CIS Top 20 #12 Boundary Defense. Lisa Niles: CISSP, Director of Solutions Integration


CSC #12 - Detect, prevent and correct the flow of information transferring across networks of different trust levels, with a focus on security-damaging data.

Boundary defenses are not just about keeping attackers out, but just as much about keeping sensitive information in.

Where should you place these controls? Consider asking yourself these three questions: What is my risk? What am I trying to monitor and protect? How does traffic flow in my environment?

To Zone or not to Zone, that is the question I ask:

- Internet Zone - No Trust
- External DMZ - Low Trust
- Enterprise Zone - Medium Trust
- Extranet Zone - Medium Trust
- Internal DMZ - High Trust
- Management Zone - Highest Trust
- Restricted Zone - Highest Trust

MAINTAIN AN INVENTORY OF NETWORK BOUNDARIES
Description: Maintain an up-to-date inventory of all of the organization's network boundaries.

SCAN FOR UNAUTHORIZED CONNECTIONS ACROSS TRUSTED NETWORK BOUNDARIES
Description: Perform regular scans from outside each trusted network boundary to detect any unauthorized connections that are accessible across the boundary.

DENY COMMUNICATION OVER UNAUTHORIZED PORTS
Description: Deny communication over unauthorized TCP or UDP ports or application traffic, to ensure that only authorized protocols are allowed to cross the network boundary, in or out of the network, at each of the organization's network boundaries.

Key Takeaways for Control 12: Leverage existing controls. Know your network and data boundaries. Segment, segment, segment.

How to Get Started
1. Gap Assessment
2. Implementation Roadmap
3. Implement the First Phase of Controls
4. Integrate Controls into Operations
5. Report and Manage Progress

Sample Gap questions
1. Are clear business requirements defined each time custom business applications are developed or implemented?
2. Is appropriate security always defined as a business requirement for business application systems?
3. Have users only been assigned the appropriate permissions to the data sets necessary to complete their job requirements?
4. Do proper authorizations exist for each user granted rights to each of the organization's data sets?
5. Does an automated validation process exist to ensure that only proper users have the proper rights to each data set?

12.1 Deny communications with (or limit data flow to) known malicious IP addresses (black lists), or limit access only to trusted sites (whitelists). Tests can be periodically carried out by sending packets from bogon source IP addresses (non-routable or otherwise unused IP addresses) into the network to verify that they are not transmitted through network perimeters. Lists of bogon addresses are publicly available on the Internet from various sources, and indicate a series of IP addresses that should not be used for legitimate traffic traversing the Internet.

12.2 On DMZ networks, configure monitoring systems (which may be built into the IDS sensors or deployed as a separate technology) to record at least packet header information, and preferably full packet header and payloads of the traffic destined for or passing through the network border. This traffic should be sent to a properly configured Security Information Event Management (SIEM) or log analytics system so that events can be correlated from all devices on the network.

12.3 Deploy network-based IDS sensors on Internet and extranet DMZ systems and networks that look for unusual attack mechanisms and detect compromise of these systems. These network-based IDS sensors may detect attacks through the use of signatures, network behavior analysis, or other mechanisms to analyze traffic.

12.4 Network-based IPS devices should be deployed to complement IDS by blocking known bad signatures or the behavior of potential attacks. As attacks become automated, methods such as IDS typically delay the amount of time it takes for someone to react to an attack. A properly configured network-based IPS can provide automation to block bad traffic. When evaluating network-based IPS products, include those using techniques other than signature-based detection (such as virtual machine or sandbox-based approaches) for consideration.

12.5 Design and implement network perimeters so that all outgoing network traffic to the Internet must pass through at least one application layer filtering proxy server. The proxy should support decrypting network traffic, logging individual TCP sessions, blocking specific URLs, domain names, and IP addresses to implement a black list, and applying whitelists of allowed sites that can be accessed through the proxy while blocking all other sites. Organizations should force outbound traffic to the Internet through an authenticated proxy server on the enterprise perimeter.

12.6 Require all remote login access (including VPN, dial-up, and other forms of access that allow login to internal systems) to use two-factor authentication.

12.7 All enterprise devices remotely logging into the internal network should be managed by the enterprise, with remote control of their configuration, installed software, and patch levels. For third-party devices (e.g., subcontractors/vendors), publish minimum security standards for access to the enterprise network and perform a security scan before allowing access.

12.8 Periodically scan for back-channel connections to the Internet that bypass the DMZ, including unauthorized VPN connections and dual-homed hosts connected to the enterprise network and to other networks via wireless, dial-up modems, or other mechanisms.

12.9 Deploy NetFlow collection and analysis to DMZ network flows to detect anomalous activity.

12.10 To help identify covert channels exfiltrating data through a firewall, configure the built-in firewall session tracking mechanisms included in many commercial firewalls to identify TCP sessions that last an unusually long time for the given organization and firewall device, alerting personnel about the source and destination addresses associated with these long sessions.

12-1 - Deny communications with (or limit data flow to) known malicious IP addresses (black lists), or limit access only to trusted sites (whitelists).
Free Tools: SANS Storm Center feed; IEEExplore feed; Global List.
Commercial Tools: Advanced endpoint; NextGen Firewalls (Palo Alto, etc.).

12-2 - On DMZ networks, configure monitoring systems to record at least packet header information, and preferably full packet header and payloads of the traffic destined for or passing through the network border. This traffic should be sent to a properly configured Security Information Event Management (SIEM) or log analytics system so that events can be correlated from all devices on the network.
Tools: This is typically your NGFW, proxy and IPS logs.

12-3 - Deploy network-based IDS sensors on Internet and extranet DMZ systems and networks that look for unusual attack mechanisms and detect compromise of these systems. These network-based IDS sensors may detect attacks through the use of signatures, network behavior analysis, or other mechanisms to analyze traffic.
Free Tools: AlienVault OSSIM - contains behavioral monitoring, and a lot of other stuff. Security Onion. Suricata - Snort beater. OSSEC - host IDS.
Commercial Tools: AlienVault USM - commercial release of OSSIM. NGFWs (Palo Alto, etc.). SourceFire - Cisco.

12-4 - Network-based IPS devices should be deployed to complement IDS by blocking known bad signatures or the behavior of potential attacks. As attacks become automated, methods such as IDS typically delay the amount of time it takes for someone to react to an attack. A properly configured network-based IPS can provide automation to block bad traffic. When evaluating network-based IPS products, include those using techniques other than signature-based detection (such as virtual machine or sandbox-based approaches) for consideration.
Free Tools: Snort - probably the most used open source IPS.
Commercial Tools: Most firewall devices offer network IPS.

12-5 - Design and implement network perimeters so that all outgoing network traffic to the Internet must pass through at least one application layer filtering proxy server.
Free Tools: Most modern firewalls provide transparent and non-transparent proxy servers. However, this can severely degrade total throughput. Consider: Squid - standalone proxy server. IPFire - open source firewall/proxy that uses Squid. Endian - one of my personal favorites; it also uses Squid, with a very friendly interface. pfSense - well supported, with frequent updates fixing vulnerabilities as they are detected; also uses Squid, and several others by means of a 3rd party package manager.
Commercial Tools: All of the above tools have paid-for enterprise features.

12-6 - Require all remote login access (including VPN, dial-up, and other forms of access that allow login to internal systems) to use two-factor authentication.
Free Tools: FreeRADIUS - this is the poor man's RSA token, but it works. Authy - 2-factor authentication.
Commercial Tools: Duo Security - easily the most feature-rich and well-documented implementation of 2FA. Centrify - the only full-function (SSO, Federation, MFA, Privilege acct mgmt

12-7 - All enterprise devices remotely logging into the internal network should be managed by the enterprise, with remote control of their configuration, installed software, and patch levels. For third-party devices (e.g., subcontractors/vendors), publish minimum security standards for access to the enterprise network and perform a security scan before allowing access. The security scan comes from network health checks and NPS as outlined in section 1-6.
Free Tools: Spiceworks with MaaS360 - features are lacking for a free solution, but better than nothing. Miradore - free, unlimited devices, no time limit.
Commercial Tools: Gets back to CSC 1, 2, 3; vulnerability scanners.

12-8 - Periodically scan for back-channel connections to the Internet that bypass the DMZ, including unauthorized VPN connections and dual-homed hosts connected to the enterprise network and to other networks via wireless, dial-up modems, or other mechanisms.
Free Tools: AlienVault OSSIM - HIDS, SIEM, inventory, service monitor, and more. OSSEC - used in OSSIM; it is just the HIDS portion. OpenHIDS - Windows only.
Commercial Tools: Tripwire - heterogeneous server monitoring across Windows, Linux, Solaris, AIX and HP-UX platforms.

12-9 - Deploy NetFlow collection and analysis to DMZ network flows to detect anomalous activity.
Free Tools: AlienVault OSSIM - HIDS, SIEM, inventory, service monitor, and more. OSSEC - used in OSSIM; it is just the HIDS portion. OpenHIDS - Windows only.
Commercial Tools: SolarWinds. ManageEngine. Tripwire - heterogeneous server monitoring across Windows, Linux, Solaris, AIX and HP-UX platforms.

12-10 - To help identify covert channels exfiltrating data through a firewall, configure the built-in firewall session tracking mechanisms included in many commercial firewalls to identify TCP sessions that last an unusually long time for the given organization and firewall device, alerting personnel about the source and destination addresses associated with these long sessions.
Tools: This is really only something you can do if your firewall allows you to do it.
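Where the firewall cannot do 12-10 natively, the same check can run over its exported closed-session records in the SIEM or log analytics system from 12-2. The following added example (not from this deck or from CIS) builds a per-service baseline from the median session length, then flags sessions that exceed both an absolute floor and a multiple of that baseline, and produces an alert naming the source and destination. The session record layout, the field order, the 10x factor and the 600-second floor are assumptions; the sample records are constructed.

```python
"""Long-lived TCP session detection (added example, not from the CIS deck).

Control 12.10: find TCP sessions that last unusually long for this
organization and alert on their source and destination.  Baseline is the
median session length per destination port (robust to the outliers we are
hunting); a session is flagged when it exceeds max(floor, factor * median).
The floor keeps busy, short-lived services from producing noise.
"""
import statistics
from datetime import datetime

# Constructed closed-session export.  Assumed layout:
# start end src dst dport proto bytes
SAMPLE_SESSIONS = """\
2024-07-01T09:00:00Z 2024-07-01T09:00:03Z 192.168.10.5 203.0.113.20 443 tcp 51200
2024-07-01T09:01:00Z 2024-07-01T09:01:05Z 192.168.10.6 203.0.113.21 443 tcp 88000
2024-07-01T09:02:00Z 2024-07-01T09:02:04Z 192.168.10.7 203.0.113.22 443 tcp 12000
2024-07-01T09:03:00Z 2024-07-01T09:03:06Z 192.168.10.5 203.0.113.23 443 tcp 9000
2024-07-01T09:04:00Z 2024-07-01T09:04:08Z 192.168.10.8 203.0.113.20 443 tcp 4400
2024-07-01T09:05:00Z 2024-07-01T09:05:07Z 192.168.10.9 203.0.113.24 443 tcp 7000
2024-07-01T09:06:00Z 2024-07-01T09:06:02Z 192.168.10.5 203.0.113.25 443 tcp 3000
2024-07-01T09:07:00Z 2024-07-01T09:09:00Z 192.168.10.6 203.0.113.26 443 tcp 600000
2024-07-01T09:10:00Z 2024-07-01T16:10:00Z 192.168.10.44 203.0.113.99 443 tcp 88000000
2024-07-01T08:00:00Z 2024-07-01T08:15:00Z 192.168.20.3 203.0.113.30 22 tcp 200000
2024-07-01T08:20:00Z 2024-07-01T08:40:00Z 192.168.20.3 203.0.113.30 22 tcp 300000
2024-07-01T08:45:00Z 2024-07-01T09:10:00Z 192.168.20.4 203.0.113.31 22 tcp 250000
2024-06-29T10:00:00Z 2024-07-01T10:00:00Z 192.168.20.77 203.0.113.88 22 tcp 9000000
"""


def _ts(value):
    """Parse the export's UTC timestamp format (assumed)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_sessions(text):
    """Turn closed-session records into dicts with a duration in seconds."""
    sessions = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        start, end, src, dst, dport, proto, nbytes = line.split()
        if proto != "tcp":
            continue  # 12.10 is about TCP session tracking
        sessions.append({
            "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes),
            "duration_s": (_ts(end) - _ts(start)).total_seconds(),
        })
    return sessions


def flag_long_sessions(sessions, factor=10, floor_s=600):
    """Flag sessions longer than max(floor_s, factor * median for that port)."""
    by_port = {}
    for s in sessions:
        by_port.setdefault(s["dport"], []).append(s["duration_s"])
    flagged = []
    for s in sessions:
        median = statistics.median(by_port[s["dport"]])
        threshold = max(floor_s, factor * median)
        if s["duration_s"] > threshold:
            flagged.append({**s, "threshold_s": threshold})
    return flagged


def alerts(flagged):
    """Render one alert line per flagged session, naming source and destination."""
    return [
        f"LONG SESSION {f['src']} -> {f['dst']}:{f['dport']} lasted "
        f"{f['duration_s']:.0f}s (threshold {f['threshold_s']:.0f}s, {f['bytes']} bytes)"
        for f in flagged
    ]


if __name__ == "__main__":
    for line in alerts(flag_long_sessions(parse_sessions(SAMPLE_SESSIONS))):
        print(line)
```

On the sample, the seven-hour HTTPS session and the two-day SSH session are flagged; the 120-second HTTPS download is not, because it stays under the floor even though it is far above the median. In practice the baseline should be computed from a longer history than the window being inspected, and the bytes-out figure that rides along with each alert is what distinguishes a forgotten idle tunnel from a slow exfiltration channel.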

Thank you for attending. Hope you can join us for the complete CIS Top 20 CSC on Tuesday July 10th: CIC CSC #13 Data Protection.