Countermeasures and Best Practices Track 1: Large Business Sophisticated IT Security Program

Transcription

1 Countermeasures and Best Practices Track 1: Large Business Sophisticated IT Security Program Keith A. Watson, CISSP, CISA CERIAS Purdue University

2 Overview The Security Basics Risk Management, Controls Threat-Sources The short list Best and Worst Practices People, Process, Technology Countermeasures Automation and Measurement

3 Info Security Basics: Risk Management 1. Find and Understand Assets 2. Identify Threats 3. Identify Vulnerabilities 4. Analyze Controls 5. Determine Likelihood 6. Analyze Impact 7. Determine Risk 8. Deploy Appropriate Controls 9. Goto 1

4 Info Security Basics: Controls Types: Deterrent Preventative Corrective Detective Categories: Administrative Operational Technical Security Controls must be commensurate with the risk and cost effective

5 Threat-Sources Intentional Alteration of Data Alteration of Systems Disclosure Disruption Collusion Sabotage Theft Unauthorized Use Vandalism Unintentional Disclosure Operator/User Error Software Error Telecommunications Interruption Other Environmental Failures

6 Best and Worst Practices Overview People Process Technology

7 Best Practices for People (Do this!) Background checks for all employees More intensive checks for critical employees Training and Certification Security Awareness program for everyone Security Training tailored to jobs tasks Certification for security and admin personnel All job descriptions should outline security duties and responsibilities Create a security conscious organization

8 Worst Practices for People (Avoid this!) Fill IT positions with unqualified people Admins with no technical background/edu Reformed hackers Put all the responsibility/trust in one admin Cut training and certification efforts to save money and avoid brain drain Push all security responsibilities to security team

9 Best Practices for Process Remember that security is a continually evolving process, not an end state View security as an evolving, repeatable, and measurable process Threats and technology change fast Practices/techniques can be applied again If you can measure it, you can understand it Move ad hoc processes into defined, documented, and automated processes

10 Best Practices for Process Organize information security management around international standards, codes of practice, or frameworks ISO/IEC series ITGI COBIT and ValIT ITIL NIST Special Publication

11 Worst Practices for Process View compliance as security You can be compliant but not secure Being compliant in one area only NERC-CIP for energy control side HIPAA for patient health information PCI for cardholder data Have few controls on the corporate side Being compliant in paperwork only Have a written policy, but have no controls or enforcement

12 Best Practices for Technology Remember that technology is constantly changing and evolving View infrastructure as always under construction Avoid monocultures Stay up-to-date Software Vendor and third-party notifications Remove, Reduce, Restrict

13 Worst Practices in Technology Install it and then forget it Install systems in an ad hoc manner Fail to decommission old systems Old systems never die Rely on border defenses as primary protection Use VM technology for consolidation, instead of isolation and failover

14 Countermeasures Overview Inventories Data Classification DLP Secure Configurations Isolation Filtering/Monitoring Scanning Operationalization Users and Admins

15 Inventory: Devices Issue: Unsecured/unauthorized devices Systems that do not meet security standards are targets of attack Newly installed systems Test and development systems Privately owned equipment Use active and/or passive systems to create inventory list of IP-based systems Actively isolate unauthorized systems

16 Inventory: Software Issue: Outdated/unauthorized software Unsecure software are targets of attack Old vulnerabilities, multiple versions Attackers use external resources to target internal weaknesses (web, media, content) Once inside, weak systems become targets Use tools to inventory software Remove software without a business need Use automated deployment tools to sync software and update it when needed

17 Inventory: Data Issue: Sensitive data on unsecure systems Systems without controls hold critical data Application and DB servers sitting under desks Test systems with real data, not sanitized data Old copies of data stored on shared servers Use tools to search for sensitive data Move to more secure systems Move systems with data to data center

18 Data Classification Issue: What is sensitive data? Where is it? Few orgs have definition of sensitive data No definition and no protection requirements Each custodian has a different understanding of sensitive and critical Create policy for data classification, protection, labeling, and destruction Create standards listing approved tools and techniques

19 Data Loss Prevention Issue: Sensitive data is leaking outside Without controls, data is exposed Employees sharing, copying, losing data Vulnerable systems exposing it Loss occurs through approved channels DLP is more than a product Administrative, operational, technical controls Classifying data makes the DLP process easier

20 Secure Configurations Issue: Unsecure systems are targets An unsecure system: Lacks updated software Provides more services than required Has promiscuous services Differs in software load from a similar system Develop/maintain standard installations Incorporate security modification and tools Collect and maintain a standard software set

21 Isolation: Systems Issue: Trusted systems open to untrusted Systems configured for open access Default configuration from vendor Admins don t want to be hassled (sys, user) Most services are promiscuous Reduce services and restrict access to authenticated and authorized users Limit net access to authorized systems

22 Isolation: Networks Issue: Trusted networks open to untrusted Organizations with networks of operationally critical systems should be isolated from the corporate network Billing, trading, SCADA, service management Untrusted networks should be isolated Test/development, partners, third-parties Segment the network and define access Apply boundary defenses and monitor

23 Ingress and Egress Filtering Issue: Open access allows data in/out Users can download/install malware Malware has direct route to the internet Sensitive data can be uploaded, exposed Botnets can receive instructions (IRC, web) Direct internet access should be blocked Use authenticated proxies to reduce outbound malware connections Internet access should be a necessity

24 Monitoring Issue: Admins operate in the dark without log review and network monitoring Most orgs ignore log data and do not monitor network traffic Logs are collected but not reviewed Logs are useful finding attack attempts Network traffic contains probes, weird stuff Centralize log data and automate review Deploy monitoring systems at various points around the network

25 Account Management Issue: Poor user account management Old accounts are everywhere Contractor accounts on critical systems Terminated employee accounts in directories Critical servers with no users as admin Need policy and standards for user accts Use tools to find old accounts Move to a centralized directory service and policy system

26 Excessive Administrator Privileges Issue: Too many admins, not enough users DBAs with admin password Users logged in as an administrator have compromised machines. Period. Admin users make mistakes by installing unsafe applications, rogue software Need policy to reduce admin privileges

27 Network, System, and Vulnerability Scanning Issue: A multitude of vulnerable services Default system configurations tend to have more net services than required Vulnerable network services are targets Web-based applications can leak data Automated scans are the best approach Consistent coverage and timing Look for systems, services, vulnerabilities Store and analyze reports for analysis

28 Application Scanning and Code Review Issue: Applications have flaws and errors Functional testing, but no security testing Design weaknesses that expose data Programmer errors that accept bad input Train programmers on secure coding Use tools to examine code prior to checking it into source repository Perform code scans nightly and before production use

29 Operationalization or O16n Issue: Security teams are burdened with operational tasks Operational tasks should be moved to functional teams Software updates and anti-virus management for system admins Firewall management for network admins Directory management for user support Security teams must focus on threats, design, response, and investigations

30 Automation Issue: Tasks done manually are the last ones to get done correctly, if ever Humans are lazy, computers are not Tasks are forgotten or applied lackadaisically When I said tools I meant automated tools Look for security (and system) admins with development education/experience Experience with tool integration a plus

31 More on Automation Automated tasks can assist in Finding issues, sensitive data, weak systems Alerting administrators to issues Isolating authorized devices Preventing data loss and exposure Rolling out updated software Hardening deployed systems

32 Measuring Effectiveness Issue: Are the controls effective? Controls must be commensurate with risk Cost effective Functionally effective Each control can have functional metrics System must provide an alert within 24 hours System must provide follow-up alerts in 4 hours System must provide a status report everyday Testing can verify response and timing

33 More on Measuring Effectiveness Orgs should have an incident response capability and document all actions Review and refine response procedures Categorize and analyze event types Conduct an annual assessment on incidents Compare with annual reports from thirdparties (Symantec, McAfee, Verizon Biz, SANS, Ernst & Young, Deloitte Touche Tohmatsu, IBM, Computer Security Institute & FBI, CIO Magazine & PricewaterhouseCoopers, etc)

34 Conclusion Complex IT tends to have poor security Many weaknesses and vulnerabilities Require large teams to manage Understand information assets Simplify infrastructure and services Isolate, filter, monitor, and scan Manage users and access Automate and measure where feasible

35 Resources Twenty Critical Controls for Effective Cyber Defense, SANS 2009 Data Breach Investigations Report, Verizon Business Symantec Report on Rogue Security Software, Symantec Risk Management Guide for Information Technology Systems, NIST SP

36 Thanks! Questions?