NIST Cybersecurity Framework Protect / Maintenance and Protective Technology

Transcription

1 NIST Cybersecurity Framework Protect / Maintenance and Protective Technology

2 Presenter Charles Ritchie CISSP, CISA, CISM, GSEC, GCED, GSNA, +6 Information Security Officer IT experience spanning two centuries

3 Agenda Continue with the Protect core function Maintenance - two subcategories Protective Technology - four subcategories Focus is on basic security hygiene, not bleeding edge security tools and techniques

4

5 There are many frameworks and theories that we can leverage The point is to have some kind of a framework, and to insure its completeness, depending on your industry and current IT situation Brandon R. Williams, ISSA Distinguished Fellow

6 Maintenance

7 Maintenance Maintenance and repair of industrial control and information system components is performed consistent with policies and procedures

8 Maintenance MA-1 MA-2 Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access

9 In the news Medical Devices Could be Used as Point of Entry into Healthcare Networks May 25, 2016 The US Department of Veterans Affairs (VA) deputy director of health information security told Nextgov that attackers are more likely to break into Internet-connected medical devices to gain access to a hospital network than to disrupt a patient's treatment. Medical records are a valuable commodity on the data black market. Medical devices are not as readily patched as computers and phones. Lynette Sherrill also said that her agency removes devices that are found to be infected with malware, even if it means cancelling appointments.

10 Maintenance Includes all types of maintenance to all components System software, business applications Network devices, scanners, copiers, printers Firmware, industrial control systems Also addresses who is performing the maintenance, maintenance tools, and remote access

11 Relevance Known vulnerabilities cause 44 percent of all data breaches 1 Old vulnerabilities are a favorite tool among malicious actors report: companies take 100 to 120 days to patch 3 Infrastructure components can have critical vulnerabilities too 1 The Game Plan for Closing the SecOps Gap, BMC, Verizon Data Breach Investigations Report 3 How the Rise in Non-Targeted Attacks Has Widened the Remediation Gap, Kenna

12 Relevance Advisory (ICSA ) GE MultiLink Series Hard-coded Credential Vulnerability Original release date: June 02, 2016 OVERVIEW GE has identified a hard-coded credential vulnerability in GE s MultiLink series managed switches. GE has produced new firmware versions to mitigate this vulnerability. This vulnerability could be exploited remotely. IMPACT Exploitation of this vulnerability may allow an attacker to gain unauthorized administrative access to device configurations resulting in exposure and control of all configuration options available through the web interface. BACKGROUND The affected products, Multilink series switches, are managed Ethernet switches designed specifically for use in industrial facilities, substations, and transportation environments. According to GE, the Multilink series switches are deployed across several sectors including Critical Manufacturing, Energy, and Water and Wastewater Systems. GE estimates that these products are used worldwide.

13 Recommendations Inventory all IP-addressible systems - not just servers Establish maintenance procedures for each type Audit the inventory and whether maintenance is taking place per the procedure Monitor industry sources (vendors, US-CERT) Scan frequently for vulnerabilities; remediate ASAP

14 Protective Technology

15 Protective Technology Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements

16 Protective Technology PT-1 PT-2 PT-3 PT-4 Audit/log records are determined, documented, implemented, and reviewed in accordance with policy Removable media is protected and its use restricted according to policy Access to systems and assets is controlled, incorporating the principle of least functionality Communications and control networks are protected

17 Protective Technology Audit / log records are critical to any security program Log relevant events from all systems Capture all relevant information about these events: what, when, who, etc. Use automation to collect, protect, and analyze logs, and produce logbased reports Retain log data in support of investigations

18 In the news Taobao s Security Breach from a Log Perspective February 10, 2016 Taobao.com, one of the world s top 10 most visited websites, just faced what seems like a brute force attack of staggering proportions on its user accounts. Taobao is a Chinese buying-and-selling site owned by China s online giant, Alibaba, and offers a consumer-to-consumer (C2C) retail platform, where users are not buying from the website but through sellers offering their goods on it. It seems the attackers didn t attempt to breach Taobao s own systems but used a very large database of usernames and passwords that stem from previous hacks of various other web sites. They then used these credentials for massive automated login attempts to Taobao.com. Because many people use the same name and password on different web sites, a number of these login attempts were successful. What makes this particular case special is the dimension: Reports say the hackers executed approximately 100 million login attempts, and almost 21 million of these turned out to be successful.

19 Protective Technology Protect removable media and restrict its use according to policy Lost external media has been the cause of multiple significant data breaches USB drives can be used to bypass enterprise controls, even infecting air gapped systems Technical controls can restrict the use of USB storage If allowed, require encryption and AV scans

20 Protective Technology Control access to systems and assets, incorporating the principle of least functionality Any access to any system creates some risk Privileged access (e.g., admin accounts) entail far more risk than typical user privileges Remote access and other factors add to this risk Remote access, unnecessary access, and access by too many individuals unnecessarily increases business risk

21 Protective Technology Access to systems or assets should: Have a business justification, and approval by the owner Provide individual accountability Require appropriate authentication: multi-factor, complex passwords Be reviewed at least annually, and revoked immediately when no longer needed

22 Protective Technology Protect communications and control networks Technologies include firewalls, proxy servers, VPN, intrusion detection, and more Perimeter defense challenged by BYOD Avoid single points of failure Restrict access to control networks, admin functions Include in maintenance plans as well as DR plans

23 Protective Technology Encryption notes When in doubt, encrypt communications No encryption or weak encryption can allow information to be intercepted, including credentials Eliminate insecure protocols: telnet, ftp, etc. Encryption technologies continue to evolve; be prepared to upgrade/enhance your controls

24 Summary

25 We need to make sure our proactive measures in anticipation of a breach get better and more mature. Randy V. Sabett, Cybersecurity Attorney

26 Summary The Protect function focuses on developing and implementing safeguards to ensure delivery of critical infrastructure services Ongoing, timely maintenance addresses a leading cause of data breaches and other incidents Protective technologies support the security and resilience of systems and assets, and contribute to the ability to identify and respond to incidents Use the Cybersecurity Framework to assess your current capabilities and create a plan to improve and maintain these capabilities

27 Questions?

28