Chapter 12: Large
Enterprise Cyber Security
– Data Centers and Clouds
Lecture Materials for the John Wiley & Sons book:
Cyber Security: Managing Networks, Conducting
Tests, and Investigating Intrusions
April 9, 2015 DRAFT
1
Critical Security Controls
• Controls are security requirements and there are over 200 with
thousands of sub-controls in NIST SP 800-53
• But which controls are the most important?
• Luckily security experts formed a consensus on the top 20 most
critical controls, from organizations including:
– SANS Institute
– National Security Agency
– US Cyber Command
– McAfee
– US Department of Defense
– Lockheed Martin
– commercial pen testing firms
– and many others
• The Critical Controls are based upon the actual threats
experienced by large enterprises.
• US State Department and Idaho National Laboratories (SCADA
R&D) validated that these controls address the real threats
Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions
4/9/2015 DRAFT
2
Critical Security Controls 2
• 1: Inventory of Authorized and Unauthorized Devices
• 2: Inventory of Authorized and Unauthorized Software
• 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops,
Workstations, and Servers
• 4: Continuous Vulnerability Assessment and Remediation
• 5: Malware Defenses
• 6: Application Software Security
• 7: Wireless Device Control
• 8: Data Recovery Capability
• 9: Security Skills Assessment and Appropriate Training to Fill Gaps
• 10: Secure Configurations for Network Devices such as Firewalls, Routers, and
Switches
• 11: Limitation and Control of Network Ports, Protocols, and Services
• 12: Controlled Use of Administrative Privileges
• 13: Boundary Defense
• 14: Maintenance, Monitoring, and Analysis of Audit Logs
• 15: Controlled Access Based on the Need to Know
• 16: Account Monitoring and Control
• 17: Data Loss Prevention
• 18: Incident Response and Management
• 19: Secure Network Engineering
• 20: Penetration Tests and Red Team Exercises
Solving Key Threat/Vuln Antipatterns
using the Critical Controls
• The Critical Controls document identifies the
top threats and vulnerabilities behind real-world cyber attacks
• We have used these threats and
vulnerabilities to compile an antipatterns
catalog
– The catalog shows how the Top 20 Controls
proactively address the most prevalent threats
and vulnerabilities
Threat/Vuln Antipatterns
1. Scanning Enterprise IP Address Range
2. Drive-By-Malware
3. Unpatched Applications in Large Enterprises
4. Internal Pivot from Compromised Machines
5. Weak System Configurations
6. Unpatched Systems
7. Lack of Security Improvement
8. Vulnerable Web Applications and Databases
9. Wireless Vulnerability
10. Social Engineering
11. Temporary Open Ports
12. Weak Network Architectures
13. Lack of Logging and Log Reviews
14. Lack of Risk Assessment and Data Protection
15. Data Loss via Undetected Exfiltration
16. Poor Incident Response – APT
17. Cloud Security
18. New Governance and QA for Cloud Computing
Scanning Enterprise IP
Address Range
• Most large enterprises have IP address blocks that are
public information, e.g. via Internet registries
• Malicious actors scan these ranges to find vulnerable
machines
– When machines first appear on the net, they are often
unpatched, e.g.
• A brand new system built from a dated image on CD
• A system that has been turned off and unpatched for a while
• A system that is not being managed or patched
• Partial Solution: Control 1 Inventory of Authorized and
Unauthorized devices
– Control and change management of devices on the network
can address the threat/vulns in this antipattern
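Control 1 in practice: the check below reconciles devices that appear on the network against the authorized inventory, flagging both unknown devices and known devices whose last patch date is stale (the "turned off for a while" case above). This is an added example, not code from the lecture materials; the lease log, MAC addresses and inventory are constructed samples.

```python
"""Control 1 check: reconcile devices seen on the network against the
authorized inventory (added example, not from the lecture materials;
the lease log and inventory below are constructed)."""
from datetime import datetime, timedelta

# Constructed authorized inventory: MAC -> (hostname, date last patched)
AUTHORIZED = {
    "aa:bb:cc:00:00:01": ("ws-0101", datetime(2015, 4, 1)),
    "aa:bb:cc:00:00:02": ("srv-db-02", datetime(2014, 10, 15)),
}

# Constructed DHCP lease lines: "<ISO timestamp> lease <ip> <mac> <hostname>"
LEASE_LOG = """\
2015-04-09T08:00:00 lease 10.1.2.10 aa:bb:cc:00:00:01 ws-0101
2015-04-09T08:05:00 lease 10.1.2.11 aa:bb:cc:00:00:02 srv-db-02
2015-04-09T08:07:00 lease 10.1.2.12 de:ad:be:ef:00:03 unknown-laptop
"""

def parse_leases(text):
    """Return (timestamp, ip, mac, hostname) tuples from the lease log."""
    leases = []
    for line in text.splitlines():
        ts, _, ip, mac, host = line.split()
        leases.append((datetime.fromisoformat(ts), ip, mac.lower(), host))
    return leases

def reconcile(leases, authorized, now, max_patch_age_days=30):
    """Classify each device as 'unauthorized' (not in inventory),
    'stale-patch' (authorized but not patched recently, e.g. a machine
    that was switched off for months) or 'ok'.  Keyed by MAC."""
    findings = {}
    for _ts, ip, mac, host in leases:
        if mac not in authorized:
            findings[mac] = ("unauthorized", ip, host)
            continue
        name, last_patched = authorized[mac]
        if now - last_patched > timedelta(days=max_patch_age_days):
            findings[mac] = ("stale-patch", ip, name)
        else:
            findings[mac] = ("ok", ip, name)
    return findings

def needs_action(findings):
    """MACs to hand to change management (quarantine and patch first)."""
    return sorted(mac for mac, f in findings.items() if f[0] != "ok")

def run_check(now=datetime(2015, 4, 9, 9, 0, 0)):
    """Run the reconciliation over the constructed sample data."""
    return reconcile(parse_leases(LEASE_LOG), AUTHORIZED, now)
```

Calling `needs_action(run_check())` yields the unknown laptop and the database server that has not been patched since October, the two devices to hold under change management before they stay on the network.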
Drive-By-Malware
• Malicious websites can infect a machine
that simply visits that website via browser
• Partial Solution: Controls 2 and 3
– Secure configurations assure that non-zero-day threats can be stopped
– Eliminating unauthorized software could
reduce the attack surface
Unpatched Applications in
Large Enterprises
• A typical large enterprise end-user could have
hundreds of different vendor and open source
applications
– Keeping these applications patched is a nearly
impossible task
• Controls 2, 4
– Eliminating unauthorized software enables the
enterprise to focus on patching a limited set
– Continuous vuln assessment and remediation
enables the enterprise to discover and patch
applications automatically and rapidly
Internal Pivot from
Compromised Machine
• Once an enterprise is penetrated,
attackers expand their footprint through
pivots to find new exploitable targets
• Controls 2, 10
– Unauthorized software should include most
security and network tools such as netcat,
which are essential for implementing pivots
– Hardening network devices minimizes the
ability for attackers to penetrate
Weak System Configurations
• Operating systems and commercial
applications strive for broad flexibility and
ease of use, and thus enable many
unnecessary features and services
– Unnecessary features and services expand
the attack surface
• Controls 3, 10
– Secure configurations include eliminating
unnecessary open ports and services
– Network device security can stop access to
these vulnerabilities by closing ports at the
perimeter
Unpatched Systems
• As new operating system vulnerabilities
are announced (e.g. on Patch Tuesday),
attackers rush to exploit unpatched
machines
• Controls 4, 5
– Continuous monitoring can quickly discover
these vulns and remediate them rapidly
– Malware defenses should also be updated
on Patch Tuesday, so that these attacks are
inhibited
Lack of Security Improvement
• Threats are continually evolving. If
security is not being continuously
improved, then it is falling behind, and
vulns are increasing daily
• Controls 4, 5, 11, 20
– Network defenses should be constantly up-to-date
and evolving with the state-of-the-art
– Conscious improvement of limits on ports,
protocols and services can improve the
security profile
– Pen testing is a highly recommended best
practice that can reveal latent vulns and weak
security strategies
Vulnerable Web Applications
and Databases
• Internet-facing applications and
databases are exposed to worldwide
threats… threats that are escalating daily
• Controls 6, 20
– Application software security is critical,
especially for Internet-facing apps. Web
security testing is essential
– Pen testing can reveal latent vulns and
suggest remediations
Wireless Vulnerability
• Attackers can easily spoof WAPs (the
strongest signal wins), and otherwise
compromise wireless systems which
operate on the public airwaves
• Control 7
– Following configuration benchmarks and
best practices for managing WAPs and
wireless devices is essential for network
defense
Social Engineering
• The human element is the most significant
vulnerability, scenarios include: Phishing,
Pretexting, and USB attacks
• Controls 9, 12, 16
– End user training for Internet Safety is perhaps the
most significant improvement an enterprise can make
to its security profile
– Limiting user privileges prevents over-privileged
machines from posing threats
– Account monitoring watches for potentially
hazardous activities
Temporary Open Ports
• It is common practice to grant requests to open
firewall and server ports to support a temporary
business activity, e.g. a video teleconference
– Few organizations manage the process of re-closing the ports after the need is gone
• This gap leads to an escalating vuln of open ports
• Controls 10, 13
– Keeping network devices secure includes
continuous monitoring and cleanup of changes
– Boundary defenses should be hardened and
monitored for configuration issues
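The cleanup step above can be made routine by recording an expiry on every temporary opening and auditing the rule base against it. The script below is an added example, not from the lecture materials; the rule export format, rule ids and ticket numbers are constructed, and it assumes each rule line carries a `ticket=` and `expires=` field.

```python
"""Controls 10/13 check: find temporary firewall openings whose business
need has expired, plus openings with no change record at all (added
example, not from the lecture materials; the rule export is constructed)."""
from datetime import date

# Constructed rule export, one rule per line:
# "<rule-id> <proto>/<port> <src> -> <dst> ticket=<id> expires=<YYYY-MM-DD|never|none>"
RULES = """\
r101 tcp/443 any -> 203.0.113.10 ticket=CHG-1001 expires=never
r102 udp/5004 198.51.100.0/24 -> 203.0.113.20 ticket=CHG-1042 expires=2015-03-31
r103 tcp/3389 198.51.100.7 -> 203.0.113.30 ticket=CHG-1050 expires=2015-04-30
r104 tcp/22 any -> 203.0.113.40 ticket=none expires=none
"""

def parse_rules(text):
    """Turn each export line into a dict of the fields the audit needs."""
    rules = []
    for line in text.splitlines():
        rid, svc, src, _arrow, dst, ticket, expires = line.split()
        proto, port = svc.split("/")
        rules.append({
            "id": rid, "proto": proto, "port": int(port), "src": src, "dst": dst,
            "ticket": ticket.split("=", 1)[1],
            "expires": expires.split("=", 1)[1],
        })
    return rules

def audit(rules, today):
    """Return {rule-id: reason} for rules that should be reviewed or removed:
    expired temporary openings, and openings with no ticket or expiry."""
    findings = {}
    for r in rules:
        exp = r["expires"]
        if r["ticket"] == "none" or exp == "none":
            findings[r["id"]] = "no change ticket / no expiry recorded"
        elif exp != "never" and date.fromisoformat(exp) < today:
            findings[r["id"]] = "temporary opening expired on " + exp
    return findings

def run_audit(today=date(2015, 4, 9)):
    """Audit the constructed rule export as of the given date."""
    return audit(parse_rules(RULES), today)

if __name__ == "__main__":
    for rid, why in sorted(run_audit().items()):
        print(rid, why)
```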
Weak Network Architectures
• Focus on Internet perimeter security often
leads to neglect of the internal security
architecture
– For example, machines with restricted data
should be encrypted and defended from
internal attacks from the rest of the network
• Controls 13, 19
– Secure network engineering means that
internal as well as external defenses are
considered
• For example, internal network partitions and
defenses should be designed to protect the most
valuable assets
Lack of Logging and Log
Reviews
• It’s often said that the network guys with
the big fancy video network dashboards
miss everything, and the professionals with
simple tools watching the logs see what’s
really happening
• Control 14
– Log consolidation, log normalization, and
frequent log analysis are needed for the
network team to understand the network and
what’s happening on it
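Consolidation and normalization matter because each silo on its own can look harmless. The added example below (not from the lecture materials; both log samples are constructed) normalizes a Linux sshd log and a Windows logon-event CSV into one schema, then counts failed logons per source across both: the same source sits below a review threshold in each log separately and only crosses it once the logs are combined.

```python
"""Control 14: consolidate two log formats into one schema and review
the result (added example, not from the lecture materials; both log
samples below are constructed)."""
import re
from collections import Counter

# Constructed Linux auth log lines (syslog style)
SYSLOG = """\
Apr  9 08:01:10 web01 sshd[2201]: Failed password for root from 198.51.100.7 port 50122 ssh2
Apr  9 08:01:12 web01 sshd[2201]: Failed password for root from 198.51.100.7 port 50124 ssh2
Apr  9 08:02:00 web01 sshd[2210]: Accepted publickey for deploy from 10.1.2.10 port 41000 ssh2
"""
# Constructed Windows logon events exported as CSV: time,host,event_id,user,source_ip
# (4625 = failed logon, 4624 = successful logon)
WINCSV = """\
2015-04-09 08:01:30,dc01,4625,jsmith,198.51.100.7
2015-04-09 08:01:45,dc01,4625,jsmith,198.51.100.7
2015-04-09 08:03:00,dc01,4624,jsmith,10.1.2.11
"""

SSH_RE = re.compile(r"^\S+\s+\d+ \S+ (\S+) sshd\[\d+\]: (Failed|Accepted) \w+ for (\S+) from (\S+)")

def normalize_syslog(text):
    """sshd lines -> common {host, user, src, outcome} records."""
    out = []
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if m:
            host, verdict, user, src = m.groups()
            out.append({"host": host, "user": user, "src": src,
                        "outcome": "fail" if verdict == "Failed" else "success"})
    return out

def normalize_windows(text):
    """CSV logon events -> the same common records."""
    out = []
    for line in text.splitlines():
        _time, host, event_id, user, src = line.split(",")
        out.append({"host": host, "user": user, "src": src,
                    "outcome": "fail" if event_id == "4625" else "success"})
    return out

def failed_logons_by_source(events):
    """Failed logons per source IP over the consolidated event list."""
    return Counter(e["src"] for e in events if e["outcome"] == "fail")

def review(threshold=3):
    """Sources reaching the threshold only once both logs are combined."""
    events = normalize_syslog(SYSLOG) + normalize_windows(WINCSV)
    return {src: n for src, n in failed_logons_by_source(events).items() if n >= threshold}
```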
Lack of Risk Assessment and
Data Protection
• It is impossible to secure everything, so
organizations must identify what needs to be
protected and prioritize their defenses
– Failure to do so results in a mis-allocated array of
defenses that are not protecting the right things
• Controls 15, 17
– The need to know is a fundamental principle for
controlling internal access to sensitive information
• Internal threats are more potentially dangerous than
external ones – they already know what’s very sensitive,
where to obtain it, and have legitimate access privileges
– In organizations with restricted data (and most are)
DLP is an essential defense against the
consequences of data spillage, e.g. fines, costs, loss
of customer goodwill
Data Loss via Undetected
Exfiltration
• Data is constantly in motion in mobile
devices and on networks
– Data is vulnerable to insider threats as well
as Advanced Persistent Threats (APT) and
common crime such as theft or even worker
negligence
• Control 17
– DLP proactively seeks out sensitive data
and ensures its encryption in motion and at
rest – thus preventing future potential
exfiltrations
Poor Incident Response - APT
• Typical time from APT penetration to
detection by the enterprise is 6 months
– Even some of the most savvy companies
respond this slowly, e.g. RSA, Google
• Control 18
– Mature intrusion detection practices,
coupled with effective incident response are
essential to protect restricted data, mission
critical systems, intellectual property, and
competitiveness
Cloud Security - Introduction
• Clouds are massive pools of computing
and storage resources.
– Public Clouds – provide outsourcing of
scalable computing resources, software
applications, and system management
– Private Clouds – owned within an
organization
• Private Clouds are increasingly easy to build
with Performance Optimized Datacenter (POD)
preconfigured racks
• Why go private? Security. Performance. Control.
How do clouds form?
How do clouds work?
• Data Storage Clouds
– Scalable mass storage… automatic backup
– Data volume escalating
• e.g. Large Hadron Collider, MRI/CT, EHR, DNA
Sequencing, Internet Click Stream, Customer Purchases…
• Infrastructure/Application Provisioning
– Scalable outsourcing of computation/applications
• Computation Intensive
– e.g. supercomputing, big data computing
Special Security Implications
• In clouds, data and processing migrate
across physical, virtual, and organizational
boundaries
• Data and applications are aggregated
– Increases potential risks from security
breach
• Potential end-user community is
expanded
– Many more users potentially have access,
including malicious insider or external threats
Security Implications 2
• Consolidation into Clouds Can Magnify
Risks
• Clouds Require Stronger Trust
Relationships
• Clouds Change Security Assumptions
• Data Mashups Increase Data Sensitivity
Cloud Indexing Changes
Security Semantics
• To aid in search, cloud developers create
various indexes into big data collections
• In large enterprises, the big data could be
a mashup
– from multiple applications which originally
had security assumptions about who can
access and need to know
– How can those original security assumptions
be translated into a multi-application mashup?
• Indexing accelerates access to data with
aggregated and/or compromised security
assumptions
Cloud Security Technology
Maturity
• Virtual servers on virtual networks may be invisible to
physical network security devices
• Mobile Code
– Clouds rely on thin clients (e.g. Internet browsers) which
require extensive mobile code to emulate sophisticated end user
applications
– Code authentication technologies exist but are not widely
utilized – introduction of malicious mobile code can go
undetected
• Mobile Devices Extend the Cloud to the Edge
– Increasingly an extension of our enterprises, largely
unprotected from malicious software and spoofed access points
Stovepiped Widgets in the
Cloud
• Stovepiped Cloud Widgets
– Developers building cloud applications (i.e. widgets)
on top of primitive services (i.e. operating systems,
sockets, and databases) are reinventing their own
technology stacks and security solutions
• Widget Frameworks
– Ideally, primitive services should be encapsulated
into higher level application services, which…
• Accelerate development due to the higher level of
enterprise-context-specific abstraction, e.g. battlefield
simulation services, customer relationship services
• Embed security solutions in higher level services, so that
security does not have to be re-validated from the ground up
New Governance and QA for
Cloud Computing
• Small-scale widget developers can move
code into production without the usual QA
checks required of large-scale applications
• Service Oriented Architecture (SOA)
approaches are encapsulating legacy
applications and making that processing
and data available to widget developers
– Data access can more easily cross
organizational boundaries creating new
governance and security challenges
• IT governance must evolve to address
this growing ecosystem
Cyber Security: Managing Networks,
Conducting Tests, and Investigating Intrusions
REVIEW CHAPTER SUMMARY