(C) MARCHANY 2011
THE 20 CRITICAL CONTROLS: A SECURITY STRATEGY
RANDY MARCHANY
VA TECH IT SECURITY OFFICE
WHO AM I?
Been working in IT Security since 1992, working in IT for 38 years
CISO at VA Tech
• 40K-node network, dual-stack IPv4/IPv6 since 2006
• Multi-national – main campus (Blacksburg, VA), remote campuses (Arlington, Norfolk, VA), Swiss, Indian, Egyptian campuses
My IT Security Philosophy
All Security is Local
Empower the local IT staff
The Business Process trumps the Security Process
Learn the business process before imposing security requirements
Restrictive security practices cause worse problems overall
MOST COMMON SECURITY MISTAKES MADE BY INDIVIDUALS (2001)
Poor password management
Leaving your computer on, unattended
Opening e-mail attachments from strangers
Not installing anti-virus software
Laptops on the loose
Blabber mouths
Plug and Play without protection
Not reporting security violations
Always behind the times (OS, application patches)
Keeping an eye out inside the organization
WHAT I SAID: 1990’S – 2000’S
“Viruses, trojans and worms will never be eliminated. There is a multi-billion $ industry built to contain them.” - RCM 2002
There’s no economic incentive to eliminate the root causes of cybersecurity issues.
We have created a cyber-security industrial complex
Eisenhower was right.
VT CYBER SECURITY STRATEGY
University has 3 main business processes: Academic, Administrative, Research
Academic: open access needed – THE ISP MODEL
Administrative: traditional corporate security model
Research: hybrid – open access, plus restricted research, e.g. ITAR
VA TECH IT SECURITY STRATEGY
Based on ISO 27002, NIST 800-53 Standards
BYOD: all students required to purchase their own computers and bring their own smartphones. We’ve been doing this since 1984
Protect sensitive data regardless of location
Business process defines and trumps the security process if there is a conflict
IT and business processes must adapt to new situations
Don’t care what comes in the net. Worry about what leaves the net.
IMPLEMENTING THE 20 CRITICAL CONTROLS STRATEGY
Quick wins
Focus on the most common and damaging threats
Consistent implementation
Metrics to justify acquisitions
Interfere with:
• Attackers getting in
• Attackers staying in
• Attackers causing damage
Focus on what leaves the net rather than what comes in
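The "watch what leaves the net" strategy on this slide is a review of outbound traffic, not inbound. The following is an added example (not part of the original deck or of VA Tech's tooling) that runs that review over a handful of constructed flow records: it ignores inbound and internal-to-internal flows, totals bytes sent per internal host to outside addresses, and flags hosts that exceed a daily volume threshold or that open outbound connections on ports the policy does not expect. The campus address range (10.20.0.0/16), the allowed egress port set and the 500 MiB threshold are assumptions chosen for the example.

```python
"""Egress review: what leaves the net. Flow records are constructed; the
campus address range, allowed egress ports and the byte threshold are
assumptions made for this example."""
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed campus address space
ALLOWED_EGRESS_PORTS = {22, 53, 80, 443}                 # assumed egress policy
BYTES_OUT_THRESHOLD = 500 * 1024 * 1024                  # assumed: 500 MiB per host per day

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_sent_by_src).
FLOWS = [
    ("10.20.1.15", "198.51.100.10", 443, 120_000),
    ("10.20.1.15", "10.20.2.5", 443, 90_000_000),      # internal to internal, not egress
    ("10.20.1.99", "203.0.113.7", 6667, 2_500),        # IRC-style port leaving the net
    ("10.20.3.44", "203.0.113.20", 443, 700_000_000),  # very large upload
    ("10.20.3.44", "198.51.100.25", 25, 4_000),        # direct SMTP out of a workstation
    ("198.51.100.10", "10.20.2.5", 80, 5_000),         # inbound, out of scope here
]


def is_internal(ip):
    """True if the address falls inside the assumed campus networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_review(flows, allowed_ports=ALLOWED_EGRESS_PORTS, threshold=BYTES_OUT_THRESHOLD):
    """Per-host outbound volume plus outbound connections on unexpected ports.

    Only internal -> external flows are counted; inbound traffic is skipped,
    which is exactly the emphasis of the strategy on the slide."""
    bytes_out = defaultdict(int)
    unexpected = []
    for src, dst, port, nbytes in flows:
        if not is_internal(src) or is_internal(dst):
            continue
        bytes_out[src] += nbytes
        if port not in allowed_ports:
            unexpected.append((src, dst, port))
    heavy = sorted(host for host, total in bytes_out.items() if total > threshold)
    return {
        "heavy_senders": heavy,
        "unexpected_ports": unexpected,
        "bytes_out": dict(bytes_out),
    }


def example_report():
    """Run the review over the constructed flows."""
    return egress_review(FLOWS)


if __name__ == "__main__":
    for key, value in example_report().items():
        print(key, value)
```

In practice the flow records come from the border router or a flow collector and the threshold is a per-host baseline rather than a single constant; the two questions the code answers (who is sending a lot, and to what ports) stay the same.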
WHY 20 CRITICAL CONTROLS?
Subset of the Priority 1 items in NIST 800-53
Mapping of ISO 27002 -> NIST 800-53 -> 20 Critical Controls
http://www.systemexperts.com/assets/tutors/SystemExperts-SANS20-1.pdf
Technical controls only, not operational controls
Have to start somewhere
Focus is ASSURANCE not compliance!
THE 20 CRITICAL CONTROLS: 1-3
1. Inventory of authorized and unauthorized devices
Reduce the ability of attackers to find and exploit unauthorized and unprotected systems: Use active monitoring and configuration management to maintain an up-to-date inventory
2. Inventory of authorized and unauthorized software
Identify vulnerable or malicious software to mitigate or root out attacks: Devise a list of authorized software for each type of system, and deploy tools to track software installed (including type, version, and patches)
3. Secure configurations for hardware and software on laptops, workstations, and servers
Prevent attackers from exploiting services and settings that allow easy access through networks and browsers: Build a secure image that is used for all new systems deployed to the enterprise
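Controls 1 and 2 both reduce to the same operation: compare what active monitoring actually observes against the list of what is authorized, and act on the difference in both directions. The following is an added example, not code from the deck or from VA Tech, that does this for both controls over constructed data: DHCP lease records are reconciled against an authorized device inventory keyed by MAC (unknown MACs are unauthorized devices; authorized devices not seen within a window are stale entries), and agent-reported package lists are reconciled against a per-role software allowlist plus a required-software set. The inventory layout, the role names and the 30-day staleness window are assumptions.

```python
"""Controls 1 and 2: reconcile what is on the network (DHCP leases) and what
is installed (agent reports) against the authorized inventories.
All data below is constructed for this example."""
from datetime import datetime, timedelta

# Constructed: authorized device inventory keyed by MAC (assumed CMDB export).
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:01": {"host": "lib-ws-101", "owner": "library", "role": "workstation"},
    "00:11:22:33:44:02": {"host": "cs-srv-web1", "owner": "cs", "role": "server"},
    "00:11:22:33:44:03": {"host": "hr-ws-207", "owner": "hr", "role": "workstation"},
}

# Constructed: DHCP lease records from active monitoring: (timestamp, mac, ip).
OBSERVED_LEASES = [
    ("2011-10-03T08:01:00", "00:11:22:33:44:01", "10.20.1.15"),
    ("2011-10-03T08:02:10", "00:11:22:33:44:02", "10.20.2.5"),
    ("2011-10-03T08:04:31", "aa:bb:cc:dd:ee:ff", "10.20.1.99"),  # not in the inventory
]

# Constructed: software allowed per system role, software every system must
# carry, and what an inventory agent reported as installed.
AUTHORIZED_SOFTWARE = {
    "workstation": {"Firefox", "LibreOffice", "Endpoint AV"},
    "server": {"Apache httpd", "OpenSSH", "Endpoint AV"},
}
REQUIRED_SOFTWARE = {"Endpoint AV"}
INSTALLED = {
    "lib-ws-101": {"Firefox", "LibreOffice", "Endpoint AV", "uTorrent"},
    "cs-srv-web1": {"Apache httpd", "OpenSSH"},
}


def reconcile_devices(authorized, leases, now, stale_after_days=30):
    """Unauthorized MACs seen on the wire, and authorized hosts not seen recently.

    A stale authorized device is worth chasing too: it may have been retired
    without updating the inventory, or it may sit where monitoring cannot see it."""
    last_seen = {}
    unauthorized = []
    for ts, mac, ip in leases:
        seen = datetime.fromisoformat(ts)
        if mac in authorized:
            last_seen[mac] = max(seen, last_seen.get(mac, seen))
        else:
            unauthorized.append((mac, ip, ts))
    cutoff = now - timedelta(days=stale_after_days)
    stale = sorted(info["host"] for mac, info in authorized.items()
                   if mac not in last_seen or last_seen[mac] < cutoff)
    return {"unauthorized": unauthorized, "stale": stale}


def reconcile_software(authorized_by_role, required, installed, devices):
    """Packages outside the role's allowlist, and required packages that are absent."""
    role_of = {info["host"]: info["role"] for info in devices.values()}
    report = {"unauthorized": {}, "missing": {}}
    for host, packages in installed.items():
        role = role_of.get(host)
        if role is None:
            # A report from a host the device inventory does not know about is a
            # control 1 finding; treat everything on it as unapproved.
            report["unauthorized"][host] = set(packages)
            continue
        extra = packages - authorized_by_role[role]
        missing = required - packages
        if extra:
            report["unauthorized"][host] = extra
        if missing:
            report["missing"][host] = missing
    return report


def example_reports(now=datetime(2011, 10, 3, 9, 0)):
    """Both reconciliations over the constructed data."""
    return (reconcile_devices(AUTHORIZED_DEVICES, OBSERVED_LEASES, now),
            reconcile_software(AUTHORIZED_SOFTWARE, REQUIRED_SOFTWARE, INSTALLED, AUTHORIZED_DEVICES))


if __name__ == "__main__":
    devices, software = example_reports()
    print("devices:", devices)
    print("software:", software)
```

The "stale" and "missing" lists are what make the report useful beyond a one-off scan: an inventory that only ever grows is not an inventory, and a machine missing its required endpoint protection is a control 5 finding surfaced by control 2 data.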
THE 20 CRITICAL CONTROLS: 4-5
4. Continuous Vulnerability Assessment and Remediation
Proactively identify and repair software vulnerabilities reported by security researchers or vendors: Regularly run automated vulnerability scanning tools against all systems and quickly remediate any vulnerabilities
5. Malware Defenses
Block malicious code from tampering with system settings or contents, capturing sensitive data, or spreading
THE 20 CRITICAL CONTROLS: 6-10
6. Application Software Security
Neutralize vulnerabilities in web-based and other application software:
Vendor Application Security Questionnaire
7. Wireless Device Control
Protect the security perimeter against unauthorized wireless access: Allow wireless devices to connect to the network only if it matches an authorized configuration and security profile and has a documented owner and defined business need.
8. Data Recovery Capability (validated manually)
9. Security Skills Assessment and Appropriate Training To Fill Gaps (validated manually)
10. Secure configurations for network devices such as firewalls, routers, and switches
Preclude electronic holes from forming at connection points with the Internet, other organizations, and internal network segments: Compare firewall, router, and switch configurations against standards for each type of network device.
THE 20 CRITICAL CONTROLS: 11-13
11. Limitation and Control of Network Ports, Protocols, and Services
Allow remote access only to legitimate users and services: Apply host-based firewalls and port-filtering and scanning tools to block traffic that is not explicitly allowed
12. Controlled Use of Administrative Privileges
Protect and validate administrative accounts on desktops, laptops, and servers to prevent two common types of attack:
13. Boundary Defense
Control the flow of traffic through network borders, and police content by looking for attacks and evidence of compromised machines:
THE 20 CRITICAL CONTROLS: 14-15
14. Maintenance, Monitoring and Analysis of Audit Logs
Use detailed logs to identify and uncover the details of an attack, including the location, malicious software deployed, and activity on victim machines: store logs on dedicated servers, and run biweekly reports to identify and document anomalies.
15. Controlled Access Based On Need to Know
Prevent attackers from gaining access to highly sensitive data: Carefully identify and separate critical data from information that is readily available to internal network users. Establish a multilevel data classification scheme based on the impact of any data exposure, and ensure that only authenticated users have access to nonpublic data and files.
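Control 14 asks for periodic reports over centrally stored logs that identify anomalies, which only works if someone has written down what an anomaly is. The following is an added example, not part of the original deck, of one such report over a few constructed sshd syslog lines of the kind a syslog server collects: it counts failed logins per source, flags a source once it crosses a failure threshold, flags a successful login from a source that had already accumulated failures, and flags any direct root login. The host names, addresses, thresholds and the log format are assumptions (the lines follow the usual OpenSSH wording).

```python
"""Control 14: anomaly report over constructed sshd syslog lines.
The hosts, addresses and thresholds are assumptions made for this example."""
import re
from collections import defaultdict

# Constructed syslog lines in the usual OpenSSH wording.
LOG_LINES = """\
Oct  3 08:00:01 cs-srv-web1 sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Oct  3 08:00:03 cs-srv-web1 sshd[2011]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2
Oct  3 08:00:05 cs-srv-web1 sshd[2011]: Failed password for root from 203.0.113.7 port 51240 ssh2
Oct  3 08:00:09 cs-srv-web1 sshd[2011]: Failed password for root from 203.0.113.7 port 51244 ssh2
Oct  3 08:00:12 cs-srv-web1 sshd[2011]: Failed password for root from 203.0.113.7 port 51250 ssh2
Oct  3 08:00:15 cs-srv-web1 sshd[2011]: Accepted password for root from 203.0.113.7 port 51252 ssh2
Oct  3 08:05:40 cs-srv-web1 sshd[2050]: Failed password for alice from 10.20.1.15 port 40001 ssh2
Oct  3 08:05:47 cs-srv-web1 sshd[2050]: Accepted publickey for alice from 10.20.1.15 port 40002 ssh2
""".splitlines()

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")


def audit_report(lines, fail_threshold=5, success_after=3):
    """Return (findings, invalid_users).

    findings is a list of (kind, source_ip, detail) tuples in log order:
      brute_force             - a source reached fail_threshold failed logins
      success_after_failures  - a login succeeded from a source with >= success_after failures
      root_login              - a direct root login, whatever the method
    invalid_users maps a source to the non-existent usernames it tried."""
    failures = defaultdict(int)
    invalid_users = defaultdict(set)
    findings = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            if "invalid user" in line:
                invalid_users[src].add(user)
            if failures[src] == fail_threshold:
                findings.append(("brute_force", src, f"{fail_threshold} failed logins"))
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, src = m.groups()
            if failures[src] >= success_after:
                findings.append(("success_after_failures", src,
                                 f"{user} via {method} after {failures[src]} failures"))
            if user == "root":
                findings.append(("root_login", src, method))
    return findings, {src: sorted(users) for src, users in invalid_users.items()}


def example_report():
    """Run the report over the constructed lines."""
    return audit_report(LOG_LINES)


if __name__ == "__main__":
    findings, invalid = example_report()
    for kind, src, detail in findings:
        print(f"{kind:24s} {src:16s} {detail}")
    print("invalid usernames tried:", invalid)
```

The legitimate user who mistypes once and then authenticates with a key produces no finding, which is the behaviour a report run every two weeks needs: the output has to be short enough that someone reads it.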
THE 20 CRITICAL CONTROLS: 16-20
16. Account Monitoring and Control
Keep attackers from impersonating legitimate users: Review all system accounts and disable any that are not associated with a business process and owner.
17. Data Loss Prevention
Stop unauthorized transfer of sensitive data through network attacks and physical theft: Scrutinize the movement of data across network boundaries, both electronically and physically, to minimize the exposure to attackers.
18. Incident Response Capability (validated manually)
19. Secure Network Engineering (validated manually)
Keep poor network design from enabling attackers: Use a robust, secure network engineering process to prevent security controls from being circumvented. Allow rapid deployment of new access controls to quickly deflect attacks.
20. Penetration Tests and Red Team Exercises (validated manually)
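Control 16 ("disable any account not associated with a business process and owner") and control 12 (validating administrative accounts) are both a join between the directory and the records HR and the sysadmins already hold, as the later "you have the answers already" slides point out. The following is an added example, not code from the deck or from VA Tech, that performs that join over a constructed directory export and HR roster: it lists enabled accounts with no owner, enabled accounts whose owner is no longer active in HR, members of the administrators group who are not on the approved-admin list, and accounts dormant for more than a window. The field names, the group name and the 90-day window are assumptions.

```python
"""Controls 12 and 16: account review by joining a directory export to the HR
roster and the approved-admin list. All data is constructed for this example."""
from datetime import date, timedelta

# Constructed directory export. "owner" is the HR employee id the account is tied to.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "owner": "E1001",
     "groups": {"staff", "Domain Admins"}, "last_login": "2011-09-30"},
    {"user": "bob", "enabled": True, "owner": "E1002",
     "groups": {"staff"}, "last_login": "2011-09-29"},
    {"user": "svc-backup", "enabled": True, "owner": None,
     "groups": {"Domain Admins"}, "last_login": "2011-10-01"},
    {"user": "carol", "enabled": True, "owner": "E1003",
     "groups": {"staff"}, "last_login": "2011-04-02"},
    {"user": "dave", "enabled": False, "owner": "E1004",
     "groups": {"staff"}, "last_login": "2010-12-01"},
]
# Constructed HR roster: employee id -> status.
HR_STATUS = {"E1001": "active", "E1002": "active", "E1003": "terminated", "E1004": "terminated"}
# Constructed approved-admin list maintained by the sysadmin group (control 12).
APPROVED_ADMINS = {"alice"}
ADMIN_GROUP = "Domain Admins"   # assumed name of the privileged group


def account_review(accounts, hr_status, approved_admins, today, dormant_days=90):
    """Classify enabled accounts; disabled ones are already dealt with."""
    report = {"orphaned": [], "owner_not_active": [], "unapproved_admin": [], "dormant": []}
    cutoff = today - timedelta(days=dormant_days)
    for acct in accounts:
        if not acct["enabled"]:
            continue
        user = acct["user"]
        if acct["owner"] is None:
            report["orphaned"].append(user)
        elif hr_status.get(acct["owner"]) != "active":
            # covers terminated owners and owner ids HR has never heard of
            report["owner_not_active"].append(user)
        if ADMIN_GROUP in acct["groups"] and user not in approved_admins:
            report["unapproved_admin"].append(user)
        if date.fromisoformat(acct["last_login"]) < cutoff:
            report["dormant"].append(user)
    return report


def accounts_to_disable(report):
    """Accounts with no owner or no active owner are the ones control 16 says to disable."""
    return sorted(set(report["orphaned"]) | set(report["owner_not_active"]))


def example_review(today=date(2011, 10, 3)):
    """Run the review over the constructed data."""
    report = account_review(ACCOUNTS, HR_STATUS, APPROVED_ADMINS, today)
    return report, accounts_to_disable(report)


if __name__ == "__main__":
    report, to_disable = example_review()
    for key, users in report.items():
        print(f"{key:18s} {users}")
    print("disable:", to_disable)
```

Service accounts such as svc-backup show up twice here, as orphaned and as unapproved admins; the fix is not to delete them but to give them a documented owner and get the privilege approved, which is what the control's "business process and owner" wording asks for.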
IMPLEMENTATION TIPS
Secure upper management backing
Do a 20 Critical Controls Gap Analysis
Find out who at your organization has the information needed by a particular control
Get access to the info
Pick 2-4 controls at a time
Rinse, lather and repeat
This is a 3-5 year project.
YOU HAVE THE ANSWERS ALREADY
1. Inventory of authorized and unauthorized devices: obtain from your network management group
2. Inventory of authorized and unauthorized software: obtain from software purchasing group
3. Secure configurations for hardware and software on laptops, workstations, and servers: policy
4. Continuous Vulnerability Assessment and Remediation: IT Security Office runs weekly scans against critical servers
5. Malware Defense: IT Security Office
YOU HAVE THE ANSWERS ALREADY
6. Application Software Security: security questionnaires
7. Wireless Device Control: network management group
8. Data Recovery Capability (validated manually): network backup service, departmental backup process
9. Security Skills Assessment & Appropriate Training To Fill Gaps (validated manually): Secure the Human
10. Secure configurations for network devices such as firewalls, routers, and switches: network management group
YOU HAVE THE ANSWERS ALREADY
11. Limitation and Control of Network Ports, Protocols, and Services: policy, standards, individual departmental guidelines
12. Controlled Use of Administrative Privileges: policy, standards, individual departmental guidelines
13. Boundary Defense: policy, standards, define the boundary!
14. Maintenance, Monitoring and Analysis of Audit Logs: standard sysadmin practice, SIEM, syslog server
15. Controlled Access Based On Need to Know: business process rules, identity management process
YOU HAVE THE ANSWERS ALREADY
16. Account Monitoring and Control: HR policies/process, identity management process
17. Data Loss Prevention: sensitive data protection policy/standards, network forensics
18. Incident Response Capability (validated manually): IT Security Office, upper management approval
19. Secure Network Engineering (validated manually): network management group configuration rules
20. Penetration Tests and Red Team Exercises (validated manually)
CONTROL ENTITY RELATIONSHIP DIAGRAM (ERD) #1
[diagram not reproduced in this extract]
CONTROL ENTITY RELATIONSHIP DIAGRAM (ERD) #14
[diagram not reproduced in this extract]
THE CHALLENGES
Getting upper management (Board, President, CIO, VP) support
Getting the data
Internal IT groups may not have the info in a format you want
Internal IT groups may not want to give you the data
Departmental groups may not want to give you the info
Performing the Gap analysis
Building the 20 Critical Implementation plan
Just doing it!
JUST DO IT
You probably rolled your eyes when you read the controls
We can’t do that! It’s too complicated
Just do it
We have not made significant strides in overall organizational IT security in the past 20 years
Same vectors in the 1990s are causing problems in the 2010s
It’s time to change the paradigm
Just do it – a few steps at a time
QUESTIONS?
Contact Information
Randy Marchany
University IT Security Officer
VA Tech IT Security Office & Lab
1300 Torgersen Hall
Blacksburg, VA 24061
540-231-9523 (office) 540-231-1688(lab)
marchany@vt.edu
Twitter: @randymarchany
Blog: randymarchany.blogspot.com