Mitigation Controls on. 13-Dec-16 1


An organization's users are its greatest assets and its most challenging adversaries. One of the vulnerabilities posed by insiders is their knowledge of the quality of their organization's defenses.

Insiders include:
- Employees
- Contractors
- Business associates
- Former employees
- Former contractors

What malicious insiders do:
- Fraud
- Theft of confidential or commercially valuable information
- Theft of intellectual property
- Sabotage of computer systems

Mitigate: check, restrain, hinder.

Critical: urgently needed, absolutely necessary.

[Slide 7: chart from the Verizon 2016 Data Breach Investigations Report.]
Source: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/

Profile of the three insider crime types in CERT's case database:

Percentage of crimes in CERT's case database:
- Insider IT sabotage: 45%
- Insider theft or modification of information for financial gain: 44%
- Insider theft of information for business advantage: 14%

Current or former employee:
- IT sabotage: former
- Financial gain: current
- Business advantage: current

Type of position:
- IT sabotage: technical (e.g. system administrators or database administrators)
- Financial gain: non-technical, low-level positions with access to confidential or sensitive information (e.g. data entry, customer service)
- Business advantage: technical (71%: scientists, programmers, engineers); sales (29%)

Gender:
- IT sabotage: male
- Financial gain: fairly equally split between male and female
- Business advantage: male

Source: http://www.cert.org/insider-threat/

How the three crime types are carried out:

Target:
- IT sabotage: network, systems, or data
- Financial gain: personally identifiable information or customer information
- Business advantage: intellectual property (trade secrets) 71%; customer information 33%

Access used:
- IT sabotage: unauthorized access
- Financial gain: authorized access
- Business advantage: authorized access

When:
- IT sabotage: outside normal working hours
- Financial gain: during normal working hours
- Business advantage: during normal working hours

Where:
- IT sabotage: remote access
- Financial gain: at work
- Business advantage: at work

Recruited by outsiders:
- IT sabotage: none
- Financial gain: half recruited for theft; less than one third recruited for modification
- Business advantage: less than one fourth

Collusion:
- IT sabotage: none
- Financial gain: about half colluded with another insider in modification cases; two thirds colluded with outsiders in theft cases
- Business advantage: about half colluded with at least one insider; half acted alone


The weaknesses the first five CIS Critical Security Controls address:
- Unauthorized devices
- Unauthorized software
- Insecure configuration
- Vulnerable assets
- Excessive administrative privileges
Source: https://www.cisecurity.org/critical-controls/

[Slides 12 to 17: illustrations. The captions read "Unauthorized device", "Unauthorized software" (slides 12 and 15) and "Administrator" (slide 17).]

The first five CIS Critical Security Controls:
1. Inventory of authorized and unauthorized devices
2. Inventory of authorized and unauthorized software
3. Secure configuration
4. Continuous vulnerability assessment and remediation
5. Limit and control administrative privileges
Source: https://www.cisecurity.org/critical-controls/

Principles behind the CIS Controls:
- Offense informs defense
- Prioritization
- Metrics
- Continuous diagnostics and mitigation
- Automation

Control 1: inventory of authorized and unauthorized devices

Policy:
- A standard naming convention for PCs, servers, network devices and everything else that is authorized to connect to the network.
- In every incident or support request, the related device name is recorded in the helpdesk ticket.
- The MAC address of every device is recorded; additions and removals of devices are reported to the helpdesk so the record can be updated.

Process:
- Regularly scan all network segments and compare the scan results with the list of authorized MAC addresses.
- Map authorized MAC addresses to IP addresses.
- Detect any addition or removal of devices from the results of the regular scans.
- Detect any change in the mapping between MAC addresses and IP addresses.

Technical control:
- Use Zenmap (the Nmap GUI, bundled with Kali Linux, www.kali.org) for network segment scanning. Nmap only learns MAC addresses from ARP replies on the scanner's own layer-2 segment, so run the scan from inside each segment. A MAC address can be changed by anyone with local administrator rights, so this control catches forgotten and accidental devices; against a deliberate insider it needs to be backed by 802.1X or switch-port MAC logs.
- Use Snort (bundled in Security Onion, www.securityonion.net) to detect anomalous or malicious activity in critical segments.
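The detection steps above (additions, removals, and changed MAC-to-IP mappings), as an added example that is not code from the original deck. It assumes the sweep was produced with `nmap -sn -oX - <segment>` run as root from a host on the same layer-2 segment; the authorized inventory and the nmap XML below are constructed samples. The same comparison step serves the software inventory control on the next slide, with an installed-package list in place of the sweep.

```python
"""Compare an nmap ping sweep (XML output) against the authorized-device list."""
import subprocess
import xml.etree.ElementTree as ET

# Authorized inventory as the helpdesk would maintain it: MAC -> (device name, expected IP).
# Constructed sample.
AUTHORIZED = {
    "00:11:22:33:44:01": ("SRV-FILE01", "192.168.10.10"),
    "00:11:22:33:44:02": ("SRV-DB01", "192.168.10.11"),
    "00:11:22:33:44:03": ("PC-ENG-007", "192.168.10.50"),
}

# Constructed `nmap -sn -oX -` output: SRV-DB01 does not answer, PC-ENG-007 changed IP,
# and an unknown device answers at .99.
SAMPLE_SWEEP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -oX - 192.168.10.0/24">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.10.10" addrtype="ipv4"/>
<address addr="00:11:22:33:44:01" addrtype="mac"/></host>
<host><status state="up" reason="arp-response"/>
<address addr="192.168.10.51" addrtype="ipv4"/>
<address addr="00:11:22:33:44:03" addrtype="mac"/></host>
<host><status state="up" reason="arp-response"/>
<address addr="192.168.10.99" addrtype="ipv4"/>
<address addr="DE:AD:BE:EF:00:01" addrtype="mac"/></host>
<host><status state="down" reason="no-response"/>
<address addr="192.168.10.11" addrtype="ipv4"/></host>
</nmaprun>
"""


def run_sweep(segment):
    """Run the real sweep; '-oX -' makes nmap write its XML report to stdout."""
    result = subprocess.run(["nmap", "-sn", "-oX", "-", segment],
                            check=True, capture_output=True, text=True)
    return result.stdout


def parse_sweep(xml_text):
    """Return {MAC: IP} for every host nmap reports as up with a MAC address."""
    seen = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = mac = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr").upper()
        if ip and mac:  # hosts beyond a router carry no MAC and are skipped
            seen[mac] = ip
    return seen


def compare_inventory(seen, authorized):
    """Classify the differences between the live sweep and the authorized list."""
    findings = {"unknown": [], "missing": [], "moved": []}
    for mac, ip in seen.items():
        if mac not in authorized:
            findings["unknown"].append((mac, ip))  # device not in the inventory
        elif authorized[mac][1] != ip:
            name, expected_ip = authorized[mac]
            findings["moved"].append((name, mac, expected_ip, ip))  # MAC-to-IP mapping changed
    for mac, (name, ip) in authorized.items():
        if mac not in seen:
            findings["missing"].append((name, mac, ip))  # inventoried device absent
    return {kind: sorted(items) for kind, items in findings.items()}


if __name__ == "__main__":
    # Replace SAMPLE_SWEEP_XML with run_sweep("192.168.10.0/24") on a live segment.
    for kind, items in compare_inventory(parse_sweep(SAMPLE_SWEEP_XML), AUTHORIZED).items():
        for item in items:
            print(kind.upper(), *item)
```

Each finding maps to a helpdesk action: an unknown MAC is a device to locate and either register or remove, a missing device is a removal that was never reported, and a moved device is a mapping change to confirm with the owner.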

Control 2: inventory of authorized and unauthorized software

Policy:
- Installation of authorized software can only be performed by authorized ICT personnel.
- Users do not have administrative privileges on company-provided devices.
- A list of standard software for each type of machine is available and is regularly reviewed and updated.

Process:
- A standard image (baseline configuration) is created for each type of device.
- The standard image is regularly reviewed and updated.
- Software installed as part of the standard image adheres to the software licensing policy; every package has a valid license.

Technical control:
- Deploy the standard (baseline) image, then periodically enumerate the software installed on each machine and compare the result with the authorized software list for that type of machine (General, Engineering and Mobile).

Control 3: secure configuration

Policy:
- A standard hardware and software configuration document exists for every type of configuration item (CI).
- The standard configuration is reviewed periodically.
- Configuration changes follow the change management process.

Process:
- The default configuration of every new hardware and software item is altered to match the secure standard configuration.
- As soon as configuration is complete, the item is scanned for configuration weaknesses and vulnerabilities.

Technical control:
- A technical writer and the subject-matter expert for each CI work together to put the configuration standard in writing.
- Use OpenVAS and Zenmap (both available on Kali Linux) to detect vulnerabilities and unnecessary or insecure services running on the CI.
- Use Microsoft Baseline Security Analyzer to evaluate Windows endpoint configuration. (Microsoft has since retired MBSA; the Policy Analyzer in the Microsoft Security Compliance Toolkit covers the same ground on current Windows versions.)
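A configuration-weakness check of the kind the process step calls for, as an added example that is not code from the original deck: it compares an sshd_config against a secure baseline. The baseline values and the sample config are constructed for the example; the defaults used for absent directives are upstream OpenSSH's (a distribution may ship different ones), and the baseline is an assumption to be replaced by the organization's own configuration standard.

```python
"""Check an sshd_config against a configuration baseline and report deviations."""

# Assumed baseline for the "Linux server" CI type: directive -> required value.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",  # VERBOSE logs the key fingerprint used for each login
}

# Upstream OpenSSH defaults that apply when a directive is absent from the file.
OPENSSH_DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
    "LogLevel": "INFO",
}

# Constructed sample: root login enabled, password auth left at its default,
# and a Match block that re-enables passwords for one account.
SAMPLE_SSHD_CONFIG = """# constructed sshd_config
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding yes
MaxAuthTries 6
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return (global_settings, match_overrides).

    global_settings maps lower-cased directive -> value, keeping the FIRST occurrence,
    because sshd uses the first value it reads. Directives inside 'Match' blocks are
    returned separately as (criteria, directive, value): they override the global value
    only for the matched users or hosts."""
    settings, overrides, current_match = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.replace("=", " ", 1).partition(" ")  # 'key value' or 'key=value'
        key, value = key.lower(), value.strip()
        if key == "match":
            current_match = value
            continue
        if current_match is not None:
            overrides.append((current_match, key, value))
        else:
            settings.setdefault(key, value)
    return settings, overrides


def check_baseline(settings, baseline, defaults):
    """Return [(directive, expected, actual, source)] for every baseline deviation.

    source is 'explicit' when the file sets the directive and 'default' when the
    deviation comes from the compiled-in default of an absent directive."""
    deviations = []
    for directive, expected in baseline.items():
        actual, source = settings.get(directive.lower()), "explicit"
        if actual is None:
            actual, source = defaults.get(directive, "<unset>"), "default"
        if actual.lower() != expected.lower():
            deviations.append((directive, expected, actual, source))
    return deviations


def weakening_overrides(overrides, baseline):
    """Match-block settings that relax a baseline directive for some users or hosts."""
    by_lower = {k.lower(): (k, v) for k, v in baseline.items()}
    return [(criteria, by_lower[key][0], value) for criteria, key, value in overrides
            if key in by_lower and value.lower() != by_lower[key][1].lower()]


if __name__ == "__main__":
    settings, overrides = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    for directive, expected, actual, source in check_baseline(settings, BASELINE, OPENSSH_DEFAULTS):
        print(f"DEVIATION {directive}: expected {expected}, got {actual} ({source})")
    for criteria, directive, value in weakening_overrides(overrides, BASELINE):
        print(f"OVERRIDE in 'Match {criteria}': {directive} {value}")
```

Two details matter when writing such a check: an absent directive is not a pass, since the compiled-in default may already violate the baseline (PasswordAuthentication here), and a Match block can quietly undo a global setting for exactly the account an insider would use.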

Control 4: continuous vulnerability assessment and remediation

Policy:
- Vulnerability assessment and remediation of findings are exercised regularly.

Process:
- Vulnerability assessment of critical CIs is performed on a regular basis, and any medium-to-critical vulnerability found is rectified immediately.

Technical control:
- Use OpenVAS to perform vulnerability assessments.

Control 5: limit and control administrative privileges

Policy:
- Administrative privileges are given only to appropriately trained and fully accountable personnel.
- An inventory of accounts with elevated access rights, such as administrator or root accounts, is taken regularly.
- The change control board approves every new account that requires persistent administrative or root access.
- Personnel with administrative privileges do not use the administrative account for day-to-day activities; they have a separate regular account for that purpose.

Process:
- Administrator account creation follows a strict process, and every such account has a definite validity period and expiry date.

Technical control:
- Microsoft: log in with the regular account and start Microsoft Management Console and other administrative tools with RunAs under the administrative account.
- Linux: log in with the regular account and escalate with sudo only for the activity that needs it, and only for as long as it needs it. Prefer running individual commands under sudo rather than `sudo su`: each command is then attributed to the named user in the sudo log, instead of disappearing into an untraceable root shell.
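The regular inventory of elevated accounts that the policy requires, as an added example (not code from the original deck) for a Linux host: it reads /etc/passwd, /etc/group and /etc/shadow, flags every UID 0 account and every member of the sudo-granting groups, and reports privileged accounts with no expiry date. The file contents are constructed samples; the group names treated as privileged are an assumption that must match the host's sudoers, and sudo rights granted to a named user directly in /etc/sudoers are not covered (use `sudo -l` or parse sudoers for those).

```python
"""Inventory accounts with elevated rights on a Linux host."""
from datetime import date, timedelta

PRIVILEGED_GROUPS = ["sudo", "wheel"]  # assumption: the groups granted sudo rights here
EPOCH = date(1970, 1, 1)  # /etc/shadow expiry is stored as days since this date

# Constructed samples. 'toor' is a second UID 0 account, a classic insider backdoor;
# 'bob' has sudo with no expiry; 'alice-adm' is the separate admin account with an expiry.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backdoor:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
alice-adm:x:1002:1002:Alice admin:/home/alice-adm:/bin/bash
bob:x:1003:1003:Bob:/home/bob:/bin/bash
"""
GROUP = """root:x:0:
sudo:x:27:alice-adm,bob
wheel:x:10:
"""
# Fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
SHADOW = """root:*:18000:0:99999:7:::
toor:$6$abc:18000:0:99999:7:::
alice:$6$abc:18000:0:99999:7:::
alice-adm:$6$abc:18000:0:99999:7::19400:
bob:$6$abc:18000:0:99999:7:::
"""


def parse_colon_file(text):
    """Split an /etc/passwd-style file into rows of fields, skipping blanks and comments."""
    return [line.split(":") for line in text.splitlines() if line and not line.startswith("#")]


def privileged_accounts(passwd_text, group_text, shadow_text):
    """Return {user: {"reasons": [...], "expires": date or None}} for elevated accounts."""
    # group name -> set of supplementary members (field 4 of /etc/group)
    groups = {row[0]: set(filter(None, row[3].split(","))) for row in parse_colon_file(group_text)}
    # user -> account expiry date, or None when the expire field (index 7) is empty
    expiry = {}
    for row in parse_colon_file(shadow_text):
        expiry[row[0]] = EPOCH + timedelta(days=int(row[7])) if row[7] else None

    found = {}
    for row in parse_colon_file(passwd_text):
        name, uid = row[0], row[2]
        reasons = []
        if uid == "0":
            reasons.append("uid 0" if name == "root" else "uid 0 (not root: duplicate superuser)")
        for group in PRIVILEGED_GROUPS:
            if name in groups.get(group, set()):
                reasons.append(f"member of {group}")
        if not reasons:
            continue
        expires = expiry.get(name)
        if expires is None and name != "root":  # policy: every admin account has an expiry
            reasons.append("no expiry date set")
        found[name] = {"reasons": reasons, "expires": expires}
    return found


def load_host_files():
    """Read the live files; run as root so that /etc/shadow is readable."""
    with open("/etc/passwd") as p, open("/etc/group") as g, open("/etc/shadow") as s:
        return p.read(), g.read(), s.read()


if __name__ == "__main__":
    # Replace the samples with load_host_files() to inventory the current host.
    for user, info in sorted(privileged_accounts(PASSWD, GROUP, SHADOW).items()):
        print(f"{user}: {', '.join(info['reasons'])}; expires {info['expires'] or 'never'}")
```

Run on a schedule and diff the output against the change control board's approved list: any account that appears without an approval, any second UID 0 account, and any admin account without an expiry is a finding.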

Switched Port Analyzer (SPAN) configuration

[Slides 26 to 29: screenshots of the SPAN and Security Onion sensor setup.]
Source: https://securityonion.net/
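The SPAN session the screenshots configure, written out as an added Cisco IOS example that is not from the original deck. It assumes a Catalyst switch with the critical segment on access ports GigabitEthernet1/0/1 to 1/0/24 and the Security Onion sniffing interface plugged into GigabitEthernet1/0/48; adjust the interface names to the real switch.

```text
! Mirror both directions of the critical segment's access ports to the sensor port
monitor session 1 source interface GigabitEthernet1/0/1 - 24 both
monitor session 1 destination interface GigabitEthernet1/0/48
! Verify the session
show monitor session 1
```

Two caveats a practitioner should plan for: the destination port stops forwarding normal traffic, so the sensor needs a separate management NIC, and a SPAN port silently drops packets when the mirrored traffic exceeds its own link speed (24 mirrored gigabit ports into one gigabit port can do that). For full-fidelity capture on a busy segment, use a network TAP.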

- Insider threat is an enterprise-wide risk.
- Enforced policies and procedures are vital in mitigating insider threat risk.
- Awareness training for everyone, so that the prevailing policies are followed.
- Log, monitor, and audit all online actions.
Source: http://resources.sei.cmu.edu/asset_files/technicalreport/2012_005_001_34033.pdf

CERT best practices for mitigating insider threats:
- Monitor and respond to suspicious or disruptive behavior, beginning with the hiring process.
- Anticipate and manage negative workplace issues.
- Track and secure the physical environment.
- Implement strict password and account management policies and practices.
- Enforce separation of duties and least privilege.
- Consider insider threats in the software development life cycle.
- Use extra caution with system administrators and technical or privileged users.
- Implement system change controls.
- Use layered defense against remote attacks.
- Deactivate computer access following termination.
- Implement secure backup and recovery processes.
- Develop an insider incident response plan.
Source: http://resources.sei.cmu.edu/asset_files/technicalreport/2012_005_001_34033.pdf


Abu Hanifah
abuhanifah@live.com
https://id.linkedin.com/in/abuhanifah
https://absissite.wordpress.com/