
Enhance Your Security Posture: Doing Four Things Can Reduce Unauthorized Penetrations by 85%

by CTOvision, February 4, 2014

By Bob Gourley

We often highlight the importance of applying security controls to your enterprise. Our favorite model for doing that is the 20 Critical Controls, coordinated by community leaders and curated at SANS (available here). When you read of a government agency being penetrated or a corporation losing data, I can almost always guarantee you that they have failed to implement and measure these controls.

As a review, they are:

20 Critical Security Controls – Version 4.1

  • Critical Control 1: Inventory of Authorized and Unauthorized Devices (http://www.sans.org/cag/control/1.php)
  • Critical Control 2: Inventory of Authorized and Unauthorized Software (http://www.sans.org/cag/control/2.php)
  • Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers (http://www.sans.org/cag/control/3.php)
  • Critical Control 4: Continuous Vulnerability Assessment and Remediation (http://www.sans.org/cag/control/4.php)
  • Critical Control 5: Malware Defenses (http://www.sans.org/cag/control/5.php)
  • Critical Control 6: Application Software Security (http://www.sans.org/cag/control/6.php)
  • Critical Control 7: Wireless Device Control (http://www.sans.org/cag/control/7.php)
  • Critical Control 8: Data Recovery Capability (http://www.sans.org/cag/control/8.php)
  • Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps (http://www.sans.org/cag/control/9.php)
  • Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches (http://www.sans.org/cag/control/10.php)
  • Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services (http://www.sans.org/cag/control/11.php)
  • Critical Control 12: Controlled Use of Administrative Privileges (http://www.sans.org/cag/control/12.php)
  • Critical Control 13: Boundary Defense (http://www.sans.org/cag/control/13.php)
  • Critical Control 14: Maintenance, Monitoring, and Analysis of Audit Logs (http://www.sans.org/cag/control/14.php)
  • Critical Control 15: Controlled Access Based on the Need to Know (http://www.sans.org/cag/control/15.php)
  • Critical Control 16: Account Monitoring and Control (http://www.sans.org/cag/control/16.php)
  • Critical Control 17: Data Loss Prevention (http://www.sans.org/cag/control/17.php)
  • Critical Control 18: Incident Response and Management (http://www.sans.org/cag/control/18.php)
  • Critical Control 19: Secure Network Engineering (http://www.sans.org/cag/control/19.php)
  • Critical Control 20: Penetration Tests and Red Team Exercises (http://www.sans.org/cag/control/20.php)

If your organization is in deep trouble, how do you prioritize and ramp up security as quickly as possible? SANS can help you there too. They have uncovered many best practices over the years, my favorite of which can help you prioritize your efforts. In October 2011, the SANS Institute announced that the U.S. National Cybersecurity Innovation Award had been won by a team that uncovered this important lesson. The 2011 U.S. National Cybersecurity Innovation Award went to the Australian Defence Signals Directorate (that’s right, the U.S. award went to an Australian group, which tells an entirely different story about the state of U.S. cybersecurity, doesn’t it?).

Here is more from SANS at: http://ctolink.us/1nODIxb

Washington DC, October 24, 2011

The SANS Institute announced today that the Australian Defence Signals Directorate has won the 2011 U.S. National Cybersecurity Innovation Award for its ground-breaking innovation in finding and implementing the four key security controls that stop the spread of infection from targeted intrusions.

With limited budgets and shortages of skilled people, senior executives are asking, “What do we need to do to protect our systems, and how much is enough?” Most answers they get are unhelpful, consisting of thick books of ill-defined controls that require far more money and time to implement than organizations can spend. A team at the Australian Defence Signals Directorate (DSD), led by Steve Mcleod and Chris Brookes, took on the task of studying all known targeted intrusions against government systems – both civilian and military – and determining what would have stopped the infections from spreading. They found that 35 controls would be valuable, but that four specific controls, alone, are the only ones that must be implemented across all Cabinet-level organizations if they are to have any hope of defending their systems against targeted intrusions. The Australian DSD recognized that once those four have been implemented, additional risk reduction may be gained using additional controls, but those four must be done first. The National Cybersecurity Innovation Award for effective security management goes to DSD for showing the way and to Dr Ian Watt, in particular, for his extraordinary leadership as Australian Secretary of Defence, in advocating that all Cabinet agencies in Australia should implement the four controls (nicknamed the “sweet spot”) and making sure they are doing it. The Australian Defence Signals Directorate supported the program first by identifying the 35 key mitigations for targeted intrusions and defining four of those as the ones that had to be implemented first before even considering the other thirty-one. They also developed and posted detailed explanations of the mitigations and provided expert support for the agencies as they systematically implemented all four key mitigations. In the agencies that have completed the task, the spread of targeted attacks is no longer a significant problem.

Although these controls will not stop the most sophisticated attackers, they do stop the targeted attackers with medium and low sophistication, the ones that cause the greatest amount of information loss.

For more on the top four mitigation strategies, see the DSD site (http://ctolink.us/1nOEdqQ). These four strategies are:

  • Application Whitelisting: this makes it much harder for adversaries to run code on your systems.
  • Patching Applications: patching of applications must be continuously maintained.
  • Patching Operating Systems: operating systems on devices and servers must be continuously updated. Outdated operating systems allow penetrations.
  • Restricting Admin Privileges: too many people with administrator rights introduce problems in many ways, including more sloppiness. Adversaries look for accounts with admin rights.

Bottom line of this post: there are lessons the community can provide that will enhance the security of any enterprise. If you need to prioritize, start with the four key elements above: whitelisting, patching applications, patching operating systems, and restricting admin rights. But don’t stop until your organization is following all twenty of the critical security controls above.


Via CTO Vision