Implementing the Center for Internet Security (CIS) Critical Security Controls (CSC)
How To Eat a Herd of Elephants Without Being Trampled to Death
November 30, 2017
By: Richard D. Condello, NRECA Senior Director
Purpose
To familiarize you with the 20 Critical Security Controls
Give you the benefit of our experience to date
Get a discussion going here this morning
To help you decide your path forward
Everything needs context
It matters where you are at the moment
What controls you need
What controls you have
What is the effectiveness of your existing controls
How much work can you take on
Who are you? Are there any lawyers present? Who has started or has implemented a framework/controls?
If anyone can’t respect the need for confidentiality as I will be disclosing some elements of the NRECA Information Security Program
A Little About Me
Why we are believers
Implementing the CSCs is working for us
We saw measurable results in about 15 months
Penetration testers were not able to escalate privileges
Forensics evaluation found no anomalous behaviors
Survived an external program assessment
Passed internal audit
Passed external financial controls audit
Attack Lifecycle Model http://intelreport.mandiant.com/
Information Assurance Frameworks
Many industry groups trying to address the issues
Numerous frameworks have been established:
NIST 800-53
NIST Core Framework
ISO 27000 Series
CoBIT
IT Assurance Framework (ITAF)
IT Baseline Protection Manual
Consensus Audit Guidelines / Critical Security Controls
Many, many others
Select a starting point
Your context matters
Do you have existing frameworks?
Do you at least have a Program Framework in mind?
We picked the ISO 27001 / 27002 (2005) standards
Pick something that is right sized
Suggest one programmatic and one technical
Enter the CIS Critical Security Controls for Effective Cyber Defense
A realistic solution
Defines specific defenses against known cyber attacks
Created and maintained by a volunteer army
Provides actionable tasks in clear language
History and Document Contributors
US contributors include:
Department of Homeland Security (DHS)
National Security Agency (NSA)
Department of Energy (DoE) Laboratories
Department of State (DoS)
US-CERT and other incident response teams
DoD Cyber Crime Center (DC3)
The Federal Reserve
The SANS Institute
Civilian penetration testers
Numerous other Federal CIOs and CISOs
Hundreds of other private sector researchers
International contributors include:
UK Government Communications Headquarters (GCHQ)
UK Centre for the Protection of National Infrastructure (CPNI)
Australian Defence Signals Directorate (DSD)
Japanese security researchers
Scandinavian security researchers
GCC security researchers
Turkish security researchers
Canadian security researchers
Many other international researchers
Offense Informs Defense
Prioritization
Metrics
Continuous Diagnostics & Mitigation
Automation
By the Numbers…
20 Critical High Level Controls
148 sub-controls: 125 Foundational, 23 Advanced
9 System, 5 Network and 6 Application
96 Measures, metrics and thresholds
30 Effectiveness tests
4 Governance items and 15 Governance topics
23 Attack Types
The Controls
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Controlled Use of Administrative Privileges
6. Maintenance, Monitoring and Analysis of Audit Logs
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports
10. Data Recovery Capability
11. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
17. Security Skills Assessment and Appropriate Training To Fill Gaps
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises
[Figure: wheel diagram of CSC 1–20 labelled with the short control names used on the roadmap slides that follow: Hardware Inventory and NAC; Software Inventory and Whitelisting; Host Secure Configurations; Vulnerability Management; Administrative Privileges; Audit Logs; Email and Web Browser; Malware Defense; Network Ports, Protocols, Services; Data Recovery; Network Secure Configurations; Boundary Defense; Data Protection; Controlled Access; Wireless; Account Control; Training; Application Security; Incident Management; Penetration Tests and Exercises]
Measures, Metrics and Thresholds
Each measure has lower, moderate and higher risk thresholds
Time based: an hour, a day and a week
Percentage based: 1%, 4% and 10%
Quantitative: how many – you set your own thresholds, except for CSC 20
This is where automation hits the road
Example Measures
How long does it take to deploy operating system patches? (CSC 4 Vulnerability Management)
What percentage of elevated accounts do not require two-factor authentication? (CSC 5 Admin Access)
How many attempts to gain access to password files have been detected recently? (CSC 16 Controlled Access)
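As an added example (not from the deck or from NRECA), the three measures above computed from constructed data and rated against the deck's thresholds: time based (an hour, a day, a week), percentage based (1%, 4%, 10%) and quantitative. The CSC 16 thresholds and the audit record format are assumptions, since the deck leaves quantitative thresholds to you.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

HOUR, DAY, WEEK = 3600, 86400, 604800  # the deck's time-based thresholds, in seconds

@dataclass(frozen=True)
class Thresholds:
    """Lower / moderate / higher risk thresholds for one measure."""
    lower: float
    moderate: float
    higher: float
    def rate(self, value):
        """Worst-risk band whose threshold the value still meets; 'exceeds' if none."""
        if value <= self.lower:
            return "lower"
        if value <= self.moderate:
            return "moderate"
        return "higher" if value <= self.higher else "exceeds"

TIME_BASED = Thresholds(HOUR, DAY, WEEK)       # an hour, a day and a week
PERCENT_BASED = Thresholds(1.0, 4.0, 10.0)     # 1%, 4% and 10%
PASSWORD_FILE_ATTEMPTS = Thresholds(0, 5, 20)  # quantitative: you set these (constructed here)

def patch_deploy_seconds(patch_log, as_of):
    """CSC 4: seconds from release until the last in-scope host is patched; a host still
    unpatched (deployed_at is None) is measured up to `as_of` and keeps counting."""
    worst = 0.0
    for _host, released_at, deployed_at in patch_log:
        end = deployed_at if deployed_at is not None else as_of
        worst = max(worst, (end - released_at).total_seconds())
    return worst

def pct_elevated_without_2fa(accounts):
    """CSC 5: percentage of elevated accounts that do not require a second factor."""
    elevated = [a for a in accounts if a["elevated"]]
    if not elevated:
        return 0.0
    return 100.0 * sum(1 for a in elevated if not a["two_factor"]) / len(elevated)

def password_file_attempts(audit_lines, since):
    """CSC 16: audit records touching /etc/shadow at or after `since`.
    Record format is constructed: '<ISO time> <user> <result> <path>'."""
    hits = 0
    for line in audit_lines:
        stamp, _user, _result, path = line.split()
        if path == "/etc/shadow" and datetime.fromisoformat(stamp) >= since:
            hits += 1
    return hits

def rate_measures(patch_log, as_of, accounts, audit_lines, since):
    """Return {measure: (value, risk band)} for the three example measures."""
    deploy = patch_deploy_seconds(patch_log, as_of)
    no_2fa = pct_elevated_without_2fa(accounts)
    hits = password_file_attempts(audit_lines, since)
    return {"CSC 4 patch deployment time (s)": (deploy, TIME_BASED.rate(deploy)),
            "CSC 5 elevated accounts without 2FA (%)": (no_2fa, PERCENT_BASED.rate(no_2fa)),
            "CSC 16 password file access attempts": (hits, PASSWORD_FILE_ATTEMPTS.rate(hits))}

# Constructed sample data as of the morning of 30 Nov 2017; patch rows are (host, released_at, deployed_at).
AS_OF = datetime(2017, 11, 30, 9, 0)
RELEASED = datetime(2017, 11, 27, 9, 0)
PATCH_LOG = [("ws-01", RELEASED, datetime(2017, 11, 27, 15, 0)),
             ("ws-02", RELEASED, datetime(2017, 11, 28, 9, 0)),
             ("srv-01", RELEASED, datetime(2017, 11, 29, 21, 0)),
             ("srv-02", RELEASED, None)]  # still unpatched: three days and counting
ACCOUNTS = [{"name": n, "elevated": e, "two_factor": t} for n, e, t in
            [("alice", True, True), ("bob", True, False), ("carol", False, False),
             ("dave", True, True), ("erin", True, True)]]
AUDIT_LINES = ["2017-11-28T02:14:00 www-data denied /etc/shadow",
               "2017-11-28T02:14:05 www-data denied /etc/shadow",
               "2017-11-29T11:00:00 root allowed /etc/shadow",
               "2017-11-20T08:00:00 www-data denied /etc/shadow",  # older than the window
               "2017-11-29T12:00:00 alice allowed /var/log/syslog"]
SINCE = AS_OF - timedelta(days=7)
```

Calling rate_measures(PATCH_LOG, AS_OF, ACCOUNTS, AUDIT_LINES, SINCE) on the sample data puts patching in the higher-risk band, the missing second factor beyond every threshold, and the three shadow-file attempts in the moderate band.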
Effectiveness Testing
30 tests to run, some are quite complex
Adding items to your environment and seeing what your responses are
Just think like the bad guys x 10
Periodic – need to decide what frequency to run the tests
Need to design your systems so they can be tested
Example Testing
Connect hardened systems to the network and verify that the system generates an alert (CSC 1 Hardware Inventory and NAC)
Attempt to gain access to a cross section of devices using default administrator passwords (CSC 5 Admin Access)
Perform authorized phishing attempts (CSC 7 Email and Browser Protections)
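An added example (not from the deck or from NRECA) of the defensive side of the first test: DHCP acknowledgements are reconciled against the authorised hardware inventory so that a newly connected system raises an alert, which is what the CSC 1 test checks. The ISC dhcpd syslog format is real; the inventory and the log lines are constructed, including a MAC stored with dashes and a server rebuilt without updating the inventory.

```python
import re

# ISC dhcpd syslog acknowledgement: "... DHCPACK on <ip> to <mac> (<hostname>) via <if>"
DHCPACK = re.compile(r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9A-Fa-f:-]{17})"
                     r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)")

def normalise_mac(mac):
    """Canonical lower-case, colon-separated form so inventory lookups are exact."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_dhcpack(lines):
    """Yield (ip, mac, hostname, iface) for each DHCPACK line; other lines are skipped."""
    for line in lines:
        m = DHCPACK.search(line)
        if m:
            yield m["ip"], normalise_mac(m["mac"]), m["host"] or "", m["iface"]

def reconcile(lines, inventory):
    """Compare observed DHCP clients with the authorised inventory {mac: hostname}.
    Returns one alert per offending MAC; an empty list means every observed device
    is in the inventory and announced the hostname the inventory expects."""
    authorised = {normalise_mac(mac): host for mac, host in inventory.items()}
    alerts, seen = [], set()
    for ip, mac, host, iface in parse_dhcpack(lines):
        if mac in seen:  # report each device once, not once per lease renewal
            continue
        seen.add(mac)
        if mac not in authorised:
            alerts.append({"severity": "high", "mac": mac, "ip": ip, "iface": iface,
                           "reason": f"device not in inventory, announced as {host!r}"})
        elif host and host != authorised[mac]:
            alerts.append({"severity": "medium", "mac": mac, "ip": ip, "iface": iface,
                           "reason": f"announced {host!r}, inventory says {authorised[mac]!r}"})
    return alerts

# Constructed inventory and dhcpd log: 'test-box' is the hardened system plugged in for
# the effectiveness test, and 'srv-01' was rebuilt without the inventory being updated.
INVENTORY = {"00:11:22:33:44:55": "ws-01",
             "00-11-22-33-44-66": "ws-02",  # dash form; normalised on load
             "aa:bb:cc:dd:ee:01": "srv-01"}
DHCP_LOG = [
    "Nov 30 08:59:01 dhcp dhcpd[1234]: DHCPACK on 10.0.1.23 to 00:11:22:33:44:55 (ws-01) via eth0",
    "Nov 30 08:59:07 dhcp dhcpd[1234]: DHCPACK on 10.0.1.24 to 00:11:22:33:44:66 (ws-02) via eth0",
    "Nov 30 09:02:15 dhcp dhcpd[1234]: DHCPREQUEST for 10.0.1.30 from de:ad:be:ef:00:01 via eth0",
    "Nov 30 09:02:16 dhcp dhcpd[1234]: DHCPACK on 10.0.1.30 to DE:AD:BE:EF:00:01 (test-box) via eth0",
    "Nov 30 09:05:40 dhcp dhcpd[1234]: DHCPACK on 10.0.1.40 to aa:bb:cc:dd:ee:01 (srv-01-new) via eth0",
    "Nov 30 09:06:00 dhcp dhcpd[1234]: DHCPACK on 10.0.1.30 to de:ad:be:ef:00:01 (test-box) via eth0",
]

if __name__ == "__main__":
    for alert in reconcile(DHCP_LOG, INVENTORY):
        print(f"[{alert['severity']}] {alert['mac']} at {alert['ip']} on {alert['iface']}: {alert['reason']}")
```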
Attack Types
23 attack types
Useful for risk assessments
Can cross-reference to top level controls (v5)
Can be used to mitigate Incident Scenarios
We identified 9 Incident Scenarios
Example Attack Types
Attackers distribute hostile content on Internet-accessible websites that exploit unpatched and improperly secured client software running on
Attackers exploit users and system administrators via social engineering scams that work because of a lack of security skills and awareness
Attackers exploit weak application software, particularly web applications, through attack vectors such as SQL injection, cross-site scripting, and similar tools
Example Incident Scenarios
Attackers exploit inbound email to introduce malware into the environment
Attackers exploit our websites to either introduce malware or to extract data directly
Insiders surfing the internet, resulting in malware being introduced into the environment
Tying Things Together
Attack Type: Attackers exploit users and system administrators via social engineering scams that work because of a lack of security skills and awareness
Incident Scenario: Attackers exploit inbound email to introduce malware into the environment
Applicable Controls:
05 Controlled Use of Administrative Privileges
07 Email and Web Browser Protections
16 Account Monitoring and Control
17 Security Skills Assessment and Appropriate Training to Fill Gaps
Other Component Parts
Governance Controls: defines 15 categories of governance controls
Appendices:
Evolving An Attack Model
NIST Framework
National Hygiene Campaign
Privacy Impact Assessment
Select an approach
Essential that you are thoughtful and organized
A huge task to undertake
If you aren’t careful you can actually make things worse
Going to need a lot of support and resources
Have some idea of time frame, length of time
Project vs. operational focus
Start with an Assessment
Broke the 149 sub-controls into device and area specific sub-controls (350 total)
Surveyed by team
Overall effectiveness vs. the actual words
Aggregated results, worked out differences between teams
Risk ranked based on the security value
Validate against effectiveness measures
What We Discovered
Tangible benefits from initial assessment
Identified:
Any really serious gaps
Low hanging fruit
Anything close to completion
Absolutely need high-level prioritization
Absolutely need project management
[Figure: CSC 1–20 wheel] Quick Wins based upon risk assessment
Created a Formal Project
Cross-functional teams
Qualified project manager
Let the teams self-identify the work within the work
Made it a real priority
Obtained the tools and training that the teams needed
[Figure: CSC 1–20 wheel] Get training and awareness program going
[Figure: CSC 1–20 wheel] Drive to Vulnerability Management
[Figure: CSC 1–20 wheel] Drive to Vulnerability Management and include Network Secure Configurations
[Figure: CSC 1–20 wheel] Tackle Incident Management, Audit Logs and Data Recovery
[Figure: CSC 1–20 wheel] In many cases Incident Management may include Penetration Exercises
[Figure: CSC 1–20 wheel] Complete controls over Accounts and Data
[Figure: CSC 1–20 wheel] May want to attack App Sec, Email and Browsers at the same time
[Figure: CSC 1–20 wheel] Consider all of the network related controls together
Putting it all Together
[Figure: CSC 1–20 wheel] Quick Wins based upon risk assessment
[Figure: CSC 1–20 wheel] Start with training
[Figure: CSC 1–20 wheel] Drive to Vulnerability Management
[Figure: CSC 1–20 wheel] Add in Incident Response
[Figure: CSC 1–20 wheel] Complete controls over Accounts and Data
[Figure: CSC 1–20 wheel] Complete App Sec, Email and Browsers
[Figure: CSC 1–20 wheel] Ensure Network Controls are completed
An “On Ramp” to Compliance
Use the CSC compliance model if it’s useful
Mappings currently exist between the CSCs and:
NIST 800-53 rev4
NIST Cyber Security Framework
ISO 27002 Control Catalog
HIPAA / HITECH Act
Actionable Next Steps
Get a charter from senior executives
Create governance structures
Document policies
Implement the controls defined by policies
Measure/audit the controls that are defined by the policies
Communicate, communicate, communicate
In Summary
Implementing these controls will mitigate risks
But it’s easy to get overwhelmed
Do at least a high-level risk assessment
Prioritize actions
Get the quick wins
Settle in for the long haul
Know that there is a lot of help available
Q & A
Resources for further study:
The Critical Security Controls Courses – SEC 440 / 566
The Critical Security Controls Project
AuditScripts.com Resources
Mandiant APT1 Report (with Appendixes)
The Security Content Automation Protocol (SCAP) by NIST
NIST 800 Series Special Publications
DHS Cyber Security Tool CSET
[Figure: CSC 1–20 wheel, built up over four slides] Basic Structure – System – Network – Application
[Figure: CSC 1–20 wheel, built up over four slides] Governance (what you should do) – Identify Info Assets – Know Your Vulnerabilities – Identify Key Threats – Control Access
[Figure: CSC 1–20 wheel] All the 20 controls are in progress if not finished