Top 20 Critical Security Controls (CSC) for Effective Cyber Defense Christian Espinosa Alpine Security christian.espinosa@alpinesecurity.com
Background Christian Espinosa christian.espinosa@alpinesecurity.com Entrepreneur, Penetration Tester, Security Researcher, Incident Response, Survival Instructor for Bear Grylls Projects: Commercial Aircraft Penetration Testing, Healthcare Pen Testing, Abu Dhabi Forensic Work, Enterprise Security Analysis Ed: BSGE, MBA Certs: CISSP, CCSP, CISA, CRISC, CPT, CSSA, CEPT, CEH, CREA, ECI, LPT Patents: Systems and Methods for a Simulated Network Traffic Generator. US 2009/0319248 A1. December 24, 2009. Systems and Methods for Network Monitoring and Analysis of a Simulated Network. US 20009/0319249 A1. December 24, 2009. Systems and Methods for a Simulated Network Attack Generator. US 2009/0320137 A1. December 24, 2009. Interests: Ironman Triathlon, Mountaineering, Travel, Security, Things that Involve a Waiver
Overview Are we Winning? Why the Center for Internet Security Critical Security Controls (CIS CSC) CIS CSC Tenets Top 20 Top 5 Deep Dive Tips
Are We Winning?
Unfortunate Facts Most compromises are based on known problems that have known solutions 85+% of incidents managed by the US-CERT come down to the same 5 basic defenses Most attacks should have been blocked at the perimeter Very few attackers use stealth techniques Very few defenders have automated workflow
Source: Mandiant M-Trends 2015
Source: Mandiant M-Trends 2015
Which should we do first? Penetration Test vs Asset Inventory
Which should we do first? (20) Penetration Test vs (1) Asset Inventory
Which should we do first? Data Loss Prevention (DLP) vs Audit Log Maintenance
Which should we do first? (13) Data Loss Prevention (DLP) vs (6) Audit Log Maintenance
Why CIS CSC?
Risk-Based What are we trying to protect? How much should we spend? Risk is function of threat (offense), vulnerability (defense), probability, and, consequence What can be controlled?
Priority-Based
Not Compliance-Based
Community-Based
Dynamic Updated as attacks evolve and lessons are learned from breaches Changes from v5.1 to 6:
Affordable
Reality-Based
Simple
CSC Five Tenets
Offense Informs Defense
Prioritization
Metrics
Continuous Diagnostics and Mitigation (CDM)
Automation
Top 20 Controls
CSC 1: Inventory of Authorized and Unauthorized Devices CSC 2: Inventory of Authorized and Unauthorized Software CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers CSC 4: Continuous Vulnerability Assessment and Remediation CSC 5: Controlled Use of Administrator Privileges CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs CSC 7: Email and Web Browser Protections CSC 8: Malware Defenses CSC 9: Limitation and Control of Network Ports, Protocols, and Services CSC 10: Data Recovery Capability CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches CSC 12: Boundary Defense CSC 13: Data Protection CSC 14: Controlled Access Based on the Need to Know CSC 15: Wireless Access Control CSC 16: Account Monitoring and Control CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps CSC 18: Application Software Security CSC 19: Incident Response and Management CSC 20: Penetration Tests and Red Team Exercises
Top 5 Controls Deep Dive
Top 5 Foundational Cyber Hygiene (FCH) Prevents/stops 85-90% attacks CSC 1: Inventory of Authorized and Unauthorized Devices CSC 2: Inventory of Authorized and Unauthorized Software CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers CSC 4: Continuous Vulnerability Assessment and Remediation CSC 5: Controlled Use of Administrator Privileges
Know authorized & unauthorized devices Know authorized & unauthorized software You can t defend what you don t know
Control Basics Categories System Network Application Layout Why is the Control Critical? Procedures and Tools Entity Relationship Diagram
CSC 1: Inventory of Authorized and Unauthorized Devices Why? Unpatched Systems, Unchecked Networks, BYOD
CSC 1: Inventory of Authorized and Unauthorized Devices Procedures and Tools Active scanning Passive scanning DHCP 802.1x
CSC 2: Inventory of Authorized and Unauthorized Software Why? Attackers look for vulnerable software, malware installation, etc.
CSC 2: Inventory of Authorized and Unauthorized Software Procedures and Tools Application Whitelisting Application Blacklisting
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers Why? Default configuration designed for use, not security. Security Decay.
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers Procedures and Tools: Security Baselines CIS Benchmarks NIST National Checklist
CSC 4: Continuous Vulnerability Assessment and Remediation Why? Attackers exploit vulnerable systems.
CSC 4: Continuous Vulnerability Assessment and Remediation Procedures and Tools Vulnerability Scanning Tools
CSC 5: Controlled Use of Administrator Privileges Why? One of the primary means attackers spread through an enterprise.
CSC 5: Controlled Use of Administrator Privileges Procedures and Tools Use Built-in OS Features (runas, sudo, strong passwords, etc.)
Tips Take inventory and/or use existing tools or free tools to start. CSC 1: Nmap, DHCP, 802.1x, Wireshark CSC 2: Windows SRP, GPOs CSC 3: CIS Security Benchmarks, DISA STIGs https://benchmarks.cisecurity.org/ http://iase.disa.mil/stigs/pages/index.aspx CSC 4: OpenVAS, Nmap CSC 5: Runas, sudo
Contact Info Christian Espinosa christian.espinosa@alpinesecurity.com www.alpinesecurity.com CIS CSC: https://www.cisecurity.org/critical-controls.cfm