The Future Is SECURITY THAT MAKES A DIFFERENCE. Implementing the 20 Critical Controls

Transcription

1 The Future Is SECURITY THAT MAKES A DIFFERENCE Implementing the 20 Critical Controls

2 Introduction Security is an evolution! Understanding the benefit and know how to implement the 20 critical controls is key. The controls are prescriptive The controls can be automated

3 Getting Started With Implementation What do you need? What am I trying to protect? What are my gaps? What are my priorities? Where can I automate? How can my vendor partners help? Where can I learn more?

4 Data Driven Decisions Control 1 Score Control 2 Score Control 3 Score Control 4 Score Number of Breaches Project 1 Project 2 Project 3 Project 4 Project 5 Project 6 Project 7

5 Track Progress Project 1 Project Jan Feb March April May June July August Sept Oct Nov Dec

6 Understand the Environment x Sendmail Apache Expn VRFY input buffer allowed overfl ow

7 Rule 1: Fix the Problem Not the Symptoms Critical Controls Starting Point Critical Controls 20: Penetration Test Critical Controls 4: Continuous Vulnerability Assessment and Remediation

8 Understanding the Problem PrivacyRights.org (updated weekly) Here are some that are reported (most are not) Just a small sample (organization/records breached): Heartland Payment Systems (130+ million 1/2009) Oklahoma Dept of Human Services (1 million 4/2009) Oklahoma Housing Finance Agency (225,000 4/2009) University of California (160,000 5/2009) Network Solutions (573,000 7/2009) U.S. Military Veterans Administration (76 million 10/2009) BlueCross BlueShield Assn. (187,000 10/2009)

9 Rule 2: Understand the Problem Critical Controls Starting Point Critical Control 1: Inventory of Authorized and Unauthorized Devices Critical Control 2: Inventory of Authorized and Unauthorized Software Critical Control 3: Secure Configurations

10 What is the Adversary After

11 Rule 3: Focus on the Data Critical Controls Starting Point Critical Control 15: Controlled Access Based on Need to Know Critical Control 17: Data Loss Prevention

12 Understand How the Adversary Works

13 Rule 4: Implement a Multi-Dimensional Approach to Security Critical Controls Starting Point Critical Control 5: Malware Defense Critical Control 6: Application Security Critical Control 13: Boundary Defense Critical Control 14: Maintenance, Monitoring, and Analysis of Security Audit Logs

14 Performing Gap Analysis Create a spreadsheet with the following columns Critical Control Current State Ideal State (18 months) Subtract the two columns Maturity 0 No sub-controls Maturity 1 - Quick Wins (QW) Maturity 2 - Improved Visibility and Attribution (Vis/Attrib) Maturity 3 - Hardened Configuration and Improved Information Security Hygiene (Config/Hygiene) Maturity 4 - Advanced (Adv)

15 Gap Analysis Drives Plan

16 Implementing the Controls Sample Implementation Control 2 Inventory of Authorized and Unauthorized Software Kaspersky Anti Virus tool Software inventory report lists software and version number Microsoft System Center Configuration Manager (SCCM) Inventory software and services on each system Windows Management Instrumentation Console (WMIC) Ability to script and automate the process

17 Implementing the Controls Sample Implementation Control 4 Continuous Vulnerability Assessment and Remediation QualysGuard Enterprise Suite Comprehensive vulnerability scanning Includes critical control 1 and 2 plus more.

18 Starting with Implementation The Top 5 The First Five cover (1) software white listing (2) secure standard configurations (3) application security patch installation within 48 hours (4) system security patch installation within 48 hours (5) ensuring administrative privileges are not active while browsing the web or handling .

19 ER Diagram Drives Implementation Entity Relationship Diagram (ERD) One of the 14 types of UML diagrams (structure) Also referred to as a Class Diagram Type of static structure diagram that describes the structure of a system by showing the system's classes, their attributes, and the relationships between the classes. Wikipedia

20 Sample ER Diagram (Critical Control #1)

21 Potential Result: A Consolidated ERD

22 Summary: Plan for Success Perform Initial Gap Assessment determining what has been implemented and where gaps remain for each control and sub-control. Develop an Implementation Roadmap selecting the specific controls (and sub-controls) to be implemented in each phase, and scheduling the phases based on business risk considerations. Implement the First Phase of Controls identifying existing tools that can be repurposed or more fully utilized, new tools to acquire, processes to be enhanced, and skills to be developed through training. Integrate Controls into Operations focusing on continuous monitoring and mitigation and weaving new processes into standard acquisition and systems management operations. Report and Manage Progress against the Implementation Roadmap developed.

23 THANK YOU for your time Dr. Eric Cole Twitter: drericcole