Tech TV Series. Lisa Niles CISSP, Chief Solution Architect

Transcription

1 Tech TV Series COLLABORATE, INNOVATE, VALIDATE CIS Top 20 #1 Inventory of Authorized and Unauthorized Devices Lisa Niles CISSP, Chief Solution Architect 1

2 Monitor, detect, analyze, protect, report, and respond against known vulnerabilities, known & unknown attacks, and exploitations and continuously test and evaluate information And the security controls and techniques to ensure that they are effectively implemented. 2

3 The control areas in the CIS CSC focus on various technical aspects of information security Primary goal of supporting organizations in prioritizing their efforts in defending against today s most common and damaging attacks. Outside of the technical realm, a comprehensive security program should also take into account: Numerous additional areas of security, including overall policy, organizational structure, personnel issues (e.g., background checks, etc.), and physical security. To help maintain focus, the controls in this document do not deal with these important, but non-technical, aspects of information security. Organizations should build a comprehensive approach in these other aspects of security as well 3

4 What is an IT security framework? An information security framework is a series of documented processes that are used to define policies and procedures around the implementation and ongoing management of information security controls in an enterprise environment. These frameworks are basically a "blueprint" for building an information security program to manage risk and reduce vulnerabilities. Information security teams can utilize these frameworks to define and prioritize the tasks required to build security into an organization. NIST Cybersecurity Framework, NIST guidelines, and the ISO series or regulations such as PCI DSS, HIPAA, NERC CIP, FISMA 4

5 5

6 Understanding the CIS Critical Security Controls In 2008, the Center for Internet Security s Critical Security Controls ( CIS Controls ) were created A collaboration between representatives from the U.S. government and private sector security & research organizations. A set of practical defenses specifically targeted toward stopping cyber attacks The CIS Controls were crafted to answer the frequent question: Where should I start when I want to improve my cyber defenses? 6

7 The CIS CSC Relationship to Other Federal Guidelines, Recommendations, and Requirements Once companies have addressed the 20 Critical Controls, it is recommended that NIST guidelines be used to ensure that they have assessed and implemented an appropriate set of management controls The CIS controls are meant to reinforce and prioritize some of the most important elements of other frameworks, guidelines, standards, and requirements put forth in other US Government documentation, such as NIST Special Publication : Recommended Security Controls for Federal Information Systems, SCAP, FDCC, FISMA, and Department of Homeland Security Software Assurance documents. 7

8 Guiding principles used in devising these control areas and their associated sub controls include: Defenses should focus on addressing the most common and damaging attacks Enterprise environments must ensure consistent controls across an enterprise to effectively negate attacks. Defenses should be automated where possible, and periodically or continuously measured using automated measurement techniques where feasible. 8

9 Getting Started: Ask and Answer Key Questions What am I trying to protect? Where are my gaps? What are my priorities? Where can I automate? How can my vendor partners help? 9

10 General Guidance for Implementing the Controls: Carefully plan. Organizational structure for program s success. Establish a Governance, Risk, and Compliance (GRC) program. Assigning program managers 10

11 There are a few practical considerations an organization should make when embarking on this journey. Specifically, an organization should: Make a formal, top-level decision to make the CIS Controls part of the organization s standard Senior management - support and accountability. Assign a program manager Who will be responsible for the long-term maintaining cyber defenses. Start with a gap analysis Develop an implementation plan Document the long-term plan (3-5 years) Embed the definitions of CIS Controls into organization s security policies Educate workforce on the organization s security goals and enlist their help as a part of the long-term defense of the organization s data. 11

12 Successful implementation of the Controls will require many organizations to shift their mindset on security and how they approach IT operations and defense. No longer can employees be allowed to install software at random or travel with sensitive data in their pockets. It has been established that the cultural acceptance of changes needed to implement the technical controls is a necessary prerequisite for success. This is probably the most significant obstacle most organizations need to overcome. 12

13 The Controls are not limited to blocking the initial compromise of systems Detecting already-- compromised machines and preventing or disrupting attackers follow-- on actions. Reducing the initial attack surface by hardening device configurations, identifying compromised machines to address long-- term threats inside an organization s network, disrupting attackers command-- and-- control of implanted malicious code, and establishing an adaptive, continuous defense 13

14 The five critical tenets of an effective cyber defense system as reflected in the CIS Critical Security Controls are: Offense informs defense Prioritization Metrics Continuous diagnostics and mitigation Automation 14

15 15

16 How to Get Started Step 1. Perform Initial Gap Assessment. Step 2. Develop an Implementation Roadmap Step 3. Implement the First Phase of Controls Step 4. Integrate Controls into Operations Step 5. Report and Manage Progress against the Implementation Roadmap 16

17 Control #1 Inventory of Authorized and Unauthorized Devices Key Principle Control: Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access. 17

18 The purpose of this Control is to help organizations define a baseline of what must be defended. Without an understanding of what devices and data are connected, they cannot be defended. 18

19 Why is CIS Control 1 critical? Attackers are continuously scanning the address space of target organizations, waiting for new and unprotected systems to be attached to the network. Devices that are not visible from the Internet can be used by attackers who have already gained internal access and are hunting for internal jump points or victims. Looking for new or test systems 19

20 Family Control Control Description Foundational Advanced Critical Security Control #1: Inventory of Authorized and Unauthorized Devices System 1.1 Deploy an automated asset inventory discovery tool and use it to build a preliminary inventory of systems connected to an organization s public and private network(s). Both active tools that scan through IPv4 or IPv6 network address ranges and passive tools that identify hosts based on analyzing their traffic should be employed. System 1.2 If the organization is dynamically assigning addresses using DHCP, then deploy dynamic host configuration protocol (DHCP) server logging, and use this information to improve the asset inventory and help detect unknown systems. System 1.3 Ensure that all equipment acquisitions automatically update the inventory system as new, approved devices are connected to the network. System 1.4 Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device. The inventory should include every system that has an Internet protocol (IP) address on the network, including but not limited to desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, Voice Over-IP telephones, multi-homed addresses, virtual addresses, etc. The asset inventory created must also include data on whether the device is a portable and/or personal device. Devices such as mobile phones, tablets, laptops, and other portable electronic devices that store or process data must be identified, regardless of whether they are attached to the organization s network. Y Y Y Y Use a mix of active and passive tools, and apply as part of a continuous monitoring program. System 1.5 Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network. The 802.1x must be tied into the inventory data to determine authorized versus unauthorized systems. Y Authentication mechanisms are closely coupled to management of hardware inventory System 1.6 Use client certificates to validate and authenticate systems prior to connecting to the private network. Y 20

21 CSC 1 Procedures and Tools The Control requires both technical and procedural actions; It is critical for all devices to have an accurate and up-to-date inventory control system in place (excel, database, manual or commercial automatic tool) with device details/owners Securely pull device details (MAC) switch, routers, aps, DHCP, servers, span ports Scanning tools (Active/passive) every 12 hours, ICMP sweep, fingerprinting Standard device naming conventions can help so unrecognized device names stand out Maturity goes from manual, automated, monitored and measured Place new device on network monthly to test tools/procedures effectiveness 21

22 CSC 1 Procedures and Tools Ensure that network inventory monitoring tools keeping the asset inventory up to date on a real-time basis Looking for deviations from the expected inventory of assets on the network, and alerting security Secure the asset inventory database with asset information is encrypted. Limit access to these systems to authorized personnel only, and carefully log all such access. For additional security, a secure copy of the asset inventory may be kept in an off-line system. 22

23 CSC 1 Procedures and Tools In addition to an inventory of hardware, organizations should develop an inventory of data/information assets and maps critical information to the hardware assets A department and individual responsible for each data asset should be identified, recorded, and tracked. To evaluate the effectiveness of automated asset inventory tools, periodically attach several hardened computer systems not already included in asset inventories to the network and measure the delay before each device connection is disabled or the installers confronted. Advanced: The organization s asset inventory should include removable media devices, including USB sticks, external hard drives, and other related information storage devices. 23

24 24

25 25

26 CSC 1.1 Requirement: Inventory of Authorized and Unauthorized devices CSC 1.1 Procedure: Asset Inventory The organization: 1. Departments will document and clearly define what authorized and unauthorized devices are in their respective areas. 1. Departments will update the Assets inventory reports and auditors of inventory devices. 1. Departments will spot check devices monthly to ensure that they are authorized Metrics: 1. The IT department will maintain a list of de-authorized devices 1. The IT department spot check each department every 6-months 26

27 Sub-Control Description Control Security Technology Controls 1 2 Inventory of Authorized and Unauthorized Devices Inventory of Authorized and Unauthorized Devices Active Device Discovery System Passive Device Discovery System Tenable, Qualys, Infoblox NetMRI, ForeScout Tenable, Qualys, Infoblox NetMRI, ForeScout 3 Inventory of Authorized and Unauthorized Devices Log Management System / SIEM Log Rhythm, Splunk 4 Inventory of Authorized and Unauthorized Devices Asset Inventory System Tenable, Qualys, Infoblox NetMRI, ForeScout, Db, Excel 5 Inventory of Authorized and Unauthorized Devices Network Level Authentication (NLA) Tenable, Qualys, Infoblox NetMRI, ForeScout, Juniper 6 Inventory of Authorized and Unauthorized Devices Public Key Infrastruture (PKI) Microsoft 27

28 Inventory of Authorized and Unauthorized Devices Deploy an automated asset inventory discovery tool Free Tools Spiceworks - active scanning. AlienVault OSSIM - Inventorying OpenAudIT - All open source inventorying, and auditing platform OpenNSM - Open Network Management System Windows DHCP Server Audit Event Tool - This tool can be used by Admins to view all the events generated by DHCP Server directly Linux DHCP Server Config and Logging - CentOS DHCP Server 28

29 1-5 - Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network. The 802.1x must be tied into the inventory data to determine authorized versus unauthorized systems. Free Tools Windows NPS Server Role - Just beware that NAP is deprecated in Windows 10 so you will need a 2rd party NAP client. FreeRADIUS & 802.1x - How to setup 802.1x with FreeRADIUS. SANS guide to deploy 802.1x Group Policy for Wireless 802.1x - Group Policy for Wired 802.1x 802.1x standard on most switches Enterprise tools Cisco ISE 29

30 1-6 - Deploy network access control (NAC) to monitor authorized systems so if attacks occur, the impact can be remediated by moving the untrusted system to a virtual local area network that has minimal access. Free Tools PacketFence - Flagship of open source Network Access Control (NAC). OpenNAC - Open source Network access control that provide secure access for LAN/WAN. Commercial Tools Forescout - Offers health checks before authenticating supplicants to your network. For wired and wireless networks. Microsoft SCCM - NAC with health checks is but one small piece of the SCCM 30

31 31

32 # CIS Critical Security Controls 1 Inventory of Authorized and Unauthorized Devices 2 Inventory of Authorized and Unauthorized Software 3 Secure Configuration of end-user devices Customer solution? Budgeted 2018? Reviewed solutions? SynerComm Solutions Tenable, Qualys, Infoblox, Forescout Tenable, Qualys, Infoblox, Carbonblack Tenable, Rapid7 4 Continious Vulnerability & remediation Qualys, Tenable, Rapid7 5 Controlled Use of Administrative priviledges 6 Maintenance, Monitoring and Analysis of Audit Logs Centrify, CyberArk, BeyondTrust, Okta SolarWinds, Log Rhythum 7 and Web Browser Protection Barracuda, Proofpoint, zscaler, Fireeye (Web - Palo, Checkpoint, Forcepoint) 8 Malware Defense Bitdefender, carbonblack, PaloAlto TRAPS, Sophos, TrendMicro 9 Limitation & Control of network Ports, protocols, and Service PaloAlto, Juniper, Checkpoint, Fortinet 10 Data Recovery Capability Barracuda 11 Secure Configuration of Network Devices SynerComm Config Assurance, A&A, Firemon, RedSeal, Tenable, Rapid7 12 Boundry Defense PaloAlto, Juniper, Checkpoint, Fortinet 13 Data Protection Rapid7, tenable, Imperva, Infoblox, PaloAlto 14 Controlled Access Based on Need to Know Centrify, OKTA 15 Wireless Access Control Aerohive with 802.1x & WIPS/FW 16 Account Monitoring and Control Centrify, Beyond Trust, OKTA, 17 Security Skills Assessment and A&A training Appropriate Training 18 Application Software Security Rapid7, Splunk 19 Incident Response and Management Rapid7, redseal, A&A 20 Penetration Tests and Red Team Exercises A&A 32

33 Center for Internet Security (CIS): NIST Cyber Security Framework (CSF): CIS Critical Security Controls (CSC): Auditscripts resources (provided by James Tarala, CSC Editor): CSF planning spreadsheet: 33

34 CISsecurity.org JOIN!! 34

35 35

36 Thank you for Attending. Hope you can join us for the Complete CIS Top 20 CSC 36