Tips for Passing an Audit or Assessment

Transcription

1 Tips for Passing an Audit or Assessment Rob Wayt CISSP-ISSEP, HCISPP, CISM, CISA, CRISC, CEH, QSA, ISO Lead Auditor Senior Security Engineer Structured Communication Systems

2 Who likes audits?

3 Compliance Requirements PCI DSS NERC CIP HIPAA FERPA CJIS ISO FISMA/NIST SP SP Cybersecurity Framework SOC 1/2/3 GLBA/NCUA SOX CIS 20 CSC

4 Compliance vs. Security Compliance is the low bar Your security controls can and should go well beyond

5 The Findings Most common findings on security assessments by our assessors.

6 Data Inventory What is your sensitive data? Where is it? If it is a person, process or system that transmits, stores, or processes sensitive information, it s in scope

7 By data security levels Segmentation Encrypt when traversing a lower level PCI using P2PE Micro segmentation, zero trust, private vlans

8 Asset Inventory Use dynamically updated system All hardware in scope Or manually keep updated with additions and subtractions Track owner, purpose, IP address, name and location if possible

9 Account Management Run reports for 90 days of inactivity Use expiration Validate month prior Disable on last day Management approval of access

10 Multi Factor Authentication U2F, push, OTP, For all admin access or access to sensitive information OWA, VPN, cloud Multi factor or multi step Factor independence

11 Use a SIEM! Not just purchase one All in scope systems Security systems NTP Logging

12 Change Management Document all changes to configurations Include approvals and roll back plans

13 Non OS patches JAVA, Flash Patching Network devices End of support = compensating controls

14 Network Access Control MAC spoofing **DHCP is not a security mechanism

15 Authorized Software Inventory of applications Whitelist the approved, Blacklist the others Or other form of application control FIM executables, system files, application files

16 Secure Configurations Use benchmarks for all systems CIS, NIST, STIGS Apply by GPO Build into gold disk

17 Vulnerability Scans Use authenticated scans Include all in scope assets

18 Admin Privileges No local admins Even for IT Use separate accounts for admin functions RunAs, Sudo Log/alert everything Added accounts, failed logins, adds to admin group

19 IoT Don t allow on your network Change admin credentials for everything

20 USB Storage Don t allow or limit usage Set to auto scan Encrypt on use

21 Firewalls Only allow authorized ports and protocols Inbound AND outbound Inbound connections to inside network Test segmentation Web content filtering

22 DLP Decrypt SSL and send to DLP for in scope data types Host based effective for inside threats

23 Encrypt Sensitive Data In motion and at rest Archive systems Laserfische, archive flat files Backups

24 Segmentation Authentication Rogue access points Wireless

25 Application Development Separate development environment Peer review code OWASP Top 10 WAF

26 Policies Worse than the audit itself Make sure policy is implemented And followed Don t forget Incident Response Disaster Recovery Business Continuity Plan

27 Accounting and HR Preparation needs to include these areas Store too much information, never purge anything More fun to audit than IT staff

28 SSL/TLS and SHA-1 Use TLS 1.1 and 1.2 SSL and TLS 1.0 are weak Still see SHA-1 signed certificates

29 Map to controls Risk Assessment Reviewed by Senior Management

30 Penetration Testing Not a vulnerability scan Actual hacking Should be near the end of your preparation task list Pay for social engineering

31 End User Training Include phishing campaign Real life scenarios Document

32 Virtual Environment Separate hypervisor and hardware by classification level Validate data, admin, and control planes in SDN Cloud environments

33 Questions? That s All!

34