
Security on a budget


nCircle held a webinar on 6/7 with Mike McKay, Senior Sales Engineer at nCircle. The theme was to give smaller organizations the power to have a big-organization security program.


Page 1: Security on a budget

© nCircle 2012. All rights reserved.

Michael McKay, CISSP, CISA

Senior Security Engineer

Security on a Budget

Page 2: Overview

• Target audience

• Are you at risk?

• How to begin

• Get some quick wins

• Your roadmap: the 20 Critical Controls

• Developing your action plan

Page 3: Poll Question

How many live IPs do you have on your network?

• 1 - 10
• 11 - 50
• 51 - 100
• More than 100

Page 4: Target Audience—does this sound like you?

• Small to medium-sized business, schools and government

• Up to 500 employees

• IT wears many hats

• Often don’t have a dedicated Information Security department or person

• Primary security tools are firewalls and antivirus

• Limited budget for security

• Management often doesn’t see security as a necessary investment (why would they go after us?)

Page 5: Poll Question

In your opinion, does your company understand the risk of cyber attack?

• Yes
• No

Page 6: Are you at risk?

• Perception: According to a recent survey conducted by Visa and the National Cyber Security Alliance, more than 85% of small business owners believe their companies are less of a target for cybercrime than large companies.

• Reality: Hackers and computer criminals are aiming directly at small and midsize businesses. Smaller businesses offer a much more attractive target than larger enterprises that have steeled themselves with years of security spending and compliance efforts.

Page 7: Small and Mid-size Business is the “sweet spot”

Percentage of SMBs lacking each basic defense against cybercrime:

• Web filtering: 52%
• Threat training: 39%
• Anti-spam: 29%
• Anti-spyware: 22%
• Firewall: 16%

Source: Panda Security online survey of 1,400 small and midsize U.S. businesses

Page 8: More Statistics (and you don’t want to be one)

• 79% of victims were targets of opportunity

• 96% of attacks were not highly difficult

• 94% of all data compromised involved servers

• 85% of breaches took weeks or more to discover

• 92% of incidents were discovered by a third party

• 97% of breaches were avoidable through simple or intermediate controls

• 96% of victims subject to PCI DSS had not achieved compliance

Page 9: Poll Question

Does your company need to be PCI compliant?

• Yes
• No

Page 10: Are you at risk?

• Cyberthieves funneled $217K from a convention center in Omaha
  – A phishy e-mail installed malware that provided access to the payroll system, and phony employees were added to the payroll
  – “Mules” collected payroll and remitted the funds to the hackers
  – Prior to the heist, the center refused many of the security options offered by its bank, including a requirement that two employees sign off on every transfer
  – “We had declined some of the security measures offered to us, [but if] we had those in place this wouldn’t have happened to us.” “We thought that would be administratively burdensome, and I was more worried about internal stuff, not somebody hacking into our systems.”

Page 11: Are you at risk?

• $497K stolen from a school district in upstate New York
  – Initial attempt was for $3.8M, but was stopped by the bank
  – Thieves used malware to gain access to online bank accounts
  – Loss represents more than 3% of their annual budget of $15M

• Cybercrime cost a magazine store in Chicago $22,000
  – Malware on their POS systems sent customer credit card numbers to Russia, where they were used fraudulently
  – The source of the leak was traced to the store
  – The store had to pay $22K for the forensic investigation required by MasterCard
  – The malware was present for over a year before it was discovered

Page 12: How to begin protecting yourself

• Believe in the risk—it’s very real

• Convince management of the urgency

• Start with some quick wins—really easy!

• Great resources: SANS, CIS, NIST, vendors
  – Consensus Audit Guidelines (The 20 Critical Controls)
  – PCI Data Security Standard (essential if you accept credit cards)

• It’s a journey, find companions to help you

Page 13: Survey says: The Top Network Vulnerability is …

Blank or default passwords

nCircle PureCloud benchmark statistics in April showed that eight of the top 10 highest risk vulnerabilities detected on small business networks are related to blank or default passwords.

A good password security policy combined with regular vulnerability scans dramatically reduces your risk.
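The local-account half of that check can be automated today. The script below is an added example for this page (not nCircle's code and not a PureCloud feature): it reads a Linux shadow-format file, flags accounts whose password field is empty (login with no password at all) and accounts still protected by legacy MD5 or DES crypt hashes, which fall quickly to offline cracking once the file leaks. The sample records are constructed. Default passwords on network devices are the other half of the problem; those need the credentialed scan the slide refers to.

```python
"""Audit a shadow-format password file for blank passwords and weak hashes.

Added example for this page; it is not nCircle's code. The input is the
standard Linux /etc/shadow layout (user:hash:...); the sample at the bottom
is constructed for illustration, not taken from any real system.
"""
import re

# crypt(5) hash-id prefixes. A field with no '$' prefix that is 13
# characters of the crypt alphabet is traditional DES crypt.
HASH_PREFIXES = {
    "$1$": "md5",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256",
    "$6$": "sha512",
    "$7$": "scrypt",
    "$y$": "yescrypt",
}
WEAK_ALGORITHMS = {"md5", "des"}


def classify_hash(field):
    """Return 'blank', 'locked', 'unknown' or the hash algorithm name."""
    if field == "":
        return "blank"                 # empty field: login needs no password at all
    if field == "*" or field.startswith("!"):
        return "locked"                # '!' prefix = passwd -l; '*' = never had one
    for prefix, algo in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return algo
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "des"
    return "unknown"


def audit_shadow(text):
    """Parse shadow-format text and return a list of (user, issue) findings."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        kind = classify_hash(pw)
        if kind == "blank":
            findings.append((user, "blank password: anyone can log in as this account"))
        elif kind in WEAK_ALGORITHMS:
            findings.append((user, f"weak hash ({kind}): force a password change to rehash"))
        elif kind == "unknown":
            findings.append((user, "unrecognised hash format: inspect manually"))
    return findings


# Constructed sample: the hash bodies are filler, only the prefixes matter here.
SAMPLE_SHADOW = """\
root:$6$saltsalt$ZmlsbGVyZmlsbGVyZmlsbGVyZmlsbGVyZmlsbGVyZmlsbGVy:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
backup:!:19000:0:99999:7:::
kiosk::19000:0:99999:7:::
legacyapp:$1$saltsalt$ZmlsbGVyZmlsbGVyZmlsbGVy:19000:0:99999:7:::
olddb:ab12CD34ef56G:19000:0:99999:7:::
alice:$y$j9T$saltsaltsaltsalt$ZmlsbGVyZmlsbGVyZmlsbGVyZmlsbGVyZmlsbGVy:19000:0:99999:7:::
"""

if __name__ == "__main__":
    # On a real host, pass the contents of /etc/shadow (root required) instead.
    for user, issue in audit_shadow(SAMPLE_SHADOW):
        print(f"{user}: {issue}")
```

Locked (`!`) and `*` accounts are reported as neither issue, because no password will log them in; the point of the check is the accounts an attacker can walk straight into (`kiosk`) and the ones whose hashes crack in minutes (`legacyapp`, `olddb`). Do not copy /etc/shadow off the host to run this; run the check in place.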

Page 14: Some quick wins

• Change your passwords, now, on everything. Make them strong. Never share them, especially privileged ones. (free)

• Control remote access services with a firewall (free or $)

• Use OpenDNS (free or $) to block access to known bad sites

• Create your security policy: SANS (free), InstantSecurityPolicy.com ($)

• Educate users and managers: SANS Securing the Human ($)

• Get your roadmap: SANS 20 Critical Controls (free)

Page 15: What are these 20 Critical Controls?

• A prioritized baseline of information security measures and controls that can be continuously monitored through automated mechanisms

• Developed by a collaboration of leading security experts and CISOs inside and outside of the government with extensive experience in incident response, penetration testing, and computer forensics

• Designed with specific attack scenarios in mind, each Control begins with “How do attackers exploit the lack of this control?”

Page 16: 20 Critical Controls Guiding Principles

Defenses should focus on addressing the most common and damaging attacks occurring today and those anticipated in the near future.

Defenses should be automated where possible.

The Controls should provide specific prioritized guidance for how to minimize the risks.

Page 17: Computer Attacker Activities and Associated Defenses


Page 19: 1. Inventory of Authorized and Unauthorized Devices

Attackers continuously search for new, unpatched systems that can be automatically exploited. You need to know what’s on your network so you can manage what should be there and detect unauthorized devices.

• Spiceworks (free)
• nmap (free)
• Nessus (free or $)
• nCircle PureCloud ($)
• nCircle IP360 ($)
• nCircle CCM ($)

– Standardize naming conventions (free)
– Maintain an asset inventory with network address, machine name, purpose, asset owner, department (free)

Page 20: 2. Inventory of Authorized and Unauthorized Software

Unauthorized software is a common source of malware. Authorized software needs to be updated regularly to remediate known vulnerabilities.

– Spiceworks (free)
– Kaspersky Antivirus ($)
– nCircle PureCloud ($)
– nCircle IP360 ($)
– nCircle CCM ($)
– Secunia PSI (free) and CSI ($)
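Controls 1 and 2 share one workflow: scan, then compare the result against what you have authorised. The script below is an added example for both of these slides; it is not nCircle's code and not from the nmap project. It parses the XML that `nmap -sV -oX` writes and reconciles it with a simple asset inventory of the kind the Control 1 slide describes (address, name, purpose, owner), extended with the services each asset is allowed to expose. The inventory layout and the scan output are constructed assumptions for the example. Unknown hosts answer Control 1; authorised hosts exposing software that is not on their list answer the network-facing part of Control 2.

```python
"""Reconcile an nmap service scan with an asset inventory (Controls 1 and 2).

Added example for this page, not nCircle's code and not the nmap project's.
The inventory layout (IP -> name, purpose, owner, allowed services) is an
assumption chosen for this example; the XML below is constructed in the
shape that `nmap -sV -oX scan.xml 10.0.0.0/29` produces, not real output.
"""
import xml.etree.ElementTree as ET


def parse_nmap_xml(xml_text):
    """Return {ip: {"hostname", "mac", "services": {"tcp/22": "ssh OpenSSH 7.4"}}}
    for every host nmap reports as up, counting only ports in state 'open'."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = mac = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr")
        if ip is None:
            continue
        name = host.find("hostnames/hostname")
        services = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            key = f"{port.get('protocol')}/{port.get('portid')}"
            svc = port.find("service")
            if svc is None:
                services[key] = "unknown"
            else:
                services[key] = " ".join(
                    v for v in (svc.get("name"), svc.get("product"), svc.get("version")) if v)
        hosts[ip] = {"hostname": name.get("name") if name is not None else "",
                     "mac": mac or "", "services": services}
    return hosts


def reconcile(scan, inventory):
    """Three questions: what is on the wire that was never authorised, which
    authorised asset went missing, and which authorised device exposes
    software it is not supposed to run."""
    report = {"unauthorized_devices": [], "missing_devices": [], "unexpected_services": []}
    for ip, seen in scan.items():
        if ip not in inventory:
            report["unauthorized_devices"].append((ip, seen["hostname"], seen["mac"]))
            continue
        allowed = set(inventory[ip]["services"])
        for port, banner in seen["services"].items():
            if port not in allowed:
                report["unexpected_services"].append((ip, port, banner))
    report["missing_devices"] = [ip for ip in inventory if ip not in scan]
    return report


# Constructed inventory in the assumed layout.
INVENTORY = {
    "10.0.0.1": {"name": "fw01", "purpose": "firewall", "owner": "IT", "services": ["tcp/443"]},
    "10.0.0.2": {"name": "files01", "purpose": "file server", "owner": "IT", "services": ["tcp/445"]},
    "10.0.0.9": {"name": "print01", "purpose": "printer", "owner": "Office", "services": ["tcp/9100"]},
}

# Constructed scan output (not a real scan).
SAMPLE_SCAN_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/29">
<host><status state="up"/>
  <address addr="10.0.0.1" addrtype="ipv4"/><address addr="00:11:22:33:44:01" addrtype="mac"/>
  <hostnames><hostname name="fw01.example.internal" type="PTR"/></hostnames>
  <ports><port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port></ports>
</host>
<host><status state="up"/>
  <address addr="10.0.0.2" addrtype="ipv4"/><address addr="00:11:22:33:44:02" addrtype="mac"/>
  <hostnames><hostname name="files01.example.internal" type="PTR"/></hostnames>
  <ports>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
    <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    <port protocol="tcp" portid="3389"><state state="filtered"/></port>
  </ports>
</host>
<host><status state="up"/>
  <address addr="10.0.0.3" addrtype="ipv4"/><address addr="00:11:22:33:44:03" addrtype="mac"/>
  <ports><port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port></ports>
</host>
<host><status state="down"/><address addr="10.0.0.4" addrtype="ipv4"/></host>
</nmaprun>"""

if __name__ == "__main__":
    for category, rows in reconcile(parse_nmap_xml(SAMPLE_SCAN_XML), INVENTORY).items():
        print(category)
        for row in rows:
            print("  ", row)
```

On the constructed data the unknown telnet device at 10.0.0.3 is the Control 1 finding, the SSH daemon on the file server is the Control 2 finding, and the absent printer is the prompt to check whether it was decommissioned or just unplugged. Run the scan from a host that can see every subnet, or you will mistake segmentation for absence.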

Page 21: 3. Secure Configurations for H/W and S/W on servers and workstations

Building and maintaining your systems to highly-secure “best practice” standards greatly reduces the attack surface and makes it more difficult for exploits to spread to other systems. Standard system configurations are also easier and cheaper to maintain.

– CIS Benchmarks (free)
– Microsoft MBSA (free)
– Microsoft security policy templates (free)
– nCircle Configuration Compliance Manager ($)
– Secunia PSI (free) and CSI ($)
– NIST 800-53 (free)
– Vendor security hardening guidelines (free)
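A benchmark only pays off if you check against it after every change, not once. As an added example (not nCircle's code and not the CIS Benchmark text), the script below audits an OpenSSH sshd_config against five hardening expectations. Those expectations are assumptions modelled on common SSH hardening guidance; take the authoritative list and values from the CIS Benchmark for your platform. Both configuration files are constructed, one weak and one hardened. Two sshd parsing rules matter here and are easy to miss by eye: sshd uses the first value it reads for a keyword, so a later `PasswordAuthentication no` does not override an earlier `yes`, and directives after a `Match` line apply only to the matched users or hosts.

```python
"""Audit an OpenSSH sshd_config against a small hardening baseline (Control 3).

Added example for this page, not nCircle's code and not the CIS Benchmark
text. BASELINE holds assumed expectations modelled on common SSH hardening
guidance; the two configs below are constructed (one weak, one hardened).
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section.

    Two sshd_config rules are built in: the first occurrence of a keyword
    wins (sshd ignores later duplicates), and everything after the first
    'Match' line is conditional, so the global audit stops there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)          # first value wins
    return settings


# Assumed expectations: keyword -> predicate over the lower-cased value.
BASELINE = {
    "PermitRootLogin": lambda v: v == "no",
    "PasswordAuthentication": lambda v: v == "no",
    "PermitEmptyPasswords": lambda v: v == "no",
    "MaxAuthTries": lambda v: v.isdigit() and int(v) <= 4,
    "X11Forwarding": lambda v: v == "no",
}


def audit_sshd(text):
    """Return (keyword, problem) pairs; an empty list means the global
    section meets the baseline (Match blocks still need a manual look)."""
    settings = parse_sshd_config(text)
    findings = []
    for key, ok in BASELINE.items():
        value = settings.get(key.lower())
        if value is None:
            findings.append((key, "not set; the daemon default applies"))
        elif not ok(value.lower()):
            findings.append((key, f"is '{value}'"))
    return findings


# Constructed weak configuration.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
X11Forwarding yes
PermitEmptyPasswords no
PasswordAuthentication no   # has no effect: sshd already took 'yes' above
"""

# Constructed hardened configuration.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 4
X11Forwarding no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(label, audit_sshd(cfg) or "meets baseline")
```

The hardened sample passes the global check but still re-enables password logins for one user in its `Match` block; the audit stops there on purpose, so review the exceptions separately rather than letting a conditional block hide behind a clean global report. Run `sshd -T` on the host if you want the effective values after all includes and defaults are applied.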

Page 22: 10. Continuous Vulnerability Assessment and Remediation

New vulnerabilities are discovered every day. You need to continually monitor your network for these vulnerabilities and patch them as quickly as possible. Automated vulnerability scanning tools like nCircle PureCloud can collect a hardware and software inventory in the process, addressing Controls 1 and 2 at the same time.

– Microsoft WSUS (free)
– Secunia PSI (free), CSI ($)
– nCircle PureCloud ($)
– nCircle IP360 ($)
– Nessus (free or $)
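Continuous assessment means tracking each finding from first detection to closure, not just reading the latest report. The script below is an added example (not nCircle's code and not a PureCloud or Nessus export format): it diffs two scan snapshots into new, fixed and persisting findings, carries first-seen dates forward so that a finding which reappears restarts its clock, and lists what is past its remediation deadline. The finding ids are placeholders, the scan snapshots are constructed, and the SLA days per severity are assumptions to replace with your own policy.

```python
"""Track findings across consecutive vulnerability scans (Control 10).

Added example for this page, not nCircle's code. Finding records use a
generic constructed shape (host, finding id, severity) rather than any
scanner's export format, the "EX-00n" ids are placeholders (not CVEs), and
the SLA days per severity are assumptions to replace with your own policy.
"""
from datetime import date

# Assumed remediation deadlines in days from first detection.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def keys(findings):
    """Identity of a finding across scans: the (host, finding id) pair."""
    return {(f["host"], f["id"]) for f in findings}


def diff_scans(previous, current):
    """Return (new, fixed, persisting) as sets of (host, finding_id)."""
    prev, cur = keys(previous), keys(current)
    return cur - prev, prev - cur, cur & prev


def update_first_seen(first_seen, previous, current, scan_date):
    """Carry first-detection dates forward. Fixed findings drop out, so a
    finding that later reappears (a rebuilt host, a reverted patch) restarts
    its clock instead of inheriting the old date."""
    new, fixed, _ = diff_scans(previous, current)
    tracked = dict(first_seen)
    for key in fixed:
        tracked.pop(key, None)
    for key in new:
        tracked[key] = scan_date
    return tracked


def overdue(current, first_seen, today):
    """Findings older than the SLA for their severity, worst first, as
    (host, id, severity, days_past_sla)."""
    rows = []
    for f in current:
        key = (f["host"], f["id"])
        days_over = (today - first_seen[key]).days - SLA_DAYS[f["severity"]]
        if days_over > 0:
            rows.append((f["host"], f["id"], f["severity"], days_over))
    return sorted(rows, key=lambda r: -r[3])


# Constructed scan snapshots, one month apart.
PREVIOUS_SCAN = [
    {"host": "10.0.0.2", "id": "EX-001", "severity": "high"},
    {"host": "10.0.0.3", "id": "EX-002", "severity": "critical"},
    {"host": "10.0.0.5", "id": "EX-003", "severity": "low"},
]
CURRENT_SCAN = [
    {"host": "10.0.0.2", "id": "EX-001", "severity": "high"},
    {"host": "10.0.0.5", "id": "EX-003", "severity": "low"},
    {"host": "10.0.0.2", "id": "EX-004", "severity": "medium"},
]
# Everything in the previous scan was first seen on that scan's date.
FIRST_SEEN = {key: date(2012, 5, 1) for key in keys(PREVIOUS_SCAN)}


def report(today=date(2012, 6, 10)):
    """Overdue list after folding the 1 June scan into the tracker."""
    tracked = update_first_seen(FIRST_SEEN, PREVIOUS_SCAN, CURRENT_SCAN, date(2012, 6, 1))
    return overdue(CURRENT_SCAN, tracked, today)


if __name__ == "__main__":
    new, fixed, persisting = diff_scans(PREVIOUS_SCAN, CURRENT_SCAN)
    print("new:", sorted(new), "fixed:", sorted(fixed), "persisting:", sorted(persisting))
    for row in report():
        print("overdue:", row)
```

With the constructed data, the critical finding on 10.0.0.3 closed, a medium one appeared on the file server, and the high one on the file server is ten days past its 30-day deadline; that last line is what management should see each month, since a scanner that only reports the current list lets the same finding quietly age forever.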

Page 23: Control Zero—the most essential one

• Executive Management Support and Commitment to Security

• You can’t succeed without this!

Page 24: Your Action Plan

– Engage senior management (CIO, CEO, CFO)

– Compare your current state to the recommendations of the Critical Controls

– Create your security policy

– Educate your users about the security policy and the dangers they need to be aware of

– Implement some “quick win” Critical Controls within 60 days

– Identify additional Controls to be implemented in the next 60 days

– Ensure that the Controls are integrated into your routine IT processes

– Keep improving!

Page 25: Poll Question

Which security resources and news sites do you visit regularly? (select all that apply, if this is possible)

• ISSA – Attend local meetings
• InfraGard – Talk to the FBI about security
• SANS NewsBites
• Dark Reading
• Krebs on Security
• Securosis
• None of the above

Page 26: Make some friends and know what’s happening

• ISSA – Attend local meetings to learn and network (www.issa.org)

• InfraGard – Meet and talk to the FBI about security (www.infragard.net)

• SANS – Everything security, including the Critical Controls (www.sans.org)
  – SANS NewsBites – just what it says (sans.org/newsletters/newsbites/)

• Dark Reading – security news and research (www.darkreading.com)

• Krebs on Security – cyber crime news (krebsonsecurity.com)

• Securosis – security research and advisories (securosis.com)

• NIST Special Publications (csrc.nist.gov/publications/PubsSPs.html)

• PCI Data Security Standard (pcisecuritystandards.org/security_standards/)

Page 27: nCircle Solutions for the 20 Critical Controls

Page 28: Questions?

Page 29: Thank You!