NIST Cybersecurity Framework Protect / Maintenance and Protective Technology
Presenter: Charles Ritchie, CISSP, CISA, CISM, GSEC, GCED, GSNA, +6
Information Security Officer
IT experience spanning two centuries

Agenda
- Continue with the Protect core function
- Maintenance: two subcategories
- Protective Technology: four subcategories
- Focus is on basic security hygiene, not bleeding-edge security tools and techniques
"There are many frameworks and theories that we can leverage. The point is to have some kind of a framework, and to ensure its completeness, depending on your industry and current IT situation."
Brandon R. Williams, ISSA Distinguished Fellow
Maintenance
Maintenance
Maintenance and repair of industrial control and information system components is performed consistent with policies and procedures.

Maintenance
- MA-1: Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools
- MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
In the news
Medical Devices Could be Used as Point of Entry into Healthcare Networks (May 25, 2016)
The US Department of Veterans Affairs (VA) deputy director of health information security told Nextgov that attackers are more likely to break into Internet-connected medical devices to gain access to a hospital network than to disrupt a patient's treatment. Medical records are a valuable commodity on the data black market. Medical devices are not as readily patched as computers and phones. Lynette Sherrill also said that her agency removes devices that are found to be infected with malware, even if it means cancelling appointments.
Maintenance
- Includes all types of maintenance to all components:
  - System software, business applications
  - Network devices, scanners, copiers, printers
  - Firmware, industrial control systems
- Also addresses who is performing the maintenance, maintenance tools, and remote access

Relevance
- Known vulnerabilities cause 44 percent of all data breaches [1]
- Old vulnerabilities are a favorite tool among malicious actors [2]
- 2015 report: companies take 100 to 120 days to patch [3]
- Infrastructure components can have critical vulnerabilities too
[1] The Game Plan for Closing the SecOps Gap, BMC, 2016
[2] 2016 Verizon Data Breach Investigations Report
[3] How the Rise in Non-Targeted Attacks Has Widened the Remediation Gap, Kenna
Relevance
Advisory (ICSA-16-154-01): GE MultiLink Series Hard-coded Credential Vulnerability
Original release date: June 02, 2016
OVERVIEW: GE has identified a hard-coded credential vulnerability in GE's MultiLink series managed switches. GE has produced new firmware versions to mitigate this vulnerability. This vulnerability could be exploited remotely.
IMPACT: Exploitation of this vulnerability may allow an attacker to gain unauthorized administrative access to device configurations, resulting in exposure and control of all configuration options available through the web interface.
BACKGROUND: The affected products, MultiLink series switches, are managed Ethernet switches designed specifically for use in industrial facilities, substations, and transportation environments. According to GE, the MultiLink series switches are deployed across several sectors including Critical Manufacturing, Energy, and Water and Wastewater Systems. GE estimates that these products are used worldwide.

Recommendations
- Inventory all IP-addressable systems, not just servers
- Establish maintenance procedures for each type
- Audit the inventory and whether maintenance is taking place per the procedure
- Monitor industry sources (vendors, US-CERT)
- Scan frequently for vulnerabilities; remediate ASAP
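The inventory-and-audit steps above, as an added example that is not part of the original presentation: a constructed inventory of IP-addressable assets (servers, a switch, a printer, a control system) is checked against a per-type maintenance interval, and assets whose type has no procedure at all are reported as findings too. The policy values and hostnames are assumptions for the example.

```python
from datetime import date

# Constructed maintenance policy: maximum days between maintenance events per asset type.
# (Example values; take them from your own procedures.)
MAINTENANCE_POLICY = {
    "server": 30,
    "workstation": 30,
    "network_device": 90,
    "printer": 180,
    "medical_device": 180,
}

# Constructed inventory of IP-addressable systems, not just servers.
INVENTORY = [
    {"host": "app01",    "ip": "10.0.1.10", "type": "server",             "last_maintained": "2016-05-20"},
    {"host": "sw-core1", "ip": "10.0.0.2",  "type": "network_device",     "last_maintained": "2015-11-01"},
    {"host": "mfp-3f",   "ip": "10.0.2.40", "type": "printer",            "last_maintained": "2015-09-15"},
    {"host": "pump-ctl", "ip": "10.0.9.5",  "type": "industrial_control", "last_maintained": "2016-01-10"},
    {"host": "ws-0412",  "ip": "10.0.3.77", "type": "workstation",        "last_maintained": "2016-05-30"},
]


def audit_inventory(inventory, policy, as_of):
    """Audit the inventory against the maintenance procedures.

    as_of is an ISO date string. Returns a list of (host, reason, days_overdue);
    days_overdue is None when the asset type has no procedure at all, which is
    itself a finding (the type needs a procedure before it can be audited).
    """
    today = date.fromisoformat(as_of)
    findings = []
    for asset in inventory:
        interval = policy.get(asset["type"])
        if interval is None:
            findings.append((asset["host"], "no maintenance procedure for type " + asset["type"], None))
            continue
        last = date.fromisoformat(asset["last_maintained"])
        overdue = (today - last).days - interval
        if overdue > 0:
            findings.append((asset["host"], "maintenance overdue", overdue))
    # Most overdue first so remediation can be prioritised; untyped assets go last.
    findings.sort(key=lambda f: -1 if f[2] is None else f[2], reverse=True)
    return findings


if __name__ == "__main__":
    for host, reason, days in audit_inventory(INVENTORY, MAINTENANCE_POLICY, "2016-06-10"):
        print(f"{host:10} {reason}" + (f" by {days} days" if days is not None else ""))
```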
Protective Technology
Protective Technology
Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

Protective Technology
- PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
- PT-2: Removable media is protected and its use restricted according to policy
- PT-3: Access to systems and assets is controlled, incorporating the principle of least functionality
- PT-4: Communications and control networks are protected

Protective Technology
Audit/log records are critical to any security program
- Log relevant events from all systems
- Capture all relevant information about these events: what, when, who, etc.
- Use automation to collect, protect, and analyze logs, and produce log-based reports
- Retain log data in support of investigations
In the news
Taobao's Security Breach from a Log Perspective (February 10, 2016)
Taobao.com, one of the world's top 10 most visited websites, just faced what seems like a brute force attack of staggering proportions on its user accounts. Taobao is a Chinese buying-and-selling site owned by China's online giant, Alibaba, and offers a consumer-to-consumer (C2C) retail platform, where users are not buying from the website but through sellers offering their goods on it. It seems the attackers didn't attempt to breach Taobao's own systems but used a very large database of usernames and passwords that stem from previous hacks of various other web sites. They then used these credentials for massive automated login attempts to Taobao.com. Because many people use the same name and password on different web sites, a number of these login attempts were successful. What makes this particular case special is the dimension: Reports say the hackers executed approximately 100 million login attempts, and almost 21 million of these turned out to be successful.
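The "log perspective" the slide above refers to, as an added example that is not part of the original presentation or of Taobao's systems: a small set of constructed login-log lines (what, when, who, from where) is parsed and analysed for the pattern described, one source trying leaked username/password pairs against many different accounts, with the accounts that accepted such a login listed for follow-up. The log format, IP addresses and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed web-login log lines for this example (not Taobao's logs): one source
# tries many different accounts once each, and a few of the leaked pairs work.
LOG_LINES = """\
2016-02-10T08:00:01 ip=203.0.113.7 user=alice result=FAIL
2016-02-10T08:00:01 ip=203.0.113.7 user=bob result=FAIL
2016-02-10T08:00:02 ip=203.0.113.7 user=carol result=SUCCESS
2016-02-10T08:00:02 ip=203.0.113.7 user=dave result=FAIL
2016-02-10T08:00:03 ip=203.0.113.7 user=erin result=FAIL
2016-02-10T08:00:03 ip=203.0.113.7 user=frank result=SUCCESS
2016-02-10T08:00:05 ip=198.51.100.4 user=alice result=FAIL
2016-02-10T08:00:09 ip=198.51.100.4 user=alice result=FAIL
2016-02-10T08:00:15 ip=198.51.100.4 user=alice result=SUCCESS
2016-02-10T08:01:00 ip=192.0.2.99 user=heidi result=SUCCESS
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$")


def parse(lines):
    """Extract the when/where/who/what fields; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_credential_stuffing(lines, min_attempts=5, min_distinct_users=5):
    """Flag source IPs that try logins against many distinct accounts.

    Unlike a single-account brute force, each account is tried about once, so the
    signal is distinct usernames per source, not repeated failures on one username.
    Returns {ip: {"attempts", "distinct_users", "compromised"}}, where "compromised"
    lists the accounts that accepted a login from that source.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "successes": []})
    for ev in parse(lines):
        s = per_ip[ev["ip"]]
        s["attempts"] += 1
        s["users"].add(ev["user"])
        if ev["result"] == "SUCCESS":
            s["successes"].append(ev["user"])
    flagged = {}
    for ip, s in per_ip.items():
        if s["attempts"] >= min_attempts and len(s["users"]) >= min_distinct_users:
            flagged[ip] = {"attempts": s["attempts"], "distinct_users": len(s["users"]),
                           "compromised": sorted(s["successes"])}
    return flagged
```

The 198.51.100.4 source (three tries against one account) is deliberately not flagged at the default thresholds; that is the repeated-failure pattern a separate per-account rule would catch.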
Protective Technology
Protect removable media and restrict its use according to policy
- Lost external media has been the cause of multiple significant data breaches
- USB drives can be used to bypass enterprise controls, even infecting air-gapped systems
- Technical controls can restrict the use of USB storage
- If allowed, require encryption and AV scans

Protective Technology
Control access to systems and assets, incorporating the principle of least functionality
- Any access to any system creates some risk
- Privileged access (e.g., admin accounts) entails far more risk than typical user privileges
- Remote access and other factors add to this risk
- Remote access, unnecessary access, and access by too many individuals unnecessarily increase business risk

Protective Technology
Access to systems or assets should:
- Have a business justification, and approval by the owner
- Provide individual accountability
- Require appropriate authentication: multi-factor, complex passwords
- Be reviewed at least annually, and revoked immediately when no longer needed

Protective Technology
Protect communications and control networks
- Technologies include firewalls, proxy servers, VPN, intrusion detection, and more
- Perimeter defense is challenged by BYOD
- Avoid single points of failure
- Restrict access to control networks and admin functions
- Include in maintenance plans as well as DR plans

Protective Technology
Encryption notes
- When in doubt, encrypt communications
- No encryption or weak encryption can allow information to be intercepted, including credentials
- Eliminate insecure protocols: telnet, ftp, etc.
- Encryption technologies continue to evolve; be prepared to upgrade/enhance your controls
Summary
"We need to make sure our proactive measures in anticipation of a breach get better and more mature."
Randy V. Sabett, Cybersecurity Attorney

Summary
- The Protect function focuses on developing and implementing safeguards to ensure delivery of critical infrastructure services
- Ongoing, timely maintenance addresses a leading cause of data breaches and other incidents
- Protective technologies support the security and resilience of systems and assets, and contribute to the ability to identify and respond to incidents
- Use the Cybersecurity Framework to assess your current capabilities and create a plan to improve and maintain these capabilities
Questions?