliance will remain elusive if agencies cannot achieve overall management visibility and control.

Opportunity

The 20 Critical Security Controls document designates areas where agencies can quickly improve their security posture and sustain those improvements over time. Given the scope, scale and complexity of the typical agency enterprise, neither can realistically be accomplished with manual methods alone. By automating controls, and by managing and documenting control performance, agencies can achieve the ultimate goal of FISMA and NIST SP 800-53, which is improved security, and will be better able to meet their own regulatory compliance goals.
Benefits

CA Technologies gives federal agencies a practical and affordable way to implement many of the 20 Critical Security Controls (CSCs) by combining security automation with service assurance and service automation technology. Security Management solutions from CA Technologies deliver automation that helps build policy enforcement into processes, improve the quality of compliance and reduce the burden on administrators. Service Assurance and Service Automation solutions provide centralized visibility into, and additional control over, an agency's 20 CSC efforts. Together they give agencies an efficient, cost-effective way to enable and manage compliance by building on what they already own.
Section 1: Meeting FISMA and NIST requirements

The National Institute of Standards and Technology (NIST) has produced a comprehensive catalog of security controls in NIST Special Publication 800-53, revision 3. By contrast, the CSIS-authored document, Twenty Critical Security Controls for Effective Cyber Defense, identifies a subset of security control activities that CISOs, CIOs and IGs can focus on as their foremost priorities for cyber security. This subset is based on attacks observed recently and those anticipated in the near future.

A head start for compliance with NIST 800-53

The 20 Critical Security Controls (20 CSCs) principally address technical areas. However, they map directly to a critical subset of the Priority Code 1 (P1) controls identified in NIST SP 800-53 and are intended to give agencies a sound head start toward overall NIST 800-53 compliance. The intent is to help agencies ensure that they have assessed and implemented an appropriate set of management and technical controls for their specific risk areas. Within the guidance of 800-53, the 20 CSCs can be viewed as consensus priorities for assessing risks to the confidentiality, integrity and availability of systems and information in the agency's enterprise environment. Once the CIO and CISO have agreed on priorities, the 20 CSCs are recommended as the foundation for implementing management and technical controls within the agency.

Both management and technical controls are required

Both the 20 CSCs and NIST SP 800-53 make it clear that controls must address two aspects: overall management and specific implementation. Agencies must not only put controls in place; they must also be able to monitor those controls and document their performance. Failure in either aspect constitutes non-compliance.
In addition to the requirements of the 20 CSCs and NIST 800-53, agencies must accommodate another practical consideration: the architecture and elements of the security infrastructure they already own. Agencies are unlikely to pursue any approach to implementing the 20 CSCs that does not use their existing systems as a foundation, which means that almost every implementation of the 20 CSCs will take place in a multi-vendor, heterogeneous environment.
Finding the right balance

It is perhaps easiest to visualize the implementation of the 20 CSCs in three core dimensions:

- Specific technical controls address individual devices and functions: cataloging authorized devices, securing configurations, managing access, and so on.
- Management, visibility and control includes the capabilities that let administrators track, analyze, manage and document data, alerts and other outputs from the technical controls.
- Existing technologies are the systems and software agencies already own; these must serve as the foundation for new implementations.

The appropriate balance between the dimensions will vary for each agency, depending on the maturity of its security infrastructure, its resources and the particular risks it faces.

Figure A. Three core dimensions in a heterogeneous environment
Section 2: How CA Technologies supports the 20 CSCs

CA Technologies combines security automation with service assurance and automation management to help streamline agency implementations of the 20 CSCs. As an industry-leading provider of enterprise IT management software, CA Technologies is positioned to support agencies aiming to meet the requirements for securing their environments, and has been providing management and security solutions to industry and government for over thirty years. Based on that experience in large, heterogeneous environments around the globe, we have developed the following solutions map for implementing the 20 CSCs. "Can be automated" follows the 20 CSC document's own classification of which controls can be measured and enforced by tooling; "CA supports management" means a unified, central view of the control across the IT environment.

 #   Control                                                              Can be     CA supports   CA supports
                                                                          automated  automation    management
 1   Inventory of authorized and unauthorized devices                         x          x             x
 2   Inventory of authorized and unauthorized software                        x          x             x
 3   Secure configurations for hardware and software on laptops,             x          x             x
     workstations and servers
 4   Continuous vulnerability assessment and remediation                      x          x             x
 5   Malware defenses                                                         x                        x
 6   Application software security                                            x                        x
 7   Wireless device control                                                  x          x             x
 8   Data recovery capability                                                                          x
 9   Security skills assessment and training                                                           x
10   Secure configurations for network devices such as firewalls,            x          x             x
     routers and switches
11   Limitation and control of network ports, protocols and services         x          x             x
12   Controlled use of administrative privileges                              x          x             x
13   Boundary defense                                                         x                        x
14   Maintenance, monitoring and analysis of security audit logs             x          x             x
15   Controlled access based on need to know                                  x          x             x
16   Account monitoring and control                                           x          x             x
17   Data loss prevention                                                     x          x             x
18   Incident response capability                                                                      x
19   Secure network engineering                                                                        x
20   Penetration tests and red team exercises                                                          x

Section 3: Technologies for automating the 20 CSCs

CA Technologies combines security automation with service assurance and automation management to help streamline agency implementations of the 20 CSCs. The 20 Critical Security Controls document categorizes tasks into six basic areas:

1. Identifying what assets agencies have
2. Knowing who is using those assets and how
3. Controlling access according to roles and responsibilities
4. Keeping configurations, versions and patches up to date
5. Managing security data to improve compliance and support audits
6. Ensuring availability by identifying and pre-empting threats

Multiply those few tasks by the number of assets in inventory and the number of stakeholders using them, and the result is a great deal of work for compliance administrators.

In addition to identifying the 20 controls, the 20 CSC document provides guidance on how organizations can progressively improve each control. It groups sub-controls into four categories of increasing maturity:

1. Quick wins, labeled QW in the 20 CSC document. A quick win does not completely mitigate a given threat, but, as the name implies, it identifies where security can be improved rapidly, without major procedural, architectural or technical changes.
2. Improved visibility and attribution, labeled Vis/Attrib. These sub-controls improve existing processes and increase awareness of, and visibility into, given threat vectors.
3. Hardened configuration and improved information security hygiene, labeled Config/Hygiene. These sub-controls improve security operations and end-user behavior to reduce vulnerabilities.
4. Advanced, labeled Advanced. These should be considered only after an organization has addressed the preceding three categories.

CA Technologies directly supports 12 of the 15 CSCs that can be automated, with security solutions for asset and configuration management, identity management, security information management and threat management:

CSC #1: Inventory of authorized and unauthorized devices
CA Client Automation

CA Client Automation helps provide the enforcement and reporting required to detect and catalog authorized and unauthorized devices.
It can automatically detect systems across heterogeneous platforms and operating systems, then use both agent-based and agentless methods to capture detailed hardware inventory and usage levels for each asset. CA Client Automation contains discovery tools that provide continuous monitoring of the network, detection of new devices and application of policy to newly discovered devices. Collected asset data can be assessed against policy to determine whether enforcement or remediation is necessary, and reconciled with an enterprise directory to correlate discovered devices with authorized users.
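The reconciliation step described above (discovered devices compared against an authorized inventory and against the directory) is the heart of this control. The following is an added illustration of that step, not CA Client Automation code or output: it reconciles a constructed discovery result against a constructed authorized inventory keyed by MAC address, flags devices that are unknown, that sit in an unapproved subnet, or whose directory owner is no longer active, and notes authorized devices that were not seen. The same comparison generalizes to the software inventory in CSC #2.

```python
"""Reconcile discovered devices against an authorized inventory and the directory (CSC #1).

Added, hypothetical example; it is not CA Client Automation code and the data below is constructed.
"""
import ipaddress

# Constructed discovery result, as a scanner might report it (MAC, IP, observed hostname).
DISCOVERED = [
    {"mac": "00:1A:2B:3C:4D:01", "ip": "10.10.1.20", "hostname": "ws-finance-07"},
    {"mac": "00-1a-2b-3c-4d-02", "ip": "10.10.1.21", "hostname": "ws-finance-08"},
    {"mac": "00:1a:2b:3c:4d:03", "ip": "10.10.9.5", "hostname": "ws-finance-09"},   # wrong subnet
    {"mac": "f4:5c:89:aa:bb:cc", "ip": "10.10.1.77", "hostname": "android-7f3e"},   # not in inventory
]

# Constructed authorized inventory keyed by MAC: owner (a directory account) and the approved subnet.
AUTHORIZED = {
    "00:1a:2b:3c:4d:01": {"owner": "jdoe", "subnet": "10.10.1.0/24"},
    "00:1a:2b:3c:4d:02": {"owner": "asmith", "subnet": "10.10.1.0/24"},
    "00:1a:2b:3c:4d:03": {"owner": "bjones", "subnet": "10.10.1.0/24"},
    "00:1a:2b:3c:4d:04": {"owner": "clee", "subnet": "10.10.1.0/24"},            # never seen
}

# Constructed directory extract: accounts that are still enabled (bjones has left the agency).
DIRECTORY_ACTIVE = {"jdoe", "asmith", "clee"}

ACTIONS = {  # what policy says to do for each finding kind, most urgent first
    "unauthorized": "quarantine switch port; open investigation ticket",
    "orphaned": "disable device; owner is no longer active in the directory",
    "misplaced": "verify relocation; reassign subnet or revoke network access",
    "missing": "locate device or confirm decommissioning before removing it from inventory",
}


def normalize_mac(mac):
    """Canonical lowercase, colon-separated form so scanner and inventory spellings compare equal."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def reconcile(discovered, authorized, active_users):
    """Compare what was seen on the network with what is authorized and who is allowed to own it."""
    auth = {normalize_mac(m): rec for m, rec in authorized.items()}
    findings = {"unauthorized": [], "misplaced": [], "orphaned": [], "missing": []}
    seen = set()
    for dev in discovered:
        mac = normalize_mac(dev["mac"])
        seen.add(mac)
        rec = auth.get(mac)
        if rec is None:                        # MAC not in the inventory at all
            findings["unauthorized"].append(mac)
            continue
        if ipaddress.ip_address(dev["ip"]) not in ipaddress.ip_network(rec["subnet"]):
            findings["misplaced"].append(mac)  # authorized device, but not where policy puts it
        if rec["owner"] not in active_users:
            findings["orphaned"].append(mac)   # authorized device whose owner has left
    findings["missing"] = sorted(set(auth) - seen)  # authorized but absent from this scan
    return findings


def remediation_plan(findings):
    """Flatten the findings into an ordered work queue of (mac, action), most urgent first."""
    return [(mac, ACTIONS[kind]) for kind in ACTIONS for mac in findings[kind]]


if __name__ == "__main__":
    for mac, action in remediation_plan(reconcile(DISCOVERED, AUTHORIZED, DIRECTORY_ACTIVE)):
        print(f"{mac}  {action}")
```

Keying on MAC rather than hostname or IP matters: hostnames are self-reported by the device and IPs move, so an attacker's laptop named like a workstation still shows up as unauthorized. A device that is authorized but missing from the scan is kept in the inventory until someone confirms it was decommissioned, because silently dropping it would hide a stolen or relocated asset.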
CSC #2: Inventory of authorized and unauthorized software
CA Client Automation

CA Client Automation helps provide the enforcement and reporting needed to detect and catalog application usage. It can automatically detect systems across heterogeneous platforms and operating systems, then capture detailed inventory information, including:

- all operating system software
- all user applications and software
- release, version and patch levels
- usage histories and levels

Asset data can be assessed against policy to enable enforcement and remediation where necessary: software that is out of date can be patched to the approved level, and software that is not authorized at all can be removed.

CSC #3: Secure configurations for hardware and software on laptops, workstations and servers
CA Client Automation, CA Configuration Automation, CA ControlMinder

CA Client Automation collects and manages detailed hardware and software information for a heterogeneous set of platforms and operating systems. The Federal Desktop Core Configuration (FDCC) Scanner within CA Client Automation can continuously scan managed systems for compliance with the mandated FDCC security configurations. Where necessary, automated remediation steps can be provisioned to eliminate vulnerabilities and bring variant systems into compliance, and the scanning can be augmented with agency-specific controls to meet agency-specific requirements. CA Configuration Automation uses compliance rules to check that server and application configurations adhere to compliance policies; built-in rules facilitate compliance with industry standards such as PCI and the DISA STIGs. Beyond scanning for configuration compliance, the operating systems themselves can be made resistant to unauthorized change: CA ControlMinder is a privileged user management solution in which fine-grained system hardening settings on servers can be configured, deployed and enforced.
It protects that environment by hardening servers according to policy and preventing unauthorized persons from changing settings. CA ControlMinder works by hardening the underlying OS and applying policies pre-defined by the organization to enforce segregation of duties and least privilege. It gives management visibility and control over the environment by automatically generating reports and alerts when a policy violation occurs or has been prevented. CA ControlMinder can also provide its log files for central collection by CA User Activity Reporting Module; see CSC #14 for details.
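To show what "assessing configuration data against policy, then remediating" looks like in practice, here is an added example that is not CA code and does not reproduce the real FDCC settings; the baseline rules, their values and the observed configuration are constructed. It expresses the baseline as data (setting, comparison, expected value, severity, fix), merges agency-specific rules with it, evaluates an observed configuration, treats a setting the scanner could not read as a non-pass rather than a pass, and auto-remediates only findings at chosen severities, leaving the rest for review, which is the restraint an agency wants before letting automated remediation loose on production systems.

```python
"""Check an observed configuration against a security baseline and remediate by severity (CSC #3).

Added, hypothetical example; not CA code. The rules and values below are constructed for illustration
and are not the FDCC settings themselves.
"""

# Each rule: setting name, comparison, expected value, severity, and the value to apply on remediation.
BASELINE = [
    {"setting": "MinimumPasswordLength", "op": "min", "expected": 12, "severity": "high", "fix": 12},
    {"setting": "PasswordComplexity", "op": "eq", "expected": True, "severity": "high", "fix": True},
    {"setting": "MaximumPasswordAge", "op": "max", "expected": 60, "severity": "medium", "fix": 60},
    {"setting": "AutoPlay", "op": "eq", "expected": "disabled", "severity": "medium", "fix": "disabled"},
    {"setting": "TelnetService", "op": "in", "expected": ["disabled", "absent"], "severity": "high", "fix": "disabled"},
]

# Agency-specific augmentation, merged with the mandated baseline at evaluation time.
AGENCY_RULES = [
    {"setting": "ScreenLockTimeoutMinutes", "op": "max", "expected": 15, "severity": "low", "fix": 15},
]

# Constructed scan result for one workstation. ScreenLockTimeoutMinutes was not reported at all.
OBSERVED = {
    "host": "ws-finance-07",
    "settings": {
        "MinimumPasswordLength": 8,
        "PasswordComplexity": True,
        "MaximumPasswordAge": 90,
        "AutoPlay": "disabled",
        "TelnetService": "running",
    },
}

OPERATORS = {
    "eq": lambda actual, expected: actual == expected,
    "min": lambda actual, expected: actual >= expected,
    "max": lambda actual, expected: actual <= expected,
    "in": lambda actual, expected: actual in expected,
}


def evaluate(observed, rules):
    """Return one finding per rule: pass, fail, or unknown when the scanner reported nothing for the setting."""
    findings = []
    for rule in rules:
        name = rule["setting"]
        if name not in observed["settings"]:
            findings.append({"setting": name, "status": "unknown", "severity": rule["severity"], "actual": None})
            continue
        actual = observed["settings"][name]
        ok = OPERATORS[rule["op"]](actual, rule["expected"])
        findings.append({"setting": name, "status": "pass" if ok else "fail",
                         "severity": rule["severity"], "actual": actual})
    return findings


def compliance_score(findings):
    """Percentage of rules that passed; unknown counts against the host, since unread is not compliant."""
    if not findings:
        return 100
    passed = sum(1 for f in findings if f["status"] == "pass")
    return round(100 * passed / len(findings))


def remediate(observed, rules, findings, auto_severities=("high",)):
    """Apply each rule's fix value for non-passing findings at the chosen severities.

    Returns the corrected settings and a change log of (setting, before, after); lower severities are
    left for human review rather than changed automatically.
    """
    by_name = {rule["setting"]: rule for rule in rules}
    new_settings = dict(observed["settings"])
    changes = []
    for f in findings:
        if f["status"] == "pass" or f["severity"] not in auto_severities:
            continue
        fix = by_name[f["setting"]]["fix"]
        new_settings[f["setting"]] = fix
        changes.append((f["setting"], f["actual"], fix))
    return new_settings, changes


if __name__ == "__main__":
    rules = BASELINE + AGENCY_RULES
    before = evaluate(OBSERVED, rules)
    fixed, log = remediate(OBSERVED, rules, before)
    after = evaluate({"host": OBSERVED["host"], "settings": fixed}, rules)
    print(f"{OBSERVED['host']}: {compliance_score(before)}% -> {compliance_score(after)}% after {len(log)} automatic fixes")
```

Keeping the baseline as data rather than code is what makes the "augment with agency-specific controls" step cheap: a new rule is one more record, and the same evaluator produces the evidence an auditor will ask for (what was expected, what was observed, what was changed and when).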
CSC #4: Continuous vulnerability assessment and remediation
CA Client Automation, CA Spectrum, CA Configuration Automation

As noted above, CA Client Automation collects and manages detailed hardware and software information for a heterogeneous set of platforms and operating systems. It scans workstations and servers on a schedule, on demand, or in response to an event such as a security log entry. CA Spectrum similarly scans network devices on a schedule, on demand, or in response to an event. The FDCC Scanner within CA Client Automation can continuously scan managed systems for compliance with the mandated FDCC security configurations, and automated remediation steps can be provisioned where necessary to eliminate vulnerabilities and bring variant systems into compliance. CA Client Automation can patch systems and apply configuration settings; this remediation can be initiated manually, or automatic detection of non-compliance can trigger it. CA Configuration Automation uses compliance rules to check that server and application configurations adhere to compliance policies, with built-in rules for industry standards such as PCI and the DISA STIGs.

CSC #7: Wireless device control
CA Spectrum, CA Client Automation

CA Spectrum helps meet the requirements of this control. Its device-management modules provide wireless device control, MIB and trap support, descriptive device-type identification, OneClick views, technology support and standard capabilities for specific devices and firmware. Examples of device-family management modules include Catalyst, PIX Firewall, Wireless LAN Controller and AiroNet. CA Client Automation can be installed on supported wireless devices to provide protection at the level described for workstations under CSC #3 and elsewhere.
CSC #10: Secure configurations for network devices such as firewalls, routers and switches
CA Spectrum

CA Spectrum helps provide the secure configuration (for example, SSH v2 as the device communication mode), enforcement and reporting required by this control. It identifies and monitors the configurations of device families and individual devices, including routers, hubs and switches. Each device can be configured to provide specific services.
Details of how devices operate and how they are customized can be included in each configuration. The CA Spectrum Network Configuration Manager component helps increase uptime, reduce network issues and lower costs by enabling administrators to:

- create policies for configurations and verify that devices are compliant
- prevent or detect performance problems by verifying configurations
- manage configurations for devices modeled in Spectrum/OneClick
- capture configurations and store them in the Spectrum database
- load or merge configurations to devices of the same family type
- schedule automatic captures and policy checks
- maintain a history of network device configurations

CSC #11: Limitation and control of network ports, protocols and services
CA ControlMinder, CA Client Automation

As noted under CSC #3, CA ControlMinder helps protect sensitive data and critical applications on the protected host by strictly controlling access to system resources. CA ControlMinder can lock down ports and provide host-based intrusion detection. CA Client Automation can be used, as described under CSC #3, to scan for open ports and active services and to apply policy to the results, ranging from alerting the appropriate personnel to closing unauthorized ports and terminating disallowed services.

CSC #12: Controlled use of administrative privileges
CA ControlMinder

CA ControlMinder is a security enforcement tool that manages user privileges, including administrative and superuser privileges. The 20 CSC document identifies misuse of administrative privileges as a primary method attackers use to spread inside a target enterprise. CA ControlMinder protects server resources by controlling user, superuser and administrator privileges, constraining access to authorized uses only. With the Privileged User Password Management (PUPM) component, administrative passwords are obtained only as they are needed and are available for use only while checked out to an authorized user.
As soon as the user checks the password back in, it is changed on the target system. CA ControlMinder also lets agencies define and enforce password quality rules, including composition, minimum and maximum length, repetition limits and dictionary checks, so that whenever users change a password it must comply with agency policy.
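The PUPM workflow just described (a password issued only while checked out, rotated on check-in, and a quality policy applied to every password) is shown below as an added, hypothetical example; it is not CA ControlMinder's implementation, and the policy values, users and target names are illustrative. The vault enforces entitlements, refuses a second checkout while another user holds the credential, rotates on check-in and before reissuing an expired checkout, and records every event; the target system is stood in for by a dictionary.

```python
"""Privileged-password checkout with rotation on check-in and a password-quality policy (CSC #12).

Added, hypothetical example; not CA ControlMinder code. Policy values and data are constructed.
"""
import secrets
import string

# Constructed password-quality policy (illustrative values, not an agency's real policy).
POLICY = {
    "min_length": 16,
    "max_length": 32,
    "require": ("upper", "lower", "digit", "symbol"),         # composition rules
    "max_repeat": 2,                                           # the same character more than twice in a row fails
    "dictionary": {"password", "welcome", "admin", "summer"},  # substrings rejected by the dictionary check
}


def check_quality(pw, policy=POLICY):
    """Return the list of policy rules the password violates; an empty list means it complies."""
    problems = []
    if not policy["min_length"] <= len(pw) <= policy["max_length"]:
        problems.append("length")
    present = {
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }
    problems += [cls for cls in policy["require"] if not present[cls]]
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        if run > policy["max_repeat"]:
            problems.append("repetition")
            break
    if any(word in pw.lower() for word in policy["dictionary"]):
        problems.append("dictionary")
    return problems


def generate_password(policy=POLICY):
    """Draw random passwords from a CSPRNG until one satisfies the policy."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy["min_length"]))
        if not check_quality(candidate, policy):
            return candidate


class PrivilegedVault:
    """Holds administrative passwords; issues them only while checked out and rotates them on check-in."""

    def __init__(self, entitlements, rotate_on_target):
        self.entitlements = set(entitlements)      # {(user, target)} pairs permitted to check out
        self.rotate_on_target = rotate_on_target   # callback that changes the password on the target system
        self.passwords = {}                        # target -> current password
        self.checked_out = {}                      # target -> (user, expiry time)
        self.audit = []                            # (time, actor, target, event)

    def register(self, target, password):
        self.passwords[target] = password

    def checkout(self, user, target, now, ttl=3600):
        if (user, target) not in self.entitlements:
            self.audit.append((now, user, target, "checkout-denied"))
            raise PermissionError(f"{user} is not entitled to {target}")
        holder = self.checked_out.get(target)
        if holder and holder[0] != user and holder[1] > now:
            self.audit.append((now, user, target, "checkout-busy"))
            raise RuntimeError(f"{target} is checked out to {holder[0]}")
        if holder and holder[1] <= now:
            self._rotate(target, now, "expired-rotation")  # stale credential: rotate before reissuing
        self.checked_out[target] = (user, now + ttl)
        self.audit.append((now, user, target, "checkout"))
        return self.passwords[target]

    def checkin(self, user, target, now):
        holder = self.checked_out.get(target)
        if not holder or holder[0] != user:
            raise RuntimeError(f"{target} is not checked out to {user}")
        del self.checked_out[target]
        self._rotate(target, now, "checkin-rotation")
        self.audit.append((now, user, target, "checkin"))

    def _rotate(self, target, now, event):
        new_pw = generate_password()
        self.rotate_on_target(target, new_pw)  # change it on the system first, then in the vault
        self.passwords[target] = new_pw
        self.audit.append((now, "vault", target, event))


# Constructed stand-in for the credential store of the target system.
TARGET_SYSTEMS = {"db-prod-01": "Initial-Pass-2012!"}


def demo():
    """One checkout/check-in cycle by an entitled user; returns the vault and the password that was issued."""
    vault = PrivilegedVault({("jdoe", "db-prod-01")}, TARGET_SYSTEMS.__setitem__)
    vault.register("db-prod-01", TARGET_SYSTEMS["db-prod-01"])
    issued = vault.checkout("jdoe", "db-prod-01", now=1000)
    vault.checkin("jdoe", "db-prod-01", now=1300)
    return vault, issued


if __name__ == "__main__":
    vault, issued = demo()
    print("issued:", issued, "| now on target:", TARGET_SYSTEMS["db-prod-01"])
    for entry in vault.audit:
        print(entry)
```

Two details carry the security value. The password is changed on the target before the vault's copy is updated, so a failure leaves the vault holding a credential that no longer works rather than one that does but is unknown to the vault. And the audit trail ties every use of the shared administrative account to a named person and a time window, which is what makes later review of administrator actions (CSC #14) meaningful.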
CA ControlMinder also helps eliminate privilege creep through delegation of access rights to designated systems operators: administrators can match users precisely with the privileges they need, removing any reason to grant excessive rights. CA ControlMinder includes protected logs that capture administrative actions; these can be forwarded to CA User Activity Reporting Module for central collection and review, which adds a further level of protection because administrators' actions are collected and audited as standard operating procedure.

CSC #14: Maintenance, monitoring and analysis of security audit logs
CA User Activity Reporting Module

CA User Activity Reporting Module (CA UARM) is a log collection, review, reporting and archiving solution that supports this control. CA UARM collects logs from virtually any source: operating systems, network devices, syslog and applications. Collected logs can be reviewed with built-in queries that map to the most significant regulatory requirements (HIPAA, FISMA, DoD and others) or with user-defined queries, and administrators can define alerts that fire automatically when a query's results meet specified criteria. CA UARM also centralizes log management: logs from geographically separated offices can be collected locally and then reviewed and reported on centrally without moving large volumes of data. Queries can be federated, so a review for a specific log event can be defined in one location and then run against all other CA UARM-managed sites. CA UARM includes more than 350 reports covering many regulatory requirements, as well as extensive ad hoc reporting. It also supports long-term retention with archiving that keeps logs online or near-line as required.
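The collect, query, alert and federate pattern described for CA UARM is illustrated below with an added example that is not CA code; the syslog-style lines, site names, users and thresholds are constructed. A query is defined once and run at each site, each site returns only a summary, and the central alert logic merges the summaries, so that a password-guessing source that stays under the threshold at every individual site is still detected across sites. Unparsed lines are counted rather than silently dropped, since a drop in parse rate is itself something a log reviewer needs to see.

```python
"""Log review with reusable queries, federated across sites, and threshold alerts (CSC #14).

Added, hypothetical example of the collect/query/alert pattern; not CA UARM code. Log lines are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed syslog-style format: ISO timestamp, host, program[pid]: message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<prog>[A-Za-z_-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")

# Constructed sample logs, one list per site collector. Neither site alone reaches the failed-login
# threshold used below; only the federated view does.
SITE_LOGS = {
    "site-east": [
        "2012-06-04T09:12:01 gw-east sshd[2201]: Failed password for root from 203.0.113.5 port 51122 ssh2",
        "2012-06-04T09:12:03 gw-east sshd[2201]: Failed password for root from 203.0.113.5 port 51122 ssh2",
        "2012-06-04T09:12:06 gw-east sshd[2201]: Failed password for root from 203.0.113.5 port 51122 ssh2",
        "2012-06-04T09:14:05 gw-east sshd[2209]: Accepted password for jdoe from 10.10.1.20 port 40022 ssh2",
        "2012-06-04T09:15:10 gw-east sudo: jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/tail /var/log/secure",
        "this line is not in syslog format and must be counted as unparsed",
    ],
    "site-west": [
        "2012-06-04T09:12:44 gw-west sshd[881]: Failed password for invalid user admin from 203.0.113.5 port 51201 ssh2",
        "2012-06-04T09:12:47 gw-west sshd[881]: Failed password for invalid user admin from 203.0.113.5 port 51201 ssh2",
        "2012-06-04T09:12:50 gw-west sshd[881]: Failed password for invalid user admin from 203.0.113.5 port 51201 ssh2",
        "2012-06-04T09:16:02 gw-west sudo: bjones : TTY=pts/1 ; PWD=/home/bjones ; USER=root ; COMMAND=/usr/sbin/useradd svc-backup",
    ],
}


def parse(line):
    """Return the structured fields of a syslog-style line, or None if the line does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def query_failed_logins(lines, since="0000"):
    """Count failed SSH logins per (user, source) on or after `since` (ISO timestamps compare lexically)."""
    counts = Counter()
    for rec in filter(None, map(parse, lines)):
        if rec["prog"] != "sshd" or rec["ts"] < since:
            continue
        m = FAILED_RE.search(rec["msg"])
        if m:
            counts[(m["user"], m["src"])] += 1
    return dict(counts)


def query_unauthorized_sudo(lines, allowed_admins):
    """List sudo commands run by users who are not on the approved administrator list."""
    hits = []
    for rec in filter(None, map(parse, lines)):
        if rec["prog"] != "sudo":
            continue
        m = SUDO_RE.match(rec["msg"])
        if m and m["user"] not in allowed_admins:
            hits.append((rec["ts"], rec["host"], m["user"], m["cmd"]))
    return hits


def run_federated(query, site_logs, **kwargs):
    """Run one query definition at every site collector; only each site's summary comes back, not its logs."""
    return {site: query(lines, **kwargs) for site, lines in site_logs.items()}


def alerts_failed_logins(site_results, threshold=5):
    """Merge per-site failed-login counts by source address and alert when the total reaches the threshold."""
    total = Counter()
    sites = defaultdict(set)
    for site, counts in site_results.items():
        for (_user, src), n in counts.items():
            total[src] += n
            sites[src].add(site)
    return [{"src": src, "count": n, "sites": sorted(sites[src])} for src, n in total.items() if n >= threshold]


def unparsed_count(lines):
    """Lines the parser rejected; a sudden rise usually means a format change or tampering, not quiet."""
    return sum(1 for line in lines if parse(line) is None)


if __name__ == "__main__":
    print(alerts_failed_logins(run_federated(query_failed_logins, SITE_LOGS)))
    print(run_federated(query_unauthorized_sudo, SITE_LOGS, allowed_admins={"jdoe"}))
```

The source 203.0.113.5 tries three passwords at each site, under a per-site threshold of five, and is only caught because the central alert merges the two summaries; the sudo query meanwhile turns up a user account creation by someone outside the approved administrator list, the kind of privileged action CSC #12 says must be reviewed.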
CSC #15: Controlled access based on need to know
CA ControlMinder

CA ControlMinder helps enforce access on a need-to-know basis by letting administrators associate access rules with specific systems. Users are granted access to sensitive or classified information only if they meet a pre-defined set of criteria, and any type of resource can be associated with access rules that incorporate almost any policy-driven qualification. CA ControlMinder manages access to the following types of resource:

- files and folders
- processes
- user IDs and group IDs
- privileged programs
- network connections
- terminals
- user-defined resources

Because access and protection are governed by a combination of policy, procedure and enforcement, CA ControlMinder can help protect data and files, entire systems or processes, and even registry entries from unauthorized access or change. User activity is captured in audit logs and can be centralized with CA User Activity Reporting Module.

CSC #16: Account monitoring and control
CA IdentityMinder, CA GovernanceMinder, CA User Activity Reporting Module

CA Technologies is well positioned to support this control because it provides a full complement of components that manage a user's identity life cycle: from creation of the original account, through management of that account's access over its lifetime and enforcement of least-privilege rules and access rights, to collection of the complete audit trail of associated user activity. CA IdentityMinder, CA GovernanceMinder and CA User Activity Reporting Module work together as an integrated identity management platform that helps automate the creation, modification and deletion of user identities and govern access to enterprise resources. CA IdentityMinder goes beyond traditional provisioning systems by providing a unified solution for managing highly diverse and growing user populations across a wide range of enterprise systems, from mainframes to web applications.
Key features of CA IdentityMinder include:

- automated provisioning and de-provisioning of user accounts and access permissions
- centralized audit and reporting of user entitlements
- delegated user administration
- integrated workflow
- password management
- registration services
- user self-service
- periodic review of user access, with attestation reports

CA GovernanceMinder provides pattern recognition and analytical tools that serve as a flexible foundation for establishing cross-system identity security policies and automating the processes required to meet compliance audits. These include entitlements certification and enforcement of consistent identity compliance policies, continually validating that users, roles
and resources have appropriately associated entitlements, which helps meet compliance objectives and security requirements. As noted under CSC #14, CA User Activity Reporting Module can collect logs from a wide variety of sources, including operating systems, network devices, syslog and applications.

CSC #17: Data loss prevention
CA DataMinder

CA DataMinder monitors a wide breadth of data activities and provides a spectrum of response actions, so that the appropriate balance between continuity and enforcement can be achieved throughout an organization. It provides a scalable, accurate and cost-effective way to protect and control data in motion on the network and in messaging systems, data in use at endpoints, and data at rest on servers and in repositories. CA DataMinder capabilities include:

- broad protection coverage
- built-in and user-defined policies
- automated enforcement actions
- secure review of sensitive data

Section 4: Conclusions

A practical platform for implementing the 20 CSCs

The 20 Critical Security Controls document embodies a quick-wins strategy designed to help agencies accelerate compliance with NIST SP 800-53. Both the 20 CSC document and 800-53 indicate that compliance must consist of both overall management and implementation of controls. Of the 15 CSCs that are technology based, 12 can be automated with CA Technologies solutions, and all 20 can be monitored and managed through the combined capabilities of the tools referenced above. Of course, technology alone cannot secure an IT environment; that requires sound governance, consistent management and persistent evaluation of results. Security solutions from CA Technologies give agencies a practical platform for doing all three. The 20 CSCs are a means to an end: maintaining a secure IT environment.
CA Technologies helps agencies pursue that end with proven solutions that streamline the management of critical controls.
For more information on this topic and other areas of IT, please contact your CA Technologies account team or the CA Technologies Federal Sales Hotline at 866-836-5234.

Section 5: About the author

Philip Kenney is a Director of Security Management Solutions for CA Technologies Inc. In this role, Mr. Kenney works with DoD and civilian agencies to ensure that CA Technologies security products meet their needs. He coordinates with product management teams to represent the requirements of federal customers as CA Technologies security solutions are developed, and he manages a team of technical consultants who help government customers understand and realize the full value of Security Management solutions from CA Technologies. Mr. Kenney has over 25 years of IT experience in operational, management and consulting roles spanning a wide range of platforms in both government and business organizations. He focuses on a results-oriented approach to ensure technology outcomes are aligned with business needs.

Connect with CA Technologies at ca.com

Agility Made Possible: The CA Technologies Advantage

CA Technologies (NASDAQ: CA) provides IT management solutions that help customers manage and secure complex IT environments to support agile business services. Organizations leverage CA Technologies software and SaaS solutions to accelerate innovation, transform infrastructure and secure data and identities, from the data center to the cloud. CA Technologies is committed to ensuring our customers achieve their desired outcomes and expected business value through the use of our technology. To learn more about our customer success programs, visit ca.com/customer-success. For more information about CA Technologies go to ca.com.

Copyright 2012 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only.
CA assumes no responsibility for the accuracy or completeness of the information. To the extent permitted by applicable law, CA provides this document "as is" without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or noninfringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill, or lost data, even if CA is expressly advised in advance of the possibility of such damages. CA does not provide legal advice. Neither this document nor any CA software product referenced herein shall serve as a substitute for your compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, policy, standard, guideline, measure, requirement, administrative order, executive order, etc. (collectively, "Laws")) referenced in this document. You should consult with competent legal counsel regarding any Laws referenced herein.

acs2452_0612