Tips for Passing an Audit or Assessment
Rob Wayt
CISSP-ISSEP, HCISPP, CISM, CISA, CRISC, CEH, QSA, ISO 27001 Lead Auditor
Senior Security Engineer, Structured Communication Systems

Who likes audits?
Compliance Requirements
• PCI DSS
• NERC CIP
• HIPAA
• FERPA
• CJIS
• ISO 27001
• FISMA/NIST
  – SP 800-53, SP 800-171, Cybersecurity Framework
• SOC 1/2/3
• GLBA/NCUA
• SOX
• CIS 20 CSC

Compliance vs. Security
• Compliance is the low bar
• Your security controls can and should go well beyond it

The Findings
Most common findings on security assessments by our assessors.
Data Inventory
• What is your sensitive data?
• Where is it?
• If it is a person, process or system that transmits, stores, or processes sensitive information, it is in scope

Segmentation
• By data security levels
  – Encrypt when traversing a lower level
• PCI using P2PE
• Micro-segmentation, zero trust, private VLANs

Asset Inventory
• Use a dynamically updated system
  – All hardware in scope
• Or manually keep it updated with additions and subtractions
• Track owner, purpose, IP address, name and location if possible

Account Management
• Run reports for 90 days of inactivity
• Use expiration
  – Validate the month prior
• Disable on the last day
• Management approval of access
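The three account-management checks above (90-day inactivity, validating expirations a month ahead, disabling on the last day) as an added example in Python, not code from the presentation. The CSV export format, the account names and the review date are constructed for illustration; a real run would feed in a directory or HR export in the same shape.

```python
"""Account-management review: flag inactive accounts, expirations due for
validation, and accounts that must be disabled today."""
import csv
from datetime import date
from io import StringIO

INACTIVITY_DAYS = 90      # slide: run reports for 90 days of inactivity
EXPIRY_REVIEW_DAYS = 30   # slide: validate expirations the month prior
REVIEW_DATE = date(2024, 6, 1)  # constructed "today" for the sample run

# Constructed sample export (not from a real directory). Empty field = none.
SAMPLE_REPORT = """\
name,last_login,expires,disabled
jdoe,2024-05-20,,no
contractor1,2024-02-01,2024-06-20,no
intern,2024-05-30,2024-06-01,no
svc_backup,,,no
olduser,2023-01-01,,yes
"""

def _parse_date(value):
    return date.fromisoformat(value) if value else None

def load_report(text):
    """Parse a CSV account export into dicts with real date objects."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({
            "name": row["name"],
            "last_login": _parse_date(row["last_login"]),
            "expires": _parse_date(row["expires"]),
            "disabled": row["disabled"].strip().lower() == "yes",
        })
    return rows

def review_accounts(accounts, today):
    """Apply the three rules and return the account names each one flags."""
    findings = {"inactive": [], "validate_expiry": [], "disable_today": []}
    for acct in accounts:
        if acct["disabled"]:
            continue  # already disabled; nothing to report
        last = acct["last_login"]
        # An account that has never logged in counts as inactive: no evidence of use.
        if last is None or (today - last).days >= INACTIVITY_DAYS:
            findings["inactive"].append(acct["name"])
        if acct["expires"] is not None:
            days_left = (acct["expires"] - today).days
            if days_left <= 0:            # last day reached (or already overdue)
                findings["disable_today"].append(acct["name"])
            elif days_left <= EXPIRY_REVIEW_DAYS:
                findings["validate_expiry"].append(acct["name"])
    return findings

if __name__ == "__main__":
    for rule, names in review_accounts(load_report(SAMPLE_REPORT), REVIEW_DATE).items():
        print(f"{rule}: {', '.join(names) or '-'}")
```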

Multi-Factor Authentication
• U2F, push, OTP, …
• For all admin access or access to sensitive information
• OWA, VPN, cloud
• Multi-factor or multi-step
• Factor independence

Logging
• Use a SIEM!
  – Not just purchase one
• All in-scope systems
• Security systems
• NTP

Change Management
• Document all changes to configurations
• Include approvals and roll-back plans

Patching
• Non-OS patches
  – Java, Flash
• Network devices
• End of support = compensating controls

Network Access Control
• MAC spoofing
• DHCP is not a security mechanism

Authorized Software
• Inventory of applications
  – Whitelist the approved, blacklist the others
  – Or another form of application control
• FIM: executables, system files, application files

Secure Configurations
• Use benchmarks for all systems
  – CIS, NIST, STIGs
• Apply by GPO
• Build into the gold disk

Vulnerability Scans
• Use authenticated scans
• Include all in-scope assets

Admin Privileges
• No local admins
  – Even for IT
• Use separate accounts for admin functions
  – RunAs, sudo
• Log/alert everything
  – Added accounts, failed logins, additions to admin groups

IoT
• Don't allow it on your network
• Change admin credentials for everything

USB Storage
• Don't allow, or limit usage
• Set to auto-scan
• Encrypt on use

Firewalls
• Only allow authorized ports and protocols
  – Inbound AND outbound
• Inbound connections to the inside network
• Test segmentation
• Web content filtering

DLP
• Decrypt SSL and send to DLP for in-scope data types
• Host-based is effective for inside threats

Encrypt Sensitive Data
• In motion and at rest
• Archive systems
  – Laserfiche, e-mail archive flat files
• Backups

Wireless
• Segmentation
• Authentication
• Rogue access points

Application Development
• Separate development environment
• Peer review code
• OWASP Top 10
• WAF

Policies
• Worse than the audit itself
• Make sure policy is implemented
  – And followed
• Don't forget
  – Incident Response
  – Disaster Recovery
  – Business Continuity Plan

Accounting and HR
• Preparation needs to include these areas
• They store too much information and never purge anything
• More fun to audit than IT staff

SSL/TLS and SHA-1
• Use TLS 1.1 and 1.2
  – SSL and TLS 1.0 are weak
• Still see SHA-1 signed certificates

Risk Assessment
• Map to controls
• Reviewed by senior management

Penetration Testing
• Not a vulnerability scan
• Actual hacking
• Should be near the end of your preparation task list
• Pay for social engineering

End User Training
• Include a phishing campaign
• Real-life scenarios
• Document it

Virtual Environment
• Separate hypervisor and hardware by classification level
• Validate data, admin, and control planes in SDN
• Cloud environments

That’s All!
Questions?