1 / 43

Bert Miuccio, Vice President The Center for Internet Security

Bert Miuccio, Vice President The Center for Internet Security. Technical Control Standards for Security Configuration Developed Via Public / Private Partnership . Information Security Controls (NIST Pub 800-53). Management Controls Operational Controls Technical Controls.

cassady-roy
Download Presentation

Bert Miuccio, Vice President The Center for Internet Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Bert Miuccio, Vice President The Center for Internet Security Technical Control Standards for Security Configuration Developed Via Public / Private Partnership 

  2. Information Security Controls (NIST Pub 800-53) • Management Controls • Operational Controls • Technical Controls

  3. Security Controls (NIST Pub 800-53) • Management Controls -address the assessment and management of risk related to information systems

  4. Security Controls (NIST Pub 800-53) • Operational Controls • address security risks and recommendations primarily related to the people who use information systems (as opposed to the systems themselves) • describe “what” to do in broad terms, and some times describe “when” and by “whom”

  5. Security Controls (NIST Pub 800-53) • Technical Controls • define in detailed technical terms “how” to implement the requirements of the higher level guidance within specific systems (operating systems, applications, devices / Microsoft, Sun, Cisco, Oracle, etc)

  6. Current Information Security Guidance: • High level management controls-based guidance • OECD and GAISP • Mid-level operational controls-based guidance • ISO 17799 • FISMA • CobIT (ISACA) • Standards of Good Practice (ISF) • Detailed technical controls guidance • CIS Consensus Benchmarks and Scoring Tools • NSA, DISA, NIST, and security service / software vendors

  7. Most vulnerabilities being exploited by attackers exist because of: • Software defects • Fixed with vendor patches • Inadequate technical security controls • Fixed by settings which enable or disable security features of the software or network device

  8. Examples of security requirements/policies activated via technical controls • Password length, complexity • Account lockout after X attempts • Log what system events? • Idle time before workstation logoff • Who is allowed to install printer drivers? • What unneeded services to disable?

  9. We have met the enemy, and it is us! “Through 2005, 90 percent of cyber attacks will continue to exploit known security flaws for which a patch is available or a preventive measure known.” • Gartner Group, May 6, 2002

  10. Why are vendors shipping unsecured systems? • “Our customers don’t want security; they want features and performance. When they do want security, we’ll deliver it.” • “Every customer wants something different. We can’t be expected to deliver and maintain thousands of different configurations.”

  11. Recognizing the challenge • Cosmos Club meeting Aug 2000 • Need to develop and proliferate detailed operational best practices • The only true solution is to raise the bar everywhere--globally • Private sector won’t trust gov’t to do it • Private sector companies don’t trust each other because of competitive self-interest

  12. The Center for Internet Security (CIS) • Formed in October 2000 • A not-for-profit consortium of users • Focused on the common needs of the global Internet community • Knowledge transfer from haves to have-nots • Convenes and facilitates consensus teams that develop detailed operational best practices

  13. Government: National Institute of Standards and Technology Infocomm DevelopmentAuthority of Singapore Naval Surface Warfare Center US Treasury Financial Management Service Washington State Dept. of Health US Army Corps of Engineers Defense Info Sys Agency Federal Reserve System State of Maryland NASA Australian Nat’l Audit Ofc US Dept of Justice Library of Congress Royal Canadian Mounted Police Communications Security Establishment (Canada) Canadian CERT GSA NSA DHS FedCIRC Some participants in the consensus effort:

  14. Commercial: Dun and Bradstreet Electric Power Research Inst. SASKTel Fidelity National Financial LG&E Energy Hospital Corp. of America Duetsche Telekom T-Com Intel Bank of Montreal Pfizer Caterpillar Intuit Anadarko Petroleum Batelle Swiss Reinsurance Company University Health System Consortium Humana Nu Skin Enterprises Online Resources Phelps Dodge Corporation STERIS Corporation Thomson Holdings Wachovia Corporation Agilent Technologies Shell Info. Tech. Int’l PeopleSoft News Corporation Some Participants (cont’d):

  15. Universities: Institute for Security Technology Studies at Dartmouth Virginia Tech Monash University (Australia) Duke University University of Missouri Blenkinge Inst. of Technology (Sweden) Utah State University University of California, SF New York University Illinois Institute of Technology College of William and Mary Consulting/Service: IBM Consulting Configuresoft ISS Symantec BindView Sequation NetIQ Solutionary RDA Corporation Belarc GFM Consulting Some Participants (cont’d):

  16. Vendors are fully engaged as team members, working alongside government and private sector users • Microsoft • Sun • HP • Cisco • Oracle • AOL

  17. The consensus process • Teams are formed with security experts from member organizations • An initial benchmark draft is obtained or developed • Consensus is established via email and conference call discussion • A scoring tool is developed • They are made available free to all users globally via the CIS website (www.cisecurity.org)

  18. What has collaboration among the participants achieved so far?

  19. Currently available: • Level I Configuration Benchmarks • Solaris • Linux • HP-UX • Windows NT • Windows 2000 • Windows XP • Cisco Router IOS • Oracle Database

  20. A Level I Benchmark: • Can be implemented by a sysadmin of any level of security expertise • Can be monitored by a compliance tool • Is not likely to “break” any function • Represents a baseline level of security

  21. Currently available: • Level II Benchmarks • Windows 2000 Professional • Windows 2000 Server • Windows XP • CISCO Router IOS Level • Oracle Database

  22. Currently available: • Configuration Scoring Tools • Available for each Benchmark • Scan only (don’t automatically change settings) • Host based (not network scanners) • Compare configuration of the scanned system with the corresponding benchmark, score it on a scale of 1-10 • Configure a newly deployed system and monitor configuration of the computers on which they are installed

  23. Under development: • Benchmarks and Scoring Tools for: • Apache • Windows IIS • Catalyst Switches • PIX Firewall • Check Point FW-1 • Server 2003 • SQL Server • Juniper Router • and others

  24. The impact… Case studies show that 80-90% of known vulnerabilities are blocked by the security settings in the consensus benchmarks…….

  25. Case Study Methodology • (1) Scan a system “out of the box” and list identified vulnerabilities • (2) Configure the system with the appropriate benchmark • (3) Rescan the system and note the vulnerabilities remaining

  26. Vulnerability Assessment Case studies

  27. IA Newsletter describing the NSA and Mitre studies • Vol 5, Number 3, Fall 2002 • http://iac.dtic.mil/iatac/IAnewsletter/Vol5_No3.pdf

  28. NSA Red/Blue Team Conference Oct 2003 • These teams are the security experts whose job is to discover weaknesses in DoD networks by attempting to penetrate them

  29. At that conference: • During four days of trying, these security experts were unable to break into a Microsoft Windows network with up-to-date patches and configured with the consensus benchmark technical controls

  30. Milestones in the consensus benchmark effort • Jul 02 – W2K Level-2 benchmark announced by NSA, DISA, NIST, GSA, SANS, and private sector participants • Oct 02 - U.S. government begins promulgating consensus benchmarks and tools via FedCIRC • Nov 02 – NSA reports that consensus benchmarks eliminate over 90% of known vulnerabilities • Dec 02 - VISA adopts benchmarks for its Cardholder Information Security Program Digital Dozen

  31. Milestones in the consensus benchmark effort (Cont’d) • Jul 03 – Dell begins delivering Windows 2000 systems pre-configured with consensus benchmark settings • Sep 03 - U.S. Dept of Energy announces procurement requiring Oracle to pre-configure its software with the consensus benchmark settings • Dec 03 – AOL requests a benchmark for its users • June 04 – Dell will begin shipping configured XP systems

  32. Factors driving adoption of the consensus benchmark practices • Private sector desire for liability protection via evidence of due care • Regulatory compliance • SOX, HIPAA, GLB, FISMA, etc • Incorporation in procurement req’ts by government and commercial buyers • Consensus on technical controls developed jointly with users enables vendors to deliver systems that are more secure by default

  33. How can you become involved? • Download the Benchmarks and Scoring Tools. • Use them to configure your new installations. • Compare the configuration of your production systems. How do your systems measure up? • As necessary – improve your security configs. • Share your feedback – contribute to the consensus.

  34. How else can you be involved? • Become a CIS member – help develop and proliferate the consensus benchmarks as common practice — thus making the Internet safer for you and everyone else.

  35. Conclusions • Using the benchmarks and scoring tools available free at http://www.cisecurity.org implements much of currently available high level guidance (SOX, HIPAA, GLB, FISMA, etc) • Users and vendors are working together to improve security practice • Detailed configuration practice offers substantial payoff for the effort expended

  36. Bert Miuccio bmiuccio@cisecurity.org

  37. Important Background Information“The Benefits of Membership” • The benchmarks & tools are periodically updated to • reflect consensus input from security professionals • keep pace with updated versions of the subject software • include technical controls that help defend against emerging threats and vulnerabilities • The Terms of Use prohibit redistribution of the benchmarks and software tools for the purpose of minimizing redistribution of outdated versions of the resources.

  38. TOU on the CIS web site • Grant of Limited rights.“CIS hereby grants each user the following rights, but only so long as the user complies with all of the terms of these Agreed Terms of Use: • Except to the extent that we may have received additional authorization pursuant to a written agreement with CIS, each user may download, install and use each of the Products on a single computer;”

  39. “The Benefits of Membership” • #2. The right to distribute the benchmarks and tools within your organization. (User Members and Consulting Members only are entitled to this benefit)

  40. Some problems with existing IS guidance • Requirements at various levels of abstraction that are • Structurally disconnected/fragmented • Some focus on principles; others on controls • Not readily scalable for different types and sizes of organizations • Developed and promoted by different professional communities vying for position • Different taxonomies and terminology • Detailed technical controls have been largely ignored

  41. Vendors Issue Patches – Users Don’t Apply Them Forrester Research Report April 3, 2003

More Related