TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Similar documents
CS 356 Operating System Security. Fall 2013

Information Security Controls Policy

ANATOMY OF AN ATTACK!

IC32E - Pre-Instructional Survey

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

CIS Controls Measures and Metrics for Version 7

CIS Controls Measures and Metrics for Version 7

Security Architecture

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

NEN The Education Network

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

Sneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security

Client Computing Security Standard (CCSS)

AUTHORITY FOR ELECTRICITY REGULATION

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Juniper Vendor Security Requirements

External Supplier Control Obligations. Cyber Security

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

A Measurement Companion to the CIS Critical Security Controls (Version 6) October

Cyber Essentials Questionnaire Guidance

Best Practices in Healthcare Risk Management. Balancing Frameworks/Compliance and Practical Security

K12 Cybersecurity Roadmap

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Total Security Management PCI DSS Compliance Guide

Security by Default: Enabling Transformation Through Cyber Resilience

Detecting Lateral Movement in APTs ~Analysis Approach on Windows Event Logs~ June 17, 2016 Shingo ABE ICS security Response Group JPCERT/CC

The Common Controls Framework BY ADOBE

CYBERSECURITY RISK LOWERING CHECKLIST

Process System Security. Process System Security

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

Cyber Security Program

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

Presenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks.

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

A MULTILAYERED SECURITY APPROACH TO KEEPING HEALTHCARE DATA SECURE

AT&T Endpoint Security

Copyright 2011 Trend Micro Inc.

Building Resilience in a Digital Enterprise

the SWIFT Customer Security

Security Fundamentals for your Privileged Account Security Deployment

Security+ SY0-501 Study Guide Table of Contents

Critical Infrastructure Protection for the Energy Industries. Building Identity Into the Network

Changing face of endpoint security

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

OA Cyber Security Plan FY 2018 (Abridged)

Digital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Lindström Tomas Cyber security from ABB System 800xA PA-SE-XA

CYBER SECURITY POLICY REVISION: 12

Tripwire State of Cyber Hygiene Report

10 FOCUS AREAS FOR BREACH PREVENTION

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

Cybersecurity in Government

WHITE PAPER. PCI and PA DSS Compliance with LogRhythm

ABB Ability Cyber Security Services Protection against cyber threats takes ability

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES

MEMORY AND BEHAVIORAL PROTECTION ENDPOINT SECURITY NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY

Reviewer s guide. PureMessage for Windows/Exchange Product tour

Cyber Security. Our part of the journey

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak

CloudSOC and Security.cloud for Microsoft Office 365

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

SECURITY PRACTICES OVERVIEW

GUIDE. MetaDefender Kiosk Deployment Guide

2017 Annual Meeting of Members and Board of Directors Meeting

IoT & SCADA Cyber Security Services

Cybersecurity Auditing in an Unsecure World

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

Gujarat Forensic Sciences University

TestBraindump. Latest test braindump, braindump actual test

PCI DSS Compliance. White Paper Parallels Remote Application Server

QuickBooks Online Security White Paper July 2017

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Locking down a Hitachi ID Suite server

MEETING ISO STANDARDS

NIST Special Publication

Security analysis and assessment of threats in European signalling systems?

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

How AlienVault ICS SIEM Supports Compliance with CFATS

Delivering Integrated Cyber Defense for the Cloud Generation Darren Thomson

Checklist: Credit Union Information Security and Privacy Policies

Managed Endpoint Defense

RAPID7 INFORMATION SECURITY. An Overview of Rapid7 s Internal Security Practices and Procedures

Securing Today s Mobile Workforce

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance.

CYBER RESILIENCE & INCIDENT RESPONSE

NERC CIP: Fundamental Security Requirements of an Electronic Access Control and Monitoring System (EACMS) Requirements Mapping to ConsoleWorks

T22 - Industrial Control System Security

SFC strengthens internet trading regulatory controls

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

Transcription:

INFORMATION TECHNOLOGY SECURITY GUIDANCE TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION ITSM.10.189 October 2017

INTRODUCTION The Top 10 Information Technology (IT) Security Actions to Protect Internet-Connected Networks and Information (ITSM.10.189) is based on the Communication Security Establishment s (CSE) analysis of cyber threat activity trends and their impact on Internet-connected networks. Organizations that implement these recommendations will address many vulnerabilities and counter the majority of current cyber threats. POLICY SUGGESTIONS The Government of Canada (GC) has several policies that address cyber security practices requirements. These policies identified below, may be used as reference materials when organizations are creating their own policies and building the foundation of their cyber security practices and programs. Policy on Management of Information Technology [1] 1 Policy on Government Security (PGS) [2] Operational Security Standard: Management of Information Technology Security (MITS) [3] APPLICABLE ENVIRONMENTS The information in ITSM.10.189 provides best practices and guidance for all IT solutions. However, an organization may want to increase security by applying additional measures to protect their most sensitive business information. It is important that organizations understand their organizational environment in order to protect their information assets. 1 Numbers in square brackets indicate reference material. A list of references is located in the Supporting Content section. ITSM.10.189 2

THE TOP 10 Table 1 The Top 10 IT Security Actions To Protect Internet-Connected Networks Rank Action Description of Implementation 1 Consolidate, monitor and defend Internet gateways 2 Patch operating systems (OS) and applications 3 Enforce the management of administrative privileges 4 Harden operating systems (OS) and applications Organizations should monitor the traffic at their Internet gateways. To simplify this task, the number of external connections to an organization s network should be reduced. Normal traffic patterns must first be understood in order to detect and react to traffic pattern changes. The organization will benefit from the protection provided by cyber defences that monitor for, and can respond to, unauthorized entry, data exfiltration, or other malicious activity. In response to malicious activity, cyber defences should be able to shut down access points to stop data exfiltration or block unwanted attacks. Organizations should implement a timely patch maintenance policy for OS and third-party applications to reduce the organization s exposure to threats that could exploit publically known vulnerabilities. Organizations should use supported, up-to-date, and tested versions of OS and applications. The deployment of unsupported OS or applications, in which updates are no longer available, will result in a higher risk of exposure to exploitation because there is no mechanism available to mitigate vulnerabilities. Patches must be applied in a timely manner, ideally via an automatic patch management system. It is also important to have a mechanism to identify the patches that have been applied to ensure timely response to threats and to understand the risk of potential exposure. CSE s ITSB-96 Security Vulnerabilities and Patches Explained [4] further explains the importance of patching. Organizations should minimize the number of users with administrative privileges. The list of administrative users should be validated frequently. The creation of different levels of administrative accounts is a best practice to ensure that, if an administrative account is compromised, the level of exposure is limited. Organizations should either implement a password change process, according to an established schedule, for administrative account passwords or implement an administrative password solution to protect passwords. Where applicable, two-factor authentication (2FA) for accessing sensitive applications or remote networks should be implemented to improve the assurance of user credentials. To prevent exposure from phishing attacks or malware, administrators should perform administrative functions on dedicated workstations that do not have Internet or open e-mail access, or that have Internet and e-mail disabled from administrative accounts. Administrative accounts should be separate from standard organizational accounts; administrators should be aware of which account they are using. A compromised standard account is easier to recover than a compromised administrative account. To prevent compromise of Internet-connected assets and infrastructures, organizations should disable all non-essential ports and services, and remove unnecessary accounts. Both an enterprise-level auditing and an anti-virus solution are key elements of any secure configuration. Further security controls should be applied to when hardening an OS; organizations can consult CSE s ITSG-33 IT Security Risk Management: A Lifecycle Approach [5] for more information on selecting and applying security controls. Third-party applications should be assessed for components or functions that are not required, and should be disabled or require human intervention before they are enabled (i.e. macros). ITSM.10.189 3

5 Segment and separate information 6 Provide tailored awareness and training 7 Protect information at the enterprise level 8 Apply protection at the host-level 9 Isolate Webfacing applications 10 Implement application whitelisting All organizations should have an inventory of their essential business information. These information stores should be categorized, considering any protection requirements based on the sensitivity or privacy impact of information. Networks should be zoned by segmenting and grouping infrastructure services that have the same information protection requirements or that must adhere to the same communication security policies. This logical design approach is used to control and restrict access and data communication flows. Further, organizations should monitor and enforce controls to maintain zone protection and integrity. For additional guidance, consult CSE s ITSG-22 Baseline Security Requirements for Network Security Zones in the Government of Canada [6] and ITSG-38 Network Security Zoning Design Considerations for Placement of Services within Zones [7]. Organizations should initiate regular awareness activities to address current user-related vulnerabilities and proper user behaviours. IT security awareness programs and activities should be frequently reviewed, maintained, and made accessible to all users who have access to organizational systems. Although system safeguards are expected to curtail suspected malicious activity on networks, the human element will continue to provide a risk of exposure. Current examples of spear phishing or improper handling of removable media demonstrate the continued need to focus awareness in this area. In addition, regular reports to management on attempted or actual compromises will help to reinforce the behavioural changes required. Management involvement in information protection decisions is essential when choosing appropriate security controls. CSE has a number of publications that can be used to increase employee awareness levels of cyber threats and mitigations. Visit CSE s Web site to read these publications. Organizations may allow users to leverage their own personal devices to conduct business. If it makes business sense, organizations should provide equipment (e.g. servers, desktops, laptops, mobile devices) to employees, leveraging a device management framework and providing control using a configuration change management process. If a bring-your-own-device (BYOD) scheme is being considered, a strict control policy should be implemented. Organizations should investigate technologies and legal requirements to enable BYOD environments in which business information and transactions are segregated and protected from personal use. One such technology is a mobile device management (MDM) system, which protects mobile devices and the network to which they connect. Organizations should deploy a host-based intrusion prevention system (HIPS) solution to protect systems against both known and unknown malicious activity. HIPS take active measures to stop an application, or close ports, in the event of an intrusion. Monitoring HIPS alerts and logging information will provide early indications of intrusions. There are many commercial vendors who provide host-based services. Organizations should use virtualization to create an environment where Web-facing applications can run in isolation. Internet browsers and e-mail clients are examples of applications that are susceptible to exploits that execute malware. Security exploits specific to such applications can be confined to this sandbox. Any malware that infects the virtualized environment cannot get out of the sandbox; therefore, the malware cannot infect the host or enterprise. Organizations should explicitly identify authorized applications and application components. All other applications and application components should be denied by default to reduce the risk of executing zero-day malware. Application whitelisting technologies can control which applications are permitted to be installed or executed on a host. The whitelist can be defined by a selection of several file and folder attributes (e.g. file path, file name, file size, digital ITSM.10.189 4

signature or publisher, or cryptographic hash). Application whitelisting policies should be defined and deployed across an organization. Whitelisting is described in the following resources: CSE s ITSB-95 Application Whitelisting Explained [8] SUMMARY The CSE Top 10 IT Security Actions to Protect Internet-Connect Networks and Information (ITSM.10.189) is a list of IT security actions that can be applied within organizations to help reduce the risk of exposure from threat actor activities. Implementing these actions will reduce the risk; however, IT security activities need to be reviewed and improved continuously to address changes in the cyber threat landscape. CONTACTS AND ASSISTANCE If you would like more detailed information on how to implement the Top 10 IT Security Actions, please contact: ITS Client Services E-mail: itsclientservices@cse-cst.gc.ca ITSM.10.189 5

SUPPORTING CONTENT LIST OF ABBREVIATIONS Abbreviation 2FA BYOD CSE HIPS IT ITS OS MDM Full Term Two-Factor Authentication Bring your own Device Communications Security Establishment Host-Based Intrusion Prevention System Information Technology Information Technology Security Operating System Mobile Device Management REFERENCES Number 1 Reference Treasury Board of Canada Secretariat. Policy on Management of Information Technology, 1 July 2007. 2 Treasury Board of Canada Secretariat. Policy on Government Security, 1 July 2009. 3 4 5 6 7 Treasury Board of Canada Secretariat. Operational Security Standard: Management of Information Technology (MITS), n.d. Communications Security Establishment. ITSB-96 Security Vulnerabilities and Patches Explained, March 2015. Communications Security Establishment. ITSG-33 IT Security Risk Management: A Lifecycle Approach, December 2014. Communications Security Establishment. ITSG-22 Baseline Security Requirements for Network Security Zones in the Government of Canada, June 2007. Communications Security Establishment. ITSG-38 Network Security Zoning Design Considerations for Placement of Services within Zones, May 2009. 8 Communications Security Establishment. ITSB-95 Application Whitelisting Explained, March 2015. ITSM.10.189 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback