Securing IT Systems with the Consensus Benchmarks and Scoring Tools Clint Kreitner
1
Securing IT Systems with the Consensus Benchmarks and Scoring Tools
Clint Kreitner
www.cisecurity.org
THE CENTER FOR INTERNET SECURITY℠
2
Unfortunate, but true…
“Through 2005, 90 percent of cyber attacks will continue to exploit known security flaws for which a patch is available or a preventive measure known.”
Gartner Group, May 6, 2002
3
What is causing the vulnerabilities that are being exploited?
Software defects: fixed with vendor patches
Lack of technical security controls: security settings made to enable or disable security features of the OS software (think of them as software switches)
4
Examples of security settings
Password length, complexity
Account lockout after X attempts
Audit what system events?
Idle time before logoff
Users allowed to install print drivers?
What unneeded services to disable?
File system to use?
5
Aren’t these standards adequate to improve user security practice?
ISO 17799
COBIT from ISACA
SysTrust, WebTrust from AICPA
FISCAM from GAO
Principles and Practices for Security of IT Systems from NIST
Standard of Good Practice from ISF
6
These standards are helpful, but incomplete
They describe “what” to do, but not “how”
These standards are effective only when accompanied by details on how to implement their requirements
7
An example from ISO 17799, 9.7.1 Event logging
Audit logs recording exceptions and other security-relevant events should be produced and kept for an agreed period to assist in future investigations and access control monitoring.
Audit logs should also include:
a) user IDs;
b) dates and times for log-on and log-off;
c) terminal identity or location if possible;
d) records of successful and rejected system access attempts;
e) records of successful and rejected data and other resource access attempts.
8
One of several actions needed to implement event logging on Sun Solaris systems:
# Create a boot-time script that starts system activity data collection (sadc) as user sys.
# The backslash before the backtick keeps date from being expanded while the file is written.
cat <<END_SCRIPT >/etc/init.d/newperf
#!/sbin/sh
/usr/bin/su sys -c "/usr/lib/sa/sadc /var/adm/sa/sa\`date +%d\`"
END_SCRIPT
chown root:sys /etc/init.d/newperf
chmod 744 /etc/init.d/newperf
# Link the script into run level 2 so it runs at boot.
rm -f /etc/rc2.d/S21perf
ln -s /etc/init.d/newperf /etc/rc2.d/S21perf
# Install cron entries for sys: sa1 samples every 20 minutes, sa2 writes the daily report at 23:45.
/usr/bin/su sys -c crontab <<END_ENTRIES
0,20,40 * * * * /usr/lib/sa/sa1
45 23 * * * /usr/lib/sa/sa2 -s 0:00 -e 23:59 -i 1200 -A
END_ENTRIES
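A compliance check for the accounting set-up on this slide, written as an added example (it is not part of the slides or of any CIS benchmark or scoring tool). It assumes the Solaris layout for the "sys" crontab, /var/spool/cron/crontabs/sys, and takes an optional root prefix so a staged or mounted tree can be checked instead of the live system.

```sh
# Added example, not from the benchmark or the slides: verify that the sadc
# boot script, its rc2 link and the sa1/sa2 cron entries are all in place.
# The crontab path below follows the Solaris layout and is an assumption here.
fail() { echo "FAIL: $*" >&2; fails=$((fails + 1)); }

check_sa_accounting() {
    root=${1:-}
    fails=0
    script="$root/etc/init.d/newperf"
    link="$root/etc/rc2.d/S21perf"
    crontab="$root/var/spool/cron/crontabs/sys"

    # 1. The boot script exists, is executable, and actually runs sadc.
    if [ ! -f "$script" ] || [ ! -x "$script" ]; then
        fail "$script missing or not executable"
    elif ! grep -q '/usr/lib/sa/sadc' "$script"; then
        fail "$script does not invoke /usr/lib/sa/sadc"
    fi
    # 2. The run-level 2 link points at that script, as the ln -s on the slide sets it.
    if [ ! -L "$link" ] || [ "$(readlink "$link")" != "/etc/init.d/newperf" ]; then
        fail "$link is not a symlink to /etc/init.d/newperf"
    fi
    # 3. The sys crontab carries both the sa1 sampling and the sa2 reporting entry.
    if [ ! -f "$crontab" ]; then
        fail "no crontab installed for user sys"
    else
        grep -q '/usr/lib/sa/sa1' "$crontab" || fail "sa1 entry missing from sys crontab"
        grep -q '/usr/lib/sa/sa2' "$crontab" || fail "sa2 entry missing from sys crontab"
    fi
    echo "$fails"   # number of failed checks; 0 means the item is compliant
}

check_sa_accounting "${1:-}"
```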
9
Why has it been so difficult to proliferate good security practice?
Vendors have been shipping unconfigured systems to users with technical security controls turned off
Users don’t know how to properly configure their systems
Users are afraid to disrupt operations with patches or security settings
10
Microsoft Issues Patches, but Users Don’t Apply Them
Forrester Research Report
April 3, 2003
11
Responding to the challenge
Cosmos Club meeting, Aug 2000
Need to develop and proliferate detailed technical best practices
The only true solution is to try to raise the bar everywhere, globally
Employ a consensus process to define best practices that is driven by security-savvy users from the public and private sectors
12
The Center for Internet Security (CIS)
Formed in October 2000
Modeled after other community initiatives, e.g., transportation safety
A not-for-profit consortium of users
Convenes and facilitates teams that build consensus benchmarks
13
Some of the participants in the consensus effort:
Government:
Nat'l Inst Stds & Tech.
Infocomm Development Authority of Singapore
Naval Surface Warfare Center
US Treasury Financial Management Service
Washington State Dept. of Health
Defense Info Sys Agency (DISA)
Federal Reserve System
NASA
US Dept of Justice
Library of Congress
Royal Canadian Mounted Police
Communications Security Establishment (Canada)
Canadian CERT
NSA
GSA
FedCIRC
Dept Homeland Security
State of Maryland
14
Participants (cont'd):
Commercial: Eastman Kodak, SASKTel, LG&E Energy, Hallmark, Intel, Deutsche Telecom, Caterpillar, Baylor College of Medicine, NCR, Batelle, U.S. Central Credit Union, VISA, Thomson Holdings, Pitney Bowes, First Union Corporation, Intuit, Union Bank of California, Swiss Reinsurance Co, Elemica, Online Resources, Agilent Technologies, Shell Info. Tech. Int'l, PeopleSoft, News Corporation
15
More (cont'd):
Consulting/Service: IBM Business Consulting, Grant Thornton, Deloitte Touche, ISS, Symantec, BindView, NetIQ, SecureNet Solutions, RDA Corp, CSC, Procinct Security, Solutionary, Polivec, Mobile Automation, ConfigureSoft, GFM Consulting
16
More (cont'd):
Universities: Institute for Security Tech. Studies at Dartmouth, Virginia Tech, Monash University (Australia), Illinois Institute of Technology, University of Missouri, William & Mary, Utah State University, University of California, SF, New York University
17
Auditing Participants
Information Systems Audit and Control Association (ISACA)
American Institute of Certified Public Accountants (AICPA)
Institute of Internal Auditors (IIA)
18
What has this public/private partnership produced so far?
19
Currently available: Level I Configuration Benchmarks
Solaris, Linux, HP-UX, Windows NT, Windows 2000, Cisco Router IOS
20
A Level I Benchmark:
Can be implemented by a sysadmin of any level of security expertise
Can be monitored by a compliance tool
Is not likely to "break" any function
Represents a baseline level of security
21
Currently available:
Gold Standard Benchmarks: W2K Professional Level II, W2K Server Level II, CISCO Router IOS Level I/II, Solaris Level I
22
Also currently available: Configuration Scoring Tools
Solaris, Linux, HP-UX, Windows NT, Windows 2000 Server, Windows 2000 Professional, Cisco Router IOS
23
24
Under development: Benchmarks and Scoring Tools for:
Oracle databases, Apache, Windows IIS, Windows XP, Windows Server 2003, Catalyst Switches, PIX Firewalls, Check Point FW-1, SQL Server, Juniper Routers
25
How is this work being done?
Teams are formed with security experts from member organisations
An initial benchmark draft is obtained or developed
Consensus is established via email and conference call discussion
A scoring tool is developed
They are made available free to all users globally via the CIS website (www.cisecurity.org)
26
The good news…
Case studies show that 80-90% of known vulnerabilities are blocked by the security settings in the consensus benchmarks.
27
Case Study Methodology
(1) Scan a system “out of the box” and list identified vulnerabilities
(2) Configure the system with the appropriate benchmark
(3) Rescan the system and note the vulnerabilities remaining
28
Vulnerability Assessment Case Studies
Study        System        Benchmark   % of Vuls Eliminated
Solutionary  W2K Server    Level I     85
Citadel      W2K Pro       Level I     81
NSA          W2K Pro       Level II    91
Mitre        W2K Pro       Level II    83 (CVE)
Citadel      W2K Server    Level II    99
Citadel      RedHat Linux  Level I     100
29
Encouraging progress:
U.S. government promulgation of CIS benchmarks and tools via FedCIRC
VISA adoption of CIS benchmarks for its Cardholder Information Security Program's Digital Dozen
Progress at the vendor level
Dell now delivering pre-configured systems
Top security experts from Microsoft, Sun, HP, Cisco, and Oracle are active on the benchmark consensus teams
30
Benefits of using benchmarks and tools
Substantially reduce the risk of unauthorized intrusion
Following a recognized patching and configuration standard demonstrates due care against legal liability
Provides a basis for ongoing measurement and reporting of security status to management
31
Recommended policies:
Use govt purchasing power to buy only benchmark-configured systems from vendors
Encourage corporate and other institutional buyers to do the same
Establish benchmark compliance as an audit requirement
Encourage users in all sectors to download and use the consensus benchmarks and tools