SANS 20 Security Controls
Casey Wimmer
Security Capstone
2330 01
Pine Technical and Community College
May 9, 2016
In this paper I am going to discuss the 20 SANS Critical Security Controls. The controls are Inventory of Authorized and Unauthorized Devices; Inventory of Authorized and Unauthorized Software; Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers; Continuous Vulnerability Assessment and Remediation; Application Software Security; Wireless Access Control; Data Recovery Capability; Security Skills Assessment and Appropriate Training to Fill Gaps; Secure Configurations for Network Devices; Limitation and Control of Network Ports, Protocols, and Services; Controlled Use of Administrative Privileges; Boundary Defense; Maintenance, Monitoring, and Analysis of Audit Logs; Controlled Access Based on the Need to Know; Account Monitoring and Control; Data Protection; Incident Response and Management; Secure Network Engineering; and Penetration Tests and Red Team Exercises. These controls can be used to inventory, track, and correct assets, to control how they are acquired and accessed, and to take action against the installation, spread, and execution of malicious code. I am also going to discuss how the controls are used in a business setting, from quick wins to more advanced ways of making one's systems safe. As technology grows, black hats and some gray hats will become more advanced in their hacking, so as a cyber community we need to become more advanced and aware of how our networks are set up and how far we should lock down systems to keep our information safe while still meeting the needs of the business.
The first control is Inventory of Authorized and Unauthorized Devices. Several tools help one keep an inventory of devices: Dynamic Host Configuration Protocol (DHCP) server logging, automated asset inventory tools, an asset inventory database, an inventory of information assets, network-level authentication (802.1x), network access control, and client certificates. Client certificates and DHCP server logging also help one keep track of devices. After inventorying and tracking devices and users, one can make the proper corrections to one's network.
One of the tools used most often is DHCP server logging. When one looks at DHCP server logs, there are several fields to examine: the identification (ID), date, time, description, IP address, host name, and Media Access Control (MAC) address. The ID is the DHCP server event code, the date and time are when the entry was logged, the description says what the entry was about, the IP address is the IP address of the client, the host name is the name of the client, and the MAC address is the address attached to the client's network adapter hardware. This log helps one keep track of what events are happening. Another good tool is an automated asset inventory tool. It helps one build a preliminary asset inventory of everything connected to the network. Such tools include active and passive components. Active tools scan network ranges; some examples of active tools are Wireshark and Network Mapper (NMAP). Passive tools identify hosts by looking at their traffic; some examples are firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS).
Most tools help one both track and inventory devices. One of the best tracking tools is Network Access Control (NAC). NAC monitors authorized systems, so when an attack occurs the affected system can be moved to a separate Virtual Local Area Network (VLAN) with minimal access, so it does minimal damage to the network. A good way to help secure one's network is to hand out client certificates. Certificates are issued through a Certificate Authority (CA). The certificates verify and authenticate devices before they connect to the network.
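The following is an added example, not code from the paper, of the DHCP-log quick win described above: it parses log entries with the fields the paper lists (ID, date, time, description, IP address, host name, MAC address), keeps only lease events, and reports any lease handed to a MAC address that is not in the authorized-device inventory. The comma-separated log shape, the event codes 10 and 11, the sample log lines, and the inventory contents are all constructed assumptions for the example.

```python
"""Parse DHCP server log lines and flag leases given to MAC addresses that
are not in the authorized-device inventory (SANS CSC 1 quick win)."""
import csv
from dataclasses import dataclass
from io import StringIO

# Constructed sample log in the comma-separated shape the paper's field list
# implies. Event IDs 10 (Assign) and 11 (Renew) are assumed to be the lease
# events that matter for the inventory.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,05/09/16,00:00:01,Started,,,
10,05/09/16,08:14:22,Assign,10.0.1.25,ws-acct-07.corp.example,00A1B2C3D4E5
11,05/09/16,08:15:03,Renew,10.0.1.31,ws-eng-02.corp.example,00A1B2C3D4F0
10,05/09/16,08:21:47,Assign,10.0.1.88,android-3f2a9c,3CDEADBEEF01
"""

# Constructed authorized-device inventory: MAC -> asset tag / owner.
AUTHORIZED_MACS = {
    "00:a1:b2:c3:d4:e5": "ASSET-0042 (accounting workstation)",
    "00:a1:b2:c3:d4:f0": "ASSET-0117 (engineering workstation)",
}

LEASE_EVENTS = {"10", "11"}  # Assign, Renew


@dataclass
class Lease:
    event_id: str
    date: str
    time: str
    description: str
    ip: str
    host: str
    mac: str


def normalize_mac(raw: str) -> str:
    """Normalize '00A1B2C3D4E5' or '00-a1-b2-c3-d4-e5' to lower-case colon form."""
    hexdigits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_leases(text: str) -> list[Lease]:
    """Return only lease events (ID 10/11) that carry a MAC address."""
    leases = []
    for row in csv.DictReader(StringIO(text)):
        if row["ID"] not in LEASE_EVENTS or not row["MAC Address"]:
            continue
        leases.append(Lease(row["ID"], row["Date"], row["Time"],
                            row["Description"], row["IP Address"],
                            row["Host Name"], normalize_mac(row["MAC Address"])))
    return leases


def unauthorized_leases(leases, authorized=AUTHORIZED_MACS) -> list[Lease]:
    """Leases whose MAC is absent from the inventory: candidates for the
    restricted VLAN, or for adding to the inventory after review."""
    return [lease for lease in leases if lease.mac not in authorized]


if __name__ == "__main__":
    for lease in unauthorized_leases(parse_leases(SAMPLE_LOG)):
        print(f"UNKNOWN DEVICE {lease.mac} got {lease.ip} as "
              f"{lease.host!r} at {lease.date} {lease.time}")
```

In practice the log text would be read from the DHCP server's audit log and the inventory from the asset database; the unknown-device list is what gets fed to NAC for quarantine or to a person for reconciliation.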
The second control is Inventory of Authorized and Unauthorized Software. There are plenty of things one can do to help inventory software. A good quick win is to utilize whitelisting technology. The whitelist is an inventory of the software allowed on the network or systems; such products are also called anti-virus suites. When a piece of software tries to run, the whitelist is checked, and if the software is not on the list it is killed and not allowed to run until it is added to the list. One can get whitelisting technology from outside vendors, and it can be expensive. A few examples of whitelisting technology are Avast and McAfee. Those are a few of the common ones we use every day, but in a business setting one will want to use the more advanced ones. Another quick way to keep an inventory of software is to use file integrity checking tools. These tools check whether software has been tampered with or changed. This helps one make a list of the software on all systems, as well as the versions in use. An example of a file integrity checking tool is Syscheck. The tool makes a list of the software in use on the servers, workstations, and laptops on the network. The last quick win is to use a strict change-control process. This process is used to control changes to, or installation of, software on any system on the network. A strict change-control process also checks for unrecognized binaries, including executable files (.exe), Dynamic Link Libraries (DLL), and more, as well as compressed folders and files. It does this by comparing file hash values against those stored in its inventory lists.
A more developed way to inventory is to use software inventory tools. This tool lists the operating systems, servers, workstations, and laptops in use on the network, and records the type of software, version number, and patch level. The software inventory tool checks the versions and applications installed on the systems and network. One can also integrate the software and hardware asset inventory lists into one location, from which all hardware and software are tracked. Another way that goes beyond the quick wins is to track and/or block all dangerous file types, such as .exe, compressed (.zip), and Microsoft Installer (.msi) files. Another way is to use virtual machines and air-gapped systems to run applications for the business. An air-gapped system is a separate environment, off one's network, that is used to run software. If an application is higher risk, it should never be installed on the network; it should be installed on an air-gapped system.
In a business setting, give clients workstations that have non-persistent, virtualized operating environments. This lets one restore them quickly and easily with less downtime, because one has a trusted snapshot to restore them to periodically. This reduces the risk of spreading dangerous software, or software with dangerous code or files attached to it. Deploy software that signs software ID tags. A software ID tag is an Extensible Markup Language (XML) file shipped with software to identify what software it is. This helps provide lists that can be used for software inventory and asset management. There are also solutions that commercial vendors put together, such as anti-spyware, personal firewalls, and host IDSs and IPSs. One can get some of these products for free, but if one wants the best of the best, one will have to spend a little money to get good protection for one's network. Gray lists define the rules for execution of specific programs, for example by allowing programs to run only for certain users and at certain times of day. This is a good way to keep unnecessary applications from running on the network; if one leaves applications running, they can bog down one's systems and make them run slowly. One can also use whitelists. Whitelists can be customized by using the application's executable path, hash, or regular expression matching.
Control three is Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers. When doing this, make sure to use standard secure configurations for all OSs. Also, harden all versions and applications on one's systems to make sure there are no security concerns or vulnerabilities. A few good ideas for hardening one's system are to remove unnecessary accounts, including service accounts; disable or remove services that do not need to be running; and configure non-executable stacks and heaps. The heap is where dynamically allocated variables are found, and the stack is where local variables, function parameters, and related function data are found. It is also a good idea to build patches and apply them to one's system; make sure ports that are not being used are closed or disabled (if a port is open but used only occasionally, one can still close it and open it when it needs to be used); put an IDS and/or IPS on one's system; and install host-based firewalls. One should also make sure that one's firewalls are validated and refreshed daily, so that one prevents attacks and vulnerabilities and keeps one's security up to date.
One can also put in automated patch tools to help make sure patches for applications and one's system are applied. Sometimes this can be a bad thing because it can interrupt business functions, so make sure the patches are good for one's system. If a patch is interrupting business production, take a look at the patch and see if one can make the correction a different way, without using the patch. Most of these patches will come for applications and OS software. When an application or OS software is outdated, old, unused, or can no longer be patched, make sure one removes or updates it so it will not become a security concern or create vulnerabilities. Try to limit administrative privileges to a few users who have the knowledge to modify the configuration and apply it to the systems. This helps prevent people from changing configurations and causing problems and vulnerabilities on the systems and network. Make sure one follows the strict configuration one builds. When one builds an image, make sure it is secure. This helps prevent attacks, and when a system is compromised it should be re-imaged with the secure build one has created. After one has created secure images, make sure to store the master on a server that is configured securely and is offline and air-gapped from one's system and production network. Copy images to secure media that can be moved between the image storage and the production network, such as a USB drive or a portable hard drive.
A good way to help keep systems secure is to buy systems that can be configured securely out of the box using standardized images. This helps avoid software one does not need, decreases the attack surface, and decreases vulnerabilities on the systems and devices. When remote administration of servers, workstations, network devices, and similar equipment is used on one's network, make sure it runs over secure channels to reduce security risk. Do not use telnet, Virtual Network Computing (VNC), or RDP, to name a few channels, because they have low-level encryption. A good tool to have is a file integrity checking tool. These tools check whether the system's critical files have been altered or tampered with, and they can show suspicious changes to the system, including changes to the owner and permissions of files or directories. Another good thing about these tools is that they show one any extra files on the system. Extra files can mean there is a malicious file on the system, or that someone has hacked the system and created them, which in turn would be a security concern.
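The hash-based checking that control two (unrecognized binaries compared against stored hash values) and control three (file integrity tools that report altered, tampered, and extra files) both describe can be shown in one place. The following is an added example, not code from the paper or from any named product such as Syscheck: it builds a SHA-256 baseline of a directory tree and then reports files that were modified, files that appeared without being in the inventory, and files that went missing. The directory layout, file contents, and the simulated tampering are constructed for the demonstration.

```python
"""Hash-based file integrity / whitelist check (SANS CSC 2 and 3): build a
baseline of SHA-256 hashes for the files on a system, then report files that
were altered, files that appeared but are not in the inventory, and files
that vanished."""
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Inventory every regular file under root as relative path -> SHA-256."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check_integrity(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current state of root with the stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
        "unrecognized": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario in a temp dir: take a baseline, then simulate a
    tampered executable, a dropped unknown DLL, and a deleted config file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "service.exe").write_bytes(b"MZ\x90\x00 legit build 1.0")
        (root / "bin" / "helper.dll").write_bytes(b"MZ\x90\x00 helper")
        (root / "app.conf").write_text("listen=443\n")
        baseline = build_baseline(root)  # this is what the inventory stores

        (root / "bin" / "service.exe").write_bytes(b"MZ\x90\x00 altered")
        (root / "bin" / "dropper.dll").write_bytes(b"MZ\x90\x00 unknown")
        (root / "app.conf").unlink()
        return check_integrity(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:12s} {paths}")
```

The baseline itself must live somewhere the checked system cannot rewrite (the paper's offline, air-gapped image store is the natural place), otherwise an intruder who alters a file can also alter its stored hash.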
It is a good idea to apply and test an automated configuration monitoring system. This measures all the secure configurations using remote testing. An example of this kind of tool is Security Content Automation Protocol (SCAP). SCAP will alert one when unauthorized changes happen on the system. Another good tool to have is a system configuration management tool. These tools enforce and redeploy the configuration settings at the time and date one inputs when configuring them. A few examples are a tool from Microsoft called Active Directory Group Policy Objects and a tool for Unix called Puppet.
A good quick way to check the system for vulnerabilities is to put in automated vulnerability scanning tools. When one sets this tool up, one can configure it so that it scans the system on a daily or weekly basis, and one can put together a list of the most crucial vulnerabilities. This tool rates the vulnerabilities by risk and produces risk scores for them. When one uses this tool, make sure to use SCAP. SCAP looks for code-based and configuration-based vulnerabilities on the system. If one brings the older scan and the new scan together, one can see whether a vulnerability has been fixed. To achieve this, one has to reach two goals: make sure the scans produce logs as they scan the system, and make sure one combines the older and newer scans. When one sets up these scans, make sure they run in authenticated mode. Authenticated mode means that one has authorized the software, applications, or files to run. Also, make sure to put agents that run locally on each system to check the security configurations, or put up remote scanners that have administrative rights. Make sure that only authorized people have access to the vulnerability management user interface. If one gives the wrong people access, it could create more vulnerabilities and security concerns, and production in the company will go down.
Regularly check in with security intelligence services. Keep up with the emerging exposures that are released and make sure the vulnerability scanning tools on the organization's systems are up to date. A good way to keep up with patches for one's system is to install automated patch management and software update tools. Make sure the tools are used for OS, software, and application patches. Before pushing patches out to the network, make sure to test them on a sandbox machine or in a test environment. One does this to make sure the patch will not affect the company's production and will not create any more vulnerabilities on the system and network. If patches run in the test environment break some applications, one will have to find another way to fix the vulnerabilities the patch would have fixed without affecting business production. When one is patching or fixing vulnerabilities, make sure to patch or fix the high-risk ones first. To help determine this, look at exploitability and potential impact. When one has a batch of patches, test them first; then, when one is ready to push them out, make sure to roll them out in phases. This helps minimize their impact on the company.
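The two ideas in the passages above, combining an older and a newer scan to see what was fixed and ordering the remaining work by exploitability and potential impact, are shown together in the following added example. It is not code from the paper or from any scanner. The Finding fields, the VULN-nnnn identifiers (placeholders standing in for the CVE or plugin IDs a real scanner reports), the asset-criticality values, and the risk-weighting formula are all assumptions constructed for the example.

```python
"""Combine an older and a newer vulnerability scan (SANS CSC 4): report which
findings were fixed, which are new, which persist, and order the remaining
work by exploitability and potential impact."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str            # placeholder IDs; real scanners report CVE/plugin IDs
    cvss: float             # base score 0.0-10.0 as reported by the scanner
    exploit_public: bool    # scanner/intelligence feed says an exploit is public
    asset_criticality: int  # 1 (lab box) .. 3 (crown-jewel server), from the asset inventory

    def key(self):
        return (self.host, self.vuln_id)


# Constructed sample scans, one week apart.
OLD_SCAN = [
    Finding("db01", "VULN-0001", 9.8, True, 3),
    Finding("db01", "VULN-0002", 5.3, False, 3),
    Finding("ws07", "VULN-0003", 7.5, True, 1),
    Finding("ws07", "VULN-0004", 4.3, False, 1),
]
NEW_SCAN = [
    Finding("db01", "VULN-0002", 5.3, False, 3),   # still there
    Finding("ws07", "VULN-0003", 7.5, True, 1),    # still there
    Finding("web02", "VULN-0005", 8.8, True, 2),   # new this week
    Finding("ws07", "VULN-0006", 6.1, False, 1),   # new this week
]


def diff_scans(old, new):
    """Match findings across scans by (host, vuln_id)."""
    old_keys = {f.key(): f for f in old}
    new_keys = {f.key(): f for f in new}
    return {
        "fixed": [old_keys[k] for k in sorted(old_keys.keys() - new_keys.keys())],
        "new": [new_keys[k] for k in sorted(new_keys.keys() - old_keys.keys())],
        "persisting": [new_keys[k] for k in sorted(old_keys.keys() & new_keys.keys())],
    }


def risk_score(f: Finding) -> float:
    """Exploitability (a public exploit doubles the weight) times potential
    impact (CVSS scaled by how critical the asset is). This weighting is an
    assumption for the example, not a SANS or scanner formula."""
    exploitability = 2.0 if f.exploit_public else 1.0
    impact = f.cvss * f.asset_criticality
    return exploitability * impact


def prioritize(findings):
    """Highest risk first: these get patched (and tested) before the rest."""
    return sorted(findings, key=risk_score, reverse=True)


if __name__ == "__main__":
    d = diff_scans(OLD_SCAN, NEW_SCAN)
    print("fixed:", [f.key() for f in d["fixed"]])
    for f in prioritize(d["new"] + d["persisting"]):
        print(f"{risk_score(f):6.1f} {f.host:6s} {f.vuln_id}")
```

Note that a finding that is "fixed" in this sense has only stopped appearing; if the newer scan ran unauthenticated or against a host that was offline, the finding can silently drop out, which is why the paper's advice to run scans in authenticated mode and to log each scan matters for the comparison.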
Control five is Malware Defenses. A good idea is to put in automated tools that monitor servers, workstations, and mobile devices with anti-virus software, anti-spyware software, personal firewalls, and host-based IPSs. The detections the software makes can be sent to anti-malware tools or event log servers. Another good thing to have on the system is anti-malware software. Anti-malware offers a remote cloud-based infrastructure that stays in sync with file reputation information, or the administrator manually pushes the updates to the network and all machines. It also verifies that all machines and systems have received the signature update or updates. Make sure one configures laptops, workstations, and servers so that they will not automatically run removable media that is inserted. Some examples of removable media are USB tokens, USB hard drives, CD/DVDs, FireWire devices, external Serial Advanced Technology Attachment (eSATA) devices, and mounted network shares. When removable media is inserted, make sure the workstations, laptops, and servers are set up to automatically run an anti-malware scan on the media. This provides more security to the systems and helps prevent malware and virus attacks.
Make sure to run software that scans all email attachments for malicious code, or blocks attachments that are not necessary for business needs. This can be done by setting a size limit on incoming emails. One can also run web content filtering and email content filtering. Enable anti-exploitation features on workstations, laptops, and servers. There are many ways to do this, but some are Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and virtualization. A good tool to use is the Enhanced Mitigation Experience Toolkit (EMET), because it can be set up at the borders of applications and software. Limit the external devices that come onto the network. Make sure people use only those needed for business purposes, and monitor the use of, and attempted use of, external devices. When one is using automated monitoring tools, make sure they are in behavior-based mode rather than signature-based mode. Use network-based anti-malware tools; these allow one to identify executables in the network's traffic. Use detection modes other than signature-based modes, because they identify and remove malicious code before it reaches the endpoints. Establish an incident response process. This supplies the security team with malware samples that are not detected by the anti-malware software. When the security team has the malicious samples, they can tear them apart, see what the malicious code is, and look at how it was made, so if it comes up again it will be easier to detect. It is also good to create "out-of-band" signatures. When a sample is found, the security team sends it to the security company they outsource to, which creates the signature and sends it back; the business's security team then uses it in their tools to help detect the malicious code if it comes up again. This helps the network team establish trust when they go into the management function to apply network resources. These will later be put on the enterprise by the administration.
So far I have discussed five of the twenty SANS Critical Security Controls: Inventory of Authorized and Unauthorized Devices, Inventory of Authorized and Unauthorized Software, Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers, Continuous Vulnerability Assessment and Remediation, and Malware Defenses. These controls can be used to inventory, track, and correct assets, to control how they are acquired and accessed, and to take action against the installation, spread, and execution of malicious code. I also discussed how the controls are used in a business setting, and some of the quick wins and more advanced ways to make systems safe. Remember, as a company grows, it will need increasingly strong security defenses.
Control six is Application Software Security. Control six is designed to help businesses prevent, detect, and correct security weaknesses in software applications. First, some quick wins that will help in the short term: make sure the version of the application is still supported by the vendor or company. If it is still supported, make sure all patches and security recommendations are up to date with the vendor or company. If the version is not supported, one will have to update to a supported version and ensure all patches and security recommendations are up to date. Another quick win is to deploy Web Application Firewalls (WAFs). WAFs inspect the traffic coming into the web application for commonly known web application attacks. For non-web-based applications one has to do something a little different: deploy an application firewall (or firewalls) specific to that software application. If the traffic is encrypted, the firewall should be able to decrypt it, or should be placed behind the point where it is decrypted.
Ensure that all in-house developed software goes through explicit error checking. This checking records the size, data type, and all acceptable ranges and formats for the application's input. Another way to help with web-based applications is to run automated remote web application scanners. These help one check all in-house and third-party web applications for commonly known security weaknesses. Also, run tests for Denial-of-Service (DoS) attacks and resource exhaustion attacks. DoS is an attack that makes one's software applications stop running properly; restricting the size and/or amount of resources that can be requested helps prevent it. A DoS attack is an example of Uncontrolled Resource Consumption. Make sure to configure systems so that end users do not see application error messages. This is called output sanitization. Another good thing to do is to separate production systems from non-production systems. Production systems are used for the production of products or equipment; non-production systems are not.
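As an added example, not code from the paper, the following shows the three practices described above in one small request handler: explicit checking of each input field's size, data type, range, and format; a cap on request size as a guard against resource exhaustion; and output sanitization, where the detailed reason for a rejection is written to the server log while the end user sees only a generic message. The order-form schema, field names, and regular expression are constructed for a hypothetical application.

```python
"""Explicit input checking and output sanitization for a form handler
(SANS CSC 6). Each field has a declared size, type, range, and format; the
user sees only a generic message, while the detailed reason goes to the log."""
import logging
import re
from dataclasses import dataclass
from typing import Optional

log = logging.getLogger("app.validation")

MAX_BODY_BYTES = 4096  # request size cap: the resource-exhaustion guard


@dataclass(frozen=True)
class FieldSpec:
    max_len: int                    # size
    kind: type                      # data type: str or int
    pattern: Optional[str] = None   # format: regex applied to the raw string
    lo: Optional[int] = None        # acceptable range for ints
    hi: Optional[int] = None


# Constructed schema for a hypothetical order form.
ORDER_FORM = {
    "customer_id": FieldSpec(max_len=10, kind=int, lo=1, hi=10_000_000),
    "sku":         FieldSpec(max_len=12, kind=str, pattern=r"[A-Z]{3}-\d{4,8}"),
    "quantity":    FieldSpec(max_len=4,  kind=int, lo=1, hi=500),
}


class ValidationError(ValueError):
    pass


def validate(form: dict, schema: dict = ORDER_FORM, body_bytes: int = 0) -> dict:
    """Return a dict of typed, checked values or raise ValidationError with
    the precise reason (for the log, never for the client)."""
    if body_bytes > MAX_BODY_BYTES:
        raise ValidationError(f"body {body_bytes}B exceeds {MAX_BODY_BYTES}B")
    unexpected = set(form) - set(schema)
    if unexpected:
        raise ValidationError(f"unexpected fields {sorted(unexpected)}")
    clean = {}
    for name, spec in schema.items():
        raw = form.get(name)
        if raw is None:
            raise ValidationError(f"{name}: missing")
        if not isinstance(raw, str) or len(raw) > spec.max_len:
            raise ValidationError(f"{name}: wrong type or longer than {spec.max_len}")
        if spec.pattern and not re.fullmatch(spec.pattern, raw):
            raise ValidationError(f"{name}: bad format")
        if spec.kind is int:
            if not re.fullmatch(r"-?\d+", raw):
                raise ValidationError(f"{name}: not an integer")
            value = int(raw)
            if not (spec.lo <= value <= spec.hi):
                raise ValidationError(f"{name}: {value} outside {spec.lo}..{spec.hi}")
        else:
            value = raw
        clean[name] = value
    return clean


def handle_order(form: dict, body_bytes: int = 0) -> tuple:
    """Return (status, message for the end user). Output sanitization: the
    detailed reason is logged server-side; the client gets a generic line."""
    try:
        order = validate(form, body_bytes=body_bytes)
    except ValidationError as exc:
        log.warning("rejected order request: %s", exc)
        return 400, "Your request could not be processed."
    return 200, f"Order accepted for SKU {order['sku']}."
```

Rejecting unexpected fields matters as much as checking the expected ones: a field the schema does not mention is the usual route for a parameter the developer never intended a client to set.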
Some of the more advanced ways to secure one's applications are:
Deploy automated static code analysis software
o Scans the code of all in-house applications and third-party software for changes, and scans the application before it is deployed on the system
Risk management process
o Determine which vulnerabilities are high risk and correct them first
o Look at the vendor's security process for the application, including history of vulnerabilities, customer notification, patching, and remediation
Manual testing and inspection
o Review and test the input validation and output encoding routines
Also, make sure to use standard hardening configuration templates for applications that rely on a database. Always test applications that are critical to the business processes, because one does not want any security problems there. Ensure all personnel in software development receive training in writing secure code for their development environments. When deploying one's in-house developed applications, make sure no development artifacts are left on them and that such artifacts cannot be accessed from the production setting. Development artifacts are sample data, sample scripts, unused libraries, components, and debugging code and tools.
Lastly, to see if this control is working, businesses should ask these four questions; according to the Council on CyberSecurity, each is answered yes or no or with a time in minutes.
1. Can the application system detect attacks and block them within 24 hours of being detected?
2. Are all internet-facing applications scanned by web application vulnerability scanners at least weekly?
3. How long does it take for alerts to be generated and sent to system administrators that a vulnerability scan has or has not completed?
4. Are the vulnerabilities detected by the scanning tools fixed or remediated within 15 days of detection?
To help identify failure points, follow these three steps: set up web application firewalls to protect connections to the internal web applications, make sure software applications securely connect to the database systems, and use code analysis and vulnerability scanning tools to scan the application systems and database systems.
Control seven is Wireless Access Control. First, a few quick wins that help secure the wireless network: ensure that each wireless device connected to the network matches the authorized configuration and security profile that was created beforehand. Also, confirm that each device has a documented owner of the connection and a defined business need for it to be connected to the network. Another quick win is to configure all network vulnerability scanning tools so they detect wireless access points connected to the wired network. It is a good idea to disconnect all unauthorized access points and keep a list of the devices reconciled against the authorized wireless access points. This helps gather information on the devices and helps detect them if they try to connect again.
Next, some more advanced ways to secure one's systems. Deploy Wireless Intrusion Detection Systems (WIDS) to help identify unauthorized devices, attack attempts, and successful attacks on the system. This helps keep a log of the vulnerabilities and lets one take action to secure the system. Also, let the WIDS monitor the traffic that passes to the wired network, to help catch common network attacks. Confirm that the client machines belonging to one's network have access to the authorized wireless access points. To do this, one has to configure the devices to give them access to certain wireless networks. In addition, go into the hardware settings of machines that have no business purpose for connecting to the wireless network and disable their wireless access. Always configure the devices with passwords, to lower the possibility that the user will override the configurations one puts on the device. Ensure that all wireless traffic uses Advanced Encryption Standard (AES) with Wi-Fi Protected Access 2 (WPA2) security. Also, make certain that all wireless networks use Extensible Authentication Protocol-Transport Layer Security (EAP/TLS). EAP/TLS is an authentication protocol that provides mutual authentication and protection. Make sure that peer-to-peer wireless networking capabilities are disabled on devices that have no business purpose for them; if there is a business purpose, do not disable them. Any wireless peripheral access should be disabled on all devices that have it. An example of this is Bluetooth. It can be a huge security problem, because such devices are easy to hack and take control of; they do not have very good security on them, or people do not know how to use them properly, so it is best to just disable them. An even more advanced way to handle BYOD or other untrusted devices is to make separate VLANs for them. When one does this, make sure that their internet access goes through the same border as the corporate internet access. These VLANs should be treated as untrusted, and filtered and audited if they access the enterprise network. To help understand this control and check whether it is in place, use the following steps.
1. Ensure all the configurations on the wireless devices are hardened.
2. Harden all the configurations that are controlled by the configuration management system.
3. Make sure the configuration management system is managing the wireless devices.
4. Make certain the wireless IDSs are monitoring the wireless communications.
5. Use the vulnerability scanners to scan the wireless devices for vulnerabilities.
6. Make sure the clients that use wireless communication use the wireless infrastructure securely.
Control eight is Data Recovery Capability. First some quick wins, then some more advanced ways to back up one's data. The first quick win is to automatically back up each system at least weekly. If a system holds more sensitive data, back it up more often. Make sure to include the OS, application software, and data, though they do not need to be in the same backup file or the same backup software. This helps restore systems that have failed or crashed more quickly and get them back up and running. Make certain to test the backup data on a regular basis to make sure it is working properly; the way to test it is to run the data restoration process. When storing backup data, make sure it is properly protected. Use physical security and encryption, and it is also a good idea to use remote backups and cloud services. For key systems, one should have at least one destination for backups. It is always better to have more than one place to keep copies of the original backup, but remember to configure their security more tightly so no one who is not authorized can get in. Make certain that the backup destination is not continuously addressable by the OS. This reduces the risk of attacks like CryptoLocker. CryptoLocker is an attack that encrypts or damages data on addressable data shares, which includes backup destinations. It is a good idea to air-gap the backup data, or make sure a copy is stored offline away from the enterprise network.
One should test backup data monthly, or at least once per quarter. To do this testing, one should have a testing team attempt to restore five systems from the backup data in either a physical or virtual testing environment. When testing, check whether the restored systems are compatible with the Operating Systems (OS) and applications. It is a good idea to make diagrams of the entities involved, because this makes it easier to implement and test the controls and to identify vulnerabilities or faults in the systems. A control system is one where a device or group of devices manages, commands, directs, or regulates other systems or devices. The diagram below shows how this control is implemented in two easy steps and how the different devices work together.
Figure 1: 2 Step Process
These two steps are:
1. Make sure the business systems back up their data on a daily basis.
2. The backups are stored offline on a secure storage device.
Control nine is Security Skills Assessment and Appropriate Training to Fill Gaps. People's actions play an important role in the success or failure of the enterprise. People also provide important functions at the stages of implementation, operation, use, and oversight of each application. Some examples: end users can become victims of social engineering attempts like phishing; security analysts have a hard time keeping up with new information about exploits and vulnerabilities; and system owners and executives do not understand the role cybersecurity plays in operations and have no way to make relevant investment decisions reasonably. Black hats are aware of these issues that the public and businesses have, so they plan their attacks accordingly. Even companies with good defenses in place always have to keep increasing their readiness for new vulnerabilities.
There are a few quick wins that help train employees: use gap analysis, implement the necessary training, and put in an online security awareness program. Gap analysis is where one looks at the skills and behaviors employees need to improve on. Obtaining this information helps build a baseline for training and awareness of all employees. It also helps employees develop more skills and adapt the skills they have now. After one has developed the baseline of the employees, implement the necessary training. It is a good idea to use senior staff and outside sources to deliver the training. The reason to use senior staff is to show employees that upper management cares enough to take the time to come and train them. The seniors at the business set the tone for the employees, so if the seniors are upbeat, excited, and caring, it makes the employees feel good and want to work harder. Using outside sources to train is necessary because they are specifically trained in the skills businesses want their employees to excel in or be more successful with. Another way to train employees, where there is a small number of them, is to use online training and/or conference training. The last quick win is putting in an online security awareness program for employees. The online program helps keep employees up to date on common intrusions that can be blocked by individual actions. Implement short, convenient modules for employees to complete. As the person creating the modules, ensure they are up to date with the latest attack techniques, set a date for employees to have the modules done, and keep an eye on everyone's progress so that they are completing them.
Make sure to test the employees periodically because this will improve awareness and
validate their skill levels. If an employee fails one of the tests, create specific training for them, but
make sure to inform them that it is not a punishment and is meant to help them improve. Put
security skill assessments in place for all mission-critical roles. Using these will help one identify the
skill gaps. If an individual has skill gaps, there are third parties with online material that can
help them improve and master their skills.
To make an enterprise-wide training program effective, use a holistic approach and
make sure to look at policy and technology as well as training employees. The holistic approach is
all about developing a person as a whole. Senior management should put in technical controls to
help reduce mistakes. Also, focus training on the behaviors that cannot be controlled technically.
Keep in mind the cost and outcome of the training. To do this, keep the
training prioritized, focused on what needs to be accomplished, and specifically focused on the
business's critical roles and jobs first. Use the list that the Council on CyberSecurity developed,
which is based on the 2012 Task Force on Cyber Skills established by the Secretary of Homeland
Security.
1. System and Network Penetration Testers.
2. Application Penetration Testers.
3. Security Monitoring and Event Analysts.
4. Incident Responders In-depth.
5. Counter-Intelligence and Insider Threat Analysts.
6. Risk Assessment Engineers.
7. Secure Coders and Code Reviews.
8. Security Engineers Architectures and Design.
9. Security Engineers and Operations.
10. Advanced Forensics Analysts.
Control ten is Secure Configurations for Network Devices such as firewalls, routers and
switches. A quick win is to compare the standard configuration with the configuration of the
devices that are connected to the network. All configurations should be documented,
reviewed, and approved by the organization's change control board. Ensure to log all
new configuration rules beyond the baseline-hardened configuration that allow traffic
to flow through the security devices on the network. These devices include firewalls and
network-based IPS. When one documents the new configurations, make sure to include the
specific business reason for the change, the person or people responsible for the
business need, and the amount of time the change is needed. Another way to help secure the
configurations of network devices is to use automated tools that look
at the standing device configurations to detect whether there has been a change. Sometimes it is necessary to
use two-factor authentication and encrypted sessions to manage network devices. An example of
this is a Common Access Card (CAC). A CAC is a chipped card that is inserted into a computer,
allowing an individual to log in with either a password or a Personal Identification Number (PIN)
and then gain access to the network. Ensure all the stable versions of the security-related updates
are installed on each device, but make sure to test the updates before they are installed on the
devices on the network. One will want to test them first because if an update interrupts a
business function, then the update is not adequate for the business's devices. If it is not a good
update for the device, one will have to look into what the update is for and find another way to
incorporate it. One will want to keep an eye on network infrastructure that is
separated from the network using VLANs. It is even better to put those devices on a completely
different physical connection for management sessions.
These six steps show how the different systems work together.
1. Hardened device configurations are applied to the production devices.
2. Hardened device configurations are stored in a secure configuration management
system.
3. Make sure the management system validates all the configurations of the devices on the
production network.
4. Ensure the patch management system applies tested updates to the production
network.
5. Make sure to use two-factor authentication systems for administrative access to the
production network.
6. Make certain the proxy, firewall, and network monitoring systems analyze all
connections to the production network at all times.
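The automated configuration check described above, as an added example that is not from the paper or the Council on CyberSecurity: it diffs a device's running configuration against the baseline-hardened configuration and tolerates only changes that have a documented owner, business reason and expiry date. The configuration lines, the exception record and the dates are constructed.

```python
"""Detect drift of a network device's running configuration from its
approved baseline, allowing only documented, unexpired exceptions.

Added example, not from the paper or the Council on CyberSecurity. The
configuration lines, the exception record and the dates are constructed.
"""
from datetime import date

# Constructed baseline-hardened configuration of a border firewall.
BASELINE = """
hostname fw-edge-1
service password-encryption
no ip http server
access-list 101 permit tcp any host 203.0.113.10 eq 443
access-list 101 deny ip any any log
""".strip().splitlines()

# Constructed running configuration pulled from the device by the
# automated tool: one approved extra rule, one undocumented change.
RUNNING = """
hostname fw-edge-1
service password-encryption
ip http server
access-list 101 permit tcp any host 203.0.113.10 eq 443
access-list 101 permit tcp any host 203.0.113.10 eq 8443
access-list 101 deny ip any any log
""".strip().splitlines()

# Every rule beyond the baseline is recorded with the business reason,
# the responsible owner and the date the change is no longer needed.
EXCEPTIONS = [
    {
        "line": "access-list 101 permit tcp any host 203.0.113.10 eq 8443",
        "reason": "vendor portal pilot",
        "owner": "J. Doe",
        "expires": "2016-06-30",
    },
]


def normalize(lines):
    """Trim whitespace and drop blank and comment lines before comparing."""
    return {ln.strip() for ln in lines if ln.strip() and not ln.strip().startswith("!")}


def check_drift(baseline, running, exceptions, today):
    """Compare the running configuration with the baseline.

    Returns lists of:
      added   - lines on the device that are neither in the baseline nor
                covered by an unexpired documented exception
      removed - baseline hardening lines missing from the device
      expired - documented exceptions still configured after their
                approval window ended
    """
    today = date.fromisoformat(today)
    base = normalize(baseline)
    run = normalize(running)
    valid = {e["line"] for e in exceptions if date.fromisoformat(e["expires"]) >= today}
    expired = {e["line"] for e in exceptions
               if date.fromisoformat(e["expires"]) < today and e["line"] in run}
    return {
        "added": sorted((run - base) - valid - expired),
        "removed": sorted(base - run),
        "expired": sorted(expired),
    }


def is_compliant(report):
    """True when the device matches the baseline plus approved exceptions."""
    return not (report["added"] or report["removed"] or report["expired"])


if __name__ == "__main__":
    report = check_drift(BASELINE, RUNNING, EXCEPTIONS, "2016-05-09")
    for kind, lines in report.items():
        for ln in lines:
            print(f"ALERT {kind}: {ln}")
    print("compliant" if is_compliant(report) else "drift detected")
```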
Also, to test the effectiveness of the automated implementation of this control, one should ask
these questions and record the answers as yes, no, or a time in minutes, according to the Council on
CyberSecurity.
1. How long does it take to detect configuration changes to a network system?
2. How long does it take the scanners to alert the organization's administrators that an
unauthorized configuration change has occurred?
3. How long does it take to block/quarantine unauthorized changes on network systems?
4. Are the scanners able to identify the location, department, and other critical details
about the systems where unauthorized changes occurred?
Lastly, to help sort through all of the data and get the most relevant data, one should ask
these questions and record the answers by business unit, according to the Council on CyberSecurity.
1. What is the percentage of network devices that are not currently configured with a
security configuration that matches the organization’s approved configuration
standard?
2. What is the percentage of network devices whose security configuration is not
enforced by the organization’s technical configuration management applications?
3. What is the percentage of network devices that are not up to date with the latest
available operating system software security patches?
4. What is the percentage of network devices that do not require two-factor authentication to
administer the device?
In this paper, I talked about SANS Critical Security Controls six through ten. The
controls were Inventory of Application Software Security, Wireless Access Control, Data
Recovery Capability, Security Skills Assessment and Appropriate Training to Fill Gaps, and
Secure Configurations for Network Devices. These controls can be used to help track, detect,
report, prevent, and back up data and to help with training of employees. I also talked about how
the controls are being used in a business setting and about some quick wins through to more advanced
ways to make the systems safe. As technology grows, black hats and some of the gray hats will
become more advanced in their hacking, so as a cyber-world we need to become more advanced
and aware of how our networks are set up and how much we should lock down systems to keep
our information safe while meeting the needs of the business. Always remember to keep up to date on all
the new security vulnerabilities and always expand one's knowledge.
Control 11 is Limitation and Control of Network Ports, Protocols, and Services. There are
several quick wins that will help put limitations and controls in place. The first is to make
sure only the ports, protocols and services that are used for business needs are running on each system,
because unauthorized open ports, protocols and services can create
vulnerabilities. Put in host-based firewalls and/or port filtering tools on the end systems to help
filter incoming traffic. Ensure to include a default deny rule that lists the ports and
services allowed and drops the rest. The default deny rule means the administrator makes
a list of the services that are allowed and everything else is denied. Also, run automated port scans on a
regular basis. These should be run against all key services and compared to a known effective baseline; an alert
is generated if a change to the baseline is not on the organization's approved baseline. The last
quick win is to ensure all the services are up to date and to remove and uninstall all unnecessary
components from the systems. This will help make sure there are no services that can
create vulnerabilities on the systems.
There are more advanced ways to help limit and control the ports, protocols, and
services on one's systems. Be sure to look at all the servers that are visible from the internet or on an
untrusted network. If a server is visible from the internet or is on an untrusted network and it is not
required for a business need, move it to a VLAN and give it a private address. Also, put
critical services such as DNS, file, mail, web and database servers on different logical or physical host
machines. Lastly, put application firewalls in front of the critical servers to check,
verify, and validate the traffic to the server; unauthorized services or traffic should be blocked, or
an alert should be generated and reviewed by security personnel.
To help test this control, one should look at the following questions and record the answers as a
time in minutes or a yes or no status.
1. How long does it take systems to identify any new unauthorized listening network ports
that are installed on network systems?
2. How long does it take for alerts to be generated about new services being installed?
3. Are alerts then sent every 24 hours until the listening network port has been disabled or it
has been authorized by change management?
4. Do alerts indicate the location, department, and other details about the system where
authorized and unauthorized network ports are running?
To help automate the collection of the relevant data, one should gather the following data by
business unit.
1. What is the percentage of the organization's systems that are not currently running a host-
based firewall?
2. How many unauthorized services are currently running on the organization's business systems?
3. How many deviations from approved service baselines have been discovered recently on
the organization's business systems?
The following list describes this control in four steps to help identify the potential failure
points.
Step 1- An active scanner analyzes production systems for unauthorized ports, protocols, and
services.
Step 2- Regularly update system baselines based on the required services of the business.
Step 3- The active scanners should validate which ports, protocols, and services are
blocked or allowed by the application firewall.
Step 4- The active scanners should also validate the accessible ports, protocols and services
that the business systems protect with host-based firewalls.
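The scan-against-baseline check and the alerting behaviour asked about in the test questions (alert on a new listening port, re-alert every 24 hours until it is disabled or authorized by change management), as an added example that is not from the paper: the scanner output format, the baseline and the change-management decisions are constructed.

```python
"""Compare the listening ports found by a scan against the approved
service baseline, alert on deviations and re-alert every 24 hours until
the port is disabled or authorized by change management.

Added example, not from the paper. The scanner output format, the
baseline and the change-management decisions are constructed.
"""
from datetime import datetime, timedelta

REALERT_AFTER = timedelta(hours=24)  # re-alert interval from the text

# Approved baseline: (host, protocol, port) -> business service.
BASELINE = {
    ("web-1", "tcp", 443): "https",
    ("web-1", "tcp", 22): "ssh-admin",
    ("db-1", "tcp", 5432): "postgres",
    ("db-1", "tcp", 22): "ssh-admin",
}


def parse_scan(text):
    """Parse constructed scanner output: 'host proto port process' per line."""
    listening = {}
    for line in text.strip().splitlines():
        host, proto, port, process = line.split()
        listening[(host, proto, int(port))] = process
    return listening


class PortMonitor:
    def __init__(self, baseline):
        self.baseline = dict(baseline)
        self.open_alerts = {}  # (host, proto, port) -> time of last alert

    def authorize(self, key, service):
        """Change management approved the port: baseline it, close the alert."""
        self.baseline[key] = service
        self.open_alerts.pop(key, None)

    def evaluate(self, listening, now):
        """Return the alerts to send for this scan.

        An unauthorized listening port alerts when first seen and again
        every 24 hours while it remains; a port that disappears closes its
        alert. Baseline services that are not listening are reported too,
        since that is also a deviation from the approved baseline.
        """
        now = datetime.fromisoformat(now)
        alerts = []
        for (host, proto, port), process in listening.items():
            key = (host, proto, port)
            if key in self.baseline:
                continue
            last = self.open_alerts.get(key)
            if last is None or now - last >= REALERT_AFTER:
                self.open_alerts[key] = now
                alerts.append(f"unauthorized {proto}/{port} on {host} ({process})")
        for key in list(self.open_alerts):
            if key not in listening:
                del self.open_alerts[key]
        for (host, proto, port), service in self.baseline.items():
            if (host, proto, port) not in listening:
                alerts.append(f"expected {service} {proto}/{port} on {host} not listening")
        return alerts


# Constructed scan: two listeners that are not in the baseline.
SCAN_1 = """
web-1 tcp 443 nginx
web-1 tcp 22 sshd
web-1 tcp 8080 python
db-1 tcp 5432 postgres
db-1 tcp 22 sshd
db-1 udp 69 tftpd
"""


def demo():
    """Walk one deviation through first alert, 24h re-alert and closure."""
    mon = PortMonitor(BASELINE)
    first = mon.evaluate(parse_scan(SCAN_1), "2016-05-09T08:00:00")
    repeat = mon.evaluate(parse_scan(SCAN_1), "2016-05-09T09:00:00")
    next_day = mon.evaluate(parse_scan(SCAN_1), "2016-05-10T09:00:00")
    mon.authorize(("web-1", "tcp", 8080), "app-pilot")                  # approved
    without_tftp = parse_scan(SCAN_1.replace("db-1 udp 69 tftpd\n", ""))  # disabled
    closed = mon.evaluate(without_tftp, "2016-05-11T09:00:00")
    return len(first), len(repeat), len(next_day), len(closed), len(mon.open_alerts)


if __name__ == "__main__":
    print(demo())  # (2, 0, 2, 0, 0)
```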
Control 12 is Controlled Use of Administrative Privileges. One should keep
administrative privileges to a minimum and use the accounts only when required. Auditing should
focus on the use of administrative privilege functions and on monitoring for anomalous behavior.
A good idea is to put in automated tools to take inventory of all the administrative
accounts, and the tool should verify that the privileges on desktops, laptops and servers are authorized by a
senior executive. One should create administrative passwords that are complex, mixing
numbers, letters, and alternative characters. It is
okay to use passwords that include dictionary words and special characters, but they have to be of a
reasonable length. When deploying new devices onto the network, ensure to change the
passwords on the applications, operating systems (OS), routers, firewalls, wireless access points,
and other systems. Also, all service accounts should have difficult-to-guess passwords and be
changed on a regular basis, as user and administrative passwords are. For a password to be repeated,
there has to be at least a six-month period in between.
All passwords should be encrypted or hashed while they are in storage. The hashes
should follow the National Institute of Standards and Technology (NIST) Special Publication
(SP) 800-132 or similar guidance. The only people who have access to the files
that contain the hashed or encrypted passwords should be those with super-user privileges. Use Access Control
Lists (ACLs) to ensure that administrative accounts use the system for administrative
purposes only and not for reading email, creating documents or going onto the internet. It is best to
configure web browsers to never run while someone is logged into an administrative account.
Ensure all administrators and users have different and unique passwords through the policies that
are put in place and through user awareness. Any employee that requires administrative access needs to
be given their own account. One should use the “administrator” account in Windows or “root” in Unix
for emergencies only. For the system administrator, use the domain administrator accounts and
not the local administrative accounts. Make sure to have the tool create an alert and a log entry
when an account is added to or removed from the domain administrators group or when a
new local administrator account is added on a system. Configuring the system to generate
an alert and a log entry when a failed login attempt to an administrative account happens
makes sure there is no unauthorized person trying to get access to the administrative
account.
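One way to store administrative passwords following the SP 800-132 approach (salted PBKDF2) while refusing reuse of a user's recent passwords, as an added example that is not from the paper. The iteration count, the history depth of fifteen (the reuse rule stated under control 16) and the sample passwords are constructed; the six-month rule above would additionally need a change timestamp per history entry, which this example does not keep.

```python
"""Store passwords as salted PBKDF2 hashes, the construction described in
NIST SP 800-132, and refuse reuse of a user's recent passwords.

Added example, not from the paper. The iteration count, the history depth
and the sample passwords are constructed.
"""
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000   # constructed; SP 800-132 only sets a minimum
SALT_BYTES = 16        # 128-bit random salt
KEY_BYTES = 32
HISTORY_DEPTH = 15     # previous passwords that may not be reused


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2-sha256$iterations$salt$key' for storage on disk."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, dklen=KEY_BYTES)
    return "$".join(("pbkdf2-sha256", str(iterations), _b64(salt), _b64(key)))


def verify_password(password, stored):
    """Recompute the key with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt, key = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2-sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    base64.b64decode(salt), int(iterations),
                                    dklen=KEY_BYTES)
    return hmac.compare_digest(candidate, base64.b64decode(key))


class PasswordStore:
    """Hash storage with a per-user history to enforce the no-reuse rule.

    The file behind this store must be readable by super-user accounts
    only; that is a file-permission matter outside this example.
    """

    def __init__(self):
        self._records = {}  # user -> {"current": hash, "history": [older hashes]}

    def set_password(self, user, password):
        rec = self._records.setdefault(user, {"current": None, "history": []})
        previous = ([rec["current"]] if rec["current"] else []) + rec["history"]
        if any(verify_password(password, old) for old in previous):
            raise ValueError("password was used recently and may not be reused")
        if rec["current"]:
            # current plus HISTORY_DEPTH - 1 older hashes = fifteen previous
            rec["history"] = [rec["current"]] + rec["history"][:HISTORY_DEPTH - 1]
        rec["current"] = hash_password(password)

    def check(self, user, password):
        rec = self._records.get(user)
        return rec is not None and verify_password(password, rec["current"])


if __name__ == "__main__":
    store = PasswordStore()
    store.set_password("admin-jdoe", "Tr0ub4dor&3-horse-battery")  # constructed
    print(store.check("admin-jdoe", "Tr0ub4dor&3-horse-battery"))  # True
```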
Use multi-factor authentication for all administrative accounts because it will make it
harder for people to get access to administration accounts. A few techniques one can use for
multi-factor authentication are smart cards with certificates, One Time Password (OTP) tokens,
and biometrics. Biometrics is the identification of a person by using their biological features.
Some of the devices include face scanners, hand scanners, finger scanners, retina or iris scanners,
and voice scanners. When using multi-factor certificate-based authentication, make sure all the
private keys are protected by strong passwords or stored on trusted and secure hardware tokens.
Block direct login to a machine, either remotely or locally, with administrator-level accounts.
Instead, administrators should use a logged, non-administrator account. When
they are logged on, they are able to use administrative privileges with tools such as RunAs
in Windows and sudo in Linux/Unix. Each time a user uses their own administrator account,
they will have to enter a password because it is different from the user account they are logged
in as.
Control 13 is Boundary Defense. There are a few quick wins that help with boundary
defense more quickly than the more advanced ways, but the more advanced ways will help long
term. One quick win is to limit or deny data flow to known malicious IP addresses (blacklists)
and/or limit access to trusted sites (whitelists). One way to verify that blacklisted addresses are not
sending any data is to send packets using a bogon source IP address, which is a non-routable or unused IP
address. Lists of these bogon addresses can be found on the internet. The last quick
win is, when one is using Demilitarized Zone (DMZ) networks, to configure the
monitoring systems to record at minimum the packet header information, though it is preferred to
record the full packet headers and payloads of the traffic designated for or passing
through the network border. Some more advanced ways are to put a Sender Policy Framework
(SPF) in place to help lower the chances of getting spoofed emails. To do this, all one has to do is
deploy SPF records in DNS and enable receiver-side verification in the mail servers.
Deploying network-based IDS sensors on the Internet and extranet DMZ systems and
networks will identify unusual attack mechanisms and detect compromised systems.
One should put in network-based IPS devices to help block known bad
signatures or behavior attacks. These IPS devices will delay the time it takes for someone
to react to the attack. Before deploying these IPSs, make sure to include techniques other than
signature-based detection, such as virtual machine or sandbox-based
approaches. Build network perimeter proxies so that outgoing web, file
transfer protocol (FTP), and secure shell traffic to the internet passes through them. The proxy server should
support individual TCP sessions and the blocking of specific URLs, domain names, and IP addresses to
implement blacklists. One should use two-factor authentication on all remote login access,
including VPNs, dial-up, and all other forms that allow login access to the
internal systems. The enterprise should manage all enterprise devices that log in
remotely by controlling the configuration of each remote device, the installed
software, and the patch levels. One should set minimum security standards
for the network and do a security scan before granting access to any third-party device. The
third-party devices include those of subcontractors and vendors. Scan the network for back-channel
connections to the internet that bypass the DMZ, including unauthorized VPN
connections, dual-homed hosts connected to the network, dial-up modems, and other
network mechanisms. Devise internal network segmentation schemes to limit traffic across the whole
internal network to only those services needed for business use. Putting this
in place will help limit access by insiders and untrusted subcontractors and limit malware spreading on the
network. To keep an attacker from moving around from a compromised system, make sure the
DMZ systems only communicate with private network systems through application proxies or
application-aware firewalls over approved channels. One should use built-in firewall
tracking mechanisms to identify TCP sessions that last an unusually long time for the organization,
and the firewall devices will in turn alert personnel with the source and destination addresses
that are a part of these long sessions. This will identify channels exfiltrating data through a firewall.
Lastly, to detect anomalous activity, deploy NetFlow collection and analysis on the DMZ
network. NetFlow was developed by Cisco for monitoring and collecting network traffic flow
data from NetFlow-enabled routers and switches.
The following steps show how the devices work together and how these steps
help identify the potential failure points of this control.
1. Hardened device configurations applied to production devices.
2. Two-factor authentication systems required for administrative access to
production devices.
3. Production network devices send events to the log management and correlation
system.
4. Network monitoring system analyzes network traffic.
5. Network monitoring system sends events to the log management and correlation
system.
6. Outbound traffic passes through and is examined by network proxy devices.
7. Network systems scanned for potential weaknesses.
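Two of the boundary checks described above in code, as an added example that is not from the paper: screening inbound traffic against bogon and blacklist prefixes, and finding TCP sessions that last unusually long for the organization from flow records of the kind a NetFlow collector produces. The prefix lists, the DMZ range, the flow records and the session threshold are constructed.

```python
"""Screen inbound packets at the network border against bogon and
blacklist prefixes, and flag TCP sessions that last unusually long for
the organization.

Added example, not from the paper. The prefix lists, the DMZ range, the
flow records and the session threshold are constructed; real bogon lists
are published online and change over time.
"""
import ipaddress
from datetime import datetime

# Constructed bogon list. 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24
# are reserved documentation ranges and appear on real bogon lists, but
# here they stand in for public networks and the DMZ, so they are omitted.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/3",
)]
BLACKLIST = [ipaddress.ip_network("198.51.100.64/26")]  # constructed "known bad"
DMZ = ipaddress.ip_network("203.0.113.0/24")             # constructed DMZ
LONG_SESSION_SECS = 6 * 3600                             # constructed threshold


def _in_any(address, networks):
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in networks)


def screen_inbound(src, dst):
    """Decision for a packet arriving from the Internet at the border.

    Bogon sources are dropped first (they cannot be legitimate), then
    blacklisted sources, then anything not aimed at the DMZ.
    """
    if _in_any(src, BOGONS):
        return "drop:bogon-source"
    if _in_any(src, BLACKLIST):
        return "drop:blacklisted-source"
    if ipaddress.ip_address(dst) not in DMZ:
        return "drop:not-dmz-destination"
    return "allow"


def long_sessions(flows):
    """Return (src, dst, seconds) for TCP flows longer than the threshold.

    Flow records are dicts with src, dst, proto, start and end (ISO 8601),
    the shape a NetFlow collector would hand to an analysis script.
    """
    found = []
    for flow in flows:
        if flow["proto"] != "tcp":
            continue
        seconds = (datetime.fromisoformat(flow["end"])
                   - datetime.fromisoformat(flow["start"])).total_seconds()
        if seconds > LONG_SESSION_SECS:
            found.append((flow["src"], flow["dst"], int(seconds)))
    return found


# Constructed flow records: one eight-hour outbound TCP session from a DMZ
# host, one short inbound HTTPS session and one long-lived UDP flow.
FLOWS = [
    {"src": "203.0.113.20", "dst": "192.0.2.44", "proto": "tcp",
     "start": "2016-05-09T01:00:00", "end": "2016-05-09T09:00:00"},
    {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "tcp",
     "start": "2016-05-09T10:00:00", "end": "2016-05-09T10:00:12"},
    {"src": "203.0.113.5", "dst": "192.0.2.53", "proto": "udp",
     "start": "2016-05-09T00:00:00", "end": "2016-05-09T23:00:00"},
]

if __name__ == "__main__":
    for src, dst in (("10.1.2.3", "203.0.113.10"), ("198.51.100.7", "203.0.113.10")):
        print(src, "->", dst, screen_inbound(src, dst))
    for src, dst, secs in long_sessions(FLOWS):
        print(f"ALERT long TCP session {src} -> {dst} ({secs // 3600} h)")
```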
Control 14 is Maintenance, Monitoring, and Analysis of Audit Logs. There are some quick
wins that will help. Use two synchronized time sources from which all servers and network equipment
get their time information on a regular basis. The two time sources should be Coordinated Universal
Time (UTC) and Network Time Protocol (NTP). Be sure to look at the audit log settings for all
hardware devices and software so that they include a date, timestamp, source addresses, destination
addresses, and other useful elements of each packet or transaction. The systems need to record
logs in a standardized format such as syslog entries or the Common Event Expression outline.
There are tools that can be put in to convert the logs to that format if the system cannot do it. Make
sure all the systems have enough space to store the logs. These logs should be digitally signed
and archived on a daily basis. Build a log retention policy because this will help make sure that
the logs are kept for a set period of time. On average, systems can be compromised for several
months without anyone knowing, so it is a good rule of thumb to make sure the logs are kept
longer than 3 months. It is good to keep the logs for six months or longer. Have security
personnel, system administrators, or both produce log reports every other week to try to find
anomalies. An anomaly is something that is out of the ordinary from the set standard. If one is
found, the person looking into the anomaly should be sure to document the findings.
Configure all the firewalls, network-based IPS, and inbound and outbound proxies that
are network boundary devices to log all the traffic arriving at the devices, whether it is allowed or
blocked. To lower the chance of an attacker changing the logs stored on a compromised local
computer, make sure the logs are written to write-only devices or to
logging servers running on separate machines away from the host that is creating the
event log. Also, put in Security Incident and Event Management (SIEM) or similar log analysis
tools that do log aggregation and consolidation from multiple machines as well as correlation
and analysis. When using the SIEM, security personnel and system administrators should put
together common events from the systems, so it will be easier to determine unusual activity,
avoid false positives, identify anomalies faster, and avoid giving the analyst unimportant
alerts. Ensure to keep an eye on service creation events and be sure to turn on process
tracking logs. Attackers use the PsExec tool to help spread from system to system on
Windows. Creation of service events is unusual and should be looked at closely, and
process tracking can be used to help with incident handling. Be sure that the log collection system
does not lose events during peak activity. Also, ensure the system detects and alerts if
event loss happens. An example of event loss is when the log volume exceeds the capacity of the
log collection system.
Answer the following questions with yes or no answers or a time in minutes, to help test the
effectiveness of the automated implementation of this control.
1. Does each system log appropriately to a central log management system?
2. Does each log event generated include a date, timestamp, source address,
destination address and other details about the packet?
3. If a system fails to log properly, how long does it take for an alert about the
failure to be sent?
4. If a system fails to log properly, how long does it take for enterprise personnel to
receive the alert about the failure?
The information gathered from the following questions will help automate the collection
of relevant data, and it should be gathered by business unit.
1. What percentage of the organization's systems do not currently have comprehensive
logging enabled in accordance with the organization's standards?
2. What percentage of the organization's systems are not currently configured to centralize
their logs to a central log management system?
3. How many anomalies and/or events of interest have been discovered in the organization's
logs recently?
Lastly, there are four steps that help identify the potential failure points in this control and
show how the systems work together to do this.
Step 1- Production systems generate logs and send them to a centrally managed log
database system.
Step 2- Production systems and log database systems pull synchronized time from
central time management systems.
Step 3- Logs are analyzed by a log analysis system.
Step 4- Log analysts examine data generated by the log analysis system.
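A small log analysis routine for the points made under this control (required fields on boundary-device logs, watching service creation events, detecting event loss), as an added example that is not from the paper. The log line format (ISO timestamp, host, program, key=value pairs with a per-host seq counter) and the sample lines are constructed; event ID 7045 is the Windows System log event for a newly installed service.

```python
"""Check centrally collected log lines for the fields Control 14 calls
for, flag service-creation events, and detect lost events from gaps in
each source's sequence numbers.

Added example, not from the paper. The line format and the sample lines
are constructed; event ID 7045 is the Windows System log event written
when a service is installed.
"""
import re
from datetime import datetime

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+): (.*)$")
# Network boundary devices must record source and destination addresses
# and whether the traffic was allowed or blocked.
REQUIRED_BY_PROGRAM = {
    "firewall": ("src", "dst", "action"),
    "proxy": ("src", "dst", "action"),
    "ips": ("src", "dst", "action"),
}
SERVICE_INSTALLED_IDS = {"7045"}


def parse_line(line):
    """Return a dict of fields, or None if the line is malformed."""
    match = LINE_RE.match(line)
    if not match:
        return None
    stamp, host, program, rest = match.groups()
    try:
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"time": when, "host": host, "program": program, **fields}


def analyze(lines):
    """Produce the findings an analyst reviews from one batch of lines."""
    report = {"malformed": [], "missing_fields": [],
              "service_installed": [], "lost_events": []}
    last_seq = {}
    for raw in lines:
        event = parse_line(raw)
        if event is None:
            report["malformed"].append(raw)
            continue
        required = REQUIRED_BY_PROGRAM.get(event["program"], ())
        missing = [f for f in required if f not in event]
        if missing:
            report["missing_fields"].append((event["host"], missing))
        if event.get("id") in SERVICE_INSTALLED_IDS:
            report["service_installed"].append((event["host"], event.get("svc", "?")))
        if "seq" in event:
            # a jump in the per-host counter means the collector lost events
            seq = int(event["seq"])
            prev = last_seq.get(event["host"])
            if prev is not None and seq > prev + 1:
                report["lost_events"].append((event["host"], seq - prev - 1))
            last_seq[event["host"]] = seq
    return report


# Constructed sample: a firewall that skipped sequence numbers 103-104,
# a proxy entry without a destination, a Windows service install, junk.
SAMPLE = """\
2016-05-09T10:00:01Z fw-edge-1 firewall: seq=101 action=deny src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=23
2016-05-09T10:00:02Z fw-edge-1 firewall: seq=102 action=allow src=192.0.2.5 dst=203.0.113.10 proto=tcp dport=443
2016-05-09T10:00:03Z fw-edge-1 firewall: seq=105 action=deny src=198.51.100.9 dst=203.0.113.10 proto=tcp dport=22
2016-05-09T10:00:04Z proxy-1 proxy: seq=7 action=allow src=10.0.0.12 url=http://example.com/
2016-05-09T10:00:05Z ws-12 eventlog: seq=3301 id=7045 svc=PSEXESVC user=CORP\\jdoe
this line has no structure at all
""".splitlines()

if __name__ == "__main__":
    for kind, items in analyze(SAMPLE).items():
        print(kind, items)
```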
Control 15 is Controlled Access Based on the Need to Know. There is a quick win that helps
right away, but the more advanced ways are the best to use. The quick win is to locate all
sensitive data on separate VLANs with firewall filtering. Sensitive data
should be encrypted if it is going over less-trusted networks. Now on to the advanced ways: to
access sensitive data, one should use special authentication and should enforce detailed audit
logging for access to nonpublic data on the system. Segment data on the servers based on trust
levels. When data goes to a lower trust level, the data should be encrypted. Put in host-based
Data Loss Prevention (DLP) so that ACLs are still applied when data is copied off a server; otherwise, after
the data has been copied from the server to a desktop system, the ACLs are no
longer enforced and the user is able to send it to whomever they want.
To help test the effectiveness of this control, one should answer these two questions with
either yes or no answers or a time in minutes.
1. Can the system detect all attempts by users to access files on the local systems or
network-accessible file shares without the appropriate privileges?
2. How long does it take the system to generate an alert or e-mail for administrative
personnel of a user inappropriately accessing the file shares?
To automate the collection of relevant data from these systems, one should answer the
following questions by business unit.
1. What percentage of the organization's data sets have not been classified in
accordance with the organization's data standards?
2. What percentage of sensitive data sets are not configured to require logging of
access to the data set?
3. What percentage of the organization’s business systems are not utilizing host-
based DLP software applications?
Figure 1. Five steps
The figure above shows the five steps in a business setting and how the different systems
work together. The five steps that will help identify potential failure points in this control are:
1. An appropriate data classification system and permissions baseline applied to
production data systems.
2. Access appropriately logged to a log management system.
3. Proper access control applied to portable media and USB drives.
4. Active scanner validates, checks access and checks data classification.
5. Host-based encryption and data-loss prevention validates and checks all access
requests.
In this paper, I talked about SANS Critical Security Controls 11 through 15. The
controls were Limitation and Control of Network Ports, Protocols, and Services; Controlled Use
of Administrative Privileges; Boundary Defense; Maintenance, Monitoring, and Analysis of Audit
Logs; and Controlled Access Based on the Need to Know. These controls are used to help detect,
track, control, manage, prevent, analyze and correct access to data. I also talked
about how the controls are being used in a business setting and about using some
quick wins through to more advanced ways to make the systems safe. As technology grows, black hats
and some of the gray hats will become more advanced in their hacking, so as a cyber-world we
need to become more advanced and aware of how our networks are set up and how much we
should lock down systems to keep our information safe while meeting the needs of the business. Always
remember to keep up to date on all the new security vulnerabilities and always expand one's
knowledge.
Control 16 is Account Monitoring and Control. First, there are some quick wins that will
help make the system more secure. Look over the systems and disable any
accounts that are not associated with a business process or owner. Make sure all accounts have an
expiration date associated with them. All systems should create a report listing locked-out
accounts, disabled accounts, all accounts that have exceeded the maximum password age, and
accounts with passwords that never expire. Be sure to build and follow a process for
revoking access by disabling accounts that are no longer being used or whose employee was
terminated. Next, all accounts that have been logged on for a certain period of time without
activity should be automatically logged off. This will help with the security risks and
vulnerabilities. Any unattended workstations should be configured with screen locks to limit
access to the systems. If one keeps up on monitoring accounts, one will be able to find dormant
accounts on the systems. All non-administrator accounts should have passwords
that contain letters, numbers, and special characters, should be changed every 90 days, should have a
minimum age of one day, and should not be allowed to reuse any of the previous fifteen passwords as the new
password. Lastly, configure the accounts to lock if the maximum number of login attempts is
reached. When that happens, the account will lock for a standard period of time.
Some more advanced ways to help secure one's systems are to have all managers
match active employees and contractors with each account belonging to their managed staff.
One should use audit logging to monitor attempts to deactivate accounts and should use Active
Directory or Lightweight Directory Access Protocol (LDAP) as the central point through which all accounts are accessed.
To help determine a user's typical account usage, use normal time-of-day access and access
duration. Reports should be generated that indicate unusual hours or logins that have gone over the
normal login duration. One should use a flagging system to flag a user's credentials being used from
computers that the user would not normally work from. All accounts with access to sensitive
data or systems should use multi-factor authentication to gain access. Also, for all users with
access to web services, their account access should go over an encrypted channel, and the password
hash files should be stored securely if a centralized service is not employed. One should use
encrypted channels for transmission of passwords over a network. Finally, all users' passwords
should be stored in encrypted or hashed files that cannot be accessed without root or
administrative privileges. Make sure to audit access to the password systems.
To help see whether the control is effective, answer the following questions.
1. Does the system audit and report on valid and invalid log-ins to user accounts?
2. Does the system audit and report on valid and invalid log-ins to network and security
devices user accounts?
3. Does the system lock users out after five invalid attempts?
4. Do user account passwords expire at least every 90 days?
5. Does the system report on dormant accounts that have not been used for a configurable period
of time?
6. How long does it take to send an alert or email to administrative personnel that the
comparison report has been created (time in minutes)?
The following questions will help one automate the monitoring and control of user accounts.
1. How many invalid attempts to access user accounts have been detected within a period of
time?
2. How many accounts have been locked out within a period of time?
3. How many attempts to gain access to password files in the system have been detected
within a period of time?
4. Perform authorized password cracking against password files and identify the number of
administrator account passwords that are cracked during the attempt. Remediate any
compromised passwords immediately.
5. Is an automated list of user accounts on the system created daily and compared to a
baseline (Yes or No)?
6. How long does it take to send an alert or e-mail to administrative personnel that the
comparison report has been created (time in minutes)?
The following tests are techniques that attempt to gain access to user accounts, and they
should be performed periodically, three times each. These tests should also be performed from
multiple, widely distributed systems on the organization’s network to be sure that the user
account controls are in place and working.
Attempt to configure weak user account passwords that are non-compliant with
established policy. Verify that the system does not allow weak passwords to be used.
Attempt to re-use a user account password that was previously used for the account.
Verify that the system requires unique new passwords during each update.
Attempt to capture passwords by monitoring network traffic to server resources.
Remediate any instances where passwords are transmitted in clear text.
Attempt to gain access to password files stored on each system. If successful, identify
whether passwords are cryptographically secured.
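The account-usage reports and lockout check described above, as an added example that is not part of the original paper: it runs simple detection logic over constructed login events and flags unusual hours, unfamiliar source hosts, five failed logins in a short window, and dormant accounts. The event format, the per-user baselines and the thresholds are assumptions.

```python
"""Added example (not from the paper): detection logic for the account monitoring
reports described above, run over constructed login events. It flags logins at
unusual hours, logins from a host the user does not normally use, five or more
failed logins in a short window, and dormant accounts. All inputs are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, source host, success?)
EVENTS = [
    ("2016-05-02 08:55", "alice", "WS-ALICE", True),
    ("2016-05-02 23:40", "alice", "WS-ALICE", True),    # outside normal hours
    ("2016-05-03 09:10", "alice", "SRV-FILE01", True),  # unfamiliar host
    ("2016-05-01 09:00", "bob", "WS-BOB", True),
    ("2016-05-03 13:00", "bob", "WS-BOB", False),
    ("2016-05-03 13:01", "bob", "WS-BOB", False),
    ("2016-05-03 13:01", "bob", "WS-BOB", False),
    ("2016-05-03 13:02", "bob", "WS-BOB", False),
    ("2016-05-03 13:02", "bob", "WS-BOB", False),       # fifth failure -> lockout
    ("2016-01-10 10:00", "carol", "WS-CAROL", True),    # no login since January
]
# Assumed per-user baseline: normal access hours (start, end) and known hosts
BASELINE = {
    "alice": {"hours": (7, 19), "hosts": {"WS-ALICE"}},
    "bob":   {"hours": (8, 18), "hosts": {"WS-BOB"}},
    "carol": {"hours": (8, 18), "hosts": {"WS-CAROL"}},
}
LOCKOUT_THRESHOLD = 5                # lock out after five invalid attempts
FAIL_WINDOW = timedelta(minutes=10)  # failures are counted within this window
DORMANT_AFTER = timedelta(days=90)   # no successful login for this long = dormant

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def analyze(events, baseline, now):
    findings = set()                 # (user, finding) pairs for the report
    failures = defaultdict(list)     # recent failed-login times per user
    last_success = {}
    for ts, user, host, ok in events:
        t = parse(ts)
        profile = baseline[user]
        if ok:
            last_success[user] = max(t, last_success.get(user, t))
            start, end = profile["hours"]
            if not start <= t.hour < end:
                findings.add((user, "login outside normal hours"))
            if host not in profile["hosts"]:
                findings.add((user, "login from unfamiliar host " + host))
        else:
            recent = [f for f in failures[user] if t - f <= FAIL_WINDOW] + [t]
            failures[user] = recent
            if len(recent) >= LOCKOUT_THRESHOLD:
                findings.add((user, "lockout: %d failed logins" % len(recent)))
    for user in baseline:
        if user not in last_success or now - last_success[user] > DORMANT_AFTER:
            findings.add((user, "dormant account"))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in analyze(EVENTS, BASELINE, parse("2016-05-09 00:00")):
        print(user, "-", finding)
```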
Control 17 is data protection. This control is important because data can be found in
many different places. The way one can protect one’s data is to keep track of where the data is
located, make sure it is encrypted, apply integrity protection, and use Data Loss Prevention (DLP)
techniques. Encryption can be used while data is being transferred and while it is stored.
Encryption keys should be stored on secure servers or in Hardware Security Modules (HSMs). If a
business loses sensitive data, it could turn into a threat to the business or a national security
incident. DLP controls are based on policy and include the classification of sensitive data, finding
data across the network, enforcing controls, reporting, and auditing to make sure the policies are
being complied with. There are four quick wins to secure one’s data, and then there are more
advanced ways. For mobile devices and systems that have sensitive data on them, deploy hard
drive encryption software to help protect the devices and systems. Also, check that the
cryptographic devices and software are using publicly-vetted algorithms. Publicly-vetted
algorithms are algorithms whose design is published and has been openly reviewed rather than
kept secret, and cryptographic devices or software are devices or software that encrypt data. One
should do an assessment of data to help identify sensitive data or information that requires the
application of encryption and integrity controls. The last quick win for data protection is to
review the cloud provider’s security practices.
Some more advanced ways are to discover unauthorized attempts to move data across
network boundaries, block these transfers, and alert security personnel by deploying automated
tools on the network perimeter that monitor for sensitive information, keywords, and document
characteristics. One should run scans on servers with automated tools to check whether there is
sensitive data in clear text. When one is moving data between networks, ensure one is using
secure, authenticated, and encrypted mechanisms. On the other hand, if a business does not have a
need for removable devices, be sure to configure the systems so that they do not write data to
USB tokens or USB hard drives. If one’s systems do require these devices, configure the
enterprise software to allow only specific USB devices to be accessed, and data placed on these
devices should be automatically encrypted. Always keep an inventory of these authorized devices
so that one knows what is allowed. One should use network-based Data Loss Prevention (DLP)
solutions to watch and control the flow of data on the network. DLP solutions are solutions that
detect possible data breaches and alert security personnel. Any data flow that exceeds the normal
traffic pattern should be logged, and action should be taken to address it. Only approved
Certificate Authorities (CAs) should issue certificates on the enterprise, and one should review
and verify each CA’s Certification Practice Statement (CPS) and Certificate Policy (CP). For the
protection of sensitive data, annually review the key lengths and algorithms that are in use.
Traffic leaving the organization should be monitored to detect unauthorized uses of encryption.
Hackers will use encrypted channels to bypass security devices, so it is very important that one is
able to identify these connections, terminate the connection, and remediate the system. Known
file transfer and email exfiltration websites should be blocked, because one’s system could get a
virus or a trojan horse if an employee opens an email on their personal email. Determine the roles
and responsibilities related to the management of encryption keys on the network, and define the
processes for their lifecycle. Implement Hardware Security Modules (HSMs) to help protect
private keys or Key Encryption Keys.
The following five steps show how the processes described above work together and put
them in order.
1. Data encryption systems ensure that appropriate hard disks are encrypted.
2. Sensitive network traffic is encrypted.
3. Data connections are monitored at the network perimeter by monitoring systems.
4. Stored data is scanned to identify where sensitive information is stored.
5. Offline media are encrypted.
To test the effectiveness of this control, answer the following questions or statements with a
time in minutes or a yes or no answer.
Does the system identify and report on unauthorized data being exfiltrated, whether
via network file transfers or removable media?
Does the system identify the attachment of unencrypted USB tokens and require
encrypted tokens?
Do the systems store cryptographic key material securely?
Does the system use only NIST-approved encryption algorithms?
Within one hour of a data exfiltration event or attempt, enterprise administrative
personnel must be alerted by the appropriate monitoring system.
Do alerts notifying of data exfiltration also note the system and location where the
event or attempt occurred?
Are the systems able to identify the location, department, and other critical details
about where the sensitive data originated?
How long does it take before a data leakage risk is remediated from the time it was
detected?
The following questions help one gather information to help automate the protection of data
using cryptography and DLP functions.
How many unauthorized data exfiltration attempts have been detected within a period of
time by DLP software?
How many plaintext instances of sensitive data have been detected within a period of
time by automated scanning software?
How many attempts to access known file transfer and e-mail exfiltration websites have
been detected within a period of time?
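The automated scan for sensitive data stored in clear text that the advanced steps call for, and the "plaintext instances detected" metric above, as an added example that is not part of the original paper: it searches constructed file contents for US Social Security Numbers and payment card numbers and uses the Luhn checksum to discard card-like digit strings that are not real card numbers. The file names, contents and patterns are assumptions.

```python
"""Added example (not from the paper): an automated scan for sensitive data stored
in clear text, as the advanced step above calls for. It searches constructed file
contents for US Social Security Numbers and payment card numbers, validates card
candidates with the Luhn checksum to cut false positives, and returns per-file
findings plus the total count asked for in the metrics above. All inputs assumed."""
import re

# Constructed sample files as they might be found on a file server
FILES = {
    "hr/onboarding.txt": "New hire SSN 123-45-6789 start date 2016-05-16",
    "finance/refunds.csv": "order,card\n1001,4111 1111 1111 1111\n1002,4111 1111 1111 1112",
    "it/build.log": "ticket 000-12-3456 build took 1234-5678-9012 ms",
    "sales/notes.txt": "ref 234-56-7890 and card 5555555555554444",
}
# SSN: area not 000/666/9xx, group not 00, serial not 0000 (SSA issuance rules)
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card candidate: 13-19 digits, optionally separated by spaces or hyphens
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_sensitive(text):
    """Return a list of (kind, value) findings for one file's contents."""
    findings = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card", digits))
    return findings

def scan(files):
    """Scan every file; return {path: findings} for files holding plaintext sensitive data."""
    report = {}
    for path, text in files.items():
        hits = find_sensitive(text)
        if hits:
            report[path] = hits
    return report

def count_instances(report):
    """Total plaintext instances detected (the per-period metric asked for above)."""
    return sum(len(hits) for hits in report.values())

if __name__ == "__main__":
    rep = scan(FILES)
    for path, hits in rep.items():
        print(path, hits)
    print("plaintext instances detected:", count_instances(rep))
```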
Control 18 is incident response and management. There are six quick wins for this
control. Make sure there are written incident response procedures that define the roles of
personnel for incident handling; these should define the phases of incident handling. One should
assign, in writing, job titles and duties for handling computer and network incidents to specific
individuals. Thirdly, determine the management personnel in key decision-making roles that
will support the incident handling process. Fourth, one should put standards in place for the time
it should take for system administrators and other personnel to report anomalous events to the
incident handling team. Also, there should be mechanisms for the reporting and for the kinds of
information that are included in the notification. One should notify the right Computer
Emergency Response Team in keeping with the legal or regulatory requirements for the
organization’s involvement in computer incidents. There should be a document that is built and
kept up to date with the third-party contact information that will be used to report a security
incident. In regards to reporting computer anomalies and incidents to the incident handling team,
the information should be published for all personnel, which includes employees and contractors.
An advanced way is to ensure that incident response scenario sessions are conducted periodically
for the incident response handling personnel. This will help to make sure that they are up to date
with the current threats and risks and with their responsibilities in supporting the incident handling
team. Also, this will help to see what needs to be fixed in the process, what is working perfectly,
and which personnel need more training.
Make sure to have an incident response plan in place, because if one does not have one in
place, it will be too late to develop the procedures, data collection and reporting, management
responsibility, legal protocols, and communication strategies that will allow the business to
understand, manage, and recover from an incident. There are six steps that will help implement
this control and identify its potential failure points.
1. Incident handling policies and procedures educate workforce members as to their
responsibilities during an incident.
2. Some workforce members are designated as incident handlers.
3. Incident handling policies and procedures educate management as to their responsibilities
during an incident.
4. Incident handlers participate in incident handling scenario tests.
5. Incident handlers report incidents to management.
6. The organization reports incidents to outside law enforcement and the appropriate
Computer Emergency Response Team, if necessary.
Control 19 is secure network engineering. There is one quick win to help, and this quick
win is to implement a network that has at minimum a three-tier architecture. The three tiers can
include a DMZ, middleware, and a private network. Any system that can be accessed from the
Internet should be on the DMZ, but the DMZ should not have any sensitive data on it. Systems
with sensitive data on them should never be accessed from the Internet and should be on the
private network. The DMZ and the private network should communicate through an application
proxy on the middleware tier. There are three advanced ways. First, one should configure the
systems so that new ACLs, rules, signatures, blocks, black holes, and other defensive measures
can be deployed rapidly. A black hole is a filtering technique that silently discards unwanted
traffic. Second, DNS should be deployed in a hierarchical structure, with all internal network
client machines configured to send their requests to internal DNS servers rather than directly to
the Internet. If an internal DNS server cannot resolve a forward request, it should send the request
to a DNS server on the protected DMZ. The DNS servers on the protected DMZ should be the
only ones that send requests to the Internet. Third, one should segment the enterprise network into
multiple separate trusted zones to provide more specific control of system access and additional
intranet boundary defenses.
There are six steps that will help identify potential failure points and how to implement
this control.
1. Network engineering policies and procedures dictate how network systems function,
including Dynamic Host Configuration Protocol (DHCP) systems.
2. DHCP servers provide IP addresses to systems on the network.
3. Network devices perform DNS look-ups to internal DNS servers.
4. Internal DNS servers perform DNS look-ups to external DNS servers.
5. Network engineering policies and procedures dictate how a central network management
system functions.
6. Central network management systems configure network devices.
Control 20 is penetration tests and Red Team exercises. There are a few quick wins. One
should conduct regular internal and external penetration tests to help identify vulnerabilities and
the attack vectors hackers use to exploit one’s systems successfully. The testing can occur from
inside and outside the network, which simulates attacks from both inside and outside the
network. The account that is being used for the penetration testing should be monitored to make
sure it is being used only for its intended purpose. Also, after the account is done being used for
testing, it should be returned to its normal functions or be removed. There are also more
advanced ways. The Red Team should periodically run exercises to test the readiness of the
organization to identify and stop attacks or to respond quickly and effectively. If unprotected
system information or artifacts that could be used by hackers are present, one should encrypt that
information. This includes network diagrams, configuration files, older penetration test reports,
and emails or documents containing passwords or other data that is critical to system operations.
Next, ensure to plan out clear goals for each penetration test with blended, Advanced Persistent
Threat (APT)-style attacks in mind, and identify the goal machine or target asset. Implement
multiple vectors; often social engineering can be combined with web or network exploitation.
Red Team manual or automated testing that captures all the pivoted and multi-vector attacks will
give a more realistic view of the security posture and the risk to security assets. A good idea is to
use the penetration testing tools and the vulnerability scanning tools together. The reason one
should use these tools together is that the vulnerability scans are a starting point, and the
penetration testing tools come after to test the vulnerabilities that were found and to help secure
the systems. Put in place a scoring method to help rate the results of the Red Team exercises; this
will help compare the results over time as these exercises are repeated. Implement a test bed that
duplicates the production environment for specific penetration tests and Red Team attacks against
elements that are not typically tested in production. Such elements can include supervisory
control and data acquisition (SCADA) and other control systems.
The following seven steps will help one implement this control and identify potential
failure points in this control.
1. Penetration testers perform penetration tests of production systems.
2. Automated pen-testing tools perform penetration test of production systems.
3. Automated pen-testing tools inform penetration testers of vulnerabilities discovered.
4. Penetration testers perform more extensive penetration tests of test lab systems.
5. Auditors evaluate and inspect the work that is performed by the penetration testers.
6. Auditors evaluate and inspect the work performed by penetration testers.
7. Penetration testers generate reports and statistics about vulnerabilities that have been
discovered.
The following figure illustrates the steps described above.
Figure 1. Seven Steps
In this paper, I talked about SANS Critical Security Controls 16 through 20. The
controls were account monitoring and control, data protection, incident response and
management, secure network engineering, and penetration tests and Red Team exercises. These
controls can be used to help detect, track, control, manage, prevent, analyze, and correct access to
data. I also talked about how the controls are being used in a business setting, from using some
quick wins to more advanced ways to make the systems safe. As technology grows, black hats
and some of the gray hats will become more advanced in their hacking, so as a cyber-world we
need to become more advanced and aware of how our networks are set up and how much we
should lock down systems to keep our information safe while meeting the needs of the business.