Presentation is loading. Please wait.

Presentation is loading. Please wait.

THE 20 CRITICAL CONTROLS: A SECURITY STRATEGY RANDY MARCHANY VA TECH IT SECURITY OFFICE 1 (C) MARCHANY 2011.

Published byAvery Bever Modified over 9 years ago

Similar presentations

Presentation on theme: "THE 20 CRITICAL CONTROLS: A SECURITY STRATEGY RANDY MARCHANY VA TECH IT SECURITY OFFICE 1 (C) MARCHANY 2011."— Presentation transcript:

1 THE 20 CRITICAL CONTROLS: A SECURITY STRATEGY RANDY MARCHANY VA TECH IT SECURITY OFFICE 1 (C) MARCHANY 2011

2 WHO AM I? Been working in IT Security since 1992, working in IT for 38 years CISO at VA Tech 40K node network. dual stack IPV4, IPV6 network since 2006 Multi-national – Main campus (Blacksburg, VA), Remote campuses (Arlington, Norfolk, VA), Swiss, Indian, Egyptian campuses My IT Security Philosophy All Security is Local Empower the local IT staff The Business Process trumps the Security Process Learn the business process before imposing security requirements Restrictive security practices cause worse problems overall 2 (C) MARCHANY 2011

3 3

4 MOST COMMON SECURITY MISTAKES MADE BY INDIVIDUALS (2001) Poor password management Leaving your computer on, unattended Opening e-mail attachments from strangers Not installing anti-virus software Laptops on the loose Blabber mounts Plug and Play without protection Not reporting security violations Always behind the times (OS, application patches) Keeping an eye out inside the organization 4 (C) MARCHANY 2011

5 WHAT I SAID: 1990’S – 2000’S “Viruses, trojans and worms will never be eliminated. There is a multi-billion $ industry built to contain them.” - RCM 2002 There’s no economic incentive to eliminate the root causes of cybersecurity issues. We have created a cyber-security industrial complex Eisenhower was right. 5 (C) MARCHANY 2011

6 VT CYBER SECURITY STRATEGY University has 3 main business processes  Academic, Administrative, Research Academic  Open access needed – THE ISP MODEL Administrative  Traditional corporate security model Research  Hybrid  Open access  Restricted research, e.g. ITAR 6

7 VA TECH IT SECURITY STRATEGY Based on ISO 27002, NIST 800-53 Standards BYOD  All students required to purchase their own computers, bring their own smartphones. We’ve been doing this since 1984 Protect sensitive data regardless of location Business process defines and trumps the security process if there is a conflict IT and Business processes must adapt to new situation Don’t care what comes in the net. Worry about what leaves the net. (C) MARCHANY 2011 7

8 IMPLEMENTING THE 20 CRITICAL CONTROLS STRATEGY Quick wins Focus on the most common and damaging threats Consistent implementation Metrics to justify acquisitions Interfere with Attackers getting in Attackers staying in Attackers causing damage Focus on what leaves the net rather than what comes in (C) MARCHANY 2011 8

9 9

10 WHY 20 CRITICAL CONTROLS? Subset of the Priority 1 items in NIST 800-53 Mapping of 27002->800-53->20 Critical Controls http://www.systemexperts.com/assets/tutors/SystemExperts-SANS20-1.pdf Technical controls only, not operational controls Have to start somewhere Focus is ASSURANCE not compliance! (C) MARCHANY 2011 10

11 THE 20 CRITICAL CONTROLS: 1-3 1. Inventory of authorized and unauthorized devices Reduce the ability of attackers to find and exploit unauthorized and unprotected systems: Use active monitoring and configuration management to maintain an up-to-date inventory 2. Inventory of authorized and unauthorized software Identify vulnerable or malicious software to mitigate or root out attacks: Devise a list of authorized software for each type of system, and deploy tools to track software installed (including type, version, and patches) 3. Secure configurations for hardware and software on laptops, workstations, and servers Prevent attackers from exploiting services and settings that allow easy access through networks and browsers: Build a secure image that is used for all new systems deployed to the enterprise (C) MARCHANY 2011 11

12 THE 20 CRITICAL CONTROLS: 4-5 4. Continuous Vulnerability Assessment and Remediation Proactively identify and repair software vulnerabilities reported by security researchers or vendors: Regularly run automated vulnerability scanning tools against all systems and quickly remediate any vulnerabilities 5. Malware Defenses Block malicious code from tampering with system settings or contents, capturing sensitive data, or spreading (C) MARCHANY 2011 12

13 THE 20 CRITICAL CONTROLS: 6-10 6. Application Software Security Neutralize vulnerabilities in web-based and other application software: Vendor Application Security Questionnaire 7. Wireless Device Control Protect the security perimeter against unauthorized wireless access: Allow wireless devices to connect to the network only if it matches an authorized configuration and security profile and has a documented owner and defined business need. 8. Data Recovery Capability (validated manually) 9. Security Skills Assessment and Appropriate Training To Fill Gaps (validated manually) 10. Secure configurations for network devices such as firewalls, routers, and switches Preclude electronic holes from forming at connection points with the Internet, other organizations, and internal network segments: Compare firewall, router, and switch configurations against standards for each type of network device. (C) MARCHANY 2011 13

14 THE 20 CRITICAL CONTROLS: 11-13 11. Limitation and Control of Network Ports, Protocols, and Services Allow remote access only to legitimate users and services: Apply host-based firewalls and port-filtering and scanning tools to block traffic that is not explicitly allowed 12. Controlled Use of Administrative Privileges Protect and validate administrative accounts on desktops, laptops, and servers to prevent two common types of attack: 13. Boundary Defense Control the flow of traffic through network borders, and police content by looking for attacks and evidence of compromised machines: (C) MARCHANY 2011 14

15 THE 20 CRITICAL CONTROLS: 14-15 14. Maintenance, Monitoring and Analysis of Audit Logs Use detailed logs to identify and uncover the details of an attack, including the location, malicious software deployed, and activity on victim machines:. Store logs on dedicated servers, and run biweekly reports to identify and document anomalies. 15. Controlled Access Based On Need to Know Prevent attackers from gaining access to highly sensitive data: Carefully identify and separate critical data from information that is readily available to internal network users. Establish a multilevel data classification scheme based on the impact of any data exposure, and ensure that only authenticated users have access to nonpublic data and files. (C) MARCHANY 2011 15

16 THE 20 CRITICAL CONTROLS: 16-20 16. Account Monitoring and Control Keep attackers from impersonating legitimate users: Review all system accounts and disable any that are not associated with a business process and owner. 17. Data Loss Prevention Stop unauthorized transfer of sensitive data through network attacks and physical theft: Scrutinize the movement of data across network boundaries, both electronically and physically, to minimize the exposure to attackers. 18. Incident Response Capability (validated manually) 19. Secure Network Engineering (validated manually) Keep poor network design from enabling attackers: Use a robust, secure network engineering process to prevent security controls from being circumvented. Allow rapid deployment of new access controls to quickly deflect attacks. 20. Penetration Tests and Red Team Exercises (validated manually) (C) MARCHANY 2011 16

17 IMPLEMENTATION TIPS Secure upper management backing Do a 20 Critical Controls Gap Analysis Find out who at your organization has the information needed by a particular control Get access to the info Pick 2-4 controls at a time, Rinse, lather and repeat This is a 3-5 year project. (C) MARCHANY 2011 17

18 YOU HAVE THE ANSWERS ALREADY 1. Inventory of authorized and unauthorized device Obtain from your network management group 2. Inventory of authorized and unauthorized software Obtain from software purchasing group 3. Secure configurations for hardware and software on laptops, workstations, and servers Policy 4. Continuous Vulnerability Assessment and Remediation IT Security Office runs weekly scans against critical servers 5. Malware Defense IT Security Office (C) MARCHANY 2011 18

19 YOU HAVE THE ANSWERS ALREADY 6. Application Software Security Security Questionnaires 7. Wireless Device Control Network management group 8. Data Recovery Capability (validated manually) Network Backup service, departmental backup process 9. Security Skills Assessment & Appropriate Training To Fill Gaps (validate manually) Secure the Human 10. Secure configurations for network devices such as firewalls, routers, and switches Network Management Group (C) MARCHANY 2011 19

20 YOU HAVE THE ANSWERS ALREADY 11. Limitation and Control of Network Ports, Protocols, and Services Policy, Standards, Individual Departmental guidelines 12. Controlled Use of Administrative Privileges Policy, Standards, Individual Departmental guidelines 13. Boundary Defense Policy, Standards, define the boundary! 14. Maintenance, Monitoring and Analysis of Audit Logs Standard Sysadmin practice, SIEM, Syslog server 15. Controlled Access Based On Need to Know Business process rules, Identity Mgt process (C) MARCHANY 2011 20

21 YOU HAVE THE ANSWERS ALREADY 16. Account Monitoring and Control HR Policies/process, Identity Mgt process 17. Data Loss Prevention Sensitive Data protection policy/standards, network forensics 18. Incident Response Capability (validated manually) IT Security Office, Upper Mgt approval 19. Secure Network Engineering (validated manually) Network mgt group configuration rules 20. Penetration Tests and Red Team Exercises (validated manually) (C) MARCHANY 2011 21

22 CONTROL ENTITY RELATIONSHIP DIAGRAM (ERD) #1

23 CONTROL ENTITY RELATIONSHIP DIAGRAM (ERD) #14

24 (C) MARCHANY 2011 24

25 (C) MARCHANY 2011 25

26 (C) MARCHANY 2011 26

27 THE CHALLENGES Getting upper management (Board, President, CIO, VP) support Getting the data Internal IT groups may not have the info in a format you want Internal IT groups may not want to give you the data Departmental groups may not want to give you the info Performing the Gap analysis Building the 20 Critical Implementation plan Just doing it! (C) MARCHANY 2011 27

28 JUST DO IT You probably rolled your eyes when you read the controls We can’t do that! It’s too complicated Just do it We have not made significant strides in overall organizational IT security in the past 20 years Same vectors in the 1990s are causing problems in the 2010s It’s time to change the paradigm Just do it – a few steps at a time (C) MARCHANY 2011 28

29 QUESTIONS? Contact Information Randy Marchany University IT Security Officer VA Tech IT Security Office & Lab 1300 Torgersen Hall Blacksburg, VA 24061 540-231-9523 (office) 540-231-1688(lab) marchany@vt.edu Twitter: @randymarchany Blog: randymarchany.blogspot.com (C) MARCHANY 2011 29

Download ppt "THE 20 CRITICAL CONTROLS: A SECURITY STRATEGY RANDY MARCHANY VA TECH IT SECURITY OFFICE 1 (C) MARCHANY 2011."

Similar presentations

1 CHALLENGES Users growing and becoming more demanding –E-learning, electronic registration and other services –Require 24x7 access to learning materials.

1 CHALLENGES Users growing and becoming more demanding –E-learning, electronic registration and other services –Require 24x7 access to learning materials.
Chapter 24 Quality Management.

Chapter 24 Quality Management.
Understanding the benefits and the risks. Presented by Corey Nachreiner, CISSP BYOD - Bring Your Own Device or Bring Your Own Danger?

Understanding the benefits and the risks. Presented by Corey Nachreiner, CISSP BYOD - Bring Your Own Device or Bring Your Own Danger?
ACT User Meeting June 2011. Your entitlements window Entitlements, roles and v1 security overview Problems with v1 security Tasks, jobs and v2 security.

ACT User Meeting June Your entitlements window Entitlements, roles and v1 security overview Problems with v1 security Tasks, jobs and v2 security.
Incident Response Managing Security at Microsoft Published: April 2004.

Incident Response Managing Security at Microsoft Published: April 2004.
2  Industry trends and challenges  Windows Server 2012: Modern workstyle, enabled  Access from virtually anywhere, any device  Full Windows experience.

2  Industry trends and challenges  Windows Server 2012: Modern workstyle, enabled  Access from virtually anywhere, any device  Full Windows experience.
1 SANS Technology Institute - Candidate for Master of Science Degree 1 Automating Crosswalk between SP 800, 20 Critical Controls, and Australian Government.

1 SANS Technology Institute - Candidate for Master of Science Degree 1 Automating Crosswalk between SP 800, 20 Critical Controls, and Australian Government.
SESSION ID: Continuous Monitoring with the 20 Critical Security Controls SPO1-W02 Wolfgang Kandek CTO.

SESSION ID: Continuous Monitoring with the 20 Critical Security Controls SPO1-W02 Wolfgang Kandek CTO.
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering 2.

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering 2.
Firewalls Steven M. Bellovin https://www.cs.columbia.edu/~smb Matsuzaki ‘maz’ Yoshinobu 1.

Firewalls Steven M. Bellovin Matsuzaki ‘maz’ Yoshinobu 1.
Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, 2007. This work is the intellectual property rights of the author.

Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, This work is the intellectual property rights of the author.
Current Security Threats WMO CBS ET-CTS Toulouse, France 26-30 May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.

Current Security Threats WMO CBS ET-CTS Toulouse, France May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
1 Telstra in Confidence Managing Security for our Mobile Technology.

1 Telstra in Confidence Managing Security for our Mobile Technology.
The State of Security Management By Jim Reavis January 2003.

The State of Security Management By Jim Reavis January 2003.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
University of Guelph IT Security Policy Doug Blain Manager, IT Security ISC, April 27th.

University of Guelph IT Security Policy Doug Blain Manager, IT Security ISC, April 27th.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.

4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.

Similar presentations

Ads by Google