Everything You Wanted to Know about DISA STIGs but were Afraid to Ask




An EiQ Networks White Paper

2015 EiQ Networks, Inc. All Rights Reserved. EiQ, the EiQ logo, the SOCVue logo, SecureVue, ThreatVue, SOCVue, ComplianceVue, ForensicVue, and Continuous Security Intelligence are trademarks or registered trademarks of EiQ Networks, Inc. in the US and/or other countries. All other product names and/or slogans mentioned herein may be trademarks or registered trademarks of their respective companies. All information presented here is subject to change and intended

Throughout this document, you'll find a number of references to the U.S. Department of Defense (DoD) and Defense Information Systems Agency (DISA). As part of its mission to keep the infrastructure secure, DISA issues configuration standards known as Security Technical Implementation Guides (STIGs) that contain technical guidance to lock down information systems/software that might otherwise be vulnerable to a malicious computer attack.[1]

The STIGs specify how operating systems, applications, network devices, and other assets should be configured in order to be secure. For each asset type, the corresponding STIG contains a number of checks to determine if the current configuration meets DoD standards. For example, the Windows Server 2012 STIG contains several hundred checks to perform. It covers things like password settings, the granting of user rights, maintaining an audit trail, and much more. Each of the checks in the DISA STIG policy is also assigned a severity level as shown in the table below.

Severity | DISA Category Code Guidelines
CAT I    | Any vulnerability, the exploitation of which will directly and immediately result in loss of Confidentiality, Availability, or Integrity.
CAT II   | Any vulnerability, the exploitation of which has a potential to result in loss of Confidentiality, Availability, or Integrity.
CAT III  | Any vulnerability, the existence of which degrades measures to protect against loss of Confidentiality, Availability, or Integrity.
Source: Windows Server 2012 STIG Overview, V1R5 [2]

To audit a device, host, or application against the DISA STIG policies, a line-by-line assessment needs to be done for each of the required checks. This could be done manually by inspecting each applicable setting or registry key, or through the use of an automated configuration auditing tool such as EiQ Networks' SecureVue platform.
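As an added illustration (not EiQ's SecureVue code and not taken from any DISA STIG release), the Python sketch below evaluates a constructed set of STIG-style checks, each tagged with a DISA severity category, against a captured host configuration and groups the open findings by CAT level. The check ids, thresholds and the sample configuration are constructed for the example and are not real STIG identifiers.

```python
# Added illustration of a line-by-line STIG-style audit; check ids (EX-*),
# thresholds and the captured configuration are constructed for this example.
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Check:
    check_id: str            # placeholder id, not a real STIG V-number
    severity: str            # DISA severity code: "CAT I", "CAT II" or "CAT III"
    title: str
    passes: Callable[[dict], bool]

# Constructed checks modelled on the setting families the text names:
# password settings, user rights, and the audit trail.
CHECKS = [
    Check("EX-001", "CAT I", "Guest account is disabled",
          lambda c: c.get("guest_enabled") is False),
    Check("EX-002", "CAT II", "Minimum password length is at least 14",
          lambda c: c.get("min_password_length", 0) >= 14),
    Check("EX-003", "CAT II", "Account lockout threshold is 1 to 3 attempts",
          lambda c: 0 < c.get("lockout_threshold", 0) <= 3),
    Check("EX-004", "CAT II", "Only Administrators hold 'Debug programs'",
          lambda c: set(c.get("debug_programs_right", [])) <= {"Administrators"}),
    Check("EX-005", "CAT III", "Logon auditing records failures",
          lambda c: "Failure" in c.get("audit_logon", [])),
]

def audit(config: dict, checks=CHECKS) -> dict:
    """Run every check against the captured settings; return open findings by severity."""
    findings = {"CAT I": [], "CAT II": [], "CAT III": []}
    for check in checks:
        if not check.passes(config):
            findings[check.severity].append(check.check_id)
    return findings

# Constructed snapshot of one host's settings, in the shape an auditing tool
# would collect from the registry and local security policy.
SAMPLE_CONFIG = {
    "guest_enabled": False,
    "min_password_length": 8,        # weak, vendor-default style value
    "lockout_threshold": 0,          # 0 means accounts never lock out
    "debug_programs_right": ["Administrators", "Backup Operators"],
    "audit_logon": ["Success", "Failure"],
}

if __name__ == "__main__":
    for severity, ids in audit(SAMPLE_CONFIG).items():
        print(f"{severity}: {len(ids)} open finding(s) {ids}")
```

Each open finding maps back to one check id and its severity, which is the triage order a STIG audit report presents: CAT I items first.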

Why is configuration auditing so important?

The default settings of your routers, servers, and other IT assets were not necessarily designed with security in mind. Some vendors create defaults based on ease-of-deployment and other considerations. Other vendors may not have put much thought into the defaults at all. By using default vendor settings, you may be using weak configurations that can be exploited by even the most basic cyberattacks. The code for these attacks is readily available on the Internet and available to criminals, hostile nation-states, and so-called hacktivists.

Secondly, the threat environment is constantly changing. Even if you are diligent about configuring new systems properly, a configuration that was considered secure last year could be vulnerable to a newly discovered exploit today. In addition, each time there is a change to your assets, there is the potential to introduce new holes. Today's browser upgrade might contain a vulnerability that requires a patch tomorrow. DISA releases revisions to STIG policies on a quarterly basis. By continually auditing your IT assets against configuration standards like the DISA STIGs, you ensure that you are keeping up with the threat landscape.

[Figure: Configuration auditing helps detect common security risks: Insecure Vendor Default Settings; Missing Critical Patches and Updates; Unauthorized Changes and Lack of Controls]

Lastly, the configuration of devices, hosts, and applications may be the responsibility of a diverse set of teams and individuals within the organization. Change control and tracking can be a difficult task and might be outside the jurisdiction of your organization's IT Security personnel. By choosing a configuration standard and enforcing its use through configuration auditing, you can keep well-meaning colleagues from changing configurations in a way that weakens security and exposes your organization to costly threats.

What else do I need to know about DISA STIG auditing?

Adherence to the DISA STIG configuration standards is not optional for DoD organizations. DoD Instruction 8500.2 contains the requirements for Information Assurance (IA) Implementation and clearly references the STIGs as the authorized Configuration Specifications (Controls DCCS-1 and DCCS-2):[3]

"A DoD reference document such as a security technical implementation guide or security recommendation guide constitutes the primary source for security configuration or implementation guidance for the deployment of newly acquired IA- and IA-enabled IT products that require use of the product's IA capabilities."

(Note: A Security Recommendation Guide, or SRG, covers a broad technology category like Firewalls, and is used when a device-specific STIG is not available.)

DoDI 8500.2 assigns IA Managers and IA Officers the responsibility to implement and enforce IA policies. The career impacts of not meeting DoDI 8500.2 requirements are beyond the scope of this document.

Who else cares about configuration monitoring?

The security concerns that drive the need for configuration monitoring are not unique to the U.S. Department of Defense. The use of poorly configured or misconfigured systems can leave an open door for the unauthorized access and use of your organization's data. This can have large and costly impacts even if you're not storing secret plans for a new stealth fighter. Personally identifiable information (PII), health records, credit card numbers, and other sensitive information can be sold for big money on the black market. This type of data breach can result in regulatory fines, civil lawsuits, and loss of business. As a result, a number of security frameworks such as PCI-DSS, HIPAA, and GLBA contain provisions for configuration monitoring and change control. For example, PCI Requirement 1 states that configuration standards are required for firewalls and routers in order to protect cardholder data. In addition, PCI Requirement 2 restricts the use of vendor-supplied defaults for important security parameters.[4] These requirements can be met by implementing a process to regularly audit configurations against a known standard.

Another proponent of configuration auditing is the Council on Cybersecurity, which maintains a set of 20 Critical Security Controls (CSCs) for Effective Cyber Defense. The CSCs were developed by the SANS Institute to help organizations proactively improve security posture and reduce the risk of a data breach. CSC #3 calls for Secure Configurations for Hardware & Software on Laptops, Workstations, and Servers, while CSC #10 deals with Secure Configurations for Network Devices.[5] Verizon's 2014 Data Breach Investigations Report mapped security incident patterns to the CSC that could have prevented or mitigated the incidents. The authors found that Standard Configuration Controls would have a large impact across a wide range of industries, including Education, Finance, Manufacturing, and Professional Services.[6]

How do I know which STIGs apply to my systems?

One of the biggest challenges facing IA Managers is how to determine which STIGs to apply to each of the devices and hosts on the network. The first step is to create an inventory of all systems and software. This is a good security practice anyway (Critical Security Controls #1 and #2) and gives you a good starting point to determine against which STIGs you will need to audit. Network mapping software may be of assistance when creating the inventory. Unfortunately, tools like nmap will only give you basic information about each node. To do a thorough audit, you will need to gather more information about each individual node. Does the system have a Wireless LAN Controller? Is Oracle Database installed? What version of IIS is running? This can be a very tedious process that takes up a lot of the audit time.

The new SecureVue STIG Profiler from EiQ Networks is a free tool designed to reduce this overhead cost of auditing by streamlining the system discovery and profiling process. The STIG Profiler automatically identifies IT assets and determines which DISA STIGs apply, based upon attributes such as installed software. The ability to do a detailed asset analysis in an automated fashion can save hundreds of hours spent every year on manual system profiling.

Free Download: http://www.stigprofiler.com

About SecureVue

SecureVue from EiQ Networks is a continuous security intelligence platform that combines audit log management & SIEM capabilities with a powerful configuration auditing solution. By collecting a broad array of data elements, SecureVue can meet a number of the IA requirements in DoDI 8500.2 and NIST 800-53 at a fraction of the cost of acquiring multiple tools. SecureVue will automatically and continuously monitor devices against predefined configuration standards including DISA STIGs and CIS Benchmarks.

About EiQ Networks

EiQ Networks, a pioneer in security hybrid SaaS and continuous security intelligence solutions and services, is transforming how organizations identify threats, mitigate risks, and enable compliance. EiQ offers SOCVue, a security hybrid SaaS offering, and provides 24x7 security operations to Small to Medium enterprises who need to protect themselves against cyber attacks but lack resources or on-staff expertise to implement an effective security program. SecureVue, a continuous security intelligence platform, helps organizations proactively detect incidents, implement security best practices, and receive timely and actionable intelligence along with remediation guidance. Through a single console, SecureVue enables a unified view of an organization's entire IT infrastructure for continuous security monitoring, critical security control assessment, configuration auditing, and compliance automation. For more information, visit: http://www.eiqnetworks.com.

Notes:
1. http://iase.disa.mil/stigs/pages/index.aspx
2. Windows Server 2012 STIG, Version 1, Release 5, November 10, 2014
3. U.S. Department of Defense Instruction 8500.2, February 6, 2003
4. Payment Card Industry (PCI) Data Security Standard, Version 3.0
5. http://www.counciloncybersecurity.org/critical-controls/
6. Verizon 2014 Data Breach Investigations Report, Figure 70