Critical Security Controls
Session 2: The Critical Controls v1.0
Chris Beal, Chief Security Architect, MCNC
chris.beal@mcnc.org
@mcncsecurity on Twitter
The Critical Security Controls
The Critical Security Controls for Effective Cyber Defense, Version 5.1
http://www.counciloncybersecurity.org/critical-controls/
The Critical Security Controls
CSC 1: Inventory of Authorized and Unauthorized Devices
What? Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
Why? You cannot secure devices that you don't know about, and you cannot protect yourself from devices that you don't know are sitting on your network.
CSC 1: Inventory of Authorized and Unauthorized Devices
How?
ID #  Description  [Category, where the slide lists one]
CSC 1-1  Deploy automated asset inventory discovery tool & use it to conduct asset inventory to find devices on the network.
CSC 1-2  Enable DHCP server logging and use logs to detect unknown systems connecting to the network.
CSC 1-3  Keep asset inventory updated as new devices are acquired and added to the network.
CSC 1-4  Maintain asset inventory of all systems connected to the network, including network address, device name, device purpose, and asset owner.  [Visibility]
CSC 1-5  Deploy network level authentication (via 802.1x) to control which devices are allowed to connect to the network.  [Config]
CSC 1-6  Deploy Network Access Control (NAC) to monitor authorized systems and ease remediation of unauthorized systems.  [Config]
CSC 1-7  Utilize client certificates to validate and authenticate systems prior to connecting to network.  [Advanced]
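CSC 1-2 and CSC 1-4 together: DHCP lease logs checked against the asset inventory so that a lease handed to a MAC address nobody owns raises an alert. This is an added example, not code from the slides or from MCNC; the log lines, inventory entries and the dhcpd-style message format are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample of the CSC 1-4 inventory (name, purpose, owner), keyed by MAC.
# These are illustrative values, not real devices.
AUTHORIZED = {
    "00:11:22:33:44:55": {"name": "hr-laptop-07", "purpose": "HR workstation", "owner": "J. Doe"},
    "00:11:22:33:44:66": {"name": "print-2f", "purpose": "Printer", "owner": "Facilities"},
}

# Constructed ISC dhcpd-style syslog lines; not output captured from any real network.
SAMPLE_LOG = """\
Mar  3 09:12:01 dhcp1 dhcpd: DHCPACK on 10.20.30.41 to 00:11:22:33:44:55 (hr-laptop-07) via eth0
Mar  3 09:12:44 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:66 via eth0
Mar  3 09:13:02 dhcp1 dhcpd: DHCPACK on 10.20.30.42 to 00:11:22:33:44:66 (print-2f) via eth0
Mar  3 09:15:19 dhcp1 dhcpd: DHCPACK on 10.20.30.77 to de:ad:be:ef:00:01 (android-3f2a) via eth0
"""

# Only DHCPACK lines matter: that is the moment the server actually hands out an address.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: str

def parse_acks(log_text):
    """Return one Lease per DHCPACK line; DISCOVER/OFFER/REQUEST lines are ignored."""
    leases = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            leases.append(Lease(m["ip"], m["mac"].lower(), m["host"] or ""))
    return leases

def find_unknown_devices(log_text, inventory=AUTHORIZED):
    """Leases granted to MAC addresses that are absent from the asset inventory (CSC 1-2)."""
    return [lease for lease in parse_acks(log_text) if lease.mac not in inventory]

if __name__ == "__main__":
    for lease in find_unknown_devices(SAMPLE_LOG):
        print(f"UNKNOWN DEVICE {lease.mac} ({lease.hostname or '?'}) was given {lease.ip}")
```

A MAC address is only a claim, so a check like this finds unmanaged devices but does not stop a spoofed one; that is why the later sub-controls (CSC 1-5 802.1x, CSC 1-7 client certificates) move the decision to authentication.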
CSC 2: Inventory of Authorized and Unauthorized Software
What? Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
Why? You cannot secure applications that you don't know about, and you cannot protect yourself from applications that you don't know are installed on your systems.
CSC 2: Inventory of Authorized and Unauthorized Software
How?
ID #  Description  [Category, where the slide lists one]
CSC 2-1  Deploy application whitelisting technology.
CSC 2-2  Maintain list of authorized software and versions. Use file integrity checking software to ensure that authorized software has not been modified.
CSC 2-3  Scan for unauthorized software deployments and alert when found.
CSC 2-4  Deploy software inventory tools and track deployed software.  [Visibility]
CSC 2-5  Integrate software and hardware inventories.  [Visibility]
CSC 2-6  Closely monitor and/or block dangerous file types (exe, zip, msi).  [Config]
CSC 2-7  High risk applications required for business use should be segregated with VMs or airgapped systems.  [Advanced]
CSC 2-8  Configure client workstations with non-persistent operating environments.  [Advanced]
CSC 2-9  Only deploy software with signed software ID tags.  [Advanced]
CSC 3: Secure Configurations for Hardware & Software on Mobile Devices, Laptops, Workstations, and Servers
What? Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
Why? Many systems are vulnerable in their default states. Unused services, default accounts, open ports, etc. can be abused and should be appropriately secured.
CSC 3: Secure Configurations for Hardware & Software on Mobile Devices, Laptops, Workstations, and Servers
How?
ID #  Description  [Category, where the slide lists one]
CSC 3-1  Create and use standard, secure OS configurations.
CSC 3-2  Implement automated patching tools for both OS and applications.
CSC 3-3  Limit administrative privileges to small number of users that require them.
CSC 3-4  Follow strict configuration management processes to build and maintain secure systems.
CSC 3-5  Store master images securely and continuously monitor them to ensure that they remain secure.
CSC 3-6  Negotiate contracts to buy systems configured securely out of the box.  [Visibility]
CSC 3-7  Do all remote administration of systems over secure channels.  [Config]
CSC 3-8  Use file integrity checking tools to ensure that critical system files have not been altered.  [Config]
CSC 3-9  Implement and test automated configuration monitoring tools to measure all secure configuration elements.  [Advanced]
CSC 3-10  Deploy system configuration management tools (AD GPO, Puppet, etc.) to automatically enforce and redeploy desired configuration settings.  [Config]
CSC 4: Continuous Vulnerability Assessment and Remediation
What? Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
Why? "Changes aren't permanent, but change is." ("Tom Sawyer", Rush)
CSC 4: Continuous Vulnerability Assessment and Remediation
How?
ID #  Description  [Category, where the slide lists one]
CSC 4-1  Run vulnerability scanning tools against all systems on network on a weekly (or more frequent) basis.
CSC 4-2  Correlate event logs with information from vulnerability scans.
CSC 4-3  Perform vulnerability scanning in authenticated mode to determine true vulnerability picture of systems.
CSC 4-4  Subscribe to vulnerability intelligence services to stay aware of emerging exposures.
CSC 4-5  Deploy automated patch management & software update tools to keep systems updated.  [Visibility]
CSC 4-6  Monitor logs associated with vulnerability scans.  [Visibility]
CSC 4-7  Use results of vulnerability scans to ensure that identified exposures have been addressed.  [Config]
CSC 4-8  Measure the delay in patching new vulnerabilities to ensure that systems are being patched within agreed upon timeframes.  [Config]
CSC 4-9  Evaluate patches in a test environment before deploying them to critical systems.  [Config]
CSC 4-10  Establish a process to evaluate risk of patching (or not patching) vulnerabilities.  [Config]
CSC 5: Malware Defenses
What? Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.
Why? Malware is pervasive and used in the majority of modern attacks and data breaches in order to compromise systems and account credentials.
CSC 5: Malware Defenses
How?
ID #  Description  [Category, where the slide lists one]
CSC 5-1  Use automated tools such as anti-virus, anti-spyware, host-based firewalls, and host-based IPS to continuously monitor systems for indicators of malware.
CSC 5-2  Use anti-malware software that offers remote, cloud-based centralized management infrastructure to share intelligence and update managed systems.
CSC 5-3  Disable auto-run feature for removable media and network shares.
CSC 5-4  Automatically scan removable media for malware upon connection to a system.
CSC 5-5  Scan all email and block messages containing malicious content.
CSC 5-6  Enable features such as DEP, ASLR, containerization, etc.
CSC 5-7  Limit use of external devices to only where it is required.
CSC 5-8  Ensure that automated monitoring tools use behavior-based anomaly detection in addition to signature-based detection.  [Visibility]
CSC 5-9  Use network-based malware scanning tools to detect and filter network traffic.  [Visibility]
CSC 5-10  Implement IR process to collect malware samples found to be running that were not caught by existing malware defenses.  [Advanced]
CSC 5-11  Enable DNS query logging to detect lookups for known bad sites.  [Advanced]
First Five's
1. Application Whitelisting (CSC 2)
2. Use of Standard, Secure System Configurations (CSC 3)
3. Patch Application Software Within 48 Hours (CSC 4)
4. Patch System Software Within 48 Hours (CSC 4)
5. Reduce Number of Users With Administrative Privileges (CSC 3, CSC 12)
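CSC 4-8 asks you to measure patch delay against an agreed timeframe, and the First Five's set that timeframe at 48 hours for application and system software. The following is an added example, not code from the slides or MCNC: it takes constructed scanner findings (first seen, later seen fixed or still open) and reports which ones beat the 48-hour window, counting a still-open finding against the clock rather than ignoring it.

```python
from datetime import datetime, timedelta

# Agreed timeframes from the First Five's: 48 hours for application and system software.
SLA = {"application": timedelta(hours=48), "system": timedelta(hours=48)}

# Constructed findings, shaped like a scanner export: one row per (host, vulnerability),
# with when it was first seen and when a later scan showed it fixed (None = still open).
# Hosts and vulnerability ids are placeholders, not real systems or CVEs.
FINDINGS = [
    {"host": "web01", "vuln": "VULN-APP-1", "kind": "application",
     "first_seen": "2014-03-03T08:00", "fixed": "2014-03-04T10:00"},
    {"host": "db01", "vuln": "VULN-SYS-1", "kind": "system",
     "first_seen": "2014-03-03T08:00", "fixed": "2014-03-06T09:00"},
    {"host": "hr02", "vuln": "VULN-APP-2", "kind": "application",
     "first_seen": "2014-03-05T12:00", "fixed": None},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")

def patch_delay(finding, now):
    """How long the finding stayed open: until it was fixed, or until `now` if still open."""
    end = _ts(finding["fixed"]) if finding["fixed"] else now
    return end - _ts(finding["first_seen"])

def sla_report(findings, now, sla=SLA):
    """Per finding: hours open and whether the agreed timeframe was met (CSC 4-8)."""
    rows = []
    for f in findings:
        delay = patch_delay(f, now)
        rows.append({
            "host": f["host"], "vuln": f["vuln"], "open": f["fixed"] is None,
            "hours": delay.total_seconds() / 3600,
            "within_sla": delay <= sla[f["kind"]],
        })
    return rows

def breach_rate(findings, now, sla=SLA):
    """Fraction of findings that missed their timeframe; the number to trend week over week."""
    rows = sla_report(findings, now, sla)
    return sum(not r["within_sla"] for r in rows) / len(rows)

if __name__ == "__main__":
    now = _ts("2014-03-08T00:00")  # constructed "current" time for the sample
    for row in sla_report(FINDINGS, now):
        print(row)
    print(f"SLA breach rate: {breach_rate(FINDINGS, now):.0%}")
```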
The Top 4 Strategies
The Top 4 Strategies to Mitigate Targeted Cyber Intrusions (the Strategies) are the most effective security controls an organization can implement at this point in time based on our current visibility of the cyber threat environment. The Defence Signals Directorate (DSD) assesses that implementing the Top 4 will mitigate at least 85% of the intrusion techniques that the Cyber Security Operations Centre (CSOC) responds to.
http://www.asd.gov.au/infosec/top-mitigations/top-4-strategies-explained.htm
AUS DSD Top 4 Strategies
1. Application Whitelisting: explicitly define the applications that are allowed to run on a system
2. Patch Applications: keep applications updated
3. Patch the Operating System: keep the OS and core components updated
4. Minimize Administrative Privileges: limit the power that users have on systems and what they are allowed to change
http://www.asd.gov.au/infosec/top-mitigations/top-4-strategies-explained.htm
Key Takeaways
- You don't have to invent this yourself! The Critical Security Controls are real-world tested and proven to be effective for defending your assets.
- The Critical Security Controls are a map, not necessarily turn-by-turn directions. You need to plan the best route for your journey based on your environment.
- You have to decide which controls are right for your environment and prioritize them.
- Start with the First Five's and the Top 4 Strategies.
Key Takeaways
- Multi-Factor Authentication
- Monitoring / Visibility