Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance

Similar documents
File Integrity Monitoring - The Last line of Defense in the PCI Data Security Standard

PCI DSS File Integrity Monitoring

File Integrity Monitoring - The Last line of Defense in the PCI Data Security Standard

Event Log Monitoring and the PCI DSS

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

GFI White Paper PCI-DSS compliance and GFI Software products

SANS Top 20 Critical Controls for Effective Cyber Defense

Achieving Compliance with the PCI Data Security Standard

SECURITY. Risk & Compliance Services

PCI DSS Requirements - Security Controls and Processes

Presented by Evan Sylvester, CISSP

5 Steps to Advanced Threat Protection

Did you know your security solution can help with PCI compliance too?

PCI Data Security Standards (DSS)

PCI Requirements Coverage Summary Table

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor January 23, 2014

IT HEALTHCHECK TOP TIPS WHITEPAPER

Advanced File Integrity Monitoring for IT Security, Integrity and Compliance: What you need to know

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

PCI Requirements Coverage Summary Table

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

A Decision Maker s Guide to Securing an IT Infrastructure

Security Management. Keeping the IT Security Administrator Busy

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

The Art of Layered Security - Data Protection in a Threatscape of Modern Malware

whitepaper The Benefits of Integrating File Integrity Monitoring with SIEM

Security Awareness For Server Administrators. State of Illinois Central Management Services Security and Compliance Solutions

Cybersecurity Health Check At A Glance

Digi Device Cloud: Security You Can Trust

PCI Compliance for Cloud Applications

Goals. Understanding security testing

Lifecycle Solutions & Services. Managed Industrial Cyber Security Services

Ovation Security Center Data Sheet

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Network Detective. HIPAA Compliance Module RapidFire Tools, Inc. All rights reserved V

Case 2:13-cv ES-JAD Document Filed 12/09/15 Page 1 of 116 PageID: Appendix A

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008

Global Partner Management Notice

Passing PCI Compliance How to Address the Application Security Mandates

Introduction. PCI DSS Overview

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Information Security Services

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

Defending Against Data Beaches: Internal Controls for Cybersecurity

CONTENTS. PCI DSS Compliance Guide

05.0 Application Development

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Thoughts on PCI DSS 3.0. September, 2014

File Integrity Monitoring: A Critical Piece in the Security Puzzle. Challenges and Solutions

Everything You Wanted to Know about DISA STIGs but were Afraid to Ask

Document ID. Cyber security for substation automation products and systems

RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

How To Secure Your Store Data With Fortinet

PCI PA - DSS. Point ipos Implementation Guide. Version VeriFone Vx820 using the Point ipos Payment Core

Enterprise Computing Solutions

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

PCI PA - DSS. Point BKX Implementation Guide. Version Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0

Protecting Your Organisation from Targeted Cyber Intrusion

LogRhythm and PCI Compliance

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Basics of Internet Security

March

Data Security for the Hospitality

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services

Client Security Risk Assessment Questionnaire

TRIPWIRE NERC SOLUTION SUITE

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

Agenda. Agenda. Security Testing: The Easiest Part of PCI Certification. Core Security Technologies September 6, 2007

ICANWK406A Install, configure and test network security

What IT Auditors Need to Know About Secure Shell. SSH Communications Security

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

It Won t Happen To Me! A Network and PCI Security Webinar Presented By FMS and VendorSafe

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

Endpoint Threat Detection without the Pain

24/7 Visibility into Advanced Malware on Networks and Endpoints

Compliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's:

Achieving PCI-Compliance through Cyberoam

Guide to Vulnerability Management for Small Companies

The Comprehensive Guide to PCI Security Standards Compliance

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Transcription:

Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance Produced on behalf of New Net Technologies by STEVE BROADHEAD BROADBAND TESTING 2010 broadband testing and new net technologies www.nntws.com

The PCI DSS demands Device Hardening... Establish firewall and router configuration standards.. Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industryaccepted system hardening standards. Always change vendorsupplied defaults before installing a system on the network for example, include passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts change wireless vendor defaults, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. Ensure wireless device security settings are enabled for strong encryption technology for authentication and transmission Introduction All security standards and Corporate Governance Compliance Policies such as PCI DSS, GCSx CoCo, SOX (Sarbanes Oxley), GLBA, NERC CIP, HIPAA, HITECH, ISO27000 and FISMA require IT systems to be secure in order that they protect confidential data. This whitepaper explores one of the key dimensions to securing devices through the process of hardening, and examines the various means available to audit devices and maintain them in a hardened, secure state. There are a number of buzzwords being used in this area Security Vulnerabilities and Device Hardening? Hardening a device requires known security vulnerabilities to be eliminated or mitigated. A vulnerability is any weakness or flaw in either the software design, implementation or administration of a system that ultimately provides a mechanism by which IT systems can be infiltrated and compromised. There are two main areas to address in order to eliminate security vulnerabilities configuration settings and software flaws in program and/or operating system files. Eliminating vulnerabilities will require either remediation - typically a software upgrade or patch for program or OS files - or mitigation - a configuration settings change. Hardening is required equally for servers, workstations and network devices such as firewalls, switches and routers. How do I identify Vulnerabilities? A Vulnerability scan or external Penetration Test will report on all vulnerabilities applicable to your systems and applications. You can buy in 3rd Party scanning/pen testing services pen testing by its very nature is done externally via the public internet as this is where any threat would be exploited from. Vulnerability Scanning services need to be delivered in situ on-site. This can either be performed by a 3rd Party Consultant with scanning hardware, or you can purchase a black box solution whereby a scanning appliance is permanently sited within your network and scans are provisioned remotely. Of course, the results of any scan are only accurate at the time of the scan which is why solutions that continuously track configuration changes are the only real way to guarantee the security of your IT estate is maintained. www.nntws.com page 2

Operation Aurora - The bar is raised for hackers with the Advanced, Persistent Threat Operation Aurora has been widely reported and its effectiveness acknowledged by a number of high-profile targets including Google, Adobe and Juniper Networks. The attack is seen as a grim warning of what is possible if hacking is well-planned and orchestrated. In this example, the aim appears to have been industrial espionage. Project Aurora used targetted social engineering to infiltrate the workstations of key users withing the organizations attacked. A trojan masquerading as a windows dll was installed and sensitive intellectual property intelligence was stolen over a prolonged period of time. source: searchsecurity.com What is the difference between remediation and mitigation? Remediation of a vulnerability results in the flaw being removed and fixed permanently i.e. software update or patch. Patch management is increasingly automated by the Operating System and Product Developer as long as you implement patches when released, then in-built vulnerabilities will be remediated. As an example, the recently reported Operation Aurora, classified as an Advanced Persistent Threat or APT, was successful in infiltrating Google and Adobe. A vulnerability within Internet Explorer was used to plant malware on targeted users PCs that allowed access to sensitive data. The remediation for this vulnerability is to fix Internet Explorer using Microsoft released patches. Vulnerability mitigation via Configuration settings ensures vulnerabilities are disabled. Configuration-based vulnerabilities are no more or less potentially damaging than those needing to be remediated via a patch, although a securely configured device may well mitigate a program or OS-based threat. The big problem with Configuration-based vulnerabilities is that they can be re-introduced at any time just a few clicks are needed to change most configuration settings. How often are new vulnerabilities discovered? Unfortunately, all of the time! Worse still, often the only way that the global community discovers a vulnerability is after a hacker has discovered it and exploited it. It is only when the damage has been done and the hack traced back to its source that a preventative course of action can be formulated. There are various centralized repositories of threats and vulnerabilities on the web such as the MITRE CCE lists http://cce.mitre.org/ and many security product vendors compile live threat reports or storm center websites. So all I need to do is to work through the checklist and then I am secure? In theory, yes, but there are literally hundreds of known vulnerabilities for each platform and even in a small IT estate, the task of verifying the hardened status of each and every device is an almost impossible task to conduct manually. Even if you automate the task by using a vulnerability scanning tool, you will still have work to do to mitigate and remediate vulnerabilities. But this is only the first step. Let s consider a typical configuration vulnerability, for example, Windows Servers should have the Guest account disabled. We run a scan, identify a server where this vulnerability exists, so we mitigate the vulnerability by disabling the Guest Account. As a result, we have hardened this server. However, if another user with Administrator rights then re-enables the Guest Account, the server will be left exposed. The only time you will identify that the server has been rendered vulnerable is when you next run a scan which may not be for another 3 or even 12 months. There is another factor that hasn t yet been covered which is how do you protect systems from an internal threat more on this later. www.nntws.com page 3

All the firewalls, Intrusion Protection Systems, Anti-virus and Process Whitelisting technology in the world won t save you from a well-orchestrated internal hack where the perpetrator has admin rights to key servers or legitimate access to application code file integrity monitoring used in conjunction with tight change control is the only way to properly govern sensitive IT systems Phil Snell, CTO, NNT So tight change management is essential for ensuring we remain compliant? Indeed Section 6.4 of the PCI DSS describes the requirements for a formally managed Change Management process for this very reason. Any change to a server or network device may have an impact on the device s hardened state and therefore it is imperative that this is considered when making changes. Using a continuous configuration change tracking solution provides an audit trail and delivers the concept of closed loop change management the detail of the approved change is documented, along with details of the exact changes that were actually implemented. Furthermore, the devices changed will be re-assessed for vulnerabilities and their compliant state confirmed automatically. What about internal threats? Cybercrime is joining the Organized Crime league which means this is not just about stopping malicious hackers proving their skills as a fun pastime! Firewalling, Intrusion Protection Systems, AntiVirus software and fully implemented device hardening measures will still not stop or even detect a rogue employee who works as an inside man. This kind of threat could result in malware being introduced to otherwise secure systems by an employee with Administrator Rights, or even backdoors being programmed into core business applications. Similarly, with the advent of Advanced Persistent Threats (APT) such as the publicized Operation Aurora hacks that use social engineering to dupe employees into introducing Zero-Day malware. Zero-Day threats exploit previously unknown vulnerabilities a hacker discovers a new vulnerability and formulates an attack process to exploit it. The job then is to understand how the attack happened and more importantly how to remediate or mitigate future re-occurrences of the threat. By their very nature, anti-virus measures are often powerless against zero-day threats. In fact, the only way to detect these types of threats is to use File-Integrity Monitoring technology. See the other NNT whitepaper File-Integrity Monitoring The Last Line of Defense of the PCI DSS for more details, but here is a brief summary. Clearly, it is important to verify all adds, changes and deletions of files as any change may be significant in compromising the security of a host. However, since we are looking to prevent one of the most sophisticated types of hack we need to introduce a completely infallible means of guaranteeing file integrity. This calls for each file to be DNA Fingerprinted, typically using a Secure Hash Algorithm. A Secure Hash Algorithm, such as SHA1 or MD5, produces a unique, hash value based on the contents of the file and ensures that even a single character changing in a file will be detected. This means that even if a program is modified to expose payment card details, but the file is then padded to make it the same size as the original file, and with all other attributes edited to make the file look and feel the same, the modifications will still be exposed. File-Integrity Monitoring is a mandatory requirement for PCI DSS compliance. www.nntws.com page 4

Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance What Do NNT Provide? Device Hardening Templates can be applied for all Security and Governance Policies, providing a fast Compliance Audit of all Devices Devices are then continuously tracked for Configuration Changes where vulnerabilities may be re-introduced Changes tracked include registry keys and values, file system and file integrity, user accounts, process and service white and blacklists, installed programs, performance vital signs, text-based configuration files All Planned and Unplanned Changes are detected and documented Any breach of Compliance Rules reported, including File Integrity Changes All platforms and environments supported, all network devices and appliances www.nntws.com page 5

Conclusion - The NNT View Device hardening is an essential discipline for any organization serious about security. Furthermore, if your organization is subject to any corporate governance or formal security standard, such as PCI DSS, SOX, GLBA, HIPAA, NERC CIP, ISO 27K, GCSx Co Co, then device hardening will be a mandatory requirement. servers, workstations and network devices need to be hardened via a combination of configuration settings and software patch deployment changes to a device may adversely affect its hardened state and render your organization exposed to security threats file-integrity monitoring must also be employed to mitigate zero-day threats and the threat from the inside man vulnerability checklists will change regularly as new threats are identified NNT can help Change Tracker and Log Tracker Enterprise solutions will provide continuous configuration auditing, ensuring that any change to the hardened state of a device will be identified clearly and simply. NNT solutions provide About NNT configuration hardening NNT build the world s best solutions for tracking and managing change, managing and protecting users, maintaining system performance and ensuring availability across the entire enterprise. Understanding and managing the day to day changes within your environment is critical to establishing and maintaining reliable service. NNT Solutions are affordable and easy to use. change management centralized event log correlation file integrity monitoring NNT Change Tracker and Log Tracker Enterprise - Compliance Clarified Audit Configuration Settings - The core function of NNT Change Tracker Enterprise is to first understand how your IT estate is configured Compare Audited Settings Against Policy - Configuration settings are assessed for compliance with any policy or standard relevant to your organization and deviations highlighted NNT help you establish and maintain a known and compliant state for your IT systems. Including: PC, Network, Software, Host Machine and Database. www.nntws.com 2010 New Net Technologies Continuously Monitor Configuration Settings - Configuration attributes are then monitored continuously for all changes, both from a compliance standpoint and from a general change management/control standpoint Change Management Process Underpinned - Authorized changes approved via the formal change management process are reconciled with the original RFC to ensure the correct changes were implemented accurately The Change Management Safety Net - All unplanned changes are flagged up for review immediately to mitigate security vulnerabilities or service delivery performance degradation SIEM Event Log Correlation - Centralize and correlate event logs messages from all windows, unix/linux, firewall and IPS systems For more details, or to arrange a free trial of NNT Change Tracker please contact us info@nntws.com www.nntws.com page 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information