Implementing SANS Top 20 Critical Security Controls with ConsoleWorks




The following whitepaper summarizes TDi Technologies' interpretation of the SANS Top 20 Controls and how ConsoleWorks, developed by TDi Technologies, addresses each control in whole or in part.

TDi provides solutions to a global customer base with key verticals including Financial Services, Healthcare, Telecommunications, Utilities, and Government. The company's solutions help customers reduce operating costs, meet compliance requirements, secure the IT foundation, and improve IT service delivery. TDi Technologies is the first solution provider to offer a unified enterprise IT operations solution for Privileged Access Management, Baseline Configuration Management, Event Monitoring and Remediation, and Logging over the IT foundation. The company's patented technology provides automation, optimization, control and management capabilities that dramatically improve the ability of IT to meet the demands of the business.

From SANS: In 2008, the U.S. National Security Agency (NSA) began an effort that took an "offense must inform defense" approach to prioritizing a list of the controls that would have the greatest impact in improving risk posture against real-world threats. A consortium of U.S. and international agencies quickly grew, and was joined by experts from private industry and around the globe. Ultimately, recommendations for what became the Critical Security Controls (CSCs) were coordinated through the SANS Institute. The Controls effort focuses first on prioritizing security functions that are effective against the latest Advanced Targeted Threats, with a strong emphasis on "What Works": security controls where products, processes, architectures and services are in use that have demonstrated real-world effectiveness. Standardization and automation are another top priority, to gain operational efficiencies while also improving effectiveness.
The US State Department has previously demonstrated more than 94% reduction in "measured" security risk through the rigorous automation and measurement of the Top 20 Controls. The goal of the Critical Controls is to protect critical assets, infrastructure, and information by strengthening your organization's defensive posture through continuous, automated protection and monitoring of your sensitive information technology infrastructure to reduce compromises, minimize the need for recovery efforts, and lower associated costs.

ConsoleWorks - Continuous, Automated Protection & Monitoring

ConsoleWorks monitors, manages, logs, remediates, and secures physical (routers, switches, servers, and so on), logical (SANs and applications, for example) and virtual infrastructures at the lowest level, in real time and in all machine states, including operating, service, configuration, and maintenance modes. It accomplishes this without using agents and does not rely on the operating system being present in order to monitor and manage the infrastructure. ConsoleWorks uses a unique blend of connector, centralized web server, and out-of-band technologies to implement a robust, no-worry, lights-out management solution.

ConsoleWorks Applications to SANS Top 20 Controls

ConsoleWorks addresses the need for single-source management by providing the ability to stop, start, run, load firmware, reboot, and monitor assets, enabling console operations for system administrators anytime, anyplace, and anywhere they can connect to the ConsoleWorks server. ConsoleWorks is designed to minimize operational disruptions, downtime, and mean time to repair. It can automatically trigger operator-specified actions as soon as it detects a known or user-defined condition on a monitored asset. On its own or when partnered with legacy notification applications, ConsoleWorks can phone, fax, page, and email appropriate personnel and provide them with critical information when it's needed and as it happens.

ConsoleWorks Unified Dashboard: Centralized Management of People, Processes, and Systems

ConsoleWorks brings together technologies and other related information for processing into a unified dashboard. It logs and monitors, 24x7 and in real time, all incoming log sources, including those from people (down to the keystroke), processes and systems. All log files collected and aggregated by ConsoleWorks are date/time stamped using a common base date and time, thus eliminating the problems caused by unsynchronized clocks. Log files can be viewed individually or interlaced with other log files in date/time order at the sub-second level using TDi Technologies' patented timestamp mechanism in ConsoleWorks. This normalization helps shorten the remediation process of determining the source of an issue. The unified dashboard encapsulates ConsoleWorks' secure role-based / privileged access control, baseline configuration management, event detection and log aggregation with a sophisticated integration engine containing its Intelligent Event Modules (IEMs).
IEMs apply intelligence to the information being monitored from devices, 3rd-party application event log files, SNMP traps, and Syslog so that the information can be processed and acted on in a meaningful way. In addition, the ConsoleWorks customer-specific knowledge base captures customer-specific remediation steps for a particular Event, enabling faster remediation. On the front end, the ConsoleWorks integration engine facilitates integration with almost any 3rd-party software application, such as Identity Management, Change Management and Password Management systems. On the back end, ConsoleWorks facilitates Incident Response and Compliance / Regulatory Reporting.

Figure: ConsoleWorks Architecture

ConsoleWorks Functionality

ConsoleWorks functionality includes the following features:

- Agentless, persistent monitoring
- Asset access secured using role-based or task-based user privileges
- Scanning of incoming data streams for pre-defined text patterns
- Complete intelligence gathering, including capture of source and account IDs, incident context, and commands and their outcomes
- Centralized command and control for physical, logical and virtual console connections, Syslog messages, SNMP traps, and other streams of information within your cyber infrastructure
- Connections secured using SSL and SSH encryption
- Automatic, securable logging of all data flows to and from monitored assets
- All asset activity logged and the logs digitally signed to make it easier to detect modifications
- Color-coded logs from different information sources facilitating drill-down analyses in aggregated log views
- Hassle-free, large-scale deployments
- Multiple users granted simultaneous access to a single console
- Single user granted Read and Write access to several systems simultaneously
- Automated incident recognition and response
- Complete event lifecycle management: Recognition, Notification, and Remediation
- Events consolidated from all data sources using a common natural time, independent of asset vendor or type
- Events prioritized by severity, set initially by OEMs and 100% customizable by users
- Real-time, customizable graphs and charts for reporting and business intelligence
- Sub-second timeframe for more insightful granularity
- Easy-to-understand dashboards, displays, and views into the health
- Summary and overview event mapping with drill-down capability

Privileged Access Management

Remote Access to Legitimate Users / Protecting and Validating Administrative Accounts on Servers

ConsoleWorks is a unique solution with advanced security capabilities that manage user access to assets.
ConsoleWorks performs the role of the Intermediate Device, with unique security features which stop code-based attacks (malware, viruses, etc.), monitor all remote activity in real time, and enforce authorized remote user access rights.

Prevent Unauthorized Access

ConsoleWorks users must properly authenticate themselves to ConsoleWorks; accessing it without proper authentication is not possible. Once a user is authenticated to ConsoleWorks, the user's role-based security profile determines the access method as well as which assets the user may access or be "Aware" of. ConsoleWorks retains a predefined username/password, PKI certificate, or other credentials that it uses to connect the user to the asset, based on the asset's capabilities. Effectively, ConsoleWorks "owns" the actual connectivity to an asset and controls access to the asset by the users of ConsoleWorks, so it can also determine how a user is connected to the asset. Some users may be required to enter or know a username and password while others are restricted from knowing a username and password; the method used is configured in ConsoleWorks for a given security profile. ConsoleWorks is essentially a PROXY for all types of user access to cyber assets. ConsoleWorks "owns" the access to all shared accounts on each cyber asset. The user authenticates to ConsoleWorks; then ConsoleWorks, based on the user's role-based security profile, is granted access to the shared account, not the asset.

Preventing Unauthorized Access to Sensitive Data

The fine-grained, role-based privilege model in ConsoleWorks gives clients' business units control over the assets with which each user may interact. Least privilege automatically defaults to deny and supports command-by-command privilege grants for absolute control over electronic access to systems and sensitive data.
This enables it to manage and control what an actor may see and how they may access the asset, and to log all their activity down to the keystroke and response. It also allows ConsoleWorks to alert and alarm on user activity, and to blacklist, whitelist or abstract the commands they may use or execute. ConsoleWorks sees the user's command and then decides, based on the security role, whether or not to send the command to the asset. It may also handle the authentication on the asset on behalf of the user, eliminating the need for the user to know a privileged username/password combination on the asset. This is particularly useful for a device where only one privileged account exists: ConsoleWorks knows who is using the privileged account and can audit back to the ConsoleWorks user even though a shared account is in use.

Wireless Device Control

For wireless devices, ConsoleWorks scans for the SSID of the wireless network and knows about the connections by recognizing the MAC address and whether it is a good or bad login key. ConsoleWorks then captures the access port messages and monitors the content for nefarious activity.

White list / Blacklist

ConsoleWorks can be customized to control the application of white-list commands. Specifically, it can be configured to apply to a specific role, user, device name or type, or to any term or value specified by the ConsoleWorks administrator. Specific commands can be allowed or disallowed based on the following classifications:

- Secret
- Confidential
- Regulatory
- Restricted

ConsoleWorks can also implement a blacklist of disallowed or restricted commands or characters. Under this access control approach, the user could be given seemingly unfettered access to a managed asset. If one of these blacklisted commands is executed, ConsoleWorks could be configured to automatically end the user's connection and send an email to Security to apprehend this internal threat, as an example. ConsoleWorks can also integrate with an identity management system. Current callouts and integrations to RADIUS, SecurID two-factor authentication, Active Directory, LDAP and other UNIX PAM modules are supported.

End to End Monitoring and Management

Active Monitoring

ConsoleWorks is a unique solution with advanced security capabilities that actively monitor user access to assets. ConsoleWorks performs the role of the Intermediate Device, with unique security features which stop code-based attacks (malware, viruses, etc.), monitor all remote activity in real time, and enforce only authorized remote user access rights.
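The proxy model described under Privileged Access Management and the White list / Blacklist section above, as an added illustration that is not ConsoleWorks code: the user authenticates to the proxy, the proxy holds the asset's shared-account credential, every typed command is checked against a default-deny role profile, a blacklist hit ends the session and raises an alert, and the audit record still names the real user behind the shared account. The roles, device types, commands and patterns are constructed.

```python
"""Command-by-command access control in a privileged-access proxy.

Illustrative model, not a ConsoleWorks configuration: the proxy sits between
the user and the asset, so a command that is not allowed is never forwarded.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List

# Constructed sample policy: role -> device type -> regular expressions that a
# command line must fully match.  Anything that matches nothing is denied
# (least privilege defaults to deny).
WHITELIST = {
    "network-operator": {
        "cisco-ios": [r"show .*", r"ping \S+", r"terminal length \d+"],
    },
    "sysadmin": {
        "linux-server": [r"systemctl (status|restart) [\w.-]+",
                         r"tail -n \d+ /var/log/[\w./-]+"],
    },
}

# Constructed blacklist, checked before the whitelist for every role.  A hit
# ends the session immediately and raises an alert for the security team.
BLACKLIST = [r"\brm\s+-rf\b", r"\bwrite erase\b", r"\breload\b", r"\bmkfs\b"]


@dataclass
class AuditRecord:
    ts: str
    user: str            # identity authenticated to the proxy
    shared_account: str  # account the proxy used on the asset
    device: str
    command: str
    decision: str


@dataclass
class Session:
    user: str
    role: str
    device: str
    device_type: str
    shared_account: str  # the proxy holds this credential; the user never sees it
    active: bool = True
    audit: List[AuditRecord] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)


def authorize(session: Session, command: str) -> str:
    """Decide one command line: 'allow', 'deny', 'terminate' or 'closed'."""
    command = command.strip()
    if not session.active:
        decision = "closed"                     # connection already torn down
    elif any(re.search(p, command) for p in BLACKLIST):
        session.active = False
        session.alerts.append(
            f"{session.user} ({session.role}) issued blacklisted command "
            f"on {session.device} as {session.shared_account}: {command!r}")
        decision = "terminate"
    else:
        allowed = WHITELIST.get(session.role, {}).get(session.device_type, [])
        decision = "allow" if any(re.fullmatch(p, command) for p in allowed) else "deny"
    # Keystroke-level audit: the record names the real user even though the
    # asset itself only ever saw the shared account.
    session.audit.append(AuditRecord(
        datetime.now(timezone.utc).isoformat(), session.user,
        session.shared_account, session.device, command, decision))
    return decision


def run_session(user, role, device, device_type, shared_account, commands):
    """Feed a sequence of typed commands through the proxy; return the session."""
    session = Session(user, role, device, device_type, shared_account)
    for cmd in commands:
        authorize(session, cmd)
    return session


if __name__ == "__main__":
    s = run_session("alice", "network-operator", "core-rtr-01", "cisco-ios",
                    "admin", ["show running-config", "configure terminal",
                              "reload", "show version"])
    for rec in s.audit:
        print(rec.decision.upper().ljust(9), rec.user, "->", rec.shared_account,
              "@", rec.device, ":", rec.command)
    for alert in s.alerts:
        print("ALERT:", alert)
```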
Third-party monitoring applications such as anti-virus, anti-spyware, vulnerability scanners, patch management systems, change management systems and many more can be integrated with ConsoleWorks for a unified management and monitoring portal. Rules for access can be automated based on the organization's security policies.

Real-time Notification of Events Received from 3rd Party Applications

ConsoleWorks monitors and logs, 24x7 and in real time, all incoming log sources, including those from vulnerability scanners. ConsoleWorks IEMs (Intelligent Event Modules) contain the definitions of known / documented Events provided by the vendor, Event context information, definitions and suggested solutions, and much more. All log files collected and aggregated by ConsoleWorks are date/time stamped using a common base date and time, thus eliminating the problems caused by unsynchronized clocks. Log files can be viewed individually or interlaced with other log files in date/time order at the sub-second level using TDi Technologies' patented timestamp mechanism in ConsoleWorks. Evidence of potentially compromised machines can be identified through Alerts and Alarms.

Uncovering Details of an Attack

ConsoleWorks is agnostic about the source of information. Any information source can be managed and monitored as long as it generates data. Sources like NetFlow, identity management, databases, applications, and other data sources are treated in the same manner as devices that are managed and monitored by ConsoleWorks. ConsoleWorks monitors these logs in the context of all other managed applications or hardware. Its ability to aggregate error conditions across all log files enables administrators to view multiple log files, in context, to help in root cause analysis. In many cases, issues have been resolved before other solutions have been notified that an Event has occurred. ConsoleWorks sees an incoming message that is important.
An Event is defined for that message; when it is detected, ConsoleWorks determines who did it, what the message was and what the description was, and saves that information. From there, additional context such as remediation actions, best practices and links to vendor documentation can be added to that Event.

Helping Prevent Code-based Attacks

ConsoleWorks performs the role of the Intermediate Device, with unique security features which stop code-based attacks (malware, viruses, etc.), monitor all remote activity in real time, and enforce only authorized remote user access rights.
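The common-time-base interleaving described under the Unified Dashboard and Real-time Notification sections, together with pattern-defined Events that record who acted and carry a remediation note, as an added example rather than ConsoleWorks code. The feed, device names, clock skews and Event definitions are constructed; the point it shows is that ordering on the collector's receive time stays correct even when the devices' own clocks disagree.

```python
"""Interleave logs from several sources on one time base, then recognize Events.

Each record carries the timestamp the device wrote (its own clock, possibly
wrong) and the timestamp the collector assigned on receipt (one clock for
everything).  Ordering on the collector time gives a consistent view.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass
class Record:
    received: datetime  # collector clock at receipt: the common time base
    source: str         # device or feed the line came from
    source_time: str    # the device's own timestamp, kept as evidence only
    text: str


@dataclass
class EventDef:
    name: str
    pattern: str        # regex; optional named group `who` identifies the actor
    severity: str
    remediation: str    # knowledge-base note returned with the Event


@dataclass
class Event:
    received: datetime
    source: str
    name: str
    severity: str
    who: Optional[str]
    remediation: str


# Constructed Event definitions, in the spirit of a vendor-supplied module.
EVENT_DEFS = [
    EventDef("config-change", r"Configured from \w+ by (?P<who>\S+)", "MEDIUM",
             "Verify an approved change request; diff running config against baseline."),
    EventDef("link-down", r"linkDown trap|changed state to down", "HIGH",
             "Check the port and any config change on the same device just before it."),
    EventDef("ssh-auth-failure", r"Failed password for (?:invalid user )?(?P<who>\S+) from", "LOW",
             "Repeated failures for one account: lock it and review the source address."),
]

# Constructed feed in arrival order: (collector receive time, source, device time, line).
# core-rtr-01's clock is about four minutes fast; core-sw-02's has never been set.
RAW_FEED = [
    ("2024-03-05T10:15:02.104000", "core-rtr-01", "Mar  5 10:19:01",
     "%SYS-5-CONFIG_I: Configured from console by ops on vty0 (10.0.0.5)"),
    ("2024-03-05T10:15:02.650000", "core-sw-02", "Jan  1 00:03:17",
     "SNMP linkDown trap ifIndex 12 ifDescr Gi1/0/12"),
    ("2024-03-05T10:15:03.010000", "web-01", "Mar  5 10:15:03",
     "sshd[811]: Failed password for invalid user admin from 198.51.100.7 port 40212 ssh2"),
]


def ingest(feed) -> List[Record]:
    """Stamp each line with the collector's clock; never order on device time."""
    return [Record(datetime.fromisoformat(rx), src, dev_time, text)
            for rx, src, dev_time, text in feed]


def interleave(records: List[Record]) -> List[Record]:
    """Single time-ordered view across all sources, microsecond resolution."""
    return sorted(records, key=lambda r: r.received)


def recognize(records: List[Record], defs: List[EventDef] = EVENT_DEFS) -> List[Event]:
    """Match every record against the Event definitions; first match wins."""
    events = []
    for rec in interleave(records):
        for d in defs:
            m = re.search(d.pattern, rec.text)
            if m:
                who = m.groupdict().get("who")
                events.append(Event(rec.received, rec.source, d.name, d.severity, who, d.remediation))
                break
    return events


def render(records: List[Record]) -> List[str]:
    """Interleaved view: collector time, source, device time in brackets, text."""
    return [f"{r.received.strftime('%H:%M:%S.%f')} {r.source:<12} [{r.source_time}] {r.text}"
            for r in interleave(records)]


if __name__ == "__main__":
    recs = ingest(RAW_FEED)
    for line in render(recs):
        print(line)
    for ev in recognize(recs):
        print(f"EVENT {ev.name} ({ev.severity}) on {ev.source} who={ev.who}: {ev.remediation}")
```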

Logging of Updates to 3rd Party Applications

ConsoleWorks logs all people and system activity for the systems that it manages. As changes are made to a system or to software on a system, ConsoleWorks monitors and logs those changes.

Knowledge Gaps

ConsoleWorks "learns" about Events from the experts so that less trained people can apply the knowledge of better-trained people/experts. As Events are remediated by experts, ConsoleWorks captures their keystroke input and resulting output. That remediation session can be tagged as the Best Practice in the ConsoleWorks knowledge base for the remediation of that particular Event. In the future, if that Event re-occurs, this previously tagged Best Practice is automatically made available by ConsoleWorks for reference. Alternatively, this session can also be used to automate resolution, when possible to do so, through ConsoleWorks Actions. User knowledge of Events can be incorporated into this IEM knowledge base.

Baseline Configuration Management

Configuration Management

Once a baseline configuration for accounts, software, ports and services is established for a cyber asset and a schedule is defined for regular checks, all configuration comparison results are logged in ConsoleWorks for each asset. As such, changes in configurations are kept by ConsoleWorks as long as required, for future reference or compliance purposes. Changes in configurations identified by ConsoleWorks create notification Events in the system. These notifications can be used to alert a change management system, user or other personnel. ConsoleWorks accomplishes this by executing Actions that have been defined by the customer.
These Actions can send notifications of the asset affected, along with the approved and new baselines and any changes detected between the two. ConsoleWorks can easily identify the accounts, patch level, services, and settings for the assets that it manages. Once collected, ConsoleWorks can use this information as part of the approved configuration baseline. Once that baseline configuration is established for a cyber asset and a schedule is defined for regular checks, all configuration comparison results are logged for each asset. Changes in baseline configurations are kept by ConsoleWorks as long as required, for future reference. Baseline checks can also be evaluated against a control / test system to determine whether any deviations have been introduced. If so, these changes to the configuration create notification Events in the system. Notifications can be used to alert a change management system, user or other personnel. ConsoleWorks uses Actions to send notifications of the asset affected, along with the approved and new baselines and any changes detected between the two.

Comparing & Validating Secure Configurations Against Standards & Document Deviations

ConsoleWorks can collect firewall, router, switch and other network device configurations for each type of device that it manages. Once collected, ConsoleWorks can use this information as part of the approved configuration baseline. Once that baseline configuration is established and a schedule is defined to execute regular checks, all configuration comparison results are logged in ConsoleWorks for each asset. Approvals for the change are also documented. Changes in baseline configurations and the resulting approvals are kept by ConsoleWorks as long as required, for future reference.
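The scheduled baseline comparison described in the Baseline Configuration Management paragraphs above (accounts, ports, services, software versions and settings checked against an approved baseline, each deviation raised as a notification Event carrying the approved and new values), as an added example that is not ConsoleWorks code. It also covers the software-version and Autorun checks the text goes on to describe; the baseline, the two asset snapshots and the severity policy are constructed.

```python
"""Scheduled baseline-configuration comparison producing notification Events.

Illustration only: an approved baseline is compared with a snapshot collected
from each asset, and every deviation becomes an Event with the approved value,
the current value and a severity a change-management system can act on.
"""
from dataclasses import dataclass
from typing import Dict, List, Union

Snapshot = Dict[str, Union[set, Dict[str, str]]]


@dataclass(frozen=True)
class Event:
    asset: str
    severity: str   # constructed scale: HIGH, MEDIUM, LOW
    category: str   # accounts, ports, services, software, settings
    change: str     # added, removed, changed
    item: str
    approved: str
    current: str


# Constructed approved baseline for one asset class.  Sets hold things that are
# simply present or absent; dicts hold name -> expected value.
BASELINE: Snapshot = {
    "accounts": {"root", "ops", "svc-backup"},
    "ports":    {"tcp/22", "tcp/443"},
    "services": {"sshd", "nginx", "auditd"},
    "software": {"openssh-server": "9.6p1-3", "nginx": "1.24.0-2", "sudo": "1.9.15p5-3"},
    "settings": {"autorun": "disabled", "password_max_days": "90"},
}

# Constructed severity policy keyed by (category, change); anything else is MEDIUM.
SEVERITY = {
    ("accounts", "added"): "HIGH", ("accounts", "removed"): "HIGH",
    ("ports", "added"): "HIGH",    ("ports", "removed"): "LOW",
    ("services", "removed"): "HIGH",   # e.g. the audit daemon no longer running
    ("settings", "changed"): "HIGH",
    ("software", "removed"): "LOW",
}
_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def compare(asset: str, baseline: Snapshot, current: Snapshot) -> List[Event]:
    """Return every deviation of `current` from `baseline`, highest severity first."""
    events: List[Event] = []

    def emit(category, change, item, approved, now):
        sev = SEVERITY.get((category, change), "MEDIUM")
        events.append(Event(asset, sev, category, change, item, approved, now))

    for category, approved in baseline.items():
        observed = current.get(category, type(approved)())
        if isinstance(approved, set):            # presence/absence checks
            for item in sorted(observed - approved):
                emit(category, "added", item, "absent", "present")
            for item in sorted(approved - observed):
                emit(category, "removed", item, "present", "absent")
        else:                                    # name -> value checks (versions, settings)
            for name in sorted(set(approved) | set(observed)):
                a, c = approved.get(name), observed.get(name)
                if a == c:
                    continue
                change = "added" if a is None else "removed" if c is None else "changed"
                emit(category, change, name, a or "absent", c or "absent")
    return sorted(events, key=lambda e: (_RANK[e.severity], e.category, e.item))


def notifications(events: List[Event]) -> List[str]:
    """Render Events as the text an operator or change-management system receives."""
    return [f"[{e.severity}] {e.asset}: {e.category} {e.item} {e.change} "
            f"(approved: {e.approved}, current: {e.current})" for e in events]


def scheduled_check(baseline: Snapshot, snapshots: Dict[str, Snapshot]) -> Dict[str, List[Event]]:
    """One run of the scheduled comparison across every asset of this class."""
    return {asset: compare(asset, baseline, snap) for asset, snap in snapshots.items()}


# Constructed snapshots: web-01 matches the baseline exactly; web-02 has drifted.
SNAPSHOTS: Dict[str, Snapshot] = {
    "web-01": {k: (set(v) if isinstance(v, set) else dict(v)) for k, v in BASELINE.items()},
    "web-02": {
        "accounts": {"root", "ops", "svc-backup", "tmpadmin"},          # extra account
        "ports":    {"tcp/22", "tcp/443", "tcp/8080"},                   # extra listener
        "services": {"sshd", "nginx"},                                   # auditd missing
        "software": {"openssh-server": "9.6p1-3", "nginx": "1.24.0-2",
                     "sudo": "1.9.13p3-1"},                              # sudo downgraded
        "settings": {"autorun": "enabled", "password_max_days": "90"},  # Autorun re-enabled
    },
}

if __name__ == "__main__":
    for asset, events in scheduled_check(BASELINE, SNAPSHOTS).items():
        print(f"{asset}: {len(events)} deviation(s)")
        for line in notifications(events):
            print("  " + line)
```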
Tracking Installed Software

Once a baseline of authorized software for each system type has been established, the ConsoleWorks Baseline Configuration Management module can run scheduled comparisons of the current software type, version and patches installed against the baseline that was previously established. Changes identified by ConsoleWorks create notification Events that may be used to alert a change management system, user or other personnel.

Establishing Baseline Configurations for Patches

Once the patch level has been updated on a test system, for example, other similarly configured devices can be checked to ensure that the same patches have been installed. If not, a notification Event is triggered and Alerts are sent to the appropriate personnel. ConsoleWorks BCM can also be used to perform regular checks on devices to ensure that Autorun has been disabled. If not, an Event is triggered and notification sent to the appropriate personnel.

Documenting that the Backup and Restoration Test Occurred

The ConsoleWorks Baseline Configuration Management module can be used to trigger a system or command that runs on a scheduled basis, such as a backup command. Events that notify the appropriate personnel of the need for the restoration test can be triggered.

ConsoleWorks then logs that the backup command was run and that the test notification was sent (as Events) for future compliance reporting purposes.

Monitoring for Unnecessary Software, Ports & Services

Once a baseline of authorized software, ports, services, accounts, etc., for each system type has been established, the ConsoleWorks Baseline Configuration Management module can run comparisons of current configurations against the baseline that was previously established. Any differences identified by ConsoleWorks create notification Events that may be used to alert a change management system, user or other personnel.

ConsoleWorks Mapping to the SANS Top 20 Critical Cyber Security Controls

The following table documents each of the SANS Top 20 Critical Cyber Security Controls along with a more detailed description of a typical application of the Control. TDi Technologies has mapped each of the 20 Controls to a ConsoleWorks module and a feature within that module that addresses that control in whole or in part. Each module and feature is outlined above and referenced in the table.

1. Inventory of Authorized and Unauthorized Devices

Reduce the ability of attackers to find and exploit unauthorized and unprotected systems: use active monitoring and configuration management to maintain an up-to-date inventory of devices connected to the enterprise network, including servers, workstations, laptops and remote devices.

Any time a new device is installed on a network, the risks of exposing the network to unknown vulnerabilities or hampering its operation are present. Malicious code can take advantage of new hardware that is not configured and patched with appropriate security updates at the time of installation. Attackers can use these vulnerable systems to install backdoors before they are hardened.
In automating Critical Control 1, it is critical for all devices to have an accurate and up-to-date inventory control system in place. Any device not in the database should be prohibited from connecting to the network. Some organizations maintain asset inventories by using specific large-scale enterprise commercial products or by using free solutions to track and sweep the network periodically. To evaluate the implementation of Control 1 on a periodic basis, the evaluation team will connect hardened test systems to at least 10 locations on the network. This will include a selection of subnets associated with DMZs, workstations, and servers.

ConsoleWorks mapping: End to End Monitoring & Management, Active Monitoring; Baseline Configuration Management (Very High)

2. Inventory of Authorized and Unauthorized Software

Identify vulnerable or malicious software to mitigate or root out attacks: devise a list of authorized software for each type of system, and deploy tools to track software installed (including type, version, and patches) and monitor for unauthorized or unnecessary software.

An organization without the ability to inventory and control its computers' installed programs makes its systems more vulnerable to attack. Furthermore, poorly controlled machines are more likely to be running software that is unneeded for business purposes, introducing potential security flaws. Compromised systems become a staging point for attackers to collect sensitive information. In order to combat this potential threat, an organization should scan a network and identify known or responding applications. Commercial software and asset inventory tools are widely available. The best tools provide an inventory check of hundreds of common applications, pulling information about the patch level of each installed program. This ensures that it is the latest version and that it leverages standardized application names, like those found in the Common Platform Enumeration (CPE) specification.
In addition to inventory checks, tools that implement whitelists (allow) and blacklists (deny) of programs are included in many modern endpoint security suites. To evaluate the implementation of Control 2 on a periodic basis, the team must move a benign software test program that is not included in the authorized software list onto 10 systems on the network. The team must then verify that the software is blocked and unable to run.

ConsoleWorks mapping: Baseline Configuration Management, Tracking Installed Software; Privileged Access Management, White list / Blacklist (Very High)

3. Secure Configurations for Hardware & Software on Laptops, Workstations, and Servers

Prevent attackers from exploiting services and settings that allow easy access through networks and browsers: build a secure image that is used for all new systems deployed to the enterprise, host these standard images on secure storage servers, regularly validate and update these configurations, and track system images in a configuration management system.

Default configurations of software are often geared to ease of deployment and ease of use and not security, leaving some systems exploitable in their default state. Attackers attempt to exploit both network-accessible services and client software using various forms of malware. Without the ability to inventory and control installed and running software, enterprises make their systems more vulnerable. Organizations can implement this control by developing a series of images and secure storage servers for hosting these standard images. Configuration management tools can be employed to measure the settings of the installed software and to look for deviations from the standard image configurations used by the organization. To evaluate the implementation of Control 3 on a periodic basis, an evaluation team must move a benign test system (one that does not contain the official hardened image, but does contain additional services, ports, and configuration file changes) onto the network. The evaluation team must then verify that the systems generate an alert or e-mail notice regarding the changes to the software.

ConsoleWorks mapping: Baseline Configuration Management, Validating a Secure Configuration (Very High)

4. Continuous Vulnerability Assessment and Remediation

Proactively identify and repair software vulnerabilities reported by security researchers or vendors: regularly run automated vulnerability scanning tools against all systems and quickly remediate any vulnerabilities, with critical problems fixed within 48 hours.

Soon after new vulnerabilities are discovered and reported by security researchers or vendors, attackers engineer exploit code and launch it against targets of interest. Any significant delay in finding or fixing software with critical vulnerabilities provides ample opportunity for persistent attackers to break through and gain control of vulnerable machines. A large number of vulnerability scanning tools are available to evaluate the security configuration of systems. The most effective vulnerability scanning tools compare the results of the current scan with previous scans to determine how the vulnerabilities in the environment have changed over time. All machines identified by the asset inventory system must be scanned for vulnerabilities. To evaluate the implementation of Control 4 on a periodic basis, the evaluation team must verify that scanning tools have successfully completed their weekly or daily scans.

ConsoleWorks mapping: End to End Monitoring and Management, Real-time Notification of Events Received (Very High)

5. Malware Defenses

Block malicious code from tampering with system settings or contents, capturing sensitive data, or spreading: use automated anti-virus and anti-spyware software to continuously monitor and protect workstations, servers, and mobile devices. Automatically update such anti-malware tools on all machines on a daily basis. Prevent network devices from using auto-run programs to access removable media.

Malicious software is an integral and dangerous aspect of Internet threats. It targets end users and organizations via Web browsing, e-mail attachments, mobile devices, and other vectors. Malicious code may tamper with a system's contents, capture sensitive data, and spread to other systems. To ensure anti-virus signatures are up to date, effective organizations use automation. They use the built-in administrative features of enterprise endpoint security suites to verify that anti-virus, anti-spyware, and host-based Intrusion Detection System (IDS) features are active on every managed system. They also run automated assessments daily and review the results to find and mitigate systems that have deactivated such protections or do not have the latest malware definitions. The system must identify any malicious software that is either installed, attempted to be installed, executed, or attempted to be executed on a computer system. To evaluate the implementation of Control 5 on a periodic basis, the evaluation team must move a benign software test program appearing to be malware onto a system and make sure it is properly discovered and remediated.

ConsoleWorks mapping: End to End Monitoring and Management, Helping Prevent Code-based Attacks; End to End Monitoring and Management, Logging of Updates to 3rd Party Applications; Baseline Configuration Management, Establishing Baseline Configurations (High, Medium)

6. Application Software Security

Neutralize vulnerabilities in web-based and other application software: carefully test internally developed and third-party application software for security flaws, including coding errors and malware. Deploy web application firewalls that inspect all traffic, and explicitly check for errors in all user input (including by size and data type).

Criminal organizations frequently attack vulnerabilities in both web-based and non-web-based application software. In fact, it's a top priority for criminals.

Application software is vulnerable to remote compromise in three ways:
- It does not properly check the size of user input.
- It fails to sanitize user input by filtering out potentially malicious character sequences.
- It does not initialize and clear variables properly.

To avoid attacks, internally developed and third-party application software must be carefully tested to find security flaws. Source code testing tools, web application security scanning tools, and object code testing tools have proven useful in securing application software. Another useful tool is manual application security penetration testing by testers who have extensive programming knowledge and application penetration testing expertise. The system must be capable of detecting and blocking an application-level software attack, and must generate an alert or send e-mail to enterprise administrative personnel. To evaluate the implementation of Control 6 on a monthly basis, an evaluation team must use a web application vulnerability scanner to test for software security flaws.

ConsoleWorks capability: End to End Monitoring and Management (Real-time Notification of Events)
Priority: High

7. Wireless Device Control

Protect the security perimeter against unauthorized wireless access: Allow wireless devices to connect to the network only if they match an authorized configuration and security profile and have a documented owner and defined business need. Ensure that all wireless access points are manageable using enterprise management tools. Configure scanning tools to detect wireless access points.

Attackers who gain wireless access to an organization from nearby parking lots have initiated major data thefts. Wireless access allows attackers to bypass an organization's security perimeter and maintain long-term access inside a target. Effective organizations run commercial wireless scanning, detection, and discovery tools as well as commercial wireless intrusion detection systems.
The system must be capable of identifying unauthorized wireless devices or configurations when they are within range of the organization's systems or connected to its networks. To evaluate the implementation of Control 7 on a periodic basis, the evaluation team staff must configure unauthorized but hardened wireless clients and wireless access points on the organization's network. It must also attempt to connect them to the organization's wireless networks. These access points must be detected and remediated in a timely manner.

ConsoleWorks capability: Privileged Access Management (Wireless Device Control)
Priority: High

8. Data Recovery Capability

Minimize the damage from an attack: Implement a trustworthy plan for removing all traces of an attack. Automatically back up all information required to fully restore each system, including the operating system, application software, and data. Back up all systems at least weekly; back up sensitive systems more often. Regularly test the restoration process.

When attackers compromise machines, they often make significant changes to configurations and software. Sometimes attackers also make subtle alterations of data stored on compromised machines, potentially jeopardizing organizational effectiveness with polluted information. Once per quarter, a testing team should evaluate a random sample of system backups by attempting to restore them in a test bed environment. The restored systems should be verified to ensure that the operating system, application, and data from the backup are all intact and functional.

ConsoleWorks capability: Baseline Configuration Management (Documenting that the Backup and Restoration Test Occurred)
Priority: Medium

9. Security Skills Assessment and Appropriate Training to Fill Gaps

Find knowledge gaps, and fill them with exercises and training: Develop a security skills assessment program, map training against the skills required for each job, and use the results to allocate resources effectively to improve security practices.

An organization hoping to find and respond to attacks effectively relies on its employees and contractors to find the gaps and fill them. A solid security skills assessment program can provide actionable information to decision makers about where security awareness needs to be improved. It can also help determine proper allocation of limited resources to improve security practices. The key to upgrading skills is measurement, not with certification examinations, but with assessments that show both the employee and the employer where knowledge is sufficient and where there are gaps. Once the gaps have been identified, those employees who have the requisite knowledge can be called upon to mentor the employees who do not. The organization can also develop training programs that directly maintain employee readiness.

ConsoleWorks capability: End to End Monitoring and Management (Knowledge Gaps)
Priority: Medium

10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

Preclude electronic holes from forming at connection points with the Internet, other organizations, and internal network segments: Compare firewall, router, and switch configurations against standards for each type of network device. Ensure that any deviations from the standard configuration are documented and approved and that any temporary deviations are undone when the business need abates.

Attackers penetrate defenses by searching for electronic holes in firewalls, routers, and switches. Once these network devices have been exploited, attackers can gain access to target networks, redirect traffic on that network (to a malicious system masquerading as a trusted system), and intercept and alter information while in transmission. Organizations can use commercial tools that evaluate the rule sets of network filtering devices, determine whether the rules are consistent or in conflict, and provide an automated check of network filters. Additionally, these commercial tools search for errors in rule sets. Such tools should be run each time significant changes are made to firewall rule sets, router ACLs, or other filtering technologies. To evaluate the implementation of Control 10 on a periodic basis, an evaluation team must make a change to each type of network device plugged into the network. At a minimum, routers, switches, and firewalls need to be tested. If they exist, IPS, IDS, and other network devices must be included.

ConsoleWorks capability: Baseline Configuration Management (Comparing Configurations Against Standards & Documenting Deviations)
Priority: High / Medium

11. Limitation and Control of Network Ports, Protocols, and Services

Allow remote access only to legitimate users and services: Apply host-based firewalls and port-filtering and scanning tools to block traffic that is not explicitly allowed. Properly configure web servers, mail servers, file and print services, and domain name system (DNS) servers to limit remote access. Disable automatic installation of unnecessary software components. Move servers inside the firewall unless remote access is required for business purposes.

Attackers search for remotely accessible network services that are vulnerable to exploitation. Many software packages automatically install services and turn them on as part of the installation of the main software package. When this occurs, the software rarely informs a user that the services have been enabled. Port scanning tools are used to determine which services are listening on the network for a range of target systems. In addition to determining which ports are open, effective port scanners can be configured to identify the version of the protocol and service listening on each discovered open port. The system must be capable of identifying any new unauthorized listening network ports that are connected to the network.
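
The comparison that Controls 3, 10 and 11 call for (current state checked against an approved baseline, with documented deviations and temporary ones that must be undone when their window lapses), as an added Python example that is not ConsoleWorks or TDi code; the hosts, ports, change tickets and dates are constructed sample data.

```python
"""Baseline comparison for Controls 3, 10 and 11 (added example, not ConsoleWorks code).

A current snapshot of a device is compared against its approved baseline and each
difference is classified: unauthorized (no documented approval), expired (approved
only as a temporary deviation whose window has lapsed, so it must be undone), or
approved.  Baseline entries that have disappeared are reported as missing.  The
snapshot here is the set of listening ports (Control 11); the same comparison
applies to configuration settings (Controls 3 and 10).  All hosts, ports, tickets
and dates are constructed sample data.
"""
from datetime import date
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str, int]  # (host, protocol, port)

# Constructed snapshots in a simple 'host proto port service' line format.
BASELINE_SNAPSHOT = """\
web01  tcp 22   ssh
web01  tcp 443  https
db01   tcp 22   ssh
db01   tcp 5432 postgres
jump01 tcp 22   ssh
"""
CURRENT_SNAPSHOT = """\
web01  tcp 22   ssh
web01  tcp 443  https
web01  tcp 8080 http-alt
db01   tcp 22   ssh
db01   udp 161  snmp
jump01 tcp 22   ssh
jump01 tcp 3389 rdp
"""
# Documented deviations: key -> (change ticket, expiry date or None if permanent).
APPROVED_DEVIATIONS: Dict[Key, Tuple[str, Optional[date]]] = {
    ("web01", "tcp", 8080): ("CHG-1042", date(2024, 6, 30)),  # temporary
    ("jump01", "tcp", 3389): ("CHG-1100", None),             # permanent
}


def parse_snapshot(text: str) -> Dict[Key, str]:
    """Map (host, proto, port) -> service name; a malformed line raises ValueError."""
    listeners: Dict[Key, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4 or parts[1] not in ("tcp", "udp") or not parts[2].isdigit():
            raise ValueError("malformed snapshot line: %r" % line)
        host, proto, port, service = parts
        listeners[(host, proto, int(port))] = service
    return listeners


def compare(baseline: Dict[Key, str], current: Dict[Key, str],
            approved: Dict[Key, Tuple[str, Optional[date]]],
            today: date) -> Dict[str, List]:
    """Classify every difference between the baseline and the current snapshot."""
    report: Dict[str, List] = {"unauthorized": [], "expired": [], "approved": [], "missing": []}
    for key in sorted(set(current) - set(baseline)):
        deviation = approved.get(key)
        if deviation is None:
            report["unauthorized"].append(key)          # alert: no documented approval
            continue
        ticket, expires = deviation
        if expires is not None and expires < today:
            report["expired"].append((key, ticket))     # business need has abated: undo it
        else:
            report["approved"].append(key)
    report["missing"] = sorted(set(baseline) - set(current))  # expected listener gone
    return report


def run_example(today_iso: str = "2024-07-15") -> Dict[str, List]:
    return compare(parse_snapshot(BASELINE_SNAPSHOT), parse_snapshot(CURRENT_SNAPSHOT),
                   APPROVED_DEVIATIONS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for kind, items in run_example().items():
        print("%-13s %s" % (kind + ":", items or "-"))
```

Run daily against the inventory from Control 1, the "unauthorized" and "expired" lists are the alerts the evaluation tests for Controls 3, 10 and 11 expect to see.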
To evaluate the implementation of Control 11 on a periodic basis, the evaluation team must install hardened test services with network listeners in ten locations on the network, including a selection of subnets associated with DMZs, workstations, and servers.

ConsoleWorks capabilities: Privileged Access Management (Remote Access to Legitimate Users); Baseline Configuration Management (Monitoring for Unnecessary Software, Ports & Services)
Priority: High / Medium

12. Controlled Use of Administrative Privileges

Protect and validate administrative accounts on desktops, laptops, and servers to prevent two common types of attack: (1) enticing users to open a malicious e-mail attachment or file, or to visit a malicious website, and (2) cracking an administrative password and thereby gaining access to a target machine. Use robust passwords that follow Federal Desktop Core Configuration (FDCC) standards.

The most common method attackers use to infiltrate a target enterprise is through an employee's own misuse of administrator privileges. An attacker can easily convince a workstation user to open a malicious e-mail attachment, download and open a file from a malicious site, or surf to a site that automatically downloads malicious content. If the user is logged in as an administrator, the attacker has full access to the system. Built-in operating system features can extract lists of accounts with superuser privileges, both locally on individual systems and on overall domain controllers. These accounts should be monitored and tracked very closely. To evaluate the implementation of Control 12 on a periodic basis, an evaluation team must verify that the organization's password policy is enforced and administrator accounts are carefully controlled. The evaluation team does this by creating a temporary, disabled, limited-privilege test account on ten different systems. It then attempts to change the password on the account to a value that does not meet the organization's password policy.
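
The privileged-account tracking of Control 12 and the daily account lists that Control 16 (below) asks for, as an added Python example that is not ConsoleWorks or TDi code; the export format, account names, dates, approved-administrator list and policy thresholds are all constructed, and the password rule stands in for whatever policy the organization actually enforces.

```python
"""Daily account review for Controls 12 and 16 (added example, not ConsoleWorks code).

Parses a constructed account export, flags privileged accounts that are not on the
approved administrator list (Control 12), and produces the daily lists Control 16
asks for: locked-out, disabled, password older than the maximum age, password never
expires, plus dormant accounts.  Names, dates, thresholds and the export format are
constructed; the password rule only illustrates the Control 12 enforcement test.
"""
from datetime import date

# Constructed export: name,privileged,enabled,locked,last_logon,pw_last_set,pw_never_expires
ACCOUNT_EXPORT = """\
alice,yes,yes,no,2024-07-14,2024-06-20,no
bob,no,yes,no,2024-03-01,2024-05-10,no
svc_backup,yes,yes,no,2024-07-15,2024-07-01,yes
carol,yes,yes,no,2024-07-10,2024-07-01,no
dave,no,no,no,2024-01-05,2024-06-01,no
erin,no,yes,yes,2024-07-13,2024-06-01,no
"""
APPROVED_ADMINS = {"alice", "svc_backup"}  # accounts with a documented owner of admin rights
MAX_PASSWORD_AGE_DAYS = 60                  # constructed policy thresholds
DORMANT_AFTER_DAYS = 90


def _flag(value):
    return value.strip().lower() == "yes"


def parse_accounts(text):
    """Turn the export into a list of dicts; a malformed record raises ValueError."""
    accounts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 7:
            raise ValueError("malformed account record: %r" % line)
        name, priv, enabled, locked, last_logon, pw_set, never = fields
        accounts.append({
            "name": name, "privileged": _flag(priv), "enabled": _flag(enabled),
            "locked": _flag(locked), "last_logon": date.fromisoformat(last_logon),
            "pw_last_set": date.fromisoformat(pw_set), "pw_never_expires": _flag(never),
        })
    return accounts


def review_accounts(accounts, approved_admins, today,
                    max_pw_age=MAX_PASSWORD_AGE_DAYS, dormant_after=DORMANT_AFTER_DAYS):
    """Build the daily review lists; every value is a sorted list of account names."""
    report = {k: [] for k in ("unauthorized_admins", "locked_out", "disabled",
                              "password_age_exceeded", "password_never_expires", "dormant")}
    for a in accounts:
        name = a["name"]
        if a["privileged"] and name not in approved_admins:
            report["unauthorized_admins"].append(name)   # Control 12: track superusers
        if a["locked"]:
            report["locked_out"].append(name)
        if not a["enabled"]:
            report["disabled"].append(name)
        if a["pw_never_expires"]:
            report["password_never_expires"].append(name)
        elif (today - a["pw_last_set"]).days > max_pw_age:
            report["password_age_exceeded"].append(name)
        # Dormancy only matters for accounts that can still log in.
        if a["enabled"] and (today - a["last_logon"]).days > dormant_after:
            report["dormant"].append(name)
    return {k: sorted(v) for k, v in report.items()}


def password_meets_policy(password, username, min_length=12, min_classes=3):
    """Constructed rule: minimum length, character classes, and no account name inside."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    classes = sum(any(check(c) for c in password) for check in checks)
    return (len(password) >= min_length and classes >= min_classes
            and username.lower() not in password.lower())


def run_example(today_iso="2024-07-15"):
    return review_accounts(parse_accounts(ACCOUNT_EXPORT), APPROVED_ADMINS,
                           date.fromisoformat(today_iso))


if __name__ == "__main__":
    for finding, names in run_example().items():
        print("%-23s %s" % (finding + ":", ", ".join(names) or "-"))
```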

ConsoleWorks capability: Privileged Access Management (Protecting and Validating Administrative Accounts on Servers)
Priority: High / Medium

13. Boundary Defense

Control the flow of traffic through network borders, and police content by looking for attacks and evidence of compromised machines: Establish multilayered boundary defenses by relying on firewalls, proxies, demilitarized zone (DMZ) perimeter networks, and other network-based tools. Filter inbound and outbound traffic, including through business partner networks (extranets).

By attacking Internet-facing systems, attackers can create a relay point to break into other networks or internal systems. Automated tools can be used to exploit vulnerable entry points into a network. To control the flow of traffic through network borders and to look for attacks and evidence of compromised machines, boundary defenses should be multi-layered. These boundaries should consist of firewalls, proxies, DMZ perimeter networks, and network-based intrusion prevention systems and intrusion detection systems. Organizations should regularly test these sensors by launching vulnerability-scanning tools and verifying that the scanner traffic triggers an appropriate alert. The captured packets of the Intrusion Detection System (IDS) sensors should be reviewed using an automated script each day, which ensures log volumes are within expected parameters, are formatted properly, and have not been corrupted. To evaluate the implementation of Control 13 on a periodic basis, an evaluation team must test boundary devices. This is done by sending packets from outside a trusted network to ensure that only authorized packets are allowed through the boundary; all other packets must be dropped.

ConsoleWorks capability: End to End Monitoring & Management (Uncovering Details of an Attack)
Priority: High / Medium

14. Maintenance, Monitoring, and Analysis of Security Audit Logs

Use detailed logs to identify and uncover the details of an attack, including the location, malicious software deployed, and activity on the victim machine: Generate standardized logs for each hardware device and the software installed on it, including date, time stamp, source addresses, destination addresses, and other information about each packet and/or transaction. Store logs on dedicated servers and run biweekly reports to identify and document anomalies.

At times, audit logs provide the only evidence of a successful attack. Many organizations keep audit records for compliance purposes but rarely review them. When audit logs aren't reviewed, organizations don't know their systems have been compromised. Attackers rely on this. Most free and commercial operating systems, network services, and firewall technologies offer logging capabilities. Such logging should be activated, and logs should be sent to centralized logging servers. The system must be capable of logging all events across the network. The logging must be validated across both network and host-based systems. To evaluate the implementation of Control 14 on a periodic basis, an evaluation team must review the security logs of various network devices, servers, and hosts.

ConsoleWorks capability: End to End Monitoring and Management (Uncovering Details of an Attack)
Priority: Medium

15. Controlled Access Based on Need to Know

Prevent attackers from gaining access to highly sensitive data: Carefully identify and separate critical data from information that is readily available to internal network users. Establish a multilevel data classification scheme based on the impact of any data exposure and ensure that only authenticated users have access to nonpublic data and files.

Some organizations do not carefully identify and separate sensitive data from less sensitive, publicly available information within an internal network.
In many environments, internal users have access to all or most of the information on the network. Once attackers have penetrated such a network, they can easily find and exfiltrate important information with little resistance. This control is often implemented using the built-in separation of administrator accounts from non-administrator accounts. The system must be able to detect all attempts by users to access files without the appropriate privileges and must generate an alert or e-mail for administrative personnel. This includes information on local systems or network-accessible file shares. To evaluate the implementation of Control 15 on a periodic basis, the evaluation team must create test accounts with limited access and verify that the accounts are unable to access controlled information.

ConsoleWorks capability: Privileged Access Management (Preventing Unauthorized Access to Sensitive Data)
Priority: Medium

16. Account Monitoring and Control

Keep attackers from impersonating legitimate users: Review all system accounts and disable any that are not associated with a business process and owner. Immediately revoke system access for terminated employees or contractors. Disable dormant accounts and encrypt and isolate any files associated with such accounts. Use robust passwords that conform to FDCC standards.

Attackers frequently impersonate legitimate users through inactive user accounts. This method makes it difficult for network watchers to identify attackers' behavior. Although most operating systems include capabilities for logging information about account usage, these features are sometimes disabled by default. Security personnel can configure systems to record more detailed information about account access and utilize homegrown scripts or third-party log analysis tools to analyze this information. The system must be capable of identifying unauthorized user accounts when they exist on the system. To evaluate the implementation of Control 16 on a periodic basis, the evaluation team must verify that the list of locked-out accounts, disabled accounts, accounts with passwords that exceed the maximum password age, and accounts with passwords that never expire has successfully been completed daily.

ConsoleWorks capability: Privileged Access Management (Preventing Unauthorized Access)
Priority: Medium

17. Data Loss Prevention

Stop unauthorized transfer of sensitive data through network attacks and physical theft: Scrutinize the movement of data across network boundaries, both electronically and physically, to minimize the exposure to attackers. Monitor people, processes, and systems, using a centralized management framework.

The loss of protected and sensitive data is a serious threat to business operations and, potentially, national security. While some data is leaked or lost as a result of theft or espionage, the vast majority of these problems result from poorly understood data practices. These include, but are not limited to, a lack of effective policy architectures and user error. The phrase "Data Loss Prevention" (DLP) refers to a comprehensive approach covering people, processes, and systems that identify, monitor, and protect data in use (e.g., endpoint actions), data in motion (e.g., network actions), and data at rest (e.g., data storage) through deep content inspection and with a centralized management framework. Commercial DLP solutions are available to look for exfiltration attempts and detect other suspicious activities associated with a protected network holding sensitive information. The system must be capable of identifying unauthorized data leaving the organization's systems, whether via network file transfers or removable media. To evaluate the implementation of Control 17 on a periodic basis, the evaluation team must attempt to move test data sets (that trigger DLP systems but do not contain sensitive data) outside of the trusted computing environment via both network file transfers and removable media.

ConsoleWorks capability: Privileged Access Management (Centralized Management of People, Processes, Applications and Systems)
Priority: Medium / Low

18. Incident Response Management

Protect the organization's reputation, as well as its information: Develop an incident response plan with clearly delineated roles and responsibilities for quickly discovering an attack and then effectively containing the damage, eradicating the attacker's presence, and restoring the integrity of the network and systems.

Without an incident response plan, an organization may not discover an attack in the first place. Even if the attack is detected, the organization may not follow proper procedures to contain damage, eradicate the attacker's presence, and recover in a secure fashion. Thus, the attacker may have a far higher impact on the target organization, causing more damage, infecting more systems, and possibly exfiltrating more sensitive data than would otherwise be possible. After defining detailed incident response procedures, the incident response team should engage in periodic scenario-based training. This includes, but is not limited to, working through a series of attack scenarios that are fine-tuned to the threats and vulnerabilities the organization faces.

ConsoleWorks capability: End to End Monitoring and Management
Priority: Medium

19. Secure Network Engineering

Keep poor network design from enabling attackers: Use a robust, secure network engineering process to prevent security controls from being circumvented. Deploy a network architecture with at least three tiers: DMZ, middleware, private network. Allow rapid deployment of new access controls to quickly deflect attacks.

Security controls can be circumvented in networks that are poorly designed. Without a carefully planned and properly implemented network architecture, attackers can pivot through the network to gain access to target machines. To help ensure a consistent, defensible network, the architecture of each network should be based on a template that describes the overall layout of the network and the services it provides.
Organizations should prepare network diagrams for each of their networks. Network diagrams should show components such as routers, firewalls, switches, significant servers, and groups of client machines.

ConsoleWorks capabilities: Privileged Access Management; End to End Monitoring & Management; Baseline Configuration Management
Priority: Low

20. Penetration Tests and Red Team Exercises

Use simulated attacks to improve organizational readiness: Conduct regular internal and external penetration tests that mimic an attack to identify vulnerabilities and gauge the potential damage. Use periodic red team exercises (all-out attempts to gain access to critical data and systems) to test existing defenses and response capabilities.

Attackers penetrate networks and systems through social engineering and by exploiting vulnerable software and hardware. Penetration testing involves mimicking the actions of computer attackers to identify vulnerabilities, and exploiting them to determine what kind of access an attacker can gain. Each organization should define a clear scope and the rules of engagement for penetration testing and red team analyses. The scope of such projects should include, at least, systems with the highest-value information and production processing functionality.

ConsoleWorks capability: N/A
Priority: Low

More details on ConsoleWorks' unique capabilities can be found at www.tditechnologies.com

About TDi Technologies

TDi provides solutions to a global customer base with key verticals including Financial Services, Healthcare, Telecommunications, Utilities, and Government. The company's solutions help customers reduce operating costs, meet compliance requirements, secure the IT foundation, and improve IT service delivery. TDi Technologies is the first solution provider to offer a unified enterprise IT operations solution for Privileged Access Management, Baseline Configuration Management, Event Monitoring and Remediation, and Logging over the IT foundation. The company's patented technology provides automation, optimization, control and management capabilities that dramatically improve the ability of IT to meet the demands of the business.