In my last blog I reviewed the most recent Data Breach report sponsored by Verizon, the U.S. Secret Service and 17 other worldwide government and private sector security organizations. My two main takeaways are:
- Yes, the world really is out to get you.
Mostly, the evil cybercriminals are opportunistic, taking advantage of whatever weaknesses they find, wherever they find them. These attacks are primarily for financial gain. However, an increasing number of attacks are targeted at specific companies and government organizations. These attackers try a variety of mechanisms and stop only once they have found and exploited a vulnerability; their primary goal is to steal your intellectual property.
- Most companies and government organizations make it very easy for the cybercriminals.
Over three-quarters of the attacks could have been easily avoided.
What should you be doing? The Verizon Data Breach report mapped the most common threats to the Consortium for Cybersecurity Action (CCA) Critical Security Controls for Effective Cyber Defense. The CCA is a voluntary group of government and private organizations working toward defining the “consensus list of critical security controls.”
The 20 critical security controls follow; under each one is the Verizon report's example of the sub-controls it found most relevant to the report's findings.
- Inventory of Authorized and Unauthorized Devices
- Inventory of Authorized and Unauthorized Software
Software inventories, monitoring and notifications regarding unapproved software, application whitelisting, and software identification tagging
- Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
Configuration monitoring and management, standard system images, software currency, and file integrity checks
- Continuous Vulnerability Assessment and Remediation
Automated vulnerability scanning, port checking, and patch management solutions
- Malware Defenses
Anti-virus tools, disabling auto-run, traffic analysis, secure e-mail usage, and sandboxing
- Application Software Security
Application testing and code review
- Wireless Device Control
Wireless device identifiers, network access control
- Data Recovery Capability
No sub-controls were primary mitigators of top threat actions
- Security Skills Assessment and Appropriate Training to Fill Gaps
Security awareness training, security policies, and awareness testing
- Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
Strong authentication for network infrastructure
- Limitations and Control of Network Ports, Protocols, and Services
Conservative device configuration, default-deny stance
- Controlled Use of Administrative Privileges
Identification and monitoring of administrative accounts, restriction of access to administrative accounts, and securing administrative accounts with strong authentication
- Boundary Defense
Ingress and egress filtering based on blacklists and the default-deny principle, DMZ traffic monitoring, IDS technologies, application proxies
- Maintenance, Monitoring, and Analysis of Security Audit Logs
Audit log settings, storage, retention, and review
- Controlled Access Based on the Need to Know
Network segmentation, logical access control
- Account Monitoring and Control
Account auditing, password parameters, account lockout settings, monitoring attempts to access disabled accounts and atypical account usage
- Data Loss Prevention
Mobile hard drive encryption, DLP software
- Incident Response and Management
No sub-controls were primary mitigators of top threat actions
- Secure Network Engineering
Network segmentation, establishment of security zones
- Penetration Tests and Red Team Exercises
Inclusion of social attacks in sanctioned penetration testing
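The sub-controls listed under Account Monitoring and Control above are the easiest of the twenty to turn into something that runs: attempts against disabled accounts, the lockout threshold, and atypical usage are all visible in an ordinary authentication log. The following is an added example, not code from the original post, the Verizon report or the CCA document. The log format, account names, IP addresses, business-hours window, lockout threshold and per-account source baseline are all assumptions made for the example, and the log lines are constructed, not captured.

```python
# Added example (not code from the original post, the Verizon report or the
# CCA document): the "Account Monitoring and Control" sub-controls expressed
# as detection logic over constructed auth-log events. The log format, account
# names, addresses and policy values are all assumptions for illustration.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample events, not real logs. One event per line:
# <ISO timestamp> <account> <source IP> <SUCCESS|FAILURE>
SAMPLE_EVENTS = [
    "2013-05-06T09:02:11 alice 10.0.0.12 SUCCESS",
    "2013-05-06T09:15:40 alice 10.0.0.12 SUCCESS",
    "2013-05-06T10:01:03 bob 10.0.0.40 SUCCESS",
    "2013-05-06T22:47:19 alice 203.0.113.7 SUCCESS",    # off-hours, unknown source
    "2013-05-06T23:01:00 svc_backup 10.0.0.40 FAILURE",  # account is disabled
    "2013-05-06T23:01:05 svc_backup 10.0.0.40 FAILURE",
    "2013-05-07T03:10:01 bob 198.51.100.9 FAILURE",
    "2013-05-07T03:10:02 bob 198.51.100.9 FAILURE",
    "2013-05-07T03:10:03 bob 198.51.100.9 FAILURE",
    "2013-05-07T03:10:04 bob 198.51.100.9 FAILURE",
    "2013-05-07T03:10:05 bob 198.51.100.9 FAILURE",
    "2013-05-07T03:10:06 bob 198.51.100.9 SUCCESS",     # guessing that got through
]

# Hypothetical policy parameters for the example.
DISABLED_ACCOUNTS = {"svc_backup"}
LOCKOUT_THRESHOLD = 5          # consecutive failures after which the account must lock
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59; successful logons outside are atypical
KNOWN_SOURCES = {"alice": {"10.0.0.12"}, "bob": {"10.0.0.40"}}  # baseline per account


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    src: str
    ok: bool


def parse_event(line: str) -> Event:
    ts, user, src, outcome = line.split()
    return Event(datetime.fromisoformat(ts), user, src, outcome == "SUCCESS")


def detect(lines):
    """Return (rule, account, detail) findings in log order."""
    findings = []
    consecutive_failures = defaultdict(int)
    # Copy the baseline so repeated runs do not mutate the module-level constant.
    seen_sources = {user: set(srcs) for user, srcs in KNOWN_SOURCES.items()}

    for ev in map(parse_event, lines):
        when = ev.ts.isoformat()

        # Attempts against disabled accounts: any attempt is reportable, and a
        # SUCCESS would mean the disable never took effect.
        if ev.user in DISABLED_ACCOUNTS:
            findings.append(("disabled-account-attempt", ev.user, f"{ev.src} at {when}"))

        # Lockout: count consecutive failures per account. Reaching the threshold
        # should lock the account, so a later SUCCESS without an intervening
        # reset means the lockout setting is not being enforced.
        if not ev.ok:
            consecutive_failures[ev.user] += 1
            if consecutive_failures[ev.user] == LOCKOUT_THRESHOLD:
                findings.append(("lockout-threshold-reached", ev.user,
                                 f"{LOCKOUT_THRESHOLD} consecutive failures from {ev.src}"))
            continue
        if consecutive_failures[ev.user] >= LOCKOUT_THRESHOLD:
            findings.append(("success-after-lockout-threshold", ev.user,
                             f"{consecutive_failures[ev.user]} failures then SUCCESS from {ev.src}"))
        consecutive_failures[ev.user] = 0

        # Atypical usage: successful logon outside business hours, or from a
        # source this account has never been seen from before.
        if ev.ts.hour not in BUSINESS_HOURS:
            findings.append(("off-hours-logon", ev.user, f"{ev.src} at {when}"))
        known = seen_sources.setdefault(ev.user, set())
        if ev.src not in known:
            findings.append(("new-source-logon", ev.user, f"first logon from {ev.src} at {when}"))
            known.add(ev.src)

    return findings


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:32} {user:12} {detail}")
```

Run against the constructed events this reports alice's off-hours logon from an unseen address, both attempts against the disabled service account, bob hitting the lockout threshold and then logging in successfully anyway (the finding that says the lockout setting is not actually enforced), and bob's off-hours logon from a new source. The two design points worth carrying over to a real deployment are that disabled-account attempts are reported regardless of outcome, and that the lockout check is written as a verification of the control rather than a re-implementation of it: the detector's job is to tell you when the configured policy is not doing what the policy document says.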
In the CCA report, each of these 20 critical security controls includes sections on:
- How do attackers exploit the absence of this control?
- How to implement, automate, and measure the effectiveness of this control
- Procedures and tools to implement and automate this control
- System entity relationship diagram
Now the bad news.
- Threats change; therefore expect this list to change. Tony Sager, retired COO of the U.S. National Security Agency (NSA) Information Assurance Directorate, leads the CCA. The CCA has committed to basing updates on input from penetration testers, including NSA's.
- Most organizations cannot afford to implement all 20 controls. The key is to prioritize the list based on how you are currently being attacked and risks identified by partnerships like the authors of the Verizon Data Breach reports.
- You will never be totally safe. Even if you implement all 20 controls, some attacks will still work. To a certain extent, it is like being chased by an angry bear in the woods. You do not necessarily have to outrun the bear, just be harder to catch than someone else who is with you.
If you ask six security experts how to prioritize the 20 critical security controls, you will get six different answers. If you bring in a subset of those experts to look at your specific environment, you will probably get a much more consistent, and actionable, priority list of these controls. Even implementing just a couple of these can make a big difference. William Pelgrin, president and CEO of the Center for Internet Security, says, “Take those areas where you have the highest risk and your critical components and deal with them first.”
The last word:
My advice: make the CCA list part of your security policy document, and develop a prioritized plan to implement those controls that make the most sense. If nothing else, when (not if) you are breached, you at least have something to show that you were making some level of effort to be secure. As I talk to lawyers on the subject, they all say that government and certification organizations are much more willing to work with you when you have an event if you have a security policy and are working towards a plan. Otherwise, as one government lawyer said, “I just want to throw the book at you and don’t care if your company survives or not.”
Unless you are a huge organization with lots of resources, you cannot do this alone. As you move to the Cloud, get and keep your Cloud Service Provider (CSP) involved early and often. They can often provide significant support for these controls.
If your CSP does not seem interested, run, don't walk, to a different one who is interested and capable of helping.
Keep your sense of humor.