Checklist for Preparing an Organization's Cyber Security Readiness (slide transcript)
© Copyright 2015 Bay Computing Co., Ltd. Bay Computing Presentation Template
Effective: 2015-07-01
Checklist for preparing an organization's Cyber Security readiness
6th October 2015 Avirut Liangsiri
Agenda
• Traditional vs. Modern Cyber Defense: how do they differ, and how do they complement each other?
• Industry Standard Checklist for Cyber Security
• Why Security Configuration matters when preparing to handle modern threats (Security Configuration Management for Modern Threat Mitigation)
• Key Security Controls for preventing and detecting threats (SANS Top 20 Security Controls)
Traditional vs. Modern Cyber Defense
Traditional Cyber Defense
• What does a typical cyber defense entail?
• Traditional != Outdated Devices
– Shiny, sexy, 2.0, NG, cloud, mobile awesomeness can comprise a traditional security architecture
• So what constitutes a traditional approach to cyber defense then?
Prevention Sanity Check
• Quick sanity check for your organization
• Take a network map and consider security controls
• If a control is primarily preventive, note it with a P
• If it is primarily detective, note it with a D
• Add up all the P's and compare to the D's
Most organizations are >80% preventive
Sanity Check Illustrated
Preventive
• Firewall
• IPS
• NGFW
• Antivirus
• Proxy
• Web Content Filter
• Malware Detonation Devices
• DLP
• NAC
Detective
• IDS
• SIM/SIEM
Traditional Cyber Defense
• Characteristics
– Preventive Oriented
– Perimeter Focused
– Addresses Layer 3/4
– Centralized IS/Security
– Device Driven Security
Traditional Successes
• Conceptually simple architecture (easy)
• Staffing requirements fairly low (cheap)
• Staff skill required not extremely high (cheap)
• CAPEX relatively low by comparison (cheap)
• OPEX extremely low by comparison (cheap)
• Unlikely to detect breaches (easy)
– Which reduces breach notification likelihood (cheap)
• Management typically likes cheap and easy
• Shortcomings discussed later
Modern Cyber Defense Principles
• Characteristics
– Detection-Oriented
– Proactive Detection : Hunt Teams
– Post-Exploitation Focused
– Response-Driven
– Layer 7 Aware
– Decentralized Data/Systems
– Risk Informed
– Network Security Monitoring
– Continuous Security Monitoring
Traditional vs. Modern C2
Industry Standard Checklist for Cyber Security
Recognized Checklist
• ISO/IEC 27001:2013 ISMS
– It is a specification for an information security management system (ISMS). Organizations which meet the standard may gain an official certification issued by an independent and accredited certification body on successful completion of a formal audit process.
• SANS Top 20 Security Control
– The “Top 20” Critical Security Controls (20 CSC, also known as the Consensus Audit Guidelines (CAG) and formerly referred to as the SANS 20 Critical Security Controls) have emerged as the “de facto yardstick by which corporate security programs can be measured.”
• NIST 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations)
Top 20 Critical Security Controls
– The “Top 20” Critical Security Controls (20 CSC, also known as the Consensus Audit Guidelines (CAG) and formerly referred to as the SANS 20 Critical Security Controls) have emerged as the “de facto yardstick by which corporate security programs can be measured.” The 20 CSC are now governed by the Council on Cyber Security, an independent, expert, not-for-profit organization with a global scope.
– Development of this set of standards began in 2008, when the Office of the Secretary of Defense asked the National Security Agency for help in prioritizing the myriad security controls available for cyber security, so that resources could be directed efficiently towards the most common network vulnerabilities, which accounted for the greatest number of attack vectors.
Security Configuration Management for Modern Threat mitigation
[Figure slides: callouts from cited sources reading “the 1st priority”, “2nd most effective”, “3rd most important” and “four highest-priority”]
Fundamental SecOps: File Integrity Monitoring
[Figure: FIM captures the baseline state as a “digital fingerprint”; the current running state is compared against that baseline repeatedly, and new changes are determined from the differences]
1. Detect all configuration changes
– Monitored systems: networks, domain directories, servers, databases
– Change sources: automated changes, manual changes, scripted changes
2. Analyze change activity (user-defined policies)
– Type of system? Type of change?
– Within maintenance window?
– Made by authorized users?
– Matches release system?
– Passes compliance tests?
3. Take action
– Investigate changes
– Security & Ops reports
– Remediate changes
• Automatic filtering of change
– By change or system type
– By policy criteria
– Conditional actions
Visibility, Accountability, Control
Continuously detect unauthorized changes
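The baseline-fingerprint idea from the FIM figure and the detect / analyze / take-action workflow above, as an added example that is not code from the original deck or from any FIM product. It assumes a filesystem subtree as the monitored system, SHA-256 plus permission bits as the fingerprint, and a release manifest (path to expected hash) plus a maintenance-window flag as the user-defined policy; the sample files and changes are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def fingerprint(root: Path) -> dict:
    """Baseline step: record a SHA-256 digest and permission bits for every file under root."""
    state = {}
    for f in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = f.relative_to(root).as_posix()
        state[rel] = {"sha256": hashlib.sha256(f.read_bytes()).hexdigest(),
                      "mode": f.stat().st_mode & 0o777}
    return state

def compare(baseline: dict, current: dict) -> list:
    """Detect step: list (path, kind) for every file that differs from the baseline."""
    changes = [(p, "added") for p in current if p not in baseline]
    changes += [(p, "removed") for p in baseline if p not in current]
    changes += [(p, "modified") for p in baseline if p in current and baseline[p] != current[p]]
    return sorted(changes)

def triage(changes: list, current: dict, release: dict, in_window: bool) -> dict:
    """Analyze step (assumed policy): a change is authorized only if the release manifest
    expected it (path listed with the resulting hash) and it landed inside the maintenance
    window; everything else is routed to investigation."""
    verdicts = {}
    for path, kind in changes:
        expected = release.get(path)
        matches = kind != "removed" and expected == current[path]["sha256"]
        verdicts[path] = "authorized" if (matches and in_window) else "investigate"
    return verdicts

def demo() -> dict:
    """Constructed sample: one planned edit, one unplanned edit, one unexpected new file."""
    root = Path(tempfile.mkdtemp())
    (root / "etc").mkdir()
    (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
    (root / "etc" / "app.conf").write_text("debug=false\n")
    baseline = fingerprint(root)
    # Release manifest: the only change the release system expects during this window.
    planned = "debug=false\nlog_level=warn\n"
    release = {"etc/app.conf": hashlib.sha256(planned.encode()).hexdigest()}
    (root / "etc" / "app.conf").write_text(planned)                      # planned change
    (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")   # unplanned change
    (root / "etc" / "cron.d").mkdir()
    (root / "etc" / "cron.d" / "nightly").write_text("0 2 * * * root /usr/local/bin/backup\n")
    current = fingerprint(root)
    changes = compare(baseline, current)
    return {"changes": changes, "verdicts": triage(changes, current, release, in_window=True)}
```

In a real deployment the baseline is stored off-host and re-taken only after an approved release, so that an attacker cannot quietly re-baseline their own changes.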
Sample of Security and Compliance Policies
AIX
Cisco IOS
Cisco PIX
HP-UX
IBM DB2
Linux (Red Hat)
Linux (SUSE)
Microsoft Exchange
Microsoft IIS
MS SQL Server 2000
MS SQL Server 2005
MS SQL Server 2008
Oracle 9i
Oracle 10g
Oracle 11g
Solaris 8,9 & 10
VMware ESX
Windows Server 2000
Windows Server 2003
Windows Server 2008
Windows Server DC
Windows Server DM
Windows XP and Vista
A Comprehensive Approach to Addressing Security
Security Configuration Assessment
• Assess existing Controls Gap against Baselines/Standards
A Comprehensive Approach to Addressing Security
Devise Remediation Plan
• Achieve the Baselines/Standards State
A Comprehensive Approach to Addressing Security
Maintain “Known & Trusted State”
• Real-time Alert on Deviation
– Before & After View
Strong Security is More Important Than Ever
• Compromise takes minutes. Discovery takes weeks & months
Source: 2010 Data Breach Investigations Report, Verizon Business
Well Known Configuration Standard
• CIS – Center for Internet Security (https://benchmarks.cisecurity.org/): configuration benchmarks
• NIST 800-70 – National Checklist Program for IT Products: Guidelines for Checklist Users and Developers (http://checklists.nist.gov/): vulnerability and configuration checklists
• DISA STIG – US DoD DISA Security Technical Implementation Guide – nine different levels (Mission Assurance Category I–III combined with Confidentiality Level Public, Sensitive or Classified) (http://iase.disa.mil/stigs/Pages/index.aspx)
• FDCC/USGCB – US Federal Desktop Core Configuration – focuses mainly on desktop operating systems (Windows XP, Vista, 7, 8, 10); started in 2007 by OMB (http://usgcb.nist.gov/)
CIS Standard
• The CIS Security Benchmarks program provides well-defined, unbiased and consensus-based industry best practices to help organizations assess and improve their security. Resources include secure configuration benchmarks, automated configuration assessment tools and content, security metrics and security software product certifications.
• The Security Benchmarks program is recognized as a trusted, independent authority that facilitates the collaboration of public and private industry experts to achieve consensus on practical and actionable solutions. Because of this reputation, our resources are recommended as industry-accepted system hardening standards and are used by organizations in meeting compliance requirements for FISMA, PCI, HIPAA and other security requirements.
CIS Checklist Example (Windows XP)
CIS Listed Systems
• Amazon Linux Benchmarks
• Apache HTTP & Tomcat Benchmarks
• Apache HTTP Server Assessment Tool
• Apple iOS Benchmarks
• Apple OSX Benchmarks
• Apple Safari Benchmarks
• Benchmark Mappings: Medical Device Security Standards
• CentOS Linux Benchmarks
• CheckPoint Firewall Benchmarks
• Cisco Device Benchmarks
• Consensus Security Metrics
• Debian Linux Benchmarks
• Docker Benchmarks
• FreeBSD Benchmarks
• FreeRadius Benchmarks
• Google Android Benchmarks
• HP-UX Benchmarks
• IBM AIX Benchmarks
• IBM DB2 Benchmarks
• ISC BIND Benchmarks
• Juniper Device Benchmarks
• Kerberos Benchmarks
• LDAP Benchmarks
• Microsoft Exchange Server Benchmarks
• Microsoft IIS Benchmarks
• Microsoft Internet Explorer Benchmarks
• Microsoft MS SQL Server Benchmarks
• Microsoft Office Benchmarks
• Microsoft SharePoint Server Benchmarks
• Microsoft Windows 7 Benchmarks
• Microsoft Windows 8 Benchmarks
• Microsoft Windows NT Benchmarks
• Microsoft Windows Server 2000
• Microsoft Windows Server 2003
• Microsoft Windows Server 2008
• Microsoft Windows Server 2012
• Microsoft Windows XP Benchmarks
• Mozilla Firefox Benchmarks
• Multi Function Print Devices Benchmark
• MySQL Database Server Benchmarks
• Novell Netware Benchmarks
• Opera Benchmarks
• Oracle Database Server Assessment Tool
• Oracle Database Server Benchmarks
• Oracle Linux Benchmarks
• Oracle Solaris Benchmarks
• Red Hat Linux Benchmarks
• Router Assessment Tool
• Slackware Linux Benchmarks
• SuSE Linux Benchmarks
• Sybase ASE Benchmarks
• Ubuntu Linux Benchmarks
• Unix Assessment Tools
• Virtualization Benchmarks
• VMware Benchmarks
• Wireless Network Devices Benchmarks Archive
• Xen Benchmarks
NIST Checklist Download Page (checklists.nist.gov)
• The Security Content Automation Protocol (SCAP) is a synthesis of interoperable specifications derived from community ideas. (http://scap.nist.gov/)
NIST Category
• Supported Categories
– Antivirus Software
– Application Server
– Authentication
– Configuration Management Software
– Database Management System
– Desktop Application
– Desktop Client
– Directory Service
– DNS Server
– Email Server
– Encryption Software
– Enterprise Application
– Firewall
– Handheld Device
– Identity Management
– Intrusion Detection System
– KVM
– Malware
– Mobile Solution
– Multi-Functional Peripheral
– Network Router
– Network Switch
– Office Suite
– Operating System
– Peripheral Device
– Security Server
– Server
– Virtualization Software
– Web Browser
– Web Server
– Wireless Email
– Wireless Network
DISA STIG
• The Security Technical Implementation Guides (STIGs) and the NSA Guides are the configuration standards for DOD IA and IA-enabled devices/systems. Since 1998, DISA has played a critical role enhancing the security posture of DoD's security systems by providing the Security Technical Implementation Guides (STIGs). The STIGs contain technical guidance to "lock down" information systems/software that might otherwise be vulnerable to a malicious computer attack.
• Complete list (541): http://iase.disa.mil/stigs/Pages/a-z.aspx
FDCC/USGCB
• The Federal Desktop Core Configuration was a list of security settings recommended by the National Institute of Standards and Technology for general-purpose microcomputers that are connected directly to the network of a United States government agency.
• FDCC applied only to Windows XP and Vista desktop and laptop computers.
• FDCC was replaced by the United States Government Configuration Baseline (USGCB), which also includes settings for Windows 7 and Red Hat Enterprise Linux 5.
USGCB Content Page
SANS Top 20 Security Control in detail
SANS Critical Security Controls v5
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
NSA Ranking on 20 CSC
Critical Security Controls by trending
Critical Security Controls V6 comparison
Critical Security Controls V6 comparison
Question & Answer
Thank you!