Brian Ventura SANS Community Instructor

Presentation on theme: "Brian Ventura SANS Community Instructor"— Presentation transcript:

1 A Prioritized Approach to Implement the NIST CSF using the CIS Critical Security Controls
Brian Ventura SANS Community Instructor ISSA Portland, Director of Education @brianwifaneye

2 Who am I? Brian Ventura
20+ years in Information Technology, ranging from systems administration to project management and information security. Currently an Information Security Architect in Portland, Oregon, and volunteer as the Director of Education for the Portland ISSA Chapter. Brian holds his CISSP, GSEC, GCFA, and GCCC, as well as other industry certifications. As the ISSA Director of Education, Brian coordinates relevant local and online training opportunities.
Timbers Army, Thorns Riveter, bike commuter, Land Cruiser enthusiast
SEC440: Critical Security Controls: Planning, Implementing and Auditing
SEC566: Implementing and Auditing the Critical Security Controls - In-Depth
MGT414: SANS Training Program for CISSP® Certification
Coming Soon… SEC401: Security Essentials Bootcamp Style

3 One approach is to use the NIST Framework for Improving Critical Infrastructure Cybersecurity in conjunction with the Center for Internet Security’s Critical Security Controls. Today we will discuss a case study of how the City of Portland used the CSF and CSC together to prioritize their security controls.

4 City of Portland Delivery of services and value to Bureaus Align security strategy with business risk

5 NIST Framework+ City of Portland’s Adoption of CSF Risk & remediation prioritization Maturity gaps and selective metrics Alignment of business risk to CSC Budget & resource prioritization

6 NIST Framework

7

8

9 NIST Framework+

10 NIST Framework+
InfoSec Service Catalog
Risk Management
CSC Top Twenty
Budget: Actual, Unfunded, Projections, 3 year plan
Maturity Matrix: Current State, Challenges, Progress - Investment, Future State
KPI – Metrics
3-year Quarter by Quarter Project Roadmap
Goals in developing the NIST CSF+

11 NIST Framework+ Here is what it looks like as a whole

12 NIST Framework+ Service Catalog
Basic NIST CSF with our Service Catalog added.

13 NIST+ Risk and Critical Security Controls
Internal Risk Rankings and Critical Security Control mapping

14 NIST+ Budget Budgetary numbers for 3 years. Colors denote requested, granted and rejected.

15 NIST+ Maturity Maturity ranking (could follow the CMMI; this scale is out of 6). Dark Grey is maturity, Yellow is a challenge area, Green is a growth area, and Light Grey is the target maturity.

16 NIST Roadmap 3-5 year project plan to support budgetary requests. Think about service refresh, hardware refresh, maintenance costs and initiatives.

17 Overall view with the budgetary numbers removed
Overall view with the budgetary numbers removed. Good for sharing with operations or other departments.

18 Governance The first 2 areas focus on Governance controls. This area is likely managed by the Information Security team directly, working with business lines.

19 Operations The final 3 areas focus on operations. These could be managed by the operational teams.

20 Some of the columns can be removed, when talking to different groups
Some of the columns can be removed, when talking to different groups. Maybe we don’t want to show budget numbers, maybe we want to hide maturity. Commonly we remove the risk levels and CSC prioritization.

21 When working with specific teams, we may view specific rows, pertaining to their group. Here we can express the risk level, project expectations, budget requested and granted as well as maturity level.

22 The CSF+ tool has documentation built in and guidance and section descriptions.

23 CIS Critical Security Controls
Foundational Cyber Hygiene controls
Prioritized order
The Critical Security Controls focus on mitigating known vectors for breach or compromise. Offense informs Defense. These 20 controls are a prioritized list of technical control families. Control 1 is the most important and control 20 is less important, but still something to focus efforts on before moving to other controls or solutions. The first 5 controls are the core controls that would have mitigated >85% of the breaches that have occurred to date (based on research from the Australian Signals Directorate top 35). The critical security controls are based on previous breaches and attacks, so they can be considered a general risk assessment. Without performing a specific risk assessment of a given network, this is a great starting point. The critical security controls do not address governance controls. The NIST cybersecurity framework does address the governance controls. This makes their combination a powerful union. Here we will outline the first 5 controls.

24 CIS Critical Security Controls
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software
4. Continuous Vulnerability Assessment and Remediation
5. Controlled Use of Administrative Privileges
6. Maintenance, Monitoring, and Analysis of Audit Logs
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports
10. Data Recovery Capability
11. Secure Configurations for Network Devices
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
17. Security Skills Assessment and Appropriate Training to Fill Gaps
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises

25 CIS Critical Security Control 1: Inventory of authorized and unauthorized devices
Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access. Workstations, servers, printers, TVs, phones, what else? How do we find these? Discuss the risks presented by the devices connected to the network. Any device on the network potentially has access to data. Without knowing about the devices, we cannot successfully apply controls. If we apply excellent controls to 80% of the devices on the network and ignore 20%, the 20% are the likely vector for successful attack or breach. We want active and passive scanners to feed an inventory database that includes all the devices and IP space used by the organization. The inventory database can then power a Network Level Access solution to manage network connectivity.

26 CIS Critical Security Control 1: Inventory of authorized and unauthorized devices
Here is a sample dashboard showing us device activity on our network. What can we see for activity on the network? We see how many new devices, how many are windows or mobile, etc. This data comes from active and passive scanners on our network. Workflows can use this data to create tickets to address unexpected devices or validate devices against the inventory database. How long does it take our organization to identify new devices, validate those devices against inventory and ensure they have the appropriate management software, malware defense, etc?
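The reconciliation the dashboard slide describes (scanner observations checked against the inventory database, with gaps turned into tickets) can be shown in a few lines. The following is an added example written for this transcript, not code from the presentation or from the City of Portland; the inventory schema, the MAC addresses, the observation records and the ticket fields are all constructed for illustration.

```python
from datetime import datetime

# Constructed inventory database keyed by MAC address (hypothetical schema).
INVENTORY = {
    "00:11:22:33:44:01": {"hostname": "ws-fin-01", "owner": "Finance", "managed": True},
    "00:11:22:33:44:02": {"hostname": "srv-db-01", "owner": "IT", "managed": True},
    "00:11:22:33:44:03": {"hostname": "prn-lobby", "owner": "Facilities", "managed": False},
    "00:11:22:33:44:04": {"hostname": "srv-old-01", "owner": "IT", "managed": True},
}

# Constructed observations merged from an active scanner and a passive listener.
OBSERVATIONS = [
    {"mac": "00:11:22:33:44:01", "ip": "10.1.1.10", "first_seen": "2017-03-01T08:00:00", "source": "active"},
    {"mac": "00:11:22:33:44:02", "ip": "10.1.2.5", "first_seen": "2017-03-01T08:05:00", "source": "active"},
    {"mac": "00:11:22:33:44:03", "ip": "10.1.1.50", "first_seen": "2017-03-01T08:10:00", "source": "passive"},
    {"mac": "aa:bb:cc:dd:ee:ff", "ip": "10.1.1.77", "first_seen": "2017-03-01T09:30:00", "source": "passive"},
]


def reconcile(inventory, observations):
    """Compare what the scanners saw with what the inventory says should exist."""
    seen = {o["mac"] for o in observations}
    unknown = [o for o in observations if o["mac"] not in inventory]
    unmanaged = [o for o in observations
                 if o["mac"] in inventory and not inventory[o["mac"]]["managed"]]
    # Inventoried devices that no scanner saw: stale records or offline assets.
    not_seen = sorted(mac for mac in inventory if mac not in seen)
    return {"unknown": unknown, "unmanaged": unmanaged, "not_seen": not_seen}


def open_tickets(report, now_iso):
    """Turn reconciliation gaps into workflow tickets, recording how long each gap has existed."""
    now = datetime.fromisoformat(now_iso)
    tickets = []
    for o in report["unknown"]:
        age_h = (now - datetime.fromisoformat(o["first_seen"])).total_seconds() / 3600
        tickets.append({"type": "unknown-device", "ip": o["ip"], "mac": o["mac"],
                        "age_hours": round(age_h, 1),
                        "action": "validate against inventory or quarantine via network access control"})
    for o in report["unmanaged"]:
        tickets.append({"type": "unmanaged-device", "ip": o["ip"], "mac": o["mac"],
                        "action": "confirm management agent and malware defense coverage"})
    return tickets


def coverage(inventory, report):
    """Percentage of inventoried devices that are both managed and seen on the network."""
    managed_seen = sum(1 for mac, rec in inventory.items()
                       if rec["managed"] and mac not in report["not_seen"])
    return round(100 * managed_seen / len(inventory), 1)


if __name__ == "__main__":
    report = reconcile(INVENTORY, OBSERVATIONS)
    for ticket in open_tickets(report, "2017-03-01T12:00:00"):
        print(ticket)
    print("managed and seen: %s%%" % coverage(INVENTORY, report))
```

The `age_hours` field is the metric the slide asks about: how long the organization takes to notice and validate a new device. Tracking it per ticket gives a number that can be reported against a target.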

27 CIS Critical Security Control 1: Inventory of authorized and unauthorized devices

28 CIS Critical Security Control 1: Inventory of authorized and unauthorized devices

29 CIS Critical Security Control 2: Inventory of authorized and unauthorized Software
Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution. We need an inventory and a way to manage appropriate use of software! We want an inventory of installed software. From there, we want to authorize some software to run and disallow or alert on software that is not approved. The control requires a software/hardware inventory system and a software whitelisting solution. As with our inventory of hardware: if I don’t know what software is in use or what systems have that software, then how do I patch the software or apply software controls? Once we have a list of approved software, we can use a software whitelisting solution to block any software not on our list. This will block most malicious code from running. This control feeds off control 1. I need to know all my machines before I can collect information on all my software.

30 CIS Critical Security Control 2: Inventory of authorized and unauthorized Software
In this sample dashboard, I see the operating systems, software versions and changes to software. Using authenticated scanners and inventory agents, we collect all the installed software. This information is validated against our existing inventory database. Deviations from the approved software list create alerts. Software whitelisting solutions can use the inventory data to validate software prior to execution and block unauthorized software.
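The two decisions on this slide, alerting on deviations from the approved-software list and a whitelisting check before execution, are shown together below. This is an added example for this transcript, not code from the presentation or from any whitelisting product; the approved list, the per-host package data and the hash allowlist are constructed, and the version rule (a package is compliant only at or above an approved minimum version) is an assumption of the example.

```python
import hashlib

# Constructed approved-software list with the minimum version allowed (hypothetical data).
APPROVED = {
    "7-Zip": {"min_version": "16.4"},
    "Mozilla Firefox": {"min_version": "52.0"},
    "Microsoft Office": {"min_version": "15.0"},
}

# Constructed per-host package lists, as an authenticated scan or inventory agent would report them.
HOST_SOFTWARE = {
    "ws-fin-01": [("7-Zip", "16.4"), ("Mozilla Firefox", "45.0"), ("TeamViewer", "12.0")],
    "srv-db-01": [("7-Zip", "9.20"), ("Microsoft Office", "15.0")],
}

# Constructed allowlist: SHA-256 of an approved executable -> description.
ALLOWED_HASHES = {
    hashlib.sha256(b"constructed bytes of an approved 7-Zip binary").hexdigest(): "7-Zip 16.4",
}


def parse_version(text):
    """'16.4' -> (16, 4); tuple comparison gives numeric, not lexical, ordering ('9.20' < '16.4')."""
    return tuple(int(part) for part in text.split("."))


def find_deviations(approved, host_software):
    """Alert on software that is not on the approved list, or is below the approved version."""
    alerts = []
    for host, packages in host_software.items():
        for name, version in packages:
            if name not in approved:
                alerts.append({"host": host, "software": name, "version": version,
                               "reason": "not-approved"})
            elif parse_version(version) < parse_version(approved[name]["min_version"]):
                alerts.append({"host": host, "software": name, "version": version,
                               "reason": "below-approved-version"})
    return alerts


def allow_execution(binary, allowed=ALLOWED_HASHES):
    """Whitelisting decision: the file runs only if its hash is on the allowlist.

    Default-deny is the point of the control: anything not on the list, including
    malicious code the inventory has never seen, is blocked rather than alerted on."""
    return hashlib.sha256(binary).hexdigest() in allowed


if __name__ == "__main__":
    for alert in find_deviations(APPROVED, HOST_SOFTWARE):
        print(alert)
    print(allow_execution(b"constructed bytes of an approved 7-Zip binary"))
    print(allow_execution(b"constructed bytes of an unknown binary"))
```

Hashing the file contents rather than trusting the file name is what makes the allowlist resistant to a renamed binary; the inventory deviations, by contrast, are an alerting control and still depend on the scan having reached the host (control 1).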

31 CIS Critical Security Control 2: Inventory of authorized and unauthorized Software

32 CIS Critical Security Control 3: Secure configurations for hardware and software
Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings. Example: Is our webserver using TLS for authentication/sensitive data transfers? Are our users using strong passwords? For each hardware platform, Operating System and Application, there are options for how they operate. Some of those options are security related. For those settings, we want to ensure we are choosing the highest security for our environment. Without knowing what devices we have and what software we have, this is an impossible task. Now that we have controls 1 and 2 completed, we can tackle the settings for these devices, OS, and applications. There are a few resources to identify the security settings and best practices for applying these settings. The vendor is a great starting point. Microsoft, as an example, provides a number of security best practice documents. In addition, the Center for Internet Security (CIS) provides their benchmark settings for a number of common solutions and provides testing tools for checking compliance with the recommended settings.

33 CIS Critical Security Control 3: Secure configurations for hardware and software
Using authenticated scans, we can verify compliance with approved security settings. Using the Security Content Automation Protocol (SCAP), settings can be verified using authenticated scans from a vulnerability scanner. The SCAP file will contain all of the approved security settings and check systems against this standard. Many vulnerability scanners have the ability to use SCAP files to augment vulnerability scans.
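What a scanner does with a benchmark file, at its simplest, is compare each collected setting against an approved value with a defined operator and report pass, fail or not collected. The following added example (written for this transcript, not code from the presentation, and not a SCAP or OVAL parser; real SCAP content is XML with its own check language) shows that evaluation over a constructed benchmark and two constructed host snapshots. The check IDs, setting names and values are hypothetical.

```python
# Constructed benchmark: each check names a collected setting, an operator and the approved value.
BENCHMARK = [
    {"id": "CHK-01", "title": "Minimum password length", "setting": "MinimumPasswordLength",
     "op": ">=", "value": 14},
    {"id": "CHK-02", "title": "Password history size", "setting": "PasswordHistorySize",
     "op": ">=", "value": 24},
    {"id": "CHK-03", "title": "Guest account disabled", "setting": "EnableGuestAccount",
     "op": "==", "value": 0},
    {"id": "CHK-04", "title": "Only TLS 1.2 offered", "setting": "TlsProtocols",
     "op": "subset_of", "value": {"TLSv1.2"}},
    {"id": "CHK-05", "title": "Logon auditing enabled", "setting": "AuditLogon",
     "op": "==", "value": "Success and Failure"},
]

# Constructed snapshots as an authenticated scan would collect them.
# srv-web-01 is missing AuditLogon: a setting the scan could not read is a finding, not a pass.
SNAPSHOTS = {
    "ws-fin-01": {"MinimumPasswordLength": 14, "PasswordHistorySize": 10, "EnableGuestAccount": 0,
                  "TlsProtocols": {"TLSv1.0", "TLSv1.2"}, "AuditLogon": "Success and Failure"},
    "srv-web-01": {"MinimumPasswordLength": 8, "PasswordHistorySize": 24, "EnableGuestAccount": 0,
                   "TlsProtocols": {"TLSv1.2"}},
}

OPERATORS = {
    ">=": lambda actual, expected: actual >= expected,
    "==": lambda actual, expected: actual == expected,
    # The host may offer fewer protocols than approved, never more.
    "subset_of": lambda actual, expected: set(actual) <= set(expected),
}


def evaluate(check, snapshot):
    """Evaluate one benchmark check against one host's collected settings."""
    if check["setting"] not in snapshot:
        return {"id": check["id"], "result": "not_collected"}
    actual = snapshot[check["setting"]]
    passed = OPERATORS[check["op"]](actual, check["value"])
    return {"id": check["id"], "result": "pass" if passed else "fail",
            "actual": actual, "expected": check["value"]}


def score_host(benchmark, snapshot):
    """Compliance score (percent of checks passed) and the list of checks needing attention."""
    results = [evaluate(check, snapshot) for check in benchmark]
    passed = sum(1 for r in results if r["result"] == "pass")
    return {"score": round(100 * passed / len(benchmark), 1),
            "failed": [r["id"] for r in results if r["result"] != "pass"]}


if __name__ == "__main__":
    for host, snapshot in SNAPSHOTS.items():
        print(host, score_host(BENCHMARK, snapshot))
```

Both constructed hosts score 60%, but for different reasons, which is why the per-check list matters more than the number: ws-fin-01 still offers TLS 1.0, while srv-web-01 has a weak password policy and a setting the scan could not collect at all.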

34 CIS Critical Security Control 3: Secure configurations for hardware and software

35 CIS Critical Security Control 4: Continuous vulnerability assessment and remediation
Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers. Are there vulnerabilities in our installed versions of Java, Flash, Windows, others? For each device and each piece of software, are there vulnerabilities we need to address? Have we patched to the latest security patch? There are some very obvious software packages that regularly receive vulnerability reports and patches (Oracle Java, Adobe Flash, Microsoft OS and applications). Maybe we have solutions to patch those already (WSUS). What about the rest of the software? How do I know if I successfully patched everything?

36 CIS Critical Security Control 4: Continuous vulnerability assessment and remediation
Using our vulnerability scanner, we can perform authenticated scans against all devices, looking for vulnerabilities as well as validating against our SCAP settings. These vulnerabilities are managed over time to identify how much risk exists in the environment.
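"Managed over time" means keeping each finding with the dates it was first seen and fixed, so the window of opportunity can be measured rather than guessed. The added example below (written for this transcript, not the presentation's own material) does that over constructed scan findings: what is open as of a date, which findings have exceeded a remediation deadline, and the mean time to remediate closed ones. The finding names, the hosts and the per-severity deadlines are hypothetical.

```python
from collections import Counter
from datetime import date

# Constructed findings from repeated authenticated scans (hypothetical names and dates).
FINDINGS = [
    {"host": "ws-fin-01", "finding": "Java runtime out of date", "severity": "critical",
     "first_seen": "2017-01-10", "fixed": "2017-01-20"},
    {"host": "ws-fin-01", "finding": "Flash Player out of date", "severity": "critical",
     "first_seen": "2017-02-01", "fixed": None},
    {"host": "srv-db-01", "finding": "Missing OS security update", "severity": "high",
     "first_seen": "2017-02-15", "fixed": "2017-02-22"},
    {"host": "srv-db-01", "finding": "Benchmark: guest account enabled", "severity": "medium",
     "first_seen": "2017-01-05", "fixed": None},
]

# Hypothetical remediation deadlines in days, by severity.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}


def _day(text):
    return date.fromisoformat(text) if text else None


def open_findings(findings, as_of):
    """Findings seen on or before as_of and not yet fixed by that date."""
    cutoff = _day(as_of)
    return [f for f in findings
            if _day(f["first_seen"]) <= cutoff
            and (f["fixed"] is None or _day(f["fixed"]) > cutoff)]


def open_by_severity(findings, as_of):
    """How much risk is open right now, grouped by severity."""
    return dict(Counter(f["severity"] for f in open_findings(findings, as_of)))


def overdue(findings, as_of):
    """Open findings whose age has passed the deadline for their severity."""
    cutoff = _day(as_of)
    out = []
    for f in open_findings(findings, as_of):
        age = (cutoff - _day(f["first_seen"])).days
        if age > SLA_DAYS[f["severity"]]:
            out.append({"host": f["host"], "finding": f["finding"], "age_days": age})
    return out


def mean_time_to_remediate(findings):
    """Average days from first seen to fixed, over closed findings only."""
    closed = [(_day(f["fixed"]) - _day(f["first_seen"])).days for f in findings if f["fixed"]]
    return round(sum(closed) / len(closed), 1) if closed else None


if __name__ == "__main__":
    print(open_by_severity(FINDINGS, "2017-03-01"))
    print(overdue(FINDINGS, "2017-03-01"))
    print("MTTR days:", mean_time_to_remediate(FINDINGS))
```

A finding that disappears from a scan because the host was offline is not a fix; a real pipeline should close findings only when a later authenticated scan of the same host no longer reports them.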

37 CIS Critical Security Control 4: Continuous vulnerability assessment and remediation

38 CIS Critical Security Control 5: Controlled use of administrative privileges
The misuse of administrative privileges is a primary method for attackers to move laterally inside a target enterprise. This applies to any device: workstations, servers, applications, appliances, network devices. Attackers want to execute malicious code, install back doors and log in where they do not have access. The use of privileged accounts makes this much easier. How do we limit the use of privileged accounts?
Remove user access to the administrators group on their workstations.
Use separate accounts for privileged access: one for normal use (surfing the web and reading email) and a different account for administering the systems. Ensure passwords are different for these 2 different accounts.
Never log into a workstation as a privileged user; instead use “run as administrator” or an equivalent.
Monitor use of privileged accounts.
Reduce the number of “domain admins”… to 0.
Use multi-factor for all privileged activities and accounts.
Disallow privileged accounts from running web browsers and email clients.

39 CIS Critical Security Control 5: Controlled use of administrative privileges
Report on systems with privileged access, users in the administrators group and when those privileged accounts are used.

40 CIS Critical Security Control 5: Controlled use of administrative privileges
We need to monitor administrative access. How often is a domain admin account used and where?
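The two questions on this slide (how often a domain admin account is used, and where) and the "never log into a workstation as a privileged user" rule from the previous slide are both answerable from successful-logon events. The added example below (written for this transcript, not from the presentation) runs that detection over constructed, simplified logon records; it is not a parser for the native Windows event format. The account names, host names and the naming convention used to recognise workstations (hostnames starting with `ws-`) are assumptions of the example. Event ID 4624 is the Windows successful-logon event, and logon types 2, 10 and 3 are interactive, remote interactive and network logons respectively.

```python
import re
from collections import Counter

# Constructed, flattened logon records: timestamp, host, event id, logon type, account.
EVENTS = r"""
2017-03-01T08:02:11 host=ws-fin-01 id=4624 type=2 account=CORP\jdoe
2017-03-01T08:15:40 host=ws-fin-01 id=4624 type=2 account=CORP\jdoe-adm
2017-03-01T09:00:05 host=srv-dc-01 id=4624 type=10 account=CORP\jdoe-adm
2017-03-01T09:30:00 host=srv-db-01 id=4624 type=3 account=CORP\svc-backup
2017-03-01T11:45:12 host=ws-hr-07 id=4624 type=10 account=CORP\ops-adm
""".strip().splitlines()

# Hypothetical privileged accounts; in practice these come from group membership reports.
PRIVILEGED = {r"CORP\jdoe-adm", r"CORP\ops-adm"}
DOMAIN_ADMINS = {r"CORP\jdoe-adm"}
INTERACTIVE_TYPES = {"2", "10"}   # console and remote-desktop logons leave credentials on the host

LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) id=(?P<id>\d+) "
                  r"type=(?P<type>\d+) account=(?P<account>\S+)$")


def parse_event(line):
    """Parse one constructed record; returns None for lines that do not match."""
    match = LINE.match(line)
    return match.groupdict() if match else None


def detect_admin_on_workstation(lines):
    """Alert when a privileged account logs on interactively to a workstation."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if not ev or ev["id"] != "4624":
            continue
        if (ev["account"] in PRIVILEGED and ev["type"] in INTERACTIVE_TYPES
                and ev["host"].startswith("ws-")):
            alerts.append({"ts": ev["ts"], "host": ev["host"], "account": ev["account"],
                           "reason": "privileged account logged on interactively to a workstation"})
    return alerts


def domain_admin_usage(lines):
    """Count successful domain admin logons per (account, host): how often, and where."""
    usage = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev and ev["id"] == "4624" and ev["account"] in DOMAIN_ADMINS:
            usage[(ev["account"], ev["host"])] += 1
    return dict(usage)


if __name__ == "__main__":
    for alert in detect_admin_on_workstation(EVENTS):
        print(alert)
    print(domain_admin_usage(EVENTS))
```

A usage table that is empty is the goal the slide sets ("reduce the number of domain admins to 0"); until then, any domain admin logon on a host other than a domain controller or a dedicated admin workstation is worth a ticket.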

41 AuditScripts: CSC Initial Assessment Tool Maintained and provided by CSC Editor James Tarala
Here is a sample spreadsheet for helping audit and track maturity with the Critical Security Controls. This is a temporary solution before automation and dashboards replace this document and successfully track control maturity.

42 Questions?

43 Links and Resources https://www.sans.org/instructors/brian-ventura
Center for Internet Security (CIS):
NIST Cyber Security Framework (CSF):
CIS Critical Security Controls (CSC):
Auditscripts resources (provided by James Tarala, CSC Editor): resources/critical-security-controls/
CSF planning spreadsheet: implementation-planning-tool

